Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 21 Nov 2018 12:18:17
Message-Id: 1542802669.1cc2d593aa5e4aa0a4a17970b4866a24eb4284b5.mpagano@gentoo
1 commit: 1cc2d593aa5e4aa0a4a17970b4866a24eb4284b5
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Nov 21 12:17:49 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 21 12:17:49 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=1cc2d593
7
8 Linux patch 4.4.164
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1163_linux-4.4.164.patch | 4219 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4223 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 3fa80ea..aeea8d7 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -695,6 +695,10 @@ Patch: 1162_linux-4.4.163.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.163
23
24 +Patch: 1163_linux-4.4.164.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.164
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1163_linux-4.4.164.patch b/1163_linux-4.4.164.patch
33 new file mode 100644
34 index 0000000..2157e5a
35 --- /dev/null
36 +++ b/1163_linux-4.4.164.patch
37 @@ -0,0 +1,4219 @@
38 +diff --git a/Makefile b/Makefile
39 +index 4e3179768eea..9382e7e4e750 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 4
45 +-SUBLEVEL = 163
46 ++SUBLEVEL = 164
47 + EXTRAVERSION =
48 + NAME = Blurry Fish Butt
49 +
50 +diff --git a/arch/alpha/include/asm/termios.h b/arch/alpha/include/asm/termios.h
51 +index 7fde0f88da88..51ed90be770a 100644
52 +--- a/arch/alpha/include/asm/termios.h
53 ++++ b/arch/alpha/include/asm/termios.h
54 +@@ -72,9 +72,15 @@
55 + })
56 +
57 + #define user_termios_to_kernel_termios(k, u) \
58 +- copy_from_user(k, u, sizeof(struct termios))
59 ++ copy_from_user(k, u, sizeof(struct termios2))
60 +
61 + #define kernel_termios_to_user_termios(u, k) \
62 ++ copy_to_user(u, k, sizeof(struct termios2))
63 ++
64 ++#define user_termios_to_kernel_termios_1(k, u) \
65 ++ copy_from_user(k, u, sizeof(struct termios))
66 ++
67 ++#define kernel_termios_to_user_termios_1(u, k) \
68 + copy_to_user(u, k, sizeof(struct termios))
69 +
70 + #endif /* _ALPHA_TERMIOS_H */
71 +diff --git a/arch/alpha/include/uapi/asm/ioctls.h b/arch/alpha/include/uapi/asm/ioctls.h
72 +index f30c94ae1bdb..7ee8ab577e11 100644
73 +--- a/arch/alpha/include/uapi/asm/ioctls.h
74 ++++ b/arch/alpha/include/uapi/asm/ioctls.h
75 +@@ -31,6 +31,11 @@
76 + #define TCXONC _IO('t', 30)
77 + #define TCFLSH _IO('t', 31)
78 +
79 ++#define TCGETS2 _IOR('T', 42, struct termios2)
80 ++#define TCSETS2 _IOW('T', 43, struct termios2)
81 ++#define TCSETSW2 _IOW('T', 44, struct termios2)
82 ++#define TCSETSF2 _IOW('T', 45, struct termios2)
83 ++
84 + #define TIOCSWINSZ _IOW('t', 103, struct winsize)
85 + #define TIOCGWINSZ _IOR('t', 104, struct winsize)
86 + #define TIOCSTART _IO('t', 110) /* start output, like ^Q */
87 +diff --git a/arch/alpha/include/uapi/asm/termbits.h b/arch/alpha/include/uapi/asm/termbits.h
88 +index 879dd3589921..483c7ec2a879 100644
89 +--- a/arch/alpha/include/uapi/asm/termbits.h
90 ++++ b/arch/alpha/include/uapi/asm/termbits.h
91 +@@ -25,6 +25,19 @@ struct termios {
92 + speed_t c_ospeed; /* output speed */
93 + };
94 +
95 ++/* Alpha has identical termios and termios2 */
96 ++
97 ++struct termios2 {
98 ++ tcflag_t c_iflag; /* input mode flags */
99 ++ tcflag_t c_oflag; /* output mode flags */
100 ++ tcflag_t c_cflag; /* control mode flags */
101 ++ tcflag_t c_lflag; /* local mode flags */
102 ++ cc_t c_cc[NCCS]; /* control characters */
103 ++ cc_t c_line; /* line discipline (== c_cc[19]) */
104 ++ speed_t c_ispeed; /* input speed */
105 ++ speed_t c_ospeed; /* output speed */
106 ++};
107 ++
108 + /* Alpha has matching termios and ktermios */
109 +
110 + struct ktermios {
111 +@@ -147,6 +160,7 @@ struct ktermios {
112 + #define B3000000 00034
113 + #define B3500000 00035
114 + #define B4000000 00036
115 ++#define BOTHER 00037
116 +
117 + #define CSIZE 00001400
118 + #define CS5 00000000
119 +@@ -164,6 +178,9 @@ struct ktermios {
120 + #define CMSPAR 010000000000 /* mark or space (stick) parity */
121 + #define CRTSCTS 020000000000 /* flow control */
122 +
123 ++#define CIBAUD 07600000
124 ++#define IBSHIFT 16
125 ++
126 + /* c_lflag bits */
127 + #define ISIG 0x00000080
128 + #define ICANON 0x00000100
129 +diff --git a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
130 +index 445aa678f914..6a37101344aa 100644
131 +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
132 ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
133 +@@ -249,7 +249,7 @@
134 +
135 + sysmgr: sysmgr@ffd12000 {
136 + compatible = "altr,sys-mgr", "syscon";
137 +- reg = <0xffd12000 0x1000>;
138 ++ reg = <0xffd12000 0x228>;
139 + };
140 +
141 + /* Local timer */
142 +diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
143 +index 376701f41cc2..692bbc1c5b79 100644
144 +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
145 ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
146 +@@ -67,7 +67,7 @@ void (*cvmx_override_pko_queue_priority) (int pko_port,
147 + void (*cvmx_override_ipd_port_setup) (int ipd_port);
148 +
149 + /* Port count per interface */
150 +-static int interface_port_count[5];
151 ++static int interface_port_count[9];
152 +
153 + /* Port last configured link info index by IPD/PKO port */
154 + static cvmx_helper_link_info_t
155 +diff --git a/arch/mips/include/asm/mach-loongson64/irq.h b/arch/mips/include/asm/mach-loongson64/irq.h
156 +index d18c45c7c394..19ff9ce46c02 100644
157 +--- a/arch/mips/include/asm/mach-loongson64/irq.h
158 ++++ b/arch/mips/include/asm/mach-loongson64/irq.h
159 +@@ -9,7 +9,7 @@
160 + #define MIPS_CPU_IRQ_BASE 56
161 +
162 + #define LOONGSON_UART_IRQ (MIPS_CPU_IRQ_BASE + 2) /* UART */
163 +-#define LOONGSON_HT1_IRQ (MIPS_CPU_IRQ_BASE + 3) /* HT1 */
164 ++#define LOONGSON_BRIDGE_IRQ (MIPS_CPU_IRQ_BASE + 3) /* CASCADE */
165 + #define LOONGSON_TIMER_IRQ (MIPS_CPU_IRQ_BASE + 7) /* CPU Timer */
166 +
167 + #define LOONGSON_HT1_CFG_BASE loongson_sysconf.ht_control_base
168 +diff --git a/arch/mips/kernel/crash.c b/arch/mips/kernel/crash.c
169 +index 610f0f3bdb34..93c46c9cebb7 100644
170 +--- a/arch/mips/kernel/crash.c
171 ++++ b/arch/mips/kernel/crash.c
172 +@@ -34,6 +34,9 @@ static void crash_shutdown_secondary(void *passed_regs)
173 + if (!cpu_online(cpu))
174 + return;
175 +
176 ++ /* We won't be sent IPIs any more. */
177 ++ set_cpu_online(cpu, false);
178 ++
179 + local_irq_disable();
180 + if (!cpumask_test_cpu(cpu, &cpus_in_crash))
181 + crash_save_cpu(regs, cpu);
182 +diff --git a/arch/mips/kernel/machine_kexec.c b/arch/mips/kernel/machine_kexec.c
183 +index 50980bf3983e..92bc066e47a3 100644
184 +--- a/arch/mips/kernel/machine_kexec.c
185 ++++ b/arch/mips/kernel/machine_kexec.c
186 +@@ -95,6 +95,9 @@ machine_kexec(struct kimage *image)
187 + *ptr = (unsigned long) phys_to_virt(*ptr);
188 + }
189 +
190 ++ /* Mark offline BEFORE disabling local irq. */
191 ++ set_cpu_online(smp_processor_id(), false);
192 ++
193 + /*
194 + * we do not want to be bothered.
195 + */
196 +diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c
197 +index 0f75b6b3d218..241cb88f9c03 100644
198 +--- a/arch/mips/loongson64/loongson-3/irq.c
199 ++++ b/arch/mips/loongson64/loongson-3/irq.c
200 +@@ -42,51 +42,8 @@ void mach_irq_dispatch(unsigned int pending)
201 + }
202 + }
203 +
204 +-static struct irqaction cascade_irqaction = {
205 +- .handler = no_action,
206 +- .flags = IRQF_NO_SUSPEND,
207 +- .name = "cascade",
208 +-};
209 +-
210 +-static inline void mask_loongson_irq(struct irq_data *d)
211 +-{
212 +- clear_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE));
213 +- irq_disable_hazard();
214 +-
215 +- /* Workaround: UART IRQ may deliver to any core */
216 +- if (d->irq == LOONGSON_UART_IRQ) {
217 +- int cpu = smp_processor_id();
218 +- int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node;
219 +- int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node;
220 +- u64 intenclr_addr = smp_group[node_id] |
221 +- (u64)(&LOONGSON_INT_ROUTER_INTENCLR);
222 +- u64 introuter_lpc_addr = smp_group[node_id] |
223 +- (u64)(&LOONGSON_INT_ROUTER_LPC);
224 +-
225 +- *(volatile u32 *)intenclr_addr = 1 << 10;
226 +- *(volatile u8 *)introuter_lpc_addr = 0x10 + (1<<core_id);
227 +- }
228 +-}
229 +-
230 +-static inline void unmask_loongson_irq(struct irq_data *d)
231 +-{
232 +- /* Workaround: UART IRQ may deliver to any core */
233 +- if (d->irq == LOONGSON_UART_IRQ) {
234 +- int cpu = smp_processor_id();
235 +- int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node;
236 +- int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node;
237 +- u64 intenset_addr = smp_group[node_id] |
238 +- (u64)(&LOONGSON_INT_ROUTER_INTENSET);
239 +- u64 introuter_lpc_addr = smp_group[node_id] |
240 +- (u64)(&LOONGSON_INT_ROUTER_LPC);
241 +-
242 +- *(volatile u32 *)intenset_addr = 1 << 10;
243 +- *(volatile u8 *)introuter_lpc_addr = 0x10 + (1<<core_id);
244 +- }
245 +-
246 +- set_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE));
247 +- irq_enable_hazard();
248 +-}
249 ++static inline void mask_loongson_irq(struct irq_data *d) { }
250 ++static inline void unmask_loongson_irq(struct irq_data *d) { }
251 +
252 + /* For MIPS IRQs which shared by all cores */
253 + static struct irq_chip loongson_irq_chip = {
254 +@@ -124,12 +81,11 @@ void __init mach_init_irq(void)
255 + mips_cpu_irq_init();
256 + init_i8259_irqs();
257 + irq_set_chip_and_handler(LOONGSON_UART_IRQ,
258 +- &loongson_irq_chip, handle_level_irq);
259 +-
260 +- /* setup HT1 irq */
261 +- setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);
262 ++ &loongson_irq_chip, handle_percpu_irq);
263 ++ irq_set_chip_and_handler(LOONGSON_BRIDGE_IRQ,
264 ++ &loongson_irq_chip, handle_percpu_irq);
265 +
266 +- set_c0_status(STATUSF_IP2 | STATUSF_IP6);
267 ++ set_c0_status(STATUSF_IP2 | STATUSF_IP3 | STATUSF_IP6);
268 + }
269 +
270 + #ifdef CONFIG_HOTPLUG_CPU
271 +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S
272 +index 13cb2461fef5..3b7b022384a0 100644
273 +--- a/arch/parisc/kernel/entry.S
274 ++++ b/arch/parisc/kernel/entry.S
275 +@@ -185,7 +185,7 @@
276 + bv,n 0(%r3)
277 + nop
278 + .word 0 /* checksum (will be patched) */
279 +- .word PA(os_hpmc) /* address of handler */
280 ++ .word 0 /* address of handler */
281 + .word 0 /* length of handler */
282 + .endm
283 +
284 +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
285 +index 77e2262c97f6..6f61a17e2485 100644
286 +--- a/arch/parisc/kernel/traps.c
287 ++++ b/arch/parisc/kernel/traps.c
288 +@@ -829,7 +829,8 @@ void __init initialize_ivt(const void *iva)
289 + for (i = 0; i < 8; i++)
290 + *ivap++ = 0;
291 +
292 +- /* Compute Checksum for HPMC handler */
293 ++ /* Setup IVA and compute checksum for HPMC handler */
294 ++ ivap[6] = (u32)__pa(os_hpmc);
295 + length = os_hpmc_size;
296 + ivap[7] = length;
297 +
298 +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
299 +index 1b366c477687..63741f2e8d01 100644
300 +--- a/arch/parisc/mm/init.c
301 ++++ b/arch/parisc/mm/init.c
302 +@@ -491,12 +491,8 @@ static void __init map_pages(unsigned long start_vaddr,
303 + pte = pte_mkhuge(pte);
304 + }
305 +
306 +- if (address >= end_paddr) {
307 +- if (force)
308 +- break;
309 +- else
310 +- pte_val(pte) = 0;
311 +- }
312 ++ if (address >= end_paddr)
313 ++ break;
314 +
315 + set_pte(pg_table, pte);
316 +
317 +diff --git a/arch/powerpc/boot/crt0.S b/arch/powerpc/boot/crt0.S
318 +index 12866ccb5694..5c2199857aa8 100644
319 +--- a/arch/powerpc/boot/crt0.S
320 ++++ b/arch/powerpc/boot/crt0.S
321 +@@ -47,8 +47,10 @@ p_end: .long _end
322 + p_pstack: .long _platform_stack_top
323 + #endif
324 +
325 +- .weak _zimage_start
326 + .globl _zimage_start
327 ++ /* Clang appears to require the .weak directive to be after the symbol
328 ++ * is defined. See https://bugs.llvm.org/show_bug.cgi?id=38921 */
329 ++ .weak _zimage_start
330 + _zimage_start:
331 + .globl _zimage_start_lib
332 + _zimage_start_lib:
333 +diff --git a/arch/powerpc/include/asm/mpic.h b/arch/powerpc/include/asm/mpic.h
334 +index 98697611e7b3..705f4dc5073b 100644
335 +--- a/arch/powerpc/include/asm/mpic.h
336 ++++ b/arch/powerpc/include/asm/mpic.h
337 +@@ -392,7 +392,14 @@ extern struct bus_type mpic_subsys;
338 + #define MPIC_REGSET_TSI108 MPIC_REGSET(1) /* Tsi108/109 PIC */
339 +
340 + /* Get the version of primary MPIC */
341 ++#ifdef CONFIG_MPIC
342 + extern u32 fsl_mpic_primary_get_version(void);
343 ++#else
344 ++static inline u32 fsl_mpic_primary_get_version(void)
345 ++{
346 ++ return 0;
347 ++}
348 ++#endif
349 +
350 + /* Allocate the controller structure and setup the linux irq descs
351 + * for the range if interrupts passed in. No HW initialization is
352 +diff --git a/arch/powerpc/mm/tlb_nohash.c b/arch/powerpc/mm/tlb_nohash.c
353 +index bb04e4df3100..1b784b8fd8b4 100644
354 +--- a/arch/powerpc/mm/tlb_nohash.c
355 ++++ b/arch/powerpc/mm/tlb_nohash.c
356 +@@ -487,6 +487,9 @@ static void setup_page_sizes(void)
357 + for (psize = 0; psize < MMU_PAGE_COUNT; ++psize) {
358 + struct mmu_psize_def *def = &mmu_psize_defs[psize];
359 +
360 ++ if (!def->shift)
361 ++ continue;
362 ++
363 + if (tlb1ps & (1U << (def->shift - 10))) {
364 + def->flags |= MMU_PAGE_SIZE_DIRECT;
365 +
366 +diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c
367 +index 6596f66ce112..a5d0c2f08110 100644
368 +--- a/arch/sparc/kernel/perf_event.c
369 ++++ b/arch/sparc/kernel/perf_event.c
370 +@@ -926,6 +926,8 @@ static void read_in_all_counters(struct cpu_hw_events *cpuc)
371 + sparc_perf_event_update(cp, &cp->hw,
372 + cpuc->current_idx[i]);
373 + cpuc->current_idx[i] = PIC_NO_INDEX;
374 ++ if (cp->hw.state & PERF_HES_STOPPED)
375 ++ cp->hw.state |= PERF_HES_ARCH;
376 + }
377 + }
378 + }
379 +@@ -958,10 +960,12 @@ static void calculate_single_pcr(struct cpu_hw_events *cpuc)
380 +
381 + enc = perf_event_get_enc(cpuc->events[i]);
382 + cpuc->pcr[0] &= ~mask_for_index(idx);
383 +- if (hwc->state & PERF_HES_STOPPED)
384 ++ if (hwc->state & PERF_HES_ARCH) {
385 + cpuc->pcr[0] |= nop_for_index(idx);
386 +- else
387 ++ } else {
388 + cpuc->pcr[0] |= event_encoding(enc, idx);
389 ++ hwc->state = 0;
390 ++ }
391 + }
392 + out:
393 + cpuc->pcr[0] |= cpuc->event[0]->hw.config_base;
394 +@@ -987,6 +991,9 @@ static void calculate_multiple_pcrs(struct cpu_hw_events *cpuc)
395 +
396 + cpuc->current_idx[i] = idx;
397 +
398 ++ if (cp->hw.state & PERF_HES_ARCH)
399 ++ continue;
400 ++
401 + sparc_pmu_start(cp, PERF_EF_RELOAD);
402 + }
403 + out:
404 +@@ -1078,6 +1085,8 @@ static void sparc_pmu_start(struct perf_event *event, int flags)
405 + event->hw.state = 0;
406 +
407 + sparc_pmu_enable_event(cpuc, &event->hw, idx);
408 ++
409 ++ perf_event_update_userpage(event);
410 + }
411 +
412 + static void sparc_pmu_stop(struct perf_event *event, int flags)
413 +@@ -1370,9 +1379,9 @@ static int sparc_pmu_add(struct perf_event *event, int ef_flags)
414 + cpuc->events[n0] = event->hw.event_base;
415 + cpuc->current_idx[n0] = PIC_NO_INDEX;
416 +
417 +- event->hw.state = PERF_HES_UPTODATE;
418 ++ event->hw.state = PERF_HES_UPTODATE | PERF_HES_STOPPED;
419 + if (!(ef_flags & PERF_EF_START))
420 +- event->hw.state |= PERF_HES_STOPPED;
421 ++ event->hw.state |= PERF_HES_ARCH;
422 +
423 + /*
424 + * If group events scheduling transaction was started,
425 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
426 +index d9afe6d40550..9beee7f364ad 100644
427 +--- a/arch/x86/Kconfig
428 ++++ b/arch/x86/Kconfig
429 +@@ -41,7 +41,6 @@ config X86
430 + select ARCH_USE_BUILTIN_BSWAP
431 + select ARCH_USE_CMPXCHG_LOCKREF if X86_64
432 + select ARCH_USE_QUEUED_RWLOCKS
433 +- select ARCH_USE_QUEUED_SPINLOCKS
434 + select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
435 + select ARCH_WANTS_DYNAMIC_TASK_STRUCT
436 + select ARCH_WANT_FRAME_POINTERS
437 +diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c
438 +index a7661c430cd9..523db6ce88dd 100644
439 +--- a/arch/x86/boot/tools/build.c
440 ++++ b/arch/x86/boot/tools/build.c
441 +@@ -391,6 +391,13 @@ int main(int argc, char ** argv)
442 + die("Unable to mmap '%s': %m", argv[2]);
443 + /* Number of 16-byte paragraphs, including space for a 4-byte CRC */
444 + sys_size = (sz + 15 + 4) / 16;
445 ++#ifdef CONFIG_EFI_STUB
446 ++ /*
447 ++ * COFF requires minimum 32-byte alignment of sections, and
448 ++ * adding a signature is problematic without that alignment.
449 ++ */
450 ++ sys_size = (sys_size + 1) & ~1;
451 ++#endif
452 +
453 + /* Patch the setup code with the appropriate size parameters */
454 + buf[0x1f1] = setup_sectors-1;
455 +diff --git a/arch/x86/kernel/check.c b/arch/x86/kernel/check.c
456 +index 145863d4d343..a8b215865636 100644
457 +--- a/arch/x86/kernel/check.c
458 ++++ b/arch/x86/kernel/check.c
459 +@@ -30,6 +30,11 @@ static __init int set_corruption_check(char *arg)
460 + ssize_t ret;
461 + unsigned long val;
462 +
463 ++ if (!arg) {
464 ++ pr_err("memory_corruption_check config string not provided\n");
465 ++ return -EINVAL;
466 ++ }
467 ++
468 + ret = kstrtoul(arg, 10, &val);
469 + if (ret)
470 + return ret;
471 +@@ -44,6 +49,11 @@ static __init int set_corruption_check_period(char *arg)
472 + ssize_t ret;
473 + unsigned long val;
474 +
475 ++ if (!arg) {
476 ++ pr_err("memory_corruption_check_period config string not provided\n");
477 ++ return -EINVAL;
478 ++ }
479 ++
480 + ret = kstrtoul(arg, 10, &val);
481 + if (ret)
482 + return ret;
483 +@@ -58,6 +68,11 @@ static __init int set_corruption_check_size(char *arg)
484 + char *end;
485 + unsigned size;
486 +
487 ++ if (!arg) {
488 ++ pr_err("memory_corruption_check_size config string not provided\n");
489 ++ return -EINVAL;
490 ++ }
491 ++
492 + size = memparse(arg, &end);
493 +
494 + if (*end == '\0')
495 +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
496 +index 9be3e79eb629..31fad2cbd734 100644
497 +--- a/arch/x86/kernel/fpu/signal.c
498 ++++ b/arch/x86/kernel/fpu/signal.c
499 +@@ -294,7 +294,6 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
500 + * thread's fpu state, reconstruct fxstate from the fsave
501 + * header. Sanitize the copied state etc.
502 + */
503 +- struct fpu *fpu = &tsk->thread.fpu;
504 + struct user_i387_ia32_struct env;
505 + int err = 0;
506 +
507 +diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
508 +index f42e78de1e10..85872a08994a 100644
509 +--- a/arch/x86/xen/spinlock.c
510 ++++ b/arch/x86/xen/spinlock.c
511 +@@ -8,6 +8,7 @@
512 + #include <linux/log2.h>
513 + #include <linux/gfp.h>
514 + #include <linux/slab.h>
515 ++#include <linux/atomic.h>
516 +
517 + #include <asm/paravirt.h>
518 +
519 +@@ -19,6 +20,7 @@
520 +
521 + static DEFINE_PER_CPU(int, lock_kicker_irq) = -1;
522 + static DEFINE_PER_CPU(char *, irq_name);
523 ++static DEFINE_PER_CPU(atomic_t, xen_qlock_wait_nest);
524 + static bool xen_pvspin = true;
525 +
526 + #ifdef CONFIG_QUEUED_SPINLOCKS
527 +@@ -42,33 +44,24 @@ static void xen_qlock_kick(int cpu)
528 + static void xen_qlock_wait(u8 *byte, u8 val)
529 + {
530 + int irq = __this_cpu_read(lock_kicker_irq);
531 ++ atomic_t *nest_cnt = this_cpu_ptr(&xen_qlock_wait_nest);
532 +
533 + /* If kicker interrupts not initialized yet, just spin */
534 +- if (irq == -1)
535 ++ if (irq == -1 || in_nmi())
536 + return;
537 +
538 +- /* clear pending */
539 +- xen_clear_irq_pending(irq);
540 +- barrier();
541 +-
542 +- /*
543 +- * We check the byte value after clearing pending IRQ to make sure
544 +- * that we won't miss a wakeup event because of the clearing.
545 +- *
546 +- * The sync_clear_bit() call in xen_clear_irq_pending() is atomic.
547 +- * So it is effectively a memory barrier for x86.
