Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Thu, 29 Oct 2020 11:14:05
Message-Id: 1603970023.0d3873bbb3fa29b3ba9b817b349382af23573e29.mpagano@gentoo
1 commit: 0d3873bbb3fa29b3ba9b817b349382af23573e29
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Oct 29 11:13:43 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Oct 29 11:13:43 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=0d3873bb
7
8 Linux patch 4.4.241
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1240_linux-4.4.241.patch | 3320 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3324 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 81d1c83..9f307c4 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1003,6 +1003,10 @@ Patch: 1239_linux-4.4.240.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.240
23
24 +Patch: 1240_linux-4.4.241.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.241
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1240_linux-4.4.241.patch b/1240_linux-4.4.241.patch
33 new file mode 100644
34 index 0000000..3c18a53
35 --- /dev/null
36 +++ b/1240_linux-4.4.241.patch
37 @@ -0,0 +1,3320 @@
38 +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
39 +index 21ad4f3cece89..eac939abe6c4c 100644
40 +--- a/Documentation/networking/ip-sysctl.txt
41 ++++ b/Documentation/networking/ip-sysctl.txt
42 +@@ -868,12 +868,14 @@ icmp_ratelimit - INTEGER
43 + icmp_msgs_per_sec - INTEGER
44 + Limit maximal number of ICMP packets sent per second from this host.
45 + Only messages whose type matches icmp_ratemask (see below) are
46 +- controlled by this limit.
47 ++ controlled by this limit. For security reasons, the precise count
48 ++ of messages per second is randomized.
49 + Default: 1000
50 +
51 + icmp_msgs_burst - INTEGER
52 + icmp_msgs_per_sec controls number of ICMP packets sent per second,
53 + while icmp_msgs_burst controls the burst size of these packets.
54 ++ For security reasons, the precise burst size is randomized.
55 + Default: 50
56 +
57 + icmp_ratemask - INTEGER
58 +diff --git a/Makefile b/Makefile
59 +index 69e7cd30e6465..f475808037540 100644
60 +--- a/Makefile
61 ++++ b/Makefile
62 +@@ -1,6 +1,6 @@
63 + VERSION = 4
64 + PATCHLEVEL = 4
65 +-SUBLEVEL = 240
66 ++SUBLEVEL = 241
67 + EXTRAVERSION =
68 + NAME = Blurry Fish Butt
69 +
70 +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
71 +index 493692d838c67..0b6f8a93d8c60 100644
72 +--- a/arch/arm/mm/cache-l2x0.c
73 ++++ b/arch/arm/mm/cache-l2x0.c
74 +@@ -1228,20 +1228,28 @@ static void __init l2c310_of_parse(const struct device_node *np,
75 +
76 + ret = of_property_read_u32(np, "prefetch-data", &val);
77 + if (ret == 0) {
78 +- if (val)
79 ++ if (val) {
80 + prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH;
81 +- else
82 ++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH;
83 ++ } else {
84 + prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
85 ++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
86 ++ }
87 ++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
88 + } else if (ret != -EINVAL) {
89 + pr_err("L2C-310 OF prefetch-data property value is missing\n");
90 + }
91 +
92 + ret = of_property_read_u32(np, "prefetch-instr", &val);
93 + if (ret == 0) {
94 +- if (val)
95 ++ if (val) {
96 + prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH;
97 +- else
98 ++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH;
99 ++ } else {
100 + prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
101 ++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
102 ++ }
103 ++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
104 + } else if (ret != -EINVAL) {
105 + pr_err("L2C-310 OF prefetch-instr property value is missing\n");
106 + }
107 +diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
108 +index 172402cc1a0f5..ae2cbbdb634e4 100644
109 +--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
110 ++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
111 +@@ -191,7 +191,7 @@
112 + };
113 +
114 + i2c0: i2c@ff020000 {
115 +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10";
116 ++ compatible = "cdns,i2c-r1p14";
117 + status = "disabled";
118 + interrupt-parent = <&gic>;
119 + interrupts = <0 17 4>;
120 +@@ -202,7 +202,7 @@
121 + };
122 +
123 + i2c1: i2c@ff030000 {
124 +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10";
125 ++ compatible = "cdns,i2c-r1p14";
126 + status = "disabled";
127 + interrupt-parent = <&gic>;
128 + interrupts = <0 18 4>;
129 +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
130 +index ca372bbc0ffee..dd262f09a99ed 100644
131 +--- a/arch/powerpc/include/asm/reg.h
132 ++++ b/arch/powerpc/include/asm/reg.h
133 +@@ -647,7 +647,7 @@
134 + #define THRM1_TIN (1 << 31)
135 + #define THRM1_TIV (1 << 30)
136 + #define THRM1_THRES(x) ((x&0x7f)<<23)
137 +-#define THRM3_SITV(x) ((x&0x3fff)<<1)
138 ++#define THRM3_SITV(x) ((x & 0x1fff) << 1)
139 + #define THRM1_TID (1<<2)
140 + #define THRM1_TIE (1<<1)
141 + #define THRM1_V (1<<0)
142 +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
143 +index a753b72efbc0c..70c9d134a9d44 100644
144 +--- a/arch/powerpc/kernel/tau_6xx.c
145 ++++ b/arch/powerpc/kernel/tau_6xx.c
146 +@@ -37,8 +37,6 @@ static struct tau_temp
147 +
148 + struct timer_list tau_timer;
149 +
150 +-#undef DEBUG
151 +-
152 + /* TODO: put these in a /proc interface, with some sanity checks, and maybe
153 + * dynamic adjustment to minimize # of interrupts */
154 + /* configurable values for step size and how much to expand the window when
155 +@@ -71,47 +69,33 @@ void set_thresholds(unsigned long cpu)
156 +
157 + void TAUupdate(int cpu)
158 + {
159 +- unsigned thrm;
160 +-
161 +-#ifdef DEBUG
162 +- printk("TAUupdate ");
163 +-#endif
164 ++ u32 thrm;
165 ++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V;
166 +
167 + /* if both thresholds are crossed, the step_sizes cancel out
168 + * and the window winds up getting expanded twice. */
169 +- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */
170 +- if(thrm & THRM1_TIN){ /* crossed low threshold */
171 +- if (tau[cpu].low >= step_size){
172 +- tau[cpu].low -= step_size;
173 +- tau[cpu].high -= (step_size - window_expand);
174 +- }
175 +- tau[cpu].grew = 1;
176 +-#ifdef DEBUG
177 +- printk("low threshold crossed ");
178 +-#endif
179 ++ thrm = mfspr(SPRN_THRM1);
180 ++ if ((thrm & bits) == bits) {
181 ++ mtspr(SPRN_THRM1, 0);
182 ++
183 ++ if (tau[cpu].low >= step_size) {
184 ++ tau[cpu].low -= step_size;
185 ++ tau[cpu].high -= (step_size - window_expand);
186 + }
187 ++ tau[cpu].grew = 1;
188 ++ pr_debug("%s: low threshold crossed\n", __func__);
189 + }
190 +- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */
191 +- if(thrm & THRM1_TIN){ /* crossed high threshold */
192 +- if (tau[cpu].high <= 127-step_size){
193 +- tau[cpu].low += (step_size - window_expand);
194 +- tau[cpu].high += step_size;
195 +- }
196 +- tau[cpu].grew = 1;
197 +-#ifdef DEBUG
198 +- printk("high threshold crossed ");
199 +-#endif
200 ++ thrm = mfspr(SPRN_THRM2);
201 ++ if ((thrm & bits) == bits) {
202 ++ mtspr(SPRN_THRM2, 0);
203 ++
204 ++ if (tau[cpu].high <= 127 - step_size) {
205 ++ tau[cpu].low += (step_size - window_expand);
206 ++ tau[cpu].high += step_size;
207 + }
208 ++ tau[cpu].grew = 1;
209 ++ pr_debug("%s: high threshold crossed\n", __func__);
210 + }
211 +-
212 +-#ifdef DEBUG
213 +- printk("grew = %d\n", tau[cpu].grew);
214 +-#endif
215 +-
216 +-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */
217 +- set_thresholds(cpu);
218 +-#endif
219 +-
220 + }
221 +
222 + #ifdef CONFIG_TAU_INT
223 +@@ -136,18 +120,18 @@ void TAUException(struct pt_regs * regs)
224 + static void tau_timeout(void * info)
225 + {
226 + int cpu;
227 +- unsigned long flags;
228 + int size;
229 + int shrink;
230 +
231 +- /* disabling interrupts *should* be okay */
232 +- local_irq_save(flags);
233 + cpu = smp_processor_id();
234 +
235 + #ifndef CONFIG_TAU_INT
236 + TAUupdate(cpu);
237 + #endif
238 +
239 ++ /* Stop thermal sensor comparisons and interrupts */
240 ++ mtspr(SPRN_THRM3, 0);
241 ++
242 + size = tau[cpu].high - tau[cpu].low;
243 + if (size > min_window && ! tau[cpu].grew) {
244 + /* do an exponential shrink of half the amount currently over size */
245 +@@ -169,22 +153,12 @@ static void tau_timeout(void * info)
246 +
247 + set_thresholds(cpu);
248 +
249 +- /*
250 +- * Do the enable every time, since otherwise a bunch of (relatively)
251 +- * complex sleep code needs to be added. One mtspr every time
252 +- * tau_timeout is called is probably not a big deal.
253 +- *
254 +- * Enable thermal sensor and set up sample interval timer
255 +- * need 20 us to do the compare.. until a nice 'cpu_speed' function
256 +- * call is implemented, just assume a 500 mhz clock. It doesn't really
257 +- * matter if we take too long for a compare since it's all interrupt
258 +- * driven anyway.
259 +- *
260 +- * use a extra long time.. (60 us @ 500 mhz)
261 ++ /* Restart thermal sensor comparisons and interrupts.
262 ++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet"
263 ++ * recommends that "the maximum value be set in THRM3 under all
264 ++ * conditions."
265 + */
266 +- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E);
267 +-
268 +- local_irq_restore(flags);
269 ++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E);
270 + }
271 +
272 + static void tau_timeout_smp(unsigned long unused)
273 +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h
274 +index acd17648cd188..5ea24d16a74a1 100644
275 +--- a/arch/powerpc/perf/hv-gpci-requests.h
276 ++++ b/arch/powerpc/perf/hv-gpci-requests.h
277 +@@ -94,7 +94,7 @@ REQUEST(__field(0, 8, partition_id)
278 +
279 + #define REQUEST_NAME system_performance_capabilities
280 + #define REQUEST_NUM 0x40
281 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
282 ++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
283 + #include I(REQUEST_BEGIN)
284 + REQUEST(__field(0, 1, perf_collect_privileged)
285 + __field(0x1, 1, capability_mask)
286 +@@ -222,7 +222,7 @@ REQUEST(__field(0, 2, partition_id)
287 +
288 + #define REQUEST_NAME system_hypervisor_times
289 + #define REQUEST_NUM 0xF0
290 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
291 ++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
292 + #include I(REQUEST_BEGIN)
293 + REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors)
294 + __count(0x8, 8, time_spent_processing_virtual_processor_timers)
295 +@@ -233,7 +233,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors)
296 +
297 + #define REQUEST_NAME system_tlbie_count_and_time
298 + #define REQUEST_NUM 0xF4
299 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
300 ++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
301 + #include I(REQUEST_BEGIN)
302 + REQUEST(__count(0, 8, tlbie_instructions_issued)
303 + /*
304 +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig
305 +index b7f9c408bf24f..0a0281a21ea50 100644
306 +--- a/arch/powerpc/platforms/Kconfig
307 ++++ b/arch/powerpc/platforms/Kconfig
308 +@@ -242,7 +242,7 @@ config TAU
309 + temp is actually what /proc/cpuinfo says it is.
310 +
311 + config TAU_INT
312 +- bool "Interrupt driven TAU driver (DANGEROUS)"
313 ++ bool "Interrupt driven TAU driver (EXPERIMENTAL)"
314 + depends on TAU
315 + ---help---
316 + The TAU supports an interrupt driven mode which causes an interrupt
317 +@@ -250,12 +250,7 @@ config TAU_INT
318 + to get notified the temp has exceeded a range. With this option off,
319 + a timer is used to re-check the temperature periodically.
320 +
321 +- However, on some cpus it appears that the TAU interrupt hardware
322 +- is buggy and can cause a situation which would lead unexplained hard
323 +- lockups.
324 +-
325 +- Unless you are extending the TAU driver, or enjoy kernel/hardware
326 +- debugging, leave this option off.
327 ++ If in doubt, say N here.
328 +
329 + config TAU_AVERAGE
330 + bool "Average high and low temp"
331 +diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c
332 +index 4c827826c05eb..e21e2c0af69d2 100644
333 +--- a/arch/powerpc/platforms/powernv/opal-dump.c
334 ++++ b/arch/powerpc/platforms/powernv/opal-dump.c
335 +@@ -319,15 +319,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj,
336 + return count;
337 + }
338 +
339 +-static struct dump_obj *create_dump_obj(uint32_t id, size_t size,
340 +- uint32_t type)
341 ++static void create_dump_obj(uint32_t id, size_t size, uint32_t type)
342 + {
343 + struct dump_obj *dump;
344 + int rc;
345 +
346 + dump = kzalloc(sizeof(*dump), GFP_KERNEL);
347 + if (!dump)
348 +- return NULL;
349 ++ return;
350 +
351 + dump->kobj.kset = dump_kset;
352 +
353 +@@ -347,21 +346,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size,
354 + rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id);
355 + if (rc) {
356 + kobject_put(&dump->kobj);
357 +- return NULL;
358 ++ return;
359 + }
360 +
361 ++ /*
362 ++ * As soon as the sysfs file for this dump is created/activated there is
363 ++ * a chance the opal_errd daemon (or any userspace) might read and
364 ++ * acknowledge the dump before kobject_uevent() is called. If that
365 ++ * happens then there is a potential race between
366 ++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a
367 ++ * use-after-free of a kernfs object resulting in a kernel crash.
368 ++ *
369 ++ * To avoid that, we need to take a reference on behalf of the bin file,
370 ++ * so that our reference remains valid while we call kobject_uevent().
371 ++ * We then drop our reference before exiting the function, leaving the
372 ++ * bin file to drop the last reference (if it hasn't already).
