Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 11 Mar 2020 10:14:55
Message-Id: 1583921668.833529f439f2d25ab9197573f88dad1b0544ebb5.mpagano@gentoo
1 commit: 833529f439f2d25ab9197573f88dad1b0544ebb5
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Mar 11 10:14:28 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Mar 11 10:14:28 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=833529f4
7
8 Linux patch 4.4.216
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1215_linux-4.4.216.patch | 2919 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 2923 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index b4dfa87..5c1fd6b 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -903,6 +903,10 @@ Patch: 1214_linux-4.4.215.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.215
23
24 +Patch: 1215_linux-4.4.216.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.216
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1215_linux-4.4.216.patch b/1215_linux-4.4.216.patch
33 new file mode 100644
34 index 0000000..04d770a
35 --- /dev/null
36 +++ b/1215_linux-4.4.216.patch
37 @@ -0,0 +1,2919 @@
38 +diff --git a/Makefile b/Makefile
39 +index 9118ca43acb4..e0bcd5a0ae9b 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 4
45 +-SUBLEVEL = 215
46 ++SUBLEVEL = 216
47 + EXTRAVERSION =
48 + NAME = Blurry Fish Butt
49 +
50 +diff --git a/arch/arm/mach-imx/Makefile b/arch/arm/mach-imx/Makefile
51 +index fb689d813b09..6358ea48eaf9 100644
52 +--- a/arch/arm/mach-imx/Makefile
53 ++++ b/arch/arm/mach-imx/Makefile
54 +@@ -91,6 +91,8 @@ AFLAGS_suspend-imx6.o :=-Wa,-march=armv7-a
55 + obj-$(CONFIG_SOC_IMX6) += suspend-imx6.o
56 + obj-$(CONFIG_SOC_IMX53) += suspend-imx53.o
57 + endif
58 ++AFLAGS_resume-imx6.o :=-Wa,-march=armv7-a
59 ++obj-$(CONFIG_SOC_IMX6) += resume-imx6.o
60 + obj-$(CONFIG_SOC_IMX6) += pm-imx6.o
61 +
62 + obj-$(CONFIG_SOC_IMX50) += mach-imx50.o
63 +diff --git a/arch/arm/mach-imx/common.h b/arch/arm/mach-imx/common.h
64 +index e2d53839fceb..288f57222745 100644
65 +--- a/arch/arm/mach-imx/common.h
66 ++++ b/arch/arm/mach-imx/common.h
67 +@@ -115,17 +115,17 @@ void imx_cpu_die(unsigned int cpu);
68 + int imx_cpu_kill(unsigned int cpu);
69 +
70 + #ifdef CONFIG_SUSPEND
71 +-void v7_cpu_resume(void);
72 + void imx53_suspend(void __iomem *ocram_vbase);
73 + extern const u32 imx53_suspend_sz;
74 + void imx6_suspend(void __iomem *ocram_vbase);
75 + #else
76 +-static inline void v7_cpu_resume(void) {}
77 + static inline void imx53_suspend(void __iomem *ocram_vbase) {}
78 + static const u32 imx53_suspend_sz;
79 + static inline void imx6_suspend(void __iomem *ocram_vbase) {}
80 + #endif
81 +
82 ++void v7_cpu_resume(void);
83 ++
84 + void imx6_pm_ccm_init(const char *ccm_compat);
85 + void imx6q_pm_init(void);
86 + void imx6dl_pm_init(void);
87 +diff --git a/arch/arm/mach-imx/resume-imx6.S b/arch/arm/mach-imx/resume-imx6.S
88 +new file mode 100644
89 +index 000000000000..5bd1ba7ef15b
90 +--- /dev/null
91 ++++ b/arch/arm/mach-imx/resume-imx6.S
92 +@@ -0,0 +1,24 @@
93 ++/* SPDX-License-Identifier: GPL-2.0-or-later */
94 ++/*
95 ++ * Copyright 2014 Freescale Semiconductor, Inc.
96 ++ */
97 ++
98 ++#include <linux/linkage.h>
99 ++#include <asm/assembler.h>
100 ++#include <asm/asm-offsets.h>
101 ++#include <asm/hardware/cache-l2x0.h>
102 ++#include "hardware.h"
103 ++
104 ++/*
105 ++ * The following code must assume it is running from physical address
106 ++ * where absolute virtual addresses to the data section have to be
107 ++ * turned into relative ones.
108 ++ */
109 ++
110 ++ENTRY(v7_cpu_resume)
111 ++ bl v7_invalidate_l1
112 ++#ifdef CONFIG_CACHE_L2X0
113 ++ bl l2c310_early_resume
114 ++#endif
115 ++ b cpu_resume
116 ++ENDPROC(v7_cpu_resume)
117 +diff --git a/arch/arm/mach-imx/suspend-imx6.S b/arch/arm/mach-imx/suspend-imx6.S
118 +index 76ee2ceec8d5..7d84b617af48 100644
119 +--- a/arch/arm/mach-imx/suspend-imx6.S
120 ++++ b/arch/arm/mach-imx/suspend-imx6.S
121 +@@ -333,17 +333,3 @@ resume:
122 +
123 + ret lr
124 + ENDPROC(imx6_suspend)
125 +-
126 +-/*
127 +- * The following code must assume it is running from physical address
128 +- * where absolute virtual addresses to the data section have to be
129 +- * turned into relative ones.
130 +- */
131 +-
132 +-ENTRY(v7_cpu_resume)
133 +- bl v7_invalidate_l1
134 +-#ifdef CONFIG_CACHE_L2X0
135 +- bl l2c310_early_resume
136 +-#endif
137 +- b cpu_resume
138 +-ENDPROC(v7_cpu_resume)
139 +diff --git a/arch/mips/kernel/vpe.c b/arch/mips/kernel/vpe.c
140 +index 9067b651c7a2..ca93984ff5a6 100644
141 +--- a/arch/mips/kernel/vpe.c
142 ++++ b/arch/mips/kernel/vpe.c
143 +@@ -134,7 +134,7 @@ void release_vpe(struct vpe *v)
144 + {
145 + list_del(&v->list);
146 + if (v->load_addr)
147 +- release_progmem(v);
148 ++ release_progmem(v->load_addr);
149 + kfree(v);
150 + }
151 +
152 +diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
153 +index 7d80bfdfb15e..7ad686009795 100644
154 +--- a/arch/powerpc/kernel/cputable.c
155 ++++ b/arch/powerpc/kernel/cputable.c
156 +@@ -2147,11 +2147,13 @@ static struct cpu_spec * __init setup_cpu_spec(unsigned long offset,
157 + * oprofile_cpu_type already has a value, then we are
158 + * possibly overriding a real PVR with a logical one,
159 + * and, in that case, keep the current value for
160 +- * oprofile_cpu_type.
161 ++ * oprofile_cpu_type. Futhermore, let's ensure that the
162 ++ * fix for the PMAO bug is enabled on compatibility mode.
163 + */
164 + if (old.oprofile_cpu_type != NULL) {
165 + t->oprofile_cpu_type = old.oprofile_cpu_type;
166 + t->oprofile_type = old.oprofile_type;
167 ++ t->cpu_features |= old.cpu_features & CPU_FTR_PMAO_BUG;
168 + }
169 + }
170 +
171 +diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
172 +index 7ad41be8b373..4f7dad36b3c1 100644
173 +--- a/arch/s390/mm/gup.c
174 ++++ b/arch/s390/mm/gup.c
175 +@@ -37,7 +37,8 @@ static inline int gup_pte_range(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
176 + return 0;
177 + VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
178 + page = pte_page(pte);
179 +- if (!page_cache_get_speculative(page))
180 ++ if (WARN_ON_ONCE(page_ref_count(page) < 0)
181 ++ || !page_cache_get_speculative(page))
182 + return 0;
183 + if (unlikely(pte_val(pte) != pte_val(*ptep))) {
184 + put_page(page);
185 +@@ -76,7 +77,8 @@ static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
186 + refs++;
187 + } while (addr += PAGE_SIZE, addr != end);
188 +
189 +- if (!page_cache_add_speculative(head, refs)) {
190 ++ if (WARN_ON_ONCE(page_ref_count(head) < 0)
191 ++ || !page_cache_add_speculative(head, refs)) {
192 + *nr -= refs;
193 + return 0;
194 + }
195 +diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
196 +index 7d2542ad346a..6612d532e42e 100644
197 +--- a/arch/x86/mm/gup.c
198 ++++ b/arch/x86/mm/gup.c
199 +@@ -95,7 +95,10 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr,
200 + }
201 + VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
202 + page = pte_page(pte);
203 +- get_page(page);
204 ++ if (unlikely(!try_get_page(page))) {
205 ++ pte_unmap(ptep);
206 ++ return 0;
207 ++ }
208 + SetPageReferenced(page);
209 + pages[*nr] = page;
210 + (*nr)++;
211 +@@ -132,6 +135,8 @@ static noinline int gup_huge_pmd(pmd_t pmd, unsigned long addr,
212 +
213 + refs = 0;
214 + head = pmd_page(pmd);
215 ++ if (WARN_ON_ONCE(page_ref_count(head) <= 0))
216 ++ return 0;
217 + page = head + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
218 + do {
219 + VM_BUG_ON_PAGE(compound_head(page) != head, page);
220 +@@ -208,6 +213,8 @@ static noinline int gup_huge_pud(pud_t pud, unsigned long addr,
221 +
222 + refs = 0;
223 + head = pud_page(pud);
224 ++ if (WARN_ON_ONCE(page_ref_count(head) <= 0))
225 ++ return 0;
226 + page = head + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
227 + do {
228 + VM_BUG_ON_PAGE(compound_head(page) != head, page);
229 +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
230 +index d12782dc9683..9bd4691cc5c5 100644
231 +--- a/crypto/algif_skcipher.c
232 ++++ b/crypto/algif_skcipher.c
233 +@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
234 + lock_sock(sk);
235 + tx_nents = skcipher_all_sg_nents(ctx);
236 + sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
237 +- if (unlikely(!sreq->tsg))
238 ++ if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
239 + goto unlock;
240 + sg_init_table(sreq->tsg, tx_nents);
241 + memcpy(iv, ctx->iv, ivsize);
242 +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
243 +index 67d23ed2d1a0..29082d99264e 100644
244 +--- a/drivers/char/ipmi/ipmi_ssif.c
245 ++++ b/drivers/char/ipmi/ipmi_ssif.c
246 +@@ -742,10 +742,14 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
247 + flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
248 + msg = ssif_info->curr_msg;
249 + if (msg) {
250 ++ if (data) {
251 ++ if (len > IPMI_MAX_MSG_LENGTH)
252 ++ len = IPMI_MAX_MSG_LENGTH;
253 ++ memcpy(msg->rsp, data, len);
254 ++ } else {
255 ++ len = 0;
256 ++ }
257 + msg->rsp_size = len;
258 +- if (msg->rsp_size > IPMI_MAX_MSG_LENGTH)
259 +- msg->rsp_size = IPMI_MAX_MSG_LENGTH;
260 +- memcpy(msg->rsp, data, msg->rsp_size);
261 + ssif_info->curr_msg = NULL;
262 + }
263 +
264 +diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
265 +index 4746fee4cd48..546a91186de1 100644
266 +--- a/drivers/dma/coh901318.c
267 ++++ b/drivers/dma/coh901318.c
268 +@@ -1960,8 +1960,6 @@ static void dma_tc_handle(struct coh901318_chan *cohc)
269 + return;
270 + }
271 +
272 +- spin_lock(&cohc->lock);
273 +-
274 + /*
275 + * When we reach this point, at least one queue item
276 + * should have been moved over from cohc->queue to
277 +@@ -1982,8 +1980,6 @@ static void dma_tc_handle(struct coh901318_chan *cohc)
278 + if (coh901318_queue_start(cohc) == NULL)
279 + cohc->busy = 0;
280 +
281 +- spin_unlock(&cohc->lock);
282 +-
283 + /*
284 + * This tasklet will remove items from cohc->active
285 + * and thus terminates them.