548 +- */
549 +- if (READ_ONCE(*byte) != val)
550 +- return;
551 ++ /* Detect reentry. */
552 ++ atomic_inc(nest_cnt);
553 +
554 +- /*
555 +- * If an interrupt happens here, it will leave the wakeup irq
556 +- * pending, which will cause xen_poll_irq() to return
557 +- * immediately.
558 +- */
559 ++ /* If irq pending already and no nested call clear it. */
560 ++ if (atomic_read(nest_cnt) == 1 && xen_test_irq_pending(irq)) {
561 ++ xen_clear_irq_pending(irq);
562 ++ } else if (READ_ONCE(*byte) == val) {
563 ++ /* Block until irq becomes pending (or a spurious wakeup) */
564 ++ xen_poll_irq(irq);
565 ++ }
566 +
567 +- /* Block until irq becomes pending (or perhaps a spurious wakeup) */
568 +- xen_poll_irq(irq);
569 ++ atomic_dec(nest_cnt);
570 + }
571 +
572 + #else /* CONFIG_QUEUED_SPINLOCKS */
573 +diff --git a/arch/xtensa/boot/Makefile b/arch/xtensa/boot/Makefile
574 +index ca20a892021b..6c6877d628ef 100644
575 +--- a/arch/xtensa/boot/Makefile
576 ++++ b/arch/xtensa/boot/Makefile
577 +@@ -31,7 +31,7 @@ $(bootdir-y): $(addprefix $(obj)/,$(subdir-y)) \
578 + $(addprefix $(obj)/,$(host-progs))
579 + $(Q)$(MAKE) $(build)=$(obj)/$@ $(MAKECMDGOALS)
580 +
581 +-OBJCOPYFLAGS = --strip-all -R .comment -R .note.gnu.build-id -O binary
582 ++OBJCOPYFLAGS = --strip-all -R .comment -R .notes -O binary
583 +
584 + vmlinux.bin: vmlinux FORCE
585 + $(call if_changed,objcopy)
586 +diff --git a/arch/xtensa/include/asm/processor.h b/arch/xtensa/include/asm/processor.h
587 +index 83e2e4bc01ba..d3ac00fcb15c 100644
588 +--- a/arch/xtensa/include/asm/processor.h
589 ++++ b/arch/xtensa/include/asm/processor.h
590 +@@ -24,7 +24,11 @@
591 + # error Linux requires the Xtensa Windowed Registers Option.
592 + #endif
593 +
594 +-#define ARCH_SLAB_MINALIGN XCHAL_DATA_WIDTH
595 ++/* Xtensa ABI requires stack alignment to be at least 16 */
596 ++
597 ++#define STACK_ALIGN (XCHAL_DATA_WIDTH > 16 ? XCHAL_DATA_WIDTH : 16)
598 ++
599 ++#define ARCH_SLAB_MINALIGN STACK_ALIGN
600 +
601 + /*
602 + * User space process size: 1 GB.
603 +diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S
604 +index 05e1df943856..c7b3bedbfffe 100644
605 +--- a/arch/xtensa/kernel/head.S
606 ++++ b/arch/xtensa/kernel/head.S
607 +@@ -88,9 +88,12 @@ _SetupMMU:
608 + initialize_mmu
609 + #if defined(CONFIG_MMU) && XCHAL_HAVE_PTP_MMU && XCHAL_HAVE_SPANNING_WAY
610 + rsr a2, excsave1
611 +- movi a3, 0x08000000
612 ++ movi a3, XCHAL_KSEG_PADDR
613 ++ bltu a2, a3, 1f
614 ++ sub a2, a2, a3
615 ++ movi a3, XCHAL_KSEG_SIZE
616 + bgeu a2, a3, 1f
617 +- movi a3, 0xd0000000
618 ++ movi a3, XCHAL_KSEG_CACHED_VADDR
619 + add a2, a2, a3
620 + wsr a2, excsave1
621 + 1:
622 +diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S
623 +index c417cbe4ec87..bdfeda5a913c 100644
624 +--- a/arch/xtensa/kernel/vmlinux.lds.S
625 ++++ b/arch/xtensa/kernel/vmlinux.lds.S
626 +@@ -110,6 +110,7 @@ SECTIONS
627 + .fixup : { *(.fixup) }
628 +
629 + EXCEPTION_TABLE(16)
630 ++ NOTES
631 + /* Data section */
632 +
633 + _sdata = .;
634 +diff --git a/crypto/lrw.c b/crypto/lrw.c
635 +index 6f9908a7ebcb..d38a382b09eb 100644
636 +--- a/crypto/lrw.c
637 ++++ b/crypto/lrw.c
638 +@@ -132,7 +132,12 @@ static inline int get_index128(be128 *block)
639 + return x + ffz(val);
640 + }
641 +
642 +- return x;
643 ++ /*
644 ++ * If we get here, then x == 128 and we are incrementing the counter
645 ++ * from all ones to all zeros. This means we must return index 127, i.e.
646 ++ * the one corresponding to key2*{ 1,...,1 }.
647 ++ */
648 ++ return 127;
649 + }
650 +
651 + static int crypt(struct blkcipher_desc *d,
652 +diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c
653 +index 8a0f77fb5181..572755e557d6 100644
654 +--- a/drivers/acpi/acpi_lpss.c
655 ++++ b/drivers/acpi/acpi_lpss.c
656 +@@ -235,9 +235,11 @@ static const struct acpi_device_id acpi_lpss_device_ids[] = {
657 + { "INT33FC", },
658 +
659 + /* Braswell LPSS devices */
660 ++ { "80862286", LPSS_ADDR(lpss_dma_desc) },
661 + { "80862288", LPSS_ADDR(bsw_pwm_dev_desc) },
662 + { "8086228A", LPSS_ADDR(bsw_uart_dev_desc) },
663 + { "8086228E", LPSS_ADDR(bsw_spi_dev_desc) },
664 ++ { "808622C0", LPSS_ADDR(lpss_dma_desc) },
665 + { "808622C1", LPSS_ADDR(bsw_i2c_dev_desc) },
666 +
667 + /* Broadwell LPSS devices */
668 +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
669 +index 2104b1b4ccda..9ab759bcebd5 100644
670 +--- a/drivers/block/ataflop.c
671 ++++ b/drivers/block/ataflop.c
672 +@@ -1933,6 +1933,11 @@ static int __init atari_floppy_init (void)
673 + unit[i].disk = alloc_disk(1);
674 + if (!unit[i].disk)
675 + goto Enomem;
676 ++
677 ++ unit[i].disk->queue = blk_init_queue(do_fd_request,
678 ++ &ataflop_lock);
679 ++ if (!unit[i].disk->queue)
680 ++ goto Enomem;
681 + }
682 +
683 + if (UseTrackbuffer < 0)
684 +@@ -1964,10 +1969,6 @@ static int __init atari_floppy_init (void)
685 + sprintf(unit[i].disk->disk_name, "fd%d", i);
686 + unit[i].disk->fops = &floppy_fops;
687 + unit[i].disk->private_data = &unit[i];
688 +- unit[i].disk->queue = blk_init_queue(do_fd_request,
689 +- &ataflop_lock);
690 +- if (!unit[i].disk->queue)
691 +- goto Enomem;
692 + set_capacity(unit[i].disk, MAX_DISK_SIZE * 2);
693 + add_disk(unit[i].disk);
694 + }
695 +@@ -1982,13 +1983,17 @@ static int __init atari_floppy_init (void)
696 +
697 + return 0;
698 + Enomem:
699 +- while (i--) {
700 +- struct request_queue *q = unit[i].disk->queue;
701 ++ do {
702 ++ struct gendisk *disk = unit[i].disk;
703 +
704 +- put_disk(unit[i].disk);
705 +- if (q)
706 +- blk_cleanup_queue(q);
707 +- }
708 ++ if (disk) {
709 ++ if (disk->queue) {
710 ++ blk_cleanup_queue(disk->queue);
711 ++ disk->queue = NULL;
712 ++ }
713 ++ put_disk(unit[i].disk);
714 ++ }
715 ++ } while (i--);
716 +
717 + unregister_blkdev(FLOPPY_MAJOR, "fd");
718 + return -ENOMEM;
719 +diff --git a/drivers/block/swim.c b/drivers/block/swim.c
720 +index b5afd495d482..eec6e393c124 100644
721 +--- a/drivers/block/swim.c
722 ++++ b/drivers/block/swim.c
723 +@@ -868,8 +868,17 @@ static int swim_floppy_init(struct swim_priv *swd)
724 +
725 + exit_put_disks:
726 + unregister_blkdev(FLOPPY_MAJOR, "fd");
727 +- while (drive--)
728 +- put_disk(swd->unit[drive].disk);
729 ++ do {
730 ++ struct gendisk *disk = swd->unit[drive].disk;
731 ++
732 ++ if (disk) {
733 ++ if (disk->queue) {
734 ++ blk_cleanup_queue(disk->queue);
735 ++ disk->queue = NULL;
736 ++ }
737 ++ put_disk(disk);
738 ++ }
739 ++ } while (drive--);
740 + return err;
741 + }
742 +
743 +diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
744 +index 0b697946e9bc..a08c6529271e 100644
745 +--- a/drivers/bluetooth/btbcm.c
746 ++++ b/drivers/bluetooth/btbcm.c
747 +@@ -270,6 +270,7 @@ static const struct {
748 + { 0x4103, "BCM4330B1" }, /* 002.001.003 */
749 + { 0x410e, "BCM43341B0" }, /* 002.001.014 */
750 + { 0x4406, "BCM4324B3" }, /* 002.004.006 */
751 ++ { 0x6109, "BCM4335C0" }, /* 003.001.009 */
752 + { 0x610c, "BCM4354" }, /* 003.001.012 */
753 + { }
754 + };
755 +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
756 +index 1012b2cb6a16..d203940203b6 100644
757 +--- a/drivers/cdrom/cdrom.c
758 ++++ b/drivers/cdrom/cdrom.c
759 +@@ -2425,7 +2425,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
760 + return -ENOSYS;
761 +
762 + if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
763 +- if ((int)arg >= cdi->capacity)
764 ++ if (arg >= cdi->capacity)
765 + return -EINVAL;
766 + }
767 +
768 +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
769 +index d6d166fe49a3..7a2e23d6bfdd 100644
770 +--- a/drivers/char/ipmi/ipmi_ssif.c
771 ++++ b/drivers/char/ipmi/ipmi_ssif.c
772 +@@ -613,8 +613,9 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
773 + flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
774 + ssif_info->waiting_alert = true;
775 + ssif_info->rtc_us_timer = SSIF_MSG_USEC;
776 +- mod_timer(&ssif_info->retry_timer,
777 +- jiffies + SSIF_MSG_JIFFIES);
778 ++ if (!ssif_info->stopping)
779 ++ mod_timer(&ssif_info->retry_timer,
780 ++ jiffies + SSIF_MSG_JIFFIES);
781 + ipmi_ssif_unlock_cond(ssif_info, flags);
782 + return;
783 + }
784 +@@ -951,8 +952,9 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result,
785 + ssif_info->waiting_alert = true;
786 + ssif_info->retries_left = SSIF_RECV_RETRIES;
787 + ssif_info->rtc_us_timer = SSIF_MSG_PART_USEC;
788 +- mod_timer(&ssif_info->retry_timer,
789 +- jiffies + SSIF_MSG_PART_JIFFIES);
790 ++ if (!ssif_info->stopping)
791 ++ mod_timer(&ssif_info->retry_timer,
792 ++ jiffies + SSIF_MSG_PART_JIFFIES);
793 + ipmi_ssif_unlock_cond(ssif_info, flags);
794 + }
795 + }
796 +diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
797 +index 95a40ec854ad..e3f2915ca4be 100644
798 +--- a/drivers/char/tpm/tpm-interface.c
799 ++++ b/drivers/char/tpm/tpm-interface.c
800 +@@ -415,7 +415,8 @@ ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd,
801 + header = cmd;
802 +
803 + err = be32_to_cpu(header->return_code);
804 +- if (err != 0 && desc)
805 ++ if (err != 0 && err != TPM_ERR_DISABLED && err != TPM_ERR_DEACTIVATED
806 ++ && desc)
807 + dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err,
808 + desc);
809 +
810 +diff --git a/drivers/char/tpm/xen-tpmfront.c b/drivers/char/tpm/xen-tpmfront.c
811 +index 849f2e29c243..0fb18765f982 100644
812 +--- a/drivers/char/tpm/xen-tpmfront.c
813 ++++ b/drivers/char/tpm/xen-tpmfront.c
814 +@@ -201,7 +201,7 @@ static int setup_ring(struct xenbus_device *dev, struct tpm_private *priv)
815 + return -ENOMEM;
816 + }
817 +
818 +- rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref);
819 ++ rv = xenbus_grant_ring(dev, priv->shr, 1, &gref);
820 + if (rv < 0)
821 + return rv;
822 +
823 +diff --git a/drivers/clk/clk-s2mps11.c b/drivers/clk/clk-s2mps11.c
824 +index d266299dfdb1..785864893f9a 100644
825 +--- a/drivers/clk/clk-s2mps11.c
826 ++++ b/drivers/clk/clk-s2mps11.c
827 +@@ -297,6 +297,36 @@ static const struct platform_device_id s2mps11_clk_id[] = {
828 + };
829 + MODULE_DEVICE_TABLE(platform, s2mps11_clk_id);
830 +
831 ++#ifdef CONFIG_OF
832 ++/*
833 ++ * Device is instantiated through parent MFD device and device matching is done
834 ++ * through platform_device_id.
835 ++ *
836 ++ * However if device's DT node contains proper clock compatible and driver is
837 ++ * built as a module, then the *module* matching will be done trough DT aliases.
838 ++ * This requires of_device_id table. In the same time this will not change the
839 ++ * actual *device* matching so do not add .of_match_table.
840 ++ */
841 ++static const struct of_device_id s2mps11_dt_match[] = {
842 ++ {
843 ++ .compatible = "samsung,s2mps11-clk",
844 ++ .data = (void *)S2MPS11X,
845 ++ }, {
846 ++ .compatible = "samsung,s2mps13-clk",
847 ++ .data = (void *)S2MPS13X,
848 ++ }, {
849 ++ .compatible = "samsung,s2mps14-clk",
850 ++ .data = (void *)S2MPS14X,
851 ++ }, {
852 ++ .compatible = "samsung,s5m8767-clk",
853 ++ .data = (void *)S5M8767X,
854 ++ }, {
855 ++ /* Sentinel */
856 ++ },
857 ++};
858 ++MODULE_DEVICE_TABLE(of, s2mps11_dt_match);
859 ++#endif
860 ++
861 + static struct platform_driver s2mps11_clk_driver = {
862 + .driver = {
863 + .name = "s2mps11-clk",
864 +diff --git a/drivers/clocksource/i8253.c b/drivers/clocksource/i8253.c
865 +index 0efd36e483ab..60c8a9bd562d 100644
866 +--- a/drivers/clocksource/i8253.c
867 ++++ b/drivers/clocksource/i8253.c
868 +@@ -19,6 +19,13 @@
869 + DEFINE_RAW_SPINLOCK(i8253_lock);
870 + EXPORT_SYMBOL(i8253_lock);
871 +
872 ++/*
873 ++ * Handle PIT quirk in pit_shutdown() where zeroing the counter register
874 ++ * restarts the PIT, negating the shutdown. On platforms with the quirk,
875 ++ * platform specific code can set this to false.
876 ++ */
877 ++bool i8253_clear_counter_on_shutdown = true;
878 ++
879 + #ifdef CONFIG_CLKSRC_I8253
880 + /*
881 + * Since the PIT overflows every tick, its not very useful
882 +@@ -108,8 +115,11 @@ static int pit_shutdown(struct clock_event_device *evt)
883 + raw_spin_lock(&i8253_lock);
884 +
885 + outb_p(0x30, PIT_MODE);
886 +- outb_p(0, PIT_CH0);
887 +- outb_p(0, PIT_CH0);
888 ++
889 ++ if (i8253_clear_counter_on_shutdown) {
890 ++ outb_p(0, PIT_CH0);
891 ++ outb_p(0, PIT_CH0);
892 ++ }
893 +
894 + raw_spin_unlock(&i8253_lock);
895 + return 0;
896 +diff --git a/drivers/dma/dma-jz4780.c b/drivers/dma/dma-jz4780.c
897 +index dade7c47ff18..8344b7c91fe3 100644
898 +--- a/drivers/dma/dma-jz4780.c
899 ++++ b/drivers/dma/dma-jz4780.c
900 +@@ -750,6 +750,11 @@ static int jz4780_dma_probe(struct platform_device *pdev)
901 + struct resource *res;
902 + int i, ret;
903 +
904 ++ if (!dev->of_node) {
905 ++ dev_err(dev, "This driver must be probed from devicetree\n");
906 ++ return -EINVAL;
907 ++ }
908 ++
909 + jzdma = devm_kzalloc(dev, sizeof(*jzdma), GFP_KERNEL);
910 + if (!jzdma)
911 + return -ENOMEM;
912 +diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
913 +index ac8c28968422..106fa9b327d9 100644
914 +--- a/drivers/dma/ioat/init.c
915 ++++ b/drivers/dma/ioat/init.c
916 +@@ -1210,8 +1210,15 @@ static void ioat_shutdown(struct pci_dev *pdev)
917 +
918 + spin_lock_bh(&ioat_chan->prep_lock);
919 + set_bit(IOAT_CHAN_DOWN, &ioat_chan->state);
920 +- del_timer_sync(&ioat_chan->timer);
921 + spin_unlock_bh(&ioat_chan->prep_lock);
922 ++ /*
923 ++ * Synchronization rule for del_timer_sync():
924 ++ * - The caller must not hold locks which would prevent
925 ++ * completion of the timer's handler.
926 ++ * So prep_lock cannot be held before calling it.
927 ++ */
928 ++ del_timer_sync(&ioat_chan->timer);
929 ++
930 + /* this should quiesce then reset */
931 + ioat_reset_hw(ioat_chan);
932 + }
933 +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
934 +index 273e05a3c933..5a1bafb5ecbb 100644
935 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c
936 ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
937 +@@ -1225,6 +1225,9 @@ static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_
938 + mutex_lock(&mgr->lock);
939 + mstb = mgr->mst_primary;
940 +
941 ++ if (!mstb)
942 ++ goto out;
943 ++
944 + for (i = 0; i < lct - 1; i++) {
945 + int shift = (i % 2) ? 0 : 4;
946 + int port_num = (rad[i / 2] >> shift) & 0xf;
947 +diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c
948 +index 4dccd9b003a1..0d738d7870fd 100644
949 +--- a/drivers/gpu/drm/i915/intel_audio.c
950 ++++ b/drivers/gpu/drm/i915/intel_audio.c
951 +@@ -76,6 +76,9 @@ static const struct {
952 + /* HDMI N/CTS table */
953 + #define TMDS_297M 297000
954 + #define TMDS_296M 296703
955 ++#define TMDS_594M 594000
956 ++#define TMDS_593M 593407
957 ++
958 + static const struct {
959 + int sample_rate;
960 + int clock;
961 +@@ -96,6 +99,20 @@ static const struct {
962 + { 176400, TMDS_297M, 18816, 247500 },
963 + { 192000, TMDS_296M, 23296, 281250 },
964 + { 192000, TMDS_297M, 20480, 247500 },
965 ++ { 44100, TMDS_593M, 8918, 937500 },
966 ++ { 44100, TMDS_594M, 9408, 990000 },
967 ++ { 48000, TMDS_593M, 5824, 562500 },
968 ++ { 48000, TMDS_594M, 6144, 594000 },
969 ++ { 32000, TMDS_593M, 5824, 843750 },
970 ++ { 32000, TMDS_594M, 3072, 445500 },
971 ++ { 88200, TMDS_593M, 17836, 937500 },
972 ++ { 88200, TMDS_594M, 18816, 990000 },
973 ++ { 96000, TMDS_593M, 11648, 562500 },
974 ++ { 96000, TMDS_594M, 12288, 594000 },
975 ++ { 176400, TMDS_593M, 35672, 937500 },
976 ++ { 176400, TMDS_594M, 37632, 990000 },
977 ++ { 192000, TMDS_593M, 23296, 562500 },
978 ++ { 192000, TMDS_594M, 24576, 594000 },
979 + };
980 +
981 + /* get AUD_CONFIG_PIXEL_CLOCK_HDMI_* value for mode */
982 +diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
983 +index 083db3f5181f..8282ae0c4fc3 100644
984 +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
985 ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
986 +@@ -262,6 +262,17 @@ static int dmm_txn_commit(struct dmm_txn *txn, bool wait)
987 + }
988 +
989 + txn->last_pat->next_pa = 0;
990 ++ /* ensure that the written descriptors are visible to DMM */
991 ++ wmb();
992 ++
993 ++ /*
994 ++ * NOTE: the wmb() above should be enough, but there seems to be a bug
995 ++ * in OMAP's memory barrier implementation, which in some rare cases may
996 ++ * cause the writes not to be observable after wmb().
997 ++ */
998 ++
999 ++ /* read back to ensure the data is in RAM */
1000 ++ readl(&txn->last_pat->next_pa);
1001 +
1002 + /* write to PAT_DESCR to clear out any pending transaction */
1003 + writel(0x0, dmm->base + reg[PAT_DESCR][engine->id]);
1004 +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
1005 +index f22e1e1ee64a..d1f3be78c649 100644
1006 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
1007 ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
1008 +@@ -547,6 +547,11 @@ static int rockchip_drm_platform_remove(struct platform_device *pdev)
1009 + return 0;
1010 + }
1011 +
1012 ++static void rockchip_drm_platform_shutdown(struct platform_device *pdev)
1013 ++{
1014 ++ rockchip_drm_platform_remove(pdev);
1015 ++}
1016 ++
1017 + static const struct of_device_id rockchip_drm_dt_ids[] = {
1018 + { .compatible = "rockchip,display-subsystem", },
1019 + { /* sentinel */ },
1020 +@@ -556,6 +561,7 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_ids);
1021 + static struct platform_driver rockchip_drm_platform_driver = {
1022 + .probe = rockchip_drm_platform_probe,
1023 + .remove = rockchip_drm_platform_remove,
1024 ++ .shutdown = rockchip_drm_platform_shutdown,
1025 + .driver = {
1026 + .name = "rockchip-drm",
1027 + .of_match_table = rockchip_drm_dt_ids,
1028 +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
1029 +index b59b15d4caa9..308d8432fea3 100644
1030 +--- a/drivers/hid/usbhid/hiddev.c
1031 ++++ b/drivers/hid/usbhid/hiddev.c
1032 +@@ -521,14 +521,24 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
1033 + if (cmd == HIDIOCGCOLLECTIONINDEX) {
1034 + if (uref->usage_index >= field->maxusage)
1035 + goto inval;
1036 ++ uref->usage_index =
1037 ++ array_index_nospec(uref->usage_index,
1038 ++ field->maxusage);
1039 + } else if (uref->usage_index >= field->report_count)
1040 + goto inval;
1041 + }
1042 +
1043 +- if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
1044 +- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
1045 +- uref->usage_index + uref_multi->num_values > field->report_count))
1046 +- goto inval;
1047 ++ if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
1048 ++ if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
1049 ++ uref->usage_index + uref_multi->num_values >
1050 ++ field->report_count)
1051 ++ goto inval;
1052 ++
1053 ++ uref->usage_index =
1054 ++ array_index_nospec(uref->usage_index,
1055 ++ field->report_count -
1056 ++ uref_multi->num_values);
1057 ++ }
1058 +
1059 + switch (cmd) {
1060 + case HIDIOCGUSAGE:
1061 +diff --git a/drivers/hwmon/pmbus/pmbus.c b/drivers/hwmon/pmbus/pmbus.c
1062 +index 0a74991a60f0..1b2b79f6ea3a 100644
1063 +--- a/drivers/hwmon/pmbus/pmbus.c
1064 ++++ b/drivers/hwmon/pmbus/pmbus.c
1065 +@@ -117,6 +117,8 @@ static int pmbus_identify(struct i2c_client *client,
1066 + } else {
1067 + info->pages = 1;
1068 + }
1069 ++
1070 ++ pmbus_clear_faults(client);
1071 + }
1072 +
1073 + if (pmbus_check_byte_register(client, 0, PMBUS_VOUT_MODE)) {
1074 +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
1075 +index d013acf3f83a..c00bad02761a 100644
1076 +--- a/drivers/hwmon/pmbus/pmbus_core.c
1077 ++++ b/drivers/hwmon/pmbus/pmbus_core.c
1078 +@@ -1759,7 +1759,10 @@ static int pmbus_init_common(struct i2c_client *client, struct pmbus_data *data,
1079 + if (ret >= 0 && (ret & PB_CAPABILITY_ERROR_CHECK))
1080 + client->flags |= I2C_CLIENT_PEC;
1081 +
1082 +- pmbus_clear_faults(client);
1083 ++ if (data->info->pages)
1084 ++ pmbus_clear_faults(client);
1085 ++ else
1086 ++ pmbus_clear_fault_page(client, -1);
1087 +
1088 + if (info->identify) {
1089 + ret = (*info->identify)(client, info);
1090 +diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c
1091 +index 93986f0590ef..d83e5b75a37b 100644
1092 +--- a/drivers/iio/adc/at91_adc.c
1093 ++++ b/drivers/iio/adc/at91_adc.c
1094 +@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_handler(int irq, void *p)
1095 + struct iio_poll_func *pf = p;
1096 + struct iio_dev *idev = pf->indio_dev;
1097 + struct at91_adc_state *st = iio_priv(idev);
1098 ++ struct iio_chan_spec const *chan;
1099 + int i, j = 0;
1100 +
1101 + for (i = 0; i < idev->masklength; i++) {
1102 + if (!test_bit(i, idev->active_scan_mask))
1103 + continue;
1104 +- st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
1105 ++ chan = idev->channels + i;
1106 ++ st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
1107 + j++;
1108 + }
1109 +
1110 +@@ -276,6 +278,8 @@ static void handle_adc_eoc_trigger(int irq, struct iio_dev *idev)
1111 + iio_trigger_poll(idev->trig);
1112 + } else {
1113 + st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
1114 ++ /* Needed to ACK the DRDY interruption */
1115 ++ at91_adc_readl(st, AT91_ADC_LCDR);
1116 + st->done = true;
1117 + wake_up_interruptible(&st->wq_data_avail);
1118 + }
1119 +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
1120 +index 4ed621ad27e4..05aa3ac1381b 100644
1121 +--- a/drivers/md/bcache/btree.c
1122 ++++ b/drivers/md/bcache/btree.c
1123 +@@ -2372,7 +2372,7 @@ static int refill_keybuf_fn(struct btree_op *op, struct btree *b,
1124 + struct keybuf *buf = refill->buf;
1125 + int ret = MAP_CONTINUE;
1126 +
1127 +- if (bkey_cmp(k, refill->end) >= 0) {
1128 ++ if (bkey_cmp(k, refill->end) > 0) {
1129 + ret = MAP_DONE;
1130 + goto out;
1131 + }
1132 +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
1133 +index 6865b186f749..9371194677dc 100644
1134 +--- a/drivers/md/dm-ioctl.c
1135 ++++ b/drivers/md/dm-ioctl.c
1136 +@@ -1685,8 +1685,7 @@ static void free_params(struct dm_ioctl *param, size_t param_size, int param_fla
1137 + }
1138 +
1139 + static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
1140 +- int ioctl_flags,
1141 +- struct dm_ioctl **param, int *param_flags)
1142 ++ int ioctl_flags, struct dm_ioctl **param, int *param_flags)
1143 + {
1144 + struct dm_ioctl *dmi;
1145 + int secure_data;
1146 +@@ -1734,18 +1733,13 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern
1147 + return -ENOMEM;
1148 + }
1149 +
1150 +- if (copy_from_user(dmi, user, param_kernel->data_size))
1151 +- goto bad;
1152 ++ /* Copy from param_kernel (which was already copied from user) */
1153 ++ memcpy(dmi, param_kernel, minimum_data_size);
1154 +
1155 +-data_copied:
1156 +- /*
1157 +- * Abort if something changed the ioctl data while it was being copied.