373 ++ */
374 ++
375 ++ /* Take a reference for the bin file */
376 ++ kobject_get(&dump->kobj);
377 + rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr);
378 +- if (rc) {
379 ++ if (rc == 0) {
380 ++ kobject_uevent(&dump->kobj, KOBJ_ADD);
381 ++
382 ++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n",
383 ++ __func__, dump->id, dump->size);
384 ++ } else {
385 ++ /* Drop reference count taken for bin file */
386 + kobject_put(&dump->kobj);
387 +- return NULL;
388 + }
389 +
390 +- pr_info("%s: New platform dump. ID = 0x%x Size %u\n",
391 +- __func__, dump->id, dump->size);
392 +-
393 +- kobject_uevent(&dump->kobj, KOBJ_ADD);
394 +-
395 +- return dump;
396 ++ /* Drop our reference */
397 ++ kobject_put(&dump->kobj);
398 ++ return;
399 + }
400 +
401 + static irqreturn_t process_dump(int irq, void *data)
402 +diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c
403 +index 31ca557af60bc..262b8c5e1b9d0 100644
404 +--- a/arch/powerpc/platforms/pseries/rng.c
405 ++++ b/arch/powerpc/platforms/pseries/rng.c
406 +@@ -40,6 +40,7 @@ static __init int rng_init(void)
407 +
408 + ppc_md.get_random_seed = pseries_get_random_long;
409 +
410 ++ of_node_put(dn);
411 + return 0;
412 + }
413 + machine_subsys_initcall(pseries, rng_init);
414 +diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c
415 +index c1917cf67c3de..3205e64c452bd 100644
416 +--- a/arch/powerpc/sysdev/xics/icp-hv.c
417 ++++ b/arch/powerpc/sysdev/xics/icp-hv.c
418 +@@ -179,6 +179,7 @@ int icp_hv_init(void)
419 +
420 + icp_ops = &icp_hv_ops;
421 +
422 ++ of_node_put(np);
423 + return 0;
424 + }
425 +
426 +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
427 +index 466028623e1a0..0c1e249a7ab69 100644
428 +--- a/arch/x86/kvm/emulate.c
429 ++++ b/arch/x86/kvm/emulate.c
430 +@@ -3524,7 +3524,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt)
431 + u64 tsc_aux = 0;
432 +
433 + if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux))
434 +- return emulate_gp(ctxt, 0);
435 ++ return emulate_ud(ctxt);
436 + ctxt->dst.val = tsc_aux;
437 + return X86EMUL_CONTINUE;
438 + }
439 +diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
440 +index 0f1c6fc3ddd88..47770ccab6d77 100644
441 +--- a/arch/x86/mm/dump_pagetables.c
442 ++++ b/arch/x86/mm/dump_pagetables.c
443 +@@ -15,6 +15,7 @@
444 + #include <linux/debugfs.h>
445 + #include <linux/mm.h>
446 + #include <linux/module.h>
447 ++#include <linux/sched.h>
448 + #include <linux/seq_file.h>
449 +
450 + #include <asm/pgtable.h>
451 +@@ -407,6 +408,7 @@ static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
452 + } else
453 + note_page(m, &st, __pgprot(0), 1);
454 +
455 ++ cond_resched();
456 + start++;
457 + }
458 +
459 +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
460 +index 57e6c45724e73..1930a1d1a1892 100644
461 +--- a/drivers/cpufreq/powernv-cpufreq.c
462 ++++ b/drivers/cpufreq/powernv-cpufreq.c
463 +@@ -410,12 +410,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb,
464 + unsigned long action, void *unused)
465 + {
466 + int cpu;
467 +- struct cpufreq_policy cpu_policy;
468 ++ struct cpufreq_policy *cpu_policy;
469 +
470 + rebooting = true;
471 + for_each_online_cpu(cpu) {
472 +- cpufreq_get_policy(&cpu_policy, cpu);
473 +- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index());
474 ++ cpu_policy = cpufreq_cpu_get(cpu);
475 ++ if (!cpu_policy)
476 ++ continue;
477 ++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index());
478 ++ cpufreq_cpu_put(cpu_policy);
479 + }
480 +
481 + return NOTIFY_DONE;
482 +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
483 +index 8f27903532812..13657105cfb93 100644
484 +--- a/drivers/crypto/ixp4xx_crypto.c
485 ++++ b/drivers/crypto/ixp4xx_crypto.c
486 +@@ -533,7 +533,7 @@ static void release_ixp_crypto(struct device *dev)
487 +
488 + if (crypt_virt) {
489 + dma_free_coherent(dev,
490 +- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl),
491 ++ NPE_QLEN * sizeof(struct crypt_ctl),
492 + crypt_virt, crypt_phys);
493 + }
494 + return;
495 +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
496 +index 48adb2a0903e5..7e9a44cee4250 100644
497 +--- a/drivers/crypto/omap-sham.c
498 ++++ b/drivers/crypto/omap-sham.c
499 +@@ -453,6 +453,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length,
500 + struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req);
501 + u32 val, mask;
502 +
503 ++ if (likely(ctx->digcnt))
504 ++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt);
505 ++
506 + /*
507 + * Setting ALGO_CONST only for the first iteration and
508 + * CLOSE_HASH only for the last one. Note that flags mode bits
509 +diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c
510 +index 40917775dca1c..59d10f48ed6ab 100644
511 +--- a/drivers/edac/i5100_edac.c
512 ++++ b/drivers/edac/i5100_edac.c
513 +@@ -1075,16 +1075,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
514 + PCI_DEVICE_ID_INTEL_5100_19, 0);
515 + if (!einj) {
516 + ret = -ENODEV;
517 +- goto bail_einj;
518 ++ goto bail_mc_free;
519 + }
520 +
521 + rc = pci_enable_device(einj);
522 + if (rc < 0) {
523 + ret = rc;
524 +- goto bail_disable_einj;
525 ++ goto bail_einj;
526 + }
527 +
528 +-
529 + mci->pdev = &pdev->dev;
530 +
531 + priv = mci->pvt_info;
532 +@@ -1151,14 +1150,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
533 + bail_scrub:
534 + priv->scrub_enable = 0;
535 + cancel_delayed_work_sync(&(priv->i5100_scrubbing));
536 +- edac_mc_free(mci);
537 +-
538 +-bail_disable_einj:
539 + pci_disable_device(einj);
540 +
541 + bail_einj:
542 + pci_dev_put(einj);
543 +
544 ++bail_mc_free:
545 ++ edac_mc_free(mci);
546 ++
547 + bail_disable_ch1:
548 + pci_disable_device(ch1mm);
549 +
550 +diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
551 +index d3de377dc857e..25c68e4dc7a53 100644
552 +--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
553 ++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
554 +@@ -2120,7 +2120,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev
555 + intel_dp->dpcd,
556 + sizeof(intel_dp->dpcd));
557 + cdv_intel_edp_panel_vdd_off(gma_encoder);
558 +- if (ret == 0) {
559 ++ if (ret <= 0) {
560 + /* if this fails, presume the device is a ghost */
561 + DRM_INFO("failed to retrieve link info, disabling eDP\n");
562 + cdv_intel_dp_encoder_destroy(encoder);
563 +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
564 +index 06496a1281622..476b9993b0682 100644
565 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
566 ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
567 +@@ -113,8 +113,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
568 + vgdev->capsets[i].id > 0, 5 * HZ);
569 + if (ret == 0) {
570 + DRM_ERROR("timed out waiting for cap set %d\n", i);
571 ++ spin_lock(&vgdev->display_info_lock);
572 + kfree(vgdev->capsets);
573 + vgdev->capsets = NULL;
574 ++ spin_unlock(&vgdev->display_info_lock);
575 + return;
576 + }
577 + DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",
578 +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
579 +index 772a5a3b0ce1a..18e8fcad6690b 100644
580 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
581 ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
582 +@@ -596,9 +596,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
583 + int i = le32_to_cpu(cmd->capset_index);
584 +
585 + spin_lock(&vgdev->display_info_lock);
586 +- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
587 +- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
588 +- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
589 ++ if (vgdev->capsets) {
590 ++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
591 ++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
592 ++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
593 ++ } else {
594 ++ DRM_ERROR("invalid capset memory.");
595 ++ }
596 + spin_unlock(&vgdev->display_info_lock);
597 + wake_up(&vgdev->resp_wq);
598 + }
599 +diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c
600 +index c29265055ac1a..6c2b821c8d8b5 100644
601 +--- a/drivers/hid/hid-roccat-kone.c
602 ++++ b/drivers/hid/hid-roccat-kone.c
603 +@@ -299,31 +299,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj,
604 + struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev));
605 + struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev));
606 + int retval = 0, difference, old_profile;
607 ++ struct kone_settings *settings = (struct kone_settings *)buf;
608 +
609 + /* I need to get my data in one piece */
610 + if (off != 0 || count != sizeof(struct kone_settings))
611 + return -EINVAL;
612 +
613 + mutex_lock(&kone->kone_lock);
614 +- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings));
615 ++ difference = memcmp(settings, &kone->settings,
616 ++ sizeof(struct kone_settings));
617 + if (difference) {
618 +- retval = kone_set_settings(usb_dev,
619 +- (struct kone_settings const *)buf);
620 +- if (retval) {
621 +- mutex_unlock(&kone->kone_lock);
622 +- return retval;
623 ++ if (settings->startup_profile < 1 ||
624 ++ settings->startup_profile > 5) {
625 ++ retval = -EINVAL;
626 ++ goto unlock;
627 + }
628 +
629 ++ retval = kone_set_settings(usb_dev, settings);
630 ++ if (retval)
631 ++ goto unlock;
632 ++
633 + old_profile = kone->settings.startup_profile;
634 +- memcpy(&kone->settings, buf, sizeof(struct kone_settings));
635 ++ memcpy(&kone->settings, settings, sizeof(struct kone_settings));
636 +
637 + kone_profile_activated(kone, kone->settings.startup_profile);
638 +
639 + if (kone->settings.startup_profile != old_profile)
640 + kone_profile_report(kone, kone->settings.startup_profile);
641 + }
642 ++unlock:
643 + mutex_unlock(&kone->kone_lock);
644 +
645 ++ if (retval)
646 ++ return retval;
647 ++
648 + return sizeof(struct kone_settings);
649 + }
650 + static BIN_ATTR(settings, 0660, kone_sysfs_read_settings,
651 +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c
652 +index 5dc920fe13269..c8c586c78d071 100644
653 +--- a/drivers/infiniband/hw/mlx4/cm.c
654 ++++ b/drivers/infiniband/hw/mlx4/cm.c
655 +@@ -309,6 +309,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id)
656 + if (!sriov->is_going_down) {
657 + id->scheduled_delete = 1;
658 + schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
659 ++ } else if (id->scheduled_delete) {
660 ++ /* Adjust timeout if already scheduled */
661 ++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
662 + }
663 + spin_unlock_irqrestore(&sriov->going_down_lock, flags);
664 + spin_unlock(&sriov->id_map_lock);
665 +diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c
666 +index f77b295e0123e..01788a78041b3 100644
667 +--- a/drivers/input/keyboard/ep93xx_keypad.c
668 ++++ b/drivers/input/keyboard/ep93xx_keypad.c
669 +@@ -257,8 +257,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev)
670 + }
671 +
672 + keypad->irq = platform_get_irq(pdev, 0);
673 +- if (!keypad->irq) {
674 +- err = -ENXIO;
675 ++ if (keypad->irq < 0) {
676 ++ err = keypad->irq;
677 + goto failed_free;
678 + }
679 +
680 +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c
681 +index 3d2c60c8de830..c6a468dfdfb48 100644
682 +--- a/drivers/input/keyboard/omap4-keypad.c
683 ++++ b/drivers/input/keyboard/omap4-keypad.c
684 +@@ -253,10 +253,8 @@ static int omap4_keypad_probe(struct platform_device *pdev)
685 + }
686 +
687 + irq = platform_get_irq(pdev, 0);
688 +- if (!irq) {
689 +- dev_err(&pdev->dev, "no keyboard irq assigned\n");
690 +- return -EINVAL;
691 +- }
692 ++ if (irq < 0)
693 ++ return irq;
694 +
695 + keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL);
696 + if (!keypad_data) {
697 +diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c
698 +index 04b96fe393397..46512b4d686a8 100644
699 +--- a/drivers/input/serio/sun4i-ps2.c
700 ++++ b/drivers/input/serio/sun4i-ps2.c
701 +@@ -210,7 +210,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev)
702 + struct sun4i_ps2data *drvdata;
703 + struct serio *serio;
704 + struct device *dev = &pdev->dev;
705 +- unsigned int irq;
706 + int error;
707 +
708 + drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL);
709 +@@ -263,14 +262,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev)
710 + writel(0, drvdata->reg_base + PS2_REG_GCTL);
711 +
712 + /* Get IRQ for the device */
713 +- irq = platform_get_irq(pdev, 0);
714 +- if (!irq) {
715 +- dev_err(dev, "no IRQ found\n");
716 +- error = -ENXIO;
717 ++ drvdata->irq = platform_get_irq(pdev, 0);
718 ++ if (drvdata->irq < 0) {
719 ++ error = drvdata->irq;
720 + goto err_disable_clk;
721 + }
722 +
723 +- drvdata->irq = irq;
724 + drvdata->serio = serio;
725 + drvdata->dev = dev;
726 +
727 +diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c
728 +index 8275267eac254..4be7ddc04af0f 100644
729 +--- a/drivers/input/touchscreen/imx6ul_tsc.c
730 ++++ b/drivers/input/touchscreen/imx6ul_tsc.c
731 +@@ -490,20 +490,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev)
732 +
733 + mutex_lock(&input_dev->mutex);
734 +
735 +- if (input_dev->users) {
736 +- retval = clk_prepare_enable(tsc->adc_clk);
737 +- if (retval)
738 +- goto out;
739 +-
740 +- retval = clk_prepare_enable(tsc->tsc_clk);
741 +- if (retval) {
742 +- clk_disable_unprepare(tsc->adc_clk);
743 +- goto out;
744 +- }
745 ++ if (!input_dev->users)
746 ++ goto out;
747 +
748 +- retval = imx6ul_tsc_init(tsc);
749 ++ retval = clk_prepare_enable(tsc->adc_clk);
750 ++ if (retval)
751 ++ goto out;
752 ++
753 ++ retval = clk_prepare_enable(tsc->tsc_clk);
754 ++ if (retval) {
755 ++ clk_disable_unprepare(tsc->adc_clk);
756 ++ goto out;
757 + }
758 +
759 ++ retval = imx6ul_tsc_init(tsc);
760 ++ if (retval) {
761 ++ clk_disable_unprepare(tsc->tsc_clk);
762 ++ clk_disable_unprepare(tsc->adc_clk);
763 ++ goto out;
764 ++ }
765 + out:
766 + mutex_unlock(&input_dev->mutex);
767 + return retval;
768 +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
769 +index 5d634706a7eaa..382f290c3f4d5 100644
770 +--- a/drivers/media/firewire/firedtv-fw.c
771 ++++ b/drivers/media/firewire/firedtv-fw.c
772 +@@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
773 +
774 + name_len = fw_csr_string(unit->directory, CSR_MODEL,
775 + name, sizeof(name));
776 +- if (name_len < 0)
777 +- return name_len;
778 ++ if (name_len < 0) {
779 ++ err = name_len;
780 ++ goto fail_free;
781 ++ }
782 + for (i = ARRAY_SIZE(model_names); --i; )
783 + if (strlen(model_names[i]) <= name_len &&
784 + strncmp(name, model_names[i], name_len) == 0)
785 +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c
786 +index 6404c0d93e7af..514267680dc96 100644
787 +--- a/drivers/media/i2c/m5mols/m5mols_core.c
788 ++++ b/drivers/media/i2c/m5mols/m5mols_core.c
789 +@@ -754,7 +754,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable)
790 +
791 + ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies);
792 + if (ret) {
793 +- info->set_power(&client->dev, 0);
794 ++ if (info->set_power)
795 ++ info->set_power(&client->dev, 0);
796 + return ret;
797 + }
798 +
799 +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
800 +index bc630a7197761..1e95fdb61041b 100644
801 +--- a/drivers/media/i2c/tc358743.c
802 ++++ b/drivers/media/i2c/tc358743.c
803 +@@ -1325,7 +1325,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled)
804 + static irqreturn_t tc358743_irq_handler(int irq, void *dev_id)
805 + {
806 + struct tc358743_state *state = dev_id;
807 +- bool handled;
808 ++ bool handled = false;
809 +
810 + tc358743_isr(&state->sd, 0, &handled);
811 +
812 +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
813 +index 51dbef2f9a489..10c9c078af014 100644
814 +--- a/drivers/media/pci/bt8xx/bttv-driver.c
815 ++++ b/drivers/media/pci/bt8xx/bttv-driver.c
816 +@@ -4053,11 +4053,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
817 + btv->id = dev->device;
818 + if (pci_enable_device(dev)) {
819 + pr_warn("%d: Can't enable device\n", btv->c.nr);
820 +- return -EIO;
821 ++ result = -EIO;
822 ++ goto free_mem;
823 + }
824 + if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) {
825 + pr_warn("%d: No suitable DMA available\n", btv->c.nr);
826 +- return -EIO;
827 ++ result = -EIO;
828 ++ goto free_mem;
829 + }
830 + if (!request_mem_region(pci_resource_start(dev,0),
831 + pci_resource_len(dev,0),
832 +@@ -4065,7 +4067,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
833 + pr_warn("%d: can't request iomem (0x%llx)\n",
834 + btv->c.nr,
835 + (unsigned long long)pci_resource_start(dev, 0));
836 +- return -EBUSY;
837 ++ result = -EBUSY;
838 ++ goto free_mem;
839 + }
840 + pci_set_master(dev);
841 + pci_set_command(dev);
842 +@@ -4251,6 +4254,10 @@ fail0:
843 + release_mem_region(pci_resource_start(btv->c.pci,0),
844 + pci_resource_len(btv->c.pci,0));
845 + pci_disable_device(btv->c.pci);
846 ++
847 ++free_mem:
848 ++ bttvs[btv->c.nr] = NULL;
849 ++ kfree(btv);
850 + return result;
851 + }
852 +
853 +diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c
854 +index 21a579309575d..02407983ce236 100644
855 +--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c
856 ++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c
857 +@@ -696,7 +696,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value)
858 + {
859 + int err;
860 +
861 +- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value);
862 ++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n",
863 ++ (reg << 2) & 0xffffffff, value);
864 + err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR);
865 + if (err < 0)
866 + return err;
867 +diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c
868 +index 5d78f5716f3b8..ad280c5258b34 100644
869 +--- a/drivers/media/platform/exynos4-is/fimc-isp.c
870 ++++ b/drivers/media/platform/exynos4-is/fimc-isp.c
871 +@@ -311,8 +311,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on)
872 +
873 + if (on) {
874 + ret = pm_runtime_get_sync(&is->pdev->dev);
875 +- if (ret < 0)
876 ++ if (ret < 0) {
877 ++ pm_runtime_put(&is->pdev->dev);
878 + return ret;
879 ++ }
880 + set_bit(IS_ST_PWR_ON, &is->state);
881 +
882 + ret = fimc_is_start_firmware(is);
883 +diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c
884 +index 60660c3a5de0d..65b33470a1b1b 100644
885 +--- a/drivers/media/platform/exynos4-is/fimc-lite.c
886 ++++ b/drivers/media/platform/exynos4-is/fimc-lite.c
887 +@@ -487,7 +487,7 @@ static int fimc_lite_open(struct file *file)
888 + set_bit(ST_FLITE_IN_USE, &fimc->state);
889 + ret = pm_runtime_get_sync(&fimc->pdev->dev);
890 + if (ret < 0)
891 +- goto unlock;
892 ++ goto err_pm;
893 +
894 + ret = v4l2_fh_open(file);
895 + if (ret < 0)
896 +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
897 +index 31cc7d94064e3..76fadd3e3ada2 100644
898 +--- a/drivers/media/platform/exynos4-is/media-dev.c
899 ++++ b/drivers/media/platform/exynos4-is/media-dev.c
900 +@@ -413,8 +413,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd)
901 + return -ENXIO;
902 +
903 + ret = pm_runtime_get_sync(fmd->pmf);
904 +- if (ret < 0)
905 ++ if (ret < 0) {
906 ++ pm_runtime_put(fmd->pmf);
907 + return ret;
908 ++ }
909 +
910 + fmd->num_sensors = 0;
911 +
912 +@@ -1170,11 +1172,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd)
913 + if (IS_ERR(pctl->state_default))
914 + return PTR_ERR(pctl->state_default);
915 +
916 ++ /* PINCTRL_STATE_IDLE is optional */
917 + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl,
918 + PINCTRL_STATE_IDLE);
919 +- if (IS_ERR(pctl->state_idle))
920 +- return PTR_ERR(pctl->state_idle);
921 +-
922 + return 0;
923 + }
924 +
925 +diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c
926 +index 4b85105dc159b..4f7a0f59f36c2 100644
927 +--- a/drivers/media/platform/exynos4-is/mipi-csis.c
928 ++++ b/drivers/media/platform/exynos4-is/mipi-csis.c
929 +@@ -513,8 +513,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable)
930 + if (enable) {
931 + s5pcsis_clear_counters(state);
932 + ret = pm_runtime_get_sync(&state->pdev->dev);
933 +- if (ret && ret != 1)
934 ++ if (ret && ret != 1) {
935 ++ pm_runtime_put_noidle(&state->pdev->dev);
936 + return ret;
937 ++ }
938 + }
939 +
940 + mutex_lock(&state->lock);
941 +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
942 +index f41e0d08de93e..4c6842202e47c 100644
943 +--- a/drivers/media/platform/omap3isp/isp.c
944 ++++ b/drivers/media/platform/omap3isp/isp.c
945 +@@ -2388,8 +2388,10 @@ static int isp_probe(struct platform_device *pdev)
946 + mem = platform_get_resource(pdev, IORESOURCE_MEM, i);
947 + isp->mmio_base[map_idx] =
948 + devm_ioremap_resource(isp->dev, mem);
949 +- if (IS_ERR(isp->mmio_base[map_idx]))
950 +- return PTR_ERR(isp->mmio_base[map_idx]);
951 ++ if (IS_ERR(isp->mmio_base[map_idx])) {
952 ++ ret = PTR_ERR(isp->mmio_base[map_idx]);
953 ++ goto error;
954 ++ }
955 + }
956 +
957 + ret = isp_get_clocks(isp);
958 +diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
959 +index a00dfaa1b945d..6c97063cb3b3f 100644
960 +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
961 ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
962 +@@ -1369,7 +1369,7 @@ static int bdisp_probe(struct platform_device *pdev)
963 + ret = pm_runtime_get_sync(dev);
964 + if (ret < 0) {
965 + dev_err(dev, "failed to set PM\n");
966 +- goto err_dbg;
967 ++ goto err_pm;
968 + }
969 +
970 + /* Continuous memory allocator */
971 +@@ -1406,7 +1406,6 @@ err_vb2_dma:
972 + vb2_dma_contig_cleanup_ctx(bdisp->alloc_ctx);
973 + err_pm:
974 + pm_runtime_put(dev);
975 +-err_dbg:
976 + bdisp_debugfs_remove(bdisp);
977 + err_v4l2:
978 + v4l2_device_unregister(&bdisp->v4l2_dev);
979 +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
980 +index b5f8c425cd2ef..8a3714bfb77e8 100644
981 +--- a/drivers/media/platform/ti-vpe/vpe.c
982 ++++ b/drivers/media/platform/ti-vpe/vpe.c
983 +@@ -2135,6 +2135,8 @@ static int vpe_runtime_get(struct platform_device *pdev)
984 +
985 + r = pm_runtime_get_sync(&pdev->dev);
986 + WARN_ON(r < 0);
987 ++ if (r)
988 ++ pm_runtime_put_noidle(&pdev->dev);
989 + return r < 0 ? r : 0;
990 + }
991 +
992 +diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c
993 +index a35631891cc00..3c3f4c4f6be40 100644
994 +--- a/drivers/media/rc/ati_remote.c
995 ++++ b/drivers/media/rc/ati_remote.c
996 +@@ -843,6 +843,10 @@ static int ati_remote_probe(struct usb_interface *interface,
997 + err("%s: endpoint_in message size==0? \n", __func__);
998 + return -ENODEV;
999 + }
1000 ++ if (!usb_endpoint_is_int_out(endpoint_out)) {
1001 ++ err("%s: Unexpected endpoint_out\n", __func__);
1002 ++ return -ENODEV;
1003 ++ }
1004 +
1005 + ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL);
1006 + rc_dev = rc_allocate_device();
1007 +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
1008 +index 0e7d16fe84d42..a0a544628053d 100644
1009 +--- a/drivers/media/usb/uvc/uvc_v4l2.c
1010 ++++ b/drivers/media/usb/uvc/uvc_v4l2.c
1011 +@@ -242,11 +242,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream,
1012 + if (ret < 0)
1013 + goto done;
1014 +
1015 ++ /* After the probe, update fmt with the values returned from
1016 ++ * negotiation with the device.
