Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Thu, 27 Jan 2022 11:41:50
Message-Id: 1643283693.6e79f651605de012d8a78a3dde1bab966017a0cb.mpagano@gentoo
1 commit: 6e79f651605de012d8a78a3dde1bab966017a0cb
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jan 27 11:41:33 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 27 11:41:33 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=6e79f651
7
8 Linux patch 4.9.298
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1297_linux-4.9.298.patch | 4800 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4804 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 124bfa64..52cd88fb 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1231,6 +1231,10 @@ Patch: 1296_linux-4.9.297.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.297
23
24 +Patch: 1297_linux-4.9.298.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.298
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1297_linux-4.9.298.patch b/1297_linux-4.9.298.patch
33 new file mode 100644
34 index 00000000..26807c93
35 --- /dev/null
36 +++ b/1297_linux-4.9.298.patch
37 @@ -0,0 +1,4800 @@
38 +diff --git a/Documentation/rbtree.txt b/Documentation/rbtree.txt
39 +index b9d9cc57be189..9fedfedfd85fc 100644
40 +--- a/Documentation/rbtree.txt
41 ++++ b/Documentation/rbtree.txt
42 +@@ -190,6 +190,39 @@ Example:
43 + for (node = rb_first(&mytree); node; node = rb_next(node))
44 + printk("key=%s\n", rb_entry(node, struct mytype, node)->keystring);
45 +
46 ++Cached rbtrees
47 ++--------------
48 ++
49 ++Computing the leftmost (smallest) node is quite a common task for binary
50 ++search trees, such as for traversals or users relying on a the particular
51 ++order for their own logic. To this end, users can use 'struct rb_root_cached'
52 ++to optimize O(logN) rb_first() calls to a simple pointer fetch avoiding
53 ++potentially expensive tree iterations. This is done at negligible runtime
54 ++overhead for maintanence; albeit larger memory footprint.
55 ++
56 ++Similar to the rb_root structure, cached rbtrees are initialized to be
57 ++empty via:
58 ++
59 ++ struct rb_root_cached mytree = RB_ROOT_CACHED;
60 ++
61 ++Cached rbtree is simply a regular rb_root with an extra pointer to cache the
62 ++leftmost node. This allows rb_root_cached to exist wherever rb_root does,
63 ++which permits augmented trees to be supported as well as only a few extra
64 ++interfaces:
65 ++
66 ++ struct rb_node *rb_first_cached(struct rb_root_cached *tree);
67 ++ void rb_insert_color_cached(struct rb_node *, struct rb_root_cached *, bool);
68 ++ void rb_erase_cached(struct rb_node *node, struct rb_root_cached *);
69 ++
70 ++Both insert and erase calls have their respective counterpart of augmented
71 ++trees:
72 ++
73 ++ void rb_insert_augmented_cached(struct rb_node *node, struct rb_root_cached *,
74 ++ bool, struct rb_augment_callbacks *);
75 ++ void rb_erase_augmented_cached(struct rb_node *, struct rb_root_cached *,
76 ++ struct rb_augment_callbacks *);
77 ++
78 ++
79 + Support for Augmented rbtrees
80 + -----------------------------
81 +
82 +diff --git a/Makefile b/Makefile
83 +index 70a11157b2404..b0f683f18df71 100644
84 +--- a/Makefile
85 ++++ b/Makefile
86 +@@ -1,6 +1,6 @@
87 + VERSION = 4
88 + PATCHLEVEL = 9
89 +-SUBLEVEL = 297
90 ++SUBLEVEL = 298
91 + EXTRAVERSION =
92 + NAME = Roaring Lionus
93 +
94 +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
95 +index c2557cf43b3dc..d8bf83d732be3 100644
96 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
97 ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
98 +@@ -25,8 +25,8 @@
99 + #size-cells = <2>;
100 +
101 + aliases {
102 +- sdhc1 = &sdhc_1; /* SDC1 eMMC slot */
103 +- sdhc2 = &sdhc_2; /* SDC2 SD card slot */
104 ++ mmc0 = &sdhc_1; /* SDC1 eMMC slot */
105 ++ mmc1 = &sdhc_2; /* SDC2 SD card slot */
106 + };
107 +
108 + chosen { };
109 +diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
110 +index 4f375050ab8e9..3be875a45c834 100644
111 +--- a/arch/mips/bcm63xx/clk.c
112 ++++ b/arch/mips/bcm63xx/clk.c
113 +@@ -342,6 +342,12 @@ struct clk *clk_get_parent(struct clk *clk)
114 + }
115 + EXPORT_SYMBOL(clk_get_parent);
116 +
117 ++int clk_set_parent(struct clk *clk, struct clk *parent)
118 ++{
119 ++ return 0;
120 ++}
121 ++EXPORT_SYMBOL(clk_set_parent);
122 ++
123 + unsigned long clk_get_rate(struct clk *clk)
124 + {
125 + return clk->rate;
126 +diff --git a/arch/mips/include/asm/octeon/cvmx-bootinfo.h b/arch/mips/include/asm/octeon/cvmx-bootinfo.h
127 +index 62787765575ef..ce6e5fddce0bf 100644
128 +--- a/arch/mips/include/asm/octeon/cvmx-bootinfo.h
129 ++++ b/arch/mips/include/asm/octeon/cvmx-bootinfo.h
130 +@@ -315,7 +315,7 @@ enum cvmx_chip_types_enum {
131 +
132 + /* Functions to return string based on type */
133 + #define ENUM_BRD_TYPE_CASE(x) \
134 +- case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */
135 ++ case x: return (&#x[16]); /* Skip CVMX_BOARD_TYPE_ */
136 + static inline const char *cvmx_board_type_to_string(enum
137 + cvmx_board_types_enum type)
138 + {
139 +@@ -404,7 +404,7 @@ static inline const char *cvmx_board_type_to_string(enum
140 + }
141 +
142 + #define ENUM_CHIP_TYPE_CASE(x) \
143 +- case x: return(#x + 15); /* Skip CVMX_CHIP_TYPE */
144 ++ case x: return (&#x[15]); /* Skip CVMX_CHIP_TYPE */
145 + static inline const char *cvmx_chip_type_to_string(enum
146 + cvmx_chip_types_enum type)
147 + {
148 +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c
149 +index 149f0513c4f5d..d1de57b86683c 100644
150 +--- a/arch/mips/lantiq/clk.c
151 ++++ b/arch/mips/lantiq/clk.c
152 +@@ -165,6 +165,12 @@ struct clk *of_clk_get_from_provider(struct of_phandle_args *clkspec)
153 + return NULL;
154 + }
155 +
156 ++int clk_set_parent(struct clk *clk, struct clk *parent)
157 ++{
158 ++ return 0;
159 ++}
160 ++EXPORT_SYMBOL(clk_set_parent);
161 ++
162 + static inline u32 get_counter_resolution(void)
163 + {
164 + u32 res;
165 +diff --git a/arch/mips/mm/gup.c b/arch/mips/mm/gup.c
166 +index d8c3c159289a2..71a19d20bbb7a 100644
167 +--- a/arch/mips/mm/gup.c
168 ++++ b/arch/mips/mm/gup.c
169 +@@ -271,7 +271,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
170 + next = pgd_addr_end(addr, end);
171 + if (pgd_none(pgd))
172 + goto slow;
173 +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
174 ++ /*
175 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
176 ++ * because get_user_pages() may need to cause an early COW in
177 ++ * order to avoid confusing the normal COW routines. So only
178 ++ * targets that are already writable are safe to do by just
179 ++ * looking at the page tables.
180 ++ */
181 ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
182 + goto slow;
183 + } while (pgdp++, addr = next, addr != end);
184 + local_irq_enable();
185 +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
186 +index 11c91697d5f9e..5b41779de2337 100644
187 +--- a/arch/parisc/kernel/traps.c
188 ++++ b/arch/parisc/kernel/traps.c
189 +@@ -793,7 +793,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
190 + * unless pagefault_disable() was called before.
191 + */
192 +
193 +- if (fault_space == 0 && !faulthandler_disabled())
194 ++ if (faulthandler_disabled() || fault_space == 0)
195 + {
196 + /* Clean up and return if in exception table. */
197 + if (fixup_exception(regs))
198 +diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi
199 +index 7f60b60601764..39b1c1fa0c81f 100644
200 +--- a/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi
201 ++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi
202 +@@ -78,6 +78,7 @@ fman0: fman@400000 {
203 + #size-cells = <0>;
204 + compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio";
205 + reg = <0xfc000 0x1000>;
206 ++ fsl,erratum-a009885;
207 + };
208 +
209 + xmdio0: mdio@fd000 {
210 +@@ -85,6 +86,7 @@ fman0: fman@400000 {
211 + #size-cells = <0>;
212 + compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio";
213 + reg = <0xfd000 0x1000>;
214 ++ fsl,erratum-a009885;
215 + };
216 +
217 + ptp_timer0: ptp-timer@fe000 {
218 +diff --git a/arch/powerpc/kernel/btext.c b/arch/powerpc/kernel/btext.c
219 +index 8275858a434d9..2d91ba38b4524 100644
220 +--- a/arch/powerpc/kernel/btext.c
221 ++++ b/arch/powerpc/kernel/btext.c
222 +@@ -257,8 +257,10 @@ int __init btext_find_display(int allow_nonstdout)
223 + rc = btext_initialize(np);
224 + printk("result: %d\n", rc);
225 + }
226 +- if (rc == 0)
227 ++ if (rc == 0) {
228 ++ of_node_put(np);
229 + break;
230 ++ }
231 + }
232 + return rc;
233 + }
234 +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
235 +index 1e8c57207346e..df3af10b8cc95 100644
236 +--- a/arch/powerpc/kernel/prom_init.c
237 ++++ b/arch/powerpc/kernel/prom_init.c
238 +@@ -2528,7 +2528,7 @@ static void __init fixup_device_tree_efika_add_phy(void)
239 +
240 + /* Check if the phy-handle property exists - bail if it does */
241 + rv = prom_getprop(node, "phy-handle", prop, sizeof(prop));
242 +- if (!rv)
243 ++ if (rv <= 0)
244 + return;
245 +
246 + /*
247 +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
248 +index 9c6f3fd580597..31675c1d678b6 100644
249 +--- a/arch/powerpc/kernel/smp.c
250 ++++ b/arch/powerpc/kernel/smp.c
251 +@@ -759,10 +759,12 @@ void start_secondary(void *unused)
252 + BUG();
253 + }
254 +
255 ++#ifdef CONFIG_PROFILING
256 + int setup_profiling_timer(unsigned int multiplier)
257 + {
258 + return 0;
259 + }
260 ++#endif
261 +
262 + #ifdef CONFIG_SCHED_SMT
263 + /* cpumask of CPUs with asymetric SMT dependancy */
264 +diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c
265 +index 7ff51f96a00e8..8df43781f5db9 100644
266 +--- a/arch/powerpc/platforms/cell/iommu.c
267 ++++ b/arch/powerpc/platforms/cell/iommu.c
268 +@@ -1107,6 +1107,7 @@ static int __init cell_iommu_fixed_mapping_init(void)
269 + if (hbase < dbase || (hend > (dbase + dsize))) {
270 + pr_debug("iommu: hash window doesn't fit in"
271 + "real DMA window\n");
272 ++ of_node_put(np);
273 + return -1;
274 + }
275 + }
276 +diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
277 +index bf4a125faec66..db2ea6b6889de 100644
278 +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
279 ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
280 +@@ -220,6 +220,7 @@ void hlwd_pic_probe(void)
281 + irq_set_chained_handler(cascade_virq,
282 + hlwd_pic_irq_cascade);
283 + hlwd_irq_host = host;
284 ++ of_node_put(np);
285 + break;
286 + }
287 + }
288 +diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c
289 +index e4169d68cb328..d28c4a9269c38 100644
290 +--- a/arch/powerpc/platforms/powernv/opal-lpc.c
291 ++++ b/arch/powerpc/platforms/powernv/opal-lpc.c
292 +@@ -401,6 +401,7 @@ void opal_lpc_init(void)
293 + if (!of_get_property(np, "primary", NULL))
294 + continue;
295 + opal_lpc_chip_id = of_get_ibm_chip_id(np);
296 ++ of_node_put(np);
297 + break;
298 + }
299 + if (opal_lpc_chip_id < 0)
300 +diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
301 +index cf045f56581e3..be1e2ed6405d3 100644
302 +--- a/arch/s390/mm/gup.c
303 ++++ b/arch/s390/mm/gup.c
304 +@@ -261,7 +261,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
305 +
306 + might_sleep();
307 + start &= PAGE_MASK;
308 +- nr = __get_user_pages_fast(start, nr_pages, write, pages);
309 ++ /*
310 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
311 ++ * because get_user_pages() may need to cause an early COW in
312 ++ * order to avoid confusing the normal COW routines. So only
313 ++ * targets that are already writable are safe to do by just
314 ++ * looking at the page tables.
315 ++ */
316 ++ nr = __get_user_pages_fast(start, nr_pages, 1, pages);
317 + if (nr == nr_pages)
318 + return nr;
319 +
320 +diff --git a/arch/sh/mm/gup.c b/arch/sh/mm/gup.c
321 +index 063c298ba56cc..7fec66e34af06 100644
322 +--- a/arch/sh/mm/gup.c
323 ++++ b/arch/sh/mm/gup.c
324 +@@ -239,7 +239,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
325 + next = pgd_addr_end(addr, end);
326 + if (pgd_none(pgd))
327 + goto slow;
328 +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
329 ++ /*
330 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
331 ++ * because get_user_pages() may need to cause an early COW in
332 ++ * order to avoid confusing the normal COW routines. So only
333 ++ * targets that are already writable are safe to do by just
334 ++ * looking at the page tables.
335 ++ */
336 ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
337 + goto slow;
338 + } while (pgdp++, addr = next, addr != end);
339 + local_irq_enable();
340 +diff --git a/arch/sparc/mm/gup.c b/arch/sparc/mm/gup.c
341 +index cd0e32bbcb1de..685679f879888 100644
342 +--- a/arch/sparc/mm/gup.c
343 ++++ b/arch/sparc/mm/gup.c
344 +@@ -218,7 +218,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
345 + next = pgd_addr_end(addr, end);
346 + if (pgd_none(pgd))
347 + goto slow;
348 +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
349 ++ /*
350 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
351 ++ * because get_user_pages() may need to cause an early COW in
352 ++ * order to avoid confusing the normal COW routines. So only
353 ++ * targets that are already writable are safe to do by just
354 ++ * looking at the page tables.
355 ++ */
356 ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
357 + goto slow;
358 + } while (pgdp++, addr = next, addr != end);
359 +
360 +diff --git a/arch/um/include/shared/registers.h b/arch/um/include/shared/registers.h
361 +index a74449b5b0e31..12ad7c435e97f 100644
362 +--- a/arch/um/include/shared/registers.h
363 ++++ b/arch/um/include/shared/registers.h
364 +@@ -16,8 +16,8 @@ extern int restore_fp_registers(int pid, unsigned long *fp_regs);
365 + extern int save_fpx_registers(int pid, unsigned long *fp_regs);
366 + extern int restore_fpx_registers(int pid, unsigned long *fp_regs);
367 + extern int save_registers(int pid, struct uml_pt_regs *regs);
368 +-extern int restore_registers(int pid, struct uml_pt_regs *regs);
369 +-extern int init_registers(int pid);
370 ++extern int restore_pid_registers(int pid, struct uml_pt_regs *regs);
371 ++extern int init_pid_registers(int pid);
372 + extern void get_safe_registers(unsigned long *regs, unsigned long *fp_regs);
373 + extern unsigned long get_thread_reg(int reg, jmp_buf *buf);
374 + extern int get_fp_registers(int pid, unsigned long *regs);
375 +diff --git a/arch/um/os-Linux/registers.c b/arch/um/os-Linux/registers.c
376 +index 2ff8d4fe83c4f..34a5963bd7efd 100644
377 +--- a/arch/um/os-Linux/registers.c
378 ++++ b/arch/um/os-Linux/registers.c
379 +@@ -21,7 +21,7 @@ int save_registers(int pid, struct uml_pt_regs *regs)
380 + return 0;
381 + }
382 +
383 +-int restore_registers(int pid, struct uml_pt_regs *regs)
384 ++int restore_pid_registers(int pid, struct uml_pt_regs *regs)
385 + {
386 + int err;
387 +
388 +@@ -36,7 +36,7 @@ int restore_registers(int pid, struct uml_pt_regs *regs)
389 + static unsigned long exec_regs[MAX_REG_NR];
390 + static unsigned long exec_fp_regs[FP_SIZE];
391 +
392 +-int init_registers(int pid)
393 ++int init_pid_registers(int pid)
394 + {
395 + int err;
396 +
397 +diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c
398 +index 22a358ef1b0cd..dc06933ba63d9 100644
399 +--- a/arch/um/os-Linux/start_up.c
400 ++++ b/arch/um/os-Linux/start_up.c
401 +@@ -334,7 +334,7 @@ void __init os_early_checks(void)
402 + check_tmpexec();
403 +
404 + pid = start_ptraced_child();
405 +- if (init_registers(pid))
406 ++ if (init_pid_registers(pid))
407 + fatal("Failed to initialize default registers");
408 + stop_ptraced_child(pid, 1, 1);
409 + }
410 +diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
411 +index 82f727fbbbd2c..549f89fb3abc9 100644
412 +--- a/arch/x86/mm/gup.c
413 ++++ b/arch/x86/mm/gup.c
414 +@@ -454,7 +454,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
415 + next = pgd_addr_end(addr, end);
416 + if (pgd_none(pgd))
417 + goto slow;
418 +- if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
419 ++ /*
420 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
421 ++ * because get_user_pages() may need to cause an early COW in
422 ++ * order to avoid confusing the normal COW routines. So only
423 ++ * targets that are already writable are safe to do by just
424 ++ * looking at the page tables.
425 ++ */
426 ++ if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
427 + goto slow;
428 + } while (pgdp++, addr = next, addr != end);
429 + local_irq_enable();
430 +diff --git a/arch/x86/um/syscalls_64.c b/arch/x86/um/syscalls_64.c
431 +index e6552275320bc..40ecacb2c54b3 100644
432 +--- a/arch/x86/um/syscalls_64.c
433 ++++ b/arch/x86/um/syscalls_64.c
434 +@@ -9,6 +9,7 @@
435 + #include <linux/uaccess.h>
436 + #include <asm/prctl.h> /* XXX This should get the constants from libc */
437 + #include <os.h>
438 ++#include <registers.h>
439 +
440 + long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr)
441 + {
442 +@@ -32,7 +33,7 @@ long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr)
443 + switch (code) {
444 + case ARCH_SET_FS:
445 + case ARCH_SET_GS:
446 +- ret = restore_registers(pid, &current->thread.regs.regs);
447 ++ ret = restore_pid_registers(pid, &current->thread.regs.regs);
448 + if (ret)
449 + return ret;
450 + break;
451 +diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c
452 +index 007300433cdea..1cea26a741474 100644
453 +--- a/drivers/acpi/acpica/exoparg1.c
454 ++++ b/drivers/acpi/acpica/exoparg1.c
455 +@@ -1029,7 +1029,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state)
456 + (walk_state, return_desc,
457 + &temp_desc);
458 + if (ACPI_FAILURE(status)) {
459 +- goto cleanup;
460 ++ return_ACPI_STATUS
461 ++ (status);
462 + }
463 +
464 + return_desc = temp_desc;
465 +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
466 +index 03a2282ceb9ca..81a9c47973ce8 100644
467 +--- a/drivers/acpi/acpica/utdelete.c
468 ++++ b/drivers/acpi/acpica/utdelete.c
469 +@@ -440,6 +440,7 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action)
470 + ACPI_WARNING((AE_INFO,
471 + "Obj %p, Reference Count is already zero, cannot decrement\n",
472 + object));
473 ++ return;
474 + }
475 +
476 + ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
477 +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
478 +index 4496e7a492352..7164be9710e51 100644
479 +--- a/drivers/block/floppy.c
480 ++++ b/drivers/block/floppy.c
481 +@@ -994,7 +994,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn);
482 + static void cancel_activity(void)
483 + {
484 + do_floppy = NULL;
485 +- cancel_delayed_work_sync(&fd_timer);
486 ++ cancel_delayed_work(&fd_timer);
487 + cancel_work_sync(&floppy_work);
488 + }
489 +
490 +@@ -3116,6 +3116,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr)
491 + }
492 + }
493 +
494 ++#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
495 ++
496 + static int raw_cmd_copyin(int cmd, void __user *param,
497 + struct floppy_raw_cmd **rcmd)
498 + {
499 +@@ -3153,7 +3155,7 @@ loop:
500 + ptr->resultcode = 0;
501 +
502 + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
503 +- if (ptr->length <= 0)
504 ++ if (ptr->length <= 0 || ptr->length >= MAX_LEN)
505 + return -EINVAL;
506 + ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
507 + fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
508 +diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
509 +index 3bf4ec60e0736..cee2de027e5ad 100644
510 +--- a/drivers/bluetooth/bfusb.c
511 ++++ b/drivers/bluetooth/bfusb.c
512 +@@ -644,6 +644,9 @@ static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *i
513 + data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress;
514 + data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize);
515 +
516 ++ if (!data->bulk_pkt_size)
517 ++ goto done;
518 ++
519 + rwlock_init(&data->lock);
520 +
521 + data->reassembly = NULL;
522 +diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h
523 +index 9ccb6b270b071..95164246afd1a 100644
524 +--- a/drivers/char/mwave/3780i.h
525 ++++ b/drivers/char/mwave/3780i.h
526 +@@ -68,7 +68,7 @@ typedef struct {
527 + unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */
528 + unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */
529 + unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */
530 +- unsigned char Reserved:5; /* 0: Reserved */
531 ++ unsigned short Reserved:13; /* 0: Reserved */
532 + } DSP_ISA_SLAVE_CONTROL;
533 +
534 +
535 +diff --git a/drivers/char/random.c b/drivers/char/random.c
536 +index 2184d87623272..70ee86e034fcd 100644
537 +--- a/drivers/char/random.c
538 ++++ b/drivers/char/random.c
539 +@@ -845,8 +845,8 @@ static void do_numa_crng_init(struct work_struct *work)
540 + crng_initialize(crng);
541 + pool[i] = crng;
542 + }
543 +- mb();
544 +- if (cmpxchg(&crng_node_pool, NULL, pool)) {
545 ++ /* pairs with READ_ONCE() in select_crng() */
546 ++ if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
547 + for_each_node(i)
548 + kfree(pool[i]);
549 + kfree(pool);
550 +@@ -859,8 +859,26 @@ static void numa_crng_init(void)
551 + {
552 + schedule_work(&numa_crng_init_work);
553 + }
554 ++
555 ++static struct crng_state *select_crng(void)
556 ++{
557 ++ struct crng_state **pool;
558 ++ int nid = numa_node_id();
559 ++
560 ++ /* pairs with cmpxchg_release() in do_numa_crng_init() */
561 ++ pool = READ_ONCE(crng_node_pool);
562 ++ if (pool && pool[nid])
563 ++ return pool[nid];
564 ++
565 ++ return &primary_crng;
566 ++}
567 + #else
568 + static void numa_crng_init(void) {}
569 ++
570 ++static struct crng_state *select_crng(void)
571 ++{
572 ++ return &primary_crng;
573 ++}
574 + #endif
575 +
576 + static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
577 +@@ -890,7 +908,7 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
578 + crng->state[i+4] ^= buf.key[i] ^ rv;
579 + }
580 + memzero_explicit(&buf, sizeof(buf));
581 +- crng->init_time = jiffies;
582 ++ WRITE_ONCE(crng->init_time, jiffies);
583 + if (crng == &primary_crng && crng_init < 2) {
584 + numa_crng_init();
585 + crng_init = 2;
586 +@@ -928,12 +946,15 @@ static inline void crng_wait_ready(void)
587 + static void _extract_crng(struct crng_state *crng,
588 + __u8 out[CHACHA20_BLOCK_SIZE])
589 + {
590 +- unsigned long v, flags;
591 +-
592 +- if (crng_ready() &&
593 +- (time_after(crng_global_init_time, crng->init_time) ||
594 +- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
595 +- crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
596 ++ unsigned long v, flags, init_time;
597 ++
598 ++ if (crng_ready()) {
599 ++ init_time = READ_ONCE(crng->init_time);
600 ++ if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
601 ++ time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
602 ++ crng_reseed(crng, crng == &primary_crng ?
