Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Mike Pagano (mpagano)" <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r2235 - genpatches-2.6/trunk/3.6
Date: Mon, 26 Nov 2012 22:21:57
Message-Id: 20121126222140.8B15B20C65@flycatcher.gentoo.org
1 Author: mpagano
2 Date: 2012-11-26 22:20:36 +0000 (Mon, 26 Nov 2012)
3 New Revision: 2235
4
5 Added:
6 genpatches-2.6/trunk/3.6/1006_linux-3.6.7.patch
7 genpatches-2.6/trunk/3.6/1007_linux-3.6.8.patch
8 Modified:
9 genpatches-2.6/trunk/3.6/0000_README
10 Log:
11 Linux patches 3.6.7 and 3.6.8
12
13 Modified: genpatches-2.6/trunk/3.6/0000_README
14 ===================================================================
15 --- genpatches-2.6/trunk/3.6/0000_README 2012-11-06 01:34:32 UTC (rev 2234)
16 +++ genpatches-2.6/trunk/3.6/0000_README 2012-11-26 22:20:36 UTC (rev 2235)
17 @@ -63,6 +63,14 @@
18 From: http://www.kernel.org
19 Desc: Linux 3.6.6
20
21 +Patch: 1006_linux-3.6.7.patch
22 +From: http://www.kernel.org
23 +Desc: Linux 3.6.7
24 +
25 +Patch: 1007_linux-3.6.8.patch
26 +From: http://www.kernel.org
27 +Desc: Linux 3.6.8
28 +
29 Patch: 2400_kcopy-patch-for-infiniband-driver.patch
30 From: Alexey Shvetsov <alexxy@g.o>
31 Desc: Zero copy for infiniband psm userspace driver
32
33 Added: genpatches-2.6/trunk/3.6/1006_linux-3.6.7.patch
34 ===================================================================
35 --- genpatches-2.6/trunk/3.6/1006_linux-3.6.7.patch (rev 0)
36 +++ genpatches-2.6/trunk/3.6/1006_linux-3.6.7.patch 2012-11-26 22:20:36 UTC (rev 2235)
37 @@ -0,0 +1,3082 @@
38 +diff --git a/Makefile b/Makefile
39 +index 471b83c..07f2308 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 3
44 + PATCHLEVEL = 6
45 +-SUBLEVEL = 6
46 ++SUBLEVEL = 7
47 + EXTRAVERSION =
48 + NAME = Terrified Chipmunk
49 +
50 +diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
51 +index 5141d80..dde1a3f 100644
52 +--- a/arch/x86/xen/mmu.c
53 ++++ b/arch/x86/xen/mmu.c
54 +@@ -1215,6 +1215,25 @@ unsigned long xen_read_cr2_direct(void)
55 + return this_cpu_read(xen_vcpu_info.arch.cr2);
56 + }
57 +
58 ++void xen_flush_tlb_all(void)
59 ++{
60 ++ struct mmuext_op *op;
61 ++ struct multicall_space mcs;
62 ++
63 ++ trace_xen_mmu_flush_tlb_all(0);
64 ++
65 ++ preempt_disable();
66 ++
67 ++ mcs = xen_mc_entry(sizeof(*op));
68 ++
69 ++ op = mcs.args;
70 ++ op->cmd = MMUEXT_TLB_FLUSH_ALL;
71 ++ MULTI_mmuext_op(mcs.mc, op, 1, NULL, DOMID_SELF);
72 ++
73 ++ xen_mc_issue(PARAVIRT_LAZY_MMU);
74 ++
75 ++ preempt_enable();
76 ++}
77 + static void xen_flush_tlb(void)
78 + {
79 + struct mmuext_op *op;
80 +@@ -2366,7 +2385,7 @@ int xen_remap_domain_mfn_range(struct vm_area_struct *vma,
81 + err = 0;
82 + out:
83 +
84 +- flush_tlb_all();
85 ++ xen_flush_tlb_all();
86 +
87 + return err;
88 + }
89 +diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
90 +index 5062eec..7aff5c7 100644
91 +--- a/drivers/gpu/drm/drm_fops.c
92 ++++ b/drivers/gpu/drm/drm_fops.c
93 +@@ -121,6 +121,8 @@ int drm_open(struct inode *inode, struct file *filp)
94 + int minor_id = iminor(inode);
95 + struct drm_minor *minor;
96 + int retcode = 0;
97 ++ int need_setup = 0;
98 ++ struct address_space *old_mapping;
99 +
100 + minor = idr_find(&drm_minors_idr, minor_id);
101 + if (!minor)
102 +@@ -132,23 +134,37 @@ int drm_open(struct inode *inode, struct file *filp)
103 + if (drm_device_is_unplugged(dev))
104 + return -ENODEV;
105 +
106 ++ if (!dev->open_count++)
107 ++ need_setup = 1;
108 ++ mutex_lock(&dev->struct_mutex);
109 ++ old_mapping = dev->dev_mapping;
110 ++ if (old_mapping == NULL)
111 ++ dev->dev_mapping = &inode->i_data;
112 ++ /* ihold ensures nobody can remove inode with our i_data */
113 ++ ihold(container_of(dev->dev_mapping, struct inode, i_data));
114 ++ inode->i_mapping = dev->dev_mapping;
115 ++ filp->f_mapping = dev->dev_mapping;
116 ++ mutex_unlock(&dev->struct_mutex);
117 ++
118 + retcode = drm_open_helper(inode, filp, dev);
119 +- if (!retcode) {
120 +- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
121 +- if (!dev->open_count++)
122 +- retcode = drm_setup(dev);
123 +- }
124 +- if (!retcode) {
125 +- mutex_lock(&dev->struct_mutex);
126 +- if (dev->dev_mapping == NULL)
127 +- dev->dev_mapping = &inode->i_data;
128 +- /* ihold ensures nobody can remove inode with our i_data */
129 +- ihold(container_of(dev->dev_mapping, struct inode, i_data));
130 +- inode->i_mapping = dev->dev_mapping;
131 +- filp->f_mapping = dev->dev_mapping;
132 +- mutex_unlock(&dev->struct_mutex);
133 ++ if (retcode)
134 ++ goto err_undo;
135 ++ atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
136 ++ if (need_setup) {
137 ++ retcode = drm_setup(dev);
138 ++ if (retcode)
139 ++ goto err_undo;
140 + }
141 ++ return 0;
142 +
143 ++err_undo:
144 ++ mutex_lock(&dev->struct_mutex);
145 ++ filp->f_mapping = old_mapping;
146 ++ inode->i_mapping = old_mapping;
147 ++ iput(container_of(dev->dev_mapping, struct inode, i_data));
148 ++ dev->dev_mapping = old_mapping;
149 ++ mutex_unlock(&dev->struct_mutex);
150 ++ dev->open_count--;
151 + return retcode;
152 + }
153 + EXPORT_SYMBOL(drm_open);
154 +diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
155 +index 914c0df..0969a7c 100644
156 +--- a/drivers/gpu/drm/i915/i915_dma.c
157 ++++ b/drivers/gpu/drm/i915/i915_dma.c
158 +@@ -1484,7 +1484,8 @@ int i915_driver_load(struct drm_device *dev, unsigned long flags)
159 + goto put_gmch;
160 + }
161 +
162 +- i915_kick_out_firmware_fb(dev_priv);
163 ++ if (drm_core_check_feature(dev, DRIVER_MODESET))
164 ++ i915_kick_out_firmware_fb(dev_priv);
165 +
166 + pci_set_master(dev->pdev);
167 +
168 +diff --git a/drivers/gpu/drm/i915/intel_overlay.c b/drivers/gpu/drm/i915/intel_overlay.c
169 +index 830d0dd..cf49a57 100644
170 +--- a/drivers/gpu/drm/i915/intel_overlay.c
171 ++++ b/drivers/gpu/drm/i915/intel_overlay.c
172 +@@ -431,9 +431,17 @@ static int intel_overlay_off(struct intel_overlay *overlay)
173 + intel_ring_emit(ring, flip_addr);
174 + intel_ring_emit(ring, MI_WAIT_FOR_EVENT | MI_WAIT_FOR_OVERLAY_FLIP);
175 + /* turn overlay off */
176 +- intel_ring_emit(ring, MI_OVERLAY_FLIP | MI_OVERLAY_OFF);
177 +- intel_ring_emit(ring, flip_addr);
178 +- intel_ring_emit(ring, MI_WAIT_FOR_EVENT | MI_WAIT_FOR_OVERLAY_FLIP);
179 ++ if (IS_I830(dev)) {
180 ++ /* Workaround: Don't disable the overlay fully, since otherwise
181 ++ * it dies on the next OVERLAY_ON cmd. */
182 ++ intel_ring_emit(ring, MI_NOOP);
183 ++ intel_ring_emit(ring, MI_NOOP);
184 ++ intel_ring_emit(ring, MI_NOOP);
185 ++ } else {
186 ++ intel_ring_emit(ring, MI_OVERLAY_FLIP | MI_OVERLAY_OFF);
187 ++ intel_ring_emit(ring, flip_addr);
188 ++ intel_ring_emit(ring, MI_WAIT_FOR_EVENT | MI_WAIT_FOR_OVERLAY_FLIP);
189 ++ }
190 + intel_ring_advance(ring);
191 +
192 + return intel_overlay_do_wait_request(overlay, request,
193 +diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
194 +index 123afd3..20cb52d 100644
195 +--- a/drivers/gpu/drm/i915/intel_sdvo.c
196 ++++ b/drivers/gpu/drm/i915/intel_sdvo.c
197 +@@ -882,6 +882,45 @@ static void intel_sdvo_dump_hdmi_buf(struct intel_sdvo *intel_sdvo)
198 + }
199 + #endif
200 +
201 ++static bool intel_sdvo_write_infoframe(struct intel_sdvo *intel_sdvo,
202 ++ unsigned if_index, uint8_t tx_rate,
203 ++ uint8_t *data, unsigned length)
204 ++{
205 ++ uint8_t set_buf_index[2] = { if_index, 0 };
206 ++ uint8_t hbuf_size, tmp[8];
207 ++ int i;
208 ++
209 ++ if (!intel_sdvo_set_value(intel_sdvo,
210 ++ SDVO_CMD_SET_HBUF_INDEX,
211 ++ set_buf_index, 2))
212 ++ return false;
213 ++
214 ++ if (!intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HBUF_INFO,
215 ++ &hbuf_size, 1))
216 ++ return false;
217 ++
218 ++ /* Buffer size is 0 based, hooray! */
219 ++ hbuf_size++;
220 ++
221 ++ DRM_DEBUG_KMS("writing sdvo hbuf: %i, hbuf_size %i, hbuf_size: %i\n",
222 ++ if_index, length, hbuf_size);
223 ++
224 ++ for (i = 0; i < hbuf_size; i += 8) {
225 ++ memset(tmp, 0, 8);
226 ++ if (i < length)
227 ++ memcpy(tmp, data + i, min_t(unsigned, 8, length - i));
228 ++
229 ++ if (!intel_sdvo_set_value(intel_sdvo,
230 ++ SDVO_CMD_SET_HBUF_DATA,
231 ++ tmp, 8))
232 ++ return false;
233 ++ }
234 ++
235 ++ return intel_sdvo_set_value(intel_sdvo,
236 ++ SDVO_CMD_SET_HBUF_TXRATE,
237 ++ &tx_rate, 1);
238 ++}
239 ++
240 + static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo)
241 + {
242 + struct dip_infoframe avi_if = {
243 +@@ -889,11 +928,7 @@ static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo)
244 + .ver = DIP_VERSION_AVI,
245 + .len = DIP_LEN_AVI,
246 + };
247 +- uint8_t tx_rate = SDVO_HBUF_TX_VSYNC;
248 +- uint8_t set_buf_index[2] = { 1, 0 };
249 + uint8_t sdvo_data[4 + sizeof(avi_if.body.avi)];
250 +- uint64_t *data = (uint64_t *)sdvo_data;
251 +- unsigned i;
252 +
253 + intel_dip_infoframe_csum(&avi_if);
254 +
255 +@@ -903,22 +938,9 @@ static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo)
256 + sdvo_data[3] = avi_if.checksum;
257 + memcpy(&sdvo_data[4], &avi_if.body, sizeof(avi_if.body.avi));
258 +
259 +- if (!intel_sdvo_set_value(intel_sdvo,
260 +- SDVO_CMD_SET_HBUF_INDEX,
261 +- set_buf_index, 2))
262 +- return false;
263 +-
264 +- for (i = 0; i < sizeof(sdvo_data); i += 8) {
265 +- if (!intel_sdvo_set_value(intel_sdvo,
266 +- SDVO_CMD_SET_HBUF_DATA,
267 +- data, 8))
268 +- return false;
269 +- data++;
270 +- }
271 +-
272 +- return intel_sdvo_set_value(intel_sdvo,
273 +- SDVO_CMD_SET_HBUF_TXRATE,
274 +- &tx_rate, 1);
275 ++ return intel_sdvo_write_infoframe(intel_sdvo, SDVO_HBUF_INDEX_AVI_IF,
276 ++ SDVO_HBUF_TX_VSYNC,
277 ++ sdvo_data, sizeof(sdvo_data));
278 + }
279 +
280 + static bool intel_sdvo_set_tv_format(struct intel_sdvo *intel_sdvo)
281 +diff --git a/drivers/gpu/drm/i915/intel_sdvo_regs.h b/drivers/gpu/drm/i915/intel_sdvo_regs.h
282 +index 9d03014..770bdd6 100644
283 +--- a/drivers/gpu/drm/i915/intel_sdvo_regs.h
284 ++++ b/drivers/gpu/drm/i915/intel_sdvo_regs.h
285 +@@ -708,6 +708,8 @@ struct intel_sdvo_enhancements_arg {
286 + #define SDVO_CMD_SET_AUDIO_STAT 0x91
287 + #define SDVO_CMD_GET_AUDIO_STAT 0x92
288 + #define SDVO_CMD_SET_HBUF_INDEX 0x93
289 ++ #define SDVO_HBUF_INDEX_ELD 0
290 ++ #define SDVO_HBUF_INDEX_AVI_IF 1
291 + #define SDVO_CMD_GET_HBUF_INDEX 0x94
292 + #define SDVO_CMD_GET_HBUF_INFO 0x95
293 + #define SDVO_CMD_SET_HBUF_AV_SPLIT 0x96
294 +diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c
295 +index e932810..4a33cdc 100644
296 +--- a/drivers/gpu/drm/radeon/evergreen_cs.c
297 ++++ b/drivers/gpu/drm/radeon/evergreen_cs.c
298 +@@ -2725,6 +2725,9 @@ static bool evergreen_vm_reg_valid(u32 reg)
299 + /* check config regs */
300 + switch (reg) {
301 + case GRBM_GFX_INDEX:
302 ++ case CP_STRMOUT_CNTL:
303 ++ case CP_COHER_CNTL:
304 ++ case CP_COHER_SIZE:
305 + case VGT_VTX_VECT_EJECT_REG:
306 + case VGT_CACHE_INVALIDATION:
307 + case VGT_GS_VERTEX_REUSE:
308 +diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h
309 +index 7934785..302af4f 100644
310 +--- a/drivers/gpu/drm/radeon/evergreend.h
311 ++++ b/drivers/gpu/drm/radeon/evergreend.h
312 +@@ -87,6 +87,10 @@
313 +
314 + #define CONFIG_MEMSIZE 0x5428
315 +
316 ++#define CP_STRMOUT_CNTL 0x84FC
317 ++
318 ++#define CP_COHER_CNTL 0x85F0
319 ++#define CP_COHER_SIZE 0x85F4
320 + #define CP_COHER_BASE 0x85F8
321 + #define CP_STALLED_STAT1 0x8674
322 + #define CP_STALLED_STAT2 0x8678
323 +diff --git a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
324 +index d16f50f..dd402bb 100644
325 +--- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
326 ++++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
327 +@@ -651,6 +651,7 @@ static enum drm_connector_status radeon_legacy_primary_dac_detect(struct drm_enc
328 + tmp |= RADEON_DAC_RANGE_CNTL_PS2 | RADEON_DAC_CMP_EN;
329 + WREG32(RADEON_DAC_CNTL, tmp);
330 +
331 ++ tmp = dac_macro_cntl;
332 + tmp &= ~(RADEON_DAC_PDWN_R |
333 + RADEON_DAC_PDWN_G |
334 + RADEON_DAC_PDWN_B);
335 +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
336 +index 0139e22..6ab4a90 100644
337 +--- a/drivers/gpu/drm/radeon/si.c
338 ++++ b/drivers/gpu/drm/radeon/si.c
339 +@@ -2472,6 +2472,7 @@ static bool si_vm_reg_valid(u32 reg)
340 + /* check config regs */
341 + switch (reg) {
342 + case GRBM_GFX_INDEX:
343 ++ case CP_STRMOUT_CNTL:
344 + case VGT_VTX_VECT_EJECT_REG:
345 + case VGT_CACHE_INVALIDATION:
346 + case VGT_ESGS_RING_SIZE:
347 +diff --git a/drivers/gpu/drm/radeon/sid.h b/drivers/gpu/drm/radeon/sid.h
348 +index ef4815c..6f0083a 100644
349 +--- a/drivers/gpu/drm/radeon/sid.h
350 ++++ b/drivers/gpu/drm/radeon/sid.h
351 +@@ -424,6 +424,7 @@
352 + # define RDERR_INT_ENABLE (1 << 0)
353 + # define GUI_IDLE_INT_ENABLE (1 << 19)
354 +
355 ++#define CP_STRMOUT_CNTL 0x84FC
356 + #define SCRATCH_REG0 0x8500
357 + #define SCRATCH_REG1 0x8504
358 + #define SCRATCH_REG2 0x8508
359 +diff --git a/drivers/gpu/drm/udl/udl_drv.h b/drivers/gpu/drm/udl/udl_drv.h
360 +index fccd361..87aa5f5 100644
361 +--- a/drivers/gpu/drm/udl/udl_drv.h
362 ++++ b/drivers/gpu/drm/udl/udl_drv.h
363 +@@ -104,7 +104,7 @@ udl_fb_user_fb_create(struct drm_device *dev,
364 +
365 + int udl_render_hline(struct drm_device *dev, int bpp, struct urb **urb_ptr,
366 + const char *front, char **urb_buf_ptr,
367 +- u32 byte_offset, u32 byte_width,
368 ++ u32 byte_offset, u32 device_byte_offset, u32 byte_width,
369 + int *ident_ptr, int *sent_ptr);
370 +
371 + int udl_dumb_create(struct drm_file *file_priv,
372 +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
373 +index ce9a611..6f6ca50 100644
374 +--- a/drivers/gpu/drm/udl/udl_fb.c
375 ++++ b/drivers/gpu/drm/udl/udl_fb.c
376 +@@ -114,9 +114,10 @@ static void udlfb_dpy_deferred_io(struct fb_info *info,
377 + list_for_each_entry(cur, &fbdefio->pagelist, lru) {
378 +
379 + if (udl_render_hline(dev, (ufbdev->ufb.base.bits_per_pixel / 8),
380 +- &urb, (char *) info->fix.smem_start,
381 +- &cmd, cur->index << PAGE_SHIFT,
382 +- PAGE_SIZE, &bytes_identical, &bytes_sent))
383 ++ &urb, (char *) info->fix.smem_start,
384 ++ &cmd, cur->index << PAGE_SHIFT,
385 ++ cur->index << PAGE_SHIFT,
386 ++ PAGE_SIZE, &bytes_identical, &bytes_sent))
387 + goto error;
388 + bytes_rendered += PAGE_SIZE;
389 + }
390 +@@ -187,10 +188,11 @@ int udl_handle_damage(struct udl_framebuffer *fb, int x, int y,
391 + for (i = y; i < y + height ; i++) {
392 + const int line_offset = fb->base.pitches[0] * i;
393 + const int byte_offset = line_offset + (x * bpp);
394 +-
395 ++ const int dev_byte_offset = (fb->base.width * bpp * i) + (x * bpp);
396 + if (udl_render_hline(dev, bpp, &urb,
397 + (char *) fb->obj->vmapping,
398 +- &cmd, byte_offset, width * bpp,
399 ++ &cmd, byte_offset, dev_byte_offset,
400 ++ width * bpp,
401 + &bytes_identical, &bytes_sent))
402 + goto error;
403 + }
404 +diff --git a/drivers/gpu/drm/udl/udl_transfer.c b/drivers/gpu/drm/udl/udl_transfer.c
405 +index b9320e2..fc11344 100644
406 +--- a/drivers/gpu/drm/udl/udl_transfer.c
407 ++++ b/drivers/gpu/drm/udl/udl_transfer.c
408 +@@ -213,11 +213,12 @@ static void udl_compress_hline16(
409 + */
410 + int udl_render_hline(struct drm_device *dev, int bpp, struct urb **urb_ptr,
411 + const char *front, char **urb_buf_ptr,
412 +- u32 byte_offset, u32 byte_width,
413 ++ u32 byte_offset, u32 device_byte_offset,
414 ++ u32 byte_width,
415 + int *ident_ptr, int *sent_ptr)
416 + {
417 + const u8 *line_start, *line_end, *next_pixel;
418 +- u32 base16 = 0 + (byte_offset / bpp) * 2;
419 ++ u32 base16 = 0 + (device_byte_offset / bpp) * 2;
420 + struct urb *urb = *urb_ptr;
421 + u8 *cmd = *urb_buf_ptr;
422 + u8 *cmd_end = (u8 *) urb->transfer_buffer + urb->transfer_buffer_length;
423 +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c
424 +index 3fa884d..27151f7 100644
425 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c
426 ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c
427 +@@ -306,7 +306,7 @@ void vmw_bo_pin(struct ttm_buffer_object *bo, bool pin)
428 +
429 + BUG_ON(!atomic_read(&bo->reserved));
430 + BUG_ON(old_mem_type != TTM_PL_VRAM &&
431 +- old_mem_type != VMW_PL_FLAG_GMR);
432 ++ old_mem_type != VMW_PL_GMR);
433 +
434 + pl_flags = TTM_PL_FLAG_VRAM | VMW_PL_FLAG_GMR | TTM_PL_FLAG_CACHED;
435 + if (pin)
436 +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
437 +index ba2c35d..4a04ae0 100644
438 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
439 ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
440 +@@ -1099,6 +1099,11 @@ static void vmw_pm_complete(struct device *kdev)
441 + struct drm_device *dev = pci_get_drvdata(pdev);
442 + struct vmw_private *dev_priv = vmw_priv(dev);
443 +
444 ++ mutex_lock(&dev_priv->hw_mutex);
445 ++ vmw_write(dev_priv, SVGA_REG_ID, SVGA_ID_2);
446 ++ (void) vmw_read(dev_priv, SVGA_REG_ID);
447 ++ mutex_unlock(&dev_priv->hw_mutex);
448 ++
449 + /**
450 + * Reclaim 3d reference held by fbdev and potentially
451 + * start fifo.
452 +diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
453 +index 1821b74..de3c7e0 100644
454 +--- a/drivers/hwmon/w83627ehf.c
455 ++++ b/drivers/hwmon/w83627ehf.c
456 +@@ -2083,6 +2083,7 @@ static int __devinit w83627ehf_probe(struct platform_device *pdev)
457 + mutex_init(&data->lock);
458 + mutex_init(&data->update_lock);
459 + data->name = w83627ehf_device_names[sio_data->kind];
460 ++ data->bank = 0xff; /* Force initial bank selection */
461 + platform_set_drvdata(pdev, data);
462 +
463 + /* 627EHG and 627EHF have 10 voltage inputs; 627DHG and 667HG have 9 */
464 +diff --git a/drivers/input/touchscreen/tsc40.c b/drivers/input/touchscreen/tsc40.c
465 +index 63209aa..eb96f16 100644
466 +--- a/drivers/input/touchscreen/tsc40.c
467 ++++ b/drivers/input/touchscreen/tsc40.c
468 +@@ -107,7 +107,6 @@ static int tsc_connect(struct serio *serio, struct serio_driver *drv)
469 + __set_bit(BTN_TOUCH, input_dev->keybit);
470 + input_set_abs_params(ptsc->dev, ABS_X, 0, 0x3ff, 0, 0);
471 + input_set_abs_params(ptsc->dev, ABS_Y, 0, 0x3ff, 0, 0);
472 +- input_set_abs_params(ptsc->dev, ABS_PRESSURE, 0, 0, 0, 0);
473 +
474 + serio_set_drvdata(serio, ptsc);
475 +
476 +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
477 +index 9a11dc3..b1facf9 100644
478 +--- a/drivers/mmc/host/sdhci.c
479 ++++ b/drivers/mmc/host/sdhci.c
480 +@@ -1307,16 +1307,19 @@ static void sdhci_request(struct mmc_host *mmc, struct mmc_request *mrq)
481 + */
482 + if ((host->flags & SDHCI_NEEDS_RETUNING) &&
483 + !(present_state & (SDHCI_DOING_WRITE | SDHCI_DOING_READ))) {
484 +- /* eMMC uses cmd21 while sd and sdio use cmd19 */
485 +- tuning_opcode = mmc->card->type == MMC_TYPE_MMC ?
486 +- MMC_SEND_TUNING_BLOCK_HS200 :
487 +- MMC_SEND_TUNING_BLOCK;
488 +- spin_unlock_irqrestore(&host->lock, flags);
489 +- sdhci_execute_tuning(mmc, tuning_opcode);
490 +- spin_lock_irqsave(&host->lock, flags);
491 +-
492 +- /* Restore original mmc_request structure */
493 +- host->mrq = mrq;
494 ++ if (mmc->card) {
495 ++ /* eMMC uses cmd21 but sd and sdio use cmd19 */
496 ++ tuning_opcode =
497 ++ mmc->card->type == MMC_TYPE_MMC ?
498 ++ MMC_SEND_TUNING_BLOCK_HS200 :
499 ++ MMC_SEND_TUNING_BLOCK;
500 ++ spin_unlock_irqrestore(&host->lock, flags);
501 ++ sdhci_execute_tuning(mmc, tuning_opcode);
502 ++ spin_lock_irqsave(&host->lock, flags);
503 ++
504 ++ /* Restore original mmc_request structure */
505 ++ host->mrq = mrq;
506 ++ }
507 + }
508 +
509 + if (mrq->sbc && !(host->flags & SDHCI_AUTO_CMD23))
510 +diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
511 +index ba0e493..9058d21 100644
512 +--- a/drivers/mmc/host/sh_mmcif.c
513 ++++ b/drivers/mmc/host/sh_mmcif.c
514 +@@ -1464,9 +1464,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
515 +
516 + platform_set_drvdata(pdev, NULL);
517 +
518 ++ clk_disable(host->hclk);
519 + mmc_free_host(host->mmc);
520 + pm_runtime_put_sync(&pdev->dev);
521 +- clk_disable(host->hclk);
522 + pm_runtime_disable(&pdev->dev);
523 +
524 + return 0;
525 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
526 +index 56b20d1..116f0e9 100644
527 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
528 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
529 +@@ -2673,6 +2673,9 @@ static int ixgbe_get_ts_info(struct net_device *dev,
530 + case ixgbe_mac_X540:
531 + case ixgbe_mac_82599EB:
532 + info->so_timestamping =
533 ++ SOF_TIMESTAMPING_TX_SOFTWARE |
534 ++ SOF_TIMESTAMPING_RX_SOFTWARE |
535 ++ SOF_TIMESTAMPING_SOFTWARE |
536 + SOF_TIMESTAMPING_TX_HARDWARE |
537 + SOF_TIMESTAMPING_RX_HARDWARE |
538 + SOF_TIMESTAMPING_RAW_HARDWARE;
539 +diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
540 +index 53743f7..af8b414 100644
541 +--- a/drivers/net/ethernet/nxp/lpc_eth.c
542 ++++ b/drivers/net/ethernet/nxp/lpc_eth.c
543 +@@ -1524,6 +1524,7 @@ static int lpc_eth_drv_remove(struct platform_device *pdev)
544 + pldat->dma_buff_base_p);
545 + free_irq(ndev->irq, ndev);
546 + iounmap(pldat->net_base);
547 ++ mdiobus_unregister(pldat->mii_bus);
548 + mdiobus_free(pldat->mii_bus);
549 + clk_disable(pldat->clk);
550 + clk_put(pldat->clk);
551 +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
552 +index fc9f578..9c382b5 100644
553 +--- a/drivers/net/usb/usbnet.c
554 ++++ b/drivers/net/usb/usbnet.c
555 +@@ -1158,6 +1158,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
556 + usb_anchor_urb(urb, &dev->deferred);
557 + /* no use to process more packets */
558 + netif_stop_queue(net);
559 ++ usb_put_urb(urb);
560 + spin_unlock_irqrestore(&dev->txq.lock, flags);
561 + netdev_dbg(dev->net, "Delaying transmission for resumption\n");
562 + goto deferred;
563 +@@ -1310,6 +1311,8 @@ void usbnet_disconnect (struct usb_interface *intf)
564 +
565 + cancel_work_sync(&dev->kevent);
566 +
567 ++ usb_scuttle_anchored_urbs(&dev->deferred);
568 ++
569 + if (dev->driver_info->unbind)
570 + dev->driver_info->unbind (dev, intf);
571 +
572 +diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
573 +index 423a9f3..88b6acc 100644
574 +--- a/drivers/net/wireless/ath/ath9k/xmit.c
575 ++++ b/drivers/net/wireless/ath/ath9k/xmit.c
576 +@@ -312,6 +312,7 @@ static struct ath_buf *ath_tx_get_buffer(struct ath_softc *sc)
577 + }
578 +
579 + bf = list_first_entry(&sc->tx.txbuf, struct ath_buf, list);
580 ++ bf->bf_next = NULL;
581 + list_del(&bf->list);
582 +
583 + spin_unlock_bh(&sc->tx.txbuflock);
584 +@@ -393,7 +394,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
585 + u16 seq_st = 0, acked_cnt = 0, txfail_cnt = 0, seq_first;
586 + u32 ba[WME_BA_BMP_SIZE >> 5];
587 + int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0;
588 +- bool rc_update = true;
589 ++ bool rc_update = true, isba;
590 + struct ieee80211_tx_rate rates[4];
591 + struct ath_frame_info *fi;
592 + int nframes;
593 +@@ -437,13 +438,17 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
594 + tidno = ieee80211_get_qos_ctl(hdr)[0] & IEEE80211_QOS_CTL_TID_MASK;
595 + tid = ATH_AN_2_TID(an, tidno);
596 + seq_first = tid->seq_start;
597 ++ isba = ts->ts_flags & ATH9K_TX_BA;
598 +
599 + /*
600 + * The hardware occasionally sends a tx status for the wrong TID.
601 + * In this case, the BA status cannot be considered valid and all
602 + * subframes need to be retransmitted
603 ++ *
604 ++ * Only BlockAcks have a TID and therefore normal Acks cannot be
605 ++ * checked
606 + */
607 +- if (tidno != ts->tid)
608 ++ if (isba && tidno != ts->tid)
609 + txok = false;
610 +
611 + isaggr = bf_isaggr(bf);
612 +@@ -1774,6 +1779,7 @@ static void ath_tx_send_normal(struct ath_softc *sc, struct ath_txq *txq,
613 + list_add_tail(&bf->list, &bf_head);
614 + bf->bf_state.bf_type = 0;
615 +
616 ++ bf->bf_next = NULL;
617 + bf->bf_lastbf = bf;
618 + ath_tx_fill_desc(sc, bf, txq, fi->framelen);
619 + ath_tx_txqaddbuf(sc, txq, &bf_head, false);
620 +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
621 +index b93516d..1345bdd 100644
622 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c
623 ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
624 +@@ -2395,7 +2395,7 @@ static int rt2800_get_gain_calibration_delta(struct rt2x00_dev *rt2x00dev)
625 + /*
626 + * Check if temperature compensation is supported.
627 + */
628 +- if (tssi_bounds[4] == 0xff)
629 ++ if (tssi_bounds[4] == 0xff || step == 0xff)
630 + return 0;
631 +
632 + /*
633 +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
634 +index dd4fce2..6b6f50a 100644
635 +--- a/drivers/target/iscsi/iscsi_target.c
636 ++++ b/drivers/target/iscsi/iscsi_target.c
637 +@@ -3735,7 +3735,9 @@ restart:
638 + */
639 + iscsit_thread_check_cpumask(conn, current, 1);
640 +
641 +- schedule_timeout_interruptible(MAX_SCHEDULE_TIMEOUT);
642 ++ wait_event_interruptible(conn->queues_wq,
643 ++ !iscsit_conn_all_queues_empty(conn) ||
644 ++ ts->status == ISCSI_THREAD_SET_RESET);
645 +
646 + if ((ts->status == ISCSI_THREAD_SET_RESET) ||
647 + signal_pending(current))
648 +diff --git a/drivers/target/iscsi/iscsi_target_core.h b/drivers/target/iscsi/iscsi_target_core.h
649 +index a90294f..1d63d56 100644
650 +--- a/drivers/target/iscsi/iscsi_target_core.h
651 ++++ b/drivers/target/iscsi/iscsi_target_core.h
652 +@@ -486,6 +486,7 @@ struct iscsi_tmr_req {
653 + };
654 +
655 + struct iscsi_conn {
656 ++ wait_queue_head_t queues_wq;
657 + /* Authentication Successful for this connection */
658 + u8 auth_complete;
659 + /* State connection is currently in */
660 +diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
661 +index 6aba439..7b643ab 100644
662 +--- a/drivers/target/iscsi/iscsi_target_login.c
663 ++++ b/drivers/target/iscsi/iscsi_target_login.c
664 +@@ -45,6 +45,7 @@ extern spinlock_t sess_idr_lock;
665 +
666 + static int iscsi_login_init_conn(struct iscsi_conn *conn)
667 + {
668 ++ init_waitqueue_head(&conn->queues_wq);
669 + INIT_LIST_HEAD(&conn->conn_list);
670 + INIT_LIST_HEAD(&conn->conn_cmd_list);
671 + INIT_LIST_HEAD(&conn->immed_queue_list);
672 +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
673 +index b42cdeb..552f45a 100644
674 +--- a/drivers/target/iscsi/iscsi_target_util.c
675 ++++ b/drivers/target/iscsi/iscsi_target_util.c
676 +@@ -488,7 +488,7 @@ void iscsit_add_cmd_to_immediate_queue(
677 + atomic_set(&conn->check_immediate_queue, 1);
678 + spin_unlock_bh(&conn->immed_queue_lock);
679 +
680 +- wake_up_process(conn->thread_set->tx_thread);
681 ++ wake_up(&conn->queues_wq);
682 + }
683 +
684 + struct iscsi_queue_req *iscsit_get_cmd_from_immediate_queue(struct iscsi_conn *conn)
685 +@@ -562,7 +562,7 @@ void iscsit_add_cmd_to_response_queue(
686 + atomic_inc(&cmd->response_queue_count);
687 + spin_unlock_bh(&conn->response_queue_lock);
688 +
689 +- wake_up_process(conn->thread_set->tx_thread);
690 ++ wake_up(&conn->queues_wq);
691 + }
692 +
693 + struct iscsi_queue_req *iscsit_get_cmd_from_response_queue(struct iscsi_conn *conn)
694 +@@ -616,6 +616,24 @@ static void iscsit_remove_cmd_from_response_queue(
695 + }
696 + }
697 +
698 ++bool iscsit_conn_all_queues_empty(struct iscsi_conn *conn)
699 ++{
700 ++ bool empty;
701 ++
702 ++ spin_lock_bh(&conn->immed_queue_lock);
703 ++ empty = list_empty(&conn->immed_queue_list);
704 ++ spin_unlock_bh(&conn->immed_queue_lock);
705 ++
706 ++ if (!empty)
707 ++ return empty;
708 ++
709 ++ spin_lock_bh(&conn->response_queue_lock);
710 ++ empty = list_empty(&conn->response_queue_list);
711 ++ spin_unlock_bh(&conn->response_queue_lock);
712 ++
713 ++ return empty;
714 ++}
715 ++
716 + void iscsit_free_queue_reqs_for_conn(struct iscsi_conn *conn)
717 + {
718 + struct iscsi_queue_req *qr, *qr_tmp;
719 +diff --git a/drivers/target/iscsi/iscsi_target_util.h b/drivers/target/iscsi/iscsi_target_util.h
720 +index e1c729b..2ff9bbc 100644
721 +--- a/drivers/target/iscsi/iscsi_target_util.h
722 ++++ b/drivers/target/iscsi/iscsi_target_util.h
723 +@@ -25,6 +25,7 @@ extern struct iscsi_queue_req *iscsit_get_cmd_from_immediate_queue(struct iscsi_
724 + extern void iscsit_add_cmd_to_response_queue(struct iscsi_cmd *, struct iscsi_conn *, u8);
725 + extern struct iscsi_queue_req *iscsit_get_cmd_from_response_queue(struct iscsi_conn *);
726 + extern void iscsit_remove_cmd_from_tx_queues(struct iscsi_cmd *, struct iscsi_conn *);
727 ++extern bool iscsit_conn_all_queues_empty(struct iscsi_conn *);
728 + extern void iscsit_free_queue_reqs_for_conn(struct iscsi_conn *);
729 + extern void iscsit_release_cmd(struct iscsi_cmd *);
730 + extern void iscsit_free_cmd(struct iscsi_cmd *);
731 +diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
732 +index 06aca11..ac0b69f 100644
733 +--- a/drivers/target/target_core_configfs.c
734 ++++ b/drivers/target/target_core_configfs.c
735 +@@ -3214,7 +3214,8 @@ static int __init target_core_init_configfs(void)
736 + if (ret < 0)
737 + goto out;
738 +
739 +- if (core_dev_setup_virtual_lun0() < 0)
740 ++ ret = core_dev_setup_virtual_lun0();
741 ++ if (ret < 0)
742 + goto out;
743 +
744 + return 0;
745 +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
746 +index 9fc9a60..68d4c10 100644
747 +--- a/drivers/target/target_core_device.c
748 ++++ b/drivers/target/target_core_device.c
749 +@@ -850,20 +850,20 @@ int se_dev_check_shutdown(struct se_device *dev)
750 +
751 + static u32 se_dev_align_max_sectors(u32 max_sectors, u32 block_size)
752 + {
753 +- u32 tmp, aligned_max_sectors;
754 ++ u32 aligned_max_sectors;
755 ++ u32 alignment;
756 + /*
757 + * Limit max_sectors to a PAGE_SIZE aligned value for modern
758 + * transport_allocate_data_tasks() operation.