1017 ++ */
1018 ++ for (i = 0; i < stream->nformats; ++i) {
1019 ++ if (probe->bFormatIndex == stream->format[i].index) {
1020 ++ format = &stream->format[i];
1021 ++ break;
1022 ++ }
1023 ++ }
1024 ++
1025 ++ if (i == stream->nformats) {
1026 ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n",
1027 ++ probe->bFormatIndex);
1028 ++ return -EINVAL;
1029 ++ }
1030 ++
1031 ++ for (i = 0; i < format->nframes; ++i) {
1032 ++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) {
1033 ++ frame = &format->frame[i];
1034 ++ break;
1035 ++ }
1036 ++ }
1037 ++
1038 ++ if (i == format->nframes) {
1039 ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n",
1040 ++ probe->bFrameIndex);
1041 ++ return -EINVAL;
1042 ++ }
1043 ++
1044 + fmt->fmt.pix.width = frame->wWidth;
1045 + fmt->fmt.pix.height = frame->wHeight;
1046 + fmt->fmt.pix.field = V4L2_FIELD_NONE;
1047 + fmt->fmt.pix.bytesperline = format->bpp * frame->wWidth / 8;
1048 + fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize;
1049 ++ fmt->fmt.pix.pixelformat = format->fcc;
1050 + fmt->fmt.pix.colorspace = format->colorspace;
1051 + fmt->fmt.pix.priv = 0;
1052 +
1053 +diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c
1054 +index 662d050243bec..2fbf8d09af36b 100644
1055 +--- a/drivers/memory/fsl-corenet-cf.c
1056 ++++ b/drivers/memory/fsl-corenet-cf.c
1057 +@@ -215,10 +215,8 @@ static int ccf_probe(struct platform_device *pdev)
1058 + dev_set_drvdata(&pdev->dev, ccf);
1059 +
1060 + irq = platform_get_irq(pdev, 0);
1061 +- if (!irq) {
1062 +- dev_err(&pdev->dev, "%s: no irq\n", __func__);
1063 +- return -ENXIO;
1064 +- }
1065 ++ if (irq < 0)
1066 ++ return irq;
1067 +
1068 + ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf);
1069 + if (ret) {
1070 +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
1071 +index 49691a8c74ee9..af187c91fc33b 100644
1072 +--- a/drivers/memory/omap-gpmc.c
1073 ++++ b/drivers/memory/omap-gpmc.c
1074 +@@ -928,7 +928,7 @@ static int gpmc_cs_remap(int cs, u32 base)
1075 + int ret;
1076 + u32 old_base, size;
1077 +
1078 +- if (cs > gpmc_cs_num) {
1079 ++ if (cs >= gpmc_cs_num) {
1080 + pr_err("%s: requested chip-select is disabled\n", __func__);
1081 + return -ENODEV;
1082 + }
1083 +@@ -963,7 +963,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base)
1084 + struct resource *res = &gpmc->mem;
1085 + int r = -1;
1086 +
1087 +- if (cs > gpmc_cs_num) {
1088 ++ if (cs >= gpmc_cs_num) {
1089 + pr_err("%s: requested chip-select is disabled\n", __func__);
1090 + return -ENODEV;
1091 + }
1092 +diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c
1093 +index 98029ee0959e3..be61f8606a045 100644
1094 +--- a/drivers/mfd/rtsx_pcr.c
1095 ++++ b/drivers/mfd/rtsx_pcr.c
1096 +@@ -1255,12 +1255,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev,
1097 + ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells,
1098 + ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL);
1099 + if (ret < 0)
1100 +- goto disable_irq;
1101 ++ goto free_slots;
1102 +
1103 + schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200));
1104 +
1105 + return 0;
1106 +
1107 ++free_slots:
1108 ++ kfree(pcr->slots);
1109 + disable_irq:
1110 + free_irq(pcr->irq, (void *)pcr);
1111 + disable_msi:
1112 +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
1113 +index fbec711c41956..0fe273d2f6190 100644
1114 +--- a/drivers/mfd/sm501.c
1115 ++++ b/drivers/mfd/sm501.c
1116 +@@ -1430,8 +1430,14 @@ static int sm501_plat_probe(struct platform_device *dev)
1117 + goto err_claim;
1118 + }
1119 +
1120 +- return sm501_init_dev(sm);
1121 ++ ret = sm501_init_dev(sm);
1122 ++ if (ret)
1123 ++ goto err_unmap;
1124 ++
1125 ++ return 0;
1126 +
1127 ++ err_unmap:
1128 ++ iounmap(sm->regs);
1129 + err_claim:
1130 + release_resource(sm->regs_claim);
1131 + kfree(sm->regs_claim);
1132 +diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c
1133 +index 71c69e1c4ac05..4188b88c20a4a 100644
1134 +--- a/drivers/misc/mic/scif/scif_rma.c
1135 ++++ b/drivers/misc/mic/scif/scif_rma.c
1136 +@@ -1403,6 +1403,8 @@ retry:
1137 + NULL);
1138 + up_write(&mm->mmap_sem);
1139 + if (nr_pages != pinned_pages->nr_pages) {
1140 ++ if (pinned_pages->nr_pages < 0)
1141 ++ pinned_pages->nr_pages = 0;
1142 + if (try_upgrade) {
1143 + if (ulimit)
1144 + __scif_dec_pinned_vm_lock(mm,
1145 +@@ -1423,7 +1425,6 @@ retry:
1146 +
1147 + if (pinned_pages->nr_pages < nr_pages) {
1148 + err = -EFAULT;
1149 +- pinned_pages->nr_pages = nr_pages;
1150 + goto dec_pinned;
1151 + }
1152 +
1153 +@@ -1436,7 +1437,6 @@ dec_pinned:
1154 + __scif_dec_pinned_vm_lock(mm, nr_pages, 0);
1155 + /* Something went wrong! Rollback */
1156 + error_unmap:
1157 +- pinned_pages->nr_pages = nr_pages;
1158 + scif_destroy_pinned_pages(pinned_pages);
1159 + *pages = NULL;
1160 + dev_dbg(scif_info.mdev.this_device,
1161 +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
1162 +index 3877f534fd3f4..e57340e980c4b 100644
1163 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
1164 ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
1165 +@@ -758,8 +758,9 @@ static int qp_host_get_user_memory(u64 produce_uva,
1166 + if (retval < (int)produce_q->kernel_if->num_pages) {
1167 + pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
1168 + retval);
1169 +- qp_release_pages(produce_q->kernel_if->u.h.header_page,
1170 +- retval, false);
1171 ++ if (retval > 0)
1172 ++ qp_release_pages(produce_q->kernel_if->u.h.header_page,
1173 ++ retval, false);
1174 + err = VMCI_ERROR_NO_MEM;
1175 + goto out;
1176 + }
1177 +@@ -770,8 +771,9 @@ static int qp_host_get_user_memory(u64 produce_uva,
1178 + if (retval < (int)consume_q->kernel_if->num_pages) {
1179 + pr_debug("get_user_pages_fast(consume) failed (retval=%d)",
1180 + retval);
1181 +- qp_release_pages(consume_q->kernel_if->u.h.header_page,
1182 +- retval, false);
1183 ++ if (retval > 0)
1184 ++ qp_release_pages(consume_q->kernel_if->u.h.header_page,
1185 ++ retval, false);
1186 + qp_release_pages(produce_q->kernel_if->u.h.header_page,
1187 + produce_q->kernel_if->num_pages, false);
1188 + err = VMCI_ERROR_NO_MEM;
1189 +diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
1190 +index 8e94e555b788d..8651bd30863d4 100644
1191 +--- a/drivers/mmc/core/sdio_cis.c
1192 ++++ b/drivers/mmc/core/sdio_cis.c
1193 +@@ -30,6 +30,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
1194 + unsigned i, nr_strings;
1195 + char **buffer, *string;
1196 +
1197 ++ if (size < 2)
1198 ++ return 0;
1199 ++
1200 + /* Find all null-terminated (including zero length) strings in
1201 + the TPLLV1_INFO field. Trailing garbage is ignored. */
1202 + buf += 2;
1203 +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c
1204 +index 2342277c9bcb0..5e36366d9b36d 100644
1205 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c
1206 ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c
1207 +@@ -408,6 +408,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add,
1208 + return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK);
1209 + }
1210 +
1211 ++static const struct mtd_info lpddr2_nvm_mtd_info = {
1212 ++ .type = MTD_RAM,
1213 ++ .writesize = 1,
1214 ++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK),
1215 ++ ._read = lpddr2_nvm_read,
1216 ++ ._write = lpddr2_nvm_write,
1217 ++ ._erase = lpddr2_nvm_erase,
1218 ++ ._unlock = lpddr2_nvm_unlock,
1219 ++ ._lock = lpddr2_nvm_lock,
1220 ++};
1221 ++
1222 + /*
1223 + * lpddr2_nvm driver probe method
1224 + */
1225 +@@ -448,6 +459,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
1226 + .pfow_base = OW_BASE_ADDRESS,
1227 + .fldrv_priv = pcm_data,
1228 + };
1229 ++
1230 + if (IS_ERR(map->virt))
1231 + return PTR_ERR(map->virt);
1232 +
1233 +@@ -459,22 +471,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
1234 + return PTR_ERR(pcm_data->ctl_regs);
1235 +
1236 + /* Populate mtd_info data structure */
1237 +- *mtd = (struct mtd_info) {
1238 +- .dev = { .parent = &pdev->dev },
1239 +- .name = pdev->dev.init_name,
1240 +- .type = MTD_RAM,
1241 +- .priv = map,
1242 +- .size = resource_size(add_range),
1243 +- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width,
1244 +- .writesize = 1,
1245 +- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width,
1246 +- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK),
1247 +- ._read = lpddr2_nvm_read,
1248 +- ._write = lpddr2_nvm_write,
1249 +- ._erase = lpddr2_nvm_erase,
1250 +- ._unlock = lpddr2_nvm_unlock,
1251 +- ._lock = lpddr2_nvm_lock,
1252 +- };
1253 ++ *mtd = lpddr2_nvm_mtd_info;
1254 ++ mtd->dev.parent = &pdev->dev;
1255 ++ mtd->name = pdev->dev.init_name;
1256 ++ mtd->priv = map;
1257 ++ mtd->size = resource_size(add_range);
1258 ++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width;
1259 ++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width;
1260 +
1261 + /* Verify the presence of the device looking for PFOW string */
1262 + if (!lpddr2_nvm_pfow_present(map)) {
1263 +diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
1264 +index 97bb8f6304d4f..09165eaac7a15 100644
1265 +--- a/drivers/mtd/mtdoops.c
1266 ++++ b/drivers/mtd/mtdoops.c
1267 +@@ -313,12 +313,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper,
1268 + kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE,
1269 + record_size - MTDOOPS_HEADER_SIZE, NULL);
1270 +
1271 +- /* Panics must be written immediately */
1272 +- if (reason != KMSG_DUMP_OOPS)
1273 ++ if (reason != KMSG_DUMP_OOPS) {
1274 ++ /* Panics must be written immediately */
1275 + mtdoops_write(cxt, 1);
1276 +-
1277 +- /* For other cases, schedule work to write it "nicely" */
1278 +- schedule_work(&cxt->work_write);
1279 ++ } else {
1280 ++ /* For other cases, schedule work to write it "nicely" */
1281 ++ schedule_work(&cxt->work_write);
1282 ++ }
1283 + }
1284 +
1285 + static void mtdoops_notify_add(struct mtd_info *mtd)
1286 +diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h
1287 +index 7ba6d530b0c0a..230a4157ae9d0 100644
1288 +--- a/drivers/net/ethernet/cisco/enic/enic.h
1289 ++++ b/drivers/net/ethernet/cisco/enic/enic.h
1290 +@@ -163,6 +163,7 @@ struct enic {
1291 + u16 num_vfs;
1292 + #endif
1293 + spinlock_t enic_api_lock;
1294 ++ bool enic_api_busy;
1295 + struct enic_port_profile *pp;
1296 +
1297 + /* work queue cache line section */
1298 +diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c
1299 +index b161f24522b87..b028ea2dec2b9 100644
1300 +--- a/drivers/net/ethernet/cisco/enic/enic_api.c
1301 ++++ b/drivers/net/ethernet/cisco/enic/enic_api.c
1302 +@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf,
1303 + struct vnic_dev *vdev = enic->vdev;
1304 +
1305 + spin_lock(&enic->enic_api_lock);
1306 ++ while (enic->enic_api_busy) {
1307 ++ spin_unlock(&enic->enic_api_lock);
1308 ++ cpu_relax();
1309 ++ spin_lock(&enic->enic_api_lock);
1310 ++ }
1311 ++
1312 + spin_lock_bh(&enic->devcmd_lock);
1313 +
1314 + vnic_dev_cmd_proxy_by_index_start(vdev, vf);
1315 +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
1316 +index 3fd1cba0c7ec3..5c74e55b75e52 100644
1317 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c
1318 ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
1319 +@@ -1938,8 +1938,6 @@ static int enic_dev_wait(struct vnic_dev *vdev,
1320 + int done;
1321 + int err;
1322 +
1323 +- BUG_ON(in_interrupt());
1324 +-
1325 + err = start(vdev, arg);
1326 + if (err)
1327 + return err;
1328 +@@ -2116,6 +2114,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic)
1329 + rss_hash_bits, rss_base_cpu, rss_enable);
1330 + }
1331 +
1332 ++static void enic_set_api_busy(struct enic *enic, bool busy)
1333 ++{
1334 ++ spin_lock(&enic->enic_api_lock);
1335 ++ enic->enic_api_busy = busy;
1336 ++ spin_unlock(&enic->enic_api_lock);
1337 ++}
1338 ++
1339 + static void enic_reset(struct work_struct *work)
1340 + {
1341 + struct enic *enic = container_of(work, struct enic, reset);
1342 +@@ -2125,7 +2130,9 @@ static void enic_reset(struct work_struct *work)
1343 +
1344 + rtnl_lock();
1345 +
1346 +- spin_lock(&enic->enic_api_lock);
1347 ++ /* Stop any activity from infiniband */
1348 ++ enic_set_api_busy(enic, true);
1349 ++
1350 + enic_stop(enic->netdev);
1351 + enic_dev_soft_reset(enic);
1352 + enic_reset_addr_lists(enic);
1353 +@@ -2133,7 +2140,10 @@ static void enic_reset(struct work_struct *work)
1354 + enic_set_rss_nic_cfg(enic);
1355 + enic_dev_set_ig_vlan_rewrite_mode(enic);
1356 + enic_open(enic->netdev);
1357 +- spin_unlock(&enic->enic_api_lock);
1358 ++
1359 ++ /* Allow infiniband to fiddle with the device again */
1360 ++ enic_set_api_busy(enic, false);
1361 ++
1362 + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev);
1363 +
1364 + rtnl_unlock();
1365 +@@ -2145,7 +2155,9 @@ static void enic_tx_hang_reset(struct work_struct *work)
1366 +
1367 + rtnl_lock();
1368 +
1369 +- spin_lock(&enic->enic_api_lock);
1370 ++ /* Stop any activity from infiniband */
1371 ++ enic_set_api_busy(enic, true);
1372 ++
1373 + enic_dev_hang_notify(enic);
1374 + enic_stop(enic->netdev);
1375 + enic_dev_hang_reset(enic);
1376 +@@ -2154,7 +2166,10 @@ static void enic_tx_hang_reset(struct work_struct *work)
1377 + enic_set_rss_nic_cfg(enic);
1378 + enic_dev_set_ig_vlan_rewrite_mode(enic);
1379 + enic_open(enic->netdev);
1380 +- spin_unlock(&enic->enic_api_lock);
1381 ++
1382 ++ /* Allow infiniband to fiddle with the device again */
1383 ++ enic_set_api_busy(enic, false);
1384 ++
1385 + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev);
1386 +
1387 + rtnl_unlock();
1388 +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
1389 +index b46fc37c1a947..18d17a7bba6c6 100644
1390 +--- a/drivers/net/ethernet/ibm/ibmveth.c
1391 ++++ b/drivers/net/ethernet/ibm/ibmveth.c
1392 +@@ -1254,6 +1254,7 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
1393 + int offset = ibmveth_rxq_frame_offset(adapter);
1394 + int csum_good = ibmveth_rxq_csum_good(adapter);
1395 + int lrg_pkt = ibmveth_rxq_large_packet(adapter);
1396 ++ __sum16 iph_check = 0;
1397 +
1398 + skb = ibmveth_rxq_get_buffer(adapter);
1399 +
1400 +@@ -1305,7 +1306,17 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
1401 + }
1402 + }
1403 +
1404 +- if (length > netdev->mtu + ETH_HLEN) {
1405 ++ /* PHYP without PLSO support places a -1 in the ip
1406 ++ * checksum for large send frames.
