Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.10 commit in: /
Date: Sun, 28 Aug 2016 21:54:19
Message-Id: 1472421244.80dd442fa65be5bd488631176a196b7d2fbd3d9d.mpagano@gentoo
1 commit: 80dd442fa65be5bd488631176a196b7d2fbd3d9d
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Aug 28 21:54:04 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Aug 28 21:54:04 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=80dd442f
7
8 Linux patch 3.10.103
9
10 0000_README | 4 +
11 1102_linux-3.10.103.patch | 6785 +++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 6789 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index ccfaff0..c6ef0e7 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -450,6 +450,10 @@ Patch: 1101_linux-3.10.102.patch
19 From: http://www.kernel.org
20 Desc: Linux 3.10.102
21
22 +Patch: 1102_linux-3.10.103.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 3.10.103
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1102_linux-3.10.103.patch b/1102_linux-3.10.103.patch
31 new file mode 100644
32 index 0000000..a1db16b
33 --- /dev/null
34 +++ b/1102_linux-3.10.103.patch
35 @@ -0,0 +1,6785 @@
36 +diff --git a/Documentation/scsi/scsi_eh.txt b/Documentation/scsi/scsi_eh.txt
37 +index 6ff16b620d84..c08b62d63afa 100644
38 +--- a/Documentation/scsi/scsi_eh.txt
39 ++++ b/Documentation/scsi/scsi_eh.txt
40 +@@ -255,19 +255,23 @@ scmd->allowed.
41 +
42 + 3. scmd recovered
43 + ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd
44 +- - shost->host_failed--
45 + - clear scmd->eh_eflags
46 + - scsi_setup_cmd_retry()
47 + - move from local eh_work_q to local eh_done_q
48 + LOCKING: none
49 ++ CONCURRENCY: at most one thread per separate eh_work_q to
50 ++ keep queue manipulation lockless
51 +
52 + 4. EH completes
53 + ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper
54 +- layer of failure.
55 ++ layer of failure. May be called concurrently but must have
56 ++ a no more than one thread per separate eh_work_q to
57 ++ manipulate the queue locklessly
58 + - scmd is removed from eh_done_q and scmd->eh_entry is cleared
59 + - if retry is necessary, scmd is requeued using
60 + scsi_queue_insert()
61 + - otherwise, scsi_finish_command() is invoked for scmd
62 ++ - zero shost->host_failed
63 + LOCKING: queue or finish function performs appropriate locking
64 +
65 +
66 +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
67 +index 88152f214f48..302b5ed616a6 100644
68 +--- a/Documentation/sysctl/fs.txt
69 ++++ b/Documentation/sysctl/fs.txt
70 +@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs:
71 + - nr_open
72 + - overflowuid
73 + - overflowgid
74 ++- pipe-user-pages-hard
75 ++- pipe-user-pages-soft
76 + - protected_hardlinks
77 + - protected_symlinks
78 + - suid_dumpable
79 +@@ -159,6 +161,27 @@ The default is 65534.
80 +
81 + ==============================================================
82 +
83 ++pipe-user-pages-hard:
84 ++
85 ++Maximum total number of pages a non-privileged user may allocate for pipes.
86 ++Once this limit is reached, no new pipes may be allocated until usage goes
87 ++below the limit again. When set to 0, no limit is applied, which is the default
88 ++setting.
89 ++
90 ++==============================================================
91 ++
92 ++pipe-user-pages-soft:
93 ++
94 ++Maximum total number of pages a non-privileged user may allocate for pipes
95 ++before the pipe size gets limited to a single page. Once this limit is reached,
96 ++new pipes will be limited to a single page in size for this user in order to
97 ++limit total memory usage, and trying to increase them using fcntl() will be
98 ++denied until usage goes below the limit again. The default value allows to
99 ++allocate up to 1024 pipes at their default size. When set to 0, no limit is
100 ++applied.
101 ++
102 ++==============================================================
103 ++
104 + protected_hardlinks:
105 +
106 + A long-standing class of security issues is the hardlink-based
107 +diff --git a/Makefile b/Makefile
108 +index 868093c16ae0..d3cb458b295a 100644
109 +--- a/Makefile
110 ++++ b/Makefile
111 +@@ -1,6 +1,6 @@
112 + VERSION = 3
113 + PATCHLEVEL = 10
114 +-SUBLEVEL = 102
115 ++SUBLEVEL = 103
116 + EXTRAVERSION =
117 + NAME = TOSSUG Baby Fish
118 +
119 +diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c
120 +index ca0207b9d5b6..06997ad70725 100644
121 +--- a/arch/arc/kernel/stacktrace.c
122 ++++ b/arch/arc/kernel/stacktrace.c
123 +@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs *regs,
124 + * prelogue is setup (callee regs saved and then fp set and not other
125 + * way around
126 + */
127 +- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
128 ++ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
129 + return 0;
130 +
131 + #endif
132 +diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S
133 +index 3357d26ffe54..74691e652a3a 100644
134 +--- a/arch/arc/mm/tlbex.S
135 ++++ b/arch/arc/mm/tlbex.S
136 +@@ -219,7 +219,7 @@ ex_saved_reg1:
137 + #ifdef CONFIG_SMP
138 + sr r0, [ARC_REG_SCRATCH_DATA0] ; freeup r0 to code with
139 + GET_CPU_ID r0 ; get to per cpu scratch mem,
140 +- lsl r0, r0, L1_CACHE_SHIFT ; cache line wide per cpu
141 ++ asl r0, r0, L1_CACHE_SHIFT ; cache line wide per cpu
142 + add r0, @ex_saved_reg1, r0
143 + #else
144 + st r0, [@ex_saved_reg1]
145 +@@ -239,7 +239,7 @@ ex_saved_reg1:
146 + .macro TLBMISS_RESTORE_REGS
147 + #ifdef CONFIG_SMP
148 + GET_CPU_ID r0 ; get to per cpu scratch mem
149 +- lsl r0, r0, L1_CACHE_SHIFT ; each is cache line wide
150 ++ asl r0, r0, L1_CACHE_SHIFT ; each is cache line wide
151 + add r0, @ex_saved_reg1, r0
152 + ld_s r3, [r0,12]
153 + ld_s r2, [r0, 8]
154 +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
155 +index 03deeffd9f6d..4e2110d48c41 100644
156 +--- a/arch/arm/kernel/ptrace.c
157 ++++ b/arch/arm/kernel/ptrace.c
158 +@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *target,
159 + if (ret)
160 + return ret;
161 +
162 +- vfp_flush_hwstate(thread);
163 + thread->vfpstate.hard = new_vfp;
164 ++ vfp_flush_hwstate(thread);
165 +
166 + return 0;
167 + }
168 +diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
169 +index 3e94811690ce..a0aee80b608d 100644
170 +--- a/arch/arm/kernel/sys_oabi-compat.c
171 ++++ b/arch/arm/kernel/sys_oabi-compat.c
172 +@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
173 + mm_segment_t fs;
174 + long ret, err, i;
175 +
176 +- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
177 ++ if (maxevents <= 0 ||
178 ++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
179 ++ maxevents > (INT_MAX/sizeof(*events)))
180 + return -EINVAL;
181 ++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
182 ++ return -EFAULT;
183 + kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
184 + if (!kbuf)
185 + return -ENOMEM;
186 +@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
187 +
188 + if (nsops < 1 || nsops > SEMOPM)
189 + return -EINVAL;
190 ++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
191 ++ return -EFAULT;
192 + sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
193 + if (!sops)
194 + return -ENOMEM;
195 +diff --git a/arch/metag/include/asm/cmpxchg_lnkget.h b/arch/metag/include/asm/cmpxchg_lnkget.h
196 +index 0154e2807ebb..2369ad394876 100644
197 +--- a/arch/metag/include/asm/cmpxchg_lnkget.h
198 ++++ b/arch/metag/include/asm/cmpxchg_lnkget.h
199 +@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u32(volatile int *m, unsigned long old,
200 + " DCACHE [%2], %0\n"
201 + #endif
202 + "2:\n"
203 +- : "=&d" (temp), "=&da" (retval)
204 ++ : "=&d" (temp), "=&d" (retval)
205 + : "da" (m), "bd" (old), "da" (new)
206 + : "cc"
207 + );
208 +diff --git a/arch/mips/ath79/early_printk.c b/arch/mips/ath79/early_printk.c
209 +index b955fafc58ba..d1adc59af5bf 100644
210 +--- a/arch/mips/ath79/early_printk.c
211 ++++ b/arch/mips/ath79/early_printk.c
212 +@@ -31,13 +31,15 @@ static inline void prom_putchar_wait(void __iomem *reg, u32 mask, u32 val)
213 + } while (1);
214 + }
215 +
216 ++#define BOTH_EMPTY (UART_LSR_TEMT | UART_LSR_THRE)
217 ++
218 + static void prom_putchar_ar71xx(unsigned char ch)
219 + {
220 + void __iomem *base = (void __iomem *)(KSEG1ADDR(AR71XX_UART_BASE));
221 +
222 +- prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE);
223 ++ prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY);
224 + __raw_writel(ch, base + UART_TX * 4);
225 +- prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE);
226 ++ prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY);
227 + }
228 +
229 + static void prom_putchar_ar933x(unsigned char ch)
230 +diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h
231 +index 4d6fa0bf1305..883a162083af 100644
232 +--- a/arch/mips/include/asm/kvm_host.h
233 ++++ b/arch/mips/include/asm/kvm_host.h
234 +@@ -349,6 +349,7 @@ struct kvm_mips_tlb {
235 + #define KVM_MIPS_GUEST_TLB_SIZE 64
236 + struct kvm_vcpu_arch {
237 + void *host_ebase, *guest_ebase;
238 ++ int (*vcpu_run)(struct kvm_run *run, struct kvm_vcpu *vcpu);
239 + unsigned long host_stack;
240 + unsigned long host_gp;
241 +
242 +diff --git a/arch/mips/include/asm/processor.h b/arch/mips/include/asm/processor.h
243 +index 1470b7b68b0e..a7e71744fe89 100644
244 +--- a/arch/mips/include/asm/processor.h
245 ++++ b/arch/mips/include/asm/processor.h
246 +@@ -51,7 +51,7 @@ extern unsigned int vced_count, vcei_count;
247 + * User space process size: 2GB. This is hardcoded into a few places,
248 + * so don't change it unless you know what you are doing.
249 + */
250 +-#define TASK_SIZE 0x7fff8000UL
251 ++#define TASK_SIZE 0x80000000UL
252 + #endif
253 +
254 + #ifdef __KERNEL__
255 +diff --git a/arch/mips/include/uapi/asm/siginfo.h b/arch/mips/include/uapi/asm/siginfo.h
256 +index 6a8714193fb9..b5f77f76c899 100644
257 +--- a/arch/mips/include/uapi/asm/siginfo.h
258 ++++ b/arch/mips/include/uapi/asm/siginfo.h
259 +@@ -45,13 +45,13 @@ typedef struct siginfo {
260 +
261 + /* kill() */
262 + struct {
263 +- pid_t _pid; /* sender's pid */
264 ++ __kernel_pid_t _pid; /* sender's pid */
265 + __ARCH_SI_UID_T _uid; /* sender's uid */
266 + } _kill;
267 +
268 + /* POSIX.1b timers */
269 + struct {
270 +- timer_t _tid; /* timer id */
271 ++ __kernel_timer_t _tid; /* timer id */
272 + int _overrun; /* overrun count */
273 + char _pad[sizeof( __ARCH_SI_UID_T) - sizeof(int)];
274 + sigval_t _sigval; /* same as below */
275 +@@ -60,26 +60,26 @@ typedef struct siginfo {
276 +
277 + /* POSIX.1b signals */
278 + struct {
279 +- pid_t _pid; /* sender's pid */
280 ++ __kernel_pid_t _pid; /* sender's pid */
281 + __ARCH_SI_UID_T _uid; /* sender's uid */
282 + sigval_t _sigval;
283 + } _rt;
284 +
285 + /* SIGCHLD */
286 + struct {
287 +- pid_t _pid; /* which child */
288 ++ __kernel_pid_t _pid; /* which child */
289 + __ARCH_SI_UID_T _uid; /* sender's uid */
290 + int _status; /* exit code */
291 +- clock_t _utime;
292 +- clock_t _stime;
293 ++ __kernel_clock_t _utime;
294 ++ __kernel_clock_t _stime;
295 + } _sigchld;
296 +
297 + /* IRIX SIGCHLD */
298 + struct {
299 +- pid_t _pid; /* which child */
300 +- clock_t _utime;
301 ++ __kernel_pid_t _pid; /* which child */
302 ++ __kernel_clock_t _utime;
303 + int _status; /* exit code */
304 +- clock_t _stime;
305 ++ __kernel_clock_t _stime;
306 + } _irix_sigchld;
307 +
308 + /* SIGILL, SIGFPE, SIGSEGV, SIGBUS */
309 +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
310 +index cab150789c8d..b657fbefc466 100644
311 +--- a/arch/mips/kernel/scall64-n32.S
312 ++++ b/arch/mips/kernel/scall64-n32.S
313 +@@ -349,7 +349,7 @@ EXPORT(sysn32_call_table)
314 + PTR sys_ni_syscall /* available, was setaltroot */
315 + PTR sys_add_key
316 + PTR sys_request_key
317 +- PTR sys_keyctl /* 6245 */
318 ++ PTR compat_sys_keyctl /* 6245 */
319 + PTR sys_set_thread_area
320 + PTR sys_inotify_init
321 + PTR sys_inotify_add_watch
322 +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
323 +index 37605dc8eef7..bf56d7e271dd 100644
324 +--- a/arch/mips/kernel/scall64-o32.S
325 ++++ b/arch/mips/kernel/scall64-o32.S
326 +@@ -474,7 +474,7 @@ sys_call_table:
327 + PTR sys_ni_syscall /* available, was setaltroot */
328 + PTR sys_add_key /* 4280 */
329 + PTR sys_request_key
330 +- PTR sys_keyctl
331 ++ PTR compat_sys_keyctl
332 + PTR sys_set_thread_area
333 + PTR sys_inotify_init
334 + PTR sys_inotify_add_watch /* 4285 */
335 +diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S
336 +index 34c35f0e3290..73553cd98070 100644
337 +--- a/arch/mips/kvm/kvm_locore.S
338 ++++ b/arch/mips/kvm/kvm_locore.S
339 +@@ -227,6 +227,7 @@ FEXPORT(__kvm_mips_load_k0k1)
340 + /* Jump to guest */
341 + eret
342 + .set pop
343 ++EXPORT(__kvm_mips_vcpu_run_end)
344 +
345 + VECTOR(MIPSX(exception), unknown)
346 + /*
347 +diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c
348 +index 8aa5f30d8579..97a181a44e53 100644
349 +--- a/arch/mips/kvm/kvm_mips.c
350 ++++ b/arch/mips/kvm/kvm_mips.c
351 +@@ -343,6 +343,15 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
352 + memcpy(gebase + offset, mips32_GuestException,
353 + mips32_GuestExceptionEnd - mips32_GuestException);
354 +
355 ++#ifdef MODULE
356 ++ offset += mips32_GuestExceptionEnd - mips32_GuestException;
357 ++ memcpy(gebase + offset, (char *)__kvm_mips_vcpu_run,
358 ++ __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run);
359 ++ vcpu->arch.vcpu_run = gebase + offset;
360 ++#else
361 ++ vcpu->arch.vcpu_run = __kvm_mips_vcpu_run;
362 ++#endif
363 ++
364 + /* Invalidate the icache for these ranges */
365 + mips32_SyncICache((unsigned long) gebase, ALIGN(size, PAGE_SIZE));
366 +
367 +@@ -426,7 +435,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run)
368 +
369 + kvm_guest_enter();
370 +
371 +- r = __kvm_mips_vcpu_run(run, vcpu);
372 ++ r = vcpu->arch.vcpu_run(run, vcpu);
373 +
374 + kvm_guest_exit();
375 + local_irq_enable();
376 +diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c
377 +index 33085819cd89..9f7643874fba 100644
378 +--- a/arch/mips/kvm/kvm_mips_emul.c
379 ++++ b/arch/mips/kvm/kvm_mips_emul.c
380 +@@ -972,8 +972,13 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause,
381 + preempt_disable();
382 + if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) {
383 +
384 +- if (kvm_mips_host_tlb_lookup(vcpu, va) < 0) {
385 +- kvm_mips_handle_kseg0_tlb_fault(va, vcpu);
386 ++ if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 &&
387 ++ kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) {
388 ++ kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n",
389 ++ __func__, va, vcpu, read_c0_entryhi());
390 ++ er = EMULATE_FAIL;
391 ++ preempt_enable();
392 ++ goto done;
393 + }
394 + } else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) ||
395 + KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) {
396 +@@ -1006,11 +1011,16 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause,
397 + run, vcpu);
398 + preempt_enable();
399 + goto dont_update_pc;
400 +- } else {
401 +- /* We fault an entry from the guest tlb to the shadow host TLB */
402 +- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
403 +- NULL,
404 +- NULL);
405 ++ }
406 ++ /* We fault an entry from the guest tlb to the shadow host TLB */
407 ++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
408 ++ NULL, NULL)) {
409 ++ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
410 ++ __func__, va, index, vcpu,
411 ++ read_c0_entryhi());
412 ++ er = EMULATE_FAIL;
413 ++ preempt_enable();
414 ++ goto done;
415 + }
416 + }
417 + } else {
418 +@@ -1821,8 +1831,13 @@ kvm_mips_handle_tlbmiss(unsigned long cause, uint32_t *opc,
419 + tlb->tlb_hi, tlb->tlb_lo0, tlb->tlb_lo1);
420 + #endif
421 + /* OK we have a Guest TLB entry, now inject it into the shadow host TLB */
422 +- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL,
423 +- NULL);
424 ++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
425 ++ NULL, NULL)) {
426 ++ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
427 ++ __func__, va, index, vcpu,
428 ++ read_c0_entryhi());
429 ++ er = EMULATE_FAIL;
430 ++ }
431 + }
432 + }
433 +
434 +diff --git a/arch/mips/kvm/kvm_mips_int.h b/arch/mips/kvm/kvm_mips_int.h
435 +index 20da7d29eede..bf41ea36210e 100644
436 +--- a/arch/mips/kvm/kvm_mips_int.h
437 ++++ b/arch/mips/kvm/kvm_mips_int.h
438 +@@ -27,6 +27,8 @@
439 + #define MIPS_EXC_MAX 12
440 + /* XXXSL More to follow */
441 +
442 ++extern char __kvm_mips_vcpu_run_end[];
443 ++
444 + #define C_TI (_ULCAST_(1) << 30)
445 +
446 + #define KVM_MIPS_IRQ_DELIVER_ALL_AT_ONCE (0)
447 +diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c
448 +index c777dd36d4a8..4bee4397dca8 100644
449 +--- a/arch/mips/kvm/kvm_tlb.c
450 ++++ b/arch/mips/kvm/kvm_tlb.c
451 +@@ -312,7 +312,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsigned long badvaddr,
452 + }
453 +
454 + gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT);
455 +- if (gfn >= kvm->arch.guest_pmap_npages) {
456 ++ if ((gfn | 1) >= kvm->arch.guest_pmap_npages) {
457 + kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__,
458 + gfn, badvaddr);
459 + kvm_mips_dump_host_tlbs();
460 +@@ -397,21 +397,38 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
461 + unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
462 + struct kvm *kvm = vcpu->kvm;
463 + pfn_t pfn0, pfn1;
464 ++ gfn_t gfn0, gfn1;
465 ++ long tlb_lo[2];
466 ++
467 ++ tlb_lo[0] = tlb->tlb_lo0;
468 ++ tlb_lo[1] = tlb->tlb_lo1;
469 ++
470 ++ /*
471 ++ * The commpage address must not be mapped to anything else if the guest
472 ++ * TLB contains entries nearby, or commpage accesses will break.
473 ++ */
474 ++ if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
475 ++ VPN2_MASK & (PAGE_MASK << 1)))
476 ++ tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
477 ++
478 ++ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
479 ++ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
480 ++ if (gfn0 >= kvm->arch.guest_pmap_npages ||
481 ++ gfn1 >= kvm->arch.guest_pmap_npages) {
482 ++ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
483 ++ __func__, gfn0, gfn1, tlb->tlb_hi);
484 ++ kvm_mips_dump_guest_tlbs(vcpu);
485 ++ return -1;
486 ++ }
487 +
488 ++ if (kvm_mips_map_page(kvm, gfn0) < 0)
489 ++ return -1;
490 +
491 +- if ((tlb->tlb_hi & VPN2_MASK) == 0) {
492 +- pfn0 = 0;
493 +- pfn1 = 0;
494 +- } else {
495 +- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT) < 0)
496 +- return -1;
497 +-
498 +- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT) < 0)
499 +- return -1;
500 ++ if (kvm_mips_map_page(kvm, gfn1) < 0)
501 ++ return -1;
502 +
503 +- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT];
504 +- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT];
505 +- }
506 ++ pfn0 = kvm->arch.guest_pmap[gfn0];
507 ++ pfn1 = kvm->arch.guest_pmap[gfn1];
508 +
509 + if (hpa0)
510 + *hpa0 = pfn0 << PAGE_SHIFT;
511 +@@ -423,9 +440,9 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
512 + entryhi = (tlb->tlb_hi & VPN2_MASK) | (KVM_GUEST_KERNEL_MODE(vcpu) ?
513 + kvm_mips_get_kernel_asid(vcpu) : kvm_mips_get_user_asid(vcpu));
514 + entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) |
515 +- (tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 & MIPS3_PG_V);
516 ++ (tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V);
517 + entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) |
518 +- (tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 & MIPS3_PG_V);
519 ++ (tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V);
520 +
521 + #ifdef DEBUG
522 + kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
523 +@@ -909,10 +926,16 @@ uint32_t kvm_get_inst(uint32_t *opc, struct kvm_vcpu *vcpu)
524 + local_irq_restore(flags);
525 + return KVM_INVALID_INST;
526 + }
527 +- kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
528 +- &vcpu->arch.
529 +- guest_tlb[index],
530 +- NULL, NULL);
531 ++ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
532 ++ &vcpu->arch.guest_tlb[index],
533 ++ NULL, NULL)) {
534 ++ kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n",
535 ++ __func__, opc, index, vcpu,
536 ++ read_c0_entryhi());
537 ++ kvm_mips_dump_guest_tlbs(vcpu);
538 ++ local_irq_restore(flags);
539 ++ return KVM_INVALID_INST;
540 ++ }
541 + inst = *(opc);
542 + }
543 + local_irq_restore(flags);
544 +diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
545 +index f03771900813..3d492a823a55 100644
546 +--- a/arch/mips/math-emu/cp1emu.c
547 ++++ b/arch/mips/math-emu/cp1emu.c
548 +@@ -684,9 +684,11 @@ static int isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
549 + case spec_op:
550 + switch (insn.r_format.func) {
551 + case jalr_op:
552 +- regs->regs[insn.r_format.rd] =
553 +- regs->cp0_epc + dec_insn.pc_inc +
554 +- dec_insn.next_pc_inc;
555 ++ if (insn.r_format.rd != 0) {
556 ++ regs->regs[insn.r_format.rd] =
557 ++ regs->cp0_epc + dec_insn.pc_inc +
558 ++ dec_insn.next_pc_inc;
559 ++ }
560 + /* Fall through */
561 + case jr_op:
562 + *contpc = regs->regs[insn.r_format.rs];
563 +diff --git a/arch/parisc/kernel/unaligned.c b/arch/parisc/kernel/unaligned.c
564 +index d7c0acb35ec2..8d49614d600d 100644
565 +--- a/arch/parisc/kernel/unaligned.c
566 ++++ b/arch/parisc/kernel/unaligned.c
567 +@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *regs)
568 + break;
569 + }
570 +
571 +- if (modify && R1(regs->iir))
572 ++ if (ret == 0 && modify && R1(regs->iir))
573 + regs->gr[R1(regs->iir)] = newbase;
574 +
575 +
576 +@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *regs)
577 +
578 + if (ret)
579 + {
580 ++ /*
581 ++ * The unaligned handler failed.
582 ++ * If we were called by __get_user() or __put_user() jump
583 ++ * to it's exception fixup handler instead of crashing.
584 ++ */
585 ++ if (!user_mode(regs) && fixup_exception(regs))
586 ++ return;
587 ++
588 + printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret);
589 + die_if_kernel("Unaligned data reference", regs, 28);
590 +
591 +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
592 +index 60c31698f7d5..469d7715d6aa 100644
593 +--- a/arch/powerpc/include/asm/reg.h
594 ++++ b/arch/powerpc/include/asm/reg.h
595 +@@ -643,7 +643,7 @@
596 + #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */
597 + #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */
598 + #define SPRN_MMCR1 798
599 +-#define SPRN_MMCR2 769
600 ++#define SPRN_MMCR2 785
601 + #define SPRN_MMCRA 0x312
602 + #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */
603 + #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL
604 +@@ -677,13 +677,13 @@
605 + #define SPRN_PMC6 792
606 + #define SPRN_PMC7 793
607 + #define SPRN_PMC8 794
608 +-#define SPRN_SIAR 780
609 +-#define SPRN_SDAR 781
610 + #define SPRN_SIER 784
611 + #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */
612 + #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */
613 + #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */
614 + #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */
615 ++#define SPRN_SIAR 796
616 ++#define SPRN_SDAR 797
617 +
618 + #define SPRN_PA6T_MMCR0 795
619 + #define PA6T_MMCR0_EN0 0x0000000000000001UL
620 +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
621 +index 902ca3c6b4b6..3ac1d3a90551 100644
622 +--- a/arch/powerpc/kernel/exceptions-64s.S
623 ++++ b/arch/powerpc/kernel/exceptions-64s.S
624 +@@ -857,11 +857,6 @@ hv_facility_unavailable_relon_trampoline:
625 + #endif
626 + STD_RELON_EXCEPTION_PSERIES(0x5700, 0x1700, altivec_assist)
627 +
628 +- /* Other future vectors */
629 +- .align 7
630 +- .globl __end_interrupts
631 +-__end_interrupts:
632 +-
633 + .align 7
634 + system_call_entry_direct:
635 + #if defined(CONFIG_RELOCATABLE)
636 +@@ -1191,6 +1186,17 @@ __end_handlers:
637 + STD_RELON_EXCEPTION_PSERIES_OOL(0xf60, facility_unavailable)
638 + STD_RELON_EXCEPTION_HV_OOL(0xf80, hv_facility_unavailable)
639 +
640 ++ /*
641 ++ * The __end_interrupts marker must be past the out-of-line (OOL)
642 ++ * handlers, so that they are copied to real address 0x100 when running
643 ++ * a relocatable kernel. This ensures they can be reached from the short
644 ++ * trampoline handlers (like 0x4f00, 0x4f20, etc.) which branch
645 ++ * directly, without using LOAD_HANDLER().
646 ++ */
647 ++ .align 7
648 ++ .globl __end_interrupts
649 ++__end_interrupts:
650 ++
651 + #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_PPC_POWERNV)
652 + /*
653 + * Data area reserved for FWNMI option.
654 +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
655 +index d55357ee9028..a5e339806589 100644
656 +--- a/arch/powerpc/kernel/process.c
657 ++++ b/arch/powerpc/kernel/process.c
658 +@@ -1088,6 +1088,16 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
659 + current->thread.regs = regs - 1;
660 + }
661 +
662 ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
663 ++ /*
664 ++ * Clear any transactional state, we're exec()ing. The cause is
665 ++ * not important as there will never be a recheckpoint so it's not
666 ++ * user visible.
667 ++ */
668 ++ if (MSR_TM_SUSPENDED(mfmsr()))
669 ++ tm_reclaim_current(0);
670 ++#endif
671 ++
672 + memset(regs->gpr, 0, sizeof(regs->gpr));
673 + regs->ctr = 0;
674 + regs->link = 0;
675 +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
676 +index 68f97d5a4679..dc0278e7fd91 100644
677 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
678 ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
679 +@@ -551,29 +551,50 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe)
680 + {
681 + int config_addr;
682 + int ret;
683 ++ /* Waiting 0.2s maximum before skipping configuration */
684 ++ int max_wait = 200;
685 +
686 + /* Figure out the PE address */
687 + config_addr = pe->config_addr;
688 + if (pe->addr)
689 + config_addr = pe->addr;
690 +
691 +- /* Use new configure-pe function, if supported */
692 +- if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
693 +- ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
694 +- config_addr, BUID_HI(pe->phb->buid),
695 +- BUID_LO(pe->phb->buid));
696 +- } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
697 +- ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
698 +- config_addr, BUID_HI(pe->phb->buid),
699 +- BUID_LO(pe->phb->buid));
700 +- } else {
701 +- return -EFAULT;
702 +- }
703 ++ while (max_wait > 0) {
704 ++ /* Use new configure-pe function, if supported */
705 ++ if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
706 ++ ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
707 ++ config_addr, BUID_HI(pe->phb->buid),
708 ++ BUID_LO(pe->phb->buid));
709 ++ } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
710 ++ ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
711 ++ config_addr, BUID_HI(pe->phb->buid),
712 ++ BUID_LO(pe->phb->buid));
713 ++ } else {
714 ++ return -EFAULT;
715 ++ }
716 +
717 +- if (ret)
718 +- pr_warning("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
719 +- __func__, pe->phb->global_number, pe->addr, ret);
720 ++ if (!ret)
721 ++ return ret;
722 ++
723 ++ /*
724 ++ * If RTAS returns a delay value that's above 100ms, cut it
725 ++ * down to 100ms in case firmware made a mistake. For more
726 ++ * on how these delay values work see rtas_busy_delay_time
727 ++ */
728 ++ if (ret > RTAS_EXTENDED_DELAY_MIN+2 &&
729 ++ ret <= RTAS_EXTENDED_DELAY_MAX)
730 ++ ret = RTAS_EXTENDED_DELAY_MIN+2;
731 ++
732 ++ max_wait -= rtas_busy_delay_time(ret);
733 ++
734 ++ if (max_wait < 0)
735 ++ break;
736 ++
737 ++ rtas_busy_delay(ret);
738 ++ }
739 +
740 ++ pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
741 ++ __func__, pe->phb->global_number, pe->addr, ret);
742 + return ret;
743 + }
744 +
745 +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c
746 +index 86ae364900d6..401369134ba3 100644
747 +--- a/arch/powerpc/platforms/pseries/iommu.c
748 ++++ b/arch/powerpc/platforms/pseries/iommu.c
749 +@@ -858,7 +858,8 @@ machine_arch_initcall(pseries, find_existing_ddw_windows);
750 + static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail,
751 + struct ddw_query_response *query)
752 + {
753 +- struct eeh_dev *edev;
754 ++ struct device_node *dn;
755 ++ struct pci_dn *pdn;
756 + u32 cfg_addr;
757 + u64 buid;
758 + int ret;
759 +@@ -869,11 +870,10 @@ static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail,
760 + * Retrieve them from the pci device, not the node with the
761 + * dma-window property
762 + */
763 +- edev = pci_dev_to_eeh_dev(dev);
764 +- cfg_addr = edev->config_addr;
765 +- if (edev->pe_config_addr)
766 +- cfg_addr = edev->pe_config_addr;
767 +- buid = edev->phb->buid;
768 ++ dn = pci_device_to_OF_node(dev);
769 ++ pdn = PCI_DN(dn);
770 ++ buid = pdn->phb->buid;
771 ++ cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8));
772 +
773 + ret = rtas_call(ddw_avail[0], 3, 5, (u32 *)query,
774 + cfg_addr, BUID_HI(buid), BUID_LO(buid));
775 +@@ -887,7 +887,8 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail,
776 + struct ddw_create_response *create, int page_shift,
777 + int window_shift)
778 + {
779 +- struct eeh_dev *edev;
780 ++ struct device_node *dn;
781 ++ struct pci_dn *pdn;
782 + u32 cfg_addr;
783 + u64 buid;
784 + int ret;
785 +@@ -898,11 +899,10 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail,
786 + * Retrieve them from the pci device, not the node with the
787 + * dma-window property
788 + */
789 +- edev = pci_dev_to_eeh_dev(dev);
790 +- cfg_addr = edev->config_addr;
791 +- if (edev->pe_config_addr)
792 +- cfg_addr = edev->pe_config_addr;
793 +- buid = edev->phb->buid;
794 ++ dn = pci_device_to_OF_node(dev);
795 ++ pdn = PCI_DN(dn);
796 ++ buid = pdn->phb->buid;
797 ++ cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8));
798 +
799 + do {
800 + /* extra outputs are LIOBN and dma-addr (hi, lo) */
801 +diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h
802 +index cd29d2f4e4f3..749313b452ae 100644
803 +--- a/arch/s390/include/asm/syscall.h
804 ++++ b/arch/s390/include/asm/syscall.h
805 +@@ -54,7 +54,7 @@ static inline void syscall_set_return_value(struct task_struct *task,
806 + struct pt_regs *regs,
807 + int error, long val)
808 + {
809 +- regs->gprs[2] = error ? -error : val;
810 ++ regs->gprs[2] = error ? error : val;
811 + }
812 +
813 + static inline void syscall_get_arguments(struct task_struct *task,
814 +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
815 +index 6cf0111783d3..368f3582c93e 100644
816 +--- a/arch/x86/boot/Makefile
817 ++++ b/arch/x86/boot/Makefile
818 +@@ -168,6 +168,9 @@ isoimage: $(obj)/bzImage
819 + for i in lib lib64 share end ; do \
820 + if [ -f /usr/$$i/syslinux/isolinux.bin ] ; then \
821 + cp /usr/$$i/syslinux/isolinux.bin $(obj)/isoimage ; \
822 ++ if [ -f /usr/$$i/syslinux/ldlinux.c32 ]; then \
823 ++ cp /usr/$$i/syslinux/ldlinux.c32 $(obj)/isoimage ; \
824 ++ fi ; \
825 + break ; \
826 + fi ; \
827 + if [ $$i = end ] ; then exit 1 ; fi ; \
828 +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
829 +index be12c534fd59..29a3d1b00ca9 100644
830 +--- a/arch/x86/include/asm/mmu_context.h
831 ++++ b/arch/x86/include/asm/mmu_context.h
832 +@@ -42,7 +42,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
833 + #endif
834 + cpumask_set_cpu(cpu, mm_cpumask(next));
835 +
836 +- /* Re-load page tables */
837 ++ /*
838 ++ * Re-load page tables.
839 ++ *
840 ++ * This logic has an ordering constraint:
841 ++ *
842 ++ * CPU 0: Write to a PTE for 'next'
843 ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
844 ++ * CPU 1: set bit 1 in next's mm_cpumask
845 ++ * CPU 1: load from the PTE that CPU 0 writes (implicit)
846 ++ *
847 ++ * We need to prevent an outcome in which CPU 1 observes
848 ++ * the new PTE value and CPU 0 observes bit 1 clear in
849 ++ * mm_cpumask. (If that occurs, then the IPI will never
850 ++ * be sent, and CPU 0's TLB will contain a stale entry.)
851 ++ *
852 ++ * The bad outcome can occur if either CPU's load is
853 ++ * reordered before that CPU's store, so both CPUs must
854 ++ * execute full barriers to prevent this from happening.