286 +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
287 +index 67f201b8dcda..b5cf5d36de2b 100644
288 +--- a/drivers/dma/tegra20-apb-dma.c
289 ++++ b/drivers/dma/tegra20-apb-dma.c
290 +@@ -285,7 +285,7 @@ static struct tegra_dma_desc *tegra_dma_desc_get(
291 +
292 + /* Do not allocate if desc are waiting for ack */
293 + list_for_each_entry(dma_desc, &tdc->free_dma_desc, node) {
294 +- if (async_tx_test_ack(&dma_desc->txd)) {
295 ++ if (async_tx_test_ack(&dma_desc->txd) && !dma_desc->cb_count) {
296 + list_del(&dma_desc->node);
297 + spin_unlock_irqrestore(&tdc->lock, flags);
298 + dma_desc->txd.flags = 0;
299 +@@ -754,10 +754,6 @@ static int tegra_dma_terminate_all(struct dma_chan *dc)
300 + bool was_busy;
301 +
302 + spin_lock_irqsave(&tdc->lock, flags);
303 +- if (list_empty(&tdc->pending_sg_req)) {
304 +- spin_unlock_irqrestore(&tdc->lock, flags);
305 +- return 0;
306 +- }
307 +
308 + if (!tdc->busy)
309 + goto skip_dma_stop;
310 +diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c
311 +index 0455ff75074a..34220df1265f 100644
312 +--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c
313 ++++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c
314 +@@ -302,7 +302,7 @@ static int dsi_mgr_connector_get_modes(struct drm_connector *connector)
315 + return num;
316 + }
317 +
318 +-static int dsi_mgr_connector_mode_valid(struct drm_connector *connector,
319 ++static enum drm_mode_status dsi_mgr_connector_mode_valid(struct drm_connector *connector,
320 + struct drm_display_mode *mode)
321 + {
322 + int id = dsi_mgr_connector_get_id(connector);
323 +@@ -434,6 +434,7 @@ static void dsi_mgr_bridge_post_disable(struct drm_bridge *bridge)
324 + struct msm_dsi *msm_dsi1 = dsi_mgr_get_dsi(DSI_1);
325 + struct mipi_dsi_host *host = msm_dsi->host;
326 + struct drm_panel *panel = msm_dsi->panel;
327 ++ struct msm_dsi_pll *src_pll;
328 + bool is_dual_dsi = IS_DUAL_DSI();
329 + int ret;
330 +
331 +@@ -467,6 +468,10 @@ static void dsi_mgr_bridge_post_disable(struct drm_bridge *bridge)
332 + id, ret);
333 + }
334 +
335 ++ /* Save PLL status if it is a clock source */
336 ++ src_pll = msm_dsi_phy_get_pll(msm_dsi->phy);
337 ++ msm_dsi_pll_save_state(src_pll);
338 ++
339 + ret = msm_dsi_host_power_off(host);
340 + if (ret)
341 + pr_err("%s: host %d power off failed,%d\n", __func__, id, ret);
342 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
343 +index 16ff8d3c7cfe..325adbef134c 100644
344 +--- a/drivers/hid/hid-core.c
345 ++++ b/drivers/hid/hid-core.c
346 +@@ -1508,7 +1508,9 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
347 +
348 + rsize = ((report->size - 1) >> 3) + 1;
349 +
350 +- if (rsize > HID_MAX_BUFFER_SIZE)
351 ++ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
352 ++ rsize = HID_MAX_BUFFER_SIZE - 1;
353 ++ else if (rsize > HID_MAX_BUFFER_SIZE)
354 + rsize = HID_MAX_BUFFER_SIZE;
355 +
356 + if (csize < rsize) {
357 +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
358 +index 8903ea09ac58..dbdd265075da 100644
359 +--- a/drivers/hid/usbhid/hiddev.c
360 ++++ b/drivers/hid/usbhid/hiddev.c
361 +@@ -962,9 +962,9 @@ void hiddev_disconnect(struct hid_device *hid)
362 + hiddev->exist = 0;
363 +
364 + if (hiddev->open) {
365 +- mutex_unlock(&hiddev->existancelock);
366 + usbhid_close(hiddev->hid);
367 + wake_up_interruptible(&hiddev->wait);
368 ++ mutex_unlock(&hiddev->existancelock);
369 + } else {
370 + mutex_unlock(&hiddev->existancelock);
371 + kfree(hiddev);
372 +diff --git a/drivers/hwmon/adt7462.c b/drivers/hwmon/adt7462.c
373 +index 5929e126da63..d9923d63eb4f 100644
374 +--- a/drivers/hwmon/adt7462.c
375 ++++ b/drivers/hwmon/adt7462.c
376 +@@ -426,7 +426,7 @@ static int ADT7462_REG_VOLT(struct adt7462_data *data, int which)
377 + return 0x95;
378 + break;
379 + }
380 +- return -ENODEV;
381 ++ return 0;
382 + }
383 +
384 + /* Provide labels for sysfs */
385 +diff --git a/drivers/i2c/busses/i2c-jz4780.c b/drivers/i2c/busses/i2c-jz4780.c
386 +index 4b58e8aaf5c5..ba3b94505c14 100644
387 +--- a/drivers/i2c/busses/i2c-jz4780.c
388 ++++ b/drivers/i2c/busses/i2c-jz4780.c
389 +@@ -82,25 +82,6 @@
390 + #define JZ4780_I2C_STA_TFNF BIT(1)
391 + #define JZ4780_I2C_STA_ACT BIT(0)
392 +
393 +-static const char * const jz4780_i2c_abrt_src[] = {
394 +- "ABRT_7B_ADDR_NOACK",
395 +- "ABRT_10ADDR1_NOACK",
396 +- "ABRT_10ADDR2_NOACK",
397 +- "ABRT_XDATA_NOACK",
398 +- "ABRT_GCALL_NOACK",
399 +- "ABRT_GCALL_READ",
400 +- "ABRT_HS_ACKD",
401 +- "SBYTE_ACKDET",
402 +- "ABRT_HS_NORSTRT",
403 +- "SBYTE_NORSTRT",
404 +- "ABRT_10B_RD_NORSTRT",
405 +- "ABRT_MASTER_DIS",
406 +- "ARB_LOST",
407 +- "SLVFLUSH_TXFIFO",
408 +- "SLV_ARBLOST",
409 +- "SLVRD_INTX",
410 +-};
411 +-
412 + #define JZ4780_I2C_INTST_IGC BIT(11)
413 + #define JZ4780_I2C_INTST_ISTT BIT(10)
414 + #define JZ4780_I2C_INTST_ISTP BIT(9)
415 +@@ -538,21 +519,8 @@ done:
416 +
417 + static void jz4780_i2c_txabrt(struct jz4780_i2c *i2c, int src)
418 + {
419 +- int i;
420 +-
421 +- dev_err(&i2c->adap.dev, "txabrt: 0x%08x\n", src);
422 +- dev_err(&i2c->adap.dev, "device addr=%x\n",
423 +- jz4780_i2c_readw(i2c, JZ4780_I2C_TAR));
424 +- dev_err(&i2c->adap.dev, "send cmd count:%d %d\n",
425 +- i2c->cmd, i2c->cmd_buf[i2c->cmd]);
426 +- dev_err(&i2c->adap.dev, "receive data count:%d %d\n",
427 +- i2c->cmd, i2c->data_buf[i2c->cmd]);
428 +-
429 +- for (i = 0; i < 16; i++) {
430 +- if (src & BIT(i))
431 +- dev_dbg(&i2c->adap.dev, "I2C TXABRT[%d]=%s\n",
432 +- i, jz4780_i2c_abrt_src[i]);
433 +- }
434 ++ dev_dbg(&i2c->adap.dev, "txabrt: 0x%08x, cmd: %d, send: %d, recv: %d\n",
435 ++ src, i2c->cmd, i2c->cmd_buf[i2c->cmd], i2c->data_buf[i2c->cmd]);
436 + }
437 +
438 + static inline int jz4780_i2c_xfer_read(struct jz4780_i2c *i2c,
439 +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
440 +index 941cd9b83941..53c622c99ee4 100644
441 +--- a/drivers/infiniband/core/cm.c
442 ++++ b/drivers/infiniband/core/cm.c
443 +@@ -1073,6 +1073,7 @@ struct ib_cm_id *ib_cm_insert_listen(struct ib_device *device,
444 + /* Sharing an ib_cm_id with different handlers is not
445 + * supported */
446 + spin_unlock_irqrestore(&cm.lock, flags);
447 ++ ib_destroy_cm_id(cm_id);
448 + return ERR_PTR(-EINVAL);
449 + }
450 + atomic_inc(&cm_id_priv->refcount);
451 +diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
452 +index ff9163dc1596..c4b779cc3b94 100644
453 +--- a/drivers/infiniband/core/iwcm.c
454 ++++ b/drivers/infiniband/core/iwcm.c
455 +@@ -125,8 +125,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
456 + {
457 + struct list_head *e, *tmp;
458 +
459 +- list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
460 ++ list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
461 ++ list_del(e);
462 + kfree(list_entry(e, struct iwcm_work, free_list));
463 ++ }
464 + }
465 +
466 + static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)
467 +diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
468 +index 531d6f3a786e..c95139fea15c 100644
469 +--- a/drivers/md/dm-cache-target.c
470 ++++ b/drivers/md/dm-cache-target.c
471 +@@ -2193,8 +2193,8 @@ static void wait_for_migrations(struct cache *cache)
472 +
473 + static void stop_worker(struct cache *cache)
474 + {
475 +- cancel_delayed_work(&cache->waker);
476 +- flush_workqueue(cache->wq);
477 ++ cancel_delayed_work_sync(&cache->waker);
478 ++ drain_workqueue(cache->wq);
479 + }
480 +
481 + static void requeue_deferred_cells(struct cache *cache)
482 +diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
483 +index 8dc1f0277117..d94e151cff12 100644
484 +--- a/drivers/net/ethernet/micrel/ks8851_mll.c
485 ++++ b/drivers/net/ethernet/micrel/ks8851_mll.c
486 +@@ -474,24 +474,6 @@ static int msg_enable;
487 + * chip is busy transferring packet data (RX/TX FIFO accesses).
488 + */
489 +
490 +-/**
491 +- * ks_rdreg8 - read 8 bit register from device
492 +- * @ks : The chip information
493 +- * @offset: The register address
494 +- *
495 +- * Read a 8bit register from the chip, returning the result
496 +- */
497 +-static u8 ks_rdreg8(struct ks_net *ks, int offset)
498 +-{
499 +- u16 data;
500 +- u8 shift_bit = offset & 0x03;
501 +- u8 shift_data = (offset & 1) << 3;
502 +- ks->cmd_reg_cache = (u16) offset | (u16)(BE0 << shift_bit);
503 +- iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
504 +- data = ioread16(ks->hw_addr);
505 +- return (u8)(data >> shift_data);
506 +-}
507 +-
508 + /**
509 + * ks_rdreg16 - read 16 bit register from device
510 + * @ks : The chip information
511 +@@ -502,27 +484,11 @@ static u8 ks_rdreg8(struct ks_net *ks, int offset)
512 +
513 + static u16 ks_rdreg16(struct ks_net *ks, int offset)
514 + {
515 +- ks->cmd_reg_cache = (u16)offset | ((BE1 | BE0) << (offset & 0x02));
516 ++ ks->cmd_reg_cache = (u16)offset | ((BE3 | BE2) >> (offset & 0x02));
517 + iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
518 + return ioread16(ks->hw_addr);
519 + }
520 +
521 +-/**
522 +- * ks_wrreg8 - write 8bit register value to chip
523 +- * @ks: The chip information
524 +- * @offset: The register address
525 +- * @value: The value to write
526 +- *
527 +- */
528 +-static void ks_wrreg8(struct ks_net *ks, int offset, u8 value)
529 +-{
530 +- u8 shift_bit = (offset & 0x03);
531 +- u16 value_write = (u16)(value << ((offset & 1) << 3));
532 +- ks->cmd_reg_cache = (u16)offset | (BE0 << shift_bit);
533 +- iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
534 +- iowrite16(value_write, ks->hw_addr);
535 +-}
536 +-
537 + /**
538 + * ks_wrreg16 - write 16bit register value to chip
539 + * @ks: The chip information
540 +@@ -533,7 +499,7 @@ static void ks_wrreg8(struct ks_net *ks, int offset, u8 value)
541 +
542 + static void ks_wrreg16(struct ks_net *ks, int offset, u16 value)
543 + {
544 +- ks->cmd_reg_cache = (u16)offset | ((BE1 | BE0) << (offset & 0x02));
545 ++ ks->cmd_reg_cache = (u16)offset | ((BE3 | BE2) >> (offset & 0x02));
546 + iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
547 + iowrite16(value, ks->hw_addr);
548 + }
549 +@@ -549,7 +515,7 @@ static inline void ks_inblk(struct ks_net *ks, u16 *wptr, u32 len)
550 + {
551 + len >>= 1;
552 + while (len--)
553 +- *wptr++ = (u16)ioread16(ks->hw_addr);
554 ++ *wptr++ = be16_to_cpu(ioread16(ks->hw_addr));
555 + }
556 +
557 + /**
558 +@@ -563,7 +529,7 @@ static inline void ks_outblk(struct ks_net *ks, u16 *wptr, u32 len)
559 + {
560 + len >>= 1;
561 + while (len--)
562 +- iowrite16(*wptr++, ks->hw_addr);
563 ++ iowrite16(cpu_to_be16(*wptr++), ks->hw_addr);
564 + }
565 +
566 + static void ks_disable_int(struct ks_net *ks)
567 +@@ -642,8 +608,7 @@ static void ks_read_config(struct ks_net *ks)
568 + u16 reg_data = 0;
569 +
570 + /* Regardless of bus width, 8 bit read should always work.*/
571 +- reg_data = ks_rdreg8(ks, KS_CCR) & 0x00FF;
572 +- reg_data |= ks_rdreg8(ks, KS_CCR+1) << 8;
573 ++ reg_data = ks_rdreg16(ks, KS_CCR);
574 +
575 + /* addr/data bus are multiplexed */
576 + ks->sharedbus = (reg_data & CCR_SHARED) == CCR_SHARED;
577 +@@ -747,7 +712,7 @@ static inline void ks_read_qmu(struct ks_net *ks, u16 *buf, u32 len)
578 +
579 + /* 1. set sudo DMA mode */
580 + ks_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI);
581 +- ks_wrreg8(ks, KS_RXQCR, (ks->rc_rxqcr | RXQCR_SDA) & 0xff);
582 ++ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
583 +
584 + /* 2. read prepend data */
585 + /**
586 +@@ -764,7 +729,7 @@ static inline void ks_read_qmu(struct ks_net *ks, u16 *buf, u32 len)
587 + ks_inblk(ks, buf, ALIGN(len, 4));
588 +
589 + /* 4. reset sudo DMA Mode */
590 +- ks_wrreg8(ks, KS_RXQCR, ks->rc_rxqcr);
591 ++ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
592 + }
593 +
594 + /**
595 +@@ -997,13 +962,13 @@ static void ks_write_qmu(struct ks_net *ks, u8 *pdata, u16 len)
596 + ks->txh.txw[1] = cpu_to_le16(len);
597 +
598 + /* 1. set sudo-DMA mode */
599 +- ks_wrreg8(ks, KS_RXQCR, (ks->rc_rxqcr | RXQCR_SDA) & 0xff);
600 ++ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
601 + /* 2. write status/lenth info */
602 + ks_outblk(ks, ks->txh.txw, 4);
603 + /* 3. write pkt data */
604 + ks_outblk(ks, (u16 *)pdata, ALIGN(len, 4));
605 + /* 4. reset sudo-DMA mode */
606 +- ks_wrreg8(ks, KS_RXQCR, ks->rc_rxqcr);
607 ++ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
608 + /* 5. Enqueue Tx(move the pkt from TX buffer into TXQ) */
609 + ks_wrreg16(ks, KS_TXQCR, TXQCR_METFE);
610 + /* 6. wait until TXQCR_METFE is auto-cleared */
611 +diff --git a/drivers/net/phy/mdio-bcm-iproc.c b/drivers/net/phy/mdio-bcm-iproc.c
612 +index 46fe1ae919a3..51ce3ea17fb3 100644
613 +--- a/drivers/net/phy/mdio-bcm-iproc.c
614 ++++ b/drivers/net/phy/mdio-bcm-iproc.c
615 +@@ -188,6 +188,23 @@ static int iproc_mdio_remove(struct platform_device *pdev)
616 + return 0;
617 + }
618 +
619 ++#ifdef CONFIG_PM_SLEEP
620 ++int iproc_mdio_resume(struct device *dev)
621 ++{
622 ++ struct platform_device *pdev = to_platform_device(dev);
623 ++ struct iproc_mdio_priv *priv = platform_get_drvdata(pdev);
624 ++
625 ++ /* restore the mii clock configuration */
626 ++ iproc_mdio_config_clk(priv->base);
627 ++
628 ++ return 0;
629 ++}
630 ++
631 ++static const struct dev_pm_ops iproc_mdio_pm_ops = {
632 ++ .resume = iproc_mdio_resume
633 ++};
634 ++#endif /* CONFIG_PM_SLEEP */
635 ++
636 + static const struct of_device_id iproc_mdio_of_match[] = {
637 + { .compatible = "brcm,iproc-mdio", },
638 + { /* sentinel */ },
639 +@@ -198,6 +215,9 @@ static struct platform_driver iproc_mdio_driver = {
640 + .driver = {
641 + .name = "iproc-mdio",
642 + .of_match_table = iproc_mdio_of_match,
643 ++#ifdef CONFIG_PM_SLEEP
644 ++ .pm = &iproc_mdio_pm_ops,
645 ++#endif
646 + },
647 + .probe = iproc_mdio_probe,
648 + .remove = iproc_mdio_remove,
649 +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
650 +index 0f8d5609ed51..d4a33baa33b6 100644
651 +--- a/drivers/net/slip/slip.c
652 ++++ b/drivers/net/slip/slip.c
653 +@@ -868,7 +868,6 @@ err_free_chan:
654 + tty->disc_data = NULL;
655 + clear_bit(SLF_INUSE, &sl->flags);
656 + sl_free_netdev(sl->dev);
657 +- free_netdev(sl->dev);
658 +
659 + err_exit:
660 + rtnl_unlock();
661 +diff --git a/drivers/net/wireless/iwlwifi/pcie/rx.c b/drivers/net/wireless/iwlwifi/pcie/rx.c
662 +index d6f9858ff2de..7fdb3ad9f53d 100644
663 +--- a/drivers/net/wireless/iwlwifi/pcie/rx.c
664 ++++ b/drivers/net/wireless/iwlwifi/pcie/rx.c
665 +@@ -708,9 +708,13 @@ int iwl_pcie_rx_init(struct iwl_trans *trans)
666 + if (err)
667 + return err;
668 + }
669 +- if (!rba->alloc_wq)
670 ++ if (!rba->alloc_wq) {
671 + rba->alloc_wq = alloc_workqueue("rb_allocator",
672 + WQ_HIGHPRI | WQ_UNBOUND, 1);
673 ++ if (!rba->alloc_wq)
674 ++ return -ENOMEM;
675 ++ }
676 ++
677 + INIT_WORK(&rba->rx_alloc, iwl_pcie_rx_allocator_work);
678 +
679 + cancel_work_sync(&rba->rx_alloc);
680 +diff --git a/drivers/nfc/pn544/i2c.c b/drivers/nfc/pn544/i2c.c
681 +index fa75c53f3fa5..22522edb6341 100644
682 +--- a/drivers/nfc/pn544/i2c.c
683 ++++ b/drivers/nfc/pn544/i2c.c
684 +@@ -241,6 +241,7 @@ static void pn544_hci_i2c_platform_init(struct pn544_i2c_phy *phy)
685 +
686 + out:
687 + gpio_set_value_cansleep(phy->gpio_en, !phy->en_polarity);
688 ++ usleep_range(10000, 15000);
689 + }
690 +
691 + static void pn544_hci_i2c_enable_mode(struct pn544_i2c_phy *phy, int run_mode)
692 +diff --git a/drivers/s390/cio/blacklist.c b/drivers/s390/cio/blacklist.c
693 +index 20314aad7ab7..f329459cadf1 100644
694 +--- a/drivers/s390/cio/blacklist.c
695 ++++ b/drivers/s390/cio/blacklist.c
696 +@@ -303,8 +303,10 @@ static void *
697 + cio_ignore_proc_seq_next(struct seq_file *s, void *it, loff_t *offset)
698 + {
699 + struct ccwdev_iter *iter;
700 ++ loff_t p = *offset;
701 +
702 +- if (*offset >= (__MAX_SUBCHANNEL + 1) * (__MAX_SSID + 1))
703 ++ (*offset)++;
704 ++ if (p >= (__MAX_SUBCHANNEL + 1) * (__MAX_SSID + 1))
705 + return NULL;
706 + iter = it;
707 + if (iter->devno == __MAX_SUBCHANNEL) {
708 +@@ -314,7 +316,6 @@ cio_ignore_proc_seq_next(struct seq_file *s, void *it, loff_t *offset)
709 + return NULL;
710 + } else
711 + iter->devno++;
712 +- (*offset)++;
713 + return iter;
714 + }
715 +
716 +diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c
717 +index 1519d2ca7705..40194791cde0 100644
718 +--- a/drivers/tty/serial/ar933x_uart.c
719 ++++ b/drivers/tty/serial/ar933x_uart.c
720 +@@ -294,6 +294,10 @@ static void ar933x_uart_set_termios(struct uart_port *port,
721 + ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
722 + AR933X_UART_CS_HOST_INT_EN);
723 +
724 ++ /* enable RX and TX ready overide */
725 ++ ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
726 ++ AR933X_UART_CS_TX_READY_ORIDE | AR933X_UART_CS_RX_READY_ORIDE);
727 ++
728 + /* reenable the UART */
729 + ar933x_uart_rmw(up, AR933X_UART_CS_REG,
730 + AR933X_UART_CS_IF_MODE_M << AR933X_UART_CS_IF_MODE_S,
731 +@@ -426,6 +430,10 @@ static int ar933x_uart_startup(struct uart_port *port)
732 + ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
733 + AR933X_UART_CS_HOST_INT_EN);
734 +
735 ++ /* enable RX and TX ready overide */
736 ++ ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
737 ++ AR933X_UART_CS_TX_READY_ORIDE | AR933X_UART_CS_RX_READY_ORIDE);
738 ++
739 + /* Enable RX interrupts */
740 + up->ier = AR933X_UART_INT_RX_VALID;
741 + ar933x_uart_write(up, AR933X_UART_INT_EN_REG, up->ier);
742 +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
743 +index ed27fda13387..def99f020d82 100644
744 +--- a/drivers/tty/sysrq.c
745 ++++ b/drivers/tty/sysrq.c
746 +@@ -542,7 +542,6 @@ void __handle_sysrq(int key, bool check_mask)
747 + */
748 + orig_log_level = console_loglevel;
749 + console_loglevel = CONSOLE_LOGLEVEL_DEFAULT;
750 +- pr_info("SysRq : ");
751 +
752 + op_p = __sysrq_get_key_op(key);
753 + if (op_p) {
754 +@@ -551,14 +550,15 @@ void __handle_sysrq(int key, bool check_mask)
755 + * should not) and is the invoked operation enabled?