1407 ++ */
1408 ++ if (skb->protocol == cpu_to_be16(ETH_P_IP)) {
1409 ++ struct iphdr *iph = (struct iphdr *)skb->data;
1410 ++
1411 ++ iph_check = iph->check;
1412 ++ }
1413 ++
1414 ++ if ((length > netdev->mtu + ETH_HLEN) ||
1415 ++ lrg_pkt || iph_check == 0xffff) {
1416 + ibmveth_rx_mss_helper(skb, mss, lrg_pkt);
1417 + adapter->rx_large_packets++;
1418 + }
1419 +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
1420 +index 07eabf72c480c..b491de946a0e6 100644
1421 +--- a/drivers/net/ethernet/korina.c
1422 ++++ b/drivers/net/ethernet/korina.c
1423 +@@ -1188,7 +1188,7 @@ out:
1424 + return rc;
1425 +
1426 + probe_err_register:
1427 +- kfree(lp->td_ring);
1428 ++ kfree((struct dma_desc *)KSEG0ADDR(lp->td_ring));
1429 + probe_err_td_ring:
1430 + iounmap(lp->tx_dma_regs);
1431 + probe_err_dma_tx:
1432 +@@ -1208,6 +1208,7 @@ static int korina_remove(struct platform_device *pdev)
1433 + iounmap(lp->eth_regs);
1434 + iounmap(lp->rx_dma_regs);
1435 + iounmap(lp->tx_dma_regs);
1436 ++ kfree((struct dma_desc *)KSEG0ADDR(lp->td_ring));
1437 +
1438 + unregister_netdev(bif->dev);
1439 + free_netdev(bif->dev);
1440 +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
1441 +index 8f40e121f7d49..f3a685d3f6497 100644
1442 +--- a/drivers/net/ethernet/realtek/r8169.c
1443 ++++ b/drivers/net/ethernet/realtek/r8169.c
1444 +@@ -4452,6 +4452,62 @@ static void rtl_rar_set(struct rtl8169_private *tp, u8 *addr)
1445 + rtl_unlock_work(tp);
1446 + }
1447 +
1448 ++static void rtl_init_rxcfg(struct rtl8169_private *tp)
1449 ++{
1450 ++ void __iomem *ioaddr = tp->mmio_addr;
1451 ++
1452 ++ switch (tp->mac_version) {
1453 ++ case RTL_GIGA_MAC_VER_01:
1454 ++ case RTL_GIGA_MAC_VER_02:
1455 ++ case RTL_GIGA_MAC_VER_03:
1456 ++ case RTL_GIGA_MAC_VER_04:
1457 ++ case RTL_GIGA_MAC_VER_05:
1458 ++ case RTL_GIGA_MAC_VER_06:
1459 ++ case RTL_GIGA_MAC_VER_10:
1460 ++ case RTL_GIGA_MAC_VER_11:
1461 ++ case RTL_GIGA_MAC_VER_12:
1462 ++ case RTL_GIGA_MAC_VER_13:
1463 ++ case RTL_GIGA_MAC_VER_14:
1464 ++ case RTL_GIGA_MAC_VER_15:
1465 ++ case RTL_GIGA_MAC_VER_16:
1466 ++ case RTL_GIGA_MAC_VER_17:
1467 ++ RTL_W32(RxConfig, RX_FIFO_THRESH | RX_DMA_BURST);
1468 ++ break;
1469 ++ case RTL_GIGA_MAC_VER_18:
1470 ++ case RTL_GIGA_MAC_VER_19:
1471 ++ case RTL_GIGA_MAC_VER_20:
1472 ++ case RTL_GIGA_MAC_VER_21:
1473 ++ case RTL_GIGA_MAC_VER_22:
1474 ++ case RTL_GIGA_MAC_VER_23:
1475 ++ case RTL_GIGA_MAC_VER_24:
1476 ++ case RTL_GIGA_MAC_VER_34:
1477 ++ case RTL_GIGA_MAC_VER_35:
1478 ++ RTL_W32(RxConfig, RX128_INT_EN | RX_MULTI_EN | RX_DMA_BURST);
1479 ++ break;
1480 ++ case RTL_GIGA_MAC_VER_40:
1481 ++ RTL_W32(RxConfig, RX128_INT_EN | RX_MULTI_EN | RX_DMA_BURST | RX_EARLY_OFF);
1482 ++ break;
1483 ++ case RTL_GIGA_MAC_VER_41:
1484 ++ case RTL_GIGA_MAC_VER_42:
1485 ++ case RTL_GIGA_MAC_VER_43:
1486 ++ case RTL_GIGA_MAC_VER_44:
1487 ++ case RTL_GIGA_MAC_VER_45:
1488 ++ case RTL_GIGA_MAC_VER_46:
1489 ++ case RTL_GIGA_MAC_VER_47:
1490 ++ case RTL_GIGA_MAC_VER_48:
1491 ++ RTL_W32(RxConfig, RX128_INT_EN | RX_DMA_BURST | RX_EARLY_OFF);
1492 ++ break;
1493 ++ case RTL_GIGA_MAC_VER_49:
1494 ++ case RTL_GIGA_MAC_VER_50:
1495 ++ case RTL_GIGA_MAC_VER_51:
1496 ++ RTL_W32(RxConfig, RX128_INT_EN | RX_MULTI_EN | RX_DMA_BURST | RX_EARLY_OFF);
1497 ++ break;
1498 ++ default:
1499 ++ RTL_W32(RxConfig, RX128_INT_EN | RX_DMA_BURST);
1500 ++ break;
1501 ++ }
1502 ++}
1503 ++
1504 + static int rtl_set_mac_address(struct net_device *dev, void *p)
1505 + {
1506 + struct rtl8169_private *tp = netdev_priv(dev);
1507 +@@ -4464,6 +4520,10 @@ static int rtl_set_mac_address(struct net_device *dev, void *p)
1508 +
1509 + rtl_rar_set(tp, dev->dev_addr);
1510 +
1511 ++ /* Reportedly at least Asus X453MA truncates packets otherwise */
1512 ++ if (tp->mac_version == RTL_GIGA_MAC_VER_37)
1513 ++ rtl_init_rxcfg(tp);
1514 ++
1515 + return 0;
1516 + }
1517 +
1518 +@@ -4901,62 +4961,6 @@ static void rtl_init_pll_power_ops(struct rtl8169_private *tp)
1519 + }
1520 + }
1521 +
1522 +-static void rtl_init_rxcfg(struct rtl8169_private *tp)
1523 +-{
1524 +- void __iomem *ioaddr = tp->mmio_addr;
1525 +-
1526 +- switch (tp->mac_version) {
1527 +- case RTL_GIGA_MAC_VER_01:
1528 +- case RTL_GIGA_MAC_VER_02:
1529 +- case RTL_GIGA_MAC_VER_03:
1530 +- case RTL_GIGA_MAC_VER_04:
1531 +- case RTL_GIGA_MAC_VER_05:
1532 +- case RTL_GIGA_MAC_VER_06:
1533 +- case RTL_GIGA_MAC_VER_10:
1534 +- case RTL_GIGA_MAC_VER_11:
1535 +- case RTL_GIGA_MAC_VER_12:
1536 +- case RTL_GIGA_MAC_VER_13:
1537 +- case RTL_GIGA_MAC_VER_14:
1538 +- case RTL_GIGA_MAC_VER_15:
1539 +- case RTL_GIGA_MAC_VER_16:
1540 +- case RTL_GIGA_MAC_VER_17:
1541 +- RTL_W32(RxConfig, RX_FIFO_THRESH | RX_DMA_BURST);
1542 +- break;
1543 +- case RTL_GIGA_MAC_VER_18:
1544 +- case RTL_GIGA_MAC_VER_19:
1545 +- case RTL_GIGA_MAC_VER_20:
1546 +- case RTL_GIGA_MAC_VER_21:
1547 +- case RTL_GIGA_MAC_VER_22:
1548 +- case RTL_GIGA_MAC_VER_23:
1549 +- case RTL_GIGA_MAC_VER_24:
1550 +- case RTL_GIGA_MAC_VER_34:
1551 +- case RTL_GIGA_MAC_VER_35:
1552 +- RTL_W32(RxConfig, RX128_INT_EN | RX_MULTI_EN | RX_DMA_BURST);
1553 +- break;
1554 +- case RTL_GIGA_MAC_VER_40:
1555 +- RTL_W32(RxConfig, RX128_INT_EN | RX_MULTI_EN | RX_DMA_BURST | RX_EARLY_OFF);
1556 +- break;
1557 +- case RTL_GIGA_MAC_VER_41:
1558 +- case RTL_GIGA_MAC_VER_42:
1559 +- case RTL_GIGA_MAC_VER_43:
1560 +- case RTL_GIGA_MAC_VER_44:
1561 +- case RTL_GIGA_MAC_VER_45:
1562 +- case RTL_GIGA_MAC_VER_46:
1563 +- case RTL_GIGA_MAC_VER_47:
1564 +- case RTL_GIGA_MAC_VER_48:
1565 +- RTL_W32(RxConfig, RX128_INT_EN | RX_DMA_BURST | RX_EARLY_OFF);
1566 +- break;
1567 +- case RTL_GIGA_MAC_VER_49:
1568 +- case RTL_GIGA_MAC_VER_50:
1569 +- case RTL_GIGA_MAC_VER_51:
1570 +- RTL_W32(RxConfig, RX128_INT_EN | RX_MULTI_EN | RX_DMA_BURST | RX_EARLY_OFF);
1571 +- break;
1572 +- default:
1573 +- RTL_W32(RxConfig, RX128_INT_EN | RX_DMA_BURST);
1574 +- break;
1575 +- }
1576 +-}
1577 +-
1578 + static void rtl8169_init_ring_indexes(struct rtl8169_private *tp)
1579 + {
1580 + tp->dirty_tx = tp->cur_tx = tp->cur_rx = 0;
1581 +diff --git a/drivers/net/wan/hdlc.c b/drivers/net/wan/hdlc.c
1582 +index 51f6cee8aab2d..b9216c3d49463 100644
1583 +--- a/drivers/net/wan/hdlc.c
1584 ++++ b/drivers/net/wan/hdlc.c
1585 +@@ -57,7 +57,15 @@ int hdlc_change_mtu(struct net_device *dev, int new_mtu)
1586 + static int hdlc_rcv(struct sk_buff *skb, struct net_device *dev,
1587 + struct packet_type *p, struct net_device *orig_dev)
1588 + {
1589 +- struct hdlc_device *hdlc = dev_to_hdlc(dev);
1590 ++ struct hdlc_device *hdlc;
1591 ++
1592 ++ /* First make sure "dev" is an HDLC device */
1593 ++ if (!(dev->priv_flags & IFF_WAN_HDLC)) {
1594 ++ kfree_skb(skb);
1595 ++ return NET_RX_SUCCESS;
1596 ++ }
1597 ++
1598 ++ hdlc = dev_to_hdlc(dev);
1599 +
1600 + if (!net_eq(dev_net(dev), &init_net)) {
1601 + kfree_skb(skb);
1602 +diff --git a/drivers/net/wan/hdlc_raw_eth.c b/drivers/net/wan/hdlc_raw_eth.c
1603 +index 3ab72b3082dee..bb7c362b23ad5 100644
1604 +--- a/drivers/net/wan/hdlc_raw_eth.c
1605 ++++ b/drivers/net/wan/hdlc_raw_eth.c
1606 +@@ -101,6 +101,7 @@ static int raw_eth_ioctl(struct net_device *dev, struct ifreq *ifr)
1607 + old_qlen = dev->tx_queue_len;
1608 + ether_setup(dev);
1609 + dev->tx_queue_len = old_qlen;
1610 ++ dev->priv_flags &= ~IFF_TX_SKB_SHARING;
1611 + eth_hw_addr_random(dev);
1612 + netif_dormant_off(dev);
1613 + return 0;
1614 +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
1615 +index a65b5d7f59f44..1c6c422dbad64 100644
1616 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
1617 ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
1618 +@@ -99,6 +99,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num)
1619 + BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2);
1620 +
1621 + idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr);
1622 ++
1623 ++ if (idx < 0 || idx >= htt->rx_ring.size) {
1624 ++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n");
1625 ++ idx &= htt->rx_ring.size_mask;
1626 ++ ret = -ENOMEM;
1627 ++ goto fail;
1628 ++ }
1629 ++
1630 + while (num > 0) {
1631 + skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN);
1632 + if (!skb) {
1633 +diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
1634 +index 1af3fed5a72ca..1a68518279689 100644
1635 +--- a/drivers/net/wireless/ath/ath6kl/main.c
1636 ++++ b/drivers/net/wireless/ath/ath6kl/main.c
1637 +@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,
1638 +
1639 + ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
1640 +
1641 ++ if (aid < 1 || aid > AP_MAX_NUM_STA)
1642 ++ return;
1643 ++
1644 + if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
1645 + struct ieee80211_mgmt *mgmt =
1646 + (struct ieee80211_mgmt *) assoc_info;
1647 +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
1648 +index b2ec254f154e0..7e1010475cfb2 100644
1649 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c
1650 ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
1651 +@@ -2644,6 +2644,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
1652 + return -EINVAL;
1653 + }
1654 +
1655 ++ if (tsid >= 16) {
1656 ++ ath6kl_err("invalid tsid: %d\n", tsid);
1657 ++ return -EINVAL;
1658 ++ }
1659 ++
1660 + skb = ath6kl_wmi_get_new_buf(sizeof(*cmd));
1661 + if (!skb)
1662 + return -ENOMEM;
1663 +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
1664 +index 76d91859cfde9..75072a8f8cf42 100644
1665 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
1666 ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
1667 +@@ -445,10 +445,19 @@ static void hif_usb_stop(void *hif_handle)
1668 + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1669 +
1670 + /* The pending URBs have to be canceled. */
1671 ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1672 + list_for_each_entry_safe(tx_buf, tx_buf_tmp,
1673 + &hif_dev->tx.tx_pending, list) {
1674 ++ usb_get_urb(tx_buf->urb);
1675 ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1676 + usb_kill_urb(tx_buf->urb);
1677 ++ list_del(&tx_buf->list);
1678 ++ usb_free_urb(tx_buf->urb);
1679 ++ kfree(tx_buf->buf);
1680 ++ kfree(tx_buf);
1681 ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1682 + }
1683 ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1684 +
1685 + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
1686 + }
1687 +@@ -758,27 +767,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
1688 + struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL;
1689 + unsigned long flags;
1690 +
1691 ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1692 + list_for_each_entry_safe(tx_buf, tx_buf_tmp,
1693 + &hif_dev->tx.tx_buf, list) {
1694 ++ usb_get_urb(tx_buf->urb);
1695 ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1696 + usb_kill_urb(tx_buf->urb);
1697 + list_del(&tx_buf->list);
1698 + usb_free_urb(tx_buf->urb);
1699 + kfree(tx_buf->buf);
1700 + kfree(tx_buf);
1701 ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1702 + }
1703 ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1704 +
1705 + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1706 + hif_dev->tx.flags |= HIF_USB_TX_FLUSH;
1707 + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1708 +
1709 ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1710 + list_for_each_entry_safe(tx_buf, tx_buf_tmp,
1711 + &hif_dev->tx.tx_pending, list) {
1712 ++ usb_get_urb(tx_buf->urb);
1713 ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1714 + usb_kill_urb(tx_buf->urb);
1715 + list_del(&tx_buf->list);
1716 + usb_free_urb(tx_buf->urb);
1717 + kfree(tx_buf->buf);
1718 + kfree(tx_buf);
1719 ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
1720 + }
1721 ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
1722 +
1723 + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
1724 + }
1725 +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
1726 +index 1af216aa5adae..625823e45d8f0 100644
1727 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
1728 ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
1729 +@@ -346,6 +346,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
1730 +
1731 + if (skb) {
1732 + htc_hdr = (struct htc_frame_hdr *) skb->data;
1733 ++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint))
1734 ++ goto ret;
1735 + endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id];
1736 + skb_pull(skb, sizeof(struct htc_frame_hdr));
1737 +
1738 +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
1739 +index a27279c2c6950..274d114962e8a 100644
1740 +--- a/drivers/net/wireless/ath/wcn36xx/main.c
1741 ++++ b/drivers/net/wireless/ath/wcn36xx/main.c
1742 +@@ -156,7 +156,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = {
1743 + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16,
1744 + .mcs = {
1745 + .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, },
1746 +- .rx_highest = cpu_to_le16(72),
1747 ++ .rx_highest = cpu_to_le16(150),
1748 + .tx_params = IEEE80211_HT_MCS_TX_DEFINED,
1749 + }
1750 + }
1751 +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
1752 +index f944f356d9c51..cacb43573f579 100644
1753 +--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
1754 ++++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
1755 +@@ -1530,6 +1530,8 @@ fail:
1756 + BRCMF_TX_IOCTL_MAX_MSG_SIZE,
1757 + msgbuf->ioctbuf,
1758 + msgbuf->ioctbuf_handle);
1759 ++ if (msgbuf->txflow_wq)
1760 ++ destroy_workqueue(msgbuf->txflow_wq);
1761 + kfree(msgbuf);
1762 + }