759 + */
760 +- tmp = rounddown((max_sectors * block_size), PAGE_SIZE);
761 +- aligned_max_sectors = (tmp / block_size);
762 +- if (max_sectors != aligned_max_sectors) {
763 +- printk(KERN_INFO "Rounding down aligned max_sectors from %u"
764 +- " to %u\n", max_sectors, aligned_max_sectors);
765 +- return aligned_max_sectors;
766 +- }
767 ++ alignment = max(1ul, PAGE_SIZE / block_size);
768 ++ aligned_max_sectors = rounddown(max_sectors, alignment);
769 ++
770 ++ if (max_sectors != aligned_max_sectors)
771 ++ pr_info("Rounding down aligned max_sectors from %u to %u\n",
772 ++ max_sectors, aligned_max_sectors);
773 +
774 +- return max_sectors;
775 ++ return aligned_max_sectors;
776 + }
777 +
778 + void se_dev_set_default_attribs(
779 +diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c
780 +index 9229bd9..6fd434d 100644
781 +--- a/drivers/target/target_core_spc.c
782 ++++ b/drivers/target/target_core_spc.c
783 +@@ -605,6 +605,8 @@ static int spc_emulate_inquiry(struct se_cmd *cmd)
784 + unsigned char buf[SE_INQUIRY_BUF];
785 + int p, ret;
786 +
787 ++ memset(buf, 0, SE_INQUIRY_BUF);
788 ++
789 + if (dev == tpg->tpg_virt_lun0.lun_se_dev)
790 + buf[0] = 0x3f; /* Not connected */
791 + else
792 +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
793 +index 1c59a3c..be75c43 100644
794 +--- a/drivers/target/target_core_tmr.c
795 ++++ b/drivers/target/target_core_tmr.c
796 +@@ -140,15 +140,15 @@ void core_tmr_abort_task(
797 + printk("ABORT_TASK: Found referenced %s task_tag: %u\n",
798 + se_cmd->se_tfo->get_fabric_name(), ref_tag);
799 +
800 +- spin_lock_irq(&se_cmd->t_state_lock);
801 ++ spin_lock(&se_cmd->t_state_lock);
802 + if (se_cmd->transport_state & CMD_T_COMPLETE) {
803 + printk("ABORT_TASK: ref_tag: %u already complete, skipping\n", ref_tag);
804 +- spin_unlock_irq(&se_cmd->t_state_lock);
805 ++ spin_unlock(&se_cmd->t_state_lock);
806 + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
807 + goto out;
808 + }
809 + se_cmd->transport_state |= CMD_T_ABORTED;
810 +- spin_unlock_irq(&se_cmd->t_state_lock);
811 ++ spin_unlock(&se_cmd->t_state_lock);
812 +
813 + list_del_init(&se_cmd->se_cmd_list);
814 + kref_get(&se_cmd->cmd_kref);
815 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
816 +index 7f12416..9a113b7 100644
817 +--- a/drivers/xen/gntdev.c
818 ++++ b/drivers/xen/gntdev.c
819 +@@ -105,6 +105,21 @@ static void gntdev_print_maps(struct gntdev_priv *priv,
820 + #endif
821 + }
822 +
823 ++static void gntdev_free_map(struct grant_map *map)
824 ++{
825 ++ if (map == NULL)
826 ++ return;
827 ++
828 ++ if (map->pages)
829 ++ free_xenballooned_pages(map->count, map->pages);
830 ++ kfree(map->pages);
831 ++ kfree(map->grants);
832 ++ kfree(map->map_ops);
833 ++ kfree(map->unmap_ops);
834 ++ kfree(map->kmap_ops);
835 ++ kfree(map);
836 ++}
837 ++
838 + static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count)
839 + {
840 + struct grant_map *add;
841 +@@ -142,12 +157,7 @@ static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count)
842 + return add;
843 +
844 + err:
845 +- kfree(add->pages);
846 +- kfree(add->grants);
847 +- kfree(add->map_ops);
848 +- kfree(add->unmap_ops);
849 +- kfree(add->kmap_ops);
850 +- kfree(add);
851 ++ gntdev_free_map(add);
852 + return NULL;
853 + }
854 +
855 +@@ -198,17 +208,9 @@ static void gntdev_put_map(struct grant_map *map)
856 + evtchn_put(map->notify.event);
857 + }
858 +
859 +- if (map->pages) {
860 +- if (!use_ptemod)
861 +- unmap_grant_pages(map, 0, map->count);
862 +-
863 +- free_xenballooned_pages(map->count, map->pages);
864 +- }
865 +- kfree(map->pages);
866 +- kfree(map->grants);
867 +- kfree(map->map_ops);
868 +- kfree(map->unmap_ops);
869 +- kfree(map);
870 ++ if (map->pages && !use_ptemod)
871 ++ unmap_grant_pages(map, 0, map->count);
872 ++ gntdev_free_map(map);
873 + }
874 +
875 + /* ------------------------------------------------------------------ */
876 +diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
877 +index 8ff95a2..0967d0c 100644
878 +--- a/fs/gfs2/lops.c
879 ++++ b/fs/gfs2/lops.c
880 +@@ -393,12 +393,10 @@ static void buf_lo_add(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
881 + struct gfs2_meta_header *mh;
882 + struct gfs2_trans *tr;
883 +
884 +- lock_buffer(bd->bd_bh);
885 +- gfs2_log_lock(sdp);
886 + tr = current->journal_info;
887 + tr->tr_touched = 1;
888 + if (!list_empty(&bd->bd_list))
889 +- goto out;
890 ++ return;
891 + set_bit(GLF_LFLUSH, &bd->bd_gl->gl_flags);
892 + set_bit(GLF_DIRTY, &bd->bd_gl->gl_flags);
893 + mh = (struct gfs2_meta_header *)bd->bd_bh->b_data;
894 +@@ -414,9 +412,6 @@ static void buf_lo_add(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
895 + sdp->sd_log_num_buf++;
896 + list_add(&bd->bd_list, &sdp->sd_log_le_buf);
897 + tr->tr_num_buf_new++;
898 +-out:
899 +- gfs2_log_unlock(sdp);
900 +- unlock_buffer(bd->bd_bh);
901 + }
902 +
903 + static void gfs2_check_magic(struct buffer_head *bh)
904 +@@ -777,12 +772,10 @@ static void databuf_lo_add(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
905 + struct address_space *mapping = bd->bd_bh->b_page->mapping;
906 + struct gfs2_inode *ip = GFS2_I(mapping->host);
907 +
908 +- lock_buffer(bd->bd_bh);
909 +- gfs2_log_lock(sdp);
910 + if (tr)
911 + tr->tr_touched = 1;
912 + if (!list_empty(&bd->bd_list))
913 +- goto out;
914 ++ return;
915 + set_bit(GLF_LFLUSH, &bd->bd_gl->gl_flags);
916 + set_bit(GLF_DIRTY, &bd->bd_gl->gl_flags);
917 + if (gfs2_is_jdata(ip)) {
918 +@@ -793,9 +786,6 @@ static void databuf_lo_add(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
919 + } else {
920 + list_add_tail(&bd->bd_list, &sdp->sd_log_le_ordered);
921 + }
922 +-out:
923 +- gfs2_log_unlock(sdp);
924 +- unlock_buffer(bd->bd_bh);
925 + }
926 +
927 + /**
928 +diff --git a/fs/gfs2/trans.c b/fs/gfs2/trans.c
929 +index adbd278..4136270 100644
930 +--- a/fs/gfs2/trans.c
931 ++++ b/fs/gfs2/trans.c
932 +@@ -155,14 +155,22 @@ void gfs2_trans_add_bh(struct gfs2_glock *gl, struct buffer_head *bh, int meta)
933 + struct gfs2_sbd *sdp = gl->gl_sbd;
934 + struct gfs2_bufdata *bd;
935 +
936 ++ lock_buffer(bh);
937 ++ gfs2_log_lock(sdp);
938 + bd = bh->b_private;
939 + if (bd)
940 + gfs2_assert(sdp, bd->bd_gl == gl);
941 + else {
942 ++ gfs2_log_unlock(sdp);
943 ++ unlock_buffer(bh);
944 + gfs2_attach_bufdata(gl, bh, meta);
945 + bd = bh->b_private;
946 ++ lock_buffer(bh);
947 ++ gfs2_log_lock(sdp);
948 + }
949 + lops_add(sdp, bd);
950 ++ gfs2_log_unlock(sdp);
951 ++ unlock_buffer(bh);
952 + }
953 +
954 + void gfs2_trans_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
955 +diff --git a/fs/nfs/dns_resolve.c b/fs/nfs/dns_resolve.c
956 +index 31c26c4..ca4b11e 100644
957 +--- a/fs/nfs/dns_resolve.c
958 ++++ b/fs/nfs/dns_resolve.c
959 +@@ -217,7 +217,7 @@ static int nfs_dns_parse(struct cache_detail *cd, char *buf, int buflen)
960 + {
961 + char buf1[NFS_DNS_HOSTNAME_MAXLEN+1];
962 + struct nfs_dns_ent key, *item;
963 +- unsigned long ttl;
964 ++ unsigned int ttl;
965 + ssize_t len;
966 + int ret = -EINVAL;
967 +
968 +@@ -240,7 +240,8 @@ static int nfs_dns_parse(struct cache_detail *cd, char *buf, int buflen)
969 + key.namelen = len;
970 + memset(&key.h, 0, sizeof(key.h));
971 +
972 +- ttl = get_expiry(&buf);
973 ++ if (get_uint(&buf, &ttl) < 0)
974 ++ goto out;
975 + if (ttl == 0)
976 + goto out;
977 + key.h.expiry_time = ttl + seconds_since_boot();
978 +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
979 +index 31fdb03..e794dee 100644
980 +--- a/fs/nfs/internal.h
981 ++++ b/fs/nfs/internal.h
982 +@@ -353,8 +353,9 @@ extern void nfs_sb_active(struct super_block *sb);
983 + extern void nfs_sb_deactive(struct super_block *sb);
984 +
985 + /* namespace.c */
986 ++#define NFS_PATH_CANONICAL 1
987 + extern char *nfs_path(char **p, struct dentry *dentry,
988 +- char *buffer, ssize_t buflen);
989 ++ char *buffer, ssize_t buflen, unsigned flags);
990 + extern struct vfsmount *nfs_d_automount(struct path *path);
991 + struct vfsmount *nfs_submount(struct nfs_server *, struct dentry *,
992 + struct nfs_fh *, struct nfs_fattr *);
993 +@@ -491,7 +492,7 @@ static inline char *nfs_devname(struct dentry *dentry,
994 + char *buffer, ssize_t buflen)
995 + {
996 + char *dummy;
997 +- return nfs_path(&dummy, dentry, buffer, buflen);
998 ++ return nfs_path(&dummy, dentry, buffer, buflen, NFS_PATH_CANONICAL);
999 + }
1000 +
1001 + /*
1002 +diff --git a/fs/nfs/mount_clnt.c b/fs/nfs/mount_clnt.c
1003 +index 8e65c7f..015f71f 100644
1004 +--- a/fs/nfs/mount_clnt.c
1005 ++++ b/fs/nfs/mount_clnt.c
1006 +@@ -181,7 +181,7 @@ int nfs_mount(struct nfs_mount_request *info)
1007 + else
1008 + msg.rpc_proc = &mnt_clnt->cl_procinfo[MOUNTPROC_MNT];
1009 +
1010 +- status = rpc_call_sync(mnt_clnt, &msg, 0);
1011 ++ status = rpc_call_sync(mnt_clnt, &msg, RPC_TASK_SOFT|RPC_TASK_TIMEOUT);
1012 + rpc_shutdown_client(mnt_clnt);
1013 +
1014 + if (status < 0)
1015 +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
1016 +index 6559253..dd057bc 100644
1017 +--- a/fs/nfs/namespace.c
1018 ++++ b/fs/nfs/namespace.c
1019 +@@ -33,6 +33,7 @@ int nfs_mountpoint_expiry_timeout = 500 * HZ;
1020 + * @dentry - pointer to dentry
1021 + * @buffer - result buffer
1022 + * @buflen - length of buffer
1023 ++ * @flags - options (see below)
1024 + *
1025 + * Helper function for constructing the server pathname
1026 + * by arbitrary hashed dentry.
1027 +@@ -40,8 +41,14 @@ int nfs_mountpoint_expiry_timeout = 500 * HZ;
1028 + * This is mainly for use in figuring out the path on the
1029 + * server side when automounting on top of an existing partition
1030 + * and in generating /proc/mounts and friends.
1031 ++ *
1032 ++ * Supported flags:
1033 ++ * NFS_PATH_CANONICAL: ensure there is exactly one slash after
1034 ++ * the original device (export) name
1035 ++ * (if unset, the original name is returned verbatim)
1036 + */
1037 +-char *nfs_path(char **p, struct dentry *dentry, char *buffer, ssize_t buflen)
1038 ++char *nfs_path(char **p, struct dentry *dentry, char *buffer, ssize_t buflen,
1039 ++ unsigned flags)
1040 + {
1041 + char *end;
1042 + int namelen;
1043 +@@ -74,7 +81,7 @@ rename_retry:
1044 + rcu_read_unlock();
1045 + goto rename_retry;
1046 + }
1047 +- if (*end != '/') {
1048 ++ if ((flags & NFS_PATH_CANONICAL) && *end != '/') {
1049 + if (--buflen < 0) {
1050 + spin_unlock(&dentry->d_lock);
1051 + rcu_read_unlock();
1052 +@@ -91,9 +98,11 @@ rename_retry:
1053 + return end;
1054 + }
1055 + namelen = strlen(base);
1056 +- /* Strip off excess slashes in base string */
1057 +- while (namelen > 0 && base[namelen - 1] == '/')
1058 +- namelen--;
1059 ++ if (flags & NFS_PATH_CANONICAL) {
1060 ++ /* Strip off excess slashes in base string */
1061 ++ while (namelen > 0 && base[namelen - 1] == '/')
1062 ++ namelen--;
1063 ++ }
1064 + buflen -= namelen;
1065 + if (buflen < 0) {
1066 + spin_unlock(&dentry->d_lock);
1067 +diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
1068 +index 017b4b0..c077b25 100644
1069 +--- a/fs/nfs/nfs4namespace.c
1070 ++++ b/fs/nfs/nfs4namespace.c
1071 +@@ -81,7 +81,8 @@ static char *nfs_path_component(const char *nfspath, const char *end)
1072 + static char *nfs4_path(struct dentry *dentry, char *buffer, ssize_t buflen)
1073 + {
1074 + char *limit;
1075 +- char *path = nfs_path(&limit, dentry, buffer, buflen);
1076 ++ char *path = nfs_path(&limit, dentry, buffer, buflen,
1077 ++ NFS_PATH_CANONICAL);
1078 + if (!IS_ERR(path)) {
1079 + char *path_component = nfs_path_component(path, limit);
1080 + if (path_component)
1081 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
1082 +index d5a0cf1..7bff871 100644
1083 +--- a/fs/nfs/nfs4proc.c
1084 ++++ b/fs/nfs/nfs4proc.c
1085 +@@ -331,8 +331,7 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc
1086 + dprintk("%s ERROR: %d Reset session\n", __func__,
1087 + errorcode);
1088 + nfs4_schedule_session_recovery(clp->cl_session, errorcode);
1089 +- exception->retry = 1;
1090 +- break;
1091 ++ goto wait_on_recovery;
1092 + #endif /* defined(CONFIG_NFS_V4_1) */
1093 + case -NFS4ERR_FILE_OPEN:
1094 + if (exception->timeout > HZ) {
1095 +@@ -1499,9 +1498,11 @@ static void nfs4_open_prepare(struct rpc_task *task, void *calldata)
1096 + data->timestamp = jiffies;
1097 + if (nfs4_setup_sequence(data->o_arg.server,
1098 + &data->o_arg.seq_args,
1099 +- &data->o_res.seq_res, task))
1100 +- return;
1101 +- rpc_call_start(task);
1102 ++ &data->o_res.seq_res,
1103 ++ task) != 0)
1104 ++ nfs_release_seqid(data->o_arg.seqid);
1105 ++ else
1106 ++ rpc_call_start(task);
1107 + return;
1108 + unlock_no_action:
1109 + rcu_read_unlock();
1110 +@@ -2182,9 +2183,10 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data)
1111 + if (nfs4_setup_sequence(NFS_SERVER(calldata->inode),
1112 + &calldata->arg.seq_args,
1113 + &calldata->res.seq_res,
1114 +- task))
1115 +- goto out;
1116 +- rpc_call_start(task);
1117 ++ task) != 0)
1118 ++ nfs_release_seqid(calldata->arg.seqid);
1119 ++ else
1120 ++ rpc_call_start(task);
1121 + out:
1122 + dprintk("%s: done!\n", __func__);
1123 + }
1124 +@@ -4390,6 +4392,7 @@ static void nfs4_locku_done(struct rpc_task *task, void *data)
1125 + if (nfs4_async_handle_error(task, calldata->server, NULL) == -EAGAIN)
1126 + rpc_restart_call_prepare(task);
1127 + }
1128 ++ nfs_release_seqid(calldata->arg.seqid);
1129 + }
1130 +
1131 + static void nfs4_locku_prepare(struct rpc_task *task, void *data)
1132 +@@ -4406,9 +4409,11 @@ static void nfs4_locku_prepare(struct rpc_task *task, void *data)
1133 + calldata->timestamp = jiffies;
1134 + if (nfs4_setup_sequence(calldata->server,
1135 + &calldata->arg.seq_args,
1136 +- &calldata->res.seq_res, task))
1137 +- return;
1138 +- rpc_call_start(task);
1139 ++ &calldata->res.seq_res,
1140 ++ task) != 0)
1141 ++ nfs_release_seqid(calldata->arg.seqid);
1142 ++ else
1143 ++ rpc_call_start(task);
1144 + }
1145 +
1146 + static const struct rpc_call_ops nfs4_locku_ops = {
1147 +@@ -4553,7 +4558,7 @@ static void nfs4_lock_prepare(struct rpc_task *task, void *calldata)
1148 + /* Do we need to do an open_to_lock_owner? */
1149 + if (!(data->arg.lock_seqid->sequence->flags & NFS_SEQID_CONFIRMED)) {
1150 + if (nfs_wait_on_sequence(data->arg.open_seqid, task) != 0)
1151 +- return;
1152 ++ goto out_release_lock_seqid;
1153 + data->arg.open_stateid = &state->stateid;
1154 + data->arg.new_lock_owner = 1;
1155 + data->res.open_seqid = data->arg.open_seqid;
1156 +@@ -4562,10 +4567,15 @@ static void nfs4_lock_prepare(struct rpc_task *task, void *calldata)
1157 + data->timestamp = jiffies;
1158 + if (nfs4_setup_sequence(data->server,
1159 + &data->arg.seq_args,
1160 +- &data->res.seq_res, task))
1161 ++ &data->res.seq_res,
1162 ++ task) == 0) {
1163 ++ rpc_call_start(task);
1164 + return;
1165 +- rpc_call_start(task);
1166 +- dprintk("%s: done!, ret = %d\n", __func__, data->rpc_status);
1167 ++ }
1168 ++ nfs_release_seqid(data->arg.open_seqid);
1169 ++out_release_lock_seqid:
1170 ++ nfs_release_seqid(data->arg.lock_seqid);
1171 ++ dprintk("%s: done!, ret = %d\n", __func__, task->tk_status);
1172 + }
1173 +
1174 + static void nfs4_recover_lock_prepare(struct rpc_task *task, void *calldata)
1175 +diff --git a/fs/nfs/super.c b/fs/nfs/super.c
1176 +index b8eda70..d8d7396 100644
1177 +--- a/fs/nfs/super.c
1178 ++++ b/fs/nfs/super.c
1179 +@@ -765,7 +765,7 @@ int nfs_show_devname(struct seq_file *m, struct dentry *root)
1180 + int err = 0;
1181 + if (!page)
1182 + return -ENOMEM;
1183 +- devname = nfs_path(&dummy, root, page, PAGE_SIZE);
1184 ++ devname = nfs_path(&dummy, root, page, PAGE_SIZE, 0);
1185 + if (IS_ERR(devname))
1186 + err = PTR_ERR(devname);
1187 + else
1188 +diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
1189 +index a8d0ed9..becf4a9 100644
1190 +--- a/fs/xfs/xfs_buf_item.c
1191 ++++ b/fs/xfs/xfs_buf_item.c
1192 +@@ -526,7 +526,25 @@ xfs_buf_item_unpin(
1193 + }
1194 + xfs_buf_relse(bp);
1195 + } else if (freed && remove) {
1196 ++ /*
1197 ++ * There are currently two references to the buffer - the active
1198 ++ * LRU reference and the buf log item. What we are about to do
1199 ++ * here - simulate a failed IO completion - requires 3
1200 ++ * references.
1201 ++ *
1202 ++ * The LRU reference is removed by the xfs_buf_stale() call. The
1203 ++ * buf item reference is removed by the xfs_buf_iodone()
1204 ++ * callback that is run by xfs_buf_do_callbacks() during ioend
1205 ++ * processing (via the bp->b_iodone callback), and then finally
1206 ++ * the ioend processing will drop the IO reference if the buffer
1207 ++ * is marked XBF_ASYNC.
1208 ++ *
1209 ++ * Hence we need to take an additional reference here so that IO
1210 ++ * completion processing doesn't free the buffer prematurely.
1211 ++ */
1212 + xfs_buf_lock(bp);
1213 ++ xfs_buf_hold(bp);
1214 ++ bp->b_flags |= XBF_ASYNC;
1215 + xfs_buf_ioerror(bp, EIO);
1216 + XFS_BUF_UNDONE(bp);
1217 + xfs_buf_stale(bp);
1218 +diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
1219 +index 5da3ace..d308749 100644
1220 +--- a/fs/xfs/xfs_log_recover.c
1221 ++++ b/fs/xfs/xfs_log_recover.c
1222 +@@ -3541,7 +3541,7 @@ xlog_do_recovery_pass(
1223 + * - order is important.
1224 + */
1225 + error = xlog_bread_offset(log, 0,
1226 +- bblks - split_bblks, hbp,
1227 ++ bblks - split_bblks, dbp,
1228 + offset + BBTOB(split_bblks));
1229 + if (error)
1230 + goto bread_err2;
1231 +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
1232 +index f10553c..fb5204b 100644
1233 +--- a/include/net/cfg80211.h
1234 ++++ b/include/net/cfg80211.h
1235 +@@ -2633,6 +2633,15 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb);
1236 + unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc);
1237 +
1238 + /**
1239 ++ * ieee80211_get_mesh_hdrlen - get mesh extension header length
1240 ++ * @meshhdr: the mesh extension header, only the flags field
1241 ++ * (first byte) will be accessed
1242 ++ * Returns the length of the extension header, which is always at
1243 ++ * least 6 bytes and at most 18 if address 5 and 6 are present.
1244 ++ */
1245 ++unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr);
1246 ++
1247 ++/**
1248 + * DOC: Data path helpers
1249 + *
1250 + * In addition to generic utilities, cfg80211 also offers
1251 +diff --git a/include/sound/core.h b/include/sound/core.h
1252 +index bc05668..93896ad 100644
1253 +--- a/include/sound/core.h
1254 ++++ b/include/sound/core.h
1255 +@@ -132,6 +132,7 @@ struct snd_card {
1256 + int shutdown; /* this card is going down */
1257 + int free_on_last_close; /* free in context of file_release */
1258 + wait_queue_head_t shutdown_sleep;
1259 ++ atomic_t refcount; /* refcount for disconnection */
1260 + struct device *dev; /* device assigned to this card */
1261 + struct device *card_dev; /* cardX object for sysfs */
1262 +
1263 +@@ -189,6 +190,7 @@ struct snd_minor {
1264 + const struct file_operations *f_ops; /* file operations */
1265 + void *private_data; /* private data for f_ops->open */
1266 + struct device *dev; /* device for sysfs */
1267 ++ struct snd_card *card_ptr; /* assigned card instance */
1268 + };
1269 +
1270 + /* return a device pointer linked to each sound device as a parent */
1271 +@@ -295,6 +297,7 @@ int snd_card_info_done(void);
1272 + int snd_component_add(struct snd_card *card, const char *component);
1273 + int snd_card_file_add(struct snd_card *card, struct file *file);
1274 + int snd_card_file_remove(struct snd_card *card, struct file *file);
1275 ++void snd_card_unref(struct snd_card *card);
1276 +
1277 + #define snd_card_set_dev(card, devptr) ((card)->dev = (devptr))
1278 +
1279 +diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h
1280 +index 15ba03b..d06b6da 100644
1281 +--- a/include/trace/events/xen.h
1282 ++++ b/include/trace/events/xen.h
1283 +@@ -377,6 +377,14 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd,
1284 + DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin);
1285 + DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin);
1286 +
1287 ++TRACE_EVENT(xen_mmu_flush_tlb_all,
1288 ++ TP_PROTO(int x),
1289 ++ TP_ARGS(x),
1290 ++ TP_STRUCT__entry(__array(char, x, 0)),
1291 ++ TP_fast_assign((void)x),
1292 ++ TP_printk("%s", "")
1293 ++ );
1294 ++
1295 + TRACE_EVENT(xen_mmu_flush_tlb,
1296 + TP_PROTO(int x),
1297 + TP_ARGS(x),
1298 +diff --git a/kernel/futex.c b/kernel/futex.c
1299 +index 3717e7b..20ef219 100644
1300 +--- a/kernel/futex.c
1301 ++++ b/kernel/futex.c
1302 +@@ -716,7 +716,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
1303 + struct futex_pi_state **ps,
1304 + struct task_struct *task, int set_waiters)
1305 + {
1306 +- int lock_taken, ret, ownerdied = 0;
1307 ++ int lock_taken, ret, force_take = 0;
1308 + u32 uval, newval, curval, vpid = task_pid_vnr(task);
1309 +
1310 + retry:
1311 +@@ -755,17 +755,15 @@ retry:
1312 + newval = curval | FUTEX_WAITERS;
1313 +
1314 + /*
1315 +- * There are two cases, where a futex might have no owner (the
1316 +- * owner TID is 0): OWNER_DIED. We take over the futex in this
1317 +- * case. We also do an unconditional take over, when the owner
1318 +- * of the futex died.
1319 +- *
1320 +- * This is safe as we are protected by the hash bucket lock !
1321 ++ * Should we force take the futex? See below.
1322 + */
1323 +- if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
1324 +- /* Keep the OWNER_DIED bit */
1325 ++ if (unlikely(force_take)) {
1326 ++ /*
1327 ++ * Keep the OWNER_DIED and the WAITERS bit and set the
1328 ++ * new TID value.
1329 ++ */
1330 + newval = (curval & ~FUTEX_TID_MASK) | vpid;
1331 +- ownerdied = 0;
1332 ++ force_take = 0;
1333 + lock_taken = 1;
1334 + }
1335 +
1336 +@@ -775,7 +773,7 @@ retry:
1337 + goto retry;
1338 +
1339 + /*
1340 +- * We took the lock due to owner died take over.
1341 ++ * We took the lock due to forced take over.
1342 + */
1343 + if (unlikely(lock_taken))
1344 + return 1;
1345 +@@ -790,20 +788,25 @@ retry:
1346 + switch (ret) {
1347 + case -ESRCH:
1348 + /*
1349 +- * No owner found for this futex. Check if the
1350 +- * OWNER_DIED bit is set to figure out whether
1351 +- * this is a robust futex or not.
1352 ++ * We failed to find an owner for this
1353 ++ * futex. So we have no pi_state to block
1354 ++ * on. This can happen in two cases:
1355 ++ *
1356 ++ * 1) The owner died
1357 ++ * 2) A stale FUTEX_WAITERS bit
1358 ++ *
1359 ++ * Re-read the futex value.
1360 + */
1361 + if (get_futex_value_locked(&curval, uaddr))
1362 + return -EFAULT;
1363 +
1364 + /*
1365 +- * We simply start over in case of a robust
1366 +- * futex. The code above will take the futex
1367 +- * and return happy.
1368 ++ * If the owner died or we have a stale
1369 ++ * WAITERS bit the owner TID in the user space
1370 ++ * futex is 0.
