Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.4 commit in: /
Date: Tue, 01 Nov 2016 11:58:08
Message-Id: 1478001426.faca600326e872a08745525a8c3dd15f0fbdc517.mpagano@gentoo
1 commit: faca600326e872a08745525a8c3dd15f0fbdc517
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Nov 1 11:57:06 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Nov 1 11:57:06 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=faca6003
7
8 Linux patch 3.4.113
9
10 0000_README | 4 +
11 1112_linux-3.4.113.patch | 4341 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 4345 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 2dee9b4..6a446df 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -487,6 +487,10 @@ Patch: 1111_linux-3.4.112.patch
19 From: http://www.kernel.org
20 Desc: Linux 3.4.112
21
22 +Patch: 1112_linux-3.4.113.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 3.4.113
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1112_linux-3.4.113.patch b/1112_linux-3.4.113.patch
31 new file mode 100644
32 index 0000000..938581a
33 --- /dev/null
34 +++ b/1112_linux-3.4.113.patch
35 @@ -0,0 +1,4341 @@
36 +diff --git a/Makefile b/Makefile
37 +index c63e1836d738..564196d5d89a 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 3
42 + PATCHLEVEL = 4
43 +-SUBLEVEL = 112
44 ++SUBLEVEL = 113
45 + EXTRAVERSION =
46 + NAME = Saber-toothed Squirrel
47 +
48 +diff --git a/arch/arm/mach-pxa/include/mach/pxa27x.h b/arch/arm/mach-pxa/include/mach/pxa27x.h
49 +index 7cff640582b8..66c4cbfc7f36 100644
50 +--- a/arch/arm/mach-pxa/include/mach/pxa27x.h
51 ++++ b/arch/arm/mach-pxa/include/mach/pxa27x.h
52 +@@ -21,7 +21,7 @@
53 +
54 + extern void __init pxa27x_map_io(void);
55 + extern void __init pxa27x_init_irq(void);
56 +-extern int __init pxa27x_set_pwrmode(unsigned int mode);
57 ++extern int pxa27x_set_pwrmode(unsigned int mode);
58 + extern void pxa27x_cpu_pm_enter(suspend_state_t state);
59 +
60 + #define pxa27x_handle_irq ichp_handle_irq
61 +diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c
62 +index a2fe795bae14..f7c997822cff 100644
63 +--- a/arch/arm/mach-pxa/pxa27x.c
64 ++++ b/arch/arm/mach-pxa/pxa27x.c
65 +@@ -242,7 +242,7 @@ static struct clk_lookup pxa27x_clkregs[] = {
66 + */
67 + static unsigned int pwrmode = PWRMODE_SLEEP;
68 +
69 +-int __init pxa27x_set_pwrmode(unsigned int mode)
70 ++int pxa27x_set_pwrmode(unsigned int mode)
71 + {
72 + switch (mode) {
73 + case PWRMODE_SLEEP:
74 +diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S
75 +index fb489cc56713..74c3e53092e7 100644
76 +--- a/arch/arm/mm/proc-v7.S
77 ++++ b/arch/arm/mm/proc-v7.S
78 +@@ -94,7 +94,7 @@ ENDPROC(cpu_v7_dcache_clean_area)
79 + .equ cpu_v7_suspend_size, 4 * 8
80 + #ifdef CONFIG_ARM_CPU_SUSPEND
81 + ENTRY(cpu_v7_do_suspend)
82 +- stmfd sp!, {r4 - r10, lr}
83 ++ stmfd sp!, {r4 - r11, lr}
84 + mrc p15, 0, r4, c13, c0, 0 @ FCSE/PID
85 + mrc p15, 0, r5, c13, c0, 3 @ User r/o thread ID
86 + stmia r0!, {r4 - r5}
87 +@@ -105,7 +105,7 @@ ENTRY(cpu_v7_do_suspend)
88 + mrc p15, 0, r9, c1, c0, 1 @ Auxiliary control register
89 + mrc p15, 0, r10, c1, c0, 2 @ Co-processor access control
90 + stmia r0, {r6 - r11}
91 +- ldmfd sp!, {r4 - r10, pc}
92 ++ ldmfd sp!, {r4 - r11, pc}
93 + ENDPROC(cpu_v7_do_suspend)
94 +
95 + ENTRY(cpu_v7_do_resume)
96 +diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
97 +index 3f4c5cb6433e..939a6b76810b 100644
98 +--- a/arch/mips/include/asm/atomic.h
99 ++++ b/arch/mips/include/asm/atomic.h
100 +@@ -679,7 +679,7 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
101 + * @u: ...unless v is equal to u.
102 + *
103 + * Atomically adds @a to @v, so long as it was not @u.
104 +- * Returns the old value of @v.
105 ++ * Returns true iff @v was not @u.
106 + */
107 + static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
108 + {
109 +diff --git a/arch/parisc/kernel/signal.c b/arch/parisc/kernel/signal.c
110 +index 12c1ed33dc18..c6268551b910 100644
111 +--- a/arch/parisc/kernel/signal.c
112 ++++ b/arch/parisc/kernel/signal.c
113 +@@ -468,6 +468,55 @@ handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka,
114 + return 1;
115 + }
116 +
117 ++/*
118 ++ * Check how the syscall number gets loaded into %r20 within
119 ++ * the delay branch in userspace and adjust as needed.
120 ++ */
121 ++
122 ++static void check_syscallno_in_delay_branch(struct pt_regs *regs)
123 ++{
124 ++ u32 opcode, source_reg;
125 ++ u32 __user *uaddr;
126 ++ int err;
127 ++
128 ++ /* Usually we don't have to restore %r20 (the system call number)
129 ++ * because it gets loaded in the delay slot of the branch external
130 ++ * instruction via the ldi instruction.
131 ++ * In some cases a register-to-register copy instruction might have
132 ++ * been used instead, in which case we need to copy the syscall
133 ++ * number into the source register before returning to userspace.
134 ++ */
135 ++
136 ++ /* A syscall is just a branch, so all we have to do is fiddle the
137 ++ * return pointer so that the ble instruction gets executed again.
138 ++ */
139 ++ regs->gr[31] -= 8; /* delayed branching */
140 ++
141 ++ /* Get assembler opcode of code in delay branch */
142 ++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4);
143 ++ err = get_user(opcode, uaddr);
144 ++ if (err)
145 ++ return;
146 ++
147 ++ /* Check if delay branch uses "ldi int,%r20" */
148 ++ if ((opcode & 0xffff0000) == 0x34140000)
149 ++ return; /* everything ok, just return */
150 ++
151 ++ /* Check if delay branch uses "nop" */
152 ++ if (opcode == INSN_NOP)
153 ++ return;
154 ++
155 ++ /* Check if delay branch uses "copy %rX,%r20" */
156 ++ if ((opcode & 0xffe0ffff) == 0x08000254) {
157 ++ source_reg = (opcode >> 16) & 31;
158 ++ regs->gr[source_reg] = regs->gr[20];
159 ++ return;
160 ++ }
161 ++
162 ++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n",
163 ++ current->comm, task_pid_nr(current), opcode);
164 ++}
165 ++
166 + static inline void
167 + syscall_restart(struct pt_regs *regs, struct k_sigaction *ka)
168 + {
169 +@@ -489,10 +538,7 @@ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka)
170 + }
171 + /* fallthrough */
172 + case -ERESTARTNOINTR:
173 +- /* A syscall is just a branch, so all
174 +- * we have to do is fiddle the return pointer.
175 +- */
176 +- regs->gr[31] -= 8; /* delayed branching */
177 ++ check_syscallno_in_delay_branch(regs);
178 + /* Preserve original r28. */
179 + regs->gr[28] = regs->orig_r28;
180 + break;
181 +@@ -543,18 +589,9 @@ insert_restart_trampoline(struct pt_regs *regs)
182 + }
183 + case -ERESTARTNOHAND:
184 + case -ERESTARTSYS:
185 +- case -ERESTARTNOINTR: {
186 +- /* Hooray for delayed branching. We don't
187 +- * have to restore %r20 (the system call
188 +- * number) because it gets loaded in the delay
189 +- * slot of the branch external instruction.
190 +- */
191 +- regs->gr[31] -= 8;
192 +- /* Preserve original r28. */
193 +- regs->gr[28] = regs->orig_r28;
194 +-
195 ++ case -ERESTARTNOINTR:
196 ++ check_syscallno_in_delay_branch(regs);
197 + return;
198 +- }
199 + default:
200 + break;
201 + }
202 +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
203 +index 40f4eb3766d1..59d0eac26132 100644
204 +--- a/arch/x86/kernel/head_64.S
205 ++++ b/arch/x86/kernel/head_64.S
206 +@@ -45,6 +45,9 @@ L3_START_KERNEL = pud_index(__START_KERNEL_map)
207 + .globl startup_64
208 + startup_64:
209 +
210 ++ /* Sanitize CPU configuration */
211 ++ call verify_cpu
212 ++
213 + /*
214 + * At this point the CPU runs in 64bit mode CS.L = 1 CS.D = 1,
215 + * and someone has loaded an identity mapped page table
216 +@@ -160,6 +163,9 @@ ENTRY(secondary_startup_64)
217 + * after the boot processor executes this code.
218 + */
219 +
220 ++ /* Sanitize CPU configuration */
221 ++ call verify_cpu
222 ++
223 + /* Enable PAE mode and PGE */
224 + movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
225 + movq %rax, %cr4
226 +@@ -253,6 +259,8 @@ ENTRY(secondary_startup_64)
227 + pushq %rax # target address in negative space
228 + lretq
229 +
230 ++#include "verify_cpu.S"
231 ++
232 + /* SMP bootup changes these two */
233 + __REFDATA
234 + .align 8
235 +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
236 +index 115eac431483..b2952cac860f 100644
237 +--- a/arch/x86/kernel/signal.c
238 ++++ b/arch/x86/kernel/signal.c
239 +@@ -748,12 +748,15 @@ handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka,
240 + return 0;
241 + }
242 +
243 +-#ifdef CONFIG_X86_32
244 +-#define NR_restart_syscall __NR_restart_syscall
245 +-#else /* !CONFIG_X86_32 */
246 +-#define NR_restart_syscall \
247 +- test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : __NR_restart_syscall
248 +-#endif /* CONFIG_X86_32 */
249 ++static inline unsigned long get_nr_restart_syscall(const struct pt_regs *regs)
250 ++{
251 ++#if defined(CONFIG_X86_32) || !defined(CONFIG_X86_64)
252 ++ return __NR_restart_syscall;
253 ++#else /* !CONFIG_X86_32 && CONFIG_X86_64 */
254 ++ return test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall :
255 ++ __NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT);
256 ++#endif /* CONFIG_X86_32 || !CONFIG_X86_64 */
257 ++}
258 +
259 + /*
260 + * Note that 'init' is a special process: it doesn't get signals it doesn't
261 +@@ -795,7 +798,7 @@ static void do_signal(struct pt_regs *regs)
262 + break;
263 +
264 + case -ERESTART_RESTARTBLOCK:
265 +- regs->ax = NR_restart_syscall;
266 ++ regs->ax = get_nr_restart_syscall(regs);
267 + regs->ip -= 2;
268 + break;
269 + }
270 +diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
271 +index b9242bacbe59..4cf401f581e7 100644
272 +--- a/arch/x86/kernel/verify_cpu.S
273 ++++ b/arch/x86/kernel/verify_cpu.S
274 +@@ -34,10 +34,11 @@
275 + #include <asm/msr-index.h>
276 +
277 + verify_cpu:
278 +- pushfl # Save caller passed flags
279 +- pushl $0 # Kill any dangerous flags
280 +- popfl
281 ++ pushf # Save caller passed flags
282 ++ push $0 # Kill any dangerous flags
283 ++ popf
284 +
285 ++#ifndef __x86_64__
286 + pushfl # standard way to check for cpuid
287 + popl %eax
288 + movl %eax,%ebx
289 +@@ -48,6 +49,7 @@ verify_cpu:
290 + popl %eax
291 + cmpl %eax,%ebx
292 + jz verify_cpu_no_longmode # cpu has no cpuid
293 ++#endif
294 +
295 + movl $0x0,%eax # See if cpuid 1 is implemented
296 + cpuid
297 +@@ -130,10 +132,10 @@ verify_cpu_sse_test:
298 + jmp verify_cpu_sse_test # try again
299 +
300 + verify_cpu_no_longmode:
301 +- popfl # Restore caller passed flags
302 ++ popf # Restore caller passed flags
303 + movl $1,%eax
304 + ret
305 + verify_cpu_sse_ok:
306 +- popfl # Restore caller passed flags
307 ++ popf # Restore caller passed flags
308 + xorl %eax, %eax
309 + ret
310 +diff --git a/block/partitions/mac.c b/block/partitions/mac.c
311 +index 11f688bd76c5..f51c9305d1e1 100644
312 +--- a/block/partitions/mac.c
313 ++++ b/block/partitions/mac.c
314 +@@ -32,7 +32,7 @@ int mac_partition(struct parsed_partitions *state)
315 + Sector sect;
316 + unsigned char *data;
317 + int slot, blocks_in_map;
318 +- unsigned secsize;
319 ++ unsigned secsize, datasize, partoffset;
320 + #ifdef CONFIG_PPC_PMAC
321 + int found_root = 0;
322 + int found_root_goodness = 0;
323 +@@ -50,10 +50,14 @@ int mac_partition(struct parsed_partitions *state)
324 + }
325 + secsize = be16_to_cpu(md->block_size);
326 + put_dev_sector(sect);
327 +- data = read_part_sector(state, secsize/512, &sect);
328 ++ datasize = round_down(secsize, 512);
329 ++ data = read_part_sector(state, datasize / 512, &sect);
330 + if (!data)
331 + return -1;
332 +- part = (struct mac_partition *) (data + secsize%512);
333 ++ partoffset = secsize % 512;
334 ++ if (partoffset + sizeof(*part) > datasize)
335 ++ return -1;
336 ++ part = (struct mac_partition *) (data + partoffset);
337 + if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) {
338 + put_dev_sector(sect);
339 + return 0; /* not a MacOS disk */
340 +diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
341 +index 4a9c499ea78a..1ef14284d09e 100644
342 +--- a/crypto/ablkcipher.c
343 ++++ b/crypto/ablkcipher.c
344 +@@ -280,12 +280,12 @@ static int ablkcipher_walk_first(struct ablkcipher_request *req,
345 + if (WARN_ON_ONCE(in_irq()))
346 + return -EDEADLK;
347 +
348 ++ walk->iv = req->info;
349 + walk->nbytes = walk->total;
350 + if (unlikely(!walk->total))
351 + return 0;
352 +
353 + walk->iv_buffer = NULL;
354 +- walk->iv = req->info;
355 + if (unlikely(((unsigned long)walk->iv & alignmask))) {
356 + int err = ablkcipher_copy_iv(walk, tfm, alignmask);
357 + if (err)
358 +diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
359 +index 850246206b12..a68b56a368a8 100644
360 +--- a/crypto/algif_hash.c
361 ++++ b/crypto/algif_hash.c
362 +@@ -192,9 +192,14 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags)
363 + struct sock *sk2;
364 + struct alg_sock *ask2;
365 + struct hash_ctx *ctx2;
366 ++ bool more;
367 + int err;
368 +
369 +- err = crypto_ahash_export(req, state);
370 ++ lock_sock(sk);
371 ++ more = ctx->more;
372 ++ err = more ? crypto_ahash_export(req, state) : 0;
373 ++ release_sock(sk);
374 ++
375 + if (err)
376 + return err;
377 +
378 +@@ -205,7 +210,10 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags)
379 + sk2 = newsock->sk;
380 + ask2 = alg_sk(sk2);
381 + ctx2 = ask2->private;
382 +- ctx2->more = 1;
383 ++ ctx2->more = more;
384 ++
385 ++ if (!more)
386 ++ return err;
387 +
388 + err = crypto_ahash_import(&ctx2->req, state);
389 + if (err) {
390 +diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
391 +index 0a1ebea3d6fc..34e5d6507e54 100644
392 +--- a/crypto/blkcipher.c
393 ++++ b/crypto/blkcipher.c
394 +@@ -329,12 +329,12 @@ static int blkcipher_walk_first(struct blkcipher_desc *desc,
395 + if (WARN_ON_ONCE(in_irq()))
396 + return -EDEADLK;
397 +
398 ++ walk->iv = desc->info;
399 + walk->nbytes = walk->total;
400 + if (unlikely(!walk->total))
401 + return 0;
402 +
403 + walk->buffer = NULL;
404 +- walk->iv = desc->info;
405 + if (unlikely(((unsigned long)walk->iv & alignmask))) {
406 + int err = blkcipher_copy_iv(walk, tfm, alignmask);
407 + if (err)
408 +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
409 +index f48720cf96ff..2788c155cd0d 100644
410 +--- a/drivers/acpi/osl.c
411 ++++ b/drivers/acpi/osl.c
412 +@@ -85,6 +85,7 @@ static void *acpi_irq_context;
413 + static struct workqueue_struct *kacpid_wq;
414 + static struct workqueue_struct *kacpi_notify_wq;
415 + struct workqueue_struct *kacpi_hotplug_wq;
416 ++unsigned int acpi_sci_irq = INVALID_ACPI_IRQ;
417 + EXPORT_SYMBOL(kacpi_hotplug_wq);
418 +
419 + /*
420 +@@ -612,17 +613,19 @@ acpi_os_install_interrupt_handler(u32 gsi, acpi_osd_handler handler,
421 + acpi_irq_handler = NULL;
422 + return AE_NOT_ACQUIRED;
423 + }
424 ++ acpi_sci_irq = irq;
425 +
426 + return AE_OK;
427 + }
428 +
429 +-acpi_status acpi_os_remove_interrupt_handler(u32 irq, acpi_osd_handler handler)
430 ++acpi_status acpi_os_remove_interrupt_handler(u32 gsi, acpi_osd_handler handler)
431 + {
432 +- if (irq != acpi_gbl_FADT.sci_interrupt)
433 ++ if (gsi != acpi_gbl_FADT.sci_interrupt || !acpi_sci_irq_valid())
434 + return AE_BAD_PARAMETER;
435 +
436 +- free_irq(irq, acpi_irq);
437 ++ free_irq(acpi_sci_irq, acpi_irq);
438 + acpi_irq_handler = NULL;
439 ++ acpi_sci_irq = INVALID_ACPI_IRQ;
440 +
441 + return AE_OK;
442 + }
443 +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
444 +index 30cdba79d7ae..1f0db2c542e2 100644
445 +--- a/drivers/ata/libahci.c
446 ++++ b/drivers/ata/libahci.c
447 +@@ -1228,6 +1228,15 @@ static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
448 + ata_tf_to_fis(tf, pmp, is_cmd, fis);
449 + ahci_fill_cmd_slot(pp, 0, cmd_fis_len | flags | (pmp << 12));
450 +
451 ++ /* set port value for softreset of Port Multiplier */
452 ++ if (pp->fbs_enabled && pp->fbs_last_dev != pmp) {
453 ++ tmp = readl(port_mmio + PORT_FBS);
454 ++ tmp &= ~(PORT_FBS_DEV_MASK | PORT_FBS_DEC);
455 ++ tmp |= pmp << PORT_FBS_DEV_OFFSET;
456 ++ writel(tmp, port_mmio + PORT_FBS);
457 ++ pp->fbs_last_dev = pmp;
458 ++ }
459 ++
460 + /* issue & wait */
461 + writel(1, port_mmio + PORT_CMD_ISSUE);
462 +
463 +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c
464 +index 0c4ed89b6aa5..7f0c7f068030 100644
465 +--- a/drivers/ata/sata_sil.c
466 ++++ b/drivers/ata/sata_sil.c
467 +@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_device *dev)
468 + unsigned int n, quirks = 0;
469 + unsigned char model_num[ATA_ID_PROD_LEN + 1];
470 +
471 ++ /* This controller doesn't support trim */
472 ++ dev->horkage |= ATA_HORKAGE_NOTRIM;
473 ++
474 + ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
475 +
476 + for (n = 0; sil_blacklist[n].product; n++)
477 +diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
478 +index 933adc5a2637..47e5b6509682 100644
479 +--- a/drivers/block/xen-blkback/common.h
480 ++++ b/drivers/block/xen-blkback/common.h
481 +@@ -256,8 +256,8 @@ static inline void blkif_get_x86_32_req(struct blkif_request *dst,
482 + struct blkif_x86_32_request *src)
483 + {
484 + int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST;
485 +- dst->operation = src->operation;
486 +- switch (src->operation) {
487 ++ dst->operation = ACCESS_ONCE(src->operation);
488 ++ switch (dst->operation) {
489 + case BLKIF_OP_READ:
490 + case BLKIF_OP_WRITE:
491 + case BLKIF_OP_WRITE_BARRIER:
492 +@@ -292,8 +292,8 @@ static inline void blkif_get_x86_64_req(struct blkif_request *dst,
493 + struct blkif_x86_64_request *src)
494 + {
495 + int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST;
496 +- dst->operation = src->operation;
497 +- switch (src->operation) {
498 ++ dst->operation = ACCESS_ONCE(src->operation);
499 ++ switch (dst->operation) {
500 + case BLKIF_OP_READ:
501 + case BLKIF_OP_WRITE:
502 + case BLKIF_OP_WRITE_BARRIER:
503 +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
504 +index 4b8e03fc3281..8ff6f5c21852 100644
505 +--- a/drivers/bluetooth/ath3k.c
506 ++++ b/drivers/bluetooth/ath3k.c
507 +@@ -94,6 +94,7 @@ static struct usb_device_id ath3k_table[] = {
508 + { USB_DEVICE(0x0CF3, 0x311D) },
509 + { USB_DEVICE(0x0cf3, 0x3121) },
510 + { USB_DEVICE(0x0CF3, 0x817a) },
511 ++ { USB_DEVICE(0x0CF3, 0x817b) },
512 + { USB_DEVICE(0x0cf3, 0xe003) },
513 + { USB_DEVICE(0x0CF3, 0xE004) },
514 + { USB_DEVICE(0x0CF3, 0xE005) },
515 +@@ -144,6 +145,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
516 + { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
517 + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
518 + { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
519 ++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
520 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
521 + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
522 + { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
523 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
524 +index bbd1e6c7a4e9..2302075cb5ca 100644
525 +--- a/drivers/bluetooth/btusb.c
526 ++++ b/drivers/bluetooth/btusb.c
527 +@@ -172,6 +172,7 @@ static struct usb_device_id blacklist_table[] = {
528 + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
529 + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
530 + { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
531 ++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
532 + { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
533 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
534 + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
535 +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
536 +index c1de4c3a3fe7..4eedb0781912 100644
537 +--- a/drivers/firewire/ohci.c
538 ++++ b/drivers/firewire/ohci.c
539 +@@ -3620,6 +3620,11 @@ static int __devinit pci_probe(struct pci_dev *dev,
540 +
541 + reg_write(ohci, OHCI1394_IsoXmitIntMaskSet, ~0);
542 + ohci->it_context_support = reg_read(ohci, OHCI1394_IsoXmitIntMaskSet);
543 ++ /* JMicron JMB38x often shows 0 at first read, just ignore it */
544 ++ if (!ohci->it_context_support) {
545 ++ dev_notice(&dev->dev, "overriding IsoXmitIntMask\n");
546 ++ ohci->it_context_support = 0xf;
547 ++ }
548 + reg_write(ohci, OHCI1394_IsoXmitIntMaskClear, ~0);
549 + ohci->it_context_mask = ohci->it_context_support;
550 + ohci->n_it = hweight32(ohci->it_context_mask);
551 +diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
552 +index 77c456d624bf..afd1cc14b26c 100644
553 +--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
554 ++++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
555 +@@ -51,6 +51,11 @@ static void radeon_hotplug_work_func(struct work_struct *work)
556 + struct drm_mode_config *mode_config = &dev->mode_config;
557 + struct drm_connector *connector;
558 +
559 ++ /* we can race here at startup, some boards seem to trigger
560 ++ * hotplug irqs when they shouldn't. */
561 ++ if (!rdev->mode_info.mode_config_initialized)
562 ++ return;
563 ++
564 + mutex_lock(&mode_config->mutex);
565 + if (mode_config->num_connector) {
566 + list_for_each_entry(connector, &mode_config->connector_list, head)
567 +diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
568 +index 111d956d8e7d..6a46d6e3377b 100644
569 +--- a/drivers/gpu/vga/vgaarb.c
570 ++++ b/drivers/gpu/vga/vgaarb.c
571 +@@ -381,8 +381,10 @@ int vga_get(struct pci_dev *pdev, unsigned int rsrc, int interruptible)
572 + set_current_state(interruptible ?
