Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 21 Nov 2018 15:02:43
Message-Id: 1542812506.e1d87008a575b506d4ed0cf82c4e9ee0d42628f7.mpagano@gentoo
1 commit: e1d87008a575b506d4ed0cf82c4e9ee0d42628f7
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sat Nov 10 21:26:21 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 21 15:01:46 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e1d87008
7
8 Linux patch 4.4.163
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1162_linux-4.4.163.patch | 3554 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3558 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 98ec483..3fa80ea 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -691,6 +691,10 @@ Patch: 1161_linux-4.4.162.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.162
23
24 +Patch: 1162_linux-4.4.163.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.163
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1162_linux-4.4.163.patch b/1162_linux-4.4.163.patch
33 new file mode 100644
34 index 0000000..ae6d7c9
35 --- /dev/null
36 +++ b/1162_linux-4.4.163.patch
37 @@ -0,0 +1,3554 @@
38 +diff --git a/Makefile b/Makefile
39 +index 00ff2dd68ff1..4e3179768eea 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 4
45 +-SUBLEVEL = 162
46 ++SUBLEVEL = 163
47 + EXTRAVERSION =
48 + NAME = Blurry Fish Butt
49 +
50 +diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi
51 +index 53fd75c8ffcf..47894b41e4e2 100644
52 +--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi
53 ++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi
54 +@@ -130,6 +130,17 @@
55 + };
56 + };
57 +
58 ++&cpu0 {
59 ++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */
60 ++ operating-points = <
61 ++ /* kHz uV */
62 ++ 166666 850000
63 ++ 400000 900000
64 ++ 800000 1050000
65 ++ 1000000 1200000
66 ++ >;
67 ++};
68 ++
69 + &esdhc1 {
70 + pinctrl-names = "default";
71 + pinctrl-0 = <&pinctrl_esdhc1>;
72 +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
73 +index e00d50ef678f..3ff5ea16ebb3 100644
74 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
75 ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
76 +@@ -577,7 +577,7 @@
77 + };
78 +
79 + sata0: sata@29000000 {
80 +- compatible = "generic-ahci";
81 ++ compatible = "qcom,apq8064-ahci", "generic-ahci";
82 + status = "disabled";
83 + reg = <0x29000000 0x180>;
84 + interrupts = <GIC_SPI 209 IRQ_TYPE_NONE>;
85 +@@ -599,6 +599,7 @@
86 +
87 + phys = <&sata_phy0>;
88 + phy-names = "sata-phy";
89 ++ ports-implemented = <0x1>;
90 + };
91 +
92 + /* Temporary fixed regulator */
93 +diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
94 +index 0c81056c1dd7..2a3feb73de0b 100644
95 +--- a/arch/arm/mm/ioremap.c
96 ++++ b/arch/arm/mm/ioremap.c
97 +@@ -460,7 +460,7 @@ void pci_ioremap_set_mem_type(int mem_type)
98 +
99 + int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr)
100 + {
101 +- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT);
102 ++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT);
103 +
104 + return ioremap_page_range(PCI_IO_VIRT_BASE + offset,
105 + PCI_IO_VIRT_BASE + offset + SZ_64K,
106 +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
107 +index 86485415c5f0..be7f8416809f 100644
108 +--- a/arch/arm64/mm/fault.c
109 ++++ b/arch/arm64/mm/fault.c
110 +@@ -107,26 +107,27 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
111 + /* only preserve the access flags and write permission */
112 + pte_val(entry) &= PTE_AF | PTE_WRITE | PTE_DIRTY;
113 +
114 +- /*
115 +- * PTE_RDONLY is cleared by default in the asm below, so set it in
116 +- * back if necessary (read-only or clean PTE).
117 +- */
118 ++ /* set PTE_RDONLY if actual read-only or clean PTE */
119 + if (!pte_write(entry) || !pte_sw_dirty(entry))
120 + pte_val(entry) |= PTE_RDONLY;
121 +
122 + /*
123 + * Setting the flags must be done atomically to avoid racing with the
124 +- * hardware update of the access/dirty state.
125 ++ * hardware update of the access/dirty state. The PTE_RDONLY bit must
126 ++ * be set to the most permissive (lowest value) of *ptep and entry
127 ++ * (calculated as: a & b == ~(~a | ~b)).