1763 + return -ENOMEM;
1764 +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c
1765 +index 93d4cde0eb313..c9f48ec46f4a1 100644
1766 +--- a/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c
1767 ++++ b/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c
1768 +@@ -5090,8 +5090,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi)
1769 + pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft;
1770 + pi->pi_fptr.detach = wlc_phy_detach_lcnphy;
1771 +
1772 +- if (!wlc_phy_txpwr_srom_read_lcnphy(pi))
1773 ++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) {
1774 ++ kfree(pi->u.pi_lcnphy);
1775 + return false;
1776 ++ }
1777 +
1778 + if (LCNREV_IS(pi->pubpi.phy_rev, 1)) {
1779 + if (pi_lcn->lcnphy_tempsense_option == 3) {
1780 +diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
1781 +index e7c8972431d34..e54dd4b7face6 100644
1782 +--- a/drivers/net/wireless/mwifiex/scan.c
1783 ++++ b/drivers/net/wireless/mwifiex/scan.c
1784 +@@ -1862,7 +1862,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
1785 + chan, CFG80211_BSS_FTYPE_UNKNOWN,
1786 + bssid, timestamp,
1787 + cap_info_bitmap, beacon_period,
1788 +- ie_buf, ie_len, rssi, GFP_KERNEL);
1789 ++ ie_buf, ie_len, rssi, GFP_ATOMIC);
1790 + if (bss) {
1791 + bss_priv = (struct mwifiex_bss_priv *)bss->priv;
1792 + bss_priv->band = band;
1793 +diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c
1794 +index 78a8474e1a3dc..abfe4e8700ed3 100644
1795 +--- a/drivers/net/wireless/mwifiex/sdio.c
1796 ++++ b/drivers/net/wireless/mwifiex/sdio.c
1797 +@@ -1928,6 +1928,8 @@ error:
1798 + kfree(card->mpa_rx.buf);
1799 + card->mpa_tx.buf_size = 0;
1800 + card->mpa_rx.buf_size = 0;
1801 ++ card->mpa_tx.buf = NULL;
1802 ++ card->mpa_rx.buf = NULL;
1803 + }
1804 +
1805 + return ret;
1806 +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
1807 +index 8254d4b22c50b..b8d387edde65c 100644
1808 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
1809 ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
1810 +@@ -5135,7 +5135,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw)
1811 + ret = usb_submit_urb(urb, GFP_KERNEL);
1812 + if (ret) {
1813 + usb_unanchor_urb(urb);
1814 +- usb_free_urb(urb);
1815 + goto error;
1816 + }
1817 +
1818 +@@ -5144,6 +5143,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw)
1819 + rtl8xxxu_write32(priv, REG_USB_HIMR, val32);
1820 +
1821 + error:
1822 ++ usb_free_urb(urb);
1823 + return ret;
1824 + }
1825 +
1826 +@@ -5424,6 +5424,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw)
1827 + struct rtl8xxxu_priv *priv = hw->priv;
1828 + struct rtl8xxxu_rx_urb *rx_urb;
1829 + struct rtl8xxxu_tx_urb *tx_urb;
1830 ++ struct sk_buff *skb;
1831 + unsigned long flags;
1832 + int ret, i;
1833 +
1834 +@@ -5472,6 +5473,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw)
1835 + rx_urb->hw = hw;
1836 +
1837 + ret = rtl8xxxu_submit_rx_urb(priv, rx_urb);
1838 ++ if (ret) {
1839 ++ if (ret != -ENOMEM) {
1840 ++ skb = (struct sk_buff *)rx_urb->urb.context;
1841 ++ dev_kfree_skb(skb);
1842 ++ }
1843 ++ rtl8xxxu_queue_rx_urb(priv, rx_urb);
1844 ++ }
1845 + }
1846 + exit:
1847 + /*
1848 +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c
1849 +index dab195f04da78..06ca0495f3e8e 100644
1850 +--- a/drivers/scsi/csiostor/csio_hw.c
1851 ++++ b/drivers/scsi/csiostor/csio_hw.c
1852 +@@ -1973,7 +1973,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info,
1853 + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c),
1854 + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k),
1855 + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k));
1856 +- ret = EINVAL;
1857 ++ ret = -EINVAL;
1858 + goto bye;
1859 + }
1860 +
1861 +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
1862 +index 0526a47e30a3f..db80ab8335dfb 100644
1863 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c
1864 ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
1865 +@@ -4790,6 +4790,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
1866 + if (IS_ERR(vhost->work_thread)) {
1867 + dev_err(dev, "Couldn't create kernel thread: %ld\n",
1868 + PTR_ERR(vhost->work_thread));
1869 ++ rc = PTR_ERR(vhost->work_thread);
1870 + goto free_host_mem;
1871 + }
1872 +
1873 +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
1874 +index 39285070f3b51..17ec51f9d9880 100644
1875 +--- a/drivers/scsi/mvumi.c
1876 ++++ b/drivers/scsi/mvumi.c
1877 +@@ -2476,6 +2476,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba)
1878 + if (IS_ERR(mhba->dm_thread)) {
1879 + dev_err(&mhba->pdev->dev,
1880 + "failed to create device scan thread\n");
1881 ++ ret = PTR_ERR(mhba->dm_thread);
1882 + mutex_unlock(&mhba->sas_discovery_mutex);
1883 + goto fail_create_thread;
1884 + }
1885 +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
1886 +index 3fda5836aac69..f10088a1d38c0 100644
1887 +--- a/drivers/scsi/qla4xxx/ql4_os.c
1888 ++++ b/drivers/scsi/qla4xxx/ql4_os.c
1889 +@@ -1223,7 +1223,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len)
1890 + le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error);
1891 + exit_host_stats:
1892 + if (ql_iscsi_stats)
1893 +- dma_free_coherent(&ha->pdev->dev, host_stats_size,
1894 ++ dma_free_coherent(&ha->pdev->dev, stats_size,
1895 + ql_iscsi_stats, iscsi_stats_dma);
1896 +
1897 + ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n",
1898 +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
1899 +index 5997b17311113..cba662c50f919 100644
1900 +--- a/drivers/tty/hvc/hvcs.c
1901 ++++ b/drivers/tty/hvc/hvcs.c
1902 +@@ -1232,13 +1232,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
1903 +
1904 + tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
1905 +
1906 +- /*
1907 +- * This line is important because it tells hvcs_open that this
1908 +- * device needs to be re-configured the next time hvcs_open is
1909 +- * called.
1910 +- */
1911 +- tty->driver_data = NULL;
1912 +-
1913 + free_irq(irq, hvcsd);
1914 + return;
1915 + } else if (hvcsd->port.count < 0) {
1916 +@@ -1254,6 +1247,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
1917 + {
1918 + struct hvcs_struct *hvcsd = tty->driver_data;
1919 +
1920 ++ /*
1921 ++ * This line is important because it tells hvcs_open that this
1922 ++ * device needs to be re-configured the next time hvcs_open is
1923 ++ * called.
1924 ++ */
1925 ++ tty->driver_data = NULL;
1926 ++
1927 + tty_port_put(&hvcsd->port);
1928 + }
1929 +
1930 +diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c
1931 +index c0dfb642383b2..dc7f4eb18e0a7 100644
1932 +--- a/drivers/tty/ipwireless/network.c
1933 ++++ b/drivers/tty/ipwireless/network.c
1934 +@@ -116,7 +116,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel,
1935 + skb->len,
1936 + notify_packet_sent,
1937 + network);
1938 +- if (ret == -1) {
1939 ++ if (ret < 0) {
1940 + skb_pull(skb, 2);
1941 + return 0;
1942 + }
1943 +@@ -133,7 +133,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel,
1944 + notify_packet_sent,
1945 + network);
1946 + kfree(buf);
1947 +- if (ret == -1)
1948 ++ if (ret < 0)
1949 + return 0;
1950 + }
1951 + kfree_skb(skb);
1952 +diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
1953 +index 345cebb07ae79..0b06b1847450f 100644
1954 +--- a/drivers/tty/ipwireless/tty.c
1955 ++++ b/drivers/tty/ipwireless/tty.c
1956 +@@ -217,7 +217,7 @@ static int ipw_write(struct tty_struct *linux_tty,
1957 + ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS,
1958 + buf, count,
1959 + ipw_write_packet_sent_callback, tty);
1960 +- if (ret == -1) {
1961 ++ if (ret < 0) {
1962 + mutex_unlock(&tty->ipw_tty_mutex);
1963 + return 0;
1964 + }
1965 +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
1966 +index c8a2e5b0eff76..8ee146b14aae8 100644
1967 +--- a/drivers/tty/pty.c
1968 ++++ b/drivers/tty/pty.c
1969 +@@ -115,10 +115,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
1970 + spin_lock_irqsave(&to->port->lock, flags);
1971 + /* Stuff the data into the input queue of the other end */
1972 + c = tty_insert_flip_string(to->port, buf, c);
1973 ++ spin_unlock_irqrestore(&to->port->lock, flags);
1974 + /* And shovel */
1975 + if (c)
1976 + tty_flip_buffer_push(to->port);
1977 +- spin_unlock_irqrestore(&to->port->lock, flags);
1978 + }
1979 + return c;
1980 + }
1981 +diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
1982 +index f38beb28e7ae6..5c3c86d4fe716 100644
1983 +--- a/drivers/tty/serial/Kconfig
1984 ++++ b/drivers/tty/serial/Kconfig
1985 +@@ -9,6 +9,7 @@ menu "Serial drivers"
1986 +
1987 + config SERIAL_EARLYCON
1988 + bool
1989 ++ depends on SERIAL_CORE
1990 + help
1991 + Support for early consoles with the earlycon parameter. This enables
1992 + the console before standard serial driver is probed. The console is
1993 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
1994 +index 515839034dfbc..fb7e56fad41c8 100644
1995 +--- a/drivers/usb/class/cdc-acm.c
1996 ++++ b/drivers/usb/class/cdc-acm.c
1997 +@@ -1897,6 +1897,17 @@ static const struct usb_device_id acm_ids[] = {
1998 + .driver_info = IGNORE_DEVICE,
1999 + },
2000 +
2001 ++ /* Exclude ETAS ES58x */
2002 ++ { USB_DEVICE(0x108c, 0x0159), /* ES581.4 */
2003 ++ .driver_info = IGNORE_DEVICE,
2004 ++ },
2005 ++ { USB_DEVICE(0x108c, 0x0168), /* ES582.1 */
2006 ++ .driver_info = IGNORE_DEVICE,
2007 ++ },
2008 ++ { USB_DEVICE(0x108c, 0x0169), /* ES584.1 */
2009 ++ .driver_info = IGNORE_DEVICE,
2010 ++ },
2011 ++
2012 + { USB_DEVICE(0x1bc7, 0x0021), /* Telit 3G ACM only composition */
2013 + .driver_info = SEND_ZERO_PACKET,
2014 + },
2015 +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
2016 +index 1a1d1cfc3704c..35ee2233ad170 100644
2017 +--- a/drivers/usb/class/cdc-wdm.c
2018 ++++ b/drivers/usb/class/cdc-wdm.c
2019 +@@ -61,6 +61,9 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
2020 +
2021 + #define WDM_MAX 16
2022 +
2023 ++/* we cannot wait forever at flush() */
2024 ++#define WDM_FLUSH_TIMEOUT (30 * HZ)
2025 ++
2026 + /* CDC-WMC r1.1 requires wMaxCommand to be "at least 256 decimal (0x100)" */
2027 + #define WDM_DEFAULT_BUFSIZE 256
2028 +
2029 +@@ -151,7 +154,7 @@ static void wdm_out_callback(struct urb *urb)
2030 + kfree(desc->outbuf);
2031 + desc->outbuf = NULL;
2032 + clear_bit(WDM_IN_USE, &desc->flags);
2033 +- wake_up(&desc->wait);
2034 ++ wake_up_all(&desc->wait);
2035 + }
2036 +
2037 + static void wdm_in_callback(struct urb *urb)
2038 +@@ -382,6 +385,9 @@ static ssize_t wdm_write
2039 + if (test_bit(WDM_RESETTING, &desc->flags))
2040 + r = -EIO;
2041 +
2042 ++ if (test_bit(WDM_DISCONNECTING, &desc->flags))
2043 ++ r = -ENODEV;
2044 ++
2045 + if (r < 0) {
2046 + rv = r;
2047 + goto out_free_mem_pm;
2048 +@@ -413,6 +419,7 @@ static ssize_t wdm_write
2049 + if (rv < 0) {
2050 + desc->outbuf = NULL;
2051 + clear_bit(WDM_IN_USE, &desc->flags);
2052 ++ wake_up_all(&desc->wait); /* for wdm_wait_for_response() */
2053 + dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
2054 + rv = usb_translate_errors(rv);
2055 + goto out_free_mem_pm;
2056 +@@ -573,28 +580,58 @@ err:
2057 + return rv;
2058 + }
2059 +
2060 +-static int wdm_flush(struct file *file, fl_owner_t id)
2061 ++static int wdm_wait_for_response(struct file *file, long timeout)
2062 + {
2063 + struct wdm_device *desc = file->private_data;
2064 ++ long rv; /* Use long here because (int) MAX_SCHEDULE_TIMEOUT < 0. */
2065 +
2066 +- wait_event(desc->wait,
2067 +- /*
2068 +- * needs both flags. We cannot do with one
2069 +- * because resetting it would cause a race
2070 +- * with write() yet we need to signal
2071 +- * a disconnect
2072 +- */
2073 +- !test_bit(WDM_IN_USE, &desc->flags) ||
2074 +- test_bit(WDM_DISCONNECTING, &desc->flags));
2075 +-
2076 +- /* cannot dereference desc->intf if WDM_DISCONNECTING */
2077 ++ /*
2078 ++ * Needs both flags. We cannot do with one because resetting it would
2079 ++ * cause a race with write() yet we need to signal a disconnect.
2080 ++ */
2081 ++ rv = wait_event_interruptible_timeout(desc->wait,
2082 ++ !test_bit(WDM_IN_USE, &desc->flags) ||
2083 ++ test_bit(WDM_DISCONNECTING, &desc->flags),
2084 ++ timeout);
2085 ++
2086 ++ /*
2087 ++ * To report the correct error. This is best effort.
2088 ++ * We are inevitably racing with the hardware.
2089 ++ */
2090 + if (test_bit(WDM_DISCONNECTING, &desc->flags))
2091 + return -ENODEV;
2092 +- if (desc->werr < 0)
2093 +- dev_err(&desc->intf->dev, "Error in flush path: %d\n",
2094 +- desc->werr);
2095 ++ if (!rv)
2096 ++ return -EIO;
2097 ++ if (rv < 0)
2098 ++ return -EINTR;
2099 +
2100 +- return usb_translate_errors(desc->werr);
2101 ++ spin_lock_irq(&desc->iuspin);
2102 ++ rv = desc->werr;
2103 ++ desc->werr = 0;
2104 ++ spin_unlock_irq(&desc->iuspin);
2105 ++
2106 ++ return usb_translate_errors(rv);
2107 ++
2108 ++}
2109 ++
2110 ++/*
2111 ++ * You need to send a signal when you react to malicious or defective hardware.
2112 ++ * Also, don't abort when fsync() returned -EINVAL, for older kernels which do
2113 ++ * not implement wdm_flush() will return -EINVAL.
2114 ++ */
2115 ++static int wdm_fsync(struct file *file, loff_t start, loff_t end, int datasync)
2116 ++{
2117 ++ return wdm_wait_for_response(file, MAX_SCHEDULE_TIMEOUT);
2118 ++}
2119 ++
2120 ++/*
2121 ++ * Same with wdm_fsync(), except it uses finite timeout in order to react to
2122 ++ * malicious or defective hardware which ceased communication after close() was
2123 ++ * implicitly called due to process termination.