1371 + */
1372 +- if (curval & FUTEX_OWNER_DIED) {
1373 +- ownerdied = 1;
1374 ++ if (!(curval & FUTEX_TID_MASK)) {
1375 ++ force_take = 1;
1376 + goto retry;
1377 + }
1378 + default:
1379 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
1380 +index 6705d35..e7b5777 100644
1381 +--- a/net/batman-adv/bridge_loop_avoidance.c
1382 ++++ b/net/batman-adv/bridge_loop_avoidance.c
1383 +@@ -1205,8 +1205,8 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
1384 + /**
1385 + * batadv_bla_check_bcast_duplist
1386 + * @bat_priv: the bat priv with all the soft interface information
1387 +- * @bcast_packet: originator mac address
1388 +- * @hdr_size: maximum length of the frame
1389 ++ * @bcast_packet: encapsulated broadcast frame plus batman header
1390 ++ * @bcast_packet_len: length of encapsulated broadcast frame plus batman header
1391 + *
1392 + * check if it is on our broadcast list. Another gateway might
1393 + * have sent the same packet because it is connected to the same backbone,
1394 +@@ -1219,14 +1219,14 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
1395 + */
1396 + int batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
1397 + struct batadv_bcast_packet *bcast_packet,
1398 +- int hdr_size)
1399 ++ int bcast_packet_len)
1400 + {
1401 + int i, length, curr;
1402 + uint8_t *content;
1403 + uint16_t crc;
1404 + struct batadv_bcast_duplist_entry *entry;
1405 +
1406 +- length = hdr_size - sizeof(*bcast_packet);
1407 ++ length = bcast_packet_len - sizeof(*bcast_packet);
1408 + content = (uint8_t *)bcast_packet;
1409 + content += sizeof(*bcast_packet);
1410 +
1411 +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
1412 +index bc2b88b..f861b7c 100644
1413 +--- a/net/batman-adv/routing.c
1414 ++++ b/net/batman-adv/routing.c
1415 +@@ -1136,8 +1136,14 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
1416 +
1417 + spin_unlock_bh(&orig_node->bcast_seqno_lock);
1418 +
1419 ++ /* keep skb linear for crc calculation */
1420 ++ if (skb_linearize(skb) < 0)
1421 ++ goto out;
1422 ++
1423 ++ bcast_packet = (struct batadv_bcast_packet *)skb->data;
1424 ++
1425 + /* check whether this has been sent by another originator before */
1426 +- if (batadv_bla_check_bcast_duplist(bat_priv, bcast_packet, hdr_size))
1427 ++ if (batadv_bla_check_bcast_duplist(bat_priv, bcast_packet, skb->len))
1428 + goto out;
1429 +
1430 + /* rebroadcast packet */
1431 +diff --git a/net/core/dev.c b/net/core/dev.c
1432 +index 2fb9f59..aed87a4 100644
1433 +--- a/net/core/dev.c
1434 ++++ b/net/core/dev.c
1435 +@@ -1644,7 +1644,7 @@ static inline int deliver_skb(struct sk_buff *skb,
1436 +
1437 + static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
1438 + {
1439 +- if (ptype->af_packet_priv == NULL)
1440 ++ if (!ptype->af_packet_priv || !skb->sk)
1441 + return false;
1442 +
1443 + if (ptype->id_match)
1444 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
1445 +index ef172af..9708777 100644
1446 +--- a/net/core/skbuff.c
1447 ++++ b/net/core/skbuff.c
1448 +@@ -3384,10 +3384,12 @@ EXPORT_SYMBOL(__skb_warn_lro_forwarding);
1449 +
1450 + void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
1451 + {
1452 +- if (head_stolen)
1453 ++ if (head_stolen) {
1454 ++ skb_release_head_state(skb);
1455 + kmem_cache_free(skbuff_head_cache, skb);
1456 +- else
1457 ++ } else {
1458 + __kfree_skb(skb);
1459 ++ }
1460 + }
1461 + EXPORT_SYMBOL(kfree_skb_partial);
1462 +
1463 +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
1464 +index 570e61f..6405a44 100644
1465 +--- a/net/ipv4/inet_diag.c
1466 ++++ b/net/ipv4/inet_diag.c
1467 +@@ -883,13 +883,16 @@ static int __inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
1468 + struct inet_diag_req_v2 *r, struct nlattr *bc)
1469 + {
1470 + const struct inet_diag_handler *handler;
1471 ++ int err = 0;
1472 +
1473 + handler = inet_diag_lock_handler(r->sdiag_protocol);
1474 + if (!IS_ERR(handler))
1475 + handler->dump(skb, cb, r, bc);
1476 ++ else
1477 ++ err = PTR_ERR(handler);
1478 + inet_diag_unlock_handler(handler);
1479 +
1480 +- return skb->len;
1481 ++ return err ? : skb->len;
1482 + }
1483 +
1484 + static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
1485 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
1486 +index 2a1383c..c017cb1 100644
1487 +--- a/net/ipv4/route.c
1488 ++++ b/net/ipv4/route.c
1489 +@@ -1166,8 +1166,12 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
1490 + spin_lock_bh(&fnhe_lock);
1491 +
1492 + if (daddr == fnhe->fnhe_daddr) {
1493 +- struct rtable *orig;
1494 +-
1495 ++ struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
1496 ++ if (orig && rt_is_expired(orig)) {
1497 ++ fnhe->fnhe_gw = 0;
1498 ++ fnhe->fnhe_pmtu = 0;
1499 ++ fnhe->fnhe_expires = 0;
1500 ++ }
1501 + if (fnhe->fnhe_pmtu) {
1502 + unsigned long expires = fnhe->fnhe_expires;
1503 + unsigned long diff = expires - jiffies;
1504 +@@ -1184,7 +1188,6 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
1505 + } else if (!rt->rt_gateway)
1506 + rt->rt_gateway = daddr;
1507 +
1508 +- orig = rcu_dereference(fnhe->fnhe_rth);
1509 + rcu_assign_pointer(fnhe->fnhe_rth, rt);
1510 + if (orig)
1511 + rt_free(orig);
1512 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
1513 +index 5f64193..49dd993 100644
1514 +--- a/net/ipv4/tcp.c
1515 ++++ b/net/ipv4/tcp.c
1516 +@@ -548,14 +548,12 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
1517 + !tp->urg_data ||
1518 + before(tp->urg_seq, tp->copied_seq) ||
1519 + !before(tp->urg_seq, tp->rcv_nxt)) {
1520 +- struct sk_buff *skb;
1521 +
1522 + answ = tp->rcv_nxt - tp->copied_seq;
1523 +
1524 +- /* Subtract 1, if FIN is in queue. */
1525 +- skb = skb_peek_tail(&sk->sk_receive_queue);
1526 +- if (answ && skb)
1527 +- answ -= tcp_hdr(skb)->fin;
1528 ++ /* Subtract 1, if FIN was received */
1529 ++ if (answ && sock_flag(sk, SOCK_DONE))
1530 ++ answ--;
1531 + } else
1532 + answ = tp->urg_seq - tp->copied_seq;
1533 + release_sock(sk);
1534 +diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
1535 +index 813b43a..834857f 100644
1536 +--- a/net/ipv4/tcp_illinois.c
1537 ++++ b/net/ipv4/tcp_illinois.c
1538 +@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
1539 + .tcpv_rttcnt = ca->cnt_rtt,
1540 + .tcpv_minrtt = ca->base_rtt,
1541 + };
1542 +- u64 t = ca->sum_rtt;
1543 +
1544 +- do_div(t, ca->cnt_rtt);
1545 +- info.tcpv_rtt = t;
1546 ++ if (info.tcpv_rttcnt > 0) {
1547 ++ u64 t = ca->sum_rtt;
1548 +
1549 ++ do_div(t, info.tcpv_rttcnt);
1550 ++ info.tcpv_rtt = t;
1551 ++ }
1552 + nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
1553 + }
1554 + }
1555 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
1556 +index d377f48..c92c4da 100644
1557 +--- a/net/ipv4/tcp_input.c
1558 ++++ b/net/ipv4/tcp_input.c
1559 +@@ -4556,6 +4556,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
1560 + struct tcphdr *th;
1561 + bool fragstolen;
1562 +
1563 ++ if (size == 0)
1564 ++ return 0;
1565 ++
1566 + skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
1567 + if (!skb)
1568 + goto err;
1569 +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
1570 +index ff36194..2edce30 100644
1571 +--- a/net/ipv6/ndisc.c
1572 ++++ b/net/ipv6/ndisc.c
1573 +@@ -535,7 +535,7 @@ static void ndisc_send_unsol_na(struct net_device *dev)
1574 + {
1575 + struct inet6_dev *idev;
1576 + struct inet6_ifaddr *ifa;
1577 +- struct in6_addr mcaddr;
1578 ++ struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
1579 +
1580 + idev = in6_dev_get(dev);
1581 + if (!idev)
1582 +@@ -543,7 +543,6 @@ static void ndisc_send_unsol_na(struct net_device *dev)
1583 +
1584 + read_lock_bh(&idev->lock);
1585 + list_for_each_entry(ifa, &idev->addr_list, if_list) {
1586 +- addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
1587 + ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
1588 + /*router=*/ !!idev->cnf.forwarding,
1589 + /*solicited=*/ false, /*override=*/ true,
1590 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
1591 +index 46eff42..070a3ce 100644
1592 +--- a/net/ipv6/route.c
1593 ++++ b/net/ipv6/route.c
1594 +@@ -219,7 +219,7 @@ static struct dst_ops ip6_dst_blackhole_ops = {
1595 + };
1596 +
1597 + static const u32 ip6_template_metrics[RTAX_MAX] = {
1598 +- [RTAX_HOPLIMIT - 1] = 255,
1599 ++ [RTAX_HOPLIMIT - 1] = 0,
1600 + };
1601 +
1602 + static struct rt6_info ip6_null_entry_template = {
1603 +@@ -1241,7 +1241,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
1604 + rt->rt6i_dst.addr = fl6->daddr;
1605 + rt->rt6i_dst.plen = 128;
1606 + rt->rt6i_idev = idev;
1607 +- dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
1608 ++ dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0);
1609 +
1610 + spin_lock_bh(&icmp6_dst_lock);
1611 + rt->dst.next = icmp6_dst_gc_list;
1612 +diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
1613 +index 3bfb34a..69bf48d 100644
1614 +--- a/net/l2tp/l2tp_eth.c
1615 ++++ b/net/l2tp/l2tp_eth.c
1616 +@@ -290,6 +290,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
1617 +
1618 + out_del_dev:
1619 + free_netdev(dev);
1620 ++ spriv->dev = NULL;
1621 + out_del_session:
1622 + l2tp_session_delete(session);
1623 + out:
1624 +diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
1625 +index 5746d62..327aa07 100644
1626 +--- a/net/mac80211/ibss.c
1627 ++++ b/net/mac80211/ibss.c
1628 +@@ -1074,7 +1074,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
1629 + sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1630 + sdata->u.ibss.ibss_join_req = jiffies;
1631 +
1632 +- memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
1633 ++ memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
1634 + sdata->u.ibss.ssid_len = params->ssid_len;
1635 +
1636 + mutex_unlock(&sdata->u.ibss.mtx);
1637 +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
1638 +index 0cb4ede..37fe5ce 100644
1639 +--- a/net/mac80211/rx.c
1640 ++++ b/net/mac80211/rx.c
1641 +@@ -491,6 +491,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1642 +
1643 + if (ieee80211_is_action(hdr->frame_control)) {
1644 + u8 category;
1645 ++
1646 ++ /* make sure category field is present */
1647 ++ if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1648 ++ return RX_DROP_MONITOR;
1649 ++
1650 + mgmt = (struct ieee80211_mgmt *)hdr;
1651 + category = mgmt->u.action.category;
1652 + if (category != WLAN_CATEGORY_MESH_ACTION &&
1653 +@@ -843,14 +848,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1654 + */
1655 + if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1656 + ieee80211_is_data_present(hdr->frame_control)) {
1657 +- u16 ethertype;
1658 +- u8 *payload;
1659 +-
1660 +- payload = rx->skb->data +
1661 +- ieee80211_hdrlen(hdr->frame_control);
1662 +- ethertype = (payload[6] << 8) | payload[7];
1663 +- if (cpu_to_be16(ethertype) ==
1664 +- rx->sdata->control_port_protocol)
1665 ++ unsigned int hdrlen;
1666 ++ __be16 ethertype;
1667 ++
1668 ++ hdrlen = ieee80211_hdrlen(hdr->frame_control);
1669 ++
1670 ++ if (rx->skb->len < hdrlen + 8)
1671 ++ return RX_DROP_MONITOR;
1672 ++
1673 ++ skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
1674 ++ if (ethertype == rx->sdata->control_port_protocol)
1675 + return RX_CONTINUE;
1676 + }
1677 +
1678 +@@ -1422,11 +1429,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1679 +
1680 + hdr = (struct ieee80211_hdr *)rx->skb->data;
1681 + fc = hdr->frame_control;
1682 ++
1683 ++ if (ieee80211_is_ctl(fc))
1684 ++ return RX_CONTINUE;
1685 ++
1686 + sc = le16_to_cpu(hdr->seq_ctrl);
1687 + frag = sc & IEEE80211_SCTL_FRAG;
1688 +
1689 + if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
1690 +- (rx->skb)->len < 24 ||
1691 + is_multicast_ether_addr(hdr->addr1))) {
1692 + /* not fragmented */
1693 + goto out;
1694 +@@ -1849,6 +1859,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1695 +
1696 + hdr = (struct ieee80211_hdr *) skb->data;
1697 + hdrlen = ieee80211_hdrlen(hdr->frame_control);
1698 ++
1699 ++ /* make sure fixed part of mesh header is there, also checks skb len */
1700 ++ if (!pskb_may_pull(rx->skb, hdrlen + 6))
1701 ++ return RX_DROP_MONITOR;
1702 ++
1703 ++ mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1704 ++
1705 ++ /* make sure full mesh header is there, also checks skb len */
1706 ++ if (!pskb_may_pull(rx->skb,
1707 ++ hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
1708 ++ return RX_DROP_MONITOR;
1709 ++
1710 ++ /* reload pointers */
1711 ++ hdr = (struct ieee80211_hdr *) skb->data;
1712 + mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1713 +
1714 + /* frame is in RMC, don't forward */
1715 +@@ -1857,7 +1881,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1716 + mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
1717 + return RX_DROP_MONITOR;
1718 +
1719 +- if (!ieee80211_is_data(hdr->frame_control))
1720 ++ if (!ieee80211_is_data(hdr->frame_control) ||
1721 ++ !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1722 + return RX_CONTINUE;
1723 +
1724 + if (!mesh_hdr->ttl)
1725 +@@ -1871,9 +1896,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1726 + if (is_multicast_ether_addr(hdr->addr1)) {
1727 + mpp_addr = hdr->addr3;
1728 + proxied_addr = mesh_hdr->eaddr1;
1729 +- } else {
1730 ++ } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
1731 ++ /* has_a4 already checked in ieee80211_rx_mesh_check */
1732 + mpp_addr = hdr->addr4;
1733 + proxied_addr = mesh_hdr->eaddr2;
1734 ++ } else {
1735 ++ return RX_DROP_MONITOR;
1736 + }
1737 +
1738 + rcu_read_lock();
1739 +@@ -1901,9 +1929,6 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1740 + }
1741 + skb_set_queue_mapping(skb, q);
1742 +
1743 +- if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1744 +- goto out;
1745 +-
1746 + if (!--mesh_hdr->ttl) {
1747 + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
1748 + return RX_DROP_MONITOR;
1749 +@@ -2313,6 +2338,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1750 + }
1751 + break;
1752 + case WLAN_CATEGORY_SELF_PROTECTED:
1753 ++ if (len < (IEEE80211_MIN_ACTION_SIZE +
1754 ++ sizeof(mgmt->u.action.u.self_prot.action_code)))
1755 ++ break;
1756 ++
1757 + switch (mgmt->u.action.u.self_prot.action_code) {
1758 + case WLAN_SP_MESH_PEERING_OPEN:
1759 + case WLAN_SP_MESH_PEERING_CLOSE:
1760 +@@ -2331,6 +2360,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1761 + }
1762 + break;
1763 + case WLAN_CATEGORY_MESH_ACTION:
1764 ++ if (len < (IEEE80211_MIN_ACTION_SIZE +
1765 ++ sizeof(mgmt->u.action.u.mesh_action.action_code)))
1766 ++ break;
1767 ++
1768 + if (!ieee80211_vif_is_mesh(&sdata->vif))
1769 + break;
1770 + if (mesh_action_is_path_sel(mgmt) &&
1771 +@@ -2865,10 +2898,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
1772 + if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
1773 + local->dot11ReceivedFragmentCount++;
1774 +
1775 +- if (ieee80211_is_mgmt(fc))
1776 +- err = skb_linearize(skb);
1777 +- else
1778 ++ if (ieee80211_is_mgmt(fc)) {
1779 ++ /* drop frame if too short for header */
1780 ++ if (skb->len < ieee80211_hdrlen(fc))
1781 ++ err = -ENOBUFS;
1782 ++ else
1783 ++ err = skb_linearize(skb);
1784 ++ } else {
1785 + err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
1786 ++ }
1787 +
1788 + if (err) {
1789 + dev_kfree_skb(skb);
1790 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c
1791 +index c9b52f7..1cfe6d5 100644
1792 +--- a/net/mac80211/util.c
1793 ++++ b/net/mac80211/util.c
1794 +@@ -637,13 +637,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
1795 + break;
1796 + }
1797 +
1798 +- if (id != WLAN_EID_VENDOR_SPECIFIC &&
1799 +- id != WLAN_EID_QUIET &&
1800 +- test_bit(id, seen_elems)) {
1801 +- elems->parse_error = true;
1802 +- left -= elen;
1803 +- pos += elen;
1804 +- continue;
1805 ++ switch (id) {
1806 ++ case WLAN_EID_SSID:
1807 ++ case WLAN_EID_SUPP_RATES:
1808 ++ case WLAN_EID_FH_PARAMS:
1809 ++ case WLAN_EID_DS_PARAMS:
1810 ++ case WLAN_EID_CF_PARAMS:
1811 ++ case WLAN_EID_TIM:
1812 ++ case WLAN_EID_IBSS_PARAMS:
1813 ++ case WLAN_EID_CHALLENGE:
1814 ++ case WLAN_EID_RSN:
1815 ++ case WLAN_EID_ERP_INFO:
1816 ++ case WLAN_EID_EXT_SUPP_RATES:
1817 ++ case WLAN_EID_HT_CAPABILITY:
1818 ++ case WLAN_EID_HT_OPERATION:
1819 ++ case WLAN_EID_VHT_CAPABILITY:
1820 ++ case WLAN_EID_VHT_OPERATION:
1821 ++ case WLAN_EID_MESH_ID:
1822 ++ case WLAN_EID_MESH_CONFIG:
1823 ++ case WLAN_EID_PEER_MGMT:
1824 ++ case WLAN_EID_PREQ:
1825 ++ case WLAN_EID_PREP:
1826 ++ case WLAN_EID_PERR:
1827 ++ case WLAN_EID_RANN:
1828 ++ case WLAN_EID_CHANNEL_SWITCH:
1829 ++ case WLAN_EID_EXT_CHANSWITCH_ANN:
1830 ++ case WLAN_EID_COUNTRY:
1831 ++ case WLAN_EID_PWR_CONSTRAINT:
1832 ++ case WLAN_EID_TIMEOUT_INTERVAL:
1833 ++ if (test_bit(id, seen_elems)) {
1834 ++ elems->parse_error = true;
1835 ++ left -= elen;
1836 ++ pos += elen;
1837 ++ continue;
1838 ++ }
1839 ++ break;
1840 + }
1841 +
1842 + if (calc_crc && id < 64 && (filter & (1ULL << id)))
1843 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
1844 +index 9172179..0426b67 100644
1845 +--- a/net/netlink/af_netlink.c
1846 ++++ b/net/netlink/af_netlink.c
1847 +@@ -138,6 +138,8 @@ static int netlink_dump(struct sock *sk);
1848 + static DEFINE_RWLOCK(nl_table_lock);
1849 + static atomic_t nl_table_users = ATOMIC_INIT(0);
1850 +
1851 ++#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
1852 ++
1853 + static ATOMIC_NOTIFIER_HEAD(netlink_chain);
1854 +
1855 + static inline u32 netlink_group_mask(u32 group)
1856 +@@ -345,6 +347,11 @@ netlink_update_listeners(struct sock *sk)
1857 + struct hlist_node *node;
1858 + unsigned long mask;
1859 + unsigned int i;
1860 ++ struct listeners *listeners;
1861 ++
1862 ++ listeners = nl_deref_protected(tbl->listeners);
1863 ++ if (!listeners)
1864 ++ return;
1865 +
1866 + for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
1867 + mask = 0;
1868 +@@ -352,7 +359,7 @@ netlink_update_listeners(struct sock *sk)
1869 + if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
1870 + mask |= nlk_sk(sk)->groups[i];
1871 + }
1872 +- tbl->listeners->masks[i] = mask;
1873 ++ listeners->masks[i] = mask;
1874 + }
1875 + /* this function is only called with the netlink table "grabbed", which
1876 + * makes sure updates are visible before bind or setsockopt return. */
1877 +@@ -536,7 +543,11 @@ static int netlink_release(struct socket *sock)
1878 + if (netlink_is_kernel(sk)) {
1879 + BUG_ON(nl_table[sk->sk_protocol].registered == 0);
1880 + if (--nl_table[sk->sk_protocol].registered == 0) {
1881 +- kfree(nl_table[sk->sk_protocol].listeners);
1882 ++ struct listeners *old;
1883 ++
1884 ++ old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
1885 ++ RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
1886 ++ kfree_rcu(old, rcu);
1887 + nl_table[sk->sk_protocol].module = NULL;
1888 + nl_table[sk->sk_protocol].registered = 0;
1889 + }
1890 +@@ -978,7 +989,7 @@ int netlink_has_listeners(struct sock *sk, unsigned int group)
1891 + rcu_read_lock();
1892 + listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
1893 +
1894 +- if (group - 1 < nl_table[sk->sk_protocol].groups)
1895 ++ if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
1896 + res = test_bit(group - 1, listeners->masks);
1897 +
1898 + rcu_read_unlock();
1899 +@@ -1620,7 +1631,7 @@ int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
1900 + new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
1901 + if (!new)
1902 + return -ENOMEM;
1903 +- old = rcu_dereference_protected(tbl->listeners, 1);
1904 ++ old = nl_deref_protected(tbl->listeners);
1905 + memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
1906 + rcu_assign_pointer(tbl->listeners, new);
1907 +
1908 +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
1909 +index fe99628..b1c5be3 100644
1910 +--- a/net/sctp/sm_sideeffect.c
1911 ++++ b/net/sctp/sm_sideeffect.c
1912 +@@ -1634,8 +1634,9 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
1913 + asoc->outqueue.outstanding_bytes;
1914 + sackh.num_gap_ack_blocks = 0;
1915 + sackh.num_dup_tsns = 0;
1916 ++ chunk->subh.sack_hdr = &sackh;
1917 + sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
1918 +- SCTP_SACKH(&sackh));
1919 ++ SCTP_CHUNK(chunk));
1920 + break;
1921 +
1922 + case SCTP_CMD_DISCARD_PACKET:
1923 +diff --git a/net/wireless/core.c b/net/wireless/core.c
1924 +index dcd64d5..5797032 100644
1925 +--- a/net/wireless/core.c
1926 ++++ b/net/wireless/core.c
1927 +@@ -506,8 +506,7 @@ int wiphy_register(struct wiphy *wiphy)
1928 + for (i = 0; i < sband->n_channels; i++) {
1929 + sband->channels[i].orig_flags =
1930 + sband->channels[i].flags;
1931 +- sband->channels[i].orig_mag =
1932 +- sband->channels[i].max_antenna_gain;
1933 ++ sband->channels[i].orig_mag = INT_MAX;
1934 + sband->channels[i].orig_mpwr =
1935 + sband->channels[i].max_power;
1936 + sband->channels[i].band = band;
1937 +diff --git a/net/wireless/util.c b/net/wireless/util.c
1938 +index 994e2f0..09afde7 100644
1939 +--- a/net/wireless/util.c
1940 ++++ b/net/wireless/util.c
1941 +@@ -309,23 +309,21 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
1942 + }
1943 + EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
1944 +
1945 +-static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
1946 ++unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
1947 + {
1948 + int ae = meshhdr->flags & MESH_FLAGS_AE;
1949 +- /* 7.1.3.5a.2 */
1950 ++ /* 802.11-2012, 8.2.4.7.3 */
1951 + switch (ae) {
1952 ++ default:
1953 + case 0:
1954 + return 6;
1955 + case MESH_FLAGS_AE_A4:
1956 + return 12;
1957 + case MESH_FLAGS_AE_A5_A6:
1958 + return 18;
1959 +- case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
1960 +- return 24;
1961 +- default:
1962 +- return 6;
1963 + }
1964 + }
1965 ++EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
1966 +
1967 + int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
1968 + enum nl80211_iftype iftype)
1969 +@@ -373,6 +371,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
1970 + /* make sure meshdr->flags is on the linear part */
1971 + if (!pskb_may_pull(skb, hdrlen + 1))
1972 + return -1;
1973 ++ if (meshdr->flags & MESH_FLAGS_AE_A4)
1974 ++ return -1;
1975 + if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
1976 + skb_copy_bits(skb, hdrlen +
1977 + offsetof(struct ieee80211s_hdr, eaddr1),
1978 +@@ -397,6 +397,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
1979 + /* make sure meshdr->flags is on the linear part */
1980 + if (!pskb_may_pull(skb, hdrlen + 1))
1981 + return -1;
1982 ++ if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
1983 ++ return -1;
1984 + if (meshdr->flags & MESH_FLAGS_AE_A4)
1985 + skb_copy_bits(skb, hdrlen +
1986 + offsetof(struct ieee80211s_hdr, eaddr1),
1987 +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
1988 +index eb60cb8..d5103f7 100644
1989 +--- a/sound/core/compress_offload.c
1990 ++++ b/sound/core/compress_offload.c
1991 +@@ -100,12 +100,15 @@ static int snd_compr_open(struct inode *inode, struct file *f)
1992 +
1993 + if (dirn != compr->direction) {
1994 + pr_err("this device doesn't support this direction\n");
1995 ++ snd_card_unref(compr->card);
1996 + return -EINVAL;
1997 + }
1998 +
1999 + data = kzalloc(sizeof(*data), GFP_KERNEL);
2000 +- if (!data)
2001 ++ if (!data) {
2002 ++ snd_card_unref(compr->card);
2003 + return -ENOMEM;
2004 ++ }
2005 + data->stream.ops = compr->ops;
2006 + data->stream.direction = dirn;
2007 + data->stream.private_data = compr->private_data;
2008 +@@ -113,6 +116,7 @@ static int snd_compr_open(struct inode *inode, struct file *f)
2009 + runtime = kzalloc(sizeof(*runtime), GFP_KERNEL);
2010 + if (!runtime) {
2011 + kfree(data);
2012 ++ snd_card_unref(compr->card);
2013 + return -ENOMEM;
2014 + }
2015 + runtime->state = SNDRV_PCM_STATE_OPEN;
2016 +@@ -126,7 +130,8 @@ static int snd_compr_open(struct inode *inode, struct file *f)
2017 + kfree(runtime);
2018 + kfree(data);
2019 + }
2020 +- return ret;
2021 ++ snd_card_unref(compr->card);
2022 ++ return 0;
2023 + }
2024 +
2025 + static int snd_compr_free(struct inode *inode, struct file *f)
2026 +diff --git a/sound/core/control.c b/sound/core/control.c
2027 +index 2487a6b..daa4fc8 100644
2028 +--- a/sound/core/control.c
2029 ++++ b/sound/core/control.c
2030 +@@ -86,6 +86,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
2031 + write_lock_irqsave(&card->ctl_files_rwlock, flags);
2032 + list_add_tail(&ctl->list, &card->ctl_files);
2033 + write_unlock_irqrestore(&card->ctl_files_rwlock, flags);
2034 ++ snd_card_unref(card);
2035 + return 0;
2036 +
2037 + __error:
2038 +@@ -93,6 +94,8 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
2039 + __error2:
2040 + snd_card_file_remove(card, file);
2041 + __error1:
2042 ++ if (card)
2043 ++ snd_card_unref(card);
2044 + return err;
2045 + }
2046 +
2047 +@@ -1433,6 +1436,8 @@ static ssize_t snd_ctl_read(struct file *file, char __user *buffer,
2048 + spin_unlock_irq(&ctl->read_lock);
2049 + schedule();
2050 + remove_wait_queue(&ctl->change_sleep, &wait);
2051 ++ if (ctl->card->shutdown)
2052 ++ return -ENODEV;
2053 + if (signal_pending(current))
2054 + return -ERESTARTSYS;
2055 + spin_lock_irq(&ctl->read_lock);
2056 +diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
2057 +index 75ea16f..3f7f662 100644
2058 +--- a/sound/core/hwdep.c
2059 ++++ b/sound/core/hwdep.c
2060 +@@ -100,8 +100,10 @@ static int snd_hwdep_open(struct inode *inode, struct file * file)
2061 + if (hw == NULL)
2062 + return -ENODEV;
2063 +
2064 +- if (!try_module_get(hw->card->module))
2065 ++ if (!try_module_get(hw->card->module)) {
2066 ++ snd_card_unref(hw->card);
2067 + return -EFAULT;
2068 ++ }
2069 +
2070 + init_waitqueue_entry(&wait, current);
2071 + add_wait_queue(&hw->open_wait, &wait);
2072 +@@ -129,6 +131,10 @@ static int snd_hwdep_open(struct inode *inode, struct file * file)
2073 + mutex_unlock(&hw->open_mutex);
2074 + schedule();
2075 + mutex_lock(&hw->open_mutex);
2076 ++ if (hw->card->shutdown) {
2077 ++ err = -ENODEV;
2078 ++ break;
2079 ++ }
2080 + if (signal_pending(current)) {
2081 + err = -ERESTARTSYS;
2082 + break;
2083 +@@ -148,6 +154,7 @@ static int snd_hwdep_open(struct inode *inode, struct file * file)
2084 + mutex_unlock(&hw->open_mutex);
2085 + if (err < 0)
2086 + module_put(hw->card->module);
2087 ++ snd_card_unref(hw->card);
2088 + return err;
2089 + }
2090 +
2091 +@@ -459,12 +466,15 @@ static int snd_hwdep_dev_disconnect(struct snd_device *device)
2092 + mutex_unlock(&register_mutex);
2093 + return -EINVAL;
2094 + }
2095 ++ mutex_lock(&hwdep->open_mutex);
2096 ++ wake_up(&hwdep->open_wait);
2097 + #ifdef CONFIG_SND_OSSEMUL
2098 + if (hwdep->ossreg)
2099 + snd_unregister_oss_device(hwdep->oss_type, hwdep->card, hwdep->device);
2100 + #endif
2101 + snd_unregister_device(SNDRV_DEVICE_TYPE_HWDEP, hwdep->card, hwdep->device);
2102 + list_del_init(&hwdep->list);
2103 ++ mutex_unlock(&hwdep->open_mutex);
2104 + mutex_unlock(&register_mutex);
2105 + return 0;
2106 + }
2107 +diff --git a/sound/core/init.c b/sound/core/init.c
2108 +index d8ec849..7b012d1 100644
2109 +--- a/sound/core/init.c
2110 ++++ b/sound/core/init.c
2111 +@@ -213,6 +213,7 @@ int snd_card_create(int idx, const char *xid,
2112 + spin_lock_init(&card->files_lock);
2113 + INIT_LIST_HEAD(&card->files_list);
2114 + init_waitqueue_head(&card->shutdown_sleep);
2115 ++ atomic_set(&card->refcount, 0);
2116 + #ifdef CONFIG_PM
2117 + mutex_init(&card->power_lock);
2118 + init_waitqueue_head(&card->power_sleep);
2119 +@@ -446,21 +447,36 @@ static int snd_card_do_free(struct snd_card *card)
2120 + return 0;
2121 + }
2122 +
2123 ++/**
2124 ++ * snd_card_unref - release the reference counter
2125 ++ * @card: the card instance
2126 ++ *
2127 ++ * Decrements the reference counter. When it reaches to zero, wake up
2128 ++ * the sleeper and call the destructor if needed.