1158 +- */
1159 +- if (dmi->data_size != param_kernel->data_size) {
1160 +- DMERR("rejecting ioctl: data size modified while processing parameters");
1161 ++ if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
1162 ++ param_kernel->data_size - minimum_data_size))
1163 + goto bad;
1164 +- }
1165 +-
1166 ++data_copied:
1167 + /* Wipe the user buffer so we do not return it to userspace */
1168 + if (secure_data && clear_user(user, param_kernel->data_size))
1169 + goto bad;
1170 +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
1171 +index 89dcbf2fa846..82e284d2b202 100644
1172 +--- a/drivers/md/raid1.c
1173 ++++ b/drivers/md/raid1.c
1174 +@@ -1605,6 +1605,7 @@ static int raid1_add_disk(struct mddev *mddev, struct md_rdev *rdev)
1175 + */
1176 + if (rdev->saved_raid_disk >= 0 &&
1177 + rdev->saved_raid_disk >= first &&
1178 ++ rdev->saved_raid_disk < conf->raid_disks &&
1179 + conf->mirrors[rdev->saved_raid_disk].rdev == NULL)
1180 + first = last = rdev->saved_raid_disk;
1181 +
1182 +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
1183 +index 89111d455b71..8d613652d0e2 100644
1184 +--- a/drivers/md/raid10.c
1185 ++++ b/drivers/md/raid10.c
1186 +@@ -1737,6 +1737,7 @@ static int raid10_add_disk(struct mddev *mddev, struct md_rdev *rdev)
1187 + first = last = rdev->raid_disk;
1188 +
1189 + if (rdev->saved_raid_disk >= first &&
1190 ++ rdev->saved_raid_disk < conf->geo.raid_disks &&
1191 + conf->mirrors[rdev->saved_raid_disk].rdev == NULL)
1192 + mirror = rdev->saved_raid_disk;
1193 + else
1194 +diff --git a/drivers/media/i2c/tvp5150.c b/drivers/media/i2c/tvp5150.c
1195 +index 3c5fb2509c47..118277d57c30 100644
1196 +--- a/drivers/media/i2c/tvp5150.c
1197 ++++ b/drivers/media/i2c/tvp5150.c
1198 +@@ -870,9 +870,6 @@ static int tvp5150_s_crop(struct v4l2_subdev *sd, const struct v4l2_crop *a)
1199 +
1200 + /* tvp5150 has some special limits */
1201 + rect.left = clamp(rect.left, 0, TVP5150_MAX_CROP_LEFT);
1202 +- rect.width = clamp_t(unsigned int, rect.width,
1203 +- TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
1204 +- TVP5150_H_MAX - rect.left);
1205 + rect.top = clamp(rect.top, 0, TVP5150_MAX_CROP_TOP);
1206 +
1207 + /* Calculate height based on current standard */
1208 +@@ -886,9 +883,16 @@ static int tvp5150_s_crop(struct v4l2_subdev *sd, const struct v4l2_crop *a)
1209 + else
1210 + hmax = TVP5150_V_MAX_OTHERS;
1211 +
1212 +- rect.height = clamp_t(unsigned int, rect.height,
1213 ++ /*
1214 ++ * alignments:
1215 ++ * - width = 2 due to UYVY colorspace
1216 ++ * - height, image = no special alignment
1217 ++ */
1218 ++ v4l_bound_align_image(&rect.width,
1219 ++ TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
1220 ++ TVP5150_H_MAX - rect.left, 1, &rect.height,
1221 + hmax - TVP5150_MAX_CROP_TOP - rect.top,
1222 +- hmax - rect.top);
1223 ++ hmax - rect.top, 0, 0);
1224 +
1225 + tvp5150_write(sd, TVP5150_VERT_BLANKING_START, rect.top);
1226 + tvp5150_write(sd, TVP5150_VERT_BLANKING_STOP,
1227 +diff --git a/drivers/media/pci/cx23885/altera-ci.c b/drivers/media/pci/cx23885/altera-ci.c
1228 +index aaf4e46ff3e9..a0c1ff97f905 100644
1229 +--- a/drivers/media/pci/cx23885/altera-ci.c
1230 ++++ b/drivers/media/pci/cx23885/altera-ci.c
1231 +@@ -660,6 +660,10 @@ static int altera_hw_filt_init(struct altera_ci_config *config, int hw_filt_nr)
1232 + }
1233 +
1234 + temp_int = append_internal(inter);
1235 ++ if (!temp_int) {
1236 ++ ret = -ENOMEM;
1237 ++ goto err;
1238 ++ }
1239 + inter->filts_used = 1;
1240 + inter->dev = config->dev;
1241 + inter->fpga_rw = config->fpga_rw;
1242 +@@ -694,6 +698,7 @@ err:
1243 + __func__, ret);
1244 +
1245 + kfree(pid_filt);
1246 ++ kfree(inter);
1247 +
1248 + return ret;
1249 + }
1250 +@@ -728,6 +733,10 @@ int altera_ci_init(struct altera_ci_config *config, int ci_nr)
1251 + }
1252 +
1253 + temp_int = append_internal(inter);
1254 ++ if (!temp_int) {
1255 ++ ret = -ENOMEM;
1256 ++ goto err;
1257 ++ }
1258 + inter->cis_used = 1;
1259 + inter->dev = config->dev;
1260 + inter->fpga_rw = config->fpga_rw;
1261 +@@ -796,6 +805,7 @@ err:
1262 + ci_dbg_print("%s: Cannot initialize CI: Error %d.\n", __func__, ret);
1263 +
1264 + kfree(state);
1265 ++ kfree(inter);
1266 +
1267 + return ret;
1268 + }
1269 +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
1270 +index 394004607059..7c7dfaed9d15 100644
1271 +--- a/drivers/media/usb/em28xx/em28xx-cards.c
1272 ++++ b/drivers/media/usb/em28xx/em28xx-cards.c
1273 +@@ -2021,13 +2021,13 @@ struct em28xx_board em28xx_boards[] = {
1274 + .input = { {
1275 + .type = EM28XX_VMUX_COMPOSITE1,
1276 + .vmux = TVP5150_COMPOSITE1,
1277 +- .amux = EM28XX_AUDIO_SRC_LINE,
1278 ++ .amux = EM28XX_AMUX_LINE_IN,
1279 + .gpio = terratec_av350_unmute_gpio,
1280 +
1281 + }, {
1282 + .type = EM28XX_VMUX_SVIDEO,
1283 + .vmux = TVP5150_SVIDEO,
1284 +- .amux = EM28XX_AUDIO_SRC_LINE,
1285 ++ .amux = EM28XX_AMUX_LINE_IN,
1286 + .gpio = terratec_av350_unmute_gpio,
1287 + } },
1288 + },
1289 +diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
1290 +index 6a3cf342e087..6cfcdcea27e0 100644
1291 +--- a/drivers/media/usb/em28xx/em28xx-video.c
1292 ++++ b/drivers/media/usb/em28xx/em28xx-video.c
1293 +@@ -1149,6 +1149,8 @@ static void em28xx_ctrl_notify(struct v4l2_ctrl *ctrl, void *priv)
1294 + {
1295 + struct em28xx *dev = priv;
1296 +
1297 ++ dev->v4l2->field_count = 0;
1298 ++
1299 + /*
1300 + * In the case of non-AC97 volume controls, we still need
1301 + * to do some setups at em28xx, in order to mute/unmute
1302 +@@ -1288,9 +1290,9 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv,
1303 +
1304 + fmt = format_by_fourcc(f->fmt.pix.pixelformat);
1305 + if (!fmt) {
1306 +- em28xx_videodbg("Fourcc format (%08x) invalid.\n",
1307 +- f->fmt.pix.pixelformat);
1308 +- return -EINVAL;
1309 ++ fmt = &format[0];
1310 ++ em28xx_videodbg("Fourcc format (%08x) invalid. Using default (%08x).\n",
1311 ++ f->fmt.pix.pixelformat, fmt->fourcc);
1312 + }
1313 +
1314 + if (dev->board.is_em2800) {
1315 +diff --git a/drivers/misc/genwqe/card_base.h b/drivers/misc/genwqe/card_base.h
1316 +index cb851c14ca4b..159f35b2bd11 100644
1317 +--- a/drivers/misc/genwqe/card_base.h
1318 ++++ b/drivers/misc/genwqe/card_base.h
1319 +@@ -404,7 +404,7 @@ struct genwqe_file {
1320 + struct file *filp;
1321 +
1322 + struct fasync_struct *async_queue;
1323 +- struct task_struct *owner;
1324 ++ struct pid *opener;
1325 + struct list_head list; /* entry in list of open files */
1326 +
1327 + spinlock_t map_lock; /* lock for dma_mappings */
1328 +diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c
1329 +index 7f1b282d7d96..c0012ca4229e 100644
1330 +--- a/drivers/misc/genwqe/card_dev.c
1331 ++++ b/drivers/misc/genwqe/card_dev.c
1332 +@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwqe_dev *cd, struct genwqe_file *cfile)
1333 + {
1334 + unsigned long flags;
1335 +
1336 +- cfile->owner = current;
1337 ++ cfile->opener = get_pid(task_tgid(current));
1338 + spin_lock_irqsave(&cd->file_lock, flags);
1339 + list_add(&cfile->list, &cd->file_list);
1340 + spin_unlock_irqrestore(&cd->file_lock, flags);
1341 +@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe_dev *cd, struct genwqe_file *cfile)
1342 + spin_lock_irqsave(&cd->file_lock, flags);
1343 + list_del(&cfile->list);
1344 + spin_unlock_irqrestore(&cd->file_lock, flags);
1345 ++ put_pid(cfile->opener);
1346 +
1347 + return 0;
1348 + }
1349 +@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct genwqe_dev *cd, int sig)
1350 + return files;
1351 + }
1352 +
1353 +-static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
1354 ++static int genwqe_terminate(struct genwqe_dev *cd)
1355 + {
1356 + unsigned int files = 0;
1357 + unsigned long flags;
1358 +@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
1359 +
1360 + spin_lock_irqsave(&cd->file_lock, flags);
1361 + list_for_each_entry(cfile, &cd->file_list, list) {
1362 +- force_sig(sig, cfile->owner);
1363 ++ kill_pid(cfile->opener, SIGKILL, 1);
1364 + files++;
1365 + }
1366 + spin_unlock_irqrestore(&cd->file_lock, flags);
1367 +@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_processes(struct genwqe_dev *cd)
1368 + dev_warn(&pci_dev->dev,
1369 + "[%s] send SIGKILL and wait ...\n", __func__);
1370 +
1371 +- rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */
1372 ++ rc = genwqe_terminate(cd);
1373 + if (rc) {
1374 + /* Give kill_timout more seconds to end processes */
1375 + for (i = 0; (i < genwqe_kill_timeout) &&
1376 +diff --git a/drivers/mmc/host/sdhci-pci-o2micro.c b/drivers/mmc/host/sdhci-pci-o2micro.c
1377 +index d48f03104b5b..e417e4274d66 100644
1378 +--- a/drivers/mmc/host/sdhci-pci-o2micro.c
1379 ++++ b/drivers/mmc/host/sdhci-pci-o2micro.c
1380 +@@ -334,6 +334,9 @@ int sdhci_pci_o2_probe(struct sdhci_pci_chip *chip)
1381 + pci_write_config_byte(chip->pdev, O2_SD_LOCK_WP, scratch);
1382 + break;
1383 + case PCI_DEVICE_ID_O2_SEABIRD0:
1384 ++ if (chip->pdev->revision == 0x01)
1385 ++ chip->quirks |= SDHCI_QUIRK_DELAY_AFTER_POWER;
1386 ++ /* fall through */
1387 + case PCI_DEVICE_ID_O2_SEABIRD1:
1388 + /* UnLock WP */
1389 + ret = pci_read_config_byte(chip->pdev,
1390 +diff --git a/drivers/mtd/devices/Kconfig b/drivers/mtd/devices/Kconfig
1391 +index f73c41697a00..5ab9a46daf06 100644
1392 +--- a/drivers/mtd/devices/Kconfig
1393 ++++ b/drivers/mtd/devices/Kconfig
1394 +@@ -208,7 +208,7 @@ comment "Disk-On-Chip Device Drivers"
1395 + config MTD_DOCG3
1396 + tristate "M-Systems Disk-On-Chip G3"
1397 + select BCH
1398 +- select BCH_CONST_PARAMS
1399 ++ select BCH_CONST_PARAMS if !MTD_NAND_BCH
1400 + select BITREVERSE
1401 + ---help---
1402 + This provides an MTD device driver for the M-Systems DiskOnChip
1403 +diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
1404 +index 0e4fdc3dd729..18672ad773fb 100644
1405 +--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
1406 ++++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
1407 +@@ -556,8 +556,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
1408 + for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
1409 + BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
1410 + ETH_GSTRING_LEN));
1411 +- memcpy(string, bnad_net_stats_strings[i],
1412 +- ETH_GSTRING_LEN);
1413 ++ strncpy(string, bnad_net_stats_strings[i],
1414 ++ ETH_GSTRING_LEN);
1415 + string += ETH_GSTRING_LEN;
1416 + }
1417 + bmap = bna_tx_rid_mask(&bnad->bna);
1418 +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
1419 +index 5ae8874bbf72..d70b2e5d5222 100644
1420 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
1421 ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
1422 +@@ -1826,11 +1826,12 @@ static void e1000_get_ethtool_stats(struct net_device *netdev,
1423 + {
1424 + struct e1000_adapter *adapter = netdev_priv(netdev);
1425 + int i;
1426 +- char *p = NULL;
1427 + const struct e1000_stats *stat = e1000_gstrings_stats;
1428 +
1429 + e1000_update_stats(adapter);
1430 +- for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
1431 ++ for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++, stat++) {
1432 ++ char *p;
1433 ++
1434 + switch (stat->type) {
1435 + case NETDEV_STATS:
1436 + p = (char *)netdev + stat->stat_offset;
1437 +@@ -1841,15 +1842,13 @@ static void e1000_get_ethtool_stats(struct net_device *netdev,
1438 + default:
1439 + WARN_ONCE(1, "Invalid E1000 stat type: %u index %d\n",
1440 + stat->type, i);
1441 +- break;
1442 ++ continue;
1443 + }
1444 +
1445 + if (stat->sizeof_stat == sizeof(u64))
1446 + data[i] = *(u64 *)p;
1447 + else
1448 + data[i] = *(u32 *)p;
1449 +-
1450 +- stat++;
1451 + }
1452 + /* BUG_ON(i != E1000_STATS_LEN); */
1453 + }
1454 +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
1455 +index 2a1d4a9d3c19..1f84f2fa459f 100644
1456 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
1457 ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
1458 +@@ -521,8 +521,6 @@ void e1000_down(struct e1000_adapter *adapter)
1459 + struct net_device *netdev = adapter->netdev;
1460 + u32 rctl, tctl;
1461 +
1462 +- netif_carrier_off(netdev);
1463 +-
1464 + /* disable receives in the hardware */
1465 + rctl = er32(RCTL);
1466 + ew32(RCTL, rctl & ~E1000_RCTL_EN);
1467 +@@ -538,6 +536,15 @@ void e1000_down(struct e1000_adapter *adapter)
1468 + E1000_WRITE_FLUSH();
1469 + msleep(10);
1470 +
1471 ++ /* Set the carrier off after transmits have been disabled in the
1472 ++ * hardware, to avoid race conditions with e1000_watchdog() (which
1473 ++ * may be running concurrently to us, checking for the carrier
1474 ++ * bit to decide whether it should enable transmits again). Such
1475 ++ * a race condition would result into transmission being disabled
1476 ++ * in the hardware until the next IFF_DOWN+IFF_UP cycle.