603 ++ &input_pool : NULL);
604 ++ }
605 + spin_lock_irqsave(&crng->lock, flags);
606 + if (arch_get_random_long(&v))
607 + crng->state[14] ^= v;
608 +@@ -945,15 +966,7 @@ static void _extract_crng(struct crng_state *crng,
609 +
610 + static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
611 + {
612 +- struct crng_state *crng = NULL;
613 +-
614 +-#ifdef CONFIG_NUMA
615 +- if (crng_node_pool)
616 +- crng = crng_node_pool[numa_node_id()];
617 +- if (crng == NULL)
618 +-#endif
619 +- crng = &primary_crng;
620 +- _extract_crng(crng, out);
621 ++ _extract_crng(select_crng(), out);
622 + }
623 +
624 + /*
625 +@@ -982,15 +995,7 @@ static void _crng_backtrack_protect(struct crng_state *crng,
626 +
627 + static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
628 + {
629 +- struct crng_state *crng = NULL;
630 +-
631 +-#ifdef CONFIG_NUMA
632 +- if (crng_node_pool)
633 +- crng = crng_node_pool[numa_node_id()];
634 +- if (crng == NULL)
635 +-#endif
636 +- crng = &primary_crng;
637 +- _crng_backtrack_protect(crng, tmp, used);
638 ++ _crng_backtrack_protect(select_crng(), tmp, used);
639 + }
640 +
641 + static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
642 +@@ -1914,7 +1919,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
643 + if (crng_init < 2)
644 + return -ENODATA;
645 + crng_reseed(&primary_crng, &input_pool);
646 +- crng_global_init_time = jiffies - 1;
647 ++ WRITE_ONCE(crng_global_init_time, jiffies - 1);
648 + return 0;
649 + default:
650 + return -EINVAL;
651 +diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c
652 +index 47e114ac09d01..ff1e788f92767 100644
653 +--- a/drivers/crypto/qce/sha.c
654 ++++ b/drivers/crypto/qce/sha.c
655 +@@ -544,8 +544,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def,
656 +
657 + ret = crypto_register_ahash(alg);
658 + if (ret) {
659 +- kfree(tmpl);
660 + dev_err(qce->dev, "%s registration failed\n", base->cra_name);
661 ++ kfree(tmpl);
662 + return ret;
663 + }
664 +
665 +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
666 +index a505be9ef96da..c15ca560fe60d 100644
667 +--- a/drivers/dma/at_xdmac.c
668 ++++ b/drivers/dma/at_xdmac.c
669 +@@ -100,6 +100,7 @@
670 + #define AT_XDMAC_CNDC_NDE (0x1 << 0) /* Channel x Next Descriptor Enable */
671 + #define AT_XDMAC_CNDC_NDSUP (0x1 << 1) /* Channel x Next Descriptor Source Update */
672 + #define AT_XDMAC_CNDC_NDDUP (0x1 << 2) /* Channel x Next Descriptor Destination Update */
673 ++#define AT_XDMAC_CNDC_NDVIEW_MASK GENMASK(28, 27)
674 + #define AT_XDMAC_CNDC_NDVIEW_NDV0 (0x0 << 3) /* Channel x Next Descriptor View 0 */
675 + #define AT_XDMAC_CNDC_NDVIEW_NDV1 (0x1 << 3) /* Channel x Next Descriptor View 1 */
676 + #define AT_XDMAC_CNDC_NDVIEW_NDV2 (0x2 << 3) /* Channel x Next Descriptor View 2 */
677 +@@ -232,15 +233,15 @@ struct at_xdmac {
678 +
679 + /* Linked List Descriptor */
680 + struct at_xdmac_lld {
681 +- dma_addr_t mbr_nda; /* Next Descriptor Member */
682 +- u32 mbr_ubc; /* Microblock Control Member */
683 +- dma_addr_t mbr_sa; /* Source Address Member */
684 +- dma_addr_t mbr_da; /* Destination Address Member */
685 +- u32 mbr_cfg; /* Configuration Register */
686 +- u32 mbr_bc; /* Block Control Register */
687 +- u32 mbr_ds; /* Data Stride Register */
688 +- u32 mbr_sus; /* Source Microblock Stride Register */
689 +- u32 mbr_dus; /* Destination Microblock Stride Register */
690 ++ u32 mbr_nda; /* Next Descriptor Member */
691 ++ u32 mbr_ubc; /* Microblock Control Member */
692 ++ u32 mbr_sa; /* Source Address Member */
693 ++ u32 mbr_da; /* Destination Address Member */
694 ++ u32 mbr_cfg; /* Configuration Register */
695 ++ u32 mbr_bc; /* Block Control Register */
696 ++ u32 mbr_ds; /* Data Stride Register */
697 ++ u32 mbr_sus; /* Source Microblock Stride Register */
698 ++ u32 mbr_dus; /* Destination Microblock Stride Register */
699 + };
700 +
701 + /* 64-bit alignment needed to update CNDA and CUBC registers in an atomic way. */
702 +@@ -345,9 +346,6 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan,
703 +
704 + dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, first);
705 +
706 +- if (at_xdmac_chan_is_enabled(atchan))
707 +- return;
708 +-
709 + /* Set transfer as active to not try to start it again. */
710 + first->active_xfer = true;
711 +
712 +@@ -363,7 +361,8 @@ static void at_xdmac_start_xfer(struct at_xdmac_chan *atchan,
713 + */
714 + if (at_xdmac_chan_is_cyclic(atchan))
715 + reg = AT_XDMAC_CNDC_NDVIEW_NDV1;
716 +- else if (first->lld.mbr_ubc & AT_XDMAC_MBR_UBC_NDV3)
717 ++ else if ((first->lld.mbr_ubc &
718 ++ AT_XDMAC_CNDC_NDVIEW_MASK) == AT_XDMAC_MBR_UBC_NDV3)
719 + reg = AT_XDMAC_CNDC_NDVIEW_NDV3;
720 + else
721 + reg = AT_XDMAC_CNDC_NDVIEW_NDV2;
722 +@@ -428,13 +427,12 @@ static dma_cookie_t at_xdmac_tx_submit(struct dma_async_tx_descriptor *tx)
723 + spin_lock_irqsave(&atchan->lock, irqflags);
724 + cookie = dma_cookie_assign(tx);
725 +
726 ++ list_add_tail(&desc->xfer_node, &atchan->xfers_list);
727 ++ spin_unlock_irqrestore(&atchan->lock, irqflags);
728 ++
729 + dev_vdbg(chan2dev(tx->chan), "%s: atchan 0x%p, add desc 0x%p to xfers_list\n",
730 + __func__, atchan, desc);
731 +- list_add_tail(&desc->xfer_node, &atchan->xfers_list);
732 +- if (list_is_singular(&atchan->xfers_list))
733 +- at_xdmac_start_xfer(atchan, desc);
734 +
735 +- spin_unlock_irqrestore(&atchan->lock, irqflags);
736 + return cookie;
737 + }
738 +
739 +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c
740 +index eb3a1f42ab065..e8b2d3e31de80 100644
741 +--- a/drivers/dma/mmp_pdma.c
742 ++++ b/drivers/dma/mmp_pdma.c
743 +@@ -722,12 +722,6 @@ static int mmp_pdma_config(struct dma_chan *dchan,
744 +
745 + chan->dir = cfg->direction;
746 + chan->dev_addr = addr;
747 +- /* FIXME: drivers should be ported over to use the filter
748 +- * function. Once that's done, the following two lines can
749 +- * be removed.
750 +- */
751 +- if (cfg->slave_id)
752 +- chan->drcmr = cfg->slave_id;
753 +
754 + return 0;
755 + }
756 +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c
757 +index 3f56f9ca44824..5bd1ade187d3f 100644
758 +--- a/drivers/dma/pxa_dma.c
759 ++++ b/drivers/dma/pxa_dma.c
760 +@@ -975,13 +975,6 @@ static void pxad_get_config(struct pxad_chan *chan,
761 + *dcmd |= PXA_DCMD_BURST16;
762 + else if (maxburst == 32)
763 + *dcmd |= PXA_DCMD_BURST32;
764 +-
765 +- /* FIXME: drivers should be ported over to use the filter
766 +- * function. Once that's done, the following two lines can
767 +- * be removed.
768 +- */
769 +- if (chan->cfg.slave_id)
770 +- chan->drcmr = chan->cfg.slave_id;
771 + }
772 +
773 + static struct dma_async_tx_descriptor *
774 +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
775 +index 986248f7011aa..c479280590e42 100644
776 +--- a/drivers/gpio/gpiolib-acpi.c
777 ++++ b/drivers/gpio/gpiolib-acpi.c
778 +@@ -675,10 +675,17 @@ int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index)
779 + irq_flags = acpi_dev_get_irq_type(info.triggering,
780 + info.polarity);
781 +
782 +- /* Set type if specified and different than the current one */
783 +- if (irq_flags != IRQ_TYPE_NONE &&
784 +- irq_flags != irq_get_trigger_type(irq))
785 +- irq_set_irq_type(irq, irq_flags);
786 ++ /*
787 ++ * If the IRQ is not already in use then set type
788 ++ * if specified and different than the current one.
789 ++ */
790 ++ if (can_request_irq(irq, irq_flags)) {
791 ++ if (irq_flags != IRQ_TYPE_NONE &&
792 ++ irq_flags != irq_get_trigger_type(irq))
793 ++ irq_set_irq_type(irq, irq_flags);
794 ++ } else {
795 ++ dev_dbg(&adev->dev, "IRQ %d already in use\n", irq);
796 ++ }
797 +
798 + return irq;
799 + }
800 +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
801 +index eb79d0d3d34f1..7264169d5f2a7 100644
802 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
803 ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
804 +@@ -404,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
805 + native_mode->vdisplay != 0 &&
806 + native_mode->clock != 0) {
807 + mode = drm_mode_duplicate(dev, native_mode);
808 ++ if (!mode)
809 ++ return NULL;
810 ++
811 + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
812 + drm_mode_set_name(mode);
813 +
814 +@@ -418,6 +421,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
815 + * simpler.
816 + */
817 + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
818 ++ if (!mode)
819 ++ return NULL;
820 ++
821 + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
822 + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
823 + }
824 +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
825 +index 07d2a8e7f78c3..202c00b17df2d 100644
826 +--- a/drivers/gpu/drm/i915/intel_pm.c
827 ++++ b/drivers/gpu/drm/i915/intel_pm.c
828 +@@ -2274,9 +2274,9 @@ static void snb_wm_latency_quirk(struct drm_device *dev)
829 + * The BIOS provided WM memory latency values are often
830 + * inadequate for high resolution displays. Adjust them.
831 + */
832 +- changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12) |
833 +- ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12) |
834 +- ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12);
835 ++ changed = ilk_increase_wm_latency(dev_priv, dev_priv->wm.pri_latency, 12);
836 ++ changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.spr_latency, 12);
837 ++ changed |= ilk_increase_wm_latency(dev_priv, dev_priv->wm.cur_latency, 12);
838 +
839 + if (!changed)
840 + return;
841 +diff --git a/drivers/gpu/drm/nouveau/nouveau_sgdma.c b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
842 +index db35ab5883acd..d3bfd7912a994 100644
843 +--- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c
844 ++++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
845 +@@ -105,12 +105,9 @@ nouveau_sgdma_create_ttm(struct ttm_bo_device *bdev,
846 + else
847 + nvbe->ttm.ttm.func = &nv50_sgdma_backend;
848 +
849 +- if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page))
850 +- /*
851 +- * A failing ttm_dma_tt_init() will call ttm_tt_destroy()
852 +- * and thus our nouveau_sgdma_destroy() hook, so we don't need
853 +- * to free nvbe here.
854 +- */
855 ++ if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page)) {
856 ++ kfree(nvbe);
857 + return NULL;
858 ++ }
859 + return &nvbe->ttm.ttm;
860 + }
861 +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
862 +index 61000e3b2e793..b55403c99d804 100644
863 +--- a/drivers/gpu/drm/radeon/radeon_kms.c
864 ++++ b/drivers/gpu/drm/radeon/radeon_kms.c
865 +@@ -630,6 +630,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
866 + int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
867 + {
868 + struct radeon_device *rdev = dev->dev_private;
869 ++ struct radeon_fpriv *fpriv;
870 ++ struct radeon_vm *vm;
871 + int r;
872 +
873 + file_priv->driver_priv = NULL;
874 +@@ -642,48 +644,52 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
875 +
876 + /* new gpu have virtual address space support */
877 + if (rdev->family >= CHIP_CAYMAN) {
878 +- struct radeon_fpriv *fpriv;
879 +- struct radeon_vm *vm;
880 +
881 + fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
882 + if (unlikely(!fpriv)) {
883 + r = -ENOMEM;
884 +- goto out_suspend;
885 ++ goto err_suspend;
886 + }
887 +
888 + if (rdev->accel_working) {
889 + vm = &fpriv->vm;
890 + r = radeon_vm_init(rdev, vm);
891 +- if (r) {
892 +- kfree(fpriv);
893 +- goto out_suspend;
894 +- }
895 ++ if (r)
896 ++ goto err_fpriv;
897 +
898 + r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
899 +- if (r) {
900 +- radeon_vm_fini(rdev, vm);
901 +- kfree(fpriv);
902 +- goto out_suspend;
903 +- }
904 ++ if (r)
905 ++ goto err_vm_fini;
906 +
907 + /* map the ib pool buffer read only into
908 + * virtual address space */
909 + vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
910 + rdev->ring_tmp_bo.bo);
911 ++ if (!vm->ib_bo_va) {
912 ++ r = -ENOMEM;
913 ++ goto err_vm_fini;
914 ++ }
915 ++
916 + r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
917 + RADEON_VA_IB_OFFSET,
918 + RADEON_VM_PAGE_READABLE |
919 + RADEON_VM_PAGE_SNOOPED);
920 +- if (r) {
921 +- radeon_vm_fini(rdev, vm);
922 +- kfree(fpriv);
923 +- goto out_suspend;
924 +- }
925 ++ if (r)
926 ++ goto err_vm_fini;
927 + }
928 + file_priv->driver_priv = fpriv;
929 + }
930 +
931 +-out_suspend:
932 ++ pm_runtime_mark_last_busy(dev->dev);
933 ++ pm_runtime_put_autosuspend(dev->dev);
934 ++ return 0;
935 ++
936 ++err_vm_fini:
937 ++ radeon_vm_fini(rdev, vm);
938 ++err_fpriv:
939 ++ kfree(fpriv);
940 ++
941 ++err_suspend:
942 + pm_runtime_mark_last_busy(dev->dev);
943 + pm_runtime_put_autosuspend(dev->dev);
944 + return r;
945 +diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c
946 +index aee3c00f836e7..e4e24be523533 100644
947 +--- a/drivers/gpu/drm/ttm/ttm_tt.c
948 ++++ b/drivers/gpu/drm/ttm/ttm_tt.c
949 +@@ -195,7 +195,6 @@ int ttm_tt_init(struct ttm_tt *ttm, struct ttm_bo_device *bdev,
950 +
951 + ttm_tt_alloc_page_directory(ttm);
952 + if (!ttm->pages) {
953 +- ttm_tt_destroy(ttm);
954 + pr_err("Failed allocating page table\n");
955 + return -ENOMEM;
956 + }
957 +@@ -228,7 +227,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *ttm_dma, struct ttm_bo_device *bdev,
958 + INIT_LIST_HEAD(&ttm_dma->pages_list);
959 + ttm_dma_tt_alloc_page_directory(ttm_dma);
960 + if (!ttm->pages) {
961 +- ttm_tt_destroy(ttm);
962 + pr_err("Failed allocating page table\n");
963 + return -ENOMEM;
964 + }
965 +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
966 +index 149902619cbc8..0074091c27aa2 100644
967 +--- a/drivers/hid/hid-apple.c
968 ++++ b/drivers/hid/hid-apple.c
969 +@@ -390,7 +390,7 @@ static int apple_input_configured(struct hid_device *hdev,
970 +
971 + if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found) {
972 + hid_info(hdev, "Fn key not found (Apple Wireless Keyboard clone?), disabling Fn key handling\n");
973 +- asc->quirks = 0;
974 ++ asc->quirks &= ~APPLE_HAS_FN;
975 + }
976 +
977 + return 0;
978 +diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
979 +index e60e41e775020..f7705a057f0f4 100644
980 +--- a/drivers/hid/uhid.c
981 ++++ b/drivers/hid/uhid.c
982 +@@ -33,11 +33,22 @@
983 +
984 + struct uhid_device {
985 + struct mutex devlock;
986 ++
987 ++ /* This flag tracks whether the HID device is usable for commands from
988 ++ * userspace. The flag is already set before hid_add_device(), which
989 ++ * runs in workqueue context, to allow hid_add_device() to communicate
990 ++ * with userspace.
991 ++ * However, if hid_add_device() fails, the flag is cleared without
992 ++ * holding devlock.
993 ++ * We guarantee that if @running changes from true to false while you're
994 ++ * holding @devlock, it's still fine to access @hid.
995 ++ */
996 + bool running;
997 +
998 + __u8 *rd_data;
999 + uint rd_size;
1000 +
1001 ++ /* When this is NULL, userspace may use UHID_CREATE/UHID_CREATE2. */
1002 + struct hid_device *hid;
1003 + struct uhid_event input_buf;
1004 +
1005 +@@ -68,9 +79,18 @@ static void uhid_device_add_worker(struct work_struct *work)
1006 + if (ret) {
1007 + hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
1008 +
1009 +- hid_destroy_device(uhid->hid);
1010 +- uhid->hid = NULL;
1011 ++ /* We used to call hid_destroy_device() here, but that's really
1012 ++ * messy to get right because we have to coordinate with
1013 ++ * concurrent writes from userspace that might be in the middle
1014 ++ * of using uhid->hid.
1015 ++ * Just leave uhid->hid as-is for now, and clean it up when
1016 ++ * userspace tries to close or reinitialize the uhid instance.
1017 ++ *
1018 ++ * However, we do have to clear the ->running flag and do a
1019 ++ * wakeup to make sure userspace knows that the device is gone.
1020 ++ */
1021 + uhid->running = false;
1022 ++ wake_up_interruptible(&uhid->report_wait);
1023 + }
1024 + }
1025 +
1026 +@@ -479,7 +499,7 @@ static int uhid_dev_create2(struct uhid_device *uhid,
1027 + void *rd_data;
1028 + int ret;
1029 +
1030 +- if (uhid->running)
1031 ++ if (uhid->hid)
1032 + return -EALREADY;
1033 +
1034 + rd_size = ev->u.create2.rd_size;
1035 +@@ -560,7 +580,7 @@ static int uhid_dev_create(struct uhid_device *uhid,
1036 +
1037 + static int uhid_dev_destroy(struct uhid_device *uhid)
1038 + {
1039 +- if (!uhid->running)
1040 ++ if (!uhid->hid)
1041 + return -EINVAL;
1042 +
1043 + uhid->running = false;
1044 +@@ -569,6 +589,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
1045 + cancel_work_sync(&uhid->worker);
1046 +
1047 + hid_destroy_device(uhid->hid);
1048 ++ uhid->hid = NULL;
1049 + kfree(uhid->rd_data);
1050 +
1051 + return 0;
1052 +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
1053 +index fbf14a14bdd43..bfce62dbe0ace 100644
1054 +--- a/drivers/hid/wacom_wac.c
1055 ++++ b/drivers/hid/wacom_wac.c
1056 +@@ -1693,6 +1693,10 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev,
1057 + struct hid_data* hid_data = &wacom_wac->hid_data;
1058 + int i;
1059 +
1060 ++ hid_data->cc_report = 0;
1061 ++ hid_data->cc_index = -1;
1062 ++ hid_data->cc_value_index = -1;
1063 ++
1064 + for (i = 0; i < report->maxfield; i++) {
1065 + struct hid_field *field = report->field[i];
1066 + int j;
1067 +diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c
1068 +index e9d63b966caff..4a9fd745b8cb4 100644
1069 +--- a/drivers/hsi/hsi_core.c
1070 ++++ b/drivers/hsi/hsi_core.c
1071 +@@ -115,6 +115,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port,
1072 + if (device_register(&cl->device) < 0) {
1073 + pr_err("hsi: failed to register client: %s\n", info->name);
1074 + put_device(&cl->device);
1075 ++ goto err;
1076 + }
1077 +
1078 + return cl;
1079 +diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c
1080 +index 96f8230cd2d33..5c32a7ef476da 100644
1081 +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c
1082 ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c
1083 +@@ -49,10 +49,10 @@ enum dw_pci_ctl_id_t {
1084 + };
1085 +
1086 + struct dw_scl_sda_cfg {
1087 +- u32 ss_hcnt;
1088 +- u32 fs_hcnt;
1089 +- u32 ss_lcnt;
1090 +- u32 fs_lcnt;
1091 ++ u16 ss_hcnt;
1092 ++ u16 fs_hcnt;
1093 ++ u16 ss_lcnt;
1094 ++ u16 fs_lcnt;
1095 + u32 sda_hold;
1096 + };
1097 +
1098 +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
1099 +index 0e04b27e3158d..b577c64f3b3ec 100644
1100 +--- a/drivers/i2c/busses/i2c-i801.c
1101 ++++ b/drivers/i2c/busses/i2c-i801.c
1102 +@@ -762,6 +762,11 @@ static int i801_block_transaction(struct i801_priv *priv,
1103 + int result = 0;
1104 + unsigned char hostc;
1105 +
1106 ++ if (read_write == I2C_SMBUS_READ && command == I2C_SMBUS_BLOCK_DATA)
1107 ++ data->block[0] = I2C_SMBUS_BLOCK_MAX;
1108 ++ else if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
1109 ++ return -EPROTO;
1110 ++
1111 + if (command == I2C_SMBUS_I2C_BLOCK_DATA) {
1112 + if (read_write == I2C_SMBUS_WRITE) {
1113 + /* set I2C_EN bit in configuration register */
1114 +@@ -775,16 +780,6 @@ static int i801_block_transaction(struct i801_priv *priv,
1115 + }
1116 + }
1117 +
1118 +- if (read_write == I2C_SMBUS_WRITE
1119 +- || command == I2C_SMBUS_I2C_BLOCK_DATA) {
1120 +- if (data->block[0] < 1)
1121 +- data->block[0] = 1;
1122 +- if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
1123 +- data->block[0] = I2C_SMBUS_BLOCK_MAX;
1124 +- } else {
1125 +- data->block[0] = 32; /* max for SMBus block reads */
1126 +- }
1127 +-
1128 + /* Experience has shown that the block buffer can only be used for
1129 + SMBus (not I2C) block transactions, even though the datasheet
1130 + doesn't mention this limitation. */
1131 +diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c
1132 +index 90e4f839eb1cb..d153fc28e6bfb 100644
1133 +--- a/drivers/i2c/busses/i2c-mpc.c
1134 ++++ b/drivers/i2c/busses/i2c-mpc.c
1135 +@@ -107,23 +107,30 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id)
1136 + /* Sometimes 9th clock pulse isn't generated, and slave doesn't release
1137 + * the bus, because it wants to send ACK.
1138 + * Following sequence of enabling/disabling and sending start/stop generates
1139 +- * the 9 pulses, so it's all OK.
1140 ++ * the 9 pulses, each with a START then ending with STOP, so it's all OK.