2129 ++ */
2130 ++void snd_card_unref(struct snd_card *card)
2131 ++{
2132 ++ if (atomic_dec_and_test(&card->refcount)) {
2133 ++ wake_up(&card->shutdown_sleep);
2134 ++ if (card->free_on_last_close)
2135 ++ snd_card_do_free(card);
2136 ++ }
2137 ++}
2138 ++EXPORT_SYMBOL(snd_card_unref);
2139 ++
2140 + int snd_card_free_when_closed(struct snd_card *card)
2141 + {
2142 +- int free_now = 0;
2143 +- int ret = snd_card_disconnect(card);
2144 +- if (ret)
2145 +- return ret;
2146 ++ int ret;
2147 +
2148 +- spin_lock(&card->files_lock);
2149 +- if (list_empty(&card->files_list))
2150 +- free_now = 1;
2151 +- else
2152 +- card->free_on_last_close = 1;
2153 +- spin_unlock(&card->files_lock);
2154 ++ atomic_inc(&card->refcount);
2155 ++ ret = snd_card_disconnect(card);
2156 ++ if (ret) {
2157 ++ atomic_dec(&card->refcount);
2158 ++ return ret;
2159 ++ }
2160 +
2161 +- if (free_now)
2162 ++ card->free_on_last_close = 1;
2163 ++ if (atomic_dec_and_test(&card->refcount))
2164 + snd_card_do_free(card);
2165 + return 0;
2166 + }
2167 +@@ -474,7 +490,7 @@ int snd_card_free(struct snd_card *card)
2168 + return ret;
2169 +
2170 + /* wait, until all devices are ready for the free operation */
2171 +- wait_event(card->shutdown_sleep, list_empty(&card->files_list));
2172 ++ wait_event(card->shutdown_sleep, !atomic_read(&card->refcount));
2173 + snd_card_do_free(card);
2174 + return 0;
2175 + }
2176 +@@ -886,6 +902,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
2177 + return -ENODEV;
2178 + }
2179 + list_add(&mfile->list, &card->files_list);
2180 ++ atomic_inc(&card->refcount);
2181 + spin_unlock(&card->files_lock);
2182 + return 0;
2183 + }
2184 +@@ -908,7 +925,6 @@ EXPORT_SYMBOL(snd_card_file_add);
2185 + int snd_card_file_remove(struct snd_card *card, struct file *file)
2186 + {
2187 + struct snd_monitor_file *mfile, *found = NULL;
2188 +- int last_close = 0;
2189 +
2190 + spin_lock(&card->files_lock);
2191 + list_for_each_entry(mfile, &card->files_list, list) {
2192 +@@ -923,19 +939,13 @@ int snd_card_file_remove(struct snd_card *card, struct file *file)
2193 + break;
2194 + }
2195 + }
2196 +- if (list_empty(&card->files_list))
2197 +- last_close = 1;
2198 + spin_unlock(&card->files_lock);
2199 +- if (last_close) {
2200 +- wake_up(&card->shutdown_sleep);
2201 +- if (card->free_on_last_close)
2202 +- snd_card_do_free(card);
2203 +- }
2204 + if (!found) {
2205 + snd_printk(KERN_ERR "ALSA card file remove problem (%p)\n", file);
2206 + return -ENOENT;
2207 + }
2208 + kfree(found);
2209 ++ snd_card_unref(card);
2210 + return 0;
2211 + }
2212 +
2213 +diff --git a/sound/core/oss/mixer_oss.c b/sound/core/oss/mixer_oss.c
2214 +index 18297f7..c353768 100644
2215 +--- a/sound/core/oss/mixer_oss.c
2216 ++++ b/sound/core/oss/mixer_oss.c
2217 +@@ -52,14 +52,19 @@ static int snd_mixer_oss_open(struct inode *inode, struct file *file)
2218 + SNDRV_OSS_DEVICE_TYPE_MIXER);
2219 + if (card == NULL)
2220 + return -ENODEV;
2221 +- if (card->mixer_oss == NULL)
2222 ++ if (card->mixer_oss == NULL) {
2223 ++ snd_card_unref(card);
2224 + return -ENODEV;
2225 ++ }
2226 + err = snd_card_file_add(card, file);
2227 +- if (err < 0)
2228 ++ if (err < 0) {
2229 ++ snd_card_unref(card);
2230 + return err;
2231 ++ }
2232 + fmixer = kzalloc(sizeof(*fmixer), GFP_KERNEL);
2233 + if (fmixer == NULL) {
2234 + snd_card_file_remove(card, file);
2235 ++ snd_card_unref(card);
2236 + return -ENOMEM;
2237 + }
2238 + fmixer->card = card;
2239 +@@ -68,8 +73,10 @@ static int snd_mixer_oss_open(struct inode *inode, struct file *file)
2240 + if (!try_module_get(card->module)) {
2241 + kfree(fmixer);
2242 + snd_card_file_remove(card, file);
2243 ++ snd_card_unref(card);
2244 + return -EFAULT;
2245 + }
2246 ++ snd_card_unref(card);
2247 + return 0;
2248 + }
2249 +
2250 +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
2251 +index 08fde00..4c1cc51 100644
2252 +--- a/sound/core/oss/pcm_oss.c
2253 ++++ b/sound/core/oss/pcm_oss.c
2254 +@@ -2441,6 +2441,10 @@ static int snd_pcm_oss_open(struct inode *inode, struct file *file)
2255 + mutex_unlock(&pcm->open_mutex);
2256 + schedule();
2257 + mutex_lock(&pcm->open_mutex);
2258 ++ if (pcm->card->shutdown) {
2259 ++ err = -ENODEV;
2260 ++ break;
2261 ++ }
2262 + if (signal_pending(current)) {
2263 + err = -ERESTARTSYS;
2264 + break;
2265 +@@ -2450,6 +2454,7 @@ static int snd_pcm_oss_open(struct inode *inode, struct file *file)
2266 + mutex_unlock(&pcm->open_mutex);
2267 + if (err < 0)
2268 + goto __error;
2269 ++ snd_card_unref(pcm->card);
2270 + return err;
2271 +
2272 + __error:
2273 +@@ -2457,6 +2462,8 @@ static int snd_pcm_oss_open(struct inode *inode, struct file *file)
2274 + __error2:
2275 + snd_card_file_remove(pcm->card, file);
2276 + __error1:
2277 ++ if (pcm)
2278 ++ snd_card_unref(pcm->card);
2279 + return err;
2280 + }
2281 +
2282 +diff --git a/sound/core/pcm.c b/sound/core/pcm.c
2283 +index 1a3070b..e30e1be 100644
2284 +--- a/sound/core/pcm.c
2285 ++++ b/sound/core/pcm.c
2286 +@@ -1086,11 +1086,19 @@ static int snd_pcm_dev_disconnect(struct snd_device *device)
2287 + if (list_empty(&pcm->list))
2288 + goto unlock;
2289 +
2290 ++ mutex_lock(&pcm->open_mutex);
2291 ++ wake_up(&pcm->open_wait);
2292 + list_del_init(&pcm->list);
2293 + for (cidx = 0; cidx < 2; cidx++)
2294 +- for (substream = pcm->streams[cidx].substream; substream; substream = substream->next)
2295 +- if (substream->runtime)
2296 ++ for (substream = pcm->streams[cidx].substream; substream; substream = substream->next) {
2297 ++ snd_pcm_stream_lock_irq(substream);
2298 ++ if (substream->runtime) {
2299 + substream->runtime->status->state = SNDRV_PCM_STATE_DISCONNECTED;
2300 ++ wake_up(&substream->runtime->sleep);
2301 ++ wake_up(&substream->runtime->tsleep);
2302 ++ }
2303 ++ snd_pcm_stream_unlock_irq(substream);
2304 ++ }
2305 + list_for_each_entry(notify, &snd_pcm_notify_list, list) {
2306 + notify->n_disconnect(pcm);
2307 + }
2308 +@@ -1106,6 +1114,7 @@ static int snd_pcm_dev_disconnect(struct snd_device *device)
2309 + }
2310 + snd_unregister_device(devtype, pcm->card, pcm->device);
2311 + }
2312 ++ mutex_unlock(&pcm->open_mutex);
2313 + unlock:
2314 + mutex_unlock(&register_mutex);
2315 + return 0;
2316 +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
2317 +index 53b5ada..bf3bf43 100644
2318 +--- a/sound/core/pcm_native.c
2319 ++++ b/sound/core/pcm_native.c
2320 +@@ -369,6 +369,14 @@ static int period_to_usecs(struct snd_pcm_runtime *runtime)
2321 + return usecs;
2322 + }
2323 +
2324 ++static void snd_pcm_set_state(struct snd_pcm_substream *substream, int state)
2325 ++{
2326 ++ snd_pcm_stream_lock_irq(substream);
2327 ++ if (substream->runtime->status->state != SNDRV_PCM_STATE_DISCONNECTED)
2328 ++ substream->runtime->status->state = state;
2329 ++ snd_pcm_stream_unlock_irq(substream);
2330 ++}
2331 ++
2332 + static int snd_pcm_hw_params(struct snd_pcm_substream *substream,
2333 + struct snd_pcm_hw_params *params)
2334 + {
2335 +@@ -452,7 +460,7 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream,
2336 + runtime->boundary *= 2;
2337 +
2338 + snd_pcm_timer_resolution_change(substream);
2339 +- runtime->status->state = SNDRV_PCM_STATE_SETUP;
2340 ++ snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP);
2341 +
2342 + if (pm_qos_request_active(&substream->latency_pm_qos_req))
2343 + pm_qos_remove_request(&substream->latency_pm_qos_req);
2344 +@@ -464,7 +472,7 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream,
2345 + /* hardware might be unusable from this time,
2346 + so we force application to retry to set
2347 + the correct hardware parameter settings */
2348 +- runtime->status->state = SNDRV_PCM_STATE_OPEN;
2349 ++ snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
2350 + if (substream->ops->hw_free != NULL)
2351 + substream->ops->hw_free(substream);
2352 + return err;
2353 +@@ -512,7 +520,7 @@ static int snd_pcm_hw_free(struct snd_pcm_substream *substream)
2354 + return -EBADFD;
2355 + if (substream->ops->hw_free)
2356 + result = substream->ops->hw_free(substream);
2357 +- runtime->status->state = SNDRV_PCM_STATE_OPEN;
2358 ++ snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
2359 + pm_qos_remove_request(&substream->latency_pm_qos_req);
2360 + return result;
2361 + }
2362 +@@ -1320,7 +1328,7 @@ static void snd_pcm_post_prepare(struct snd_pcm_substream *substream, int state)
2363 + {
2364 + struct snd_pcm_runtime *runtime = substream->runtime;
2365 + runtime->control->appl_ptr = runtime->status->hw_ptr;
2366 +- runtime->status->state = SNDRV_PCM_STATE_PREPARED;
2367 ++ snd_pcm_set_state(substream, SNDRV_PCM_STATE_PREPARED);
2368 + }
2369 +
2370 + static struct action_ops snd_pcm_action_prepare = {
2371 +@@ -1510,6 +1518,10 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
2372 + down_read(&snd_pcm_link_rwsem);
2373 + snd_pcm_stream_lock_irq(substream);
2374 + remove_wait_queue(&to_check->sleep, &wait);
2375 ++ if (card->shutdown) {
2376 ++ result = -ENODEV;
2377 ++ break;
2378 ++ }
2379 + if (tout == 0) {
2380 + if (substream->runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
2381 + result = -ESTRPIPE;
2382 +@@ -1633,6 +1645,7 @@ static int snd_pcm_link(struct snd_pcm_substream *substream, int fd)
2383 + write_unlock_irq(&snd_pcm_link_rwlock);
2384 + up_write(&snd_pcm_link_rwsem);
2385 + _nolock:
2386 ++ snd_card_unref(substream1->pcm->card);
2387 + fput(file);
2388 + if (res < 0)
2389 + kfree(group);
2390 +@@ -2107,7 +2120,10 @@ static int snd_pcm_playback_open(struct inode *inode, struct file *file)
2391 + return err;
2392 + pcm = snd_lookup_minor_data(iminor(inode),
2393 + SNDRV_DEVICE_TYPE_PCM_PLAYBACK);
2394 +- return snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_PLAYBACK);
2395 ++ err = snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_PLAYBACK);
2396 ++ if (pcm)
2397 ++ snd_card_unref(pcm->card);
2398 ++ return err;
2399 + }
2400 +
2401 + static int snd_pcm_capture_open(struct inode *inode, struct file *file)
2402 +@@ -2118,7 +2134,10 @@ static int snd_pcm_capture_open(struct inode *inode, struct file *file)
2403 + return err;
2404 + pcm = snd_lookup_minor_data(iminor(inode),
2405 + SNDRV_DEVICE_TYPE_PCM_CAPTURE);
2406 +- return snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_CAPTURE);
2407 ++ err = snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_CAPTURE);
2408 ++ if (pcm)
2409 ++ snd_card_unref(pcm->card);
2410 ++ return err;
2411 + }
2412 +
2413 + static int snd_pcm_open(struct file *file, struct snd_pcm *pcm, int stream)
2414 +@@ -2155,6 +2174,10 @@ static int snd_pcm_open(struct file *file, struct snd_pcm *pcm, int stream)
2415 + mutex_unlock(&pcm->open_mutex);
2416 + schedule();
2417 + mutex_lock(&pcm->open_mutex);
2418 ++ if (pcm->card->shutdown) {
2419 ++ err = -ENODEV;
2420 ++ break;
2421 ++ }
2422 + if (signal_pending(current)) {
2423 + err = -ERESTARTSYS;
2424 + break;
2425 +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
2426 +index ebf6e49..1bb95ae 100644
2427 +--- a/sound/core/rawmidi.c
2428 ++++ b/sound/core/rawmidi.c
2429 +@@ -379,8 +379,10 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2430 + if (rmidi == NULL)
2431 + return -ENODEV;
2432 +
2433 +- if (!try_module_get(rmidi->card->module))
2434 ++ if (!try_module_get(rmidi->card->module)) {
2435 ++ snd_card_unref(rmidi->card);
2436 + return -ENXIO;
2437 ++ }
2438 +
2439 + mutex_lock(&rmidi->open_mutex);
2440 + card = rmidi->card;
2441 +@@ -422,6 +424,10 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2442 + mutex_unlock(&rmidi->open_mutex);
2443 + schedule();
2444 + mutex_lock(&rmidi->open_mutex);
2445 ++ if (rmidi->card->shutdown) {
2446 ++ err = -ENODEV;
2447 ++ break;
2448 ++ }
2449 + if (signal_pending(current)) {
2450 + err = -ERESTARTSYS;
2451 + break;
2452 +@@ -440,6 +446,7 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2453 + #endif
2454 + file->private_data = rawmidi_file;
2455 + mutex_unlock(&rmidi->open_mutex);
2456 ++ snd_card_unref(rmidi->card);
2457 + return 0;
2458 +
2459 + __error:
2460 +@@ -447,6 +454,7 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2461 + __error_card:
2462 + mutex_unlock(&rmidi->open_mutex);
2463 + module_put(rmidi->card->module);
2464 ++ snd_card_unref(rmidi->card);
2465 + return err;
2466 + }
2467 +
2468 +@@ -991,6 +999,8 @@ static ssize_t snd_rawmidi_read(struct file *file, char __user *buf, size_t coun
2469 + spin_unlock_irq(&runtime->lock);
2470 + schedule();
2471 + remove_wait_queue(&runtime->sleep, &wait);
2472 ++ if (rfile->rmidi->card->shutdown)
2473 ++ return -ENODEV;
2474 + if (signal_pending(current))
2475 + return result > 0 ? result : -ERESTARTSYS;
2476 + if (!runtime->avail)
2477 +@@ -1234,6 +1244,8 @@ static ssize_t snd_rawmidi_write(struct file *file, const char __user *buf,
2478 + spin_unlock_irq(&runtime->lock);
2479 + timeout = schedule_timeout(30 * HZ);
2480 + remove_wait_queue(&runtime->sleep, &wait);
2481 ++ if (rfile->rmidi->card->shutdown)
2482 ++ return -ENODEV;
2483 + if (signal_pending(current))
2484 + return result > 0 ? result : -ERESTARTSYS;
2485 + if (!runtime->avail && !timeout)
2486 +@@ -1609,9 +1621,20 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
2487 + static int snd_rawmidi_dev_disconnect(struct snd_device *device)
2488 + {
2489 + struct snd_rawmidi *rmidi = device->device_data;
2490 ++ int dir;
2491 +
2492 + mutex_lock(&register_mutex);
2493 ++ mutex_lock(&rmidi->open_mutex);
2494 ++ wake_up(&rmidi->open_wait);
2495 + list_del_init(&rmidi->list);
2496 ++ for (dir = 0; dir < 2; dir++) {
2497 ++ struct snd_rawmidi_substream *s;
2498 ++ list_for_each_entry(s, &rmidi->streams[dir].substreams, list) {
2499 ++ if (s->runtime)
2500 ++ wake_up(&s->runtime->sleep);
2501 ++ }
2502 ++ }
2503 ++
2504 + #ifdef CONFIG_SND_OSSEMUL
2505 + if (rmidi->ossreg) {
2506 + if ((int)rmidi->device == midi_map[rmidi->card->number]) {
2507 +@@ -1626,6 +1649,7 @@ static int snd_rawmidi_dev_disconnect(struct snd_device *device)
2508 + }
2509 + #endif /* CONFIG_SND_OSSEMUL */
2510 + snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
2511 ++ mutex_unlock(&rmidi->open_mutex);
2512 + mutex_unlock(&register_mutex);
2513 + return 0;
2514 + }
2515 +diff --git a/sound/core/sound.c b/sound/core/sound.c
2516 +index 28f3559..3700d96 100644
2517 +--- a/sound/core/sound.c
2518 ++++ b/sound/core/sound.c
2519 +@@ -99,6 +99,10 @@ static void snd_request_other(int minor)
2520 + *
2521 + * Checks that a minor device with the specified type is registered, and returns
2522 + * its user data pointer.
2523 ++ *
2524 ++ * This function increments the reference counter of the card instance
2525 ++ * if an associated instance with the given minor number and type is found.
2526 ++ * The caller must call snd_card_unref() appropriately later.
2527 + */
2528 + void *snd_lookup_minor_data(unsigned int minor, int type)
2529 + {
2530 +@@ -109,9 +113,11 @@ void *snd_lookup_minor_data(unsigned int minor, int type)
2531 + return NULL;
2532 + mutex_lock(&sound_mutex);
2533 + mreg = snd_minors[minor];
2534 +- if (mreg && mreg->type == type)
2535 ++ if (mreg && mreg->type == type) {
2536 + private_data = mreg->private_data;
2537 +- else
2538 ++ if (private_data && mreg->card_ptr)
2539 ++ atomic_inc(&mreg->card_ptr->refcount);
2540 ++ } else
2541 + private_data = NULL;
2542 + mutex_unlock(&sound_mutex);
2543 + return private_data;
2544 +@@ -276,6 +282,7 @@ int snd_register_device_for_dev(int type, struct snd_card *card, int dev,
2545 + preg->device = dev;
2546 + preg->f_ops = f_ops;
2547 + preg->private_data = private_data;
2548 ++ preg->card_ptr = card;
2549 + mutex_lock(&sound_mutex);
2550 + #ifdef CONFIG_SND_DYNAMIC_MINORS
2551 + minor = snd_find_free_minor(type);
2552 +diff --git a/sound/core/sound_oss.c b/sound/core/sound_oss.c
2553 +index e952833..726a49a 100644
2554 +--- a/sound/core/sound_oss.c
2555 ++++ b/sound/core/sound_oss.c
2556 +@@ -40,6 +40,9 @@
2557 + static struct snd_minor *snd_oss_minors[SNDRV_OSS_MINORS];
2558 + static DEFINE_MUTEX(sound_oss_mutex);
2559 +
2560 ++/* NOTE: This function increments the refcount of the associated card like
2561 ++ * snd_lookup_minor_data(); the caller must call snd_card_unref() appropriately
2562 ++ */
2563 + void *snd_lookup_oss_minor_data(unsigned int minor, int type)
2564 + {
2565 + struct snd_minor *mreg;
2566 +@@ -49,9 +52,11 @@ void *snd_lookup_oss_minor_data(unsigned int minor, int type)
2567 + return NULL;
2568 + mutex_lock(&sound_oss_mutex);
2569 + mreg = snd_oss_minors[minor];
2570 +- if (mreg && mreg->type == type)
2571 ++ if (mreg && mreg->type == type) {
2572 + private_data = mreg->private_data;
2573 +- else
2574 ++ if (private_data && mreg->card_ptr)
2575 ++ atomic_inc(&mreg->card_ptr->refcount);
2576 ++ } else
2577 + private_data = NULL;
2578 + mutex_unlock(&sound_oss_mutex);
2579 + return private_data;
2580 +@@ -123,6 +128,7 @@ int snd_register_oss_device(int type, struct snd_card *card, int dev,
2581 + preg->device = dev;
2582 + preg->f_ops = f_ops;
2583 + preg->private_data = private_data;
2584 ++ preg->card_ptr = card;
2585 + mutex_lock(&sound_oss_mutex);
2586 + snd_oss_minors[minor] = preg;
2587 + minor_unit = SNDRV_MINOR_OSS_DEVICE(minor);
2588 +diff --git a/sound/usb/card.c b/sound/usb/card.c
2589 +index 4a469f0..b3f5ad4 100644
2590 +--- a/sound/usb/card.c
2591 ++++ b/sound/usb/card.c
2592 +@@ -339,7 +339,7 @@ static int snd_usb_audio_create(struct usb_device *dev, int idx,
2593 + }
2594 +
2595 + mutex_init(&chip->mutex);
2596 +- mutex_init(&chip->shutdown_mutex);
2597 ++ init_rwsem(&chip->shutdown_rwsem);
2598 + chip->index = idx;
2599 + chip->dev = dev;
2600 + chip->card = card;
2601 +@@ -559,9 +559,11 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
2602 + return;
2603 +
2604 + card = chip->card;
2605 +- mutex_lock(&register_mutex);
2606 +- mutex_lock(&chip->shutdown_mutex);
2607 ++ down_write(&chip->shutdown_rwsem);
2608 + chip->shutdown = 1;
2609 ++ up_write(&chip->shutdown_rwsem);
2610 ++
2611 ++ mutex_lock(&register_mutex);
2612 + chip->num_interfaces--;
2613 + if (chip->num_interfaces <= 0) {
2614 + snd_card_disconnect(card);
2615 +@@ -582,11 +584,9 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
2616 + snd_usb_mixer_disconnect(p);
2617 + }
2618 + usb_chip[chip->index] = NULL;
2619 +- mutex_unlock(&chip->shutdown_mutex);
2620 + mutex_unlock(&register_mutex);
2621 + snd_card_free_when_closed(card);
2622 + } else {
2623 +- mutex_unlock(&chip->shutdown_mutex);
2624 + mutex_unlock(&register_mutex);
2625 + }
2626 + }
2627 +@@ -618,16 +618,20 @@ int snd_usb_autoresume(struct snd_usb_audio *chip)
2628 + {
2629 + int err = -ENODEV;
2630 +
2631 ++ down_read(&chip->shutdown_rwsem);
2632 + if (!chip->shutdown && !chip->probing)
2633 + err = usb_autopm_get_interface(chip->pm_intf);
2634 ++ up_read(&chip->shutdown_rwsem);
2635 +
2636 + return err;
2637 + }
2638 +
2639 + void snd_usb_autosuspend(struct snd_usb_audio *chip)
2640 + {
2641 ++ down_read(&chip->shutdown_rwsem);
2642 + if (!chip->shutdown && !chip->probing)
2643 + usb_autopm_put_interface(chip->pm_intf);
2644 ++ up_read(&chip->shutdown_rwsem);
2645 + }
2646 +
2647 + static int usb_audio_suspend(struct usb_interface *intf, pm_message_t message)
2648 +diff --git a/sound/usb/card.h b/sound/usb/card.h
2649 +index d9d2b5a..6e262c5 100644
2650 +--- a/sound/usb/card.h
2651 ++++ b/sound/usb/card.h
2652 +@@ -125,6 +125,7 @@ struct snd_usb_substream {
2653 + struct snd_usb_endpoint *data_endpoint;
2654 + struct snd_usb_endpoint *sync_endpoint;
2655 + unsigned long flags;
2656 ++ unsigned int speed; /* USB_SPEED_XXX */
2657 +
2658 + u64 formats; /* format bitmasks (all or'ed) */
2659 + unsigned int num_formats; /* number of supported audio formats (list) */
2660 +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
2661 +index fe56c9d..298070e 100644
2662 +--- a/sound/usb/mixer.c
2663 ++++ b/sound/usb/mixer.c
2664 +@@ -287,25 +287,32 @@ static int get_ctl_value_v1(struct usb_mixer_elem_info *cval, int request, int v
2665 + unsigned char buf[2];
2666 + int val_len = cval->val_type >= USB_MIXER_S16 ? 2 : 1;
2667 + int timeout = 10;
2668 +- int err;
2669 ++ int idx = 0, err;
2670 +
2671 + err = snd_usb_autoresume(cval->mixer->chip);
2672 + if (err < 0)
2673 + return -EIO;
2674 ++ down_read(&chip->shutdown_rwsem);
2675 + while (timeout-- > 0) {
2676 ++ if (chip->shutdown)
2677 ++ break;
2678 ++ idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
2679 + if (snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), request,
2680 + USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
2681 +- validx, snd_usb_ctrl_intf(chip) | (cval->id << 8),
2682 +- buf, val_len) >= val_len) {
2683 ++ validx, idx, buf, val_len) >= val_len) {
2684 + *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(buf, val_len));
2685 +- snd_usb_autosuspend(cval->mixer->chip);
2686 +- return 0;
2687 ++ err = 0;
2688 ++ goto out;
2689 + }
2690 + }
2691 +- snd_usb_autosuspend(cval->mixer->chip);
2692 + snd_printdd(KERN_ERR "cannot get ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n",
2693 +- request, validx, snd_usb_ctrl_intf(chip) | (cval->id << 8), cval->val_type);
2694 +- return -EINVAL;
2695 ++ request, validx, idx, cval->val_type);
2696 ++ err = -EINVAL;
2697 ++
2698 ++ out:
2699 ++ up_read(&chip->shutdown_rwsem);
2700 ++ snd_usb_autosuspend(cval->mixer->chip);
2701 ++ return err;
2702 + }
2703 +
2704 + static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int validx, int *value_ret)
2705 +@@ -313,7 +320,7 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int v
2706 + struct snd_usb_audio *chip = cval->mixer->chip;
2707 + unsigned char buf[2 + 3*sizeof(__u16)]; /* enough space for one range */
2708 + unsigned char *val;
2709 +- int ret, size;
2710 ++ int idx = 0, ret, size;
2711 + __u8 bRequest;
2712 +
2713 + if (request == UAC_GET_CUR) {
2714 +@@ -330,16 +337,22 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int v
2715 + if (ret)
2716 + goto error;
2717 +
2718 +- ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), bRequest,
2719 ++ down_read(&chip->shutdown_rwsem);
2720 ++ if (chip->shutdown)
2721 ++ ret = -ENODEV;
2722 ++ else {
2723 ++ idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
2724 ++ ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), bRequest,
2725 + USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
2726 +- validx, snd_usb_ctrl_intf(chip) | (cval->id << 8),
2727 +- buf, size);
2728 ++ validx, idx, buf, size);
2729 ++ }
2730 ++ up_read(&chip->shutdown_rwsem);
2731 + snd_usb_autosuspend(chip);
2732 +
2733 + if (ret < 0) {
2734 + error:
2735 + snd_printk(KERN_ERR "cannot get ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n",
2736 +- request, validx, snd_usb_ctrl_intf(chip) | (cval->id << 8), cval->val_type);
2737 ++ request, validx, idx, cval->val_type);
2738 + return ret;
2739 + }
2740 +
2741 +@@ -417,7 +430,7 @@ int snd_usb_mixer_set_ctl_value(struct usb_mixer_elem_info *cval,
2742 + {
2743 + struct snd_usb_audio *chip = cval->mixer->chip;
2744 + unsigned char buf[2];
2745 +- int val_len, err, timeout = 10;
2746 ++ int idx = 0, val_len, err, timeout = 10;
2747 +
2748 + if (cval->mixer->protocol == UAC_VERSION_1) {
2749 + val_len = cval->val_type >= USB_MIXER_S16 ? 2 : 1;
2750 +@@ -440,19 +453,27 @@ int snd_usb_mixer_set_ctl_value(struct usb_mixer_elem_info *cval,
2751 + err = snd_usb_autoresume(chip);
2752 + if (err < 0)
2753 + return -EIO;
2754 +- while (timeout-- > 0)
2755 ++ down_read(&chip->shutdown_rwsem);
2756 ++ while (timeout-- > 0) {
2757 ++ if (chip->shutdown)
2758 ++ break;
2759 ++ idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
2760 + if (snd_usb_ctl_msg(chip->dev,
2761 + usb_sndctrlpipe(chip->dev, 0), request,
2762 + USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
2763 +- validx, snd_usb_ctrl_intf(chip) | (cval->id << 8),
2764 +- buf, val_len) >= 0) {
2765 +- snd_usb_autosuspend(chip);
2766 +- return 0;
2767 ++ validx, idx, buf, val_len) >= 0) {
2768 ++ err = 0;
2769 ++ goto out;
2770 + }
2771 +- snd_usb_autosuspend(chip);
2772 ++ }
2773 + snd_printdd(KERN_ERR "cannot set ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d, data = %#x/%#x\n",
2774 +- request, validx, snd_usb_ctrl_intf(chip) | (cval->id << 8), cval->val_type, buf[0], buf[1]);
2775 +- return -EINVAL;
2776 ++ request, validx, idx, cval->val_type, buf[0], buf[1]);
2777 ++ err = -EINVAL;
2778 ++
2779 ++ out:
2780 ++ up_read(&chip->shutdown_rwsem);
2781 ++ snd_usb_autosuspend(chip);
2782 ++ return err;
2783 + }
2784 +
2785 + static int set_cur_ctl_value(struct usb_mixer_elem_info *cval, int validx, int value)
2786 +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
2787 +index 690000d..ae2b714 100644
2788 +--- a/sound/usb/mixer_quirks.c
2789 ++++ b/sound/usb/mixer_quirks.c
2790 +@@ -283,6 +283,11 @@ static int snd_audigy2nx_led_put(struct snd_kcontrol *kcontrol, struct snd_ctl_e
2791 + if (value > 1)
2792 + return -EINVAL;
2793 + changed = value != mixer->audigy2nx_leds[index];
2794 ++ down_read(&mixer->chip->shutdown_rwsem);
2795 ++ if (mixer->chip->shutdown) {
2796 ++ err = -ENODEV;
2797 ++ goto out;
2798 ++ }
2799 + if (mixer->chip->usb_id == USB_ID(0x041e, 0x3042))
2800 + err = snd_usb_ctl_msg(mixer->chip->dev,
2801 + usb_sndctrlpipe(mixer->chip->dev, 0), 0x24,
2802 +@@ -299,6 +304,8 @@ static int snd_audigy2nx_led_put(struct snd_kcontrol *kcontrol, struct snd_ctl_e
2803 + usb_sndctrlpipe(mixer->chip->dev, 0), 0x24,
2804 + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER,
2805 + value, index + 2, NULL, 0);
2806 ++ out:
2807 ++ up_read(&mixer->chip->shutdown_rwsem);
2808 + if (err < 0)
2809 + return err;
2810 + mixer->audigy2nx_leds[index] = value;
2811 +@@ -392,11 +399,16 @@ static void snd_audigy2nx_proc_read(struct snd_info_entry *entry,
2812 +
2813 + for (i = 0; jacks[i].name; ++i) {
2814 + snd_iprintf(buffer, "%s: ", jacks[i].name);
2815 +- err = snd_usb_ctl_msg(mixer->chip->dev,
2816 ++ down_read(&mixer->chip->shutdown_rwsem);
2817 ++ if (mixer->chip->shutdown)
2818 ++ err = 0;
2819 ++ else
2820 ++ err = snd_usb_ctl_msg(mixer->chip->dev,
2821 + usb_rcvctrlpipe(mixer->chip->dev, 0),
2822 + UAC_GET_MEM, USB_DIR_IN | USB_TYPE_CLASS |
2823 + USB_RECIP_INTERFACE, 0,
2824 + jacks[i].unitid << 8, buf, 3);
2825 ++ up_read(&mixer->chip->shutdown_rwsem);
2826 + if (err == 3 && (buf[0] == 3 || buf[0] == 6))
2827 + snd_iprintf(buffer, "%02x %02x\n", buf[1], buf[2]);
2828 + else
2829 +@@ -426,10 +438,15 @@ static int snd_xonar_u1_switch_put(struct snd_kcontrol *kcontrol,
2830 + else
2831 + new_status = old_status & ~0x02;
2832 + changed = new_status != old_status;
2833 +- err = snd_usb_ctl_msg(mixer->chip->dev,
2834 ++ down_read(&mixer->chip->shutdown_rwsem);
2835 ++ if (mixer->chip->shutdown)
2836 ++ err = -ENODEV;
2837 ++ else
2838 ++ err = snd_usb_ctl_msg(mixer->chip->dev,
2839 + usb_sndctrlpipe(mixer->chip->dev, 0), 0x08,
2840 + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER,
2841 + 50, 0, &new_status, 1);
2842 ++ up_read(&mixer->chip->shutdown_rwsem);
2843 + if (err < 0)
2844 + return err;
2845 + mixer->xonar_u1_status = new_status;
2846 +@@ -468,11 +485,17 @@ static int snd_nativeinstruments_control_get(struct snd_kcontrol *kcontrol,
2847 + u8 bRequest = (kcontrol->private_value >> 16) & 0xff;
2848 + u16 wIndex = kcontrol->private_value & 0xffff;
2849 + u8 tmp;
2850 ++ int ret;
2851 +
2852 +- int ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), bRequest,
2853 ++ down_read(&mixer->chip->shutdown_rwsem);
2854 ++ if (mixer->chip->shutdown)
2855 ++ ret = -ENODEV;
2856 ++ else
2857 ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), bRequest,
2858 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
2859 + 0, cpu_to_le16(wIndex),
2860 + &tmp, sizeof(tmp), 1000);
2861 ++ up_read(&mixer->chip->shutdown_rwsem);
2862 +
2863 + if (ret < 0) {
2864 + snd_printk(KERN_ERR
2865 +@@ -493,11 +516,17 @@ static int snd_nativeinstruments_control_put(struct snd_kcontrol *kcontrol,
2866 + u8 bRequest = (kcontrol->private_value >> 16) & 0xff;
2867 + u16 wIndex = kcontrol->private_value & 0xffff;
2868 + u16 wValue = ucontrol->value.integer.value[0];
2869 ++ int ret;
2870 +
2871 +- int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), bRequest,
2872 ++ down_read(&mixer->chip->shutdown_rwsem);
2873 ++ if (mixer->chip->shutdown)
2874 ++ ret = -ENODEV;
2875 ++ else
2876 ++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), bRequest,
2877 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
2878 + cpu_to_le16(wValue), cpu_to_le16(wIndex),
2879 + NULL, 0, 1000);
2880 ++ up_read(&mixer->chip->shutdown_rwsem);
2881 +
2882 + if (ret < 0) {
2883 + snd_printk(KERN_ERR
2884 +@@ -656,11 +685,16 @@ static int snd_ftu_eff_switch_get(struct snd_kcontrol *kctl,
2885 + return -EINVAL;
2886 +
2887 +
2888 +- err = snd_usb_ctl_msg(chip->dev,
2889 ++ down_read(&mixer->chip->shutdown_rwsem);
2890 ++ if (mixer->chip->shutdown)
2891 ++ err = -ENODEV;
2892 ++ else
2893 ++ err = snd_usb_ctl_msg(chip->dev,
2894 + usb_rcvctrlpipe(chip->dev, 0), UAC_GET_CUR,
2895 + USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
2896 + validx << 8, snd_usb_ctrl_intf(chip) | (id << 8),
2897 + value, val_len);
2898 ++ up_read(&mixer->chip->shutdown_rwsem);
2899 + if (err < 0)
2900 + return err;
2901 +
2902 +@@ -703,11 +737,16 @@ static int snd_ftu_eff_switch_put(struct snd_kcontrol *kctl,
2903 +
2904 + if (!pval->is_cached) {
2905 + /* Read current value */
2906 +- err = snd_usb_ctl_msg(chip->dev,
2907 ++ down_read(&mixer->chip->shutdown_rwsem);
2908 ++ if (mixer->chip->shutdown)
2909 ++ err = -ENODEV;
2910 ++ else
2911 ++ err = snd_usb_ctl_msg(chip->dev,
2912 + usb_rcvctrlpipe(chip->dev, 0), UAC_GET_CUR,
2913 + USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
2914 + validx << 8, snd_usb_ctrl_intf(chip) | (id << 8),
2915 + value, val_len);
2916 ++ up_read(&mixer->chip->shutdown_rwsem);
2917 + if (err < 0)
2918 + return err;
2919 +
2920 +@@ -719,11 +758,16 @@ static int snd_ftu_eff_switch_put(struct snd_kcontrol *kctl,
2921 + if (cur_val != new_val) {
2922 + value[0] = new_val;
2923 + value[1] = 0;
2924 +- err = snd_usb_ctl_msg(chip->dev,
2925 ++ down_read(&mixer->chip->shutdown_rwsem);
2926 ++ if (mixer->chip->shutdown)
2927 ++ err = -ENODEV;
2928 ++ else
2929 ++ err = snd_usb_ctl_msg(chip->dev,
2930 + usb_sndctrlpipe(chip->dev, 0), UAC_SET_CUR,
2931 + USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
2932 + validx << 8, snd_usb_ctrl_intf(chip) | (id << 8),
2933 + value, val_len);
2934 ++ up_read(&mixer->chip->shutdown_rwsem);
2935 + if (err < 0)
2936 + return err;
2937 +
2938 +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
2939 +index f782ce1..ee3c15c 100644
2940 +--- a/sound/usb/pcm.c
2941 ++++ b/sound/usb/pcm.c
2942 +@@ -71,6 +71,8 @@ static snd_pcm_uframes_t snd_usb_pcm_pointer(struct snd_pcm_substream *substream
2943 + unsigned int hwptr_done;
2944 +
2945 + subs = (struct snd_usb_substream *)substream->runtime->private_data;
2946 ++ if (subs->stream->chip->shutdown)
2947 ++ return SNDRV_PCM_POS_XRUN;
2948 + spin_lock(&subs->lock);
2949 + hwptr_done = subs->hwptr_done;
2950 + substream->runtime->delay = snd_usb_pcm_delay(subs,
2951 +@@ -471,8 +473,14 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
2952 + changed = subs->cur_audiofmt != fmt ||
2953 + subs->period_bytes != params_period_bytes(hw_params) ||
2954 + subs->cur_rate != rate;
2955 ++
2956 ++ down_read(&subs->stream->chip->shutdown_rwsem);
2957 ++ if (subs->stream->chip->shutdown) {
2958 ++ ret = -ENODEV;
2959 ++ goto unlock;
2960 ++ }
2961 + if ((ret = set_format(subs, fmt)) < 0)
2962 +- return ret;
2963 ++ goto unlock;
2964 +
2965 + if (subs->cur_rate != rate) {
2966 + struct usb_host_interface *alts;
2967 +@@ -481,12 +489,11 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
2968 + alts = &iface->altsetting[fmt->altset_idx];
2969 + ret = snd_usb_init_sample_rate(subs->stream->chip, fmt->iface, alts, fmt, rate);
2970 + if (ret < 0)
2971 +- return ret;
2972 ++ goto unlock;
2973 + subs->cur_rate = rate;
2974 + }
2975 +
2976 + if (changed) {
2977 +- mutex_lock(&subs->stream->chip->shutdown_mutex);
2978 + /* format changed */
2979 + stop_endpoints(subs, 0, 0, 0);
2980 + ret = snd_usb_endpoint_set_params(subs->data_endpoint, hw_params, fmt,
2981 +@@ -497,8 +504,6 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
2982 + if (subs->sync_endpoint)
2983 + ret = snd_usb_endpoint_set_params(subs->sync_endpoint,
2984 + hw_params, fmt, NULL);
2985 +-unlock:
2986 +- mutex_unlock(&subs->stream->chip->shutdown_mutex);
2987 + }
2988 +
2989 + if (ret == 0) {
2990 +@@ -506,6 +511,8 @@ unlock:
2991 + subs->altset_idx = fmt->altset_idx;
2992 + }
2993 +
2994 ++unlock:
2995 ++ up_read(&subs->stream->chip->shutdown_rwsem);
2996 + return ret;
2997 + }
2998 +
2999 +@@ -521,10 +528,12 @@ static int snd_usb_hw_free(struct snd_pcm_substream *substream)
3000 + subs->cur_audiofmt = NULL;
3001 + subs->cur_rate = 0;
3002 + subs->period_bytes = 0;
3003 +- mutex_lock(&subs->stream->chip->shutdown_mutex);
3004 +- stop_endpoints(subs, 0, 1, 1);
3005 +- deactivate_endpoints(subs);
3006 +- mutex_unlock(&subs->stream->chip->shutdown_mutex);
3007 ++ down_read(&subs->stream->chip->shutdown_rwsem);
3008 ++ if (!subs->stream->chip->shutdown) {
3009 ++ stop_endpoints(subs, 0, 1, 1);
3010 ++ deactivate_endpoints(subs);
3011 ++ }
3012 ++ up_read(&subs->stream->chip->shutdown_rwsem);
3013 + return snd_pcm_lib_free_vmalloc_buffer(substream);
3014 + }
3015 +
3016 +@@ -537,14 +546,22 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
3017 + {
3018 + struct snd_pcm_runtime *runtime = substream->runtime;
3019 + struct snd_usb_substream *subs = runtime->private_data;
3020 ++ int ret = 0;
3021 +
3022 + if (! subs->cur_audiofmt) {
3023 + snd_printk(KERN_ERR "usbaudio: no format is specified!\n");
3024 + return -ENXIO;
3025 + }
3026 +
3027 +- if (snd_BUG_ON(!subs->data_endpoint))
3028 +- return -EIO;
3029 ++ down_read(&subs->stream->chip->shutdown_rwsem);
3030 ++ if (subs->stream->chip->shutdown) {
3031 ++ ret = -ENODEV;
3032 ++ goto unlock;
3033 ++ }
3034 ++ if (snd_BUG_ON(!subs->data_endpoint)) {
3035 ++ ret = -EIO;
3036 ++ goto unlock;
3037 ++ }
3038 +
3039 + /* some unit conversions in runtime */
3040 + subs->data_endpoint->maxframesize =
3041 +@@ -562,9 +579,11 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
3042 + /* for playback, submit the URBs now; otherwise, the first hwptr_done
3043 + * updates for all URBs would happen at the same time when starting */
3044 + if (subs->direction == SNDRV_PCM_STREAM_PLAYBACK)
3045 +- return start_endpoints(subs, 1);
3046 ++ ret = start_endpoints(subs, 1);
3047 +
3048 +- return 0;
3049 ++ unlock:
3050 ++ up_read(&subs->stream->chip->shutdown_rwsem);
3051 ++ return ret;
3052 + }
3053 +
3054 + static struct snd_pcm_hardware snd_usb_hardware =
3055 +@@ -617,7 +636,7 @@ static int hw_check_valid_format(struct snd_usb_substream *subs,
3056 + return 0;
3057 + }
3058 + /* check whether the period time is >= the data packet interval */
3059 +- if (snd_usb_get_speed(subs->dev) != USB_SPEED_FULL) {
3060 ++ if (subs->speed != USB_SPEED_FULL) {
3061 + ptime = 125 * (1 << fp->datainterval);
3062 + if (ptime > pt->max || (ptime == pt->max && pt->openmax)) {
3063 + hwc_debug(" > check: ptime %u > max %u\n", ptime, pt->max);
3064 +@@ -895,7 +914,7 @@ static int setup_hw_info(struct snd_pcm_runtime *runtime, struct snd_usb_substre
3065 + return err;
3066 +
3067 + param_period_time_if_needed = SNDRV_PCM_HW_PARAM_PERIOD_TIME;
3068 +- if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL)
3069 ++ if (subs->speed == USB_SPEED_FULL)
3070 + /* full speed devices have fixed data packet interval */
3071 + ptmin = 1000;
3072 + if (ptmin == 1000)
3073 +diff --git a/sound/usb/proc.c b/sound/usb/proc.c
3074 +index ebc1a5b..d218f76 100644
3075 +--- a/sound/usb/proc.c
3076 ++++ b/sound/usb/proc.c
3077 +@@ -108,7 +108,7 @@ static void proc_dump_substream_formats(struct snd_usb_substream *subs, struct s
3078 + }
3079 + snd_iprintf(buffer, "\n");
3080 + }
3081 +- if (snd_usb_get_speed(subs->dev) != USB_SPEED_FULL)
3082 ++ if (subs->speed != USB_SPEED_FULL)
3083 + snd_iprintf(buffer, " Data packet interval: %d us\n",
3084 + 125 * (1 << fp->datainterval));
3085 + // snd_iprintf(buffer, " Max Packet Size = %d\n", fp->maxpacksize);
3086 +@@ -124,7 +124,7 @@ static void proc_dump_ep_status(struct snd_usb_substream *subs,
3087 + return;
3088 + snd_iprintf(buffer, " Packet Size = %d\n", ep->curpacksize);
3089 + snd_iprintf(buffer, " Momentary freq = %u Hz (%#x.%04x)\n",
3090 +- snd_usb_get_speed(subs->dev) == USB_SPEED_FULL
3091 ++ subs->speed == USB_SPEED_FULL
3092 + ? get_full_speed_hz(ep->freqm)
3093 + : get_high_speed_hz(ep->freqm),
3094 + ep->freqm >> 16, ep->freqm & 0xffff);
3095 +diff --git a/sound/usb/stream.c b/sound/usb/stream.c
3096 +index 083ed81..1de0c8c 100644
3097 +--- a/sound/usb/stream.c
3098 ++++ b/sound/usb/stream.c
3099 +@@ -90,6 +90,7 @@ static void snd_usb_init_substream(struct snd_usb_stream *as,
3100 + subs->direction = stream;
3101 + subs->dev = as->chip->dev;
3102 + subs->txfr_quirk = as->chip->txfr_quirk;
3103 ++ subs->speed = snd_usb_get_speed(subs->dev);
3104 +
3105 + snd_usb_set_pcm_ops(as->pcm, stream);
3106 +
3107 +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
3108 +index b8233eb..ef42797 100644
3109 +--- a/sound/usb/usbaudio.h
3110 ++++ b/sound/usb/usbaudio.h
3111 +@@ -37,7 +37,7 @@ struct snd_usb_audio {
3112 + struct usb_interface *pm_intf;
3113 + u32 usb_id;
3114 + struct mutex mutex;
3115 +- struct mutex shutdown_mutex;
3116 ++ struct rw_semaphore shutdown_rwsem;
3117 + unsigned int shutdown:1;
3118 + unsigned int probing:1;
3119 + unsigned int autosuspended:1;
3120
3121 Added: genpatches-2.6/trunk/3.6/1007_linux-3.6.8.patch
3122 ===================================================================
3123 --- genpatches-2.6/trunk/3.6/1007_linux-3.6.8.patch (rev 0)
3124 +++ genpatches-2.6/trunk/3.6/1007_linux-3.6.8.patch 2012-11-26 22:20:36 UTC (rev 2235)
3125 @@ -0,0 +1,2823 @@
3126 +diff --git a/Documentation/cgroups/memory.txt b/Documentation/cgroups/memory.txt
3127 +index 4372e6b..97aa4eb 100644
3128 +--- a/Documentation/cgroups/memory.txt
3129 ++++ b/Documentation/cgroups/memory.txt
3130 +@@ -466,6 +466,10 @@ Note:
3131 + 5.3 swappiness
3132 +
3133 + Similar to /proc/sys/vm/swappiness, but affecting a hierarchy of groups only.