855 ++ *
856 ++ * Thus, switch_mm needs a full barrier between the
857 ++ * store to mm_cpumask and any operation that could load
858 ++ * from next->pgd. TLB fills are special and can happen
859 ++ * due to instruction fetches or for no reason at all,
860 ++ * and neither LOCK nor MFENCE orders them.
861 ++ * Fortunately, load_cr3() is serializing and gives the
862 ++ * ordering guarantee we need.
863 ++ *
864 ++ */
865 + load_cr3(next->pgd);
866 +
867 + /* Stop flush ipis for the previous mm */
868 +@@ -65,10 +92,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
869 + * schedule, protecting us from simultaneous changes.
870 + */
871 + cpumask_set_cpu(cpu, mm_cpumask(next));
872 ++
873 + /*
874 + * We were in lazy tlb mode and leave_mm disabled
875 + * tlb flush IPI delivery. We must reload CR3
876 + * to make sure to use no freed page tables.
877 ++ *
878 ++ * As above, load_cr3() is serializing and orders TLB
879 ++ * fills with respect to the mm_cpumask write.
880 + */
881 + load_cr3(next->pgd);
882 + load_LDT_nolock(&next->context);
883 +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
884 +index 59554dca96ec..e6a3b1e35fae 100644
885 +--- a/arch/x86/kernel/amd_nb.c
886 ++++ b/arch/x86/kernel/amd_nb.c
887 +@@ -67,8 +67,8 @@ int amd_cache_northbridges(void)
888 + while ((misc = next_northbridge(misc, amd_nb_misc_ids)) != NULL)
889 + i++;
890 +
891 +- if (i == 0)
892 +- return 0;
893 ++ if (!i)
894 ++ return -ENODEV;
895 +
896 + nb = kzalloc(i * sizeof(struct amd_northbridge), GFP_KERNEL);
897 + if (!nb)
898 +diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
899 +index 53a4e2744846..3ab03430211d 100644
900 +--- a/arch/x86/kernel/apm_32.c
901 ++++ b/arch/x86/kernel/apm_32.c
902 +@@ -392,7 +392,7 @@ static struct cpuidle_device apm_cpuidle_device;
903 + /*
904 + * Local variables
905 + */
906 +-static struct {
907 ++__visible struct {
908 + unsigned long offset;
909 + unsigned short segment;
910 + } apm_bios_entry;
911 +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
912 +index ac057583282a..a18154454e36 100644
913 +--- a/arch/x86/kernel/cpu/perf_event_intel.c
914 ++++ b/arch/x86/kernel/cpu/perf_event_intel.c
915 +@@ -2241,13 +2241,16 @@ __init int intel_pmu_init(void)
916 + * counter, so do not extend mask to generic counters
917 + */
918 + for_each_event_constraint(c, x86_pmu.event_constraints) {
919 +- if (c->cmask != X86_RAW_EVENT_MASK
920 +- || c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) {
921 ++ if (c->cmask == X86_RAW_EVENT_MASK
922 ++ && c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) {
923 ++ c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1;
924 + continue;
925 + }
926 +
927 +- c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1;
928 +- c->weight += x86_pmu.num_counters;
929 ++ c->idxmsk64 &=
930 ++ ~(~0ULL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed));
931 ++ c->weight = hweight64(c->idxmsk64);
932 ++
933 + }
934 + }
935 +
936 +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
937 +index 0c6c07cea3f7..766aa3bf1798 100644
938 +--- a/arch/x86/kernel/kprobes/core.c
939 ++++ b/arch/x86/kernel/kprobes/core.c
940 +@@ -908,7 +908,19 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
941 + * normal page fault.
942 + */
943 + regs->ip = (unsigned long)cur->addr;
944 ++ /*
945 ++ * Trap flag (TF) has been set here because this fault
946 ++ * happened where the single stepping will be done.
947 ++ * So clear it by resetting the current kprobe:
948 ++ */
949 ++ regs->flags &= ~X86_EFLAGS_TF;
950 ++
951 ++ /*
952 ++ * If the TF flag was set before the kprobe hit,
953 ++ * don't touch it:
954 ++ */
955 + regs->flags |= kcb->kprobe_old_flags;
956 ++
957 + if (kcb->kprobe_status == KPROBE_REENTER)
958 + restore_previous_kprobe(kcb);
959 + else
960 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
961 +index 3c0b085b4336..8e57771d4bfd 100644
962 +--- a/arch/x86/kvm/x86.c
963 ++++ b/arch/x86/kvm/x86.c
964 +@@ -2966,6 +2966,11 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
965 + if (dbgregs->flags)
966 + return -EINVAL;
967 +
968 ++ if (dbgregs->dr6 & ~0xffffffffull)
969 ++ return -EINVAL;
970 ++ if (dbgregs->dr7 & ~0xffffffffull)
971 ++ return -EINVAL;
972 ++
973 + memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
974 + vcpu->arch.dr6 = dbgregs->dr6;
975 + vcpu->arch.dr7 = dbgregs->dr7;
976 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
977 +index 282375f13c7e..c26b610a604d 100644
978 +--- a/arch/x86/mm/tlb.c
979 ++++ b/arch/x86/mm/tlb.c
980 +@@ -149,7 +149,9 @@ void flush_tlb_current_task(void)
981 +
982 + preempt_disable();
983 +
984 ++ /* This is an implicit full barrier that synchronizes with switch_mm. */
985 + local_flush_tlb();
986 ++
987 + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
988 + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
989 + preempt_enable();
990 +@@ -188,11 +190,19 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
991 + unsigned act_entries, tlb_entries = 0;
992 +
993 + preempt_disable();
994 +- if (current->active_mm != mm)
995 ++ if (current->active_mm != mm) {
996 ++ /* Synchronize with switch_mm. */
997 ++ smp_mb();
998 ++
999 + goto flush_all;
1000 ++ }
1001 +
1002 + if (!current->mm) {
1003 + leave_mm(smp_processor_id());
1004 ++
1005 ++ /* Synchronize with switch_mm. */
1006 ++ smp_mb();
1007 ++
1008 + goto flush_all;
1009 + }
1010 +
1011 +@@ -242,10 +252,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
1012 + preempt_disable();
1013 +
1014 + if (current->active_mm == mm) {
1015 +- if (current->mm)
1016 ++ if (current->mm) {
1017 ++ /*
1018 ++ * Implicit full barrier (INVLPG) that synchronizes
1019 ++ * with switch_mm.
1020 ++ */
1021 + __flush_tlb_one(start);
1022 +- else
1023 ++ } else {
1024 + leave_mm(smp_processor_id());
1025 ++
1026 ++ /* Synchronize with switch_mm. */
1027 ++ smp_mb();
1028 ++ }
1029 + }
1030 +
1031 + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
1032 +diff --git a/block/genhd.c b/block/genhd.c
1033 +index b09f5fc94dee..7af2f6a18d9b 100644
1034 +--- a/block/genhd.c
1035 ++++ b/block/genhd.c
1036 +@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v)
1037 + if (iter) {
1038 + class_dev_iter_exit(iter);
1039 + kfree(iter);
1040 ++ seqf->private = NULL;
1041 + }
1042 + }
1043 +
1044 +diff --git a/crypto/gcm.c b/crypto/gcm.c
1045 +index cd97cdd8cabe..451e420ce56c 100644
1046 +--- a/crypto/gcm.c
1047 ++++ b/crypto/gcm.c
1048 +@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb,
1049 +
1050 + ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
1051 + CRYPTO_ALG_TYPE_HASH,
1052 +- CRYPTO_ALG_TYPE_AHASH_MASK);
1053 ++ CRYPTO_ALG_TYPE_AHASH_MASK |
1054 ++ crypto_requires_sync(algt->type,
1055 ++ algt->mask));
1056 + if (IS_ERR(ghash_alg))
1057 + return ERR_CAST(ghash_alg);
1058 +
1059 +diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
1060 +index 7281b8a93ad3..79cbbbfffffc 100644
1061 +--- a/crypto/scatterwalk.c
1062 ++++ b/crypto/scatterwalk.c
1063 +@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk, int out,
1064 +
1065 + void scatterwalk_done(struct scatter_walk *walk, int out, int more)
1066 + {
1067 +- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
1068 ++ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
1069 ++ !(walk->offset & (PAGE_SIZE - 1)))
1070 + scatterwalk_pagedone(walk, out, more);
1071 + }
1072 + EXPORT_SYMBOL_GPL(scatterwalk_done);
1073 +diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
1074 +index a02a91cd1de4..c5e3dd93865a 100644
1075 +--- a/drivers/acpi/pci_root.c
1076 ++++ b/drivers/acpi/pci_root.c
1077 +@@ -385,6 +385,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
1078 + int result;
1079 + struct acpi_pci_root *root;
1080 + u32 flags, base_flags;
1081 ++ bool no_aspm = false, clear_aspm = false;
1082 +
1083 + root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL);
1084 + if (!root)
1085 +@@ -445,31 +446,10 @@ static int acpi_pci_root_add(struct acpi_device *device,
1086 + flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT;
1087 + acpi_pci_osc_support(root, flags);
1088 +
1089 +- /*
1090 +- * TBD: Need PCI interface for enumeration/configuration of roots.
1091 +- */
1092 +-
1093 + mutex_lock(&acpi_pci_root_lock);
1094 + list_add_tail(&root->node, &acpi_pci_roots);
1095 + mutex_unlock(&acpi_pci_root_lock);
1096 +
1097 +- /*
1098 +- * Scan the Root Bridge
1099 +- * --------------------
1100 +- * Must do this prior to any attempt to bind the root device, as the
1101 +- * PCI namespace does not get created until this call is made (and
1102 +- * thus the root bridge's pci_dev does not exist).
1103 +- */
1104 +- root->bus = pci_acpi_scan_root(root);
1105 +- if (!root->bus) {
1106 +- printk(KERN_ERR PREFIX
1107 +- "Bus %04x:%02x not present in PCI namespace\n",
1108 +- root->segment, (unsigned int)root->secondary.start);
1109 +- result = -ENODEV;
1110 +- goto out_del_root;
1111 +- }
1112 +-
1113 +- /* Indicate support for various _OSC capabilities. */
1114 + if (pci_ext_cfg_avail())
1115 + flags |= OSC_EXT_PCI_CONFIG_SUPPORT;
1116 + if (pcie_aspm_support_enabled()) {
1117 +@@ -483,7 +463,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
1118 + if (ACPI_FAILURE(status)) {
1119 + dev_info(&device->dev, "ACPI _OSC support "
1120 + "notification failed, disabling PCIe ASPM\n");
1121 +- pcie_no_aspm();
1122 ++ no_aspm = true;
1123 + flags = base_flags;
1124 + }
1125 + }
1126 +@@ -515,7 +495,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
1127 + * We have ASPM control, but the FADT indicates
1128 + * that it's unsupported. Clear it.
1129 + */
1130 +- pcie_clear_aspm(root->bus);
1131 ++ clear_aspm = true;
1132 + }
1133 + } else {
1134 + dev_info(&device->dev,
1135 +@@ -524,7 +504,14 @@ static int acpi_pci_root_add(struct acpi_device *device,
1136 + acpi_format_exception(status), flags);
1137 + pr_info("ACPI _OSC control for PCIe not granted, "
1138 + "disabling ASPM\n");
1139 +- pcie_no_aspm();
1140 ++ /*
1141 ++ * We want to disable ASPM here, but aspm_disabled
1142 ++ * needs to remain in its state from boot so that we
1143 ++ * properly handle PCIe 1.1 devices. So we set this
1144 ++ * flag here, to defer the action until after the ACPI
1145 ++ * root scan.
1146 ++ */
1147 ++ no_aspm = true;
1148 + }
1149 + } else {
1150 + dev_info(&device->dev,
1151 +@@ -532,6 +519,33 @@ static int acpi_pci_root_add(struct acpi_device *device,
1152 + "(_OSC support mask: 0x%02x)\n", flags);
1153 + }
1154 +
1155 ++ /*
1156 ++ * TBD: Need PCI interface for enumeration/configuration of roots.
1157 ++ */
1158 ++
1159 ++ /*
1160 ++ * Scan the Root Bridge
1161 ++ * --------------------
1162 ++ * Must do this prior to any attempt to bind the root device, as the
1163 ++ * PCI namespace does not get created until this call is made (and
1164 ++ * thus the root bridge's pci_dev does not exist).
1165 ++ */
1166 ++ root->bus = pci_acpi_scan_root(root);
1167 ++ if (!root->bus) {
1168 ++ dev_err(&device->dev,
1169 ++ "Bus %04x:%02x not present in PCI namespace\n",
1170 ++ root->segment, (unsigned int)root->secondary.start);
1171 ++ result = -ENODEV;
1172 ++ goto end;
1173 ++ }
1174 ++
1175 ++ if (clear_aspm) {
1176 ++ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n");
1177 ++ pcie_clear_aspm(root->bus);
1178 ++ }
1179 ++ if (no_aspm)
1180 ++ pcie_no_aspm();
1181 ++
1182 + pci_acpi_add_bus_pm_notifier(device, root->bus);
1183 + if (device->wakeup.flags.run_wake)
1184 + device_set_run_wake(root->bus->bridge, true);
1185 +@@ -548,11 +562,6 @@ static int acpi_pci_root_add(struct acpi_device *device,
1186 + pci_bus_add_devices(root->bus);
1187 + return 1;
1188 +
1189 +-out_del_root:
1190 +- mutex_lock(&acpi_pci_root_lock);
1191 +- list_del(&root->node);
1192 +- mutex_unlock(&acpi_pci_root_lock);
1193 +-
1194 + end:
1195 + kfree(root);
1196 + return result;
1197 +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
1198 +index 063036d876b0..126eb86f239f 100644
1199 +--- a/drivers/ata/libata-eh.c
1200 ++++ b/drivers/ata/libata-eh.c
1201 +@@ -604,7 +604,7 @@ void ata_scsi_error(struct Scsi_Host *host)
1202 + ata_scsi_port_error_handler(host, ap);
1203 +
1204 + /* finish or retry handled scmd's and clean up */
1205 +- WARN_ON(host->host_failed || !list_empty(&eh_work_q));
1206 ++ WARN_ON(!list_empty(&eh_work_q));
1207 +
1208 + DPRINTK("EXIT\n");
1209 + }
1210 +diff --git a/drivers/base/module.c b/drivers/base/module.c
1211 +index db930d3ee312..2a215780eda2 100644
1212 +--- a/drivers/base/module.c
1213 ++++ b/drivers/base/module.c
1214 +@@ -24,10 +24,12 @@ static char *make_driver_name(struct device_driver *drv)
1215 +
1216 + static void module_create_drivers_dir(struct module_kobject *mk)
1217 + {
1218 +- if (!mk || mk->drivers_dir)
1219 +- return;
1220 ++ static DEFINE_MUTEX(drivers_dir_mutex);
1221 +
1222 +- mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj);
1223 ++ mutex_lock(&drivers_dir_mutex);
1224 ++ if (mk && !mk->drivers_dir)
1225 ++ mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj);
1226 ++ mutex_unlock(&drivers_dir_mutex);
1227 + }
1228 +
1229 + void module_add_driver(struct module *mod, struct device_driver *drv)
1230 +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
1231 +index 6789c1653913..cde4a6e0fab0 100644
1232 +--- a/drivers/crypto/ux500/hash/hash_core.c
1233 ++++ b/drivers/crypto/ux500/hash/hash_core.c
1234 +@@ -806,7 +806,7 @@ int hash_process_data(
1235 + &device_data->state);
1236 + memmove(req_ctx->state.buffer,
1237 + device_data->state.buffer,
1238 +- HASH_BLOCK_SIZE / sizeof(u32));
1239 ++ HASH_BLOCK_SIZE);
1240 + if (ret) {
1241 + dev_err(device_data->dev, "[%s] "
1242 + "hash_resume_state()"
1243 +@@ -858,7 +858,7 @@ int hash_process_data(
1244 +
1245 + memmove(device_data->state.buffer,
1246 + req_ctx->state.buffer,
1247 +- HASH_BLOCK_SIZE / sizeof(u32));
1248 ++ HASH_BLOCK_SIZE);
1249 + if (ret) {
1250 + dev_err(device_data->dev, "[%s] "
1251 + "hash_save_state()"
1252 +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
1253 +index 426c51dd420c..ac11e455aea5 100644
1254 +--- a/drivers/gpio/gpio-pca953x.c
1255 ++++ b/drivers/gpio/gpio-pca953x.c
1256 +@@ -75,7 +75,7 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id);
1257 + #define MAX_BANK 5
1258 + #define BANK_SZ 8
1259 +
1260 +-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ)
1261 ++#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ)
1262 +
1263 + struct pca953x_chip {
1264 + unsigned gpio_start;
1265 +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
1266 +index b78cbe74dadf..93b74107d20d 100644
1267 +--- a/drivers/gpu/drm/drm_fb_helper.c
1268 ++++ b/drivers/gpu/drm/drm_fb_helper.c
1269 +@@ -1313,7 +1313,6 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
1270 + int n, int width, int height)
1271 + {
1272 + int c, o;
1273 +- struct drm_device *dev = fb_helper->dev;
1274 + struct drm_connector *connector;
1275 + struct drm_connector_helper_funcs *connector_funcs;
1276 + struct drm_encoder *encoder;
1277 +@@ -1334,7 +1333,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
1278 + if (modes[n] == NULL)
1279 + return best_score;
1280 +
1281 +- crtcs = kzalloc(dev->mode_config.num_connector *
1282 ++ crtcs = kzalloc(fb_helper->connector_count *
1283 + sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL);
1284 + if (!crtcs)
1285 + return best_score;
1286 +@@ -1381,7 +1380,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
1287 + best_crtc = crtc;
1288 + best_score = score;
1289 + memcpy(best_crtcs, crtcs,
1290 +- dev->mode_config.num_connector *
1291 ++ fb_helper->connector_count *
1292 + sizeof(struct drm_fb_helper_crtc *));
1293 + }
1294 + }
1295 +diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
1296 +index 489ffd2c66e5..a3d37e4a84ae 100644
1297 +--- a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
1298 ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
1299 +@@ -85,7 +85,7 @@ static const char *const dsi_errors[] = {
1300 + "RX Prot Violation",
1301 + "HS Generic Write FIFO Full",
1302 + "LP Generic Write FIFO Full",
1303 +- "Generic Read Data Avail"
1304 ++ "Generic Read Data Avail",
1305 + "Special Packet Sent",
1306 + "Tearing Effect",
1307 + };
1308 +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
1309 +index f3cce23f4a62..f4b9b1c0cae8 100644
1310 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c
1311 ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
1312 +@@ -1144,7 +1144,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
1313 + le16_to_cpu(firmware_info->info.usReferenceClock);
1314 + p1pll->reference_div = 0;
1315 +
1316 +- if (crev < 2)
1317 ++ if ((frev < 2) && (crev < 2))
1318 + p1pll->pll_out_min =
1319 + le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
1320 + else
1321 +@@ -1153,7 +1153,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
1322 + p1pll->pll_out_max =
1323 + le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
1324 +
1325 +- if (crev >= 4) {
1326 ++ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
1327 + p1pll->lcd_pll_out_min =
1328 + le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
1329 + if (p1pll->lcd_pll_out_min == 0)
1330 +diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
1331 +index 8c44ef57864b..a7e1893de838 100644
1332 +--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
1333 ++++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
1334 +@@ -11,6 +11,7 @@
1335 + #include <acpi/acpi.h>
1336 + #include <acpi/acpi_bus.h>
1337 + #include <linux/pci.h>
1338 ++#include <linux/delay.h>
1339 +
1340 + #include "radeon_acpi.h"
1341 +
1342 +@@ -252,6 +253,10 @@ static int radeon_atpx_set_discrete_state(struct radeon_atpx *atpx, u8 state)
1343 + if (!info)
1344 + return -EIO;
1345 + kfree(info);
1346 ++
1347 ++ /* 200ms delay is required after off */
1348 ++ if (state == 0)
1349 ++ msleep(200);
1350 + }
1351 + return 0;
1352 + }
1353 +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
1354 +index 1fbd38b371d4..ea62810aeda6 100644
1355 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c
1356 ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
1357 +@@ -1691,7 +1691,6 @@ radeon_add_atom_connector(struct drm_device *dev,
1358 + 1);
1359 + /* no HPD on analog connectors */
1360 + radeon_connector->hpd.hpd = RADEON_HPD_NONE;
1361 +- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
1362 + connector->interlace_allowed = true;
1363 + connector->doublescan_allowed = true;
1364 + break;
1365 +@@ -1889,8 +1888,10 @@ radeon_add_atom_connector(struct drm_device *dev,
1366 + }
1367 +
1368 + if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
1369 +- if (i2c_bus->valid)
1370 +- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
1371 ++ if (i2c_bus->valid) {
1372 ++ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
1373 ++ DRM_CONNECTOR_POLL_DISCONNECT;
1374 ++ }
1375 + } else
1376 + connector->polled = DRM_CONNECTOR_POLL_HPD;
1377 +
1378 +@@ -1962,7 +1963,6 @@ radeon_add_legacy_connector(struct drm_device *dev,
1379 + 1);
1380 + /* no HPD on analog connectors */
1381 + radeon_connector->hpd.hpd = RADEON_HPD_NONE;
1382 +- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
1383 + connector->interlace_allowed = true;
1384 + connector->doublescan_allowed = true;
1385 + break;
1386 +@@ -2047,10 +2047,13 @@ radeon_add_legacy_connector(struct drm_device *dev,
1387 + }
1388 +
1389 + if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
1390 +- if (i2c_bus->valid)
1391 +- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
1392 ++ if (i2c_bus->valid) {
1393 ++ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
1394 ++ DRM_CONNECTOR_POLL_DISCONNECT;
1395 ++ }
1396 + } else
1397 + connector->polled = DRM_CONNECTOR_POLL_HPD;
1398 ++
1399 + connector->display_info.subpixel_order = subpixel_order;
1400 + drm_sysfs_connector_add(connector);
1401 + }
1402 +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
1403 +index 8df1525f71d2..e9db3f8125ed 100644
1404 +--- a/drivers/gpu/drm/radeon/radeon_device.c
1405 ++++ b/drivers/gpu/drm/radeon/radeon_device.c
1406 +@@ -449,6 +449,23 @@ void radeon_gtt_location(struct radeon_device *rdev, struct radeon_mc *mc)
1407 + /*
1408 + * GPU helpers function.
1409 + */
1410 ++
1411 ++/**
1412 ++ * radeon_device_is_virtual - check if we are running is a virtual environment
1413 ++ *
1414 ++ * Check if the asic has been passed through to a VM (all asics).
1415 ++ * Used at driver startup.
1416 ++ * Returns true if virtual or false if not.
1417 ++ */
1418 ++static bool radeon_device_is_virtual(void)
1419 ++{
1420 ++#ifdef CONFIG_X86
1421 ++ return boot_cpu_has(X86_FEATURE_HYPERVISOR);
1422 ++#else
1423 ++ return false;
1424 ++#endif
1425 ++}
1426 ++
1427 + /**
1428 + * radeon_card_posted - check if the hw has already been initialized
1429 + *
1430 +@@ -462,6 +479,10 @@ bool radeon_card_posted(struct radeon_device *rdev)
1431 + {
1432 + uint32_t reg;
1433 +
1434 ++ /* for pass through, always force asic_init */
1435 ++ if (radeon_device_is_virtual())
1436 ++ return false;
1437 ++
1438 + /* required for EFI mode on macbook2,1 which uses an r5xx asic */
1439 + if (efi_enabled(EFI_BOOT) &&
1440 + (rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) &&
1441 +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
1442 +index a3915d12e746..eb5700e40e1a 100644
1443 +--- a/drivers/hid/hid-input.c
1444 ++++ b/drivers/hid/hid-input.c
1445 +@@ -1084,7 +1084,7 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct
1446 + return;
1447 +
1448 + /* report the usage code as scancode if the key status has changed */
1449 +- if (usage->type == EV_KEY && !!test_bit(usage->code, input->key) != value)
1450 ++ if (usage->type == EV_KEY && (!!test_bit(usage->code, input->key)) != value)
1451 + input_event(input, EV_MSC, MSC_SCAN, usage->hid);
1452 +
1453 + input_event(input, usage->type, usage->code, value);
1454 +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
1455 +index 2f1ddca6f2e0..700145b15088 100644
1456 +--- a/drivers/hid/usbhid/hiddev.c
1457 ++++ b/drivers/hid/usbhid/hiddev.c
1458 +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
1459 + goto inval;
1460 + } else if (uref->usage_index >= field->report_count)
1461 + goto inval;
1462 +-
1463 +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
1464 +- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
1465 +- uref->usage_index + uref_multi->num_values > field->report_count))
1466 +- goto inval;
1467 + }
1468 +
1469 ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
1470 ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
1471 ++ uref->usage_index + uref_multi->num_values > field->report_count))
1472 ++ goto inval;
1473 ++
1474 + switch (cmd) {
1475 + case HIDIOCGUSAGE:
1476 + uref->value = field->value[uref->usage_index];
1477 +diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
1478 +index 7c9a1d97dc68..a22c427454db 100644
1479 +--- a/drivers/iio/accel/kxsd9.c
1480 ++++ b/drivers/iio/accel/kxsd9.c
1481 +@@ -81,7 +81,7 @@ static int kxsd9_write_scale(struct iio_dev *indio_dev, int micro)
1482 +
1483 + mutex_lock(&st->buf_lock);
1484 + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
1485 +- if (ret)
1486 ++ if (ret < 0)
1487 + goto error_ret;
1488 + st->tx[0] = KXSD9_WRITE(KXSD9_REG_CTRL_C);
1489 + st->tx[1] = (ret & ~KXSD9_FS_MASK) | i;
1490 +@@ -163,7 +163,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
1491 + break;
1492 + case IIO_CHAN_INFO_SCALE:
1493 + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
1494 +- if (ret)
1495 ++ if (ret < 0)
1496 + goto error_ret;
1497 + *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
1498 + ret = IIO_VAL_INT_PLUS_MICRO;
1499 +diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c
1500 +index c2744a75c3b0..6569a4e2a436 100644
1501 +--- a/drivers/iio/adc/ad7266.c
1502 ++++ b/drivers/iio/adc/ad7266.c
1503 +@@ -406,7 +406,7 @@ static int ad7266_probe(struct spi_device *spi)
1504 + st = iio_priv(indio_dev);
1505 +
1506 + st->reg = regulator_get(&spi->dev, "vref");
1507 +- if (!IS_ERR_OR_NULL(st->reg)) {
1508 ++ if (!IS_ERR(st->reg)) {
1509 + ret = regulator_enable(st->reg);
1510 + if (ret)
1511 + goto error_put_reg;
1512 +@@ -417,6 +417,10 @@ static int ad7266_probe(struct spi_device *spi)
1513 +
1514 + st->vref_uv = ret;
1515 + } else {
1516 ++ /* Any other error indicates that the regulator does exist */
1517 ++ if (PTR_ERR(st->reg) != -ENODEV)
1518 ++ return PTR_ERR(st->reg);
1519 ++
1520 + /* Use internal reference */
1521 + st->vref_uv = 2500000;
1522 + }
1523 +diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
1524 +index 4d6c7d84e155..301becccf5ed 100644
1525 +--- a/drivers/iio/industrialio-trigger.c
1526 ++++ b/drivers/iio/industrialio-trigger.c
1527 +@@ -203,22 +203,35 @@ static int iio_trigger_attach_poll_func(struct iio_trigger *trig,
1528 +
1529 + /* Prevent the module from being removed whilst attached to a trigger */
1530 + __module_get(pf->indio_dev->info->driver_module);
1531 ++
1532 ++ /* Get irq number */
1533 + pf->irq = iio_trigger_get_irq(trig);
1534 ++ if (pf->irq < 0)
1535 ++ goto out_put_module;
1536 ++
1537 ++ /* Request irq */
1538 + ret = request_threaded_irq(pf->irq, pf->h, pf->thread,
1539 + pf->type, pf->name,
1540 + pf);
1541 +- if (ret < 0) {
1542 +- module_put(pf->indio_dev->info->driver_module);
1543 +- return ret;
1544 +- }
1545 ++ if (ret < 0)
1546 ++ goto out_put_irq;
1547 +
1548 ++ /* Enable trigger in driver */
1549 + if (trig->ops && trig->ops->set_trigger_state && notinuse) {
1550 + ret = trig->ops->set_trigger_state(trig, true);
1551 + if (ret < 0)
1552 +- module_put(pf->indio_dev->info->driver_module);
1553 ++ goto out_free_irq;
1554 + }
1555 +
1556 + return ret;
1557 ++
1558 ++out_free_irq:
1559 ++ free_irq(pf->irq, pf);
1560 ++out_put_irq:
1561 ++ iio_trigger_put_irq(trig, pf->irq);
1562 ++out_put_module:
1563 ++ module_put(pf->indio_dev->info->driver_module);
1564 ++ return ret;
1565 + }
1566 +
1567 + static int iio_trigger_detach_poll_func(struct iio_trigger *trig,
1568 +diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
1569 +index f2f63933e8a9..5befec118a18 100644
1570 +--- a/drivers/infiniband/core/ucm.c
1571 ++++ b/drivers/infiniband/core/ucm.c
1572 +@@ -48,6 +48,7 @@
1573 +
1574 + #include <asm/uaccess.h>
1575 +
1576 ++#include <rdma/ib.h>
1577 + #include <rdma/ib_cm.h>
1578 + #include <rdma/ib_user_cm.h>
1579 + #include <rdma/ib_marshall.h>
1580 +@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf,
1581 + struct ib_ucm_cmd_hdr hdr;
1582 + ssize_t result;
1583 +
1584 ++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
1585 ++ return -EACCES;
1586 ++
1587 + if (len < sizeof(hdr))
1588 + return -EINVAL;
1589 +
1590 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
1591 +index 5ca44cd9b00c..99f1c170770f 100644
1592 +--- a/drivers/infiniband/core/ucma.c
1593 ++++ b/drivers/infiniband/core/ucma.c
1594 +@@ -43,6 +43,7 @@
1595 + #include <linux/sysctl.h>
1596 + #include <linux/module.h>
1597 +
1598 ++#include <rdma/ib.h>
1599 + #include <rdma/rdma_user_cm.h>
1600 + #include <rdma/ib_marshall.h>
1601 + #include <rdma/rdma_cm.h>
1602 +@@ -1249,6 +1250,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
1603 + struct rdma_ucm_cmd_hdr hdr;
1604 + ssize_t ret;
1605 +
1606 ++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
1607 ++ return -EACCES;
1608 ++
1609 + if (len < sizeof(hdr))
1610 + return -EINVAL;
1611 +
1612 +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
1613 +index b6062b9236a2..f50623d07a75 100644
1614 +--- a/drivers/infiniband/core/uverbs_main.c
1615 ++++ b/drivers/infiniband/core/uverbs_main.c
1616 +@@ -48,6 +48,8 @@
1617 +
1618 + #include <asm/uaccess.h>
1619 +
1620 ++#include <rdma/ib.h>
1621 ++
1622 + #include "uverbs.h"
1623 +
1624 + MODULE_AUTHOR("Roland Dreier");
1625 +@@ -588,6 +590,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
1626 + struct ib_uverbs_file *file = filp->private_data;
1627 + struct ib_uverbs_cmd_hdr hdr;
1628 +
1629 ++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
1630 ++ return -EACCES;
1631 ++
1632 + if (count < sizeof hdr)
1633 + return -EINVAL;
1634 +
1635 +diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
1636 +index 890c23b3d714..f55d69500a5f 100644
1637 +--- a/drivers/infiniband/hw/mlx4/ah.c
1638 ++++ b/drivers/infiniband/hw/mlx4/ah.c
1639 +@@ -65,6 +65,7 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr,
1640 +
1641 + ah->av.ib.port_pd = cpu_to_be32(to_mpd(pd)->pdn | (ah_attr->port_num << 24));
1642 + ah->av.ib.g_slid = ah_attr->src_path_bits;
1643 ++ ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28);
1644 + if (ah_attr->ah_flags & IB_AH_GRH) {
1645 + ah->av.ib.g_slid |= 0x80;
1646 + ah->av.ib.gid_index = ah_attr->grh.sgid_index;
1647 +@@ -82,7 +83,6 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr,
1648 + !(1 << ah->av.ib.stat_rate & dev->caps.stat_rate_support))
1649 + --ah->av.ib.stat_rate;
1650 + }
1651 +- ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28);
1652 +
1653 + return &ah->ibah;
1654 + }
1655 +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
1656 +index 262a18437ceb..1fe3bdb0da14 100644
1657 +--- a/drivers/infiniband/hw/mlx4/qp.c
1658 ++++ b/drivers/infiniband/hw/mlx4/qp.c
1659 +@@ -346,7 +346,7 @@ static int send_wqe_overhead(enum mlx4_ib_qp_type type, u32 flags)
1660 + sizeof (struct mlx4_wqe_raddr_seg);
1661 + case MLX4_IB_QPT_RC:
1662 + return sizeof (struct mlx4_wqe_ctrl_seg) +
1663 +- sizeof (struct mlx4_wqe_atomic_seg) +
1664 ++ sizeof (struct mlx4_wqe_masked_atomic_seg) +
1665 + sizeof (struct mlx4_wqe_raddr_seg);
1666 + case MLX4_IB_QPT_SMI:
1667 + case MLX4_IB_QPT_GSI:
1668 +diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
1669 +index b56c9428f3c5..8cb29b36c82a 100644
1670 +--- a/drivers/infiniband/hw/qib/qib_file_ops.c
1671 ++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
1672 +@@ -45,6 +45,8 @@
1673 + #include <linux/delay.h>
1674 + #include <linux/export.h>
1675 +
1676 ++#include <rdma/ib.h>
1677 ++
1678 + #include "qib.h"
1679 + #include "qib_common.h"
1680 + #include "qib_user_sdma.h"
1681 +@@ -1977,6 +1979,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data,
1682 + ssize_t ret = 0;
1683 + void *dest;
1684 +
1685 ++ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
1686 ++ return -EACCES;
1687 ++
1688 + if (count < sizeof(cmd.type)) {
1689 + ret = -EINVAL;
1690 + goto bail;
1691 +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
1692 +index b6e049a3c7a8..a481094af85f 100644
1693 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
1694 ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
1695 +@@ -887,7 +887,9 @@ struct ipoib_neigh *ipoib_neigh_get(struct net_device *dev, u8 *daddr)
1696 + neigh = NULL;
1697 + goto out_unlock;
1698 + }
1699 +- neigh->alive = jiffies;
1700 ++
1701 ++ if (likely(skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE))
1702 ++ neigh->alive = jiffies;
1703 + goto out_unlock;
1704 + }
1705 + }
1706 +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
1707 +index 856c1b03e22d..685e125d6366 100644
1708 +--- a/drivers/input/joystick/xpad.c
1709 ++++ b/drivers/input/joystick/xpad.c
1710 +@@ -843,6 +843,9 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
1711 + struct usb_endpoint_descriptor *ep_irq_in;
1712 + int i, error;
1713 +
1714 ++ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
1715 ++ return -ENODEV;
1716 ++
1717 + for (i = 0; xpad_device[i].idVendor; i++) {
1718 + if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
1719 + (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
1720 +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
1721 +index a0a4bbaef02c..3f2f3ac96a55 100644
1722 +--- a/drivers/input/misc/uinput.c
1723 ++++ b/drivers/input/misc/uinput.c
1724 +@@ -835,9 +835,15 @@ static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1725 + }
1726 +
1727 + #ifdef CONFIG_COMPAT
1728 ++
1729 ++#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
1730 ++
1731 + static long uinput_compat_ioctl(struct file *file,
1732 + unsigned int cmd, unsigned long arg)
1733 + {
1734 ++ if (cmd == UI_SET_PHYS_COMPAT)
1735 ++ cmd = UI_SET_PHYS;
1736 ++
1737 + return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
1738 + }
1739 + #endif
1740 +diff --git a/drivers/input/touchscreen/wacom_w8001.c b/drivers/input/touchscreen/wacom_w8001.c
1741 +index 9a83be6b6584..abba11220f29 100644
1742 +--- a/drivers/input/touchscreen/wacom_w8001.c
1743 ++++ b/drivers/input/touchscreen/wacom_w8001.c
1744 +@@ -28,7 +28,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkml@×××××.com>");
1745 + MODULE_DESCRIPTION(DRIVER_DESC);
1746 + MODULE_LICENSE("GPL");
1747 +
1748 +-#define W8001_MAX_LENGTH 11
1749 ++#define W8001_MAX_LENGTH 13
1750 + #define W8001_LEAD_MASK 0x80
1751 + #define W8001_LEAD_BYTE 0x80
1752 + #define W8001_TAB_MASK 0x40
1753 +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
1754 +index a7e4939787c9..eab9167937e2 100644
1755 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c
1756 ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c
1757 +@@ -2295,8 +2295,8 @@ _hfcpci_softirq(struct device *dev, void *arg)
1758 + static void
1759 + hfcpci_softirq(void *arg)
1760 + {
1761 +- (void) driver_for_each_device(&hfc_driver.driver, NULL, arg,
1762 +- _hfcpci_softirq);
1763 ++ WARN_ON_ONCE(driver_for_each_device(&hfc_driver.driver, NULL, arg,
1764 ++ _hfcpci_softirq) != 0);
1765 +
1766 + /* if next event would be in the past ... */
1767 + if ((s32)(hfc_jiffies + tics - jiffies) <= 0)
1768 +diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
1769 +index 7fcf21cb4ff8..a9a47cd029d5 100644
1770 +--- a/drivers/md/dm-flakey.c
1771 ++++ b/drivers/md/dm-flakey.c
1772 +@@ -286,10 +286,16 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
1773 + pb->bio_submitted = true;
1774 +
1775 + /*
1776 +- * Map reads as normal.