128 + */
129 ++ pte_val(entry) ^= PTE_RDONLY;
130 + asm volatile("// ptep_set_access_flags\n"
131 + " prfm pstl1strm, %2\n"
132 + "1: ldxr %0, %2\n"
133 +- " and %0, %0, %3 // clear PTE_RDONLY\n"
134 ++ " eor %0, %0, %3 // negate PTE_RDONLY in *ptep\n"
135 + " orr %0, %0, %4 // set flags\n"
136 ++ " eor %0, %0, %3 // negate final PTE_RDONLY\n"
137 + " stxr %w1, %0, %2\n"
138 + " cbnz %w1, 1b\n"
139 + : "=&r" (old_pteval), "=&r" (tmp), "+Q" (pte_val(*ptep))
140 +- : "L" (~PTE_RDONLY), "r" (pte_val(entry)));
141 ++ : "L" (PTE_RDONLY), "r" (pte_val(entry)));
142 +
143 + flush_tlb_fix_spurious_fault(vma, address);
144 + return 1;
145 +diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S
146 +index 554d1da97743..21f4a9fe82fa 100644
147 +--- a/arch/mips/dec/int-handler.S
148 ++++ b/arch/mips/dec/int-handler.S
149 +@@ -147,23 +147,12 @@
150 + * Find irq with highest priority
151 + */
152 + # open coded PTR_LA t1, cpu_mask_nr_tbl
153 +-#if (_MIPS_SZPTR == 32)
154 ++#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32)
155 + # open coded la t1, cpu_mask_nr_tbl
156 + lui t1, %hi(cpu_mask_nr_tbl)
157 + addiu t1, %lo(cpu_mask_nr_tbl)
158 +-
159 +-#endif
160 +-#if (_MIPS_SZPTR == 64)
161 +- # open coded dla t1, cpu_mask_nr_tbl
162 +- .set push
163 +- .set noat
164 +- lui t1, %highest(cpu_mask_nr_tbl)
165 +- lui AT, %hi(cpu_mask_nr_tbl)
166 +- daddiu t1, t1, %higher(cpu_mask_nr_tbl)
167 +- daddiu AT, AT, %lo(cpu_mask_nr_tbl)
168 +- dsll t1, 32
169 +- daddu t1, t1, AT
170 +- .set pop
171 ++#else
172 ++#error GCC `-msym32' option required for 64-bit DECstation builds
173 + #endif
174 + 1: lw t2,(t1)
175 + nop
176 +@@ -214,23 +203,12 @@
177 + * Find irq with highest priority
178 + */
179 + # open coded PTR_LA t1,asic_mask_nr_tbl
180 +-#if (_MIPS_SZPTR == 32)
181 ++#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32)
182 + # open coded la t1, asic_mask_nr_tbl
183 + lui t1, %hi(asic_mask_nr_tbl)
184 + addiu t1, %lo(asic_mask_nr_tbl)
185 +-
186 +-#endif
187 +-#if (_MIPS_SZPTR == 64)
188 +- # open coded dla t1, asic_mask_nr_tbl
189 +- .set push
190 +- .set noat
191 +- lui t1, %highest(asic_mask_nr_tbl)
192 +- lui AT, %hi(asic_mask_nr_tbl)
193 +- daddiu t1, t1, %higher(asic_mask_nr_tbl)
194 +- daddiu AT, AT, %lo(asic_mask_nr_tbl)
195 +- dsll t1, 32
196 +- daddu t1, t1, AT
197 +- .set pop
198 ++#else
199 ++#error GCC `-msym32' option required for 64-bit DECstation builds
200 + #endif
201 + 2: lw t2,(t1)
202 + nop
203 +diff --git a/arch/mips/include/asm/fpu_emulator.h b/arch/mips/include/asm/fpu_emulator.h
204 +index 2f021cdfba4f..742223716fc8 100644
205 +--- a/arch/mips/include/asm/fpu_emulator.h
206 ++++ b/arch/mips/include/asm/fpu_emulator.h
207 +@@ -66,6 +66,8 @@ extern int do_dsemulret(struct pt_regs *xcp);
208 + extern int fpu_emulator_cop1Handler(struct pt_regs *xcp,
209 + struct mips_fpu_struct *ctx, int has_fpu,
210 + void *__user *fault_addr);
211 ++void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr,
212 ++ struct task_struct *tsk);
213 + int process_fpemu_return(int sig, void __user *fault_addr,
214 + unsigned long fcr31);
215 + int mm_isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
216 +@@ -92,4 +94,15 @@ static inline void fpu_emulator_init_fpu(void)
217 + set_fpr64(&t->thread.fpu.fpr[i], 0, SIGNALLING_NAN);
218 + }
219 +
220 ++/*
221 ++ * Mask the FCSR Cause bits according to the Enable bits, observing
222 ++ * that Unimplemented is always enabled.
223 ++ */
224 ++static inline unsigned long mask_fcr31_x(unsigned long fcr31)
225 ++{
226 ++ return fcr31 & (FPU_CSR_UNI_X |
227 ++ ((fcr31 & FPU_CSR_ALL_E) <<
228 ++ (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E))));
229 ++}
230 ++
231 + #endif /* _ASM_FPU_EMULATOR_H */
232 +diff --git a/arch/mips/include/asm/switch_to.h b/arch/mips/include/asm/switch_to.h
233 +index ebb5c0f2f90d..c0ae27971e31 100644
234 +--- a/arch/mips/include/asm/switch_to.h
235 ++++ b/arch/mips/include/asm/switch_to.h
236 +@@ -75,6 +75,22 @@ do { if (cpu_has_rw_llb) { \
237 + } \
238 + } while (0)
239 +
240 ++/*
241 ++ * Check FCSR for any unmasked exceptions pending set with `ptrace',
242 ++ * clear them and send a signal.