573 + TASK_INTERRUPTIBLE :
574 + TASK_UNINTERRUPTIBLE);
575 +- if (signal_pending(current)) {
576 +- rc = -EINTR;
577 ++ if (interruptible && signal_pending(current)) {
578 ++ __set_current_state(TASK_RUNNING);
579 ++ remove_wait_queue(&vga_wait_queue, &wait);
580 ++ rc = -ERESTARTSYS;
581 + break;
582 + }
583 + schedule();
584 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
585 +index 75fa2e7b87b5..b8ad132bc220 100644
586 +--- a/drivers/hid/hid-core.c
587 ++++ b/drivers/hid/hid-core.c
588 +@@ -1301,7 +1301,7 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask)
589 + "Multi-Axis Controller"
590 + };
591 + const char *type, *bus;
592 +- char buf[64];
593 ++ char buf[64] = "";
594 + unsigned int i;
595 + int len;
596 + int ret;
597 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
598 +index bd400f2a8d26..99e4974fe699 100644
599 +--- a/drivers/iommu/intel-iommu.c
600 ++++ b/drivers/iommu/intel-iommu.c
601 +@@ -3586,10 +3586,15 @@ found:
602 + for (bus = dev->bus; bus; bus = bus->parent) {
603 + struct pci_dev *bridge = bus->self;
604 +
605 +- if (!bridge || !pci_is_pcie(bridge) ||
606 ++ /* If it's an integrated device, allow ATS */
607 ++ if (!bridge)
608 ++ return 1;
609 ++ /* Connected via non-PCIe: no ATS */
610 ++ if (!pci_is_pcie(bridge) ||
611 + bridge->pcie_type == PCI_EXP_TYPE_PCI_BRIDGE)
612 + return 0;
613 +
614 ++ /* If we found the root port, look it up in the ATSR */
615 + if (bridge->pcie_type == PCI_EXP_TYPE_ROOT_PORT) {
616 + for (i = 0; i < atsru->devices_cnt; i++)
617 + if (atsru->devices[i] == bridge)
618 +diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
619 +index 6f3fd4cf4378..39119914e185 100644
620 +--- a/drivers/isdn/gigaset/ser-gigaset.c
621 ++++ b/drivers/isdn/gigaset/ser-gigaset.c
622 +@@ -371,19 +371,12 @@ static void gigaset_freecshw(struct cardstate *cs)
623 + tasklet_kill(&cs->write_tasklet);
624 + if (!cs->hw.ser)
625 + return;
626 +- dev_set_drvdata(&cs->hw.ser->dev.dev, NULL);
627 + platform_device_unregister(&cs->hw.ser->dev);
628 +- kfree(cs->hw.ser);
629 +- cs->hw.ser = NULL;
630 + }
631 +
632 + static void gigaset_device_release(struct device *dev)
633 + {
634 +- struct platform_device *pdev = to_platform_device(dev);
635 +-
636 +- /* adapted from platform_device_release() in drivers/base/platform.c */
637 +- kfree(dev->platform_data);
638 +- kfree(pdev->resource);
639 ++ kfree(container_of(dev, struct ser_cardstate, dev.dev));
640 + }
641 +
642 + /*
643 +@@ -412,7 +405,6 @@ static int gigaset_initcshw(struct cardstate *cs)
644 + cs->hw.ser = NULL;
645 + return 0;
646 + }
647 +- dev_set_drvdata(&cs->hw.ser->dev.dev, cs);
648 +
649 + tasklet_init(&cs->write_tasklet,
650 + gigaset_modem_fill, (unsigned long) cs);
651 +diff --git a/drivers/isdn/hardware/mISDN/mISDNipac.c b/drivers/isdn/hardware/mISDN/mISDNipac.c
652 +index 884369f09cad..c0b787b3336c 100644
653 +--- a/drivers/isdn/hardware/mISDN/mISDNipac.c
654 ++++ b/drivers/isdn/hardware/mISDN/mISDNipac.c
655 +@@ -1156,7 +1156,7 @@ mISDNipac_irq(struct ipac_hw *ipac, int maxloop)
656 +
657 + if (ipac->type & IPAC_TYPE_IPACX) {
658 + ista = ReadIPAC(ipac, ISACX_ISTA);
659 +- while (ista && cnt--) {
660 ++ while (ista && --cnt) {
661 + pr_debug("%s: ISTA %02x\n", ipac->name, ista);
662 + if (ista & IPACX__ICA)
663 + ipac_irq(&ipac->hscx[0], ista);
664 +@@ -1168,7 +1168,7 @@ mISDNipac_irq(struct ipac_hw *ipac, int maxloop)
665 + }
666 + } else if (ipac->type & IPAC_TYPE_IPAC) {
667 + ista = ReadIPAC(ipac, IPAC_ISTA);
668 +- while (ista && cnt--) {
669 ++ while (ista && --cnt) {
670 + pr_debug("%s: ISTA %02x\n", ipac->name, ista);
671 + if (ista & (IPAC__ICD | IPAC__EXD)) {
672 + istad = ReadISAC(isac, ISAC_ISTA);
673 +@@ -1186,7 +1186,7 @@ mISDNipac_irq(struct ipac_hw *ipac, int maxloop)
674 + ista = ReadIPAC(ipac, IPAC_ISTA);
675 + }
676 + } else if (ipac->type & IPAC_TYPE_HSCX) {
677 +- while (cnt) {
678 ++ while (--cnt) {
679 + ista = ReadIPAC(ipac, IPAC_ISTAB + ipac->hscx[1].off);
680 + pr_debug("%s: B2 ISTA %02x\n", ipac->name, ista);
681 + if (ista)
682 +@@ -1197,7 +1197,6 @@ mISDNipac_irq(struct ipac_hw *ipac, int maxloop)
683 + mISDNisac_irq(isac, istad);
684 + if (0 == (ista | istad))
685 + break;
686 +- cnt--;
687 + }
688 + }
689 + if (cnt > maxloop) /* only for ISAC/HSCX without PCI IRQ test */
690 +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
691 +index d5fc3ec3639e..a0b28eee8270 100644
692 +--- a/drivers/md/dm-mpath.c
693 ++++ b/drivers/md/dm-mpath.c
694 +@@ -1553,11 +1553,8 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
695 + /*
696 + * Only pass ioctls through if the device sizes match exactly.
697 + */
698 +- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) {
699 +- int err = scsi_verify_blk_ioctl(NULL, cmd);
700 +- if (err)
701 +- r = err;
702 +- }
703 ++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
704 ++ r = scsi_verify_blk_ioctl(NULL, cmd);
705 +
706 + return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
707 + }
708 +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
709 +index be86d59eaa90..c948acfba43c 100644
710 +--- a/drivers/md/persistent-data/dm-btree.c
711 ++++ b/drivers/md/persistent-data/dm-btree.c
712 +@@ -230,6 +230,16 @@ static void pop_frame(struct del_stack *s)
713 + dm_tm_unlock(s->tm, f->b);
714 + }
715 +
716 ++static void unlock_all_frames(struct del_stack *s)
717 ++{
718 ++ struct frame *f;
719 ++
720 ++ while (unprocessed_frames(s)) {
721 ++ f = s->spine + s->top--;
722 ++ dm_tm_unlock(s->tm, f->b);
723 ++ }
724 ++}
725 ++
726 + int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
727 + {
728 + int r;
729 +@@ -285,9 +295,13 @@ int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
730 + f->current_child = f->nr_children;
731 + }
732 + }
733 +-
734 + out:
735 ++ if (r) {
736 ++ /* cleanup all frames of del_stack */
737 ++ unlock_all_frames(s);
738 ++ }
739 + kfree(s);
740 ++
741 + return r;
742 + }
743 + EXPORT_SYMBOL_GPL(dm_btree_del);
744 +@@ -450,8 +464,10 @@ static int btree_split_sibling(struct shadow_spine *s, dm_block_t root,
745 +
746 + r = insert_at(sizeof(__le64), pn, parent_index + 1,
747 + le64_to_cpu(rn->keys[0]), &location);
748 +- if (r)
749 ++ if (r) {
750 ++ unlock_block(s->info, right);
751 + return r;
752 ++ }
753 +
754 + if (key < le64_to_cpu(rn->keys[0])) {
755 + unlock_block(s->info, right);
756 +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
757 +index a548eed38937..a4d994f0cea4 100644
758 +--- a/drivers/md/raid1.c
759 ++++ b/drivers/md/raid1.c
760 +@@ -1272,11 +1272,8 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
761 + set_bit(Blocked, &rdev->flags);
762 + spin_lock_irqsave(&conf->device_lock, flags);
763 + if (test_and_clear_bit(In_sync, &rdev->flags)) {
764 +- unsigned long flags;
765 +- spin_lock_irqsave(&conf->device_lock, flags);
766 + mddev->degraded++;
767 + set_bit(Faulty, &rdev->flags);
768 +- spin_unlock_irqrestore(&conf->device_lock, flags);
769 + /*
770 + * if recovery is running, make sure it aborts.
771 + */
772 +diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c
773 +index bf24aa77175d..1c96f3d08c34 100644
774 +--- a/drivers/mtd/mtdpart.c
775 ++++ b/drivers/mtd/mtdpart.c
776 +@@ -632,8 +632,10 @@ int add_mtd_partitions(struct mtd_info *master,
777 +
778 + for (i = 0; i < nbparts; i++) {
779 + slave = allocate_partition(master, parts + i, i, cur_offset);
780 +- if (IS_ERR(slave))
781 ++ if (IS_ERR(slave)) {
782 ++ del_mtd_partitions(master);
783 + return PTR_ERR(slave);
784 ++ }
785 +
786 + mutex_lock(&mtd_partitions_mutex);
787 + list_add(&slave->list, &mtd_partitions);
788 +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
789 +index 2d3ad72958ff..18244862dfbf 100644
790 +--- a/drivers/net/can/sja1000/sja1000.c
791 ++++ b/drivers/net/can/sja1000/sja1000.c
792 +@@ -177,6 +177,9 @@ static void sja1000_start(struct net_device *dev)
793 + priv->write_reg(priv, REG_RXERR, 0x0);
794 + priv->read_reg(priv, REG_ECC);
795 +
796 ++ /* clear interrupt flags */
797 ++ priv->read_reg(priv, REG_IR);
798 ++
799 + /* leave reset mode */
800 + set_normal_mode(dev);
801 + }
802 +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
803 +index 16caebaec007..53f5a96e99c3 100644
804 +--- a/drivers/net/ethernet/renesas/sh_eth.c
805 ++++ b/drivers/net/ethernet/renesas/sh_eth.c
806 +@@ -1513,8 +1513,7 @@ static int sh_eth_start_xmit(struct sk_buff *skb, struct net_device *ndev)
807 + txdesc = &mdp->tx_ring[entry];
808 + /* soft swap. */
809 + if (!mdp->cd->hw_swap)
810 +- sh_eth_soft_swap(phys_to_virt(ALIGN(txdesc->addr, 4)),
811 +- skb->len + 2);
812 ++ sh_eth_soft_swap(PTR_ALIGN(skb->data, 4), skb->len + 2);
813 + txdesc->addr = dma_map_single(&ndev->dev, skb->data, skb->len,
814 + DMA_TO_DEVICE);
815 + if (skb->len < ETHERSMALL)
816 +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
817 +index 6749acf6f3f4..e7352399b1fa 100644
818 +--- a/drivers/net/macvlan.c
819 ++++ b/drivers/net/macvlan.c
820 +@@ -173,6 +173,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
821 + skb = ip_check_defrag(skb, IP_DEFRAG_MACVLAN);
822 + if (!skb)
823 + return RX_HANDLER_CONSUMED;
824 ++ *pskb = skb;
825 + eth = eth_hdr(skb);
826 + src = macvlan_hash_lookup(port, eth->h_source);
827 + if (!src)
828 +@@ -222,6 +223,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
829 + if (!skb)
830 + goto out;
831 +
832 ++ *pskb = skb;
833 + skb->dev = dev;
834 + skb->pkt_type = PACKET_HOST;
835 +
836 +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
837 +index 60338ff63092..5b45369a0878 100644
838 +--- a/drivers/net/phy/broadcom.c
839 ++++ b/drivers/net/phy/broadcom.c
840 +@@ -933,7 +933,7 @@ static struct mdio_device_id __maybe_unused broadcom_tbl[] = {
841 + { PHY_ID_BCM5421, 0xfffffff0 },
842 + { PHY_ID_BCM5461, 0xfffffff0 },
843 + { PHY_ID_BCM5464, 0xfffffff0 },
844 +- { PHY_ID_BCM5482, 0xfffffff0 },
845 ++ { PHY_ID_BCM5481, 0xfffffff0 },
846 + { PHY_ID_BCM5482, 0xfffffff0 },
847 + { PHY_ID_BCM50610, 0xfffffff0 },
848 + { PHY_ID_BCM50610M, 0xfffffff0 },
849 +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
850 +index d7a65e141d1a..dadf08512273 100644
851 +--- a/drivers/net/wan/x25_asy.c
852 ++++ b/drivers/net/wan/x25_asy.c
853 +@@ -546,16 +546,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty,
854 +
855 + static int x25_asy_open_tty(struct tty_struct *tty)
856 + {
857 +- struct x25_asy *sl = tty->disc_data;
858 ++ struct x25_asy *sl;
859 + int err;
860 +
861 + if (tty->ops->write == NULL)
862 + return -EOPNOTSUPP;
863 +
864 +- /* First make sure we're not already connected. */
865 +- if (sl && sl->magic == X25_ASY_MAGIC)
866 +- return -EEXIST;
867 +-
868 + /* OK. Find a free X.25 channel to use. */
869 + sl = x25_asy_alloc();
870 + if (sl == NULL)
871 +diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
872 +index 1a845074c52a..e24ef9a4228d 100644
873 +--- a/drivers/net/wireless/mwifiex/debugfs.c
874 ++++ b/drivers/net/wireless/mwifiex/debugfs.c
875 +@@ -621,7 +621,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
876 + (struct mwifiex_private *) file->private_data;
877 + unsigned long addr = get_zeroed_page(GFP_KERNEL);
878 + char *buf = (char *) addr;
879 +- int pos = 0, ret = 0, i;
880 ++ int pos, ret, i;
881 + u8 value[MAX_EEPROM_DATA];
882 +
883 + if (!buf)
884 +@@ -629,7 +629,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
885 +
886 + if (saved_offset == -1) {
887 + /* No command has been given */
888 +- pos += snprintf(buf, PAGE_SIZE, "0");
889 ++ pos = snprintf(buf, PAGE_SIZE, "0");
890 + goto done;
891 + }
892 +
893 +@@ -638,17 +638,17 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
894 + (u16) saved_bytes, value);
895 + if (ret) {
896 + ret = -EINVAL;
897 +- goto done;
898 ++ goto out_free;
899 + }
900 +
901 +- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
902 ++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
903 +
904 + for (i = 0; i < saved_bytes; i++)
905 +- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
906 +-
907 +- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
908 ++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
909 +
910 + done:
911 ++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
912 ++out_free:
913 + free_page(addr);
914 + return ret;
915 + }
916 +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
917 +index cd4966bcb2d2..37bcc560210e 100644
918 +--- a/drivers/net/xen-netback/netback.c
919 ++++ b/drivers/net/xen-netback/netback.c
920 +@@ -398,17 +398,17 @@ static struct netbk_rx_meta *get_next_rx_buffer(struct xenvif *vif,
921 + struct netrx_pending_operations *npo)
922 + {
923 + struct netbk_rx_meta *meta;
924 +- struct xen_netif_rx_request *req;
925 ++ struct xen_netif_rx_request req;
926 +
927 +- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
928 ++ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req);
929 +
930 + meta = npo->meta + npo->meta_prod++;
931 + meta->gso_size = 0;
932 + meta->size = 0;
933 +- meta->id = req->id;
934 ++ meta->id = req.id;
935 +
936 + npo->copy_off = 0;
937 +- npo->copy_gref = req->gref;
938 ++ npo->copy_gref = req.gref;
939 +
940 + return meta;
941 + }
942 +@@ -510,7 +510,7 @@ static int netbk_gop_skb(struct sk_buff *skb,
943 + struct xenvif *vif = netdev_priv(skb->dev);
944 + int nr_frags = skb_shinfo(skb)->nr_frags;
945 + int i;
946 +- struct xen_netif_rx_request *req;
947 ++ struct xen_netif_rx_request req;
948 + struct netbk_rx_meta *meta;
949 + unsigned char *data;
950 + int head = 1;
951 +@@ -520,14 +520,14 @@ static int netbk_gop_skb(struct sk_buff *skb,
952 +
953 + /* Set up a GSO prefix descriptor, if necessary */
954 + if (skb_shinfo(skb)->gso_size && vif->gso_prefix) {
955 +- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
956 ++ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req);
957 + meta = npo->meta + npo->meta_prod++;
958 + meta->gso_size = skb_shinfo(skb)->gso_size;
959 + meta->size = 0;
960 +- meta->id = req->id;
961 ++ meta->id = req.id;
962 + }
963 +
964 +- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
965 ++ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req);
966 + meta = npo->meta + npo->meta_prod++;
967 +
968 + if (!vif->gso_prefix)
969 +@@ -536,9 +536,9 @@ static int netbk_gop_skb(struct sk_buff *skb,
970 + meta->gso_size = 0;
971 +
972 + meta->size = 0;
973 +- meta->id = req->id;
974 ++ meta->id = req.id;
975 + npo->copy_off = 0;
976 +- npo->copy_gref = req->gref;
977 ++ npo->copy_gref = req.gref;
978 +
979 + data = skb->data;
980 + while (data < skb_tail_pointer(skb)) {
981 +@@ -856,9 +856,7 @@ static void tx_add_credit(struct xenvif *vif)
982 + * Allow a burst big enough to transmit a jumbo packet of up to 128kB.
983 + * Otherwise the interface can seize up due to insufficient credit.
984 + */
985 +- max_burst = RING_GET_REQUEST(&vif->tx, vif->tx.req_cons)->size;
986 +- max_burst = min(max_burst, 131072UL);
987 +- max_burst = max(max_burst, vif->credit_bytes);
988 ++ max_burst = max(131072UL, vif->credit_bytes);
989 +
990 + /* Take care that adding a new chunk of credit doesn't wrap to zero. */
991 + max_credit = vif->remaining_credit + vif->credit_bytes;
992 +@@ -884,7 +882,7 @@ static void netbk_tx_err(struct xenvif *vif,
993 + make_tx_response(vif, txp, XEN_NETIF_RSP_ERROR);
994 + if (cons == end)
995 + break;
996 +- txp = RING_GET_REQUEST(&vif->tx, cons++);
997 ++ RING_COPY_REQUEST(&vif->tx, cons++, txp);
998 + } while (1);
999 + vif->tx.req_cons = cons;
1000 + xen_netbk_check_rx_xenvif(vif);
1001 +@@ -945,8 +943,7 @@ static int netbk_count_requests(struct xenvif *vif,
1002 + drop_err = -E2BIG;
1003 + }
1004 +
1005 +- memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
1006 +- sizeof(*txp));
1007 ++ RING_COPY_REQUEST(&vif->tx, cons + slots, txp);
1008 +
1009 + /* If the guest submitted a frame >= 64 KiB then
1010 + * first->size overflowed and following slots will
1011 +@@ -1228,8 +1225,7 @@ static int xen_netbk_get_extras(struct xenvif *vif,
1012 + return -EBADR;
1013 + }
1014 +
1015 +- memcpy(&extra, RING_GET_REQUEST(&vif->tx, cons),
1016 +- sizeof(extra));
1017 ++ RING_COPY_REQUEST(&vif->tx, cons, &extra);
1018 + if (unlikely(!extra.type ||
1019 + extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
1020 + vif->tx.req_cons = ++cons;
1021 +@@ -1424,7 +1420,7 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
1022 +
1023 + idx = vif->tx.req_cons;
1024 + rmb(); /* Ensure that we see the request before we copy it. */
1025 +- memcpy(&txreq, RING_GET_REQUEST(&vif->tx, idx), sizeof(txreq));
1026 ++ RING_COPY_REQUEST(&vif->tx, idx, &txreq);
1027 +
1028 + /* Credit-based scheduling. */
1029 + if (txreq.size > vif->remaining_credit &&
1030 +diff --git a/drivers/parisc/iommu-helpers.h b/drivers/parisc/iommu-helpers.h
1031 +index 8c33491b21fe..c6aa38883466 100644
1032 +--- a/drivers/parisc/iommu-helpers.h
1033 ++++ b/drivers/parisc/iommu-helpers.h
1034 +@@ -104,7 +104,11 @@ iommu_coalesce_chunks(struct ioc *ioc, struct device *dev,
1035 + struct scatterlist *contig_sg; /* contig chunk head */
1036 + unsigned long dma_offset, dma_len; /* start/len of DMA stream */
1037 + unsigned int n_mappings = 0;
1038 +- unsigned int max_seg_size = dma_get_max_seg_size(dev);
1039 ++ unsigned int max_seg_size = min(dma_get_max_seg_size(dev),
1040 ++ (unsigned)DMA_CHUNK_SIZE);
1041 ++ unsigned int max_seg_boundary = dma_get_seg_boundary(dev) + 1;
1042 ++ if (max_seg_boundary) /* check if the addition above didn't overflow */
1043 ++ max_seg_size = min(max_seg_size, max_seg_boundary);
1044 +
1045 + while (nents > 0) {
1046 +
1047 +@@ -139,14 +143,11 @@ iommu_coalesce_chunks(struct ioc *ioc, struct device *dev,
1048 +
1049 + /*
1050 + ** First make sure current dma stream won't
1051 +- ** exceed DMA_CHUNK_SIZE if we coalesce the
1052 ++ ** exceed max_seg_size if we coalesce the
1053 + ** next entry.
1054 + */
1055 +- if(unlikely(ALIGN(dma_len + dma_offset + startsg->length,
1056 +- IOVP_SIZE) > DMA_CHUNK_SIZE))
1057 +- break;
1058 +-
1059 +- if (startsg->length + dma_len > max_seg_size)
1060 ++ if (unlikely(ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) >
1061 ++ max_seg_size))
1062 + break;
1063 +
1064 + /*
1065 +diff --git a/drivers/power/wm831x_power.c b/drivers/power/wm831x_power.c
1066 +index 987332b71d8d..036ee0b258be 100644
1067 +--- a/drivers/power/wm831x_power.c
1068 ++++ b/drivers/power/wm831x_power.c
1069 +@@ -567,7 +567,7 @@ static __devinit int wm831x_power_probe(struct platform_device *pdev)
1070 +
1071 + irq = platform_get_irq_byname(pdev, "SYSLO");
1072 + ret = request_threaded_irq(irq, NULL, wm831x_syslo_irq,
1073 +- IRQF_TRIGGER_RISING, "System power low",
1074 ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "System power low",
1075 + power);
1076 + if (ret != 0) {
1077 + dev_err(&pdev->dev, "Failed to request SYSLO IRQ %d: %d\n",
1078 +@@ -577,7 +577,7 @@ static __devinit int wm831x_power_probe(struct platform_device *pdev)
1079 +
1080 + irq = platform_get_irq_byname(pdev, "PWR SRC");
1081 + ret = request_threaded_irq(irq, NULL, wm831x_pwr_src_irq,
1082 +- IRQF_TRIGGER_RISING, "Power source",
1083 ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "Power source",
1084 + power);
1085 + if (ret != 0) {
1086 + dev_err(&pdev->dev, "Failed to request PWR SRC IRQ %d: %d\n",
1087 +@@ -588,7 +588,7 @@ static __devinit int wm831x_power_probe(struct platform_device *pdev)
1088 + for (i = 0; i < ARRAY_SIZE(wm831x_bat_irqs); i++) {
1089 + irq = platform_get_irq_byname(pdev, wm831x_bat_irqs[i]);
1090 + ret = request_threaded_irq(irq, NULL, wm831x_bat_irq,
1091 +- IRQF_TRIGGER_RISING,
1092 ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT,
1093 + wm831x_bat_irqs[i],
1094 + power);
1095 + if (ret != 0) {
1096 +diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h
1097 +index 1a7955a39070..0eaf19676157 100644
1098 +--- a/drivers/scsi/megaraid/megaraid_sas.h
1099 ++++ b/drivers/scsi/megaraid/megaraid_sas.h
1100 +@@ -300,6 +300,8 @@ enum MR_EVT_ARGS {
1101 + MR_EVT_ARGS_GENERIC,
1102 + };
1103 +
1104 ++
1105 ++#define SGE_BUFFER_SIZE 4096
1106 + /*
1107 + * define constants for device list query options
1108 + */
1109 +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
1110 +index bacd344f4626..2e46060e45e2 100644
1111 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c
1112 ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
1113 +@@ -3582,7 +3582,7 @@ static int megasas_init_fw(struct megasas_instance *instance)
1114 + }
1115 +
1116 + instance->max_sectors_per_req = instance->max_num_sge *
1117 +- PAGE_SIZE / 512;
1118 ++ SGE_BUFFER_SIZE / 512;
1119 + if (tmp_sectors && (instance->max_sectors_per_req > tmp_sectors))
1120 + instance->max_sectors_per_req = tmp_sectors;
1121 +
1122 +@@ -5014,6 +5014,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
1123 + int i;
1124 + int error = 0;
1125 + compat_uptr_t ptr;
1126 ++ unsigned long local_raw_ptr;
1127 ++ u32 local_sense_off;
1128 ++ u32 local_sense_len;
1129 +
1130 + if (clear_user(ioc, sizeof(*ioc)))
1131 + return -EFAULT;
1132 +@@ -5031,9 +5034,15 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg)
1133 + * sense_len is not null, so prepare the 64bit value under
1134 + * the same condition.