1777 ++ * Map reads as normal only if corrupt_bio_byte set.
1778 + */
1779 +- if (bio_data_dir(bio) == READ)
1780 +- goto map_bio;
1781 ++ if (bio_data_dir(bio) == READ) {
1782 ++ /* If flags were specified, only corrupt those that match. */
1783 ++ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
1784 ++ all_corrupt_bio_flags_match(bio, fc))
1785 ++ goto map_bio;
1786 ++ else
1787 ++ return -EIO;
1788 ++ }
1789 +
1790 + /*
1791 + * Drop writes?
1792 +@@ -327,12 +333,13 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error)
1793 +
1794 + /*
1795 + * Corrupt successful READs while in down state.
1796 +- * If flags were specified, only corrupt those that match.
1797 + */
1798 +- if (fc->corrupt_bio_byte && !error && pb->bio_submitted &&
1799 +- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
1800 +- all_corrupt_bio_flags_match(bio, fc))
1801 +- corrupt_bio_data(bio, fc);
1802 ++ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
1803 ++ if (fc->corrupt_bio_byte)
1804 ++ corrupt_bio_data(bio, fc);
1805 ++ else
1806 ++ return -EIO;
1807 ++ }
1808 +
1809 + return error;
1810 + }
1811 +diff --git a/drivers/media/dvb-frontends/stb6100.c b/drivers/media/dvb-frontends/stb6100.c
1812 +index cea175d19890..4ef8a5c7003e 100644
1813 +--- a/drivers/media/dvb-frontends/stb6100.c
1814 ++++ b/drivers/media/dvb-frontends/stb6100.c
1815 +@@ -193,7 +193,7 @@ static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int st
1816 + .len = len + 1
1817 + };
1818 +
1819 +- if (1 + len > sizeof(buf)) {
1820 ++ if (1 + len > sizeof(cmdbuf)) {
1821 + printk(KERN_WARNING
1822 + "%s: i2c wr: len=%d is too big!\n",
1823 + KBUILD_MODNAME, len);
1824 +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
1825 +index 961d7ff75427..eb92027cef92 100644
1826 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
1827 ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
1828 +@@ -1000,6 +1000,11 @@ static int match_child(struct device *dev, void *data)
1829 + return !strcmp(dev_name(dev), (char *)data);
1830 + }
1831 +
1832 ++static void s5p_mfc_memdev_release(struct device *dev)
1833 ++{
1834 ++ dma_release_declared_memory(dev);
1835 ++}
1836 ++
1837 + static void *mfc_get_drv_data(struct platform_device *pdev);
1838 +
1839 + static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
1840 +@@ -1012,6 +1017,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
1841 + mfc_err("Not enough memory\n");
1842 + return -ENOMEM;
1843 + }
1844 ++
1845 ++ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
1846 ++ dev->mem_dev_l->release = s5p_mfc_memdev_release;
1847 + device_initialize(dev->mem_dev_l);
1848 + of_property_read_u32_array(dev->plat_dev->dev.of_node,
1849 + "samsung,mfc-l", mem_info, 2);
1850 +@@ -1029,6 +1037,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
1851 + mfc_err("Not enough memory\n");
1852 + return -ENOMEM;
1853 + }
1854 ++
1855 ++ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
1856 ++ dev->mem_dev_r->release = s5p_mfc_memdev_release;
1857 + device_initialize(dev->mem_dev_r);
1858 + of_property_read_u32_array(dev->plat_dev->dev.of_node,
1859 + "samsung,mfc-r", mem_info, 2);
1860 +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
1861 +index c6bf23599eb9..a2863b7b9e21 100644
1862 +--- a/drivers/mmc/card/block.c
1863 ++++ b/drivers/mmc/card/block.c
1864 +@@ -1582,8 +1582,8 @@ static void mmc_blk_packed_hdr_wrq_prep(struct mmc_queue_req *mqrq,
1865 +
1866 + packed_cmd_hdr = packed->cmd_hdr;
1867 + memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr));
1868 +- packed_cmd_hdr[0] = (packed->nr_entries << 16) |
1869 +- (PACKED_CMD_WR << 8) | PACKED_CMD_VER;
1870 ++ packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) |
1871 ++ (PACKED_CMD_WR << 8) | PACKED_CMD_VER);
1872 + hdr_blocks = mmc_large_sector(card) ? 8 : 1;
1873 +
1874 + /*
1875 +@@ -1597,14 +1597,14 @@ static void mmc_blk_packed_hdr_wrq_prep(struct mmc_queue_req *mqrq,
1876 + ((brq->data.blocks * brq->data.blksz) >=
1877 + card->ext_csd.data_tag_unit_size);
1878 + /* Argument of CMD23 */
1879 +- packed_cmd_hdr[(i * 2)] =
1880 ++ packed_cmd_hdr[(i * 2)] = cpu_to_le32(
1881 + (do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) |
1882 + (do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) |
1883 +- blk_rq_sectors(prq);
1884 ++ blk_rq_sectors(prq));
1885 + /* Argument of CMD18 or CMD25 */
1886 +- packed_cmd_hdr[((i * 2)) + 1] =
1887 ++ packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32(
1888 + mmc_card_blockaddr(card) ?
1889 +- blk_rq_pos(prq) : blk_rq_pos(prq) << 9;
1890 ++ blk_rq_pos(prq) : blk_rq_pos(prq) << 9);
1891 + packed->blocks += blk_rq_sectors(prq);
1892 + i++;
1893 + }
1894 +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
1895 +index a56133585e92..03331c173bd0 100644
1896 +--- a/drivers/mtd/ubi/build.c
1897 ++++ b/drivers/mtd/ubi/build.c
1898 +@@ -997,6 +997,9 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
1899 + goto out_detach;
1900 + }
1901 +
1902 ++ /* Make device "available" before it becomes accessible via sysfs */
1903 ++ ubi_devices[ubi_num] = ubi;
1904 ++
1905 + err = uif_init(ubi, &ref);
1906 + if (err)
1907 + goto out_detach;
1908 +@@ -1041,7 +1044,6 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
1909 + wake_up_process(ubi->bgt_thread);
1910 + spin_unlock(&ubi->wl_lock);
1911 +
1912 +- ubi_devices[ubi_num] = ubi;
1913 + ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL);
1914 + return ubi_num;
1915 +
1916 +@@ -1052,6 +1054,7 @@ out_uif:
1917 + ubi_assert(ref);
1918 + uif_close(ubi);
1919 + out_detach:
1920 ++ ubi_devices[ubi_num] = NULL;
1921 + ubi_wl_close(ubi);
1922 + ubi_free_internal_volumes(ubi);
1923 + vfree(ubi->vtbl);
1924 +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
1925 +index 8330703c098f..96131eb34c9f 100644
1926 +--- a/drivers/mtd/ubi/vmt.c
1927 ++++ b/drivers/mtd/ubi/vmt.c
1928 +@@ -534,13 +534,6 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
1929 + spin_unlock(&ubi->volumes_lock);
1930 + }
1931 +
1932 +- /* Change volume table record */
1933 +- vtbl_rec = ubi->vtbl[vol_id];
1934 +- vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
1935 +- err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
1936 +- if (err)
1937 +- goto out_acc;
1938 +-
1939 + if (pebs < 0) {
1940 + for (i = 0; i < -pebs; i++) {
1941 + err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i);
1942 +@@ -558,6 +551,24 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
1943 + spin_unlock(&ubi->volumes_lock);
1944 + }
1945 +
1946 ++ /*
1947 ++ * When we shrink a volume we have to flush all pending (erase) work.
1948 ++ * Otherwise it can happen that upon next attach UBI finds a LEB with
1949 ++ * lnum > highest_lnum and refuses to attach.
1950 ++ */
1951 ++ if (pebs < 0) {
1952 ++ err = ubi_wl_flush(ubi, vol_id, UBI_ALL);
1953 ++ if (err)
1954 ++ goto out_acc;
1955 ++ }
1956 ++
1957 ++ /* Change volume table record */
1958 ++ vtbl_rec = ubi->vtbl[vol_id];
1959 ++ vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
1960 ++ err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
1961 ++ if (err)
1962 ++ goto out_acc;
1963 ++
1964 + vol->reserved_pebs = reserved_pebs;
1965 + if (vol->vol_type == UBI_DYNAMIC_VOLUME) {
1966 + vol->used_ebs = reserved_pebs;
1967 +diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
1968 +index 535d5dd8d816..024078c5fb16 100644
1969 +--- a/drivers/net/can/at91_can.c
1970 ++++ b/drivers/net/can/at91_can.c
1971 +@@ -731,9 +731,10 @@ static int at91_poll_rx(struct net_device *dev, int quota)
1972 +
1973 + /* upper group completed, look again in lower */
1974 + if (priv->rx_next > get_mb_rx_low_last(priv) &&
1975 +- quota > 0 && mb > get_mb_rx_last(priv)) {
1976 ++ mb > get_mb_rx_last(priv)) {
1977 + priv->rx_next = get_mb_rx_first(priv);
1978 +- goto again;
1979 ++ if (quota > 0)
1980 ++ goto again;
1981 + }
1982 +
1983 + return received;
1984 +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
1985 +index f66aeb79abdf..464e5f66b66d 100644
1986 +--- a/drivers/net/can/dev.c
1987 ++++ b/drivers/net/can/dev.c
1988 +@@ -772,6 +772,11 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
1989 + return -EOPNOTSUPP;
1990 + }
1991 +
1992 ++static void can_dellink(struct net_device *dev, struct list_head *head)
1993 ++{
1994 ++ return;
1995 ++}
1996 ++
1997 + static struct rtnl_link_ops can_link_ops __read_mostly = {
1998 + .kind = "can",
1999 + .maxtype = IFLA_CAN_MAX,
2000 +@@ -779,6 +784,7 @@ static struct rtnl_link_ops can_link_ops __read_mostly = {
2001 + .setup = can_setup,
2002 + .newlink = can_newlink,
2003 + .changelink = can_changelink,
2004 ++ .dellink = can_dellink,
2005 + .get_size = can_get_size,
2006 + .fill_info = can_fill_info,
2007 + .get_xstats_size = can_get_xstats_size,
2008 +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
2009 +index a85a9c2f1385..7357e54f1de9 100644
2010 +--- a/drivers/net/ethernet/atheros/alx/main.c
2011 ++++ b/drivers/net/ethernet/atheros/alx/main.c
2012 +@@ -86,9 +86,14 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
2013 + while (!cur_buf->skb && next != rxq->read_idx) {
2014 + struct alx_rfd *rfd = &rxq->rfd[cur];
2015 +
2016 +- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
2017 ++ skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size + 64, gfp);
2018 + if (!skb)
2019 + break;
2020 ++
2021 ++ /* Workround for the HW RX DMA overflow issue */
2022 ++ if (((unsigned long)skb->data & 0xfff) == 0xfc0)
2023 ++ skb_reserve(skb, 64);
2024 ++
2025 + dma = dma_map_single(&alx->hw.pdev->dev,
2026 + skb->data, alx->rxbuf_size,
2027 + DMA_FROM_DEVICE);
2028 +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
2029 +index d5643c143bb8..df3af299a7d2 100644
2030 +--- a/drivers/net/ethernet/marvell/mvneta.c
2031 ++++ b/drivers/net/ethernet/marvell/mvneta.c
2032 +@@ -210,7 +210,7 @@
2033 + /* Various constants */
2034 +
2035 + /* Coalescing */
2036 +-#define MVNETA_TXDONE_COAL_PKTS 1
2037 ++#define MVNETA_TXDONE_COAL_PKTS 0 /* interrupt per packet */
2038 + #define MVNETA_RX_COAL_PKTS 32
2039 + #define MVNETA_RX_COAL_USEC 100
2040 +
2041 +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
2042 +index 74581cbcafa7..a5802419381f 100644
2043 +--- a/drivers/net/usb/cdc_ncm.c
2044 ++++ b/drivers/net/usb/cdc_ncm.c
2045 +@@ -477,6 +477,13 @@ advance:
2046 + if (cdc_ncm_setup(ctx))
2047 + goto error2;
2048 +
2049 ++ /* Some firmwares need a pause here or they will silently fail
2050 ++ * to set up the interface properly. This value was decided
2051 ++ * empirically on a Sierra Wireless MC7455 running 02.08.02.00
2052 ++ * firmware.
2053 ++ */
2054 ++ usleep_range(10000, 20000);
2055 ++
2056 + /* configure data interface */
2057 + temp = usb_set_interface(dev->udev, iface_no, data_altsetting);
2058 + if (temp)
2059 +@@ -598,24 +605,13 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting);
2060 +
2061 + static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
2062 + {
2063 +- int ret;
2064 +-
2065 + /* MBIM backwards compatible function? */
2066 + cdc_ncm_select_altsetting(dev, intf);
2067 + if (cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting))
2068 + return -ENODEV;
2069 +
2070 + /* NCM data altsetting is always 1 */
2071 +- ret = cdc_ncm_bind_common(dev, intf, 1);
2072 +-
2073 +- /*
2074 +- * We should get an event when network connection is "connected" or
2075 +- * "disconnected". Set network connection in "disconnected" state
2076 +- * (carrier is OFF) during attach, so the IP network stack does not
2077 +- * start IPv6 negotiation and more.
2078 +- */
2079 +- usbnet_link_change(dev, 0, 0);
2080 +- return ret;
2081 ++ return cdc_ncm_bind_common(dev, intf, 1);
2082 + }
2083 +
2084 + static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
2085 +@@ -1161,7 +1157,8 @@ static void cdc_ncm_disconnect(struct usb_interface *intf)
2086 +
2087 + static const struct driver_info cdc_ncm_info = {
2088 + .description = "CDC NCM",
2089 +- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
2090 ++ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
2091 ++ | FLAG_LINK_INTR,
2092 + .bind = cdc_ncm_bind,
2093 + .unbind = cdc_ncm_unbind,
2094 + .check_connect = cdc_ncm_check_connect,
2095 +@@ -1175,7 +1172,7 @@ static const struct driver_info cdc_ncm_info = {
2096 + static const struct driver_info wwan_info = {
2097 + .description = "Mobile Broadband Network Device",
2098 + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
2099 +- | FLAG_WWAN,
2100 ++ | FLAG_LINK_INTR | FLAG_WWAN,
2101 + .bind = cdc_ncm_bind,
2102 + .unbind = cdc_ncm_unbind,
2103 + .check_connect = cdc_ncm_check_connect,
2104 +@@ -1189,7 +1186,7 @@ static const struct driver_info wwan_info = {
2105 + static const struct driver_info wwan_noarp_info = {
2106 + .description = "Mobile Broadband Network Device (NO ARP)",
2107 + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
2108 +- | FLAG_WWAN | FLAG_NOARP,
2109 ++ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
2110 + .bind = cdc_ncm_bind,
2111 + .unbind = cdc_ncm_unbind,
2112 + .check_connect = cdc_ncm_check_connect,
2113 +diff --git a/drivers/net/wireless/ath/ath5k/led.c b/drivers/net/wireless/ath/ath5k/led.c
2114 +index f77ef36acf87..61879b1f7083 100644
2115 +--- a/drivers/net/wireless/ath/ath5k/led.c
2116 ++++ b/drivers/net/wireless/ath/ath5k/led.c
2117 +@@ -77,7 +77,7 @@ static DEFINE_PCI_DEVICE_TABLE(ath5k_led_devices) = {
2118 + /* HP Compaq CQ60-206US (ddreggors@××××××.com) */
2119 + { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137a), ATH_LED(3, 1) },
2120 + /* HP Compaq C700 (nitrousnrg@×××××.com) */
2121 +- { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 1) },
2122 ++ { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 0) },
2123 + /* LiteOn AR5BXB63 (magooz@×××××.it) */
2124 + { ATH_SDEVICE(PCI_VENDOR_ID_ATHEROS, 0x3067), ATH_LED(3, 0) },
2125 + /* IBM-specific AR5212 (all others) */
2126 +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
2127 +index cb34c7895f2a..735c26620387 100644
2128 +--- a/drivers/net/wireless/mac80211_hwsim.c
2129 ++++ b/drivers/net/wireless/mac80211_hwsim.c
2130 +@@ -1931,6 +1931,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
2131 + if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
2132 + !info->attrs[HWSIM_ATTR_FLAGS] ||
2133 + !info->attrs[HWSIM_ATTR_COOKIE] ||
2134 ++ !info->attrs[HWSIM_ATTR_SIGNAL] ||
2135 + !info->attrs[HWSIM_ATTR_TX_INFO])
2136 + goto out;
2137 +
2138 +diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c
2139 +index 6fc0853fd7f9..d066f74f743a 100644
2140 +--- a/drivers/net/wireless/rtlwifi/base.c
2141 ++++ b/drivers/net/wireless/rtlwifi/base.c
2142 +@@ -1392,9 +1392,9 @@ void rtl_watchdog_wq_callback(void *data)
2143 + if (((rtlpriv->link_info.num_rx_inperiod +
2144 + rtlpriv->link_info.num_tx_inperiod) > 8) ||
2145 + (rtlpriv->link_info.num_rx_inperiod > 2))
2146 +- rtlpriv->enter_ps = true;
2147 +- else
2148 + rtlpriv->enter_ps = false;
2149 ++ else
2150 ++ rtlpriv->enter_ps = true;
2151 +
2152 + /* LeisurePS only work in infra mode. */
2153 + schedule_work(&rtlpriv->works.lps_change_work);
2154 +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
2155 +index d332d55885f8..2d7cd0c080d3 100644
2156 +--- a/drivers/pci/probe.c
2157 ++++ b/drivers/pci/probe.c
2158 +@@ -173,9 +173,6 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
2159 + struct pci_bus_region region;
2160 + bool bar_too_big = false, bar_disabled = false;
2161 +
2162 +- if (dev->non_compliant_bars)
2163 +- return 0;
2164 +-
2165 + mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
2166 +
2167 + /* No printks while decoding is disabled! */
2168 +@@ -295,6 +292,9 @@ static void pci_read_bases(struct pci_dev *dev, unsigned int howmany, int rom)
2169 + {
2170 + unsigned int pos, reg;
2171 +
2172 ++ if (dev->non_compliant_bars)
2173 ++ return;
2174 ++
2175 + for (pos = 0; pos < howmany; pos++) {
2176 + struct resource *res = &dev->resource[pos];
2177 + reg = PCI_BASE_ADDRESS_0 + (pos << 2);
2178 +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
2179 +index d111c8687f9b..46497c6cbcc1 100644
2180 +--- a/drivers/platform/x86/hp-wmi.c
2181 ++++ b/drivers/platform/x86/hp-wmi.c
2182 +@@ -640,6 +640,11 @@ static int hp_wmi_rfkill_setup(struct platform_device *device)
2183 + if (err)
2184 + return err;
2185 +
2186 ++ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
2187 ++ sizeof(wireless), 0);
2188 ++ if (err)
2189 ++ return err;
2190 ++
2191 + if (wireless & 0x1) {
2192 + wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
2193 + RFKILL_TYPE_WLAN,
2194 +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
2195 +index ec8ccdae7aba..0090de46aa5e 100644
2196 +--- a/drivers/s390/net/qeth_l2_main.c
2197 ++++ b/drivers/s390/net/qeth_l2_main.c
2198 +@@ -898,6 +898,7 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev)
2199 + qeth_l2_set_offline(cgdev);
2200 +
2201 + if (card->dev) {
2202 ++ netif_napi_del(&card->napi);
2203 + unregister_netdev(card->dev);
2204 + card->dev = NULL;
2205 + }
2206 +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
2207 +index c1b0b2761f8d..7366bef742de 100644
2208 +--- a/drivers/s390/net/qeth_l3_main.c
2209 ++++ b/drivers/s390/net/qeth_l3_main.c
2210 +@@ -3333,6 +3333,7 @@ static void qeth_l3_remove_device(struct ccwgroup_device *cgdev)
2211 + qeth_l3_set_offline(cgdev);
2212 +
2213 + if (card->dev) {
2214 ++ netif_napi_del(&card->napi);
2215 + unregister_netdev(card->dev);
2216 + card->dev = NULL;
2217 + }
2218 +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
2219 +index 6a0d362e2596..284efac5f202 100644
2220 +--- a/drivers/scsi/aacraid/commsup.c
2221 ++++ b/drivers/scsi/aacraid/commsup.c
2222 +@@ -590,10 +590,10 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size,
2223 + }
2224 + return -EFAULT;
2225 + }
2226 +- /* We used to udelay() here but that absorbed
2227 +- * a CPU when a timeout occured. Not very
2228 +- * useful. */
2229 +- cpu_relax();
2230 ++ /*
2231 ++ * Allow other processes / CPUS to use core
2232 ++ */
2233 ++ schedule();
2234 + }
2235 + } else if (down_interruptible(&fibptr->event_wait)) {
2236 + /* Do nothing ... satisfy
2237 +@@ -1920,6 +1920,10 @@ int aac_command_thread(void *data)
2238 + if (difference <= 0)
2239 + difference = 1;
2240 + set_current_state(TASK_INTERRUPTIBLE);
2241 ++
2242 ++ if (kthread_should_stop())
2243 ++ break;
2244 ++
2245 + schedule_timeout(difference);
2246 +
2247 + if (kthread_should_stop())
2248 +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
2249 +index a683a831527b..02278130826b 100644
2250 +--- a/drivers/scsi/be2iscsi/be_main.c
2251 ++++ b/drivers/scsi/be2iscsi/be_main.c
2252 +@@ -2978,7 +2978,7 @@ be_sgl_create_contiguous(void *virtual_address,
2253 + {
2254 + WARN_ON(!virtual_address);
2255 + WARN_ON(!physical_address);
2256 +- WARN_ON(!length > 0);
2257 ++ WARN_ON(!length);
2258 + WARN_ON(!sgl);
2259 +
2260 + sgl->va = virtual_address;
2261 +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
2262 +index 25ac2c00f8b3..2891faa8e384 100644
2263 +--- a/drivers/scsi/ipr.c
2264 ++++ b/drivers/scsi/ipr.c
2265 +@@ -9607,6 +9607,7 @@ static int ipr_probe_ioa(struct pci_dev *pdev,
2266 + ioa_cfg->intr_flag = IPR_USE_MSI;
2267 + else {
2268 + ioa_cfg->intr_flag = IPR_USE_LSI;
2269 ++ ioa_cfg->clear_isr = 1;
2270 + ioa_cfg->nvectors = 1;
2271 + dev_info(&pdev->dev, "Cannot enable MSI.\n");
2272 + }
2273 +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
2274 +index 9acbc885239b..5ba69ea8eb92 100644
2275 +--- a/drivers/scsi/scsi_error.c
2276 ++++ b/drivers/scsi/scsi_error.c
2277 +@@ -898,7 +898,6 @@ static int scsi_request_sense(struct scsi_cmnd *scmd)
2278 + */
2279 + void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q)
2280 + {
2281 +- scmd->device->host->host_failed--;
2282 + scmd->eh_eflags = 0;
2283 + list_move_tail(&scmd->eh_entry, done_q);
2284 + }
2285 +@@ -1892,6 +1891,9 @@ int scsi_error_handler(void *data)
2286 + else
2287 + scsi_unjam_host(shost);
2288 +
2289 ++ /* All scmds have been handled */
2290 ++ shost->host_failed = 0;
2291 ++
2292 + /*
2293 + * Note - if the above fails completely, the action is to take
2294 + * individual devices offline and flush the queue of any
2295 +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
2296 +index 9f3168e8e5a8..60031e15d562 100644
2297 +--- a/drivers/scsi/scsi_lib.c
2298 ++++ b/drivers/scsi/scsi_lib.c
2299 +@@ -546,66 +546,6 @@ void scsi_run_host_queues(struct Scsi_Host *shost)
2300 +
2301 + static void __scsi_release_buffers(struct scsi_cmnd *, int);
2302 +
2303 +-/*
2304 +- * Function: scsi_end_request()
2305 +- *
2306 +- * Purpose: Post-processing of completed commands (usually invoked at end
2307 +- * of upper level post-processing and scsi_io_completion).
2308 +- *
2309 +- * Arguments: cmd - command that is complete.
2310 +- * error - 0 if I/O indicates success, < 0 for I/O error.
2311 +- * bytes - number of bytes of completed I/O
2312 +- * requeue - indicates whether we should requeue leftovers.
2313 +- *
2314 +- * Lock status: Assumed that lock is not held upon entry.
2315 +- *
2316 +- * Returns: cmd if requeue required, NULL otherwise.
2317 +- *
2318 +- * Notes: This is called for block device requests in order to
2319 +- * mark some number of sectors as complete.
2320 +- *
2321 +- * We are guaranteeing that the request queue will be goosed
2322 +- * at some point during this call.
2323 +- * Notes: If cmd was requeued, upon return it will be a stale pointer.
2324 +- */
2325 +-static struct scsi_cmnd *scsi_end_request(struct scsi_cmnd *cmd, int error,
2326 +- int bytes, int requeue)
2327 +-{
2328 +- struct request_queue *q = cmd->device->request_queue;
2329 +- struct request *req = cmd->request;
2330 +-
2331 +- /*
2332 +- * If there are blocks left over at the end, set up the command
2333 +- * to queue the remainder of them.
2334 +- */
2335 +- if (blk_end_request(req, error, bytes)) {
2336 +- /* kill remainder if no retrys */
2337 +- if (error && scsi_noretry_cmd(cmd))
2338 +- blk_end_request_all(req, error);
2339 +- else {
2340 +- if (requeue) {
2341 +- /*
2342 +- * Bleah. Leftovers again. Stick the
2343 +- * leftovers in the front of the
2344 +- * queue, and goose the queue again.
2345 +- */
2346 +- scsi_release_buffers(cmd);
2347 +- scsi_requeue_command(q, cmd);
2348 +- cmd = NULL;
2349 +- }
2350 +- return cmd;
2351 +- }
2352 +- }
2353 +-
2354 +- /*
2355 +- * This will goose the queue request function at the end, so we don't
2356 +- * need to worry about launching another command.
2357 +- */
2358 +- __scsi_release_buffers(cmd, 0);
2359 +- scsi_next_command(cmd);
2360 +- return NULL;
2361 +-}
2362 +-
2363 + static inline unsigned int scsi_sgtable_index(unsigned short nents)
2364 + {
2365 + unsigned int index;
2366 +@@ -735,16 +675,9 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result)
2367 + *
2368 + * Returns: Nothing
2369 + *
2370 +- * Notes: This function is matched in terms of capabilities to
2371 +- * the function that created the scatter-gather list.
2372 +- * In other words, if there are no bounce buffers
2373 +- * (the normal case for most drivers), we don't need
2374 +- * the logic to deal with cleaning up afterwards.
2375 +- *
2376 +- * We must call scsi_end_request(). This will finish off
2377 +- * the specified number of sectors. If we are done, the
2378 +- * command block will be released and the queue function
2379 +- * will be goosed. If we are not done then we have to
2380 ++ * Notes: We will finish off the specified number of sectors. If we
2381 ++ * are done, the command block will be released and the queue
2382 ++ * function will be goosed. If we are not done then we have to
2383 + * figure out what to do next:
2384 + *
2385 + * a) We can call scsi_requeue_command(). The request
2386 +@@ -753,7 +686,7 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result)
2387 + * be used if we made forward progress, or if we want
2388 + * to switch from READ(10) to READ(6) for example.
2389 + *
2390 +- * b) We can call scsi_queue_insert(). The request will
2391 ++ * b) We can call __scsi_queue_insert(). The request will
2392 + * be put back on the queue and retried using the same
2393 + * command as before, possibly after a delay.
2394 + *
2395 +@@ -857,12 +790,28 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
2396 + }
2397 +
2398 + /*
2399 +- * A number of bytes were successfully read. If there
2400 +- * are leftovers and there is some kind of error
2401 +- * (result != 0), retry the rest.
2402 ++ * special case: failed zero length commands always need to
2403 ++ * drop down into the retry code. Otherwise, if we finished
2404 ++ * all bytes in the request we are done now.
2405 + */
2406 +- if (scsi_end_request(cmd, error, good_bytes, result == 0) == NULL)
2407 +- return;
2408 ++ if (!(blk_rq_bytes(req) == 0 && error) &&
2409 ++ !blk_end_request(req, error, good_bytes))
2410 ++ goto next_command;
2411 ++
2412 ++ /*
2413 ++ * Kill remainder if no retrys.
2414 ++ */
2415 ++ if (error && scsi_noretry_cmd(cmd)) {
2416 ++ blk_end_request_all(req, error);
2417 ++ goto next_command;
2418 ++ }
2419 ++
2420 ++ /*
2421 ++ * If there had been no error, but we have leftover bytes in the
2422 ++ * requeues just queue the command up again.
2423 ++ */
2424 ++ if (result == 0)
2425 ++ goto requeue;
2426 +
2427 + error = __scsi_error_from_host_byte(cmd, result);
2428 +
2429 +@@ -984,7 +933,6 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
2430 + switch (action) {
2431 + case ACTION_FAIL:
2432 + /* Give up and fail the remainder of the request */
2433 +- scsi_release_buffers(cmd);
2434 + if (!(req->cmd_flags & REQ_QUIET)) {
2435 + if (description)
2436 + scmd_printk(KERN_INFO, cmd, "%s\n",
2437 +@@ -994,12 +942,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
2438 + scsi_print_sense("", cmd);
2439 + scsi_print_command(cmd);
2440 + }
2441 +- if (blk_end_request_err(req, error))
2442 +- scsi_requeue_command(q, cmd);
2443 +- else
2444 +- scsi_next_command(cmd);
2445 +- break;
2446 ++ if (!blk_end_request_err(req, error))
2447 ++ goto next_command;
2448 ++ /*FALLTHRU*/
2449 + case ACTION_REPREP:
2450 ++ requeue:
2451 + /* Unprep the request and put it back at the head of the queue.
2452 + * A new command will be prepared and issued.