1477 ++ */
1478 ++ netif_carrier_off(netdev);
1479 ++
1480 + napi_disable(&adapter->napi);
1481 +
1482 + e1000_irq_disable(adapter);
1483 +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
1484 +index b09a6b80d107..355c5fb802cd 100644
1485 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c
1486 ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
1487 +@@ -380,8 +380,6 @@ static void fm93c56a_select(struct ql3_adapter *qdev)
1488 +
1489 + qdev->eeprom_cmd_data = AUBURN_EEPROM_CS_1;
1490 + ql_write_nvram_reg(qdev, spir, ISP_NVRAM_MASK | qdev->eeprom_cmd_data);
1491 +- ql_write_nvram_reg(qdev, spir,
1492 +- ((ISP_NVRAM_MASK << 16) | qdev->eeprom_cmd_data));
1493 + }
1494 +
1495 + /*
1496 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1497 +index 50bfded6d7ef..5ac0b850d6b1 100644
1498 +--- a/drivers/net/tun.c
1499 ++++ b/drivers/net/tun.c
1500 +@@ -1475,6 +1475,8 @@ static void tun_setup(struct net_device *dev)
1501 + */
1502 + static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
1503 + {
1504 ++ if (!data)
1505 ++ return 0;
1506 + return -EINVAL;
1507 + }
1508 +
1509 +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
1510 +index 5bb1be478954..f201e50447d8 100644
1511 +--- a/drivers/net/wireless/ath/ath10k/wmi.c
1512 ++++ b/drivers/net/wireless/ath/ath10k/wmi.c
1513 +@@ -1749,6 +1749,12 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
1514 + if (ret)
1515 + dev_kfree_skb_any(skb);
1516 +
1517 ++ if (ret == -EAGAIN) {
1518 ++ ath10k_warn(ar, "wmi command %d timeout, restarting hardware\n",
1519 ++ cmd_id);
1520 ++ queue_work(ar->workqueue, &ar->restart_work);
1521 ++ }
1522 ++
1523 + return ret;
1524 + }
1525 +
1526 +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
1527 +index a71187c783b7..273c7ecf4879 100644
1528 +--- a/drivers/nvdimm/bus.c
1529 ++++ b/drivers/nvdimm/bus.c
1530 +@@ -158,6 +158,8 @@ static void nd_async_device_register(void *d, async_cookie_t cookie)
1531 + put_device(dev);
1532 + }
1533 + put_device(dev);
1534 ++ if (dev->parent)
1535 ++ put_device(dev->parent);
1536 + }
1537 +
1538 + static void nd_async_device_unregister(void *d, async_cookie_t cookie)
1539 +@@ -175,6 +177,8 @@ static void nd_async_device_unregister(void *d, async_cookie_t cookie)
1540 + void __nd_device_register(struct device *dev)
1541 + {
1542 + dev->bus = &nvdimm_bus_type;
1543 ++ if (dev->parent)
1544 ++ get_device(dev->parent);
1545 + get_device(dev);
1546 + async_schedule_domain(nd_async_device_register, dev,
1547 + &nd_async_domain);
1548 +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
1549 +index 5697b32819cb..84d501f5ff4e 100644
1550 +--- a/drivers/pci/quirks.c
1551 ++++ b/drivers/pci/quirks.c
1552 +@@ -3061,7 +3061,11 @@ static void disable_igfx_irq(struct pci_dev *dev)
1553 +
1554 + pci_iounmap(dev, regs);
1555 + }
1556 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq);
1557 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq);
1558 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq);
1559 + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
1560 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq);
1561 + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
1562 + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq);
1563 +
1564 +diff --git a/drivers/pcmcia/ricoh.h b/drivers/pcmcia/ricoh.h
1565 +index 01098c841f87..8ac7b138c094 100644
1566 +--- a/drivers/pcmcia/ricoh.h
1567 ++++ b/drivers/pcmcia/ricoh.h
1568 +@@ -119,6 +119,10 @@
1569 + #define RL5C4XX_MISC_CONTROL 0x2F /* 8 bit */
1570 + #define RL5C4XX_ZV_ENABLE 0x08
1571 +
1572 ++/* Misc Control 3 Register */
1573 ++#define RL5C4XX_MISC3 0x00A2 /* 16 bit */
1574 ++#define RL5C47X_MISC3_CB_CLKRUN_DIS BIT(1)
1575 ++
1576 + #ifdef __YENTA_H
1577 +
1578 + #define rl_misc(socket) ((socket)->private[0])
1579 +@@ -156,6 +160,35 @@ static void ricoh_set_zv(struct yenta_socket *socket)
1580 + }
1581 + }
1582 +
1583 ++static void ricoh_set_clkrun(struct yenta_socket *socket, bool quiet)
1584 ++{
1585 ++ u16 misc3;
1586 ++
1587 ++ /*
1588 ++ * RL5C475II likely has this setting, too, however no datasheet
1589 ++ * is publicly available for this chip
1590 ++ */
1591 ++ if (socket->dev->device != PCI_DEVICE_ID_RICOH_RL5C476 &&
1592 ++ socket->dev->device != PCI_DEVICE_ID_RICOH_RL5C478)
1593 ++ return;
1594 ++
1595 ++ if (socket->dev->revision < 0x80)
1596 ++ return;
1597 ++
1598 ++ misc3 = config_readw(socket, RL5C4XX_MISC3);
1599 ++ if (misc3 & RL5C47X_MISC3_CB_CLKRUN_DIS) {
1600 ++ if (!quiet)
1601 ++ dev_dbg(&socket->dev->dev,
1602 ++ "CLKRUN feature already disabled\n");
1603 ++ } else if (disable_clkrun) {
1604 ++ if (!quiet)
1605 ++ dev_info(&socket->dev->dev,
1606 ++ "Disabling CLKRUN feature\n");
1607 ++ misc3 |= RL5C47X_MISC3_CB_CLKRUN_DIS;
1608 ++ config_writew(socket, RL5C4XX_MISC3, misc3);
1609 ++ }
1610 ++}
1611 ++
1612 + static void ricoh_save_state(struct yenta_socket *socket)
1613 + {
1614 + rl_misc(socket) = config_readw(socket, RL5C4XX_MISC);
1615 +@@ -172,6 +205,7 @@ static void ricoh_restore_state(struct yenta_socket *socket)
1616 + config_writew(socket, RL5C4XX_16BIT_IO_0, rl_io(socket));
1617 + config_writew(socket, RL5C4XX_16BIT_MEM_0, rl_mem(socket));
1618 + config_writew(socket, RL5C4XX_CONFIG, rl_config(socket));
1619 ++ ricoh_set_clkrun(socket, true);
1620 + }
1621 +
1622 +
1623 +@@ -197,6 +231,7 @@ static int ricoh_override(struct yenta_socket *socket)
1624 + config_writew(socket, RL5C4XX_CONFIG, config);
1625 +
1626 + ricoh_set_zv(socket);
1627 ++ ricoh_set_clkrun(socket, false);
1628 +
1629 + return 0;
1630 + }
1631 +diff --git a/drivers/pcmcia/yenta_socket.c b/drivers/pcmcia/yenta_socket.c
1632 +index 5d6d9b1549bc..5034422a1d96 100644
1633 +--- a/drivers/pcmcia/yenta_socket.c
1634 ++++ b/drivers/pcmcia/yenta_socket.c
1635 +@@ -26,7 +26,8 @@
1636 +
1637 + static bool disable_clkrun;
1638 + module_param(disable_clkrun, bool, 0444);
1639 +-MODULE_PARM_DESC(disable_clkrun, "If PC card doesn't function properly, please try this option");
1640 ++MODULE_PARM_DESC(disable_clkrun,
1641 ++ "If PC card doesn't function properly, please try this option (TI and Ricoh bridges only)");
1642 +
1643 + static bool isa_probe = 1;
1644 + module_param(isa_probe, bool, 0444);
1645 +diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c b/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
1646 +index 9ce0e30e33e8..5cd9a81a6060 100644
1647 +--- a/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
1648 ++++ b/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
1649 +@@ -321,6 +321,8 @@ static int pmic_mpp_set_mux(struct pinctrl_dev *pctldev, unsigned function,
1650 + pad->function = function;
1651 +
1652 + ret = pmic_mpp_write_mode_ctl(state, pad);
1653 ++ if (ret < 0)
1654 ++ return ret;
1655 +
1656 + val = pad->is_enabled << PMIC_MPP_REG_MASTER_EN_SHIFT;
1657 +
1658 +@@ -345,13 +347,12 @@ static int pmic_mpp_config_get(struct pinctrl_dev *pctldev,
1659 +
1660 + switch (param) {
1661 + case PIN_CONFIG_BIAS_DISABLE:
1662 +- arg = pad->pullup == PMIC_MPP_PULL_UP_OPEN;
1663 ++ if (pad->pullup != PMIC_MPP_PULL_UP_OPEN)
1664 ++ return -EINVAL;
1665 ++ arg = 1;
1666 + break;
1667 + case PIN_CONFIG_BIAS_PULL_UP:
1668 + switch (pad->pullup) {
1669 +- case PMIC_MPP_PULL_UP_OPEN:
1670 +- arg = 0;
1671 +- break;
1672 + case PMIC_MPP_PULL_UP_0P6KOHM:
1673 + arg = 600;
1674 + break;
1675 +@@ -366,13 +367,17 @@ static int pmic_mpp_config_get(struct pinctrl_dev *pctldev,
1676 + }
1677 + break;
1678 + case PIN_CONFIG_BIAS_HIGH_IMPEDANCE:
1679 +- arg = !pad->is_enabled;
1680 ++ if (pad->is_enabled)
1681 ++ return -EINVAL;
1682 ++ arg = 1;
1683 + break;
1684 + case PIN_CONFIG_POWER_SOURCE:
1685 + arg = pad->power_source;
1686 + break;
1687 + case PIN_CONFIG_INPUT_ENABLE:
1688 +- arg = pad->input_enabled;
1689 ++ if (!pad->input_enabled)
1690 ++ return -EINVAL;
1691 ++ arg = 1;
1692 + break;
1693 + case PIN_CONFIG_OUTPUT:
1694 + arg = pad->out_value;
1695 +@@ -384,7 +389,9 @@ static int pmic_mpp_config_get(struct pinctrl_dev *pctldev,
1696 + arg = pad->amux_input;
1697 + break;
1698 + case PMIC_MPP_CONF_PAIRED:
1699 +- arg = pad->paired;
1700 ++ if (!pad->paired)
1701 ++ return -EINVAL;
1702 ++ arg = 1;
1703 + break;
1704 + case PIN_CONFIG_DRIVE_STRENGTH:
1705 + arg = pad->drive_strength;
1706 +@@ -457,7 +464,7 @@ static int pmic_mpp_config_set(struct pinctrl_dev *pctldev, unsigned int pin,
1707 + pad->dtest = arg;
1708 + break;
1709 + case PIN_CONFIG_DRIVE_STRENGTH:
1710 +- arg = pad->drive_strength;
1711 ++ pad->drive_strength = arg;
1712 + break;
1713 + case PMIC_MPP_CONF_AMUX_ROUTE:
1714 + if (arg >= PMIC_MPP_AMUX_ROUTE_ABUS4)
1715 +@@ -501,6 +508,10 @@ static int pmic_mpp_config_set(struct pinctrl_dev *pctldev, unsigned int pin,
1716 + if (ret < 0)
1717 + return ret;
1718 +
1719 ++ ret = pmic_mpp_write(state, pad, PMIC_MPP_REG_SINK_CTL, pad->drive_strength);
1720 ++ if (ret < 0)
1721 ++ return ret;
1722 ++
1723 + val = pad->is_enabled << PMIC_MPP_REG_MASTER_EN_SHIFT;
1724 +
1725 + return pmic_mpp_write(state, pad, PMIC_MPP_REG_EN_CTL, val);
1726 +diff --git a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
1727 +index 19a3c3bc2f1f..b1e8a2d905ff 100644
1728 +--- a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
1729 ++++ b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
1730 +@@ -259,22 +259,32 @@ static int pm8xxx_pin_config_get(struct pinctrl_dev *pctldev,
1731 +
1732 + switch (param) {
1733 + case PIN_CONFIG_BIAS_DISABLE:
1734 +- arg = pin->bias == PM8XXX_GPIO_BIAS_NP;
1735 ++ if (pin->bias != PM8XXX_GPIO_BIAS_NP)
1736 ++ return -EINVAL;
1737 ++ arg = 1;
1738 + break;
1739 + case PIN_CONFIG_BIAS_PULL_DOWN:
1740 +- arg = pin->bias == PM8XXX_GPIO_BIAS_PD;
1741 ++ if (pin->bias != PM8XXX_GPIO_BIAS_PD)
1742 ++ return -EINVAL;
1743 ++ arg = 1;
1744 + break;
1745 + case PIN_CONFIG_BIAS_PULL_UP:
1746 +- arg = pin->bias <= PM8XXX_GPIO_BIAS_PU_1P5_30;
1747 ++ if (pin->bias > PM8XXX_GPIO_BIAS_PU_1P5_30)
1748 ++ return -EINVAL;
1749 ++ arg = 1;
1750 + break;
1751 + case PM8XXX_QCOM_PULL_UP_STRENGTH:
1752 + arg = pin->pull_up_strength;
1753 + break;
1754 + case PIN_CONFIG_BIAS_HIGH_IMPEDANCE:
1755 +- arg = pin->disable;
1756 ++ if (!pin->disable)
1757 ++ return -EINVAL;
1758 ++ arg = 1;
1759 + break;
1760 + case PIN_CONFIG_INPUT_ENABLE:
1761 +- arg = pin->mode == PM8XXX_GPIO_MODE_INPUT;
1762 ++ if (pin->mode != PM8XXX_GPIO_MODE_INPUT)
1763 ++ return -EINVAL;
1764 ++ arg = 1;
1765 + break;
1766 + case PIN_CONFIG_OUTPUT:
1767 + if (pin->mode & PM8XXX_GPIO_MODE_OUTPUT)
1768 +@@ -289,10 +299,14 @@ static int pm8xxx_pin_config_get(struct pinctrl_dev *pctldev,
1769 + arg = pin->output_strength;
1770 + break;
1771 + case PIN_CONFIG_DRIVE_PUSH_PULL:
1772 +- arg = !pin->open_drain;
1773 ++ if (pin->open_drain)
1774 ++ return -EINVAL;
1775 ++ arg = 1;
1776 + break;
1777 + case PIN_CONFIG_DRIVE_OPEN_DRAIN:
1778 +- arg = pin->open_drain;
1779 ++ if (!pin->open_drain)
1780 ++ return -EINVAL;
1781 ++ arg = 1;
1782 + break;
1783 + default:
1784 + return -EINVAL;
1785 +diff --git a/drivers/rtc/hctosys.c b/drivers/rtc/hctosys.c
1786 +index e79f2a181ad2..b9ec4a16db1f 100644
1787 +--- a/drivers/rtc/hctosys.c
1788 ++++ b/drivers/rtc/hctosys.c
1789 +@@ -50,8 +50,10 @@ static int __init rtc_hctosys(void)
1790 + tv64.tv_sec = rtc_tm_to_time64(&tm);
1791 +
1792 + #if BITS_PER_LONG == 32
1793 +- if (tv64.tv_sec > INT_MAX)
1794 ++ if (tv64.tv_sec > INT_MAX) {
1795 ++ err = -ERANGE;
1796 + goto err_read;
1797 ++ }
1798 + #endif
1799 +
1800 + err = do_settimeofday64(&tv64);
1801 +diff --git a/drivers/scsi/esp_scsi.c b/drivers/scsi/esp_scsi.c
1802 +index 71cb05b1c3eb..60be0742e2c8 100644
1803 +--- a/drivers/scsi/esp_scsi.c
1804 ++++ b/drivers/scsi/esp_scsi.c
1805 +@@ -1349,6 +1349,7 @@ static int esp_data_bytes_sent(struct esp *esp, struct esp_cmd_entry *ent,
1806 +
1807 + bytes_sent = esp->data_dma_len;
1808 + bytes_sent -= ecount;
1809 ++ bytes_sent -= esp->send_cmd_residual;
1810 +
1811 + /*
1812 + * The am53c974 has a DMA 'pecularity'. The doc states:
1813 +diff --git a/drivers/scsi/esp_scsi.h b/drivers/scsi/esp_scsi.h
1814 +index 84dcbe4a6268..55be43fe7667 100644
1815 +--- a/drivers/scsi/esp_scsi.h
1816 ++++ b/drivers/scsi/esp_scsi.h
1817 +@@ -540,6 +540,8 @@ struct esp {
1818 +
1819 + void *dma;
1820 + int dmarev;
1821 ++
1822 ++ u32 send_cmd_residual;
1823 + };
1824 +
1825 + /* A front-end driver for the ESP chip should do the following in
1826 +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
1827 +index 3406586b9201..ad4f16ab7f7a 100644
1828 +--- a/drivers/scsi/lpfc/lpfc_sli.c
1829 ++++ b/drivers/scsi/lpfc/lpfc_sli.c
1830 +@@ -3485,6 +3485,7 @@ lpfc_sli_handle_slow_ring_event_s4(struct lpfc_hba *phba,
1831 + struct hbq_dmabuf *dmabuf;
1832 + struct lpfc_cq_event *cq_event;
1833 + unsigned long iflag;
1834 ++ int count = 0;
1835 +
1836 + spin_lock_irqsave(&phba->hbalock, iflag);
1837 + phba->hba_flag &= ~HBA_SP_QUEUE_EVT;
1838 +@@ -3506,16 +3507,22 @@ lpfc_sli_handle_slow_ring_event_s4(struct lpfc_hba *phba,
1839 + if (irspiocbq)
1840 + lpfc_sli_sp_handle_rspiocb(phba, pring,
1841 + irspiocbq);
1842 ++ count++;
1843 + break;
1844 + case CQE_CODE_RECEIVE:
1845 + case CQE_CODE_RECEIVE_V1:
1846 + dmabuf = container_of(cq_event, struct hbq_dmabuf,
1847 + cq_event);
1848 + lpfc_sli4_handle_received_buffer(phba, dmabuf);
1849 ++ count++;
1850 + break;
1851 + default:
1852 + break;
1853 + }
1854 ++
1855 ++ /* Limit the number of events to 64 to avoid soft lockups */
1856 ++ if (count == 64)
1857 ++ break;
1858 + }
1859 + }
1860 +
1861 +diff --git a/drivers/scsi/mac_esp.c b/drivers/scsi/mac_esp.c
1862 +index 26c67c42985c..1002124bd8bf 100644
1863 +--- a/drivers/scsi/mac_esp.c
1864 ++++ b/drivers/scsi/mac_esp.c
1865 +@@ -426,6 +426,8 @@ static void mac_esp_send_pio_cmd(struct esp *esp, u32 addr, u32 esp_count,
1866 + scsi_esp_cmd(esp, ESP_CMD_TI);
1867 + }
1868 + }
1869 ++
1870 ++ esp->send_cmd_residual = esp_count;
1871 + }
1872 +
1873 + static int mac_esp_irq_pending(struct esp *esp)
1874 +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
1875 +index 6835bae33ec4..ac7acd257c99 100644
1876 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c
1877 ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
1878 +@@ -6510,6 +6510,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
1879 + get_user(user_sense_off, &cioc->sense_off))
1880 + return -EFAULT;
1881 +
1882 ++ if (local_sense_off != user_sense_off)
1883 ++ return -EINVAL;
1884 ++
1885 + if (local_sense_len) {
1886 + void __user **sense_ioc_ptr =
1887 + (void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
1888 +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
1889 +index cb11e04be568..87059a6786f4 100644
1890 +--- a/drivers/scsi/qla2xxx/qla_mbx.c
1891 ++++ b/drivers/scsi/qla2xxx/qla_mbx.c
1892 +@@ -3315,10 +3315,7 @@ qla2x00_set_idma_speed(scsi_qla_host_t *vha, uint16_t loop_id,
1893 + mcp->mb[0] = MBC_PORT_PARAMS;
1894 + mcp->mb[1] = loop_id;
1895 + mcp->mb[2] = BIT_0;
1896 +- if (IS_CNA_CAPABLE(vha->hw))
1897 +- mcp->mb[3] = port_speed & (BIT_5|BIT_4|BIT_3|BIT_2|BIT_1|BIT_0);
1898 +- else
1899 +- mcp->mb[3] = port_speed & (BIT_2|BIT_1|BIT_0);
1900 ++ mcp->mb[3] = port_speed & (BIT_5|BIT_4|BIT_3|BIT_2|BIT_1|BIT_0);
1901 + mcp->mb[9] = vha->vp_idx;
1902 + mcp->out_mb = MBX_9|MBX_3|MBX_2|MBX_1|MBX_0;
1903 + mcp->in_mb = MBX_3|MBX_1|MBX_0;
1904 +diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
1905 +index bc34cf7482fb..a4753644f4cf 100644
1906 +--- a/drivers/soc/tegra/pmc.c
1907 ++++ b/drivers/soc/tegra/pmc.c
1908 +@@ -738,7 +738,7 @@ void tegra_pmc_init_tsense_reset(struct tegra_pmc *pmc)
1909 + if (!pmc->soc->has_tsense_reset)
1910 + return;
1911 +
1912 +- np = of_find_node_by_name(pmc->dev->of_node, "i2c-thermtrip");
1913 ++ np = of_get_child_by_name(pmc->dev->of_node, "i2c-thermtrip");
1914 + if (!np) {
1915 + dev_warn(dev, "i2c-thermtrip node not found, %s.\n", disabled);
1916 + return;
1917 +diff --git a/drivers/tc/tc.c b/drivers/tc/tc.c
1918 +index 3be9519654e5..cf3fad2cb871 100644
1919 +--- a/drivers/tc/tc.c
1920 ++++ b/drivers/tc/tc.c
1921 +@@ -2,7 +2,7 @@
1922 + * TURBOchannel bus services.
1923 + *
1924 + * Copyright (c) Harald Koerfgen, 1998
1925 +- * Copyright (c) 2001, 2003, 2005, 2006 Maciej W. Rozycki
1926 ++ * Copyright (c) 2001, 2003, 2005, 2006, 2018 Maciej W. Rozycki
1927 + * Copyright (c) 2005 James Simmons
1928 + *
1929 + * This file is subject to the terms and conditions of the GNU
1930 +@@ -10,6 +10,7 @@
1931 + * directory of this archive for more details.
1932 + */
1933 + #include <linux/compiler.h>
1934 ++#include <linux/dma-mapping.h>
1935 + #include <linux/errno.h>
1936 + #include <linux/init.h>
1937 + #include <linux/ioport.h>
1938 +@@ -92,6 +93,11 @@ static void __init tc_bus_add_devices(struct tc_bus *tbus)
1939 + tdev->dev.bus = &tc_bus_type;
1940 + tdev->slot = slot;
1941 +
1942 ++ /* TURBOchannel has 34-bit DMA addressing (16GiB space). */
1943 ++ tdev->dma_mask = DMA_BIT_MASK(34);
1944 ++ tdev->dev.dma_mask = &tdev->dma_mask;
1945 ++ tdev->dev.coherent_dma_mask = DMA_BIT_MASK(34);
1946 ++
1947 + for (i = 0; i < 8; i++) {
1948 + tdev->firmware[i] =
1949 + readb(module + offset + TC_FIRM_VER + 4 * i);
1950 +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
1951 +index a260cde743e2..2db68dfe497d 100644
1952 +--- a/drivers/tty/serial/kgdboc.c
1953 ++++ b/drivers/tty/serial/kgdboc.c
1954 +@@ -133,6 +133,11 @@ static void kgdboc_unregister_kbd(void)
1955 +
1956 + static int kgdboc_option_setup(char *opt)
1957 + {
1958 ++ if (!opt) {
1959 ++ pr_err("kgdboc: config string not provided\n");
1960 ++ return -EINVAL;
1961 ++ }
1962 ++
1963 + if (strlen(opt) >= MAX_CONFIG_LEN) {
1964 + printk(KERN_ERR "kgdboc: config string too long\n");
1965 + return -ENOSPC;
1966 +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
1967 +index 7d5ee8a13ac6..17a22073d226 100644
1968 +--- a/drivers/tty/serial/sc16is7xx.c
1969 ++++ b/drivers/tty/serial/sc16is7xx.c
1970 +@@ -648,7 +648,7 @@ static void sc16is7xx_handle_tx(struct uart_port *port)
1971 + uart_write_wakeup(port);
1972 + }
1973 +
1974 +-static void sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
1975 ++static bool sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
1976 + {
1977 + struct uart_port *port = &s->p[portno].port;
1978 +
1979 +@@ -657,7 +657,7 @@ static void sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
1980 +
1981 + iir = sc16is7xx_port_read(port, SC16IS7XX_IIR_REG);
1982 + if (iir & SC16IS7XX_IIR_NO_INT_BIT)
1983 +- break;
1984 ++ return false;
1985 +
1986 + iir &= SC16IS7XX_IIR_ID_MASK;
1987 +
1988 +@@ -685,16 +685,23 @@ static void sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
1989 + port->line, iir);
1990 + break;
1991 + }
1992 +- } while (1);
1993 ++ } while (0);
1994 ++ return true;
1995 + }
1996 +
1997 + static void sc16is7xx_ist(struct kthread_work *ws)
1998 + {
1999 + struct sc16is7xx_port *s = to_sc16is7xx_port(ws, irq_work);
2000 +- int i;
2001 +
2002 +- for (i = 0; i < s->devtype->nr_uart; ++i)
2003 +- sc16is7xx_port_irq(s, i);
2004 ++ while (1) {
2005 ++ bool keep_polling = false;
2006 ++ int i;
2007 ++
2008 ++ for (i = 0; i < s->devtype->nr_uart; ++i)
2009 ++ keep_polling |= sc16is7xx_port_irq(s, i);
2010 ++ if (!keep_polling)
2011 ++ break;
2012 ++ }
2013 + }
2014 +
2015 + static irqreturn_t sc16is7xx_irq(int irq, void *dev_id)
2016 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
2017 +index 198451fa9e5d..c1cff2b455ae 100644
2018 +--- a/drivers/tty/tty_io.c
2019 ++++ b/drivers/tty/tty_io.c
2020 +@@ -357,7 +357,7 @@ struct tty_driver *tty_find_polling_driver(char *name, int *line)
2021 + mutex_lock(&tty_mutex);
2022 + /* Search through the tty devices to look for a match */
2023 + list_for_each_entry(p, &tty_drivers, tty_drivers) {
2024 +- if (strncmp(name, p->name, len) != 0)
2025 ++ if (!len || strncmp(name, p->name, len) != 0)
2026 + continue;
2027 + stp = str;
2028 + if (*stp == ',')
2029 +diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
2030 +index 1445dd39aa62..bece7e39f512 100644
2031 +--- a/drivers/tty/tty_ioctl.c
2032 ++++ b/drivers/tty/tty_ioctl.c
2033 +@@ -330,7 +330,7 @@ speed_t tty_termios_baud_rate(struct ktermios *termios)
2034 + else
2035 + cbaud += 15;
2036 + }
2037 +- return baud_table[cbaud];
2038 ++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
2039 + }
2040 + EXPORT_SYMBOL(tty_termios_baud_rate);
2041 +
2042 +@@ -366,7 +366,7 @@ speed_t tty_termios_input_baud_rate(struct ktermios *termios)
2043 + else
2044 + cbaud += 15;
2045 + }
2046 +- return baud_table[cbaud];
2047 ++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
2048 + #else
2049 + return tty_termios_baud_rate(termios);
2050 + #endif
2051 +diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
2052 +index b9823eb9c195..0ab15d833d1b 100644
2053 +--- a/drivers/uio/uio.c
2054 ++++ b/drivers/uio/uio.c
2055 +@@ -249,6 +249,8 @@ static struct class uio_class = {
2056 + .dev_groups = uio_groups,
2057 + };
2058 +
2059 ++bool uio_class_registered;
2060 ++
2061 + /*
2062 + * device functions
2063 + */
2064 +@@ -772,6 +774,9 @@ static int init_uio_class(void)
2065 + printk(KERN_ERR "class_register failed for uio\n");
2066 + goto err_class_register;
2067 + }
2068 ++
2069 ++ uio_class_registered = true;
2070 ++
2071 + return 0;
2072 +
2073 + err_class_register:
2074 +@@ -782,6 +787,7 @@ exit:
2075 +
2076 + static void release_uio_class(void)
2077 + {
2078 ++ uio_class_registered = false;
2079 + class_unregister(&uio_class);
2080 + uio_major_cleanup();
2081 + }
2082 +@@ -801,6 +807,9 @@ int __uio_register_device(struct module *owner,
2083 + struct uio_device *idev;
2084 + int ret = 0;
2085 +
2086 ++ if (!uio_class_registered)
2087 ++ return -EPROBE_DEFER;
2088 ++
2089 + if (!parent || !info || !info->name || !info->version)
2090 + return -EINVAL;
2091 +
2092 +diff --git a/drivers/usb/chipidea/otg.h b/drivers/usb/chipidea/otg.h
2093 +index 9ecb598e48f0..a5557c70034a 100644
2094 +--- a/drivers/usb/chipidea/otg.h
2095 ++++ b/drivers/usb/chipidea/otg.h
2096 +@@ -20,7 +20,8 @@ void ci_handle_vbus_change(struct ci_hdrc *ci);
2097 + static inline void ci_otg_queue_work(struct ci_hdrc *ci)
2098 + {
2099 + disable_irq_nosync(ci->irq);
2100 +- queue_work(ci->wq, &ci->work);
2101 ++ if (queue_work(ci->wq, &ci->work) == false)
2102 ++ enable_irq(ci->irq);
2103 + }
2104 +
2105 + #endif /* __DRIVERS_USB_CHIPIDEA_OTG_H */
2106 +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
2107 +index da6cc25baaef..8fc62a03637a 100644
2108 +--- a/drivers/vhost/scsi.c
2109 ++++ b/drivers/vhost/scsi.c
2110 +@@ -1009,7 +1009,8 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
2111 + prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesin);
2112 + }
2113 + /*
2114 +- * Set prot_iter to data_iter, and advance past any
2115 ++ * Set prot_iter to data_iter and truncate it to
2116 ++ * prot_bytes, and advance data_iter past any
2117 + * preceeding prot_bytes that may be present.