1135 + */
1136 +- if (ioc->sense_len) {
1137 ++ if (get_user(local_raw_ptr, ioc->frame.raw) ||
1138 ++ get_user(local_sense_off, &ioc->sense_off) ||
1139 ++ get_user(local_sense_len, &ioc->sense_len))
1140 ++ return -EFAULT;
1141 ++
1142 ++
1143 ++ if (local_sense_len) {
1144 + void __user **sense_ioc_ptr =
1145 +- (void __user **)(ioc->frame.raw + ioc->sense_off);
1146 ++ (void __user **)((u8*)local_raw_ptr + local_sense_off);
1147 + compat_uptr_t *sense_cioc_ptr =
1148 + (compat_uptr_t *)(cioc->frame.raw + cioc->sense_off);
1149 + if (get_user(ptr, sense_cioc_ptr) ||
1150 +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
1151 +index 72ca515a4304..ca6ddab8c4a7 100644
1152 +--- a/drivers/scsi/scsi_sysfs.c
1153 ++++ b/drivers/scsi/scsi_sysfs.c
1154 +@@ -793,7 +793,7 @@ sdev_store_queue_ramp_up_period(struct device *dev,
1155 + return -EINVAL;
1156 +
1157 + sdev->queue_ramp_up_period = msecs_to_jiffies(period);
1158 +- return period;
1159 ++ return count;
1160 + }
1161 +
1162 + static struct device_attribute sdev_attr_queue_ramp_up_period =
1163 +@@ -1020,31 +1020,23 @@ static void __scsi_remove_target(struct scsi_target *starget)
1164 + void scsi_remove_target(struct device *dev)
1165 + {
1166 + struct Scsi_Host *shost = dev_to_shost(dev->parent);
1167 +- struct scsi_target *starget, *last = NULL;
1168 ++ struct scsi_target *starget;
1169 + unsigned long flags;
1170 +
1171 +- /* remove targets being careful to lookup next entry before
1172 +- * deleting the last
1173 +- */
1174 ++restart:
1175 + spin_lock_irqsave(shost->host_lock, flags);
1176 + list_for_each_entry(starget, &shost->__targets, siblings) {
1177 + if (starget->state == STARGET_DEL)
1178 + continue;
1179 + if (starget->dev.parent == dev || &starget->dev == dev) {
1180 +- /* assuming new targets arrive at the end */
1181 + starget->reap_ref++;
1182 + spin_unlock_irqrestore(shost->host_lock, flags);
1183 +- if (last)
1184 +- scsi_target_reap(last);
1185 +- last = starget;
1186 + __scsi_remove_target(starget);
1187 +- spin_lock_irqsave(shost->host_lock, flags);
1188 ++ scsi_target_reap(starget);
1189 ++ goto restart;
1190 + }
1191 + }
1192 + spin_unlock_irqrestore(shost->host_lock, flags);
1193 +-
1194 +- if (last)
1195 +- scsi_target_reap(last);
1196 + }
1197 + EXPORT_SYMBOL(scsi_remove_target);
1198 +
1199 +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
1200 +index eba183c428cf..3643bbf5456d 100644
1201 +--- a/drivers/scsi/ses.c
1202 ++++ b/drivers/scsi/ses.c
1203 +@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev)
1204 + static int ses_recv_diag(struct scsi_device *sdev, int page_code,
1205 + void *buf, int bufflen)
1206 + {
1207 ++ int ret;
1208 + unsigned char cmd[] = {
1209 + RECEIVE_DIAGNOSTIC,
1210 + 1, /* Set PCV bit */
1211 +@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
1212 + bufflen & 0xff,
1213 + 0
1214 + };
1215 ++ unsigned char recv_page_code;
1216 +
1217 +- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
1218 ++ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
1219 + NULL, SES_TIMEOUT, SES_RETRIES, NULL);
1220 ++ if (unlikely(!ret))
1221 ++ return ret;
1222 ++
1223 ++ recv_page_code = ((unsigned char *)buf)[0];
1224 ++
1225 ++ if (likely(recv_page_code == page_code))
1226 ++ return ret;
1227 ++
1228 ++ /* successful diagnostic but wrong page code. This happens to some
1229 ++ * USB devices, just print a message and pretend there was an error */
1230 ++
1231 ++ sdev_printk(KERN_ERR, sdev,
1232 ++ "Wrong diagnostic page; asked for %d got %u\n",
1233 ++ page_code, recv_page_code);
1234 ++
1235 ++ return -EINVAL;
1236 + }
1237 +
1238 + static int ses_send_diag(struct scsi_device *sdev, int page_code,
1239 +@@ -436,7 +454,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
1240 + if (desc_ptr)
1241 + desc_ptr += len;
1242 +
1243 +- if (addl_desc_ptr)
1244 ++ if (addl_desc_ptr &&
1245 ++ /* only find additional descriptions for specific devices */
1246 ++ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
1247 ++ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
1248 ++ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
1249 ++ /* these elements are optional */
1250 ++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
1251 ++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
1252 ++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
1253 + addl_desc_ptr += addl_desc_ptr[1] + 2;
1254 +
1255 + }
1256 +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
1257 +index a3f31e9ab214..516fd23ba0d5 100644
1258 +--- a/drivers/spi/spi.c
1259 ++++ b/drivers/spi/spi.c
1260 +@@ -846,7 +846,7 @@ struct spi_master *spi_alloc_master(struct device *dev, unsigned size)
1261 +
1262 + device_initialize(&master->dev);
1263 + master->dev.class = &spi_master_class;
1264 +- master->dev.parent = get_device(dev);
1265 ++ master->dev.parent = dev;
1266 + spi_master_set_devdata(master, &master[1]);
1267 +
1268 + return master;
1269 +diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c
1270 +index dfc9033843a3..37ca387327cf 100644
1271 +--- a/drivers/staging/iio/adc/lpc32xx_adc.c
1272 ++++ b/drivers/staging/iio/adc/lpc32xx_adc.c
1273 +@@ -75,7 +75,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev,
1274 +
1275 + if (mask == 0) {
1276 + mutex_lock(&indio_dev->mlock);
1277 +- clk_enable(info->clk);
1278 ++ clk_prepare_enable(info->clk);
1279 + /* Measurement setup */
1280 + __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm,
1281 + LPC32XX_ADC_SELECT(info->adc_base));
1282 +@@ -83,7 +83,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev,
1283 + __raw_writel(AD_PDN_CTRL | AD_STROBE,
1284 + LPC32XX_ADC_CTRL(info->adc_base));
1285 + wait_for_completion(&info->completion); /* set by ISR */
1286 +- clk_disable(info->clk);
1287 ++ clk_disable_unprepare(info->clk);
1288 + *val = info->value;
1289 + mutex_unlock(&indio_dev->mlock);
1290 +
1291 +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
1292 +index 1b1bf38e8839..3c4a54cf4b5d 100644
1293 +--- a/drivers/staging/rtl8712/usb_intf.c
1294 ++++ b/drivers/staging/rtl8712/usb_intf.c
1295 +@@ -147,6 +147,7 @@ static struct usb_device_id rtl871x_usb_id_tbl[] = {
1296 + {USB_DEVICE(0x0DF6, 0x0058)},
1297 + {USB_DEVICE(0x0DF6, 0x0049)},
1298 + {USB_DEVICE(0x0DF6, 0x004C)},
1299 ++ {USB_DEVICE(0x0DF6, 0x006C)},
1300 + {USB_DEVICE(0x0DF6, 0x0064)},
1301 + /* Skyworth */
1302 + {USB_DEVICE(0x14b2, 0x3300)},
1303 +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
1304 +index 4f02f9ce05c5..3f59d6c399da 100644
1305 +--- a/drivers/tty/tty_buffer.c
1306 ++++ b/drivers/tty/tty_buffer.c
1307 +@@ -443,7 +443,8 @@ static void flush_to_ldisc(struct work_struct *work)
1308 + flag_buf = head->flag_buf_ptr + head->read;
1309 + head->read += count;
1310 + spin_unlock_irqrestore(&tty->buf.lock, flags);
1311 +- disc->ops->receive_buf(tty, char_buf,
1312 ++ if (disc->ops->receive_buf)
1313 ++ disc->ops->receive_buf(tty, char_buf,
1314 + flag_buf, count);
1315 + spin_lock_irqsave(&tty->buf.lock, flags);
1316 + }
1317 +diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
1318 +index a68c1a63dc65..8bbe67ccb758 100644
1319 +--- a/drivers/usb/class/usblp.c
1320 ++++ b/drivers/usb/class/usblp.c
1321 +@@ -861,11 +861,11 @@ static int usblp_wwait(struct usblp *usblp, int nonblock)
1322 +
1323 + add_wait_queue(&usblp->wwait, &waita);
1324 + for (;;) {
1325 +- set_current_state(TASK_INTERRUPTIBLE);
1326 + if (mutex_lock_interruptible(&usblp->mut)) {
1327 + rc = -EINTR;
1328 + break;
1329 + }
1330 ++ set_current_state(TASK_INTERRUPTIBLE);
1331 + rc = usblp_wtest(usblp, nonblock);
1332 + mutex_unlock(&usblp->mut);
1333 + if (rc <= 0)
1334 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
1335 +index 62ea924dee1c..65ff69a05225 100644
1336 +--- a/drivers/usb/core/hub.c
1337 ++++ b/drivers/usb/core/hub.c
1338 +@@ -156,6 +156,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
1339 + #define HUB_DEBOUNCE_STABLE 100
1340 +
1341 +
1342 ++static void hub_release(struct kref *kref);
1343 + static int usb_reset_and_verify_device(struct usb_device *udev);
1344 +
1345 + static inline char *portspeed(struct usb_hub *hub, int portstatus)
1346 +@@ -797,10 +798,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
1347 + unsigned delay;
1348 +
1349 + /* Continue a partial initialization */
1350 +- if (type == HUB_INIT2)
1351 +- goto init2;
1352 +- if (type == HUB_INIT3)
1353 ++ if (type == HUB_INIT2 || type == HUB_INIT3) {
1354 ++ device_lock(hub->intfdev);
1355 ++
1356 ++ /* Was the hub disconnected while we were waiting? */
1357 ++ if (hub->disconnected) {
1358 ++ device_unlock(hub->intfdev);
1359 ++ kref_put(&hub->kref, hub_release);
1360 ++ return;
1361 ++ }
1362 ++ if (type == HUB_INIT2)
1363 ++ goto init2;
1364 + goto init3;
1365 ++ }
1366 ++ kref_get(&hub->kref);
1367 +
1368 + /* The superspeed hub except for root hub has to use Hub Depth
1369 + * value as an offset into the route string to locate the bits
1370 +@@ -990,6 +1001,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
1371 + PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3);
1372 + schedule_delayed_work(&hub->init_work,
1373 + msecs_to_jiffies(delay));
1374 ++ device_unlock(hub->intfdev);
1375 + return; /* Continues at init3: below */
1376 + } else {
1377 + msleep(delay);
1378 +@@ -1010,6 +1022,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
1379 + /* Allow autosuspend if it was suppressed */
1380 + if (type <= HUB_INIT3)
1381 + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
1382 ++
1383 ++ if (type == HUB_INIT2 || type == HUB_INIT3)
1384 ++ device_unlock(hub->intfdev);
1385 ++
1386 ++ kref_put(&hub->kref, hub_release);
1387 + }
1388 +
1389 + /* Implement the continuations for the delays above */
1390 +@@ -1638,10 +1655,8 @@ void usb_set_device_state(struct usb_device *udev,
1391 + || new_state == USB_STATE_SUSPENDED)
1392 + ; /* No change to wakeup settings */
1393 + else if (new_state == USB_STATE_CONFIGURED)
1394 +- wakeup = (udev->quirks &
1395 +- USB_QUIRK_IGNORE_REMOTE_WAKEUP) ? 0 :
1396 +- udev->actconfig->desc.bmAttributes &
1397 +- USB_CONFIG_ATT_WAKEUP;
1398 ++ wakeup = udev->actconfig->desc.bmAttributes
1399 ++ & USB_CONFIG_ATT_WAKEUP;
1400 + else
1401 + wakeup = 0;
1402 + }
1403 +diff --git a/drivers/usb/core/otg_whitelist.h b/drivers/usb/core/otg_whitelist.h
1404 +index 2753cec61aaf..e8cdce571bb1 100644
1405 +--- a/drivers/usb/core/otg_whitelist.h
1406 ++++ b/drivers/usb/core/otg_whitelist.h
1407 +@@ -59,11 +59,6 @@ static int is_targeted(struct usb_device *dev)
1408 + le16_to_cpu(dev->descriptor.idProduct) == 0xbadd))
1409 + return 0;
1410 +
1411 +- /* OTG PET device is always targeted (see OTG 2.0 ECN 6.4.2) */
1412 +- if ((le16_to_cpu(dev->descriptor.idVendor) == 0x1a0a &&
1413 +- le16_to_cpu(dev->descriptor.idProduct) == 0x0200))
1414 +- return 1;
1415 +-
1416 + /* NOTE: can't use usb_match_id() since interface caches
1417 + * aren't set up yet. this is cut/paste from that code.
1418 + */
1419 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
1420 +index fd8e60ee7df2..90f04a8e859a 100644
1421 +--- a/drivers/usb/core/quirks.c
1422 ++++ b/drivers/usb/core/quirks.c
1423 +@@ -184,14 +184,6 @@ static const struct usb_device_id usb_interface_quirk_list[] = {
1424 + { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
1425 + .driver_info = USB_QUIRK_RESET_RESUME },
1426 +
1427 +- /* ASUS Base Station(T100) */
1428 +- { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
1429 +- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
1430 +-
1431 +- /* Protocol and OTG Electrical Test Device */
1432 +- { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
1433 +- USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
1434 +-
1435 + { } /* terminating entry must be last */
1436 + };
1437 +
1438 +diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c
1439 +index 76083ae92138..412b4feea17b 100644
1440 +--- a/drivers/usb/host/whci/qset.c
1441 ++++ b/drivers/usb/host/whci/qset.c
1442 +@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct whc *whc, struct whc_std *std, gfp_t mem_f
1443 + if (std->pl_virt == NULL)
1444 + return -ENOMEM;
1445 + std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len, DMA_TO_DEVICE);
1446 ++ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) {
1447 ++ kfree(std->pl_virt);
1448 ++ return -EFAULT;
1449 ++ }
1450 +
1451 + for (p = 0; p < std->num_pointers; p++) {
1452 + std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr);
1453 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
1454 +index 88be7a51df52..95ac4cf9d5bf 100644
1455 +--- a/drivers/usb/host/xhci.c
1456 ++++ b/drivers/usb/host/xhci.c
1457 +@@ -4123,8 +4123,16 @@ int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
1458 + ctrl_ctx->add_flags |= cpu_to_le32(SLOT_FLAG);
1459 + slot_ctx = xhci_get_slot_ctx(xhci, config_cmd->in_ctx);
1460 + slot_ctx->dev_info |= cpu_to_le32(DEV_HUB);
1461 ++ /*
1462 ++ * refer to section 6.2.2: MTT should be 0 for full speed hub,
1463 ++ * but it may be already set to 1 when setup an xHCI virtual
1464 ++ * device, so clear it anyway.
1465 ++ */
1466 + if (tt->multi)
1467 + slot_ctx->dev_info |= cpu_to_le32(DEV_MTT);
1468 ++ else if (hdev->speed == USB_SPEED_FULL)
1469 ++ slot_ctx->dev_info &= cpu_to_le32(~DEV_MTT);
1470 ++
1471 + if (xhci->hci_version > 0x95) {
1472 + xhci_dbg(xhci, "xHCI version %x needs hub "
1473 + "TT think time and number of ports\n",
1474 +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
1475 +index d3481c497be9..db25165ed16a 100644
1476 +--- a/drivers/usb/musb/musb_core.c
1477 ++++ b/drivers/usb/musb/musb_core.c
1478 +@@ -131,7 +131,7 @@ static inline struct musb *dev_to_musb(struct device *dev)
1479 + /*-------------------------------------------------------------------------*/
1480 +
1481 + #ifndef CONFIG_BLACKFIN
1482 +-static int musb_ulpi_read(struct usb_phy *phy, u32 offset)
1483 ++static int musb_ulpi_read(struct usb_phy *phy, u32 reg)
1484 + {
1485 + void __iomem *addr = phy->io_priv;
1486 + int i = 0;
1487 +@@ -150,7 +150,7 @@ static int musb_ulpi_read(struct usb_phy *phy, u32 offset)
1488 + * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM.
1489 + */
1490 +
1491 +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset);
1492 ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg);
1493 + musb_writeb(addr, MUSB_ULPI_REG_CONTROL,
1494 + MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR);
1495 +
1496 +@@ -175,7 +175,7 @@ out:
1497 + return ret;
1498 + }
1499 +
1500 +-static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data)
1501 ++static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg)
1502 + {
1503 + void __iomem *addr = phy->io_priv;
1504 + int i = 0;
1505 +@@ -190,8 +190,8 @@ static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data)
1506 + power &= ~MUSB_POWER_SUSPENDM;
1507 + musb_writeb(addr, MUSB_POWER, power);
1508 +
1509 +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset);
1510 +- musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data);
1511 ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg);
1512 ++ musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val);
1513 + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ);
1514 +
1515 + while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL)
1516 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
1517 +index 7a04e2c4e0af..b48444b84e40 100644
1518 +--- a/drivers/usb/serial/cp210x.c
1519 ++++ b/drivers/usb/serial/cp210x.c
1520 +@@ -138,7 +138,6 @@ static const struct usb_device_id id_table[] = {
1521 + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
1522 + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
1523 + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
1524 +- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */
1525 + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
1526 + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
1527 + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
1528 +diff --git a/drivers/usb/serial/ipaq.c b/drivers/usb/serial/ipaq.c
1529 +index 10c02b8b5664..af019a82c0d6 100644
1530 +--- a/drivers/usb/serial/ipaq.c
1531 ++++ b/drivers/usb/serial/ipaq.c
1532 +@@ -550,7 +550,8 @@ static int ipaq_open(struct tty_struct *tty,
1533 + * through. Since this has a reasonably high failure rate, we retry
1534 + * several times.
1535 + */
1536 +- while (retries--) {
1537 ++ while (retries) {
1538 ++ retries--;
1539 + result = usb_control_msg(serial->dev,
1540 + usb_sndctrlpipe(serial->dev, 0), 0x22, 0x21,
1541 + 0x1, 0, NULL, 0, 100);
1542 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
1543 +index cb999af237dd..1852ca6a33a3 100644
1544 +--- a/drivers/usb/serial/option.c
1545 ++++ b/drivers/usb/serial/option.c
1546 +@@ -162,6 +162,7 @@ static void option_instat_callback(struct urb *urb);
1547 + #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001
1548 + #define NOVATELWIRELESS_PRODUCT_E362 0x9010
1549 + #define NOVATELWIRELESS_PRODUCT_E371 0x9011
1550 ++#define NOVATELWIRELESS_PRODUCT_U620L 0x9022
1551 + #define NOVATELWIRELESS_PRODUCT_G2 0xA010
1552 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001
1553 +
1554 +@@ -351,6 +352,7 @@ static void option_instat_callback(struct urb *urb);
1555 + /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick *
1556 + * It seems to contain a Qualcomm QSC6240/6290 chipset */
1557 + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603
1558 ++#define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01
1559 +
1560 + /* iBall 3.5G connect wireless modem */
1561 + #define IBALL_3_5G_CONNECT 0x9605
1562 +@@ -524,6 +526,11 @@ static const struct option_blacklist_info four_g_w14_blacklist = {
1563 + .sendsetup = BIT(0) | BIT(1),
1564 + };
1565 +
1566 ++static const struct option_blacklist_info four_g_w100_blacklist = {
1567 ++ .sendsetup = BIT(1) | BIT(2),
1568 ++ .reserved = BIT(3),
1569 ++};
1570 ++
1571 + static const struct option_blacklist_info alcatel_x200_blacklist = {
1572 + .sendsetup = BIT(0) | BIT(1),
1573 + .reserved = BIT(4),
1574 +@@ -1045,6 +1052,7 @@ static const struct usb_device_id option_ids[] = {
1575 + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) },
1576 + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) },
1577 + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) },
1578 ++ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) },
1579 +
1580 + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) },
1581 + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) },
1582 +@@ -1619,6 +1627,9 @@ static const struct usb_device_id option_ids[] = {
1583 + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
1584 + .driver_info = (kernel_ulong_t)&four_g_w14_blacklist
1585 + },
1586 ++ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100),
1587 ++ .driver_info = (kernel_ulong_t)&four_g_w100_blacklist
1588 ++ },
1589 + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
1590 + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
1591 + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
1592 +diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
1593 +index 257577977d23..974c4fa30b14 100644
1594 +--- a/drivers/usb/serial/ti_usb_3410_5052.c
1595 ++++ b/drivers/usb/serial/ti_usb_3410_5052.c
1596 +@@ -164,7 +164,7 @@ static unsigned int product_5052_count;
1597 + /* the array dimension is the number of default entries plus */
1598 + /* TI_EXTRA_VID_PID_COUNT user defined entries plus 1 terminating */
1599 + /* null entry */
1600 +-static struct usb_device_id ti_id_table_3410[15+TI_EXTRA_VID_PID_COUNT+1] = {
1601 ++static struct usb_device_id ti_id_table_3410[16+TI_EXTRA_VID_PID_COUNT+1] = {
1602 + { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) },
1603 + { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) },
1604 + { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) },
1605 +@@ -190,7 +190,7 @@ static struct usb_device_id ti_id_table_5052[5+TI_EXTRA_VID_PID_COUNT+1] = {
1606 + { USB_DEVICE(TI_VENDOR_ID, TI_5052_FIRMWARE_PRODUCT_ID) },
1607 + };
1608 +
1609 +-static struct usb_device_id ti_id_table_combined[19+2*TI_EXTRA_VID_PID_COUNT+1] = {
1610 ++static struct usb_device_id ti_id_table_combined[20+2*TI_EXTRA_VID_PID_COUNT+1] = {
1611 + { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) },
1612 + { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) },
1613 + { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) },
1614 +diff --git a/drivers/xen/xen-pciback/pciback.h b/drivers/xen/xen-pciback/pciback.h
1615 +index a7def010eba3..7a642e3e049c 100644
1616 +--- a/drivers/xen/xen-pciback/pciback.h
1617 ++++ b/drivers/xen/xen-pciback/pciback.h
1618 +@@ -37,6 +37,7 @@ struct xen_pcibk_device {
1619 + struct xen_pci_sharedinfo *sh_info;
1620 + unsigned long flags;
1621 + struct work_struct op_work;
1622 ++ struct xen_pci_op op;
1623 + };
1624 +
1625 + struct xen_pcibk_dev_data {
1626 +diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
1627 +index d52703c5821a..3d0c70a81208 100644
1628 +--- a/drivers/xen/xen-pciback/pciback_ops.c
1629 ++++ b/drivers/xen/xen-pciback/pciback_ops.c
1630 +@@ -69,6 +69,13 @@ static void xen_pcibk_control_isr(struct pci_dev *dev, int reset)
1631 + enable ? "enable" : "disable");
1632 +
1633 + if (enable) {
1634 ++ /*
1635 ++ * The MSI or MSI-X should not have an IRQ handler. Otherwise
1636 ++ * if the guest terminates we BUG_ON in free_msi_irqs.