1141 + */
1142 + static void mpc_i2c_fixup(struct mpc_i2c *i2c)
1143 + {
1144 + int k;
1145 +- u32 delay_val = 1000000 / i2c->real_clk + 1;
1146 +-
1147 +- if (delay_val < 2)
1148 +- delay_val = 2;
1149 ++ unsigned long flags;
1150 +
1151 + for (k = 9; k; k--) {
1152 + writeccr(i2c, 0);
1153 +- writeccr(i2c, CCR_MSTA | CCR_MTX | CCR_MEN);
1154 ++ writeb(0, i2c->base + MPC_I2C_SR); /* clear any status bits */
1155 ++ writeccr(i2c, CCR_MEN | CCR_MSTA); /* START */
1156 ++ readb(i2c->base + MPC_I2C_DR); /* init xfer */
1157 ++ udelay(15); /* let it hit the bus */
1158 ++ local_irq_save(flags); /* should not be delayed further */
1159 ++ writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSTA); /* delay SDA */
1160 + readb(i2c->base + MPC_I2C_DR);
1161 +- writeccr(i2c, CCR_MEN);
1162 +- udelay(delay_val << 1);
1163 ++ if (k != 1)
1164 ++ udelay(5);
1165 ++ local_irq_restore(flags);
1166 + }
1167 ++ writeccr(i2c, CCR_MEN); /* Initiate STOP */
1168 ++ readb(i2c->base + MPC_I2C_DR);
1169 ++ udelay(15); /* Let STOP propagate */
1170 ++ writeccr(i2c, 0);
1171 + }
1172 +
1173 + static int i2c_wait(struct mpc_i2c *i2c, unsigned timeout, int writing)
1174 +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
1175 +index 4b947d5cafe28..c5c175b72f21e 100644
1176 +--- a/drivers/infiniband/core/device.c
1177 ++++ b/drivers/infiniband/core/device.c
1178 +@@ -870,7 +870,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid,
1179 + for (i = 0; i < device->port_immutable[port].gid_tbl_len; ++i) {
1180 + ret = ib_query_gid(device, port, i, &tmp_gid, NULL);
1181 + if (ret)
1182 +- return ret;
1183 ++ continue;
1184 ++
1185 + if (!memcmp(&tmp_gid, gid, sizeof *gid)) {
1186 + *port_num = port;
1187 + if (index)
1188 +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
1189 +index 87bc7b0db892b..2eeac8401c927 100644
1190 +--- a/drivers/infiniband/hw/cxgb4/qp.c
1191 ++++ b/drivers/infiniband/hw/cxgb4/qp.c
1192 +@@ -1974,6 +1974,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
1193 + memset(attr, 0, sizeof *attr);
1194 + memset(init_attr, 0, sizeof *init_attr);
1195 + attr->qp_state = to_ib_qp_state(qhp->attr.state);
1196 ++ attr->cur_qp_state = to_ib_qp_state(qhp->attr.state);
1197 + init_attr->cap.max_send_wr = qhp->attr.sq_num_entries;
1198 + init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries;
1199 + init_attr->cap.max_send_sge = qhp->attr.sq_max_sges;
1200 +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
1201 +index 764e35a54457e..0aa2400db8fa0 100644
1202 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c
1203 ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
1204 +@@ -475,6 +475,9 @@ static int hns_roce_query_gid(struct ib_device *ib_dev, u8 port_num, int index,
1205 + static int hns_roce_query_pkey(struct ib_device *ib_dev, u8 port, u16 index,
1206 + u16 *pkey)
1207 + {
1208 ++ if (index > 0)
1209 ++ return -EINVAL;
1210 ++
1211 + *pkey = PKEY_ID;
1212 +
1213 + return 0;
1214 +@@ -553,7 +556,7 @@ static int hns_roce_mmap(struct ib_ucontext *context,
1215 + return -EINVAL;
1216 +
1217 + if (vma->vm_pgoff == 0) {
1218 +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
1219 ++ vma->vm_page_prot = pgprot_device(vma->vm_page_prot);
1220 + if (io_remap_pfn_range(vma, vma->vm_start,
1221 + to_hr_ucontext(context)->uar.pfn,
1222 + PAGE_SIZE, vma->vm_page_prot))
1223 +diff --git a/drivers/infiniband/sw/rxe/rxe_opcode.c b/drivers/infiniband/sw/rxe/rxe_opcode.c
1224 +index 61927c165b598..e67ed9141cd8a 100644
1225 +--- a/drivers/infiniband/sw/rxe/rxe_opcode.c
1226 ++++ b/drivers/infiniband/sw/rxe/rxe_opcode.c
1227 +@@ -137,7 +137,7 @@ struct rxe_opcode_info rxe_opcode[RXE_NUM_OPCODE] = {
1228 + }
1229 + },
1230 + [IB_OPCODE_RC_SEND_MIDDLE] = {
1231 +- .name = "IB_OPCODE_RC_SEND_MIDDLE]",
1232 ++ .name = "IB_OPCODE_RC_SEND_MIDDLE",
1233 + .mask = RXE_PAYLOAD_MASK | RXE_REQ_MASK | RXE_SEND_MASK
1234 + | RXE_MIDDLE_MASK,
1235 + .length = RXE_BTH_BYTES,
1236 +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
1237 +index 386215245dfe2..85273da5da206 100644
1238 +--- a/drivers/md/persistent-data/dm-btree.c
1239 ++++ b/drivers/md/persistent-data/dm-btree.c
1240 +@@ -83,14 +83,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n,
1241 + }
1242 +
1243 + static int insert_at(size_t value_size, struct btree_node *node, unsigned index,
1244 +- uint64_t key, void *value)
1245 +- __dm_written_to_disk(value)
1246 ++ uint64_t key, void *value)
1247 ++ __dm_written_to_disk(value)
1248 + {
1249 + uint32_t nr_entries = le32_to_cpu(node->header.nr_entries);
1250 ++ uint32_t max_entries = le32_to_cpu(node->header.max_entries);
1251 + __le64 key_le = cpu_to_le64(key);
1252 +
1253 + if (index > nr_entries ||
1254 +- index >= le32_to_cpu(node->header.max_entries)) {
1255 ++ index >= max_entries ||
1256 ++ nr_entries >= max_entries) {
1257 + DMERR("too many entries in btree node for insert");
1258 + __dm_unbless_for_disk(value);
1259 + return -ENOMEM;
1260 +diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c
1261 +index ca09ad2a639c4..6fa4a68e78b0d 100644
1262 +--- a/drivers/md/persistent-data/dm-space-map-common.c
1263 ++++ b/drivers/md/persistent-data/dm-space-map-common.c
1264 +@@ -279,6 +279,11 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result)
1265 + struct disk_index_entry ie_disk;
1266 + struct dm_block *blk;
1267 +
1268 ++ if (b >= ll->nr_blocks) {
1269 ++ DMERR_LIMIT("metadata block out of bounds");
1270 ++ return -EINVAL;
1271 ++ }
1272 ++
1273 + b = do_div(index, ll->entries_per_block);
1274 + r = ll->load_ie(ll, index, &ie_disk);
1275 + if (r < 0)
1276 +diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
1277 +index 930d2c94d5d30..2c9365a39270a 100644
1278 +--- a/drivers/media/common/saa7146/saa7146_fops.c
1279 ++++ b/drivers/media/common/saa7146/saa7146_fops.c
1280 +@@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
1281 + ERR("out of memory. aborting.\n");
1282 + kfree(vv);
1283 + v4l2_ctrl_handler_free(hdl);
1284 +- return -1;
1285 ++ return -ENOMEM;
1286 + }
1287 +
1288 + saa7146_video_uops.init(dev,vv);
1289 +diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
1290 +index 0418b5a0fb645..32a2e6ffdb097 100644
1291 +--- a/drivers/media/dvb-core/dmxdev.c
1292 ++++ b/drivers/media/dvb-core/dmxdev.c
1293 +@@ -1225,7 +1225,7 @@ static const struct dvb_device dvbdev_dvr = {
1294 + };
1295 + int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
1296 + {
1297 +- int i;
1298 ++ int i, ret;
1299 +
1300 + if (dmxdev->demux->open(dmxdev->demux) < 0)
1301 + return -EUSERS;
1302 +@@ -1243,14 +1243,26 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
1303 + DMXDEV_STATE_FREE);
1304 + }
1305 +
1306 +- dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev,
1307 ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev,
1308 + DVB_DEVICE_DEMUX, dmxdev->filternum);
1309 +- dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr,
1310 ++ if (ret < 0)
1311 ++ goto err_register_dvbdev;
1312 ++
1313 ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr,
1314 + dmxdev, DVB_DEVICE_DVR, dmxdev->filternum);
1315 ++ if (ret < 0)
1316 ++ goto err_register_dvr_dvbdev;
1317 +
1318 + dvb_ringbuffer_init(&dmxdev->dvr_buffer, NULL, 8192);
1319 +
1320 + return 0;
1321 ++
1322 ++err_register_dvr_dvbdev:
1323 ++ dvb_unregister_device(dmxdev->dvbdev);
1324 ++err_register_dvbdev:
1325 ++ vfree(dmxdev->filter);
1326 ++ dmxdev->filter = NULL;
1327 ++ return ret;
1328 + }
1329 +
1330 + EXPORT_SYMBOL(dvb_dmxdev_init);
1331 +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
1332 +index ddf9c44877a25..ea2eab2d5be91 100644
1333 +--- a/drivers/media/dvb-frontends/dib8000.c
1334 ++++ b/drivers/media/dvb-frontends/dib8000.c
1335 +@@ -4462,8 +4462,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad
1336 +
1337 + state->timf_default = cfg->pll->timf;
1338 +
1339 +- if (dib8000_identify(&state->i2c) == 0)
1340 ++ if (dib8000_identify(&state->i2c) == 0) {
1341 ++ kfree(fe);
1342 + goto error;
1343 ++ }
1344 +
1345 + dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr);
1346 +
1347 +diff --git a/drivers/media/pci/b2c2/flexcop-pci.c b/drivers/media/pci/b2c2/flexcop-pci.c
1348 +index 4cac1fc233f28..98e94cd8bfad7 100644
1349 +--- a/drivers/media/pci/b2c2/flexcop-pci.c
1350 ++++ b/drivers/media/pci/b2c2/flexcop-pci.c
1351 +@@ -184,6 +184,8 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id)
1352 + dma_addr_t cur_addr =
1353 + fc->read_ibi_reg(fc,dma1_008).dma_0x8.dma_cur_addr << 2;
1354 + u32 cur_pos = cur_addr - fc_pci->dma[0].dma_addr0;
1355 ++ if (cur_pos > fc_pci->dma[0].size * 2)
1356 ++ goto error;
1357 +
1358 + deb_irq("%u irq: %08x cur_addr: %llx: cur_pos: %08x, "
1359 + "last_cur_pos: %08x ",
1360 +@@ -225,6 +227,7 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id)
1361 + ret = IRQ_NONE;
1362 + }
1363 +
1364 ++error:
1365 + spin_unlock_irqrestore(&fc_pci->irq_lock, flags);
1366 + return ret;
1367 + }
1368 +diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
1369 +index be85a2c4318e7..be91a2de81dcc 100644
1370 +--- a/drivers/media/pci/saa7146/hexium_gemini.c
1371 ++++ b/drivers/media/pci/saa7146/hexium_gemini.c
1372 +@@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
1373 + hexium_set_input(hexium, 0);
1374 + hexium->cur_input = 0;
1375 +
1376 +- saa7146_vv_init(dev, &vv_data);
1377 ++ ret = saa7146_vv_init(dev, &vv_data);
1378 ++ if (ret) {
1379 ++ i2c_del_adapter(&hexium->i2c_adapter);
1380 ++ kfree(hexium);
1381 ++ return ret;
1382 ++ }
1383 +
1384 + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
1385 + vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
1386 +diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
1387 +index dc07ca37ebd06..e8e96c7a57844 100644
1388 +--- a/drivers/media/pci/saa7146/hexium_orion.c
1389 ++++ b/drivers/media/pci/saa7146/hexium_orion.c
1390 +@@ -366,10 +366,16 @@ static struct saa7146_ext_vv vv_data;
1391 + static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
1392 + {
1393 + struct hexium *hexium = (struct hexium *) dev->ext_priv;
1394 ++ int ret;
1395 +
1396 + DEB_EE("\n");
1397 +
1398 +- saa7146_vv_init(dev, &vv_data);
1399 ++ ret = saa7146_vv_init(dev, &vv_data);
1400 ++ if (ret) {
1401 ++ pr_err("Error in saa7146_vv_init()\n");
1402 ++ return ret;
1403 ++ }
1404 ++
1405 + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
1406 + vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
1407 + vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
1408 +diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c
1409 +index 3e8753c9e1e47..849c2a1d09f99 100644
1410 +--- a/drivers/media/pci/saa7146/mxb.c
1411 ++++ b/drivers/media/pci/saa7146/mxb.c
1412 +@@ -694,10 +694,16 @@ static struct saa7146_ext_vv vv_data;
1413 + static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
1414 + {
1415 + struct mxb *mxb;
1416 ++ int ret;
1417 +
1418 + DEB_EE("dev:%p\n", dev);
1419 +
1420 +- saa7146_vv_init(dev, &vv_data);
1421 ++ ret = saa7146_vv_init(dev, &vv_data);
1422 ++ if (ret) {
1423 ++ ERR("Error in saa7146_vv_init()");
1424 ++ return ret;
1425 ++ }
1426 ++
1427 + if (mxb_probe(dev)) {
1428 + saa7146_vv_release(dev);
1429 + return -1;
1430 +diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
1431 +index 5cf983be07a20..0f4c4c39bf6da 100644
1432 +--- a/drivers/media/rc/igorplugusb.c
1433 ++++ b/drivers/media/rc/igorplugusb.c
1434 +@@ -73,9 +73,11 @@ static void igorplugusb_irdata(struct igorplugusb *ir, unsigned len)
1435 + if (start >= len) {
1436 + dev_err(ir->dev, "receive overflow invalid: %u", overflow);
1437 + } else {
1438 +- if (overflow > 0)
1439 ++ if (overflow > 0) {
1440 + dev_warn(ir->dev, "receive overflow, at least %u lost",
1441 + overflow);
1442 ++ ir_raw_event_reset(ir->rc);
1443 ++ }
1444 +
1445 + do {
1446 + rawir.duration = ir->buf_in[i] * 85333;
1447 +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
1448 +index b78d70685b1c3..49122f442b872 100644
1449 +--- a/drivers/media/rc/mceusb.c
1450 ++++ b/drivers/media/rc/mceusb.c
1451 +@@ -1129,7 +1129,7 @@ static void mceusb_gen1_init(struct mceusb_dev *ir)
1452 + */
1453 + ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0),
1454 + USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0,
1455 +- data, USB_CTRL_MSG_SZ, HZ * 3);
1456 ++ data, USB_CTRL_MSG_SZ, 3000);
1457 + dev_dbg(dev, "set address - ret = %d", ret);
1458 + dev_dbg(dev, "set address - data[0] = %d, data[1] = %d",
1459 + data[0], data[1]);
1460 +@@ -1137,20 +1137,20 @@ static void mceusb_gen1_init(struct mceusb_dev *ir)
1461 + /* set feature: bit rate 38400 bps */
1462 + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
1463 + USB_REQ_SET_FEATURE, USB_TYPE_VENDOR,
1464 +- 0xc04e, 0x0000, NULL, 0, HZ * 3);
1465 ++ 0xc04e, 0x0000, NULL, 0, 3000);
1466 +
1467 + dev_dbg(dev, "set feature - ret = %d", ret);
1468 +
1469 + /* bRequest 4: set char length to 8 bits */
1470 + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
1471 + 4, USB_TYPE_VENDOR,
1472 +- 0x0808, 0x0000, NULL, 0, HZ * 3);
1473 ++ 0x0808, 0x0000, NULL, 0, 3000);
1474 + dev_dbg(dev, "set char length - retB = %d", ret);
1475 +
1476 + /* bRequest 2: set handshaking to use DTR/DSR */
1477 + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
1478 + 2, USB_TYPE_VENDOR,
1479 +- 0x0000, 0x0100, NULL, 0, HZ * 3);
1480 ++ 0x0000, 0x0100, NULL, 0, 3000);
1481 + dev_dbg(dev, "set handshake - retC = %d", ret);
1482 +
1483 + /* device resume */
1484 +diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c
1485 +index 05ba47bc0b613..5f3c1c204f643 100644
1486 +--- a/drivers/media/rc/redrat3.c
1487 ++++ b/drivers/media/rc/redrat3.c
1488 +@@ -427,7 +427,7 @@ static int redrat3_send_cmd(int cmd, struct redrat3_dev *rr3)
1489 + udev = rr3->udev;
1490 + res = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), cmd,
1491 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
1492 +- 0x0000, 0x0000, data, sizeof(u8), HZ * 10);
1493 ++ 0x0000, 0x0000, data, sizeof(u8), 10000);
1494 +
1495 + if (res < 0) {
1496 + dev_err(rr3->dev, "%s: Error sending rr3 cmd res %d, data %d",
1497 +@@ -493,7 +493,7 @@ static u32 redrat3_get_timeout(struct redrat3_dev *rr3)
1498 + pipe = usb_rcvctrlpipe(rr3->udev, 0);
1499 + ret = usb_control_msg(rr3->udev, pipe, RR3_GET_IR_PARAM,
1500 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
1501 +- RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, HZ * 5);
1502 ++ RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, 5000);
1503 + if (ret != len)
1504 + dev_warn(rr3->dev, "Failed to read timeout from hardware\n");
1505 + else {
1506 +@@ -523,7 +523,7 @@ static int redrat3_set_timeout(struct rc_dev *rc_dev, unsigned int timeoutns)
1507 + ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RR3_SET_IR_PARAM,
1508 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
1509 + RR3_IR_IO_SIG_TIMEOUT, 0, timeout, sizeof(*timeout),
1510 +- HZ * 25);
1511 ++ 25000);
1512 + dev_dbg(dev, "set ir parm timeout %d ret 0x%02x\n",
1513 + be32_to_cpu(*timeout), ret);
1514 +
1515 +@@ -557,32 +557,32 @@ static void redrat3_reset(struct redrat3_dev *rr3)
1516 + *val = 0x01;
1517 + rc = usb_control_msg(udev, rxpipe, RR3_RESET,
1518 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
1519 +- RR3_CPUCS_REG_ADDR, 0, val, len, HZ * 25);
1520 ++ RR3_CPUCS_REG_ADDR, 0, val, len, 25000);
1521 + dev_dbg(dev, "reset returned 0x%02x\n", rc);
1522 +
1523 + *val = length_fuzz;
1524 + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
1525 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
1526 +- RR3_IR_IO_LENGTH_FUZZ, 0, val, len, HZ * 25);
1527 ++ RR3_IR_IO_LENGTH_FUZZ, 0, val, len, 25000);
1528 + dev_dbg(dev, "set ir parm len fuzz %d rc 0x%02x\n", *val, rc);
1529 +
1530 + *val = (65536 - (minimum_pause * 2000)) / 256;
1531 + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
1532 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
1533 +- RR3_IR_IO_MIN_PAUSE, 0, val, len, HZ * 25);
1534 ++ RR3_IR_IO_MIN_PAUSE, 0, val, len, 25000);
1535 + dev_dbg(dev, "set ir parm min pause %d rc 0x%02x\n", *val, rc);
1536 +
1537 + *val = periods_measure_carrier;
1538 + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
1539 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
1540 +- RR3_IR_IO_PERIODS_MF, 0, val, len, HZ * 25);
1541 ++ RR3_IR_IO_PERIODS_MF, 0, val, len, 25000);
1542 + dev_dbg(dev, "set ir parm periods measure carrier %d rc 0x%02x", *val,
1543 + rc);
1544 +
1545 + *val = RR3_DRIVER_MAXLENS;
1546 + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
1547 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
1548 +- RR3_IR_IO_MAX_LENGTHS, 0, val, len, HZ * 25);
1549 ++ RR3_IR_IO_MAX_LENGTHS, 0, val, len, 25000);
1550 + dev_dbg(dev, "set ir parm max lens %d rc 0x%02x\n", *val, rc);
1551 +
1552 + kfree(val);
1553 +@@ -602,7 +602,7 @@ static void redrat3_get_firmware_rev(struct redrat3_dev *rr3)
1554 + rc = usb_control_msg(rr3->udev, usb_rcvctrlpipe(rr3->udev, 0),
1555 + RR3_FW_VERSION,
1556 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
1557 +- 0, 0, buffer, RR3_FW_VERSION_LEN, HZ * 5);
1558 ++ 0, 0, buffer, RR3_FW_VERSION_LEN, 5000);
1559 +
1560 + if (rc >= 0)
1561 + dev_info(rr3->dev, "Firmware rev: %s", buffer);
1562 +@@ -842,14 +842,14 @@ static int redrat3_transmit_ir(struct rc_dev *rcdev, unsigned *txbuf,
1563 +
1564 + pipe = usb_sndbulkpipe(rr3->udev, rr3->ep_out->bEndpointAddress);
1565 + ret = usb_bulk_msg(rr3->udev, pipe, irdata,
1566 +- sendbuf_len, &ret_len, 10 * HZ);
1567 ++ sendbuf_len, &ret_len, 10000);
1568 + dev_dbg(dev, "sent %d bytes, (ret %d)\n", ret_len, ret);
1569 +
1570 + /* now tell the hardware to transmit what we sent it */
1571 + pipe = usb_rcvctrlpipe(rr3->udev, 0);
1572 + ret = usb_control_msg(rr3->udev, pipe, RR3_TX_SEND_SIGNAL,
1573 + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
1574 +- 0, 0, irdata, 2, HZ * 10);
1575 ++ 0, 0, irdata, 2, 10000);
1576 +
1577 + if (ret < 0)
1578 + dev_err(dev, "Error: control msg send failed, rc %d\n", ret);
1579 +diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c
1580 +index 3a12ef35682b5..64d98517f470f 100644
1581 +--- a/drivers/media/tuners/msi001.c
1582 ++++ b/drivers/media/tuners/msi001.c
1583 +@@ -464,6 +464,13 @@ static int msi001_probe(struct spi_device *spi)
1584 + V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
1585 + dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
1586 + V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
1587 ++ if (dev->hdl.error) {
1588 ++ ret = dev->hdl.error;
1589 ++ dev_err(&spi->dev, "Could not initialize controls\n");
1590 ++ /* control init failed, free handler */
1591 ++ goto err_ctrl_handler_free;
1592 ++ }
1593 ++
1594 + v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
1595 + dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
1596 + V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
1597 +diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
1598 +index 72a47da0db2ae..e56837414e2c7 100644
1599 +--- a/drivers/media/tuners/si2157.c
1600 ++++ b/drivers/media/tuners/si2157.c
1601 +@@ -89,7 +89,7 @@ static int si2157_init(struct dvb_frontend *fe)
1602 + dev_dbg(&client->dev, "\n");
1603 +
1604 + /* Try to get Xtal trim property, to verify tuner still running */
1605 +- memcpy(cmd.args, "\x15\x00\x04\x02", 4);
1606 ++ memcpy(cmd.args, "\x15\x00\x02\x04", 4);
1607 + cmd.wlen = 4;
1608 + cmd.rlen = 4;
1609 + ret = si2157_cmd_execute(client, &cmd);
1610 +diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
1611 +index a93fc1839e139..3d6e991df9261 100644
1612 +--- a/drivers/media/usb/b2c2/flexcop-usb.c
1613 ++++ b/drivers/media/usb/b2c2/flexcop-usb.c
1614 +@@ -87,7 +87,7 @@ static int flexcop_usb_readwrite_dw(struct flexcop_device *fc, u16 wRegOffsPCI,
1615 + 0,
1616 + fc_usb->data,
1617 + sizeof(u32),
1618 +- B2C2_WAIT_FOR_OPERATION_RDW * HZ);
1619 ++ B2C2_WAIT_FOR_OPERATION_RDW);
1620 +
1621 + if (ret != sizeof(u32)) {
1622 + err("error while %s dword from %d (%d).", read ? "reading" :
1623 +@@ -155,7 +155,7 @@ static int flexcop_usb_v8_memory_req(struct flexcop_usb *fc_usb,
1624 + wIndex,
1625 + fc_usb->data,
1626 + buflen,
1627 +- nWaitTime * HZ);
1628 ++ nWaitTime);
1629 + if (ret != buflen)
1630 + ret = -EIO;
1631 +
1632 +@@ -249,13 +249,13 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c,
1633 + /* DKT 020208 - add this to support special case of DiSEqC */
1634 + case USB_FUNC_I2C_CHECKWRITE:
1635 + pipe = B2C2_USB_CTRL_PIPE_OUT;
1636 +- nWaitTime = 2;
1637 ++ nWaitTime = 2000;
1638 + request_type |= USB_DIR_OUT;
1639 + break;
1640 + case USB_FUNC_I2C_READ:
1641 + case USB_FUNC_I2C_REPEATREAD:
1642 + pipe = B2C2_USB_CTRL_PIPE_IN;
1643 +- nWaitTime = 2;
1644 ++ nWaitTime = 2000;
1645 + request_type |= USB_DIR_IN;
1646 + break;
1647 + default:
1648 +@@ -282,7 +282,7 @@ static int flexcop_usb_i2c_req(struct flexcop_i2c_adapter *i2c,
1649 + wIndex,
1650 + fc_usb->data,
1651 + buflen,
1652 +- nWaitTime * HZ);
1653 ++ nWaitTime);
1654 +
1655 + if (ret != buflen)
1656 + ret = -EIO;
1657 +diff --git a/drivers/media/usb/b2c2/flexcop-usb.h b/drivers/media/usb/b2c2/flexcop-usb.h
1658 +index 25ad43166e78c..247c7dbc8a619 100644
1659 +--- a/drivers/media/usb/b2c2/flexcop-usb.h
1660 ++++ b/drivers/media/usb/b2c2/flexcop-usb.h
1661 +@@ -90,13 +90,13 @@ typedef enum {
1662 + UTILITY_SRAM_TESTVERIFY = 0x16,
1663 + } flexcop_usb_utility_function_t;
1664 +
1665 +-#define B2C2_WAIT_FOR_OPERATION_RW (1*HZ)
1666 +-#define B2C2_WAIT_FOR_OPERATION_RDW (3*HZ)
1667 +-#define B2C2_WAIT_FOR_OPERATION_WDW (1*HZ)
1668 ++#define B2C2_WAIT_FOR_OPERATION_RW 1000
1669 ++#define B2C2_WAIT_FOR_OPERATION_RDW 3000
1670 ++#define B2C2_WAIT_FOR_OPERATION_WDW 1000
1671 +
1672 +-#define B2C2_WAIT_FOR_OPERATION_V8READ (3*HZ)
1673 +-#define B2C2_WAIT_FOR_OPERATION_V8WRITE (3*HZ)
1674 +-#define B2C2_WAIT_FOR_OPERATION_V8FLASH (3*HZ)
1675 ++#define B2C2_WAIT_FOR_OPERATION_V8READ 3000
1676 ++#define B2C2_WAIT_FOR_OPERATION_V8WRITE 3000
1677 ++#define B2C2_WAIT_FOR_OPERATION_V8FLASH 3000
1678 +
1679 + typedef enum {
1680 + V8_MEMORY_PAGE_DVB_CI = 0x20,
1681 +diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
1682 +index 4f4a130f17af3..447d6a52af3b8 100644
1683 +--- a/drivers/media/usb/cpia2/cpia2_usb.c
1684 ++++ b/drivers/media/usb/cpia2/cpia2_usb.c
1685 +@@ -565,7 +565,7 @@ static int write_packet(struct usb_device *udev,
1686 + 0, /* index */
1687 + buf, /* buffer */
1688 + size,
1689 +- HZ);
1690 ++ 1000);
1691 +
1692 + kfree(buf);
1693 + return ret;
1694 +@@ -597,7 +597,7 @@ static int read_packet(struct usb_device *udev,
1695 + 0, /* index */
1696 + buf, /* buffer */
1697 + size,
1698 +- HZ);
1699 ++ 1000);
1700 +
1701 + if (ret >= 0)
1702 + memcpy(registers, buf, size);
1703 +diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c
1704 +index 4a5ea74c91d45..1b56824fbe51e 100644
1705 +--- a/drivers/media/usb/dvb-usb/dib0700_core.c
1706 ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
1707 +@@ -610,8 +610,6 @@ int dib0700_streaming_ctrl(struct dvb_usb_adapter *adap, int onoff)
1708 + deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint);
1709 + if (onoff)
1710 + st->channel_state |= 1 << (adap->id);
1711 +- else
1712 +- st->channel_state |= 1 << ~(adap->id);
1713 + } else {
1714 + if (onoff)
1715 + st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2);
1716 +diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c
1717 +index eafc5c82467f4..5b806779e2106 100644
1718 +--- a/drivers/media/usb/dvb-usb/m920x.c
1719 ++++ b/drivers/media/usb/dvb-usb/m920x.c
1720 +@@ -284,6 +284,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
1721 + /* Should check for ack here, if we knew how. */
1722 + }
1723 + if (msg[i].flags & I2C_M_RD) {
1724 ++ char *read = kmalloc(1, GFP_KERNEL);
1725 ++ if (!read) {
1726 ++ ret = -ENOMEM;
1727 ++ kfree(read);
1728 ++ goto unlock;
1729 ++ }
1730 ++
1731 + for (j = 0; j < msg[i].len; j++) {
1732 + /* Last byte of transaction?