2124 ++ */
2125 ++static int wdm_flush(struct file *file, fl_owner_t id)
2126 ++{
2127 ++ return wdm_wait_for_response(file, WDM_FLUSH_TIMEOUT);
2128 + }
2129 +
2130 + static unsigned int wdm_poll(struct file *file, struct poll_table_struct *wait)
2131 +@@ -719,6 +756,7 @@ static const struct file_operations wdm_fops = {
2132 + .owner = THIS_MODULE,
2133 + .read = wdm_read,
2134 + .write = wdm_write,
2135 ++ .fsync = wdm_fsync,
2136 + .open = wdm_open,
2137 + .flush = wdm_flush,
2138 + .release = wdm_release,
2139 +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
2140 +index c095cde55329c..8c4bfd42f785d 100644
2141 +--- a/drivers/usb/core/urb.c
2142 ++++ b/drivers/usb/core/urb.c
2143 +@@ -767,11 +767,12 @@ void usb_block_urb(struct urb *urb)
2144 + EXPORT_SYMBOL_GPL(usb_block_urb);
2145 +
2146 + /**
2147 +- * usb_kill_anchored_urbs - cancel transfer requests en masse
2148 ++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor
2149 + * @anchor: anchor the requests are bound to
2150 + *
2151 +- * this allows all outstanding URBs to be killed starting
2152 +- * from the back of the queue
2153 ++ * This kills all outstanding URBs starting from the back of the queue,
2154 ++ * with guarantee that no completer callbacks will take place from the
2155 ++ * anchor after this function returns.
2156 + *
2157 + * This routine should not be called by a driver after its disconnect
2158 + * method has returned.
2159 +@@ -779,20 +780,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb);
2160 + void usb_kill_anchored_urbs(struct usb_anchor *anchor)
2161 + {
2162 + struct urb *victim;
2163 ++ int surely_empty;
2164 +
2165 +- spin_lock_irq(&anchor->lock);
2166 +- while (!list_empty(&anchor->urb_list)) {
2167 +- victim = list_entry(anchor->urb_list.prev, struct urb,
2168 +- anchor_list);
2169 +- /* we must make sure the URB isn't freed before we kill it*/
2170 +- usb_get_urb(victim);
2171 +- spin_unlock_irq(&anchor->lock);
2172 +- /* this will unanchor the URB */
2173 +- usb_kill_urb(victim);
2174 +- usb_put_urb(victim);
2175 ++ do {
2176 + spin_lock_irq(&anchor->lock);
2177 +- }
2178 +- spin_unlock_irq(&anchor->lock);
2179 ++ while (!list_empty(&anchor->urb_list)) {
2180 ++ victim = list_entry(anchor->urb_list.prev,
2181 ++ struct urb, anchor_list);
2182 ++ /* make sure the URB isn't freed before we kill it */
2183 ++ usb_get_urb(victim);
2184 ++ spin_unlock_irq(&anchor->lock);
2185 ++ /* this will unanchor the URB */
2186 ++ usb_kill_urb(victim);
2187 ++ usb_put_urb(victim);
2188 ++ spin_lock_irq(&anchor->lock);
2189 ++ }
2190 ++ surely_empty = usb_anchor_check_wakeup(anchor);
2191 ++
2192 ++ spin_unlock_irq(&anchor->lock);
2193 ++ cpu_relax();
2194 ++ } while (!surely_empty);
2195 + }
2196 + EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs);
2197 +
2198 +@@ -811,21 +818,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs);
2199 + void usb_poison_anchored_urbs(struct usb_anchor *anchor)
2200 + {
2201 + struct urb *victim;
2202 ++ int surely_empty;
2203 +
2204 +- spin_lock_irq(&anchor->lock);
2205 +- anchor->poisoned = 1;
2206 +- while (!list_empty(&anchor->urb_list)) {
2207 +- victim = list_entry(anchor->urb_list.prev, struct urb,
2208 +- anchor_list);
2209 +- /* we must make sure the URB isn't freed before we kill it*/
2210 +- usb_get_urb(victim);
2211 +- spin_unlock_irq(&anchor->lock);
2212 +- /* this will unanchor the URB */
2213 +- usb_poison_urb(victim);
2214 +- usb_put_urb(victim);
2215 ++ do {
2216 + spin_lock_irq(&anchor->lock);
2217 +- }
2218 +- spin_unlock_irq(&anchor->lock);
2219 ++ anchor->poisoned = 1;
2220 ++ while (!list_empty(&anchor->urb_list)) {
2221 ++ victim = list_entry(anchor->urb_list.prev,
2222 ++ struct urb, anchor_list);
2223 ++ /* make sure the URB isn't freed before we kill it */
2224 ++ usb_get_urb(victim);
2225 ++ spin_unlock_irq(&anchor->lock);
2226 ++ /* this will unanchor the URB */
2227 ++ usb_poison_urb(victim);
2228 ++ usb_put_urb(victim);
2229 ++ spin_lock_irq(&anchor->lock);
2230 ++ }
2231 ++ surely_empty = usb_anchor_check_wakeup(anchor);
2232 ++
2233 ++ spin_unlock_irq(&anchor->lock);
2234 ++ cpu_relax();
2235 ++ } while (!surely_empty);
2236 + }
2237 + EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs);
2238 +
2239 +@@ -965,14 +978,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor)
2240 + {
2241 + struct urb *victim;
2242 + unsigned long flags;
2243 ++ int surely_empty;
2244 ++
2245 ++ do {
2246 ++ spin_lock_irqsave(&anchor->lock, flags);
2247 ++ while (!list_empty(&anchor->urb_list)) {
2248 ++ victim = list_entry(anchor->urb_list.prev,
2249 ++ struct urb, anchor_list);
2250 ++ __usb_unanchor_urb(victim, anchor);
2251 ++ }
2252 ++ surely_empty = usb_anchor_check_wakeup(anchor);
2253 +
2254 +- spin_lock_irqsave(&anchor->lock, flags);
2255 +- while (!list_empty(&anchor->urb_list)) {
2256 +- victim = list_entry(anchor->urb_list.prev, struct urb,
2257 +- anchor_list);
2258 +- __usb_unanchor_urb(victim, anchor);
2259 +- }
2260 +- spin_unlock_irqrestore(&anchor->lock, flags);
2261 ++ spin_unlock_irqrestore(&anchor->lock, flags);
2262 ++ cpu_relax();
2263 ++ } while (!surely_empty);
2264 + }
2265 +
2266 + EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs);
2267 +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
2268 +index 69afc17fca38f..7b21ef09fffc2 100644
2269 +--- a/drivers/usb/gadget/function/f_printer.c
2270 ++++ b/drivers/usb/gadget/function/f_printer.c
2271 +@@ -35,6 +35,7 @@
2272 + #include <linux/types.h>
2273 + #include <linux/ctype.h>
2274 + #include <linux/cdev.h>
2275 ++#include <linux/kref.h>
2276 +
2277 + #include <asm/byteorder.h>
2278 + #include <linux/io.h>
2279 +@@ -69,7 +70,7 @@ struct printer_dev {
2280 + struct usb_gadget *gadget;
2281 + s8 interface;
2282 + struct usb_ep *in_ep, *out_ep;
2283 +-
2284 ++ struct kref kref;
2285 + struct list_head rx_reqs; /* List of free RX structs */
2286 + struct list_head rx_reqs_active; /* List of Active RX xfers */
2287 + struct list_head rx_buffers; /* List of completed xfers */
2288 +@@ -223,6 +224,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget,
2289 +
2290 + /*-------------------------------------------------------------------------*/
2291 +
2292 ++static void printer_dev_free(struct kref *kref)
2293 ++{
2294 ++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref);
2295 ++
2296 ++ kfree(dev);
2297 ++}
2298 ++
2299 + static struct usb_request *
2300 + printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags)
2301 + {
2302 +@@ -353,6 +361,7 @@ printer_open(struct inode *inode, struct file *fd)
2303 +
2304 + spin_unlock_irqrestore(&dev->lock, flags);
2305 +
2306 ++ kref_get(&dev->kref);
2307 + DBG(dev, "printer_open returned %x\n", ret);
2308 + return ret;
2309 + }
2310 +@@ -370,6 +379,7 @@ printer_close(struct inode *inode, struct file *fd)
2311 + dev->printer_status &= ~PRINTER_SELECTED;
2312 + spin_unlock_irqrestore(&dev->lock, flags);
2313 +
2314 ++ kref_put(&dev->kref, printer_dev_free);
2315 + DBG(dev, "printer_close\n");
2316 +
2317 + return 0;
2318 +@@ -1316,7 +1326,8 @@ static void gprinter_free(struct usb_function *f)
2319 + struct f_printer_opts *opts;
2320 +
2321 + opts = container_of(f->fi, struct f_printer_opts, func_inst);
2322 +- kfree(dev);
2323 ++
2324 ++ kref_put(&dev->kref, printer_dev_free);
2325 + mutex_lock(&opts->lock);
2326 + --opts->refcnt;
2327 + mutex_unlock(&opts->lock);
2328 +@@ -1385,6 +1396,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
2329 + return ERR_PTR(-ENOMEM);
2330 + }
2331 +
2332 ++ kref_init(&dev->kref);
2333 + ++opts->refcnt;
2334 + dev->minor = opts->minor;
2335 + dev->pnp_string = opts->pnp_string;
2336 +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
2337 +index e69f20b2a3f44..46c50135ef9f7 100644
2338 +--- a/drivers/usb/gadget/function/u_ether.c
2339 ++++ b/drivers/usb/gadget/function/u_ether.c
2340 +@@ -96,7 +96,7 @@ struct eth_dev {
2341 + static inline int qlen(struct usb_gadget *gadget, unsigned qmult)
2342 + {
2343 + if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH ||
2344 +- gadget->speed == USB_SPEED_SUPER))
2345 ++ gadget->speed >= USB_SPEED_SUPER))
2346 + return qmult * DEFAULT_QLEN;
2347 + else
2348 + return DEFAULT_QLEN;
2349 +diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
2350 +index 27bd3e49fe8e3..07d76d9d4ce1b 100644
2351 +--- a/drivers/usb/host/ohci-hcd.c
2352 ++++ b/drivers/usb/host/ohci-hcd.c
2353 +@@ -663,20 +663,24 @@ retry:
2354 +
2355 + /* handle root hub init quirks ... */
2356 + val = roothub_a (ohci);
2357 +- val &= ~(RH_A_PSM | RH_A_OCPM);
2358 ++ /* Configure for per-port over-current protection by default */
2359 ++ val &= ~RH_A_NOCP;
2360 ++ val |= RH_A_OCPM;
2361 + if (ohci->flags & OHCI_QUIRK_SUPERIO) {
2362 +- /* NSC 87560 and maybe others */
2363 ++ /* NSC 87560 and maybe others.
2364 ++ * Ganged power switching, no over-current protection.
2365 ++ */
2366 + val |= RH_A_NOCP;
2367 +- val &= ~(RH_A_POTPGT | RH_A_NPS);
2368 +- ohci_writel (ohci, val, &ohci->regs->roothub.a);
2369 ++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM);
2370 + } else if ((ohci->flags & OHCI_QUIRK_AMD756) ||
2371 + (ohci->flags & OHCI_QUIRK_HUB_POWER)) {
2372 + /* hub power always on; required for AMD-756 and some
2373 +- * Mac platforms. ganged overcurrent reporting, if any.
2374 ++ * Mac platforms.
2375 + */
2376 + val |= RH_A_NPS;
2377 +- ohci_writel (ohci, val, &ohci->regs->roothub.a);
2378 + }
2379 ++ ohci_writel(ohci, val, &ohci->regs->roothub.a);
2380 ++
2381 + ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status);
2382 + ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM,
2383 + &ohci->regs->roothub.b);
2384 +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
2385 +index f7d48661aa944..af4f7ebb45a79 100644
2386 +--- a/drivers/vfio/pci/vfio_pci_intrs.c
2387 ++++ b/drivers/vfio/pci/vfio_pci_intrs.c
2388 +@@ -364,11 +364,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
2389 + vdev->ctx[vector].producer.token = trigger;
2390 + vdev->ctx[vector].producer.irq = irq;
2391 + ret = irq_bypass_register_producer(&vdev->ctx[vector].producer);
2392 +- if (unlikely(ret))
2393 ++ if (unlikely(ret)) {
2394 + dev_info(&pdev->dev,
2395 + "irq bypass producer (token %p) registration fails: %d\n",
2396 + vdev->ctx[vector].producer.token, ret);
2397 +
2398 ++ vdev->ctx[vector].producer.token = NULL;
2399 ++ }
2400 + vdev->ctx[vector].trigger = trigger;
2401 +
2402 + return 0;
2403 +diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c
2404 +index d414c7a3acf5a..a2f77625b7170 100644
2405 +--- a/drivers/video/backlight/sky81452-backlight.c
2406 ++++ b/drivers/video/backlight/sky81452-backlight.c
2407 +@@ -207,6 +207,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt(
2408 + num_entry);
2409 + if (ret < 0) {
2410 + dev_err(dev, "led-sources node is invalid.\n");
2411 ++ of_node_put(np);
2412 + return ERR_PTR(-EINVAL);
2413 + }
2414 +
2415 +diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c
2416 +index dfe3eb769638b..fde27feae5d0c 100644
2417 +--- a/drivers/video/fbdev/sis/init.c
2418 ++++ b/drivers/video/fbdev/sis/init.c
2419 +@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo,
2420 +
2421 + i = 0;
2422 +
2423 ++ if (SiS_Pr->ChipType == SIS_730)
2424 ++ queuedata = &FQBQData730[0];
2425 ++ else
2426 ++ queuedata = &FQBQData[0];
2427 ++
2428 + if(ModeNo > 0x13) {
2429 +
2430 + /* Get VCLK */
2431 +@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo,
2432 + /* Get half colordepth */
2433 + colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)];
2434 +
2435 +- if(SiS_Pr->ChipType == SIS_730) {
2436 +- queuedata = &FQBQData730[0];
2437 +- } else {
2438 +- queuedata = &FQBQData[0];
2439 +- }
2440 +-
2441 + do {
2442 + templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth;
2443 +
2444 +diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
2445 +index 1acdb41a8a7c3..06cee2a40a9bf 100644
2446 +--- a/drivers/video/fbdev/vga16fb.c
2447 ++++ b/drivers/video/fbdev/vga16fb.c
2448 +@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info)
2449 + }
2450 +
2451 + static void vga16fb_clock_chip(struct vga16fb_par *par,
2452 +- unsigned int pixclock,
2453 ++ unsigned int *pixclock,
2454 + const struct fb_info *info,
2455 + int mul, int div)
2456 + {
2457 +@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par,
2458 + { 0 /* bad */, 0x00, 0x00}};
2459 + int err;
2460 +
2461 +- pixclock = (pixclock * mul) / div;
2462 ++ *pixclock = (*pixclock * mul) / div;
2463 + best = vgaclocks;
2464 +- err = pixclock - best->pixclock;
2465 ++ err = *pixclock - best->pixclock;
2466 + if (err < 0) err = -err;
2467 + for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) {
2468 + int tmp;
2469 +
2470 +- tmp = pixclock - ptr->pixclock;
2471 ++ tmp = *pixclock - ptr->pixclock;
2472 + if (tmp < 0) tmp = -tmp;
2473 + if (tmp < err) {
2474 + err = tmp;
2475 +@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par,
2476 + }
2477 + par->misc |= best->misc;
2478 + par->clkdiv = best->seq_clock_mode;
2479 +- pixclock = (best->pixclock * div) / mul;
2480 ++ *pixclock = (best->pixclock * div) / mul;
2481 + }
2482 +
2483 + #define FAIL(X) return -EINVAL
2484 +@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var,
2485 +
2486 + if (mode & MODE_8BPP)
2487 + /* pixel clock == vga clock / 2 */
2488 +- vga16fb_clock_chip(par, var->pixclock, info, 1, 2);
2489 ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2);
2490 + else
2491 + /* pixel clock == vga clock */
2492 +- vga16fb_clock_chip(par, var->pixclock, info, 1, 1);
2493 ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1);
2494 +
2495 + var->red.offset = var->green.offset = var->blue.offset =
2496 + var->transp.offset = 0;
2497 +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
2498 +index 9f96c7e61387d..0d11b5043db53 100644
2499 +--- a/drivers/virt/fsl_hypervisor.c
2500 ++++ b/drivers/virt/fsl_hypervisor.c
2501 +@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
2502 +
2503 + unsigned int i;
2504 + long ret = 0;
2505 +- int num_pinned; /* return value from get_user_pages() */
2506 ++ int num_pinned = 0; /* return value from get_user_pages_fast() */
2507 + phys_addr_t remote_paddr; /* The next address in the remote buffer */
2508 + uint32_t count; /* The number of bytes left to copy */
2509 +
2510 +@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
2511 + return -EINVAL;
2512 +
2513 + /*
2514 +- * The array of pages returned by get_user_pages() covers only
2515 ++ * The array of pages returned by get_user_pages_fast() covers only
2516 + * page-aligned memory. Since the user buffer is probably not
2517 + * page-aligned, we need to handle the discrepancy.
2518 + *
2519 +@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
2520 +
2521 + /*
2522 + * 'pages' is an array of struct page pointers that's initialized by
2523 +- * get_user_pages().
2524 ++ * get_user_pages_fast().