756 + */
757 + if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
758 +- pr_cont("%s\n", op_p->action_msg);
759 ++ pr_info("%s\n", op_p->action_msg);
760 + console_loglevel = orig_log_level;
761 + op_p->handler(key);
762 + } else {
763 +- pr_cont("This sysrq operation is disabled.\n");
764 ++ pr_info("This sysrq operation is disabled.\n");
765 ++ console_loglevel = orig_log_level;
766 + }
767 + } else {
768 +- pr_cont("HELP : ");
769 ++ pr_info("HELP : ");
770 + /* Only print the help msg once per handler */
771 + for (i = 0; i < ARRAY_SIZE(sysrq_key_table); i++) {
772 + if (sysrq_key_table[i]) {
773 +diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c
774 +index 381a2b13682c..9dae02ce4092 100644
775 +--- a/drivers/tty/vt/selection.c
776 ++++ b/drivers/tty/vt/selection.c
777 +@@ -13,6 +13,7 @@
778 + #include <linux/tty.h>
779 + #include <linux/sched.h>
780 + #include <linux/mm.h>
781 ++#include <linux/mutex.h>
782 + #include <linux/slab.h>
783 + #include <linux/types.h>
784 +
785 +@@ -40,6 +41,7 @@ static volatile int sel_start = -1; /* cleared by clear_selection */
786 + static int sel_end;
787 + static int sel_buffer_lth;
788 + static char *sel_buffer;
789 ++static DEFINE_MUTEX(sel_lock);
790 +
791 + /* clear_selection, highlight and highlight_pointer can be called
792 + from interrupt (via scrollback/front) */
793 +@@ -156,14 +158,14 @@ static int store_utf8(u16 c, char *p)
794 + * The entire selection process is managed under the console_lock. It's
795 + * a lot under the lock but its hardly a performance path
796 + */
797 +-int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
798 ++static int __set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
799 + {
800 + struct vc_data *vc = vc_cons[fg_console].d;
801 + int sel_mode, new_sel_start, new_sel_end, spc;
802 + char *bp, *obp;
803 + int i, ps, pe, multiplier;
804 + u16 c;
805 +- int mode;
806 ++ int mode, ret = 0;
807 +
808 + poke_blanked_console();
809 +
810 +@@ -324,7 +326,21 @@ int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
811 + }
812 + }
813 + sel_buffer_lth = bp - sel_buffer;
814 +- return 0;
815 ++
816 ++ return ret;
817 ++}
818 ++
819 ++int set_selection(const struct tiocl_selection __user *v, struct tty_struct *tty)
820 ++{
821 ++ int ret;
822 ++
823 ++ mutex_lock(&sel_lock);
824 ++ console_lock();
825 ++ ret = __set_selection(v, tty);
826 ++ console_unlock();
827 ++ mutex_unlock(&sel_lock);
828 ++
829 ++ return ret;
830 + }
831 +
832 + /* Insert the contents of the selection buffer into the
833 +@@ -350,6 +366,7 @@ int paste_selection(struct tty_struct *tty)
834 + tty_buffer_lock_exclusive(&vc->port);
835 +
836 + add_wait_queue(&vc->paste_wait, &wait);
837 ++ mutex_lock(&sel_lock);
838 + while (sel_buffer && sel_buffer_lth > pasted) {
839 + set_current_state(TASK_INTERRUPTIBLE);
840 + if (test_bit(TTY_THROTTLED, &tty->flags)) {
841 +@@ -362,6 +379,7 @@ int paste_selection(struct tty_struct *tty)
842 + count);
843 + pasted += count;
844 + }
845 ++ mutex_unlock(&sel_lock);
846 + remove_wait_queue(&vc->paste_wait, &wait);
847 + __set_current_state(TASK_RUNNING);
848 +
849 +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
850 +index 6779f733bb83..5b8b6ebebf3e 100644
851 +--- a/drivers/tty/vt/vt.c
852 ++++ b/drivers/tty/vt/vt.c
853 +@@ -2687,9 +2687,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
854 + switch (type)
855 + {
856 + case TIOCL_SETSEL:
857 +- console_lock();
858 + ret = set_selection((struct tiocl_selection __user *)(p+1), tty);
859 +- console_unlock();
860 + break;
861 + case TIOCL_PASTESEL:
862 + ret = paste_selection(tty);
863 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
864 +index 4c302424c97a..963dd8a4b540 100644
865 +--- a/drivers/usb/core/hub.c
866 ++++ b/drivers/usb/core/hub.c
867 +@@ -938,13 +938,17 @@ int usb_remove_device(struct usb_device *udev)
868 + {
869 + struct usb_hub *hub;
870 + struct usb_interface *intf;
871 ++ int ret;
872 +
873 + if (!udev->parent) /* Can't remove a root hub */
874 + return -EINVAL;
875 + hub = usb_hub_to_struct_hub(udev->parent);
876 + intf = to_usb_interface(hub->intfdev);
877 +
878 +- usb_autopm_get_interface(intf);
879 ++ ret = usb_autopm_get_interface(intf);
880 ++ if (ret < 0)
881 ++ return ret;
882 ++
883 + set_bit(udev->portnum, hub->removed_bits);
884 + hub_port_logical_disconnect(hub, udev->portnum);
885 + usb_autopm_put_interface(intf);
886 +diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c
887 +index 5487fe308f01..1235e678184b 100644
888 +--- a/drivers/usb/core/port.c
889 ++++ b/drivers/usb/core/port.c
890 +@@ -98,7 +98,10 @@ static int usb_port_runtime_resume(struct device *dev)
891 + if (!port_dev->is_superspeed && peer)
892 + pm_runtime_get_sync(&peer->dev);
893 +
894 +- usb_autopm_get_interface(intf);
895 ++ retval = usb_autopm_get_interface(intf);
896 ++ if (retval < 0)
897 ++ return retval;
898 ++
899 + retval = usb_hub_set_port_power(hdev, hub, port1, true);
900 + msleep(hub_power_on_good_delay(hub));
901 + if (udev && !retval) {
902 +@@ -151,7 +154,10 @@ static int usb_port_runtime_suspend(struct device *dev)
903 + if (usb_port_block_power_off)
904 + return -EBUSY;
905 +
906 +- usb_autopm_get_interface(intf);
907 ++ retval = usb_autopm_get_interface(intf);
908 ++ if (retval < 0)
909 ++ return retval;
910 ++
911 + retval = usb_hub_set_port_power(hdev, hub, port1, false);
912 + usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_CONNECTION);
913 + if (!port_dev->is_superspeed)
914 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
915 +index ad8307140df8..64c03e871f2d 100644
916 +--- a/drivers/usb/core/quirks.c
917 ++++ b/drivers/usb/core/quirks.c
918 +@@ -86,6 +86,9 @@ static const struct usb_device_id usb_quirk_list[] = {
919 + /* Logitech PTZ Pro Camera */
920 + { USB_DEVICE(0x046d, 0x0853), .driver_info = USB_QUIRK_DELAY_INIT },
921 +
922 ++ /* Logitech Screen Share */
923 ++ { USB_DEVICE(0x046d, 0x086c), .driver_info = USB_QUIRK_NO_LPM },
924 ++
925 + /* Logitech Quickcam Fusion */
926 + { USB_DEVICE(0x046d, 0x08c1), .driver_info = USB_QUIRK_RESET_RESUME },
927 +
928 +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
929 +index 4cb1355271ec..9536c409a90d 100644
930 +--- a/drivers/usb/gadget/function/f_fs.c
931 ++++ b/drivers/usb/gadget/function/f_fs.c
932 +@@ -888,18 +888,19 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
933 + {
934 + struct ffs_io_data *io_data = kiocb->private;
935 + struct ffs_epfile *epfile = kiocb->ki_filp->private_data;
936 ++ unsigned long flags;
937 + int value;
938 +
939 + ENTER();
940 +
941 +- spin_lock_irq(&epfile->ffs->eps_lock);
942 ++ spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
943 +
944 + if (likely(io_data && io_data->ep && io_data->req))
945 + value = usb_ep_dequeue(io_data->ep, io_data->req);
946 + else
947 + value = -EINVAL;
948 +
949 +- spin_unlock_irq(&epfile->ffs->eps_lock);
950 ++ spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
951 +
952 + return value;
953 + }
954 +diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
955 +index 31e08bb3cb41..58a699cfa458 100644
956 +--- a/drivers/usb/gadget/function/u_serial.c
957 ++++ b/drivers/usb/gadget/function/u_serial.c
958 +@@ -701,8 +701,10 @@ static int gs_start_io(struct gs_port *port)
959 + port->n_read = 0;
960 + started = gs_start_rx(port);
961 +
962 +- /* unblock any pending writes into our circular buffer */
963 + if (started) {
964 ++ gs_start_tx(port);
965 ++ /* Unblock any pending writes into our circular buffer, in case
966 ++ * we didn't in gs_start_tx() */
967 + tty_wakeup(port->port.tty);
968 + } else {
969 + gs_free_requests(ep, head, &port->read_allocated);
970 +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
971 +index a98259e136dd..2e0a8088ffe2 100644
972 +--- a/drivers/usb/storage/unusual_devs.h
973 ++++ b/drivers/usb/storage/unusual_devs.h
974 +@@ -1206,6 +1206,12 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9999,
975 + USB_SC_RBC, USB_PR_BULK, NULL,
976 + 0 ),
977 +
978 ++UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100,
979 ++ "Samsung",
980 ++ "Flash Drive FIT",
981 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
982 ++ US_FL_MAX_SECTORS_64),
983 ++
984 + /* aeb */
985 + UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff,
986 + "Feiya",
987 +diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
988 +index 598ec7545e84..e5231dd55e6e 100644
989 +--- a/drivers/video/console/vgacon.c
990 ++++ b/drivers/video/console/vgacon.c
991 +@@ -1330,6 +1330,9 @@ static int vgacon_font_get(struct vc_data *c, struct console_font *font)
992 + static int vgacon_resize(struct vc_data *c, unsigned int width,
993 + unsigned int height, unsigned int user)
994 + {
995 ++ if ((width << 1) * height > vga_vram_size)
996 ++ return -EINVAL;
997 ++
998 + if (width % 2 || width > screen_info.orig_video_cols ||
999 + height > (screen_info.orig_video_lines * vga_default_font_height)/
1000 + c->vc_font.height)
1001 +diff --git a/drivers/watchdog/da9062_wdt.c b/drivers/watchdog/da9062_wdt.c
1002 +index 7386111220d5..daeb645fcea8 100644
1003 +--- a/drivers/watchdog/da9062_wdt.c
1004 ++++ b/drivers/watchdog/da9062_wdt.c
1005 +@@ -126,13 +126,6 @@ static int da9062_wdt_stop(struct watchdog_device *wdd)
1006 + struct da9062_watchdog *wdt = watchdog_get_drvdata(wdd);
1007 + int ret;
1008 +
1009 +- ret = da9062_reset_watchdog_timer(wdt);
1010 +- if (ret) {
1011 +- dev_err(wdt->hw->dev, "Failed to ping the watchdog (err = %d)\n",
1012 +- ret);
1013 +- return ret;
1014 +- }
1015 +-
1016 + ret = regmap_update_bits(wdt->hw->regmap,
1017 + DA9062AA_CONTROL_D,
1018 + DA9062AA_TWDSCALE_MASK,
1019 +diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
1020 +index 3f93125916bf..f5b87a8f75c4 100644
1021 +--- a/fs/cifs/cifsacl.c
1022 ++++ b/fs/cifs/cifsacl.c
1023 +@@ -480,7 +480,7 @@ static void access_flags_to_mode(__le32 ace_flags, int type, umode_t *pmode,
1024 + ((flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
1025 + *pmode |= (S_IXUGO & (*pbits_to_set));
1026 +
1027 +- cifs_dbg(NOISY, "access flags 0x%x mode now 0x%x\n", flags, *pmode);
1028 ++ cifs_dbg(NOISY, "access flags 0x%x mode now %04o\n", flags, *pmode);
1029 + return;
1030 + }
1031 +
1032 +@@ -509,7 +509,7 @@ static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
1033 + if (mode & S_IXUGO)
1034 + *pace_flags |= SET_FILE_EXEC_RIGHTS;
1035 +
1036 +- cifs_dbg(NOISY, "mode: 0x%x, access flags now 0x%x\n",
1037 ++ cifs_dbg(NOISY, "mode: %04o, access flags now 0x%x\n",
1038 + mode, *pace_flags);
1039 + return;
1040 + }
1041 +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
1042 +index 4bde8acca455..cf104bbe30a1 100644
1043 +--- a/fs/cifs/connect.c
1044 ++++ b/fs/cifs/connect.c
1045 +@@ -3402,7 +3402,7 @@ void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
1046 + cifs_sb->mnt_gid = pvolume_info->linux_gid;
1047 + cifs_sb->mnt_file_mode = pvolume_info->file_mode;
1048 + cifs_sb->mnt_dir_mode = pvolume_info->dir_mode;
1049 +- cifs_dbg(FYI, "file mode: 0x%hx dir mode: 0x%hx\n",
1050 ++ cifs_dbg(FYI, "file mode: %04ho dir mode: %04ho\n",
1051 + cifs_sb->mnt_file_mode, cifs_sb->mnt_dir_mode);
1052 +
1053 + cifs_sb->actimeo = pvolume_info->actimeo;
1054 +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
1055 +index 0a219545940d..c18c26a78453 100644
1056 +--- a/fs/cifs/inode.c
1057 ++++ b/fs/cifs/inode.c
1058 +@@ -1540,7 +1540,7 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, umode_t mode)
1059 + struct TCP_Server_Info *server;
1060 + char *full_path;
1061 +
1062 +- cifs_dbg(FYI, "In cifs_mkdir, mode = 0x%hx inode = 0x%p\n",
1063 ++ cifs_dbg(FYI, "In cifs_mkdir, mode = %04ho inode = 0x%p\n",
1064 + mode, inode);
1065 +
1066 + cifs_sb = CIFS_SB(inode->i_sb);
1067 +@@ -1957,6 +1957,7 @@ int cifs_revalidate_dentry_attr(struct dentry *dentry)
1068 + struct inode *inode = d_inode(dentry);
1069 + struct super_block *sb = dentry->d_sb;
1070 + char *full_path = NULL;
1071 ++ int count = 0;
1072 +
1073 + if (inode == NULL)
1074 + return -ENOENT;
1075 +@@ -1978,15 +1979,18 @@ int cifs_revalidate_dentry_attr(struct dentry *dentry)
1076 + full_path, inode, inode->i_count.counter,
1077 + dentry, dentry->d_time, jiffies);
1078 +
1079 ++again:
1080 + if (cifs_sb_master_tcon(CIFS_SB(sb))->unix_ext)
1081 + rc = cifs_get_inode_info_unix(&inode, full_path, sb, xid);
1082 + else
1083 + rc = cifs_get_inode_info(&inode, full_path, NULL, sb,
1084 + xid, NULL);
1085 +-
1086 ++ if (rc == -EAGAIN && count++ < 10)
1087 ++ goto again;
1088 + out:
1089 + kfree(full_path);
1090 + free_xid(xid);
1091 ++
1092 + return rc;
1093 + }
1094 +
1095 +diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
1096 +index b272b778aa85..37920394c64c 100644
1097 +--- a/fs/ecryptfs/keystore.c
1098 ++++ b/fs/ecryptfs/keystore.c
1099 +@@ -1280,7 +1280,7 @@ parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat,
1100 + printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n",
1101 + ECRYPTFS_TAG_1_PACKET_TYPE);
1102 + rc = -EINVAL;
1103 +- goto out_free;
1104 ++ goto out;
1105 + }
1106 + /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
1107 + * at end of function upon failure */
1108 +@@ -1330,7 +1330,7 @@ parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat,
1109 + printk(KERN_WARNING "Tag 1 packet contains key larger "
1110 + "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES");
1111 + rc = -EINVAL;
1112 +- goto out;
1113 ++ goto out_free;
1114 + }
1115 + memcpy((*new_auth_tok)->session_key.encrypted_key,
1116 + &data[(*packet_size)], (body_size - (ECRYPTFS_SIG_SIZE + 2)));
1117 +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
1118 +index e0fb7cdcee89..b041a215cd73 100644
1119 +--- a/fs/ext4/balloc.c
1120 ++++ b/fs/ext4/balloc.c
1121 +@@ -279,6 +279,7 @@ struct ext4_group_desc * ext4_get_group_desc(struct super_block *sb,
1122 + ext4_group_t ngroups = ext4_get_groups_count(sb);
1123 + struct ext4_group_desc *desc;
1124 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1125 ++ struct buffer_head *bh_p;
1126 +
1127 + if (block_group >= ngroups) {
1128 + ext4_error(sb, "block_group >= groups_count - block_group = %u,"
1129 +@@ -289,7 +290,14 @@ struct ext4_group_desc * ext4_get_group_desc(struct super_block *sb,
1130 +
1131 + group_desc = block_group >> EXT4_DESC_PER_BLOCK_BITS(sb);
1132 + offset = block_group & (EXT4_DESC_PER_BLOCK(sb) - 1);
1133 +- if (!sbi->s_group_desc[group_desc]) {
1134 ++ bh_p = sbi_array_rcu_deref(sbi, s_group_desc, group_desc);
1135 ++ /*
1136 ++ * sbi_array_rcu_deref returns with rcu unlocked, this is ok since
1137 ++ * the pointer being dereferenced won't be dereferenced again. By
1138 ++ * looking at the usage in add_new_gdb() the value isn't modified,
1139 ++ * just the pointer, and so it remains valid.