3134 ++Please note that unlike the global swappiness, memcg knob set to 0
3135 ++really prevents from any swapping even if there is a swap storage
3136 ++available. This might lead to memcg OOM killer if there are no file
3137 ++pages to reclaim.
3138 +
3139 + Following cgroups' swappiness can't be changed.
3140 + - root cgroup (uses /proc/sys/vm/swappiness).
3141 +diff --git a/Makefile b/Makefile
3142 +index 07f2308..c5cc2f0 100644
3143 +--- a/Makefile
3144 ++++ b/Makefile
3145 +@@ -1,6 +1,6 @@
3146 + VERSION = 3
3147 + PATCHLEVEL = 6
3148 +-SUBLEVEL = 7
3149 ++SUBLEVEL = 8
3150 + EXTRAVERSION =
3151 + NAME = Terrified Chipmunk
3152 +
3153 +diff --git a/arch/arm/boot/dts/tegra30.dtsi b/arch/arm/boot/dts/tegra30.dtsi
3154 +index 3e4334d..3f96658 100644
3155 +--- a/arch/arm/boot/dts/tegra30.dtsi
3156 ++++ b/arch/arm/boot/dts/tegra30.dtsi
3157 +@@ -73,8 +73,8 @@
3158 +
3159 + pinmux: pinmux {
3160 + compatible = "nvidia,tegra30-pinmux";
3161 +- reg = <0x70000868 0xd0 /* Pad control registers */
3162 +- 0x70003000 0x3e0>; /* Mux registers */
3163 ++ reg = <0x70000868 0xd4 /* Pad control registers */
3164 ++ 0x70003000 0x3e4>; /* Mux registers */
3165 + };
3166 +
3167 + serial@70006000 {
3168 +diff --git a/arch/arm/mach-at91/at91sam9g45_devices.c b/arch/arm/mach-at91/at91sam9g45_devices.c
3169 +index 1b47319..bdbbbbc 100644
3170 +--- a/arch/arm/mach-at91/at91sam9g45_devices.c
3171 ++++ b/arch/arm/mach-at91/at91sam9g45_devices.c
3172 +@@ -1847,8 +1847,8 @@ static struct resource sha_resources[] = {
3173 + .flags = IORESOURCE_MEM,
3174 + },
3175 + [1] = {
3176 +- .start = AT91SAM9G45_ID_AESTDESSHA,
3177 +- .end = AT91SAM9G45_ID_AESTDESSHA,
3178 ++ .start = NR_IRQS_LEGACY + AT91SAM9G45_ID_AESTDESSHA,
3179 ++ .end = NR_IRQS_LEGACY + AT91SAM9G45_ID_AESTDESSHA,
3180 + .flags = IORESOURCE_IRQ,
3181 + },
3182 + };
3183 +@@ -1880,8 +1880,8 @@ static struct resource tdes_resources[] = {
3184 + .flags = IORESOURCE_MEM,
3185 + },
3186 + [1] = {
3187 +- .start = AT91SAM9G45_ID_AESTDESSHA,
3188 +- .end = AT91SAM9G45_ID_AESTDESSHA,
3189 ++ .start = NR_IRQS_LEGACY + AT91SAM9G45_ID_AESTDESSHA,
3190 ++ .end = NR_IRQS_LEGACY + AT91SAM9G45_ID_AESTDESSHA,
3191 + .flags = IORESOURCE_IRQ,
3192 + },
3193 + };
3194 +@@ -1916,8 +1916,8 @@ static struct resource aes_resources[] = {
3195 + .flags = IORESOURCE_MEM,
3196 + },
3197 + [1] = {
3198 +- .start = AT91SAM9G45_ID_AESTDESSHA,
3199 +- .end = AT91SAM9G45_ID_AESTDESSHA,
3200 ++ .start = NR_IRQS_LEGACY + AT91SAM9G45_ID_AESTDESSHA,
3201 ++ .end = NR_IRQS_LEGACY + AT91SAM9G45_ID_AESTDESSHA,
3202 + .flags = IORESOURCE_IRQ,
3203 + },
3204 + };
3205 +diff --git a/arch/arm/mach-imx/ehci-imx25.c b/arch/arm/mach-imx/ehci-imx25.c
3206 +index 05bb41d..8d5b30a 100644
3207 +--- a/arch/arm/mach-imx/ehci-imx25.c
3208 ++++ b/arch/arm/mach-imx/ehci-imx25.c
3209 +@@ -30,7 +30,7 @@
3210 + #define MX25_H1_SIC_SHIFT 21
3211 + #define MX25_H1_SIC_MASK (0x3 << MX25_H1_SIC_SHIFT)
3212 + #define MX25_H1_PP_BIT (1 << 18)
3213 +-#define MX25_H1_PM_BIT (1 << 8)
3214 ++#define MX25_H1_PM_BIT (1 << 16)
3215 + #define MX25_H1_IPPUE_UP_BIT (1 << 7)
3216 + #define MX25_H1_IPPUE_DOWN_BIT (1 << 6)
3217 + #define MX25_H1_TLL_BIT (1 << 5)
3218 +diff --git a/arch/arm/mach-imx/ehci-imx35.c b/arch/arm/mach-imx/ehci-imx35.c
3219 +index 73574c3..746ce5f 100644
3220 +--- a/arch/arm/mach-imx/ehci-imx35.c
3221 ++++ b/arch/arm/mach-imx/ehci-imx35.c
3222 +@@ -30,7 +30,7 @@
3223 + #define MX35_H1_SIC_SHIFT 21
3224 + #define MX35_H1_SIC_MASK (0x3 << MX35_H1_SIC_SHIFT)
3225 + #define MX35_H1_PP_BIT (1 << 18)
3226 +-#define MX35_H1_PM_BIT (1 << 8)
3227 ++#define MX35_H1_PM_BIT (1 << 16)
3228 + #define MX35_H1_IPPUE_UP_BIT (1 << 7)
3229 + #define MX35_H1_IPPUE_DOWN_BIT (1 << 6)
3230 + #define MX35_H1_TLL_BIT (1 << 5)
3231 +diff --git a/arch/arm/plat-omap/include/plat/omap-serial.h b/arch/arm/plat-omap/include/plat/omap-serial.h
3232 +index 3a57644..1a52725 100644
3233 +--- a/arch/arm/plat-omap/include/plat/omap-serial.h
3234 ++++ b/arch/arm/plat-omap/include/plat/omap-serial.h
3235 +@@ -42,10 +42,10 @@
3236 + #define OMAP_UART_WER_MOD_WKUP 0X7F
3237 +
3238 + /* Enable XON/XOFF flow control on output */
3239 +-#define OMAP_UART_SW_TX 0x8
3240 ++#define OMAP_UART_SW_TX 0x04
3241 +
3242 + /* Enable XON/XOFF flow control on input */
3243 +-#define OMAP_UART_SW_RX 0x2
3244 ++#define OMAP_UART_SW_RX 0x04
3245 +
3246 + #define OMAP_UART_SYSC_RESET 0X07
3247 + #define OMAP_UART_TCR_TRIG 0X0F
3248 +diff --git a/arch/m68k/include/asm/signal.h b/arch/m68k/include/asm/signal.h
3249 +index 60e8866..93fe83e 100644
3250 +--- a/arch/m68k/include/asm/signal.h
3251 ++++ b/arch/m68k/include/asm/signal.h
3252 +@@ -156,7 +156,7 @@ typedef struct sigaltstack {
3253 + static inline void sigaddset(sigset_t *set, int _sig)
3254 + {
3255 + asm ("bfset %0{%1,#1}"
3256 +- : "+od" (*set)
3257 ++ : "+o" (*set)
3258 + : "id" ((_sig - 1) ^ 31)
3259 + : "cc");
3260 + }
3261 +@@ -164,7 +164,7 @@ static inline void sigaddset(sigset_t *set, int _sig)
3262 + static inline void sigdelset(sigset_t *set, int _sig)
3263 + {
3264 + asm ("bfclr %0{%1,#1}"
3265 +- : "+od" (*set)
3266 ++ : "+o" (*set)
3267 + : "id" ((_sig - 1) ^ 31)
3268 + : "cc");
3269 + }
3270 +@@ -180,7 +180,7 @@ static inline int __gen_sigismember(sigset_t *set, int _sig)
3271 + int ret;
3272 + asm ("bfextu %1{%2,#1},%0"
3273 + : "=d" (ret)
3274 +- : "od" (*set), "id" ((_sig-1) ^ 31)
3275 ++ : "o" (*set), "id" ((_sig-1) ^ 31)
3276 + : "cc");
3277 + return ret;
3278 + }
3279 +diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
3280 +index 234f1d8..2e0a15b 100644
3281 +--- a/arch/s390/include/asm/compat.h
3282 ++++ b/arch/s390/include/asm/compat.h
3283 +@@ -20,7 +20,7 @@
3284 + #define PSW32_MASK_CC 0x00003000UL
3285 + #define PSW32_MASK_PM 0x00000f00UL
3286 +
3287 +-#define PSW32_MASK_USER 0x00003F00UL
3288 ++#define PSW32_MASK_USER 0x0000FF00UL
3289 +
3290 + #define PSW32_ADDR_AMODE 0x80000000UL
3291 + #define PSW32_ADDR_INSN 0x7FFFFFFFUL
3292 +diff --git a/arch/s390/include/asm/ptrace.h b/arch/s390/include/asm/ptrace.h
3293 +index d5f08ea..f512565 100644
3294 +--- a/arch/s390/include/asm/ptrace.h
3295 ++++ b/arch/s390/include/asm/ptrace.h
3296 +@@ -238,7 +238,7 @@ typedef struct
3297 + #define PSW_MASK_EA 0x00000000UL
3298 + #define PSW_MASK_BA 0x00000000UL
3299 +
3300 +-#define PSW_MASK_USER 0x00003F00UL
3301 ++#define PSW_MASK_USER 0x0000FF00UL
3302 +
3303 + #define PSW_ADDR_AMODE 0x80000000UL
3304 + #define PSW_ADDR_INSN 0x7FFFFFFFUL
3305 +@@ -267,7 +267,7 @@ typedef struct
3306 + #define PSW_MASK_EA 0x0000000100000000UL
3307 + #define PSW_MASK_BA 0x0000000080000000UL
3308 +
3309 +-#define PSW_MASK_USER 0x00003F0180000000UL
3310 ++#define PSW_MASK_USER 0x0000FF0180000000UL
3311 +
3312 + #define PSW_ADDR_AMODE 0x0000000000000000UL
3313 + #define PSW_ADDR_INSN 0xFFFFFFFFFFFFFFFFUL
3314 +diff --git a/arch/s390/kernel/compat_signal.c b/arch/s390/kernel/compat_signal.c
3315 +index a1e8a86..593fcc9 100644
3316 +--- a/arch/s390/kernel/compat_signal.c
3317 ++++ b/arch/s390/kernel/compat_signal.c
3318 +@@ -309,6 +309,10 @@ static int restore_sigregs32(struct pt_regs *regs,_sigregs32 __user *sregs)
3319 + regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
3320 + (__u64)(regs32.psw.mask & PSW32_MASK_USER) << 32 |
3321 + (__u64)(regs32.psw.addr & PSW32_ADDR_AMODE);
3322 ++ /* Check for invalid user address space control. */
3323 ++ if ((regs->psw.mask & PSW_MASK_ASC) >= (psw_kernel_bits & PSW_MASK_ASC))
3324 ++ regs->psw.mask = (psw_user_bits & PSW_MASK_ASC) |
3325 ++ (regs->psw.mask & ~PSW_MASK_ASC);
3326 + regs->psw.addr = (__u64)(regs32.psw.addr & PSW32_ADDR_INSN);
3327 + for (i = 0; i < NUM_GPRS; i++)
3328 + regs->gprs[i] = (__u64) regs32.gprs[i];
3329 +@@ -481,7 +485,10 @@ static int setup_frame32(int sig, struct k_sigaction *ka,
3330 +
3331 + /* Set up registers for signal handler */
3332 + regs->gprs[15] = (__force __u64) frame;
3333 +- regs->psw.mask |= PSW_MASK_BA; /* force amode 31 */
3334 ++ /* Force 31 bit amode and default user address space control. */
3335 ++ regs->psw.mask = PSW_MASK_BA |
3336 ++ (psw_user_bits & PSW_MASK_ASC) |
3337 ++ (regs->psw.mask & ~PSW_MASK_ASC);
3338 + regs->psw.addr = (__force __u64) ka->sa.sa_handler;
3339 +
3340 + regs->gprs[2] = map_signal(sig);
3341 +@@ -549,7 +556,10 @@ static int setup_rt_frame32(int sig, struct k_sigaction *ka, siginfo_t *info,
3342 +
3343 + /* Set up registers for signal handler */
3344 + regs->gprs[15] = (__force __u64) frame;
3345 +- regs->psw.mask |= PSW_MASK_BA; /* force amode 31 */
3346 ++ /* Force 31 bit amode and default user address space control. */
3347 ++ regs->psw.mask = PSW_MASK_BA |
3348 ++ (psw_user_bits & PSW_MASK_ASC) |
3349 ++ (regs->psw.mask & ~PSW_MASK_ASC);
3350 + regs->psw.addr = (__u64) ka->sa.sa_handler;
3351 +
3352 + regs->gprs[2] = map_signal(sig);
3353 +diff --git a/arch/s390/kernel/signal.c b/arch/s390/kernel/signal.c
3354 +index c13a2a3..d1259d8 100644
3355 +--- a/arch/s390/kernel/signal.c
3356 ++++ b/arch/s390/kernel/signal.c
3357 +@@ -136,6 +136,10 @@ static int restore_sigregs(struct pt_regs *regs, _sigregs __user *sregs)
3358 + /* Use regs->psw.mask instead of psw_user_bits to preserve PER bit. */
3359 + regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
3360 + (user_sregs.regs.psw.mask & PSW_MASK_USER);
3361 ++ /* Check for invalid user address space control. */
3362 ++ if ((regs->psw.mask & PSW_MASK_ASC) >= (psw_kernel_bits & PSW_MASK_ASC))
3363 ++ regs->psw.mask = (psw_user_bits & PSW_MASK_ASC) |
3364 ++ (regs->psw.mask & ~PSW_MASK_ASC);
3365 + /* Check for invalid amode */
3366 + if (regs->psw.mask & PSW_MASK_EA)
3367 + regs->psw.mask |= PSW_MASK_BA;
3368 +@@ -273,7 +277,10 @@ static int setup_frame(int sig, struct k_sigaction *ka,
3369 +
3370 + /* Set up registers for signal handler */
3371 + regs->gprs[15] = (unsigned long) frame;
3372 +- regs->psw.mask |= PSW_MASK_EA | PSW_MASK_BA; /* 64 bit amode */
3373 ++ /* Force default amode and default user address space control. */
3374 ++ regs->psw.mask = PSW_MASK_EA | PSW_MASK_BA |
3375 ++ (psw_user_bits & PSW_MASK_ASC) |
3376 ++ (regs->psw.mask & ~PSW_MASK_ASC);
3377 + regs->psw.addr = (unsigned long) ka->sa.sa_handler | PSW_ADDR_AMODE;
3378 +
3379 + regs->gprs[2] = map_signal(sig);
3380 +@@ -346,7 +353,10 @@ static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
3381 +
3382 + /* Set up registers for signal handler */
3383 + regs->gprs[15] = (unsigned long) frame;
3384 +- regs->psw.mask |= PSW_MASK_EA | PSW_MASK_BA; /* 64 bit amode */
3385 ++ /* Force default amode and default user address space control. */
3386 ++ regs->psw.mask = PSW_MASK_EA | PSW_MASK_BA |
3387 ++ (psw_user_bits & PSW_MASK_ASC) |
3388 ++ (regs->psw.mask & ~PSW_MASK_ASC);
3389 + regs->psw.addr = (unsigned long) ka->sa.sa_handler | PSW_ADDR_AMODE;
3390 +
3391 + regs->gprs[2] = map_signal(sig);
3392 +diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
3393 +index 65cb06e..4ccf9f5 100644
3394 +--- a/arch/s390/mm/gup.c
3395 ++++ b/arch/s390/mm/gup.c
3396 +@@ -183,7 +183,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
3397 + addr = start;
3398 + len = (unsigned long) nr_pages << PAGE_SHIFT;
3399 + end = start + len;
3400 +- if (end < start)
3401 ++ if ((end < start) || (end > TASK_SIZE))
3402 + goto slow_irqon;
3403 +
3404 + /*
3405 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
3406 +index b1eb202..ff66a3b 100644
3407 +--- a/arch/x86/kvm/vmx.c
3408 ++++ b/arch/x86/kvm/vmx.c
3409 +@@ -6584,19 +6584,22 @@ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
3410 + }
3411 + }
3412 +
3413 +- exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
3414 + /* Exposing INVPCID only when PCID is exposed */
3415 + best = kvm_find_cpuid_entry(vcpu, 0x7, 0);
3416 + if (vmx_invpcid_supported() &&
3417 + best && (best->ebx & bit(X86_FEATURE_INVPCID)) &&
3418 + guest_cpuid_has_pcid(vcpu)) {
3419 ++ exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
3420 + exec_control |= SECONDARY_EXEC_ENABLE_INVPCID;
3421 + vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
3422 + exec_control);
3423 + } else {
3424 +- exec_control &= ~SECONDARY_EXEC_ENABLE_INVPCID;
3425 +- vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
3426 +- exec_control);
3427 ++ if (cpu_has_secondary_exec_ctrls()) {
3428 ++ exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
3429 ++ exec_control &= ~SECONDARY_EXEC_ENABLE_INVPCID;
3430 ++ vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
3431 ++ exec_control);
3432 ++ }
3433 + if (best)
3434 + best->ebx &= ~bit(X86_FEATURE_INVPCID);
3435 + }
3436 +diff --git a/crypto/cryptd.c b/crypto/cryptd.c
3437 +index 671d4d6..7bdd61b 100644
3438 +--- a/crypto/cryptd.c
3439 ++++ b/crypto/cryptd.c
3440 +@@ -137,13 +137,18 @@ static void cryptd_queue_worker(struct work_struct *work)
3441 + struct crypto_async_request *req, *backlog;
3442 +
3443 + cpu_queue = container_of(work, struct cryptd_cpu_queue, work);
3444 +- /* Only handle one request at a time to avoid hogging crypto
3445 +- * workqueue. preempt_disable/enable is used to prevent
3446 +- * being preempted by cryptd_enqueue_request() */
3447 ++ /*
3448 ++ * Only handle one request at a time to avoid hogging crypto workqueue.
3449 ++ * preempt_disable/enable is used to prevent being preempted by
3450 ++ * cryptd_enqueue_request(). local_bh_disable/enable is used to prevent
3451 ++ * cryptd_enqueue_request() being accessed from software interrupts.
3452 ++ */
3453 ++ local_bh_disable();
3454 + preempt_disable();
3455 + backlog = crypto_get_backlog(&cpu_queue->queue);
3456 + req = crypto_dequeue_request(&cpu_queue->queue);
3457 + preempt_enable();
3458 ++ local_bh_enable();
3459 +
3460 + if (!req)
3461 + return;
3462 +diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
3463 +index 1e0a9e1..9fe2659 100644
3464 +--- a/drivers/acpi/video.c
3465 ++++ b/drivers/acpi/video.c
3466 +@@ -1345,12 +1345,15 @@ static int
3467 + acpi_video_bus_get_devices(struct acpi_video_bus *video,
3468 + struct acpi_device *device)
3469 + {
3470 +- int status;
3471 ++ int status = 0;
3472 + struct acpi_device *dev;
3473 +
3474 +- status = acpi_video_device_enumerate(video);
3475 +- if (status)
3476 +- return status;
3477 ++ /*
3478 ++ * There are systems where video module known to work fine regardless
3479 ++ * of broken _DOD and ignoring returned value here doesn't cause
3480 ++ * any issues later.
3481 ++ */
3482 ++ acpi_video_device_enumerate(video);
3483 +
3484 + list_for_each_entry(dev, &device->children, node) {
3485 +
3486 +diff --git a/drivers/ata/libata-acpi.c b/drivers/ata/libata-acpi.c
3487 +index fd9ecf7..5b0ba3f 100644
3488 +--- a/drivers/ata/libata-acpi.c
3489 ++++ b/drivers/ata/libata-acpi.c
3490 +@@ -1105,10 +1105,15 @@ static int ata_acpi_bind_device(struct ata_port *ap, struct scsi_device *sdev,
3491 + struct acpi_device *acpi_dev;
3492 + struct acpi_device_power_state *states;
3493 +
3494 +- if (ap->flags & ATA_FLAG_ACPI_SATA)
3495 +- ata_dev = &ap->link.device[sdev->channel];
3496 +- else
3497 ++ if (ap->flags & ATA_FLAG_ACPI_SATA) {
3498 ++ if (!sata_pmp_attached(ap))
3499 ++ ata_dev = &ap->link.device[sdev->id];
3500 ++ else
3501 ++ ata_dev = &ap->pmp_link[sdev->channel].device[sdev->id];
3502 ++ }
3503 ++ else {
3504 + ata_dev = &ap->link.device[sdev->id];
3505 ++ }
3506 +
3507 + *handle = ata_dev_acpi_handle(ata_dev);
3508 +
3509 +diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
3510 +index 20cb52d..d554f64 100644
3511 +--- a/drivers/gpu/drm/i915/intel_sdvo.c
3512 ++++ b/drivers/gpu/drm/i915/intel_sdvo.c
3513 +@@ -2287,6 +2287,18 @@ intel_sdvo_output_setup(struct intel_sdvo *intel_sdvo, uint16_t flags)
3514 + return true;
3515 + }
3516 +
3517 ++static void intel_sdvo_output_cleanup(struct intel_sdvo *intel_sdvo)
3518 ++{
3519 ++ struct drm_device *dev = intel_sdvo->base.base.dev;
3520 ++ struct drm_connector *connector, *tmp;
3521 ++
3522 ++ list_for_each_entry_safe(connector, tmp,
3523 ++ &dev->mode_config.connector_list, head) {
3524 ++ if (intel_attached_encoder(connector) == &intel_sdvo->base)
3525 ++ intel_sdvo_destroy(connector);
3526 ++ }
3527 ++}
3528 ++
3529 + static bool intel_sdvo_tv_create_property(struct intel_sdvo *intel_sdvo,
3530 + struct intel_sdvo_connector *intel_sdvo_connector,
3531 + int type)
3532 +@@ -2606,7 +2618,8 @@ bool intel_sdvo_init(struct drm_device *dev, uint32_t sdvo_reg, bool is_sdvob)
3533 + intel_sdvo->caps.output_flags) != true) {
3534 + DRM_DEBUG_KMS("SDVO output failed to setup on %s\n",
3535 + SDVO_NAME(intel_sdvo));
3536 +- goto err;
3537 ++ /* Output_setup can leave behind connectors! */
3538 ++ goto err_output;
3539 + }
3540 +
3541 + /* Only enable the hotplug irq if we need it, to work around noisy
3542 +@@ -2619,12 +2632,12 @@ bool intel_sdvo_init(struct drm_device *dev, uint32_t sdvo_reg, bool is_sdvob)
3543 +
3544 + /* Set the input timing to the screen. Assume always input 0. */
3545 + if (!intel_sdvo_set_target_input(intel_sdvo))
3546 +- goto err;
3547 ++ goto err_output;
3548 +
3549 + if (!intel_sdvo_get_input_pixel_clock_range(intel_sdvo,
3550 + &intel_sdvo->pixel_clock_min,
3551 + &intel_sdvo->pixel_clock_max))
3552 +- goto err;
3553 ++ goto err_output;
3554 +
3555 + DRM_DEBUG_KMS("%s device VID/DID: %02X:%02X.%02X, "
3556 + "clock range %dMHz - %dMHz, "
3557 +@@ -2644,6 +2657,9 @@ bool intel_sdvo_init(struct drm_device *dev, uint32_t sdvo_reg, bool is_sdvob)
3558 + (SDVO_OUTPUT_TMDS1 | SDVO_OUTPUT_RGB1) ? 'Y' : 'N');
3559 + return true;
3560 +
3561 ++err_output:
3562 ++ intel_sdvo_output_cleanup(intel_sdvo);
3563 ++
3564 + err:
3565 + drm_encoder_cleanup(&intel_encoder->base);
3566 + i2c_del_adapter(&intel_sdvo->ddc);
3567 +diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
3568 +index 6e8803a..2eb418e 100644
3569 +--- a/drivers/gpu/drm/radeon/atombios_encoders.c
3570 ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
3571 +@@ -1421,7 +1421,7 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
3572 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_SETUP, 0, 0);
3573 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE, 0, 0);
3574 + /* some early dce3.2 boards have a bug in their transmitter control table */
3575 +- if ((rdev->family != CHIP_RV710) || (rdev->family != CHIP_RV730))
3576 ++ if ((rdev->family != CHIP_RV710) && (rdev->family != CHIP_RV730))
3577 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE_OUTPUT, 0, 0);
3578 + }
3579 + if (ENCODER_MODE_IS_DP(atombios_get_encoder_mode(encoder)) && connector) {
3580 +diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
3581 +index ebc6fac..578207e 100644
3582 +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
3583 ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
3584 +@@ -749,7 +749,10 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
3585 + /* clear the pages coming from the pool if requested */
3586 + if (flags & TTM_PAGE_FLAG_ZERO_ALLOC) {
3587 + list_for_each_entry(p, &plist, lru) {
3588 +- clear_page(page_address(p));
3589 ++ if (PageHighMem(p))
3590 ++ clear_highpage(p);
3591 ++ else
3592 ++ clear_page(page_address(p));
3593 + }
3594 + }
3595 +
3596 +diff --git a/drivers/i2c/muxes/i2c-mux-pinctrl.c b/drivers/i2c/muxes/i2c-mux-pinctrl.c
3597 +index 46a6697..c524018 100644
3598 +--- a/drivers/i2c/muxes/i2c-mux-pinctrl.c
3599 ++++ b/drivers/i2c/muxes/i2c-mux-pinctrl.c
3600 +@@ -169,7 +169,7 @@ static int __devinit i2c_mux_pinctrl_probe(struct platform_device *pdev)
3601 + mux->busses = devm_kzalloc(&pdev->dev,
3602 + sizeof(mux->busses) * mux->pdata->bus_count,
3603 + GFP_KERNEL);
3604 +- if (!mux->states) {
3605 ++ if (!mux->busses) {
3606 + dev_err(&pdev->dev, "Cannot allocate busses\n");
3607 + ret = -ENOMEM;
3608 + goto err;
3609 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
3610 +index cb9e114..554e6ac 100644
3611 +--- a/drivers/iommu/intel-iommu.c
3612 ++++ b/drivers/iommu/intel-iommu.c
3613 +@@ -4108,7 +4108,7 @@ static void swap_pci_ref(struct pci_dev **from, struct pci_dev *to)
3614 + static int intel_iommu_add_device(struct device *dev)
3615 + {
3616 + struct pci_dev *pdev = to_pci_dev(dev);
3617 +- struct pci_dev *bridge, *dma_pdev;
3618 ++ struct pci_dev *bridge, *dma_pdev = NULL;
3619 + struct iommu_group *group;
3620 + int ret;
3621 +
3622 +@@ -4122,7 +4122,7 @@ static int intel_iommu_add_device(struct device *dev)
3623 + dma_pdev = pci_get_domain_bus_and_slot(
3624 + pci_domain_nr(pdev->bus),
3625 + bridge->subordinate->number, 0);
3626 +- else
3627 ++ if (!dma_pdev)
3628 + dma_pdev = pci_dev_get(bridge);
3629 + } else
3630 + dma_pdev = pci_dev_get(pdev);
3631 +diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig
3632 +index f15e72e..4bd416b 100644
3633 +--- a/drivers/net/ethernet/broadcom/Kconfig
3634 ++++ b/drivers/net/ethernet/broadcom/Kconfig
3635 +@@ -101,6 +101,7 @@ config TIGON3
3636 + tristate "Broadcom Tigon3 support"
3637 + depends on PCI
3638 + select PHYLIB
3639 ++ select HWMON
3640 + ---help---
3641 + This driver supports Broadcom Tigon3 based gigabit Ethernet cards.