2118 + *
2119 + * Also fix up the exp_data_len to reflect only the
2120 +@@ -1018,6 +1019,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
2121 + if (prot_bytes) {
2122 + exp_data_len -= prot_bytes;
2123 + prot_iter = data_iter;
2124 ++ iov_iter_truncate(&prot_iter, prot_bytes);
2125 + iov_iter_advance(&data_iter, prot_bytes);
2126 + }
2127 + tag = vhost64_to_cpu(vq, v_req_pi.tag);
2128 +diff --git a/drivers/video/fbdev/aty/mach64_accel.c b/drivers/video/fbdev/aty/mach64_accel.c
2129 +index 182bd680141f..e9dfe0e40b8b 100644
2130 +--- a/drivers/video/fbdev/aty/mach64_accel.c
2131 ++++ b/drivers/video/fbdev/aty/mach64_accel.c
2132 +@@ -126,7 +126,7 @@ void aty_init_engine(struct atyfb_par *par, struct fb_info *info)
2133 +
2134 + /* set host attributes */
2135 + wait_for_fifo(13, par);
2136 +- aty_st_le32(HOST_CNTL, 0, par);
2137 ++ aty_st_le32(HOST_CNTL, HOST_BYTE_ALIGN, par);
2138 +
2139 + /* set pattern attributes */
2140 + aty_st_le32(PAT_REG0, 0, par);
2141 +@@ -232,7 +232,8 @@ void atyfb_copyarea(struct fb_info *info, const struct fb_copyarea *area)
2142 + rotation = rotation24bpp(dx, direction);
2143 + }
2144 +
2145 +- wait_for_fifo(4, par);
2146 ++ wait_for_fifo(5, par);
2147 ++ aty_st_le32(DP_PIX_WIDTH, par->crtc.dp_pix_width, par);
2148 + aty_st_le32(DP_SRC, FRGD_SRC_BLIT, par);
2149 + aty_st_le32(SRC_Y_X, (sx << 16) | sy, par);
2150 + aty_st_le32(SRC_HEIGHT1_WIDTH1, (width << 16) | area->height, par);
2151 +@@ -268,7 +269,8 @@ void atyfb_fillrect(struct fb_info *info, const struct fb_fillrect *rect)
2152 + rotation = rotation24bpp(dx, DST_X_LEFT_TO_RIGHT);
2153 + }
2154 +
2155 +- wait_for_fifo(3, par);
2156 ++ wait_for_fifo(4, par);
2157 ++ aty_st_le32(DP_PIX_WIDTH, par->crtc.dp_pix_width, par);
2158 + aty_st_le32(DP_FRGD_CLR, color, par);
2159 + aty_st_le32(DP_SRC,
2160 + BKGD_SRC_BKGD_CLR | FRGD_SRC_FRGD_CLR | MONO_SRC_ONE,
2161 +@@ -283,7 +285,7 @@ void atyfb_imageblit(struct fb_info *info, const struct fb_image *image)
2162 + {
2163 + struct atyfb_par *par = (struct atyfb_par *) info->par;
2164 + u32 src_bytes, dx = image->dx, dy = image->dy, width = image->width;
2165 +- u32 pix_width_save, pix_width, host_cntl, rotation = 0, src, mix;
2166 ++ u32 pix_width, rotation = 0, src, mix;
2167 +
2168 + if (par->asleep)
2169 + return;
2170 +@@ -295,8 +297,7 @@ void atyfb_imageblit(struct fb_info *info, const struct fb_image *image)
2171 + return;
2172 + }
2173 +
2174 +- pix_width = pix_width_save = aty_ld_le32(DP_PIX_WIDTH, par);
2175 +- host_cntl = aty_ld_le32(HOST_CNTL, par) | HOST_BYTE_ALIGN;
2176 ++ pix_width = par->crtc.dp_pix_width;
2177 +
2178 + switch (image->depth) {
2179 + case 1:
2180 +@@ -344,7 +345,7 @@ void atyfb_imageblit(struct fb_info *info, const struct fb_image *image)
2181 + * since Rage 3D IIc we have DP_HOST_TRIPLE_EN bit
2182 + * this hwaccelerated triple has an issue with not aligned data
2183 + */
2184 +- if (M64_HAS(HW_TRIPLE) && image->width % 8 == 0)
2185 ++ if (image->depth == 1 && M64_HAS(HW_TRIPLE) && image->width % 8 == 0)
2186 + pix_width |= DP_HOST_TRIPLE_EN;
2187 + }
2188 +
2189 +@@ -369,19 +370,18 @@ void atyfb_imageblit(struct fb_info *info, const struct fb_image *image)
2190 + mix = FRGD_MIX_D_XOR_S | BKGD_MIX_D;
2191 + }
2192 +
2193 +- wait_for_fifo(6, par);
2194 +- aty_st_le32(DP_WRITE_MASK, 0xFFFFFFFF, par);
2195 ++ wait_for_fifo(5, par);
2196 + aty_st_le32(DP_PIX_WIDTH, pix_width, par);
2197 + aty_st_le32(DP_MIX, mix, par);
2198 + aty_st_le32(DP_SRC, src, par);
2199 +- aty_st_le32(HOST_CNTL, host_cntl, par);
2200 ++ aty_st_le32(HOST_CNTL, HOST_BYTE_ALIGN, par);
2201 + aty_st_le32(DST_CNTL, DST_Y_TOP_TO_BOTTOM | DST_X_LEFT_TO_RIGHT | rotation, par);
2202 +
2203 + draw_rect(dx, dy, width, image->height, par);
2204 + src_bytes = (((image->width * image->depth) + 7) / 8) * image->height;
2205 +
2206 + /* manual triple each pixel */
2207 +- if (info->var.bits_per_pixel == 24 && !(pix_width & DP_HOST_TRIPLE_EN)) {
2208 ++ if (image->depth == 1 && info->var.bits_per_pixel == 24 && !(pix_width & DP_HOST_TRIPLE_EN)) {
2209 + int inbit, outbit, mult24, byte_id_in_dword, width;
2210 + u8 *pbitmapin = (u8*)image->data, *pbitmapout;
2211 + u32 hostdword;
2212 +@@ -414,7 +414,7 @@ void atyfb_imageblit(struct fb_info *info, const struct fb_image *image)
2213 + }
2214 + }
2215 + wait_for_fifo(1, par);
2216 +- aty_st_le32(HOST_DATA0, hostdword, par);
2217 ++ aty_st_le32(HOST_DATA0, le32_to_cpu(hostdword), par);
2218 + }
2219 + } else {
2220 + u32 *pbitmap, dwords = (src_bytes + 3) / 4;
2221 +@@ -423,8 +423,4 @@ void atyfb_imageblit(struct fb_info *info, const struct fb_image *image)
2222 + aty_st_le32(HOST_DATA0, get_unaligned_le32(pbitmap), par);
2223 + }
2224 + }
2225 +-
2226 +- /* restore pix_width */
2227 +- wait_for_fifo(1, par);
2228 +- aty_st_le32(DP_PIX_WIDTH, pix_width_save, par);
2229 + }
2230 +diff --git a/drivers/w1/masters/omap_hdq.c b/drivers/w1/masters/omap_hdq.c
2231 +index 0c427d6a12d1..4c5c6550809d 100644
2232 +--- a/drivers/w1/masters/omap_hdq.c
2233 ++++ b/drivers/w1/masters/omap_hdq.c
2234 +@@ -785,6 +785,8 @@ static int omap_hdq_remove(struct platform_device *pdev)
2235 + /* remove module dependency */
2236 + pm_runtime_disable(&pdev->dev);
2237 +
2238 ++ w1_remove_master_device(&omap_w1_master);
2239 ++
2240 + return 0;
2241 + }
2242 +
2243 +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
2244 +index 1889e928a0da..a8a388382347 100644
2245 +--- a/drivers/xen/swiotlb-xen.c
2246 ++++ b/drivers/xen/swiotlb-xen.c
2247 +@@ -310,6 +310,9 @@ xen_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
2248 + */
2249 + flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
2250 +
2251 ++ /* Convert the size to actually allocated. */
2252 ++ size = 1UL << (order + XEN_PAGE_SHIFT);
2253 ++
2254 + /* On ARM this function returns an ioremap'ped virtual address for
2255 + * which virt_to_phys doesn't return the corresponding physical
2256 + * address. In fact on ARM virt_to_phys only works for kernel direct
2257 +@@ -359,6 +362,9 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
2258 + * physical address */
2259 + phys = xen_bus_to_phys(dev_addr);
2260 +
2261 ++ /* Convert the size to actually allocated. */
2262 ++ size = 1UL << (order + XEN_PAGE_SHIFT);
2263 ++
2264 + if (((dev_addr + size - 1 <= dma_mask)) ||
2265 + range_straddles_page_boundary(phys, size))
2266 + xen_destroy_contiguous_region(phys, order);
2267 +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
2268 +index 12ceaf52dae6..e7b3d2c4472d 100644
2269 +--- a/fs/9p/vfs_file.c
2270 ++++ b/fs/9p/vfs_file.c
2271 +@@ -204,6 +204,14 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
2272 + break;
2273 + if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
2274 + break;
2275 ++ /*
2276 ++ * p9_client_lock_dotl overwrites flock.client_id with the
2277 ++ * server message, free and reuse the client name
2278 ++ */
2279 ++ if (flock.client_id != fid->clnt->name) {
2280 ++ kfree(flock.client_id);
2281 ++ flock.client_id = fid->clnt->name;
2282 ++ }
2283 + }
2284 +
2285 + /* map 9p status to VFS status */
2286 +@@ -235,6 +243,8 @@ out_unlock:
2287 + locks_lock_file_wait(filp, fl);
2288 + fl->fl_type = fl_type;
2289 + }
2290 ++ if (flock.client_id != fid->clnt->name)
2291 ++ kfree(flock.client_id);
2292 + out:
2293 + return res;
2294 + }
2295 +@@ -269,7 +279,7 @@ static int v9fs_file_getlock(struct file *filp, struct file_lock *fl)
2296 +
2297 + res = p9_client_getlock_dotl(fid, &glock);
2298 + if (res < 0)
2299 +- return res;
2300 ++ goto out;
2301 + /* map 9p lock type to os lock type */
2302 + switch (glock.type) {
2303 + case P9_LOCK_TYPE_RDLCK:
2304 +@@ -290,7 +300,9 @@ static int v9fs_file_getlock(struct file *filp, struct file_lock *fl)
2305 + fl->fl_end = glock.start + glock.length - 1;
2306 + fl->fl_pid = glock.proc_id;
2307 + }
2308 +- kfree(glock.client_id);
2309 ++out:
2310 ++ if (glock.client_id != fid->clnt->name)
2311 ++ kfree(glock.client_id);
2312 + return res;
2313 + }
2314 +
2315 +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
2316 +index 62bc72001fce..f010d6c8dd14 100644
2317 +--- a/fs/binfmt_elf.c
2318 ++++ b/fs/binfmt_elf.c
2319 +@@ -604,28 +604,30 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
2320 + * Do the same thing for the memory mapping - between
2321 + * elf_bss and last_bss is the bss section.
2322 + */
2323 +- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
2324 ++ k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
2325 + if (k > last_bss)
2326 + last_bss = k;
2327 + }
2328 + }
2329 +
2330 ++ /*
2331 ++ * Now fill out the bss section: first pad the last page from
2332 ++ * the file up to the page boundary, and zero it from elf_bss
2333 ++ * up to the end of the page.
2334 ++ */
2335 ++ if (padzero(elf_bss)) {
2336 ++ error = -EFAULT;
2337 ++ goto out;
2338 ++ }
2339 ++ /*
2340 ++ * Next, align both the file and mem bss up to the page size,
2341 ++ * since this is where elf_bss was just zeroed up to, and where
2342 ++ * last_bss will end after the vm_brk() below.
2343 ++ */
2344 ++ elf_bss = ELF_PAGEALIGN(elf_bss);
2345 ++ last_bss = ELF_PAGEALIGN(last_bss);
2346 ++ /* Finally, if there is still more bss to allocate, do it. */
2347 + if (last_bss > elf_bss) {
2348 +- /*
2349 +- * Now fill out the bss section. First pad the last page up
2350 +- * to the page boundary, and then perform a mmap to make sure
2351 +- * that there are zero-mapped pages up to and including the
2352 +- * last bss page.
2353 +- */
2354 +- if (padzero(elf_bss)) {
2355 +- error = -EFAULT;
2356 +- goto out;
2357 +- }
2358 +-
2359 +- /* What we have mapped so far */
2360 +- elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
2361 +-
2362 +- /* Map the last of the bss segment */
2363 + error = vm_brk(elf_bss, last_bss - elf_bss);
2364 + if (BAD_ADDR(error))
2365 + goto out;
2366 +@@ -1212,11 +1214,13 @@ static int load_elf_library(struct file *file)
2367 + goto out_free_ph;
2368 + }
2369 +
2370 +- len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
2371 +- ELF_MIN_ALIGN - 1);
2372 +- bss = eppnt->p_memsz + eppnt->p_vaddr;
2373 +- if (bss > len)
2374 +- vm_brk(len, bss - len);
2375 ++ len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
2376 ++ bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
2377 ++ if (bss > len) {
2378 ++ error = vm_brk(len, bss - len);
2379 ++ if (BAD_ADDR(error))
2380 ++ goto out_free_ph;
2381 ++ }
2382 + error = 0;
2383 +
2384 + out_free_ph:
2385 +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
2386 +index a72f941ca750..80cd28456f08 100644
2387 +--- a/fs/btrfs/extent-tree.c
2388 ++++ b/fs/btrfs/extent-tree.c
2389 +@@ -7835,6 +7835,20 @@ btrfs_init_new_buffer(struct btrfs_trans_handle *trans, struct btrfs_root *root,
2390 + buf = btrfs_find_create_tree_block(root, bytenr);
2391 + if (!buf)
2392 + return ERR_PTR(-ENOMEM);
2393 ++
2394 ++ /*
2395 ++ * Extra safety check in case the extent tree is corrupted and extent
2396 ++ * allocator chooses to use a tree block which is already used and
2397 ++ * locked.
2398 ++ */
2399 ++ if (buf->lock_owner == current->pid) {
2400 ++ btrfs_err_rl(root->fs_info,
2401 ++"tree block %llu owner %llu already locked by pid=%d, extent tree corruption detected",
2402 ++ buf->start, btrfs_header_owner(buf), current->pid);
2403 ++ free_extent_buffer(buf);
2404 ++ return ERR_PTR(-EUCLEAN);
2405 ++ }
2406 ++
2407 + btrfs_set_header_generation(buf, trans->transid);
2408 + btrfs_set_buffer_lockdep_class(root->root_key.objectid, buf, level);
2409 + btrfs_tree_lock(buf);
2410 +@@ -8704,15 +8718,14 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans,
2411 + if (eb == root->node) {
2412 + if (wc->flags[level] & BTRFS_BLOCK_FLAG_FULL_BACKREF)
2413 + parent = eb->start;
2414 +- else
2415 +- BUG_ON(root->root_key.objectid !=
2416 +- btrfs_header_owner(eb));
2417 ++ else if (root->root_key.objectid != btrfs_header_owner(eb))
2418 ++ goto owner_mismatch;
2419 + } else {
2420 + if (wc->flags[level + 1] & BTRFS_BLOCK_FLAG_FULL_BACKREF)
2421 + parent = path->nodes[level + 1]->start;
2422 +- else
2423 +- BUG_ON(root->root_key.objectid !=
2424 +- btrfs_header_owner(path->nodes[level + 1]));
2425 ++ else if (root->root_key.objectid !=
2426 ++ btrfs_header_owner(path->nodes[level + 1]))
2427 ++ goto owner_mismatch;
2428 + }
2429 +
2430 + btrfs_free_tree_block(trans, root, eb, parent, wc->refs[level] == 1);
2431 +@@ -8720,6 +8733,11 @@ out:
2432 + wc->refs[level] = 0;
2433 + wc->flags[level] = 0;
2434 + return 0;
2435 ++
2436 ++owner_mismatch:
2437 ++ btrfs_err_rl(root->fs_info, "unexpected tree owner, have %llu expect %llu",
2438 ++ btrfs_header_owner(eb), root->root_key.objectid);
2439 ++ return -EUCLEAN;
2440 + }
2441 +
2442 + static noinline int walk_down_tree(struct btrfs_trans_handle *trans,
2443 +@@ -8773,6 +8791,8 @@ static noinline int walk_up_tree(struct btrfs_trans_handle *trans,
2444 + ret = walk_up_proc(trans, root, path, wc);
2445 + if (ret > 0)
2446 + return 0;
2447 ++ if (ret < 0)
2448 ++ return ret;
2449 +
2450 + if (path->locks[level]) {
2451 + btrfs_tree_unlock_rw(path->nodes[level],
2452 +@@ -9501,6 +9521,7 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info)
2453 +
2454 + block_group = btrfs_lookup_first_block_group(info, last);
2455 + while (block_group) {
2456 ++ wait_block_group_cache_done(block_group);
2457 + spin_lock(&block_group->lock);
2458 + if (block_group->iref)
2459 + break;
2460 +@@ -9891,7 +9912,7 @@ error:
2461 + void btrfs_create_pending_block_groups(struct btrfs_trans_handle *trans,
2462 + struct btrfs_root *root)
2463 + {
2464 +- struct btrfs_block_group_cache *block_group, *tmp;
2465 ++ struct btrfs_block_group_cache *block_group;
2466 + struct btrfs_root *extent_root = root->fs_info->extent_root;
2467 + struct btrfs_block_group_item item;
2468 + struct btrfs_key key;
2469 +@@ -9899,7 +9920,10 @@ void btrfs_create_pending_block_groups(struct btrfs_trans_handle *trans,
2470 + bool can_flush_pending_bgs = trans->can_flush_pending_bgs;
2471 +
2472 + trans->can_flush_pending_bgs = false;
2473 +- list_for_each_entry_safe(block_group, tmp, &trans->new_bgs, bg_list) {
2474 ++ while (!list_empty(&trans->new_bgs)) {
2475 ++ block_group = list_first_entry(&trans->new_bgs,
2476 ++ struct btrfs_block_group_cache,
2477 ++ bg_list);
2478 + if (ret)
2479 + goto next;
2480 +
2481 +@@ -10609,6 +10633,10 @@ static int btrfs_trim_free_extents(struct btrfs_device *device,
2482 +
2483 + *trimmed = 0;
2484 +
2485 ++ /* Discard not supported = nothing to do. */
2486 ++ if (!blk_queue_discard(bdev_get_queue(device->bdev)))
2487 ++ return 0;
2488 ++
2489 + /* Not writeable = nothing to do. */
2490 + if (!device->writeable)
2491 + return 0;
2492 +@@ -10731,8 +10759,8 @@ int btrfs_trim_fs(struct btrfs_root *root, struct fstrim_range *range)
2493 + }
2494 +
2495 + mutex_lock(&root->fs_info->fs_devices->device_list_mutex);
2496 +- devices = &root->fs_info->fs_devices->alloc_list;
2497 +- list_for_each_entry(device, devices, dev_alloc_list) {
2498 ++ devices = &root->fs_info->fs_devices->devices;
2499 ++ list_for_each_entry(device, devices, dev_list) {
2500 + ret = btrfs_trim_free_extents(device, range->minlen,
2501 + &group_trimmed);
2502 + if (ret)
2503 +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
2504 +index 45934deacfd7..1aa897dd9ce3 100644
2505 +--- a/fs/btrfs/free-space-cache.c
2506 ++++ b/fs/btrfs/free-space-cache.c
2507 +@@ -1699,6 +1699,8 @@ static inline void __bitmap_clear_bits(struct btrfs_free_space_ctl *ctl,
2508 + bitmap_clear(info->bitmap, start, count);
2509 +
2510 + info->bytes -= bytes;
2511 ++ if (info->max_extent_size > ctl->unit)
2512 ++ info->max_extent_size = 0;
2513 + }
2514 +
2515 + static void bitmap_clear_bits(struct btrfs_free_space_ctl *ctl,
2516 +@@ -1782,6 +1784,13 @@ static int search_bitmap(struct btrfs_free_space_ctl *ctl,
2517 + return -1;
2518 + }
2519 +
2520 ++static inline u64 get_max_extent_size(struct btrfs_free_space *entry)
2521 ++{
2522 ++ if (entry->bitmap)
2523 ++ return entry->max_extent_size;
2524 ++ return entry->bytes;
2525 ++}
2526 ++
2527 + /* Cache the size of the max extent in bytes */
2528 + static struct btrfs_free_space *
2529 + find_free_space(struct btrfs_free_space_ctl *ctl, u64 *offset, u64 *bytes,
2530 +@@ -1803,8 +1812,8 @@ find_free_space(struct btrfs_free_space_ctl *ctl, u64 *offset, u64 *bytes,
2531 + for (node = &entry->offset_index; node; node = rb_next(node)) {
2532 + entry = rb_entry(node, struct btrfs_free_space, offset_index);
2533 + if (entry->bytes < *bytes) {
2534 +- if (entry->bytes > *max_extent_size)
2535 +- *max_extent_size = entry->bytes;
2536 ++ *max_extent_size = max(get_max_extent_size(entry),
2537 ++ *max_extent_size);
2538 + continue;
2539 + }
2540 +
2541 +@@ -1822,8 +1831,8 @@ find_free_space(struct btrfs_free_space_ctl *ctl, u64 *offset, u64 *bytes,
2542 + }
2543 +
2544 + if (entry->bytes < *bytes + align_off) {
2545 +- if (entry->bytes > *max_extent_size)
2546 +- *max_extent_size = entry->bytes;
2547 ++ *max_extent_size = max(get_max_extent_size(entry),
2548 ++ *max_extent_size);
2549 + continue;
2550 + }
2551 +
2552 +@@ -1835,8 +1844,10 @@ find_free_space(struct btrfs_free_space_ctl *ctl, u64 *offset, u64 *bytes,
2553 + *offset = tmp;
2554 + *bytes = size;
2555 + return entry;
2556 +- } else if (size > *max_extent_size) {
2557 +- *max_extent_size = size;
2558 ++ } else {
2559 ++ *max_extent_size =
2560 ++ max(get_max_extent_size(entry),
2561 ++ *max_extent_size);
2562 + }
2563 + continue;
2564 + }
2565 +@@ -2694,8 +2705,8 @@ static u64 btrfs_alloc_from_bitmap(struct btrfs_block_group_cache *block_group,
2566 +
2567 + err = search_bitmap(ctl, entry, &search_start, &search_bytes, true);
2568 + if (err) {
2569 +- if (search_bytes > *max_extent_size)
2570 +- *max_extent_size = search_bytes;
2571 ++ *max_extent_size = max(get_max_extent_size(entry),
2572 ++ *max_extent_size);
2573 + return 0;
2574 + }
2575 +
2576 +@@ -2732,8 +2743,9 @@ u64 btrfs_alloc_from_cluster(struct btrfs_block_group_cache *block_group,
2577 +
2578 + entry = rb_entry(node, struct btrfs_free_space, offset_index);
2579 + while (1) {
2580 +- if (entry->bytes < bytes && entry->bytes > *max_extent_size)
2581 +- *max_extent_size = entry->bytes;
2582 ++ if (entry->bytes < bytes)
2583 ++ *max_extent_size = max(get_max_extent_size(entry),
2584 ++ *max_extent_size);
2585 +
2586 + if (entry->bytes < bytes ||
2587 + (!entry->bitmap && entry->offset < min_start)) {
2588 +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
2589 +index b895be3d4311..383717ccecc7 100644
2590 +--- a/fs/btrfs/inode.c
2591 ++++ b/fs/btrfs/inode.c
2592 +@@ -481,6 +481,7 @@ again:
2593 + pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS);
2594 + if (!pages) {
2595 + /* just bail out to the uncompressed code */
2596 ++ nr_pages = 0;
2597 + goto cont;
2598 + }
2599 +
2600 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
2601 +index 6caeb946fc1d..150d3c891815 100644
2602 +--- a/fs/btrfs/ioctl.c
2603 ++++ b/fs/btrfs/ioctl.c
2604 +@@ -3950,9 +3950,17 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
2605 + goto out_unlock;
2606 + if (len == 0)
2607 + olen = len = src->i_size - off;
2608 +- /* if we extend to eof, continue to block boundary */
2609 +- if (off + len == src->i_size)
2610 ++ /*
2611 ++ * If we extend to eof, continue to block boundary if and only if the
2612 ++ * destination end offset matches the destination file's size, otherwise
2613 ++ * we would be corrupting data by placing the eof block into the middle
2614 ++ * of a file.