1140 ++ */
1141 ++ if (!bh_p) {
1142 + ext4_error(sb, "Group descriptor not loaded - "
1143 + "block_group = %u, group_desc = %u, desc = %u",
1144 + block_group, group_desc, offset);
1145 +@@ -297,10 +305,10 @@ struct ext4_group_desc * ext4_get_group_desc(struct super_block *sb,
1146 + }
1147 +
1148 + desc = (struct ext4_group_desc *)(
1149 +- (__u8 *)sbi->s_group_desc[group_desc]->b_data +
1150 ++ (__u8 *)bh_p->b_data +
1151 + offset * EXT4_DESC_SIZE(sb));
1152 + if (bh)
1153 +- *bh = sbi->s_group_desc[group_desc];
1154 ++ *bh = bh_p;
1155 + return desc;
1156 + }
1157 +
1158 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
1159 +index 00ab96311487..ab0f08c89d5f 100644
1160 +--- a/fs/ext4/ext4.h
1161 ++++ b/fs/ext4/ext4.h
1162 +@@ -1303,7 +1303,7 @@ struct ext4_sb_info {
1163 + loff_t s_bitmap_maxbytes; /* max bytes for bitmap files */
1164 + struct buffer_head * s_sbh; /* Buffer containing the super block */
1165 + struct ext4_super_block *s_es; /* Pointer to the super block in the buffer */
1166 +- struct buffer_head **s_group_desc;
1167 ++ struct buffer_head * __rcu *s_group_desc;
1168 + unsigned int s_mount_opt;
1169 + unsigned int s_mount_opt2;
1170 + unsigned int s_mount_flags;
1171 +@@ -1363,7 +1363,7 @@ struct ext4_sb_info {
1172 + #endif
1173 +
1174 + /* for buddy allocator */
1175 +- struct ext4_group_info ***s_group_info;
1176 ++ struct ext4_group_info ** __rcu *s_group_info;
1177 + struct inode *s_buddy_cache;
1178 + spinlock_t s_md_lock;
1179 + unsigned short *s_mb_offsets;
1180 +@@ -1410,7 +1410,7 @@ struct ext4_sb_info {
1181 + unsigned int s_extent_max_zeroout_kb;
1182 +
1183 + unsigned int s_log_groups_per_flex;
1184 +- struct flex_groups *s_flex_groups;
1185 ++ struct flex_groups * __rcu *s_flex_groups;
1186 + ext4_group_t s_flex_groups_allocated;
1187 +
1188 + /* workqueue for reserved extent conversions (buffered io) */
1189 +@@ -1491,6 +1491,23 @@ static inline void ext4_inode_aio_set(struct inode *inode, ext4_io_end_t *io)
1190 + inode->i_private = io;
1191 + }
1192 +
1193 ++/*
1194 ++ * Returns: sbi->field[index]
1195 ++ * Used to access an array element from the following sbi fields which require
1196 ++ * rcu protection to avoid dereferencing an invalid pointer due to reassignment
1197 ++ * - s_group_desc
1198 ++ * - s_group_info
1199 ++ * - s_flex_group
1200 ++ */
1201 ++#define sbi_array_rcu_deref(sbi, field, index) \
1202 ++({ \
1203 ++ typeof(*((sbi)->field)) _v; \
1204 ++ rcu_read_lock(); \
1205 ++ _v = ((typeof(_v)*)rcu_dereference((sbi)->field))[index]; \
1206 ++ rcu_read_unlock(); \
1207 ++ _v; \
1208 ++})
1209 ++
1210 + /*
1211 + * Inode dynamic state flags
1212 + */
1213 +@@ -2555,6 +2572,7 @@ extern int ext4_generic_delete_entry(handle_t *handle,
1214 + extern int ext4_empty_dir(struct inode *inode);
1215 +
1216 + /* resize.c */
1217 ++extern void ext4_kvfree_array_rcu(void *to_free);
1218 + extern int ext4_group_add(struct super_block *sb,
1219 + struct ext4_new_group_data *input);
1220 + extern int ext4_group_extend(struct super_block *sb,
1221 +@@ -2795,13 +2813,13 @@ static inline
1222 + struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
1223 + ext4_group_t group)
1224 + {
1225 +- struct ext4_group_info ***grp_info;
1226 ++ struct ext4_group_info **grp_info;
1227 + long indexv, indexh;
1228 + BUG_ON(group >= EXT4_SB(sb)->s_groups_count);
1229 +- grp_info = EXT4_SB(sb)->s_group_info;
1230 + indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb));
1231 + indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1);
1232 +- return grp_info[indexv][indexh];
1233 ++ grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv);
1234 ++ return grp_info[indexh];
1235 + }
1236 +
1237 + /*
1238 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
1239 +index 0963213e9cd3..c31b05f0bd69 100644
1240 +--- a/fs/ext4/ialloc.c
1241 ++++ b/fs/ext4/ialloc.c
1242 +@@ -331,11 +331,13 @@ void ext4_free_inode(handle_t *handle, struct inode *inode)
1243 +
1244 + percpu_counter_inc(&sbi->s_freeinodes_counter);
1245 + if (sbi->s_log_groups_per_flex) {
1246 +- ext4_group_t f = ext4_flex_group(sbi, block_group);
1247 ++ struct flex_groups *fg;
1248 +
1249 +- atomic_inc(&sbi->s_flex_groups[f].free_inodes);
1250 ++ fg = sbi_array_rcu_deref(sbi, s_flex_groups,
1251 ++ ext4_flex_group(sbi, block_group));
1252 ++ atomic_inc(&fg->free_inodes);
1253 + if (is_directory)
1254 +- atomic_dec(&sbi->s_flex_groups[f].used_dirs);
1255 ++ atomic_dec(&fg->used_dirs);
1256 + }
1257 + BUFFER_TRACE(bh2, "call ext4_handle_dirty_metadata");
1258 + fatal = ext4_handle_dirty_metadata(handle, NULL, bh2);
1259 +@@ -376,12 +378,13 @@ static void get_orlov_stats(struct super_block *sb, ext4_group_t g,
1260 + int flex_size, struct orlov_stats *stats)
1261 + {
1262 + struct ext4_group_desc *desc;
1263 +- struct flex_groups *flex_group = EXT4_SB(sb)->s_flex_groups;
1264 +
1265 + if (flex_size > 1) {
1266 +- stats->free_inodes = atomic_read(&flex_group[g].free_inodes);
1267 +- stats->free_clusters = atomic64_read(&flex_group[g].free_clusters);
1268 +- stats->used_dirs = atomic_read(&flex_group[g].used_dirs);
1269 ++ struct flex_groups *fg = sbi_array_rcu_deref(EXT4_SB(sb),
1270 ++ s_flex_groups, g);
1271 ++ stats->free_inodes = atomic_read(&fg->free_inodes);
1272 ++ stats->free_clusters = atomic64_read(&fg->free_clusters);
1273 ++ stats->used_dirs = atomic_read(&fg->used_dirs);
1274 + return;
1275 + }
1276 +
1277 +@@ -981,7 +984,8 @@ got:
1278 + if (sbi->s_log_groups_per_flex) {
1279 + ext4_group_t f = ext4_flex_group(sbi, group);
1280 +
1281 +- atomic_inc(&sbi->s_flex_groups[f].used_dirs);
1282 ++ atomic_inc(&sbi_array_rcu_deref(sbi, s_flex_groups,
1283 ++ f)->used_dirs);
1284 + }
1285 + }
1286 + if (ext4_has_group_desc_csum(sb)) {
1287 +@@ -1004,7 +1008,8 @@ got:
1288 +
1289 + if (sbi->s_log_groups_per_flex) {
1290 + flex_group = ext4_flex_group(sbi, group);
1291 +- atomic_dec(&sbi->s_flex_groups[flex_group].free_inodes);
1292 ++ atomic_dec(&sbi_array_rcu_deref(sbi, s_flex_groups,
1293 ++ flex_group)->free_inodes);
1294 + }
1295 +
1296 + inode->i_ino = ino + group * EXT4_INODES_PER_GROUP(sb);
1297 +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
1298 +index 828b4c080c38..fda49f4c5a8e 100644
1299 +--- a/fs/ext4/mballoc.c
1300 ++++ b/fs/ext4/mballoc.c
1301 +@@ -2378,7 +2378,7 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups)
1302 + {
1303 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1304 + unsigned size;
1305 +- struct ext4_group_info ***new_groupinfo;
1306 ++ struct ext4_group_info ***old_groupinfo, ***new_groupinfo;
1307 +
1308 + size = (ngroups + EXT4_DESC_PER_BLOCK(sb) - 1) >>
1309 + EXT4_DESC_PER_BLOCK_BITS(sb);
1310 +@@ -2391,13 +2391,16 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups)
1311 + ext4_msg(sb, KERN_ERR, "can't allocate buddy meta group");
1312 + return -ENOMEM;
1313 + }
1314 +- if (sbi->s_group_info) {
1315 +- memcpy(new_groupinfo, sbi->s_group_info,
1316 ++ rcu_read_lock();
1317 ++ old_groupinfo = rcu_dereference(sbi->s_group_info);
1318 ++ if (old_groupinfo)
1319 ++ memcpy(new_groupinfo, old_groupinfo,
1320 + sbi->s_group_info_size * sizeof(*sbi->s_group_info));
1321 +- kvfree(sbi->s_group_info);
1322 +- }
1323 +- sbi->s_group_info = new_groupinfo;
1324 ++ rcu_read_unlock();
1325 ++ rcu_assign_pointer(sbi->s_group_info, new_groupinfo);
1326 + sbi->s_group_info_size = size / sizeof(*sbi->s_group_info);
1327 ++ if (old_groupinfo)
1328 ++ ext4_kvfree_array_rcu(old_groupinfo);
1329 + ext4_debug("allocated s_groupinfo array for %d meta_bg's\n",
1330 + sbi->s_group_info_size);
1331 + return 0;
1332 +@@ -2409,6 +2412,7 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
1333 + {
1334 + int i;
1335 + int metalen = 0;
1336 ++ int idx = group >> EXT4_DESC_PER_BLOCK_BITS(sb);
1337 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1338 + struct ext4_group_info **meta_group_info;
1339 + struct kmem_cache *cachep = get_groupinfo_cache(sb->s_blocksize_bits);
1340 +@@ -2427,12 +2431,12 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
1341 + "for a buddy group");
1342 + goto exit_meta_group_info;
1343 + }
1344 +- sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)] =
1345 +- meta_group_info;
1346 ++ rcu_read_lock();
1347 ++ rcu_dereference(sbi->s_group_info)[idx] = meta_group_info;
1348 ++ rcu_read_unlock();
1349 + }
1350 +
1351 +- meta_group_info =
1352 +- sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)];
1353 ++ meta_group_info = sbi_array_rcu_deref(sbi, s_group_info, idx);
1354 + i = group & (EXT4_DESC_PER_BLOCK(sb) - 1);
1355 +
1356 + meta_group_info[i] = kmem_cache_zalloc(cachep, GFP_NOFS);
1357 +@@ -2480,8 +2484,13 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
1358 + exit_group_info:
1359 + /* If a meta_group_info table has been allocated, release it now */
1360 + if (group % EXT4_DESC_PER_BLOCK(sb) == 0) {
1361 +- kfree(sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)]);
1362 +- sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)] = NULL;
1363 ++ struct ext4_group_info ***group_info;
1364 ++
1365 ++ rcu_read_lock();
1366 ++ group_info = rcu_dereference(sbi->s_group_info);
1367 ++ kfree(group_info[idx]);
1368 ++ group_info[idx] = NULL;
1369 ++ rcu_read_unlock();
1370 + }
1371 + exit_meta_group_info:
1372 + return -ENOMEM;
1373 +@@ -2494,6 +2503,7 @@ static int ext4_mb_init_backend(struct super_block *sb)
1374 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1375 + int err;
1376 + struct ext4_group_desc *desc;
1377 ++ struct ext4_group_info ***group_info;
1378 + struct kmem_cache *cachep;
1379 +
1380 + err = ext4_mb_alloc_groupinfo(sb, ngroups);
1381 +@@ -2528,11 +2538,16 @@ err_freebuddy:
1382 + while (i-- > 0)
1383 + kmem_cache_free(cachep, ext4_get_group_info(sb, i));
1384 + i = sbi->s_group_info_size;
1385 ++ rcu_read_lock();
1386 ++ group_info = rcu_dereference(sbi->s_group_info);
1387 + while (i-- > 0)
1388 +- kfree(sbi->s_group_info[i]);
1389 ++ kfree(group_info[i]);
1390 ++ rcu_read_unlock();
1391 + iput(sbi->s_buddy_cache);
1392 + err_freesgi:
1393 +- kvfree(sbi->s_group_info);
1394 ++ rcu_read_lock();
1395 ++ kvfree(rcu_dereference(sbi->s_group_info));
1396 ++ rcu_read_unlock();
1397 + return -ENOMEM;
1398 + }
1399 +
1400 +@@ -2720,7 +2735,7 @@ int ext4_mb_release(struct super_block *sb)
1401 + ext4_group_t ngroups = ext4_get_groups_count(sb);
1402 + ext4_group_t i;
1403 + int num_meta_group_infos;
1404 +- struct ext4_group_info *grinfo;
1405 ++ struct ext4_group_info *grinfo, ***group_info;
1406 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1407 + struct kmem_cache *cachep = get_groupinfo_cache(sb->s_blocksize_bits);
1408 +
1409 +@@ -2738,9 +2753,12 @@ int ext4_mb_release(struct super_block *sb)
1410 + num_meta_group_infos = (ngroups +
1411 + EXT4_DESC_PER_BLOCK(sb) - 1) >>
1412 + EXT4_DESC_PER_BLOCK_BITS(sb);
1413 ++ rcu_read_lock();
1414 ++ group_info = rcu_dereference(sbi->s_group_info);
1415 + for (i = 0; i < num_meta_group_infos; i++)
1416 +- kfree(sbi->s_group_info[i]);
1417 +- kvfree(sbi->s_group_info);
1418 ++ kfree(group_info[i]);
1419 ++ kvfree(group_info);
1420 ++ rcu_read_unlock();
1421 + }