3642 +
3643 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
3644 +index bf906c5..711eb14 100644
3645 +--- a/drivers/net/ethernet/broadcom/tg3.c
3646 ++++ b/drivers/net/ethernet/broadcom/tg3.c
3647 +@@ -44,10 +44,8 @@
3648 + #include <linux/prefetch.h>
3649 + #include <linux/dma-mapping.h>
3650 + #include <linux/firmware.h>
3651 +-#if IS_ENABLED(CONFIG_HWMON)
3652 + #include <linux/hwmon.h>
3653 + #include <linux/hwmon-sysfs.h>
3654 +-#endif
3655 +
3656 + #include <net/checksum.h>
3657 + #include <net/ip.h>
3658 +@@ -9517,7 +9515,6 @@ static int tg3_init_hw(struct tg3 *tp, int reset_phy)
3659 + return tg3_reset_hw(tp, reset_phy);
3660 + }
3661 +
3662 +-#if IS_ENABLED(CONFIG_HWMON)
3663 + static void tg3_sd_scan_scratchpad(struct tg3 *tp, struct tg3_ocir *ocir)
3664 + {
3665 + int i;
3666 +@@ -9570,22 +9567,17 @@ static const struct attribute_group tg3_group = {
3667 + .attrs = tg3_attributes,
3668 + };
3669 +
3670 +-#endif
3671 +-
3672 + static void tg3_hwmon_close(struct tg3 *tp)
3673 + {
3674 +-#if IS_ENABLED(CONFIG_HWMON)
3675 + if (tp->hwmon_dev) {
3676 + hwmon_device_unregister(tp->hwmon_dev);
3677 + tp->hwmon_dev = NULL;
3678 + sysfs_remove_group(&tp->pdev->dev.kobj, &tg3_group);
3679 + }
3680 +-#endif
3681 + }
3682 +
3683 + static void tg3_hwmon_open(struct tg3 *tp)
3684 + {
3685 +-#if IS_ENABLED(CONFIG_HWMON)
3686 + int i, err;
3687 + u32 size = 0;
3688 + struct pci_dev *pdev = tp->pdev;
3689 +@@ -9617,7 +9609,6 @@ static void tg3_hwmon_open(struct tg3 *tp)
3690 + dev_err(&pdev->dev, "Cannot register hwmon device, aborting\n");
3691 + sysfs_remove_group(&pdev->dev.kobj, &tg3_group);
3692 + }
3693 +-#endif
3694 + }
3695 +
3696 +
3697 +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
3698 +index b47d5b3..df7bbba 100644
3699 +--- a/drivers/net/ethernet/realtek/r8169.c
3700 ++++ b/drivers/net/ethernet/realtek/r8169.c
3701 +@@ -77,7 +77,7 @@
3702 + static const int multicast_filter_limit = 32;
3703 +
3704 + #define MAX_READ_REQUEST_SHIFT 12
3705 +-#define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
3706 ++#define TX_DMA_BURST 7 /* Maximum PCI burst, '7' is unlimited */
3707 + #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
3708 + #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
3709 +
3710 +@@ -3832,6 +3832,8 @@ static void rtl_wol_suspend_quirk(struct rtl8169_private *tp)
3711 + void __iomem *ioaddr = tp->mmio_addr;
3712 +
3713 + switch (tp->mac_version) {
3714 ++ case RTL_GIGA_MAC_VER_25:
3715 ++ case RTL_GIGA_MAC_VER_26:
3716 + case RTL_GIGA_MAC_VER_29:
3717 + case RTL_GIGA_MAC_VER_30:
3718 + case RTL_GIGA_MAC_VER_32:
3719 +@@ -4524,6 +4526,9 @@ static void rtl_set_rx_mode(struct net_device *dev)
3720 + mc_filter[1] = swab32(data);
3721 + }
3722 +
3723 ++ if (tp->mac_version == RTL_GIGA_MAC_VER_35)
3724 ++ mc_filter[1] = mc_filter[0] = 0xffffffff;
3725 ++
3726 + RTL_W32(MAR0 + 4, mc_filter[1]);
3727 + RTL_W32(MAR0 + 0, mc_filter[0]);
3728 +
3729 +diff --git a/drivers/net/wireless/iwlwifi/pcie/rx.c b/drivers/net/wireless/iwlwifi/pcie/rx.c
3730 +index d1a61ba..c3d2751 100644
3731 +--- a/drivers/net/wireless/iwlwifi/pcie/rx.c
3732 ++++ b/drivers/net/wireless/iwlwifi/pcie/rx.c
3733 +@@ -314,6 +314,14 @@ static void iwlagn_rx_allocate(struct iwl_trans *trans, gfp_t priority)
3734 + dma_map_page(trans->dev, page, 0,
3735 + PAGE_SIZE << trans_pcie->rx_page_order,
3736 + DMA_FROM_DEVICE);
3737 ++ if (dma_mapping_error(trans->dev, rxb->page_dma)) {
3738 ++ rxb->page = NULL;
3739 ++ spin_lock_irqsave(&rxq->lock, flags);
3740 ++ list_add(&rxb->list, &rxq->rx_used);
3741 ++ spin_unlock_irqrestore(&rxq->lock, flags);
3742 ++ __free_pages(page, trans_pcie->rx_page_order);
3743 ++ return;
3744 ++ }
3745 + /* dma address must be no more than 36 bits */
3746 + BUG_ON(rxb->page_dma & ~DMA_BIT_MASK(36));
3747 + /* and also 256 byte aligned! */
3748 +@@ -463,8 +471,19 @@ static void iwl_rx_handle_rxbuf(struct iwl_trans *trans,
3749 + dma_map_page(trans->dev, rxb->page, 0,
3750 + PAGE_SIZE << trans_pcie->rx_page_order,
3751 + DMA_FROM_DEVICE);
3752 +- list_add_tail(&rxb->list, &rxq->rx_free);
3753 +- rxq->free_count++;
3754 ++ if (dma_mapping_error(trans->dev, rxb->page_dma)) {
3755 ++ /*
3756 ++ * free the page(s) as well to not break
3757 ++ * the invariant that the items on the used
3758 ++ * list have no page(s)
3759 ++ */
3760 ++ __free_pages(rxb->page, trans_pcie->rx_page_order);
3761 ++ rxb->page = NULL;
3762 ++ list_add_tail(&rxb->list, &rxq->rx_used);
3763 ++ } else {
3764 ++ list_add_tail(&rxb->list, &rxq->rx_free);
3765 ++ rxq->free_count++;
3766 ++ }
3767 + } else
3768 + list_add_tail(&rxb->list, &rxq->rx_used);
3769 + spin_unlock_irqrestore(&rxq->lock, flags);
3770 +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
3771 +index d6fd6b6..729e038 100644
3772 +--- a/drivers/pci/pci-driver.c
3773 ++++ b/drivers/pci/pci-driver.c
3774 +@@ -421,6 +421,8 @@ static void pci_device_shutdown(struct device *dev)
3775 + struct pci_dev *pci_dev = to_pci_dev(dev);
3776 + struct pci_driver *drv = pci_dev->driver;
3777 +
3778 ++ pm_runtime_resume(dev);
3779 ++
3780 + if (drv && drv->shutdown)
3781 + drv->shutdown(pci_dev);
3782 + pci_msi_shutdown(pci_dev);
3783 +@@ -431,16 +433,6 @@ static void pci_device_shutdown(struct device *dev)
3784 + * continue to do DMA
3785 + */
3786 + pci_disable_device(pci_dev);
3787 +-
3788 +- /*
3789 +- * Devices may be enabled to wake up by runtime PM, but they need not
3790 +- * be supposed to wake up the system from its "power off" state (e.g.
3791 +- * ACPI S5). Therefore disable wakeup for all devices that aren't
3792 +- * supposed to wake up the system at this point. The state argument
3793 +- * will be ignored by pci_enable_wake().
3794 +- */
3795 +- if (!device_may_wakeup(dev))
3796 +- pci_enable_wake(pci_dev, PCI_UNKNOWN, false);
3797 + }
3798 +
3799 + #ifdef CONFIG_PM
3800 +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
3801 +index 02d107b..f39378d 100644
3802 +--- a/drivers/pci/pci-sysfs.c
3803 ++++ b/drivers/pci/pci-sysfs.c
3804 +@@ -458,40 +458,6 @@ boot_vga_show(struct device *dev, struct device_attribute *attr, char *buf)
3805 + }
3806 + struct device_attribute vga_attr = __ATTR_RO(boot_vga);
3807 +
3808 +-static void
3809 +-pci_config_pm_runtime_get(struct pci_dev *pdev)
3810 +-{
3811 +- struct device *dev = &pdev->dev;
3812 +- struct device *parent = dev->parent;
3813 +-
3814 +- if (parent)
3815 +- pm_runtime_get_sync(parent);
3816 +- pm_runtime_get_noresume(dev);
3817 +- /*
3818 +- * pdev->current_state is set to PCI_D3cold during suspending,
3819 +- * so wait until suspending completes
3820 +- */
3821 +- pm_runtime_barrier(dev);
3822 +- /*
3823 +- * Only need to resume devices in D3cold, because config
3824 +- * registers are still accessible for devices suspended but
3825 +- * not in D3cold.
3826 +- */
3827 +- if (pdev->current_state == PCI_D3cold)
3828 +- pm_runtime_resume(dev);
3829 +-}
3830 +-
3831 +-static void
3832 +-pci_config_pm_runtime_put(struct pci_dev *pdev)
3833 +-{
3834 +- struct device *dev = &pdev->dev;
3835 +- struct device *parent = dev->parent;
3836 +-
3837 +- pm_runtime_put(dev);
3838 +- if (parent)
3839 +- pm_runtime_put_sync(parent);
3840 +-}
3841 +-
3842 + static ssize_t
3843 + pci_read_config(struct file *filp, struct kobject *kobj,
3844 + struct bin_attribute *bin_attr,
3845 +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
3846 +index ab4bf5a..a0f8e8f 100644
3847 +--- a/drivers/pci/pci.c
3848 ++++ b/drivers/pci/pci.c
3849 +@@ -1910,6 +1910,38 @@ bool pci_dev_run_wake(struct pci_dev *dev)
3850 + }
3851 + EXPORT_SYMBOL_GPL(pci_dev_run_wake);
3852 +
3853 ++void pci_config_pm_runtime_get(struct pci_dev *pdev)
3854 ++{
3855 ++ struct device *dev = &pdev->dev;
3856 ++ struct device *parent = dev->parent;
3857 ++
3858 ++ if (parent)
3859 ++ pm_runtime_get_sync(parent);
3860 ++ pm_runtime_get_noresume(dev);
3861 ++ /*
3862 ++ * pdev->current_state is set to PCI_D3cold during suspending,
3863 ++ * so wait until suspending completes
3864 ++ */
3865 ++ pm_runtime_barrier(dev);
3866 ++ /*
3867 ++ * Only need to resume devices in D3cold, because config
3868 ++ * registers are still accessible for devices suspended but
3869 ++ * not in D3cold.
3870 ++ */
3871 ++ if (pdev->current_state == PCI_D3cold)
3872 ++ pm_runtime_resume(dev);
3873 ++}
3874 ++
3875 ++void pci_config_pm_runtime_put(struct pci_dev *pdev)
3876 ++{
3877 ++ struct device *dev = &pdev->dev;
3878 ++ struct device *parent = dev->parent;
3879 ++
3880 ++ pm_runtime_put(dev);
3881 ++ if (parent)
3882 ++ pm_runtime_put_sync(parent);
3883 ++}
3884 ++
3885 + /**
3886 + * pci_pm_init - Initialize PM functions of given PCI device
3887 + * @dev: PCI device to handle.
3888 +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
3889 +index bacbcba..fd92aab 100644
3890 +--- a/drivers/pci/pci.h
3891 ++++ b/drivers/pci/pci.h
3892 +@@ -72,6 +72,8 @@ extern void pci_disable_enabled_device(struct pci_dev *dev);
3893 + extern int pci_finish_runtime_suspend(struct pci_dev *dev);
3894 + extern int __pci_pme_wakeup(struct pci_dev *dev, void *ign);
3895 + extern void pci_wakeup_bus(struct pci_bus *bus);
3896 ++extern void pci_config_pm_runtime_get(struct pci_dev *dev);
3897 ++extern void pci_config_pm_runtime_put(struct pci_dev *dev);
3898 + extern void pci_pm_init(struct pci_dev *dev);
3899 + extern void platform_pci_wakeup_init(struct pci_dev *dev);
3900 + extern void pci_allocate_cap_save_buffers(struct pci_dev *dev);
3901 +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
3902 +index 27911b5..af028c7 100644
3903 +--- a/drivers/pci/proc.c
3904 ++++ b/drivers/pci/proc.c
3905 +@@ -76,6 +76,8 @@ proc_bus_pci_read(struct file *file, char __user *buf, size_t nbytes, loff_t *pp
3906 + if (!access_ok(VERIFY_WRITE, buf, cnt))
3907 + return -EINVAL;
3908 +
3909 ++ pci_config_pm_runtime_get(dev);
3910 ++
3911 + if ((pos & 1) && cnt) {
3912 + unsigned char val;
3913 + pci_user_read_config_byte(dev, pos, &val);
3914 +@@ -121,6 +123,8 @@ proc_bus_pci_read(struct file *file, char __user *buf, size_t nbytes, loff_t *pp
3915 + cnt--;
3916 + }
3917 +
3918 ++ pci_config_pm_runtime_put(dev);
3919 ++
3920 + *ppos = pos;
3921 + return nbytes;
3922 + }
3923 +@@ -146,6 +150,8 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
3924 + if (!access_ok(VERIFY_READ, buf, cnt))
3925 + return -EINVAL;
3926 +
3927 ++ pci_config_pm_runtime_get(dev);
3928 ++
3929 + if ((pos & 1) && cnt) {
3930 + unsigned char val;
3931 + __get_user(val, buf);
3932 +@@ -191,6 +197,8 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
3933 + cnt--;
3934 + }
3935 +
3936 ++ pci_config_pm_runtime_put(dev);
3937 ++
3938 + *ppos = pos;
3939 + i_size_write(ino, dp->size);
3940 + return nbytes;
3941 +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
3942 +index 4838531..e6f2990a 100644
3943 +--- a/drivers/regulator/core.c
3944 ++++ b/drivers/regulator/core.c
3945 +@@ -1942,7 +1942,7 @@ int regulator_is_supported_voltage(struct regulator *regulator,
3946 + if (!(rdev->constraints->valid_ops_mask & REGULATOR_CHANGE_VOLTAGE)) {
3947 + ret = regulator_get_voltage(regulator);
3948 + if (ret >= 0)
3949 +- return (min_uV >= ret && ret <= max_uV);
3950 ++ return (min_uV <= ret && ret <= max_uV);
3951 + else
3952 + return ret;
3953 + }
3954 +diff --git a/drivers/scsi/isci/host.c b/drivers/scsi/isci/host.c
3955 +index 45385f5..446fdd8 100644
3956 +--- a/drivers/scsi/isci/host.c
3957 ++++ b/drivers/scsi/isci/host.c
3958 +@@ -1079,7 +1079,6 @@ static void sci_controller_completion_handler(struct isci_host *ihost)
3959 +
3960 + void ireq_done(struct isci_host *ihost, struct isci_request *ireq, struct sas_task *task)
3961 + {
3962 +- task->lldd_task = NULL;
3963 + if (!test_bit(IREQ_ABORT_PATH_ACTIVE, &ireq->flags) &&
3964 + !(task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
3965 + if (test_bit(IREQ_COMPLETE_IN_TARGET, &ireq->flags)) {
3966 +@@ -1087,16 +1086,19 @@ void ireq_done(struct isci_host *ihost, struct isci_request *ireq, struct sas_ta
3967 + dev_dbg(&ihost->pdev->dev,
3968 + "%s: Normal - ireq/task = %p/%p\n",
3969 + __func__, ireq, task);
3970 +-
3971 ++ task->lldd_task = NULL;
3972 + task->task_done(task);
3973 + } else {
3974 + dev_dbg(&ihost->pdev->dev,
3975 + "%s: Error - ireq/task = %p/%p\n",
3976 + __func__, ireq, task);
3977 +-
3978 ++ if (sas_protocol_ata(task->task_proto))
3979 ++ task->lldd_task = NULL;
3980 + sas_task_abort(task);
3981 + }
3982 +- }
3983 ++ } else
3984 ++ task->lldd_task = NULL;
3985 ++
3986 + if (test_and_clear_bit(IREQ_ABORT_PATH_ACTIVE, &ireq->flags))
3987 + wake_up_all(&ihost->eventq);
3988 +
3989 +diff --git a/drivers/staging/android/android_alarm.h b/drivers/staging/android/android_alarm.h
3990 +index f2ffd96..d0cafd6 100644
3991 +--- a/drivers/staging/android/android_alarm.h
3992 ++++ b/drivers/staging/android/android_alarm.h
3993 +@@ -51,12 +51,10 @@ enum android_alarm_return_flags {
3994 + #define ANDROID_ALARM_WAIT _IO('a', 1)
3995 +
3996 + #define ALARM_IOW(c, type, size) _IOW('a', (c) | ((type) << 4), size)
3997 +-#define ALARM_IOR(c, type, size) _IOR('a', (c) | ((type) << 4), size)
3998 +-
3999 + /* Set alarm */
4000 + #define ANDROID_ALARM_SET(type) ALARM_IOW(2, type, struct timespec)
4001 + #define ANDROID_ALARM_SET_AND_WAIT(type) ALARM_IOW(3, type, struct timespec)
4002 +-#define ANDROID_ALARM_GET_TIME(type) ALARM_IOR(4, type, struct timespec)
4003 ++#define ANDROID_ALARM_GET_TIME(type) ALARM_IOW(4, type, struct timespec)
4004 + #define ANDROID_ALARM_SET_RTC _IOW('a', 5, struct timespec)
4005 + #define ANDROID_ALARM_BASE_CMD(cmd) (cmd & ~(_IOC(0, 0, 0xf0, 0)))
4006 + #define ANDROID_ALARM_IOCTL_TO_TYPE(cmd) (_IOC_NR(cmd) >> 4)
4007 +diff --git a/drivers/tty/serial/omap-serial.c b/drivers/tty/serial/omap-serial.c
4008 +index 22992cd..d3cda0c 100644
4009 +--- a/drivers/tty/serial/omap-serial.c
4010 ++++ b/drivers/tty/serial/omap-serial.c
4011 +@@ -667,19 +667,19 @@ serial_omap_configure_xonxoff
4012 +
4013 + /*
4014 + * IXON Flag:
4015 +- * Flow control for OMAP.TX
4016 +- * OMAP.RX should listen for XON/XOFF
4017 ++ * Enable XON/XOFF flow control on output.
4018 ++ * Transmit XON1, XOFF1
4019 + */
4020 + if (termios->c_iflag & IXON)
4021 +- up->efr |= OMAP_UART_SW_RX;
4022 ++ up->efr |= OMAP_UART_SW_TX;
4023 +
4024 + /*
4025 + * IXOFF Flag:
4026 +- * Flow control for OMAP.RX
4027 +- * OMAP.TX should send XON/XOFF
4028 ++ * Enable XON/XOFF flow control on input.
4029 ++ * Receiver compares XON1, XOFF1.
4030 + */
4031 + if (termios->c_iflag & IXOFF)
4032 +- up->efr |= OMAP_UART_SW_TX;
4033 ++ up->efr |= OMAP_UART_SW_RX;
4034 +
4035 + serial_out(up, UART_EFR, up->efr | UART_EFR_ECB);
4036 + serial_out(up, UART_LCR, UART_LCR_CONF_MODE_A);
4037 +diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
4038 +index f6788d7..059d44b 100644
4039 +--- a/drivers/usb/serial/keyspan.c
4040 ++++ b/drivers/usb/serial/keyspan.c
4041 +@@ -2448,7 +2448,7 @@ static void keyspan_release(struct usb_serial *serial)
4042 + static int keyspan_port_probe(struct usb_serial_port *port)
4043 + {
4044 + struct usb_serial *serial = port->serial;
4045 +- struct keyspan_port_private *s_priv;
4046 ++ struct keyspan_serial_private *s_priv;
4047 + struct keyspan_port_private *p_priv;
4048 + const struct keyspan_device_details *d_details;
4049 + struct callbacks *cback;
4050 +@@ -2463,7 +2463,6 @@ static int keyspan_port_probe(struct usb_serial_port *port)
4051 + if (!p_priv)
4052 + return -ENOMEM;
4053 +
4054 +- s_priv = usb_get_serial_data(port->serial);
4055 + p_priv->device_details = d_details;
4056 +
4057 + /* Setup values for the various callback routines */
4058 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
4059 +index 76a48e4..f852329 100644
4060 +--- a/drivers/usb/serial/option.c
4061 ++++ b/drivers/usb/serial/option.c
4062 +@@ -158,6 +158,7 @@ static void option_instat_callback(struct urb *urb);
4063 + #define NOVATELWIRELESS_PRODUCT_EVDO_EMBEDDED_HIGHSPEED 0x8001
4064 + #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_FULLSPEED 0x9000
4065 + #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001
4066 ++#define NOVATELWIRELESS_PRODUCT_E362 0x9010
4067 + #define NOVATELWIRELESS_PRODUCT_G1 0xA001
4068 + #define NOVATELWIRELESS_PRODUCT_G1_M 0xA002
4069 + #define NOVATELWIRELESS_PRODUCT_G2 0xA010
4070 +@@ -193,6 +194,9 @@ static void option_instat_callback(struct urb *urb);
4071 + #define DELL_PRODUCT_5730_MINICARD_TELUS 0x8181
4072 + #define DELL_PRODUCT_5730_MINICARD_VZW 0x8182
4073 +
4074 ++#define DELL_PRODUCT_5800_MINICARD_VZW 0x8195 /* Novatel E362 */
4075 ++#define DELL_PRODUCT_5800_V2_MINICARD_VZW 0x8196 /* Novatel E362 */
4076 ++
4077 + #define KYOCERA_VENDOR_ID 0x0c88
4078 + #define KYOCERA_PRODUCT_KPC650 0x17da
4079 + #define KYOCERA_PRODUCT_KPC680 0x180a
4080 +@@ -283,6 +287,7 @@ static void option_instat_callback(struct urb *urb);
4081 + /* ALCATEL PRODUCTS */
4082 + #define ALCATEL_VENDOR_ID 0x1bbb
4083 + #define ALCATEL_PRODUCT_X060S_X200 0x0000
4084 ++#define ALCATEL_PRODUCT_X220_X500D 0x0017
4085 +
4086 + #define PIRELLI_VENDOR_ID 0x1266
4087 + #define PIRELLI_PRODUCT_C100_1 0x1002
4088 +@@ -706,6 +711,7 @@ static const struct usb_device_id option_ids[] = {
4089 + { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_G2) },
4090 + /* Novatel Ovation MC551 a.k.a. Verizon USB551L */
4091 + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) },
4092 ++ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) },
4093 +
4094 + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) },
4095 + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) },
4096 +@@ -728,6 +734,8 @@ static const struct usb_device_id option_ids[] = {
4097 + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5730_MINICARD_SPRINT) }, /* Dell Wireless 5730 Mobile Broadband EVDO/HSPA Mini-Card */
4098 + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5730_MINICARD_TELUS) }, /* Dell Wireless 5730 Mobile Broadband EVDO/HSPA Mini-Card */
4099 + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5730_MINICARD_VZW) }, /* Dell Wireless 5730 Mobile Broadband EVDO/HSPA Mini-Card */
4100 ++ { USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5800_MINICARD_VZW, 0xff, 0xff, 0xff) },
4101 ++ { USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5800_V2_MINICARD_VZW, 0xff, 0xff, 0xff) },
4102 + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */
4103 + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) },
4104 + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) },
4105 +@@ -1157,6 +1165,7 @@ static const struct usb_device_id option_ids[] = {
4106 + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
4107 + .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist
4108 + },
4109 ++ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D) },
4110 + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
4111 + { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) },
4112 + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
4113 +diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c
4114 +index 2f2d074..188b5b3 100644
4115 +--- a/drivers/usb/serial/usb_wwan.c
4116 ++++ b/drivers/usb/serial/usb_wwan.c
4117 +@@ -455,9 +455,6 @@ static struct urb *usb_wwan_setup_urb(struct usb_serial_port *port,
4118 + struct usb_serial *serial = port->serial;
4119 + struct urb *urb;
4120 +
4121 +- if (endpoint == -1)
4122 +- return NULL; /* endpoint not needed */
4123 +-
4124 + urb = usb_alloc_urb(0, GFP_KERNEL); /* No ISO */
4125 + if (urb == NULL) {
4126 + dbg("%s: alloc for endpoint %d failed.", __func__, endpoint);
4127 +@@ -487,6 +484,9 @@ int usb_wwan_port_probe(struct usb_serial_port *port)
4128 + init_usb_anchor(&portdata->delayed);
4129 +
4130 + for (i = 0; i < N_IN_URB; i++) {
4131 ++ if (!port->bulk_in_size)
4132 ++ break;
4133 ++
4134 + buffer = (u8 *)__get_free_page(GFP_KERNEL);
4135 + if (!buffer)
4136 + goto bail_out_error;
4137 +@@ -499,8 +499,8 @@ int usb_wwan_port_probe(struct usb_serial_port *port)
4138 + portdata->in_urbs[i] = urb;
4139 + }
4140 + for (i = 0; i < N_OUT_URB; i++) {
4141 +- if (port->bulk_out_endpointAddress == -1)
4142 +- continue;
4143 ++ if (!port->bulk_out_size)
4144 ++ break;
4145 +
4146 + buffer = kmalloc(OUT_BUFLEN, GFP_KERNEL);
4147 + if (!buffer)
4148 +diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
4149 +index c3b3f7f..abd47c7 100644
4150 +--- a/drivers/virtio/virtio.c
4151 ++++ b/drivers/virtio/virtio.c
4152 +@@ -225,8 +225,10 @@ EXPORT_SYMBOL_GPL(register_virtio_device);
4153 +
4154 + void unregister_virtio_device(struct virtio_device *dev)
4155 + {
4156 ++ int index = dev->index; /* save for after device release */
4157 ++
4158 + device_unregister(&dev->dev);
4159 +- ida_simple_remove(&virtio_index_ida, dev->index);
4160 ++ ida_simple_remove(&virtio_index_ida, index);
4161 + }
4162 + EXPORT_SYMBOL_GPL(unregister_virtio_device);
4163 +
4164 +diff --git a/drivers/xen/events.c b/drivers/xen/events.c
4165 +index 7595581..99c5345 100644
4166 +--- a/drivers/xen/events.c
4167 ++++ b/drivers/xen/events.c
4168 +@@ -1374,8 +1374,8 @@ void xen_evtchn_do_upcall(struct pt_regs *regs)
4169 + {
4170 + struct pt_regs *old_regs = set_irq_regs(regs);
4171 +
4172 +- exit_idle();
4173 + irq_enter();
4174 ++ exit_idle();
4175 +
4176 + __xen_evtchn_do_upcall();
4177 +
4178 +diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
4179 +index 05f4dc2..8d453b7 100644
4180 +--- a/fs/cifs/cifsacl.c
4181 ++++ b/fs/cifs/cifsacl.c
4182 +@@ -225,6 +225,13 @@ sid_to_str(struct cifs_sid *sidptr, char *sidstr)
4183 + }
4184 +
4185 + static void
4186 ++cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
4187 ++{
4188 ++ memcpy(dst, src, sizeof(*dst));
4189 ++ dst->num_subauth = min_t(u8, src->num_subauth, NUM_SUBAUTHS);
4190 ++}
4191 ++
4192 ++static void
4193 + id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr,
4194 + struct cifs_sid_id **psidid, char *typestr)
4195 + {
4196 +@@ -248,7 +255,7 @@ id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr,
4197 + }
4198 + }
4199 +
4200 +- memcpy(&(*psidid)->sid, sidptr, sizeof(struct cifs_sid));
4201 ++ cifs_copy_sid(&(*psidid)->sid, sidptr);
4202 + (*psidid)->time = jiffies - (SID_MAP_RETRY + 1);
4203 + (*psidid)->refcount = 0;
4204 +
4205 +@@ -354,7 +361,7 @@ id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid)
4206 + * any fields of the node after a reference is put .
4207 + */
4208 + if (test_bit(SID_ID_MAPPED, &psidid->state)) {
4209 +- memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid));
4210 ++ cifs_copy_sid(ssid, &psidid->sid);
4211 + psidid->time = jiffies; /* update ts for accessing */
4212 + goto id_sid_out;
4213 + }
4214 +@@ -370,14 +377,14 @@ id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid)
4215 + if (IS_ERR(sidkey)) {
4216 + rc = -EINVAL;
4217 + cFYI(1, "%s: Can't map and id to a SID", __func__);
4218 ++ } else if (sidkey->datalen < sizeof(struct cifs_sid)) {
4219 ++ rc = -EIO;
4220 ++ cFYI(1, "%s: Downcall contained malformed key "
4221 ++ "(datalen=%hu)", __func__, sidkey->datalen);
4222 + } else {
4223 + lsid = (struct cifs_sid *)sidkey->payload.data;
4224 +- memcpy(&psidid->sid, lsid,
4225 +- sidkey->datalen < sizeof(struct cifs_sid) ?
4226 +- sidkey->datalen : sizeof(struct cifs_sid));
4227 +- memcpy(ssid, &psidid->sid,
4228 +- sidkey->datalen < sizeof(struct cifs_sid) ?
4229 +- sidkey->datalen : sizeof(struct cifs_sid));
4230 ++ cifs_copy_sid(&psidid->sid, lsid);
4231 ++ cifs_copy_sid(ssid, &psidid->sid);
4232 + set_bit(SID_ID_MAPPED, &psidid->state);
4233 + key_put(sidkey);
4234 + kfree(psidid->sidstr);
4235 +@@ -396,7 +403,7 @@ id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid)
4236 + return rc;
4237 + }
4238 + if (test_bit(SID_ID_MAPPED, &psidid->state))
4239 +- memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid));
4240 ++ cifs_copy_sid(ssid, &psidid->sid);
4241 + else
4242 + rc = -EINVAL;
4243 + }
4244 +@@ -675,8 +682,6 @@ int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
4245 + static void copy_sec_desc(const struct cifs_ntsd *pntsd,
4246 + struct cifs_ntsd *pnntsd, __u32 sidsoffset)
4247 + {
4248 +- int i;
4249 +-
4250 + struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
4251 + struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
4252 +
4253 +@@ -692,26 +697,14 @@ static void copy_sec_desc(const struct cifs_ntsd *pntsd,
4254 + owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
4255 + le32_to_cpu(pntsd->osidoffset));
4256 + nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
4257 +-
4258 +- nowner_sid_ptr->revision = owner_sid_ptr->revision;
4259 +- nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
4260 +- for (i = 0; i < 6; i++)
4261 +- nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
4262 +- for (i = 0; i < 5; i++)
4263 +- nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
4264 ++ cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
4265 +
4266 + /* copy group sid */
4267 + group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
4268 + le32_to_cpu(pntsd->gsidoffset));
4269 + ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
4270 + sizeof(struct cifs_sid));
4271 +-
4272 +- ngroup_sid_ptr->revision = group_sid_ptr->revision;
4273 +- ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
4274 +- for (i = 0; i < 6; i++)
4275 +- ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
4276 +- for (i = 0; i < 5; i++)
4277 +- ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
4278 ++ cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
4279 +
4280 + return;
4281 + }
4282 +@@ -1120,8 +1113,7 @@ static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
4283 + kfree(nowner_sid_ptr);
4284 + return rc;
4285 + }
4286 +- memcpy(owner_sid_ptr, nowner_sid_ptr,
4287 +- sizeof(struct cifs_sid));
4288 ++ cifs_copy_sid(owner_sid_ptr, nowner_sid_ptr);
4289 + kfree(nowner_sid_ptr);
4290 + *aclflag = CIFS_ACL_OWNER;
4291 + }
4292 +@@ -1139,8 +1131,7 @@ static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
4293 + kfree(ngroup_sid_ptr);
4294 + return rc;
4295 + }
4296 +- memcpy(group_sid_ptr, ngroup_sid_ptr,
4297 +- sizeof(struct cifs_sid));
4298 ++ cifs_copy_sid(group_sid_ptr, ngroup_sid_ptr);
4299 + kfree(ngroup_sid_ptr);
4300 + *aclflag = CIFS_ACL_GROUP;
4301 + }
4302 +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
4303 +index 781025b..2b33b2c 100644
4304 +--- a/fs/cifs/dir.c
4305 ++++ b/fs/cifs/dir.c
4306 +@@ -392,7 +392,16 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
4307 + * in network traffic in the other paths.
4308 + */
4309 + if (!(oflags & O_CREAT)) {
4310 +- struct dentry *res = cifs_lookup(inode, direntry, 0);
4311 ++ struct dentry *res;
4312 ++
4313 ++ /*
4314 ++ * Check for hashed negative dentry. We have already revalidated
4315 ++ * the dentry and it is fine. No need to perform another lookup.
4316 ++ */
4317 ++ if (!d_unhashed(direntry))
4318 ++ return -ENOENT;
4319 ++
4320 ++ res = cifs_lookup(inode, direntry, 0);
4321 + if (IS_ERR(res))
4322 + return PTR_ERR(res);
4323 +
4324 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
4325 +index 5c69f2b..b686b43 100644
4326 +--- a/fs/ext4/ext4.h
4327 ++++ b/fs/ext4/ext4.h
4328 +@@ -2046,8 +2046,7 @@ extern int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count);
4329 + extern int ext4_calculate_overhead(struct super_block *sb);
4330 + extern int ext4_superblock_csum_verify(struct super_block *sb,
4331 + struct ext4_super_block *es);
4332 +-extern void ext4_superblock_csum_set(struct super_block *sb,
4333 +- struct ext4_super_block *es);
4334 ++extern void ext4_superblock_csum_set(struct super_block *sb);
4335 + extern void *ext4_kvmalloc(size_t size, gfp_t flags);
4336 + extern void *ext4_kvzalloc(size_t size, gfp_t flags);
4337 + extern void ext4_kvfree(void *ptr);
4338 +diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
4339 +index bfa65b4..b4323ba 100644
4340 +--- a/fs/ext4/ext4_jbd2.c
4341 ++++ b/fs/ext4/ext4_jbd2.c
4342 +@@ -143,17 +143,13 @@ int __ext4_handle_dirty_super(const char *where, unsigned int line,
4343 + struct buffer_head *bh = EXT4_SB(sb)->s_sbh;
4344 + int err = 0;
4345 +
4346 ++ ext4_superblock_csum_set(sb);
4347 + if (ext4_handle_valid(handle)) {
4348 +- ext4_superblock_csum_set(sb,
4349 +- (struct ext4_super_block *)bh->b_data);
4350 + err = jbd2_journal_dirty_metadata(handle, bh);
4351 + if (err)
4352 + ext4_journal_abort_handle(where, line, __func__,
4353 + bh, handle, err);
4354 +- } else {
4355 +- ext4_superblock_csum_set(sb,
4356 +- (struct ext4_super_block *)bh->b_data);
4357 ++ } else
4358 + mark_buffer_dirty(bh);
4359 +- }
4360 + return err;
4361 + }
4362 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
4363 +index 71241bc..101b41c 100644
4364 +--- a/fs/ext4/resize.c
4365 ++++ b/fs/ext4/resize.c
4366 +@@ -979,7 +979,7 @@ static void update_backups(struct super_block *sb,
4367 + goto exit_err;
4368 + }
4369 +
4370 +- ext4_superblock_csum_set(sb, (struct ext4_super_block *)data);
4371 ++ ext4_superblock_csum_set(sb);
4372 +
4373 + while ((group = ext4_list_backups(sb, &three, &five, &seven)) < last) {
4374 + struct buffer_head *bh;
4375 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
4376 +index e44b233..2b5fb60 100644
4377 +--- a/fs/ext4/super.c
4378 ++++ b/fs/ext4/super.c
4379 +@@ -143,9 +143,10 @@ int ext4_superblock_csum_verify(struct super_block *sb,
4380 + return es->s_checksum == ext4_superblock_csum(sb, es);
4381 + }
4382 +
4383 +-void ext4_superblock_csum_set(struct super_block *sb,
4384 +- struct ext4_super_block *es)
4385 ++void ext4_superblock_csum_set(struct super_block *sb)
4386 + {
4387 ++ struct ext4_super_block *es = EXT4_SB(sb)->s_es;
4388 ++
4389 + if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
4390 + EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
4391 + return;
4392 +@@ -4343,7 +4344,7 @@ static int ext4_commit_super(struct super_block *sb, int sync)
4393 + cpu_to_le32(percpu_counter_sum_positive(
4394 + &EXT4_SB(sb)->s_freeinodes_counter));
4395 + BUFFER_TRACE(sbh, "marking dirty");
4396 +- ext4_superblock_csum_set(sb, es);
4397 ++ ext4_superblock_csum_set(sb);
4398 + mark_buffer_dirty(sbh);
4399 + if (sync) {
4400 + error = sync_dirty_buffer(sbh);
4401 +diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
4402 +index 382000f..07cc71f 100644
4403 +--- a/fs/gfs2/file.c
4404 ++++ b/fs/gfs2/file.c
4405 +@@ -515,15 +515,13 @@ static int gfs2_mmap(struct file *file, struct vm_area_struct *vma)
4406 + struct gfs2_holder i_gh;
4407 + int error;
4408 +
4409 +- gfs2_holder_init(ip->i_gl, LM_ST_SHARED, LM_FLAG_ANY, &i_gh);
4410 +- error = gfs2_glock_nq(&i_gh);
4411 +- if (error == 0) {
4412 +- file_accessed(file);
4413 +- gfs2_glock_dq(&i_gh);
4414 +- }
4415 +- gfs2_holder_uninit(&i_gh);
4416 ++ error = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, LM_FLAG_ANY,
4417 ++ &i_gh);
4418 + if (error)
4419 + return error;
4420 ++ /* grab lock to update inode */
4421 ++ gfs2_glock_dq_uninit(&i_gh);
4422 ++ file_accessed(file);
4423 + }
4424 + vma->vm_ops = &gfs2_vm_ops;
4425 + vma->vm_flags |= VM_CAN_NONLINEAR;
4426 +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
4427 +index fc3168f..12ff463 100644
4428 +--- a/fs/gfs2/super.c
4429 ++++ b/fs/gfs2/super.c
4430 +@@ -810,7 +810,8 @@ static void gfs2_dirty_inode(struct inode *inode, int flags)
4431 + return;
4432 + }
4433 + need_unlock = 1;
4434 +- }
4435 ++ } else if (WARN_ON_ONCE(ip->i_gl->gl_state != LM_ST_EXCLUSIVE))
4436 ++ return;
4437 +
4438 + if (current->journal_info == NULL) {
4439 + ret = gfs2_trans_begin(sdp, RES_DINODE, 0);
4440 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
4441 +index f35794b..a506360 100644
4442 +--- a/fs/notify/fanotify/fanotify.c
4443 ++++ b/fs/notify/fanotify/fanotify.c
4444 +@@ -21,6 +21,7 @@ static bool should_merge(struct fsnotify_event *old, struct fsnotify_event *new)
4445 + if ((old->path.mnt == new->path.mnt) &&
4446 + (old->path.dentry == new->path.dentry))
4447 + return true;
4448 ++ break;
4449 + case (FSNOTIFY_EVENT_NONE):
4450 + return true;
4451 + default:
4452 +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
4453 +index 29996e8..2d1e0f3 100644
4454 +--- a/fs/pstore/platform.c
4455 ++++ b/fs/pstore/platform.c
4456 +@@ -161,12 +161,13 @@ static void pstore_console_write(struct console *con, const char *s, unsigned c)
4457 +
4458 + while (s < e) {
4459 + unsigned long flags;
4460 ++ u64 id;
4461 +
4462 + if (c > psinfo->bufsize)
4463 + c = psinfo->bufsize;
4464 + spin_lock_irqsave(&psinfo->buf_lock, flags);
4465 + memcpy(psinfo->buf, s, c);
4466 +- psinfo->write(PSTORE_TYPE_CONSOLE, 0, NULL, 0, c, psinfo);
4467 ++ psinfo->write(PSTORE_TYPE_CONSOLE, 0, &id, 0, c, psinfo);
4468 + spin_unlock_irqrestore(&psinfo->buf_lock, flags);
4469 + s += c;
4470 + c = e - s;
4471 +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
4472 +index 63ce6be..567c10c 100644
4473 +--- a/fs/reiserfs/inode.c
4474 ++++ b/fs/reiserfs/inode.c
4475 +@@ -1782,8 +1782,9 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
4476 +
4477 + BUG_ON(!th->t_trans_id);
4478 +
4479 +- dquot_initialize(inode);
4480 ++ reiserfs_write_unlock(inode->i_sb);
4481 + err = dquot_alloc_inode(inode);
4482 ++ reiserfs_write_lock(inode->i_sb);
4483 + if (err)
4484 + goto out_end_trans;
4485 + if (!dir->i_nlink) {
4486 +@@ -1979,8 +1980,10 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
4487 +
4488 + out_end_trans:
4489 + journal_end(th, th->t_super, th->t_blocks_allocated);
4490 ++ reiserfs_write_unlock(inode->i_sb);
4491 + /* Drop can be outside and it needs more credits so it's better to have it outside */
4492 + dquot_drop(inode);
4493 ++ reiserfs_write_lock(inode->i_sb);
4494 + inode->i_flags |= S_NOQUOTA;
4495 + make_bad_inode(inode);
4496 +
4497 +@@ -3103,10 +3106,9 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
4498 + /* must be turned off for recursive notify_change calls */
4499 + ia_valid = attr->ia_valid &= ~(ATTR_KILL_SUID|ATTR_KILL_SGID);
4500 +
4501 +- depth = reiserfs_write_lock_once(inode->i_sb);
4502 + if (is_quota_modification(inode, attr))
4503 + dquot_initialize(inode);
4504 +-
4505 ++ depth = reiserfs_write_lock_once(inode->i_sb);
4506 + if (attr->ia_valid & ATTR_SIZE) {
4507 + /* version 2 items will be caught by the s_maxbytes check
4508 + ** done for us in vmtruncate
4509 +@@ -3170,7 +3172,9 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
4510 + error = journal_begin(&th, inode->i_sb, jbegin_count);
4511 + if (error)
4512 + goto out;
4513 ++ reiserfs_write_unlock_once(inode->i_sb, depth);
4514 + error = dquot_transfer(inode, attr);
4515 ++ depth = reiserfs_write_lock_once(inode->i_sb);
4516 + if (error) {
4517 + journal_end(&th, inode->i_sb, jbegin_count);
4518 + goto out;
4519 +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
4520 +index f8afa4b..2f40a4c 100644
4521 +--- a/fs/reiserfs/stree.c
4522 ++++ b/fs/reiserfs/stree.c
4523 +@@ -1968,7 +1968,9 @@ int reiserfs_paste_into_item(struct reiserfs_transaction_handle *th, struct tree
4524 + key2type(&(key->on_disk_key)));
4525 + #endif
4526 +
4527 ++ reiserfs_write_unlock(inode->i_sb);
4528 + retval = dquot_alloc_space_nodirty(inode, pasted_size);
4529 ++ reiserfs_write_lock(inode->i_sb);
4530 + if (retval) {
4531 + pathrelse(search_path);
4532 + return retval;
4533 +@@ -2061,9 +2063,11 @@ int reiserfs_insert_item(struct reiserfs_transaction_handle *th,
4534 + "reiserquota insert_item(): allocating %u id=%u type=%c",
4535 + quota_bytes, inode->i_uid, head2type(ih));
4536 + #endif
4537 ++ reiserfs_write_unlock(inode->i_sb);
4538 + /* We can't dirty inode here. It would be immediately written but
4539 + * appropriate stat item isn't inserted yet... */
4540 + retval = dquot_alloc_space_nodirty(inode, quota_bytes);
4541 ++ reiserfs_write_lock(inode->i_sb);
4542 + if (retval) {
4543 + pathrelse(path);
4544 + return retval;
4545 +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
4546 +index 7a37dab..4300030 100644
4547 +--- a/fs/reiserfs/super.c
4548 ++++ b/fs/reiserfs/super.c
4549 +@@ -298,7 +298,9 @@ static int finish_unfinished(struct super_block *s)
4550 + retval = remove_save_link_only(s, &save_link_key, 0);
4551 + continue;
4552 + }
4553 ++ reiserfs_write_unlock(s);
4554 + dquot_initialize(inode);
4555 ++ reiserfs_write_lock(s);
4556 +
4557 + if (truncate && S_ISDIR(inode->i_mode)) {
4558 + /* We got a truncate request for a dir which is impossible.