1733 + * Send STOP, otherwise send ACK. */
1734 +@@ -291,9 +298,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
1735 +
1736 + if ((ret = m920x_read(d->udev, M9206_I2C, 0x0,
1737 + 0x20 | stop,
1738 +- &msg[i].buf[j], 1)) != 0)
1739 ++ read, 1)) != 0)
1740 + goto unlock;
1741 ++ msg[i].buf[j] = read[0];
1742 + }
1743 ++
1744 ++ kfree(read);
1745 + } else {
1746 + for (j = 0; j < msg[i].len; j++) {
1747 + /* Last byte of transaction? Then send STOP. */
1748 +diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c
1749 +index eebd5d7088d00..fb3008a7233fe 100644
1750 +--- a/drivers/media/usb/em28xx/em28xx-core.c
1751 ++++ b/drivers/media/usb/em28xx/em28xx-core.c
1752 +@@ -99,7 +99,7 @@ int em28xx_read_reg_req_len(struct em28xx *dev, u8 req, u16 reg,
1753 + mutex_lock(&dev->ctrl_urb_lock);
1754 + ret = usb_control_msg(dev->udev, pipe, req,
1755 + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
1756 +- 0x0000, reg, dev->urb_buf, len, HZ);
1757 ++ 0x0000, reg, dev->urb_buf, len, 1000);
1758 + if (ret < 0) {
1759 + if (reg_debug)
1760 + printk(" failed!\n");
1761 +@@ -182,7 +182,7 @@ int em28xx_write_regs_req(struct em28xx *dev, u8 req, u16 reg, char *buf,
1762 + memcpy(dev->urb_buf, buf, len);
1763 + ret = usb_control_msg(dev->udev, pipe, req,
1764 + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
1765 +- 0x0000, reg, dev->urb_buf, len, HZ);
1766 ++ 0x0000, reg, dev->urb_buf, len, 1000);
1767 + mutex_unlock(&dev->ctrl_urb_lock);
1768 +
1769 + if (ret < 0)
1770 +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
1771 +index 0cb8dd5852357..40535db585a0e 100644
1772 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
1773 ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
1774 +@@ -1488,7 +1488,7 @@ static int pvr2_upload_firmware1(struct pvr2_hdw *hdw)
1775 + for (address = 0; address < fwsize; address += 0x800) {
1776 + memcpy(fw_ptr, fw_entry->data + address, 0x800);
1777 + ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address,
1778 +- 0, fw_ptr, 0x800, HZ);
1779 ++ 0, fw_ptr, 0x800, 1000);
1780 + }
1781 +
1782 + trace_firmware("Upload done, releasing device's CPU");
1783 +@@ -1627,7 +1627,7 @@ int pvr2_upload_firmware2(struct pvr2_hdw *hdw)
1784 + ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]);
1785 +
1786 + ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt,
1787 +- &actual_length, HZ);
1788 ++ &actual_length, 1000);
1789 + ret |= (actual_length != bcnt);
1790 + if (ret) break;
1791 + fw_done += bcnt;
1792 +@@ -3486,7 +3486,7 @@ void pvr2_hdw_cpufw_set_enabled(struct pvr2_hdw *hdw,
1793 + 0xa0,0xc0,
1794 + address,0,
1795 + hdw->fw_buffer+address,
1796 +- 0x800,HZ);
1797 ++ 0x800,1000);
1798 + if (ret < 0) break;
1799 + }
1800 +
1801 +@@ -4011,7 +4011,7 @@ void pvr2_hdw_cpureset_assert(struct pvr2_hdw *hdw,int val)
1802 + /* Write the CPUCS register on the 8051. The lsb of the register
1803 + is the reset bit; a 1 asserts reset while a 0 clears it. */
1804 + pipe = usb_sndctrlpipe(hdw->usb_dev, 0);
1805 +- ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ);
1806 ++ ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000);
1807 + if (ret < 0) {
1808 + pvr2_trace(PVR2_TRACE_ERROR_LEGS,
1809 + "cpureset_assert(%d) error=%d",val,ret);
1810 +diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
1811 +index f7bb78c1873c9..fb5636f07e7eb 100644
1812 +--- a/drivers/media/usb/s2255/s2255drv.c
1813 ++++ b/drivers/media/usb/s2255/s2255drv.c
1814 +@@ -1913,7 +1913,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request,
1815 + USB_TYPE_VENDOR | USB_RECIP_DEVICE |
1816 + USB_DIR_IN,
1817 + Value, Index, buf,
1818 +- TransferBufferLength, HZ * 5);
1819 ++ TransferBufferLength, USB_CTRL_SET_TIMEOUT);
1820 +
1821 + if (r >= 0)
1822 + memcpy(TransferBuffer, buf, TransferBufferLength);
1823 +@@ -1922,7 +1922,7 @@ static long s2255_vendor_req(struct s2255_dev *dev, unsigned char Request,
1824 + r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
1825 + Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
1826 + Value, Index, buf,
1827 +- TransferBufferLength, HZ * 5);
1828 ++ TransferBufferLength, USB_CTRL_SET_TIMEOUT);
1829 + }
1830 + kfree(buf);
1831 + return r;
1832 +diff --git a/drivers/media/usb/stk1160/stk1160-core.c b/drivers/media/usb/stk1160/stk1160-core.c
1833 +index bc029478065a0..a526ea2fe587a 100644
1834 +--- a/drivers/media/usb/stk1160/stk1160-core.c
1835 ++++ b/drivers/media/usb/stk1160/stk1160-core.c
1836 +@@ -76,7 +76,7 @@ int stk1160_read_reg(struct stk1160 *dev, u16 reg, u8 *value)
1837 + return -ENOMEM;
1838 + ret = usb_control_msg(dev->udev, pipe, 0x00,
1839 + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
1840 +- 0x00, reg, buf, sizeof(u8), HZ);
1841 ++ 0x00, reg, buf, sizeof(u8), 1000);
1842 + if (ret < 0) {
1843 + stk1160_err("read failed on reg 0x%x (%d)\n",
1844 + reg, ret);
1845 +@@ -96,7 +96,7 @@ int stk1160_write_reg(struct stk1160 *dev, u16 reg, u16 value)
1846 +
1847 + ret = usb_control_msg(dev->udev, pipe, 0x01,
1848 + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
1849 +- value, reg, NULL, 0, HZ);
1850 ++ value, reg, NULL, 0, 1000);
1851 + if (ret < 0) {
1852 + stk1160_err("write failed on reg 0x%x (%d)\n",
1853 + reg, ret);
1854 +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
1855 +index 1d724e86f3780..2a7d178a9d069 100644
1856 +--- a/drivers/media/usb/uvc/uvc_video.c
1857 ++++ b/drivers/media/usb/uvc/uvc_video.c
1858 +@@ -1716,6 +1716,10 @@ static int uvc_init_video(struct uvc_streaming *stream, gfp_t gfp_flags)
1859 + if (ep == NULL)
1860 + return -EIO;
1861 +
1862 ++ /* Reject broken descriptors. */
1863 ++ if (usb_endpoint_maxp(&ep->desc) == 0)
1864 ++ return -EIO;
1865 ++
1866 + ret = uvc_init_video_bulk(stream, ep, gfp_flags);
1867 + }
1868 +
1869 +diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c
1870 +index 6bf8d643d9428..31fbfd9c4b11c 100644
1871 +--- a/drivers/mfd/intel-lpss-acpi.c
1872 ++++ b/drivers/mfd/intel-lpss-acpi.c
1873 +@@ -84,6 +84,7 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
1874 + {
1875 + struct intel_lpss_platform_info *info;
1876 + const struct acpi_device_id *id;
1877 ++ int ret;
1878 +
1879 + id = acpi_match_device(intel_lpss_acpi_ids, &pdev->dev);
1880 + if (!id)
1881 +@@ -97,10 +98,14 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
1882 + info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
1883 + info->irq = platform_get_irq(pdev, 0);
1884 +
1885 ++ ret = intel_lpss_probe(&pdev->dev, info);
1886 ++ if (ret)
1887 ++ return ret;
1888 ++
1889 + pm_runtime_set_active(&pdev->dev);
1890 + pm_runtime_enable(&pdev->dev);
1891 +
1892 +- return intel_lpss_probe(&pdev->dev, info);
1893 ++ return 0;
1894 + }
1895 +
1896 + static int intel_lpss_acpi_remove(struct platform_device *pdev)
1897 +diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c
1898 +index 626fdcaf25101..645d26536114f 100644
1899 +--- a/drivers/misc/lattice-ecp3-config.c
1900 ++++ b/drivers/misc/lattice-ecp3-config.c
1901 +@@ -81,12 +81,12 @@ static void firmware_load(const struct firmware *fw, void *context)
1902 +
1903 + if (fw == NULL) {
1904 + dev_err(&spi->dev, "Cannot load firmware, aborting\n");
1905 +- return;
1906 ++ goto out;
1907 + }
1908 +
1909 + if (fw->size == 0) {
1910 + dev_err(&spi->dev, "Error: Firmware size is 0!\n");
1911 +- return;
1912 ++ goto out;
1913 + }
1914 +
1915 + /* Fill dummy data (24 stuffing bits for commands) */
1916 +@@ -108,7 +108,7 @@ static void firmware_load(const struct firmware *fw, void *context)
1917 + dev_err(&spi->dev,
1918 + "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n",
1919 + jedec_id);
1920 +- return;
1921 ++ goto out;
1922 + }
1923 +
1924 + dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name);
1925 +@@ -121,7 +121,7 @@ static void firmware_load(const struct firmware *fw, void *context)
1926 + buffer = kzalloc(fw->size + 8, GFP_KERNEL);
1927 + if (!buffer) {
1928 + dev_err(&spi->dev, "Error: Can't allocate memory!\n");
1929 +- return;
1930 ++ goto out;
1931 + }
1932 +
1933 + /*
1934 +@@ -160,7 +160,7 @@ static void firmware_load(const struct firmware *fw, void *context)
1935 + "Error: Timeout waiting for FPGA to clear (status=%08x)!\n",
1936 + status);
1937 + kfree(buffer);
1938 +- return;
1939 ++ goto out;
1940 + }
1941 +
1942 + dev_info(&spi->dev, "Configuring the FPGA...\n");
1943 +@@ -186,7 +186,7 @@ static void firmware_load(const struct firmware *fw, void *context)
1944 + release_firmware(fw);
1945 +
1946 + kfree(buffer);
1947 +-
1948 ++out:
1949 + complete(&data->fw_loaded);
1950 + }
1951 +
1952 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
1953 +index 2b721ed392adb..0d9226bdf6614 100644
1954 +--- a/drivers/net/bonding/bond_main.c
1955 ++++ b/drivers/net/bonding/bond_main.c
1956 +@@ -782,14 +782,14 @@ static bool bond_should_notify_peers(struct bonding *bond)
1957 + slave = rcu_dereference(bond->curr_active_slave);
1958 + rcu_read_unlock();
1959 +
1960 +- netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n",
1961 +- slave ? slave->dev->name : "NULL");
1962 +-
1963 + if (!slave || !bond->send_peer_notif ||
1964 + !netif_carrier_ok(bond->dev) ||
1965 + test_bit(__LINK_STATE_LINKWATCH_PENDING, &slave->dev->state))
1966 + return false;
1967 +
1968 ++ netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n",
1969 ++ slave ? slave->dev->name : "NULL");
1970 ++
1971 + return true;
1972 + }
1973 +
1974 +diff --git a/drivers/net/can/softing/softing_cs.c b/drivers/net/can/softing/softing_cs.c
1975 +index cdc0c7433a4b5..9fbed88d6c821 100644
1976 +--- a/drivers/net/can/softing/softing_cs.c
1977 ++++ b/drivers/net/can/softing/softing_cs.c
1978 +@@ -304,7 +304,7 @@ static int softingcs_probe(struct pcmcia_device *pcmcia)
1979 + return 0;
1980 +
1981 + platform_failed:
1982 +- kfree(dev);
1983 ++ platform_device_put(pdev);
1984 + mem_failed:
1985 + pcmcia_bad:
1986 + pcmcia_failed:
1987 +diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c
1988 +index 52fe50725d749..a74c779feb90e 100644
1989 +--- a/drivers/net/can/softing/softing_fw.c
1990 ++++ b/drivers/net/can/softing/softing_fw.c
1991 +@@ -576,18 +576,19 @@ int softing_startstop(struct net_device *dev, int up)
1992 + if (ret < 0)
1993 + goto failed;
1994 + }
1995 +- /* enable_error_frame */
1996 +- /*
1997 ++
1998 ++ /* enable_error_frame
1999 ++ *
2000 + * Error reporting is switched off at the moment since
2001 + * the receiving of them is not yet 100% verified
2002 + * This should be enabled sooner or later
2003 +- *
2004 +- if (error_reporting) {
2005 ++ */
2006 ++ if (0 && error_reporting) {
2007 + ret = softing_fct_cmd(card, 51, "enable_error_frame");
2008 + if (ret < 0)
2009 + goto failed;
2010 + }
2011 +- */
2012 ++
2013 + /* initialize interface */
2014 + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]);
2015 + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 4]);
2016 +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
2017 +index d21c68882e867..75399aa1ba951 100644
2018 +--- a/drivers/net/can/usb/gs_usb.c
2019 ++++ b/drivers/net/can/usb/gs_usb.c
2020 +@@ -328,7 +328,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
2021 +
2022 + /* device reports out of range channel id */
2023 + if (hf->channel >= GS_MAX_INTF)
2024 +- goto resubmit_urb;
2025 ++ goto device_detach;
2026 +
2027 + dev = usbcan->canch[hf->channel];
2028 +
2029 +@@ -413,6 +413,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
2030 +
2031 + /* USB failure take down all interfaces */
2032 + if (rc == -ENODEV) {
2033 ++ device_detach:
2034 + for (rc = 0; rc < GS_MAX_INTF; rc++) {
2035 + if (usbcan->canch[rc])
2036 + netif_device_detach(usbcan->canch[rc]->netdev);
2037 +@@ -514,6 +515,8 @@ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb,
2038 +
2039 + hf->echo_id = idx;
2040 + hf->channel = dev->channel;
2041 ++ hf->flags = 0;
2042 ++ hf->reserved = 0;
2043 +
2044 + cf = (struct can_frame *)skb->data;
2045 +
2046 +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
2047 +index e680bab27dd7e..ef24b619e0e57 100644
2048 +--- a/drivers/net/can/xilinx_can.c
2049 ++++ b/drivers/net/can/xilinx_can.c
2050 +@@ -1302,7 +1302,12 @@ static int xcan_probe(struct platform_device *pdev)
2051 + spin_lock_init(&priv->tx_lock);
2052 +
2053 + /* Get IRQ for the device */
2054 +- ndev->irq = platform_get_irq(pdev, 0);
2055 ++ ret = platform_get_irq(pdev, 0);
2056 ++ if (ret < 0)
2057 ++ goto err_free;
2058 ++
2059 ++ ndev->irq = ret;
2060 ++
2061 + ndev->flags |= IFF_ECHO; /* We support local echo */
2062 +
2063 + platform_set_drvdata(pdev, ndev);
2064 +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
2065 +index fae5517770834..6676924d5f3e7 100644
2066 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
2067 ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
2068 +@@ -3358,10 +3358,12 @@ static int bcmgenet_probe(struct platform_device *pdev)
2069 +
2070 + /* Request the WOL interrupt and advertise suspend if available */
2071 + priv->wol_irq_disabled = true;
2072 +- err = devm_request_irq(&pdev->dev, priv->wol_irq, bcmgenet_wol_isr, 0,
2073 +- dev->name, priv);
2074 +- if (!err)
2075 +- device_set_wakeup_capable(&pdev->dev, 1);
2076 ++ if (priv->wol_irq > 0) {
2077 ++ err = devm_request_irq(&pdev->dev, priv->wol_irq,
2078 ++ bcmgenet_wol_isr, 0, dev->name, priv);
2079 ++ if (!err)
2080 ++ device_set_wakeup_capable(&pdev->dev, 1);
2081 ++ }
2082 +
2083 + /* Set the needed headroom to account for any possible
2084 + * features enabling/disabling at runtime
2085 +diff --git a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
2086 +index d04a6c1634452..da8d10475a08e 100644
2087 +--- a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
2088 ++++ b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
2089 +@@ -32,6 +32,7 @@
2090 +
2091 + #include <linux/tcp.h>
2092 + #include <linux/ipv6.h>
2093 ++#include <net/inet_ecn.h>
2094 + #include <net/route.h>
2095 + #include <net/ip6_route.h>
2096 +
2097 +@@ -99,7 +100,7 @@ cxgb_find_route(struct cxgb4_lld_info *lldi,
2098 +
2099 + rt = ip_route_output_ports(&init_net, &fl4, NULL, peer_ip, local_ip,
2100 + peer_port, local_port, IPPROTO_TCP,
2101 +- tos, 0);
2102 ++ tos & ~INET_ECN_MASK, 0);
2103 + if (IS_ERR(rt))
2104 + return NULL;
2105 + n = dst_neigh_lookup(&rt->dst, &peer_ip);
2106 +diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
2107 +index 81021f87e4f39..93b7ed361b82e 100644
2108 +--- a/drivers/net/ethernet/freescale/fman/mac.c
2109 ++++ b/drivers/net/ethernet/freescale/fman/mac.c
2110 +@@ -96,14 +96,17 @@ static void mac_exception(void *handle, enum fman_mac_exceptions ex)
2111 + __func__, ex);
2112 + }
2113 +
2114 +-static void set_fman_mac_params(struct mac_device *mac_dev,
2115 +- struct fman_mac_params *params)
2116 ++static int set_fman_mac_params(struct mac_device *mac_dev,
2117 ++ struct fman_mac_params *params)
2118 + {
2119 + struct mac_priv_s *priv = mac_dev->priv;
2120 +
2121 + params->base_addr = (typeof(params->base_addr))
2122 + devm_ioremap(priv->dev, mac_dev->res->start,
2123 + resource_size(mac_dev->res));
2124 ++ if (!params->base_addr)
2125 ++ return -ENOMEM;
2126 ++
2127 + memcpy(&params->addr, mac_dev->addr, sizeof(mac_dev->addr));
2128 + params->max_speed = priv->max_speed;
2129 + params->phy_if = priv->phy_if;
2130 +@@ -114,6 +117,8 @@ static void set_fman_mac_params(struct mac_device *mac_dev,
2131 + params->event_cb = mac_exception;
2132 + params->dev_id = mac_dev;
2133 + params->internal_phy_node = priv->internal_phy_node;
2134 ++
2135 ++ return 0;
2136 + }
2137 +
2138 + static int tgec_initialization(struct mac_device *mac_dev)
2139 +@@ -125,7 +130,9 @@ static int tgec_initialization(struct mac_device *mac_dev)
2140 +
2141 + priv = mac_dev->priv;
2142 +
2143 +- set_fman_mac_params(mac_dev, &params);
2144 ++ err = set_fman_mac_params(mac_dev, &params);
2145 ++ if (err)
2146 ++ goto _return;
2147 +
2148 + mac_dev->fman_mac = tgec_config(&params);
2149 + if (!mac_dev->fman_mac) {
2150 +@@ -171,7 +178,9 @@ static int dtsec_initialization(struct mac_device *mac_dev)
2151 +
2152 + priv = mac_dev->priv;
2153 +
2154 +- set_fman_mac_params(mac_dev, &params);
2155 ++ err = set_fman_mac_params(mac_dev, &params);
2156 ++ if (err)
2157 ++ goto _return;
2158 +
2159 + mac_dev->fman_mac = dtsec_config(&params);
2160 + if (!mac_dev->fman_mac) {
2161 +@@ -220,7 +229,9 @@ static int memac_initialization(struct mac_device *mac_dev)
2162 +
2163 + priv = mac_dev->priv;
2164 +
2165 +- set_fman_mac_params(mac_dev, &params);
2166 ++ err = set_fman_mac_params(mac_dev, &params);
2167 ++ if (err)
2168 ++ goto _return;
2169 +
2170 + if (priv->max_speed == SPEED_10000)
2171 + params.phy_if = PHY_INTERFACE_MODE_XGMII;
2172 +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
2173 +index 9fd68cfdd9734..fc721a59a4086 100644
2174 +--- a/drivers/net/ethernet/freescale/gianfar.c
2175 ++++ b/drivers/net/ethernet/freescale/gianfar.c
2176 +@@ -2939,29 +2939,21 @@ static bool gfar_add_rx_frag(struct gfar_rx_buff *rxb, u32 lstatus,
2177 + {
2178 + int size = lstatus & BD_LENGTH_MASK;
2179 + struct page *page = rxb->page;
2180 +- bool last = !!(lstatus & BD_LFLAG(RXBD_LAST));
2181 +-
2182 +- /* Remove the FCS from the packet length */
2183 +- if (last)
2184 +- size -= ETH_FCS_LEN;
2185 +
2186 + if (likely(first)) {
2187 + skb_put(skb, size);
2188 + } else {
2189 + /* the last fragments' length contains the full frame length */
2190 +- if (last)
2191 ++ if (lstatus & BD_LFLAG(RXBD_LAST))
2192 + size -= skb->len;
2193 +
2194 +- /* Add the last fragment if it contains something other than
2195 +- * the FCS, otherwise drop it and trim off any part of the FCS
2196 +- * that was already received.
2197 +- */
2198 +- if (size > 0)
2199 +- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page,
2200 +- rxb->page_offset + RXBUF_ALIGNMENT,
2201 +- size, GFAR_RXB_TRUESIZE);
2202 +- else if (size < 0)
2203 +- pskb_trim(skb, skb->len + size);
2204 ++ WARN(size < 0, "gianfar: rx fragment size underflow");
2205 ++ if (size < 0)
2206 ++ return false;
2207 ++
2208 ++ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page,
2209 ++ rxb->page_offset + RXBUF_ALIGNMENT,
2210 ++ size, GFAR_RXB_TRUESIZE);
2211 + }
2212 +
2213 + /* try reuse page */
2214 +@@ -3074,6 +3066,9 @@ static void gfar_process_frame(struct net_device *ndev, struct sk_buff *skb)
2215 + if (priv->padding)
2216 + skb_pull(skb, priv->padding);
2217 +
2218 ++ /* Trim off the FCS */
2219 ++ pskb_trim(skb, skb->len - ETH_FCS_LEN);
2220 ++
2221 + if (ndev->features & NETIF_F_RXCSUM)
2222 + gfar_rx_checksum(skb, fcb);
2223 +
2224 +@@ -3117,6 +3112,17 @@ int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue, int rx_work_limit)
2225 + if (lstatus & BD_LFLAG(RXBD_EMPTY))
2226 + break;
2227 +
2228 ++ /* lost RXBD_LAST descriptor due to overrun */
2229 ++ if (skb &&
2230 ++ (lstatus & BD_LFLAG(RXBD_FIRST))) {
2231 ++ /* discard faulty buffer */
2232 ++ dev_kfree_skb(skb);
2233 ++ skb = NULL;
2234 ++ rx_queue->stats.rx_dropped++;
2235 ++
2236 ++ /* can continue normally */
2237 ++ }
2238 ++
2239 + /* order rx buffer descriptor reads */
2240 + rmb();
2241 +
2242 +diff --git a/drivers/net/ethernet/freescale/xgmac_mdio.c b/drivers/net/ethernet/freescale/xgmac_mdio.c
2243 +index c82c85ef5fb34..c37aea7ba8502 100644
2244 +--- a/drivers/net/ethernet/freescale/xgmac_mdio.c
2245 ++++ b/drivers/net/ethernet/freescale/xgmac_mdio.c
2246 +@@ -301,9 +301,10 @@ err_ioremap:
2247 + static int xgmac_mdio_remove(struct platform_device *pdev)
2248 + {
2249 + struct mii_bus *bus = platform_get_drvdata(pdev);
2250 ++ struct mdio_fsl_priv *priv = bus->priv;
2251 +
2252 + mdiobus_unregister(bus);
2253 +- iounmap(bus->priv);
2254 ++ iounmap(priv->mdio_base);
2255 + mdiobus_free(bus);
2256 +
2257 + return 0;
2258 +diff --git a/drivers/net/ethernet/i825xx/sni_82596.c b/drivers/net/ethernet/i825xx/sni_82596.c
2259 +index 2af7f77345fbd..e4128e151b854 100644
2260 +--- a/drivers/net/ethernet/i825xx/sni_82596.c
2261 ++++ b/drivers/net/ethernet/i825xx/sni_82596.c
2262 +@@ -122,9 +122,10 @@ static int sni_82596_probe(struct platform_device *dev)
2263 + netdevice->dev_addr[5] = readb(eth_addr + 0x06);
2264 + iounmap(eth_addr);
2265 +
2266 +- if (!netdevice->irq) {
2267 ++ if (netdevice->irq < 0) {
2268 + printk(KERN_ERR "%s: IRQ not found for i82596 at 0x%lx\n",
2269 + __FILE__, netdevice->base_addr);
2270 ++ retval = netdevice->irq;
2271 + goto probe_failed;
2272 + }
2273 +
2274 +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
2275 +index 46fcf3ec2caf7..46998a58e3d96 100644
2276 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
2277 ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
2278 +@@ -278,6 +278,16 @@ static int axienet_dma_bd_init(struct net_device *ndev)
2279 + axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET,
2280 + cr | XAXIDMA_CR_RUNSTOP_MASK);
2281 +
2282 ++ /* Wait for PhyRstCmplt bit to be set, indicating the PHY reset has finished */
2283 ++ ret = read_poll_timeout(axienet_ior, value,
2284 ++ value & XAE_INT_PHYRSTCMPLT_MASK,
2285 ++ DELAY_OF_ONE_MILLISEC, 50000, false, lp,
2286 ++ XAE_IS_OFFSET);
2287 ++ if (ret) {
2288 ++ dev_err(lp->dev, "%s: timeout waiting for PhyRstCmplt\n", __func__);
2289 ++ return ret;
2290 ++ }
2291 ++
2292 + return 0;
2293 + out:
2294 + axienet_dma_bd_release(ndev);
2295 +@@ -670,7 +680,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
2296 + num_frag = skb_shinfo(skb)->nr_frags;
2297 + cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
2298 +
2299 +- if (axienet_check_tx_bd_space(lp, num_frag)) {
2300 ++ if (axienet_check_tx_bd_space(lp, num_frag + 1)) {
2301 + if (netif_queue_stopped(ndev))
2302 + return NETDEV_TX_BUSY;
2303 +
2304 +@@ -680,7 +690,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
2305 + smp_mb();
2306 +
2307 + /* Space might have just been freed - check again */
2308 +- if (axienet_check_tx_bd_space(lp, num_frag))
2309 ++ if (axienet_check_tx_bd_space(lp, num_frag + 1))
2310 + return NETDEV_TX_BUSY;
2311 +
2312 + netif_wake_queue(ndev);
2313 +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
2314 +index 92fb664b56fbb..0fa6e2da4b5a2 100644
2315 +--- a/drivers/net/phy/mdio_bus.c
2316 ++++ b/drivers/net/phy/mdio_bus.c
2317 +@@ -347,7 +347,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
2318 + }
2319 +
2320 + bus->state = MDIOBUS_REGISTERED;
2321 +- pr_info("%s: probed\n", bus->name);
2322 ++ dev_dbg(&bus->dev, "probed\n");
2323 + return 0;
2324 +
2325 + error:
2326 +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
2327 +index 0a29844676f92..6287d2ad77c6d 100644
2328 +--- a/drivers/net/ppp/ppp_generic.c
2329 ++++ b/drivers/net/ppp/ppp_generic.c
2330 +@@ -71,6 +71,8 @@
2331 + #define MPHDRLEN 6 /* multilink protocol header length */
2332 + #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */
2333 +
2334 ++#define PPP_PROTO_LEN 2
2335 ++
2336 + /*
2337 + * An instance of /dev/ppp can be associated with either a ppp
2338 + * interface unit or a ppp channel. In both cases, file->private_data
2339 +@@ -500,6 +502,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
2340 +
2341 + if (!pf)
2342 + return -ENXIO;
2343 ++ /* All PPP packets should start with the 2-byte protocol */
2344 ++ if (count < PPP_PROTO_LEN)
2345 ++ return -EINVAL;
2346 + ret = -ENOMEM;
2347 + skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL);
2348 + if (!skb)
2349 +@@ -1563,7 +1568,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
2350 + }
2351 +
2352 + ++ppp->stats64.tx_packets;
2353 +- ppp->stats64.tx_bytes += skb->len - 2;
2354 ++ ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN;
2355 +
2356 + switch (proto) {
2357 + case PPP_IP:
2358 +diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
2359 +index 4f345bd4e6e29..95151b46f2001 100644
2360 +--- a/drivers/net/usb/mcs7830.c
2361 ++++ b/drivers/net/usb/mcs7830.c
2362 +@@ -121,8 +121,16 @@ static const char driver_name[] = "MOSCHIP usb-ethernet driver";
2363 +
2364 + static int mcs7830_get_reg(struct usbnet *dev, u16 index, u16 size, void *data)
2365 + {
2366 +- return usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
2367 +- 0x0000, index, data, size);
2368 ++ int ret;
2369 ++
2370 ++ ret = usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
2371 ++ 0x0000, index, data, size);
2372 ++ if (ret < 0)
2373 ++ return ret;
2374 ++ else if (ret < size)
2375 ++ return -ENODATA;
2376 ++
2377 ++ return ret;
2378 + }
2379 +
2380 + static int mcs7830_set_reg(struct usbnet *dev, u16 index, u16 size, const void *data)
2381 +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
2382 +index 9f4ee1d125b68..0c6b33c464cd9 100644
2383 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c
2384 ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
2385 +@@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb)
2386 + ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START");
2387 + return;
2388 + }
2389 ++ if (!cmd->odata) {
2390 ++ ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply");
2391 ++ return;
2392 ++ }
2393 + memcpy(cmd->odata, hdr + 1, sizeof(u32));
2394 + cmd->olen = sizeof(u32);
2395 + cmd->res = 0;
2396 +diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
2397 +index ae5b33fe5ba82..374ce35940d07 100644
2398 +--- a/drivers/net/wireless/ath/ath10k/htt_tx.c
2399 ++++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
2400 +@@ -158,6 +158,9 @@ void ath10k_htt_tx_dec_pending(struct ath10k_htt *htt)
2401 + htt->num_pending_tx--;
2402 + if (htt->num_pending_tx == htt->max_num_pending_tx - 1)
2403 + ath10k_mac_tx_unlock(htt->ar, ATH10K_TX_PAUSE_Q_FULL);
2404 ++
2405 ++ if (htt->num_pending_tx == 0)
2406 ++ wake_up(&htt->empty_tx_wq);
2407 + }
2408 +
2409 + int ath10k_htt_tx_inc_pending(struct ath10k_htt *htt)
2410 +diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
2411 +index beeb6be06939b..b6c050452b757 100644
2412 +--- a/drivers/net/wireless/ath/ath10k/txrx.c
2413 ++++ b/drivers/net/wireless/ath/ath10k/txrx.c
2414 +@@ -89,8 +89,6 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt,
2415 +
2416 + ath10k_htt_tx_free_msdu_id(htt, tx_done->msdu_id);
2417 + ath10k_htt_tx_dec_pending(htt);
2418 +- if (htt->num_pending_tx == 0)
2419 +- wake_up(&htt->empty_tx_wq);
2420 + spin_unlock_bh(&htt->tx_lock);
2421 +
2422 + dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE);
2423 +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
2424 +index 7c409cd43b709..33a6be0f21cac 100644
2425 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
2426 ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
2427 +@@ -588,6 +588,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev,
2428 + return;
2429 + }
2430 +
2431 ++ if (pkt_len > 2 * MAX_RX_BUF_SIZE) {
2432 ++ dev_err(&hif_dev->udev->dev,
2433 ++ "ath9k_htc: invalid pkt_len (%x)\n", pkt_len);
2434 ++ RX_STAT_INC(skb_dropped);
2435 ++ return;
2436 ++ }
2437 ++
2438 + pad_len = 4 - (pkt_len & 0x3);
2439 + if (pad_len == 4)
2440 + pad_len = 0;
2441 +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
2442 +index 914c210c9e605..da2f442cab271 100644
2443 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c
2444 ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c
2445 +@@ -2052,7 +2052,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn,
2446 + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n",
2447 + tmp->bss_index);
2448 + vif = wcn36xx_priv_to_vif(tmp);
2449 +- ieee80211_connection_loss(vif);
2450 ++ ieee80211_beacon_loss(vif);
2451 + }
2452 + return 0;
2453 + }
2454 +@@ -2067,7 +2067,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn,
2455 + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n",
2456 + rsp->bss_index);
2457 + vif = wcn36xx_priv_to_vif(tmp);
2458 +- ieee80211_connection_loss(vif);
2459 ++ ieee80211_beacon_loss(vif);
2460 + return 0;
2461 + }
2462 + }
2463 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
2464 +index d46efa8d70732..f8c225a726bd4 100644
2465 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
2466 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
2467 +@@ -1599,6 +1599,7 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm)
2468 + struct iwl_mvm_mc_iter_data iter_data = {
2469 + .mvm = mvm,
2470 + };
2471 ++ int ret;
2472 +
2473 + lockdep_assert_held(&mvm->mutex);
2474 +
2475 +@@ -1608,6 +1609,22 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm)
2476 + ieee80211_iterate_active_interfaces_atomic(
2477 + mvm->hw, IEEE80211_IFACE_ITER_NORMAL,
2478 + iwl_mvm_mc_iface_iterator, &iter_data);
2479 ++
2480 ++ /*
2481 ++ * Send a (synchronous) ech command so that we wait for the
2482 ++ * multiple asynchronous MCAST_FILTER_CMD commands sent by
2483 ++ * the interface iterator. Otherwise, we might get here over
2484 ++ * and over again (by userspace just sending a lot of these)
2485 ++ * and the CPU can send them faster than the firmware can
2486 ++ * process them.