1637 ++ */
1638 ++ if (dev->msi_enabled || dev->msix_enabled)
1639 ++ goto out;
1640 ++
1641 + rc = request_irq(dev_data->irq,
1642 + xen_pcibk_guest_interrupt, IRQF_SHARED,
1643 + dev_data->irq_name, dev);
1644 +@@ -143,7 +150,12 @@ int xen_pcibk_enable_msi(struct xen_pcibk_device *pdev,
1645 + if (unlikely(verbose_request))
1646 + printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev));
1647 +
1648 +- status = pci_enable_msi(dev);
1649 ++ if (dev->msi_enabled)
1650 ++ status = -EALREADY;
1651 ++ else if (dev->msix_enabled)
1652 ++ status = -ENXIO;
1653 ++ else
1654 ++ status = pci_enable_msi(dev);
1655 +
1656 + if (status) {
1657 + pr_warn_ratelimited(DRV_NAME ": %s: error enabling MSI for guest %u: err %d\n",
1658 +@@ -172,20 +184,23 @@ static
1659 + int xen_pcibk_disable_msi(struct xen_pcibk_device *pdev,
1660 + struct pci_dev *dev, struct xen_pci_op *op)
1661 + {
1662 +- struct xen_pcibk_dev_data *dev_data;
1663 +-
1664 + if (unlikely(verbose_request))
1665 + printk(KERN_DEBUG DRV_NAME ": %s: disable MSI\n",
1666 + pci_name(dev));
1667 +- pci_disable_msi(dev);
1668 +
1669 ++ if (dev->msi_enabled) {
1670 ++ struct xen_pcibk_dev_data *dev_data;
1671 ++
1672 ++ pci_disable_msi(dev);
1673 ++
1674 ++ dev_data = pci_get_drvdata(dev);
1675 ++ if (dev_data)
1676 ++ dev_data->ack_intr = 1;
1677 ++ }
1678 + op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
1679 + if (unlikely(verbose_request))
1680 + printk(KERN_DEBUG DRV_NAME ": %s: MSI: %d\n", pci_name(dev),
1681 + op->value);
1682 +- dev_data = pci_get_drvdata(dev);
1683 +- if (dev_data)
1684 +- dev_data->ack_intr = 1;
1685 + return 0;
1686 + }
1687 +
1688 +@@ -196,13 +211,26 @@ int xen_pcibk_enable_msix(struct xen_pcibk_device *pdev,
1689 + struct xen_pcibk_dev_data *dev_data;
1690 + int i, result;
1691 + struct msix_entry *entries;
1692 ++ u16 cmd;
1693 +
1694 + if (unlikely(verbose_request))
1695 + printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n",
1696 + pci_name(dev));
1697 ++
1698 + if (op->value > SH_INFO_MAX_VEC)
1699 + return -EINVAL;
1700 +
1701 ++ if (dev->msix_enabled)
1702 ++ return -EALREADY;
1703 ++
1704 ++ /*
1705 ++ * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
1706 ++ * to access the BARs where the MSI-X entries reside.
1707 ++ */
1708 ++ pci_read_config_word(dev, PCI_COMMAND, &cmd);
1709 ++ if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
1710 ++ return -ENXIO;
1711 ++
1712 + entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL);
1713 + if (entries == NULL)
1714 + return -ENOMEM;
1715 +@@ -244,23 +272,27 @@ static
1716 + int xen_pcibk_disable_msix(struct xen_pcibk_device *pdev,
1717 + struct pci_dev *dev, struct xen_pci_op *op)
1718 + {
1719 +- struct xen_pcibk_dev_data *dev_data;
1720 + if (unlikely(verbose_request))
1721 + printk(KERN_DEBUG DRV_NAME ": %s: disable MSI-X\n",
1722 + pci_name(dev));
1723 +- pci_disable_msix(dev);
1724 +
1725 ++ if (dev->msix_enabled) {
1726 ++ struct xen_pcibk_dev_data *dev_data;
1727 ++
1728 ++ pci_disable_msix(dev);
1729 ++
1730 ++ dev_data = pci_get_drvdata(dev);
1731 ++ if (dev_data)
1732 ++ dev_data->ack_intr = 1;
1733 ++ }
1734 + /*
1735 + * SR-IOV devices (which don't have any legacy IRQ) have
1736 + * an undefined IRQ value of zero.
1737 + */
1738 + op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
1739 + if (unlikely(verbose_request))
1740 +- printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n", pci_name(dev),
1741 +- op->value);
1742 +- dev_data = pci_get_drvdata(dev);
1743 +- if (dev_data)
1744 +- dev_data->ack_intr = 1;
1745 ++ printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n",
1746 ++ pci_name(dev), op->value);
1747 + return 0;
1748 + }
1749 + #endif
1750 +@@ -297,9 +329,14 @@ void xen_pcibk_do_op(struct work_struct *data)
1751 + container_of(data, struct xen_pcibk_device, op_work);
1752 + struct pci_dev *dev;
1753 + struct xen_pcibk_dev_data *dev_data = NULL;
1754 +- struct xen_pci_op *op = &pdev->sh_info->op;
1755 ++ struct xen_pci_op *op = &pdev->op;
1756 + int test_intx = 0;
1757 ++#ifdef CONFIG_PCI_MSI
1758 ++ unsigned int nr = 0;
1759 ++#endif
1760 +
1761 ++ *op = pdev->sh_info->op;
1762 ++ barrier();
1763 + dev = xen_pcibk_get_pci_dev(pdev, op->domain, op->bus, op->devfn);
1764 +
1765 + if (dev == NULL)
1766 +@@ -325,6 +362,7 @@ void xen_pcibk_do_op(struct work_struct *data)
1767 + op->err = xen_pcibk_disable_msi(pdev, dev, op);
1768 + break;
1769 + case XEN_PCI_OP_enable_msix:
1770 ++ nr = op->value;
1771 + op->err = xen_pcibk_enable_msix(pdev, dev, op);
1772 + break;
1773 + case XEN_PCI_OP_disable_msix:
1774 +@@ -341,6 +379,17 @@ void xen_pcibk_do_op(struct work_struct *data)
1775 + if ((dev_data->enable_intx != test_intx))
1776 + xen_pcibk_control_isr(dev, 0 /* no reset */);
1777 + }
1778 ++ pdev->sh_info->op.err = op->err;
1779 ++ pdev->sh_info->op.value = op->value;
1780 ++#ifdef CONFIG_PCI_MSI
1781 ++ if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
1782 ++ unsigned int i;
1783 ++
1784 ++ for (i = 0; i < nr; i++)
1785 ++ pdev->sh_info->op.msix_entries[i].vector =
1786 ++ op->msix_entries[i].vector;
1787 ++ }
1788 ++#endif
1789 + /* Tell the driver domain that we're done. */
1790 + wmb();
1791 + clear_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags);
1792 +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
1793 +index c9b32dcf820d..116e43f89325 100644
1794 +--- a/fs/9p/vfs_inode.c
1795 ++++ b/fs/9p/vfs_inode.c
1796 +@@ -447,9 +447,9 @@ void v9fs_evict_inode(struct inode *inode)
1797 + {
1798 + struct v9fs_inode *v9inode = V9FS_I(inode);
1799 +
1800 +- truncate_inode_pages(inode->i_mapping, 0);
1801 ++ truncate_inode_pages(&inode->i_data, 0);
1802 + end_writeback(inode);
1803 +- filemap_fdatawrite(inode->i_mapping);
1804 ++ filemap_fdatawrite(&inode->i_data);
1805 +
1806 + #ifdef CONFIG_9P_FSCACHE
1807 + v9fs_cache_inode_put_cookie(inode);
1808 +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
1809 +index a181b58cedd5..a54779243735 100644
1810 +--- a/fs/binfmt_elf.c
1811 ++++ b/fs/binfmt_elf.c
1812 +@@ -668,16 +668,16 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
1813 + */
1814 + would_dump(bprm, interpreter);
1815 +
1816 +- retval = kernel_read(interpreter, 0, bprm->buf,
1817 +- BINPRM_BUF_SIZE);
1818 +- if (retval != BINPRM_BUF_SIZE) {
1819 ++ /* Get the exec headers */
1820 ++ retval = kernel_read(interpreter, 0,
1821 ++ (void *)&loc->interp_elf_ex,
1822 ++ sizeof(loc->interp_elf_ex));
1823 ++ if (retval != sizeof(loc->interp_elf_ex)) {
1824 + if (retval >= 0)
1825 + retval = -EIO;
1826 + goto out_free_dentry;
1827 + }
1828 +
1829 +- /* Get the exec headers */
1830 +- loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);
1831 + break;
1832 + }
1833 + elf_ppnt++;
1834 +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
1835 +index 575c1902d38d..d460390484a8 100644
1836 +--- a/fs/btrfs/inode.c
1837 ++++ b/fs/btrfs/inode.c
1838 +@@ -1203,8 +1203,14 @@ next_slot:
1839 + num_bytes = 0;
1840 + btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]);
1841 +
1842 +- if (found_key.objectid > ino ||
1843 +- found_key.type > BTRFS_EXTENT_DATA_KEY ||
1844 ++ if (found_key.objectid > ino)
1845 ++ break;
1846 ++ if (WARN_ON_ONCE(found_key.objectid < ino) ||
1847 ++ found_key.type < BTRFS_EXTENT_DATA_KEY) {
1848 ++ path->slots[0]++;
1849 ++ goto next_slot;
1850 ++ }
1851 ++ if (found_key.type > BTRFS_EXTENT_DATA_KEY ||
1852 + found_key.offset > end)
1853 + break;
1854 +
1855 +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
1856 +index b4d2438da9a5..00d942540e6c 100644
1857 +--- a/fs/cachefiles/rdwr.c
1858 ++++ b/fs/cachefiles/rdwr.c
1859 +@@ -914,6 +914,15 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page)
1860 + cache = container_of(object->fscache.cache,
1861 + struct cachefiles_cache, cache);
1862 +
1863 ++ pos = (loff_t)page->index << PAGE_SHIFT;
1864 ++
1865 ++ /* We mustn't write more data than we have, so we have to beware of a
1866 ++ * partial page at EOF.
1867 ++ */
1868 ++ eof = object->fscache.store_limit_l;
1869 ++ if (pos >= eof)
1870 ++ goto error;
1871 ++
1872 + /* write the page to the backing filesystem and let it store it in its
1873 + * own time */
1874 + dget(object->backer);
1875 +@@ -922,47 +931,46 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page)
1876 + cache->cache_cred);
1877 + if (IS_ERR(file)) {
1878 + ret = PTR_ERR(file);
1879 +- } else {
1880 ++ goto error_2;
1881 ++ }
1882 ++ if (!file->f_op->write) {
1883 + ret = -EIO;
1884 +- if (file->f_op->write) {
1885 +- pos = (loff_t) page->index << PAGE_SHIFT;
1886 +-
1887 +- /* we mustn't write more data than we have, so we have
1888 +- * to beware of a partial page at EOF */
1889 +- eof = object->fscache.store_limit_l;
1890 +- len = PAGE_SIZE;
1891 +- if (eof & ~PAGE_MASK) {
1892 +- ASSERTCMP(pos, <, eof);
1893 +- if (eof - pos < PAGE_SIZE) {
1894 +- _debug("cut short %llx to %llx",
1895 +- pos, eof);
1896 +- len = eof - pos;
1897 +- ASSERTCMP(pos + len, ==, eof);
1898 +- }
1899 +- }
1900 ++ goto error_2;
1901 ++ }
1902 +
1903 +- data = kmap(page);
1904 +- old_fs = get_fs();
1905 +- set_fs(KERNEL_DS);
1906 +- ret = file->f_op->write(
1907 +- file, (const void __user *) data, len, &pos);
1908 +- set_fs(old_fs);
1909 +- kunmap(page);
1910 +- if (ret != len)
1911 +- ret = -EIO;
1912 ++ len = PAGE_SIZE;
1913 ++ if (eof & ~PAGE_MASK) {
1914 ++ if (eof - pos < PAGE_SIZE) {
1915 ++ _debug("cut short %llx to %llx",
1916 ++ pos, eof);
1917 ++ len = eof - pos;
1918 ++ ASSERTCMP(pos + len, ==, eof);
1919 + }
1920 +- fput(file);
1921 + }
1922 +
1923 +- if (ret < 0) {
1924 +- if (ret == -EIO)
1925 +- cachefiles_io_error_obj(
1926 +- object, "Write page to backing file failed");
1927 +- ret = -ENOBUFS;
1928 +- }
1929 ++ data = kmap(page);
1930 ++ old_fs = get_fs();
1931 ++ set_fs(KERNEL_DS);
1932 ++ ret = file->f_op->write(
1933 ++ file, (const void __user *) data, len, &pos);
1934 ++ set_fs(old_fs);
1935 ++ kunmap(page);
1936 ++ fput(file);
1937 ++ if (ret != len)
1938 ++ goto error_eio;
1939 ++
1940 ++ _leave(" = 0");
1941 ++ return 0;
1942 +
1943 +- _leave(" = %d", ret);
1944 +- return ret;
1945 ++error_eio:
1946 ++ ret = -EIO;
1947 ++error_2:
1948 ++ if (ret == -EIO)
1949 ++ cachefiles_io_error_obj(object,
1950 ++ "Write page to backing file failed");
1951 ++error:
1952 ++ _leave(" = -ENOBUFS [%d]", ret);
1953 ++ return -ENOBUFS;
1954 + }
1955 +
1956 + /*
1957 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
1958 +index b9cdb6df8d2b..aedf75fd62b4 100644
1959 +--- a/fs/ext4/ext4.h
1960 ++++ b/fs/ext4/ext4.h
1961 +@@ -26,6 +26,7 @@
1962 + #include <linux/seqlock.h>
1963 + #include <linux/mutex.h>
1964 + #include <linux/timer.h>
1965 ++#include <linux/version.h>
1966 + #include <linux/wait.h>
1967 + #include <linux/blockgroup_lock.h>
1968 + #include <linux/percpu_counter.h>
1969 +@@ -704,19 +705,55 @@ struct move_extent {
1970 + <= (EXT4_GOOD_OLD_INODE_SIZE + \
1971 + (einode)->i_extra_isize)) \
1972 +
1973 ++/*
1974 ++ * We use an encoding that preserves the times for extra epoch "00":
1975 ++ *
1976 ++ * extra msb of adjust for signed
1977 ++ * epoch 32-bit 32-bit tv_sec to
1978 ++ * bits time decoded 64-bit tv_sec 64-bit tv_sec valid time range
1979 ++ * 0 0 1 -0x80000000..-0x00000001 0x000000000 1901-12-13..1969-12-31
1980 ++ * 0 0 0 0x000000000..0x07fffffff 0x000000000 1970-01-01..2038-01-19
1981 ++ * 0 1 1 0x080000000..0x0ffffffff 0x100000000 2038-01-19..2106-02-07
1982 ++ * 0 1 0 0x100000000..0x17fffffff 0x100000000 2106-02-07..2174-02-25
1983 ++ * 1 0 1 0x180000000..0x1ffffffff 0x200000000 2174-02-25..2242-03-16
1984 ++ * 1 0 0 0x200000000..0x27fffffff 0x200000000 2242-03-16..2310-04-04
1985 ++ * 1 1 1 0x280000000..0x2ffffffff 0x300000000 2310-04-04..2378-04-22
1986 ++ * 1 1 0 0x300000000..0x37fffffff 0x300000000 2378-04-22..2446-05-10
1987 ++ *
1988 ++ * Note that previous versions of the kernel on 64-bit systems would
1989 ++ * incorrectly use extra epoch bits 1,1 for dates between 1901 and
1990 ++ * 1970. e2fsck will correct this, assuming that it is run on the
1991 ++ * affected filesystem before 2242.
1992 ++ */
1993 ++
1994 + static inline __le32 ext4_encode_extra_time(struct timespec *time)
1995 + {
1996 +- return cpu_to_le32((sizeof(time->tv_sec) > 4 ?
1997 +- (time->tv_sec >> 32) & EXT4_EPOCH_MASK : 0) |
1998 +- ((time->tv_nsec << EXT4_EPOCH_BITS) & EXT4_NSEC_MASK));
1999 ++ u32 extra = sizeof(time->tv_sec) > 4 ?
2000 ++ ((time->tv_sec - (s32)time->tv_sec) >> 32) & EXT4_EPOCH_MASK : 0;
2001 ++ return cpu_to_le32(extra | (time->tv_nsec << EXT4_EPOCH_BITS));
2002 + }
2003 +
2004 + static inline void ext4_decode_extra_time(struct timespec *time, __le32 extra)
2005 + {
2006 +- if (sizeof(time->tv_sec) > 4)
2007 +- time->tv_sec |= (__u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK)
2008 +- << 32;
2009 +- time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS;
2010 ++ if (unlikely(sizeof(time->tv_sec) > 4 &&
2011 ++ (extra & cpu_to_le32(EXT4_EPOCH_MASK)))) {
2012 ++#if LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0)
2013 ++ /* Handle legacy encoding of pre-1970 dates with epoch
2014 ++ * bits 1,1. We assume that by kernel version 4.20,
2015 ++ * everyone will have run fsck over the affected
2016 ++ * filesystems to correct the problem. (This
2017 ++ * backwards compatibility may be removed before this
2018 ++ * time, at the discretion of the ext4 developers.)
2019 ++ */
2020 ++ u64 extra_bits = le32_to_cpu(extra) & EXT4_EPOCH_MASK;
2021 ++ if (extra_bits == 3 && ((time->tv_sec) & 0x80000000) != 0)
2022 ++ extra_bits = 0;
2023 ++ time->tv_sec += extra_bits << 32;
2024 ++#else
2025 ++ time->tv_sec += (u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) << 32;
2026 ++#endif
2027 ++ }
2028 ++ time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS;
2029 + }
2030 +
2031 + #define EXT4_INODE_SET_XTIME(xtime, inode, raw_inode) \
2032 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
2033 +index 3de888c3894a..5862518c6737 100644
2034 +--- a/fs/ext4/super.c
2035 ++++ b/fs/ext4/super.c
2036 +@@ -483,9 +483,13 @@ static void ext4_handle_error(struct super_block *sb)
2037 + ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only");
2038 + sb->s_flags |= MS_RDONLY;
2039 + }
2040 +- if (test_opt(sb, ERRORS_PANIC))
2041 ++ if (test_opt(sb, ERRORS_PANIC)) {
2042 ++ if (EXT4_SB(sb)->s_journal &&
2043 ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
2044 ++ return;
2045 + panic("EXT4-fs (device %s): panic forced after error\n",
2046 + sb->s_id);
2047 ++ }
2048 + }
2049 +
2050 + void __ext4_error(struct super_block *sb, const char *function,
2051 +@@ -659,8 +663,12 @@ void __ext4_abort(struct super_block *sb, const char *function,
2052 + jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO);
2053 + save_error_info(sb, function, line);
2054 + }
2055 +- if (test_opt(sb, ERRORS_PANIC))
2056 ++ if (test_opt(sb, ERRORS_PANIC)) {
2057 ++ if (EXT4_SB(sb)->s_journal &&
2058 ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
2059 ++ return;
2060 + panic("EXT4-fs panic from previous error\n");
2061 ++ }
2062 + }
2063 +
2064 + void ext4_msg(struct super_block *sb, const char *prefix, const char *fmt, ...)