1422 + kfree(sbi->s_mb_offsets);
1423 + kfree(sbi->s_mb_maxs);
1424 +@@ -2995,7 +3013,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
1425 + ext4_group_t flex_group = ext4_flex_group(sbi,
1426 + ac->ac_b_ex.fe_group);
1427 + atomic64_sub(ac->ac_b_ex.fe_len,
1428 +- &sbi->s_flex_groups[flex_group].free_clusters);
1429 ++ &sbi_array_rcu_deref(sbi, s_flex_groups,
1430 ++ flex_group)->free_clusters);
1431 + }
1432 +
1433 + err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
1434 +@@ -4887,7 +4906,8 @@ do_more:
1435 + if (sbi->s_log_groups_per_flex) {
1436 + ext4_group_t flex_group = ext4_flex_group(sbi, block_group);
1437 + atomic64_add(count_clusters,
1438 +- &sbi->s_flex_groups[flex_group].free_clusters);
1439 ++ &sbi_array_rcu_deref(sbi, s_flex_groups,
1440 ++ flex_group)->free_clusters);
1441 + }
1442 +
1443 + if (!(flags & EXT4_FREE_BLOCKS_NO_QUOT_UPDATE))
1444 +@@ -5032,7 +5052,8 @@ int ext4_group_add_blocks(handle_t *handle, struct super_block *sb,
1445 + if (sbi->s_log_groups_per_flex) {
1446 + ext4_group_t flex_group = ext4_flex_group(sbi, block_group);
1447 + atomic64_add(EXT4_NUM_B2C(sbi, blocks_freed),
1448 +- &sbi->s_flex_groups[flex_group].free_clusters);
1449 ++ &sbi_array_rcu_deref(sbi, s_flex_groups,
1450 ++ flex_group)->free_clusters);
1451 + }
1452 +
1453 + ext4_mb_unload_buddy(&e4b);
1454 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
1455 +index 5223eb25bf59..f5b6667b0ab0 100644
1456 +--- a/fs/ext4/resize.c
1457 ++++ b/fs/ext4/resize.c
1458 +@@ -16,6 +16,33 @@
1459 +
1460 + #include "ext4_jbd2.h"
1461 +
1462 ++struct ext4_rcu_ptr {
1463 ++ struct rcu_head rcu;
1464 ++ void *ptr;
1465 ++};
1466 ++
1467 ++static void ext4_rcu_ptr_callback(struct rcu_head *head)
1468 ++{
1469 ++ struct ext4_rcu_ptr *ptr;
1470 ++
1471 ++ ptr = container_of(head, struct ext4_rcu_ptr, rcu);
1472 ++ kvfree(ptr->ptr);
1473 ++ kfree(ptr);
1474 ++}
1475 ++
1476 ++void ext4_kvfree_array_rcu(void *to_free)
1477 ++{
1478 ++ struct ext4_rcu_ptr *ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
1479 ++
1480 ++ if (ptr) {
1481 ++ ptr->ptr = to_free;
1482 ++ call_rcu(&ptr->rcu, ext4_rcu_ptr_callback);
1483 ++ return;
1484 ++ }
1485 ++ synchronize_rcu();
1486 ++ kvfree(to_free);
1487 ++}
1488 ++
1489 + int ext4_resize_begin(struct super_block *sb)
1490 + {
1491 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1492 +@@ -541,8 +568,8 @@ static int setup_new_flex_group_blocks(struct super_block *sb,
1493 + brelse(gdb);
1494 + goto out;
1495 + }
1496 +- memcpy(gdb->b_data, sbi->s_group_desc[j]->b_data,
1497 +- gdb->b_size);
1498 ++ memcpy(gdb->b_data, sbi_array_rcu_deref(sbi,
1499 ++ s_group_desc, j)->b_data, gdb->b_size);
1500 + set_buffer_uptodate(gdb);
1501 +
1502 + err = ext4_handle_dirty_metadata(handle, NULL, gdb);
1503 +@@ -849,13 +876,15 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
1504 + }
1505 + brelse(dind);
1506 +
1507 +- o_group_desc = EXT4_SB(sb)->s_group_desc;
1508 ++ rcu_read_lock();
1509 ++ o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc);
1510 + memcpy(n_group_desc, o_group_desc,
1511 + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
1512 ++ rcu_read_unlock();
1513 + n_group_desc[gdb_num] = gdb_bh;
1514 +- EXT4_SB(sb)->s_group_desc = n_group_desc;
1515 ++ rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc);
1516 + EXT4_SB(sb)->s_gdb_count++;
1517 +- kvfree(o_group_desc);
1518 ++ ext4_kvfree_array_rcu(o_group_desc);
1519 +
1520 + le16_add_cpu(&es->s_reserved_gdt_blocks, -1);
1521 + err = ext4_handle_dirty_super(handle, sb);
1522 +@@ -903,9 +932,11 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
1523 + return err;
1524 + }
1525 +
1526 +- o_group_desc = EXT4_SB(sb)->s_group_desc;
1527 ++ rcu_read_lock();
1528 ++ o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc);
1529 + memcpy(n_group_desc, o_group_desc,
1530 + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
1531 ++ rcu_read_unlock();
1532 + n_group_desc[gdb_num] = gdb_bh;
1533 +
1534 + BUFFER_TRACE(gdb_bh, "get_write_access");
1535 +@@ -916,9 +947,9 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
1536 + return err;
1537 + }
1538 +
1539 +- EXT4_SB(sb)->s_group_desc = n_group_desc;
1540 ++ rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc);
1541 + EXT4_SB(sb)->s_gdb_count++;
1542 +- kvfree(o_group_desc);
1543 ++ ext4_kvfree_array_rcu(o_group_desc);
1544 + return err;
1545 + }
1546 +
1547 +@@ -1180,7 +1211,8 @@ static int ext4_add_new_descs(handle_t *handle, struct super_block *sb,
1548 + * use non-sparse filesystems anymore. This is already checked above.
1549 + */
1550 + if (gdb_off) {
1551 +- gdb_bh = sbi->s_group_desc[gdb_num];
1552 ++ gdb_bh = sbi_array_rcu_deref(sbi, s_group_desc,
1553 ++ gdb_num);
1554 + BUFFER_TRACE(gdb_bh, "get_write_access");
1555 + err = ext4_journal_get_write_access(handle, gdb_bh);
1556 +
1557 +@@ -1262,7 +1294,7 @@ static int ext4_setup_new_descs(handle_t *handle, struct super_block *sb,
1558 + /*
1559 + * get_write_access() has been called on gdb_bh by ext4_add_new_desc().
1560 + */
1561 +- gdb_bh = sbi->s_group_desc[gdb_num];
1562 ++ gdb_bh = sbi_array_rcu_deref(sbi, s_group_desc, gdb_num);
1563 + /* Update group descriptor block for new group */
1564 + gdp = (struct ext4_group_desc *)(gdb_bh->b_data +
1565 + gdb_off * EXT4_DESC_SIZE(sb));
1566 +@@ -1390,11 +1422,14 @@ static void ext4_update_super(struct super_block *sb,
1567 + percpu_counter_read(&sbi->s_freeclusters_counter));
1568 + if (ext4_has_feature_flex_bg(sb) && sbi->s_log_groups_per_flex) {
1569 + ext4_group_t flex_group;
1570 ++ struct flex_groups *fg;
1571 ++
1572 + flex_group = ext4_flex_group(sbi, group_data[0].group);
1573 ++ fg = sbi_array_rcu_deref(sbi, s_flex_groups, flex_group);
1574 + atomic64_add(EXT4_NUM_B2C(sbi, free_blocks),
1575 +- &sbi->s_flex_groups[flex_group].free_clusters);
1576 ++ &fg->free_clusters);
1577 + atomic_add(EXT4_INODES_PER_GROUP(sb) * flex_gd->count,
1578 +- &sbi->s_flex_groups[flex_group].free_inodes);
1579 ++ &fg->free_inodes);
1580 + }
1581 +
1582 + /*
1583 +@@ -1489,7 +1524,8 @@ exit_journal:
1584 + for (; gdb_num <= gdb_num_end; gdb_num++) {
1585 + struct buffer_head *gdb_bh;
1586 +
1587 +- gdb_bh = sbi->s_group_desc[gdb_num];
1588 ++ gdb_bh = sbi_array_rcu_deref(sbi, s_group_desc,
1589 ++ gdb_num);
1590 + if (old_gdb == gdb_bh->b_blocknr)
1591 + continue;
1592 + update_backups(sb, gdb_bh->b_blocknr, gdb_bh->b_data,
1593 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1594 +index adf02b1509ca..f2e0220b00c3 100644
1595 +--- a/fs/ext4/super.c
1596 ++++ b/fs/ext4/super.c
1597 +@@ -794,6 +794,8 @@ static void ext4_put_super(struct super_block *sb)
1598 + {
1599 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1600 + struct ext4_super_block *es = sbi->s_es;
1601 ++ struct buffer_head **group_desc;
1602 ++ struct flex_groups **flex_groups;
1603 + int aborted = 0;
1604 + int i, err;
1605 +
1606 +@@ -826,10 +828,18 @@ static void ext4_put_super(struct super_block *sb)
1607 + if (!(sb->s_flags & MS_RDONLY))
1608 + ext4_commit_super(sb, 1);
1609 +
1610 ++ rcu_read_lock();
1611 ++ group_desc = rcu_dereference(sbi->s_group_desc);
1612 + for (i = 0; i < sbi->s_gdb_count; i++)
1613 +- brelse(sbi->s_group_desc[i]);
1614 +- kvfree(sbi->s_group_desc);
1615 +- kvfree(sbi->s_flex_groups);
1616 ++ brelse(group_desc[i]);
1617 ++ kvfree(group_desc);
1618 ++ flex_groups = rcu_dereference(sbi->s_flex_groups);
1619 ++ if (flex_groups) {
1620 ++ for (i = 0; i < sbi->s_flex_groups_allocated; i++)
1621 ++ kvfree(flex_groups[i]);
1622 ++ kvfree(flex_groups);
1623 ++ }
1624 ++ rcu_read_unlock();
1625 + percpu_counter_destroy(&sbi->s_freeclusters_counter);
1626 + percpu_counter_destroy(&sbi->s_freeinodes_counter);
1627 + percpu_counter_destroy(&sbi->s_dirs_counter);
1628 +@@ -1978,8 +1988,8 @@ done:
1629 + int ext4_alloc_flex_bg_array(struct super_block *sb, ext4_group_t ngroup)
1630 + {
1631 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1632 +- struct flex_groups *new_groups;
1633 +- int size;
1634 ++ struct flex_groups **old_groups, **new_groups;
1635 ++ int size, i, j;
1636 +
1637 + if (!sbi->s_log_groups_per_flex)
1638 + return 0;
1639 +@@ -1988,22 +1998,37 @@ int ext4_alloc_flex_bg_array(struct super_block *sb, ext4_group_t ngroup)
1640 + if (size <= sbi->s_flex_groups_allocated)
1641 + return 0;
1642 +
1643 +- size = roundup_pow_of_two(size * sizeof(struct flex_groups));
1644 +- new_groups = ext4_kvzalloc(size, GFP_KERNEL);
1645 ++ new_groups = ext4_kvzalloc(roundup_pow_of_two(size *
1646 ++ sizeof(*sbi->s_flex_groups)), GFP_KERNEL);
1647 + if (!new_groups) {
1648 +- ext4_msg(sb, KERN_ERR, "not enough memory for %d flex groups",
1649 +- size / (int) sizeof(struct flex_groups));
1650 ++ ext4_msg(sb, KERN_ERR,
1651 ++ "not enough memory for %d flex group pointers", size);
1652 + return -ENOMEM;
1653 + }
1654 +-
1655 +- if (sbi->s_flex_groups) {
1656 +- memcpy(new_groups, sbi->s_flex_groups,
1657 +- (sbi->s_flex_groups_allocated *
1658 +- sizeof(struct flex_groups)));
1659 +- kvfree(sbi->s_flex_groups);
1660 ++ for (i = sbi->s_flex_groups_allocated; i < size; i++) {
1661 ++ new_groups[i] = ext4_kvzalloc(roundup_pow_of_two(
1662 ++ sizeof(struct flex_groups)),
1663 ++ GFP_KERNEL);
1664 ++ if (!new_groups[i]) {
1665 ++ for (j = sbi->s_flex_groups_allocated; j < i; j++)
1666 ++ kvfree(new_groups[j]);
1667 ++ kvfree(new_groups);
1668 ++ ext4_msg(sb, KERN_ERR,
1669 ++ "not enough memory for %d flex groups", size);
1670 ++ return -ENOMEM;
1671 ++ }
1672 + }
1673 +- sbi->s_flex_groups = new_groups;
1674 +- sbi->s_flex_groups_allocated = size / sizeof(struct flex_groups);
1675 ++ rcu_read_lock();
1676 ++ old_groups = rcu_dereference(sbi->s_flex_groups);
1677 ++ if (old_groups)
1678 ++ memcpy(new_groups, old_groups,
1679 ++ (sbi->s_flex_groups_allocated *
1680 ++ sizeof(struct flex_groups *)));
1681 ++ rcu_read_unlock();
1682 ++ rcu_assign_pointer(sbi->s_flex_groups, new_groups);
1683 ++ sbi->s_flex_groups_allocated = size;
1684 ++ if (old_groups)
1685 ++ ext4_kvfree_array_rcu(old_groups);
1686 + return 0;
1687 + }
1688 +
1689 +@@ -2011,6 +2036,7 @@ static int ext4_fill_flex_info(struct super_block *sb)
1690 + {
1691 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1692 + struct ext4_group_desc *gdp = NULL;
1693 ++ struct flex_groups *fg;
1694 + ext4_group_t flex_group;
1695 + int i, err;
1696 +
1697 +@@ -2028,12 +2054,11 @@ static int ext4_fill_flex_info(struct super_block *sb)
1698 + gdp = ext4_get_group_desc(sb, i, NULL);
1699 +
1700 + flex_group = ext4_flex_group(sbi, i);
1701 +- atomic_add(ext4_free_inodes_count(sb, gdp),
1702 +- &sbi->s_flex_groups[flex_group].free_inodes);
1703 ++ fg = sbi_array_rcu_deref(sbi, s_flex_groups, flex_group);
1704 ++ atomic_add(ext4_free_inodes_count(sb, gdp), &fg->free_inodes);
1705 + atomic64_add(ext4_free_group_clusters(sb, gdp),
1706 +- &sbi->s_flex_groups[flex_group].free_clusters);
1707 +- atomic_add(ext4_used_dirs_count(sb, gdp),
1708 +- &sbi->s_flex_groups[flex_group].used_dirs);
1709 ++ &fg->free_clusters);
1710 ++ atomic_add(ext4_used_dirs_count(sb, gdp), &fg->used_dirs);
1711 + }
1712 +
1713 + return 1;