2525 + */
2526 + pages = kzalloc(num_pages * sizeof(struct page *), GFP_KERNEL);
2527 + if (!pages) {
2528 +@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
2529 + if (!sg_list_unaligned) {
2530 + pr_debug("fsl-hv: could not allocate S/G list\n");
2531 + ret = -ENOMEM;
2532 +- goto exit;
2533 ++ goto free_pages;
2534 + }
2535 + sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list));
2536 +
2537 +@@ -254,7 +254,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
2538 + up_read(&current->mm->mmap_sem);
2539 +
2540 + if (num_pinned != num_pages) {
2541 +- /* get_user_pages() failed */
2542 + pr_debug("fsl-hv: could not lock source buffer\n");
2543 + ret = (num_pinned < 0) ? num_pinned : -EFAULT;
2544 + goto exit;
2545 +@@ -296,13 +295,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
2546 + virt_to_phys(sg_list), num_pages);
2547 +
2548 + exit:
2549 +- if (pages) {
2550 +- for (i = 0; i < num_pages; i++)
2551 +- if (pages[i])
2552 +- put_page(pages[i]);
2553 ++ if (pages && (num_pinned > 0)) {
2554 ++ for (i = 0; i < num_pinned; i++)
2555 ++ put_page(pages[i]);
2556 + }
2557 +
2558 + kfree(sg_list_unaligned);
2559 ++free_pages:
2560 + kfree(pages);
2561 +
2562 + if (!ret)
2563 +diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
2564 +index a3b56544c21b9..ae1f2817bd6a6 100644
2565 +--- a/fs/cifs/asn1.c
2566 ++++ b/fs/cifs/asn1.c
2567 +@@ -541,8 +541,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
2568 + return 0;
2569 + } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
2570 + || (tag != ASN1_EOC)) {
2571 +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
2572 +- cls, con, tag, end, *end);
2573 ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
2574 ++ cls, con, tag, end);
2575 + return 0;
2576 + }
2577 +
2578 +@@ -552,8 +552,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
2579 + return 0;
2580 + } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
2581 + || (tag != ASN1_SEQ)) {
2582 +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
2583 +- cls, con, tag, end, *end);
2584 ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 1\n",
2585 ++ cls, con, tag, end);
2586 + return 0;
2587 + }
2588 +
2589 +@@ -563,8 +563,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
2590 + return 0;
2591 + } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
2592 + || (tag != ASN1_EOC)) {
2593 +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
2594 +- cls, con, tag, end, *end);
2595 ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
2596 ++ cls, con, tag, end);
2597 + return 0;
2598 + }
2599 +
2600 +@@ -575,8 +575,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
2601 + return 0;
2602 + } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
2603 + || (tag != ASN1_SEQ)) {
2604 +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
2605 +- cls, con, tag, end, *end);
2606 ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d sequence_end = %p exit 1\n",
2607 ++ cls, con, tag, sequence_end);
2608 + return 0;
2609 + }
2610 +
2611 +diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
2612 +index d284f07eda775..38260c07de8b5 100644
2613 +--- a/fs/ntfs/inode.c
2614 ++++ b/fs/ntfs/inode.c
2615 +@@ -1844,6 +1844,12 @@ int ntfs_read_inode_mount(struct inode *vi)
2616 + brelse(bh);
2617 + }
2618 +
2619 ++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
2620 ++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
2621 ++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
2622 ++ goto err_out;
2623 ++ }
2624 ++
2625 + /* Apply the mst fixups. */
2626 + if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
2627 + /* FIXME: Try to use the $MFTMirr now. */
2628 +diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c
2629 +index 2aa012a68e90e..9891b8fb0432f 100644
2630 +--- a/fs/quota/quota_v2.c
2631 ++++ b/fs/quota/quota_v2.c
2632 +@@ -266,6 +266,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
2633 + d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
2634 + d->dqb_btime = cpu_to_le64(m->dqb_btime);
2635 + d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
2636 ++ d->dqb_pad = 0;
2637 + if (qtree_entry_unused(info, dp))
2638 + d->dqb_itime = cpu_to_le64(1);
2639 + }
2640 +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
2641 +index cfb4691d92741..ccbb15ab029f4 100644
2642 +--- a/fs/reiserfs/inode.c
2643 ++++ b/fs/reiserfs/inode.c
2644 +@@ -2157,7 +2157,8 @@ out_end_trans:
2645 + out_inserted_sd:
2646 + clear_nlink(inode);
2647 + th->t_trans_id = 0; /* so the caller can't use this handle later */
2648 +- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */
2649 ++ if (inode->i_state & I_NEW)
2650 ++ unlock_new_inode(inode);
2651 + iput(inode);
2652 + return err;
2653 + }
2654 +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
2655 +index f9796fd515315..503d8c06e0d93 100644
2656 +--- a/fs/reiserfs/super.c
2657 ++++ b/fs/reiserfs/super.c
2658 +@@ -1232,6 +1232,10 @@ static int reiserfs_parse_options(struct super_block *s,
2659 + "turned on.");
2660 + return 0;
2661 + }
2662 ++ if (qf_names[qtype] !=
2663 ++ REISERFS_SB(s)->s_qf_names[qtype])
2664 ++ kfree(qf_names[qtype]);
2665 ++ qf_names[qtype] = NULL;
2666 + if (*arg) { /* Some filename specified? */
2667 + if (REISERFS_SB(s)->s_qf_names[qtype]
2668 + && strcmp(REISERFS_SB(s)->s_qf_names[qtype],
2669 +@@ -1261,10 +1265,6 @@ static int reiserfs_parse_options(struct super_block *s,
2670 + else
2671 + *mount_options |= 1 << REISERFS_GRPQUOTA;
2672 + } else {
2673 +- if (qf_names[qtype] !=
2674 +- REISERFS_SB(s)->s_qf_names[qtype])
2675 +- kfree(qf_names[qtype]);
2676 +- qf_names[qtype] = NULL;
2677 + if (qtype == USRQUOTA)
2678 + *mount_options &= ~(1 << REISERFS_USRQUOTA);
2679 + else
2680 +diff --git a/fs/udf/inode.c b/fs/udf/inode.c
2681 +index 3876448ec0dcb..2c39c1c81196c 100644
2682 +--- a/fs/udf/inode.c
2683 ++++ b/fs/udf/inode.c
2684 +@@ -140,21 +140,24 @@ void udf_evict_inode(struct inode *inode)
2685 + struct udf_inode_info *iinfo = UDF_I(inode);
2686 + int want_delete = 0;
2687 +
2688 +- if (!inode->i_nlink && !is_bad_inode(inode)) {
2689 +- want_delete = 1;
2690 +- udf_setsize(inode, 0);
2691 +- udf_update_inode(inode, IS_SYNC(inode));
2692 ++ if (!is_bad_inode(inode)) {
2693 ++ if (!inode->i_nlink) {
2694 ++ want_delete = 1;
2695 ++ udf_setsize(inode, 0);
2696 ++ udf_update_inode(inode, IS_SYNC(inode));
2697 ++ }
2698 ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
2699 ++ inode->i_size != iinfo->i_lenExtents) {
2700 ++ udf_warn(inode->i_sb,
2701 ++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
2702 ++ inode->i_ino, inode->i_mode,
2703 ++ (unsigned long long)inode->i_size,
2704 ++ (unsigned long long)iinfo->i_lenExtents);
2705 ++ }
2706 + }
2707 + truncate_inode_pages_final(&inode->i_data);
2708 + invalidate_inode_buffers(inode);
2709 + clear_inode(inode);
2710 +- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
2711 +- inode->i_size != iinfo->i_lenExtents) {
2712 +- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
2713 +- inode->i_ino, inode->i_mode,
2714 +- (unsigned long long)inode->i_size,
2715 +- (unsigned long long)iinfo->i_lenExtents);
2716 +- }
2717 + kfree(iinfo->i_ext.i_data);
2718 + iinfo->i_ext.i_data = NULL;
2719 + udf_clear_extent_cache(inode);
2720 +diff --git a/fs/udf/super.c b/fs/udf/super.c
2721 +index 159977ec8e548..710f1b8fad9bf 100644
2722 +--- a/fs/udf/super.c
2723 ++++ b/fs/udf/super.c
2724 +@@ -1390,6 +1390,12 @@ static int udf_load_sparable_map(struct super_block *sb,
2725 + (int)spm->numSparingTables);
2726 + return -EIO;
2727 + }
2728 ++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) {
2729 ++ udf_err(sb, "error loading logical volume descriptor: "
2730 ++ "Too big sparing table size (%u)\n",
2731 ++ le32_to_cpu(spm->sizeSparingTable));
2732 ++ return -EIO;
2733 ++ }
2734 +
2735 + for (i = 0; i < spm->numSparingTables; i++) {
2736 + loc = le32_to_cpu(spm->locSparingTable[i]);
2737 +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
2738 +index 919b6544b61a3..bda5248fc6498 100644
2739 +--- a/fs/xfs/xfs_rtalloc.c
2740 ++++ b/fs/xfs/xfs_rtalloc.c
2741 +@@ -256,6 +256,9 @@ xfs_rtallocate_extent_block(
2742 + end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1;
2743 + i <= end;
2744 + i++) {
2745 ++ /* Make sure we don't scan off the end of the rt volume. */
2746 ++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i;
2747 ++
2748 + /*
2749 + * See if there's a free extent of maxlen starting at i.
2750 + * If it's not so then next will contain the first non-free.
2751 +@@ -447,6 +450,14 @@ xfs_rtallocate_extent_near(
2752 + */
2753 + if (bno >= mp->m_sb.sb_rextents)
2754 + bno = mp->m_sb.sb_rextents - 1;
2755 ++
2756 ++ /* Make sure we don't run off the end of the rt volume. */
2757 ++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno;
2758 ++ if (maxlen < minlen) {
2759 ++ *rtblock = NULLRTBLOCK;
2760 ++ return 0;
2761 ++ }
2762 ++
2763 + /*
2764 + * Try the exact allocation first.
2765 + */
2766 +diff --git a/include/linux/compiler.h b/include/linux/compiler.h
2767 +index e5d349d65ae93..7cabe0cc86651 100644
2768 +--- a/include/linux/compiler.h
2769 ++++ b/include/linux/compiler.h
2770 +@@ -241,23 +241,21 @@ void __read_once_size(const volatile void *p, void *res, int size)
2771 +
2772 + #ifdef CONFIG_KASAN
2773 + /*
2774 +- * This function is not 'inline' because __no_sanitize_address confilcts
2775 ++ * We can't declare function 'inline' because __no_sanitize_address confilcts
2776 + * with inlining. Attempt to inline it may cause a build failure.
2777 + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368
2778 + * '__maybe_unused' allows us to avoid defined-but-not-used warnings.
2779 + */
2780 +-static __no_sanitize_address __maybe_unused
2781 +-void __read_once_size_nocheck(const volatile void *p, void *res, int size)
2782 +-{
2783 +- __READ_ONCE_SIZE;
2784 +-}
2785 ++# define __no_kasan_or_inline __no_sanitize_address __maybe_unused
2786 + #else
2787 +-static __always_inline
2788 ++# define __no_kasan_or_inline __always_inline
2789 ++#endif
2790 ++
2791 ++static __no_kasan_or_inline
2792 + void __read_once_size_nocheck(const volatile void *p, void *res, int size)
2793 + {
2794 + __READ_ONCE_SIZE;
2795 + }
2796 +-#endif
2797 +
2798 + static __always_inline void __write_once_size(volatile void *p, void *res, int size)
2799 + {
2800 +@@ -294,6 +292,7 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
2801 + * with an explicit memory barrier or atomic instruction that provides the
2802 + * required ordering.
2803 + */
2804 ++#include <linux/kasan-checks.h>
2805 +
2806 + #define __READ_ONCE(x, check) \
2807 + ({ \
2808 +@@ -312,6 +311,13 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
2809 + */
2810 + #define READ_ONCE_NOCHECK(x) __READ_ONCE(x, 0)
2811 +
2812 ++static __no_kasan_or_inline
2813 ++unsigned long read_word_at_a_time(const void *addr)
2814 ++{
2815 ++ kasan_check_read(addr, 1);
2816 ++ return *(unsigned long *)addr;
2817 ++}
2818 ++
2819 + #define WRITE_ONCE(x, val) \
2820 + ({ \
2821 + union { typeof(x) __val; char __c[1]; } __u = \
2822 +diff --git a/include/linux/kasan-checks.h b/include/linux/kasan-checks.h
2823 +new file mode 100644
2824 +index 0000000000000..b7f8aced78707
2825 +--- /dev/null
2826 ++++ b/include/linux/kasan-checks.h
2827 +@@ -0,0 +1,12 @@
2828 ++#ifndef _LINUX_KASAN_CHECKS_H
2829 ++#define _LINUX_KASAN_CHECKS_H
2830 ++
2831 ++#ifdef CONFIG_KASAN
2832 ++void kasan_check_read(const void *p, unsigned int size);
2833 ++void kasan_check_write(const void *p, unsigned int size);
2834 ++#else
2835 ++static inline void kasan_check_read(const void *p, unsigned int size) { }
2836 ++static inline void kasan_check_write(const void *p, unsigned int size) { }
2837 ++#endif
2838 ++
2839 ++#endif
2840 +diff --git a/include/net/ip.h b/include/net/ip.h
2841 +index 6067b7a10ccd2..5c9de851a9191 100644
2842 +--- a/include/net/ip.h
2843 ++++ b/include/net/ip.h
2844 +@@ -317,12 +317,18 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
2845 + bool forwarding)
2846 + {
2847 + struct net *net = dev_net(dst->dev);
2848 ++ unsigned int mtu;
2849 +
2850 + if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
2851 + ip_mtu_locked(dst) ||
2852 + !forwarding)
2853 + return dst_mtu(dst);
2854 +
2855 ++ /* 'forwarding = true' case should always honour route mtu */
2856 ++ mtu = dst_metric_raw(dst, RTAX_MTU);
2857 ++ if (mtu)
2858 ++ return mtu;
2859 ++
2860 + return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU);
2861 + }
2862 +
2863 +diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h
2864 +index 11571b2a831e3..92ba09200f89b 100644
2865 +--- a/include/scsi/scsi_common.h
2866 ++++ b/include/scsi/scsi_common.h
2867 +@@ -24,6 +24,13 @@ scsi_command_size(const unsigned char *cmnd)
2868 + scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]);
2869 + }
2870 +
2871 ++static inline unsigned char
2872 ++scsi_command_control(const unsigned char *cmnd)
2873 ++{
2874 ++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ?
2875 ++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1];
2876 ++}
2877 ++
2878 + /* Returns a human-readable name for the device */
2879 + extern const char *scsi_device_type(unsigned type);
2880 +
2881 +diff --git a/include/trace/events/target.h b/include/trace/events/target.h
2882 +index 50fea660c0f89..d543e8b87e50a 100644
2883 +--- a/include/trace/events/target.h
2884 ++++ b/include/trace/events/target.h
2885 +@@ -139,6 +139,7 @@ TRACE_EVENT(target_sequencer_start,
2886 + __field( unsigned int, opcode )
2887 + __field( unsigned int, data_length )
2888 + __field( unsigned int, task_attribute )
2889 ++ __field( unsigned char, control )
2890 + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE )
2891 + __string( initiator, cmd->se_sess->se_node_acl->initiatorname )
2892 + ),
2893 +@@ -148,6 +149,7 @@ TRACE_EVENT(target_sequencer_start,
2894 + __entry->opcode = cmd->t_task_cdb[0];
2895 + __entry->data_length = cmd->data_length;
2896 + __entry->task_attribute = cmd->sam_task_attr;
2897 ++ __entry->control = scsi_command_control(cmd->t_task_cdb);
2898 + memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE);
2899 + __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname);
2900 + ),
2901 +@@ -157,9 +159,7 @@ TRACE_EVENT(target_sequencer_start,
2902 + show_opcode_name(__entry->opcode),
2903 + __entry->data_length, __print_hex(__entry->cdb, 16),
2904 + show_task_attribute_name(__entry->task_attribute),
2905 +- scsi_command_size(__entry->cdb) <= 16 ?
2906 +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] :
2907 +- __entry->cdb[1]
2908 ++ __entry->control
2909 + )
2910 + );
2911 +
2912 +@@ -174,6 +174,7 @@ TRACE_EVENT(target_cmd_complete,
2913 + __field( unsigned int, opcode )
2914 + __field( unsigned int, data_length )
2915 + __field( unsigned int, task_attribute )
2916 ++ __field( unsigned char, control )
2917 + __field( unsigned char, scsi_status )
2918 + __field( unsigned char, sense_length )
2919 + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE )
2920 +@@ -186,6 +187,7 @@ TRACE_EVENT(target_cmd_complete,
2921 + __entry->opcode = cmd->t_task_cdb[0];
2922 + __entry->data_length = cmd->data_length;
2923 + __entry->task_attribute = cmd->sam_task_attr;
2924 ++ __entry->control = scsi_command_control(cmd->t_task_cdb);
2925 + __entry->scsi_status = cmd->scsi_status;
2926 + __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ?
2927 + min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0;
2928 +@@ -202,9 +204,7 @@ TRACE_EVENT(target_cmd_complete,
2929 + show_opcode_name(__entry->opcode),
2930 + __entry->data_length, __print_hex(__entry->cdb, 16),
2931 + show_task_attribute_name(__entry->task_attribute),
2932 +- scsi_command_size(__entry->cdb) <= 16 ?
2933 +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] :
2934 +- __entry->cdb[1]
2935 ++ __entry->control
2936 + )
2937 + );
2938 +
2939 +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
2940 +index cc892a9e109d8..ae39b014b7d6c 100644
2941 +--- a/kernel/debug/kdb/kdb_io.c
2942 ++++ b/kernel/debug/kdb/kdb_io.c
2943 +@@ -683,12 +683,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap)
2944 + size_avail = sizeof(kdb_buffer) - len;
2945 + goto kdb_print_out;
2946 + }
2947 +- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH)
2948 ++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) {
2949 + /*
2950 + * This was a interactive search (using '/' at more
2951 +- * prompt) and it has completed. Clear the flag.
2952 ++ * prompt) and it has completed. Replace the \0 with
2953 ++ * its original value to ensure multi-line strings
2954 ++ * are handled properly, and return to normal mode.