2487 ++ * Note that the CPU is still faster - but with this we'll
2488 ++ * actually send fewer commands overall because the CPU will
2489 ++ * not schedule the work in mac80211 as frequently if it's
2490 ++ * still running when rescheduled (possibly multiple times).
2491 ++ */
2492 ++ ret = iwl_mvm_send_cmd_pdu(mvm, ECHO_CMD, 0, 0, NULL);
2493 ++ if (ret)
2494 ++ IWL_ERR(mvm, "Failed to synchronize multicast groups update\n");
2495 + }
2496 +
2497 + static u64 iwl_mvm_prepare_multicast(struct ieee80211_hw *hw,
2498 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
2499 +index fa97432054912..a8470817689cf 100644
2500 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
2501 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
2502 +@@ -1260,7 +1260,7 @@ static int iwl_mvm_check_running_scans(struct iwl_mvm *mvm, int type)
2503 + return -EIO;
2504 + }
2505 +
2506 +-#define SCAN_TIMEOUT 20000
2507 ++#define SCAN_TIMEOUT 30000
2508 +
2509 + void iwl_mvm_scan_timeout_wk(struct work_struct *work)
2510 + {
2511 +diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
2512 +index 2c4225e57c396..3a26add665ca0 100644
2513 +--- a/drivers/net/wireless/marvell/mwifiex/usb.c
2514 ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c
2515 +@@ -132,7 +132,8 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
2516 + default:
2517 + mwifiex_dbg(adapter, ERROR,
2518 + "unknown recv_type %#x\n", recv_type);
2519 +- return -1;
2520 ++ ret = -1;
2521 ++ goto exit_restore_skb;
2522 + }
2523 + break;
2524 + case MWIFIEX_USB_EP_DATA:
2525 +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
2526 +index 39a6bd314ca3b..264c1d57e10bc 100644
2527 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
2528 ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
2529 +@@ -1037,6 +1037,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw)
2530 + _InitPABias(hw);
2531 + rtl92c_dm_init(hw);
2532 + exit:
2533 ++ local_irq_disable();
2534 + local_irq_restore(flags);
2535 + return err;
2536 + }
2537 +diff --git a/drivers/parisc/pdc_stable.c b/drivers/parisc/pdc_stable.c
2538 +index 3651c3871d5b4..1b4aacf2ff9a5 100644
2539 +--- a/drivers/parisc/pdc_stable.c
2540 ++++ b/drivers/parisc/pdc_stable.c
2541 +@@ -992,8 +992,10 @@ pdcs_register_pathentries(void)
2542 + entry->kobj.kset = paths_kset;
2543 + err = kobject_init_and_add(&entry->kobj, &ktype_pdcspath, NULL,
2544 + "%s", entry->name);
2545 +- if (err)
2546 ++ if (err) {
2547 ++ kobject_put(&entry->kobj);
2548 + return err;
2549 ++ }
2550 +
2551 + /* kobject is now registered */
2552 + write_lock(&entry->rw_lock);
2553 +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
2554 +index 3ff2971102b61..8d34c6d0de796 100644
2555 +--- a/drivers/pci/quirks.c
2556 ++++ b/drivers/pci/quirks.c
2557 +@@ -3916,6 +3916,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9120,
2558 + quirk_dma_func1_alias);
2559 + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
2560 + quirk_dma_func1_alias);
2561 ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c136 */
2562 ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9125,
2563 ++ quirk_dma_func1_alias);
2564 + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
2565 + quirk_dma_func1_alias);
2566 + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
2567 +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c
2568 +index c3b615c94b4bf..a92cbc952b70b 100644
2569 +--- a/drivers/pcmcia/cs.c
2570 ++++ b/drivers/pcmcia/cs.c
2571 +@@ -665,18 +665,16 @@ static int pccardd(void *__skt)
2572 + if (events || sysfs_events)
2573 + continue;
2574 +
2575 ++ set_current_state(TASK_INTERRUPTIBLE);
2576 + if (kthread_should_stop())
2577 + break;
2578 +
2579 +- set_current_state(TASK_INTERRUPTIBLE);
2580 +-
2581 + schedule();
2582 +
2583 +- /* make sure we are running */
2584 +- __set_current_state(TASK_RUNNING);
2585 +-
2586 + try_to_freeze();
2587 + }
2588 ++ /* make sure we are running before we exit */
2589 ++ __set_current_state(TASK_RUNNING);
2590 +
2591 + /* shut down socket, if a device is still present */
2592 + if (skt->state & SOCKET_PRESENT) {
2593 +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
2594 +index 5ef7b46a25786..2e96d9273b780 100644
2595 +--- a/drivers/pcmcia/rsrc_nonstatic.c
2596 ++++ b/drivers/pcmcia/rsrc_nonstatic.c
2597 +@@ -693,6 +693,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s,
2598 + unsigned long min = base;
2599 + int ret;
2600 +
2601 ++ if (!res)
2602 ++ return NULL;
2603 ++
2604 + data.mask = align - 1;
2605 + data.offset = base & data.mask;
2606 + data.map = &s_data->io_db;
2607 +@@ -812,6 +815,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num,
2608 + unsigned long min, max;
2609 + int ret, i, j;
2610 +
2611 ++ if (!res)
2612 ++ return NULL;
2613 ++
2614 + low = low || !(s->features & SS_CAP_PAGE_REGS);
2615 +
2616 + data.mask = align - 1;
2617 +diff --git a/drivers/power/supply/bq25890_charger.c b/drivers/power/supply/bq25890_charger.c
2618 +index f993a55cde20f..faf2a62435674 100644
2619 +--- a/drivers/power/supply/bq25890_charger.c
2620 ++++ b/drivers/power/supply/bq25890_charger.c
2621 +@@ -521,12 +521,12 @@ static void bq25890_handle_state_change(struct bq25890_device *bq,
2622 +
2623 + if (!new_state->online) { /* power removed */
2624 + /* disable ADC */
2625 +- ret = bq25890_field_write(bq, F_CONV_START, 0);
2626 ++ ret = bq25890_field_write(bq, F_CONV_RATE, 0);
2627 + if (ret < 0)
2628 + goto error;
2629 + } else if (!old_state.online) { /* power inserted */
2630 + /* enable ADC, to have control of charge current/voltage */
2631 +- ret = bq25890_field_write(bq, F_CONV_START, 1);
2632 ++ ret = bq25890_field_write(bq, F_CONV_RATE, 1);
2633 + if (ret < 0)
2634 + goto error;
2635 + }
2636 +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
2637 +index b962dbe51750d..1dbd8419df7d7 100644
2638 +--- a/drivers/rtc/rtc-cmos.c
2639 ++++ b/drivers/rtc/rtc-cmos.c
2640 +@@ -342,7 +342,10 @@ static int cmos_set_alarm(struct device *dev, struct rtc_wkalrm *t)
2641 + min = t->time.tm_min;
2642 + sec = t->time.tm_sec;
2643 +
2644 ++ spin_lock_irq(&rtc_lock);
2645 + rtc_control = CMOS_READ(RTC_CONTROL);
2646 ++ spin_unlock_irq(&rtc_lock);
2647 ++
2648 + if (!(rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) {
2649 + /* Writing 0xff means "don't care" or "match all". */
2650 + mon = (mon <= 12) ? bin2bcd(mon) : 0xff;
2651 +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
2652 +index 9b63e46edffcc..a2a4c6e22c68d 100644
2653 +--- a/drivers/scsi/sr.c
2654 ++++ b/drivers/scsi/sr.c
2655 +@@ -882,7 +882,7 @@ static void get_capabilities(struct scsi_cd *cd)
2656 +
2657 +
2658 + /* allocate transfer buffer */
2659 +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
2660 ++ buffer = kmalloc(512, GFP_KERNEL);
2661 + if (!buffer) {
2662 + sr_printk(KERN_ERR, cd, "out of memory.\n");
2663 + return;
2664 +diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c
2665 +index 11a238cb22223..629bfe1b20263 100644
2666 +--- a/drivers/scsi/sr_vendor.c
2667 ++++ b/drivers/scsi/sr_vendor.c
2668 +@@ -118,7 +118,7 @@ int sr_set_blocklength(Scsi_CD *cd, int blocklength)
2669 + density = (blocklength > 2048) ? 0x81 : 0x83;
2670 + #endif
2671 +
2672 +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
2673 ++ buffer = kmalloc(512, GFP_KERNEL);
2674 + if (!buffer)
2675 + return -ENOMEM;
2676 +
2677 +@@ -166,7 +166,7 @@ int sr_cd_check(struct cdrom_device_info *cdi)
2678 + if (cd->cdi.mask & CDC_MULTI_SESSION)
2679 + return 0;
2680 +
2681 +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
2682 ++ buffer = kmalloc(512, GFP_KERNEL);
2683 + if (!buffer)
2684 + return -ENOMEM;
2685 +
2686 +diff --git a/drivers/scsi/ufs/tc-dwc-g210-pci.c b/drivers/scsi/ufs/tc-dwc-g210-pci.c
2687 +index c09a0fef0fe60..a1785b0239667 100644
2688 +--- a/drivers/scsi/ufs/tc-dwc-g210-pci.c
2689 ++++ b/drivers/scsi/ufs/tc-dwc-g210-pci.c
2690 +@@ -140,7 +140,6 @@ tc_dwc_g210_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
2691 + return err;
2692 + }
2693 +
2694 +- pci_set_drvdata(pdev, hba);
2695 + pm_runtime_put_noidle(&pdev->dev);
2696 + pm_runtime_allow(&pdev->dev);
2697 +
2698 +diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
2699 +index b47decc1fb5ba..e9b0cc4cbb4d2 100644
2700 +--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
2701 ++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
2702 +@@ -350,8 +350,6 @@ int ufshcd_pltfrm_init(struct platform_device *pdev,
2703 + goto dealloc_host;
2704 + }
2705 +
2706 +- platform_set_drvdata(pdev, hba);
2707 +-
2708 + pm_runtime_set_active(&pdev->dev);
2709 + pm_runtime_enable(&pdev->dev);
2710 +
2711 +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
2712 +index a767d942bfca5..cf7946c840165 100644
2713 +--- a/drivers/scsi/ufs/ufshcd.c
2714 ++++ b/drivers/scsi/ufs/ufshcd.c
2715 +@@ -6766,6 +6766,13 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
2716 + struct Scsi_Host *host = hba->host;
2717 + struct device *dev = hba->dev;
2718 +
2719 ++ /*
2720 ++ * dev_set_drvdata() must be called before any callbacks are registered
2721 ++ * that use dev_get_drvdata() (frequency scaling, clock scaling, hwmon,
2722 ++ * sysfs).
2723 ++ */
2724 ++ dev_set_drvdata(dev, hba);
2725 ++
2726 + if (!mmio_base) {
2727 + dev_err(hba->dev,
2728 + "Invalid memory reference for mmio_base is NULL\n");
2729 +diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c
2730 +index 616566e793c62..28975b6f054fa 100644
2731 +--- a/drivers/spi/spi-meson-spifc.c
2732 ++++ b/drivers/spi/spi-meson-spifc.c
2733 +@@ -357,6 +357,7 @@ static int meson_spifc_probe(struct platform_device *pdev)
2734 + return 0;
2735 + out_clk:
2736 + clk_disable_unprepare(spifc->clk);
2737 ++ pm_runtime_disable(spifc->dev);
2738 + out_err:
2739 + spi_master_put(master);
2740 + return ret;
2741 +diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
2742 +index 9d4e3b0d366f4..fbaf3c407989d 100644
2743 +--- a/drivers/staging/wlan-ng/hfa384x_usb.c
2744 ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c
2745 +@@ -3848,18 +3848,18 @@ static void hfa384x_usb_throttlefn(unsigned long data)
2746 +
2747 + spin_lock_irqsave(&hw->ctlxq.lock, flags);
2748 +
2749 +- /*
2750 +- * We need to check BOTH the RX and the TX throttle controls,
2751 +- * so we use the bitwise OR instead of the logical OR.
2752 +- */
2753 + pr_debug("flags=0x%lx\n", hw->usb_flags);
2754 +- if (!hw->wlandev->hwremoved &&
2755 +- ((test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) &&
2756 +- !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags)) |
2757 +- (test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) &&
2758 +- !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags))
2759 +- )) {
2760 +- schedule_work(&hw->usb_work);
2761 ++ if (!hw->wlandev->hwremoved) {
2762 ++ bool rx_throttle = test_and_clear_bit(THROTTLE_RX, &hw->usb_flags) &&
2763 ++ !test_and_set_bit(WORK_RX_RESUME, &hw->usb_flags);
2764 ++ bool tx_throttle = test_and_clear_bit(THROTTLE_TX, &hw->usb_flags) &&
2765 ++ !test_and_set_bit(WORK_TX_RESUME, &hw->usb_flags);
2766 ++ /*
2767 ++ * We need to check BOTH the RX and the TX throttle controls,
2768 ++ * so we use the bitwise OR instead of the logical OR.
2769 ++ */
2770 ++ if (rx_throttle | tx_throttle)
2771 ++ schedule_work(&hw->usb_work);
2772 + }
2773 +
2774 + spin_unlock_irqrestore(&hw->ctlxq.lock, flags);
2775 +diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c
2776 +index 5d41d5b92619a..7f4ba92739663 100644
2777 +--- a/drivers/tty/serial/amba-pl010.c
2778 ++++ b/drivers/tty/serial/amba-pl010.c
2779 +@@ -465,14 +465,11 @@ pl010_set_termios(struct uart_port *port, struct ktermios *termios,
2780 + if ((termios->c_cflag & CREAD) == 0)
2781 + uap->port.ignore_status_mask |= UART_DUMMY_RSR_RX;
2782 +
2783 +- /* first, disable everything */
2784 + old_cr = readb(uap->port.membase + UART010_CR) & ~UART010_CR_MSIE;
2785 +
2786 + if (UART_ENABLE_MS(port, termios->c_cflag))
2787 + old_cr |= UART010_CR_MSIE;
2788 +
2789 +- writel(0, uap->port.membase + UART010_CR);
2790 +-
2791 + /* Set baud rate */
2792 + quot -= 1;
2793 + writel((quot & 0xf00) >> 8, uap->port.membase + UART010_LCRM);
2794 +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
2795 +index e91bdd7d4c054..ad1d665e9962f 100644
2796 +--- a/drivers/tty/serial/amba-pl011.c
2797 ++++ b/drivers/tty/serial/amba-pl011.c
2798 +@@ -2090,32 +2090,13 @@ static const char *pl011_type(struct uart_port *port)
2799 + return uap->port.type == PORT_AMBA ? uap->type : NULL;
2800 + }
2801 +
2802 +-/*
2803 +- * Release the memory region(s) being used by 'port'
2804 +- */
2805 +-static void pl011_release_port(struct uart_port *port)
2806 +-{
2807 +- release_mem_region(port->mapbase, SZ_4K);
2808 +-}
2809 +-
2810 +-/*
2811 +- * Request the memory region(s) being used by 'port'
2812 +- */
2813 +-static int pl011_request_port(struct uart_port *port)
2814 +-{
2815 +- return request_mem_region(port->mapbase, SZ_4K, "uart-pl011")
2816 +- != NULL ? 0 : -EBUSY;
2817 +-}
2818 +-
2819 + /*
2820 + * Configure/autoconfigure the port.
2821 + */
2822 + static void pl011_config_port(struct uart_port *port, int flags)
2823 + {
2824 +- if (flags & UART_CONFIG_TYPE) {
2825 ++ if (flags & UART_CONFIG_TYPE)
2826 + port->type = PORT_AMBA;
2827 +- pl011_request_port(port);
2828 +- }
2829 + }
2830 +
2831 + /*
2832 +@@ -2130,6 +2111,8 @@ static int pl011_verify_port(struct uart_port *port, struct serial_struct *ser)
2833 + ret = -EINVAL;
2834 + if (ser->baud_base < 9600)
2835 + ret = -EINVAL;
2836 ++ if (port->mapbase != (unsigned long) ser->iomem_base)
2837 ++ ret = -EINVAL;
2838 + return ret;
2839 + }
2840 +
2841 +@@ -2147,8 +2130,6 @@ static struct uart_ops amba_pl011_pops = {
2842 + .flush_buffer = pl011_dma_flush_buffer,
2843 + .set_termios = pl011_set_termios,
2844 + .type = pl011_type,
2845 +- .release_port = pl011_release_port,
2846 +- .request_port = pl011_request_port,
2847 + .config_port = pl011_config_port,
2848 + .verify_port = pl011_verify_port,
2849 + #ifdef CONFIG_CONSOLE_POLL
2850 +@@ -2178,8 +2159,6 @@ static const struct uart_ops sbsa_uart_pops = {
2851 + .shutdown = sbsa_uart_shutdown,
2852 + .set_termios = sbsa_uart_set_termios,
2853 + .type = pl011_type,
2854 +- .release_port = pl011_release_port,
2855 +- .request_port = pl011_request_port,
2856 + .config_port = pl011_config_port,
2857 + .verify_port = pl011_verify_port,
2858 + #ifdef CONFIG_CONSOLE_POLL
2859 +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
2860 +index 4a7eb85f7c857..5dd04a1145b40 100644
2861 +--- a/drivers/tty/serial/atmel_serial.c
2862 ++++ b/drivers/tty/serial/atmel_serial.c
2863 +@@ -928,6 +928,13 @@ static void atmel_tx_dma(struct uart_port *port)
2864 + desc->callback = atmel_complete_tx_dma;
2865 + desc->callback_param = atmel_port;
2866 + atmel_port->cookie_tx = dmaengine_submit(desc);
2867 ++ if (dma_submit_error(atmel_port->cookie_tx)) {
2868 ++ dev_err(port->dev, "dma_submit_error %d\n",
2869 ++ atmel_port->cookie_tx);
2870 ++ return;
2871 ++ }
2872 ++
2873 ++ dma_async_issue_pending(chan);
2874 + }
2875 +
2876 + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
2877 +@@ -1186,6 +1193,13 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
2878 + desc->callback_param = port;
2879 + atmel_port->desc_rx = desc;
2880 + atmel_port->cookie_rx = dmaengine_submit(desc);
2881 ++ if (dma_submit_error(atmel_port->cookie_rx)) {
2882 ++ dev_err(port->dev, "dma_submit_error %d\n",
2883 ++ atmel_port->cookie_rx);
2884 ++ goto chan_err;
2885 ++ }
2886 ++
2887 ++ dma_async_issue_pending(atmel_port->chan_rx);
2888 +
2889 + return 0;
2890 +
2891 +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
2892 +index e97961dc3622d..ec458add38833 100644
2893 +--- a/drivers/tty/serial/serial_core.c
2894 ++++ b/drivers/tty/serial/serial_core.c
2895 +@@ -2349,7 +2349,8 @@ uart_configure_port(struct uart_driver *drv, struct uart_state *state,
2896 + * We probably don't need a spinlock around this, but
2897 + */
2898 + spin_lock_irqsave(&port->lock, flags);
2899 +- port->ops->set_mctrl(port, port->mctrl & TIOCM_DTR);
2900 ++ port->mctrl &= TIOCM_DTR;
2901 ++ port->ops->set_mctrl(port, port->mctrl);
2902 + spin_unlock_irqrestore(&port->lock, flags);
2903 +
2904 + /*
2905 +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
2906 +index 1dd4c65e9188a..2246731d96b0e 100644
2907 +--- a/drivers/usb/core/hcd.c
2908 ++++ b/drivers/usb/core/hcd.c
2909 +@@ -760,6 +760,7 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd)
2910 + {
2911 + struct urb *urb;
2912 + int length;
2913 ++ int status;
2914 + unsigned long flags;
2915 + char buffer[6]; /* Any root hubs with > 31 ports? */
2916 +
2917 +@@ -777,11 +778,17 @@ void usb_hcd_poll_rh_status(struct usb_hcd *hcd)
2918 + if (urb) {
2919 + clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
2920 + hcd->status_urb = NULL;
2921 ++ if (urb->transfer_buffer_length >= length) {
2922 ++ status = 0;
2923 ++ } else {
2924 ++ status = -EOVERFLOW;
2925 ++ length = urb->transfer_buffer_length;
2926 ++ }
2927 + urb->actual_length = length;
2928 + memcpy(urb->transfer_buffer, buffer, length);
2929 +
2930 + usb_hcd_unlink_urb_from_ep(hcd, urb);
2931 +- usb_hcd_giveback_urb(hcd, urb, 0);
2932 ++ usb_hcd_giveback_urb(hcd, urb, status);
2933 + } else {
2934 + length = 0;
2935 + set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
2936 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
2937 +index 0abcf8bbb73fe..33bf5ba438397 100644
2938 +--- a/drivers/usb/core/hub.c
2939 ++++ b/drivers/usb/core/hub.c
2940 +@@ -1070,7 +1070,10 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2941 + } else {
2942 + hub_power_on(hub, true);
2943 + }
2944 +- }
2945 ++ /* Give some time on remote wakeup to let links to transit to U0 */
2946 ++ } else if (hub_is_superspeed(hub->hdev))
2947 ++ msleep(20);
2948 ++
2949 + init2:
2950 +
2951 + /*
2952 +@@ -1185,7 +1188,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2953 + */
2954 + if (portchange || (hub_is_superspeed(hub->hdev) &&
2955 + port_resumed))
2956 +- set_bit(port1, hub->change_bits);
2957 ++ set_bit(port1, hub->event_bits);
2958 +
2959 + } else if (udev->persist_enabled) {
2960 + #ifdef CONFIG_PM
2961 +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
2962 +index 0336392686935..e4826454de1a7 100644
2963 +--- a/drivers/usb/gadget/function/f_fs.c
2964 ++++ b/drivers/usb/gadget/function/f_fs.c
2965 +@@ -608,7 +608,7 @@ static int ffs_ep0_open(struct inode *inode, struct file *file)
2966 + file->private_data = ffs;
2967 + ffs_data_opened(ffs);
2968 +
2969 +- return 0;
2970 ++ return stream_open(inode, file);
2971 + }
2972 +
2973 + static int ffs_ep0_release(struct inode *inode, struct file *file)
2974 +@@ -1071,7 +1071,7 @@ ffs_epfile_open(struct inode *inode, struct file *file)
2975 + file->private_data = epfile;
2976 + ffs_data_opened(epfile->ffs);
2977 +
2978 +- return 0;
2979 ++ return stream_open(inode, file);
2980 + }
2981 +
2982 + static int ffs_aio_cancel(struct kiocb *kiocb)
2983 +diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c
2984 +index 9a82f8308ad7f..0738078fe8b82 100644
2985 +--- a/drivers/usb/misc/ftdi-elan.c
2986 ++++ b/drivers/usb/misc/ftdi-elan.c
2987 +@@ -206,6 +206,7 @@ static void ftdi_elan_delete(struct kref *kref)
2988 + mutex_unlock(&ftdi_module_lock);
2989 + kfree(ftdi->bulk_in_buffer);
2990 + ftdi->bulk_in_buffer = NULL;
2991 ++ kfree(ftdi);
2992 + }
2993 +
2994 + static void ftdi_elan_put_kref(struct usb_ftdi *ftdi)
2995 +diff --git a/drivers/w1/slaves/w1_ds28e04.c b/drivers/w1/slaves/w1_ds28e04.c
2996 +index 5e348d38ec5c9..f4cf54c256fd8 100644
2997 +--- a/drivers/w1/slaves/w1_ds28e04.c
2998 ++++ b/drivers/w1/slaves/w1_ds28e04.c
2999 +@@ -39,7 +39,7 @@ static int w1_strong_pullup = 1;
3000 + module_param_named(strong_pullup, w1_strong_pullup, int, 0);
3001 +
3002 + /* enable/disable CRC checking on DS28E04-100 memory accesses */
3003 +-static char w1_enable_crccheck = 1;
3004 ++static bool w1_enable_crccheck = true;
3005 +
3006 + #define W1_EEPROM_SIZE 512
3007 + #define W1_PAGE_COUNT 16
3008 +@@ -346,32 +346,18 @@ static BIN_ATTR_RW(pio, 1);
3009 + static ssize_t crccheck_show(struct device *dev, struct device_attribute *attr,
3010 + char *buf)
3011 + {
3012 +- if (put_user(w1_enable_crccheck + 0x30, buf))
3013 +- return -EFAULT;
3014 +-
3015 +- return sizeof(w1_enable_crccheck);
3016 ++ return sysfs_emit(buf, "%d\n", w1_enable_crccheck);
3017 + }
3018 +
3019 + static ssize_t crccheck_store(struct device *dev, struct device_attribute *attr,
3020 + const char *buf, size_t count)
3021 + {
3022 +- char val;
3023 +-
3024 +- if (count != 1 || !buf)
3025 +- return -EINVAL;
3026 ++ int err = kstrtobool(buf, &w1_enable_crccheck);
3027 +
3028 +- if (get_user(val, buf))
3029 +- return -EFAULT;
3030 ++ if (err)
3031 ++ return err;
3032 +
3033 +- /* convert to decimal */
3034 +- val = val - 0x30;
3035 +- if (val != 0 && val != 1)
3036 +- return -EINVAL;
3037 +-
3038 +- /* set the new value */
3039 +- w1_enable_crccheck = val;
3040 +-
3041 +- return sizeof(w1_enable_crccheck);
3042 ++ return count;
3043 + }
3044 +
3045 + static DEVICE_ATTR_RW(crccheck);
3046 +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
3047 +index bb008ac507fe3..16169b35ab6e5 100644
3048 +--- a/fs/btrfs/backref.c
3049 ++++ b/fs/btrfs/backref.c
3050 +@@ -1271,7 +1271,12 @@ again:
3051 + ret = btrfs_search_slot(trans, fs_info->extent_root, &key, path, 0, 0);
3052 + if (ret < 0)
3053 + goto out;
3054 +- BUG_ON(ret == 0);
3055 ++ if (ret == 0) {
3056 ++ /* This shouldn't happen, indicates a bug or fs corruption. */
3057 ++ ASSERT(ret != 0);
3058 ++ ret = -EUCLEAN;
3059 ++ goto out;
3060 ++ }
3061 +
3062 + #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS
3063 + if (trans && likely(trans->type != __TRANS_DUMMY) &&
3064 +@@ -1432,10 +1437,18 @@ again:
3065 + goto out;
3066 + if (!ret && extent_item_pos) {
3067 + /*
3068 +- * we've recorded that parent, so we must extend
3069 +- * its inode list here
3070 ++ * We've recorded that parent, so we must extend
3071 ++ * its inode list here.