1714 +@@ -3236,9 +3261,10 @@ static void ext4_set_resv_clusters(struct super_block *sb)
1715 + static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1716 + {
1717 + char *orig_data = kstrdup(data, GFP_KERNEL);
1718 +- struct buffer_head *bh;
1719 ++ struct buffer_head *bh, **group_desc;
1720 + struct ext4_super_block *es = NULL;
1721 + struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
1722 ++ struct flex_groups **flex_groups;
1723 + ext4_fsblk_t block;
1724 + ext4_fsblk_t sb_block = get_sb_block(&data);
1725 + ext4_fsblk_t logical_sb_block;
1726 +@@ -3795,9 +3821,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1727 + goto failed_mount;
1728 + }
1729 + }
1730 +- sbi->s_group_desc = ext4_kvmalloc(db_count *
1731 ++ rcu_assign_pointer(sbi->s_group_desc,
1732 ++ ext4_kvmalloc(db_count *
1733 + sizeof(struct buffer_head *),
1734 +- GFP_KERNEL);
1735 ++ GFP_KERNEL));
1736 + if (sbi->s_group_desc == NULL) {
1737 + ext4_msg(sb, KERN_ERR, "not enough memory");
1738 + ret = -ENOMEM;
1739 +@@ -3807,14 +3834,19 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1740 + bgl_lock_init(sbi->s_blockgroup_lock);
1741 +
1742 + for (i = 0; i < db_count; i++) {
1743 ++ struct buffer_head *bh;
1744 ++
1745 + block = descriptor_loc(sb, logical_sb_block, i);
1746 +- sbi->s_group_desc[i] = sb_bread_unmovable(sb, block);
1747 +- if (!sbi->s_group_desc[i]) {
1748 ++ bh = sb_bread_unmovable(sb, block);
1749 ++ if (!bh) {
1750 + ext4_msg(sb, KERN_ERR,
1751 + "can't read group descriptor %d", i);
1752 + db_count = i;
1753 + goto failed_mount2;
1754 + }
1755 ++ rcu_read_lock();
1756 ++ rcu_dereference(sbi->s_group_desc)[i] = bh;
1757 ++ rcu_read_unlock();
1758 + }
1759 + sbi->s_gdb_count = db_count;
1760 + if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
1761 +@@ -4149,8 +4181,14 @@ failed_mount7:
1762 + ext4_unregister_li_request(sb);
1763 + failed_mount6:
1764 + ext4_mb_release(sb);
1765 +- if (sbi->s_flex_groups)
1766 +- kvfree(sbi->s_flex_groups);
1767 ++ rcu_read_lock();
1768 ++ flex_groups = rcu_dereference(sbi->s_flex_groups);
1769 ++ if (flex_groups) {
1770 ++ for (i = 0; i < sbi->s_flex_groups_allocated; i++)
1771 ++ kvfree(flex_groups[i]);
1772 ++ kvfree(flex_groups);
1773 ++ }
1774 ++ rcu_read_unlock();
1775 + percpu_counter_destroy(&sbi->s_freeclusters_counter);
1776 + percpu_counter_destroy(&sbi->s_freeinodes_counter);
1777 + percpu_counter_destroy(&sbi->s_dirs_counter);
1778 +@@ -4177,9 +4215,12 @@ failed_mount3:
1779 + if (sbi->s_mmp_tsk)
1780 + kthread_stop(sbi->s_mmp_tsk);
1781 + failed_mount2:
1782 ++ rcu_read_lock();
1783 ++ group_desc = rcu_dereference(sbi->s_group_desc);
1784 + for (i = 0; i < db_count; i++)
1785 +- brelse(sbi->s_group_desc[i]);
1786 +- kvfree(sbi->s_group_desc);
1787 ++ brelse(group_desc[i]);
1788 ++ kvfree(group_desc);
1789 ++ rcu_read_unlock();
1790 + failed_mount:
1791 + if (sbi->s_chksum_driver)
1792 + crypto_free_shash(sbi->s_chksum_driver);
1793 +diff --git a/fs/fat/inode.c b/fs/fat/inode.c
1794 +index c81cfb79a339..5e87b9aa7ba6 100644
1795 +--- a/fs/fat/inode.c
1796 ++++ b/fs/fat/inode.c
1797 +@@ -653,6 +653,13 @@ static struct inode *fat_alloc_inode(struct super_block *sb)
1798 + return NULL;
1799 +
1800 + init_rwsem(&ei->truncate_lock);
1801 ++ /* Zeroing to allow iput() even if partial initialized inode. */
1802 ++ ei->mmu_private = 0;
1803 ++ ei->i_start = 0;
1804 ++ ei->i_logstart = 0;
1805 ++ ei->i_attrs = 0;
1806 ++ ei->i_pos = 0;
1807 ++
1808 + return &ei->vfs_inode;
1809 + }
1810 +
1811 +@@ -1276,16 +1283,6 @@ out:
1812 + return 0;
1813 + }
1814 +
1815 +-static void fat_dummy_inode_init(struct inode *inode)
1816 +-{
1817 +- /* Initialize this dummy inode to work as no-op. */
1818 +- MSDOS_I(inode)->mmu_private = 0;
1819 +- MSDOS_I(inode)->i_start = 0;
1820 +- MSDOS_I(inode)->i_logstart = 0;
1821 +- MSDOS_I(inode)->i_attrs = 0;
1822 +- MSDOS_I(inode)->i_pos = 0;
1823 +-}
1824 +-
1825 + static int fat_read_root(struct inode *inode)
1826 + {
1827 + struct msdos_sb_info *sbi = MSDOS_SB(inode->i_sb);
1828 +@@ -1730,13 +1727,11 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat,
1829 + fat_inode = new_inode(sb);
1830 + if (!fat_inode)
1831 + goto out_fail;
1832 +- fat_dummy_inode_init(fat_inode);
1833 + sbi->fat_inode = fat_inode;
1834 +
1835 + fsinfo_inode = new_inode(sb);
1836 + if (!fsinfo_inode)
1837 + goto out_fail;
1838 +- fat_dummy_inode_init(fsinfo_inode);
1839 + fsinfo_inode->i_ino = MSDOS_FSINFO_INO;
1840 + sbi->fsinfo_inode = fsinfo_inode;
1841 + insert_inode_hash(fsinfo_inode);
1842 +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
1843 +index f5d2d2340b44..16891f5364af 100644
1844 +--- a/fs/fuse/dev.c
1845 ++++ b/fs/fuse/dev.c
1846 +@@ -2031,10 +2031,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
1847 + rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
1848 +
1849 + ret = -EINVAL;
1850 +- if (rem < len) {
1851 +- pipe_unlock(pipe);
1852 +- goto out;
1853 +- }
1854 ++ if (rem < len)
1855 ++ goto out_free;
1856 +
1857 + rem = len;
1858 + while (rem) {
1859 +@@ -2052,7 +2050,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
1860 + pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
1861 + pipe->nrbufs--;
1862 + } else {
1863 +- ibuf->ops->get(pipe, ibuf);
1864 ++ if (!pipe_buf_get(pipe, ibuf))
1865 ++ goto out_free;
1866 ++
1867 + *obuf = *ibuf;
1868 + obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1869 + obuf->len = rem;
1870 +@@ -2075,13 +2075,13 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
1871 + ret = fuse_dev_do_write(fud, &cs, len);
1872 +
1873 + pipe_lock(pipe);
1874 ++out_free:
1875 + for (idx = 0; idx < nbuf; idx++) {
1876 + struct pipe_buffer *buf = &bufs[idx];
1877 + buf->ops->release(pipe, buf);
1878 + }
1879 + pipe_unlock(pipe);
1880 +
1881 +-out:
1882 + kfree(bufs);
1883 + return ret;
1884 + }
1885 +diff --git a/fs/namei.c b/fs/namei.c
1886 +index 9f1aae507909..4a2b9371e00e 100644
1887 +--- a/fs/namei.c
1888 ++++ b/fs/namei.c
1889 +@@ -1358,7 +1358,7 @@ static int follow_dotdot_rcu(struct nameidata *nd)
1890 + nd->path.dentry = parent;
1891 + nd->seq = seq;
1892 + if (unlikely(!path_connected(&nd->path)))
1893 +- return -ENOENT;
1894 ++ return -ECHILD;
1895 + break;
1896 + } else {
1897 + struct mount *mnt = real_mount(nd->path.mnt);
1898 +diff --git a/fs/pipe.c b/fs/pipe.c
1899 +index 1e7263bb837a..6534470a6c19 100644
1900 +--- a/fs/pipe.c
1901 ++++ b/fs/pipe.c
1902 +@@ -178,9 +178,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
1903 + * in the tee() system call, when we duplicate the buffers in one
1904 + * pipe into another.
1905 + */
1906 +-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
1907 ++bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
1908 + {
1909 +- page_cache_get(buf->page);
1910 ++ return try_get_page(buf->page);
1911 + }
1912 + EXPORT_SYMBOL(generic_pipe_buf_get);
1913 +
1914 +diff --git a/fs/splice.c b/fs/splice.c
1915 +index 8398974e1538..57ccc583a172 100644
1916 +--- a/fs/splice.c
1917 ++++ b/fs/splice.c
1918 +@@ -1876,7 +1876,11 @@ retry:
1919 + * Get a reference to this pipe buffer,
1920 + * so we can copy the contents over.
1921 + */
1922 +- ibuf->ops->get(ipipe, ibuf);
1923 ++ if (!pipe_buf_get(ipipe, ibuf)) {
1924 ++ if (ret == 0)
1925 ++ ret = -EFAULT;
1926 ++ break;
1927 ++ }
1928 + *obuf = *ibuf;
1929 +
1930 + /*
1931 +@@ -1948,7 +1952,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
1932 + * Get a reference to this pipe buffer,
1933 + * so we can copy the contents over.
1934 + */
1935 +- ibuf->ops->get(ipipe, ibuf);
1936 ++ if (!pipe_buf_get(ipipe, ibuf)) {
1937 ++ if (ret == 0)
1938 ++ ret = -EFAULT;
1939 ++ break;
1940 ++ }
1941 +
1942 + obuf = opipe->bufs + nbuf;
1943 + *obuf = *ibuf;
1944 +diff --git a/include/linux/bitops.h b/include/linux/bitops.h
1945 +index 83edade218fa..ce2bb045b3fd 100644
1946 +--- a/include/linux/bitops.h
1947 ++++ b/include/linux/bitops.h
1948 +@@ -3,7 +3,8 @@
1949 + #include <asm/types.h>
1950 + #include <linux/bits.h>
1951 +
1952 +-#define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long))
1953 ++#define BITS_PER_TYPE(type) (sizeof(type) * BITS_PER_BYTE)
1954 ++#define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_TYPE(long))
1955 +
1956 + extern unsigned int __sw_hweight8(unsigned int w);
1957 + extern unsigned int __sw_hweight16(unsigned int w);
1958 +diff --git a/include/linux/hid.h b/include/linux/hid.h
1959 +index 5f3131885136..2149f650982e 100644
1960 +--- a/include/linux/hid.h
1961 ++++ b/include/linux/hid.h
1962 +@@ -451,7 +451,7 @@ struct hid_report_enum {
1963 + };
1964 +
1965 + #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */
1966 +-#define HID_MAX_BUFFER_SIZE 4096 /* 4kb */
1967 ++#define HID_MAX_BUFFER_SIZE 8192 /* 8kb */
1968 + #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */
1969 + #define HID_OUTPUT_FIFO_SIZE 64
1970 +
1971 +diff --git a/include/linux/mm.h b/include/linux/mm.h
1972 +index 15f81b2b87ed..69fa3df9e712 100644
1973 +--- a/include/linux/mm.h
1974 ++++ b/include/linux/mm.h
1975 +@@ -488,6 +488,15 @@ static inline void get_huge_page_tail(struct page *page)
1976 +
1977 + extern bool __get_page_tail(struct page *page);
1978 +
1979 ++static inline int page_ref_count(struct page *page)
1980 ++{
1981 ++ return atomic_read(&page->_count);
1982 ++}
1983 ++
1984 ++/* 127: arbitrary random number, small enough to assemble well */
1985 ++#define page_ref_zero_or_close_to_overflow(page) \
1986 ++ ((unsigned int) atomic_read(&page->_count) + 127u <= 127u)
1987 ++
1988 + static inline void get_page(struct page *page)
1989 + {
1990 + if (unlikely(PageTail(page)))
1991 +@@ -497,10 +506,22 @@ static inline void get_page(struct page *page)
1992 + * Getting a normal page or the head of a compound page
1993 + * requires to already have an elevated page->_count.
1994 + */
1995 +- VM_BUG_ON_PAGE(atomic_read(&page->_count) <= 0, page);
1996 ++ VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page);
1997 + atomic_inc(&page->_count);
1998 + }
1999 +
2000 ++static inline __must_check bool try_get_page(struct page *page)
2001 ++{
2002 ++ if (unlikely(PageTail(page)))
2003 ++ if (likely(__get_page_tail(page)))
2004 ++ return true;
2005 ++
2006 ++ if (WARN_ON_ONCE(atomic_read(&page->_count) <= 0))
2007 ++ return false;
2008 ++ atomic_inc(&page->_count);
2009 ++ return true;
2010 ++}
2011 ++
2012 + static inline struct page *virt_to_head_page(const void *x)
2013 + {
2014 + struct page *page = virt_to_page(x);
2015 +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
2016 +index 24f5470d3944..0b28b65c12fb 100644
2017 +--- a/include/linux/pipe_fs_i.h
2018 ++++ b/include/linux/pipe_fs_i.h
2019 +@@ -112,9 +112,22 @@ struct pipe_buf_operations {
2020 + /*
2021 + * Get a reference to the pipe buffer.
2022 + */
2023 +- void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
2024 ++ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
2025 + };
2026 +
2027 ++/**
2028 ++ * pipe_buf_get - get a reference to a pipe_buffer
2029 ++ * @pipe: the pipe that the buffer belongs to
2030 ++ * @buf: the buffer to get a reference to
2031 ++ *
2032 ++ * Return: %true if the reference was successfully obtained.