2453 + */
2454 +@@ -1015,6 +962,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
2455 + __scsi_queue_insert(cmd, SCSI_MLQUEUE_DEVICE_BUSY, 0);
2456 + break;
2457 + }
2458 ++ return;
2459 ++
2460 ++next_command:
2461 ++ __scsi_release_buffers(cmd, 0);
2462 ++ scsi_next_command(cmd);
2463 + }
2464 +
2465 + static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb,
2466 +diff --git a/drivers/spi/spi-xilinx.c b/drivers/spi/spi-xilinx.c
2467 +index 34d18dcfa0db..109a535b639c 100644
2468 +--- a/drivers/spi/spi-xilinx.c
2469 ++++ b/drivers/spi/spi-xilinx.c
2470 +@@ -315,7 +315,7 @@ static int xilinx_spi_txrx_bufs(struct spi_device *spi, struct spi_transfer *t)
2471 + }
2472 +
2473 + /* See if there is more data to send */
2474 +- if (!xspi->remaining_bytes > 0)
2475 ++ if (xspi->remaining_bytes <= 0)
2476 + break;
2477 + }
2478 +
2479 +diff --git a/drivers/staging/iio/accel/sca3000_core.c b/drivers/staging/iio/accel/sca3000_core.c
2480 +index 32950ad94857..b30c41b3e0cc 100644
2481 +--- a/drivers/staging/iio/accel/sca3000_core.c
2482 ++++ b/drivers/staging/iio/accel/sca3000_core.c
2483 +@@ -588,7 +588,7 @@ static ssize_t sca3000_read_frequency(struct device *dev,
2484 + goto error_ret_mut;
2485 + ret = sca3000_read_ctrl_reg(st, SCA3000_REG_CTRL_SEL_OUT_CTRL);
2486 + mutex_unlock(&st->lock);
2487 +- if (ret)
2488 ++ if (ret < 0)
2489 + goto error_ret;
2490 + val = ret;
2491 + if (base_freq > 0)
2492 +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
2493 +index a9af1b9ae160..1f6e09649e5a 100644
2494 +--- a/drivers/tty/vt/keyboard.c
2495 ++++ b/drivers/tty/vt/keyboard.c
2496 +@@ -371,34 +371,22 @@ static void to_utf8(struct vc_data *vc, uint c)
2497 +
2498 + static void do_compute_shiftstate(void)
2499 + {
2500 +- unsigned int i, j, k, sym, val;
2501 ++ unsigned int k, sym, val;
2502 +
2503 + shift_state = 0;
2504 + memset(shift_down, 0, sizeof(shift_down));
2505 +
2506 +- for (i = 0; i < ARRAY_SIZE(key_down); i++) {
2507 +-
2508 +- if (!key_down[i])
2509 ++ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) {
2510 ++ sym = U(key_maps[0][k]);
2511 ++ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
2512 + continue;
2513 +
2514 +- k = i * BITS_PER_LONG;
2515 +-
2516 +- for (j = 0; j < BITS_PER_LONG; j++, k++) {
2517 +-
2518 +- if (!test_bit(k, key_down))
2519 +- continue;
2520 ++ val = KVAL(sym);
2521 ++ if (val == KVAL(K_CAPSSHIFT))
2522 ++ val = KVAL(K_SHIFT);
2523 +
2524 +- sym = U(key_maps[0][k]);
2525 +- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
2526 +- continue;
2527 +-
2528 +- val = KVAL(sym);
2529 +- if (val == KVAL(K_CAPSSHIFT))
2530 +- val = KVAL(K_SHIFT);
2531 +-
2532 +- shift_down[val]++;
2533 +- shift_state |= (1 << val);
2534 +- }
2535 ++ shift_down[val]++;
2536 ++ shift_state |= BIT(val);
2537 + }
2538 + }
2539 +
2540 +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
2541 +index 62e532fb82ad..cfce807531f6 100644
2542 +--- a/drivers/usb/core/devio.c
2543 ++++ b/drivers/usb/core/devio.c
2544 +@@ -1106,10 +1106,11 @@ static int proc_getdriver(struct dev_state *ps, void __user *arg)
2545 +
2546 + static int proc_connectinfo(struct dev_state *ps, void __user *arg)
2547 + {
2548 +- struct usbdevfs_connectinfo ci = {
2549 +- .devnum = ps->dev->devnum,
2550 +- .slow = ps->dev->speed == USB_SPEED_LOW
2551 +- };
2552 ++ struct usbdevfs_connectinfo ci;
2553 ++
2554 ++ memset(&ci, 0, sizeof(ci));
2555 ++ ci.devnum = ps->dev->devnum;
2556 ++ ci.slow = ps->dev->speed == USB_SPEED_LOW;
2557 +
2558 + if (copy_to_user(arg, &ci, sizeof(ci)))
2559 + return -EFAULT;
2560 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
2561 +index 8eb2de6beee4..4e5156d212dd 100644
2562 +--- a/drivers/usb/core/hub.c
2563 ++++ b/drivers/usb/core/hub.c
2564 +@@ -113,6 +113,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
2565 + #define HUB_DEBOUNCE_STEP 25
2566 + #define HUB_DEBOUNCE_STABLE 100
2567 +
2568 ++static void hub_release(struct kref *kref);
2569 + static int usb_reset_and_verify_device(struct usb_device *udev);
2570 +
2571 + static inline char *portspeed(struct usb_hub *hub, int portstatus)
2572 +@@ -1024,10 +1025,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2573 + unsigned delay;
2574 +
2575 + /* Continue a partial initialization */
2576 +- if (type == HUB_INIT2)
2577 +- goto init2;
2578 +- if (type == HUB_INIT3)
2579 ++ if (type == HUB_INIT2 || type == HUB_INIT3) {
2580 ++ device_lock(hub->intfdev);
2581 ++
2582 ++ /* Was the hub disconnected while we were waiting? */
2583 ++ if (hub->disconnected) {
2584 ++ device_unlock(hub->intfdev);
2585 ++ kref_put(&hub->kref, hub_release);
2586 ++ return;
2587 ++ }
2588 ++ if (type == HUB_INIT2)
2589 ++ goto init2;
2590 + goto init3;
2591 ++ }
2592 ++ kref_get(&hub->kref);
2593 +
2594 + /* The superspeed hub except for root hub has to use Hub Depth
2595 + * value as an offset into the route string to locate the bits
2596 +@@ -1224,6 +1235,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2597 + PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3);
2598 + schedule_delayed_work(&hub->init_work,
2599 + msecs_to_jiffies(delay));
2600 ++ device_unlock(hub->intfdev);
2601 + return; /* Continues at init3: below */
2602 + } else {
2603 + msleep(delay);
2604 +@@ -1244,6 +1256,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2605 + /* Allow autosuspend if it was suppressed */
2606 + if (type <= HUB_INIT3)
2607 + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
2608 ++
2609 ++ if (type == HUB_INIT2 || type == HUB_INIT3)
2610 ++ device_unlock(hub->intfdev);
2611 ++
2612 ++ kref_put(&hub->kref, hub_release);
2613 + }
2614 +
2615 + /* Implement the continuations for the delays above */
2616 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
2617 +index 94e9cddc05c1..aa27ec1f4813 100644
2618 +--- a/drivers/usb/core/quirks.c
2619 ++++ b/drivers/usb/core/quirks.c
2620 +@@ -170,14 +170,6 @@ static const struct usb_device_id usb_quirk_list[] = {
2621 + /* INTEL VALUE SSD */
2622 + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
2623 +
2624 +- { } /* terminating entry must be last */
2625 +-};
2626 +-
2627 +-static const struct usb_device_id usb_interface_quirk_list[] = {
2628 +- /* Logitech UVC Cameras */
2629 +- { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
2630 +- .driver_info = USB_QUIRK_RESET_RESUME },
2631 +-
2632 + /* ASUS Base Station(T100) */
2633 + { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
2634 + USB_QUIRK_IGNORE_REMOTE_WAKEUP },
2635 +@@ -191,6 +183,14 @@ static const struct usb_device_id usb_interface_quirk_list[] = {
2636 + { } /* terminating entry must be last */
2637 + };
2638 +
2639 ++static const struct usb_device_id usb_interface_quirk_list[] = {
2640 ++ /* Logitech UVC Cameras */
2641 ++ { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
2642 ++ .driver_info = USB_QUIRK_RESET_RESUME },
2643 ++
2644 ++ { } /* terminating entry must be last */
2645 ++};
2646 ++
2647 + static bool usb_match_any_interface(struct usb_device *udev,
2648 + const struct usb_device_id *id)
2649 + {
2650 +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
2651 +index 9d3044bdebe5..c6cc5201665a 100644
2652 +--- a/drivers/usb/musb/musb_host.c
2653 ++++ b/drivers/usb/musb/musb_host.c
2654 +@@ -581,14 +581,13 @@ musb_rx_reinit(struct musb *musb, struct musb_qh *qh, struct musb_hw_ep *ep)
2655 + musb_writew(ep->regs, MUSB_TXCSR, 0);
2656 +
2657 + /* scrub all previous state, clearing toggle */
2658 +- } else {
2659 +- csr = musb_readw(ep->regs, MUSB_RXCSR);
2660 +- if (csr & MUSB_RXCSR_RXPKTRDY)
2661 +- WARNING("rx%d, packet/%d ready?\n", ep->epnum,
2662 +- musb_readw(ep->regs, MUSB_RXCOUNT));
2663 +-
2664 +- musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG);
2665 + }
2666 ++ csr = musb_readw(ep->regs, MUSB_RXCSR);
2667 ++ if (csr & MUSB_RXCSR_RXPKTRDY)
2668 ++ WARNING("rx%d, packet/%d ready?\n", ep->epnum,
2669 ++ musb_readw(ep->regs, MUSB_RXCOUNT));
2670 ++
2671 ++ musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG);
2672 +
2673 + /* target addr and (for multipoint) hub addr/port */
2674 + if (musb->is_multipoint) {
2675 +@@ -948,9 +947,15 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep,
2676 + if (is_in) {
2677 + dma = is_dma_capable() ? ep->rx_channel : NULL;
2678 +
2679 +- /* clear nak timeout bit */
2680 ++ /*
2681 ++ * Need to stop the transaction by clearing REQPKT first
2682 ++ * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED
2683 ++ * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2
2684 ++ */
2685 + rx_csr = musb_readw(epio, MUSB_RXCSR);
2686 + rx_csr |= MUSB_RXCSR_H_WZC_BITS;
2687 ++ rx_csr &= ~MUSB_RXCSR_H_REQPKT;
2688 ++ musb_writew(epio, MUSB_RXCSR, rx_csr);
2689 + rx_csr &= ~MUSB_RXCSR_DATAERROR;
2690 + musb_writew(epio, MUSB_RXCSR, rx_csr);
2691 +
2692 +diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
2693 +index ed4949faa70d..64223a923932 100644
2694 +--- a/drivers/usb/renesas_usbhs/mod_gadget.c
2695 ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
2696 +@@ -558,6 +558,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
2697 + struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
2698 + struct usbhs_pipe *pipe;
2699 + int ret = -EIO;
2700 ++ unsigned long flags;
2701 ++
2702 ++ usbhs_lock(priv, flags);
2703 +
2704 + /*
2705 + * if it already have pipe,
2706 +@@ -566,7 +569,8 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
2707 + if (uep->pipe) {
2708 + usbhs_pipe_clear(uep->pipe);
2709 + usbhs_pipe_sequence_data0(uep->pipe);
2710 +- return 0;
2711 ++ ret = 0;
2712 ++ goto usbhsg_ep_enable_end;
2713 + }
2714 +
2715 + pipe = usbhs_pipe_malloc(priv,
2716 +@@ -594,6 +598,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
2717 + ret = 0;
2718 + }
2719 +
2720 ++usbhsg_ep_enable_end:
2721 ++ usbhs_unlock(priv, flags);
2722 ++
2723 + return ret;
2724 + }
2725 +
2726 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
2727 +index bcb6f5c2bae4..006a2a721edf 100644
2728 +--- a/drivers/usb/serial/option.c
2729 ++++ b/drivers/usb/serial/option.c
2730 +@@ -274,6 +274,7 @@ static void option_instat_callback(struct urb *urb);
2731 + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045
2732 + #define TELIT_PRODUCT_LE920 0x1200
2733 + #define TELIT_PRODUCT_LE910 0x1201
2734 ++#define TELIT_PRODUCT_LE910_USBCFG4 0x1206
2735 +
2736 + /* ZTE PRODUCTS */
2737 + #define ZTE_VENDOR_ID 0x19d2
2738 +@@ -1206,6 +1207,8 @@ static const struct usb_device_id option_ids[] = {
2739 + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
2740 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
2741 + .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
2742 ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
2743 ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
2744 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
2745 + .driver_info = (kernel_ulong_t)&telit_le920_blacklist },
2746 + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
2747 +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
2748 +index 7d7add5ceba4..148e8ea1bc96 100644
2749 +--- a/drivers/virtio/virtio_balloon.c
2750 ++++ b/drivers/virtio/virtio_balloon.c
2751 +@@ -177,6 +177,8 @@ static void leak_balloon(struct virtio_balloon *vb, size_t num)
2752 + num = min(num, ARRAY_SIZE(vb->pfns));
2753 +
2754 + mutex_lock(&vb->balloon_lock);
2755 ++ /* We can't release more pages than taken */
2756 ++ num = min(num, (size_t)vb->num_pages);
2757 + for (vb->num_pfns = 0; vb->num_pfns < num;
2758 + vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
2759 + page = balloon_page_dequeue(vb_dev_info);
2760 +diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c
2761 +index 8abd7d579037..2e4517277e80 100644
2762 +--- a/drivers/xen/xen-acpi-processor.c
2763 ++++ b/drivers/xen/xen-acpi-processor.c
2764 +@@ -426,36 +426,7 @@ upload:
2765 +
2766 + return 0;
2767 + }
2768 +-static int __init check_prereq(void)
2769 +-{
2770 +- struct cpuinfo_x86 *c = &cpu_data(0);
2771 +-
2772 +- if (!xen_initial_domain())
2773 +- return -ENODEV;
2774 +-
2775 +- if (!acpi_gbl_FADT.smi_command)
2776 +- return -ENODEV;
2777 +-
2778 +- if (c->x86_vendor == X86_VENDOR_INTEL) {
2779 +- if (!cpu_has(c, X86_FEATURE_EST))
2780 +- return -ENODEV;
2781 +
2782 +- return 0;
2783 +- }
2784 +- if (c->x86_vendor == X86_VENDOR_AMD) {
2785 +- /* Copied from powernow-k8.h, can't include ../cpufreq/powernow
2786 +- * as we get compile warnings for the static functions.
2787 +- */
2788 +-#define CPUID_FREQ_VOLT_CAPABILITIES 0x80000007
2789 +-#define USE_HW_PSTATE 0x00000080
2790 +- u32 eax, ebx, ecx, edx;
2791 +- cpuid(CPUID_FREQ_VOLT_CAPABILITIES, &eax, &ebx, &ecx, &edx);
2792 +- if ((edx & USE_HW_PSTATE) != USE_HW_PSTATE)
2793 +- return -ENODEV;
2794 +- return 0;
2795 +- }
2796 +- return -ENODEV;
2797 +-}
2798 + /* acpi_perf_data is a pointer to percpu data. */
2799 + static struct acpi_processor_performance __percpu *acpi_perf_data;
2800 +
2801 +@@ -511,10 +482,10 @@ static struct syscore_ops xap_syscore_ops = {
2802 + static int __init xen_acpi_processor_init(void)
2803 + {
2804 + unsigned int i;
2805 +- int rc = check_prereq();
2806 ++ int rc;
2807 +
2808 +- if (rc)
2809 +- return rc;
2810 ++ if (!xen_initial_domain())
2811 ++ return -ENODEV;
2812 +
2813 + nr_acpi_bits = get_max_acpi_id() + 1;
2814 + acpi_ids_done = kcalloc(BITS_TO_LONGS(nr_acpi_bits), sizeof(unsigned long), GFP_KERNEL);
2815 +diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c
2816 +index 75fe3d466515..ba3fac8318bb 100644
2817 +--- a/drivers/xen/xen-pciback/conf_space.c
2818 ++++ b/drivers/xen/xen-pciback/conf_space.c
2819 +@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev *dev, int offset, int size,
2820 + field_start = OFFSET(cfg_entry);
2821 + field_end = OFFSET(cfg_entry) + field->size;
2822 +
2823 +- if ((req_start >= field_start && req_start < field_end)
2824 +- || (req_end > field_start && req_end <= field_end)) {
2825 ++ if (req_end > field_start && field_end > req_start) {
2826 + err = conf_space_read(dev, cfg_entry, field_start,
2827 + &tmp_val);
2828 + if (err)
2829 +@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_dev *dev, int offset, int size, u32 value)
2830 + field_start = OFFSET(cfg_entry);
2831 + field_end = OFFSET(cfg_entry) + field->size;
2832 +
2833 +- if ((req_start >= field_start && req_start < field_end)
2834 +- || (req_end > field_start && req_end <= field_end)) {
2835 ++ if (req_end > field_start && field_end > req_start) {
2836 + tmp_val = 0;
2837 +
2838 + err = xen_pcibk_config_read(dev, field_start,
2839 +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
2840 +index d05a30072023..7c33afd7d5d3 100644
2841 +--- a/fs/cifs/connect.c
2842 ++++ b/fs/cifs/connect.c
2843 +@@ -408,7 +408,9 @@ cifs_echo_request(struct work_struct *work)
2844 + * server->ops->need_neg() == true. Also, no need to ping if
2845 + * we got a response recently.
2846 + */
2847 +- if (!server->ops->need_neg || server->ops->need_neg(server) ||
2848 ++
2849 ++ if (server->tcpStatus == CifsNeedReconnect ||
2850 ++ server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew ||
2851 + (server->ops->can_echo && !server->ops->can_echo(server)) ||
2852 + time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
2853 + goto requeue_echo;
2854 +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
2855 +index 0c2425b21974..a998c929286f 100644
2856 +--- a/fs/cifs/dir.c
2857 ++++ b/fs/cifs/dir.c
2858 +@@ -227,6 +227,13 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
2859 + goto cifs_create_get_file_info;
2860 + }
2861 +
2862 ++ if (S_ISDIR(newinode->i_mode)) {
2863 ++ CIFSSMBClose(xid, tcon, fid->netfid);
2864 ++ iput(newinode);
2865 ++ rc = -EISDIR;
2866 ++ goto out;
2867 ++ }
2868 ++
2869 + if (!S_ISREG(newinode->i_mode)) {
2870 + /*
2871 + * The server may allow us to open things like
2872 +@@ -391,10 +398,14 @@ cifs_create_set_dentry:
2873 + if (rc != 0) {
2874 + cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n",
2875 + rc);
2876 +- if (server->ops->close)
2877 +- server->ops->close(xid, tcon, fid);
2878 +- goto out;
2879 ++ goto out_err;
2880 + }
2881 ++
2882 ++ if (S_ISDIR(newinode->i_mode)) {
2883 ++ rc = -EISDIR;
2884 ++ goto out_err;
2885 ++ }
2886 ++
2887 + d_drop(direntry);
2888 + d_add(direntry, newinode);
2889 +
2890 +@@ -402,6 +413,13 @@ out:
2891 + kfree(buf);
2892 + kfree(full_path);
2893 + return rc;
2894 ++
2895 ++out_err:
2896 ++ if (server->ops->close)
2897 ++ server->ops->close(xid, tcon, fid);
2898 ++ if (newinode)
2899 ++ iput(newinode);
2900 ++ goto out;
2901 + }
2902 +
2903 + int
2904 +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
2905 +index eb0de4c3ca76..9dd8c968d94e 100644
2906 +--- a/fs/cifs/smb2pdu.c
2907 ++++ b/fs/cifs/smb2pdu.c
2908 +@@ -1250,6 +1250,33 @@ SMB2_echo(struct TCP_Server_Info *server)
2909 +
2910 + cifs_dbg(FYI, "In echo request\n");
2911 +
2912 ++ if (server->tcpStatus == CifsNeedNegotiate) {
2913 ++ struct list_head *tmp, *tmp2;
2914 ++ struct cifs_ses *ses;
2915 ++ struct cifs_tcon *tcon;
2916 ++
2917 ++ cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
2918 ++ spin_lock(&cifs_tcp_ses_lock);
2919 ++ list_for_each(tmp, &server->smb_ses_list) {
2920 ++ ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
2921 ++ list_for_each(tmp2, &ses->tcon_list) {
2922 ++ tcon = list_entry(tmp2, struct cifs_tcon,
2923 ++ tcon_list);
2924 ++ /* add check for persistent handle reconnect */
2925 ++ if (tcon && tcon->need_reconnect) {
2926 ++ spin_unlock(&cifs_tcp_ses_lock);
2927 ++ rc = smb2_reconnect(SMB2_ECHO, tcon);
2928 ++ spin_lock(&cifs_tcp_ses_lock);
2929 ++ }
2930 ++ }
2931 ++ }
2932 ++ spin_unlock(&cifs_tcp_ses_lock);
2933 ++ }
2934 ++
2935 ++ /* if no session, renegotiate failed above */
2936 ++ if (server->tcpStatus == CifsNeedNegotiate)
2937 ++ return -EIO;
2938 ++
2939 + rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
2940 + if (rc)
2941 + return rc;
2942 +diff --git a/fs/dcache.c b/fs/dcache.c
2943 +index 17222fa5bdc6..2d0b9d2f3c43 100644
2944 +--- a/fs/dcache.c
2945 ++++ b/fs/dcache.c
2946 +@@ -1311,7 +1311,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name)
2947 + struct dentry *dentry = __d_alloc(parent->d_sb, name);
2948 + if (!dentry)
2949 + return NULL;
2950 +-
2951 ++ dentry->d_flags |= DCACHE_RCUACCESS;
2952 + spin_lock(&parent->d_lock);
2953 + /*
2954 + * don't need child lock because it is not subject
2955 +@@ -2101,7 +2101,6 @@ static void __d_rehash(struct dentry * entry, struct hlist_bl_head *b)
2956 + {
2957 + BUG_ON(!d_unhashed(entry));
2958 + hlist_bl_lock(b);
2959 +- entry->d_flags |= DCACHE_RCUACCESS;
2960 + hlist_bl_add_head_rcu(&entry->d_hash, b);
2961 + hlist_bl_unlock(b);
2962 + }
2963 +@@ -2285,6 +2284,7 @@ static void __d_move(struct dentry * dentry, struct dentry * target)
2964 +
2965 + /* ... and switch the parents */
2966 + if (IS_ROOT(dentry)) {
2967 ++ dentry->d_flags |= DCACHE_RCUACCESS;
2968 + dentry->d_parent = target->d_parent;
2969 + target->d_parent = target;
2970 + INIT_LIST_HEAD(&target->d_child);
2971 +@@ -2401,6 +2401,7 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
2972 + switch_names(dentry, anon);
2973 + swap(dentry->d_name.hash, anon->d_name.hash);
2974 +
2975 ++ dentry->d_flags |= DCACHE_RCUACCESS;
2976 + dentry->d_parent = dentry;
2977 + list_del_init(&dentry->d_child);
2978 + anon->d_parent = dparent;
2979 +diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
2980 +index 9ff3664bb3ea..d4644cc938ba 100644
2981 +--- a/fs/ecryptfs/file.c
2982 ++++ b/fs/ecryptfs/file.c
2983 +@@ -183,6 +183,19 @@ out:
2984 + return rc;
2985 + }
2986 +
2987 ++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
2988 ++{
2989 ++ struct file *lower_file = ecryptfs_file_to_lower(file);
2990 ++ /*
2991 ++ * Don't allow mmap on top of file systems that don't support it
2992 ++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
2993 ++ * allows recursive mounting, this will need to be extended.
2994 ++ */
2995 ++ if (!lower_file->f_op->mmap)
2996 ++ return -ENODEV;
2997 ++ return generic_file_mmap(file, vma);
2998 ++}
2999 ++
3000 + /**
3001 + * ecryptfs_open
3002 + * @inode: inode speciying file to open
3003 +@@ -358,7 +371,7 @@ const struct file_operations ecryptfs_main_fops = {
3004 + #ifdef CONFIG_COMPAT
3005 + .compat_ioctl = ecryptfs_compat_ioctl,
3006 + #endif
3007 +- .mmap = generic_file_mmap,
3008 ++ .mmap = ecryptfs_mmap,
3009 + .open = ecryptfs_open,
3010 + .flush = ecryptfs_flush,
3011 + .release = ecryptfs_release,
3012 +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
3013 +index df633bb25909..7eea76168d33 100644
3014 +--- a/fs/ext4/extents.c
3015 ++++ b/fs/ext4/extents.c
3016 +@@ -361,9 +361,13 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext)
3017 + ext4_fsblk_t block = ext4_ext_pblock(ext);
3018 + int len = ext4_ext_get_actual_len(ext);
3019 + ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
3020 +- ext4_lblk_t last = lblock + len - 1;
3021 +
3022 +- if (len == 0 || lblock > last)
3023 ++ /*
3024 ++ * We allow neither:
3025 ++ * - zero length
3026 ++ * - overflow/wrap-around
3027 ++ */
3028 ++ if (lblock + len <= lblock)
3029 + return 0;
3030 + return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
3031 + }
3032 +@@ -454,6 +458,10 @@ static int __ext4_ext_check(const char *function, unsigned int line,
3033 + error_msg = "invalid extent entries";
3034 + goto corrupted;
3035 + }
3036 ++ if (unlikely(depth > 32)) {
3037 ++ error_msg = "too large eh_depth";
3038 ++ goto corrupted;
3039 ++ }
3040 + /* Verify checksum on non-root extent tree nodes */
3041 + if (ext_depth(inode) != depth &&
3042 + !ext4_extent_block_csum_verify(inode, eh)) {
3043 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
3044 +index 4d4718cf25ab..00cbc648e1dc 100644
3045 +--- a/fs/ext4/ialloc.c
3046 ++++ b/fs/ext4/ialloc.c
3047 +@@ -1027,11 +1027,13 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino)
3048 + goto iget_failed;
3049 +
3050 + /*
3051 +- * If the orphans has i_nlinks > 0 then it should be able to be
3052 +- * truncated, otherwise it won't be removed from the orphan list
3053 +- * during processing and an infinite loop will result.
3054 ++ * If the orphans has i_nlinks > 0 then it should be able to
3055 ++ * be truncated, otherwise it won't be removed from the orphan
3056 ++ * list during processing and an infinite loop will result.
3057 ++ * Similarly, it must not be a bad inode.
3058 + */
3059 +- if (inode->i_nlink && !ext4_can_truncate(inode))
3060 ++ if ((inode->i_nlink && !ext4_can_truncate(inode)) ||
3061 ++ is_bad_inode(inode))
3062 + goto bad_orphan;
3063 +
3064 + if (NEXT_ORPHAN(inode) > max_ino)
3065 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
3066 +index fb7e576df25c..221b58298847 100644
3067 +--- a/fs/ext4/inode.c
3068 ++++ b/fs/ext4/inode.c
3069 +@@ -206,9 +206,9 @@ void ext4_evict_inode(struct inode *inode)
3070 + * Note that directories do not have this problem because they
3071 + * don't use page cache.
3072 + */
3073 +- if (ext4_should_journal_data(inode) &&
3074 +- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
3075 +- inode->i_ino != EXT4_JOURNAL_INO) {
3076 ++ if (inode->i_ino != EXT4_JOURNAL_INO &&
3077 ++ ext4_should_journal_data(inode) &&
3078 ++ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
3079 + journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
3080 + tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
3081 +
3082 +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
3083 +index 61ee01603940..08b4495c1b12 100644
3084 +--- a/fs/ext4/mballoc.c
3085 ++++ b/fs/ext4/mballoc.c
3086 +@@ -1232,6 +1232,7 @@ static void ext4_mb_unload_buddy(struct ext4_buddy *e4b)
3087 + static int mb_find_order_for_block(struct ext4_buddy *e4b, int block)
3088 + {
3089 + int order = 1;
3090 ++ int bb_incr = 1 << (e4b->bd_blkbits - 1);
3091 + void *bb;
3092 +
3093 + BUG_ON(e4b->bd_bitmap == e4b->bd_buddy);
3094 +@@ -1244,7 +1245,8 @@ static int mb_find_order_for_block(struct ext4_buddy *e4b, int block)
3095 + /* this block is part of buddy of order 'order' */
3096 + return order;
3097 + }
3098 +- bb += 1 << (e4b->bd_blkbits - order);
3099 ++ bb += bb_incr;
3100 ++ bb_incr >>= 1;
3101 + order++;
3102 + }
3103 + return 0;
3104 +@@ -2514,7 +2516,7 @@ int ext4_mb_init(struct super_block *sb)
3105 + {
3106 + struct ext4_sb_info *sbi = EXT4_SB(sb);
3107 + unsigned i, j;
3108 +- unsigned offset;
3109 ++ unsigned offset, offset_incr;
3110 + unsigned max;
3111 + int ret;
3112 +
3113 +@@ -2543,11 +2545,13 @@ int ext4_mb_init(struct super_block *sb)
3114 +
3115 + i = 1;
3116 + offset = 0;
3117 ++ offset_incr = 1 << (sb->s_blocksize_bits - 1);
3118 + max = sb->s_blocksize << 2;
3119 + do {
3120 + sbi->s_mb_offsets[i] = offset;
3121 + sbi->s_mb_maxs[i] = max;
3122 +- offset += 1 << (sb->s_blocksize_bits - i);
3123 ++ offset += offset_incr;
3124 ++ offset_incr = offset_incr >> 1;
3125 + max = max >> 1;
3126 + i++;
3127 + } while (i <= sb->s_blocksize_bits + 1);
3128 +@@ -2872,7 +2876,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
3129 + ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
3130 + "fs metadata", block, block+len);
3131 + /* File system mounted not to panic on error
3132 +- * Fix the bitmap and repeat the block allocation
3133 ++ * Fix the bitmap and return EUCLEAN
3134 + * We leak some of the blocks here.
3135 + */
3136 + ext4_lock_group(sb, ac->ac_b_ex.fe_group);
3137 +@@ -2881,7 +2885,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
3138 + ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
3139 + err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
3140 + if (!err)
3141 +- err = -EAGAIN;
3142 ++ err = -EUCLEAN;
3143 + goto out_err;
3144 + }
3145 +
3146 +@@ -4448,18 +4452,7 @@ repeat:
3147 + }
3148 + if (likely(ac->ac_status == AC_STATUS_FOUND)) {
3149 + *errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
3150 +- if (*errp == -EAGAIN) {
3151 +- /*
3152 +- * drop the reference that we took
3153 +- * in ext4_mb_use_best_found
3154 +- */
3155 +- ext4_mb_release_context(ac);
3156 +- ac->ac_b_ex.fe_group = 0;
3157 +- ac->ac_b_ex.fe_start = 0;
3158 +- ac->ac_b_ex.fe_len = 0;
3159 +- ac->ac_status = AC_STATUS_CONTINUE;
3160 +- goto repeat;
3161 +- } else if (*errp) {
3162 ++ if (*errp) {
3163 + ext4_discard_allocated_blocks(ac);
3164 + goto errout;
3165 + } else {
3166 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
3167 +index 063eb5094a63..15a81897df4e 100644
3168 +--- a/fs/ext4/super.c
3169 ++++ b/fs/ext4/super.c
3170 +@@ -2153,6 +2153,16 @@ static void ext4_orphan_cleanup(struct super_block *sb,
3171 + while (es->s_last_orphan) {
3172 + struct inode *inode;
3173 +
3174 ++ /*
3175 ++ * We may have encountered an error during cleanup; if
3176 ++ * so, skip the rest.
3177 ++ */
3178 ++ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
3179 ++ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
3180 ++ es->s_last_orphan = 0;
3181 ++ break;
3182 ++ }
3183 ++
3184 + inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
3185 + if (IS_ERR(inode)) {
3186 + es->s_last_orphan = 0;
3187 +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
3188 +index 4d371f3b9a45..efe802e5bb3d 100644
3189 +--- a/fs/fuse/inode.c
3190 ++++ b/fs/fuse/inode.c
3191 +@@ -913,7 +913,7 @@ static void fuse_send_init(struct fuse_conn *fc, struct fuse_req *req)
3192 + arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
3193 + FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
3194 + FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
3195 +- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
3196 ++ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
3197 + FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO;
3198 + req->in.h.opcode = FUSE_INIT;
3199 + req->in.numargs = 1;
3200 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
3201 +index d8ac734a1e44..c2b89a1a403b 100644
3202 +--- a/fs/nfs/nfs4proc.c
3203 ++++ b/fs/nfs/nfs4proc.c
3204 +@@ -2332,12 +2332,11 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data)
3205 + call_close |= is_wronly;
3206 + else if (is_wronly)
3207 + calldata->arg.fmode |= FMODE_WRITE;
3208 ++ if (calldata->arg.fmode != (FMODE_READ|FMODE_WRITE))
3209 ++ call_close |= is_rdwr;
3210 + } else if (is_rdwr)
3211 + calldata->arg.fmode |= FMODE_READ|FMODE_WRITE;
3212 +
3213 +- if (calldata->arg.fmode == 0)
3214 +- call_close |= is_rdwr;
3215 +-
3216 + if (!nfs4_valid_open_stateid(state))
3217 + call_close = 0;
3218 + spin_unlock(&state->owner->so_lock);
3219 +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
3220 +index 41e6a04a561f..0f9a5b4ad53b 100644
3221 +--- a/fs/nilfs2/the_nilfs.c
3222 ++++ b/fs/nilfs2/the_nilfs.c
3223 +@@ -431,7 +431,7 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp)
3224 + if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC)
3225 + return 0;
3226 + bytes = le16_to_cpu(sbp->s_bytes);
3227 +- if (bytes > BLOCK_SIZE)
3228 ++ if (bytes < sumoff + 4 || bytes > BLOCK_SIZE)
3229 + return 0;
3230 + crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp,
3231 + sumoff);
3232 +diff --git a/fs/pipe.c b/fs/pipe.c
3233 +index 50267e6ba688..c281867c453e 100644
3234 +--- a/fs/pipe.c
3235 ++++ b/fs/pipe.c
3236 +@@ -39,6 +39,12 @@ unsigned int pipe_max_size = 1048576;
3237 + */
3238 + unsigned int pipe_min_size = PAGE_SIZE;
3239 +
3240 ++/* Maximum allocatable pages per user. Hard limit is unset by default, soft
3241 ++ * matches default values.
3242 ++ */
3243 ++unsigned long pipe_user_pages_hard;
3244 ++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR;
3245 ++
3246 + /*
3247 + * We use a start+len construction, which provides full use of the
3248 + * allocated memory.
3249 +@@ -794,20 +800,49 @@ pipe_fasync(int fd, struct file *filp, int on)
3250 + return retval;
3251 + }
3252 +
3253 ++static void account_pipe_buffers(struct pipe_inode_info *pipe,
3254 ++ unsigned long old, unsigned long new)
3255 ++{
3256 ++ atomic_long_add(new - old, &pipe->user->pipe_bufs);
3257 ++}
3258 ++
3259 ++static bool too_many_pipe_buffers_soft(struct user_struct *user)
3260 ++{
3261 ++ return pipe_user_pages_soft &&
3262 ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft;
3263 ++}
3264 ++
3265 ++static bool too_many_pipe_buffers_hard(struct user_struct *user)
3266 ++{
3267 ++ return pipe_user_pages_hard &&
3268 ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard;
3269 ++}
3270 ++
3271 + struct pipe_inode_info *alloc_pipe_info(void)
3272 + {
3273 + struct pipe_inode_info *pipe;
3274 +
3275 + pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL);
3276 + if (pipe) {
3277 +- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL);
3278 ++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
3279 ++ struct user_struct *user = get_current_user();
3280 ++
3281 ++ if (!too_many_pipe_buffers_hard(user)) {
3282 ++ if (too_many_pipe_buffers_soft(user))
3283 ++ pipe_bufs = 1;
3284 ++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL);
3285 ++ }
3286 ++
3287 + if (pipe->bufs) {
3288 + init_waitqueue_head(&pipe->wait);
3289 + pipe->r_counter = pipe->w_counter = 1;
3290 +- pipe->buffers = PIPE_DEF_BUFFERS;
3291 ++ pipe->buffers = pipe_bufs;
3292 ++ pipe->user = user;
3293 ++ account_pipe_buffers(pipe, 0, pipe_bufs);
3294 + mutex_init(&pipe->mutex);
3295 + return pipe;
3296 + }
3297 ++ free_uid(user);
3298 + kfree(pipe);
3299 + }
3300 +
3301 +@@ -818,6 +853,8 @@ void free_pipe_info(struct pipe_inode_info *pipe)
3302 + {
3303 + int i;
3304 +
3305 ++ account_pipe_buffers(pipe, pipe->buffers, 0);
3306 ++ free_uid(pipe->user);
3307 + for (i = 0; i < pipe->buffers; i++) {
3308 + struct pipe_buffer *buf = pipe->bufs + i;
3309 + if (buf->ops)
3310 +@@ -1208,6 +1245,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
3311 + memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer));
3312 + }
3313 +
3314 ++ account_pipe_buffers(pipe, pipe->buffers, nr_pages);
3315 + pipe->curbuf = 0;
3316 + kfree(pipe->bufs);
3317 + pipe->bufs = bufs;
3318 +@@ -1279,6 +1317,11 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
3319 + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
3320 + ret = -EPERM;
3321 + goto out;
3322 ++ } else if ((too_many_pipe_buffers_hard(pipe->user) ||
3323 ++ too_many_pipe_buffers_soft(pipe->user)) &&
3324 ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
3325 ++ ret = -EPERM;
3326 ++ goto out;
3327 + }
3328 + ret = pipe_set_size(pipe, nr_pages);
3329 + break;
3330 +diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
3331 +index 881324c08430..a335e4e6aba1 100644
3332 +--- a/fs/ubifs/file.c
3333 ++++ b/fs/ubifs/file.c
3334 +@@ -54,6 +54,7 @@
3335 + #include <linux/mount.h>
3336 + #include <linux/namei.h>
3337 + #include <linux/slab.h>
3338 ++#include <linux/migrate.h>
3339 +
3340 + static int read_block(struct inode *inode, void *addr, unsigned int block,
3341 + struct ubifs_data_node *dn)
3342 +@@ -1422,6 +1423,26 @@ static int ubifs_set_page_dirty(struct page *page)
3343 + return ret;
3344 + }
3345 +
3346 ++#ifdef CONFIG_MIGRATION
3347 ++static int ubifs_migrate_page(struct address_space *mapping,
3348 ++ struct page *newpage, struct page *page, enum migrate_mode mode)
3349 ++{
3350 ++ int rc;
3351 ++
3352 ++ rc = migrate_page_move_mapping(mapping, newpage, page, NULL, mode);
3353 ++ if (rc != MIGRATEPAGE_SUCCESS)
3354 ++ return rc;
3355 ++
3356 ++ if (PagePrivate(page)) {
3357 ++ ClearPagePrivate(page);
3358 ++ SetPagePrivate(newpage);
3359 ++ }
3360 ++
3361 ++ migrate_page_copy(newpage, page);
3362 ++ return MIGRATEPAGE_SUCCESS;
3363 ++}
3364 ++#endif
3365 ++
3366 + static int ubifs_releasepage(struct page *page, gfp_t unused_gfp_flags)
3367 + {
3368 + /*
3369 +@@ -1558,6 +1579,9 @@ const struct address_space_operations ubifs_file_address_operations = {
3370 + .write_end = ubifs_write_end,
3371 + .invalidatepage = ubifs_invalidatepage,
3372 + .set_page_dirty = ubifs_set_page_dirty,
3373 ++#ifdef CONFIG_MIGRATION
3374 ++ .migratepage = ubifs_migrate_page,
3375 ++#endif
3376 + .releasepage = ubifs_releasepage,
3377 + };
3378 +
3379 +diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
3380 +index f010ab4594f1..06dec557d247 100644
3381 +--- a/fs/xfs/xfs_inode.c
3382 ++++ b/fs/xfs/xfs_inode.c
3383 +@@ -2604,13 +2604,14 @@ xfs_iflush_cluster(
3384 + * We need to check under the i_flags_lock for a valid inode
3385 + * here. Skip it if it is not valid or the wrong inode.