2615 ++ */
2616 ++ if (off + len == src->i_size) {
2617 ++ if (!IS_ALIGNED(len, bs) && destoff + len < inode->i_size)
2618 ++ goto out_unlock;
2619 + len = ALIGN(src->i_size, bs) - off;
2620 ++ }
2621 +
2622 + if (len == 0) {
2623 + ret = 0;
2624 +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
2625 +index a751937dded5..90e29d40aa82 100644
2626 +--- a/fs/btrfs/qgroup.c
2627 ++++ b/fs/btrfs/qgroup.c
2628 +@@ -2446,6 +2446,7 @@ qgroup_rescan_zero_tracking(struct btrfs_fs_info *fs_info)
2629 + qgroup->rfer_cmpr = 0;
2630 + qgroup->excl = 0;
2631 + qgroup->excl_cmpr = 0;
2632 ++ qgroup_dirty(fs_info, qgroup);
2633 + }
2634 + spin_unlock(&fs_info->qgroup_lock);
2635 + }
2636 +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
2637 +index cfe913d2d3df..d6ccfb31aef0 100644
2638 +--- a/fs/btrfs/relocation.c
2639 ++++ b/fs/btrfs/relocation.c
2640 +@@ -1318,7 +1318,7 @@ static void __del_reloc_root(struct btrfs_root *root)
2641 + struct mapping_node *node = NULL;
2642 + struct reloc_control *rc = root->fs_info->reloc_ctl;
2643 +
2644 +- if (rc) {
2645 ++ if (rc && root->node) {
2646 + spin_lock(&rc->reloc_root_tree.lock);
2647 + rb_node = tree_search(&rc->reloc_root_tree.rb_root,
2648 + root->node->start);
2649 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
2650 +index 2c7f9a5f8717..63f59f17c97e 100644
2651 +--- a/fs/btrfs/tree-log.c
2652 ++++ b/fs/btrfs/tree-log.c
2653 +@@ -5240,9 +5240,33 @@ static int btrfs_log_all_parents(struct btrfs_trans_handle *trans,
2654 +
2655 + dir_inode = btrfs_iget(root->fs_info->sb, &inode_key,
2656 + root, NULL);
2657 +- /* If parent inode was deleted, skip it. */
2658 +- if (IS_ERR(dir_inode))
2659 +- continue;
2660 ++ /*
2661 ++ * If the parent inode was deleted, return an error to
2662 ++ * fallback to a transaction commit. This is to prevent
2663 ++ * getting an inode that was moved from one parent A to
2664 ++ * a parent B, got its former parent A deleted and then
2665 ++ * it got fsync'ed, from existing at both parents after
2666 ++ * a log replay (and the old parent still existing).
2667 ++ * Example:
2668 ++ *
2669 ++ * mkdir /mnt/A
2670 ++ * mkdir /mnt/B
2671 ++ * touch /mnt/B/bar
2672 ++ * sync
2673 ++ * mv /mnt/B/bar /mnt/A/bar
2674 ++ * mv -T /mnt/A /mnt/B
2675 ++ * fsync /mnt/B/bar
2676 ++ * <power fail>
2677 ++ *
2678 ++ * If we ignore the old parent B which got deleted,
2679 ++ * after a log replay we would have file bar linked
2680 ++ * at both parents and the old parent B would still
2681 ++ * exist.
2682 ++ */
2683 ++ if (IS_ERR(dir_inode)) {
2684 ++ ret = PTR_ERR(dir_inode);
2685 ++ goto out;
2686 ++ }
2687 +
2688 + ret = btrfs_log_inode(trans, root, dir_inode,
2689 + LOG_INODE_ALL, 0, LLONG_MAX, ctx);
2690 +diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
2691 +index 0e72a14228f8..7bc6d27d47a4 100644
2692 +--- a/fs/cifs/cifs_debug.c
2693 ++++ b/fs/cifs/cifs_debug.c
2694 +@@ -285,6 +285,9 @@ static ssize_t cifs_stats_proc_write(struct file *file,
2695 + atomic_set(&totBufAllocCount, 0);
2696 + atomic_set(&totSmBufAllocCount, 0);
2697 + #endif /* CONFIG_CIFS_STATS2 */
2698 ++ atomic_set(&tcpSesReconnectCount, 0);
2699 ++ atomic_set(&tconInfoReconnectCount, 0);
2700 ++
2701 + spin_lock(&GlobalMid_Lock);
2702 + GlobalMaxActiveXid = 0;
2703 + GlobalCurrentXid = 0;
2704 +diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
2705 +index 6908080e9b6d..e3f2b7370bd8 100644
2706 +--- a/fs/cifs/cifs_spnego.c
2707 ++++ b/fs/cifs/cifs_spnego.c
2708 +@@ -143,8 +143,10 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo)
2709 + sprintf(dp, ";sec=krb5");
2710 + else if (server->sec_mskerberos)
2711 + sprintf(dp, ";sec=mskrb5");
2712 +- else
2713 +- goto out;
2714 ++ else {
2715 ++ cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
2716 ++ sprintf(dp, ";sec=krb5");
2717 ++ }
2718 +
2719 + dp = description + strlen(description);
2720 + sprintf(dp, ";uid=0x%x",
2721 +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
2722 +index 36c8594bb147..5c3187df9ab9 100644
2723 +--- a/fs/cifs/inode.c
2724 ++++ b/fs/cifs/inode.c
2725 +@@ -756,7 +756,15 @@ cifs_get_inode_info(struct inode **inode, const char *full_path,
2726 + } else if (rc == -EREMOTE) {
2727 + cifs_create_dfs_fattr(&fattr, sb);
2728 + rc = 0;
2729 +- } else if (rc == -EACCES && backup_cred(cifs_sb)) {
2730 ++ } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
2731 ++ (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
2732 ++ == 0)) {
2733 ++ /*
2734 ++ * For SMB2 and later the backup intent flag is already
2735 ++ * sent if needed on open and there is no path based
2736 ++ * FindFirst operation to use to retry with
2737 ++ */
2738 ++
2739 + srchinf = kzalloc(sizeof(struct cifs_search_info),
2740 + GFP_KERNEL);
2741 + if (srchinf == NULL) {
2742 +diff --git a/fs/configfs/symlink.c b/fs/configfs/symlink.c
2743 +index 0525ebc3aea2..66e8c5d58b21 100644
2744 +--- a/fs/configfs/symlink.c
2745 ++++ b/fs/configfs/symlink.c
2746 +@@ -64,7 +64,7 @@ static void fill_item_path(struct config_item * item, char * buffer, int length)
2747 +
2748 + /* back up enough to print this bus id with '/' */
2749 + length -= cur;
2750 +- strncpy(buffer + length,config_item_name(p),cur);
2751 ++ memcpy(buffer + length, config_item_name(p), cur);
2752 + *(buffer + --length) = '/';
2753 + }
2754 + }
2755 +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
2756 +index 355c522f3585..a6c9c2d66af1 100644
2757 +--- a/fs/cramfs/inode.c
2758 ++++ b/fs/cramfs/inode.c
2759 +@@ -185,7 +185,8 @@ static void *cramfs_read(struct super_block *sb, unsigned int offset, unsigned i
2760 + continue;
2761 + blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_CACHE_SHIFT;
2762 + blk_offset += offset;
2763 +- if (blk_offset + len > BUFFER_SIZE)
2764 ++ if (blk_offset > BUFFER_SIZE ||
2765 ++ blk_offset + len > BUFFER_SIZE)
2766 + continue;
2767 + return read_buffers[i] + blk_offset;
2768 + }
2769 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
2770 +index f5d9f82b173a..b6e25d771eea 100644
2771 +--- a/fs/ext4/ext4.h
2772 ++++ b/fs/ext4/ext4.h
2773 +@@ -3039,9 +3039,6 @@ extern struct buffer_head *ext4_get_first_inline_block(struct inode *inode,
2774 + extern int ext4_inline_data_fiemap(struct inode *inode,
2775 + struct fiemap_extent_info *fieinfo,
2776 + int *has_inline, __u64 start, __u64 len);
2777 +-extern int ext4_try_to_evict_inline_data(handle_t *handle,
2778 +- struct inode *inode,
2779 +- int needed);
2780 + extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
2781 +
2782 + extern int ext4_convert_inline_data(struct inode *inode);
2783 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
2784 +index 1e7a9774119c..1aec46733ef8 100644
2785 +--- a/fs/ext4/inline.c
2786 ++++ b/fs/ext4/inline.c
2787 +@@ -859,7 +859,7 @@ int ext4_da_write_inline_data_begin(struct address_space *mapping,
2788 + handle_t *handle;
2789 + struct page *page;
2790 + struct ext4_iloc iloc;
2791 +- int retries;
2792 ++ int retries = 0;
2793 +
2794 + ret = ext4_get_inode_loc(inode, &iloc);
2795 + if (ret)
2796 +@@ -888,11 +888,11 @@ retry_journal:
2797 + flags |= AOP_FLAG_NOFS;
2798 +
2799 + if (ret == -ENOSPC) {
2800 ++ ext4_journal_stop(handle);
2801 + ret = ext4_da_convert_inline_data_to_extent(mapping,
2802 + inode,
2803 + flags,
2804 + fsdata);
2805 +- ext4_journal_stop(handle);
2806 + if (ret == -ENOSPC &&
2807 + ext4_should_retry_alloc(inode->i_sb, &retries))
2808 + goto retry_journal;
2809 +@@ -1867,42 +1867,6 @@ out:
2810 + return (error < 0 ? error : 0);
2811 + }
2812 +
2813 +-/*
2814 +- * Called during xattr set, and if we can sparse space 'needed',
2815 +- * just create the extent tree evict the data to the outer block.
2816 +- *
2817 +- * We use jbd2 instead of page cache to move data to the 1st block
2818 +- * so that the whole transaction can be committed as a whole and
2819 +- * the data isn't lost because of the delayed page cache write.
2820 +- */
2821 +-int ext4_try_to_evict_inline_data(handle_t *handle,
2822 +- struct inode *inode,
2823 +- int needed)
2824 +-{
2825 +- int error;
2826 +- struct ext4_xattr_entry *entry;
2827 +- struct ext4_inode *raw_inode;
2828 +- struct ext4_iloc iloc;
2829 +-
2830 +- error = ext4_get_inode_loc(inode, &iloc);
2831 +- if (error)
2832 +- return error;
2833 +-
2834 +- raw_inode = ext4_raw_inode(&iloc);
2835 +- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
2836 +- EXT4_I(inode)->i_inline_off);
2837 +- if (EXT4_XATTR_LEN(entry->e_name_len) +
2838 +- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
2839 +- error = -ENOSPC;
2840 +- goto out;
2841 +- }
2842 +-
2843 +- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
2844 +-out:
2845 +- brelse(iloc.bh);
2846 +- return error;
2847 +-}
2848 +-
2849 + void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
2850 + {
2851 + handle_t *handle;
2852 +diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
2853 +index 05048fcfd602..6b5e2eddd8d7 100644
2854 +--- a/fs/ext4/move_extent.c
2855 ++++ b/fs/ext4/move_extent.c
2856 +@@ -526,9 +526,13 @@ mext_check_arguments(struct inode *orig_inode,
2857 + orig_inode->i_ino, donor_inode->i_ino);
2858 + return -EINVAL;
2859 + }
2860 +- if (orig_eof < orig_start + *len - 1)
2861 ++ if (orig_eof <= orig_start)
2862 ++ *len = 0;
2863 ++ else if (orig_eof < orig_start + *len - 1)
2864 + *len = orig_eof - orig_start;
2865 +- if (donor_eof < donor_start + *len - 1)
2866 ++ if (donor_eof <= donor_start)
2867 ++ *len = 0;
2868 ++ else if (donor_eof < donor_start + *len - 1)
2869 + *len = donor_eof - donor_start;
2870 + if (!*len) {
2871 + ext4_debug("ext4 move extent: len should not be 0 "
2872 +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
2873 +index a1f1e53d0e25..aa08e129149d 100644
2874 +--- a/fs/ext4/namei.c
2875 ++++ b/fs/ext4/namei.c
2876 +@@ -124,6 +124,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
2877 + if (!is_dx_block && type == INDEX) {
2878 + ext4_error_inode(inode, func, line, block,
2879 + "directory leaf block found instead of index block");
2880 ++ brelse(bh);
2881 + return ERR_PTR(-EFSCORRUPTED);
2882 + }
2883 + if (!ext4_has_metadata_csum(inode->i_sb) ||
2884 +@@ -2830,7 +2831,9 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
2885 + list_del_init(&EXT4_I(inode)->i_orphan);
2886 + mutex_unlock(&sbi->s_orphan_lock);
2887 + }
2888 +- }
2889 ++ } else
2890 ++ brelse(iloc.bh);
2891 ++
2892 + jbd_debug(4, "superblock will point to %lu\n", inode->i_ino);
2893 + jbd_debug(4, "orphan inode %lu will point to %d\n",
2894 + inode->i_ino, NEXT_ORPHAN(inode));
2895 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
2896 +index 783280ebc2fe..bad13f049fb0 100644
2897 +--- a/fs/ext4/resize.c
2898 ++++ b/fs/ext4/resize.c
2899 +@@ -442,16 +442,18 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
2900 +
2901 + BUFFER_TRACE(bh, "get_write_access");
2902 + err = ext4_journal_get_write_access(handle, bh);
2903 +- if (err)
2904 ++ if (err) {
2905 ++ brelse(bh);
2906 + return err;
2907 ++ }
2908 + ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
2909 + block - start, count2);
2910 + ext4_set_bits(bh->b_data, block - start, count2);
2911 +
2912 + err = ext4_handle_dirty_metadata(handle, NULL, bh);
2913 ++ brelse(bh);
2914 + if (unlikely(err))
2915 + return err;
2916 +- brelse(bh);
2917 + }
2918 +
2919 + return 0;
2920 +@@ -588,7 +590,6 @@ handle_bb:
2921 + bh = bclean(handle, sb, block);
2922 + if (IS_ERR(bh)) {
2923 + err = PTR_ERR(bh);
2924 +- bh = NULL;
2925 + goto out;
2926 + }
2927 + overhead = ext4_group_overhead_blocks(sb, group);
2928 +@@ -600,9 +601,9 @@ handle_bb:
2929 + ext4_mark_bitmap_end(group_data[i].blocks_count,
2930 + sb->s_blocksize * 8, bh->b_data);
2931 + err = ext4_handle_dirty_metadata(handle, NULL, bh);
2932 ++ brelse(bh);
2933 + if (err)
2934 + goto out;
2935 +- brelse(bh);
2936 +
2937 + handle_ib:
2938 + if (bg_flags[i] & EXT4_BG_INODE_UNINIT)
2939 +@@ -617,18 +618,16 @@ handle_ib:
2940 + bh = bclean(handle, sb, block);
2941 + if (IS_ERR(bh)) {
2942 + err = PTR_ERR(bh);
2943 +- bh = NULL;
2944 + goto out;
2945 + }
2946 +
2947 + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
2948 + sb->s_blocksize * 8, bh->b_data);
2949 + err = ext4_handle_dirty_metadata(handle, NULL, bh);
2950 ++ brelse(bh);
2951 + if (err)
2952 + goto out;
2953 +- brelse(bh);
2954 + }
2955 +- bh = NULL;
2956 +
2957 + /* Mark group tables in block bitmap */
2958 + for (j = 0; j < GROUP_TABLE_COUNT; j++) {
2959 +@@ -659,7 +658,6 @@ handle_ib:
2960 + }
2961 +
2962 + out:
2963 +- brelse(bh);
2964 + err2 = ext4_journal_stop(handle);
2965 + if (err2 && !err)
2966 + err = err2;
2967 +@@ -846,6 +844,7 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
2968 + err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh);
2969 + if (unlikely(err)) {
2970 + ext4_std_error(sb, err);
2971 ++ iloc.bh = NULL;
2972 + goto exit_inode;
2973 + }
2974 + brelse(dind);
2975 +@@ -897,6 +896,7 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
2976 + sizeof(struct buffer_head *),
2977 + GFP_NOFS);
2978 + if (!n_group_desc) {
2979 ++ brelse(gdb_bh);
2980 + err = -ENOMEM;
2981 + ext4_warning(sb, "not enough memory for %lu groups",
2982 + gdb_num + 1);
2983 +@@ -912,8 +912,6 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
2984 + kvfree(o_group_desc);
2985 + BUFFER_TRACE(gdb_bh, "get_write_access");
2986 + err = ext4_journal_get_write_access(handle, gdb_bh);
2987 +- if (unlikely(err))
2988 +- brelse(gdb_bh);
2989 + return err;
2990 + }
2991 +
2992 +@@ -1095,8 +1093,10 @@ static void update_backups(struct super_block *sb, sector_t blk_off, char *data,
2993 + backup_block, backup_block -
2994 + ext4_group_first_block_no(sb, group));
2995 + BUFFER_TRACE(bh, "get_write_access");
2996 +- if ((err = ext4_journal_get_write_access(handle, bh)))
2997 ++ if ((err = ext4_journal_get_write_access(handle, bh))) {
2998 ++ brelse(bh);
2999 + break;
3000 ++ }
3001 + lock_buffer(bh);
3002 + memcpy(bh->b_data, data, size);
3003 + if (rest)
3004 +@@ -1991,7 +1991,7 @@ retry:
3005 +
3006 + err = ext4_alloc_flex_bg_array(sb, n_group + 1);
3007 + if (err)
3008 +- return err;
3009 ++ goto out;
3010 +
3011 + err = ext4_mb_alloc_groupinfo(sb, n_group + 1);
3012 + if (err)
3013 +@@ -2027,6 +2027,10 @@ retry:
3014 + n_blocks_count_retry = 0;
3015 + free_flex_gd(flex_gd);
3016 + flex_gd = NULL;
3017 ++ if (resize_inode) {
3018 ++ iput(resize_inode);
3019 ++ resize_inode = NULL;
3020 ++ }
3021 + goto retry;
3022 + }
3023 +
3024 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
3025 +index a3d905abbaa9..cd9cd581fd92 100644
3026 +--- a/fs/ext4/super.c
3027 ++++ b/fs/ext4/super.c
3028 +@@ -3731,6 +3731,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
3029 + sbi->s_groups_count = blocks_count;
3030 + sbi->s_blockfile_groups = min_t(ext4_group_t, sbi->s_groups_count,
3031 + (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
3032 ++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
3033 ++ le32_to_cpu(es->s_inodes_count)) {
3034 ++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
3035 ++ le32_to_cpu(es->s_inodes_count),
3036 ++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
3037 ++ ret = -EINVAL;
3038 ++ goto failed_mount;
3039 ++ }
3040 + db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
3041 + EXT4_DESC_PER_BLOCK(sb);
3042 + if (ext4_has_feature_meta_bg(sb)) {
3043 +@@ -3750,14 +3758,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
3044 + ret = -ENOMEM;
3045 + goto failed_mount;
3046 + }
3047 +- if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
3048 +- le32_to_cpu(es->s_inodes_count)) {
3049 +- ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
3050 +- le32_to_cpu(es->s_inodes_count),
3051 +- ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
3052 +- ret = -EINVAL;
3053 +- goto failed_mount;
3054 +- }
3055 +
3056 + bgl_lock_init(sbi->s_blockgroup_lock);
3057 +
3058 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
3059 +index d6bae37489af..53679716baca 100644
3060 +--- a/fs/ext4/xattr.c
3061 ++++ b/fs/ext4/xattr.c
3062 +@@ -1044,22 +1044,8 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode,
3063 + if (EXT4_I(inode)->i_extra_isize == 0)
3064 + return -ENOSPC;
3065 + error = ext4_xattr_set_entry(i, s, inode);
3066 +- if (error) {
3067 +- if (error == -ENOSPC &&
3068 +- ext4_has_inline_data(inode)) {
3069 +- error = ext4_try_to_evict_inline_data(handle, inode,
3070 +- EXT4_XATTR_LEN(strlen(i->name) +
3071 +- EXT4_XATTR_SIZE(i->value_len)));
3072 +- if (error)
3073 +- return error;
3074 +- error = ext4_xattr_ibody_find(inode, i, is);
3075 +- if (error)
3076 +- return error;
3077 +- error = ext4_xattr_set_entry(i, s, inode);
3078 +- }
3079 +- if (error)
3080 +- return error;
3081 +- }
3082 ++ if (error)
3083 ++ return error;
3084 + header = IHDR(inode, ext4_raw_inode(&is->iloc));
3085 + if (!IS_LAST_ENTRY(s->first)) {
3086 + header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
3087 +@@ -1175,6 +1161,8 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
3088 + error = ext4_xattr_block_set(handle, inode, &i, &bs);
3089 + } else if (error == -ENOSPC) {
3090 + if (EXT4_I(inode)->i_file_acl && !bs.s.base) {
3091 ++ brelse(bs.bh);
3092 ++ bs.bh = NULL;
3093 + error = ext4_xattr_block_find(inode, &i, &bs);
3094 + if (error)
3095 + goto cleanup;
3096 +@@ -1502,6 +1490,8 @@ cleanup:
3097 + kfree(buffer);
3098 + if (is)
3099 + brelse(is->iloc.bh);
3100 ++ if (bs)
3101 ++ brelse(bs->bh);
3102 + kfree(is);
3103 + kfree(bs);
3104 + brelse(bh);
3105 +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
3106 +index 2671e922c720..e566652ac922 100644
3107 +--- a/fs/fuse/dev.c
3108 ++++ b/fs/fuse/dev.c
3109 +@@ -402,12 +402,19 @@ static void request_end(struct fuse_conn *fc, struct fuse_req *req)
3110 + if (test_bit(FR_BACKGROUND, &req->flags)) {
3111 + spin_lock(&fc->lock);
3112 + clear_bit(FR_BACKGROUND, &req->flags);
3113 +- if (fc->num_background == fc->max_background)
3114 ++ if (fc->num_background == fc->max_background) {
3115 + fc->blocked = 0;
3116 +-
3117 +- /* Wake up next waiter, if any */
3118 +- if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
3119 + wake_up(&fc->blocked_waitq);
3120 ++ } else if (!fc->blocked) {
3121 ++ /*
3122 ++ * Wake up next waiter, if any. It's okay to use
3123 ++ * waitqueue_active(), as we've already synced up
3124 ++ * fc->blocked with waiters with the wake_up() call
3125 ++ * above.