2065 +diff --git a/fs/fscache/netfs.c b/fs/fscache/netfs.c
2066 +index e028b8eb1c40..6f4e4ed0c8e3 100644
2067 +--- a/fs/fscache/netfs.c
2068 ++++ b/fs/fscache/netfs.c
2069 +@@ -22,6 +22,7 @@ static LIST_HEAD(fscache_netfs_list);
2070 + int __fscache_register_netfs(struct fscache_netfs *netfs)
2071 + {
2072 + struct fscache_netfs *ptr;
2073 ++ struct fscache_cookie *cookie;
2074 + int ret;
2075 +
2076 + _enter("{%s}", netfs->name);
2077 +@@ -29,27 +30,23 @@ int __fscache_register_netfs(struct fscache_netfs *netfs)
2078 + INIT_LIST_HEAD(&netfs->link);
2079 +
2080 + /* allocate a cookie for the primary index */
2081 +- netfs->primary_index =
2082 +- kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL);
2083 ++ cookie = kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL);
2084 +
2085 +- if (!netfs->primary_index) {
2086 ++ if (!cookie) {
2087 + _leave(" = -ENOMEM");
2088 + return -ENOMEM;
2089 + }
2090 +
2091 + /* initialise the primary index cookie */
2092 +- atomic_set(&netfs->primary_index->usage, 1);
2093 +- atomic_set(&netfs->primary_index->n_children, 0);
2094 ++ atomic_set(&cookie->usage, 1);
2095 ++ atomic_set(&cookie->n_children, 0);
2096 +
2097 +- netfs->primary_index->def = &fscache_fsdef_netfs_def;
2098 +- netfs->primary_index->parent = &fscache_fsdef_index;
2099 +- netfs->primary_index->netfs_data = netfs;
2100 ++ cookie->def = &fscache_fsdef_netfs_def;
2101 ++ cookie->parent = &fscache_fsdef_index;
2102 ++ cookie->netfs_data = netfs;
2103 +
2104 +- atomic_inc(&netfs->primary_index->parent->usage);
2105 +- atomic_inc(&netfs->primary_index->parent->n_children);
2106 +-
2107 +- spin_lock_init(&netfs->primary_index->lock);
2108 +- INIT_HLIST_HEAD(&netfs->primary_index->backing_objects);
2109 ++ spin_lock_init(&cookie->lock);
2110 ++ INIT_HLIST_HEAD(&cookie->backing_objects);
2111 +
2112 + /* check the netfs type is not already present */
2113 + down_write(&fscache_addremove_sem);
2114 +@@ -60,6 +57,10 @@ int __fscache_register_netfs(struct fscache_netfs *netfs)
2115 + goto already_registered;
2116 + }
2117 +
2118 ++ atomic_inc(&cookie->parent->usage);
2119 ++ atomic_inc(&cookie->parent->n_children);
2120 ++
2121 ++ netfs->primary_index = cookie;
2122 + list_add(&netfs->link, &fscache_netfs_list);
2123 + ret = 0;
2124 +
2125 +@@ -69,11 +70,8 @@ int __fscache_register_netfs(struct fscache_netfs *netfs)
2126 + already_registered:
2127 + up_write(&fscache_addremove_sem);
2128 +
2129 +- if (ret < 0) {
2130 +- netfs->primary_index->parent = NULL;
2131 +- __fscache_cookie_put(netfs->primary_index);
2132 +- netfs->primary_index = NULL;
2133 +- }
2134 ++ if (ret < 0)
2135 ++ kmem_cache_free(fscache_cookie_jar, cookie);
2136 +
2137 + _leave(" = %d", ret);
2138 + return ret;
2139 +diff --git a/fs/fscache/page.c b/fs/fscache/page.c
2140 +index 3f7a59bfa7ad..c9d52e1a8fa9 100644
2141 +--- a/fs/fscache/page.c
2142 ++++ b/fs/fscache/page.c
2143 +@@ -676,7 +676,7 @@ static void fscache_write_op(struct fscache_operation *_op)
2144 + goto superseded;
2145 + page = results[0];
2146 + _debug("gang %d [%lx]", n, page->index);
2147 +- if (page->index > op->store_limit) {
2148 ++ if (page->index >= op->store_limit) {
2149 + fscache_stat(&fscache_n_store_pages_over_limit);
2150 + goto superseded;
2151 + }
2152 +diff --git a/fs/fuse/file.c b/fs/fuse/file.c
2153 +index e4f1f1ace347..951457a2da6b 100644
2154 +--- a/fs/fuse/file.c
2155 ++++ b/fs/fuse/file.c
2156 +@@ -846,6 +846,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
2157 +
2158 + mark_page_accessed(page);
2159 +
2160 ++ iov_iter_advance(ii, tmp);
2161 + if (!tmp) {
2162 + unlock_page(page);
2163 + page_cache_release(page);
2164 +@@ -857,7 +858,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
2165 + req->pages[req->num_pages] = page;
2166 + req->num_pages++;
2167 +
2168 +- iov_iter_advance(ii, tmp);
2169 + count += tmp;
2170 + pos += tmp;
2171 + offset += tmp;
2172 +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
2173 +index a3279442bf30..2e3063c76ab6 100644
2174 +--- a/fs/jbd2/journal.c
2175 ++++ b/fs/jbd2/journal.c
2176 +@@ -1921,8 +1921,12 @@ static void __journal_abort_soft (journal_t *journal, int errno)
2177 +
2178 + __jbd2_journal_abort_hard(journal);
2179 +
2180 +- if (errno)
2181 ++ if (errno) {
2182 + jbd2_journal_update_sb_errno(journal);
2183 ++ write_lock(&journal->j_state_lock);
2184 ++ journal->j_flags |= JBD2_REC_ERR;
2185 ++ write_unlock(&journal->j_state_lock);
2186 ++ }
2187 + }
2188 +
2189 + /**
2190 +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
2191 +index f512c690d38e..51a743e6307b 100644
2192 +--- a/fs/jbd2/transaction.c
2193 ++++ b/fs/jbd2/transaction.c
2194 +@@ -1904,6 +1904,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh)
2195 +
2196 + if (!buffer_dirty(bh)) {
2197 + /* bdflush has written it. We can drop it now */
2198 ++ __jbd2_journal_remove_checkpoint(jh);
2199 + goto zap_buffer;
2200 + }
2201 +
2202 +@@ -1941,6 +1942,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh)
2203 + /* The orphan record's transaction has
2204 + * committed. We can cleanse this buffer */
2205 + clear_buffer_jbddirty(bh);
2206 ++ __jbd2_journal_remove_checkpoint(jh);
2207 + goto zap_buffer;
2208 + }
2209 + }
2210 +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
2211 +index a6d59054e8b3..bf980b5821cc 100644
2212 +--- a/fs/nfs/inode.c
2213 ++++ b/fs/nfs/inode.c
2214 +@@ -1458,7 +1458,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
2215 + nfsi->attrtimeo_timestamp = now;
2216 + }
2217 + }
2218 +- invalid &= ~NFS_INO_INVALID_ATTR;
2219 ++
2220 ++ /* Don't declare attrcache up to date if there were no attrs! */
2221 ++ if (fattr->valid != 0)
2222 ++ invalid &= ~NFS_INO_INVALID_ATTR;
2223 ++
2224 + /* Don't invalidate the data if we were to blame */
2225 + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)
2226 + || S_ISLNK(inode->i_mode)))
2227 +diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
2228 +index ec55add7604a..2ca64fab715c 100644
2229 +--- a/fs/ocfs2/resize.c
2230 ++++ b/fs/ocfs2/resize.c
2231 +@@ -56,11 +56,12 @@ static u16 ocfs2_calc_new_backup_super(struct inode *inode,
2232 + int new_clusters,
2233 + u32 first_new_cluster,
2234 + u16 cl_cpg,
2235 ++ u16 old_bg_clusters,
2236 + int set)
2237 + {
2238 + int i;
2239 + u16 backups = 0;
2240 +- u32 cluster;
2241 ++ u32 cluster, lgd_cluster;
2242 + u64 blkno, gd_blkno, lgd_blkno = le64_to_cpu(gd->bg_blkno);
2243 +
2244 + for (i = 0; i < OCFS2_MAX_BACKUP_SUPERBLOCKS; i++) {
2245 +@@ -73,6 +74,12 @@ static u16 ocfs2_calc_new_backup_super(struct inode *inode,
2246 + else if (gd_blkno > lgd_blkno)
2247 + break;
2248 +
2249 ++ /* check if already done backup super */
2250 ++ lgd_cluster = ocfs2_blocks_to_clusters(inode->i_sb, lgd_blkno);
2251 ++ lgd_cluster += old_bg_clusters;
2252 ++ if (lgd_cluster >= cluster)
2253 ++ continue;
2254 ++
2255 + if (set)
2256 + ocfs2_set_bit(cluster % cl_cpg,
2257 + (unsigned long *)gd->bg_bitmap);
2258 +@@ -101,6 +108,7 @@ static int ocfs2_update_last_group_and_inode(handle_t *handle,
2259 + u16 chain, num_bits, backups = 0;
2260 + u16 cl_bpc = le16_to_cpu(cl->cl_bpc);
2261 + u16 cl_cpg = le16_to_cpu(cl->cl_cpg);
2262 ++ u16 old_bg_clusters;
2263 +
2264 + trace_ocfs2_update_last_group_and_inode(new_clusters,
2265 + first_new_cluster);
2266 +@@ -114,6 +122,7 @@ static int ocfs2_update_last_group_and_inode(handle_t *handle,
2267 +
2268 + group = (struct ocfs2_group_desc *)group_bh->b_data;
2269 +
2270 ++ old_bg_clusters = le16_to_cpu(group->bg_bits) / cl_bpc;
2271 + /* update the group first. */
2272 + num_bits = new_clusters * cl_bpc;
2273 + le16_add_cpu(&group->bg_bits, num_bits);
2274 +@@ -129,7 +138,7 @@ static int ocfs2_update_last_group_and_inode(handle_t *handle,
2275 + group,
2276 + new_clusters,
2277 + first_new_cluster,
2278 +- cl_cpg, 1);
2279 ++ cl_cpg, old_bg_clusters, 1);
2280 + le16_add_cpu(&group->bg_free_bits_count, -1 * backups);
2281 + }
2282 +
2283 +@@ -169,7 +178,7 @@ out_rollback:
2284 + group,
2285 + new_clusters,
2286 + first_new_cluster,
2287 +- cl_cpg, 0);
2288 ++ cl_cpg, old_bg_clusters, 0);
2289 + le16_add_cpu(&group->bg_free_bits_count, backups);
2290 + le16_add_cpu(&group->bg_bits, -1 * num_bits);
2291 + le16_add_cpu(&group->bg_free_bits_count, -1 * num_bits);
2292 +diff --git a/fs/splice.c b/fs/splice.c
2293 +index 286417764d6b..8b97331b3b14 100644
2294 +--- a/fs/splice.c
2295 ++++ b/fs/splice.c
2296 +@@ -850,6 +850,13 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
2297 + */
2298 + int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
2299 + {
2300 ++ /*
2301 ++ * Check for signal early to make process killable when there are
2302 ++ * always buffers available
2303 ++ */
2304 ++ if (signal_pending(current))
2305 ++ return -ERESTARTSYS;
2306 ++
2307 + while (!pipe->nrbufs) {
2308 + if (!pipe->writers)
2309 + return 0;
2310 +@@ -928,6 +935,7 @@ ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
2311 +
2312 + splice_from_pipe_begin(sd);
2313 + do {
2314 ++ cond_resched();
2315 + ret = splice_from_pipe_next(pipe, sd);
2316 + if (ret > 0)
2317 + ret = splice_from_pipe_feed(pipe, sd, actor);
2318 +diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
2319 +index 3da5ce25faf0..fcdd63c71a2b 100644
2320 +--- a/fs/sysv/inode.c
2321 ++++ b/fs/sysv/inode.c
2322 +@@ -176,14 +176,8 @@ void sysv_set_inode(struct inode *inode, dev_t rdev)
2323 + inode->i_fop = &sysv_dir_operations;
2324 + inode->i_mapping->a_ops = &sysv_aops;
2325 + } else if (S_ISLNK(inode->i_mode)) {
2326 +- if (inode->i_blocks) {
2327 +- inode->i_op = &sysv_symlink_inode_operations;
2328 +- inode->i_mapping->a_ops = &sysv_aops;
2329 +- } else {
2330 +- inode->i_op = &sysv_fast_symlink_inode_operations;
2331 +- nd_terminate_link(SYSV_I(inode)->i_data, inode->i_size,
2332 +- sizeof(SYSV_I(inode)->i_data) - 1);
2333 +- }
2334 ++ inode->i_op = &sysv_symlink_inode_operations;
2335 ++ inode->i_mapping->a_ops = &sysv_aops;
2336 + } else
2337 + init_special_inode(inode, inode->i_mode, rdev);
2338 + }
2339 +diff --git a/include/linux/acpi.h b/include/linux/acpi.h
2340 +index f421dd84f29d..668351a6a683 100644
2341 +--- a/include/linux/acpi.h
2342 ++++ b/include/linux/acpi.h
2343 +@@ -110,6 +110,12 @@ int acpi_unregister_ioapic(acpi_handle handle, u32 gsi_base);
2344 + void acpi_irq_stats_init(void);
2345 + extern u32 acpi_irq_handled;
2346 + extern u32 acpi_irq_not_handled;
2347 ++extern unsigned int acpi_sci_irq;
2348 ++#define INVALID_ACPI_IRQ ((unsigned)-1)
2349 ++static inline bool acpi_sci_irq_valid(void)
2350 ++{
2351 ++ return acpi_sci_irq != INVALID_ACPI_IRQ;
2352 ++}
2353 +
2354 + extern int sbf_port;
2355 + extern unsigned long acpi_realmode_flags;
2356 +diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
2357 +index 9a33c5f7e126..f6c229e2bffa 100644
2358 +--- a/include/linux/enclosure.h
2359 ++++ b/include/linux/enclosure.h
2360 +@@ -29,7 +29,11 @@
2361 + /* A few generic types ... taken from ses-2 */
2362 + enum enclosure_component_type {
2363 + ENCLOSURE_COMPONENT_DEVICE = 0x01,
2364 ++ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
2365 ++ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
2366 ++ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
2367 + ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
2368 ++ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
2369 + };
2370 +
2371 + /* ses-2 common element status */
2372 +diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
2373 +index 2179d78b6ea6..ee8090f33757 100644
2374 +--- a/include/linux/jbd2.h
2375 ++++ b/include/linux/jbd2.h
2376 +@@ -954,6 +954,7 @@ struct journal_s
2377 + #define JBD2_ABORT_ON_SYNCDATA_ERR 0x040 /* Abort the journal on file
2378 + * data write error in ordered
2379 + * mode */
2380 ++#define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */
2381 +
2382 + /*
2383 + * Function declarations for the journaling transaction and buffer
2384 +diff --git a/include/linux/mm.h b/include/linux/mm.h
2385 +index ceebf63ef5da..ef706abe56be 100644
2386 +--- a/include/linux/mm.h
2387 ++++ b/include/linux/mm.h
2388 +@@ -1525,6 +1525,7 @@ struct page *follow_page(struct vm_area_struct *, unsigned long address,
2389 + #define FOLL_MLOCK 0x40 /* mark page as mlocked */
2390 + #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */
2391 + #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
2392 ++#define FOLL_COW 0x4000 /* internal GUP flag */
2393 +
2394 + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
2395 + void *data);
2396 +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
2397 +index 0972470bb072..a67e7d13008b 100644
2398 +--- a/include/linux/usb/quirks.h
2399 ++++ b/include/linux/usb/quirks.h
2400 +@@ -30,9 +30,6 @@
2401 + descriptor */
2402 + #define USB_QUIRK_DELAY_INIT 0x00000040
2403 +
2404 +-/* device generates spurious wakeup, ignore remote wakeup capability */
2405 +-#define USB_QUIRK_IGNORE_REMOTE_WAKEUP 0x00000200
2406 +-
2407 + /* device can't handle device_qualifier descriptor requests */
2408 + #define USB_QUIRK_DEVICE_QUALIFIER 0x00000100
2409 +
2410 +diff --git a/include/net/af_unix.h b/include/net/af_unix.h
2411 +index d29a576e4a16..f3cbf1c14fda 100644
2412 +--- a/include/net/af_unix.h
2413 ++++ b/include/net/af_unix.h
2414 +@@ -56,9 +56,10 @@ struct unix_sock {
2415 + struct list_head link;
2416 + atomic_long_t inflight;
2417 + spinlock_t lock;
2418 +- unsigned int gc_candidate : 1;
2419 +- unsigned int gc_maybe_cycle : 1;
2420 + unsigned char recursion_level;
2421 ++ unsigned long gc_flags;
2422 ++#define UNIX_GC_CANDIDATE 0
2423 ++#define UNIX_GC_MAYBE_CYCLE 1
2424 + struct socket_wq peer_wq;
2425 + wait_queue_t peer_wake;
2426 + };
2427 +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
2428 +index 49c4cfe810d2..acaab5e569e1 100644
2429 +--- a/include/net/ip6_fib.h
2430 ++++ b/include/net/ip6_fib.h
2431 +@@ -37,6 +37,7 @@ struct fib6_config {
2432 + int fc_ifindex;
2433 + u32 fc_flags;
2434 + u32 fc_protocol;
2435 ++ u32 fc_type; /* only 8 bits are used */
2436 +
2437 + struct in6_addr fc_dst;
2438 + struct in6_addr fc_src;
2439 +diff --git a/include/net/ndisc.h b/include/net/ndisc.h
2440 +index 6f9c25a76cd1..cd205e939c71 100644
2441 +--- a/include/net/ndisc.h
2442 ++++ b/include/net/ndisc.h
2443 +@@ -117,7 +117,9 @@ static inline struct neighbour *__ipv6_neigh_lookup(struct neigh_table *tbl, str
2444 + }
2445 +
2446 + extern int ndisc_init(void);
2447 ++extern int ndisc_late_init(void);
2448 +
2449 ++extern void ndisc_late_cleanup(void);
2450 + extern void ndisc_cleanup(void);
2451 +
2452 + extern int ndisc_rcv(struct sk_buff *skb);
2453 +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
2454 +index 4ea0ec64eada..e60eb4036c0d 100644
2455 +--- a/include/net/sctp/structs.h
2456 ++++ b/include/net/sctp/structs.h
2457 +@@ -1587,7 +1587,8 @@ struct sctp_association {
2458 + * : order. When DATA chunks are out of order,
2459 + * : SACK's are not delayed (see Section 6).
2460 + */
2461 +- __u8 sack_needed; /* Do we need to sack the peer? */
2462 ++ __u8 sack_needed:1, /* Do we need to sack the peer? */
2463 ++ zero_window_announced:1;
2464 + __u32 sack_cnt;
2465 +
2466 + /* These are capabilities which our peer advertised. */
2467 +diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
2468 +index 7d28aff605c7..7dc685b4057d 100644
2469 +--- a/include/xen/interface/io/ring.h
2470 ++++ b/include/xen/interface/io/ring.h
2471 +@@ -181,6 +181,20 @@ struct __name##_back_ring { \
2472 + #define RING_GET_REQUEST(_r, _idx) \
2473 + (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
2474 +
2475 ++/*
2476 ++ * Get a local copy of a request.
2477 ++ *
2478 ++ * Use this in preference to RING_GET_REQUEST() so all processing is
2479 ++ * done on a local copy that cannot be modified by the other end.
2480 ++ *
2481 ++ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
2482 ++ * to be ineffective where _req is a struct which consists of only bitfields.
2483 ++ */
2484 ++#define RING_COPY_REQUEST(_r, _idx, _req) do { \
2485 ++ /* Use volatile to force the copy into _req. */ \
2486 ++ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
2487 ++} while (0)
2488 ++
2489 + #define RING_GET_RESPONSE(_r, _idx) \
2490 + (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
2491 +
2492 +diff --git a/kernel/events/core.c b/kernel/events/core.c
2493 +index 2e6c24843eb6..4713480bfe14 100644
2494 +--- a/kernel/events/core.c
2495 ++++ b/kernel/events/core.c
2496 +@@ -5366,6 +5366,10 @@ static int perf_tp_filter_match(struct perf_event *event,
2497 + {
2498 + void *record = data->raw->data;
2499 +
2500 ++ /* only top level events have filters set */
2501 ++ if (event->parent)
2502 ++ event = event->parent;
2503 ++
2504 + if (likely(!event->filter) || filter_match_preds(event->filter, record))
2505 + return 1;
2506 + return 0;
2507 +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
2508 +index 9baa6315acf5..43e4342d56a5 100644
2509 +--- a/kernel/irq/manage.c
2510 ++++ b/kernel/irq/manage.c
2511 +@@ -1181,6 +1181,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id)
2512 + if (!desc)
2513 + return NULL;
2514 +
2515 ++ chip_bus_lock(desc);
2516 + raw_spin_lock_irqsave(&desc->lock, flags);
2517 +
2518 + /*
2519 +@@ -1194,7 +1195,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id)
2520 + if (!action) {
2521 + WARN(1, "Trying to free already-free IRQ %d\n", irq);
2522 + raw_spin_unlock_irqrestore(&desc->lock, flags);
2523 +-
2524 ++ chip_bus_sync_unlock(desc);
2525 + return NULL;
2526 + }
2527 +
2528 +@@ -1223,6 +1224,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id)
2529 + #endif
2530 +
2531 + raw_spin_unlock_irqrestore(&desc->lock, flags);
2532 ++ chip_bus_sync_unlock(desc);
2533 +
2534 + unregister_handler_proc(irq, action);
2535 +
2536 +@@ -1296,9 +1298,7 @@ void free_irq(unsigned int irq, void *dev_id)
2537 + desc->affinity_notify = NULL;
2538 + #endif
2539 +
2540 +- chip_bus_lock(desc);
2541 + kfree(__free_irq(irq, dev_id));
2542 +- chip_bus_sync_unlock(desc);
2543 + }
2544 + EXPORT_SYMBOL(free_irq);
2545 +
2546 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
2547 +index 609a22630674..e29d8005328d 100644
2548 +--- a/kernel/sched/core.c
2549 ++++ b/kernel/sched/core.c
2550 +@@ -5931,11 +5931,11 @@ static int init_rootdomain(struct root_domain *rd)
2551 + {
2552 + memset(rd, 0, sizeof(*rd));
2553 +
2554 +- if (!alloc_cpumask_var(&rd->span, GFP_KERNEL))
2555 ++ if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))
2556 + goto out;
2557 +- if (!alloc_cpumask_var(&rd->online, GFP_KERNEL))
2558 ++ if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL))
2559 + goto free_span;
2560 +- if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
2561 ++ if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
2562 + goto free_online;
2563 +
2564 + if (cpupri_init(&rd->cpupri) != 0)
2565 +diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
2566 +index e32587e7a6ca..ea8d82ee797d 100644
2567 +--- a/kernel/time/ntp.c
2568 ++++ b/kernel/time/ntp.c
2569 +@@ -34,6 +34,7 @@ unsigned long tick_nsec;
2570 + static u64 tick_length;
2571 + static u64 tick_length_base;
2572 +
2573 ++#define SECS_PER_DAY 86400
2574 + #define MAX_TICKADJ 500LL /* usecs */
2575 + #define MAX_TICKADJ_SCALED \
2576 + (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
2577 +@@ -78,6 +79,9 @@ static long time_adjust;
2578 + /* constant (boot-param configurable) NTP tick adjustment (upscaled) */
2579 + static s64 ntp_tick_adj;
2580 +
2581 ++/* second value of the next pending leapsecond, or KTIME_MAX if no leap */
2582 ++static s64 ntp_next_leap_sec = KTIME_MAX;
2583 ++
2584 + #ifdef CONFIG_NTP_PPS
2585 +
2586 + /*
2587 +@@ -354,6 +358,8 @@ void ntp_clear(void)
2588 + time_maxerror = NTP_PHASE_LIMIT;
2589 + time_esterror = NTP_PHASE_LIMIT;
2590 +
2591 ++ ntp_next_leap_sec = KTIME_MAX;
2592 ++
2593 + ntp_update_frequency();
2594 +
2595 + tick_length = tick_length_base;
2596 +@@ -377,6 +383,21 @@ u64 ntp_tick_length(void)
2597 + return ret;
2598 + }
2599 +
2600 ++/**
2601 ++ * ntp_get_next_leap - Returns the next leapsecond in CLOCK_REALTIME ktime_t
2602 ++ *
2603 ++ * Provides the time of the next leapsecond against CLOCK_REALTIME in
2604 ++ * a ktime_t format. Returns KTIME_MAX if no leapsecond is pending.
2605 ++ */
2606 ++ktime_t ntp_get_next_leap(void)
2607 ++{
2608 ++ ktime_t ret;
2609 ++
2610 ++ if ((time_state == TIME_INS) && (time_status & STA_INS))
2611 ++ return ktime_set(ntp_next_leap_sec, 0);
2612 ++ ret.tv64 = KTIME_MAX;
2613 ++ return ret;
2614 ++}
2615 +
2616 + /*
2617 + * this routine handles the overflow of the microsecond field
2618 +@@ -403,15 +424,21 @@ int second_overflow(unsigned long secs)
2619 + */
2620 + switch (time_state) {
2621 + case TIME_OK:
2622 +- if (time_status & STA_INS)
2623 ++ if (time_status & STA_INS) {
2624 + time_state = TIME_INS;
2625 +- else if (time_status & STA_DEL)
2626 ++ ntp_next_leap_sec = secs + SECS_PER_DAY -
2627 ++ (secs % SECS_PER_DAY);
2628 ++ } else if (time_status & STA_DEL) {
2629 + time_state = TIME_DEL;
2630 ++ ntp_next_leap_sec = secs + SECS_PER_DAY -
2631 ++ ((secs+1) % SECS_PER_DAY);
2632 ++ }
2633 + break;
2634 + case TIME_INS:
2635 +- if (!(time_status & STA_INS))
2636 ++ if (!(time_status & STA_INS)) {
2637 ++ ntp_next_leap_sec = KTIME_MAX;
2638 + time_state = TIME_OK;
2639 +- else if (secs % 86400 == 0) {
2640 ++ } else if (secs % SECS_PER_DAY == 0) {
2641 + leap = -1;
2642 + time_state = TIME_OOP;
2643 + time_tai++;
2644 +@@ -420,10 +447,12 @@ int second_overflow(unsigned long secs)
2645 + }
2646 + break;
2647 + case TIME_DEL:
2648 +- if (!(time_status & STA_DEL))
2649 ++ if (!(time_status & STA_DEL)) {
2650 ++ ntp_next_leap_sec = KTIME_MAX;
2651 + time_state = TIME_OK;
2652 +- else if ((secs + 1) % 86400 == 0) {
2653 ++ } else if ((secs + 1) % SECS_PER_DAY == 0) {
2654 + leap = 1;
2655 ++ ntp_next_leap_sec = KTIME_MAX;
2656 + time_tai--;
2657 + time_state = TIME_WAIT;
2658 + printk(KERN_NOTICE
2659 +@@ -431,6 +460,7 @@ int second_overflow(unsigned long secs)
2660 + }
2661 + break;
2662 + case TIME_OOP:
2663 ++ ntp_next_leap_sec = KTIME_MAX;
2664 + time_state = TIME_WAIT;
2665 + break;
2666 +
2667 +@@ -549,6 +579,7 @@ static inline void process_adj_status(struct timex *txc, struct timespec *ts)
2668 + if ((time_status & STA_PLL) && !(txc->status & STA_PLL)) {
2669 + time_state = TIME_OK;
2670 + time_status = STA_UNSYNC;
2671 ++ ntp_next_leap_sec = KTIME_MAX;
2672 + /* restart PPS frequency calibration */
2673 + pps_reset_freq_interval();
2674 + }
2675 +@@ -619,7 +650,7 @@ static inline void process_adjtimex_modes(struct timex *txc, struct timespec *ts
2676 + * adjtimex mainly allows reading (and writing, if superuser) of
2677 + * kernel time-keeping variables. used by xntpd.