3386 + */
3387 +- spin_lock(&ip->i_flags_lock);
3388 +- if (!ip->i_ino ||
3389 ++ spin_lock(&iq->i_flags_lock);
3390 ++ if (!iq->i_ino ||
3391 ++ __xfs_iflags_test(iq, XFS_ISTALE) ||
3392 + (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
3393 +- spin_unlock(&ip->i_flags_lock);
3394 ++ spin_unlock(&iq->i_flags_lock);
3395 + continue;
3396 + }
3397 +- spin_unlock(&ip->i_flags_lock);
3398 ++ spin_unlock(&iq->i_flags_lock);
3399 +
3400 + /*
3401 + * Do an un-protected check to see if the inode is dirty and
3402 +@@ -2726,7 +2727,7 @@ xfs_iflush(
3403 + struct xfs_buf **bpp)
3404 + {
3405 + struct xfs_mount *mp = ip->i_mount;
3406 +- struct xfs_buf *bp;
3407 ++ struct xfs_buf *bp = NULL;
3408 + struct xfs_dinode *dip;
3409 + int error;
3410 +
3411 +@@ -2768,14 +2769,22 @@ xfs_iflush(
3412 + }
3413 +
3414 + /*
3415 +- * Get the buffer containing the on-disk inode.
3416 ++ * Get the buffer containing the on-disk inode. We are doing a try-lock
3417 ++ * operation here, so we may get an EAGAIN error. In that case, we
3418 ++ * simply want to return with the inode still dirty.
3419 ++ *
3420 ++ * If we get any other error, we effectively have a corruption situation
3421 ++ * and we cannot flush the inode, so we treat it the same as failing
3422 ++ * xfs_iflush_int().
3423 + */
3424 + error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
3425 + 0);
3426 +- if (error || !bp) {
3427 ++ if (error == EAGAIN) {
3428 + xfs_ifunlock(ip);
3429 + return error;
3430 + }
3431 ++ if (error)
3432 ++ goto corrupt_out;
3433 +
3434 + /*
3435 + * First flush out the inode that xfs_iflush was called with.
3436 +@@ -2803,7 +2812,8 @@ xfs_iflush(
3437 + return 0;
3438 +
3439 + corrupt_out:
3440 +- xfs_buf_relse(bp);
3441 ++ if (bp)
3442 ++ xfs_buf_relse(bp);
3443 + xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
3444 + cluster_corrupt_out:
3445 + error = XFS_ERROR(EFSCORRUPTED);
3446 +diff --git a/include/linux/console.h b/include/linux/console.h
3447 +index 73bab0f58af5..6877ffc97d8c 100644
3448 +--- a/include/linux/console.h
3449 ++++ b/include/linux/console.h
3450 +@@ -153,6 +153,7 @@ extern int console_trylock(void);
3451 + extern void console_unlock(void);
3452 + extern void console_conditional_schedule(void);
3453 + extern void console_unblank(void);
3454 ++extern void console_flush_on_panic(void);
3455 + extern struct tty_driver *console_device(int *);
3456 + extern void console_stop(struct console *);
3457 + extern void console_start(struct console *);
3458 +diff --git a/include/linux/migrate.h b/include/linux/migrate.h
3459 +index a405d3dc0f61..e98692748066 100644
3460 +--- a/include/linux/migrate.h
3461 ++++ b/include/linux/migrate.h
3462 +@@ -55,6 +55,9 @@ extern int migrate_vmas(struct mm_struct *mm,
3463 + extern void migrate_page_copy(struct page *newpage, struct page *page);
3464 + extern int migrate_huge_page_move_mapping(struct address_space *mapping,
3465 + struct page *newpage, struct page *page);
3466 ++extern int migrate_page_move_mapping(struct address_space *mapping,
3467 ++ struct page *newpage, struct page *page,
3468 ++ struct buffer_head *head, enum migrate_mode mode);
3469 + #else
3470 +
3471 + static inline void putback_lru_pages(struct list_head *l) {}
3472 +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
3473 +index dd49566315c6..547a5846e6ac 100644
3474 +--- a/include/linux/netfilter/x_tables.h
3475 ++++ b/include/linux/netfilter/x_tables.h
3476 +@@ -239,11 +239,18 @@ extern void xt_unregister_match(struct xt_match *target);
3477 + extern int xt_register_matches(struct xt_match *match, unsigned int n);
3478 + extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
3479 +
3480 ++int xt_check_entry_offsets(const void *base, const char *elems,
3481 ++ unsigned int target_offset,
3482 ++ unsigned int next_offset);
3483 ++
3484 + extern int xt_check_match(struct xt_mtchk_param *,
3485 + unsigned int size, u_int8_t proto, bool inv_proto);
3486 + extern int xt_check_target(struct xt_tgchk_param *,
3487 + unsigned int size, u_int8_t proto, bool inv_proto);
3488 +
3489 ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
3490 ++ struct xt_counters_info *info, bool compat);
3491 ++
3492 + extern struct xt_table *xt_register_table(struct net *net,
3493 + const struct xt_table *table,
3494 + struct xt_table_info *bootstrap,
3495 +@@ -423,7 +430,7 @@ extern void xt_compat_init_offsets(u_int8_t af, unsigned int number);
3496 + extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
3497 +
3498 + extern int xt_compat_match_offset(const struct xt_match *match);
3499 +-extern int xt_compat_match_from_user(struct xt_entry_match *m,
3500 ++extern void xt_compat_match_from_user(struct xt_entry_match *m,
3501 + void **dstptr, unsigned int *size);
3502 + extern int xt_compat_match_to_user(const struct xt_entry_match *m,
3503 + void __user **dstptr, unsigned int *size);
3504 +@@ -433,6 +440,9 @@ extern void xt_compat_target_from_user(struct xt_entry_target *t,
3505 + void **dstptr, unsigned int *size);
3506 + extern int xt_compat_target_to_user(const struct xt_entry_target *t,
3507 + void __user **dstptr, unsigned int *size);
3508 ++int xt_compat_check_entry_offsets(const void *base, const char *elems,
3509 ++ unsigned int target_offset,
3510 ++ unsigned int next_offset);
3511 +
3512 + #endif /* CONFIG_COMPAT */
3513 + #endif /* _X_TABLES_H */
3514 +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
3515 +index ab5752692113..b3374f63bc36 100644
3516 +--- a/include/linux/pipe_fs_i.h
3517 ++++ b/include/linux/pipe_fs_i.h
3518 +@@ -42,6 +42,7 @@ struct pipe_buffer {
3519 + * @fasync_readers: reader side fasync
3520 + * @fasync_writers: writer side fasync
3521 + * @bufs: the circular array of pipe buffers
3522 ++ * @user: the user who created this pipe
3523 + **/
3524 + struct pipe_inode_info {
3525 + struct mutex mutex;
3526 +@@ -57,6 +58,7 @@ struct pipe_inode_info {
3527 + struct fasync_struct *fasync_readers;
3528 + struct fasync_struct *fasync_writers;
3529 + struct pipe_buffer *bufs;
3530 ++ struct user_struct *user;
3531 + };
3532 +
3533 + /*
3534 +@@ -140,6 +142,8 @@ void pipe_unlock(struct pipe_inode_info *);
3535 + void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *);
3536 +
3537 + extern unsigned int pipe_max_size, pipe_min_size;
3538 ++extern unsigned long pipe_user_pages_hard;
3539 ++extern unsigned long pipe_user_pages_soft;
3540 + int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *);
3541 +
3542 +
3543 +diff --git a/include/linux/sched.h b/include/linux/sched.h
3544 +index 4781332f2e11..7728941e7ddc 100644
3545 +--- a/include/linux/sched.h
3546 ++++ b/include/linux/sched.h
3547 +@@ -671,6 +671,7 @@ struct user_struct {
3548 + #endif
3549 + unsigned long locked_shm; /* How many pages of mlocked shm ? */
3550 + unsigned long unix_inflight; /* How many files in flight in unix sockets */
3551 ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
3552 +
3553 + #ifdef CONFIG_KEYS
3554 + struct key *uid_keyring; /* UID specific keyring */
3555 +diff --git a/include/linux/usb/ehci_def.h b/include/linux/usb/ehci_def.h
3556 +index daec99af5d54..1c88b177cb9c 100644
3557 +--- a/include/linux/usb/ehci_def.h
3558 ++++ b/include/linux/usb/ehci_def.h
3559 +@@ -178,11 +178,11 @@ struct ehci_regs {
3560 + * PORTSCx
3561 + */
3562 + /* HOSTPC: offset 0x84 */
3563 +- u32 hostpc[1]; /* HOSTPC extension */
3564 ++ u32 hostpc[0]; /* HOSTPC extension */
3565 + #define HOSTPC_PHCD (1<<22) /* Phy clock disable */
3566 + #define HOSTPC_PSPD (3<<25) /* Port speed detection */
3567 +
3568 +- u32 reserved5[16];
3569 ++ u32 reserved5[17];
3570 +
3571 + /* USBMODE_EX: offset 0xc8 */
3572 + u32 usbmode_ex; /* USB Device mode extension */
3573 +diff --git a/include/rdma/ib.h b/include/rdma/ib.h
3574 +new file mode 100644
3575 +index 000000000000..f09331ad0aba
3576 +--- /dev/null
3577 ++++ b/include/rdma/ib.h
3578 +@@ -0,0 +1,54 @@
3579 ++/*
3580 ++ * Copyright (c) 2010 Intel Corporation. All rights reserved.
3581 ++ *
3582 ++ * This software is available to you under a choice of one of two
3583 ++ * licenses. You may choose to be licensed under the terms of the GNU
3584 ++ * General Public License (GPL) Version 2, available from the file
3585 ++ * COPYING in the main directory of this source tree, or the
3586 ++ * OpenIB.org BSD license below:
3587 ++ *
3588 ++ * Redistribution and use in source and binary forms, with or
3589 ++ * without modification, are permitted provided that the following
3590 ++ * conditions are met:
3591 ++ *
3592 ++ * - Redistributions of source code must retain the above
3593 ++ * copyright notice, this list of conditions and the following
3594 ++ * disclaimer.
3595 ++ *
3596 ++ * - Redistributions in binary form must reproduce the above
3597 ++ * copyright notice, this list of conditions and the following
3598 ++ * disclaimer in the documentation and/or other materials
3599 ++ * provided with the distribution.
3600 ++ *
3601 ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
3602 ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
3603 ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
3604 ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
3605 ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
3606 ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
3607 ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
3608 ++ * SOFTWARE.
3609 ++ */
3610 ++
3611 ++#if !defined(_RDMA_IB_H)
3612 ++#define _RDMA_IB_H
3613 ++
3614 ++#include <linux/types.h>
3615 ++#include <linux/sched.h>
3616 ++
3617 ++/*
3618 ++ * The IB interfaces that use write() as bi-directional ioctl() are
3619 ++ * fundamentally unsafe, since there are lots of ways to trigger "write()"
3620 ++ * calls from various contexts with elevated privileges. That includes the
3621 ++ * traditional suid executable error message writes, but also various kernel
3622 ++ * interfaces that can write to file descriptors.
3623 ++ *
3624 ++ * This function provides protection for the legacy API by restricting the
3625 ++ * calling context.
3626 ++ */
3627 ++static inline bool ib_safe_file_access(struct file *filp)
3628 ++{
3629 ++ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS);
3630 ++}
3631 ++
3632 ++#endif /* _RDMA_IB_H */
3633 +diff --git a/kernel/module.c b/kernel/module.c
3634 +index f8a4f48b48a9..2c87e521032b 100644
3635 +--- a/kernel/module.c
3636 ++++ b/kernel/module.c
3637 +@@ -2475,13 +2475,18 @@ static inline void kmemleak_load_module(const struct module *mod,
3638 + #endif
3639 +
3640 + #ifdef CONFIG_MODULE_SIG
3641 +-static int module_sig_check(struct load_info *info)
3642 ++static int module_sig_check(struct load_info *info, int flags)
3643 + {
3644 + int err = -ENOKEY;
3645 + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
3646 + const void *mod = info->hdr;
3647 +
3648 +- if (info->len > markerlen &&
3649 ++ /*
3650 ++ * Require flags == 0, as a module with version information
3651 ++ * removed is no longer the module that was signed
3652 ++ */
3653 ++ if (flags == 0 &&
3654 ++ info->len > markerlen &&
3655 + memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
3656 + /* We truncate the module to discard the signature */
3657 + info->len -= markerlen;
3658 +@@ -2503,7 +2508,7 @@ static int module_sig_check(struct load_info *info)
3659 + return err;
3660 + }
3661 + #else /* !CONFIG_MODULE_SIG */
3662 +-static int module_sig_check(struct load_info *info)
3663 ++static int module_sig_check(struct load_info *info, int flags)
3664 + {
3665 + return 0;
3666 + }
3667 +@@ -3228,7 +3233,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
3668 + struct module *mod;
3669 + long err;
3670 +
3671 +- err = module_sig_check(info);
3672 ++ err = module_sig_check(info, flags);
3673 + if (err)
3674 + goto free_copy;
3675 +
3676 +diff --git a/kernel/panic.c b/kernel/panic.c
3677 +index 167ec097ce8b..d3d74c4e2258 100644
3678 +--- a/kernel/panic.c
3679 ++++ b/kernel/panic.c
3680 +@@ -22,6 +22,7 @@
3681 + #include <linux/sysrq.h>
3682 + #include <linux/init.h>
3683 + #include <linux/nmi.h>
3684 ++#include <linux/console.h>
3685 +
3686 + #define PANIC_TIMER_STEP 100
3687 + #define PANIC_BLINK_SPD 18
3688 +@@ -128,6 +129,8 @@ void panic(const char *fmt, ...)
3689 +
3690 + bust_spinlocks(0);
3691 +
3692 ++ console_flush_on_panic();
3693 ++
3694 + if (!panic_blink)
3695 + panic_blink = no_blink;
3696 +
3697 +diff --git a/kernel/printk.c b/kernel/printk.c
3698 +index fd0154a57d6e..ee8f6be7d8a9 100644
3699 +--- a/kernel/printk.c
3700 ++++ b/kernel/printk.c
3701 +@@ -2033,13 +2033,24 @@ void console_unlock(void)
3702 + static u64 seen_seq;
3703 + unsigned long flags;
3704 + bool wake_klogd = false;
3705 +- bool retry;
3706 ++ bool do_cond_resched, retry;
3707 +
3708 + if (console_suspended) {
3709 + up(&console_sem);
3710 + return;
3711 + }
3712 +
3713 ++ /*
3714 ++ * Console drivers are called under logbuf_lock, so
3715 ++ * @console_may_schedule should be cleared before; however, we may
3716 ++ * end up dumping a lot of lines, for example, if called from
3717 ++ * console registration path, and should invoke cond_resched()
3718 ++ * between lines if allowable. Not doing so can cause a very long
3719 ++ * scheduling stall on a slow console leading to RCU stall and
3720 ++ * softlockup warnings which exacerbate the issue with more
3721 ++ * messages practically incapacitating the system.
3722 ++ */
3723 ++ do_cond_resched = console_may_schedule;
3724 + console_may_schedule = 0;
3725 +
3726 + /* flush buffered message fragment immediately to console */
3727 +@@ -2096,6 +2107,9 @@ skip:
3728 + call_console_drivers(level, text, len);
3729 + start_critical_timings();
3730 + local_irq_restore(flags);
3731 ++
3732 ++ if (do_cond_resched)
3733 ++ cond_resched();
3734 + }
3735 + console_locked = 0;
3736 + mutex_release(&console_lock_dep_map, 1, _RET_IP_);
3737 +@@ -2164,6 +2178,25 @@ void console_unblank(void)
3738 + console_unlock();
3739 + }
3740 +
3741 ++/**
3742 ++ * console_flush_on_panic - flush console content on panic
3743 ++ *
3744 ++ * Immediately output all pending messages no matter what.
3745 ++ */
3746 ++void console_flush_on_panic(void)
3747 ++{
3748 ++ /*
3749 ++ * If someone else is holding the console lock, trylock will fail
3750 ++ * and may_schedule may be set. Ignore and proceed to unlock so
3751 ++ * that messages are flushed out. As this can be called from any
3752 ++ * context and we don't want to get preempted while flushing,
3753 ++ * ensure may_schedule is cleared.
3754 ++ */
3755 ++ console_trylock();
3756 ++ console_may_schedule = 0;
3757 ++ console_unlock();
3758 ++}
3759 ++
3760 + /*
3761 + * Return the console tty driver structure and its associated index
3762 + */
3763 +diff --git a/kernel/signal.c b/kernel/signal.c
3764 +index 4d1f7fa3138d..7b81c53b0097 100644
3765 +--- a/kernel/signal.c
3766 ++++ b/kernel/signal.c
3767 +@@ -3004,11 +3004,9 @@ static int do_rt_sigqueueinfo(pid_t pid, int sig, siginfo_t *info)
3768 + * Nor can they impersonate a kill()/tgkill(), which adds source info.
3769 + */
3770 + if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
3771 +- (task_pid_vnr(current) != pid)) {
3772 +- /* We used to allow any < 0 si_code */
3773 +- WARN_ON_ONCE(info->si_code < 0);
3774 ++ (task_pid_vnr(current) != pid))
3775 + return -EPERM;
3776 +- }
3777 ++
3778 + info->si_signo = sig;
3779 +
3780 + /* POSIX.1b doesn't mention process groups. */
3781 +@@ -3053,12 +3051,10 @@ static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
3782 + /* Not even root can pretend to send signals from the kernel.
3783 + * Nor can they impersonate a kill()/tgkill(), which adds source info.
3784 + */
3785 +- if (((info->si_code >= 0 || info->si_code == SI_TKILL)) &&
3786 +- (task_pid_vnr(current) != pid)) {
3787 +- /* We used to allow any < 0 si_code */
3788 +- WARN_ON_ONCE(info->si_code < 0);
3789 ++ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
3790 ++ (task_pid_vnr(current) != pid))
3791 + return -EPERM;
3792 +- }
3793 ++
3794 + info->si_signo = sig;
3795 +
3796 + return do_send_specific(tgid, pid, sig, info);
3797 +diff --git a/kernel/sysctl.c b/kernel/sysctl.c
3798 +index 9469f4c61a30..4fd49fe1046d 100644
3799 +--- a/kernel/sysctl.c
3800 ++++ b/kernel/sysctl.c
3801 +@@ -1632,6 +1632,20 @@ static struct ctl_table fs_table[] = {
3802 + .proc_handler = &pipe_proc_fn,
3803 + .extra1 = &pipe_min_size,
3804 + },
3805 ++ {
3806 ++ .procname = "pipe-user-pages-hard",
3807 ++ .data = &pipe_user_pages_hard,
3808 ++ .maxlen = sizeof(pipe_user_pages_hard),
3809 ++ .mode = 0644,
3810 ++ .proc_handler = proc_doulongvec_minmax,
3811 ++ },
3812 ++ {
3813 ++ .procname = "pipe-user-pages-soft",
3814 ++ .data = &pipe_user_pages_soft,
3815 ++ .maxlen = sizeof(pipe_user_pages_soft),
3816 ++ .mode = 0644,
3817 ++ .proc_handler = proc_doulongvec_minmax,
3818 ++ },
3819 + { }
3820 + };
3821 +
3822 +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
3823 +index fdb23e84b011..7be4d67cecbd 100644
3824 +--- a/kernel/trace/trace_printk.c
3825 ++++ b/kernel/trace/trace_printk.c
3826 +@@ -38,6 +38,10 @@ struct trace_bprintk_fmt {
3827 + static inline struct trace_bprintk_fmt *lookup_format(const char *fmt)
3828 + {
3829 + struct trace_bprintk_fmt *pos;
3830 ++
3831 ++ if (!fmt)
3832 ++ return ERR_PTR(-EINVAL);
3833 ++
3834 + list_for_each_entry(pos, &trace_bprintk_fmt_list, list) {
3835 + if (!strcmp(pos->fmt, fmt))
3836 + return pos;
3837 +@@ -59,7 +63,8 @@ void hold_module_trace_bprintk_format(const char **start, const char **end)
3838 + for (iter = start; iter < end; iter++) {
3839 + struct trace_bprintk_fmt *tb_fmt = lookup_format(*iter);
3840 + if (tb_fmt) {
3841 +- *iter = tb_fmt->fmt;
3842 ++ if (!IS_ERR(tb_fmt))
3843 ++ *iter = tb_fmt->fmt;
3844 + continue;
3845 + }
3846 +
3847 +diff --git a/lib/dma-debug.c b/lib/dma-debug.c
3848 +index eb43517bf261..c32437f6be61 100644
3849 +--- a/lib/dma-debug.c
3850 ++++ b/lib/dma-debug.c
3851 +@@ -445,9 +445,9 @@ static struct dma_debug_entry *dma_entry_alloc(void)
3852 + spin_lock_irqsave(&free_entries_lock, flags);
3853 +
3854 + if (list_empty(&free_entries)) {
3855 +- pr_err("DMA-API: debugging out of memory - disabling\n");
3856 + global_disable = true;
3857 + spin_unlock_irqrestore(&free_entries_lock, flags);
3858 ++ pr_err("DMA-API: debugging out of memory - disabling\n");
3859 + return NULL;
3860 + }
3861 +
3862 +diff --git a/mm/migrate.c b/mm/migrate.c
3863 +index a88c12f2235d..808f8abb1b8f 100644
3864 +--- a/mm/migrate.c
3865 ++++ b/mm/migrate.c
3866 +@@ -30,6 +30,7 @@
3867 + #include <linux/mempolicy.h>
3868 + #include <linux/vmalloc.h>
3869 + #include <linux/security.h>
3870 ++#include <linux/backing-dev.h>
3871 + #include <linux/memcontrol.h>
3872 + #include <linux/syscalls.h>
3873 + #include <linux/hugetlb.h>
3874 +@@ -307,10 +308,12 @@ static inline bool buffer_migrate_lock_buffers(struct buffer_head *head,
3875 + * 2 for pages with a mapping
3876 + * 3 for pages with a mapping and PagePrivate/PagePrivate2 set.
3877 + */
3878 +-static int migrate_page_move_mapping(struct address_space *mapping,
3879 ++int migrate_page_move_mapping(struct address_space *mapping,
3880 + struct page *newpage, struct page *page,
3881 + struct buffer_head *head, enum migrate_mode mode)
3882 + {
3883 ++ struct zone *oldzone, *newzone;
3884 ++ int dirty;
3885 + int expected_count = 0;
3886 + void **pslot;
3887 +
3888 +@@ -321,6 +324,9 @@ static int migrate_page_move_mapping(struct address_space *mapping,
3889 + return MIGRATEPAGE_SUCCESS;
3890 + }
3891 +
3892 ++ oldzone = page_zone(page);
3893 ++ newzone = page_zone(newpage);
3894 ++
3895 + spin_lock_irq(&mapping->tree_lock);
3896 +
3897 + pslot = radix_tree_lookup_slot(&mapping->page_tree,
3898 +@@ -361,6 +367,13 @@ static int migrate_page_move_mapping(struct address_space *mapping,
3899 + set_page_private(newpage, page_private(page));
3900 + }
3901 +
3902 ++ /* Move dirty while page refs frozen and newpage not yet exposed */
3903 ++ dirty = PageDirty(page);
3904 ++ if (dirty) {
3905 ++ ClearPageDirty(page);
3906 ++ SetPageDirty(newpage);
3907 ++ }
3908 ++
3909 + radix_tree_replace_slot(pslot, newpage);
3910 +
3911 + /*
3912 +@@ -370,6 +383,9 @@ static int migrate_page_move_mapping(struct address_space *mapping,
3913 + */
3914 + page_unfreeze_refs(page, expected_count - 1);
3915 +
3916 ++ spin_unlock(&mapping->tree_lock);
3917 ++ /* Leave irq disabled to prevent preemption while updating stats */
3918 ++
3919 + /*
3920 + * If moved to a different zone then also account
3921 + * the page for that zone. Other VM counters will be
3922 +@@ -380,16 +396,23 @@ static int migrate_page_move_mapping(struct address_space *mapping,
3923 + * via NR_FILE_PAGES and NR_ANON_PAGES if they
3924 + * are mapped to swap space.
3925 + */
3926 +- __dec_zone_page_state(page, NR_FILE_PAGES);
3927 +- __inc_zone_page_state(newpage, NR_FILE_PAGES);
3928 +- if (!PageSwapCache(page) && PageSwapBacked(page)) {
3929 +- __dec_zone_page_state(page, NR_SHMEM);
3930 +- __inc_zone_page_state(newpage, NR_SHMEM);
3931 ++ if (newzone != oldzone) {
3932 ++ __dec_zone_state(oldzone, NR_FILE_PAGES);
3933 ++ __inc_zone_state(newzone, NR_FILE_PAGES);
3934 ++ if (PageSwapBacked(page) && !PageSwapCache(page)) {
3935 ++ __dec_zone_state(oldzone, NR_SHMEM);
3936 ++ __inc_zone_state(newzone, NR_SHMEM);
3937 ++ }
3938 ++ if (dirty && mapping_cap_account_dirty(mapping)) {
3939 ++ __dec_zone_state(oldzone, NR_FILE_DIRTY);
3940 ++ __inc_zone_state(newzone, NR_FILE_DIRTY);
3941 ++ }
3942 + }
3943 +- spin_unlock_irq(&mapping->tree_lock);
3944 ++ local_irq_enable();
3945 +
3946 + return MIGRATEPAGE_SUCCESS;
3947 + }
3948 ++EXPORT_SYMBOL(migrate_page_move_mapping);
3949 +
3950 + /*
3951 + * The expected number of remaining references is the same as that
3952 +@@ -460,20 +483,9 @@ void migrate_page_copy(struct page *newpage, struct page *page)
3953 + if (PageMappedToDisk(page))
3954 + SetPageMappedToDisk(newpage);
3955 +
3956 +- if (PageDirty(page)) {
3957 +- clear_page_dirty_for_io(page);
3958 +- /*
3959 +- * Want to mark the page and the radix tree as dirty, and
3960 +- * redo the accounting that clear_page_dirty_for_io undid,
3961 +- * but we can't use set_page_dirty because that function
3962 +- * is actually a signal that all of the page has become dirty.
3963 +- * Whereas only part of our page may be dirty.
3964 +- */
3965 +- if (PageSwapBacked(page))
3966 +- SetPageDirty(newpage);
3967 +- else
3968 +- __set_page_dirty_nobuffers(newpage);
3969 +- }
3970 ++ /* Move dirty on pages not done by migrate_page_move_mapping() */
3971 ++ if (PageDirty(page))
3972 ++ SetPageDirty(newpage);
3973 +
3974 + mlock_migrate_page(newpage, page);
3975 + ksm_migrate_page(newpage, page);
3976 +@@ -492,6 +504,7 @@ void migrate_page_copy(struct page *newpage, struct page *page)
3977 + if (PageWriteback(newpage))
3978 + end_page_writeback(newpage);
3979 + }
3980 ++EXPORT_SYMBOL(migrate_page_copy);
3981 +
3982 + /************************************************************
3983 + * Migration functions
3984 +diff --git a/mm/shmem.c b/mm/shmem.c
3985 +index 4e4a7349c5cd..cc02b6c6eec4 100644
3986 +--- a/mm/shmem.c
3987 ++++ b/mm/shmem.c
3988 +@@ -1948,9 +1948,11 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
3989 + NULL);
3990 + if (error) {
3991 + /* Remove the !PageUptodate pages we added */
3992 +- shmem_undo_range(inode,
3993 +- (loff_t)start << PAGE_CACHE_SHIFT,
3994 +- (loff_t)index << PAGE_CACHE_SHIFT, true);
3995 ++ if (index > start) {
3996 ++ shmem_undo_range(inode,
3997 ++ (loff_t)start << PAGE_CACHE_SHIFT,
3998 ++ ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
3999 ++ }
4000 + goto undone;
4001 + }
4002 +
4003 +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
4004 +index 5f36f70ce44d..4b966c6c0145 100644
4005 +--- a/net/bluetooth/l2cap_sock.c
4006 ++++ b/net/bluetooth/l2cap_sock.c
4007 +@@ -725,7 +725,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
4008 + break;
4009 + }
4010 +
4011 +- if (get_user(opt, (u32 __user *) optval)) {
4012 ++ if (get_user(opt, (u16 __user *) optval)) {
4013 + err = -EFAULT;
4014 + break;
4015 + }
4016 +diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
4017 +index 7ec4e0522215..c1de8d404c47 100644
4018 +--- a/net/ceph/osdmap.c
4019 ++++ b/net/ceph/osdmap.c
4020 +@@ -798,6 +798,110 @@ bad:
4021 + }
4022 +
4023 + /*
4024 ++ * Encoding order is (new_up_client, new_state, new_weight). Need to
4025 ++ * apply in the (new_weight, new_state, new_up_client) order, because
4026 ++ * an incremental map may look like e.g.
4027 ++ *
4028 ++ * new_up_client: { osd=6, addr=... } # set osd_state and addr
4029 ++ * new_state: { osd=6, xorstate=EXISTS } # clear osd_state
4030 ++ */
4031 ++static int decode_new_up_state_weight(void **p, void *end,
4032 ++ struct ceph_osdmap *map)
4033 ++{
4034 ++ void *new_up_client;
4035 ++ void *new_state;
4036 ++ void *new_weight_end;
4037 ++ u32 len;
4038 ++
4039 ++ new_up_client = *p;
4040 ++ ceph_decode_32_safe(p, end, len, e_inval);
4041 ++ len *= sizeof(u32) + sizeof(struct ceph_entity_addr);
4042 ++ ceph_decode_need(p, end, len, e_inval);
4043 ++ *p += len;
4044 ++
4045 ++ new_state = *p;
4046 ++ ceph_decode_32_safe(p, end, len, e_inval);
4047 ++ len *= sizeof(u32) + sizeof(u8);
4048 ++ ceph_decode_need(p, end, len, e_inval);
4049 ++ *p += len;
4050 ++
4051 ++ /* new_weight */
4052 ++ ceph_decode_32_safe(p, end, len, e_inval);
4053 ++ while (len--) {
4054 ++ s32 osd;
4055 ++ u32 w;
4056 ++
4057 ++ ceph_decode_need(p, end, 2*sizeof(u32), e_inval);
4058 ++ osd = ceph_decode_32(p);
4059 ++ w = ceph_decode_32(p);
4060 ++ BUG_ON(osd >= map->max_osd);
4061 ++ pr_info("osd%d weight 0x%x %s\n", osd, w,
4062 ++ w == CEPH_OSD_IN ? "(in)" :
4063 ++ (w == CEPH_OSD_OUT ? "(out)" : ""));
4064 ++ map->osd_weight[osd] = w;
4065 ++
4066 ++ /*
4067 ++ * If we are marking in, set the EXISTS, and clear the
4068 ++ * AUTOOUT and NEW bits.
4069 ++ */
4070 ++ if (w) {
4071 ++ map->osd_state[osd] |= CEPH_OSD_EXISTS;
4072 ++ map->osd_state[osd] &= ~(CEPH_OSD_AUTOOUT |
4073 ++ CEPH_OSD_NEW);
4074 ++ }
4075 ++ }
4076 ++ new_weight_end = *p;
4077 ++
4078 ++ /* new_state (up/down) */
4079 ++ *p = new_state;
4080 ++ len = ceph_decode_32(p);
4081 ++ while (len--) {
4082 ++ s32 osd;
4083 ++ u8 xorstate;
4084 ++
4085 ++ osd = ceph_decode_32(p);
4086 ++ xorstate = ceph_decode_8(p);
4087 ++ if (xorstate == 0)
4088 ++ xorstate = CEPH_OSD_UP;
4089 ++ BUG_ON(osd >= map->max_osd);
4090 ++ if ((map->osd_state[osd] & CEPH_OSD_UP) &&
4091 ++ (xorstate & CEPH_OSD_UP))
4092 ++ pr_info("osd%d down\n", osd);
4093 ++ if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
4094 ++ (xorstate & CEPH_OSD_EXISTS)) {
4095 ++ pr_info("osd%d does not exist\n", osd);
4096 ++ map->osd_weight[osd] = CEPH_OSD_IN;
4097 ++ memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr));
4098 ++ map->osd_state[osd] = 0;
4099 ++ } else {
4100 ++ map->osd_state[osd] ^= xorstate;
4101 ++ }
4102 ++ }
4103 ++
4104 ++ /* new_up_client */
4105 ++ *p = new_up_client;
4106 ++ len = ceph_decode_32(p);
4107 ++ while (len--) {
4108 ++ s32 osd;
4109 ++ struct ceph_entity_addr addr;
4110 ++
4111 ++ osd = ceph_decode_32(p);
4112 ++ ceph_decode_copy(p, &addr, sizeof(addr));
4113 ++ ceph_decode_addr(&addr);
4114 ++ BUG_ON(osd >= map->max_osd);
4115 ++ pr_info("osd%d up\n", osd);
4116 ++ map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP;
4117 ++ map->osd_addr[osd] = addr;
4118 ++ }
4119 ++
4120 ++ *p = new_weight_end;
4121 ++ return 0;
4122 ++
4123 ++e_inval:
4124 ++ return -EINVAL;
4125 ++}
4126 ++
4127 ++/*
4128 + * decode and apply an incremental map update.