3126 ++ */
3127 ++ if (waitqueue_active(&fc->blocked_waitq))
3128 ++ wake_up(&fc->blocked_waitq);
3129 ++ }
3130 +
3131 + if (fc->num_background == fc->congestion_threshold &&
3132 + fc->connected && fc->bdi_initialized) {
3133 +@@ -1328,12 +1335,14 @@ static ssize_t fuse_dev_do_read(struct fuse_dev *fud, struct file *file,
3134 + goto out_end;
3135 + }
3136 + list_move_tail(&req->list, &fpq->processing);
3137 +- spin_unlock(&fpq->lock);
3138 ++ __fuse_get_request(req);
3139 + set_bit(FR_SENT, &req->flags);
3140 ++ spin_unlock(&fpq->lock);
3141 + /* matches barrier in request_wait_answer() */
3142 + smp_mb__after_atomic();
3143 + if (test_bit(FR_INTERRUPTED, &req->flags))
3144 + queue_interrupt(fiq, req);
3145 ++ fuse_put_request(fc, req);
3146 +
3147 + return reqsize;
3148 +
3149 +@@ -1762,8 +1771,10 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
3150 + req->in.args[1].size = total_len;
3151 +
3152 + err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
3153 +- if (err)
3154 ++ if (err) {
3155 + fuse_retrieve_end(fc, req);
3156 ++ fuse_put_request(fc, req);
3157 ++ }
3158 +
3159 + return err;
3160 + }
3161 +@@ -1922,16 +1933,20 @@ static ssize_t fuse_dev_do_write(struct fuse_dev *fud,
3162 +
3163 + /* Is it an interrupt reply? */
3164 + if (req->intr_unique == oh.unique) {
3165 ++ __fuse_get_request(req);
3166 + spin_unlock(&fpq->lock);
3167 +
3168 + err = -EINVAL;
3169 +- if (nbytes != sizeof(struct fuse_out_header))
3170 ++ if (nbytes != sizeof(struct fuse_out_header)) {
3171 ++ fuse_put_request(fc, req);
3172 + goto err_finish;
3173 ++ }
3174 +
3175 + if (oh.error == -ENOSYS)
3176 + fc->no_interrupt = 1;
3177 + else if (oh.error == -EAGAIN)
3178 + queue_interrupt(&fc->iq, req);
3179 ++ fuse_put_request(fc, req);
3180 +
3181 + fuse_copy_finish(cs);
3182 + return nbytes;
3183 +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
3184 +index baab99b69d8a..d9178388cf48 100644
3185 +--- a/fs/gfs2/ops_fstype.c
3186 ++++ b/fs/gfs2/ops_fstype.c
3187 +@@ -1353,6 +1353,9 @@ static struct dentry *gfs2_mount_meta(struct file_system_type *fs_type,
3188 + struct path path;
3189 + int error;
3190 +
3191 ++ if (!dev_name || !*dev_name)
3192 ++ return ERR_PTR(-EINVAL);
3193 ++
3194 + error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
3195 + if (error) {
3196 + pr_warn("path_lookup on %s returned error %d\n",
3197 +diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c
3198 +index 684996c8a3a4..4d5a5a4cc017 100644
3199 +--- a/fs/jbd2/checkpoint.c
3200 ++++ b/fs/jbd2/checkpoint.c
3201 +@@ -254,8 +254,8 @@ restart:
3202 + bh = jh2bh(jh);
3203 +
3204 + if (buffer_locked(bh)) {
3205 +- spin_unlock(&journal->j_list_lock);
3206 + get_bh(bh);
3207 ++ spin_unlock(&journal->j_list_lock);
3208 + wait_on_buffer(bh);
3209 + /* the journal_head may have gone by now */
3210 + BUFFER_TRACE(bh, "brelse");
3211 +@@ -336,8 +336,8 @@ restart2:
3212 + jh = transaction->t_checkpoint_io_list;
3213 + bh = jh2bh(jh);
3214 + if (buffer_locked(bh)) {
3215 +- spin_unlock(&journal->j_list_lock);
3216 + get_bh(bh);
3217 ++ spin_unlock(&journal->j_list_lock);
3218 + wait_on_buffer(bh);
3219 + /* the journal_head may have gone by now */
3220 + BUFFER_TRACE(bh, "brelse");
3221 +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
3222 +index 600da1a4df29..1544f530ccd0 100644
3223 +--- a/fs/jffs2/super.c
3224 ++++ b/fs/jffs2/super.c
3225 +@@ -285,10 +285,8 @@ static int jffs2_fill_super(struct super_block *sb, void *data, int silent)
3226 + sb->s_fs_info = c;
3227 +
3228 + ret = jffs2_parse_options(c, data);
3229 +- if (ret) {
3230 +- kfree(c);
3231 ++ if (ret)
3232 + return -EINVAL;
3233 +- }
3234 +
3235 + /* Initialize JFFS2 superblock locks, the further initialization will
3236 + * be done later */
3237 +diff --git a/fs/lockd/host.c b/fs/lockd/host.c
3238 +index d716c9993a26..c7eb47f2fb6c 100644
3239 +--- a/fs/lockd/host.c
3240 ++++ b/fs/lockd/host.c
3241 +@@ -340,7 +340,7 @@ struct nlm_host *nlmsvc_lookup_host(const struct svc_rqst *rqstp,
3242 + };
3243 + struct lockd_net *ln = net_generic(net, lockd_net_id);
3244 +
3245 +- dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__,
3246 ++ dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__,
3247 + (int)hostname_len, hostname, rqstp->rq_vers,
3248 + (rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp"));
3249 +
3250 +diff --git a/fs/namespace.c b/fs/namespace.c
3251 +index b56b50e3da11..88c5d5bddf74 100644
3252 +--- a/fs/namespace.c
3253 ++++ b/fs/namespace.c
3254 +@@ -1584,8 +1584,13 @@ static int do_umount(struct mount *mnt, int flags)
3255 +
3256 + namespace_lock();
3257 + lock_mount_hash();
3258 +- event++;
3259 +
3260 ++ /* Recheck MNT_LOCKED with the locks held */
3261 ++ retval = -EINVAL;
3262 ++ if (mnt->mnt.mnt_flags & MNT_LOCKED)
3263 ++ goto out;
3264 ++
3265 ++ event++;
3266 + if (flags & MNT_DETACH) {
3267 + if (!list_empty(&mnt->mnt_list))
3268 + umount_tree(mnt, UMOUNT_PROPAGATE);
3269 +@@ -1599,6 +1604,7 @@ static int do_umount(struct mount *mnt, int flags)
3270 + retval = 0;
3271 + }
3272 + }
3273 ++out:
3274 + unlock_mount_hash();
3275 + namespace_unlock();
3276 + return retval;
3277 +@@ -1681,7 +1687,7 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
3278 + goto dput_and_out;
3279 + if (!check_mnt(mnt))
3280 + goto dput_and_out;
3281 +- if (mnt->mnt.mnt_flags & MNT_LOCKED)
3282 ++ if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
3283 + goto dput_and_out;
3284 + retval = -EPERM;
3285 + if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
3286 +@@ -1759,8 +1765,14 @@ struct mount *copy_tree(struct mount *mnt, struct dentry *dentry,
3287 + for (s = r; s; s = next_mnt(s, r)) {
3288 + if (!(flag & CL_COPY_UNBINDABLE) &&
3289 + IS_MNT_UNBINDABLE(s)) {
3290 +- s = skip_mnt_tree(s);
3291 +- continue;
3292 ++ if (s->mnt.mnt_flags & MNT_LOCKED) {
3293 ++ /* Both unbindable and locked. */
3294 ++ q = ERR_PTR(-EPERM);
3295 ++ goto out;
3296 ++ } else {
3297 ++ s = skip_mnt_tree(s);
3298 ++ continue;
3299 ++ }
3300 + }
3301 + if (!(flag & CL_COPY_MNT_NS_FILE) &&
3302 + is_mnt_ns_file(s->mnt.mnt_root)) {
3303 +@@ -1813,7 +1825,7 @@ void drop_collected_mounts(struct vfsmount *mnt)
3304 + {
3305 + namespace_lock();
3306 + lock_mount_hash();
3307 +- umount_tree(real_mount(mnt), UMOUNT_SYNC);
3308 ++ umount_tree(real_mount(mnt), 0);
3309 + unlock_mount_hash();
3310 + namespace_unlock();
3311 + }
3312 +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
3313 +index 63498e1a542a..ae91d1e450be 100644
3314 +--- a/fs/nfs/nfs4client.c
3315 ++++ b/fs/nfs/nfs4client.c
3316 +@@ -879,10 +879,10 @@ EXPORT_SYMBOL_GPL(nfs4_set_ds_client);
3317 +
3318 + /*
3319 + * Session has been established, and the client marked ready.
3320 +- * Set the mount rsize and wsize with negotiated fore channel
3321 +- * attributes which will be bound checked in nfs_server_set_fsinfo.
3322 ++ * Limit the mount rsize, wsize and dtsize using negotiated fore
3323 ++ * channel attributes.
3324 + */
3325 +-static void nfs4_session_set_rwsize(struct nfs_server *server)
3326 ++static void nfs4_session_limit_rwsize(struct nfs_server *server)
3327 + {
3328 + #ifdef CONFIG_NFS_V4_1
3329 + struct nfs4_session *sess;
3330 +@@ -895,9 +895,11 @@ static void nfs4_session_set_rwsize(struct nfs_server *server)
3331 + server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead;
3332 + server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead;
3333 +
3334 +- if (!server->rsize || server->rsize > server_resp_sz)
3335 ++ if (server->dtsize > server_resp_sz)
3336 ++ server->dtsize = server_resp_sz;
3337 ++ if (server->rsize > server_resp_sz)
3338 + server->rsize = server_resp_sz;
3339 +- if (!server->wsize || server->wsize > server_rqst_sz)
3340 ++ if (server->wsize > server_rqst_sz)
3341 + server->wsize = server_rqst_sz;
3342 + #endif /* CONFIG_NFS_V4_1 */
3343 + }
3344 +@@ -944,12 +946,12 @@ static int nfs4_server_common_setup(struct nfs_server *server,
3345 + (unsigned long long) server->fsid.minor);
3346 + nfs_display_fhandle(mntfh, "Pseudo-fs root FH");
3347 +
3348 +- nfs4_session_set_rwsize(server);
3349 +-
3350 + error = nfs_probe_fsinfo(server, mntfh, fattr);
3351 + if (error < 0)
3352 + goto out;
3353 +
3354 ++ nfs4_session_limit_rwsize(server);
3355 ++
3356 + if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
3357 + server->namelen = NFS4_MAXNAMLEN;
3358 +
3359 +diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
3360 +index ffecf89c8c1c..49af618e410d 100644
3361 +--- a/fs/ocfs2/dir.c
3362 ++++ b/fs/ocfs2/dir.c
3363 +@@ -1896,8 +1896,7 @@ static int ocfs2_dir_foreach_blk_el(struct inode *inode,
3364 + /* On error, skip the f_pos to the
3365 + next block. */
3366 + ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;
3367 +- brelse(bh);
3368 +- continue;
3369 ++ break;
3370 + }
3371 + if (le64_to_cpu(de->inode)) {
3372 + unsigned char d_type = DT_UNKNOWN;
3373 +diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h
3374 +index 3e3799cdc6e6..9b9fe0588008 100644
3375 +--- a/include/linux/ceph/libceph.h
3376 ++++ b/include/linux/ceph/libceph.h
3377 +@@ -72,7 +72,13 @@ struct ceph_options {
3378 +
3379 + #define CEPH_MSG_MAX_FRONT_LEN (16*1024*1024)
3380 + #define CEPH_MSG_MAX_MIDDLE_LEN (16*1024*1024)
3381 +-#define CEPH_MSG_MAX_DATA_LEN (16*1024*1024)
3382 ++
3383 ++/*
3384 ++ * Handle the largest possible rbd object in one message.
3385 ++ * There is no limit on the size of cephfs objects, but it has to obey
3386 ++ * rsize and wsize mount options anyway.
3387 ++ */
3388 ++#define CEPH_MSG_MAX_DATA_LEN (32*1024*1024)
3389 +
3390 + #define CEPH_AUTH_NAME_DEFAULT "guest"
3391 +
3392 +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
3393 +index 685c262e0be8..3957d99e66ea 100644
3394 +--- a/include/linux/hugetlb.h
3395 ++++ b/include/linux/hugetlb.h
3396 +@@ -110,6 +110,8 @@ pte_t *huge_pte_alloc(struct mm_struct *mm,
3397 + unsigned long addr, unsigned long sz);
3398 + pte_t *huge_pte_offset(struct mm_struct *mm, unsigned long addr);
3399 + int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep);
3400 ++void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
3401 ++ unsigned long *start, unsigned long *end);
3402 + struct page *follow_huge_addr(struct mm_struct *mm, unsigned long address,
3403 + int write);
3404 + struct page *follow_huge_pmd(struct mm_struct *mm, unsigned long address,
3405 +@@ -132,6 +134,18 @@ static inline unsigned long hugetlb_total_pages(void)
3406 + return 0;
3407 + }
3408 +
3409 ++static inline int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr,
3410 ++ pte_t *ptep)
3411 ++{
3412 ++ return 0;
3413 ++}
3414 ++
3415 ++static inline void adjust_range_if_pmd_sharing_possible(
3416 ++ struct vm_area_struct *vma,
3417 ++ unsigned long *start, unsigned long *end)
3418 ++{
3419 ++}
3420 ++
3421 + #define follow_hugetlb_page(m,v,p,vs,a,b,i,w) ({ BUG(); 0; })
3422 + #define follow_huge_addr(mm, addr, write) ERR_PTR(-EINVAL)
3423 + #define copy_hugetlb_page_range(src, dst, vma) ({ BUG(); 0; })
3424 +diff --git a/include/linux/i8253.h b/include/linux/i8253.h
3425 +index e6bb36a97519..8336b2f6f834 100644
3426 +--- a/include/linux/i8253.h
3427 ++++ b/include/linux/i8253.h
3428 +@@ -21,6 +21,7 @@
3429 + #define PIT_LATCH ((PIT_TICK_RATE + HZ/2) / HZ)
3430 +
3431 + extern raw_spinlock_t i8253_lock;
3432 ++extern bool i8253_clear_counter_on_shutdown;
3433 + extern struct clock_event_device i8253_clockevent;
3434 + extern void clockevent_i8253_init(bool oneshot);
3435 +
3436 +diff --git a/include/linux/mm.h b/include/linux/mm.h
3437 +index 1f4366567e7d..d4e8077fca96 100644
3438 +--- a/include/linux/mm.h
3439 ++++ b/include/linux/mm.h
3440 +@@ -2058,6 +2058,12 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
3441 + return vma;
3442 + }
3443 +
3444 ++static inline bool range_in_vma(struct vm_area_struct *vma,
3445 ++ unsigned long start, unsigned long end)
3446 ++{
3447 ++ return (vma && vma->vm_start <= start && end <= vma->vm_end);
3448 ++}
3449 ++
3450 + #ifdef CONFIG_MMU
3451 + pgprot_t vm_get_page_prot(unsigned long vm_flags);
3452 + void vma_set_page_prot(struct vm_area_struct *vma);
3453 +diff --git a/include/linux/tc.h b/include/linux/tc.h
3454 +index f92511e57cdb..a60639f37963 100644
3455 +--- a/include/linux/tc.h
3456 ++++ b/include/linux/tc.h
3457 +@@ -84,6 +84,7 @@ struct tc_dev {
3458 + device. */
3459 + struct device dev; /* Generic device interface. */
3460 + struct resource resource; /* Address space of this device. */
3461 ++ u64 dma_mask; /* DMA addressable range. */
3462 + char vendor[9];
3463 + char name[9];
3464 + char firmware[9];
3465 +diff --git a/kernel/bounds.c b/kernel/bounds.c
3466 +index e1d1d1952bfa..c37f68d758db 100644
3467 +--- a/kernel/bounds.c
3468 ++++ b/kernel/bounds.c
3469 +@@ -12,7 +12,7 @@
3470 + #include <linux/log2.h>
3471 + #include <linux/spinlock_types.h>
3472 +
3473 +-void foo(void)
3474 ++int main(void)
3475 + {
3476 + /* The enum constants to put into include/generated/bounds.h */
3477 + DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
3478 +@@ -22,4 +22,6 @@ void foo(void)
3479 + #endif
3480 + DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
3481 + /* End of constants */
3482 ++
3483 ++ return 0;
3484 + }
3485 +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
3486 +index 0df2b44dac7c..83cea913983c 100644
3487 +--- a/kernel/irq/manage.c
3488 ++++ b/kernel/irq/manage.c
3489 +@@ -864,6 +864,9 @@ irq_forced_thread_fn(struct irq_desc *desc, struct irqaction *action)
3490 +
3491 + local_bh_disable();
3492 + ret = action->thread_fn(action->irq, action->dev_id);
3493 ++ if (ret == IRQ_HANDLED)
3494 ++ atomic_inc(&desc->threads_handled);
3495 ++
3496 + irq_finalize_oneshot(desc, action);
3497 + local_bh_enable();
3498 + return ret;
3499 +@@ -880,6 +883,9 @@ static irqreturn_t irq_thread_fn(struct irq_desc *desc,
3500 + irqreturn_t ret;
3501 +
3502 + ret = action->thread_fn(action->irq, action->dev_id);
3503 ++ if (ret == IRQ_HANDLED)
3504 ++ atomic_inc(&desc->threads_handled);
3505 ++
3506 + irq_finalize_oneshot(desc, action);
3507 + return ret;
3508 + }
3509 +@@ -957,8 +963,6 @@ static int irq_thread(void *data)
3510 + irq_thread_check_affinity(desc, action);
3511 +
3512 + action_ret = handler_fn(desc, action);
3513 +- if (action_ret == IRQ_HANDLED)
3514 +- atomic_inc(&desc->threads_handled);
3515 + if (action_ret == IRQ_WAKE_THREAD)
3516 + irq_wake_secondary(desc, action);
3517 +
3518 +diff --git a/kernel/kprobes.c b/kernel/kprobes.c
3519 +index 388bcace62f8..d8daf6c55d2b 100644
3520 +--- a/kernel/kprobes.c
3521 ++++ b/kernel/kprobes.c
3522 +@@ -665,9 +665,10 @@ static void unoptimize_kprobe(struct kprobe *p, bool force)
3523 + }
3524 +
3525 + /* Cancel unoptimizing for reusing */
3526 +-static void reuse_unused_kprobe(struct kprobe *ap)
3527 ++static int reuse_unused_kprobe(struct kprobe *ap)
3528 + {
3529 + struct optimized_kprobe *op;
3530 ++ int ret;
3531 +
3532 + BUG_ON(!kprobe_unused(ap));
3533 + /*
3534 +@@ -681,8 +682,12 @@ static void reuse_unused_kprobe(struct kprobe *ap)
3535 + /* Enable the probe again */
3536 + ap->flags &= ~KPROBE_FLAG_DISABLED;
3537 + /* Optimize it again (remove from op->list) */
3538 +- BUG_ON(!kprobe_optready(ap));
3539 ++ ret = kprobe_optready(ap);
3540 ++ if (ret)
3541 ++ return ret;
3542 ++
3543 + optimize_kprobe(ap);
3544 ++ return 0;
3545 + }
3546 +
3547 + /* Remove optimized instructions */
3548 +@@ -894,11 +899,16 @@ static void __disarm_kprobe(struct kprobe *p, bool reopt)
3549 + #define kprobe_disarmed(p) kprobe_disabled(p)
3550 + #define wait_for_kprobe_optimizer() do {} while (0)
3551 +
3552 +-/* There should be no unused kprobes can be reused without optimization */
3553 +-static void reuse_unused_kprobe(struct kprobe *ap)
3554 ++static int reuse_unused_kprobe(struct kprobe *ap)
3555 + {
3556 ++ /*
3557 ++ * If the optimized kprobe is NOT supported, the aggr kprobe is
3558 ++ * released at the same time that the last aggregated kprobe is
3559 ++ * unregistered.
3560 ++ * Thus there should be no chance to reuse unused kprobe.
3561 ++ */
3562 + printk(KERN_ERR "Error: There should be no unused kprobe here.\n");
3563 +- BUG_ON(kprobe_unused(ap));
3564 ++ return -EINVAL;
3565 + }
3566 +
3567 + static void free_aggr_kprobe(struct kprobe *p)
3568 +@@ -1276,9 +1286,12 @@ static int register_aggr_kprobe(struct kprobe *orig_p, struct kprobe *p)
3569 + goto out;
3570 + }
3571 + init_aggr_kprobe(ap, orig_p);
3572 +- } else if (kprobe_unused(ap))
3573 ++ } else if (kprobe_unused(ap)) {
3574 + /* This probe is going to die. Rescue it */
3575 +- reuse_unused_kprobe(ap);
3576 ++ ret = reuse_unused_kprobe(ap);
3577 ++ if (ret)
3578 ++ goto out;
3579 ++ }
3580 +
3581 + if (kprobe_gone(ap)) {
3582 + /*
3583 +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
3584 +index 6e171b547a80..774ab79d3ec7 100644
3585 +--- a/kernel/locking/lockdep.c
3586 ++++ b/kernel/locking/lockdep.c
3587 +@@ -3826,7 +3826,7 @@ void lock_contended(struct lockdep_map *lock, unsigned long ip)
3588 + {
3589 + unsigned long flags;
3590 +
3591 +- if (unlikely(!lock_stat))
3592 ++ if (unlikely(!lock_stat || !debug_locks))
3593 + return;
3594 +
3595 + if (unlikely(current->lockdep_recursion))
3596 +@@ -3846,7 +3846,7 @@ void lock_acquired(struct lockdep_map *lock, unsigned long ip)
3597 + {
3598 + unsigned long flags;
3599 +
3600 +- if (unlikely(!lock_stat))
3601 ++ if (unlikely(!lock_stat || !debug_locks))
3602 + return;
3603 +
3604 + if (unlikely(current->lockdep_recursion))
3605 +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
3606 +index 0b5613554769..dd689ab22806 100644
3607 +--- a/kernel/printk/printk.c
3608 ++++ b/kernel/printk/printk.c
3609 +@@ -881,7 +881,12 @@ static void __init log_buf_len_update(unsigned size)
3610 + /* save requested log_buf_len since it's too early to process it */
3611 + static int __init log_buf_len_setup(char *str)
3612 + {
3613 +- unsigned size = memparse(str, &str);
3614 ++ unsigned int size;
3615 ++
3616 ++ if (!str)
3617 ++ return -EINVAL;
3618 ++
3619 ++ size = memparse(str, &str);
3620 +
3621 + log_buf_len_update(size);
3622 +
3623 +diff --git a/kernel/signal.c b/kernel/signal.c
3624 +index 8bfbc47f0a23..5b1313309356 100644
3625 +--- a/kernel/signal.c
3626 ++++ b/kernel/signal.c
3627 +@@ -991,7 +991,7 @@ static int __send_signal(int sig, struct siginfo *info, struct task_struct *t,
3628 +
3629 + result = TRACE_SIGNAL_IGNORED;
3630 + if (!prepare_signal(sig, t,
3631 +- from_ancestor_ns || (info == SEND_SIG_FORCED)))
3632 ++ from_ancestor_ns || (info == SEND_SIG_PRIV) || (info == SEND_SIG_FORCED)))
3633 + goto ret;
3634 +
3635 + pending = group ? &t->signal->shared_pending : &t->pending;
3636 +diff --git a/lib/debug_locks.c b/lib/debug_locks.c
3637 +index 96c4c633d95e..124fdf238b3d 100644
3638 +--- a/lib/debug_locks.c
3639 ++++ b/lib/debug_locks.c
3640 +@@ -37,7 +37,7 @@ EXPORT_SYMBOL_GPL(debug_locks_silent);
3641 + */
3642 + int debug_locks_off(void)
3643 + {
3644 +- if (__debug_locks_off()) {
3645 ++ if (debug_locks && __debug_locks_off()) {
3646 + if (!debug_locks_silent) {
3647 + console_verbose();
3648 + return 1;
3649 +diff --git a/mm/gup.c b/mm/gup.c
3650 +index b599526db9f7..018144c4b9ec 100644
3651 +--- a/mm/gup.c
3652 ++++ b/mm/gup.c
3653 +@@ -940,8 +940,6 @@ int __mm_populate(unsigned long start, unsigned long len, int ignore_errors)
3654 + int locked = 0;
3655 + long ret = 0;
3656 +
3657 +- VM_BUG_ON(start & ~PAGE_MASK);
3658 +- VM_BUG_ON(len != PAGE_ALIGN(len));
3659 + end = start + len;
3660 +
3661 + for (nstart = start; nstart < end; nstart = nend) {
3662 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
3663 +index a813b03021b7..6f99a0f906bb 100644
3664 +--- a/mm/hugetlb.c
3665 ++++ b/mm/hugetlb.c
3666 +@@ -3103,7 +3103,7 @@ static int is_hugetlb_entry_hwpoisoned(pte_t pte)
3667 + int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
3668 + struct vm_area_struct *vma)
3669 + {
3670 +- pte_t *src_pte, *dst_pte, entry;
3671 ++ pte_t *src_pte, *dst_pte, entry, dst_entry;
3672 + struct page *ptepage;
3673 + unsigned long addr;
3674 + int cow;
3675 +@@ -3131,15 +3131,30 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
3676 + break;
3677 + }
3678 +
3679 +- /* If the pagetables are shared don't copy or take references */
3680 +- if (dst_pte == src_pte)
3681 ++ /*
3682 ++ * If the pagetables are shared don't copy or take references.
3683 ++ * dst_pte == src_pte is the common case of src/dest sharing.
3684 ++ *
3685 ++ * However, src could have 'unshared' and dst shares with
3686 ++ * another vma. If dst_pte !none, this implies sharing.
3687 ++ * Check here before taking page table lock, and once again
3688 ++ * after taking the lock below.
3689 ++ */
3690 ++ dst_entry = huge_ptep_get(dst_pte);
3691 ++ if ((dst_pte == src_pte) || !huge_pte_none(dst_entry))
3692 + continue;
3693 +
3694 + dst_ptl = huge_pte_lock(h, dst, dst_pte);
3695 + src_ptl = huge_pte_lockptr(h, src, src_pte);
3696 + spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
3697 + entry = huge_ptep_get(src_pte);
3698 +- if (huge_pte_none(entry)) { /* skip none entry */
3699 ++ dst_entry = huge_ptep_get(dst_pte);
3700 ++ if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) {
3701 ++ /*
3702 ++ * Skip if src entry none. Also, skip in the
3703 ++ * unlikely case dst entry !none as this implies
3704 ++ * sharing with another vma.