3072 ++ *
3073 ++ * However if there was corruption we may not
3074 ++ * have found an eie, return an error in this
3075 ++ * case.
3076 + */
3077 +- BUG_ON(!eie);
3078 ++ ASSERT(eie);
3079 ++ if (!eie) {
3080 ++ ret = -EUCLEAN;
3081 ++ goto out;
3082 ++ }
3083 + while (eie->next)
3084 + eie = eie->next;
3085 + eie->next = ref->inode_list;
3086 +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
3087 +index 3a7f401e943c1..ffab7dc881574 100644
3088 +--- a/fs/dlm/lock.c
3089 ++++ b/fs/dlm/lock.c
3090 +@@ -3975,6 +3975,14 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
3091 + int from = ms->m_header.h_nodeid;
3092 + int error = 0;
3093 +
3094 ++ /* currently mixing of user/kernel locks are not supported */
3095 ++ if (ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER) {
3096 ++ log_error(lkb->lkb_resource->res_ls,
3097 ++ "got user dlm message for a kernel lock");
3098 ++ error = -EINVAL;
3099 ++ goto out;
3100 ++ }
3101 ++
3102 + switch (ms->m_type) {
3103 + case DLM_MSG_CONVERT:
3104 + case DLM_MSG_UNLOCK:
3105 +@@ -4003,6 +4011,7 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
3106 + error = -EINVAL;
3107 + }
3108 +
3109 ++out:
3110 + if (error)
3111 + log_error(lkb->lkb_resource->res_ls,
3112 + "ignore invalid message %d from %d %x %x %x %d",
3113 +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
3114 +index 75fff707beb6a..e7384a6e6a083 100644
3115 +--- a/fs/ext4/ioctl.c
3116 ++++ b/fs/ext4/ioctl.c
3117 +@@ -760,8 +760,6 @@ resizefs_out:
3118 + sizeof(range)))
3119 + return -EFAULT;
3120 +
3121 +- range.minlen = max((unsigned int)range.minlen,
3122 +- q->limits.discard_granularity);
3123 + ret = ext4_trim_fs(sb, &range);
3124 + if (ret < 0)
3125 + return ret;
3126 +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
3127 +index 807331da9dfc1..2a7fb2cf19b81 100644
3128 +--- a/fs/ext4/mballoc.c
3129 ++++ b/fs/ext4/mballoc.c
3130 +@@ -5224,6 +5224,7 @@ out:
3131 + */
3132 + int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
3133 + {
3134 ++ struct request_queue *q = bdev_get_queue(sb->s_bdev);
3135 + struct ext4_group_info *grp;
3136 + ext4_group_t group, first_group, last_group;
3137 + ext4_grpblk_t cnt = 0, first_cluster, last_cluster;
3138 +@@ -5242,6 +5243,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
3139 + start >= max_blks ||
3140 + range->len < sb->s_blocksize)
3141 + return -EINVAL;
3142 ++ /* No point to try to trim less than discard granularity */
3143 ++ if (range->minlen < q->limits.discard_granularity) {
3144 ++ minlen = EXT4_NUM_B2C(EXT4_SB(sb),
3145 ++ q->limits.discard_granularity >> sb->s_blocksize_bits);
3146 ++ if (minlen > EXT4_CLUSTERS_PER_GROUP(sb))
3147 ++ goto out;
3148 ++ }
3149 + if (end >= max_blks)
3150 + end = max_blks - 1;
3151 + if (end <= first_data_blk)
3152 +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
3153 +index bce2d696d6b9c..6967ab3306e7d 100644
3154 +--- a/fs/ext4/migrate.c
3155 ++++ b/fs/ext4/migrate.c
3156 +@@ -462,12 +462,12 @@ int ext4_ext_migrate(struct inode *inode)
3157 + percpu_down_write(&sbi->s_writepages_rwsem);
3158 +
3159 + /*
3160 +- * Worst case we can touch the allocation bitmaps, a bgd
3161 +- * block, and a block to link in the orphan list. We do need
3162 +- * need to worry about credits for modifying the quota inode.
3163 ++ * Worst case we can touch the allocation bitmaps and a block
3164 ++ * group descriptor block. We do need need to worry about
3165 ++ * credits for modifying the quota inode.
3166 + */
3167 + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE,
3168 +- 4 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb));
3169 ++ 3 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb));
3170 +
3171 + if (IS_ERR(handle)) {
3172 + retval = PTR_ERR(handle);
3173 +@@ -484,6 +484,13 @@ int ext4_ext_migrate(struct inode *inode)
3174 + ext4_journal_stop(handle);
3175 + goto out_unlock;
3176 + }
3177 ++ /*
3178 ++ * Use the correct seed for checksum (i.e. the seed from 'inode'). This
3179 ++ * is so that the metadata blocks will have the correct checksum after
3180 ++ * the migration.
3181 ++ */
3182 ++ ei = EXT4_I(inode);
3183 ++ EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed;
3184 + i_size_write(tmp_inode, i_size_read(inode));
3185 + /*
3186 + * Set the i_nlink to zero so it will be deleted later
3187 +@@ -492,7 +499,6 @@ int ext4_ext_migrate(struct inode *inode)
3188 + clear_nlink(tmp_inode);
3189 +
3190 + ext4_ext_tree_init(handle, tmp_inode);
3191 +- ext4_orphan_add(handle, tmp_inode);
3192 + ext4_journal_stop(handle);
3193 +
3194 + /*
3195 +@@ -517,17 +523,10 @@ int ext4_ext_migrate(struct inode *inode)
3196 +
3197 + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1);
3198 + if (IS_ERR(handle)) {
3199 +- /*
3200 +- * It is impossible to update on-disk structures without
3201 +- * a handle, so just rollback in-core changes and live other
3202 +- * work to orphan_list_cleanup()
3203 +- */
3204 +- ext4_orphan_del(NULL, tmp_inode);
3205 + retval = PTR_ERR(handle);
3206 + goto out_tmp_inode;
3207 + }
3208 +
3209 +- ei = EXT4_I(inode);
3210 + i_data = ei->i_data;
3211 + memset(&lb, 0, sizeof(lb));
3212 +
3213 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
3214 +index ca89590d1df57..e17a6396bde6c 100644
3215 +--- a/fs/ext4/super.c
3216 ++++ b/fs/ext4/super.c
3217 +@@ -5602,7 +5602,7 @@ static ssize_t ext4_quota_write(struct super_block *sb, int type,
3218 + struct buffer_head *bh;
3219 + handle_t *handle = journal_current_handle();
3220 +
3221 +- if (EXT4_SB(sb)->s_journal && !handle) {
3222 ++ if (!handle) {
3223 + ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)"
3224 + " cancelled because transaction is not started",
3225 + (unsigned long long)off, (unsigned long long)len);
3226 +diff --git a/fs/fuse/acl.c b/fs/fuse/acl.c
3227 +index ec85765502f1f..990529da5354d 100644
3228 +--- a/fs/fuse/acl.c
3229 ++++ b/fs/fuse/acl.c
3230 +@@ -19,6 +19,9 @@ struct posix_acl *fuse_get_acl(struct inode *inode, int type)
3231 + void *value = NULL;
3232 + struct posix_acl *acl;
3233 +
3234 ++ if (fuse_is_bad(inode))
3235 ++ return ERR_PTR(-EIO);
3236 ++
3237 + if (!fc->posix_acl || fc->no_getxattr)
3238 + return NULL;
3239 +
3240 +@@ -53,6 +56,9 @@ int fuse_set_acl(struct inode *inode, struct posix_acl *acl, int type)
3241 + const char *name;
3242 + int ret;
3243 +
3244 ++ if (fuse_is_bad(inode))
3245 ++ return -EIO;
3246 ++
3247 + if (!fc->posix_acl || fc->no_setxattr)
3248 + return -EOPNOTSUPP;
3249 +
3250 +diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
3251 +index b41cc537eb311..c40bdfab0a859 100644
3252 +--- a/fs/fuse/dir.c
3253 ++++ b/fs/fuse/dir.c
3254 +@@ -187,7 +187,7 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags)
3255 + int ret;
3256 +
3257 + inode = d_inode_rcu(entry);
3258 +- if (inode && is_bad_inode(inode))
3259 ++ if (inode && fuse_is_bad(inode))
3260 + goto invalid;
3261 + else if (time_before64(fuse_dentry_time(entry), get_jiffies_64()) ||
3262 + (flags & LOOKUP_REVAL)) {
3263 +@@ -364,6 +364,9 @@ static struct dentry *fuse_lookup(struct inode *dir, struct dentry *entry,
3264 + bool outarg_valid = true;
3265 + bool locked;
3266 +
3267 ++ if (fuse_is_bad(dir))
3268 ++ return ERR_PTR(-EIO);
3269 ++
3270 + locked = fuse_lock_inode(dir);
3271 + err = fuse_lookup_name(dir->i_sb, get_node_id(dir), &entry->d_name,
3272 + &outarg, &inode);
3273 +@@ -504,6 +507,9 @@ static int fuse_atomic_open(struct inode *dir, struct dentry *entry,
3274 + struct fuse_conn *fc = get_fuse_conn(dir);
3275 + struct dentry *res = NULL;
3276 +
3277 ++ if (fuse_is_bad(dir))
3278 ++ return -EIO;
3279 ++
3280 + if (d_in_lookup(entry)) {
3281 + res = fuse_lookup(dir, entry, 0);
3282 + if (IS_ERR(res))
3283 +@@ -551,6 +557,9 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
3284 + int err;
3285 + struct fuse_forget_link *forget;
3286 +
3287 ++ if (fuse_is_bad(dir))
3288 ++ return -EIO;
3289 ++
3290 + forget = fuse_alloc_forget();
3291 + if (!forget)
3292 + return -ENOMEM;
3293 +@@ -672,6 +681,9 @@ static int fuse_unlink(struct inode *dir, struct dentry *entry)
3294 + struct fuse_conn *fc = get_fuse_conn(dir);
3295 + FUSE_ARGS(args);
3296 +
3297 ++ if (fuse_is_bad(dir))
3298 ++ return -EIO;
3299 ++
3300 + args.in.h.opcode = FUSE_UNLINK;
3301 + args.in.h.nodeid = get_node_id(dir);
3302 + args.in.numargs = 1;
3303 +@@ -708,6 +720,9 @@ static int fuse_rmdir(struct inode *dir, struct dentry *entry)
3304 + struct fuse_conn *fc = get_fuse_conn(dir);
3305 + FUSE_ARGS(args);
3306 +
3307 ++ if (fuse_is_bad(dir))
3308 ++ return -EIO;
3309 ++
3310 + args.in.h.opcode = FUSE_RMDIR;
3311 + args.in.h.nodeid = get_node_id(dir);
3312 + args.in.numargs = 1;
3313 +@@ -786,6 +801,9 @@ static int fuse_rename2(struct inode *olddir, struct dentry *oldent,
3314 + struct fuse_conn *fc = get_fuse_conn(olddir);
3315 + int err;
3316 +
3317 ++ if (fuse_is_bad(olddir))
3318 ++ return -EIO;
3319 ++
3320 + if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE))
3321 + return -EINVAL;
3322 +
3323 +@@ -921,7 +939,7 @@ static int fuse_do_getattr(struct inode *inode, struct kstat *stat,
3324 + if (!err) {
3325 + if (fuse_invalid_attr(&outarg.attr) ||
3326 + (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
3327 +- make_bad_inode(inode);
3328 ++ fuse_make_bad(inode);
3329 + err = -EIO;
3330 + } else {
3331 + fuse_change_attributes(inode, &outarg.attr,
3332 +@@ -1114,6 +1132,9 @@ static int fuse_permission(struct inode *inode, int mask)
3333 + bool refreshed = false;
3334 + int err = 0;
3335 +
3336 ++ if (fuse_is_bad(inode))
3337 ++ return -EIO;
3338 ++
3339 + if (!fuse_allow_current_process(fc))
3340 + return -EACCES;
3341 +
3342 +@@ -1251,7 +1272,7 @@ retry:
3343 + dput(dentry);
3344 + goto retry;
3345 + }
3346 +- if (is_bad_inode(inode)) {
3347 ++ if (fuse_is_bad(inode)) {
3348 + dput(dentry);
3349 + return -EIO;
3350 + }
3351 +@@ -1349,7 +1370,7 @@ static int fuse_readdir(struct file *file, struct dir_context *ctx)
3352 + u64 attr_version = 0;
3353 + bool locked;
3354 +
3355 +- if (is_bad_inode(inode))
3356 ++ if (fuse_is_bad(inode))
3357 + return -EIO;
3358 +
3359 + req = fuse_get_req(fc, 1);
3360 +@@ -1409,6 +1430,9 @@ static const char *fuse_get_link(struct dentry *dentry,
3361 + if (!dentry)
3362 + return ERR_PTR(-ECHILD);
3363 +
3364 ++ if (fuse_is_bad(inode))
3365 ++ return ERR_PTR(-EIO);
3366 ++
3367 + link = kmalloc(PAGE_SIZE, GFP_KERNEL);
3368 + if (!link)
3369 + return ERR_PTR(-ENOMEM);
3370 +@@ -1707,7 +1731,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
3371 +
3372 + if (fuse_invalid_attr(&outarg.attr) ||
3373 + (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
3374 +- make_bad_inode(inode);
3375 ++ fuse_make_bad(inode);
3376 + err = -EIO;
3377 + goto error;
3378 + }
3379 +@@ -1763,6 +1787,9 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
3380 + struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL;
3381 + int ret;
3382 +
3383 ++ if (fuse_is_bad(inode))
3384 ++ return -EIO;
3385 ++
3386 + if (!fuse_allow_current_process(get_fuse_conn(inode)))
3387 + return -EACCES;
3388 +
3389 +@@ -1821,6 +1848,9 @@ static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
3390 + struct inode *inode = d_inode(entry);
3391 + struct fuse_conn *fc = get_fuse_conn(inode);
3392 +
3393 ++ if (fuse_is_bad(inode))
3394 ++ return -EIO;
3395 ++
3396 + if (!fuse_allow_current_process(fc))
3397 + return -EACCES;
3398 +
3399 +diff --git a/fs/fuse/file.c b/fs/fuse/file.c
3400 +index cea2317e01380..8aef8e56eb1b6 100644
3401 +--- a/fs/fuse/file.c
3402 ++++ b/fs/fuse/file.c
3403 +@@ -206,6 +206,9 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir)
3404 + fc->atomic_o_trunc &&
3405 + fc->writeback_cache;
3406 +
3407 ++ if (fuse_is_bad(inode))
3408 ++ return -EIO;
3409 ++
3410 + err = generic_file_open(inode, file);
3411 + if (err)
3412 + return err;
3413 +@@ -411,7 +414,7 @@ static int fuse_flush(struct file *file, fl_owner_t id)
3414 + struct fuse_flush_in inarg;
3415 + int err;
3416 +
3417 +- if (is_bad_inode(inode))
3418 ++ if (fuse_is_bad(inode))
3419 + return -EIO;
3420 +
3421 + if (fc->no_flush)
3422 +@@ -459,7 +462,7 @@ int fuse_fsync_common(struct file *file, loff_t start, loff_t end,
3423 + struct fuse_fsync_in inarg;
3424 + int err;
3425 +
3426 +- if (is_bad_inode(inode))
3427 ++ if (fuse_is_bad(inode))
3428 + return -EIO;
3429 +
3430 + inode_lock(inode);
3431 +@@ -771,7 +774,7 @@ static int fuse_readpage(struct file *file, struct page *page)
3432 + int err;
3433 +
3434 + err = -EIO;
3435 +- if (is_bad_inode(inode))
3436 ++ if (fuse_is_bad(inode))
3437 + goto out;
3438 +
3439 + err = fuse_do_readpage(file, page);
3440 +@@ -898,7 +901,7 @@ static int fuse_readpages(struct file *file, struct address_space *mapping,
3441 + int nr_alloc = min_t(unsigned, nr_pages, FUSE_MAX_PAGES_PER_REQ);
3442 +
3443 + err = -EIO;
3444 +- if (is_bad_inode(inode))
3445 ++ if (fuse_is_bad(inode))
3446 + goto out;
3447 +
3448 + data.file = file;
3449 +@@ -928,6 +931,9 @@ static ssize_t fuse_file_read_iter(struct kiocb *iocb, struct iov_iter *to)
3450 + struct inode *inode = iocb->ki_filp->f_mapping->host;
3451 + struct fuse_conn *fc = get_fuse_conn(inode);
3452 +
3453 ++ if (fuse_is_bad(inode))
3454 ++ return -EIO;
3455 ++
3456 + /*
3457 + * In auto invalidate mode, always update attributes on read.
3458 + * Otherwise, only update if we attempt to read past EOF (to ensure
3459 +@@ -1123,7 +1129,7 @@ static ssize_t fuse_perform_write(struct file *file,
3460 + int err = 0;
3461 + ssize_t res = 0;
3462 +
3463 +- if (is_bad_inode(inode))
3464 ++ if (fuse_is_bad(inode))
3465 + return -EIO;
3466 +
3467 + if (inode->i_size < pos + iov_iter_count(ii))
3468 +@@ -1180,6 +1186,9 @@ static ssize_t fuse_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
3469 + ssize_t err;
3470 + loff_t endbyte = 0;
3471 +
3472 ++ if (fuse_is_bad(inode))
3473 ++ return -EIO;
3474 ++
3475 + if (get_fuse_conn(inode)->writeback_cache) {
3476 + /* Update size (EOF optimization) and mode (SUID clearing) */
3477 + err = fuse_update_attributes(mapping->host, NULL, file, NULL);
3478 +@@ -1415,7 +1424,7 @@ static ssize_t __fuse_direct_read(struct fuse_io_priv *io,
3479 + struct file *file = io->file;
3480 + struct inode *inode = file_inode(file);
3481 +
3482 +- if (is_bad_inode(inode))
3483 ++ if (fuse_is_bad(inode))
3484 + return -EIO;
3485 +
3486 + res = fuse_direct_io(io, iter, ppos, 0);
3487 +@@ -1438,7 +1447,7 @@ static ssize_t fuse_direct_write_iter(struct kiocb *iocb, struct iov_iter *from)
3488 + struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file);
3489 + ssize_t res;
3490 +
3491 +- if (is_bad_inode(inode))
3492 ++ if (fuse_is_bad(inode))
3493 + return -EIO;
3494 +
3495 + /* Don't allow parallel writes to the same file */
3496 +@@ -1911,7 +1920,7 @@ static int fuse_writepages(struct address_space *mapping,
3497 + int err;
3498 +
3499 + err = -EIO;
3500 +- if (is_bad_inode(inode))
3501 ++ if (fuse_is_bad(inode))
3502 + goto out;
3503 +
3504 + data.inode = inode;
3505 +@@ -2687,7 +2696,7 @@ long fuse_ioctl_common(struct file *file, unsigned int cmd,
3506 + if (!fuse_allow_current_process(fc))
3507 + return -EACCES;
3508 +
3509 +- if (is_bad_inode(inode))
3510 ++ if (fuse_is_bad(inode))
3511 + return -EIO;
3512 +
3513 + return fuse_do_ioctl(file, cmd, arg, flags);
3514 +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
3515 +index f84dd6d87d90f..7e4b0e298bc73 100644
3516 +--- a/fs/fuse/fuse_i.h
3517 ++++ b/fs/fuse/fuse_i.h
3518 +@@ -115,6 +115,8 @@ enum {
3519 + FUSE_I_INIT_RDPLUS,
3520 + /** An operation changing file size is in progress */
3521 + FUSE_I_SIZE_UNSTABLE,
3522 ++ /* Bad inode */
3523 ++ FUSE_I_BAD,
3524 + };
3525 +
3526 + struct fuse_conn;
3527 +@@ -688,6 +690,17 @@ static inline u64 get_node_id(struct inode *inode)
3528 + return get_fuse_inode(inode)->nodeid;
3529 + }
3530 +
3531 ++static inline void fuse_make_bad(struct inode *inode)
3532 ++{
3533 ++ remove_inode_hash(inode);
3534 ++ set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state);
3535 ++}
3536 ++
3537 ++static inline bool fuse_is_bad(struct inode *inode)
3538 ++{
3539 ++ return unlikely(test_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state));
3540 ++}
3541 ++
3542 + /** Device operations */
3543 + extern const struct file_operations fuse_dev_operations;
3544 +
3545 +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
3546 +index 7a9b1069d267b..77b8f0f264078 100644
3547 +--- a/fs/fuse/inode.c
3548 ++++ b/fs/fuse/inode.c
3549 +@@ -316,7 +316,7 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid,
3550 + unlock_new_inode(inode);
3551 + } else if ((inode->i_mode ^ attr->mode) & S_IFMT) {
3552 + /* Inode has changed type, any I/O on the old should fail */
3553 +- make_bad_inode(inode);
3554 ++ fuse_make_bad(inode);
3555 + iput(inode);
3556 + goto retry;
3557 + }
3558 +diff --git a/fs/fuse/xattr.c b/fs/fuse/xattr.c
3559 +index 3caac46b08b0e..134bbc432ae60 100644
3560 +--- a/fs/fuse/xattr.c
3561 ++++ b/fs/fuse/xattr.c
3562 +@@ -113,6 +113,9 @@ ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
3563 + struct fuse_getxattr_out outarg;
3564 + ssize_t ret;
3565 +
3566 ++ if (fuse_is_bad(inode))
3567 ++ return -EIO;
3568 ++
3569 + if (!fuse_allow_current_process(fc))
3570 + return -EACCES;
3571 +
3572 +@@ -178,6 +181,9 @@ static int fuse_xattr_get(const struct xattr_handler *handler,
3573 + struct dentry *dentry, struct inode *inode,
3574 + const char *name, void *value, size_t size)
3575 + {
3576 ++ if (fuse_is_bad(inode))
3577 ++ return -EIO;
3578 ++
3579 + return fuse_getxattr(inode, name, value, size);
3580 + }
3581 +
3582 +@@ -186,6 +192,9 @@ static int fuse_xattr_set(const struct xattr_handler *handler,
3583 + const char *name, const void *value, size_t size,
3584 + int flags)
3585 + {
3586 ++ if (fuse_is_bad(inode))
3587 ++ return -EIO;
3588 ++
3589 + if (!value)
3590 + return fuse_removexattr(inode, name);
3591 +
3592 +diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
3593 +index c12476e309c67..eb4e4d784d26e 100644
3594 +--- a/fs/jffs2/file.c
3595 ++++ b/fs/jffs2/file.c
3596 +@@ -135,20 +135,15 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
3597 + struct page *pg;
3598 + struct inode *inode = mapping->host;
3599 + struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
3600 ++ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
3601 + pgoff_t index = pos >> PAGE_SHIFT;
3602 + uint32_t pageofs = index << PAGE_SHIFT;
3603 + int ret = 0;
3604 +
3605 +- pg = grab_cache_page_write_begin(mapping, index, flags);
3606 +- if (!pg)
3607 +- return -ENOMEM;
3608 +- *pagep = pg;
3609 +-
3610 + jffs2_dbg(1, "%s()\n", __func__);
3611 +
3612 + if (pageofs > inode->i_size) {
3613 + /* Make new hole frag from old EOF to new page */
3614 +- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
3615 + struct jffs2_raw_inode ri;
3616 + struct jffs2_full_dnode *fn;
3617 + uint32_t alloc_len;
3618 +@@ -159,7 +154,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
3619 + ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
3620 + ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
3621 + if (ret)
3622 +- goto out_page;
3623 ++ goto out_err;
3624 +
3625 + mutex_lock(&f->sem);
3626 + memset(&ri, 0, sizeof(ri));
3627 +@@ -189,7 +184,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
3628 + ret = PTR_ERR(fn);
3629 + jffs2_complete_reservation(c);
3630 + mutex_unlock(&f->sem);
3631 +- goto out_page;
3632 ++ goto out_err;
3633 + }
3634 + ret = jffs2_add_full_dnode_to_inode(c, f, fn);
3635 + if (f->metadata) {
3636 +@@ -204,13 +199,26 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
3637 + jffs2_free_full_dnode(fn);
3638 + jffs2_complete_reservation(c);
3639 + mutex_unlock(&f->sem);
3640 +- goto out_page;
3641 ++ goto out_err;
3642 + }
3643 + jffs2_complete_reservation(c);
3644 + inode->i_size = pageofs;
3645 + mutex_unlock(&f->sem);
3646 + }
3647 +
3648 ++ /*
3649 ++ * While getting a page and reading data in, lock c->alloc_sem until
3650 ++ * the page is Uptodate. Otherwise GC task may attempt to read the same
3651 ++ * page in read_cache_page(), which causes a deadlock.