4129 + */
4130 + struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
4131 +@@ -912,50 +1016,10 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
4132 + __remove_pg_pool(&map->pg_pools, pi);
4133 + }
4134 +
4135 +- /* new_up */
4136 +- err = -EINVAL;
4137 +- ceph_decode_32_safe(p, end, len, bad);
4138 +- while (len--) {
4139 +- u32 osd;
4140 +- struct ceph_entity_addr addr;
4141 +- ceph_decode_32_safe(p, end, osd, bad);
4142 +- ceph_decode_copy_safe(p, end, &addr, sizeof(addr), bad);
4143 +- ceph_decode_addr(&addr);
4144 +- pr_info("osd%d up\n", osd);
4145 +- BUG_ON(osd >= map->max_osd);
4146 +- map->osd_state[osd] |= CEPH_OSD_UP;
4147 +- map->osd_addr[osd] = addr;
4148 +- }
4149 +-
4150 +- /* new_state */
4151 +- ceph_decode_32_safe(p, end, len, bad);
4152 +- while (len--) {
4153 +- u32 osd;
4154 +- u8 xorstate;
4155 +- ceph_decode_32_safe(p, end, osd, bad);
4156 +- xorstate = **(u8 **)p;
4157 +- (*p)++; /* clean flag */
4158 +- if (xorstate == 0)
4159 +- xorstate = CEPH_OSD_UP;
4160 +- if (xorstate & CEPH_OSD_UP)
4161 +- pr_info("osd%d down\n", osd);
4162 +- if (osd < map->max_osd)
4163 +- map->osd_state[osd] ^= xorstate;
4164 +- }
4165 +-
4166 +- /* new_weight */
4167 +- ceph_decode_32_safe(p, end, len, bad);
4168 +- while (len--) {
4169 +- u32 osd, off;
4170 +- ceph_decode_need(p, end, sizeof(u32)*2, bad);
4171 +- osd = ceph_decode_32(p);
4172 +- off = ceph_decode_32(p);
4173 +- pr_info("osd%d weight 0x%x %s\n", osd, off,
4174 +- off == CEPH_OSD_IN ? "(in)" :
4175 +- (off == CEPH_OSD_OUT ? "(out)" : ""));
4176 +- if (osd < map->max_osd)
4177 +- map->osd_weight[osd] = off;
4178 +- }
4179 ++ /* new_up_client, new_state, new_weight */
4180 ++ err = decode_new_up_state_weight(p, end, map);
4181 ++ if (err)
4182 ++ goto bad;
4183 +
4184 + /* new_pg_temp */
4185 + ceph_decode_32_safe(p, end, len, bad);
4186 +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
4187 +index b31553d385bb..89570f070e0e 100644
4188 +--- a/net/ipv4/ipmr.c
4189 ++++ b/net/ipv4/ipmr.c
4190 +@@ -881,8 +881,10 @@ static struct mfc_cache *ipmr_cache_alloc(void)
4191 + {
4192 + struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
4193 +
4194 +- if (c)
4195 ++ if (c) {
4196 ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
4197 + c->mfc_un.res.minvif = MAXVIFS;
4198 ++ }
4199 + return c;
4200 + }
4201 +
4202 +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
4203 +index c8abe31961ed..95a5f261fe8a 100644
4204 +--- a/net/ipv4/netfilter/arp_tables.c
4205 ++++ b/net/ipv4/netfilter/arp_tables.c
4206 +@@ -350,11 +350,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
4207 + }
4208 +
4209 + /* All zeroes == unconditional rule. */
4210 +-static inline bool unconditional(const struct arpt_arp *arp)
4211 ++static inline bool unconditional(const struct arpt_entry *e)
4212 + {
4213 + static const struct arpt_arp uncond;
4214 +
4215 +- return memcmp(arp, &uncond, sizeof(uncond)) == 0;
4216 ++ return e->target_offset == sizeof(struct arpt_entry) &&
4217 ++ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
4218 + }
4219 +
4220 + /* Figures out from what hook each rule can be called: returns 0 if
4221 +@@ -393,11 +394,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
4222 + |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
4223 +
4224 + /* Unconditional return/END. */
4225 +- if ((e->target_offset == sizeof(struct arpt_entry) &&
4226 ++ if ((unconditional(e) &&
4227 + (strcmp(t->target.u.user.name,
4228 + XT_STANDARD_TARGET) == 0) &&
4229 +- t->verdict < 0 && unconditional(&e->arp)) ||
4230 +- visited) {
4231 ++ t->verdict < 0) || visited) {
4232 + unsigned int oldpos, size;
4233 +
4234 + if ((strcmp(t->target.u.user.name,
4235 +@@ -430,6 +430,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
4236 + size = e->next_offset;
4237 + e = (struct arpt_entry *)
4238 + (entry0 + pos + size);
4239 ++ if (pos + size >= newinfo->size)
4240 ++ return 0;
4241 + e->counters.pcnt = pos;
4242 + pos += size;
4243 + } else {
4244 +@@ -452,6 +454,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
4245 + } else {
4246 + /* ... this is a fallthru */
4247 + newpos = pos + e->next_offset;
4248 ++ if (newpos >= newinfo->size)
4249 ++ return 0;
4250 + }
4251 + e = (struct arpt_entry *)
4252 + (entry0 + newpos);
4253 +@@ -465,25 +469,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
4254 + return 1;
4255 + }
4256 +
4257 +-static inline int check_entry(const struct arpt_entry *e, const char *name)
4258 +-{
4259 +- const struct xt_entry_target *t;
4260 +-
4261 +- if (!arp_checkentry(&e->arp)) {
4262 +- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
4263 +- return -EINVAL;
4264 +- }
4265 +-
4266 +- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
4267 +- return -EINVAL;
4268 +-
4269 +- t = arpt_get_target_c(e);
4270 +- if (e->target_offset + t->u.target_size > e->next_offset)
4271 +- return -EINVAL;
4272 +-
4273 +- return 0;
4274 +-}
4275 +-
4276 + static inline int check_target(struct arpt_entry *e, const char *name)
4277 + {
4278 + struct xt_entry_target *t = arpt_get_target(e);
4279 +@@ -513,10 +498,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
4280 + struct xt_target *target;
4281 + int ret;
4282 +
4283 +- ret = check_entry(e, name);
4284 +- if (ret)
4285 +- return ret;
4286 +-
4287 + t = arpt_get_target(e);
4288 + target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
4289 + t->u.user.revision);
4290 +@@ -542,7 +523,7 @@ static bool check_underflow(const struct arpt_entry *e)
4291 + const struct xt_entry_target *t;
4292 + unsigned int verdict;
4293 +
4294 +- if (!unconditional(&e->arp))
4295 ++ if (!unconditional(e))
4296 + return false;
4297 + t = arpt_get_target_c(e);
4298 + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
4299 +@@ -561,9 +542,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
4300 + unsigned int valid_hooks)
4301 + {
4302 + unsigned int h;
4303 ++ int err;
4304 +
4305 + if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
4306 +- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
4307 ++ (unsigned char *)e + sizeof(struct arpt_entry) >= limit ||
4308 ++ (unsigned char *)e + e->next_offset > limit) {
4309 + duprintf("Bad offset %p\n", e);
4310 + return -EINVAL;
4311 + }
4312 +@@ -575,6 +558,14 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
4313 + return -EINVAL;
4314 + }
4315 +
4316 ++ if (!arp_checkentry(&e->arp))
4317 ++ return -EINVAL;
4318 ++
4319 ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
4320 ++ e->next_offset);
4321 ++ if (err)
4322 ++ return err;
4323 ++
4324 + /* Check hooks & underflows */
4325 + for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
4326 + if (!(valid_hooks & (1 << h)))
4327 +@@ -583,9 +574,9 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
4328 + newinfo->hook_entry[h] = hook_entries[h];
4329 + if ((unsigned char *)e - base == underflows[h]) {
4330 + if (!check_underflow(e)) {
4331 +- pr_err("Underflows must be unconditional and "
4332 +- "use the STANDARD target with "
4333 +- "ACCEPT/DROP\n");
4334 ++ pr_debug("Underflows must be unconditional and "
4335 ++ "use the STANDARD target with "
4336 ++ "ACCEPT/DROP\n");
4337 + return -EINVAL;
4338 + }
4339 + newinfo->underflow[h] = underflows[h];
4340 +@@ -675,10 +666,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
4341 + }
4342 + }
4343 +
4344 +- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
4345 +- duprintf("Looping hook\n");
4346 ++ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
4347 + return -ELOOP;
4348 +- }
4349 +
4350 + /* Finally, each sanity check must pass */
4351 + i = 0;
4352 +@@ -1071,6 +1060,9 @@ static int do_replace(struct net *net, const void __user *user,
4353 + /* overflow check */
4354 + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
4355 + return -ENOMEM;
4356 ++ if (tmp.num_counters == 0)
4357 ++ return -EINVAL;
4358 ++
4359 + tmp.name[sizeof(tmp.name)-1] = 0;
4360 +
4361 + newinfo = xt_alloc_table_info(tmp.size);
4362 +@@ -1111,56 +1103,18 @@ static int do_add_counters(struct net *net, const void __user *user,
4363 + unsigned int i, curcpu;
4364 + struct xt_counters_info tmp;
4365 + struct xt_counters *paddc;
4366 +- unsigned int num_counters;
4367 +- const char *name;
4368 +- int size;
4369 +- void *ptmp;
4370 + struct xt_table *t;
4371 + const struct xt_table_info *private;
4372 + int ret = 0;
4373 + void *loc_cpu_entry;
4374 + struct arpt_entry *iter;
4375 + unsigned int addend;
4376 +-#ifdef CONFIG_COMPAT
4377 +- struct compat_xt_counters_info compat_tmp;
4378 +-
4379 +- if (compat) {
4380 +- ptmp = &compat_tmp;
4381 +- size = sizeof(struct compat_xt_counters_info);
4382 +- } else
4383 +-#endif
4384 +- {
4385 +- ptmp = &tmp;
4386 +- size = sizeof(struct xt_counters_info);
4387 +- }
4388 +
4389 +- if (copy_from_user(ptmp, user, size) != 0)
4390 +- return -EFAULT;
4391 ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
4392 ++ if (IS_ERR(paddc))
4393 ++ return PTR_ERR(paddc);
4394 +
4395 +-#ifdef CONFIG_COMPAT
4396 +- if (compat) {
4397 +- num_counters = compat_tmp.num_counters;
4398 +- name = compat_tmp.name;
4399 +- } else
4400 +-#endif
4401 +- {
4402 +- num_counters = tmp.num_counters;
4403 +- name = tmp.name;
4404 +- }
4405 +-
4406 +- if (len != size + num_counters * sizeof(struct xt_counters))
4407 +- return -EINVAL;
4408 +-
4409 +- paddc = vmalloc(len - size);
4410 +- if (!paddc)
4411 +- return -ENOMEM;
4412 +-
4413 +- if (copy_from_user(paddc, user + size, len - size) != 0) {
4414 +- ret = -EFAULT;
4415 +- goto free;
4416 +- }
4417 +-
4418 +- t = xt_find_table_lock(net, NFPROTO_ARP, name);
4419 ++ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name);
4420 + if (IS_ERR_OR_NULL(t)) {
4421 + ret = t ? PTR_ERR(t) : -ENOENT;
4422 + goto free;
4423 +@@ -1168,7 +1122,7 @@ static int do_add_counters(struct net *net, const void __user *user,
4424 +
4425 + local_bh_disable();
4426 + private = t->private;
4427 +- if (private->number != num_counters) {
4428 ++ if (private->number != tmp.num_counters) {
4429 + ret = -EINVAL;
4430 + goto unlock_up_free;
4431 + }
4432 +@@ -1194,6 +1148,18 @@ static int do_add_counters(struct net *net, const void __user *user,
4433 + }
4434 +
4435 + #ifdef CONFIG_COMPAT
4436 ++struct compat_arpt_replace {
4437 ++ char name[XT_TABLE_MAXNAMELEN];
4438 ++ u32 valid_hooks;
4439 ++ u32 num_entries;
4440 ++ u32 size;
4441 ++ u32 hook_entry[NF_ARP_NUMHOOKS];
4442 ++ u32 underflow[NF_ARP_NUMHOOKS];
4443 ++ u32 num_counters;
4444 ++ compat_uptr_t counters;
4445 ++ struct compat_arpt_entry entries[0];
4446 ++};
4447 ++
4448 + static inline void compat_release_entry(struct compat_arpt_entry *e)
4449 + {
4450 + struct xt_entry_target *t;
4451 +@@ -1202,24 +1168,22 @@ static inline void compat_release_entry(struct compat_arpt_entry *e)
4452 + module_put(t->u.kernel.target->me);
4453 + }
4454 +
4455 +-static inline int
4456 ++static int
4457 + check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
4458 + struct xt_table_info *newinfo,
4459 + unsigned int *size,
4460 + const unsigned char *base,
4461 +- const unsigned char *limit,
4462 +- const unsigned int *hook_entries,
4463 +- const unsigned int *underflows,
4464 +- const char *name)
4465 ++ const unsigned char *limit)
4466 + {
4467 + struct xt_entry_target *t;
4468 + struct xt_target *target;
4469 + unsigned int entry_offset;
4470 +- int ret, off, h;
4471 ++ int ret, off;
4472 +
4473 + duprintf("check_compat_entry_size_and_hooks %p\n", e);
4474 + if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
4475 +- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
4476 ++ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit ||
4477 ++ (unsigned char *)e + e->next_offset > limit) {
4478 + duprintf("Bad offset %p, limit = %p\n", e, limit);
4479 + return -EINVAL;
4480 + }
4481 +@@ -1231,8 +1195,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
4482 + return -EINVAL;
4483 + }
4484 +
4485 +- /* For purposes of check_entry casting the compat entry is fine */
4486 +- ret = check_entry((struct arpt_entry *)e, name);
4487 ++ if (!arp_checkentry(&e->arp))
4488 ++ return -EINVAL;
4489 ++
4490 ++ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,
4491 ++ e->next_offset);
4492 + if (ret)
4493 + return ret;
4494 +
4495 +@@ -1256,17 +1223,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
4496 + if (ret)
4497 + goto release_target;
4498 +
4499 +- /* Check hooks & underflows */
4500 +- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
4501 +- if ((unsigned char *)e - base == hook_entries[h])
4502 +- newinfo->hook_entry[h] = hook_entries[h];
4503 +- if ((unsigned char *)e - base == underflows[h])
4504 +- newinfo->underflow[h] = underflows[h];
4505 +- }
4506 +-
4507 +- /* Clear counters and comefrom */
4508 +- memset(&e->counters, 0, sizeof(e->counters));
4509 +- e->comefrom = 0;
4510 + return 0;
4511 +
4512 + release_target:
4513 +@@ -1275,18 +1231,17 @@ out:
4514 + return ret;
4515 + }
4516 +
4517 +-static int
4518 ++static void
4519 + compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
4520 +- unsigned int *size, const char *name,
4521 ++ unsigned int *size,
4522 + struct xt_table_info *newinfo, unsigned char *base)
4523 + {
4524 + struct xt_entry_target *t;
4525 + struct xt_target *target;
4526 + struct arpt_entry *de;
4527 + unsigned int origsize;
4528 +- int ret, h;
4529 ++ int h;
4530 +
4531 +- ret = 0;
4532 + origsize = *size;
4533 + de = (struct arpt_entry *)*dstptr;
4534 + memcpy(de, e, sizeof(struct arpt_entry));
4535 +@@ -1307,144 +1262,81 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
4536 + if ((unsigned char *)de - base < newinfo->underflow[h])
4537 + newinfo->underflow[h] -= origsize - *size;
4538 + }
4539 +- return ret;
4540 + }
4541 +
4542 +-static int translate_compat_table(const char *name,
4543 +- unsigned int valid_hooks,
4544 +- struct xt_table_info **pinfo,
4545 ++static int translate_compat_table(struct xt_table_info **pinfo,
4546 + void **pentry0,
4547 +- unsigned int total_size,
4548 +- unsigned int number,
4549 +- unsigned int *hook_entries,
4550 +- unsigned int *underflows)
4551 ++ const struct compat_arpt_replace *compatr)
4552 + {
4553 + unsigned int i, j;
4554 + struct xt_table_info *newinfo, *info;
4555 + void *pos, *entry0, *entry1;
4556 + struct compat_arpt_entry *iter0;
4557 +- struct arpt_entry *iter1;
4558 ++ struct arpt_replace repl;
4559 + unsigned int size;
4560 + int ret = 0;
4561 +
4562 + info = *pinfo;
4563 + entry0 = *pentry0;
4564 +- size = total_size;
4565 +- info->number = number;
4566 +-
4567 +- /* Init all hooks to impossible value. */
4568 +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
4569 +- info->hook_entry[i] = 0xFFFFFFFF;
4570 +- info->underflow[i] = 0xFFFFFFFF;
4571 +- }
4572 ++ size = compatr->size;
4573 ++ info->number = compatr->num_entries;
4574 +
4575 + duprintf("translate_compat_table: size %u\n", info->size);
4576 + j = 0;
4577 + xt_compat_lock(NFPROTO_ARP);
4578 +- xt_compat_init_offsets(NFPROTO_ARP, number);
4579 ++ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries);
4580 + /* Walk through entries, checking offsets. */
4581 +- xt_entry_foreach(iter0, entry0, total_size) {
4582 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
4583 + ret = check_compat_entry_size_and_hooks(iter0, info, &size,
4584 + entry0,
4585 +- entry0 + total_size,
4586 +- hook_entries,
4587 +- underflows,
4588 +- name);
4589 ++ entry0 + compatr->size);
4590 + if (ret != 0)
4591 + goto out_unlock;
4592 + ++j;
4593 + }
4594 +
4595 + ret = -EINVAL;
4596 +- if (j != number) {
4597 ++ if (j != compatr->num_entries) {
4598 + duprintf("translate_compat_table: %u not %u entries\n",
4599 +- j, number);
4600 ++ j, compatr->num_entries);
4601 + goto out_unlock;
4602 + }
4603 +
4604 +- /* Check hooks all assigned */
4605 +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
4606 +- /* Only hooks which are valid */
4607 +- if (!(valid_hooks & (1 << i)))
4608 +- continue;
4609 +- if (info->hook_entry[i] == 0xFFFFFFFF) {
4610 +- duprintf("Invalid hook entry %u %u\n",
4611 +- i, hook_entries[i]);
4612 +- goto out_unlock;
4613 +- }
4614 +- if (info->underflow[i] == 0xFFFFFFFF) {
4615 +- duprintf("Invalid underflow %u %u\n",
4616 +- i, underflows[i]);
4617 +- goto out_unlock;
4618 +- }
4619 +- }
4620 +-
4621 + ret = -ENOMEM;
4622 + newinfo = xt_alloc_table_info(size);
4623 + if (!newinfo)
4624 + goto out_unlock;
4625 +
4626 +- newinfo->number = number;
4627 ++ newinfo->number = compatr->num_entries;
4628 + for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
4629 + newinfo->hook_entry[i] = info->hook_entry[i];
4630 + newinfo->underflow[i] = info->underflow[i];
4631 + }
4632 + entry1 = newinfo->entries[raw_smp_processor_id()];
4633 + pos = entry1;
4634 +- size = total_size;
4635 +- xt_entry_foreach(iter0, entry0, total_size) {
4636 +- ret = compat_copy_entry_from_user(iter0, &pos, &size,
4637 +- name, newinfo, entry1);
4638 +- if (ret != 0)
4639 +- break;
4640 +- }
4641 ++ size = compatr->size;
4642 ++ xt_entry_foreach(iter0, entry0, compatr->size)
4643 ++ compat_copy_entry_from_user(iter0, &pos, &size,
4644 ++ newinfo, entry1);
4645 ++
4646 ++ /* all module references in entry0 are now gone */
4647 ++
4648 + xt_compat_flush_offsets(NFPROTO_ARP);
4649 + xt_compat_unlock(NFPROTO_ARP);
4650 +- if (ret)
4651 +- goto free_newinfo;
4652 +
4653 +- ret = -ELOOP;
4654 +- if (!mark_source_chains(newinfo, valid_hooks, entry1))
4655 +- goto free_newinfo;
4656 ++ memcpy(&repl, compatr, sizeof(*compatr));
4657 +
4658 +- i = 0;
4659 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
4660 +- ret = check_target(iter1, name);
4661 +- if (ret != 0)
4662 +- break;
4663 +- ++i;
4664 +- if (strcmp(arpt_get_target(iter1)->u.user.name,
4665 +- XT_ERROR_TARGET) == 0)
4666 +- ++newinfo->stacksize;
4667 +- }
4668 +- if (ret) {
4669 +- /*
4670 +- * The first i matches need cleanup_entry (calls ->destroy)
4671 +- * because they had called ->check already. The other j-i
4672 +- * entries need only release.
4673 +- */
4674 +- int skip = i;
4675 +- j -= i;
4676 +- xt_entry_foreach(iter0, entry0, newinfo->size) {
4677 +- if (skip-- > 0)
4678 +- continue;
4679 +- if (j-- == 0)
4680 +- break;
4681 +- compat_release_entry(iter0);
4682 +- }
4683 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
4684 +- if (i-- == 0)
4685 +- break;
4686 +- cleanup_entry(iter1);
4687 +- }
4688 +- xt_free_table_info(newinfo);
4689 +- return ret;
4690 ++ for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
4691 ++ repl.hook_entry[i] = newinfo->hook_entry[i];
4692 ++ repl.underflow[i] = newinfo->underflow[i];
4693 + }
4694 +
4695 +- /* And one copy for every other CPU */
4696 +- for_each_possible_cpu(i)
4697 +- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
4698 +- memcpy(newinfo->entries[i], entry1, newinfo->size);
4699 ++ repl.num_counters = 0;
4700 ++ repl.counters = NULL;
4701 ++ repl.size = newinfo->size;
4702 ++ ret = translate_table(newinfo, entry1, &repl);
4703 ++ if (ret)
4704 ++ goto free_newinfo;
4705 +
4706 + *pinfo = newinfo;
4707 + *pentry0 = entry1;
4708 +@@ -1453,31 +1345,18 @@ static int translate_compat_table(const char *name,
4709 +
4710 + free_newinfo:
4711 + xt_free_table_info(newinfo);
4712 +-out:
4713 +- xt_entry_foreach(iter0, entry0, total_size) {
4714 ++ return ret;
4715 ++out_unlock:
4716 ++ xt_compat_flush_offsets(NFPROTO_ARP);
4717 ++ xt_compat_unlock(NFPROTO_ARP);
4718 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
4719 + if (j-- == 0)
4720 + break;
4721 + compat_release_entry(iter0);
4722 + }
4723 + return ret;
4724 +-out_unlock:
4725 +- xt_compat_flush_offsets(NFPROTO_ARP);
4726 +- xt_compat_unlock(NFPROTO_ARP);
4727 +- goto out;
4728 + }
4729 +
4730 +-struct compat_arpt_replace {
4731 +- char name[XT_TABLE_MAXNAMELEN];
4732 +- u32 valid_hooks;
4733 +- u32 num_entries;
4734 +- u32 size;
4735 +- u32 hook_entry[NF_ARP_NUMHOOKS];
4736 +- u32 underflow[NF_ARP_NUMHOOKS];
4737 +- u32 num_counters;
4738 +- compat_uptr_t counters;
4739 +- struct compat_arpt_entry entries[0];
4740 +-};
4741 +-
4742 + static int compat_do_replace(struct net *net, void __user *user,
4743 + unsigned int len)
4744 + {
4745 +@@ -1495,6 +1374,9 @@ static int compat_do_replace(struct net *net, void __user *user,
4746 + return -ENOMEM;
4747 + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
4748 + return -ENOMEM;
4749 ++ if (tmp.num_counters == 0)
4750 ++ return -EINVAL;
4751 ++
4752 + tmp.name[sizeof(tmp.name)-1] = 0;
4753 +
4754 + newinfo = xt_alloc_table_info(tmp.size);
4755 +@@ -1508,10 +1390,7 @@ static int compat_do_replace(struct net *net, void __user *user,
4756 + goto free_newinfo;
4757 + }
4758 +
4759 +- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
4760 +- &newinfo, &loc_cpu_entry, tmp.size,
4761 +- tmp.num_entries, tmp.hook_entry,
4762 +- tmp.underflow);
4763 ++ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
4764 + if (ret != 0)
4765 + goto free_newinfo;
4766 +
4767 +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
4768 +index 651c10774d58..92c8f2727ee9 100644
4769 +--- a/net/ipv4/netfilter/ip_tables.c
4770 ++++ b/net/ipv4/netfilter/ip_tables.c
4771 +@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int offset)
4772 +
4773 + /* All zeroes == unconditional rule. */
4774 + /* Mildly perf critical (only if packet tracing is on) */
4775 +-static inline bool unconditional(const struct ipt_ip *ip)
4776 ++static inline bool unconditional(const struct ipt_entry *e)
4777 + {
4778 + static const struct ipt_ip uncond;
4779 +
4780 +- return memcmp(ip, &uncond, sizeof(uncond)) == 0;
4781 ++ return e->target_offset == sizeof(struct ipt_entry) &&
4782 ++ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
4783 + #undef FWINV
4784 + }
4785 +
4786 +@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
4787 + } else if (s == e) {
4788 + (*rulenum)++;
4789 +
4790 +- if (s->target_offset == sizeof(struct ipt_entry) &&
4791 ++ if (unconditional(s) &&
4792 + strcmp(t->target.u.kernel.target->name,
4793 + XT_STANDARD_TARGET) == 0 &&
4794 +- t->verdict < 0 &&
4795 +- unconditional(&s->ip)) {
4796 ++ t->verdict < 0) {
4797 + /* Tail of chains: STANDARD target (return/policy) */
4798 + *comment = *chainname == hookname
4799 + ? comments[NF_IP_TRACE_COMMENT_POLICY]
4800 +@@ -467,11 +467,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
4801 + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
4802 +
4803 + /* Unconditional return/END. */
4804 +- if ((e->target_offset == sizeof(struct ipt_entry) &&
4805 ++ if ((unconditional(e) &&
4806 + (strcmp(t->target.u.user.name,
4807 + XT_STANDARD_TARGET) == 0) &&
4808 +- t->verdict < 0 && unconditional(&e->ip)) ||
4809 +- visited) {
4810 ++ t->verdict < 0) || visited) {
4811 + unsigned int oldpos, size;
4812 +
4813 + if ((strcmp(t->target.u.user.name,
4814 +@@ -512,6 +511,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
4815 + size = e->next_offset;
4816 + e = (struct ipt_entry *)
4817 + (entry0 + pos + size);
4818 ++ if (pos + size >= newinfo->size)
4819 ++ return 0;
4820 + e->counters.pcnt = pos;
4821 + pos += size;
4822 + } else {
4823 +@@ -533,6 +534,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
4824 + } else {
4825 + /* ... this is a fallthru */
4826 + newpos = pos + e->next_offset;
4827 ++ if (newpos >= newinfo->size)
4828 ++ return 0;
4829 + }
4830 + e = (struct ipt_entry *)
4831 + (entry0 + newpos);
4832 +@@ -560,27 +563,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
4833 + }
4834 +
4835 + static int
4836 +-check_entry(const struct ipt_entry *e, const char *name)
4837 +-{
4838 +- const struct xt_entry_target *t;
4839 +-
4840 +- if (!ip_checkentry(&e->ip)) {
4841 +- duprintf("ip check failed %p %s.\n", e, name);
4842 +- return -EINVAL;
4843 +- }
4844 +-
4845 +- if (e->target_offset + sizeof(struct xt_entry_target) >
4846 +- e->next_offset)
4847 +- return -EINVAL;
4848 +-
4849 +- t = ipt_get_target_c(e);
4850 +- if (e->target_offset + t->u.target_size > e->next_offset)
4851 +- return -EINVAL;
4852 +-
4853 +- return 0;
4854 +-}
4855 +-
4856 +-static int
4857 + check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
4858 + {
4859 + const struct ipt_ip *ip = par->entryinfo;
4860 +@@ -657,10 +639,6 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
4861 + struct xt_mtchk_param mtpar;
4862 + struct xt_entry_match *ematch;
4863 +
4864 +- ret = check_entry(e, name);
4865 +- if (ret)
4866 +- return ret;
4867 +-
4868 + j = 0;
4869 + mtpar.net = net;
4870 + mtpar.table = name;
4871 +@@ -704,7 +682,7 @@ static bool check_underflow(const struct ipt_entry *e)
4872 + const struct xt_entry_target *t;
4873 + unsigned int verdict;
4874 +
4875 +- if (!unconditional(&e->ip))
4876 ++ if (!unconditional(e))
4877 + return false;
4878 + t = ipt_get_target_c(e);
4879 + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
4880 +@@ -724,9 +702,11 @@ check_entry_size_and_hooks(struct ipt_entry *e,
4881 + unsigned int valid_hooks)
4882 + {
4883 + unsigned int h;
4884 ++ int err;
4885 +
4886 + if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
4887 +- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
4888 ++ (unsigned char *)e + sizeof(struct ipt_entry) >= limit ||
4889 ++ (unsigned char *)e + e->next_offset > limit) {
4890 + duprintf("Bad offset %p\n", e);
4891 + return -EINVAL;
4892 + }
4893 +@@ -738,6 +718,14 @@ check_entry_size_and_hooks(struct ipt_entry *e,
4894 + return -EINVAL;
4895 + }
4896 +
4897 ++ if (!ip_checkentry(&e->ip))
4898 ++ return -EINVAL;
4899 ++
4900 ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
4901 ++ e->next_offset);
4902 ++ if (err)
4903 ++ return err;
4904 ++
4905 + /* Check hooks & underflows */
4906 + for (h = 0; h < NF_INET_NUMHOOKS; h++) {
4907 + if (!(valid_hooks & (1 << h)))
4908 +@@ -746,9 +734,9 @@ check_entry_size_and_hooks(struct ipt_entry *e,
4909 + newinfo->hook_entry[h] = hook_entries[h];
4910 + if ((unsigned char *)e - base == underflows[h]) {
4911 + if (!check_underflow(e)) {
4912 +- pr_err("Underflows must be unconditional and "
4913 +- "use the STANDARD target with "
4914 +- "ACCEPT/DROP\n");
4915 ++ pr_debug("Underflows must be unconditional and "
4916 ++ "use the STANDARD target with "
4917 ++ "ACCEPT/DROP\n");
4918 + return -EINVAL;
4919 + }
4920 + newinfo->underflow[h] = underflows[h];
4921 +@@ -1258,6 +1246,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
4922 + /* overflow check */
4923 + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
4924 + return -ENOMEM;
4925 ++ if (tmp.num_counters == 0)
4926 ++ return -EINVAL;
4927 ++
4928 + tmp.name[sizeof(tmp.name)-1] = 0;
4929 +
4930 + newinfo = xt_alloc_table_info(tmp.size);
4931 +@@ -1299,56 +1290,18 @@ do_add_counters(struct net *net, const void __user *user,
4932 + unsigned int i, curcpu;
4933 + struct xt_counters_info tmp;
4934 + struct xt_counters *paddc;
4935 +- unsigned int num_counters;
4936 +- const char *name;
4937 +- int size;
4938 +- void *ptmp;
4939 + struct xt_table *t;
4940 + const struct xt_table_info *private;
4941 + int ret = 0;
4942 + void *loc_cpu_entry;
4943 + struct ipt_entry *iter;
4944 + unsigned int addend;
4945 +-#ifdef CONFIG_COMPAT
4946 +- struct compat_xt_counters_info compat_tmp;
4947 +-
4948 +- if (compat) {
4949 +- ptmp = &compat_tmp;
4950 +- size = sizeof(struct compat_xt_counters_info);
4951 +- } else
4952 +-#endif
4953 +- {
4954 +- ptmp = &tmp;
4955 +- size = sizeof(struct xt_counters_info);
4956 +- }
4957 +-
4958 +- if (copy_from_user(ptmp, user, size) != 0)
4959 +- return -EFAULT;
4960 +-
4961 +-#ifdef CONFIG_COMPAT
4962 +- if (compat) {
4963 +- num_counters = compat_tmp.num_counters;
4964 +- name = compat_tmp.name;
4965 +- } else
4966 +-#endif
4967 +- {
4968 +- num_counters = tmp.num_counters;
4969 +- name = tmp.name;
4970 +- }
4971 +
4972 +- if (len != size + num_counters * sizeof(struct xt_counters))
4973 +- return -EINVAL;
4974 +-
4975 +- paddc = vmalloc(len - size);
4976 +- if (!paddc)
4977 +- return -ENOMEM;
4978 +-
4979 +- if (copy_from_user(paddc, user + size, len - size) != 0) {
4980 +- ret = -EFAULT;
4981 +- goto free;
4982 +- }
4983 ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
4984 ++ if (IS_ERR(paddc))
4985 ++ return PTR_ERR(paddc);
4986 +
4987 +- t = xt_find_table_lock(net, AF_INET, name);
4988 ++ t = xt_find_table_lock(net, AF_INET, tmp.name);
4989 + if (IS_ERR_OR_NULL(t)) {
4990 + ret = t ? PTR_ERR(t) : -ENOENT;
4991 + goto free;
4992 +@@ -1356,7 +1309,7 @@ do_add_counters(struct net *net, const void __user *user,
4993 +
4994 + local_bh_disable();
4995 + private = t->private;
4996 +- if (private->number != num_counters) {
4997 ++ if (private->number != tmp.num_counters) {
4998 + ret = -EINVAL;
4999 + goto unlock_up_free;
5000 + }
5001 +@@ -1435,7 +1388,6 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
5002 +
5003 + static int
5004 + compat_find_calc_match(struct xt_entry_match *m,
5005 +- const char *name,
5006 + const struct ipt_ip *ip,
5007 + unsigned int hookmask,
5008 + int *size)
5009 +@@ -1471,21 +1423,19 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
5010 + struct xt_table_info *newinfo,
5011 + unsigned int *size,
5012 + const unsigned char *base,
5013 +- const unsigned char *limit,
5014 +- const unsigned int *hook_entries,
5015 +- const unsigned int *underflows,
5016 +- const char *name)
5017 ++ const unsigned char *limit)
5018 + {
5019 + struct xt_entry_match *ematch;
5020 + struct xt_entry_target *t;
5021 + struct xt_target *target;
5022 + unsigned int entry_offset;
5023 + unsigned int j;
5024 +- int ret, off, h;
5025 ++ int ret, off;
5026 +
5027 + duprintf("check_compat_entry_size_and_hooks %p\n", e);
5028 + if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
5029 +- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
5030 ++ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit ||
5031 ++ (unsigned char *)e + e->next_offset > limit) {
5032 + duprintf("Bad offset %p, limit = %p\n", e, limit);
5033 + return -EINVAL;
5034 + }
5035 +@@ -1497,8 +1447,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
5036 + return -EINVAL;
5037 + }
5038 +
5039 +- /* For purposes of check_entry casting the compat entry is fine */
5040 +- ret = check_entry((struct ipt_entry *)e, name);
5041 ++ if (!ip_checkentry(&e->ip))
5042 ++ return -EINVAL;
5043 ++
5044 ++ ret = xt_compat_check_entry_offsets(e, e->elems,
5045 ++ e->target_offset, e->next_offset);
5046 + if (ret)
5047 + return ret;
5048 +
5049 +@@ -1506,8 +1459,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
5050 + entry_offset = (void *)e - (void *)base;
5051 + j = 0;
5052 + xt_ematch_foreach(ematch, e) {
5053 +- ret = compat_find_calc_match(ematch, name,
5054 +- &e->ip, e->comefrom, &off);
5055 ++ ret = compat_find_calc_match(ematch, &e->ip, e->comefrom,
5056 ++ &off);
5057 + if (ret != 0)
5058 + goto release_matches;
5059 + ++j;
5060 +@@ -1530,17 +1483,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
5061 + if (ret)
5062 + goto out;
5063 +
5064 +- /* Check hooks & underflows */
5065 +- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
5066 +- if ((unsigned char *)e - base == hook_entries[h])
5067 +- newinfo->hook_entry[h] = hook_entries[h];
5068 +- if ((unsigned char *)e - base == underflows[h])
5069 +- newinfo->underflow[h] = underflows[h];
5070 +- }
5071 +-
5072 +- /* Clear counters and comefrom */
5073 +- memset(&e->counters, 0, sizeof(e->counters));
5074 +- e->comefrom = 0;
5075 + return 0;
5076 +
5077 + out:
5078 +@@ -1554,19 +1496,18 @@ release_matches:
5079 + return ret;
5080 + }
5081 +
5082 +-static int
5083 ++static void
5084 + compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
5085 +- unsigned int *size, const char *name,
5086 ++ unsigned int *size,
5087 + struct xt_table_info *newinfo, unsigned char *base)
5088 + {
5089 + struct xt_entry_target *t;
5090 + struct xt_target *target;
5091 + struct ipt_entry *de;
5092 + unsigned int origsize;
5093 +- int ret, h;
5094 ++ int h;
5095 + struct xt_entry_match *ematch;
5096 +
5097 +- ret = 0;
5098 + origsize = *size;
5099 + de = (struct ipt_entry *)*dstptr;
5100 + memcpy(de, e, sizeof(struct ipt_entry));
5101 +@@ -1575,198 +1516,104 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
5102 + *dstptr += sizeof(struct ipt_entry);
5103 + *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
5104 +
5105 +- xt_ematch_foreach(ematch, e) {
5106 +- ret = xt_compat_match_from_user(ematch, dstptr, size);
5107 +- if (ret != 0)
5108 +- return ret;
5109 +- }
5110 ++ xt_ematch_foreach(ematch, e)
5111 ++ xt_compat_match_from_user(ematch, dstptr, size);
5112 ++
5113 + de->target_offset = e->target_offset - (origsize - *size);
5114 + t = compat_ipt_get_target(e);
5115 + target = t->u.kernel.target;
5116 + xt_compat_target_from_user(t, dstptr, size);
5117 +
5118 + de->next_offset = e->next_offset - (origsize - *size);
5119 ++
5120 + for (h = 0; h < NF_INET_NUMHOOKS; h++) {
5121 + if ((unsigned char *)de - base < newinfo->hook_entry[h])
5122 + newinfo->hook_entry[h] -= origsize - *size;
5123 + if ((unsigned char *)de - base < newinfo->underflow[h])
5124 + newinfo->underflow[h] -= origsize - *size;
5125 + }
5126 +- return ret;
5127 +-}
5128 +-
5129 +-static int
5130 +-compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
5131 +-{
5132 +- struct xt_entry_match *ematch;
5133 +- struct xt_mtchk_param mtpar;
5134 +- unsigned int j;
5135 +- int ret = 0;
5136 +-
5137 +- j = 0;
5138 +- mtpar.net = net;
5139 +- mtpar.table = name;
5140 +- mtpar.entryinfo = &e->ip;
5141 +- mtpar.hook_mask = e->comefrom;
5142 +- mtpar.family = NFPROTO_IPV4;
5143 +- xt_ematch_foreach(ematch, e) {
5144 +- ret = check_match(ematch, &mtpar);
5145 +- if (ret != 0)
5146 +- goto cleanup_matches;
5147 +- ++j;
5148 +- }
5149 +-
5150 +- ret = check_target(e, net, name);
5151 +- if (ret)
5152 +- goto cleanup_matches;
5153 +- return 0;
5154 +-
5155 +- cleanup_matches:
5156 +- xt_ematch_foreach(ematch, e) {
5157 +- if (j-- == 0)
5158 +- break;
5159 +- cleanup_match(ematch, net);
5160 +- }
5161 +- return ret;
5162 + }
5163 +
5164 + static int
5165 + translate_compat_table(struct net *net,
5166 +- const char *name,
5167 +- unsigned int valid_hooks,
5168 + struct xt_table_info **pinfo,
5169 + void **pentry0,
5170 +- unsigned int total_size,
5171 +- unsigned int number,
5172 +- unsigned int *hook_entries,
5173 +- unsigned int *underflows)
5174 ++ const struct compat_ipt_replace *compatr)
5175 + {
5176 + unsigned int i, j;
5177 + struct xt_table_info *newinfo, *info;
5178 + void *pos, *entry0, *entry1;
5179 + struct compat_ipt_entry *iter0;
5180 +- struct ipt_entry *iter1;
5181 ++ struct ipt_replace repl;
5182 + unsigned int size;
5183 + int ret;
5184 +
5185 + info = *pinfo;
5186 + entry0 = *pentry0;
5187 +- size = total_size;
5188 +- info->number = number;
5189 +-
5190 +- /* Init all hooks to impossible value. */
5191 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5192 +- info->hook_entry[i] = 0xFFFFFFFF;
5193 +- info->underflow[i] = 0xFFFFFFFF;
5194 +- }
5195 ++ size = compatr->size;
5196 ++ info->number = compatr->num_entries;
5197 +
5198 + duprintf("translate_compat_table: size %u\n", info->size);
5199 + j = 0;
5200 + xt_compat_lock(AF_INET);
5201 +- xt_compat_init_offsets(AF_INET, number);
5202 ++ xt_compat_init_offsets(AF_INET, compatr->num_entries);
5203 + /* Walk through entries, checking offsets. */
5204 +- xt_entry_foreach(iter0, entry0, total_size) {
5205 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
5206 + ret = check_compat_entry_size_and_hooks(iter0, info, &size,
5207 + entry0,
5208 +- entry0 + total_size,
5209 +- hook_entries,
5210 +- underflows,
5211 +- name);
5212 ++ entry0 + compatr->size);
5213 + if (ret != 0)
5214 + goto out_unlock;
5215 + ++j;
5216 + }
5217 +
5218 + ret = -EINVAL;
5219 +- if (j != number) {
5220 ++ if (j != compatr->num_entries) {
5221 + duprintf("translate_compat_table: %u not %u entries\n",
5222 +- j, number);
5223 ++ j, compatr->num_entries);
5224 + goto out_unlock;
5225 + }
5226 +
5227 +- /* Check hooks all assigned */
5228 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5229 +- /* Only hooks which are valid */
5230 +- if (!(valid_hooks & (1 << i)))
5231 +- continue;
5232 +- if (info->hook_entry[i] == 0xFFFFFFFF) {
5233 +- duprintf("Invalid hook entry %u %u\n",
5234 +- i, hook_entries[i]);
5235 +- goto out_unlock;
5236 +- }
5237 +- if (info->underflow[i] == 0xFFFFFFFF) {
5238 +- duprintf("Invalid underflow %u %u\n",
5239 +- i, underflows[i]);
5240 +- goto out_unlock;
5241 +- }
5242 +- }
5243 +-
5244 + ret = -ENOMEM;
5245 + newinfo = xt_alloc_table_info(size);
5246 + if (!newinfo)
5247 + goto out_unlock;
5248 +
5249 +- newinfo->number = number;
5250 ++ newinfo->number = compatr->num_entries;
5251 + for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5252 +- newinfo->hook_entry[i] = info->hook_entry[i];
5253 +- newinfo->underflow[i] = info->underflow[i];
5254 ++ newinfo->hook_entry[i] = compatr->hook_entry[i];
5255 ++ newinfo->underflow[i] = compatr->underflow[i];
5256 + }
5257 + entry1 = newinfo->entries[raw_smp_processor_id()];
5258 + pos = entry1;
5259 +- size = total_size;
5260 +- xt_entry_foreach(iter0, entry0, total_size) {
5261 +- ret = compat_copy_entry_from_user(iter0, &pos, &size,
5262 +- name, newinfo, entry1);
5263 +- if (ret != 0)
5264 +- break;
5265 +- }
5266 ++ size = compatr->size;
5267 ++ xt_entry_foreach(iter0, entry0, compatr->size)
5268 ++ compat_copy_entry_from_user(iter0, &pos, &size,
5269 ++ newinfo, entry1);
5270 ++
5271 ++ /* all module references in entry0 are now gone.