3705 ++ */
3706 + ;
3707 + } else if (unlikely(is_hugetlb_entry_migration(entry) ||
3708 + is_hugetlb_entry_hwpoisoned(entry))) {
3709 +@@ -3537,6 +3552,12 @@ int huge_add_to_page_cache(struct page *page, struct address_space *mapping,
3710 + return err;
3711 + ClearPagePrivate(page);
3712 +
3713 ++ /*
3714 ++ * set page dirty so that it will not be removed from cache/file
3715 ++ * by non-hugetlbfs specific code paths.
3716 ++ */
3717 ++ set_page_dirty(page);
3718 ++
3719 + spin_lock(&inode->i_lock);
3720 + inode->i_blocks += blocks_per_huge_page(h);
3721 + spin_unlock(&inode->i_lock);
3722 +@@ -4195,12 +4216,40 @@ static bool vma_shareable(struct vm_area_struct *vma, unsigned long addr)
3723 + /*
3724 + * check on proper vm_flags and page table alignment
3725 + */
3726 +- if (vma->vm_flags & VM_MAYSHARE &&
3727 +- vma->vm_start <= base && end <= vma->vm_end)
3728 ++ if (vma->vm_flags & VM_MAYSHARE && range_in_vma(vma, base, end))
3729 + return true;
3730 + return false;
3731 + }
3732 +
3733 ++/*
3734 ++ * Determine if start,end range within vma could be mapped by shared pmd.
3735 ++ * If yes, adjust start and end to cover range associated with possible
3736 ++ * shared pmd mappings.
3737 ++ */
3738 ++void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
3739 ++ unsigned long *start, unsigned long *end)
3740 ++{
3741 ++ unsigned long check_addr = *start;
3742 ++
3743 ++ if (!(vma->vm_flags & VM_MAYSHARE))
3744 ++ return;
3745 ++
3746 ++ for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) {
3747 ++ unsigned long a_start = check_addr & PUD_MASK;
3748 ++ unsigned long a_end = a_start + PUD_SIZE;
3749 ++
3750 ++ /*
3751 ++ * If sharing is possible, adjust start/end if necessary.
3752 ++ */
3753 ++ if (range_in_vma(vma, a_start, a_end)) {
3754 ++ if (a_start < *start)
3755 ++ *start = a_start;
3756 ++ if (a_end > *end)
3757 ++ *end = a_end;
3758 ++ }
3759 ++ }
3760 ++}
3761 ++
3762 + /*
3763 + * Search for a shareable pmd page for hugetlb. In any case calls pmd_alloc()
3764 + * and returns the corresponding pte. While this is not necessary for the
3765 +@@ -4297,6 +4346,11 @@ int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep)
3766 + {
3767 + return 0;
3768 + }
3769 ++
3770 ++void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
3771 ++ unsigned long *start, unsigned long *end)
3772 ++{
3773 ++}
3774 + #define want_pmd_share() (0)
3775 + #endif /* CONFIG_ARCH_WANT_HUGE_PMD_SHARE */
3776 +
3777 +diff --git a/mm/mempolicy.c b/mm/mempolicy.c
3778 +index b777590c3e13..be9840bf11d1 100644
3779 +--- a/mm/mempolicy.c
3780 ++++ b/mm/mempolicy.c
3781 +@@ -2010,8 +2010,36 @@ retry_cpuset:
3782 + nmask = policy_nodemask(gfp, pol);
3783 + if (!nmask || node_isset(hpage_node, *nmask)) {
3784 + mpol_cond_put(pol);
3785 +- page = __alloc_pages_node(hpage_node,
3786 +- gfp | __GFP_THISNODE, order);
3787 ++ /*
3788 ++ * We cannot invoke reclaim if __GFP_THISNODE
3789 ++ * is set. Invoking reclaim with
3790 ++ * __GFP_THISNODE set, would cause THP
3791 ++ * allocations to trigger heavy swapping
3792 ++ * despite there may be tons of free memory
3793 ++ * (including potentially plenty of THP
3794 ++ * already available in the buddy) on all the
3795 ++ * other NUMA nodes.
3796 ++ *
3797 ++ * At most we could invoke compaction when
3798 ++ * __GFP_THISNODE is set (but we would need to
3799 ++ * refrain from invoking reclaim even if
3800 ++ * compaction returned COMPACT_SKIPPED because
3801 ++ * there wasn't not enough memory to succeed
3802 ++ * compaction). For now just avoid
3803 ++ * __GFP_THISNODE instead of limiting the
3804 ++ * allocation path to a strict and single
3805 ++ * compaction invocation.
3806 ++ *
3807 ++ * Supposedly if direct reclaim was enabled by
3808 ++ * the caller, the app prefers THP regardless
3809 ++ * of the node it comes from so this would be
3810 ++ * more desiderable behavior than only
3811 ++ * providing THP originated from the local
3812 ++ * node in such case.
3813 ++ */
3814 ++ if (!(gfp & __GFP_DIRECT_RECLAIM))
3815 ++ gfp |= __GFP_THISNODE;
3816 ++ page = __alloc_pages_node(hpage_node, gfp, order);
3817 + goto out;
3818 + }
3819 + }
3820 +diff --git a/mm/mmap.c b/mm/mmap.c
3821 +index 39f5fbd07486..3074dbcd9621 100644
3822 +--- a/mm/mmap.c
3823 ++++ b/mm/mmap.c
3824 +@@ -2817,10 +2817,6 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
3825 + pgoff_t pgoff = addr >> PAGE_SHIFT;
3826 + int error;
3827 +
3828 +- len = PAGE_ALIGN(len);
3829 +- if (!len)
3830 +- return addr;
3831 +-
3832 + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
3833 +
3834 + error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
3835 +@@ -2888,12 +2884,19 @@ out:
3836 + return addr;
3837 + }
3838 +
3839 +-unsigned long vm_brk(unsigned long addr, unsigned long len)
3840 ++unsigned long vm_brk(unsigned long addr, unsigned long request)
3841 + {
3842 + struct mm_struct *mm = current->mm;
3843 ++ unsigned long len;
3844 + unsigned long ret;
3845 + bool populate;
3846 +
3847 ++ len = PAGE_ALIGN(request);
3848 ++ if (len < request)
3849 ++ return -ENOMEM;
3850 ++ if (!len)
3851 ++ return addr;
3852 ++
3853 + down_write(&mm->mmap_sem);
3854 + ret = do_brk(addr, len);
3855 + populate = ((mm->def_flags & VM_LOCKED) != 0);
3856 +diff --git a/mm/rmap.c b/mm/rmap.c
3857 +index 1bceb49aa214..488dda209431 100644
3858 +--- a/mm/rmap.c
3859 ++++ b/mm/rmap.c
3860 +@@ -1324,12 +1324,41 @@ static int try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
3861 + pte_t pteval;
3862 + spinlock_t *ptl;
3863 + int ret = SWAP_AGAIN;
3864 ++ unsigned long sh_address;
3865 ++ bool pmd_sharing_possible = false;
3866 ++ unsigned long spmd_start, spmd_end;
3867 + enum ttu_flags flags = (enum ttu_flags)arg;
3868 +
3869 + /* munlock has nothing to gain from examining un-locked vmas */
3870 + if ((flags & TTU_MUNLOCK) && !(vma->vm_flags & VM_LOCKED))
3871 + goto out;
3872 +
3873 ++ /*
3874 ++ * Only use the range_start/end mmu notifiers if huge pmd sharing
3875 ++ * is possible. In the normal case, mmu_notifier_invalidate_page
3876 ++ * is sufficient as we only unmap a page. However, if we unshare
3877 ++ * a pmd, we will unmap a PUD_SIZE range.
3878 ++ */
3879 ++ if (PageHuge(page)) {
3880 ++ spmd_start = address;
3881 ++ spmd_end = spmd_start + vma_mmu_pagesize(vma);
3882 ++
3883 ++ /*
3884 ++ * Check if pmd sharing is possible. If possible, we could
3885 ++ * unmap a PUD_SIZE range. spmd_start/spmd_end will be
3886 ++ * modified if sharing is possible.
3887 ++ */
3888 ++ adjust_range_if_pmd_sharing_possible(vma, &spmd_start,
3889 ++ &spmd_end);
3890 ++ if (spmd_end - spmd_start != vma_mmu_pagesize(vma)) {
3891 ++ sh_address = address;
3892 ++
3893 ++ pmd_sharing_possible = true;
3894 ++ mmu_notifier_invalidate_range_start(vma->vm_mm,
3895 ++ spmd_start, spmd_end);
3896 ++ }
3897 ++ }
3898 ++
3899 + pte = page_check_address(page, mm, address, &ptl, 0);
3900 + if (!pte)
3901 + goto out;
3902 +@@ -1356,6 +1385,30 @@ static int try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
3903 + }
3904 + }
3905 +
3906 ++ /*
3907 ++ * Call huge_pmd_unshare to potentially unshare a huge pmd. Pass
3908 ++ * sh_address as it will be modified if unsharing is successful.
3909 ++ */
3910 ++ if (PageHuge(page) && huge_pmd_unshare(mm, &sh_address, pte)) {
3911 ++ /*
3912 ++ * huge_pmd_unshare unmapped an entire PMD page. There is
3913 ++ * no way of knowing exactly which PMDs may be cached for
3914 ++ * this mm, so flush them all. spmd_start/spmd_end cover
3915 ++ * this PUD_SIZE range.
3916 ++ */
3917 ++ flush_cache_range(vma, spmd_start, spmd_end);
3918 ++ flush_tlb_range(vma, spmd_start, spmd_end);
3919 ++
3920 ++ /*
3921 ++ * The ref count of the PMD page was dropped which is part
3922 ++ * of the way map counting is done for shared PMDs. When
3923 ++ * there is no other sharing, huge_pmd_unshare returns false
3924 ++ * and we will unmap the actual page and drop map count
3925 ++ * to zero.
3926 ++ */
3927 ++ goto out_unmap;
3928 ++ }
3929 ++
3930 + /* Nuke the page table entry. */
3931 + flush_cache_page(vma, address, page_to_pfn(page));
3932 + if (should_defer_flush(mm, flags)) {
3933 +@@ -1450,6 +1503,9 @@ out_unmap:
3934 + if (ret != SWAP_FAIL && ret != SWAP_MLOCK && !(flags & TTU_MUNLOCK))
3935 + mmu_notifier_invalidate_page(mm, address);
3936 + out:
3937 ++ if (pmd_sharing_possible)
3938 ++ mmu_notifier_invalidate_range_end(vma->vm_mm,
3939 ++ spmd_start, spmd_end);
3940 + return ret;
3941 + }
3942 +
3943 +diff --git a/net/9p/protocol.c b/net/9p/protocol.c
3944 +index 16d287565987..145f80518064 100644
3945 +--- a/net/9p/protocol.c
3946 ++++ b/net/9p/protocol.c
3947 +@@ -46,10 +46,15 @@ p9pdu_writef(struct p9_fcall *pdu, int proto_version, const char *fmt, ...);
3948 + void p9stat_free(struct p9_wstat *stbuf)
3949 + {
3950 + kfree(stbuf->name);
3951 ++ stbuf->name = NULL;
3952 + kfree(stbuf->uid);
3953 ++ stbuf->uid = NULL;
3954 + kfree(stbuf->gid);
3955 ++ stbuf->gid = NULL;
3956 + kfree(stbuf->muid);
3957 ++ stbuf->muid = NULL;
3958 + kfree(stbuf->extension);
3959 ++ stbuf->extension = NULL;
3960 + }
3961 + EXPORT_SYMBOL(p9stat_free);
3962 +
3963 +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
3964 +index 5169b9b36b6a..cfaacaa023e6 100644
3965 +--- a/net/ipv4/cipso_ipv4.c
3966 ++++ b/net/ipv4/cipso_ipv4.c
3967 +@@ -1582,7 +1582,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
3968 + *
3969 + * Description:
3970 + * Parse the packet's IP header looking for a CIPSO option. Returns a pointer
3971 +- * to the start of the CIPSO option on success, NULL if one if not found.
3972 ++ * to the start of the CIPSO option on success, NULL if one is not found.
3973 + *
3974 + */
3975 + unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
3976 +@@ -1592,10 +1592,8 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
3977 + int optlen;
3978 + int taglen;
3979 +
3980 +- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
3981 ++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
3982 + switch (optptr[0]) {
3983 +- case IPOPT_CIPSO:
3984 +- return optptr;
3985 + case IPOPT_END:
3986 + return NULL;
3987 + case IPOPT_NOOP:
3988 +@@ -1604,6 +1602,11 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
3989 + default:
3990 + taglen = optptr[1];
3991 + }
3992 ++ if (!taglen || taglen > optlen)
3993 ++ return NULL;
3994 ++ if (optptr[0] == IPOPT_CIPSO)
3995 ++ return optptr;
3996 ++
3997 + optlen -= taglen;
3998 + optptr += taglen;
3999 + }
4000 +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
4001 +index a6cbb2104667..71f15da72f02 100644
4002 +--- a/net/sunrpc/svc_xprt.c
4003 ++++ b/net/sunrpc/svc_xprt.c
4004 +@@ -945,7 +945,7 @@ static void call_xpt_users(struct svc_xprt *xprt)
4005 + spin_lock(&xprt->xpt_lock);
4006 + while (!list_empty(&xprt->xpt_users)) {
4007 + u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list);
4008 +- list_del(&u->list);
4009 ++ list_del_init(&u->list);
4010 + u->callback(u);
4011 + }
4012 + spin_unlock(&xprt->xpt_lock);
4013 +diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
4014 +index 4439ac4c1b53..9b8d855e4a87 100644
4015 +--- a/net/sunrpc/xdr.c
4016 ++++ b/net/sunrpc/xdr.c
4017 +@@ -639,11 +639,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)
4018 + WARN_ON_ONCE(xdr->iov);
4019 + return;
4020 + }
4021 +- if (fraglen) {
4022 ++ if (fraglen)
4023 + xdr->end = head->iov_base + head->iov_len;
4024 +- xdr->page_ptr--;
4025 +- }
4026 + /* (otherwise assume xdr->end is already set) */
4027 ++ xdr->page_ptr--;
4028 + head->iov_len = len;
4029 + buf->len = len;
4030 + xdr->p = head->iov_base + head->iov_len;
4031 +diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
4032 +index 816d175da79a..30aced99bc55 100644
4033 +--- a/security/integrity/ima/ima_fs.c
4034 ++++ b/security/integrity/ima/ima_fs.c
4035 +@@ -26,14 +26,14 @@
4036 + #include "ima.h"
4037 +
4038 + static int valid_policy = 1;
4039 +-#define TMPBUFLEN 12
4040 ++
4041 + static ssize_t ima_show_htable_value(char __user *buf, size_t count,
4042 + loff_t *ppos, atomic_long_t *val)
4043 + {
4044 +- char tmpbuf[TMPBUFLEN];
4045 ++ char tmpbuf[32]; /* greater than largest 'long' string value */
4046 + ssize_t len;
4047 +
4048 +- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
4049 ++ len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
4050 + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
4051 + }
4052 +
4053 +diff --git a/sound/pci/ca0106/ca0106.h b/sound/pci/ca0106/ca0106.h
4054 +index 04402c14cb23..9847b669cf3c 100644
4055 +--- a/sound/pci/ca0106/ca0106.h
4056 ++++ b/sound/pci/ca0106/ca0106.h
4057 +@@ -582,7 +582,7 @@
4058 + #define SPI_PL_BIT_R_R (2<<7) /* right channel = right */
4059 + #define SPI_PL_BIT_R_C (3<<7) /* right channel = (L+R)/2 */
4060 + #define SPI_IZD_REG 2
4061 +-#define SPI_IZD_BIT (1<<4) /* infinite zero detect */
4062 ++#define SPI_IZD_BIT (0<<4) /* infinite zero detect */
4063 +
4064 + #define SPI_FMT_REG 3
4065 + #define SPI_FMT_BIT_RJ (0<<0) /* right justified mode */
4066 +diff --git a/sound/pci/hda/hda_controller.h b/sound/pci/hda/hda_controller.h
4067 +index b17539537b2e..55ec4470f6b6 100644
4068 +--- a/sound/pci/hda/hda_controller.h
4069 ++++ b/sound/pci/hda/hda_controller.h
4070 +@@ -151,6 +151,7 @@ struct azx {
4071 + unsigned int msi:1;
4072 + unsigned int probing:1; /* codec probing phase */
4073 + unsigned int snoop:1;
4074 ++ unsigned int uc_buffer:1; /* non-cached pages for stream buffers */
4075 + unsigned int align_buffer_size:1;
4076 + unsigned int region_requested:1;
4077 + unsigned int disabled:1; /* disabled by vga_switcheroo */
4078 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
4079 +index 95a82e428f37..ecb07fb036af 100644
4080 +--- a/sound/pci/hda/hda_intel.c
4081 ++++ b/sound/pci/hda/hda_intel.c
4082 +@@ -401,7 +401,7 @@ static void __mark_pages_wc(struct azx *chip, struct snd_dma_buffer *dmab, bool
4083 + #ifdef CONFIG_SND_DMA_SGBUF
4084 + if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_SG) {
4085 + struct snd_sg_buf *sgbuf = dmab->private_data;
4086 +- if (chip->driver_type == AZX_DRIVER_CMEDIA)
4087 ++ if (!chip->uc_buffer)
4088 + return; /* deal with only CORB/RIRB buffers */
4089 + if (on)
4090 + set_pages_array_wc(sgbuf->page_table, sgbuf->pages);
4091 +@@ -1538,6 +1538,7 @@ static void azx_check_snoop_available(struct azx *chip)
4092 + dev_info(chip->card->dev, "Force to %s mode by module option\n",
4093 + snoop ? "snoop" : "non-snoop");
4094 + chip->snoop = snoop;
4095 ++ chip->uc_buffer = !snoop;
4096 + return;
4097 + }
4098 +
4099 +@@ -1558,8 +1559,12 @@ static void azx_check_snoop_available(struct azx *chip)
4100 + snoop = false;
4101 +
4102 + chip->snoop = snoop;
4103 +- if (!snoop)
4104 ++ if (!snoop) {
4105 + dev_info(chip->card->dev, "Force to non-snoop mode\n");
4106 ++ /* C-Media requires non-cached pages only for CORB/RIRB */
4107 ++ if (chip->driver_type != AZX_DRIVER_CMEDIA)
4108 ++ chip->uc_buffer = true;
4109 ++ }
4110 + }
4111 +
4112 + static void azx_probe_work(struct work_struct *work)
4113 +@@ -1958,7 +1963,7 @@ static void pcm_mmap_prepare(struct snd_pcm_substream *substream,
4114 + #ifdef CONFIG_X86
4115 + struct azx_pcm *apcm = snd_pcm_substream_chip(substream);
4116 + struct azx *chip = apcm->chip;
4117 +- if (!azx_snoop(chip) && chip->driver_type != AZX_DRIVER_CMEDIA)
4118 ++ if (chip->uc_buffer)
4119 + area->vm_page_prot = pgprot_writecombine(area->vm_page_prot);
4120 + #endif
4121 + }
4122 +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
4123 +index a1a3ce8c3f56..aea3cc2abe3a 100644
4124 +--- a/sound/pci/hda/patch_conexant.c
4125 ++++ b/sound/pci/hda/patch_conexant.c
4126 +@@ -867,6 +867,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
4127 + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
4128 + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
4129 + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
4130 ++ SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
4131 + SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
4132 + SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
4133 + SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
4134 +diff --git a/tools/perf/util/trace-event-info.c b/tools/perf/util/trace-event-info.c
4135 +index d995743cb673..58ce62088a39 100644
4136 +--- a/tools/perf/util/trace-event-info.c
4137 ++++ b/tools/perf/util/trace-event-info.c
4138 +@@ -507,12 +507,14 @@ struct tracing_data *tracing_data_get(struct list_head *pattrs,
4139 + "/tmp/perf-XXXXXX");
4140 + if (!mkstemp(tdata->temp_file)) {
4141 + pr_debug("Can't make temp file");
4142 ++ free(tdata);
4143 + return NULL;
4144 + }
4145 +
4146 + temp_fd = open(tdata->temp_file, O_RDWR);
4147 + if (temp_fd < 0) {
4148 + pr_debug("Can't read '%s'", tdata->temp_file);
4149 ++ free(tdata);
4150 + return NULL;
4151 + }
4152 +
4153 +diff --git a/tools/perf/util/trace-event-read.c b/tools/perf/util/trace-event-read.c
4154 +index b67a0ccf5ab9..23baee7b786a 100644
4155 +--- a/tools/perf/util/trace-event-read.c
4156 ++++ b/tools/perf/util/trace-event-read.c
4157 +@@ -334,9 +334,12 @@ static int read_event_files(struct pevent *pevent)
4158 + for (x=0; x < count; x++) {
4159 + size = read8(pevent);
4160 + ret = read_event_file(pevent, sys, size);
4161 +- if (ret)
4162 ++ if (ret) {
4163 ++ free(sys);
4164 + return ret;
4165 ++ }
4166 + }
4167 ++ free(sys);
4168 + }
4169 + return 0;
4170 + }
4171 +diff --git a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-syntax.tc b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-syntax.tc
4172 +new file mode 100644
4173 +index 000000000000..88e6c3f43006
4174 +--- /dev/null
4175 ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-syntax.tc
4176 +@@ -0,0 +1,80 @@
4177 ++#!/bin/sh
4178 ++# SPDX-License-Identifier: GPL-2.0
4179 ++# description: event trigger - test synthetic_events syntax parser
4180 ++
4181 ++do_reset() {
4182 ++ reset_trigger
4183 ++ echo > set_event
4184 ++ clear_trace
4185 ++}
4186 ++
4187 ++fail() { #msg
4188 ++ do_reset
4189 ++ echo $1
4190 ++ exit_fail
4191 ++}
4192 ++
4193 ++if [ ! -f set_event ]; then
4194 ++ echo "event tracing is not supported"
4195 ++ exit_unsupported
4196 ++fi
4197 ++
4198 ++if [ ! -f synthetic_events ]; then
4199 ++ echo "synthetic event is not supported"
4200 ++ exit_unsupported
4201 ++fi
4202 ++
4203 ++reset_tracer
4204 ++do_reset
4205 ++
4206 ++echo "Test synthetic_events syntax parser"
4207 ++
4208 ++echo > synthetic_events
4209 ++
4210 ++# synthetic event must have a field
4211 ++! echo "myevent" >> synthetic_events
4212 ++echo "myevent u64 var1" >> synthetic_events
4213 ++
4214 ++# synthetic event must be found in synthetic_events
4215 ++grep "myevent[[:space:]]u64 var1" synthetic_events
4216 ++
4217 ++# it is not possible to add same name event
4218 ++! echo "myevent u64 var2" >> synthetic_events
4219 ++
4220 ++# Non-append open will cleanup all events and add new one
4221 ++echo "myevent u64 var2" > synthetic_events
4222 ++
4223 ++# multiple fields with different spaces
4224 ++echo "myevent u64 var1; u64 var2;" > synthetic_events
4225 ++grep "myevent[[:space:]]u64 var1; u64 var2" synthetic_events
4226 ++echo "myevent u64 var1 ; u64 var2 ;" > synthetic_events
4227 ++grep "myevent[[:space:]]u64 var1; u64 var2" synthetic_events
4228 ++echo "myevent u64 var1 ;u64 var2" > synthetic_events
4229 ++grep "myevent[[:space:]]u64 var1; u64 var2" synthetic_events
4230 ++
4231 ++# test field types
4232 ++echo "myevent u32 var" > synthetic_events
4233 ++echo "myevent u16 var" > synthetic_events
4234 ++echo "myevent u8 var" > synthetic_events
4235 ++echo "myevent s64 var" > synthetic_events
4236 ++echo "myevent s32 var" > synthetic_events
4237 ++echo "myevent s16 var" > synthetic_events
4238 ++echo "myevent s8 var" > synthetic_events
4239 ++
4240 ++echo "myevent char var" > synthetic_events
4241 ++echo "myevent int var" > synthetic_events
4242 ++echo "myevent long var" > synthetic_events
4243 ++echo "myevent pid_t var" > synthetic_events
4244 ++
4245 ++echo "myevent unsigned char var" > synthetic_events
4246 ++echo "myevent unsigned int var" > synthetic_events
4247 ++echo "myevent unsigned long var" > synthetic_events
4248 ++grep "myevent[[:space:]]unsigned long var" synthetic_events
4249 ++
4250 ++# test string type
4251 ++echo "myevent char var[10]" > synthetic_events
4252 ++grep "myevent[[:space:]]char\[10\] var" synthetic_events
4253 ++
4254 ++do_reset
4255 ++
4256 ++exit 0
Report Message
Find on MARC Find on Google Groups