2678 + */
2679 +-int do_adjtimex(struct timex *txc)
2680 ++int __do_adjtimex(struct timex *txc)
2681 + {
2682 + struct timespec ts;
2683 + int result;
2684 +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
2685 +index 32f0cb8f1fe8..a72f63e2f285 100644
2686 +--- a/kernel/time/timekeeping.c
2687 ++++ b/kernel/time/timekeeping.c
2688 +@@ -21,6 +21,9 @@
2689 + #include <linux/tick.h>
2690 + #include <linux/stop_machine.h>
2691 +
2692 ++extern ktime_t ntp_get_next_leap(void);
2693 ++extern int __do_adjtimex(struct timex *);
2694 ++
2695 + /* Structure holding internal timekeeping values. */
2696 + struct timekeeper {
2697 + /* Current clocksource used for timekeeping. */
2698 +@@ -30,6 +33,8 @@ struct timekeeper {
2699 + /* The shift value of the current clocksource. */
2700 + int shift;
2701 +
2702 ++ /* CLOCK_MONOTONIC time value of a pending leap-second*/
2703 ++ ktime_t next_leap_ktime;
2704 + /* Number of clock cycles in one NTP interval. */
2705 + cycle_t cycle_interval;
2706 + /* Number of clock shifted nano seconds in one NTP interval. */
2707 +@@ -186,6 +191,17 @@ static void update_rt_offset(void)
2708 + timekeeper.offs_real = timespec_to_ktime(tmp);
2709 + }
2710 +
2711 ++/*
2712 ++ * tk_update_leap_state - helper to update the next_leap_ktime
2713 ++ */
2714 ++static inline void tk_update_leap_state(struct timekeeper *tk)
2715 ++{
2716 ++ tk->next_leap_ktime = ntp_get_next_leap();
2717 ++ if (tk->next_leap_ktime.tv64 != KTIME_MAX)
2718 ++ /* Convert to monotonic time */
2719 ++ tk->next_leap_ktime = ktime_sub(tk->next_leap_ktime, tk->offs_real);
2720 ++}
2721 ++
2722 + /* must hold write on timekeeper.lock */
2723 + static void timekeeping_update(bool clearntp)
2724 + {
2725 +@@ -193,6 +209,7 @@ static void timekeeping_update(bool clearntp)
2726 + timekeeper.ntp_error = 0;
2727 + ntp_clear();
2728 + }
2729 ++ tk_update_leap_state(&timekeeper);
2730 + update_rt_offset();
2731 + update_vsyscall(&timekeeper.xtime, &timekeeper.wall_to_monotonic,
2732 + timekeeper.clock, timekeeper.mult);
2733 +@@ -1329,10 +1346,16 @@ ktime_t ktime_get_update_offsets(ktime_t *offs_real, ktime_t *offs_boot)
2734 +
2735 + *offs_real = timekeeper.offs_real;
2736 + *offs_boot = timekeeper.offs_boot;
2737 ++
2738 ++ now = ktime_add_ns(ktime_set(secs, 0), nsecs);
2739 ++ now = ktime_sub(now, *offs_real);
2740 ++
2741 ++ /* Handle leapsecond insertion adjustments */
2742 ++ if (unlikely(now.tv64 >= timekeeper.next_leap_ktime.tv64))
2743 ++ *offs_real = ktime_sub(timekeeper.offs_real, ktime_set(1, 0));
2744 ++
2745 + } while (read_seqretry(&timekeeper.lock, seq));
2746 +
2747 +- now = ktime_add_ns(ktime_set(secs, 0), nsecs);
2748 +- now = ktime_sub(now, *offs_real);
2749 + return now;
2750 + }
2751 + #endif
2752 +@@ -1354,6 +1377,16 @@ ktime_t ktime_get_monotonic_offset(void)
2753 + }
2754 + EXPORT_SYMBOL_GPL(ktime_get_monotonic_offset);
2755 +
2756 ++/*
2757 ++ * do_adjtimex() - Accessor function to NTP __do_adjtimex function
2758 ++ */
2759 ++int do_adjtimex(struct timex *txc)
2760 ++{
2761 ++ int ret;
2762 ++ ret = __do_adjtimex(txc);
2763 ++ tk_update_leap_state(&timekeeper);
2764 ++ return ret;
2765 ++}
2766 +
2767 + /**
2768 + * xtime_update() - advances the timekeeping infrastructure
2769 +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
2770 +index bd0f1c499e0a..6cbd36f422e6 100644
2771 +--- a/kernel/trace/ring_buffer.c
2772 ++++ b/kernel/trace/ring_buffer.c
2773 +@@ -1549,12 +1549,6 @@ rb_set_commit_to_write(struct ring_buffer_per_cpu *cpu_buffer)
2774 + goto again;
2775 + }
2776 +
2777 +-static void rb_reset_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
2778 +-{
2779 +- cpu_buffer->read_stamp = cpu_buffer->reader_page->page->time_stamp;
2780 +- cpu_buffer->reader_page->read = 0;
2781 +-}
2782 +-
2783 + static void rb_inc_iter(struct ring_buffer_iter *iter)
2784 + {
2785 + struct ring_buffer_per_cpu *cpu_buffer = iter->cpu_buffer;
2786 +@@ -3094,7 +3088,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
2787 +
2788 + /* Finally update the reader page to the new head */
2789 + cpu_buffer->reader_page = reader;
2790 +- rb_reset_reader_page(cpu_buffer);
2791 ++ cpu_buffer->reader_page->read = 0;
2792 +
2793 + if (overwrite != cpu_buffer->last_overrun) {
2794 + cpu_buffer->lost_events = overwrite - cpu_buffer->last_overrun;
2795 +@@ -3104,6 +3098,10 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
2796 + goto again;
2797 +
2798 + out:
2799 ++ /* Update the read_stamp on the first event */
2800 ++ if (reader && reader->read == 0)
2801 ++ cpu_buffer->read_stamp = reader->page->time_stamp;
2802 ++
2803 + arch_spin_unlock(&cpu_buffer->lock);
2804 + local_irq_restore(flags);
2805 +
2806 +diff --git a/lib/devres.c b/lib/devres.c
2807 +index 80b9c76d436a..584c2dcfcb03 100644
2808 +--- a/lib/devres.c
2809 ++++ b/lib/devres.c
2810 +@@ -390,7 +390,7 @@ void pcim_iounmap_regions(struct pci_dev *pdev, int mask)
2811 + if (!iomap)
2812 + return;
2813 +
2814 +- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
2815 ++ for (i = 0; i < PCIM_IOMAP_MAX; i++) {
2816 + if (!(mask & (1 << i)))
2817 + continue;
2818 +
2819 +diff --git a/mm/backing-dev.c b/mm/backing-dev.c
2820 +index dd8e2aafb07e..0e51d2e808ab 100644
2821 +--- a/mm/backing-dev.c
2822 ++++ b/mm/backing-dev.c
2823 +@@ -843,8 +843,9 @@ EXPORT_SYMBOL(congestion_wait);
2824 + * jiffies for either a BDI to exit congestion of the given @sync queue
2825 + * or a write to complete.
2826 + *
2827 +- * In the absence of zone congestion, cond_resched() is called to yield
2828 +- * the processor if necessary but otherwise does not sleep.
2829 ++ * In the absence of zone congestion, a short sleep or a cond_resched is
2830 ++ * performed to yield the processor and to allow other subsystems to make
2831 ++ * a forward progress.
2832 + *
2833 + * The return value is 0 if the sleep is for the full timeout. Otherwise,
2834 + * it is the number of jiffies that were still remaining when the function
2835 +@@ -864,7 +865,19 @@ long wait_iff_congested(struct zone *zone, int sync, long timeout)
2836 + */
2837 + if (atomic_read(&nr_bdi_congested[sync]) == 0 ||
2838 + !zone_is_reclaim_congested(zone)) {
2839 +- cond_resched();
2840 ++
2841 ++ /*
2842 ++ * Memory allocation/reclaim might be called from a WQ
2843 ++ * context and the current implementation of the WQ
2844 ++ * concurrency control doesn't recognize that a particular
2845 ++ * WQ is congested if the worker thread is looping without
2846 ++ * ever sleeping. Therefore we have to do a short sleep
2847 ++ * here rather than calling cond_resched().
2848 ++ */
2849 ++ if (current->flags & PF_WQ_WORKER)
2850 ++ schedule_timeout_uninterruptible(1);
2851 ++ else
2852 ++ cond_resched();
2853 +
2854 + /* In case we scheduled, work out time remaining */
2855 + ret = timeout - (jiffies - start);
2856 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
2857 +index e622aab7fd8c..6726bfea8623 100644
2858 +--- a/mm/hugetlb.c
2859 ++++ b/mm/hugetlb.c
2860 +@@ -2835,12 +2835,12 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
2861 + } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry)))
2862 + return VM_FAULT_HWPOISON_LARGE |
2863 + VM_FAULT_SET_HINDEX(h - hstates);
2864 ++ } else {
2865 ++ ptep = huge_pte_alloc(mm, address, huge_page_size(h));
2866 ++ if (!ptep)
2867 ++ return VM_FAULT_OOM;
2868 + }
2869 +
2870 +- ptep = huge_pte_alloc(mm, address, huge_page_size(h));
2871 +- if (!ptep)
2872 +- return VM_FAULT_OOM;
2873 +-
2874 + /*
2875 + * Serialize hugepage allocation and instantiation, so that we don't
2876 + * get spurious allocation failures if two CPUs race to instantiate
2877 +@@ -2929,13 +2929,17 @@ out_page_table_lock:
2878 + unlock_page(pagecache_page);
2879 + put_page(pagecache_page);
2880 + }
2881 +- if (page != pagecache_page)
2882 +- unlock_page(page);
2883 +- put_page(page);
2884 +-
2885 + out_mutex:
2886 + mutex_unlock(&hugetlb_instantiation_mutex);
2887 +-
2888 ++ /*
2889 ++ * Generally it's safe to hold refcount during waiting page lock. But
2890 ++ * here we just wait to defer the next page fault to avoid busy loop and
2891 ++ * the page is not used after unlocked before returning from the current
2892 ++ * page fault. So we are safe from accessing freed page, even if we wait
2893 ++ * here without taking refcount.
2894 ++ */
2895 ++ if (need_wait_lock)
2896 ++ wait_on_page_locked(page);
2897 + return ret;
2898 + }
2899 +
2900 +diff --git a/mm/memory.c b/mm/memory.c
2901 +index 4774579d8acb..97019112eac4 100644
2902 +--- a/mm/memory.c
2903 ++++ b/mm/memory.c
2904 +@@ -1447,6 +1447,24 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
2905 + }
2906 + EXPORT_SYMBOL_GPL(zap_vma_ptes);
2907 +
2908 ++static inline bool can_follow_write_pte(pte_t pte, struct page *page,
2909 ++ unsigned int flags)
2910 ++{
2911 ++ if (pte_write(pte))
2912 ++ return true;
2913 ++
2914 ++ /*
2915 ++ * Make sure that we are really following CoWed page. We do not really
2916 ++ * have to care about exclusiveness of the page because we only want
2917 ++ * to ensure that once COWed page hasn't disappeared in the meantime
2918 ++ * or it hasn't been merged to a KSM page.
2919 ++ */
2920 ++ if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
2921 ++ return page && PageAnon(page) && !PageKsm(page);
2922 ++
2923 ++ return false;
2924 ++}
2925 ++
2926 + /**
2927 + * follow_page - look up a page descriptor from a user-virtual address
2928 + * @vma: vm_area_struct mapping @address
2929 +@@ -1529,10 +1547,13 @@ split_fallthrough:
2930 + pte = *ptep;
2931 + if (!pte_present(pte))
2932 + goto no_page;
2933 +- if ((flags & FOLL_WRITE) && !pte_write(pte))
2934 +- goto unlock;
2935 +
2936 + page = vm_normal_page(vma, address, pte);
2937 ++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
2938 ++ pte_unmap_unlock(ptep, ptl);
2939 ++ return NULL;
2940 ++ }
2941 ++
2942 + if (unlikely(!page)) {
2943 + if ((flags & FOLL_DUMP) ||
2944 + !is_zero_pfn(pte_pfn(pte)))
2945 +@@ -1575,7 +1596,7 @@ split_fallthrough:
2946 + unlock_page(page);
2947 + }
2948 + }
2949 +-unlock:
2950 ++
2951 + pte_unmap_unlock(ptep, ptl);
2952 + out:
2953 + return page;
2954 +@@ -1809,17 +1830,13 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
2955 + * The VM_FAULT_WRITE bit tells us that
2956 + * do_wp_page has broken COW when necessary,
2957 + * even if maybe_mkwrite decided not to set
2958 +- * pte_write. We can thus safely do subsequent
2959 +- * page lookups as if they were reads. But only
2960 +- * do so when looping for pte_write is futile:
2961 +- * in some cases userspace may also be wanting
2962 +- * to write to the gotten user page, which a
2963 +- * read fault here might prevent (a readonly
2964 +- * page might get reCOWed by userspace write).
2965 ++ * pte_write. We cannot simply drop FOLL_WRITE
2966 ++ * here because the COWed page might be gone by
2967 ++ * the time we do the subsequent page lookups.
2968 + */
2969 + if ((ret & VM_FAULT_WRITE) &&
2970 + !(vma->vm_flags & VM_WRITE))
2971 +- foll_flags &= ~FOLL_WRITE;
2972 ++ foll_flags |= FOLL_COW;
2973 +
2974 + cond_resched();
2975 + }
2976 +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
2977 +index 09d87b709179..223232a8c98c 100644
2978 +--- a/mm/memory_hotplug.c
2979 ++++ b/mm/memory_hotplug.c
2980 +@@ -716,23 +716,30 @@ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
2981 + */
2982 + static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn)
2983 + {
2984 +- unsigned long pfn;
2985 ++ unsigned long pfn, sec_end_pfn;
2986 + struct zone *zone = NULL;
2987 + struct page *page;
2988 + int i;
2989 +- for (pfn = start_pfn;
2990 ++ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn);
2991 + pfn < end_pfn;
2992 +- pfn += MAX_ORDER_NR_PAGES) {
2993 +- i = 0;
2994 +- /* This is just a CONFIG_HOLES_IN_ZONE check.*/
2995 +- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i))
2996 +- i++;
2997 +- if (i == MAX_ORDER_NR_PAGES)
2998 ++ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) {
2999 ++ /* Make sure the memory section is present first */
3000 ++ if (!present_section_nr(pfn_to_section_nr(pfn)))
3001 + continue;
3002 +- page = pfn_to_page(pfn + i);
3003 +- if (zone && page_zone(page) != zone)
3004 +- return 0;
3005 +- zone = page_zone(page);
3006 ++ for (; pfn < sec_end_pfn && pfn < end_pfn;
3007 ++ pfn += MAX_ORDER_NR_PAGES) {
3008 ++ i = 0;
3009 ++ /* This is just a CONFIG_HOLES_IN_ZONE check.*/
3010 ++ while ((i < MAX_ORDER_NR_PAGES) &&
3011 ++ !pfn_valid_within(pfn + i))
3012 ++ i++;
3013 ++ if (i == MAX_ORDER_NR_PAGES)
3014 ++ continue;
3015 ++ page = pfn_to_page(pfn + i);
3016 ++ if (zone && page_zone(page) != zone)
3017 ++ return 0;
3018 ++ zone = page_zone(page);
3019 ++ }
3020 + }
3021 + return 1;
3022 + }
3023 +diff --git a/mm/vmstat.c b/mm/vmstat.c
3024 +index 7db1b9bab492..e89c0f6d9f9f 100644
3025 +--- a/mm/vmstat.c
3026 ++++ b/mm/vmstat.c
3027 +@@ -1139,13 +1139,14 @@ static const struct file_operations proc_vmstat_file_operations = {
3028 + #endif /* CONFIG_PROC_FS */
3029 +
3030 + #ifdef CONFIG_SMP
3031 ++static struct workqueue_struct *vmstat_wq;
3032 + static DEFINE_PER_CPU(struct delayed_work, vmstat_work);
3033 + int sysctl_stat_interval __read_mostly = HZ;
3034 +
3035 + static void vmstat_update(struct work_struct *w)
3036 + {
3037 + refresh_cpu_vm_stats(smp_processor_id());
3038 +- schedule_delayed_work(&__get_cpu_var(vmstat_work),
3039 ++ queue_delayed_work(vmstat_wq, &__get_cpu_var(vmstat_work),
3040 + round_jiffies_relative(sysctl_stat_interval));
3041 + }
3042 +
3043 +@@ -1154,7 +1155,7 @@ static void __cpuinit start_cpu_timer(int cpu)
3044 + struct delayed_work *work = &per_cpu(vmstat_work, cpu);
3045 +
3046 + INIT_DELAYED_WORK_DEFERRABLE(work, vmstat_update);
3047 +- schedule_delayed_work_on(cpu, work, __round_jiffies_relative(HZ, cpu));
3048 ++ queue_delayed_work_on(cpu, vmstat_wq, work, __round_jiffies_relative(HZ, cpu));
3049 + }
3050 +
3051 + /*
3052 +@@ -1204,6 +1205,7 @@ static int __init setup_vmstat(void)
3053 +
3054 + register_cpu_notifier(&vmstat_notifier);
3055 +
3056 ++ vmstat_wq = alloc_workqueue("vmstat", WQ_FREEZABLE|WQ_MEM_RECLAIM, 0);
3057 + for_each_online_cpu(cpu)
3058 + start_cpu_timer(cpu);
3059 + #endif
3060 +diff --git a/net/core/datagram.c b/net/core/datagram.c
3061 +index ba96ad93d136..bc412ca9041e 100644
3062 +--- a/net/core/datagram.c
3063 ++++ b/net/core/datagram.c
3064 +@@ -695,7 +695,8 @@ __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len)
3065 + if (likely(!sum)) {
3066 + if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE))
3067 + netdev_rx_csum_fault(skb->dev);
3068 +- skb->ip_summed = CHECKSUM_UNNECESSARY;
3069 ++ if (!skb_shared(skb))
3070 ++ skb->ip_summed = CHECKSUM_UNNECESSARY;
3071 + }
3072 + return sum;
3073 + }
3074 +diff --git a/net/core/dev.c b/net/core/dev.c
3075 +index 4f679bf4f12e..573d62b9cbeb 100644
3076 +--- a/net/core/dev.c
3077 ++++ b/net/core/dev.c
3078 +@@ -5368,6 +5368,9 @@ int __netdev_update_features(struct net_device *dev)
3079 + netdev_err(dev,
3080 + "set_features() failed (%d); wanted %pNF, left %pNF\n",
3081 + err, &features, &dev->features);
3082 ++ /* return non-0 since some features might have changed and
3083 ++ * it's better to fire a spurious notification than miss it
3084 ++ */
3085 + return -1;
3086 + }
3087 +
3088 +diff --git a/net/core/dst.c b/net/core/dst.c
3089 +index 43d94cedbf7c..48cff898b5a4 100644
3090 +--- a/net/core/dst.c
3091 ++++ b/net/core/dst.c
3092 +@@ -269,10 +269,11 @@ void dst_release(struct dst_entry *dst)
3093 + {
3094 + if (dst) {
3095 + int newrefcnt;
3096 ++ unsigned short nocache = dst->flags & DST_NOCACHE;
3097 +
3098 + newrefcnt = atomic_dec_return(&dst->__refcnt);
3099 + WARN_ON(newrefcnt < 0);
3100 +- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) {
3101 ++ if (!newrefcnt && unlikely(nocache)) {
3102 + dst = dst_destroy(dst);
3103 + if (dst)
3104 + __dst_free(dst);
3105 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
3106 +index ebd4b21cb9d4..dbd00dfbc6ce 100644
3107 +--- a/net/core/neighbour.c
3108 ++++ b/net/core/neighbour.c
3109 +@@ -2186,7 +2186,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
3110 + ndm->ndm_pad2 = 0;
3111 + ndm->ndm_flags = pn->flags | NTF_PROXY;
3112 + ndm->ndm_type = NDA_DST;
3113 +- ndm->ndm_ifindex = pn->dev->ifindex;
3114 ++ ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0;
3115 + ndm->ndm_state = NUD_NONE;
3116 +
3117 + NLA_PUT(skb, NDA_DST, tbl->key_len, pn->key);
3118 +@@ -2259,7 +2259,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
3119 + if (h > s_h)
3120 + s_idx = 0;
3121 + for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) {
3122 +- if (dev_net(n->dev) != net)
3123 ++ if (pneigh_net(n) != net)
3124 + continue;
3125 + if (idx < s_idx)
3126 + goto next;
3127 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
3128 +index 2d3290496a0a..55b08e09f0c8 100644
3129 +--- a/net/ipv4/tcp_input.c
3130 ++++ b/net/ipv4/tcp_input.c
3131 +@@ -89,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
3132 + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
3133 +
3134 + /* rfc5961 challenge ack rate limiting */
3135 +-int sysctl_tcp_challenge_ack_limit = 100;
3136 ++int sysctl_tcp_challenge_ack_limit = 1000;
3137 +
3138 + int sysctl_tcp_stdurg __read_mostly;
3139 + int sysctl_tcp_rfc1337 __read_mostly;
3140 +@@ -3701,13 +3701,18 @@ static void tcp_send_challenge_ack(struct sock *sk)
3141 + /* unprotected vars, we dont care of overwrites */
3142 + static u32 challenge_timestamp;
3143 + static unsigned int challenge_count;
3144 +- u32 now = jiffies / HZ;
3145 ++ u32 count, now = jiffies / HZ;
3146 +
3147 + if (now != challenge_timestamp) {
3148 ++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
3149 ++
3150 + challenge_timestamp = now;
3151 +- challenge_count = 0;
3152 ++ ACCESS_ONCE(challenge_count) = half +
3153 ++ (u32)(((u64)random32() * sysctl_tcp_challenge_ack_limit) >> 32);
3154 + }
3155 +- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
3156 ++ count = ACCESS_ONCE(challenge_count);
3157 ++ if (count > 0) {
3158 ++ ACCESS_ONCE(challenge_count) = count - 1;
3159 + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
3160 + tcp_send_ack(sk);
3161 + }
3162 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
3163 +index 727678dc7968..6e212f7a5782 100644
3164 +--- a/net/ipv4/tcp_ipv4.c
3165 ++++ b/net/ipv4/tcp_ipv4.c
3166 +@@ -983,7 +983,8 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
3167 + }
3168 +
3169 + md5sig = rcu_dereference_protected(tp->md5sig_info,
3170 +- sock_owned_by_user(sk));
3171 ++ sock_owned_by_user(sk) ||
3172 ++ lockdep_is_held(&sk->sk_lock.slock));
3173 + if (!md5sig) {
3174 + md5sig = kmalloc(sizeof(*md5sig), gfp);
3175 + if (!md5sig)
3176 +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
3177 +index 5f8c20b67da2..8629205717b5 100644
3178 +--- a/net/ipv4/udp.c
3179 ++++ b/net/ipv4/udp.c
3180 +@@ -1175,6 +1175,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
3181 + int peeked, off = 0;
3182 + int err;
3183 + int is_udplite = IS_UDPLITE(sk);
3184 ++ bool checksum_valid = false;
3185 + bool slow;
3186 +
3187 + if (flags & MSG_ERRQUEUE)
3188 +@@ -1200,11 +1201,12 @@ try_again:
3189 + */
3190 +
3191 + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
3192 +- if (udp_lib_checksum_complete(skb))
3193 ++ checksum_valid = !udp_lib_checksum_complete(skb);
3194 ++ if (!checksum_valid)
3195 + goto csum_copy_err;
3196 + }
3197 +
3198 +- if (skb_csum_unnecessary(skb))
3199 ++ if (checksum_valid || skb_csum_unnecessary(skb))
3200 + err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
3201 + msg->msg_iov, copied);
3202 + else {
3203 +diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
3204 +index 2d8ddba9ee58..c8c6a121298b 100644
3205 +--- a/net/ipv6/addrlabel.c
3206 ++++ b/net/ipv6/addrlabel.c
3207 +@@ -558,7 +558,7 @@ static int ip6addrlbl_get(struct sk_buff *in_skb, struct nlmsghdr* nlh,
3208 +
3209 + rcu_read_lock();
3210 + p = __ipv6_addr_label(net, addr, ipv6_addr_type(addr), ifal->ifal_index);
3211 +- if (p && ip6addrlbl_hold(p))
3212 ++ if (p && !ip6addrlbl_hold(p))
3213 + p = NULL;
3214 + lseq = ip6addrlbl_table.seq;
3215 + rcu_read_unlock();
3216 +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
3217 +index 5300ef35fd41..8ddb56ff0c7a 100644
3218 +--- a/net/ipv6/af_inet6.c
3219 ++++ b/net/ipv6/af_inet6.c