3652 ++ */
3653 ++ mutex_lock(&c->alloc_sem);
3654 ++ pg = grab_cache_page_write_begin(mapping, index, flags);
3655 ++ if (!pg) {
3656 ++ ret = -ENOMEM;
3657 ++ goto release_sem;
3658 ++ }
3659 ++ *pagep = pg;
3660 ++
3661 + /*
3662 + * Read in the page if it wasn't already present. Cannot optimize away
3663 + * the whole page write case until jffs2_write_end can handle the
3664 +@@ -220,15 +228,17 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
3665 + mutex_lock(&f->sem);
3666 + ret = jffs2_do_readpage_nolock(inode, pg);
3667 + mutex_unlock(&f->sem);
3668 +- if (ret)
3669 +- goto out_page;
3670 ++ if (ret) {
3671 ++ unlock_page(pg);
3672 ++ put_page(pg);
3673 ++ goto release_sem;
3674 ++ }
3675 + }
3676 + jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags);
3677 +- return ret;
3678 +
3679 +-out_page:
3680 +- unlock_page(pg);
3681 +- put_page(pg);
3682 ++release_sem:
3683 ++ mutex_unlock(&c->alloc_sem);
3684 ++out_err:
3685 + return ret;
3686 + }
3687 +
3688 +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
3689 +index 727a9e3fa806f..ce58e857ae3bc 100644
3690 +--- a/fs/ubifs/super.c
3691 ++++ b/fs/ubifs/super.c
3692 +@@ -1695,7 +1695,6 @@ out:
3693 + kthread_stop(c->bgt);
3694 + c->bgt = NULL;
3695 + }
3696 +- free_wbufs(c);
3697 + kfree(c->write_reserve_buf);
3698 + c->write_reserve_buf = NULL;
3699 + vfree(c->ileb_buf);
3700 +diff --git a/include/linux/mm.h b/include/linux/mm.h
3701 +index 7a4c035b187f3..81ee5d0b26424 100644
3702 +--- a/include/linux/mm.h
3703 ++++ b/include/linux/mm.h
3704 +@@ -1269,6 +1269,8 @@ int copy_page_range(struct mm_struct *dst, struct mm_struct *src,
3705 + struct vm_area_struct *vma);
3706 + void unmap_mapping_range(struct address_space *mapping,
3707 + loff_t const holebegin, loff_t const holelen, int even_cows);
3708 ++int follow_pte_pmd(struct mm_struct *mm, unsigned long address,
3709 ++ pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp);
3710 + int follow_pfn(struct vm_area_struct *vma, unsigned long address,
3711 + unsigned long *pfn);
3712 + int follow_phys(struct vm_area_struct *vma, unsigned long address,
3713 +diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h
3714 +index e585018498d59..d574361943ea8 100644
3715 +--- a/include/linux/rbtree.h
3716 ++++ b/include/linux/rbtree.h
3717 +@@ -44,10 +44,25 @@ struct rb_root {
3718 + struct rb_node *rb_node;
3719 + };
3720 +
3721 ++/*
3722 ++ * Leftmost-cached rbtrees.
3723 ++ *
3724 ++ * We do not cache the rightmost node based on footprint
3725 ++ * size vs number of potential users that could benefit
3726 ++ * from O(1) rb_last(). Just not worth it, users that want
3727 ++ * this feature can always implement the logic explicitly.
3728 ++ * Furthermore, users that want to cache both pointers may
3729 ++ * find it a bit asymmetric, but that's ok.
3730 ++ */
3731 ++struct rb_root_cached {
3732 ++ struct rb_root rb_root;
3733 ++ struct rb_node *rb_leftmost;
3734 ++};
3735 +
3736 + #define rb_parent(r) ((struct rb_node *)((r)->__rb_parent_color & ~3))
3737 +
3738 + #define RB_ROOT (struct rb_root) { NULL, }
3739 ++#define RB_ROOT_CACHED (struct rb_root_cached) { {NULL, }, NULL }
3740 + #define rb_entry(ptr, type, member) container_of(ptr, type, member)
3741 +
3742 + #define RB_EMPTY_ROOT(root) (READ_ONCE((root)->rb_node) == NULL)
3743 +@@ -69,6 +84,12 @@ extern struct rb_node *rb_prev(const struct rb_node *);
3744 + extern struct rb_node *rb_first(const struct rb_root *);
3745 + extern struct rb_node *rb_last(const struct rb_root *);
3746 +
3747 ++extern void rb_insert_color_cached(struct rb_node *,
3748 ++ struct rb_root_cached *, bool);
3749 ++extern void rb_erase_cached(struct rb_node *node, struct rb_root_cached *);
3750 ++/* Same as rb_first(), but O(1) */
3751 ++#define rb_first_cached(root) (root)->rb_leftmost
3752 ++
3753 + /* Postorder iteration - always visit the parent after its children */
3754 + extern struct rb_node *rb_first_postorder(const struct rb_root *);
3755 + extern struct rb_node *rb_next_postorder(const struct rb_node *);
3756 +diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
3757 +index d076183e49bec..023d64657e956 100644
3758 +--- a/include/linux/rbtree_augmented.h
3759 ++++ b/include/linux/rbtree_augmented.h
3760 +@@ -41,7 +41,9 @@ struct rb_augment_callbacks {
3761 + void (*rotate)(struct rb_node *old, struct rb_node *new);
3762 + };
3763 +
3764 +-extern void __rb_insert_augmented(struct rb_node *node, struct rb_root *root,
3765 ++extern void __rb_insert_augmented(struct rb_node *node,
3766 ++ struct rb_root *root,
3767 ++ bool newleft, struct rb_node **leftmost,
3768 + void (*augment_rotate)(struct rb_node *old, struct rb_node *new));
3769 + /*
3770 + * Fixup the rbtree and update the augmented information when rebalancing.
3771 +@@ -57,7 +59,16 @@ static inline void
3772 + rb_insert_augmented(struct rb_node *node, struct rb_root *root,
3773 + const struct rb_augment_callbacks *augment)
3774 + {
3775 +- __rb_insert_augmented(node, root, augment->rotate);
3776 ++ __rb_insert_augmented(node, root, false, NULL, augment->rotate);
3777 ++}
3778 ++
3779 ++static inline void
3780 ++rb_insert_augmented_cached(struct rb_node *node,
3781 ++ struct rb_root_cached *root, bool newleft,
3782 ++ const struct rb_augment_callbacks *augment)
3783 ++{
3784 ++ __rb_insert_augmented(node, &root->rb_root,
3785 ++ newleft, &root->rb_leftmost, augment->rotate);
3786 + }
3787 +
3788 + #define RB_DECLARE_CALLBACKS(rbstatic, rbname, rbstruct, rbfield, \
3789 +@@ -148,6 +159,7 @@ extern void __rb_erase_color(struct rb_node *parent, struct rb_root *root,
3790 +
3791 + static __always_inline struct rb_node *
3792 + __rb_erase_augmented(struct rb_node *node, struct rb_root *root,
3793 ++ struct rb_node **leftmost,
3794 + const struct rb_augment_callbacks *augment)
3795 + {
3796 + struct rb_node *child = node->rb_right;
3797 +@@ -155,6 +167,9 @@ __rb_erase_augmented(struct rb_node *node, struct rb_root *root,
3798 + struct rb_node *parent, *rebalance;
3799 + unsigned long pc;
3800 +
3801 ++ if (leftmost && node == *leftmost)
3802 ++ *leftmost = rb_next(node);
3803 ++
3804 + if (!tmp) {
3805 + /*
3806 + * Case 1: node to erase has no more than 1 child (easy!)
3807 +@@ -254,9 +269,21 @@ static __always_inline void
3808 + rb_erase_augmented(struct rb_node *node, struct rb_root *root,
3809 + const struct rb_augment_callbacks *augment)
3810 + {
3811 +- struct rb_node *rebalance = __rb_erase_augmented(node, root, augment);
3812 ++ struct rb_node *rebalance = __rb_erase_augmented(node, root,
3813 ++ NULL, augment);
3814 + if (rebalance)
3815 + __rb_erase_color(rebalance, root, augment->rotate);
3816 + }
3817 +
3818 ++static __always_inline void
3819 ++rb_erase_augmented_cached(struct rb_node *node, struct rb_root_cached *root,
3820 ++ const struct rb_augment_callbacks *augment)
3821 ++{
3822 ++ struct rb_node *rebalance = __rb_erase_augmented(node, &root->rb_root,
3823 ++ &root->rb_leftmost,
3824 ++ augment);
3825 ++ if (rebalance)
3826 ++ __rb_erase_color(rebalance, &root->rb_root, augment->rotate);
3827 ++}
3828 ++
3829 + #endif /* _LINUX_RBTREE_AUGMENTED_H */
3830 +diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
3831 +index 7eec17ad7fa19..42868a9b43657 100644
3832 +--- a/include/linux/timerqueue.h
3833 ++++ b/include/linux/timerqueue.h
3834 +@@ -11,8 +11,7 @@ struct timerqueue_node {
3835 + };
3836 +
3837 + struct timerqueue_head {
3838 +- struct rb_root head;
3839 +- struct timerqueue_node *next;
3840 ++ struct rb_root_cached rb_root;
3841 + };
3842 +
3843 +
3844 +@@ -28,13 +27,14 @@ extern struct timerqueue_node *timerqueue_iterate_next(
3845 + *
3846 + * @head: head of timerqueue
3847 + *
3848 +- * Returns a pointer to the timer node that has the
3849 +- * earliest expiration time.
3850 ++ * Returns a pointer to the timer node that has the earliest expiration time.
3851 + */
3852 + static inline
3853 + struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
3854 + {
3855 +- return head->next;
3856 ++ struct rb_node *leftmost = rb_first_cached(&head->rb_root);
3857 ++
3858 ++ return rb_entry(leftmost, struct timerqueue_node, node);
3859 + }
3860 +
3861 + static inline void timerqueue_init(struct timerqueue_node *node)
3862 +@@ -44,7 +44,6 @@ static inline void timerqueue_init(struct timerqueue_node *node)
3863 +
3864 + static inline void timerqueue_init_head(struct timerqueue_head *head)
3865 + {
3866 +- head->head = RB_ROOT;
3867 +- head->next = NULL;
3868 ++ head->rb_root = RB_ROOT_CACHED;
3869 + }
3870 + #endif /* _LINUX_TIMERQUEUE_H */
3871 +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
3872 +index 5d5a137b9067f..7ec889291dc48 100644
3873 +--- a/include/net/sch_generic.h
3874 ++++ b/include/net/sch_generic.h
3875 +@@ -837,6 +837,7 @@ struct psched_ratecfg {
3876 + u64 rate_bytes_ps; /* bytes per second */
3877 + u32 mult;
3878 + u16 overhead;
3879 ++ u16 mpu;
3880 + u8 linklayer;
3881 + u8 shift;
3882 + };
3883 +@@ -846,6 +847,9 @@ static inline u64 psched_l2t_ns(const struct psched_ratecfg *r,
3884 + {
3885 + len += r->overhead;
3886 +
3887 ++ if (len < r->mpu)
3888 ++ len = r->mpu;
3889 ++
3890 + if (unlikely(r->linklayer == TC_LINKLAYER_ATM))
3891 + return ((u64)(DIV_ROUND_UP(len,48)*53) * r->mult) >> r->shift;
3892 +
3893 +@@ -868,6 +872,7 @@ static inline void psched_ratecfg_getrate(struct tc_ratespec *res,
3894 + res->rate = min_t(u64, r->rate_bytes_ps, ~0U);
3895 +
3896 + res->overhead = r->overhead;
3897 ++ res->mpu = r->mpu;
3898 + res->linklayer = (r->linklayer & TC_LINKLAYER_MASK);
3899 + }
3900 +
3901 +diff --git a/lib/rbtree.c b/lib/rbtree.c
3902 +index eb8a19fee1100..53746be42903b 100644
3903 +--- a/lib/rbtree.c
3904 ++++ b/lib/rbtree.c
3905 +@@ -95,10 +95,14 @@ __rb_rotate_set_parents(struct rb_node *old, struct rb_node *new,
3906 +
3907 + static __always_inline void
3908 + __rb_insert(struct rb_node *node, struct rb_root *root,
3909 ++ bool newleft, struct rb_node **leftmost,
3910 + void (*augment_rotate)(struct rb_node *old, struct rb_node *new))
3911 + {
3912 + struct rb_node *parent = rb_red_parent(node), *gparent, *tmp;
3913 +
3914 ++ if (newleft)
3915 ++ *leftmost = node;
3916 ++
3917 + while (true) {
3918 + /*
3919 + * Loop invariant: node is red
3920 +@@ -417,19 +421,38 @@ static const struct rb_augment_callbacks dummy_callbacks = {
3921 +
3922 + void rb_insert_color(struct rb_node *node, struct rb_root *root)
3923 + {
3924 +- __rb_insert(node, root, dummy_rotate);
3925 ++ __rb_insert(node, root, false, NULL, dummy_rotate);
3926 + }
3927 + EXPORT_SYMBOL(rb_insert_color);
3928 +
3929 + void rb_erase(struct rb_node *node, struct rb_root *root)
3930 + {
3931 + struct rb_node *rebalance;
3932 +- rebalance = __rb_erase_augmented(node, root, &dummy_callbacks);
3933 ++ rebalance = __rb_erase_augmented(node, root,
3934 ++ NULL, &dummy_callbacks);
3935 + if (rebalance)
3936 + ____rb_erase_color(rebalance, root, dummy_rotate);
3937 + }
3938 + EXPORT_SYMBOL(rb_erase);
3939 +
3940 ++void rb_insert_color_cached(struct rb_node *node,
3941 ++ struct rb_root_cached *root, bool leftmost)
3942 ++{
3943 ++ __rb_insert(node, &root->rb_root, leftmost,
3944 ++ &root->rb_leftmost, dummy_rotate);
3945 ++}
3946 ++EXPORT_SYMBOL(rb_insert_color_cached);
3947 ++
3948 ++void rb_erase_cached(struct rb_node *node, struct rb_root_cached *root)
3949 ++{
3950 ++ struct rb_node *rebalance;
3951 ++ rebalance = __rb_erase_augmented(node, &root->rb_root,
3952 ++ &root->rb_leftmost, &dummy_callbacks);
3953 ++ if (rebalance)
3954 ++ ____rb_erase_color(rebalance, &root->rb_root, dummy_rotate);
3955 ++}
3956 ++EXPORT_SYMBOL(rb_erase_cached);
3957 ++
3958 + /*
3959 + * Augmented rbtree manipulation functions.
3960 + *
3961 +@@ -438,9 +461,10 @@ EXPORT_SYMBOL(rb_erase);
3962 + */
3963 +
3964 + void __rb_insert_augmented(struct rb_node *node, struct rb_root *root,
3965 ++ bool newleft, struct rb_node **leftmost,
3966 + void (*augment_rotate)(struct rb_node *old, struct rb_node *new))
3967 + {
3968 +- __rb_insert(node, root, augment_rotate);
3969 ++ __rb_insert(node, root, newleft, leftmost, augment_rotate);
3970 + }
3971 + EXPORT_SYMBOL(__rb_insert_augmented);
3972 +
3973 +@@ -485,7 +509,7 @@ struct rb_node *rb_next(const struct rb_node *node)
3974 + * as we can.
3975 + */
3976 + if (node->rb_right) {
3977 +- node = node->rb_right;
3978 ++ node = node->rb_right;
3979 + while (node->rb_left)
3980 + node=node->rb_left;
3981 + return (struct rb_node *)node;
3982 +@@ -517,7 +541,7 @@ struct rb_node *rb_prev(const struct rb_node *node)
3983 + * as we can.
3984 + */
3985 + if (node->rb_left) {
3986 +- node = node->rb_left;
3987 ++ node = node->rb_left;
3988 + while (node->rb_right)
3989 + node=node->rb_right;
3990 + return (struct rb_node *)node;
3991 +diff --git a/lib/timerqueue.c b/lib/timerqueue.c
3992 +index 782ae8ca2c06f..4f99b5c3ac0ec 100644
3993 +--- a/lib/timerqueue.c
3994 ++++ b/lib/timerqueue.c
3995 +@@ -38,9 +38,10 @@
3996 + */
3997 + bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
3998 + {
3999 +- struct rb_node **p = &head->head.rb_node;
4000 ++ struct rb_node **p = &head->rb_root.rb_root.rb_node;
4001 + struct rb_node *parent = NULL;
4002 +- struct timerqueue_node *ptr;
4003 ++ struct timerqueue_node *ptr;
4004 ++ bool leftmost = true;
4005 +
4006 + /* Make sure we don't add nodes that are already added */
4007 + WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));
4008 +@@ -48,19 +49,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
4009 + while (*p) {
4010 + parent = *p;
4011 + ptr = rb_entry(parent, struct timerqueue_node, node);
4012 +- if (node->expires.tv64 < ptr->expires.tv64)
4013 ++ if (node->expires.tv64 < ptr->expires.tv64) {
4014 + p = &(*p)->rb_left;
4015 +- else
4016 ++ } else {
4017 + p = &(*p)->rb_right;
4018 ++ leftmost = false;
4019 ++ }
4020 + }
4021 + rb_link_node(&node->node, parent, p);
4022 +- rb_insert_color(&node->node, &head->head);
4023 ++ rb_insert_color_cached(&node->node, &head->rb_root, leftmost);
4024 +
4025 +- if (!head->next || node->expires.tv64 < head->next->expires.tv64) {
4026 +- head->next = node;
4027 +- return true;
4028 +- }
4029 +- return false;
4030 ++ return leftmost;
4031 + }
4032 + EXPORT_SYMBOL_GPL(timerqueue_add);
4033 +
4034 +@@ -76,16 +75,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node)
4035 + {
4036 + WARN_ON_ONCE(RB_EMPTY_NODE(&node->node));
4037 +
4038 +- /* update next pointer */
4039 +- if (head->next == node) {
4040 +- struct rb_node *rbn = rb_next(&node->node);
4041 +-
4042 +- head->next = rbn ?
4043 +- rb_entry(rbn, struct timerqueue_node, node) : NULL;
4044 +- }
4045 +- rb_erase(&node->node, &head->head);
4046 ++ rb_erase_cached(&node->node, &head->rb_root);
4047 + RB_CLEAR_NODE(&node->node);
4048 +- return head->next != NULL;
4049 ++
4050 ++ return !RB_EMPTY_ROOT(&head->rb_root.rb_root);
4051 + }
4052 + EXPORT_SYMBOL_GPL(timerqueue_del);
4053 +
4054 +diff --git a/mm/gup.c b/mm/gup.c
4055 +index 301dd96ef176c..0b80bf3878dcf 100644
4056 +--- a/mm/gup.c
4057 ++++ b/mm/gup.c
4058 +@@ -1567,22 +1567,15 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
4059 + next = pgd_addr_end(addr, end);
4060 + if (pgd_none(pgd))
4061 + break;
4062 +- /*
4063 +- * The FAST_GUP case requires FOLL_WRITE even for pure reads,
4064 +- * because get_user_pages() may need to cause an early COW in
4065 +- * order to avoid confusing the normal COW routines. So only
4066 +- * targets that are already writable are safe to do by just
4067 +- * looking at the page tables.
4068 +- */
4069 + if (unlikely(pgd_huge(pgd))) {
4070 +- if (!gup_huge_pgd(pgd, pgdp, addr, next, 1,
4071 ++ if (!gup_huge_pgd(pgd, pgdp, addr, next, write,
4072 + pages, &nr))
4073 + break;
4074 + } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) {
4075 + if (!gup_huge_pd(__hugepd(pgd_val(pgd)), addr,
4076 +- PGDIR_SHIFT, next, 1, pages, &nr))
4077 ++ PGDIR_SHIFT, next, write, pages, &nr))
4078 + break;
4079 +- } else if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
4080 ++ } else if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
4081 + break;
4082 + } while (pgdp++, addr = next, addr != end);
4083 + local_irq_restore(flags);
4084 +@@ -1612,7 +1605,14 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
4085 + int nr, ret;
4086 +
4087 + start &= PAGE_MASK;
4088 +- nr = __get_user_pages_fast(start, nr_pages, write, pages);
4089 ++ /*
4090 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
4091 ++ * because get_user_pages() may need to cause an early COW in
4092 ++ * order to avoid confusing the normal COW routines. So only
4093 ++ * targets that are already writable are safe to do by just
4094 ++ * looking at the page tables.
4095 ++ */
4096 ++ nr = __get_user_pages_fast(start, nr_pages, 1, pages);
4097 + ret = nr;
4098 +
4099 + if (nr < nr_pages) {
4100 +diff --git a/mm/memory.c b/mm/memory.c
4101 +index c2890dc104d9e..2b2cc69ddccef 100644
4102 +--- a/mm/memory.c
4103 ++++ b/mm/memory.c
4104 +@@ -3780,8 +3780,8 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
4105 + }
4106 + #endif /* __PAGETABLE_PMD_FOLDED */
4107 +
4108 +-static int __follow_pte(struct mm_struct *mm, unsigned long address,
4109 +- pte_t **ptepp, spinlock_t **ptlp)
4110 ++static int __follow_pte_pmd(struct mm_struct *mm, unsigned long address,
4111 ++ pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp)
4112 + {
4113 + pgd_t *pgd;
4114 + pud_t *pud;
4115 +@@ -3798,11 +3798,20 @@ static int __follow_pte(struct mm_struct *mm, unsigned long address,
4116 +
4117 + pmd = pmd_offset(pud, address);
4118 + VM_BUG_ON(pmd_trans_huge(*pmd));
4119 +- if (pmd_none(*pmd) || unlikely(pmd_bad(*pmd)))
4120 +- goto out;
4121 +
4122 +- /* We cannot handle huge page PFN maps. Luckily they don't exist. */
4123 +- if (pmd_huge(*pmd))
4124 ++ if (pmd_huge(*pmd)) {
4125 ++ if (!pmdpp)
4126 ++ goto out;
4127 ++
4128 ++ *ptlp = pmd_lock(mm, pmd);
4129 ++ if (pmd_huge(*pmd)) {
4130 ++ *pmdpp = pmd;
4131 ++ return 0;
4132 ++ }
4133 ++ spin_unlock(*ptlp);
4134 ++ }
4135 ++
4136 ++ if (pmd_none(*pmd) || unlikely(pmd_bad(*pmd)))
4137 + goto out;
4138 +
4139 + ptep = pte_offset_map_lock(mm, pmd, address, ptlp);
4140 +@@ -3825,9 +3834,23 @@ static inline int follow_pte(struct mm_struct *mm, unsigned long address,
4141 +
4142 + /* (void) is needed to make gcc happy */
4143 + (void) __cond_lock(*ptlp,
4144 +- !(res = __follow_pte(mm, address, ptepp, ptlp)));
4145 ++ !(res = __follow_pte_pmd(mm, address, ptepp, NULL,
4146 ++ ptlp)));
4147 ++ return res;
4148 ++}
4149 ++
4150 ++int follow_pte_pmd(struct mm_struct *mm, unsigned long address,
4151 ++ pte_t **ptepp, pmd_t **pmdpp, spinlock_t **ptlp)
4152 ++{
4153 ++ int res;
4154 ++
4155 ++ /* (void) is needed to make gcc happy */
4156 ++ (void) __cond_lock(*ptlp,
4157 ++ !(res = __follow_pte_pmd(mm, address, ptepp, pmdpp,
4158 ++ ptlp)));
4159 + return res;
4160 + }
4161 ++EXPORT_SYMBOL(follow_pte_pmd);
4162 +
4163 + /**
4164 + * follow_pfn - look up PFN at a user virtual address
4165 +diff --git a/mm/shmem.c b/mm/shmem.c
4166 +index 31b0c09fe6c60..51aa13f596220 100644
4167 +--- a/mm/shmem.c
4168 ++++ b/mm/shmem.c
4169 +@@ -436,7 +436,7 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
4170 + struct shmem_inode_info *info;
4171 + struct page *page;
4172 + unsigned long batch = sc ? sc->nr_to_scan : 128;
4173 +- int removed = 0, split = 0;
4174 ++ int split = 0;
4175 +
4176 + if (list_empty(&sbinfo->shrinklist))
4177 + return SHRINK_STOP;
4178 +@@ -451,7 +451,6 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
4179 + /* inode is about to be evicted */
4180 + if (!inode) {
4181 + list_del_init(&info->shrinklist);
4182 +- removed++;
4183 + goto next;
4184 + }
4185 +
4186 +@@ -459,12 +458,12 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
4187 + if (round_up(inode->i_size, PAGE_SIZE) ==
4188 + round_up(inode->i_size, HPAGE_PMD_SIZE)) {
4189 + list_move(&info->shrinklist, &to_remove);
4190 +- removed++;
4191 + goto next;
4192 + }
4193 +
4194 + list_move(&info->shrinklist, &list);
4195 + next:
4196 ++ sbinfo->shrinklist_len--;
4197 + if (!--batch)
4198 + break;
4199 + }
4200 +@@ -484,7 +483,7 @@ next:
4201 + inode = &info->vfs_inode;
4202 +
4203 + if (nr_to_split && split >= nr_to_split)
4204 +- goto leave;
4205 ++ goto move_back;
4206 +
4207 + page = find_get_page(inode->i_mapping,
4208 + (inode->i_size & HPAGE_PMD_MASK) >> PAGE_SHIFT);
4209 +@@ -498,38 +497,44 @@ next:
4210 + }
4211 +
4212 + /*
4213 +- * Leave the inode on the list if we failed to lock
4214 +- * the page at this time.