2033 ++ */
2034 ++static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
2035 ++ struct pipe_buffer *buf)
2036 ++{
2037 ++ return buf->ops->get(pipe, buf);
2038 ++}
2039 ++
2040 + /* Differs from PIPE_BUF in that PIPE_SIZE is the length of the actual
2041 + memory allocation, whereas PIPE_BUF makes atomicity guarantees. */
2042 + #define PIPE_SIZE PAGE_SIZE
2043 +@@ -137,7 +150,7 @@ struct pipe_inode_info *alloc_pipe_info(void);
2044 + void free_pipe_info(struct pipe_inode_info *);
2045 +
2046 + /* Generic pipe buffer ops functions */
2047 +-void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
2048 ++bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
2049 + int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
2050 + int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
2051 + void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
2052 +diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
2053 +index 62a462413081..a5a1a1650668 100644
2054 +--- a/include/net/flow_dissector.h
2055 ++++ b/include/net/flow_dissector.h
2056 +@@ -4,6 +4,7 @@
2057 + #include <linux/types.h>
2058 + #include <linux/in6.h>
2059 + #include <linux/siphash.h>
2060 ++#include <linux/string.h>
2061 + #include <uapi/linux/if_ether.h>
2062 +
2063 + /**
2064 +@@ -185,4 +186,12 @@ static inline bool flow_keys_have_l4(struct flow_keys *keys)
2065 +
2066 + u32 flow_hash_from_keys(struct flow_keys *keys);
2067 +
2068 ++static inline void
2069 ++flow_dissector_init_keys(struct flow_dissector_key_control *key_control,
2070 ++ struct flow_dissector_key_basic *key_basic)
2071 ++{
2072 ++ memset(key_control, 0, sizeof(*key_control));
2073 ++ memset(key_basic, 0, sizeof(*key_basic));
2074 ++}
2075 ++
2076 + #endif
2077 +diff --git a/kernel/audit.c b/kernel/audit.c
2078 +index bdf0cf463815..84c445db5fe1 100644
2079 +--- a/kernel/audit.c
2080 ++++ b/kernel/audit.c
2081 +@@ -753,13 +753,11 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
2082 + audit_log_end(ab);
2083 + }
2084 +
2085 +-static int audit_set_feature(struct sk_buff *skb)
2086 ++static int audit_set_feature(struct audit_features *uaf)
2087 + {
2088 +- struct audit_features *uaf;
2089 + int i;
2090 +
2091 + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
2092 +- uaf = nlmsg_data(nlmsg_hdr(skb));
2093 +
2094 + /* if there is ever a version 2 we should handle that here */
2095 +
2096 +@@ -815,6 +813,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2097 + {
2098 + u32 seq;
2099 + void *data;
2100 ++ int data_len;
2101 + int err;
2102 + struct audit_buffer *ab;
2103 + u16 msg_type = nlh->nlmsg_type;
2104 +@@ -838,6 +837,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2105 + }
2106 + seq = nlh->nlmsg_seq;
2107 + data = nlmsg_data(nlh);
2108 ++ data_len = nlmsg_len(nlh);
2109 +
2110 + switch (msg_type) {
2111 + case AUDIT_GET: {
2112 +@@ -859,7 +859,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2113 + struct audit_status s;
2114 + memset(&s, 0, sizeof(s));
2115 + /* guard against past and future API changes */
2116 +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
2117 ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
2118 + if (s.mask & AUDIT_STATUS_ENABLED) {
2119 + err = audit_set_enabled(s.enabled);
2120 + if (err < 0)
2121 +@@ -908,7 +908,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2122 + return err;
2123 + break;
2124 + case AUDIT_SET_FEATURE:
2125 +- err = audit_set_feature(skb);
2126 ++ if (data_len < sizeof(struct audit_features))
2127 ++ return -EINVAL;
2128 ++ err = audit_set_feature(data);
2129 + if (err)
2130 + return err;
2131 + break;
2132 +@@ -920,6 +922,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2133 +
2134 + err = audit_filter_user(msg_type);
2135 + if (err == 1) { /* match or error */
2136 ++ char *str = data;
2137 ++
2138 + err = 0;
2139 + if (msg_type == AUDIT_USER_TTY) {
2140 + err = tty_audit_push_current();
2141 +@@ -928,19 +932,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2142 + }
2143 + mutex_unlock(&audit_cmd_mutex);
2144 + audit_log_common_recv_msg(&ab, msg_type);
2145 +- if (msg_type != AUDIT_USER_TTY)
2146 ++ if (msg_type != AUDIT_USER_TTY) {
2147 ++ /* ensure NULL termination */
2148 ++ str[data_len - 1] = '\0';
2149 + audit_log_format(ab, " msg='%.*s'",
2150 + AUDIT_MESSAGE_TEXT_MAX,
2151 +- (char *)data);
2152 +- else {
2153 +- int size;
2154 +-
2155 ++ str);
2156 ++ } else {
2157 + audit_log_format(ab, " data=");
2158 +- size = nlmsg_len(nlh);
2159 +- if (size > 0 &&
2160 +- ((unsigned char *)data)[size - 1] == '\0')
2161 +- size--;
2162 +- audit_log_n_untrustedstring(ab, data, size);
2163 ++ if (data_len > 0 && str[data_len - 1] == '\0')
2164 ++ data_len--;
2165 ++ audit_log_n_untrustedstring(ab, str, data_len);
2166 + }
2167 + audit_set_portid(ab, NETLINK_CB(skb).portid);
2168 + audit_log_end(ab);
2169 +@@ -949,7 +951,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2170 + break;
2171 + case AUDIT_ADD_RULE:
2172 + case AUDIT_DEL_RULE:
2173 +- if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
2174 ++ if (data_len < sizeof(struct audit_rule_data))
2175 + return -EINVAL;
2176 + if (audit_enabled == AUDIT_LOCKED) {
2177 + audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
2178 +@@ -958,7 +960,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2179 + return -EPERM;
2180 + }
2181 + err = audit_rule_change(msg_type, NETLINK_CB(skb).portid,
2182 +- seq, data, nlmsg_len(nlh));
2183 ++ seq, data, data_len);
2184 + break;
2185 + case AUDIT_LIST_RULES:
2186 + err = audit_list_rules_send(skb, seq);
2187 +@@ -972,7 +974,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2188 + case AUDIT_MAKE_EQUIV: {
2189 + void *bufp = data;
2190 + u32 sizes[2];
2191 +- size_t msglen = nlmsg_len(nlh);
2192 ++ size_t msglen = data_len;
2193 + char *old, *new;
2194 +
2195 + err = -EINVAL;
2196 +@@ -1049,7 +1051,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2197 +
2198 + memset(&s, 0, sizeof(s));
2199 + /* guard against past and future API changes */
2200 +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
2201 ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
2202 + /* check if new data is valid */
2203 + if ((s.enabled != 0 && s.enabled != 1) ||
2204 + (s.log_passwd != 0 && s.log_passwd != 1))
2205 +diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
2206 +index cf7aa656b308..41a668a9d561 100644
2207 +--- a/kernel/auditfilter.c
2208 ++++ b/kernel/auditfilter.c
2209 +@@ -434,6 +434,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
2210 + bufp = data->buf;
2211 + for (i = 0; i < data->field_count; i++) {
2212 + struct audit_field *f = &entry->rule.fields[i];
2213 ++ u32 f_val;
2214 +
2215 + err = -EINVAL;
2216 +
2217 +@@ -442,12 +443,12 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
2218 + goto exit_free;
2219 +
2220 + f->type = data->fields[i];
2221 +- f->val = data->values[i];
2222 ++ f_val = data->values[i];
2223 +
2224 + /* Support legacy tests for a valid loginuid */
2225 +- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
2226 ++ if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) {
2227 + f->type = AUDIT_LOGINUID_SET;
2228 +- f->val = 0;
2229 ++ f_val = 0;
2230 + entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
2231 + }
2232 +
2233 +@@ -463,7 +464,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
2234 + case AUDIT_SUID:
2235 + case AUDIT_FSUID:
2236 + case AUDIT_OBJ_UID:
2237 +- f->uid = make_kuid(current_user_ns(), f->val);
2238 ++ f->uid = make_kuid(current_user_ns(), f_val);
2239 + if (!uid_valid(f->uid))
2240 + goto exit_free;
2241 + break;
2242 +@@ -472,11 +473,12 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
2243 + case AUDIT_SGID:
2244 + case AUDIT_FSGID:
2245 + case AUDIT_OBJ_GID:
2246 +- f->gid = make_kgid(current_user_ns(), f->val);
2247 ++ f->gid = make_kgid(current_user_ns(), f_val);
2248 + if (!gid_valid(f->gid))
2249 + goto exit_free;
2250 + break;
2251 + case AUDIT_ARCH:
2252 ++ f->val = f_val;
2253 + entry->rule.arch_f = f;
2254 + break;
2255 + case AUDIT_SUBJ_USER:
2256 +@@ -489,11 +491,13 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
2257 + case AUDIT_OBJ_TYPE:
2258 + case AUDIT_OBJ_LEV_LOW:
2259 + case AUDIT_OBJ_LEV_HIGH:
2260 +- str = audit_unpack_string(&bufp, &remain, f->val);
2261 +- if (IS_ERR(str))
2262 ++ str = audit_unpack_string(&bufp, &remain, f_val);
2263 ++ if (IS_ERR(str)) {
2264 ++ err = PTR_ERR(str);
2265 + goto exit_free;
2266 +- entry->rule.buflen += f->val;
2267 +-
2268 ++ }
2269 ++ entry->rule.buflen += f_val;
2270 ++ f->lsm_str = str;
2271 + err = security_audit_rule_init(f->type, f->op, str,
2272 + (void **)&f->lsm_rule);
2273 + /* Keep currently invalid fields around in case they
2274 +@@ -502,68 +506,71 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
2275 + pr_warn("audit rule for LSM \'%s\' is invalid\n",
2276 + str);
2277 + err = 0;
2278 +- }
2279 +- if (err) {
2280 +- kfree(str);
2281 ++ } else if (err)
2282 + goto exit_free;
2283 +- } else
2284 +- f->lsm_str = str;
2285 + break;
2286 + case AUDIT_WATCH:
2287 +- str = audit_unpack_string(&bufp, &remain, f->val);
2288 +- if (IS_ERR(str))
2289 ++ str = audit_unpack_string(&bufp, &remain, f_val);
2290 ++ if (IS_ERR(str)) {
2291 ++ err = PTR_ERR(str);
2292 + goto exit_free;
2293 +- entry->rule.buflen += f->val;
2294 +-
2295 +- err = audit_to_watch(&entry->rule, str, f->val, f->op);
2296 ++ }
2297 ++ err = audit_to_watch(&entry->rule, str, f_val, f->op);
2298 + if (err) {
2299 + kfree(str);
2300 + goto exit_free;
2301 + }
2302 ++ entry->rule.buflen += f_val;
2303 + break;
2304 + case AUDIT_DIR:
2305 +- str = audit_unpack_string(&bufp, &remain, f->val);
2306 +- if (IS_ERR(str))
2307 ++ str = audit_unpack_string(&bufp, &remain, f_val);
2308 ++ if (IS_ERR(str)) {
2309 ++ err = PTR_ERR(str);
2310 + goto exit_free;
2311 +- entry->rule.buflen += f->val;
2312 +-
2313 ++ }
2314 + err = audit_make_tree(&entry->rule, str, f->op);
2315 + kfree(str);
2316 + if (err)
2317 + goto exit_free;
2318 ++ entry->rule.buflen += f_val;
2319 + break;
2320 + case AUDIT_INODE:
2321 ++ f->val = f_val;
2322 + err = audit_to_inode(&entry->rule, f);
2323 + if (err)
2324 + goto exit_free;
2325 + break;
2326 + case AUDIT_FILTERKEY:
2327 +- if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
2328 ++ if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN)
2329 + goto exit_free;
2330 +- str = audit_unpack_string(&bufp, &remain, f->val);
2331 +- if (IS_ERR(str))
2332 ++ str = audit_unpack_string(&bufp, &remain, f_val);
2333 ++ if (IS_ERR(str)) {
2334 ++ err = PTR_ERR(str);
2335 + goto exit_free;
2336 +- entry->rule.buflen += f->val;
2337 ++ }
2338 ++ entry->rule.buflen += f_val;
2339 + entry->rule.filterkey = str;
2340 + break;
2341 + case AUDIT_EXE:
2342 +- if (entry->rule.exe || f->val > PATH_MAX)
2343 ++ if (entry->rule.exe || f_val > PATH_MAX)
2344 + goto exit_free;
2345 +- str = audit_unpack_string(&bufp, &remain, f->val);
2346 ++ str = audit_unpack_string(&bufp, &remain, f_val);
2347 + if (IS_ERR(str)) {
2348 + err = PTR_ERR(str);
2349 + goto exit_free;
2350 + }
2351 +- entry->rule.buflen += f->val;
2352 +-
2353 +- audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
2354 ++ audit_mark = audit_alloc_mark(&entry->rule, str, f_val);
2355 + if (IS_ERR(audit_mark)) {
2356 + kfree(str);
2357 + err = PTR_ERR(audit_mark);
2358 + goto exit_free;
2359 + }
2360 ++ entry->rule.buflen += f_val;
2361 + entry->rule.exe = audit_mark;
2362 + break;
2363 ++ default:
2364 ++ f->val = f_val;
2365 ++ break;
2366 + }
2367 + }
2368 +
2369 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
2370 +index 6176dc89b32c..06efd18bf3e3 100644
2371 +--- a/kernel/trace/trace.c
2372 ++++ b/kernel/trace/trace.c
2373 +@@ -5749,12 +5749,16 @@ static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,
2374 + buf->private = 0;
2375 + }
2376 +
2377 +-static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
2378 ++static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe,
2379 + struct pipe_buffer *buf)
2380 + {
2381 + struct buffer_ref *ref = (struct buffer_ref *)buf->private;
2382 +
2383 ++ if (ref->ref > INT_MAX/2)
2384 ++ return false;
2385 ++
2386 + ref->ref++;
2387 ++ return true;
2388 + }
2389 +
2390 + /* Pipe buffer operations for a buffer. */
2391 +diff --git a/mm/gup.c b/mm/gup.c
2392 +index 2cd3b31e3666..4c5857889e9d 100644
2393 +--- a/mm/gup.c
2394 ++++ b/mm/gup.c
2395 +@@ -126,8 +126,12 @@ retry:
2396 + }
2397 + }
2398 +
2399 +- if (flags & FOLL_GET)
2400 +- get_page_foll(page);
2401 ++ if (flags & FOLL_GET) {
2402 ++ if (unlikely(!try_get_page_foll(page))) {
2403 ++ page = ERR_PTR(-ENOMEM);
2404 ++ goto out;
2405 ++ }
2406 ++ }
2407 + if (flags & FOLL_TOUCH) {
2408 + if ((flags & FOLL_WRITE) &&
2409 + !pte_dirty(pte) && !PageDirty(page))
2410 +@@ -289,7 +293,10 @@ static int get_gate_page(struct mm_struct *mm, unsigned long address,
2411 + goto unmap;
2412 + *page = pte_page(*pte);
2413 + }
2414 +- get_page(*page);
2415 ++ if (unlikely(!try_get_page(*page))) {
2416 ++ ret = -ENOMEM;
2417 ++ goto unmap;
2418 ++ }
2419 + out:
2420 + ret = 0;
2421 + unmap:
2422 +@@ -1053,6 +1060,20 @@ struct page *get_dump_page(unsigned long addr)
2423 + */
2424 + #ifdef CONFIG_HAVE_GENERIC_RCU_GUP
2425 +
2426 ++/*
2427 ++ * Return the compund head page with ref appropriately incremented,
2428 ++ * or NULL if that failed.
2429 ++ */
2430 ++static inline struct page *try_get_compound_head(struct page *page, int refs)
2431 ++{
2432 ++ struct page *head = compound_head(page);
2433 ++ if (WARN_ON_ONCE(atomic_read(&head->_count) < 0))
2434 ++ return NULL;
2435 ++ if (unlikely(!page_cache_add_speculative(head, refs)))
2436 ++ return NULL;
2437 ++ return head;
2438 ++}
2439 ++
2440 + #ifdef __HAVE_ARCH_PTE_SPECIAL
2441 + static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
2442 + int write, struct page **pages, int *nr)
2443 +@@ -1083,6 +1104,9 @@ static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
2444 + VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
2445 + page = pte_page(pte);
2446 +
2447 ++ if (WARN_ON_ONCE(page_ref_count(page) < 0))
2448 ++ goto pte_unmap;
2449 ++
2450 + if (!page_cache_get_speculative(page))
2451 + goto pte_unmap;
2452 +
2453 +@@ -1130,18 +1154,17 @@ static int gup_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
2454 + return 0;
2455 +
2456 + refs = 0;
2457 +- head = pmd_page(orig);
2458 +- page = head + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
2459 ++ page = pmd_page(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
2460 + tail = page;
2461 + do {
2462 +- VM_BUG_ON_PAGE(compound_head(page) != head, page);
2463 + pages[*nr] = page;
2464 + (*nr)++;
2465 + page++;
2466 + refs++;
2467 + } while (addr += PAGE_SIZE, addr != end);
2468 +
2469 +- if (!page_cache_add_speculative(head, refs)) {
2470 ++ head = try_get_compound_head(pmd_page(orig), refs);
2471 ++ if (!head) {
2472 + *nr -= refs;
2473 + return 0;
2474 + }
2475 +@@ -1177,18 +1200,17 @@ static int gup_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
2476 + return 0;
2477 +
2478 + refs = 0;
2479 +- head = pud_page(orig);
2480 +- page = head + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
2481 ++ page = pud_page(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
2482 + tail = page;
2483 + do {
2484 +- VM_BUG_ON_PAGE(compound_head(page) != head, page);
2485 + pages[*nr] = page;
2486 + (*nr)++;
2487 + page++;
2488 + refs++;
2489 + } while (addr += PAGE_SIZE, addr != end);
2490 +
2491 +- if (!page_cache_add_speculative(head, refs)) {
2492 ++ head = try_get_compound_head(pud_page(orig), refs);
2493 ++ if (!head) {
2494 + *nr -= refs;
2495 + return 0;
2496 + }
2497 +@@ -1220,18 +1242,17 @@ static int gup_huge_pgd(pgd_t orig, pgd_t *pgdp, unsigned long addr,
2498 + return 0;
2499 +
2500 + refs = 0;
2501 +- head = pgd_page(orig);
2502 +- page = head + ((addr & ~PGDIR_MASK) >> PAGE_SHIFT);
2503 ++ page = pgd_page(orig) + ((addr & ~PGDIR_MASK) >> PAGE_SHIFT);
2504 + tail = page;
2505 + do {
2506 +- VM_BUG_ON_PAGE(compound_head(page) != head, page);
2507 + pages[*nr] = page;
2508 + (*nr)++;
2509 + page++;
2510 + refs++;
2511 + } while (addr += PAGE_SIZE, addr != end);
2512 +
2513 +- if (!page_cache_add_speculative(head, refs)) {
2514 ++ head = try_get_compound_head(pgd_page(orig), refs);
2515 ++ if (!head) {
2516 + *nr -= refs;
2517 + return 0;
2518 + }
2519 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
2520 +index fd932e7a25dd..3a1501e85483 100644
2521 +--- a/mm/hugetlb.c
2522 ++++ b/mm/hugetlb.c
2523 +@@ -3886,6 +3886,7 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma,
2524 + unsigned long vaddr = *position;
2525 + unsigned long remainder = *nr_pages;
2526 + struct hstate *h = hstate_vma(vma);
2527 ++ int err = -EFAULT;
2528 +
2529 + while (vaddr < vma->vm_end && remainder) {
2530 + pte_t *pte;
2531 +@@ -3957,6 +3958,19 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma,
2532 +
2533 + pfn_offset = (vaddr & ~huge_page_mask(h)) >> PAGE_SHIFT;
2534 + page = pte_page(huge_ptep_get(pte));
2535 ++
2536 ++ /*
2537 ++ * Instead of doing 'try_get_page_foll()' below in the same_page
2538 ++ * loop, just check the count once here.
2539 ++ */
2540 ++ if (unlikely(page_count(page) <= 0)) {
2541 ++ if (pages) {
2542 ++ spin_unlock(ptl);
2543 ++ remainder = 0;
2544 ++ err = -ENOMEM;
2545 ++ break;
2546 ++ }
2547 ++ }
2548 + same_page:
2549 + if (pages) {
2550 + pages[i] = mem_map_offset(page, pfn_offset);
2551 +@@ -3983,7 +3997,7 @@ same_page:
2552 + *nr_pages = remainder;
2553 + *position = vaddr;
2554 +
2555 +- return i ? i : -EFAULT;
2556 ++ return i ? i : err;
2557 + }
2558 +
2559 + unsigned long hugetlb_change_protection(struct vm_area_struct *vma,
2560 +diff --git a/mm/internal.h b/mm/internal.h
2561 +index f63f4393d633..d83afc995a49 100644
2562 +--- a/mm/internal.h
2563 ++++ b/mm/internal.h
2564 +@@ -81,7 +81,8 @@ static inline void __get_page_tail_foll(struct page *page,
2565 + * speculative page access (like in
2566 + * page_cache_get_speculative()) on tail pages.