5272 ++ * entry1/newinfo contains a 64bit ruleset that looks exactly as
5273 ++ * generated by 64bit userspace.
5274 ++ *
5275 ++ * Call standard translate_table() to validate all hook_entrys,
5276 ++ * underflows, check for loops, etc.
5277 ++ */
5278 + xt_compat_flush_offsets(AF_INET);
5279 + xt_compat_unlock(AF_INET);
5280 +- if (ret)
5281 +- goto free_newinfo;
5282 +
5283 +- ret = -ELOOP;
5284 +- if (!mark_source_chains(newinfo, valid_hooks, entry1))
5285 +- goto free_newinfo;
5286 ++ memcpy(&repl, compatr, sizeof(*compatr));
5287 +
5288 +- i = 0;
5289 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
5290 +- ret = compat_check_entry(iter1, net, name);
5291 +- if (ret != 0)
5292 +- break;
5293 +- ++i;
5294 +- if (strcmp(ipt_get_target(iter1)->u.user.name,
5295 +- XT_ERROR_TARGET) == 0)
5296 +- ++newinfo->stacksize;
5297 +- }
5298 +- if (ret) {
5299 +- /*
5300 +- * The first i matches need cleanup_entry (calls ->destroy)
5301 +- * because they had called ->check already. The other j-i
5302 +- * entries need only release.
5303 +- */
5304 +- int skip = i;
5305 +- j -= i;
5306 +- xt_entry_foreach(iter0, entry0, newinfo->size) {
5307 +- if (skip-- > 0)
5308 +- continue;
5309 +- if (j-- == 0)
5310 +- break;
5311 +- compat_release_entry(iter0);
5312 +- }
5313 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
5314 +- if (i-- == 0)
5315 +- break;
5316 +- cleanup_entry(iter1, net);
5317 +- }
5318 +- xt_free_table_info(newinfo);
5319 +- return ret;
5320 ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5321 ++ repl.hook_entry[i] = newinfo->hook_entry[i];
5322 ++ repl.underflow[i] = newinfo->underflow[i];
5323 + }
5324 +
5325 +- /* And one copy for every other CPU */
5326 +- for_each_possible_cpu(i)
5327 +- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
5328 +- memcpy(newinfo->entries[i], entry1, newinfo->size);
5329 ++ repl.num_counters = 0;
5330 ++ repl.counters = NULL;
5331 ++ repl.size = newinfo->size;
5332 ++ ret = translate_table(net, newinfo, entry1, &repl);
5333 ++ if (ret)
5334 ++ goto free_newinfo;
5335 +
5336 + *pinfo = newinfo;
5337 + *pentry0 = entry1;
5338 +@@ -1775,17 +1622,16 @@ translate_compat_table(struct net *net,
5339 +
5340 + free_newinfo:
5341 + xt_free_table_info(newinfo);
5342 +-out:
5343 +- xt_entry_foreach(iter0, entry0, total_size) {
5344 ++ return ret;
5345 ++out_unlock:
5346 ++ xt_compat_flush_offsets(AF_INET);
5347 ++ xt_compat_unlock(AF_INET);
5348 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
5349 + if (j-- == 0)
5350 + break;
5351 + compat_release_entry(iter0);
5352 + }
5353 + return ret;
5354 +-out_unlock:
5355 +- xt_compat_flush_offsets(AF_INET);
5356 +- xt_compat_unlock(AF_INET);
5357 +- goto out;
5358 + }
5359 +
5360 + static int
5361 +@@ -1805,6 +1651,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
5362 + return -ENOMEM;
5363 + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
5364 + return -ENOMEM;
5365 ++ if (tmp.num_counters == 0)
5366 ++ return -EINVAL;
5367 ++
5368 + tmp.name[sizeof(tmp.name)-1] = 0;
5369 +
5370 + newinfo = xt_alloc_table_info(tmp.size);
5371 +@@ -1819,10 +1668,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
5372 + goto free_newinfo;
5373 + }
5374 +
5375 +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
5376 +- &newinfo, &loc_cpu_entry, tmp.size,
5377 +- tmp.num_entries, tmp.hook_entry,
5378 +- tmp.underflow);
5379 ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
5380 + if (ret != 0)
5381 + goto free_newinfo;
5382 +
5383 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
5384 +index f89087c3cfc8..f3b15bb7fbec 100644
5385 +--- a/net/ipv4/tcp_input.c
5386 ++++ b/net/ipv4/tcp_input.c
5387 +@@ -68,6 +68,7 @@
5388 + #include <linux/module.h>
5389 + #include <linux/sysctl.h>
5390 + #include <linux/kernel.h>
5391 ++#include <linux/reciprocal_div.h>
5392 + #include <net/dst.h>
5393 + #include <net/tcp.h>
5394 + #include <net/inet_common.h>
5395 +@@ -87,7 +88,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
5396 + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
5397 +
5398 + /* rfc5961 challenge ack rate limiting */
5399 +-int sysctl_tcp_challenge_ack_limit = 100;
5400 ++int sysctl_tcp_challenge_ack_limit = 1000;
5401 +
5402 + int sysctl_tcp_stdurg __read_mostly;
5403 + int sysctl_tcp_rfc1337 __read_mostly;
5404 +@@ -3288,12 +3289,19 @@ static void tcp_send_challenge_ack(struct sock *sk)
5405 + static u32 challenge_timestamp;
5406 + static unsigned int challenge_count;
5407 + u32 now = jiffies / HZ;
5408 ++ u32 count;
5409 +
5410 + if (now != challenge_timestamp) {
5411 ++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
5412 ++
5413 + challenge_timestamp = now;
5414 +- challenge_count = 0;
5415 ++ ACCESS_ONCE(challenge_count) = half +
5416 ++ reciprocal_divide(prandom_u32(),
5417 ++ sysctl_tcp_challenge_ack_limit);
5418 + }
5419 +- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
5420 ++ count = ACCESS_ONCE(challenge_count);
5421 ++ if (count > 0) {
5422 ++ ACCESS_ONCE(challenge_count) = count - 1;
5423 + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
5424 + tcp_send_ack(sk);
5425 + }
5426 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
5427 +index 76c80b59e80f..276b28301a6b 100644
5428 +--- a/net/ipv4/tcp_output.c
5429 ++++ b/net/ipv4/tcp_output.c
5430 +@@ -222,7 +222,8 @@ void tcp_select_initial_window(int __space, __u32 mss,
5431 + /* Set window scaling on max possible window
5432 + * See RFC1323 for an explanation of the limit to 14
5433 + */
5434 +- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
5435 ++ space = max_t(u32, space, sysctl_tcp_rmem[2]);
5436 ++ space = max_t(u32, space, sysctl_rmem_max);
5437 + space = min_t(u32, space, *window_clamp);
5438 + while (space > 65535 && (*rcv_wscale) < 14) {
5439 + space >>= 1;
5440 +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
5441 +index 63b536bbf0b0..68174e4d88c7 100644
5442 +--- a/net/ipv4/udp.c
5443 ++++ b/net/ipv4/udp.c
5444 +@@ -1208,6 +1208,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
5445 + int peeked, off = 0;
5446 + int err;
5447 + int is_udplite = IS_UDPLITE(sk);
5448 ++ bool checksum_valid = false;
5449 + bool slow;
5450 +
5451 + if (flags & MSG_ERRQUEUE)
5452 +@@ -1233,11 +1234,12 @@ try_again:
5453 + */
5454 +
5455 + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
5456 +- if (udp_lib_checksum_complete(skb))
5457 ++ checksum_valid = !udp_lib_checksum_complete(skb);
5458 ++ if (!checksum_valid)
5459 + goto csum_copy_err;
5460 + }
5461 +
5462 +- if (skb_csum_unnecessary(skb))
5463 ++ if (checksum_valid || skb_csum_unnecessary(skb))
5464 + err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
5465 + msg->msg_iov, copied);
5466 + else {
5467 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
5468 +index 8d69df16f6a8..107f75283b1b 100644
5469 +--- a/net/ipv6/ip6mr.c
5470 ++++ b/net/ipv6/ip6mr.c
5471 +@@ -1077,6 +1077,7 @@ static struct mfc6_cache *ip6mr_cache_alloc(void)
5472 + struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
5473 + if (c == NULL)
5474 + return NULL;
5475 ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
5476 + c->mfc_un.res.minvif = MAXMIFS;
5477 + return c;
5478 + }
5479 +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
5480 +index 89a4e4ddd8bb..e214222cd06f 100644
5481 +--- a/net/ipv6/netfilter/ip6_tables.c
5482 ++++ b/net/ipv6/netfilter/ip6_tables.c
5483 +@@ -195,11 +195,12 @@ get_entry(const void *base, unsigned int offset)
5484 +
5485 + /* All zeroes == unconditional rule. */
5486 + /* Mildly perf critical (only if packet tracing is on) */
5487 +-static inline bool unconditional(const struct ip6t_ip6 *ipv6)
5488 ++static inline bool unconditional(const struct ip6t_entry *e)
5489 + {
5490 + static const struct ip6t_ip6 uncond;
5491 +
5492 +- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
5493 ++ return e->target_offset == sizeof(struct ip6t_entry) &&
5494 ++ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
5495 + }
5496 +
5497 + static inline const struct xt_entry_target *
5498 +@@ -255,11 +256,10 @@ get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
5499 + } else if (s == e) {
5500 + (*rulenum)++;
5501 +
5502 +- if (s->target_offset == sizeof(struct ip6t_entry) &&
5503 ++ if (unconditional(s) &&
5504 + strcmp(t->target.u.kernel.target->name,
5505 + XT_STANDARD_TARGET) == 0 &&
5506 +- t->verdict < 0 &&
5507 +- unconditional(&s->ipv6)) {
5508 ++ t->verdict < 0) {
5509 + /* Tail of chains: STANDARD target (return/policy) */
5510 + *comment = *chainname == hookname
5511 + ? comments[NF_IP6_TRACE_COMMENT_POLICY]
5512 +@@ -477,11 +477,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
5513 + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
5514 +
5515 + /* Unconditional return/END. */
5516 +- if ((e->target_offset == sizeof(struct ip6t_entry) &&
5517 ++ if ((unconditional(e) &&
5518 + (strcmp(t->target.u.user.name,
5519 + XT_STANDARD_TARGET) == 0) &&
5520 +- t->verdict < 0 &&
5521 +- unconditional(&e->ipv6)) || visited) {
5522 ++ t->verdict < 0) || visited) {
5523 + unsigned int oldpos, size;
5524 +
5525 + if ((strcmp(t->target.u.user.name,
5526 +@@ -522,6 +521,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
5527 + size = e->next_offset;
5528 + e = (struct ip6t_entry *)
5529 + (entry0 + pos + size);
5530 ++ if (pos + size >= newinfo->size)
5531 ++ return 0;
5532 + e->counters.pcnt = pos;
5533 + pos += size;
5534 + } else {
5535 +@@ -543,6 +544,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
5536 + } else {
5537 + /* ... this is a fallthru */
5538 + newpos = pos + e->next_offset;
5539 ++ if (newpos >= newinfo->size)
5540 ++ return 0;
5541 + }
5542 + e = (struct ip6t_entry *)
5543 + (entry0 + newpos);
5544 +@@ -569,27 +572,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
5545 + module_put(par.match->me);
5546 + }
5547 +
5548 +-static int
5549 +-check_entry(const struct ip6t_entry *e, const char *name)
5550 +-{
5551 +- const struct xt_entry_target *t;
5552 +-
5553 +- if (!ip6_checkentry(&e->ipv6)) {
5554 +- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
5555 +- return -EINVAL;
5556 +- }
5557 +-
5558 +- if (e->target_offset + sizeof(struct xt_entry_target) >
5559 +- e->next_offset)
5560 +- return -EINVAL;
5561 +-
5562 +- t = ip6t_get_target_c(e);
5563 +- if (e->target_offset + t->u.target_size > e->next_offset)
5564 +- return -EINVAL;
5565 +-
5566 +- return 0;
5567 +-}
5568 +-
5569 + static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
5570 + {
5571 + const struct ip6t_ip6 *ipv6 = par->entryinfo;
5572 +@@ -668,10 +650,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
5573 + struct xt_mtchk_param mtpar;
5574 + struct xt_entry_match *ematch;
5575 +
5576 +- ret = check_entry(e, name);
5577 +- if (ret)
5578 +- return ret;
5579 +-
5580 + j = 0;
5581 + mtpar.net = net;
5582 + mtpar.table = name;
5583 +@@ -715,7 +693,7 @@ static bool check_underflow(const struct ip6t_entry *e)
5584 + const struct xt_entry_target *t;
5585 + unsigned int verdict;
5586 +
5587 +- if (!unconditional(&e->ipv6))
5588 ++ if (!unconditional(e))
5589 + return false;
5590 + t = ip6t_get_target_c(e);
5591 + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
5592 +@@ -735,9 +713,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
5593 + unsigned int valid_hooks)
5594 + {
5595 + unsigned int h;
5596 ++ int err;
5597 +
5598 + if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
5599 +- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
5600 ++ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
5601 ++ (unsigned char *)e + e->next_offset > limit) {
5602 + duprintf("Bad offset %p\n", e);
5603 + return -EINVAL;
5604 + }
5605 +@@ -749,6 +729,14 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
5606 + return -EINVAL;
5607 + }
5608 +
5609 ++ if (!ip6_checkentry(&e->ipv6))
5610 ++ return -EINVAL;
5611 ++
5612 ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
5613 ++ e->next_offset);
5614 ++ if (err)
5615 ++ return err;
5616 ++
5617 + /* Check hooks & underflows */
5618 + for (h = 0; h < NF_INET_NUMHOOKS; h++) {
5619 + if (!(valid_hooks & (1 << h)))
5620 +@@ -757,9 +745,9 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
5621 + newinfo->hook_entry[h] = hook_entries[h];
5622 + if ((unsigned char *)e - base == underflows[h]) {
5623 + if (!check_underflow(e)) {
5624 +- pr_err("Underflows must be unconditional and "
5625 +- "use the STANDARD target with "
5626 +- "ACCEPT/DROP\n");
5627 ++ pr_debug("Underflows must be unconditional and "
5628 ++ "use the STANDARD target with "
5629 ++ "ACCEPT/DROP\n");
5630 + return -EINVAL;
5631 + }
5632 + newinfo->underflow[h] = underflows[h];
5633 +@@ -1268,6 +1256,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
5634 + /* overflow check */
5635 + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
5636 + return -ENOMEM;
5637 ++ if (tmp.num_counters == 0)
5638 ++ return -EINVAL;
5639 ++
5640 + tmp.name[sizeof(tmp.name)-1] = 0;
5641 +
5642 + newinfo = xt_alloc_table_info(tmp.size);
5643 +@@ -1309,56 +1300,17 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
5644 + unsigned int i, curcpu;
5645 + struct xt_counters_info tmp;
5646 + struct xt_counters *paddc;
5647 +- unsigned int num_counters;
5648 +- char *name;
5649 +- int size;
5650 +- void *ptmp;
5651 + struct xt_table *t;
5652 + const struct xt_table_info *private;
5653 + int ret = 0;
5654 + const void *loc_cpu_entry;
5655 + struct ip6t_entry *iter;
5656 + unsigned int addend;
5657 +-#ifdef CONFIG_COMPAT
5658 +- struct compat_xt_counters_info compat_tmp;
5659 +-
5660 +- if (compat) {
5661 +- ptmp = &compat_tmp;
5662 +- size = sizeof(struct compat_xt_counters_info);
5663 +- } else
5664 +-#endif
5665 +- {
5666 +- ptmp = &tmp;
5667 +- size = sizeof(struct xt_counters_info);
5668 +- }
5669 +-
5670 +- if (copy_from_user(ptmp, user, size) != 0)
5671 +- return -EFAULT;
5672 +-
5673 +-#ifdef CONFIG_COMPAT
5674 +- if (compat) {
5675 +- num_counters = compat_tmp.num_counters;
5676 +- name = compat_tmp.name;
5677 +- } else
5678 +-#endif
5679 +- {
5680 +- num_counters = tmp.num_counters;
5681 +- name = tmp.name;
5682 +- }
5683 +
5684 +- if (len != size + num_counters * sizeof(struct xt_counters))
5685 +- return -EINVAL;
5686 +-
5687 +- paddc = vmalloc(len - size);
5688 +- if (!paddc)
5689 +- return -ENOMEM;
5690 +-
5691 +- if (copy_from_user(paddc, user + size, len - size) != 0) {
5692 +- ret = -EFAULT;
5693 +- goto free;
5694 +- }
5695 +-
5696 +- t = xt_find_table_lock(net, AF_INET6, name);
5697 ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
5698 ++ if (IS_ERR(paddc))
5699 ++ return PTR_ERR(paddc);
5700 ++ t = xt_find_table_lock(net, AF_INET6, tmp.name);
5701 + if (IS_ERR_OR_NULL(t)) {
5702 + ret = t ? PTR_ERR(t) : -ENOENT;
5703 + goto free;
5704 +@@ -1367,7 +1319,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
5705 +
5706 + local_bh_disable();
5707 + private = t->private;
5708 +- if (private->number != num_counters) {
5709 ++ if (private->number != tmp.num_counters) {
5710 + ret = -EINVAL;
5711 + goto unlock_up_free;
5712 + }
5713 +@@ -1447,7 +1399,6 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
5714 +
5715 + static int
5716 + compat_find_calc_match(struct xt_entry_match *m,
5717 +- const char *name,
5718 + const struct ip6t_ip6 *ipv6,
5719 + unsigned int hookmask,
5720 + int *size)
5721 +@@ -1483,21 +1434,19 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
5722 + struct xt_table_info *newinfo,
5723 + unsigned int *size,
5724 + const unsigned char *base,
5725 +- const unsigned char *limit,
5726 +- const unsigned int *hook_entries,
5727 +- const unsigned int *underflows,
5728 +- const char *name)
5729 ++ const unsigned char *limit)
5730 + {
5731 + struct xt_entry_match *ematch;
5732 + struct xt_entry_target *t;
5733 + struct xt_target *target;
5734 + unsigned int entry_offset;
5735 + unsigned int j;
5736 +- int ret, off, h;
5737 ++ int ret, off;
5738 +
5739 + duprintf("check_compat_entry_size_and_hooks %p\n", e);
5740 + if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
5741 +- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
5742 ++ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
5743 ++ (unsigned char *)e + e->next_offset > limit) {
5744 + duprintf("Bad offset %p, limit = %p\n", e, limit);
5745 + return -EINVAL;
5746 + }
5747 +@@ -1509,8 +1458,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
5748 + return -EINVAL;
5749 + }
5750 +
5751 +- /* For purposes of check_entry casting the compat entry is fine */
5752 +- ret = check_entry((struct ip6t_entry *)e, name);
5753 ++ if (!ip6_checkentry(&e->ipv6))
5754 ++ return -EINVAL;
5755 ++
5756 ++ ret = xt_compat_check_entry_offsets(e, e->elems,
5757 ++ e->target_offset, e->next_offset);
5758 + if (ret)
5759 + return ret;
5760 +
5761 +@@ -1518,8 +1470,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
5762 + entry_offset = (void *)e - (void *)base;
5763 + j = 0;
5764 + xt_ematch_foreach(ematch, e) {
5765 +- ret = compat_find_calc_match(ematch, name,
5766 +- &e->ipv6, e->comefrom, &off);
5767 ++ ret = compat_find_calc_match(ematch, &e->ipv6, e->comefrom,
5768 ++ &off);
5769 + if (ret != 0)
5770 + goto release_matches;
5771 + ++j;
5772 +@@ -1542,17 +1494,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
5773 + if (ret)
5774 + goto out;
5775 +
5776 +- /* Check hooks & underflows */
5777 +- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
5778 +- if ((unsigned char *)e - base == hook_entries[h])
5779 +- newinfo->hook_entry[h] = hook_entries[h];
5780 +- if ((unsigned char *)e - base == underflows[h])
5781 +- newinfo->underflow[h] = underflows[h];
5782 +- }
5783 +-
5784 +- /* Clear counters and comefrom */
5785 +- memset(&e->counters, 0, sizeof(e->counters));
5786 +- e->comefrom = 0;
5787 + return 0;
5788 +
5789 + out:
5790 +@@ -1566,18 +1507,17 @@ release_matches:
5791 + return ret;
5792 + }
5793 +
5794 +-static int
5795 ++static void
5796 + compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
5797 +- unsigned int *size, const char *name,
5798 ++ unsigned int *size,
5799 + struct xt_table_info *newinfo, unsigned char *base)
5800 + {
5801 + struct xt_entry_target *t;
5802 + struct ip6t_entry *de;
5803 + unsigned int origsize;
5804 +- int ret, h;
5805 ++ int h;
5806 + struct xt_entry_match *ematch;
5807 +
5808 +- ret = 0;
5809 + origsize = *size;
5810 + de = (struct ip6t_entry *)*dstptr;
5811 + memcpy(de, e, sizeof(struct ip6t_entry));
5812 +@@ -1586,11 +1526,9 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
5813 + *dstptr += sizeof(struct ip6t_entry);
5814 + *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
5815 +
5816 +- xt_ematch_foreach(ematch, e) {
5817 +- ret = xt_compat_match_from_user(ematch, dstptr, size);
5818 +- if (ret != 0)
5819 +- return ret;
5820 +- }
5821 ++ xt_ematch_foreach(ematch, e)
5822 ++ xt_compat_match_from_user(ematch, dstptr, size);
5823 ++
5824 + de->target_offset = e->target_offset - (origsize - *size);
5825 + t = compat_ip6t_get_target(e);
5826 + xt_compat_target_from_user(t, dstptr, size);
5827 +@@ -1602,181 +1540,82 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
5828 + if ((unsigned char *)de - base < newinfo->underflow[h])
5829 + newinfo->underflow[h] -= origsize - *size;
5830 + }
5831 +- return ret;
5832 +-}
5833 +-
5834 +-static int compat_check_entry(struct ip6t_entry *e, struct net *net,
5835 +- const char *name)
5836 +-{
5837 +- unsigned int j;
5838 +- int ret = 0;
5839 +- struct xt_mtchk_param mtpar;
5840 +- struct xt_entry_match *ematch;
5841 +-
5842 +- j = 0;
5843 +- mtpar.net = net;
5844 +- mtpar.table = name;
5845 +- mtpar.entryinfo = &e->ipv6;
5846 +- mtpar.hook_mask = e->comefrom;
5847 +- mtpar.family = NFPROTO_IPV6;
5848 +- xt_ematch_foreach(ematch, e) {
5849 +- ret = check_match(ematch, &mtpar);
5850 +- if (ret != 0)
5851 +- goto cleanup_matches;
5852 +- ++j;
5853 +- }
5854 +-
5855 +- ret = check_target(e, net, name);
5856 +- if (ret)
5857 +- goto cleanup_matches;
5858 +- return 0;
5859 +-
5860 +- cleanup_matches:
5861 +- xt_ematch_foreach(ematch, e) {
5862 +- if (j-- == 0)
5863 +- break;
5864 +- cleanup_match(ematch, net);
5865 +- }
5866 +- return ret;
5867 + }
5868 +
5869 + static int
5870 + translate_compat_table(struct net *net,
5871 +- const char *name,
5872 +- unsigned int valid_hooks,
5873 + struct xt_table_info **pinfo,
5874 + void **pentry0,
5875 +- unsigned int total_size,
5876 +- unsigned int number,
5877 +- unsigned int *hook_entries,
5878 +- unsigned int *underflows)
5879 ++ const struct compat_ip6t_replace *compatr)
5880 + {
5881 + unsigned int i, j;
5882 + struct xt_table_info *newinfo, *info;
5883 + void *pos, *entry0, *entry1;
5884 + struct compat_ip6t_entry *iter0;
5885 +- struct ip6t_entry *iter1;
5886 ++ struct ip6t_replace repl;
5887 + unsigned int size;
5888 + int ret = 0;
5889 +
5890 + info = *pinfo;
5891 + entry0 = *pentry0;
5892 +- size = total_size;
5893 +- info->number = number;
5894 +-
5895 +- /* Init all hooks to impossible value. */
5896 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5897 +- info->hook_entry[i] = 0xFFFFFFFF;
5898 +- info->underflow[i] = 0xFFFFFFFF;
5899 +- }
5900 ++ size = compatr->size;
5901 ++ info->number = compatr->num_entries;
5902 +
5903 + duprintf("translate_compat_table: size %u\n", info->size);
5904 + j = 0;
5905 + xt_compat_lock(AF_INET6);
5906 +- xt_compat_init_offsets(AF_INET6, number);
5907 ++ xt_compat_init_offsets(AF_INET6, compatr->num_entries);
5908 + /* Walk through entries, checking offsets. */
5909 +- xt_entry_foreach(iter0, entry0, total_size) {
5910 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
5911 + ret = check_compat_entry_size_and_hooks(iter0, info, &size,
5912 + entry0,
5913 +- entry0 + total_size,
5914 +- hook_entries,
5915 +- underflows,
5916 +- name);
5917 ++ entry0 + compatr->size);
5918 + if (ret != 0)
5919 + goto out_unlock;
5920 + ++j;
5921 + }
5922 +
5923 + ret = -EINVAL;
5924 +- if (j != number) {
5925 ++ if (j != compatr->num_entries) {
5926 + duprintf("translate_compat_table: %u not %u entries\n",
5927 +- j, number);
5928 ++ j, compatr->num_entries);
5929 + goto out_unlock;
5930 + }
5931 +
5932 +- /* Check hooks all assigned */
5933 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5934 +- /* Only hooks which are valid */
5935 +- if (!(valid_hooks & (1 << i)))
5936 +- continue;
5937 +- if (info->hook_entry[i] == 0xFFFFFFFF) {
5938 +- duprintf("Invalid hook entry %u %u\n",
5939 +- i, hook_entries[i]);
5940 +- goto out_unlock;
5941 +- }
5942 +- if (info->underflow[i] == 0xFFFFFFFF) {
5943 +- duprintf("Invalid underflow %u %u\n",
5944 +- i, underflows[i]);
5945 +- goto out_unlock;
5946 +- }
5947 +- }
5948 +-
5949 + ret = -ENOMEM;
5950 + newinfo = xt_alloc_table_info(size);
5951 + if (!newinfo)
5952 + goto out_unlock;
5953 +
5954 +- newinfo->number = number;
5955 ++ newinfo->number = compatr->num_entries;
5956 + for (i = 0; i < NF_INET_NUMHOOKS; i++) {
5957 +- newinfo->hook_entry[i] = info->hook_entry[i];
5958 +- newinfo->underflow[i] = info->underflow[i];
5959 ++ newinfo->hook_entry[i] = compatr->hook_entry[i];
5960 ++ newinfo->underflow[i] = compatr->underflow[i];
5961 + }
5962 + entry1 = newinfo->entries[raw_smp_processor_id()];
5963 + pos = entry1;
5964 +- size = total_size;
5965 +- xt_entry_foreach(iter0, entry0, total_size) {
5966 +- ret = compat_copy_entry_from_user(iter0, &pos, &size,
5967 +- name, newinfo, entry1);
5968 +- if (ret != 0)
5969 +- break;
5970 +- }
5971 ++ size = compatr->size;
5972 ++ xt_entry_foreach(iter0, entry0, compatr->size)
5973 ++ compat_copy_entry_from_user(iter0, &pos, &size,
5974 ++ newinfo, entry1);
5975 ++
5976 ++ /* all module references in entry0 are now gone. */
5977 + xt_compat_flush_offsets(AF_INET6);
5978 + xt_compat_unlock(AF_INET6);
5979 +- if (ret)
5980 +- goto free_newinfo;
5981 +
5982 +- ret = -ELOOP;
5983 +- if (!mark_source_chains(newinfo, valid_hooks, entry1))
5984 +- goto free_newinfo;
5985 ++ memcpy(&repl, compatr, sizeof(*compatr));
5986 +
5987 +- i = 0;
5988 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
5989 +- ret = compat_check_entry(iter1, net, name);
5990 +- if (ret != 0)
5991 +- break;
5992 +- ++i;
5993 +- if (strcmp(ip6t_get_target(iter1)->u.user.name,
5994 +- XT_ERROR_TARGET) == 0)
5995 +- ++newinfo->stacksize;
5996 +- }
5997 +- if (ret) {
5998 +- /*
5999 +- * The first i matches need cleanup_entry (calls ->destroy)
6000 +- * because they had called ->check already. The other j-i
6001 +- * entries need only release.