4215 ++ * Move the inode on the list back to shrinklist if we failed
4216 ++ * to lock the page at this time.
4217 + *
4218 + * Waiting for the lock may lead to deadlock in the
4219 + * reclaim path.
4220 + */
4221 + if (!trylock_page(page)) {
4222 + put_page(page);
4223 +- goto leave;
4224 ++ goto move_back;
4225 + }
4226 +
4227 + ret = split_huge_page(page);
4228 + unlock_page(page);
4229 + put_page(page);
4230 +
4231 +- /* If split failed leave the inode on the list */
4232 ++ /* If split failed move the inode on the list back to shrinklist */
4233 + if (ret)
4234 +- goto leave;
4235 ++ goto move_back;
4236 +
4237 + split++;
4238 + drop:
4239 + list_del_init(&info->shrinklist);
4240 +- removed++;
4241 +-leave:
4242 ++ goto put;
4243 ++move_back:
4244 ++ /*
4245 ++ * Make sure the inode is either on the global list or deleted
4246 ++ * from any local list before iput() since it could be deleted
4247 ++ * in another thread once we put the inode (then the local list
4248 ++ * is corrupted).
4249 ++ */
4250 ++ spin_lock(&sbinfo->shrinklist_lock);
4251 ++ list_move(&info->shrinklist, &sbinfo->shrinklist);
4252 ++ sbinfo->shrinklist_len++;
4253 ++ spin_unlock(&sbinfo->shrinklist_lock);
4254 ++put:
4255 + iput(inode);
4256 + }
4257 +
4258 +- spin_lock(&sbinfo->shrinklist_lock);
4259 +- list_splice_tail(&list, &sbinfo->shrinklist);
4260 +- sbinfo->shrinklist_len -= removed;
4261 +- spin_unlock(&sbinfo->shrinklist_lock);
4262 +-
4263 + return split;
4264 + }
4265 +
4266 +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
4267 +index 0bb150e68c53f..e2e580c747f4b 100644
4268 +--- a/net/bluetooth/cmtp/core.c
4269 ++++ b/net/bluetooth/cmtp/core.c
4270 +@@ -499,9 +499,7 @@ static int __init cmtp_init(void)
4271 + {
4272 + BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION);
4273 +
4274 +- cmtp_init_sockets();
4275 +-
4276 +- return 0;
4277 ++ return cmtp_init_sockets();
4278 + }
4279 +
4280 + static void __exit cmtp_exit(void)
4281 +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
4282 +index b43f31203a430..40e6e5feb1e06 100644
4283 +--- a/net/bluetooth/hci_core.c
4284 ++++ b/net/bluetooth/hci_core.c
4285 +@@ -3148,6 +3148,7 @@ int hci_register_dev(struct hci_dev *hdev)
4286 + return id;
4287 +
4288 + err_wqueue:
4289 ++ debugfs_remove_recursive(hdev->debugfs);
4290 + destroy_workqueue(hdev->workqueue);
4291 + destroy_workqueue(hdev->req_workqueue);
4292 + err:
4293 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
4294 +index f9484755a9baf..17cfd9f8e98e0 100644
4295 +--- a/net/bluetooth/hci_event.c
4296 ++++ b/net/bluetooth/hci_event.c
4297 +@@ -4967,7 +4967,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4298 + struct hci_ev_le_advertising_info *ev = ptr;
4299 + s8 rssi;
4300 +
4301 +- if (ev->length <= HCI_MAX_AD_LENGTH) {
4302 ++ if (ev->length <= HCI_MAX_AD_LENGTH &&
4303 ++ ev->data + ev->length <= skb_tail_pointer(skb)) {
4304 + rssi = ev->data[ev->length];
4305 + process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4306 + ev->bdaddr_type, NULL, 0, rssi,
4307 +@@ -4977,6 +4978,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4308 + }
4309 +
4310 + ptr += sizeof(*ev) + ev->length + 1;
4311 ++
4312 ++ if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
4313 ++ bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
4314 ++ break;
4315 ++ }
4316 + }
4317 +
4318 + hci_dev_unlock(hdev);
4319 +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
4320 +index 7104d5e64abb3..11d4d18012fed 100644
4321 +--- a/net/bridge/br_netfilter_hooks.c
4322 ++++ b/net/bridge/br_netfilter_hooks.c
4323 +@@ -724,6 +724,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
4324 + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
4325 + mtu = nf_bridge->frag_max_size;
4326 +
4327 ++ nf_bridge_update_protocol(skb);
4328 ++ nf_bridge_push_encap_header(skb);
4329 ++
4330 + if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
4331 + nf_bridge_info_free(skb);
4332 + return br_dev_queue_push_xmit(net, sk, skb);
4333 +@@ -741,8 +744,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
4334 +
4335 + IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
4336 +
4337 +- nf_bridge_update_protocol(skb);
4338 +-
4339 + data = this_cpu_ptr(&brnf_frag_data_storage);
4340 +
4341 + data->vlan_tci = skb->vlan_tci;
4342 +@@ -765,8 +766,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
4343 +
4344 + IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
4345 +
4346 +- nf_bridge_update_protocol(skb);
4347 +-
4348 + data = this_cpu_ptr(&brnf_frag_data_storage);
4349 + data->encap_size = nf_bridge_encap_header_len(skb);
4350 + data->size = ETH_HLEN + data->encap_size;
4351 +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
4352 +index 7630fa80db92a..48854eae294fd 100644
4353 +--- a/net/core/net_namespace.c
4354 ++++ b/net/core/net_namespace.c
4355 +@@ -132,8 +132,10 @@ static void ops_exit_list(const struct pernet_operations *ops,
4356 + {
4357 + struct net *net;
4358 + if (ops->exit) {
4359 +- list_for_each_entry(net, net_exit_list, exit_list)
4360 ++ list_for_each_entry(net, net_exit_list, exit_list) {
4361 + ops->exit(net);
4362 ++ cond_resched();
4363 ++ }
4364 + }
4365 + if (ops->exit_batch)
4366 + ops->exit_batch(net_exit_list);
4367 +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
4368 +index 553cda6f887ad..b7dc20a65b649 100644
4369 +--- a/net/ipv4/cipso_ipv4.c
4370 ++++ b/net/ipv4/cipso_ipv4.c
4371 +@@ -534,16 +534,10 @@ int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
4372 + ret_val = -ENOENT;
4373 + goto doi_remove_return;
4374 + }
4375 +- if (!atomic_dec_and_test(&doi_def->refcount)) {
4376 +- spin_unlock(&cipso_v4_doi_list_lock);
4377 +- ret_val = -EBUSY;
4378 +- goto doi_remove_return;
4379 +- }
4380 + list_del_rcu(&doi_def->list);
4381 + spin_unlock(&cipso_v4_doi_list_lock);
4382 +
4383 +- cipso_v4_cache_invalidate();
4384 +- call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
4385 ++ cipso_v4_doi_putdef(doi_def);
4386 + ret_val = 0;
4387 +
4388 + doi_remove_return:
4389 +@@ -600,9 +594,6 @@ void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
4390 +
4391 + if (!atomic_dec_and_test(&doi_def->refcount))
4392 + return;
4393 +- spin_lock(&cipso_v4_doi_list_lock);
4394 +- list_del_rcu(&doi_def->list);
4395 +- spin_unlock(&cipso_v4_doi_list_lock);
4396 +
4397 + cipso_v4_cache_invalidate();
4398 + call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
4399 +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
4400 +index b206415bbde74..7628963ddacc3 100644
4401 +--- a/net/ipv6/calipso.c
4402 ++++ b/net/ipv6/calipso.c
4403 +@@ -97,6 +97,9 @@ struct calipso_map_cache_entry {
4404 +
4405 + static struct calipso_map_cache_bkt *calipso_cache;
4406 +
4407 ++static void calipso_cache_invalidate(void);
4408 ++static void calipso_doi_putdef(struct calipso_doi *doi_def);
4409 ++
4410 + /* Label Mapping Cache Functions
4411 + */
4412 +
4413 +@@ -458,15 +461,10 @@ static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
4414 + ret_val = -ENOENT;
4415 + goto doi_remove_return;
4416 + }
4417 +- if (!atomic_dec_and_test(&doi_def->refcount)) {
4418 +- spin_unlock(&calipso_doi_list_lock);
4419 +- ret_val = -EBUSY;
4420 +- goto doi_remove_return;
4421 +- }
4422 + list_del_rcu(&doi_def->list);
4423 + spin_unlock(&calipso_doi_list_lock);
4424 +
4425 +- call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
4426 ++ calipso_doi_putdef(doi_def);
4427 + ret_val = 0;
4428 +
4429 + doi_remove_return:
4430 +@@ -522,10 +520,8 @@ static void calipso_doi_putdef(struct calipso_doi *doi_def)
4431 +
4432 + if (!atomic_dec_and_test(&doi_def->refcount))
4433 + return;
4434 +- spin_lock(&calipso_doi_list_lock);
4435 +- list_del_rcu(&doi_def->list);
4436 +- spin_unlock(&calipso_doi_list_lock);
4437 +
4438 ++ calipso_cache_invalidate();
4439 + call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
4440 + }
4441 +
4442 +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
4443 +index 422fac2a4a3c8..9a256d0fb957a 100644
4444 +--- a/net/netlabel/netlabel_cipso_v4.c
4445 ++++ b/net/netlabel/netlabel_cipso_v4.c
4446 +@@ -587,6 +587,7 @@ list_start:
4447 +
4448 + break;
4449 + }
4450 ++ cipso_v4_doi_putdef(doi_def);
4451 + rcu_read_unlock();
4452 +
4453 + genlmsg_end(ans_skb, data);
4454 +@@ -595,12 +596,14 @@ list_start:
4455 + list_retry:
4456 + /* XXX - this limit is a guesstimate */
4457 + if (nlsze_mult < 4) {
4458 ++ cipso_v4_doi_putdef(doi_def);
4459 + rcu_read_unlock();
4460 + kfree_skb(ans_skb);
4461 + nlsze_mult *= 2;
4462 + goto list_start;
4463 + }
4464 + list_failure_lock:
4465 ++ cipso_v4_doi_putdef(doi_def);
4466 + rcu_read_unlock();
4467 + list_failure:
4468 + kfree_skb(ans_skb);
4469 +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
4470 +index 92c6fbfd51f79..bc59b2b5f9836 100644
4471 +--- a/net/nfc/llcp_sock.c
4472 ++++ b/net/nfc/llcp_sock.c
4473 +@@ -796,6 +796,11 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
4474 +
4475 + lock_sock(sk);
4476 +
4477 ++ if (!llcp_sock->local) {
4478 ++ release_sock(sk);
4479 ++ return -ENODEV;
4480 ++ }
4481 ++
4482 + if (sk->sk_type == SOCK_DGRAM) {
4483 + DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
4484 + msg->msg_name);
4485 +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
4486 +index 04ca08f852209..daa24ec7db278 100644
4487 +--- a/net/sched/sch_generic.c
4488 ++++ b/net/sched/sch_generic.c
4489 +@@ -996,6 +996,7 @@ void psched_ratecfg_precompute(struct psched_ratecfg *r,
4490 + {
4491 + memset(r, 0, sizeof(*r));
4492 + r->overhead = conf->overhead;
4493 ++ r->mpu = conf->mpu;
4494 + r->rate_bytes_ps = max_t(u64, conf->rate, rate64);
4495 + r->linklayer = (conf->linklayer & TC_LINKLAYER_MASK);
4496 + r->mult = 1;
4497 +diff --git a/net/unix/garbage.c b/net/unix/garbage.c
4498 +index 8bbe1b8e4ff7f..4d283e26d8162 100644
4499 +--- a/net/unix/garbage.c
4500 ++++ b/net/unix/garbage.c
4501 +@@ -197,8 +197,11 @@ void wait_for_unix_gc(void)
4502 + {
4503 + /* If number of inflight sockets is insane,
4504 + * force a garbage collect right now.
4505 ++ * Paired with the WRITE_ONCE() in unix_inflight(),
4506 ++ * unix_notinflight() and gc_in_progress().
4507 + */
4508 +- if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
4509 ++ if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC &&
4510 ++ !READ_ONCE(gc_in_progress))
4511 + unix_gc();
4512 + wait_event(unix_gc_wait, gc_in_progress == false);
4513 + }
4514 +@@ -218,7 +221,9 @@ void unix_gc(void)
4515 + if (gc_in_progress)
4516 + goto out;
4517 +
4518 +- gc_in_progress = true;
4519 ++ /* Paired with READ_ONCE() in wait_for_unix_gc(). */
4520 ++ WRITE_ONCE(gc_in_progress, true);
4521 ++
4522 + /* First, select candidates for garbage collection. Only
4523 + * in-flight sockets are considered, and from those only ones
4524 + * which don't have any external reference.
4525 +@@ -304,7 +309,10 @@ void unix_gc(void)
4526 +
4527 + /* All candidates should have been detached by now. */
4528 + BUG_ON(!list_empty(&gc_candidates));
4529 +- gc_in_progress = false;
4530 ++
4531 ++ /* Paired with READ_ONCE() in wait_for_unix_gc(). */
4532 ++ WRITE_ONCE(gc_in_progress, false);
4533 ++
4534 + wake_up(&unix_gc_wait);
4535 +
4536 + out:
4537 +diff --git a/net/unix/scm.c b/net/unix/scm.c
4538 +index df8f636ab1d8c..bf1a8fa8c4f1d 100644
4539 +--- a/net/unix/scm.c
4540 ++++ b/net/unix/scm.c
4541 +@@ -56,7 +56,8 @@ void unix_inflight(struct user_struct *user, struct file *fp)
4542 + } else {
4543 + BUG_ON(list_empty(&u->link));
4544 + }
4545 +- unix_tot_inflight++;
4546 ++ /* Paired with READ_ONCE() in wait_for_unix_gc() */
4547 ++ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
4548 + }
4549 + user->unix_inflight++;
4550 + spin_unlock(&unix_gc_lock);
4551 +@@ -76,7 +77,8 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
4552 +
4553 + if (atomic_long_dec_and_test(&u->inflight))
4554 + list_del_init(&u->link);
4555 +- unix_tot_inflight--;
4556 ++ /* Paired with READ_ONCE() in wait_for_unix_gc() */
4557 ++ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
4558 + }
4559 + user->unix_inflight--;
4560 + spin_unlock(&unix_gc_lock);
4561 +diff --git a/scripts/dtc/dtx_diff b/scripts/dtc/dtx_diff
4562 +index ec47f95991a3a..971e74f408a77 100755
4563 +--- a/scripts/dtc/dtx_diff
4564 ++++ b/scripts/dtc/dtx_diff
4565 +@@ -56,12 +56,8 @@ Otherwise DTx is treated as a dts source file (aka .dts).
4566 + or '/include/' to be processed.
4567 +
4568 + If DTx_1 and DTx_2 are in different architectures, then this script
4569 +- may not work since \${ARCH} is part of the include path. Two possible
4570 +- workarounds:
4571 +-
4572 +- `basename $0` \\
4573 +- <(ARCH=arch_of_dtx_1 `basename $0` DTx_1) \\
4574 +- <(ARCH=arch_of_dtx_2 `basename $0` DTx_2)
4575 ++ may not work since \${ARCH} is part of the include path. The following
4576 ++ workaround can be used:
4577 +
4578 + `basename $0` ARCH=arch_of_dtx_1 DTx_1 >tmp_dtx_1.dts
4579 + `basename $0` ARCH=arch_of_dtx_2 DTx_2 >tmp_dtx_2.dts
4580 +diff --git a/sound/core/jack.c b/sound/core/jack.c
4581 +index 5ddf81f091fa9..36cfe1c54109d 100644
4582 +--- a/sound/core/jack.c
4583 ++++ b/sound/core/jack.c
4584 +@@ -68,10 +68,13 @@ static int snd_jack_dev_free(struct snd_device *device)
4585 + struct snd_card *card = device->card;
4586 + struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl;
4587 +
4588 ++ down_write(&card->controls_rwsem);
4589 + list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) {
4590 + list_del_init(&jack_kctl->list);
4591 + snd_ctl_remove(card, jack_kctl->kctl);
4592 + }
4593 ++ up_write(&card->controls_rwsem);
4594 ++
4595 + if (jack->private_free)
4596 + jack->private_free(jack);
4597 +
4598 +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
4599 +index 0ce3f42721c4d..440c16e0d0713 100644
4600 +--- a/sound/core/oss/pcm_oss.c
4601 ++++ b/sound/core/oss/pcm_oss.c
4602 +@@ -2122,7 +2122,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
4603 + int err, cmd;
4604 +
4605 + #ifdef OSS_DEBUG
4606 +- pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger);
4607 ++ pr_debug("pcm_oss: trigger = 0x%x\n", trigger);
4608 + #endif
4609 +
4610 + psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
4611 +diff --git a/sound/core/pcm.c b/sound/core/pcm.c
4612 +index cdff5f9764808..6ae28dcd79945 100644
4613 +--- a/sound/core/pcm.c
4614 ++++ b/sound/core/pcm.c
4615 +@@ -857,7 +857,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal);
4616 + static void free_chmap(struct snd_pcm_str *pstr)
4617 + {
4618 + if (pstr->chmap_kctl) {
4619 +- snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl);
4620 ++ struct snd_card *card = pstr->pcm->card;
4621 ++
4622 ++ down_write(&card->controls_rwsem);
4623 ++ snd_ctl_remove(card, pstr->chmap_kctl);
4624 ++ up_write(&card->controls_rwsem);
4625 + pstr->chmap_kctl = NULL;
4626 + }
4627 + }
4628 +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
4629 +index ea1aa07962761..b923059a22276 100644
4630 +--- a/sound/core/seq/seq_queue.c
4631 ++++ b/sound/core/seq/seq_queue.c
4632 +@@ -257,12 +257,15 @@ struct snd_seq_queue *snd_seq_queue_find_name(char *name)
4633 +
4634 + /* -------------------------------------------------------- */
4635 +
4636 ++#define MAX_CELL_PROCESSES_IN_QUEUE 1000
4637 ++
4638 + void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
4639 + {
4640 + unsigned long flags;
4641 + struct snd_seq_event_cell *cell;
4642 + snd_seq_tick_time_t cur_tick;
4643 + snd_seq_real_time_t cur_time;
4644 ++ int processed = 0;
4645 +
4646 + if (q == NULL)
4647 + return;
4648 +@@ -285,6 +288,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
4649 + if (!cell)
4650 + break;
4651 + snd_seq_dispatch_event(cell, atomic, hop);
4652 ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE)
4653 ++ goto out; /* the rest processed at the next batch */
4654 + }
4655 +
4656 + /* Process time queue... */
4657 +@@ -294,14 +299,19 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
4658 + if (!cell)
4659 + break;
4660 + snd_seq_dispatch_event(cell, atomic, hop);
4661 ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE)
4662 ++ goto out; /* the rest processed at the next batch */
4663 + }
4664 +
4665 ++ out:
4666 + /* free lock */
4667 + spin_lock_irqsave(&q->check_lock, flags);
4668 + if (q->check_again) {
4669 + q->check_again = 0;
4670 +- spin_unlock_irqrestore(&q->check_lock, flags);
4671 +- goto __again;
4672 ++ if (processed < MAX_CELL_PROCESSES_IN_QUEUE) {
4673 ++ spin_unlock_irqrestore(&q->check_lock, flags);
4674 ++ goto __again;
4675 ++ }
4676 + }
4677 + q->check_blocked = 0;
4678 + spin_unlock_irqrestore(&q->check_lock, flags);
4679 +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
4680 +index 4e67614f15f8e..8976da3e1e288 100644
4681 +--- a/sound/pci/hda/hda_codec.c
4682 ++++ b/sound/pci/hda/hda_codec.c
4683 +@@ -1608,8 +1608,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec)
4684 + {
4685 + int i;
4686 + struct hda_nid_item *items = codec->mixers.list;
4687 ++
4688 ++ down_write(&codec->card->controls_rwsem);
4689 + for (i = 0; i < codec->mixers.used; i++)
4690 + snd_ctl_remove(codec->card, items[i].kctl);
4691 ++ up_write(&codec->card->controls_rwsem);
4692 + snd_array_free(&codec->mixers);
4693 + snd_array_free(&codec->nids);
4694 + }
4695 +diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c
4696 +index 5524a2c727ec7..cab30cb48366d 100644
4697 +--- a/sound/soc/mediatek/mt8173/mt8173-max98090.c
4698 ++++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c
4699 +@@ -183,6 +183,9 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
4700 + if (ret)
4701 + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
4702 + __func__, ret);
4703 ++
4704 ++ of_node_put(codec_node);
4705 ++ of_node_put(platform_node);
4706 + return ret;
4707 + }
4708 +
4709 +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
4710 +index 467f7049a2886..52fdd766ee82c 100644
4711 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
4712 ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
4713 +@@ -228,6 +228,8 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
4714 + if (ret)
4715 + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
4716 + __func__, ret);
4717 ++
4718 ++ of_node_put(platform_node);
4719 + return ret;
4720 + }
4721 +
4722 +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
4723 +index 1b8b2a7788450..5d75b04f074fe 100644
4724 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
4725 ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
4726 +@@ -285,6 +285,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev)
4727 + if (ret)
4728 + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
4729 + __func__, ret);
4730 ++
4731 ++ of_node_put(platform_node);
4732 + return ret;
4733 + }
4734 +
4735 +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c
4736 +index ba65f4157a7e0..d02a90201b13b 100644
4737 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c
4738 ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c
4739 +@@ -317,6 +317,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev)
4740 + if (ret)
4741 + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
4742 + __func__, ret);
4743 ++
4744 ++ of_node_put(platform_node);
4745 + return ret;
4746 + }
4747 +
4748 +diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c
4749 +index 3e408158625db..72014dea75422 100644
4750 +--- a/sound/soc/samsung/idma.c
4751 ++++ b/sound/soc/samsung/idma.c
4752 +@@ -369,6 +369,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream)
4753 + buf->addr = idma.lp_tx_addr;
4754 + buf->bytes = idma_hardware.buffer_bytes_max;
4755 + buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes);
4756 ++ if (!buf->area)
4757 ++ return -ENOMEM;
4758 +
4759 + return 0;
4760 + }
4761 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
4762 +index db859b595dba1..d9b7001227e3c 100644
4763 +--- a/virt/kvm/kvm_main.c
4764 ++++ b/virt/kvm/kvm_main.c
4765 +@@ -1513,15 +1513,24 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
4766 + return true;
4767 + }
4768 +
4769 ++static int kvm_try_get_pfn(kvm_pfn_t pfn)
4770 ++{
4771 ++ if (kvm_is_reserved_pfn(pfn))
4772 ++ return 1;
4773 ++ return get_page_unless_zero(pfn_to_page(pfn));
4774 ++}
4775 ++
4776 + static int hva_to_pfn_remapped(struct vm_area_struct *vma,
4777 + unsigned long addr, bool *async,
4778 + bool write_fault, bool *writable,
4779 + kvm_pfn_t *p_pfn)
4780 + {
4781 +- unsigned long pfn;
4782 ++ kvm_pfn_t pfn;
4783 ++ pte_t *ptep;
4784 ++ spinlock_t *ptl;
4785 + int r;
4786 +
4787 +- r = follow_pfn(vma, addr, &pfn);
4788 ++ r = follow_pte_pmd(vma->vm_mm, addr, &ptep, NULL, &ptl);
4789 + if (r) {
4790 + /*
4791 + * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does
4792 +@@ -1536,14 +1545,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
4793 + if (r)
4794 + return r;
4795 +
4796 +- r = follow_pfn(vma, addr, &pfn);
4797 ++ r = follow_pte_pmd(vma->vm_mm, addr, &ptep, NULL, &ptl);
4798 + if (r)
4799 + return r;
4800 ++ }
4801 +
4802 ++ if (write_fault && !pte_write(*ptep)) {
4803 ++ pfn = KVM_PFN_ERR_RO_FAULT;
4804 ++ goto out;
4805 + }
4806 +
4807 + if (writable)
4808 +- *writable = true;
4809 ++ *writable = pte_write(*ptep);
4810 ++ pfn = pte_pfn(*ptep);
4811 +
4812 + /*
4813 + * Get a reference here because callers of *hva_to_pfn* and
4814 +@@ -1555,11 +1569,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
4815 + * Whoever called remap_pfn_range is also going to call e.g.
4816 + * unmap_mapping_range before the underlying pages are freed,
4817 + * causing a call to our MMU notifier.
4818 ++ *
4819 ++ * Certain IO or PFNMAP mappings can be backed with valid
4820 ++ * struct pages, but be allocated without refcounting e.g.,
4821 ++ * tail pages of non-compound higher order allocations, which
4822 ++ * would then underflow the refcount when the caller does the
4823 ++ * required put_page. Don't allow those pages here.
4824 + */
4825 +- kvm_get_pfn(pfn);
4826 ++ if (!kvm_try_get_pfn(pfn))
4827 ++ r = -EFAULT;
4828 +
4829 ++out:
4830 ++ pte_unmap_unlock(ptep, ptl);
4831 + *p_pfn = pfn;
4832 +- return 0;
4833 ++
4834 ++ return r;
4835 + }
4836 +
4837 + /*
Report Message
Find on MARC Find on Google Groups