2567 + */
2568 +- VM_BUG_ON_PAGE(atomic_read(&compound_head(page)->_count) <= 0, page);
2569 ++ VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(compound_head(page)),
2570 ++ page);
2571 + if (get_page_head)
2572 + atomic_inc(&compound_head(page)->_count);
2573 + get_huge_page_tail(page);
2574 +@@ -106,11 +107,34 @@ static inline void get_page_foll(struct page *page)
2575 + * Getting a normal page or the head of a compound page
2576 + * requires to already have an elevated page->_count.
2577 + */
2578 +- VM_BUG_ON_PAGE(atomic_read(&page->_count) <= 0, page);
2579 ++ VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page);
2580 + atomic_inc(&page->_count);
2581 + }
2582 + }
2583 +
2584 ++static inline __must_check bool try_get_page_foll(struct page *page)
2585 ++{
2586 ++ if (unlikely(PageTail(page))) {
2587 ++ if (WARN_ON_ONCE(atomic_read(&compound_head(page)->_count) <= 0))
2588 ++ return false;
2589 ++ /*
2590 ++ * This is safe only because
2591 ++ * __split_huge_page_refcount() can't run under
2592 ++ * get_page_foll() because we hold the proper PT lock.
2593 ++ */
2594 ++ __get_page_tail_foll(page, true);
2595 ++ } else {
2596 ++ /*
2597 ++ * Getting a normal page or the head of a compound page
2598 ++ * requires to already have an elevated page->_count.
2599 ++ */
2600 ++ if (WARN_ON_ONCE(atomic_read(&page->_count) <= 0))
2601 ++ return false;
2602 ++ atomic_inc(&page->_count);
2603 ++ }
2604 ++ return true;
2605 ++}
2606 ++
2607 + extern unsigned long highest_memmap_pfn;
2608 +
2609 + /*
2610 +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
2611 +index 365de66436ac..2fd4aae8f285 100644
2612 +--- a/net/core/fib_rules.c
2613 ++++ b/net/core/fib_rules.c
2614 +@@ -570,7 +570,7 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
2615 +
2616 + frh = nlmsg_data(nlh);
2617 + frh->family = ops->family;
2618 +- frh->table = rule->table;
2619 ++ frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT;
2620 + if (nla_put_u32(skb, FRA_TABLE, rule->table))
2621 + goto nla_put_failure;
2622 + if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen))
2623 +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
2624 +index c23e02a7ccb0..30eb8bdcdbda 100644
2625 +--- a/net/ipv6/ip6_fib.c
2626 ++++ b/net/ipv6/ip6_fib.c
2627 +@@ -780,8 +780,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
2628 + found++;
2629 + break;
2630 + }
2631 +- if (rt_can_ecmp)
2632 +- fallback_ins = fallback_ins ?: ins;
2633 ++ fallback_ins = fallback_ins ?: ins;
2634 + goto next_iter;
2635 + }
2636 +
2637 +@@ -821,7 +820,9 @@ next_iter:
2638 + }
2639 +
2640 + if (fallback_ins && !found) {
2641 +- /* No ECMP-able route found, replace first non-ECMP one */
2642 ++ /* No matching route with same ecmp-able-ness found, replace
2643 ++ * first matching route
2644 ++ */
2645 + ins = fallback_ins;
2646 + iter = *ins;
2647 + found++;
2648 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
2649 +index fffd2ad28942..63a7d31fa9f0 100644
2650 +--- a/net/ipv6/route.c
2651 ++++ b/net/ipv6/route.c
2652 +@@ -2953,6 +2953,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg)
2653 + */
2654 + cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
2655 + NLM_F_REPLACE);
2656 ++ cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE;
2657 + nhn++;
2658 + }
2659 +
2660 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c
2661 +index 2214c77d4172..4301a92fc160 100644
2662 +--- a/net/mac80211/util.c
2663 ++++ b/net/mac80211/util.c
2664 +@@ -939,16 +939,22 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
2665 + elem_parse_failed = true;
2666 + break;
2667 + case WLAN_EID_VHT_OPERATION:
2668 +- if (elen >= sizeof(struct ieee80211_vht_operation))
2669 ++ if (elen >= sizeof(struct ieee80211_vht_operation)) {
2670 + elems->vht_operation = (void *)pos;
2671 +- else
2672 +- elem_parse_failed = true;
2673 ++ if (calc_crc)
2674 ++ crc = crc32_be(crc, pos - 2, elen + 2);
2675 ++ break;
2676 ++ }
2677 ++ elem_parse_failed = true;
2678 + break;
2679 + case WLAN_EID_OPMODE_NOTIF:
2680 +- if (elen > 0)
2681 ++ if (elen > 0) {
2682 + elems->opmode_notif = pos;
2683 +- else
2684 +- elem_parse_failed = true;
2685 ++ if (calc_crc)
2686 ++ crc = crc32_be(crc, pos - 2, elen + 2);
2687 ++ break;
2688 ++ }
2689 ++ elem_parse_failed = true;
2690 + break;
2691 + case WLAN_EID_MESH_ID:
2692 + elems->mesh_id = pos;
2693 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
2694 +index bf292010760a..cc37a219e11e 100644
2695 +--- a/net/netlink/af_netlink.c
2696 ++++ b/net/netlink/af_netlink.c
2697 +@@ -1003,7 +1003,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
2698 + if (nlk->netlink_bind && groups) {
2699 + int group;
2700 +
2701 +- for (group = 0; group < nlk->ngroups; group++) {
2702 ++ /* nl_groups is a u32, so cap the maximum groups we can bind */
2703 ++ for (group = 0; group < BITS_PER_TYPE(u32); group++) {
2704 + if (!test_bit(group, &groups))
2705 + continue;
2706 + err = nlk->netlink_bind(net, group + 1);
2707 +@@ -1022,7 +1023,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
2708 + netlink_insert(sk, nladdr->nl_pid) :
2709 + netlink_autobind(sock);
2710 + if (err) {
2711 +- netlink_undo_bind(nlk->ngroups, groups, sk);
2712 ++ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);
2713 + return err;
2714 + }
2715 + }
2716 +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
2717 +index e5a58c82728a..5ab8205f988b 100644
2718 +--- a/net/sched/cls_flower.c
2719 ++++ b/net/sched/cls_flower.c
2720 +@@ -127,6 +127,7 @@ static int fl_classify(struct sk_buff *skb, const struct tcf_proto *tp,
2721 + struct fl_flow_key skb_key;
2722 + struct fl_flow_key skb_mkey;
2723 +
2724 ++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic);
2725 + fl_clear_masked_range(&skb_key, &head->mask);
2726 + skb_key.indev_ifindex = skb->skb_iif;
2727 + /* skb_flow_dissect() does not set n_proto in case an unknown protocol,
2728 +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
2729 +index df9ac3746c1b..adaaaaad527d 100644
2730 +--- a/net/sctp/sm_statefuns.c
2731 ++++ b/net/sctp/sm_statefuns.c
2732 +@@ -177,6 +177,16 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
2733 + return 1;
2734 + }
2735 +
2736 ++/* Check for format error in an ABORT chunk */
2737 ++static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
2738 ++{
2739 ++ struct sctp_errhdr *err;
2740 ++
2741 ++ sctp_walk_errors(err, chunk->chunk_hdr);
2742 ++
2743 ++ return (void *)err == (void *)chunk->chunk_end;
2744 ++}
2745 ++
2746 + /**********************************************************
2747 + * These are the state functions for handling chunk events.
2748 + **********************************************************/
2749 +@@ -2159,6 +2169,9 @@ sctp_disposition_t sctp_sf_shutdown_pending_abort(
2750 + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2751 + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2752 +
2753 ++ if (!sctp_err_chunk_valid(chunk))
2754 ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2755 ++
2756 + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2757 + }
2758 +
2759 +@@ -2201,6 +2214,9 @@ sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net,
2760 + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2761 + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2762 +
2763 ++ if (!sctp_err_chunk_valid(chunk))
2764 ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2765 ++
2766 + /* Stop the T2-shutdown timer. */
2767 + sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2768 + SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2769 +@@ -2466,6 +2482,9 @@ sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net,
2770 + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2771 + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2772 +
2773 ++ if (!sctp_err_chunk_valid(chunk))
2774 ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2775 ++
2776 + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2777 + }
2778 +
2779 +@@ -2482,15 +2501,9 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
2780 +
2781 + /* See if we have an error cause code in the chunk. */
2782 + len = ntohs(chunk->chunk_hdr->length);
2783 +- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
2784 +-
2785 +- sctp_errhdr_t *err;
2786 +- sctp_walk_errors(err, chunk->chunk_hdr);
2787 +- if ((void *)err != (void *)chunk->chunk_end)
2788 +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2789 +
2790 ++ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2791 + error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2792 +- }
2793 +
2794 + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2795 + /* ASSOC_FAILED will DELETE_TCB. */
2796 +diff --git a/net/wireless/ethtool.c b/net/wireless/ethtool.c
2797 +index e9e91298c70d..3cedf2c2b60b 100644
2798 +--- a/net/wireless/ethtool.c
2799 ++++ b/net/wireless/ethtool.c
2800 +@@ -6,9 +6,13 @@
2801 + void cfg80211_get_drvinfo(struct net_device *dev, struct ethtool_drvinfo *info)
2802 + {
2803 + struct wireless_dev *wdev = dev->ieee80211_ptr;
2804 ++ struct device *pdev = wiphy_dev(wdev->wiphy);
2805 +
2806 +- strlcpy(info->driver, wiphy_dev(wdev->wiphy)->driver->name,
2807 +- sizeof(info->driver));
2808 ++ if (pdev->driver)
2809 ++ strlcpy(info->driver, pdev->driver->name,
2810 ++ sizeof(info->driver));
2811 ++ else
2812 ++ strlcpy(info->driver, "N/A", sizeof(info->driver));
2813 +
2814 + strlcpy(info->version, init_utsname()->release, sizeof(info->version));
2815 +
2816 +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
2817 +index fd0bf278067e..4b30e91106d0 100644
2818 +--- a/net/wireless/nl80211.c
2819 ++++ b/net/wireless/nl80211.c
2820 +@@ -330,6 +330,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
2821 + [NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
2822 + [NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
2823 + [NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
2824 ++ [NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
2825 + [NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
2826 + [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
2827 + [NL80211_ATTR_PID] = { .type = NLA_U32 },
2828 +diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c
2829 +index 047c48953a20..1a90732e7621 100644
2830 +--- a/sound/soc/codecs/pcm512x.c
2831 ++++ b/sound/soc/codecs/pcm512x.c
2832 +@@ -1439,13 +1439,15 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
2833 + }
2834 +
2835 + pcm512x->sclk = devm_clk_get(dev, NULL);
2836 +- if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER)
2837 +- return -EPROBE_DEFER;
2838 ++ if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER) {
2839 ++ ret = -EPROBE_DEFER;
2840 ++ goto err;
2841 ++ }
2842 + if (!IS_ERR(pcm512x->sclk)) {
2843 + ret = clk_prepare_enable(pcm512x->sclk);
2844 + if (ret != 0) {
2845 + dev_err(dev, "Failed to enable SCLK: %d\n", ret);
2846 +- return ret;
2847 ++ goto err;
2848 + }
2849 + }
2850 +
2851 +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
2852 +index 7e26d173da41..b245379b4dfc 100644
2853 +--- a/sound/soc/soc-dapm.c
2854 ++++ b/sound/soc/soc-dapm.c
2855 +@@ -4317,7 +4317,7 @@ static void soc_dapm_shutdown_dapm(struct snd_soc_dapm_context *dapm)
2856 + continue;
2857 + if (w->power) {
2858 + dapm_seq_insert(w, &down_list, false);
2859 +- w->power = 0;
2860 ++ w->new_power = 0;
2861 + powerdown = 1;
2862 + }
2863 + }
2864 +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
2865 +index 81bedd9bb922..7cffa98ec313 100644
2866 +--- a/sound/soc/soc-pcm.c
2867 ++++ b/sound/soc/soc-pcm.c
2868 +@@ -2866,16 +2866,16 @@ static ssize_t dpcm_show_state(struct snd_soc_pcm_runtime *fe,
2869 + ssize_t offset = 0;
2870 +
2871 + /* FE state */
2872 +- offset += snprintf(buf + offset, size - offset,
2873 ++ offset += scnprintf(buf + offset, size - offset,
2874 + "[%s - %s]\n", fe->dai_link->name,
2875 + stream ? "Capture" : "Playback");
2876 +
2877 +- offset += snprintf(buf + offset, size - offset, "State: %s\n",
2878 ++ offset += scnprintf(buf + offset, size - offset, "State: %s\n",
2879 + dpcm_state_string(fe->dpcm[stream].state));
2880 +
2881 + if ((fe->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
2882 + (fe->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
2883 +- offset += snprintf(buf + offset, size - offset,
2884 ++ offset += scnprintf(buf + offset, size - offset,
2885 + "Hardware Params: "
2886 + "Format = %s, Channels = %d, Rate = %d\n",
2887 + snd_pcm_format_name(params_format(params)),
2888 +@@ -2883,10 +2883,10 @@ static ssize_t dpcm_show_state(struct snd_soc_pcm_runtime *fe,
2889 + params_rate(params));
2890 +
2891 + /* BEs state */
2892 +- offset += snprintf(buf + offset, size - offset, "Backends:\n");
2893 ++ offset += scnprintf(buf + offset, size - offset, "Backends:\n");
2894 +
2895 + if (list_empty(&fe->dpcm[stream].be_clients)) {
2896 +- offset += snprintf(buf + offset, size - offset,
2897 ++ offset += scnprintf(buf + offset, size - offset,
2898 + " No active DSP links\n");
2899 + goto out;
2900 + }
2901 +@@ -2895,16 +2895,16 @@ static ssize_t dpcm_show_state(struct snd_soc_pcm_runtime *fe,
2902 + struct snd_soc_pcm_runtime *be = dpcm->be;
2903 + params = &dpcm->hw_params;
2904 +
2905 +- offset += snprintf(buf + offset, size - offset,
2906 ++ offset += scnprintf(buf + offset, size - offset,
2907 + "- %s\n", be->dai_link->name);
2908 +
2909 +- offset += snprintf(buf + offset, size - offset,
2910 ++ offset += scnprintf(buf + offset, size - offset,
2911 + " State: %s\n",
2912 + dpcm_state_string(be->dpcm[stream].state));
2913 +
2914 + if ((be->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
2915 + (be->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
2916 +- offset += snprintf(buf + offset, size - offset,
2917 ++ offset += scnprintf(buf + offset, size - offset,
2918 + " Hardware Params: "
2919 + "Format = %s, Channels = %d, Rate = %d\n",
2920 + snd_pcm_format_name(params_format(params)),
2921 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
2922 +index 08a954582e31..82f3a9d78cab 100644
2923 +--- a/virt/kvm/kvm_main.c
2924 ++++ b/virt/kvm/kvm_main.c
2925 +@@ -1865,12 +1865,12 @@ int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
2926 + if (slots->generation != ghc->generation)
2927 + kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
2928 +
2929 +- if (unlikely(!ghc->memslot))
2930 +- return kvm_write_guest(kvm, ghc->gpa, data, len);
2931 +-
2932 + if (kvm_is_error_hva(ghc->hva))
2933 + return -EFAULT;
2934 +
2935 ++ if (unlikely(!ghc->memslot))
2936 ++ return kvm_write_guest(kvm, ghc->gpa, data, len);
2937 ++
2938 + r = __copy_to_user((void __user *)ghc->hva, data, len);
2939 + if (r)
2940 + return -EFAULT;
2941 +@@ -1891,12 +1891,12 @@ int kvm_read_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
2942 + if (slots->generation != ghc->generation)
2943 + kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
2944 +
2945 +- if (unlikely(!ghc->memslot))
2946 +- return kvm_read_guest(kvm, ghc->gpa, data, len);
2947 +-
2948 + if (kvm_is_error_hva(ghc->hva))
2949 + return -EFAULT;
2950 +
2951 ++ if (unlikely(!ghc->memslot))
2952 ++ return kvm_read_guest(kvm, ghc->gpa, data, len);
2953 ++
2954 + r = __copy_from_user(data, (void __user *)ghc->hva, len);
2955 + if (r)
2956 + return -EFAULT;