6002 +- */
6003 +- int skip = i;
6004 +- j -= i;
6005 +- xt_entry_foreach(iter0, entry0, newinfo->size) {
6006 +- if (skip-- > 0)
6007 +- continue;
6008 +- if (j-- == 0)
6009 +- break;
6010 +- compat_release_entry(iter0);
6011 +- }
6012 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
6013 +- if (i-- == 0)
6014 +- break;
6015 +- cleanup_entry(iter1, net);
6016 +- }
6017 +- xt_free_table_info(newinfo);
6018 +- return ret;
6019 ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
6020 ++ repl.hook_entry[i] = newinfo->hook_entry[i];
6021 ++ repl.underflow[i] = newinfo->underflow[i];
6022 + }
6023 +
6024 +- /* And one copy for every other CPU */
6025 +- for_each_possible_cpu(i)
6026 +- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
6027 +- memcpy(newinfo->entries[i], entry1, newinfo->size);
6028 ++ repl.num_counters = 0;
6029 ++ repl.counters = NULL;
6030 ++ repl.size = newinfo->size;
6031 ++ ret = translate_table(net, newinfo, entry1, &repl);
6032 ++ if (ret)
6033 ++ goto free_newinfo;
6034 +
6035 + *pinfo = newinfo;
6036 + *pentry0 = entry1;
6037 +@@ -1785,17 +1624,16 @@ translate_compat_table(struct net *net,
6038 +
6039 + free_newinfo:
6040 + xt_free_table_info(newinfo);
6041 +-out:
6042 +- xt_entry_foreach(iter0, entry0, total_size) {
6043 ++ return ret;
6044 ++out_unlock:
6045 ++ xt_compat_flush_offsets(AF_INET6);
6046 ++ xt_compat_unlock(AF_INET6);
6047 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
6048 + if (j-- == 0)
6049 + break;
6050 + compat_release_entry(iter0);
6051 + }
6052 + return ret;
6053 +-out_unlock:
6054 +- xt_compat_flush_offsets(AF_INET6);
6055 +- xt_compat_unlock(AF_INET6);
6056 +- goto out;
6057 + }
6058 +
6059 + static int
6060 +@@ -1815,6 +1653,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
6061 + return -ENOMEM;
6062 + if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
6063 + return -ENOMEM;
6064 ++ if (tmp.num_counters == 0)
6065 ++ return -EINVAL;
6066 ++
6067 + tmp.name[sizeof(tmp.name)-1] = 0;
6068 +
6069 + newinfo = xt_alloc_table_info(tmp.size);
6070 +@@ -1829,10 +1670,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
6071 + goto free_newinfo;
6072 + }
6073 +
6074 +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
6075 +- &newinfo, &loc_cpu_entry, tmp.size,
6076 +- tmp.num_entries, tmp.hook_entry,
6077 +- tmp.underflow);
6078 ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
6079 + if (ret != 0)
6080 + goto free_newinfo;
6081 +
6082 +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
6083 +index 4ddf67c6355b..d9535bb8fe2e 100644
6084 +--- a/net/ipv6/sit.c
6085 ++++ b/net/ipv6/sit.c
6086 +@@ -530,13 +530,13 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
6087 +
6088 + if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
6089 + ipv4_update_pmtu(skb, dev_net(skb->dev), info,
6090 +- t->parms.link, 0, IPPROTO_IPV6, 0);
6091 ++ t->parms.link, 0, iph->protocol, 0);
6092 + err = 0;
6093 + goto out;
6094 + }
6095 + if (type == ICMP_REDIRECT) {
6096 + ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
6097 +- IPPROTO_IPV6, 0);
6098 ++ iph->protocol, 0);
6099 + err = 0;
6100 + goto out;
6101 + }
6102 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
6103 +index 4659b8ab55d9..41c026f11edc 100644
6104 +--- a/net/ipv6/tcp_ipv6.c
6105 ++++ b/net/ipv6/tcp_ipv6.c
6106 +@@ -1767,7 +1767,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
6107 + destp = ntohs(inet->inet_dport);
6108 + srcp = ntohs(inet->inet_sport);
6109 +
6110 +- if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
6111 ++ if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
6112 ++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
6113 ++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
6114 + timer_active = 1;
6115 + timer_expires = icsk->icsk_timeout;
6116 + } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
6117 +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
6118 +index 3046d0244393..d234e6f80570 100644
6119 +--- a/net/ipv6/udp.c
6120 ++++ b/net/ipv6/udp.c
6121 +@@ -370,6 +370,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
6122 + int peeked, off = 0;
6123 + int err;
6124 + int is_udplite = IS_UDPLITE(sk);
6125 ++ bool checksum_valid = false;
6126 + int is_udp4;
6127 + bool slow;
6128 +
6129 +@@ -401,11 +402,12 @@ try_again:
6130 + */
6131 +
6132 + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
6133 +- if (udp_lib_checksum_complete(skb))
6134 ++ checksum_valid = !udp_lib_checksum_complete(skb);
6135 ++ if (!checksum_valid)
6136 + goto csum_copy_err;
6137 + }
6138 +
6139 +- if (skb_csum_unnecessary(skb))
6140 ++ if (checksum_valid || skb_csum_unnecessary(skb))
6141 + err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
6142 + msg->msg_iov, copied);
6143 + else {
6144 +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
6145 +index f8133ff5b081..c95bafa65f5b 100644
6146 +--- a/net/irda/af_irda.c
6147 ++++ b/net/irda/af_irda.c
6148 +@@ -1039,8 +1039,11 @@ static int irda_connect(struct socket *sock, struct sockaddr *uaddr,
6149 + }
6150 +
6151 + /* Check if we have opened a local TSAP */
6152 +- if (!self->tsap)
6153 +- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
6154 ++ if (!self->tsap) {
6155 ++ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
6156 ++ if (err)
6157 ++ goto out;
6158 ++ }
6159 +
6160 + /* Move to connecting socket, start sending Connect Requests */
6161 + sock->state = SS_CONNECTING;
6162 +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
6163 +index 6952760881c8..f8765cc84e47 100644
6164 +--- a/net/mac80211/mesh.c
6165 ++++ b/net/mac80211/mesh.c
6166 +@@ -161,6 +161,10 @@ void mesh_sta_cleanup(struct sta_info *sta)
6167 + del_timer_sync(&sta->plink_timer);
6168 + }
6169 +
6170 ++ /* make sure no readers can access nexthop sta from here on */
6171 ++ mesh_path_flush_by_nexthop(sta);
6172 ++ synchronize_net();
6173 ++
6174 + if (changed)
6175 + ieee80211_mbss_info_change_notify(sdata, changed);
6176 + }
6177 +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
6178 +index 8b03028cca69..51c141b09dba 100644
6179 +--- a/net/netfilter/x_tables.c
6180 ++++ b/net/netfilter/x_tables.c
6181 +@@ -435,6 +435,47 @@ int xt_check_match(struct xt_mtchk_param *par,
6182 + }
6183 + EXPORT_SYMBOL_GPL(xt_check_match);
6184 +
6185 ++/** xt_check_entry_match - check that matches end before start of target
6186 ++ *
6187 ++ * @match: beginning of xt_entry_match
6188 ++ * @target: beginning of this rules target (alleged end of matches)
6189 ++ * @alignment: alignment requirement of match structures
6190 ++ *
6191 ++ * Validates that all matches add up to the beginning of the target,
6192 ++ * and that each match covers at least the base structure size.
6193 ++ *
6194 ++ * Return: 0 on success, negative errno on failure.
6195 ++ */
6196 ++static int xt_check_entry_match(const char *match, const char *target,
6197 ++ const size_t alignment)
6198 ++{
6199 ++ const struct xt_entry_match *pos;
6200 ++ int length = target - match;
6201 ++
6202 ++ if (length == 0) /* no matches */
6203 ++ return 0;
6204 ++
6205 ++ pos = (struct xt_entry_match *)match;
6206 ++ do {
6207 ++ if ((unsigned long)pos % alignment)
6208 ++ return -EINVAL;
6209 ++
6210 ++ if (length < (int)sizeof(struct xt_entry_match))
6211 ++ return -EINVAL;
6212 ++
6213 ++ if (pos->u.match_size < sizeof(struct xt_entry_match))
6214 ++ return -EINVAL;
6215 ++
6216 ++ if (pos->u.match_size > length)
6217 ++ return -EINVAL;
6218 ++
6219 ++ length -= pos->u.match_size;
6220 ++ pos = ((void *)((char *)(pos) + (pos)->u.match_size));
6221 ++ } while (length > 0);
6222 ++
6223 ++ return 0;
6224 ++}
6225 ++
6226 + #ifdef CONFIG_COMPAT
6227 + int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
6228 + {
6229 +@@ -504,13 +545,14 @@ int xt_compat_match_offset(const struct xt_match *match)
6230 + }
6231 + EXPORT_SYMBOL_GPL(xt_compat_match_offset);
6232 +
6233 +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
6234 +- unsigned int *size)
6235 ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
6236 ++ unsigned int *size)
6237 + {
6238 + const struct xt_match *match = m->u.kernel.match;
6239 + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
6240 + int pad, off = xt_compat_match_offset(match);
6241 + u_int16_t msize = cm->u.user.match_size;
6242 ++ char name[sizeof(m->u.user.name)];
6243 +
6244 + m = *dstptr;
6245 + memcpy(m, cm, sizeof(*cm));
6246 +@@ -524,10 +566,12 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
6247 +
6248 + msize += off;
6249 + m->u.user.match_size = msize;
6250 ++ strlcpy(name, match->name, sizeof(name));
6251 ++ module_put(match->me);
6252 ++ strncpy(m->u.user.name, name, sizeof(m->u.user.name));
6253 +
6254 + *size += off;
6255 + *dstptr += msize;
6256 +- return 0;
6257 + }
6258 + EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
6259 +
6260 +@@ -558,8 +602,125 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
6261 + return 0;
6262 + }
6263 + EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
6264 ++
6265 ++/* non-compat version may have padding after verdict */
6266 ++struct compat_xt_standard_target {
6267 ++ struct compat_xt_entry_target t;
6268 ++ compat_uint_t verdict;
6269 ++};
6270 ++
6271 ++int xt_compat_check_entry_offsets(const void *base, const char *elems,
6272 ++ unsigned int target_offset,
6273 ++ unsigned int next_offset)
6274 ++{
6275 ++ long size_of_base_struct = elems - (const char *)base;
6276 ++ const struct compat_xt_entry_target *t;
6277 ++ const char *e = base;
6278 ++
6279 ++ if (target_offset < size_of_base_struct)
6280 ++ return -EINVAL;
6281 ++
6282 ++ if (target_offset + sizeof(*t) > next_offset)
6283 ++ return -EINVAL;
6284 ++
6285 ++ t = (void *)(e + target_offset);
6286 ++ if (t->u.target_size < sizeof(*t))
6287 ++ return -EINVAL;
6288 ++
6289 ++ if (target_offset + t->u.target_size > next_offset)
6290 ++ return -EINVAL;
6291 ++
6292 ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
6293 ++ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset)
6294 ++ return -EINVAL;
6295 ++
6296 ++ /* compat_xt_entry match has less strict aligment requirements,
6297 ++ * otherwise they are identical. In case of padding differences
6298 ++ * we need to add compat version of xt_check_entry_match.
6299 ++ */
6300 ++ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
6301 ++
6302 ++ return xt_check_entry_match(elems, base + target_offset,
6303 ++ __alignof__(struct compat_xt_entry_match));
6304 ++}
6305 ++EXPORT_SYMBOL(xt_compat_check_entry_offsets);
6306 + #endif /* CONFIG_COMPAT */
6307 +
6308 ++/**
6309 ++ * xt_check_entry_offsets - validate arp/ip/ip6t_entry
6310 ++ *
6311 ++ * @base: pointer to arp/ip/ip6t_entry
6312 ++ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
6313 ++ * @target_offset: the arp/ip/ip6_t->target_offset
6314 ++ * @next_offset: the arp/ip/ip6_t->next_offset
6315 ++ *
6316 ++ * validates that target_offset and next_offset are sane and that all
6317 ++ * match sizes (if any) align with the target offset.
6318 ++ *
6319 ++ * This function does not validate the targets or matches themselves, it
6320 ++ * only tests that all the offsets and sizes are correct, that all
6321 ++ * match structures are aligned, and that the last structure ends where
6322 ++ * the target structure begins.
6323 ++ *
6324 ++ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
6325 ++ *
6326 ++ * The arp/ip/ip6t_entry structure @base must have passed following tests:
6327 ++ * - it must point to a valid memory location
6328 ++ * - base to base + next_offset must be accessible, i.e. not exceed allocated
6329 ++ * length.
6330 ++ *
6331 ++ * A well-formed entry looks like this:
6332 ++ *
6333 ++ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
6334 ++ * e->elems[]-----' | |
6335 ++ * matchsize | |
6336 ++ * matchsize | |
6337 ++ * | |
6338 ++ * target_offset---------------------------------' |
6339 ++ * next_offset---------------------------------------------------'
6340 ++ *
6341 ++ * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
6342 ++ * This is where matches (if any) and the target reside.
6343 ++ * target_offset: beginning of target.
6344 ++ * next_offset: start of the next rule; also: size of this rule.
6345 ++ * Since targets have a minimum size, target_offset + minlen <= next_offset.
6346 ++ *
6347 ++ * Every match stores its size, sum of sizes must not exceed target_offset.
6348 ++ *
6349 ++ * Return: 0 on success, negative errno on failure.
6350 ++ */
6351 ++int xt_check_entry_offsets(const void *base,
6352 ++ const char *elems,
6353 ++ unsigned int target_offset,
6354 ++ unsigned int next_offset)
6355 ++{
6356 ++ long size_of_base_struct = elems - (const char *)base;
6357 ++ const struct xt_entry_target *t;
6358 ++ const char *e = base;
6359 ++
6360 ++ /* target start is within the ip/ip6/arpt_entry struct */
6361 ++ if (target_offset < size_of_base_struct)
6362 ++ return -EINVAL;
6363 ++
6364 ++ if (target_offset + sizeof(*t) > next_offset)
6365 ++ return -EINVAL;
6366 ++
6367 ++ t = (void *)(e + target_offset);
6368 ++ if (t->u.target_size < sizeof(*t))
6369 ++ return -EINVAL;
6370 ++
6371 ++ if (target_offset + t->u.target_size > next_offset)
6372 ++ return -EINVAL;
6373 ++
6374 ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
6375 ++ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset)
6376 ++ return -EINVAL;
6377 ++
6378 ++ return xt_check_entry_match(elems, base + target_offset,
6379 ++ __alignof__(struct xt_entry_match));
6380 ++}
6381 ++EXPORT_SYMBOL(xt_check_entry_offsets);
6382 ++
6383 + int xt_check_target(struct xt_tgchk_param *par,
6384 + unsigned int size, u_int8_t proto, bool inv_proto)
6385 + {
6386 +@@ -610,6 +771,80 @@ int xt_check_target(struct xt_tgchk_param *par,
6387 + }
6388 + EXPORT_SYMBOL_GPL(xt_check_target);
6389 +
6390 ++/**
6391 ++ * xt_copy_counters_from_user - copy counters and metadata from userspace
6392 ++ *
6393 ++ * @user: src pointer to userspace memory
6394 ++ * @len: alleged size of userspace memory
6395 ++ * @info: where to store the xt_counters_info metadata
6396 ++ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
6397 ++ *
6398 ++ * Copies counter meta data from @user and stores it in @info.
6399 ++ *
6400 ++ * vmallocs memory to hold the counters, then copies the counter data
6401 ++ * from @user to the new memory and returns a pointer to it.
6402 ++ *
6403 ++ * If @compat is true, @info gets converted automatically to the 64bit
6404 ++ * representation.
6405 ++ *
6406 ++ * The metadata associated with the counters is stored in @info.
6407 ++ *
6408 ++ * Return: returns pointer that caller has to test via IS_ERR().
6409 ++ * If IS_ERR is false, caller has to vfree the pointer.
6410 ++ */
6411 ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
6412 ++ struct xt_counters_info *info, bool compat)
6413 ++{
6414 ++ void *mem;
6415 ++ u64 size;
6416 ++
6417 ++#ifdef CONFIG_COMPAT
6418 ++ if (compat) {
6419 ++ /* structures only differ in size due to alignment */
6420 ++ struct compat_xt_counters_info compat_tmp;
6421 ++
6422 ++ if (len <= sizeof(compat_tmp))
6423 ++ return ERR_PTR(-EINVAL);
6424 ++
6425 ++ len -= sizeof(compat_tmp);
6426 ++ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
6427 ++ return ERR_PTR(-EFAULT);
6428 ++
6429 ++ strlcpy(info->name, compat_tmp.name, sizeof(info->name));
6430 ++ info->num_counters = compat_tmp.num_counters;
6431 ++ user += sizeof(compat_tmp);
6432 ++ } else
6433 ++#endif
6434 ++ {
6435 ++ if (len <= sizeof(*info))
6436 ++ return ERR_PTR(-EINVAL);
6437 ++
6438 ++ len -= sizeof(*info);
6439 ++ if (copy_from_user(info, user, sizeof(*info)) != 0)
6440 ++ return ERR_PTR(-EFAULT);
6441 ++
6442 ++ info->name[sizeof(info->name) - 1] = '\0';
6443 ++ user += sizeof(*info);
6444 ++ }
6445 ++
6446 ++ size = sizeof(struct xt_counters);
6447 ++ size *= info->num_counters;
6448 ++
6449 ++ if (size != (u64)len)
6450 ++ return ERR_PTR(-EINVAL);
6451 ++
6452 ++ mem = vmalloc(len);
6453 ++ if (!mem)
6454 ++ return ERR_PTR(-ENOMEM);
6455 ++
6456 ++ if (copy_from_user(mem, user, len) == 0)
6457 ++ return mem;
6458 ++
6459 ++ vfree(mem);
6460 ++ return ERR_PTR(-EFAULT);
6461 ++}
6462 ++EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
6463 ++
6464 + #ifdef CONFIG_COMPAT
6465 + int xt_compat_target_offset(const struct xt_target *target)
6466 + {
6467 +@@ -625,6 +860,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
6468 + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
6469 + int pad, off = xt_compat_target_offset(target);
6470 + u_int16_t tsize = ct->u.user.target_size;
6471 ++ char name[sizeof(t->u.user.name)];
6472 +
6473 + t = *dstptr;
6474 + memcpy(t, ct, sizeof(*ct));
6475 +@@ -638,6 +874,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
6476 +
6477 + tsize += off;
6478 + t->u.user.target_size = tsize;
6479 ++ strlcpy(name, target->name, sizeof(name));
6480 ++ module_put(target->me);
6481 ++ strncpy(t->u.user.name, name, sizeof(t->u.user.name));
6482 +
6483 + *size += off;
6484 + *dstptr += tsize;
6485 +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
6486 +index 7c94aedd0912..5b1fbe45ff0b 100644
6487 +--- a/net/netlabel/netlabel_kapi.c
6488 ++++ b/net/netlabel/netlabel_kapi.c
6489 +@@ -700,7 +700,11 @@ socket_setattr_return:
6490 + */
6491 + void netlbl_sock_delattr(struct sock *sk)
6492 + {
6493 +- cipso_v4_sock_delattr(sk);
6494 ++ switch (sk->sk_family) {
6495 ++ case AF_INET:
6496 ++ cipso_v4_sock_delattr(sk);
6497 ++ break;
6498 ++ }
6499 + }
6500 +
6501 + /**
6502 +@@ -879,7 +883,11 @@ req_setattr_return:
6503 + */
6504 + void netlbl_req_delattr(struct request_sock *req)
6505 + {
6506 +- cipso_v4_req_delattr(req);
6507 ++ switch (req->rsk_ops->family) {
6508 ++ case AF_INET:
6509 ++ cipso_v4_req_delattr(req);
6510 ++ break;
6511 ++ }
6512 + }
6513 +
6514 + /**
6515 +diff --git a/net/rfkill/rfkill-regulator.c b/net/rfkill/rfkill-regulator.c
6516 +index d11ac79246e4..cf5b145902e5 100644
6517 +--- a/net/rfkill/rfkill-regulator.c
6518 ++++ b/net/rfkill/rfkill-regulator.c
6519 +@@ -30,6 +30,7 @@ struct rfkill_regulator_data {
6520 + static int rfkill_regulator_set_block(void *data, bool blocked)
6521 + {
6522 + struct rfkill_regulator_data *rfkill_data = data;
6523 ++ int ret = 0;
6524 +
6525 + pr_debug("%s: blocked: %d\n", __func__, blocked);
6526 +
6527 +@@ -40,15 +41,16 @@ static int rfkill_regulator_set_block(void *data, bool blocked)
6528 + }
6529 + } else {
6530 + if (!rfkill_data->reg_enabled) {
6531 +- regulator_enable(rfkill_data->vcc);
6532 +- rfkill_data->reg_enabled = true;
6533 ++ ret = regulator_enable(rfkill_data->vcc);
6534 ++ if (!ret)
6535 ++ rfkill_data->reg_enabled = true;
6536 + }
6537 + }
6538 +
6539 + pr_debug("%s: regulator_is_enabled after set_block: %d\n", __func__,
6540 + regulator_is_enabled(rfkill_data->vcc));
6541 +
6542 +- return 0;
6543 ++ return ret;
6544 + }
6545 +
6546 + static struct rfkill_ops rfkill_regulator_ops = {
6547 +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
6548 +index 8aab894aeabe..730914cdb7a1 100644
6549 +--- a/net/sctp/sm_sideeffect.c
6550 ++++ b/net/sctp/sm_sideeffect.c
6551 +@@ -251,12 +251,13 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
6552 + int error;
6553 + struct sctp_transport *transport = (struct sctp_transport *) peer;
6554 + struct sctp_association *asoc = transport->asoc;
6555 +- struct net *net = sock_net(asoc->base.sk);
6556 ++ struct sock *sk = asoc->base.sk;
6557 ++ struct net *net = sock_net(sk);
6558 +
6559 + /* Check whether a task is in the sock. */
6560 +
6561 +- sctp_bh_lock_sock(asoc->base.sk);
6562 +- if (sock_owned_by_user(asoc->base.sk)) {
6563 ++ sctp_bh_lock_sock(sk);
6564 ++ if (sock_owned_by_user(sk)) {
6565 + SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
6566 +
6567 + /* Try again later. */
6568 +@@ -279,10 +280,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
6569 + transport, GFP_ATOMIC);
6570 +
6571 + if (error)
6572 +- asoc->base.sk->sk_err = -error;
6573 ++ sk->sk_err = -error;
6574 +
6575 + out_unlock:
6576 +- sctp_bh_unlock_sock(asoc->base.sk);
6577 ++ sctp_bh_unlock_sock(sk);
6578 + sctp_transport_put(transport);
6579 + }
6580 +
6581 +@@ -292,11 +293,12 @@ out_unlock:
6582 + static void sctp_generate_timeout_event(struct sctp_association *asoc,
6583 + sctp_event_timeout_t timeout_type)
6584 + {
6585 +- struct net *net = sock_net(asoc->base.sk);
6586 ++ struct sock *sk = asoc->base.sk;
6587 ++ struct net *net = sock_net(sk);
6588 + int error = 0;
6589 +
6590 +- sctp_bh_lock_sock(asoc->base.sk);
6591 +- if (sock_owned_by_user(asoc->base.sk)) {
6592 ++ sctp_bh_lock_sock(sk);
6593 ++ if (sock_owned_by_user(sk)) {
6594 + SCTP_DEBUG_PRINTK("%s:Sock is busy: timer %d\n",
6595 + __func__,
6596 + timeout_type);
6597 +@@ -320,10 +322,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc,
6598 + (void *)timeout_type, GFP_ATOMIC);
6599 +
6600 + if (error)
6601 +- asoc->base.sk->sk_err = -error;
6602 ++ sk->sk_err = -error;
6603 +
6604 + out_unlock:
6605 +- sctp_bh_unlock_sock(asoc->base.sk);
6606 ++ sctp_bh_unlock_sock(sk);
6607 + sctp_association_put(asoc);
6608 + }
6609 +
6610 +@@ -373,10 +375,11 @@ void sctp_generate_heartbeat_event(unsigned long data)
6611 + int error = 0;
6612 + struct sctp_transport *transport = (struct sctp_transport *) data;
6613 + struct sctp_association *asoc = transport->asoc;
6614 +- struct net *net = sock_net(asoc->base.sk);
6615 ++ struct sock *sk = asoc->base.sk;
6616 ++ struct net *net = sock_net(sk);
6617 +
6618 +- sctp_bh_lock_sock(asoc->base.sk);
6619 +- if (sock_owned_by_user(asoc->base.sk)) {
6620 ++ sctp_bh_lock_sock(sk);
6621 ++ if (sock_owned_by_user(sk)) {
6622 + SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
6623 +
6624 + /* Try again later. */
6625 +@@ -397,10 +400,10 @@ void sctp_generate_heartbeat_event(unsigned long data)
6626 + transport, GFP_ATOMIC);
6627 +
6628 + if (error)
6629 +- asoc->base.sk->sk_err = -error;
6630 ++ sk->sk_err = -error;
6631 +
6632 + out_unlock:
6633 +- sctp_bh_unlock_sock(asoc->base.sk);
6634 ++ sctp_bh_unlock_sock(sk);
6635 + sctp_transport_put(transport);
6636 + }
6637 +
6638 +@@ -411,10 +414,11 @@ void sctp_generate_proto_unreach_event(unsigned long data)
6639 + {
6640 + struct sctp_transport *transport = (struct sctp_transport *) data;
6641 + struct sctp_association *asoc = transport->asoc;
6642 +- struct net *net = sock_net(asoc->base.sk);
6643 ++ struct sock *sk = asoc->base.sk;
6644 ++ struct net *net = sock_net(sk);
6645 +
6646 +- sctp_bh_lock_sock(asoc->base.sk);
6647 +- if (sock_owned_by_user(asoc->base.sk)) {
6648 ++ sctp_bh_lock_sock(sk);
6649 ++ if (sock_owned_by_user(sk)) {
6650 + SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
6651 +
6652 + /* Try again later. */
6653 +@@ -435,7 +439,7 @@ void sctp_generate_proto_unreach_event(unsigned long data)
6654 + asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC);
6655 +
6656 + out_unlock:
6657 +- sctp_bh_unlock_sock(asoc->base.sk);
6658 ++ sctp_bh_unlock_sock(sk);
6659 + sctp_association_put(asoc);
6660 + }
6661 +
6662 +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
6663 +index 29b4ba93ab3c..62663a08ffbd 100644
6664 +--- a/net/sunrpc/auth_gss/svcauth_gss.c
6665 ++++ b/net/sunrpc/auth_gss/svcauth_gss.c
6666 +@@ -859,8 +859,8 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct g
6667 + goto out;
6668 + if (svc_getnl(&buf->head[0]) != seq)
6669 + goto out;
6670 +- /* trim off the mic at the end before returning */
6671 +- xdr_buf_trim(buf, mic.len + 4);
6672 ++ /* trim off the mic and padding at the end before returning */
6673 ++ xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4);
6674 + stat = 0;
6675 + out:
6676 + kfree(mic.data);
6677 +diff --git a/scripts/asn1_compiler.c b/scripts/asn1_compiler.c
6678 +index db0e5cd34c70..91c4117637ae 100644
6679 +--- a/scripts/asn1_compiler.c
6680 ++++ b/scripts/asn1_compiler.c
6681 +@@ -1353,6 +1353,8 @@ static void render_out_of_line_list(FILE *out)
6682 + render_opcode(out, "ASN1_OP_END_SET_OF%s,\n", act);
6683 + render_opcode(out, "_jump_target(%u),\n", entry);
6684 + break;
6685 ++ default:
6686 ++ break;
6687 + }
6688 + if (e->action)
6689 + render_opcode(out, "_action(ACT_%s),\n",
6690 +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
6691 +index ee625e3a56ba..4f7d13da04a5 100644
6692 +--- a/scripts/recordmcount.c
6693 ++++ b/scripts/recordmcount.c
6694 +@@ -33,10 +33,17 @@
6695 + #include <string.h>
6696 + #include <unistd.h>
6697 +
6698 ++/*
6699 ++ * glibc synced up and added the metag number but didn't add the relocations.
6700 ++ * Work around this in a crude manner for now.
6701 ++ */
6702 + #ifndef EM_METAG
6703 +-/* Remove this when these make it to the standard system elf.h. */
6704 + #define EM_METAG 174
6705 ++#endif
6706 ++#ifndef R_METAG_ADDR32
6707 + #define R_METAG_ADDR32 2
6708 ++#endif
6709 ++#ifndef R_METAG_NONE
6710 + #define R_METAG_NONE 3
6711 + #endif
6712 +
6713 +diff --git a/security/keys/key.c b/security/keys/key.c
6714 +index 8fb7c7bd4657..6595b2dd89fe 100644
6715 +--- a/security/keys/key.c
6716 ++++ b/security/keys/key.c
6717 +@@ -580,7 +580,7 @@ int key_reject_and_link(struct key *key,
6718 +
6719 + mutex_unlock(&key_construction_mutex);
6720 +
6721 +- if (keyring)
6722 ++ if (keyring && link_ret == 0)
6723 + __key_link_end(keyring, key->type, prealloc);
6724 +
6725 + /* wake up anyone waiting for a key to be constructed */
6726 +diff --git a/sound/core/control.c b/sound/core/control.c
6727 +index 3fcead61f0ef..251bc575f5c3 100644
6728 +--- a/sound/core/control.c
6729 ++++ b/sound/core/control.c
6730 +@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *card, unsigned int mask,
6731 +
6732 + if (snd_BUG_ON(!card || !id))
6733 + return;
6734 ++ if (card->shutdown)
6735 ++ return;
6736 + read_lock(&card->ctl_files_rwlock);
6737 + #if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE)
6738 + card->mixer_oss_change_count++;
6739 +diff --git a/sound/core/timer.c b/sound/core/timer.c
6740 +index 38742e826900..3476895ee1fb 100644
6741 +--- a/sound/core/timer.c
6742 ++++ b/sound/core/timer.c
6743 +@@ -1208,6 +1208,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
6744 + tu->tstamp = *tstamp;
6745 + if ((tu->filter & (1 << event)) == 0 || !tu->tread)
6746 + return;
6747 ++ memset(&r1, 0, sizeof(r1));
6748 + r1.event = event;
6749 + r1.tstamp = *tstamp;
6750 + r1.val = resolution;
6751 +@@ -1242,6 +1243,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
6752 + }
6753 + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
6754 + tu->last_resolution != resolution) {
6755 ++ memset(&r1, 0, sizeof(r1));
6756 + r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
6757 + r1.tstamp = tstamp;
6758 + r1.val = resolution;
6759 +@@ -1707,6 +1709,7 @@ static int snd_timer_user_params(struct file *file,
6760 + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
6761 + if (tu->tread) {
6762 + struct snd_timer_tread tread;
6763 ++ memset(&tread, 0, sizeof(tread));
6764 + tread.event = SNDRV_TIMER_EVENT_EARLY;
6765 + tread.tstamp.tv_sec = 0;
6766 + tread.tstamp.tv_nsec = 0;
6767 +diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c
6768 +index 982a2c2faf24..7f400a1d42e4 100644
6769 +--- a/sound/drivers/dummy.c
6770 ++++ b/sound/drivers/dummy.c
6771 +@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd_pcm_substream *substream)
6772 +
6773 + static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm)
6774 + {
6775 ++ hrtimer_cancel(&dpcm->timer);
6776 + tasklet_kill(&dpcm->tasklet);
6777 + }
6778 +
6779 +diff --git a/sound/pci/au88x0/au88x0_core.c b/sound/pci/au88x0/au88x0_core.c
6780 +index ae59dbaa53d9..42d4b13f1fa7 100644
6781 +--- a/sound/pci/au88x0/au88x0_core.c
6782 ++++ b/sound/pci/au88x0/au88x0_core.c
6783 +@@ -1442,9 +1442,8 @@ static int vortex_wtdma_bufshift(vortex_t * vortex, int wtdma)
6784 + int page, p, pp, delta, i;
6785 +
6786 + page =
6787 +- (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) &
6788 +- WT_SUBBUF_MASK)
6789 +- >> WT_SUBBUF_SHIFT;
6790 ++ (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2))
6791 ++ >> WT_SUBBUF_SHIFT) & WT_SUBBUF_MASK;
6792 + if (dma->nr_periods >= 4)
6793 + delta = (page - dma->period_real) & 3;
6794 + else {
6795 +diff --git a/sound/pci/oxygen/oxygen_mixer.c b/sound/pci/oxygen/oxygen_mixer.c
6796 +index c0dbb52d45be..1e4bcb900fc6 100644
6797 +--- a/sound/pci/oxygen/oxygen_mixer.c
6798 ++++ b/sound/pci/oxygen/oxygen_mixer.c
6799 +@@ -88,7 +88,7 @@ static int dac_mute_put(struct snd_kcontrol *ctl,
6800 + int changed;
6801 +
6802 + mutex_lock(&chip->mutex);
6803 +- changed = !value->value.integer.value[0] != chip->dac_mute;
6804 ++ changed = (!value->value.integer.value[0]) != chip->dac_mute;
6805 + if (changed) {
6806 + chip->dac_mute = !value->value.integer.value[0];
6807 + chip->model.update_dac_mute(chip);
6808 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
6809 +index 4f865e122c21..f71c4ad425c6 100644
6810 +--- a/virt/kvm/kvm_main.c
6811 ++++ b/virt/kvm/kvm_main.c
6812 +@@ -2447,7 +2447,7 @@ static long kvm_vm_ioctl(struct file *filp,
6813 + if (copy_from_user(&routing, argp, sizeof(routing)))
6814 + goto out;
6815 + r = -EINVAL;
6816 +- if (routing.nr >= KVM_MAX_IRQ_ROUTES)
6817 ++ if (routing.nr > KVM_MAX_IRQ_ROUTES)
6818 + goto out;
6819 + if (routing.flags)
6820 + goto out;
Report Message
Find on MARC Find on Google Groups