2955 + */
2956 ++ *cphold = replaced_byte;
2957 + kdb_grepping_flag = 0;
2958 ++ }
2959 + /*
2960 + * at this point the string is a full line and
2961 + * should be printed, up to the null.
2962 +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
2963 +index 3124cebaec31e..7d73b30c55ccd 100644
2964 +--- a/kernel/power/hibernate.c
2965 ++++ b/kernel/power/hibernate.c
2966 +@@ -779,17 +779,6 @@ static int software_resume(void)
2967 +
2968 + /* Check if the device is there */
2969 + swsusp_resume_device = name_to_dev_t(resume_file);
2970 +-
2971 +- /*
2972 +- * name_to_dev_t is ineffective to verify parition if resume_file is in
2973 +- * integer format. (e.g. major:minor)
2974 +- */
2975 +- if (isdigit(resume_file[0]) && resume_wait) {
2976 +- int partno;
2977 +- while (!get_gendisk(swsusp_resume_device, &partno))
2978 +- msleep(10);
2979 +- }
2980 +-
2981 + if (!swsusp_resume_device) {
2982 + /*
2983 + * Some device discovery might still be in progress; we need
2984 +diff --git a/lib/crc32.c b/lib/crc32.c
2985 +index 9a907d489d951..eed675bcd6751 100644
2986 +--- a/lib/crc32.c
2987 ++++ b/lib/crc32.c
2988 +@@ -327,7 +327,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p,
2989 + return crc;
2990 + }
2991 +
2992 +-#if CRC_LE_BITS == 1
2993 ++#if CRC_BE_BITS == 1
2994 + u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len)
2995 + {
2996 + return crc32_be_generic(crc, p, len, NULL, CRCPOLY_BE);
2997 +diff --git a/lib/string.c b/lib/string.c
2998 +index c9983dc01e727..7f4baad6fb193 100644
2999 +--- a/lib/string.c
3000 ++++ b/lib/string.c
3001 +@@ -202,7 +202,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
3002 + while (max >= sizeof(unsigned long)) {
3003 + unsigned long c, data;
3004 +
3005 +- c = *(unsigned long *)(src+res);
3006 ++ c = read_word_at_a_time(src+res);
3007 + if (has_zero(c, &data, &constants)) {
3008 + data = prep_zero_mask(c, data, &constants);
3009 + data = create_zero_mask(data);
3010 +diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
3011 +index b7397b4599604..410b0fcb0c733 100644
3012 +--- a/mm/kasan/kasan.c
3013 ++++ b/mm/kasan/kasan.c
3014 +@@ -252,32 +252,48 @@ static __always_inline bool memory_is_poisoned(unsigned long addr, size_t size)
3015 + return memory_is_poisoned_n(addr, size);
3016 + }
3017 +
3018 +-
3019 +-static __always_inline void check_memory_region(unsigned long addr,
3020 +- size_t size, bool write)
3021 ++static __always_inline void check_memory_region_inline(unsigned long addr,
3022 ++ size_t size, bool write,
3023 ++ unsigned long ret_ip)
3024 + {
3025 + if (unlikely(size == 0))
3026 + return;
3027 +
3028 + if (unlikely((void *)addr <
3029 + kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
3030 +- kasan_report(addr, size, write, _RET_IP_);
3031 ++ kasan_report(addr, size, write, ret_ip);
3032 + return;
3033 + }
3034 +
3035 + if (likely(!memory_is_poisoned(addr, size)))
3036 + return;
3037 +
3038 +- kasan_report(addr, size, write, _RET_IP_);
3039 ++ kasan_report(addr, size, write, ret_ip);
3040 + }
3041 +
3042 +-void __asan_loadN(unsigned long addr, size_t size);
3043 +-void __asan_storeN(unsigned long addr, size_t size);
3044 ++static void check_memory_region(unsigned long addr,
3045 ++ size_t size, bool write,
3046 ++ unsigned long ret_ip)
3047 ++{
3048 ++ check_memory_region_inline(addr, size, write, ret_ip);
3049 ++}
3050 ++
3051 ++void kasan_check_read(const void *p, unsigned int size)
3052 ++{
3053 ++ check_memory_region((unsigned long)p, size, false, _RET_IP_);
3054 ++}
3055 ++EXPORT_SYMBOL(kasan_check_read);
3056 ++
3057 ++void kasan_check_write(const void *p, unsigned int size)
3058 ++{
3059 ++ check_memory_region((unsigned long)p, size, true, _RET_IP_);
3060 ++}
3061 ++EXPORT_SYMBOL(kasan_check_write);
3062 +
3063 + #undef memset
3064 + void *memset(void *addr, int c, size_t len)
3065 + {
3066 +- __asan_storeN((unsigned long)addr, len);
3067 ++ check_memory_region((unsigned long)addr, len, true, _RET_IP_);
3068 +
3069 + return __memset(addr, c, len);
3070 + }
3071 +@@ -285,8 +301,8 @@ void *memset(void *addr, int c, size_t len)
3072 + #undef memmove
3073 + void *memmove(void *dest, const void *src, size_t len)
3074 + {
3075 +- __asan_loadN((unsigned long)src, len);
3076 +- __asan_storeN((unsigned long)dest, len);
3077 ++ check_memory_region((unsigned long)src, len, false, _RET_IP_);
3078 ++ check_memory_region((unsigned long)dest, len, true, _RET_IP_);
3079 +
3080 + return __memmove(dest, src, len);
3081 + }
3082 +@@ -294,8 +310,8 @@ void *memmove(void *dest, const void *src, size_t len)
3083 + #undef memcpy
3084 + void *memcpy(void *dest, const void *src, size_t len)
3085 + {
3086 +- __asan_loadN((unsigned long)src, len);
3087 +- __asan_storeN((unsigned long)dest, len);
3088 ++ check_memory_region((unsigned long)src, len, false, _RET_IP_);
3089 ++ check_memory_region((unsigned long)dest, len, true, _RET_IP_);
3090 +
3091 + return __memcpy(dest, src, len);
3092 + }
3093 +@@ -484,22 +500,22 @@ void __asan_unregister_globals(struct kasan_global *globals, size_t size)
3094 + }
3095 + EXPORT_SYMBOL(__asan_unregister_globals);
3096 +
3097 +-#define DEFINE_ASAN_LOAD_STORE(size) \
3098 +- void __asan_load##size(unsigned long addr) \
3099 +- { \
3100 +- check_memory_region(addr, size, false); \
3101 +- } \
3102 +- EXPORT_SYMBOL(__asan_load##size); \
3103 +- __alias(__asan_load##size) \
3104 +- void __asan_load##size##_noabort(unsigned long); \
3105 +- EXPORT_SYMBOL(__asan_load##size##_noabort); \
3106 +- void __asan_store##size(unsigned long addr) \
3107 +- { \
3108 +- check_memory_region(addr, size, true); \
3109 +- } \
3110 +- EXPORT_SYMBOL(__asan_store##size); \
3111 +- __alias(__asan_store##size) \
3112 +- void __asan_store##size##_noabort(unsigned long); \
3113 ++#define DEFINE_ASAN_LOAD_STORE(size) \
3114 ++ void __asan_load##size(unsigned long addr) \
3115 ++ { \
3116 ++ check_memory_region_inline(addr, size, false, _RET_IP_);\
3117 ++ } \
3118 ++ EXPORT_SYMBOL(__asan_load##size); \
3119 ++ __alias(__asan_load##size) \
3120 ++ void __asan_load##size##_noabort(unsigned long); \
3121 ++ EXPORT_SYMBOL(__asan_load##size##_noabort); \
3122 ++ void __asan_store##size(unsigned long addr) \
3123 ++ { \
3124 ++ check_memory_region_inline(addr, size, true, _RET_IP_); \
3125 ++ } \
3126 ++ EXPORT_SYMBOL(__asan_store##size); \
3127 ++ __alias(__asan_store##size) \
3128 ++ void __asan_store##size##_noabort(unsigned long); \
3129 + EXPORT_SYMBOL(__asan_store##size##_noabort)
3130 +
3131 + DEFINE_ASAN_LOAD_STORE(1);
3132 +@@ -510,7 +526,7 @@ DEFINE_ASAN_LOAD_STORE(16);
3133 +
3134 + void __asan_loadN(unsigned long addr, size_t size)
3135 + {
3136 +- check_memory_region(addr, size, false);
3137 ++ check_memory_region(addr, size, false, _RET_IP_);
3138 + }
3139 + EXPORT_SYMBOL(__asan_loadN);
3140 +
3141 +@@ -520,7 +536,7 @@ EXPORT_SYMBOL(__asan_loadN_noabort);
3142 +
3143 + void __asan_storeN(unsigned long addr, size_t size)
3144 + {
3145 +- check_memory_region(addr, size, true);
3146 ++ check_memory_region(addr, size, true, _RET_IP_);
3147 + }
3148 + EXPORT_SYMBOL(__asan_storeN);
3149 +
3150 +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
3151 +index e562385d9440e..30731ce390ba0 100644
3152 +--- a/net/bluetooth/l2cap_sock.c
3153 ++++ b/net/bluetooth/l2cap_sock.c
3154 +@@ -1330,8 +1330,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
3155 +
3156 + parent = bt_sk(sk)->parent;
3157 +
3158 +- sock_set_flag(sk, SOCK_ZAPPED);
3159 +-
3160 + switch (chan->state) {
3161 + case BT_OPEN:
3162 + case BT_BOUND:
3163 +@@ -1358,8 +1356,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
3164 +
3165 + break;
3166 + }
3167 +-
3168 + release_sock(sk);
3169 ++
3170 ++ /* Only zap after cleanup to avoid use after free race */
3171 ++ sock_set_flag(sk, SOCK_ZAPPED);
3172 ++
3173 + }
3174 +
3175 + static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
3176 +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
3177 +index 9a9f49b55abd7..c16c199d9cd99 100644
3178 +--- a/net/ipv4/icmp.c
3179 ++++ b/net/ipv4/icmp.c
3180 +@@ -246,7 +246,7 @@ static struct {
3181 + /**
3182 + * icmp_global_allow - Are we allowed to send one more ICMP message ?
3183 + *
3184 +- * Uses a token bucket to limit our ICMP messages to sysctl_icmp_msgs_per_sec.
3185 ++ * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec.
3186 + * Returns false if we reached the limit and can not send another packet.
3187 + * Note: called with BH disabled
3188 + */
3189 +@@ -274,7 +274,10 @@ bool icmp_global_allow(void)
3190 + }
3191 + credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
3192 + if (credit) {
3193 +- credit--;
3194 ++ /* We want to use a credit of one in average, but need to randomize
3195 ++ * it for security reasons.
3196 ++ */
3197 ++ credit = max_t(int, credit - prandom_u32_max(3), 0);
3198 + rc = true;
3199 + }
3200 + WRITE_ONCE(icmp_global.credit, credit);
3201 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
3202 +index 9215ee1de4947..0919183b003fc 100644
3203 +--- a/net/ipv4/tcp_input.c
3204 ++++ b/net/ipv4/tcp_input.c
3205 +@@ -5531,6 +5531,8 @@ void tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
3206 + tcp_data_snd_check(sk);
3207 + if (!inet_csk_ack_scheduled(sk))
3208 + goto no_ack;
3209 ++ } else {
3210 ++ tcp_update_wl(tp, TCP_SKB_CB(skb)->seq);
3211 + }
3212 +
3213 + __tcp_ack_snd_check(sk, 0);
3214 +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
3215 +index b176f76dfaa14..c7ee962a547b9 100644
3216 +--- a/net/netfilter/ipvs/ip_vs_ctl.c
3217 ++++ b/net/netfilter/ipvs/ip_vs_ctl.c
3218 +@@ -2383,6 +2383,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
3219 + /* Set timeout values for (tcp tcpfin udp) */
3220 + ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
3221 + goto out_unlock;
3222 ++ } else if (!len) {
3223 ++ /* No more commands with len == 0 below */
3224 ++ ret = -EINVAL;
3225 ++ goto out_unlock;
3226 + }
3227 +
3228 + usvc_compat = (struct ip_vs_service_user *)arg;
3229 +@@ -2459,9 +2463,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
3230 + break;
3231 + case IP_VS_SO_SET_DELDEST:
3232 + ret = ip_vs_del_dest(svc, &udest);
3233 +- break;
3234 +- default:
3235 +- ret = -EINVAL;
3236 + }
3237 +
3238 + out_unlock:
3239 +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
3240 +index c9d5e9c621784..639e5cad0442c 100644
3241 +--- a/net/nfc/netlink.c
3242 ++++ b/net/nfc/netlink.c
3243 +@@ -1190,7 +1190,7 @@ static int nfc_genl_fw_download(struct sk_buff *skb, struct genl_info *info)
3244 + u32 idx;
3245 + char firmware_name[NFC_FIRMWARE_NAME_MAXSIZE + 1];
3246 +
3247 +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
3248 ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || !info->attrs[NFC_ATTR_FIRMWARE_NAME])
3249 + return -EINVAL;
3250 +
3251 + idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
3252 +diff --git a/net/tipc/msg.c b/net/tipc/msg.c
3253 +index fc1aa8bcb185d..30c3a7985fa4d 100644
3254 +--- a/net/tipc/msg.c
3255 ++++ b/net/tipc/msg.c
3256 +@@ -138,7 +138,8 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
3257 + if (fragid == FIRST_FRAGMENT) {
3258 + if (unlikely(head))
3259 + goto err;
3260 +- frag = skb_unshare(frag, GFP_ATOMIC);
3261 ++ if (skb_cloned(frag))
3262 ++ frag = skb_copy(frag, GFP_ATOMIC);
3263 + if (unlikely(!frag))
3264 + goto err;
3265 + head = *headbuf = frag;
3266 +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
3267 +index 95366e35ab134..7748d674677c9 100644
3268 +--- a/net/wireless/nl80211.c
3269 ++++ b/net/wireless/nl80211.c
3270 +@@ -1672,7 +1672,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
3271 + * case we'll continue with more data in the next round,
3272 + * but break unconditionally so unsplit data stops here.
3273 + */
3274 +- state->split_start++;
3275 ++ if (state->split)
3276 ++ state->split_start++;
3277 ++ else
3278 ++ state->split_start = 0;
3279 + break;
3280 + case 9:
3281 + if (rdev->wiphy.extended_capabilities &&
3282 +diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
3283 +index 5c87baaefafb6..0c0df76170aef 100644
3284 +--- a/security/integrity/ima/ima_crypto.c
3285 ++++ b/security/integrity/ima/ima_crypto.c
3286 +@@ -555,6 +555,8 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
3287 + ima_pcrread(i, pcr_i);
3288 + /* now accumulate with current aggregate */
3289 + rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);
3290 ++ if (rc != 0)
3291 ++ return rc;
3292 + }
3293 + if (!rc)
3294 + crypto_shash_final(shash, digest);
3295 +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c
3296 +index 8044775999eda..4d1548b951c41 100644
3297 +--- a/sound/core/seq/oss/seq_oss.c
3298 ++++ b/sound/core/seq/oss/seq_oss.c
3299 +@@ -186,9 +186,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
3300 + if (snd_BUG_ON(!dp))
3301 + return -ENXIO;
3302 +
3303 +- mutex_lock(&register_mutex);
3304 ++ if (cmd != SNDCTL_SEQ_SYNC &&
3305 ++ mutex_lock_interruptible(&register_mutex))
3306 ++ return -ERESTARTSYS;
3307 + rc = snd_seq_oss_ioctl(dp, cmd, arg);
3308 +- mutex_unlock(&register_mutex);
3309 ++ if (cmd != SNDCTL_SEQ_SYNC)
3310 ++ mutex_unlock(&register_mutex);
3311 + return rc;
3312 + }
3313 +
3314 +diff --git a/sound/firewire/bebob/bebob_hwdep.c b/sound/firewire/bebob/bebob_hwdep.c
3315 +index ce731f4d8b4f5..733ba42e24622 100644
3316 +--- a/sound/firewire/bebob/bebob_hwdep.c
3317 ++++ b/sound/firewire/bebob/bebob_hwdep.c
3318 +@@ -37,12 +37,11 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
3319 + }
3320 +
3321 + memset(&event, 0, sizeof(event));
3322 ++ count = min_t(long, count, sizeof(event.lock_status));
3323 + if (bebob->dev_lock_changed) {
3324 + event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
3325 + event.lock_status.status = (bebob->dev_lock_count > 0);
3326 + bebob->dev_lock_changed = false;
3327 +-
3328 +- count = min_t(long, count, sizeof(event.lock_status));
3329 + }
3330 +
3331 + spin_unlock_irq(&bebob->lock);
3332 +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
3333 +index c8f2d084a8ce3..be5a7c1b36ff3 100644
3334 +--- a/tools/perf/util/intel-pt.c
3335 ++++ b/tools/perf/util/intel-pt.c
3336 +@@ -794,6 +794,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt,
3337 +
3338 + if (queue->tid == -1 || pt->have_sched_switch) {
3339 + ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu);
3340 ++ if (ptq->tid == -1)
3341 ++ ptq->pid = -1;
3342 + thread__zput(ptq->thread);
3343 + }
3344 +
3345 +@@ -1634,10 +1636,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event,
3346 + tid = sample->tid;
3347 + }
3348 +
3349 +- if (tid == -1) {
3350 +- pr_err("context_switch event has no tid\n");
3351 +- return -EINVAL;
3352 +- }
3353 ++ if (tid == -1)
3354 ++ intel_pt_log("context_switch event has no tid\n");
3355 +
3356 + intel_pt_log("context_switch: cpu %d pid %d tid %d time %"PRIu64" tsc %#"PRIx64"\n",
3357 + cpu, pid, tid, sample->time, perf_time_to_tsc(sample->time,
Report Message
Find on MARC Find on Google Groups