4559 +@@ -1330,7 +1332,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4560 + kfree(qf_names[i]);
4561 + #endif
4562 + err = -EINVAL;
4563 +- goto out_err;
4564 ++ goto out_unlock;
4565 + }
4566 + #ifdef CONFIG_QUOTA
4567 + handle_quota_files(s, qf_names, &qfmt);
4568 +@@ -1374,7 +1376,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4569 + if (blocks) {
4570 + err = reiserfs_resize(s, blocks);
4571 + if (err != 0)
4572 +- goto out_err;
4573 ++ goto out_unlock;
4574 + }
4575 +
4576 + if (*mount_flags & MS_RDONLY) {
4577 +@@ -1384,9 +1386,15 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4578 + /* it is read-only already */
4579 + goto out_ok;
4580 +
4581 ++ /*
4582 ++ * Drop write lock. Quota will retake it when needed and lock
4583 ++ * ordering requires calling dquot_suspend() without it.
4584 ++ */
4585 ++ reiserfs_write_unlock(s);
4586 + err = dquot_suspend(s, -1);
4587 + if (err < 0)
4588 + goto out_err;
4589 ++ reiserfs_write_lock(s);
4590 +
4591 + /* try to remount file system with read-only permissions */
4592 + if (sb_umount_state(rs) == REISERFS_VALID_FS
4593 +@@ -1396,7 +1404,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4594 +
4595 + err = journal_begin(&th, s, 10);
4596 + if (err)
4597 +- goto out_err;
4598 ++ goto out_unlock;
4599 +
4600 + /* Mounting a rw partition read-only. */
4601 + reiserfs_prepare_for_journal(s, SB_BUFFER_WITH_SB(s), 1);
4602 +@@ -1411,7 +1419,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4603 +
4604 + if (reiserfs_is_journal_aborted(journal)) {
4605 + err = journal->j_errno;
4606 +- goto out_err;
4607 ++ goto out_unlock;
4608 + }
4609 +
4610 + handle_data_mode(s, mount_options);
4611 +@@ -1420,7 +1428,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4612 + s->s_flags &= ~MS_RDONLY; /* now it is safe to call journal_begin */
4613 + err = journal_begin(&th, s, 10);
4614 + if (err)
4615 +- goto out_err;
4616 ++ goto out_unlock;
4617 +
4618 + /* Mount a partition which is read-only, read-write */
4619 + reiserfs_prepare_for_journal(s, SB_BUFFER_WITH_SB(s), 1);
4620 +@@ -1437,10 +1445,16 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
4621 + SB_JOURNAL(s)->j_must_wait = 1;
4622 + err = journal_end(&th, s, 10);
4623 + if (err)
4624 +- goto out_err;
4625 ++ goto out_unlock;
4626 +
4627 + if (!(*mount_flags & MS_RDONLY)) {
4628 ++ /*
4629 ++ * Drop write lock. Quota will retake it when needed and lock
4630 ++ * ordering requires calling dquot_resume() without it.
4631 ++ */
4632 ++ reiserfs_write_unlock(s);
4633 + dquot_resume(s, -1);
4634 ++ reiserfs_write_lock(s);
4635 + finish_unfinished(s);
4636 + reiserfs_xattr_init(s, *mount_flags);
4637 + }
4638 +@@ -1450,9 +1464,10 @@ out_ok:
4639 + reiserfs_write_unlock(s);
4640 + return 0;
4641 +
4642 ++out_unlock:
4643 ++ reiserfs_write_unlock(s);
4644 + out_err:
4645 + kfree(new_opts);
4646 +- reiserfs_write_unlock(s);
4647 + return err;
4648 + }
4649 +
4650 +@@ -2090,13 +2105,15 @@ static int reiserfs_write_dquot(struct dquot *dquot)
4651 + REISERFS_QUOTA_TRANS_BLOCKS(dquot->dq_sb));
4652 + if (ret)
4653 + goto out;
4654 ++ reiserfs_write_unlock(dquot->dq_sb);
4655 + ret = dquot_commit(dquot);
4656 ++ reiserfs_write_lock(dquot->dq_sb);
4657 + err =
4658 + journal_end(&th, dquot->dq_sb,
4659 + REISERFS_QUOTA_TRANS_BLOCKS(dquot->dq_sb));
4660 + if (!ret && err)
4661 + ret = err;
4662 +- out:
4663 ++out:
4664 + reiserfs_write_unlock(dquot->dq_sb);
4665 + return ret;
4666 + }
4667 +@@ -2112,13 +2129,15 @@ static int reiserfs_acquire_dquot(struct dquot *dquot)
4668 + REISERFS_QUOTA_INIT_BLOCKS(dquot->dq_sb));
4669 + if (ret)
4670 + goto out;
4671 ++ reiserfs_write_unlock(dquot->dq_sb);
4672 + ret = dquot_acquire(dquot);
4673 ++ reiserfs_write_lock(dquot->dq_sb);
4674 + err =
4675 + journal_end(&th, dquot->dq_sb,
4676 + REISERFS_QUOTA_INIT_BLOCKS(dquot->dq_sb));
4677 + if (!ret && err)
4678 + ret = err;
4679 +- out:
4680 ++out:
4681 + reiserfs_write_unlock(dquot->dq_sb);
4682 + return ret;
4683 + }
4684 +@@ -2132,19 +2151,21 @@ static int reiserfs_release_dquot(struct dquot *dquot)
4685 + ret =
4686 + journal_begin(&th, dquot->dq_sb,
4687 + REISERFS_QUOTA_DEL_BLOCKS(dquot->dq_sb));
4688 ++ reiserfs_write_unlock(dquot->dq_sb);
4689 + if (ret) {
4690 + /* Release dquot anyway to avoid endless cycle in dqput() */
4691 + dquot_release(dquot);
4692 + goto out;
4693 + }
4694 + ret = dquot_release(dquot);
4695 ++ reiserfs_write_lock(dquot->dq_sb);
4696 + err =
4697 + journal_end(&th, dquot->dq_sb,
4698 + REISERFS_QUOTA_DEL_BLOCKS(dquot->dq_sb));
4699 + if (!ret && err)
4700 + ret = err;
4701 +- out:
4702 + reiserfs_write_unlock(dquot->dq_sb);
4703 ++out:
4704 + return ret;
4705 + }
4706 +
4707 +@@ -2169,11 +2190,13 @@ static int reiserfs_write_info(struct super_block *sb, int type)
4708 + ret = journal_begin(&th, sb, 2);
4709 + if (ret)
4710 + goto out;
4711 ++ reiserfs_write_unlock(sb);
4712 + ret = dquot_commit_info(sb, type);
4713 ++ reiserfs_write_lock(sb);
4714 + err = journal_end(&th, sb, 2);
4715 + if (!ret && err)
4716 + ret = err;
4717 +- out:
4718 ++out:
4719 + reiserfs_write_unlock(sb);
4720 + return ret;
4721 + }
4722 +@@ -2198,8 +2221,11 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
4723 + struct reiserfs_transaction_handle th;
4724 + int opt = type == USRQUOTA ? REISERFS_USRQUOTA : REISERFS_GRPQUOTA;
4725 +
4726 +- if (!(REISERFS_SB(sb)->s_mount_opt & (1 << opt)))
4727 +- return -EINVAL;
4728 ++ reiserfs_write_lock(sb);
4729 ++ if (!(REISERFS_SB(sb)->s_mount_opt & (1 << opt))) {
4730 ++ err = -EINVAL;
4731 ++ goto out;
4732 ++ }
4733 +
4734 + /* Quotafile not on the same filesystem? */
4735 + if (path->dentry->d_sb != sb) {
4736 +@@ -2241,8 +2267,10 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
4737 + if (err)
4738 + goto out;
4739 + }
4740 +- err = dquot_quota_on(sb, type, format_id, path);
4741 ++ reiserfs_write_unlock(sb);
4742 ++ return dquot_quota_on(sb, type, format_id, path);
4743 + out:
4744 ++ reiserfs_write_unlock(sb);
4745 + return err;
4746 + }
4747 +
4748 +@@ -2315,7 +2343,9 @@ static ssize_t reiserfs_quota_write(struct super_block *sb, int type,
4749 + tocopy = sb->s_blocksize - offset < towrite ?
4750 + sb->s_blocksize - offset : towrite;
4751 + tmp_bh.b_state = 0;
4752 ++ reiserfs_write_lock(sb);
4753 + err = reiserfs_get_block(inode, blk, &tmp_bh, GET_BLOCK_CREATE);
4754 ++ reiserfs_write_unlock(sb);
4755 + if (err)
4756 + goto out;
4757 + if (offset || tocopy != sb->s_blocksize)
4758 +@@ -2331,10 +2361,12 @@ static ssize_t reiserfs_quota_write(struct super_block *sb, int type,
4759 + flush_dcache_page(bh->b_page);
4760 + set_buffer_uptodate(bh);
4761 + unlock_buffer(bh);
4762 ++ reiserfs_write_lock(sb);
4763 + reiserfs_prepare_for_journal(sb, bh, 1);
4764 + journal_mark_dirty(current->journal_info, sb, bh);
4765 + if (!journal_quota)
4766 + reiserfs_add_ordered_list(inode, bh);
4767 ++ reiserfs_write_unlock(sb);
4768 + brelse(bh);
4769 + offset = 0;
4770 + towrite -= tocopy;
4771 +diff --git a/fs/ubifs/find.c b/fs/ubifs/find.c
4772 +index 28ec13a..2dcf3d4 100644
4773 +--- a/fs/ubifs/find.c
4774 ++++ b/fs/ubifs/find.c
4775 +@@ -681,8 +681,16 @@ int ubifs_find_free_leb_for_idx(struct ubifs_info *c)
4776 + if (!lprops) {
4777 + lprops = ubifs_fast_find_freeable(c);
4778 + if (!lprops) {
4779 +- ubifs_assert(c->freeable_cnt == 0);
4780 +- if (c->lst.empty_lebs - c->lst.taken_empty_lebs > 0) {
4781 ++ /*
4782 ++ * The first condition means the following: go scan the
4783 ++ * LPT if there are uncategorized lprops, which means
4784 ++ * there may be freeable LEBs there (UBIFS does not
4785 ++ * store the information about freeable LEBs in the
4786 ++ * master node).
4787 ++ */
4788 ++ if (c->in_a_category_cnt != c->main_lebs ||
4789 ++ c->lst.empty_lebs - c->lst.taken_empty_lebs > 0) {
4790 ++ ubifs_assert(c->freeable_cnt == 0);
4791 + lprops = scan_for_leb_for_idx(c);
4792 + if (IS_ERR(lprops)) {
4793 + err = PTR_ERR(lprops);
4794 +diff --git a/fs/ubifs/lprops.c b/fs/ubifs/lprops.c
4795 +index 86eb8e5..b33ec7a 100644
4796 +--- a/fs/ubifs/lprops.c
4797 ++++ b/fs/ubifs/lprops.c
4798 +@@ -300,8 +300,11 @@ void ubifs_add_to_cat(struct ubifs_info *c, struct ubifs_lprops *lprops,
4799 + default:
4800 + ubifs_assert(0);
4801 + }
4802 ++
4803 + lprops->flags &= ~LPROPS_CAT_MASK;
4804 + lprops->flags |= cat;
4805 ++ c->in_a_category_cnt += 1;
4806 ++ ubifs_assert(c->in_a_category_cnt <= c->main_lebs);
4807 + }
4808 +
4809 + /**
4810 +@@ -334,6 +337,9 @@ static void ubifs_remove_from_cat(struct ubifs_info *c,
4811 + default:
4812 + ubifs_assert(0);
4813 + }
4814 ++
4815 ++ c->in_a_category_cnt -= 1;
4816 ++ ubifs_assert(c->in_a_category_cnt >= 0);
4817 + }
4818 +
4819 + /**
4820 +diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
4821 +index 1e5a086..51ac3e6 100644
4822 +--- a/fs/ubifs/ubifs.h
4823 ++++ b/fs/ubifs/ubifs.h
4824 +@@ -1184,6 +1184,8 @@ struct ubifs_debug_info;
4825 + * @freeable_list: list of freeable non-index LEBs (free + dirty == @leb_size)
4826 + * @frdi_idx_list: list of freeable index LEBs (free + dirty == @leb_size)
4827 + * @freeable_cnt: number of freeable LEBs in @freeable_list
4828 ++ * @in_a_category_cnt: count of lprops which are in a certain category, which
4829 ++ * basically meants that they were loaded from the flash
4830 + *
4831 + * @ltab_lnum: LEB number of LPT's own lprops table
4832 + * @ltab_offs: offset of LPT's own lprops table
4833 +@@ -1413,6 +1415,7 @@ struct ubifs_info {
4834 + struct list_head freeable_list;
4835 + struct list_head frdi_idx_list;
4836 + int freeable_cnt;
4837 ++ int in_a_category_cnt;
4838 +
4839 + int ltab_lnum;
4840 + int ltab_offs;
4841 +diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
4842 +index 933b793..4b0b8dd 100644
4843 +--- a/fs/xfs/xfs_buf.c
4844 ++++ b/fs/xfs/xfs_buf.c
4845 +@@ -1197,9 +1197,14 @@ xfs_buf_bio_end_io(
4846 + {
4847 + xfs_buf_t *bp = (xfs_buf_t *)bio->bi_private;
4848 +
4849 +- xfs_buf_ioerror(bp, -error);
4850 ++ /*
4851 ++ * don't overwrite existing errors - otherwise we can lose errors on
4852 ++ * buffers that require multiple bios to complete.
4853 ++ */
4854 ++ if (!bp->b_error)
4855 ++ xfs_buf_ioerror(bp, -error);
4856 +
4857 +- if (!error && xfs_buf_is_vmapped(bp) && (bp->b_flags & XBF_READ))
4858 ++ if (!bp->b_error && xfs_buf_is_vmapped(bp) && (bp->b_flags & XBF_READ))
4859 + invalidate_kernel_vmap_range(bp->b_addr, xfs_buf_vmap_len(bp));
4860 +
4861 + _xfs_buf_ioend(bp, 1);
4862 +@@ -1279,6 +1284,11 @@ next_chunk:
4863 + if (size)
4864 + goto next_chunk;
4865 + } else {
4866 ++ /*
4867 ++ * This is guaranteed not to be the last io reference count
4868 ++ * because the caller (xfs_buf_iorequest) holds a count itself.
4869 ++ */
4870 ++ atomic_dec(&bp->b_io_remaining);
4871 + xfs_buf_ioerror(bp, EIO);
4872 + bio_put(bio);
4873 + }
4874 +diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
4875 +index 2daa54f..a16d929 100644
4876 +--- a/include/linux/mmzone.h
4877 ++++ b/include/linux/mmzone.h
4878 +@@ -744,7 +744,7 @@ extern int init_currently_empty_zone(struct zone *zone, unsigned long start_pfn,
4879 + unsigned long size,
4880 + enum memmap_context context);
4881 +
4882 +-extern void lruvec_init(struct lruvec *lruvec, struct zone *zone);
4883 ++extern void lruvec_init(struct lruvec *lruvec);
4884 +
4885 + static inline struct zone *lruvec_zone(struct lruvec *lruvec)
4886 + {
4887 +diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h
4888 +index 945704c..00b9e61 100644
4889 +--- a/include/linux/ptp_clock_kernel.h
4890 ++++ b/include/linux/ptp_clock_kernel.h
4891 +@@ -50,7 +50,8 @@ struct ptp_clock_request {
4892 + * clock operations
4893 + *
4894 + * @adjfreq: Adjusts the frequency of the hardware clock.
4895 +- * parameter delta: Desired period change in parts per billion.
4896 ++ * parameter delta: Desired frequency offset from nominal frequency
4897 ++ * in parts per billion
4898 + *
4899 + * @adjtime: Shifts the time of the hardware clock.
4900 + * parameter delta: Desired change in nanoseconds.
4901 +diff --git a/kernel/module.c b/kernel/module.c
4902 +index 9ad9ee9..2a15c59 100644
4903 +--- a/kernel/module.c
4904 ++++ b/kernel/module.c
4905 +@@ -2273,12 +2273,17 @@ static void layout_symtab(struct module *mod, struct load_info *info)
4906 + src = (void *)info->hdr + symsect->sh_offset;
4907 + nsrc = symsect->sh_size / sizeof(*src);
4908 +
4909 ++ /* strtab always starts with a nul, so offset 0 is the empty string. */
4910 ++ strtab_size = 1;
4911 ++
4912 + /* Compute total space required for the core symbols' strtab. */
4913 +- for (ndst = i = strtab_size = 1; i < nsrc; ++i, ++src)
4914 +- if (is_core_symbol(src, info->sechdrs, info->hdr->e_shnum)) {
4915 +- strtab_size += strlen(&info->strtab[src->st_name]) + 1;
4916 ++ for (ndst = i = 0; i < nsrc; i++) {
4917 ++ if (i == 0 ||
4918 ++ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) {
4919 ++ strtab_size += strlen(&info->strtab[src[i].st_name])+1;
4920 + ndst++;
4921 + }
4922 ++ }
4923 +
4924 + /* Append room for core symbols at end of core part. */
4925 + info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
4926 +@@ -2312,15 +2317,15 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
4927 + mod->core_symtab = dst = mod->module_core + info->symoffs;
4928 + mod->core_strtab = s = mod->module_core + info->stroffs;
4929 + src = mod->symtab;
4930 +- *dst = *src;
4931 + *s++ = 0;
4932 +- for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
4933 +- if (!is_core_symbol(src, info->sechdrs, info->hdr->e_shnum))
4934 +- continue;
4935 +-
4936 +- dst[ndst] = *src;
4937 +- dst[ndst++].st_name = s - mod->core_strtab;
4938 +- s += strlcpy(s, &mod->strtab[src->st_name], KSYM_NAME_LEN) + 1;
4939 ++ for (ndst = i = 0; i < mod->num_symtab; i++) {
4940 ++ if (i == 0 ||
4941 ++ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) {
4942 ++ dst[ndst] = src[i];
4943 ++ dst[ndst++].st_name = s - mod->core_strtab;
4944 ++ s += strlcpy(s, &mod->strtab[src[i].st_name],
4945 ++ KSYM_NAME_LEN) + 1;
4946 ++ }
4947 + }
4948 + mod->core_num_syms = ndst;
4949 + }
4950 +diff --git a/mm/memcontrol.c b/mm/memcontrol.c
4951 +index 795e525..a6e2f81 100644
4952 +--- a/mm/memcontrol.c
4953 ++++ b/mm/memcontrol.c
4954 +@@ -1061,12 +1061,24 @@ struct lruvec *mem_cgroup_zone_lruvec(struct zone *zone,
4955 + struct mem_cgroup *memcg)
4956 + {
4957 + struct mem_cgroup_per_zone *mz;
4958 ++ struct lruvec *lruvec;
4959 +
4960 +- if (mem_cgroup_disabled())
4961 +- return &zone->lruvec;
4962 ++ if (mem_cgroup_disabled()) {
4963 ++ lruvec = &zone->lruvec;
4964 ++ goto out;
4965 ++ }
4966 +
4967 + mz = mem_cgroup_zoneinfo(memcg, zone_to_nid(zone), zone_idx(zone));
4968 +- return &mz->lruvec;
4969 ++ lruvec = &mz->lruvec;
4970 ++out:
4971 ++ /*
4972 ++ * Since a node can be onlined after the mem_cgroup was created,
4973 ++ * we have to be prepared to initialize lruvec->zone here;
4974 ++ * and if offlined then reonlined, we need to reinitialize it.
4975 ++ */
4976 ++ if (unlikely(lruvec->zone != zone))
4977 ++ lruvec->zone = zone;
4978 ++ return lruvec;
4979 + }
4980 +
4981 + /*
4982 +@@ -1093,9 +1105,12 @@ struct lruvec *mem_cgroup_page_lruvec(struct page *page, struct zone *zone)
4983 + struct mem_cgroup_per_zone *mz;
4984 + struct mem_cgroup *memcg;
4985 + struct page_cgroup *pc;
4986 ++ struct lruvec *lruvec;
4987 +
4988 +- if (mem_cgroup_disabled())
4989 +- return &zone->lruvec;
4990 ++ if (mem_cgroup_disabled()) {
4991 ++ lruvec = &zone->lruvec;
4992 ++ goto out;
4993 ++ }
4994 +
4995 + pc = lookup_page_cgroup(page);
4996 + memcg = pc->mem_cgroup;
4997 +@@ -1113,7 +1128,16 @@ struct lruvec *mem_cgroup_page_lruvec(struct page *page, struct zone *zone)
4998 + pc->mem_cgroup = memcg = root_mem_cgroup;
4999 +
5000 + mz = page_cgroup_zoneinfo(memcg, page);
5001 +- return &mz->lruvec;
5002 ++ lruvec = &mz->lruvec;
5003 ++out:
5004 ++ /*
5005 ++ * Since a node can be onlined after the mem_cgroup was created,
5006 ++ * we have to be prepared to initialize lruvec->zone here;
5007 ++ * and if offlined then reonlined, we need to reinitialize it.
5008 ++ */
5009 ++ if (unlikely(lruvec->zone != zone))
5010 ++ lruvec->zone = zone;
5011 ++ return lruvec;
5012 + }
5013 +
5014 + /**
5015 +@@ -1458,17 +1482,26 @@ static int mem_cgroup_count_children(struct mem_cgroup *memcg)
5016 + static u64 mem_cgroup_get_limit(struct mem_cgroup *memcg)
5017 + {
5018 + u64 limit;
5019 +- u64 memsw;
5020 +
5021 + limit = res_counter_read_u64(&memcg->res, RES_LIMIT);
5022 +- limit += total_swap_pages << PAGE_SHIFT;
5023 +
5024 +- memsw = res_counter_read_u64(&memcg->memsw, RES_LIMIT);
5025 + /*
5026 +- * If memsw is finite and limits the amount of swap space available
5027 +- * to this memcg, return that limit.
5028 ++ * Do not consider swap space if we cannot swap due to swappiness
5029 + */
5030 +- return min(limit, memsw);
5031 ++ if (mem_cgroup_swappiness(memcg)) {
5032 ++ u64 memsw;
5033 ++
5034 ++ limit += total_swap_pages << PAGE_SHIFT;
5035 ++ memsw = res_counter_read_u64(&memcg->memsw, RES_LIMIT);
5036 ++
5037 ++ /*
5038 ++ * If memsw is finite and limits the amount of swap space
5039 ++ * available to this memcg, return that limit.
5040 ++ */
5041 ++ limit = min(limit, memsw);
5042 ++ }
5043 ++
5044 ++ return limit;
5045 + }
5046 +
5047 + void mem_cgroup_out_of_memory(struct mem_cgroup *memcg, gfp_t gfp_mask,
5048 +@@ -3694,17 +3727,17 @@ unsigned long mem_cgroup_soft_limit_reclaim(struct zone *zone, int order,
5049 + static bool mem_cgroup_force_empty_list(struct mem_cgroup *memcg,
5050 + int node, int zid, enum lru_list lru)
5051 + {
5052 +- struct mem_cgroup_per_zone *mz;
5053 ++ struct lruvec *lruvec;
5054 + unsigned long flags, loop;
5055 + struct list_head *list;
5056 + struct page *busy;
5057 + struct zone *zone;
5058 +
5059 + zone = &NODE_DATA(node)->node_zones[zid];
5060 +- mz = mem_cgroup_zoneinfo(memcg, node, zid);
5061 +- list = &mz->lruvec.lists[lru];
5062 ++ lruvec = mem_cgroup_zone_lruvec(zone, memcg);
5063 ++ list = &lruvec->lists[lru];
5064 +
5065 +- loop = mz->lru_size[lru];
5066 ++ loop = mem_cgroup_get_lru_size(lruvec, lru);
5067 + /* give some margin against EBUSY etc...*/
5068 + loop += 256;
5069 + busy = NULL;
5070 +@@ -4742,7 +4775,7 @@ static int alloc_mem_cgroup_per_zone_info(struct mem_cgroup *memcg, int node)
5071 +
5072 + for (zone = 0; zone < MAX_NR_ZONES; zone++) {
5073 + mz = &pn->zoneinfo[zone];
5074 +- lruvec_init(&mz->lruvec, &NODE_DATA(node)->node_zones[zone]);
5075 ++ lruvec_init(&mz->lruvec);
5076 + mz->usage_in_excess = 0;
5077 + mz->on_tree = false;
5078 + mz->memcg = memcg;
5079 +diff --git a/mm/mmzone.c b/mm/mmzone.c
5080 +index 3cef80f..4596d81 100644
5081 +--- a/mm/mmzone.c
5082 ++++ b/mm/mmzone.c
5083 +@@ -87,7 +87,7 @@ int memmap_valid_within(unsigned long pfn,
5084 + }
5085 + #endif /* CONFIG_ARCH_HAS_HOLES_MEMORYMODEL */
5086 +
5087 +-void lruvec_init(struct lruvec *lruvec, struct zone *zone)
5088 ++void lruvec_init(struct lruvec *lruvec)
5089 + {
5090 + enum lru_list lru;
5091 +
5092 +@@ -95,8 +95,4 @@ void lruvec_init(struct lruvec *lruvec, struct zone *zone)
5093 +
5094 + for_each_lru(lru)
5095 + INIT_LIST_HEAD(&lruvec->lists[lru]);
5096 +-
5097 +-#ifdef CONFIG_MEMCG
5098 +- lruvec->zone = zone;
5099 +-#endif
5100 + }
5101 +diff --git a/mm/page_alloc.c b/mm/page_alloc.c
5102 +index c13ea75..d2d8f54 100644
5103 +--- a/mm/page_alloc.c
5104 ++++ b/mm/page_alloc.c
5105 +@@ -4456,7 +4456,7 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat,
5106 + zone->zone_pgdat = pgdat;
5107 +
5108 + zone_pcp_init(zone);
5109 +- lruvec_init(&zone->lruvec, zone);
5110 ++ lruvec_init(&zone->lruvec);
5111 + if (!size)
5112 + continue;
5113 +
5114 +diff --git a/mm/shmem.c b/mm/shmem.c
5115 +index d2eeca1..31e1506 100644
5116 +--- a/mm/shmem.c
5117 ++++ b/mm/shmem.c
5118 +@@ -654,7 +654,7 @@ static void shmem_evict_inode(struct inode *inode)
5119 + kfree(xattr->name);
5120 + kfree(xattr);
5121 + }
5122 +- BUG_ON(inode->i_blocks);
5123 ++ WARN_ON(inode->i_blocks);
5124 + shmem_free_inode(inode->i_sb);
5125 + clear_inode(inode);
5126 + }
5127 +@@ -1156,8 +1156,20 @@ repeat:
5128 + if (!error) {
5129 + error = shmem_add_to_page_cache(page, mapping, index,
5130 + gfp, swp_to_radix_entry(swap));
5131 +- /* We already confirmed swap, and make no allocation */
5132 +- VM_BUG_ON(error);
5133 ++ /*
5134 ++ * We already confirmed swap under page lock, and make
5135 ++ * no memory allocation here, so usually no possibility
5136 ++ * of error; but free_swap_and_cache() only trylocks a
5137 ++ * page, so it is just possible that the entry has been
5138 ++ * truncated or holepunched since swap was confirmed.
5139 ++ * shmem_undo_range() will have done some of the
5140 ++ * unaccounting, now delete_from_swap_cache() will do
5141 ++ * the rest (including mem_cgroup_uncharge_swapcache).
5142 ++ * Reset swap.val? No, leave it so "failed" goes back to
5143 ++ * "repeat": reading a hole and writing should succeed.