3220 +@@ -1161,6 +1161,9 @@ static int __init inet6_init(void)
3221 + err = ip6_route_init();
3222 + if (err)
3223 + goto ip6_route_fail;
3224 ++ err = ndisc_late_init();
3225 ++ if (err)
3226 ++ goto ndisc_late_fail;
3227 + err = ip6_flowlabel_init();
3228 + if (err)
3229 + goto ip6_flowlabel_fail;
3230 +@@ -1221,6 +1224,8 @@ ipv6_exthdrs_fail:
3231 + addrconf_fail:
3232 + ip6_flowlabel_cleanup();
3233 + ip6_flowlabel_fail:
3234 ++ ndisc_late_cleanup();
3235 ++ndisc_late_fail:
3236 + ip6_route_cleanup();
3237 + ip6_route_fail:
3238 + #ifdef CONFIG_PROC_FS
3239 +@@ -1288,6 +1293,7 @@ static void __exit inet6_exit(void)
3240 + ipv6_exthdrs_exit();
3241 + addrconf_cleanup();
3242 + ip6_flowlabel_cleanup();
3243 ++ ndisc_late_cleanup();
3244 + ip6_route_cleanup();
3245 + #ifdef CONFIG_PROC_FS
3246 +
3247 +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
3248 +index fc5ce6e9dc6f..e6b7a0031a14 100644
3249 +--- a/net/ipv6/ip6_fib.c
3250 ++++ b/net/ipv6/ip6_fib.c
3251 +@@ -1595,6 +1595,8 @@ static DEFINE_SPINLOCK(fib6_gc_lock);
3252 +
3253 + void fib6_run_gc(unsigned long expires, struct net *net, bool force)
3254 + {
3255 ++ unsigned long now;
3256 ++
3257 + if (force) {
3258 + spin_lock_bh(&fib6_gc_lock);
3259 + } else if (!spin_trylock_bh(&fib6_gc_lock)) {
3260 +@@ -1607,10 +1609,12 @@ void fib6_run_gc(unsigned long expires, struct net *net, bool force)
3261 + gc_args.more = icmp6_dst_gc();
3262 +
3263 + fib6_clean_all(net, fib6_age, 0, NULL);
3264 ++ now = jiffies;
3265 ++ net->ipv6.ip6_rt_last_gc = now;
3266 +
3267 + if (gc_args.more)
3268 + mod_timer(&net->ipv6.ip6_fib_timer,
3269 +- round_jiffies(jiffies
3270 ++ round_jiffies(now
3271 + + net->ipv6.sysctl.ip6_rt_gc_interval));
3272 + else
3273 + del_timer(&net->ipv6.ip6_fib_timer);
3274 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
3275 +index abe1f768b5b6..c5fa9df58e53 100644
3276 +--- a/net/ipv6/ip6mr.c
3277 ++++ b/net/ipv6/ip6mr.c
3278 +@@ -117,7 +117,7 @@ static int __ip6mr_fill_mroute(struct mr6_table *mrt, struct sk_buff *skb,
3279 + struct mfc6_cache *c, struct rtmsg *rtm);
3280 + static int ip6mr_rtm_dumproute(struct sk_buff *skb,
3281 + struct netlink_callback *cb);
3282 +-static void mroute_clean_tables(struct mr6_table *mrt);
3283 ++static void mroute_clean_tables(struct mr6_table *mrt, bool all);
3284 + static void ipmr_expire_process(unsigned long arg);
3285 +
3286 + #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
3287 +@@ -333,8 +333,8 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id)
3288 +
3289 + static void ip6mr_free_table(struct mr6_table *mrt)
3290 + {
3291 +- del_timer(&mrt->ipmr_expire_timer);
3292 +- mroute_clean_tables(mrt);
3293 ++ del_timer_sync(&mrt->ipmr_expire_timer);
3294 ++ mroute_clean_tables(mrt, true);
3295 + kfree(mrt);
3296 + }
3297 +
3298 +@@ -1472,7 +1472,7 @@ static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt,
3299 + * Close the multicast socket, and clear the vif tables etc
3300 + */
3301 +
3302 +-static void mroute_clean_tables(struct mr6_table *mrt)
3303 ++static void mroute_clean_tables(struct mr6_table *mrt, bool all)
3304 + {
3305 + int i;
3306 + LIST_HEAD(list);
3307 +@@ -1482,8 +1482,9 @@ static void mroute_clean_tables(struct mr6_table *mrt)
3308 + * Shut down all active vif entries
3309 + */
3310 + for (i = 0; i < mrt->maxvif; i++) {
3311 +- if (!(mrt->vif6_table[i].flags & VIFF_STATIC))
3312 +- mif6_delete(mrt, i, &list);
3313 ++ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
3314 ++ continue;
3315 ++ mif6_delete(mrt, i, &list);
3316 + }
3317 + unregister_netdevice_many(&list);
3318 +
3319 +@@ -1492,7 +1493,7 @@ static void mroute_clean_tables(struct mr6_table *mrt)
3320 + */
3321 + for (i = 0; i < MFC6_LINES; i++) {
3322 + list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) {
3323 +- if (c->mfc_flags & MFC_STATIC)
3324 ++ if (!all && (c->mfc_flags & MFC_STATIC))
3325 + continue;
3326 + write_lock_bh(&mrt_lock);
3327 + list_del(&c->list);
3328 +@@ -1546,7 +1547,7 @@ int ip6mr_sk_done(struct sock *sk)
3329 + net->ipv6.devconf_all->mc_forwarding--;
3330 + write_unlock_bh(&mrt_lock);
3331 +
3332 +- mroute_clean_tables(mrt);
3333 ++ mroute_clean_tables(mrt, false);
3334 + err = 0;
3335 + break;
3336 + }
3337 +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
3338 +index e235b4c2b1be..02e656886c25 100644
3339 +--- a/net/ipv6/ndisc.c
3340 ++++ b/net/ipv6/ndisc.c
3341 +@@ -1867,24 +1867,28 @@ int __init ndisc_init(void)
3342 + if (err)
3343 + goto out_unregister_pernet;
3344 + #endif
3345 +- err = register_netdevice_notifier(&ndisc_netdev_notifier);
3346 +- if (err)
3347 +- goto out_unregister_sysctl;
3348 + out:
3349 + return err;
3350 +
3351 +-out_unregister_sysctl:
3352 + #ifdef CONFIG_SYSCTL
3353 +- neigh_sysctl_unregister(&nd_tbl.parms);
3354 + out_unregister_pernet:
3355 +-#endif
3356 + unregister_pernet_subsys(&ndisc_net_ops);
3357 + goto out;
3358 ++#endif
3359 + }
3360 +
3361 +-void ndisc_cleanup(void)
3362 ++int __init ndisc_late_init(void)
3363 ++{
3364 ++ return register_netdevice_notifier(&ndisc_netdev_notifier);
3365 ++}
3366 ++
3367 ++void ndisc_late_cleanup(void)
3368 + {
3369 + unregister_netdevice_notifier(&ndisc_netdev_notifier);
3370 ++}
3371 ++
3372 ++void ndisc_cleanup(void)
3373 ++{
3374 + #ifdef CONFIG_SYSCTL
3375 + neigh_sysctl_unregister(&nd_tbl.parms);
3376 + #endif
3377 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
3378 +index 7ab7f8a5ee4f..794cd2afc66f 100644
3379 +--- a/net/ipv6/route.c
3380 ++++ b/net/ipv6/route.c
3381 +@@ -1230,7 +1230,6 @@ static void icmp6_clean_all(int (*func)(struct rt6_info *rt, void *arg),
3382 +
3383 + static int ip6_dst_gc(struct dst_ops *ops)
3384 + {
3385 +- unsigned long now = jiffies;
3386 + struct net *net = container_of(ops, struct net, ipv6.ip6_dst_ops);
3387 + int rt_min_interval = net->ipv6.sysctl.ip6_rt_gc_min_interval;
3388 + int rt_max_size = net->ipv6.sysctl.ip6_rt_max_size;
3389 +@@ -1240,13 +1239,12 @@ static int ip6_dst_gc(struct dst_ops *ops)
3390 + int entries;
3391 +
3392 + entries = dst_entries_get_fast(ops);
3393 +- if (time_after(rt_last_gc + rt_min_interval, now) &&
3394 ++ if (time_after(rt_last_gc + rt_min_interval, jiffies) &&
3395 + entries <= rt_max_size)
3396 + goto out;
3397 +
3398 + net->ipv6.ip6_rt_gc_expire++;
3399 + fib6_run_gc(net->ipv6.ip6_rt_gc_expire, net, entries > rt_max_size);
3400 +- net->ipv6.ip6_rt_last_gc = now;
3401 + entries = dst_entries_get_slow(ops);
3402 + if (entries < ops->gc_thresh)
3403 + net->ipv6.ip6_rt_gc_expire = rt_gc_timeout>>1;
3404 +@@ -1401,8 +1399,18 @@ int ip6_route_add(struct fib6_config *cfg)
3405 + }
3406 + rt->dst.output = ip6_pkt_discard_out;
3407 + rt->dst.input = ip6_pkt_discard;
3408 +- rt->dst.error = -ENETUNREACH;
3409 + rt->rt6i_flags = RTF_REJECT|RTF_NONEXTHOP;
3410 ++ switch (cfg->fc_type) {
3411 ++ case RTN_BLACKHOLE:
3412 ++ rt->dst.error = -EINVAL;
3413 ++ break;
3414 ++ case RTN_PROHIBIT:
3415 ++ rt->dst.error = -EACCES;
3416 ++ break;
3417 ++ default:
3418 ++ rt->dst.error = -ENETUNREACH;
3419 ++ break;
3420 ++ }
3421 + goto install_route;
3422 + }
3423 +
3424 +@@ -2345,8 +2353,11 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
3425 + cfg->fc_src_len = rtm->rtm_src_len;
3426 + cfg->fc_flags = RTF_UP;
3427 + cfg->fc_protocol = rtm->rtm_protocol;
3428 ++ cfg->fc_type = rtm->rtm_type;
3429 +
3430 +- if (rtm->rtm_type == RTN_UNREACHABLE)
3431 ++ if (rtm->rtm_type == RTN_UNREACHABLE ||
3432 ++ rtm->rtm_type == RTN_BLACKHOLE ||
3433 ++ rtm->rtm_type == RTN_PROHIBIT)
3434 + cfg->fc_flags |= RTF_REJECT;
3435 +
3436 + if (rtm->rtm_type == RTN_LOCAL)
3437 +@@ -2476,8 +2487,19 @@ static int rt6_fill_node(struct net *net,
3438 + table = RT6_TABLE_UNSPEC;
3439 + rtm->rtm_table = table;
3440 + NLA_PUT_U32(skb, RTA_TABLE, table);
3441 +- if (rt->rt6i_flags & RTF_REJECT)
3442 +- rtm->rtm_type = RTN_UNREACHABLE;
3443 ++ if (rt->rt6i_flags & RTF_REJECT) {
3444 ++ switch (rt->dst.error) {
3445 ++ case -EINVAL:
3446 ++ rtm->rtm_type = RTN_BLACKHOLE;
3447 ++ break;
3448 ++ case -EACCES:
3449 ++ rtm->rtm_type = RTN_PROHIBIT;
3450 ++ break;
3451 ++ default:
3452 ++ rtm->rtm_type = RTN_UNREACHABLE;
3453 ++ break;
3454 ++ }
3455 ++ }
3456 + else if (rt->rt6i_flags & RTF_LOCAL)
3457 + rtm->rtm_type = RTN_LOCAL;
3458 + else if (rt->dst.dev && (rt->dst.dev->flags & IFF_LOOPBACK))
3459 +diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c
3460 +index 4f3cec12aa85..aa109da50001 100644
3461 +--- a/net/ipv6/tunnel6.c
3462 ++++ b/net/ipv6/tunnel6.c
3463 +@@ -145,6 +145,16 @@ static void tunnel6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
3464 + break;
3465 + }
3466 +
3467 ++static void tunnel46_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
3468 ++ u8 type, u8 code, int offset, __be32 info)
3469 ++{
3470 ++ struct xfrm6_tunnel *handler;
3471 ++
3472 ++ for_each_tunnel_rcu(tunnel46_handlers, handler)
3473 ++ if (!handler->err_handler(skb, opt, type, code, offset, info))
3474 ++ break;
3475 ++}
3476 ++
3477 + static const struct inet6_protocol tunnel6_protocol = {
3478 + .handler = tunnel6_rcv,
3479 + .err_handler = tunnel6_err,
3480 +@@ -153,7 +163,7 @@ static const struct inet6_protocol tunnel6_protocol = {
3481 +
3482 + static const struct inet6_protocol tunnel46_protocol = {
3483 + .handler = tunnel46_rcv,
3484 +- .err_handler = tunnel6_err,
3485 ++ .err_handler = tunnel46_err,
3486 + .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
3487 + };
3488 +
3489 +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
3490 +index 2f99b12b717e..ea5023ba9532 100644
3491 +--- a/net/ipv6/udp.c
3492 ++++ b/net/ipv6/udp.c
3493 +@@ -345,6 +345,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
3494 + int peeked, off = 0;
3495 + int err;
3496 + int is_udplite = IS_UDPLITE(sk);
3497 ++ bool checksum_valid = false;
3498 + int is_udp4;
3499 + bool slow;
3500 +
3501 +@@ -376,11 +377,12 @@ try_again:
3502 + */
3503 +
3504 + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
3505 +- if (udp_lib_checksum_complete(skb))
3506 ++ checksum_valid = !udp_lib_checksum_complete(skb);
3507 ++ if (!checksum_valid)
3508 + goto csum_copy_err;
3509 + }
3510 +
3511 +- if (skb_csum_unnecessary(skb))
3512 ++ if (checksum_valid || skb_csum_unnecessary(skb))
3513 + err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
3514 + msg->msg_iov, copied );
3515 + else {
3516 +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
3517 +index 49aaefd99635..7ed81ee4d6a2 100644
3518 +--- a/net/mac80211/mesh_pathtbl.c
3519 ++++ b/net/mac80211/mesh_pathtbl.c
3520 +@@ -757,10 +757,8 @@ void mesh_plink_broken(struct sta_info *sta)
3521 + static void mesh_path_node_reclaim(struct rcu_head *rp)
3522 + {
3523 + struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
3524 +- struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
3525 +
3526 + del_timer_sync(&node->mpath->timer);
3527 +- atomic_dec(&sdata->u.mesh.mpaths);
3528 + kfree(node->mpath);
3529 + kfree(node);
3530 + }
3531 +@@ -768,8 +766,9 @@ static void mesh_path_node_reclaim(struct rcu_head *rp)
3532 + /* needs to be called with the corresponding hashwlock taken */
3533 + static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
3534 + {
3535 +- struct mesh_path *mpath;
3536 +- mpath = node->mpath;
3537 ++ struct mesh_path *mpath = node->mpath;
3538 ++ struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
3539 ++
3540 + spin_lock(&mpath->state_lock);
3541 + mpath->flags |= MESH_PATH_RESOLVING;
3542 + if (mpath->is_gate)
3543 +@@ -777,6 +776,7 @@ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
3544 + hlist_del_rcu(&node->list);
3545 + call_rcu(&node->rcu, mesh_path_node_reclaim);
3546 + spin_unlock(&mpath->state_lock);
3547 ++ atomic_dec(&sdata->u.mesh.mpaths);
3548 + atomic_dec(&tbl->entries);
3549 + }
3550 +
3551 +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
3552 +index abc31d7bd2a5..1dae14232a52 100644
3553 +--- a/net/mac80211/mlme.c
3554 ++++ b/net/mac80211/mlme.c
3555 +@@ -2384,7 +2384,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
3556 +
3557 + if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
3558 + ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
3559 +- int sig = ifmgd->ave_beacon_signal;
3560 ++ int sig = ifmgd->ave_beacon_signal / 16;
3561 + int last_sig = ifmgd->last_ave_beacon_signal;
3562 +
3563 + /*
3564 +diff --git a/net/rfkill/core.c b/net/rfkill/core.c
3565 +index f974961754ca..feef1a459b53 100644
3566 +--- a/net/rfkill/core.c
3567 ++++ b/net/rfkill/core.c
3568 +@@ -51,7 +51,6 @@
3569 + struct rfkill {
3570 + spinlock_t lock;
3571 +
3572 +- const char *name;
3573 + enum rfkill_type type;
3574 +
3575 + unsigned long state;
3576 +@@ -75,6 +74,7 @@ struct rfkill {
3577 + struct delayed_work poll_work;
3578 + struct work_struct uevent_work;
3579 + struct work_struct sync_work;
3580 ++ char name[];
3581 + };
3582 + #define to_rfkill(d) container_of(d, struct rfkill, dev)
3583 +
3584 +@@ -849,14 +849,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name,
3585 + if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
3586 + return NULL;
3587 +
3588 +- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
3589 ++ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
3590 + if (!rfkill)
3591 + return NULL;
3592 +
3593 + spin_lock_init(&rfkill->lock);
3594 + INIT_LIST_HEAD(&rfkill->node);
3595 + rfkill->type = type;
3596 +- rfkill->name = name;
3597 ++ strcpy(rfkill->name, name);
3598 + rfkill->ops = ops;
3599 + rfkill->data = ops_data;
3600 +
3601 +diff --git a/net/sctp/auth.c b/net/sctp/auth.c
3602 +index 333926d4d356..075e3537d5b9 100644
3603 +--- a/net/sctp/auth.c
3604 ++++ b/net/sctp/auth.c
3605 +@@ -804,8 +804,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
3606 + if (!has_sha1)
3607 + return -EINVAL;
3608 +
3609 +- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0],
3610 +- hmacs->shmac_num_idents * sizeof(__u16));
3611 ++ for (i = 0; i < hmacs->shmac_num_idents; i++)
3612 ++ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]);
3613 + ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) +
3614 + hmacs->shmac_num_idents * sizeof(__u16));
3615 + return 0;
3616 +diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
3617 +index 3dd7207d33ad..7b285462c88e 100644
3618 +--- a/net/sctp/outqueue.c
3619 ++++ b/net/sctp/outqueue.c
3620 +@@ -1265,6 +1265,7 @@ int sctp_outq_sack(struct sctp_outq *q, struct sctp_sackhdr *sack)
3621 + */
3622 +
3623 + sack_a_rwnd = ntohl(sack->a_rwnd);
3624 ++ asoc->peer.zero_window_announced = !sack_a_rwnd;
3625 + outstanding = q->outstanding_bytes;
3626 +
3627 + if (outstanding < sack_a_rwnd)
3628 +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
3629 +index 5fa033ac59e5..06c75b1a5a21 100644
3630 +--- a/net/sctp/sm_sideeffect.c
3631 ++++ b/net/sctp/sm_sideeffect.c
3632 +@@ -249,11 +249,12 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
3633 + int error;
3634 + struct sctp_transport *transport = (struct sctp_transport *) peer;
3635 + struct sctp_association *asoc = transport->asoc;
3636 ++ struct sock *sk = asoc->base.sk;
3637 +
3638 + /* Check whether a task is in the sock. */
3639 +
3640 +- sctp_bh_lock_sock(asoc->base.sk);
3641 +- if (sock_owned_by_user(asoc->base.sk)) {
3642 ++ sctp_bh_lock_sock(sk);
3643 ++ if (sock_owned_by_user(sk)) {
3644 + SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
3645 +
3646 + /* Try again later. */
3647 +@@ -276,10 +277,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
3648 + transport, GFP_ATOMIC);
3649 +
3650 + if (error)
3651 +- asoc->base.sk->sk_err = -error;
3652 ++ sk->sk_err = -error;
3653 +
3654 + out_unlock:
3655 +- sctp_bh_unlock_sock(asoc->base.sk);
3656 ++ sctp_bh_unlock_sock(sk);
3657 + sctp_transport_put(transport);
3658 + }
3659 +
3660 +@@ -289,10 +290,11 @@ out_unlock:
3661 + static void sctp_generate_timeout_event(struct sctp_association *asoc,
3662 + sctp_event_timeout_t timeout_type)
3663 + {
3664 ++ struct sock *sk = asoc->base.sk;
3665 + int error = 0;
3666 +
3667 +- sctp_bh_lock_sock(asoc->base.sk);
3668 +- if (sock_owned_by_user(asoc->base.sk)) {
3669 ++ sctp_bh_lock_sock(sk);
3670 ++ if (sock_owned_by_user(sk)) {
3671 + SCTP_DEBUG_PRINTK("%s:Sock is busy: timer %d\n",
3672 + __func__,
3673 + timeout_type);
3674 +@@ -316,10 +318,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc,
3675 + (void *)timeout_type, GFP_ATOMIC);
3676 +
3677 + if (error)
3678 +- asoc->base.sk->sk_err = -error;
3679 ++ sk->sk_err = -error;
3680 +
3681 + out_unlock:
3682 +- sctp_bh_unlock_sock(asoc->base.sk);
3683 ++ sctp_bh_unlock_sock(sk);
3684 + sctp_association_put(asoc);
3685 + }
3686 +
3687 +@@ -369,9 +371,10 @@ void sctp_generate_heartbeat_event(unsigned long data)
3688 + int error = 0;
3689 + struct sctp_transport *transport = (struct sctp_transport *) data;
3690 + struct sctp_association *asoc = transport->asoc;
3691 ++ struct sock *sk = asoc->base.sk;
3692 +
3693 +- sctp_bh_lock_sock(asoc->base.sk);
3694 +- if (sock_owned_by_user(asoc->base.sk)) {
3695 ++ sctp_bh_lock_sock(sk);
3696 ++ if (sock_owned_by_user(sk)) {
3697 + SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
3698 +
3699 + /* Try again later. */
3700 +@@ -392,10 +395,10 @@ void sctp_generate_heartbeat_event(unsigned long data)
3701 + transport, GFP_ATOMIC);
3702 +
3703 + if (error)
3704 +- asoc->base.sk->sk_err = -error;
3705 ++ sk->sk_err = -error;
3706 +
3707 + out_unlock:
3708 +- sctp_bh_unlock_sock(asoc->base.sk);
3709 ++ sctp_bh_unlock_sock(sk);
3710 + sctp_transport_put(transport);
3711 + }
3712 +
3713 +@@ -406,9 +409,10 @@ void sctp_generate_proto_unreach_event(unsigned long data)
3714 + {
3715 + struct sctp_transport *transport = (struct sctp_transport *) data;
3716 + struct sctp_association *asoc = transport->asoc;
3717 ++ struct sock *sk = asoc->base.sk;
3718 +
3719 +- sctp_bh_lock_sock(asoc->base.sk);
3720 +- if (sock_owned_by_user(asoc->base.sk)) {
3721 ++ sctp_bh_lock_sock(sk);
3722 ++ if (sock_owned_by_user(sk)) {
3723 + SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
3724 +
3725 + /* Try again later. */
3726 +@@ -429,7 +433,7 @@ void sctp_generate_proto_unreach_event(unsigned long data)
3727 + asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC);
3728 +
3729 + out_unlock:
3730 +- sctp_bh_unlock_sock(asoc->base.sk);
3731 ++ sctp_bh_unlock_sock(sk);
3732 + sctp_association_put(asoc);
3733 + }
3734 +
3735 +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
3736 +index a6a300630af4..5de7200f07a7 100644
3737 +--- a/net/sctp/sm_statefuns.c
3738 ++++ b/net/sctp/sm_statefuns.c
3739 +@@ -5299,7 +5299,8 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
3740 + SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);
3741 +
3742 + if (asoc->overall_error_count >= asoc->max_retrans) {
3743 +- if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
3744 ++ if (asoc->peer.zero_window_announced &&
3745 ++ asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
3746 + /*
3747 + * We are here likely because the receiver had its rwnd
3748 + * closed for a while and we have not been able to
3749 +diff --git a/net/socket.c b/net/socket.c
3750 +index f5ce151e0e3b..1769abc1dd55 100644
3751 +--- a/net/socket.c
3752 ++++ b/net/socket.c
3753 +@@ -2332,31 +2332,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
3754 + break;
3755 + }
3756 +
3757 +-out_put:
3758 +- fput_light(sock->file, fput_needed);
3759 +-
3760 + if (err == 0)
3761 +- return datagrams;
3762 ++ goto out_put;
3763 +
3764 +- if (datagrams != 0) {
3765 ++ if (datagrams == 0) {
3766 ++ datagrams = err;
3767 ++ goto out_put;
3768 ++ }
3769 ++
3770 ++ /*
3771 ++ * We may return less entries than requested (vlen) if the
3772 ++ * sock is non block and there aren't enough datagrams...
3773 ++ */
3774 ++ if (err != -EAGAIN) {
3775 + /*
3776 +- * We may return less entries than requested (vlen) if the
3777 +- * sock is non block and there aren't enough datagrams...
3778 ++ * ... or if recvmsg returns an error after we
3779 ++ * received some datagrams, where we record the
3780 ++ * error to return on the next call or if the
3781 ++ * app asks about it using getsockopt(SO_ERROR).
3782 + */
3783 +- if (err != -EAGAIN) {
3784 +- /*
3785 +- * ... or if recvmsg returns an error after we
3786 +- * received some datagrams, where we record the
3787 +- * error to return on the next call or if the
3788 +- * app asks about it using getsockopt(SO_ERROR).
3789 +- */
3790 +- sock->sk->sk_err = -err;
3791 +- }
3792 +-
3793 +- return datagrams;
3794 ++ sock->sk->sk_err = -err;
3795 + }
3796 ++out_put:
3797 ++ fput_light(sock->file, fput_needed);
3798 +
3799 +- return err;
3800 ++ return datagrams;
3801 + }
3802 +
3803 + SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
3804 +diff --git a/net/unix/garbage.c b/net/unix/garbage.c
3805 +index b6f4b994eb35..00d3e5678599 100644
3806 +--- a/net/unix/garbage.c
3807 ++++ b/net/unix/garbage.c
3808 +@@ -185,7 +185,7 @@ static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
3809 + * have been added to the queues after
3810 + * starting the garbage collection
3811 + */
3812 +- if (u->gc_candidate) {
3813 ++ if (test_bit(UNIX_GC_CANDIDATE, &u->gc_flags)) {
3814 + hit = true;
3815 + func(u);
3816 + }
3817 +@@ -254,7 +254,7 @@ static void inc_inflight_move_tail(struct unix_sock *u)
3818 + * of the list, so that it's checked even if it was already
3819 + * passed over
3820 + */
3821 +- if (u->gc_maybe_cycle)
3822 ++ if (test_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags))
3823 + list_move_tail(&u->link, &gc_candidates);
3824 + }
3825 +
3826 +@@ -315,8 +315,8 @@ void unix_gc(void)
3827 + BUG_ON(total_refs < inflight_refs);
3828 + if (total_refs == inflight_refs) {
3829 + list_move_tail(&u->link, &gc_candidates);
3830 +- u->gc_candidate = 1;
3831 +- u->gc_maybe_cycle = 1;
3832 ++ __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags);
3833 ++ __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags);
3834 + }
3835 + }
3836 +
3837 +@@ -344,7 +344,7 @@ void unix_gc(void)
3838 +
3839 + if (atomic_long_read(&u->inflight) > 0) {
3840 + list_move_tail(&u->link, &not_cycle_list);
3841 +- u->gc_maybe_cycle = 0;
3842 ++ __clear_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags);
3843 + scan_children(&u->sk, inc_inflight_move_tail, NULL);
3844 + }
3845 + }
3846 +@@ -356,7 +356,7 @@ void unix_gc(void)
3847 + */
3848 + while (!list_empty(&not_cycle_list)) {
3849 + u = list_entry(not_cycle_list.next, struct unix_sock, link);
3850 +- u->gc_candidate = 0;
3851 ++ __clear_bit(UNIX_GC_CANDIDATE, &u->gc_flags);
3852 + list_move_tail(&u->link, &gc_inflight_list);
3853 + }
3854 +
3855 +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
3856 +index ee52cb8e17ad..0d5ae4a0f20c 100644
3857 +--- a/scripts/recordmcount.c
3858 ++++ b/scripts/recordmcount.c
3859 +@@ -35,12 +35,17 @@
3860 +
3861 + static int fd_map; /* File descriptor for file being modified. */
3862 + static int mmap_failed; /* Boolean flag. */
3863 +-static void *ehdr_curr; /* current ElfXX_Ehdr * for resource cleanup */
3864 + static char gpfx; /* prefix for global symbol name (sometimes '_') */
3865 + static struct stat sb; /* Remember .st_size, etc. */
3866 + static jmp_buf jmpenv; /* setjmp/longjmp per-file error escape */
3867 + static const char *altmcount; /* alternate mcount symbol name */
3868 + static int warn_on_notrace_sect; /* warn when section has mcount not being recorded */
3869 ++static void *file_map; /* pointer of the mapped file */
3870 ++static void *file_end; /* pointer to the end of the mapped file */
3871 ++static int file_updated; /* flag to state file was changed */
3872 ++static void *file_ptr; /* current file pointer location */
3873 ++static void *file_append; /* added to the end of the file */
3874 ++static size_t file_append_size; /* how much is added to end of file */
3875 +
3876 + /* setjmp() return values */
3877 + enum {
3878 +@@ -54,10 +59,14 @@ static void
3879 + cleanup(void)
3880 + {
3881 + if (!mmap_failed)
3882 +- munmap(ehdr_curr, sb.st_size);
3883 ++ munmap(file_map, sb.st_size);
3884 + else
3885 +- free(ehdr_curr);
3886 +- close(fd_map);
3887 ++ free(file_map);
3888 ++ file_map = NULL;
3889 ++ free(file_append);
3890 ++ file_append = NULL;
3891 ++ file_append_size = 0;
3892 ++ file_updated = 0;
3893 + }
3894 +
3895 + static void __attribute__((noreturn))
3896 +@@ -79,12 +88,22 @@ succeed_file(void)
3897 + static off_t
3898 + ulseek(int const fd, off_t const offset, int const whence)
3899 + {
3900 +- off_t const w = lseek(fd, offset, whence);
3901 +- if (w == (off_t)-1) {
3902 +- perror("lseek");
3903 ++ switch (whence) {
3904 ++ case SEEK_SET:
3905 ++ file_ptr = file_map + offset;
3906 ++ break;
3907 ++ case SEEK_CUR:
3908 ++ file_ptr += offset;
3909 ++ break;
3910 ++ case SEEK_END:
3911 ++ file_ptr = file_map + (sb.st_size - offset);
3912 ++ break;
3913 ++ }
3914 ++ if (file_ptr < file_map) {
3915 ++ fprintf(stderr, "lseek: seek before file\n");
3916 + fail_file();
3917 + }
3918 +- return w;
3919 ++ return file_ptr - file_map;
3920 + }
3921 +
3922 + static size_t
3923 +@@ -101,12 +120,38 @@ uread(int const fd, void *const buf, size_t const count)
3924 + static size_t
3925 + uwrite(int const fd, void const *const buf, size_t const count)
3926 + {
3927 +- size_t const n = write(fd, buf, count);
3928 +- if (n != count) {
3929 +- perror("write");
3930 +- fail_file();
3931 ++ size_t cnt = count;
3932 ++ off_t idx = 0;
3933 ++
3934 ++ file_updated = 1;
3935 ++
3936 ++ if (file_ptr + count >= file_end) {
3937 ++ off_t aoffset = (file_ptr + count) - file_end;
3938 ++
3939 ++ if (aoffset > file_append_size) {
3940 ++ file_append = realloc(file_append, aoffset);
3941 ++ file_append_size = aoffset;
3942 ++ }
3943 ++ if (!file_append) {
3944 ++ perror("write");
3945 ++ fail_file();
3946 ++ }
3947 ++ if (file_ptr < file_end) {
3948 ++ cnt = file_end - file_ptr;
3949 ++ } else {
3950 ++ cnt = 0;
3951 ++ idx = aoffset - count;
3952 ++ }
3953 + }
3954 +- return n;
3955 ++
3956 ++ if (cnt)
3957 ++ memcpy(file_ptr, buf, cnt);
3958 ++
3959 ++ if (cnt < count)
3960 ++ memcpy(file_append + idx, buf + cnt, count - cnt);
3961 ++
3962 ++ file_ptr += count;
3963 ++ return count;
3964 + }
3965 +
3966 + static void *
3967 +@@ -163,9 +208,7 @@ static int make_nop_x86(void *map, size_t const offset)
3968 + */
3969 + static void *mmap_file(char const *fname)
3970 + {
3971 +- void *addr;
3972 +-
3973 +- fd_map = open(fname, O_RDWR);
3974 ++ fd_map = open(fname, O_RDONLY);
3975 + if (fd_map < 0 || fstat(fd_map, &sb) < 0) {
3976 + perror(fname);
3977 + fail_file();
3978 +@@ -174,15 +217,58 @@ static void *mmap_file(char const *fname)
3979 + fprintf(stderr, "not a regular file: %s\n", fname);
3980 + fail_file();
3981 + }
3982 +- addr = mmap(0, sb.st_size, PROT_READ|PROT_WRITE, MAP_PRIVATE,
3983 +- fd_map, 0);
3984 ++ file_map = mmap(0, sb.st_size, PROT_READ|PROT_WRITE, MAP_PRIVATE,
3985 ++ fd_map, 0);
3986 + mmap_failed = 0;
3987 +- if (addr == MAP_FAILED) {
3988 ++ if (file_map == MAP_FAILED) {
3989 + mmap_failed = 1;
3990 +- addr = umalloc(sb.st_size);
3991 +- uread(fd_map, addr, sb.st_size);
3992 ++ file_map = umalloc(sb.st_size);
3993 ++ uread(fd_map, file_map, sb.st_size);
3994 ++ }
3995 ++ close(fd_map);
3996 ++
3997 ++ file_end = file_map + sb.st_size;
3998 ++
3999 ++ return file_map;
4000 ++}
4001 ++
4002 ++static void write_file(const char *fname)
4003 ++{
4004 ++ char tmp_file[strlen(fname) + 4];
4005 ++ size_t n;
4006 ++
4007 ++ if (!file_updated)
4008 ++ return;
4009 ++
4010 ++ sprintf(tmp_file, "%s.rc", fname);
4011 ++
4012 ++ /*
4013 ++ * After reading the entire file into memory, delete it
4014 ++ * and write it back, to prevent weird side effects of modifying
4015 ++ * an object file in place.
4016 ++ */
4017 ++ fd_map = open(tmp_file, O_WRONLY | O_TRUNC | O_CREAT, sb.st_mode);
4018 ++ if (fd_map < 0) {
4019 ++ perror(fname);
4020 ++ fail_file();
4021 ++ }
4022 ++ n = write(fd_map, file_map, sb.st_size);
4023 ++ if (n != sb.st_size) {
4024 ++ perror("write");
4025 ++ fail_file();
4026 ++ }
4027 ++ if (file_append_size) {
4028 ++ n = write(fd_map, file_append, file_append_size);
4029 ++ if (n != file_append_size) {
4030 ++ perror("write");
4031 ++ fail_file();
4032 ++ }
4033 ++ }
4034 ++ close(fd_map);
4035 ++ if (rename(tmp_file, fname) < 0) {
4036 ++ perror(fname);
4037 ++ fail_file();
4038 + }
4039 +- return addr;
4040 + }
4041 +
4042 + /* w8rev, w8nat, ...: Handle endianness. */
4043 +@@ -289,7 +375,6 @@ do_file(char const *const fname)
4044 + Elf32_Ehdr *const ehdr = mmap_file(fname);
4045 + unsigned int reltype = 0;
4046 +
4047 +- ehdr_curr = ehdr;
4048 + w = w4nat;
4049 + w2 = w2nat;
4050 + w8 = w8nat;
4051 +@@ -401,6 +486,7 @@ do_file(char const *const fname)
4052 + }
4053 + } /* end switch */
4054 +
4055 ++ write_file(fname);
4056 + cleanup();
4057 + }
4058 +
4059 +@@ -453,11 +539,14 @@ main(int argc, char *argv[])
4060 + case SJ_SETJMP: /* normal sequence */
4061 + /* Avoid problems if early cleanup() */
4062 + fd_map = -1;
4063 +- ehdr_curr = NULL;
4064 + mmap_failed = 1;
4065 ++ file_map = NULL;
4066 ++ file_ptr = NULL;
4067 ++ file_updated = 0;
4068 + do_file(file);
4069 + break;
4070 + case SJ_FAIL: /* error in do_file or below */
4071 ++ fprintf(stderr, "%s: failed\n", file);
4072 + ++n_error;
4073 + break;
4074 + case SJ_SUCCEED: /* premature success */
4075 +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
4076 +index 5e29610303b0..799d73483fb2 100644
4077 +--- a/scripts/recordmcount.h
4078 ++++ b/scripts/recordmcount.h
4079 +@@ -375,7 +375,7 @@ static void nop_mcount(Elf_Shdr const *const relhdr,
4080 +
4081 + if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) {
4082 + if (make_nop)
4083 +- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset);
4084 ++ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset));
4085 + if (warn_on_notrace_sect && !once) {
4086 + printf("Section %s has mcount callers being ignored\n",
4087 + txtname);
4088 +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
4089 +index dfc8c229e355..0ba68b18d696 100644
4090 +--- a/security/keys/keyctl.c
4091 ++++ b/security/keys/keyctl.c
4092 +@@ -702,16 +702,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
4093 +
4094 + /* the key is probably readable - now try to read it */
4095 + can_read_key:
4096 +- ret = key_validate(key);
4097 +- if (ret == 0) {
4098 +- ret = -EOPNOTSUPP;
4099 +- if (key->type->read) {
4100 +- /* read the data with the semaphore held (since we
4101 +- * might sleep) */
4102 +- down_read(&key->sem);
4103 ++ ret = -EOPNOTSUPP;
4104 ++ if (key->type->read) {
4105 ++ /* Read the data with the semaphore held (since we might sleep)
4106 ++ * to protect against the key being updated or revoked.
4107 ++ */
4108 ++ down_read(&key->sem);
4109 ++ ret = key_validate(key);
4110 ++ if (ret == 0)
4111 + ret = key->type->read(key, buffer, buflen);
4112 +- up_read(&key->sem);
4113 +- }
4114 ++ up_read(&key->sem);
4115 + }
4116 +
4117 + error2:
4118 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
4119 +index f461737e4e6c..833d8355a92d 100644
4120 +--- a/sound/pci/hda/hda_intel.c
4121 ++++ b/sound/pci/hda/hda_intel.c
4122 +@@ -3144,11 +3144,13 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
4123 + .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
4124 + .class_mask = 0xffffff,
4125 + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND |
4126 ++ AZX_DCAPS_NO_64BIT |
4127 + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB },
4128 + #else
4129 + /* this entry seems still valid -- i.e. without emu20kx chip */
4130 + { PCI_DEVICE(0x1102, 0x0009),
4131 + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND |
4132 ++ AZX_DCAPS_NO_64BIT |
4133 + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB },
4134 + #endif
4135 + /* Vortex86MX */
4136 +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
4137 +index 606f87aa24d9..247b1a155354 100644
4138 +--- a/sound/pci/hda/patch_sigmatel.c
4139 ++++ b/sound/pci/hda/patch_sigmatel.c
4140 +@@ -4932,6 +4932,7 @@ static int find_mute_led_cfg(struct hda_codec *codec, int default_polarity)
4141 + static int hp_blike_system(u32 subsystem_id)
4142 + {
4143 + switch (subsystem_id) {
4144 ++ case 0x103c1473: /* HP ProBook 6550b */
4145 + case 0x103c1520:
4146 + case 0x103c1521:
4147 + case 0x103c1523:
4148 +diff --git a/sound/pci/rme96.c b/sound/pci/rme96.c
4149 +index ba894158e76c..03eb085d5066 100644
4150 +--- a/sound/pci/rme96.c
4151 ++++ b/sound/pci/rme96.c
4152 +@@ -704,10 +704,11 @@ snd_rme96_playback_setrate(struct rme96 *rme96,
4153 + {
4154 + /* change to/from double-speed: reset the DAC (if available) */
4155 + snd_rme96_reset_dac(rme96);
4156 ++ return 1; /* need to restore volume */
4157 + } else {
4158 + writel(rme96->wcreg, rme96->iobase + RME96_IO_CONTROL_REGISTER);
4159 ++ return 0;
4160 + }
4161 +- return 0;
4162 + }
4163 +
4164 + static int
4165 +@@ -945,6 +946,7 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream,
4166 + struct rme96 *rme96 = snd_pcm_substream_chip(substream);
4167 + struct snd_pcm_runtime *runtime = substream->runtime;
4168 + int err, rate, dummy;
4169 ++ bool apply_dac_volume = false;
4170 +
4171 + runtime->dma_area = (void __force *)(rme96->iobase +
4172 + RME96_IO_PLAY_BUFFER);
4173 +@@ -958,24 +960,26 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream,
4174 + {
4175 + /* slave clock */
4176 + if ((int)params_rate(params) != rate) {
4177 +- spin_unlock_irq(&rme96->lock);
4178 +- return -EIO;
4179 +- }
4180 +- } else if ((err = snd_rme96_playback_setrate(rme96, params_rate(params))) < 0) {
4181 +- spin_unlock_irq(&rme96->lock);
4182 +- return err;
4183 +- }
4184 +- if ((err = snd_rme96_playback_setformat(rme96, params_format(params))) < 0) {
4185 +- spin_unlock_irq(&rme96->lock);
4186 +- return err;
4187 ++ err = -EIO;
4188 ++ goto error;
4189 ++ }
4190 ++ } else {
4191 ++ err = snd_rme96_playback_setrate(rme96, params_rate(params));
4192 ++ if (err < 0)
4193 ++ goto error;
4194 ++ apply_dac_volume = err > 0; /* need to restore volume later? */
4195 + }
4196 ++
4197 ++ err = snd_rme96_playback_setformat(rme96, params_format(params));
4198 ++ if (err < 0)
4199 ++ goto error;
4200 + snd_rme96_setframelog(rme96, params_channels(params), 1);
4201 + if (rme96->capture_periodsize != 0) {
4202 + if (params_period_size(params) << rme96->playback_frlog !=
4203 + rme96->capture_periodsize)
4204 + {
4205 +- spin_unlock_irq(&rme96->lock);
4206 +- return -EBUSY;
4207 ++ err = -EBUSY;
4208 ++ goto error;
4209 + }
4210 + }
4211 + rme96->playback_periodsize =
4212 +@@ -986,9 +990,16 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream,
4213 + rme96->wcreg &= ~(RME96_WCR_PRO | RME96_WCR_DOLBY | RME96_WCR_EMP);
4214 + writel(rme96->wcreg |= rme96->wcreg_spdif_stream, rme96->iobase + RME96_IO_CONTROL_REGISTER);
4215 + }
4216 ++
4217 ++ err = 0;
4218 ++ error:
4219 + spin_unlock_irq(&rme96->lock);
4220 +-
4221 +- return 0;
4222 ++ if (apply_dac_volume) {
4223 ++ usleep_range(3000, 10000);
4224 ++ snd_rme96_apply_dac_volume(rme96);
4225 ++ }
4226 ++
4227 ++ return err;
4228 + }
4229 +
4230 + static int
4231 +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
4232 +index 451ec4800f4e..fd06baaeee01 100644
4233 +--- a/sound/soc/codecs/wm8962.c
4234 ++++ b/sound/soc/codecs/wm8962.c
4235 +@@ -363,8 +363,8 @@ static struct reg_default wm8962_reg[] = {
4236 + { 16924, 0x0059 }, /* R16924 - HDBASS_PG_1 */
4237 + { 16925, 0x999A }, /* R16925 - HDBASS_PG_0 */
4238 +
4239 +- { 17048, 0x0083 }, /* R17408 - HPF_C_1 */
4240 +- { 17049, 0x98AD }, /* R17409 - HPF_C_0 */
4241 ++ { 17408, 0x0083 }, /* R17408 - HPF_C_1 */
4242 ++ { 17409, 0x98AD }, /* R17409 - HPF_C_0 */
4243 +
4244 + { 17920, 0x007F }, /* R17920 - ADCL_RETUNE_C1_1 */
4245 + { 17921, 0xFFFF }, /* R17921 - ADCL_RETUNE_C1_0 */
4246 +diff --git a/sound/usb/midi.c b/sound/usb/midi.c
4247 +index de86e7487def..075f32483769 100644
4248 +--- a/sound/usb/midi.c
4249 ++++ b/sound/usb/midi.c
4250 +@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint {
4251 + u8 running_status_length;
4252 + } ports[0x10];
4253 + u8 seen_f5;
4254 ++ bool in_sysex;
4255 ++ u8 last_cin;
4256 + u8 error_resubmit;
4257 + int current_port;
4258 + };
4259 +@@ -465,6 +467,39 @@ static void snd_usbmidi_maudio_broken_running_status_input(
4260 + }
4261 +
4262 + /*
4263 ++ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4
4264 ++ * but the previously seen CIN, but still with three data bytes.
4265 ++ */
4266 ++static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
4267 ++ uint8_t *buffer, int buffer_length)
4268 ++{
4269 ++ unsigned int i, cin, length;
4270 ++
4271 ++ for (i = 0; i + 3 < buffer_length; i += 4) {
4272 ++ if (buffer[i] == 0 && i > 0)
4273 ++ break;
4274 ++ cin = buffer[i] & 0x0f;
4275 ++ if (ep->in_sysex &&
4276 ++ cin == ep->last_cin &&
4277 ++ (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0)
4278 ++ cin = 0x4;
4279 ++#if 0
4280 ++ if (buffer[i + 1] == 0x90) {
4281 ++ /*
4282 ++ * Either a corrupted running status or a real note-on
4283 ++ * message; impossible to detect reliably.
4284 ++ */
4285 ++ }
4286 ++#endif
4287 ++ length = snd_usbmidi_cin_length[cin];
4288 ++ snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length);
4289 ++ ep->in_sysex = cin == 0x4;
4290 ++ if (!ep->in_sysex)
4291 ++ ep->last_cin = cin;
4292 ++ }
4293 ++}
4294 ++
4295 ++/*
4296 + * CME protocol: like the standard protocol, but SysEx commands are sent as a
4297 + * single USB packet preceded by a 0x0F byte.
4298 + */
4299 +@@ -650,6 +685,12 @@ static struct usb_protocol_ops snd_usbmidi_cme_ops = {
4300 + .output_packet = snd_usbmidi_output_standard_packet,
4301 + };
4302 +
4303 ++static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = {
4304 ++ .input = ch345_broken_sysex_input,
4305 ++ .output = snd_usbmidi_standard_output,
4306 ++ .output_packet = snd_usbmidi_output_standard_packet,
4307 ++};
4308 ++
4309 + /*
4310 + * AKAI MPD16 protocol:
4311 + *
4312 +@@ -1326,6 +1367,7 @@ static int snd_usbmidi_out_endpoint_create(struct snd_usb_midi* umidi,
4313 + * Various chips declare a packet size larger than 4 bytes, but
4314 + * do not actually work with larger packets:
4315 + */
4316 ++ case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */
4317 + case USB_ID(0x0a92, 0x1020): /* ESI M4U */
4318 + case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */
4319 + case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */
4320 +@@ -2214,6 +2256,10 @@ int snd_usbmidi_create(struct snd_card *card,
4321 +
4322 + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
4323 + break;
4324 ++ case QUIRK_MIDI_CH345:
4325 ++ umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops;
4326 ++ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
4327 ++ break;
4328 + default:
4329 + snd_printd(KERN_ERR "invalid quirk type %d\n", quirk->type);
4330 + err = -ENXIO;
4331 +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
4332 +index 4cebbf7f6ad1..862ed16a7e8e 100644
4333 +--- a/sound/usb/quirks-table.h
4334 ++++ b/sound/usb/quirks-table.h
4335 +@@ -2689,6 +2689,17 @@ YAMAHA_DEVICE(0x7010, "UB99"),
4336 + .idProduct = 0x1020,
4337 + },
4338 +
4339 ++/* QinHeng devices */
4340 ++{
4341 ++ USB_DEVICE(0x1a86, 0x752d),
4342 ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
4343 ++ .vendor_name = "QinHeng",
4344 ++ .product_name = "CH345",
4345 ++ .ifnum = 1,
4346 ++ .type = QUIRK_MIDI_CH345
4347 ++ }
4348 ++},
4349 ++
4350 + /* KeithMcMillen Stringport */
4351 + {
4352 + USB_DEVICE(0x1f38, 0x0001),
4353 +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
4354 +index 9c82f8b67a61..b01d3cf3759e 100644
4355 +--- a/sound/usb/quirks.c
4356 ++++ b/sound/usb/quirks.c
4357 +@@ -311,6 +311,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
4358 + [QUIRK_MIDI_CME] = create_any_midi_quirk,
4359 + [QUIRK_MIDI_AKAI] = create_any_midi_quirk,
4360 + [QUIRK_MIDI_FTDI] = create_any_midi_quirk,
4361 ++ [QUIRK_MIDI_CH345] = create_any_midi_quirk,
4362 + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk,
4363 + [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk,
4364 + [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk,
4365 +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
4366 +index 6c805a51d7d7..5e0e58adfcdb 100644
4367 +--- a/sound/usb/usbaudio.h
4368 ++++ b/sound/usb/usbaudio.h
4369 +@@ -81,6 +81,7 @@ enum quirk_type {
4370 + QUIRK_MIDI_AKAI,
4371 + QUIRK_MIDI_US122L,
4372 + QUIRK_MIDI_FTDI,
4373 ++ QUIRK_MIDI_CH345,
4374 + QUIRK_AUDIO_STANDARD_INTERFACE,
4375 + QUIRK_AUDIO_FIXED_ENDPOINT,
4376 + QUIRK_AUDIO_EDIROL_UAXX,
Report Message
Find on MARC Find on Google Groups