5144 ++ */
5145 ++ if (error)
5146 ++ delete_from_swap_cache(page);
5147 + }
5148 + if (error)
5149 + goto failed;
5150 +diff --git a/mm/vmscan.c b/mm/vmscan.c
5151 +index 99b434b..a018dfc 100644
5152 +--- a/mm/vmscan.c
5153 ++++ b/mm/vmscan.c
5154 +@@ -2953,6 +2953,8 @@ static int kswapd(void *p)
5155 + &balanced_classzone_idx);
5156 + }
5157 + }
5158 ++
5159 ++ current->reclaim_state = NULL;
5160 + return 0;
5161 + }
5162 +
5163 +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
5164 +index eba022d..534250a 100644
5165 +--- a/net/bluetooth/mgmt.c
5166 ++++ b/net/bluetooth/mgmt.c
5167 +@@ -321,7 +321,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
5168 + struct hci_dev *d;
5169 + size_t rp_len;
5170 + u16 count;
5171 +- int i, err;
5172 ++ int err;
5173 +
5174 + BT_DBG("sock %p", sk);
5175 +
5176 +@@ -339,17 +339,18 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
5177 + return -ENOMEM;
5178 + }
5179 +
5180 +- rp->num_controllers = cpu_to_le16(count);
5181 +-
5182 +- i = 0;
5183 ++ count = 0;
5184 + list_for_each_entry(d, &hci_dev_list, list) {
5185 + if (test_bit(HCI_SETUP, &d->dev_flags))
5186 + continue;
5187 +
5188 +- rp->index[i++] = cpu_to_le16(d->id);
5189 ++ rp->index[count++] = cpu_to_le16(d->id);
5190 + BT_DBG("Added hci%u", d->id);
5191 + }
5192 +
5193 ++ rp->num_controllers = cpu_to_le16(count);
5194 ++ rp_len = sizeof(*rp) + (2 * count);
5195 ++
5196 + read_unlock(&hci_dev_list_lock);
5197 +
5198 + err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
5199 +diff --git a/net/core/dev.c b/net/core/dev.c
5200 +index aed87a4..1dce5b5 100644
5201 +--- a/net/core/dev.c
5202 ++++ b/net/core/dev.c
5203 +@@ -2793,8 +2793,10 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
5204 + if (unlikely(tcpu != next_cpu) &&
5205 + (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
5206 + ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
5207 +- rflow->last_qtail)) >= 0))
5208 ++ rflow->last_qtail)) >= 0)) {
5209 ++ tcpu = next_cpu;
5210 + rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
5211 ++ }
5212 +
5213 + if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
5214 + *rflowp = rflow;
5215 +diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
5216 +index c4cc2bc..716f363 100644
5217 +--- a/net/core/dev_addr_lists.c
5218 ++++ b/net/core/dev_addr_lists.c
5219 +@@ -317,7 +317,8 @@ int dev_addr_del(struct net_device *dev, unsigned char *addr,
5220 + */
5221 + ha = list_first_entry(&dev->dev_addrs.list,
5222 + struct netdev_hw_addr, list);
5223 +- if (ha->addr == dev->dev_addr && ha->refcount == 1)
5224 ++ if (!memcmp(ha->addr, addr, dev->addr_len) &&
5225 ++ ha->type == addr_type && ha->refcount == 1)
5226 + return -ENOENT;
5227 +
5228 + err = __hw_addr_del(&dev->dev_addrs, addr, dev->addr_len,
5229 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
5230 +index 5eea4a8..14bbfcf 100644
5231 +--- a/net/ipv4/ip_sockglue.c
5232 ++++ b/net/ipv4/ip_sockglue.c
5233 +@@ -457,19 +457,28 @@ static int do_ip_setsockopt(struct sock *sk, int level,
5234 + struct inet_sock *inet = inet_sk(sk);
5235 + int val = 0, err;
5236 +
5237 +- if (((1<<optname) & ((1<<IP_PKTINFO) | (1<<IP_RECVTTL) |
5238 +- (1<<IP_RECVOPTS) | (1<<IP_RECVTOS) |
5239 +- (1<<IP_RETOPTS) | (1<<IP_TOS) |
5240 +- (1<<IP_TTL) | (1<<IP_HDRINCL) |
5241 +- (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
5242 +- (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
5243 +- (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
5244 +- (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) ||
5245 +- optname == IP_UNICAST_IF ||
5246 +- optname == IP_MULTICAST_TTL ||
5247 +- optname == IP_MULTICAST_ALL ||
5248 +- optname == IP_MULTICAST_LOOP ||
5249 +- optname == IP_RECVORIGDSTADDR) {
5250 ++ switch (optname) {
5251 ++ case IP_PKTINFO:
5252 ++ case IP_RECVTTL:
5253 ++ case IP_RECVOPTS:
5254 ++ case IP_RECVTOS:
5255 ++ case IP_RETOPTS:
5256 ++ case IP_TOS:
5257 ++ case IP_TTL:
5258 ++ case IP_HDRINCL:
5259 ++ case IP_MTU_DISCOVER:
5260 ++ case IP_RECVERR:
5261 ++ case IP_ROUTER_ALERT:
5262 ++ case IP_FREEBIND:
5263 ++ case IP_PASSSEC:
5264 ++ case IP_TRANSPARENT:
5265 ++ case IP_MINTTL:
5266 ++ case IP_NODEFRAG:
5267 ++ case IP_UNICAST_IF:
5268 ++ case IP_MULTICAST_TTL:
5269 ++ case IP_MULTICAST_ALL:
5270 ++ case IP_MULTICAST_LOOP:
5271 ++ case IP_RECVORIGDSTADDR:
5272 + if (optlen >= sizeof(int)) {
5273 + if (get_user(val, (int __user *) optval))
5274 + return -EFAULT;
5275 +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
5276 +index 3511ffb..bf89b21 100644
5277 +--- a/net/ipv4/ip_vti.c
5278 ++++ b/net/ipv4/ip_vti.c
5279 +@@ -341,12 +341,17 @@ static int vti_rcv(struct sk_buff *skb)
5280 + if (tunnel != NULL) {
5281 + struct pcpu_tstats *tstats;
5282 +
5283 ++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
5284 ++ return -1;
5285 ++
5286 + tstats = this_cpu_ptr(tunnel->dev->tstats);
5287 + u64_stats_update_begin(&tstats->syncp);
5288 + tstats->rx_packets++;
5289 + tstats->rx_bytes += skb->len;
5290 + u64_stats_update_end(&tstats->syncp);
5291 +
5292 ++ skb->mark = 0;
5293 ++ secpath_reset(skb);
5294 + skb->dev = tunnel->dev;
5295 + rcu_read_unlock();
5296 + return 1;
5297 +diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
5298 +index 3828a42..da4098f 100644
5299 +--- a/net/ipv4/netfilter/nf_nat_standalone.c
5300 ++++ b/net/ipv4/netfilter/nf_nat_standalone.c
5301 +@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
5302 +
5303 + if ((ct->tuplehash[dir].tuple.src.u3.ip !=
5304 + ct->tuplehash[!dir].tuple.dst.u3.ip) ||
5305 +- (ct->tuplehash[dir].tuple.src.u.all !=
5306 ++ (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
5307 ++ ct->tuplehash[dir].tuple.src.u.all !=
5308 + ct->tuplehash[!dir].tuple.dst.u.all)
5309 + )
5310 + return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
5311 +@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
5312 + ret = NF_DROP;
5313 + }
5314 + #ifdef CONFIG_XFRM
5315 +- else if (ct->tuplehash[dir].tuple.dst.u.all !=
5316 ++ else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
5317 ++ ct->tuplehash[dir].tuple.dst.u.all !=
5318 + ct->tuplehash[!dir].tuple.src.u.all)
5319 + if (ip_xfrm_me_harder(skb))
5320 + ret = NF_DROP;
5321 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
5322 +index 49dd993..b0b39f6 100644
5323 +--- a/net/ipv4/tcp.c
5324 ++++ b/net/ipv4/tcp.c
5325 +@@ -1236,7 +1236,7 @@ new_segment:
5326 + wait_for_sndbuf:
5327 + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
5328 + wait_for_memory:
5329 +- if (copied && likely(!tp->repair))
5330 ++ if (copied)
5331 + tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
5332 +
5333 + if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
5334 +@@ -1247,7 +1247,7 @@ wait_for_memory:
5335 + }
5336 +
5337 + out:
5338 +- if (copied && likely(!tp->repair))
5339 ++ if (copied)
5340 + tcp_push(sk, flags, mss_now, tp->nonagle);
5341 + release_sock(sk);
5342 + return copied + copied_syn;
5343 +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
5344 +index 0abe67b..2efd1a5 100644
5345 +--- a/net/ipv4/tcp_metrics.c
5346 ++++ b/net/ipv4/tcp_metrics.c
5347 +@@ -1,13 +1,13 @@
5348 + #include <linux/rcupdate.h>
5349 + #include <linux/spinlock.h>
5350 + #include <linux/jiffies.h>
5351 +-#include <linux/bootmem.h>
5352 + #include <linux/module.h>
5353 + #include <linux/cache.h>
5354 + #include <linux/slab.h>
5355 + #include <linux/init.h>
5356 + #include <linux/tcp.h>
5357 + #include <linux/hash.h>
5358 ++#include <linux/vmalloc.h>
5359 +
5360 + #include <net/inet_connection_sock.h>
5361 + #include <net/net_namespace.h>
5362 +@@ -722,7 +722,10 @@ static int __net_init tcp_net_metrics_init(struct net *net)
5363 + net->ipv4.tcp_metrics_hash_log = order_base_2(slots);
5364 + size = sizeof(struct tcpm_hash_bucket) << net->ipv4.tcp_metrics_hash_log;
5365 +
5366 +- net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL);
5367 ++ net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
5368 ++ if (!net->ipv4.tcp_metrics_hash)
5369 ++ net->ipv4.tcp_metrics_hash = vzalloc(size);
5370 ++
5371 + if (!net->ipv4.tcp_metrics_hash)
5372 + return -ENOMEM;
5373 +
5374 +@@ -743,7 +746,10 @@ static void __net_exit tcp_net_metrics_exit(struct net *net)
5375 + tm = next;
5376 + }
5377 + }
5378 +- kfree(net->ipv4.tcp_metrics_hash);
5379 ++ if (is_vmalloc_addr(net->ipv4.tcp_metrics_hash))
5380 ++ vfree(net->ipv4.tcp_metrics_hash);
5381 ++ else
5382 ++ kfree(net->ipv4.tcp_metrics_hash);
5383 + }
5384 +
5385 + static __net_initdata struct pernet_operations tcp_net_metrics_ops = {
5386 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
5387 +index d046326..6735bea 100644
5388 +--- a/net/ipv4/tcp_output.c
5389 ++++ b/net/ipv4/tcp_output.c
5390 +@@ -1977,6 +1977,9 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
5391 + tso_segs = tcp_init_tso_segs(sk, skb, mss_now);
5392 + BUG_ON(!tso_segs);
5393 +
5394 ++ if (unlikely(tp->repair) && tp->repair_queue == TCP_SEND_QUEUE)
5395 ++ goto repair; /* Skip network transmission */
5396 ++
5397 + cwnd_quota = tcp_cwnd_test(tp, skb);
5398 + if (!cwnd_quota)
5399 + break;
5400 +@@ -2017,6 +2020,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
5401 + if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp)))
5402 + break;
5403 +
5404 ++repair:
5405 + /* Advance the send_head. This one is sent out.
5406 + * This call will increment packets_out.
5407 + */
5408 +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
5409 +index ba6d13d..e02faed 100644
5410 +--- a/net/ipv6/ipv6_sockglue.c
5411 ++++ b/net/ipv6/ipv6_sockglue.c
5412 +@@ -827,6 +827,7 @@ pref_skip_coa:
5413 + if (val < 0 || val > 255)
5414 + goto e_inval;
5415 + np->min_hopcount = val;
5416 ++ retv = 0;
5417 + break;
5418 + case IPV6_DONTFRAG:
5419 + np->dontfrag = valbool;
5420 +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
5421 +index bb61f77..642a2a3 100644
5422 +--- a/net/mac80211/ieee80211_i.h
5423 ++++ b/net/mac80211/ieee80211_i.h
5424 +@@ -1304,6 +1304,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
5425 + struct net_device *dev);
5426 + netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
5427 + struct net_device *dev);
5428 ++void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
5429 ++ struct sk_buff_head *skbs);
5430 +
5431 + /* HT */
5432 + void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,
5433 +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
5434 +index 63882b9..31aa8b8 100644
5435 +--- a/net/mac80211/sta_info.c
5436 ++++ b/net/mac80211/sta_info.c
5437 +@@ -730,8 +730,8 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
5438 +
5439 + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
5440 + local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
5441 +- __skb_queue_purge(&sta->ps_tx_buf[ac]);
5442 +- __skb_queue_purge(&sta->tx_filtered[ac]);
5443 ++ ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
5444 ++ ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
5445 + }
5446 +
5447 + #ifdef CONFIG_MAC80211_MESH
5448 +@@ -765,7 +765,7 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
5449 + tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
5450 + if (!tid_tx)
5451 + continue;
5452 +- __skb_queue_purge(&tid_tx->pending);
5453 ++ ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
5454 + kfree(tid_tx);
5455 + }
5456 +
5457 +@@ -948,6 +948,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
5458 + struct ieee80211_local *local = sdata->local;
5459 + struct sk_buff_head pending;
5460 + int filtered = 0, buffered = 0, ac;
5461 ++ unsigned long flags;
5462 +
5463 + clear_sta_flag(sta, WLAN_STA_SP);
5464 +
5465 +@@ -963,12 +964,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
5466 + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
5467 + int count = skb_queue_len(&pending), tmp;
5468 +
5469 ++ spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
5470 + skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
5471 ++ spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
5472 + tmp = skb_queue_len(&pending);
5473 + filtered += tmp - count;
5474 + count = tmp;
5475 +
5476 ++ spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
5477 + skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
5478 ++ spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
5479 + tmp = skb_queue_len(&pending);
5480 + buffered += tmp - count;
5481 + }
5482 +diff --git a/net/mac80211/status.c b/net/mac80211/status.c
5483 +index 118329a..14e1b83 100644
5484 +--- a/net/mac80211/status.c
5485 ++++ b/net/mac80211/status.c
5486 +@@ -648,3 +648,12 @@ void ieee80211_free_txskb(struct ieee80211_hw *hw, struct sk_buff *skb)
5487 + dev_kfree_skb_any(skb);
5488 + }
5489 + EXPORT_SYMBOL(ieee80211_free_txskb);
5490 ++
5491 ++void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
5492 ++ struct sk_buff_head *skbs)
5493 ++{
5494 ++ struct sk_buff *skb;
5495 ++
5496 ++ while ((skb = __skb_dequeue(skbs)))
5497 ++ ieee80211_free_txskb(hw, skb);
5498 ++}
5499 +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
5500 +index 362c418..8133fed 100644
5501 +--- a/net/mac80211/tx.c
5502 ++++ b/net/mac80211/tx.c
5503 +@@ -1358,7 +1358,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
5504 + if (tx->skb)
5505 + ieee80211_free_txskb(&tx->local->hw, tx->skb);
5506 + else
5507 +- __skb_queue_purge(&tx->skbs);
5508 ++ ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
5509 + return -1;
5510 + } else if (unlikely(res == TX_QUEUED)) {
5511 + I802_DEBUG_INC(tx->local->tx_handlers_queued);
5512 +@@ -2132,10 +2132,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
5513 + */
5514 + void ieee80211_clear_tx_pending(struct ieee80211_local *local)
5515 + {
5516 ++ struct sk_buff *skb;
5517 + int i;
5518 +
5519 +- for (i = 0; i < local->hw.queues; i++)
5520 +- skb_queue_purge(&local->pending[i]);
5521 ++ for (i = 0; i < local->hw.queues; i++) {
5522 ++ while ((skb = skb_dequeue(&local->pending[i])) != NULL)
5523 ++ ieee80211_free_txskb(&local->hw, skb);
5524 ++ }
5525 + }
5526 +
5527 + /*
5528 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c
5529 +index 1cfe6d5..7883449 100644
5530 +--- a/net/mac80211/util.c
5531 ++++ b/net/mac80211/util.c
5532 +@@ -1434,6 +1434,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
5533 + list_for_each_entry(sdata, &local->interfaces, list) {
5534 + if (sdata->vif.type != NL80211_IFTYPE_STATION)
5535 + continue;
5536 ++ if (!sdata->u.mgd.associated)
5537 ++ continue;
5538 +
5539 + ieee80211_send_nullfunc(local, sdata, 0);
5540 + }
5541 +diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
5542 +index 4283b20..02f65bc 100644
5543 +--- a/net/netfilter/nf_conntrack_h323_main.c
5544 ++++ b/net/netfilter/nf_conntrack_h323_main.c
5545 +@@ -733,7 +733,8 @@ static int callforward_do_filter(const union nf_inet_addr *src,
5546 + flowi4_to_flowi(&fl1), false)) {
5547 + if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
5548 + flowi4_to_flowi(&fl2), false)) {
5549 +- if (rt1->rt_gateway == rt2->rt_gateway &&
5550 ++ if (rt_nexthop(rt1, fl1.daddr) ==
5551 ++ rt_nexthop(rt2, fl2.daddr) &&
5552 + rt1->dst.dev == rt2->dst.dev)
5553 + ret = 1;
5554 + dst_release(&rt2->dst);
5555 +diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
5556 +index ee2e5bc..bd93e51 100644
5557 +--- a/net/netfilter/xt_TEE.c
5558 ++++ b/net/netfilter/xt_TEE.c
5559 +@@ -70,6 +70,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
5560 + fl4.daddr = info->gw.ip;
5561 + fl4.flowi4_tos = RT_TOS(iph->tos);
5562 + fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
5563 ++ fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
5564 + rt = ip_route_output_key(net, &fl4);
5565 + if (IS_ERR(rt))
5566 + return false;
5567 +diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
5568 +index 82f0f75..7dd983a 100644
5569 +--- a/net/nfc/llcp/llcp.c
5570 ++++ b/net/nfc/llcp/llcp.c
5571 +@@ -1182,8 +1182,8 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
5572 + goto err_rx_wq;
5573 + }
5574 +
5575 +- local->sockets.lock = __RW_LOCK_UNLOCKED(local->sockets.lock);
5576 +- local->connecting_sockets.lock = __RW_LOCK_UNLOCKED(local->connecting_sockets.lock);
5577 ++ rwlock_init(&local->sockets.lock);
5578 ++ rwlock_init(&local->connecting_sockets.lock);
5579 +
5580 + nfc_llcp_build_gb(local);
5581 +
5582 +diff --git a/net/wireless/reg.c b/net/wireless/reg.c
5583 +index 72d170c..3062b88 100644
5584 +--- a/net/wireless/reg.c
5585 ++++ b/net/wireless/reg.c
5586 +@@ -141,9 +141,8 @@ static const struct ieee80211_regdomain world_regdom = {
5587 + .reg_rules = {
5588 + /* IEEE 802.11b/g, channels 1..11 */
5589 + REG_RULE(2412-10, 2462+10, 40, 6, 20, 0),
5590 +- /* IEEE 802.11b/g, channels 12..13. No HT40
5591 +- * channel fits here. */
5592 +- REG_RULE(2467-10, 2472+10, 20, 6, 20,
5593 ++ /* IEEE 802.11b/g, channels 12..13. */
5594 ++ REG_RULE(2467-10, 2472+10, 40, 6, 20,
5595 + NL80211_RRF_PASSIVE_SCAN |
5596 + NL80211_RRF_NO_IBSS),
5597 + /* IEEE 802.11 channel 14 - Only JP enables
5598 +diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
5599 +index 28f911c..c5454c0 100644
5600 +--- a/security/selinux/netnode.c
5601 ++++ b/security/selinux/netnode.c
5602 +@@ -174,7 +174,8 @@ static void sel_netnode_insert(struct sel_netnode *node)
5603 + if (sel_netnode_hash[idx].size == SEL_NETNODE_HASH_BKT_LIMIT) {
5604 + struct sel_netnode *tail;
5605 + tail = list_entry(
5606 +- rcu_dereference(sel_netnode_hash[idx].list.prev),
5607 ++ rcu_dereference_protected(sel_netnode_hash[idx].list.prev,
5608 ++ lockdep_is_held(&sel_netnode_lock)),
5609 + struct sel_netnode, list);
5610 + list_del_rcu(&tail->list);
5611 + kfree_rcu(tail, rcu);
5612 +diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c
5613 +index 0208fa1..b2cd011 100644
5614 +--- a/sound/pci/hda/patch_analog.c
5615 ++++ b/sound/pci/hda/patch_analog.c
5616 +@@ -545,6 +545,7 @@ static int ad198x_build_pcms(struct hda_codec *codec)
5617 + if (spec->multiout.dig_out_nid) {
5618 + info++;
5619 + codec->num_pcms++;
5620 ++ codec->spdif_status_reset = 1;
5621 + info->name = "AD198x Digital";
5622 + info->pcm_type = HDA_PCM_TYPE_SPDIF;
5623 + info->stream[SNDRV_PCM_STREAM_PLAYBACK] = ad198x_pcm_digital_playback;
5624 +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
5625 +index cc31346..2bb9bee 100644
5626 +--- a/sound/pci/hda/patch_cirrus.c
5627 ++++ b/sound/pci/hda/patch_cirrus.c
5628 +@@ -96,8 +96,8 @@ enum {
5629 + #define CS420X_VENDOR_NID 0x11
5630 + #define CS_DIG_OUT1_PIN_NID 0x10
5631 + #define CS_DIG_OUT2_PIN_NID 0x15
5632 +-#define CS_DMIC1_PIN_NID 0x12
5633 +-#define CS_DMIC2_PIN_NID 0x0e
5634 ++#define CS_DMIC1_PIN_NID 0x0e
5635 ++#define CS_DMIC2_PIN_NID 0x12
5636 +
5637 + /* coef indices */
5638 + #define IDX_SPDIF_STAT 0x0000
5639 +@@ -1074,14 +1074,18 @@ static void init_input(struct hda_codec *codec)
5640 + cs_automic(codec);
5641 +
5642 + coef = 0x000a; /* ADC1/2 - Digital and Analog Soft Ramp */
5643 ++ cs_vendor_coef_set(codec, IDX_ADC_CFG, coef);
5644 ++
5645 ++ coef = cs_vendor_coef_get(codec, IDX_BEEP_CFG);
5646 + if (is_active_pin(codec, CS_DMIC2_PIN_NID))
5647 +- coef |= 0x0500; /* DMIC2 2 chan on, GPIO1 off */
5648 ++ coef |= 1 << 4; /* DMIC2 2 chan on, GPIO1 off */
5649 + if (is_active_pin(codec, CS_DMIC1_PIN_NID))
5650 +- coef |= 0x1800; /* DMIC1 2 chan on, GPIO0 off
5651 ++ coef |= 1 << 3; /* DMIC1 2 chan on, GPIO0 off
5652 + * No effect if SPDIF_OUT2 is
5653 + * selected in IDX_SPDIF_CTL.
5654 + */
5655 +- cs_vendor_coef_set(codec, IDX_ADC_CFG, coef);
5656 ++
5657 ++ cs_vendor_coef_set(codec, IDX_BEEP_CFG, coef);
5658 + } else {
5659 + if (spec->mic_detect)
5660 + cs_automic(codec);
5661 +@@ -1102,7 +1106,7 @@ static const struct hda_verb cs_coef_init_verbs[] = {
5662 + | 0x0400 /* Disable Coefficient Auto increment */
5663 + )},
5664 + /* Beep */
5665 +- {0x11, AC_VERB_SET_COEF_INDEX, IDX_DAC_CFG},
5666 ++ {0x11, AC_VERB_SET_COEF_INDEX, IDX_BEEP_CFG},
5667 + {0x11, AC_VERB_SET_PROC_COEF, 0x0007}, /* Enable Beep thru DAC1/2/3 */
5668 +
5669 + {} /* terminator */
5670 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
5671 +index 70ce60f..f6b5995 100644
5672 +--- a/sound/pci/hda/patch_realtek.c
5673 ++++ b/sound/pci/hda/patch_realtek.c
5674 +@@ -5434,6 +5434,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
5675 + SND_PCI_QUIRK(0x106b, 0x4000, "MacbookPro 5,1", ALC889_FIXUP_IMAC91_VREF),
5676 + SND_PCI_QUIRK(0x106b, 0x4100, "Macmini 3,1", ALC889_FIXUP_IMAC91_VREF),
5677 + SND_PCI_QUIRK(0x106b, 0x4200, "Mac Pro 5,1", ALC885_FIXUP_MACPRO_GPIO),
5678 ++ SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF),
5679 + SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF),
5680 + SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF),
5681 + SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_IMAC91_VREF),
5682 +@@ -5867,7 +5868,7 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
5683 + return alc_parse_auto_config(codec, alc269_ignore, ssids);
5684 + }
5685 +
5686 +-static void alc269_toggle_power_output(struct hda_codec *codec, int power_up)
5687 ++static void alc269vb_toggle_power_output(struct hda_codec *codec, int power_up)
5688 + {
5689 + int val = alc_read_coef_idx(codec, 0x04);
5690 + if (power_up)
5691 +@@ -5884,10 +5885,10 @@ static void alc269_shutup(struct hda_codec *codec)
5692 + if (spec->codec_variant != ALC269_TYPE_ALC269VB)
5693 + return;
5694 +
5695 +- if ((alc_get_coef0(codec) & 0x00ff) == 0x017)
5696 +- alc269_toggle_power_output(codec, 0);
5697 +- if ((alc_get_coef0(codec) & 0x00ff) == 0x018) {
5698 +- alc269_toggle_power_output(codec, 0);
5699 ++ if (spec->codec_variant == ALC269_TYPE_ALC269VB)
5700 ++ alc269vb_toggle_power_output(codec, 0);
5701 ++ if (spec->codec_variant == ALC269_TYPE_ALC269VB &&
5702 ++ (alc_get_coef0(codec) & 0x00ff) == 0x018) {
5703 + msleep(150);
5704 + }
5705 + }
5706 +@@ -5897,24 +5898,22 @@ static int alc269_resume(struct hda_codec *codec)
5707 + {
5708 + struct alc_spec *spec = codec->spec;
5709 +
5710 +- if (spec->codec_variant == ALC269_TYPE_ALC269VB ||
5711 ++ if (spec->codec_variant == ALC269_TYPE_ALC269VB)
5712 ++ alc269vb_toggle_power_output(codec, 0);
5713 ++ if (spec->codec_variant == ALC269_TYPE_ALC269VB &&
5714 + (alc_get_coef0(codec) & 0x00ff) == 0x018) {
5715 +- alc269_toggle_power_output(codec, 0);
5716 + msleep(150);
5717 + }
5718 +
5719 + codec->patch_ops.init(codec);
5720 +
5721 +- if (spec->codec_variant == ALC269_TYPE_ALC269VB ||
5722 ++ if (spec->codec_variant == ALC269_TYPE_ALC269VB)
5723 ++ alc269vb_toggle_power_output(codec, 1);
5724 ++ if (spec->codec_variant == ALC269_TYPE_ALC269VB &&
5725 + (alc_get_coef0(codec) & 0x00ff) == 0x017) {
5726 +- alc269_toggle_power_output(codec, 1);
5727 + msleep(200);
5728 + }
5729 +
5730 +- if (spec->codec_variant == ALC269_TYPE_ALC269VB ||
5731 +- (alc_get_coef0(codec) & 0x00ff) == 0x018)
5732 +- alc269_toggle_power_output(codec, 1);
5733 +-
5734 + snd_hda_codec_resume_amp(codec);
5735 + snd_hda_codec_resume_cache(codec);
5736 + hda_call_check_power_status(codec, 0x01);
5737 +@@ -7103,6 +7102,7 @@ static const struct hda_codec_preset snd_hda_preset_realtek[] = {
5738 + .patch = patch_alc662 },
5739 + { .id = 0x10ec0663, .name = "ALC663", .patch = patch_alc662 },
5740 + { .id = 0x10ec0665, .name = "ALC665", .patch = patch_alc662 },
5741 ++ { .id = 0x10ec0668, .name = "ALC668", .patch = patch_alc662 },
5742 + { .id = 0x10ec0670, .name = "ALC670", .patch = patch_alc662 },
5743 + { .id = 0x10ec0680, .name = "ALC680", .patch = patch_alc680 },
5744 + { .id = 0x10ec0880, .name = "ALC880", .patch = patch_alc880 },
5745 +@@ -7120,6 +7120,7 @@ static const struct hda_codec_preset snd_hda_preset_realtek[] = {
5746 + { .id = 0x10ec0889, .name = "ALC889", .patch = patch_alc882 },
5747 + { .id = 0x10ec0892, .name = "ALC892", .patch = patch_alc662 },
5748 + { .id = 0x10ec0899, .name = "ALC898", .patch = patch_alc882 },
5749 ++ { .id = 0x10ec0900, .name = "ALC1150", .patch = patch_alc882 },
5750 + {} /* terminator */
5751 + };
5752 +
5753 +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
5754 +index 4c404a0..66cd4f0 100644
5755 +--- a/sound/pci/hda/patch_via.c
5756 ++++ b/sound/pci/hda/patch_via.c
5757 +@@ -1875,11 +1875,11 @@ static int via_auto_fill_dac_nids(struct hda_codec *codec)
5758 + {
5759 + struct via_spec *spec = codec->spec;
5760 + const struct auto_pin_cfg *cfg = &spec->autocfg;
5761 +- int i, dac_num;
5762 ++ int i;
5763 + hda_nid_t nid;
5764 +
5765 ++ spec->multiout.num_dacs = 0;
5766 + spec->multiout.dac_nids = spec->private_dac_nids;
5767 +- dac_num = 0;
5768 + for (i = 0; i < cfg->line_outs; i++) {
5769 + hda_nid_t dac = 0;
5770 + nid = cfg->line_out_pins[i];
5771 +@@ -1890,16 +1890,13 @@ static int via_auto_fill_dac_nids(struct hda_codec *codec)
5772 + if (!i && parse_output_path(codec, nid, dac, 1,
5773 + &spec->out_mix_path))
5774 + dac = spec->out_mix_path.path[0];
5775 +- if (dac) {
5776 +- spec->private_dac_nids[i] = dac;
5777 +- dac_num++;
5778 +- }
5779 ++ if (dac)
5780 ++ spec->private_dac_nids[spec->multiout.num_dacs++] = dac;
5781 + }
5782 + if (!spec->out_path[0].depth && spec->out_mix_path.depth) {
5783 + spec->out_path[0] = spec->out_mix_path;
5784 + spec->out_mix_path.depth = 0;
5785 + }
5786 +- spec->multiout.num_dacs = dac_num;
5787 + return 0;
5788 + }
5789 +
5790 +@@ -3700,6 +3697,18 @@ static const struct snd_pci_quirk vt2002p_fixups[] = {
5791 + {}
5792 + };
5793 +
5794 ++/* NIDs 0x24 and 0x33 on VT1802 have connections to non-existing NID 0x3e
5795 ++ * Replace this with mixer NID 0x1c
5796 ++ */
5797 ++static void fix_vt1802_connections(struct hda_codec *codec)
5798 ++{
5799 ++ static hda_nid_t conn_24[] = { 0x14, 0x1c };
5800 ++ static hda_nid_t conn_33[] = { 0x1c };
5801 ++
5802 ++ snd_hda_override_conn_list(codec, 0x24, ARRAY_SIZE(conn_24), conn_24);
5803 ++ snd_hda_override_conn_list(codec, 0x33, ARRAY_SIZE(conn_33), conn_33);
5804 ++}
5805 ++
5806 + /* patch for vt2002P */
5807 + static int patch_vt2002P(struct hda_codec *codec)
5808 + {
5809 +@@ -3714,6 +3723,8 @@ static int patch_vt2002P(struct hda_codec *codec)
5810 + spec->aa_mix_nid = 0x21;
5811 + override_mic_boost(codec, 0x2b, 0, 3, 40);
5812 + override_mic_boost(codec, 0x29, 0, 3, 40);
5813 ++ if (spec->codec_type == VT1802)
5814 ++ fix_vt1802_connections(codec);
5815 + add_secret_dac_path(codec);
5816 +
5817 + snd_hda_pick_fixup(codec, NULL, vt2002p_fixups, via_fixups);
5818 +diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c
5819 +index 628daf6..d8cfcc7 100644
5820 +--- a/sound/soc/codecs/cs42l52.c
5821 ++++ b/sound/soc/codecs/cs42l52.c
5822 +@@ -774,7 +774,6 @@ static int cs42l52_set_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
5823 + {
5824 + struct snd_soc_codec *codec = codec_dai->codec;
5825 + struct cs42l52_private *cs42l52 = snd_soc_codec_get_drvdata(codec);
5826 +- int ret = 0;
5827 + u8 iface = 0;
5828 +
5829 + switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
5830 +@@ -823,7 +822,7 @@ static int cs42l52_set_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
5831 + case SND_SOC_DAIFMT_NB_IF:
5832 + break;
5833 + default:
5834 +- ret = -EINVAL;
5835 ++ return -EINVAL;
5836 + }
5837 + cs42l52->config.format = iface;
5838 + snd_soc_write(codec, CS42L52_IFACE_CTL1, cs42l52->config.format);
5839 +diff --git a/sound/soc/codecs/wm8978.c b/sound/soc/codecs/wm8978.c
5840 +index a5be3ad..2f46d66 100644
5841 +--- a/sound/soc/codecs/wm8978.c
5842 ++++ b/sound/soc/codecs/wm8978.c
5843 +@@ -782,7 +782,7 @@ static int wm8978_hw_params(struct snd_pcm_substream *substream,
5844 + wm8978->mclk_idx = -1;
5845 + f_sel = wm8978->f_mclk;
5846 + } else {
5847 +- if (!wm8978->f_pllout) {
5848 ++ if (!wm8978->f_opclk) {
5849 + /* We only enter here, if OPCLK is not used */
5850 + int ret = wm8978_configure_pll(codec);
5851 + if (ret < 0)
5852 +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
5853 +index c501af6..8bf05d7 100644
5854 +--- a/sound/soc/soc-core.c
5855 ++++ b/sound/soc/soc-core.c
5856 +@@ -2776,8 +2776,9 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
5857 + val = (ucontrol->value.integer.value[0] + min) & mask;
5858 + val = val << shift;
5859 +
5860 +- if (snd_soc_update_bits_locked(codec, reg, val_mask, val))
5861 +- return err;
5862 ++ err = snd_soc_update_bits_locked(codec, reg, val_mask, val);
5863 ++ if (err < 0)
5864 ++ return err;
5865 +
5866 + if (snd_soc_volsw_is_stereo(mc)) {
5867 + val_mask = mask << rshift;
5868 +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
5869 +index f90139b..c4a08a2 100644
5870 +--- a/sound/soc/soc-dapm.c
5871 ++++ b/sound/soc/soc-dapm.c
5872 +@@ -3710,7 +3710,7 @@ void snd_soc_dapm_shutdown(struct snd_soc_card *card)
5873 + {
5874 + struct snd_soc_codec *codec;
5875 +
5876 +- list_for_each_entry(codec, &card->codec_dev_list, list) {
5877 ++ list_for_each_entry(codec, &card->codec_dev_list, card_list) {
5878 + soc_dapm_shutdown_codec(&codec->dapm);
5879 + if (codec->dapm.bias_level == SND_SOC_BIAS_STANDBY)
5880 + snd_soc_dapm_set_bias_level(&codec->dapm,
5881 +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
5882 +index d9de667..eafc889 100644
5883 +--- a/sound/usb/endpoint.c
5884 ++++ b/sound/usb/endpoint.c
5885 +@@ -35,6 +35,7 @@
5886 +
5887 + #define EP_FLAG_ACTIVATED 0
5888 + #define EP_FLAG_RUNNING 1
5889 ++#define EP_FLAG_STOPPING 2
5890 +
5891 + /*
5892 + * snd_usb_endpoint is a model that abstracts everything related to an
5893 +@@ -502,10 +503,20 @@ static int wait_clear_urbs(struct snd_usb_endpoint *ep)
5894 + if (alive)
5895 + snd_printk(KERN_ERR "timeout: still %d active urbs on EP #%x\n",
5896 + alive, ep->ep_num);
5897 ++ clear_bit(EP_FLAG_STOPPING, &ep->flags);
5898 +
5899 + return 0;
5900 + }
5901 +
5902 ++/* sync the pending stop operation;
5903 ++ * this function itself doesn't trigger the stop operation
5904 ++ */
5905 ++void snd_usb_endpoint_sync_pending_stop(struct snd_usb_endpoint *ep)
5906 ++{
5907 ++ if (ep && test_bit(EP_FLAG_STOPPING, &ep->flags))
5908 ++ wait_clear_urbs(ep);
5909 ++}
5910 ++
5911 + /*
5912 + * unlink active urbs.
5913 + */
5914 +@@ -913,6 +924,8 @@ void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep,
5915 +
5916 + if (wait)
5917 + wait_clear_urbs(ep);
5918 ++ else
5919 ++ set_bit(EP_FLAG_STOPPING, &ep->flags);
5920 + }
5921 + }
5922 +
5923 +diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h
5924 +index cbbbdf2..774a0eb 100644
5925 +--- a/sound/usb/endpoint.h
5926 ++++ b/sound/usb/endpoint.h
5927 +@@ -16,6 +16,7 @@ int snd_usb_endpoint_set_params(struct snd_usb_endpoint *ep,
5928 + int snd_usb_endpoint_start(struct snd_usb_endpoint *ep, int can_sleep);
5929 + void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep,
5930 + int force, int can_sleep, int wait);
5931 ++void snd_usb_endpoint_sync_pending_stop(struct snd_usb_endpoint *ep);
5932 + int snd_usb_endpoint_activate(struct snd_usb_endpoint *ep);
5933 + int snd_usb_endpoint_deactivate(struct snd_usb_endpoint *ep);
5934 + void snd_usb_endpoint_free(struct list_head *head);
5935 +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
5936 +index ee3c15c..90731af 100644
5937 +--- a/sound/usb/pcm.c
5938 ++++ b/sound/usb/pcm.c
5939 +@@ -563,6 +563,9 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
5940 + goto unlock;
5941 + }
5942 +
5943 ++ snd_usb_endpoint_sync_pending_stop(subs->sync_endpoint);
5944 ++ snd_usb_endpoint_sync_pending_stop(subs->data_endpoint);
5945 ++
5946 + /* some unit conversions in runtime */
5947 + subs->data_endpoint->maxframesize =
5948 + bytes_to_frames(runtime, subs->data_endpoint->maxpacksize);
Report Message
Find on MARC Find on Google Groups