243 ++ */
244 ++#define __sanitize_fcr31(next) \
245 ++do { \
246 ++ unsigned long fcr31 = mask_fcr31_x(next->thread.fpu.fcr31); \
247 ++ void __user *pc; \
248 ++ \
249 ++ if (unlikely(fcr31)) { \
250 ++ pc = (void __user *)task_pt_regs(next)->cp0_epc; \
251 ++ next->thread.fpu.fcr31 &= ~fcr31; \
252 ++ force_fcr31_sig(fcr31, pc, next); \
253 ++ } \
254 ++} while (0)
255 ++
256 + /*
257 + * For newly created kernel threads switch_to() will return to
258 + * ret_from_kernel_thread, newly created user threads to ret_from_fork.
259 +@@ -85,6 +101,8 @@ do { if (cpu_has_rw_llb) { \
260 + do { \
261 + __mips_mt_fpaff_switch_to(prev); \
262 + lose_fpu_inatomic(1, prev); \
263 ++ if (tsk_used_math(next)) \
264 ++ __sanitize_fcr31(next); \
265 + if (cpu_has_dsp) { \
266 + __save_dsp(prev); \
267 + __restore_dsp(next); \
268 +diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h
269 +index 9b44d5a816fa..1b6f2f219298 100644
270 +--- a/arch/mips/include/uapi/asm/inst.h
271 ++++ b/arch/mips/include/uapi/asm/inst.h
272 +@@ -846,7 +846,7 @@ struct mm16_r3_format { /* Load from global pointer format */
273 + struct mm16_r5_format { /* Load/store from stack pointer format */
274 + __BITFIELD_FIELD(unsigned int opcode : 6,
275 + __BITFIELD_FIELD(unsigned int rt : 5,
276 +- __BITFIELD_FIELD(signed int simmediate : 5,
277 ++ __BITFIELD_FIELD(unsigned int imm : 5,
278 + __BITFIELD_FIELD(unsigned int : 16, /* Ignored */
279 + ;))))
280 + };
281 +diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
282 +index cbe0f025856d..7b887027dca2 100644
283 +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
284 ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
285 +@@ -900,7 +900,7 @@ static inline int mipsr2_find_op_func(struct pt_regs *regs, u32 inst,
286 + * mipsr2_decoder: Decode and emulate a MIPS R2 instruction
287 + * @regs: Process register set
288 + * @inst: Instruction to decode and emulate
289 +- * @fcr31: Floating Point Control and Status Register returned
290 ++ * @fcr31: Floating Point Control and Status Register Cause bits returned
291 + */
292 + int mipsr2_decoder(struct pt_regs *regs, u32 inst, unsigned long *fcr31)
293 + {
294 +@@ -1183,13 +1183,13 @@ fpu_emul:
295 +
296 + err = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 0,
297 + &fault_addr);
298 +- *fcr31 = current->thread.fpu.fcr31;
299 +
300 + /*
301 +- * We can't allow the emulated instruction to leave any of
302 +- * the cause bits set in $fcr31.
303 ++ * We can't allow the emulated instruction to leave any
304 ++ * enabled Cause bits set in $fcr31.
305 + */
306 +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
307 ++ *fcr31 = res = mask_fcr31_x(current->thread.fpu.fcr31);
308 ++ current->thread.fpu.fcr31 &= ~res;
309 +
310 + /*
311 + * this is a tricky issue - lose_fpu() uses LL/SC atomics
312 +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
313 +index ed6cac4a4df0..ebd8a715fe38 100644
314 +--- a/arch/mips/kernel/process.c
315 ++++ b/arch/mips/kernel/process.c
316 +@@ -207,7 +207,7 @@ static inline int is_ra_save_ins(union mips_instruction *ip, int *poff)
317 + if (ip->mm16_r5_format.rt != 31)
318 + return 0;
319 +
320 +- *poff = ip->mm16_r5_format.simmediate;
321 ++ *poff = ip->mm16_r5_format.imm;
322 + *poff = (*poff << 2) / sizeof(ulong);
323 + return 1;
324 +
325 +@@ -341,6 +341,7 @@ static int get_frame_info(struct mips_frame_info *info)
326 + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
327 + union mips_instruction insn, *ip, *ip_end;
328 + const unsigned int max_insns = 128;
329 ++ unsigned int last_insn_size = 0;
330 + unsigned int i;
331 +
332 + info->pc_offset = -1;
333 +@@ -352,15 +353,19 @@ static int get_frame_info(struct mips_frame_info *info)
334 +
335 + ip_end = (void *)ip + info->func_size;
336 +
337 +- for (i = 0; i < max_insns && ip < ip_end; i++, ip++) {
338 ++ for (i = 0; i < max_insns && ip < ip_end; i++) {
339 ++ ip = (void *)ip + last_insn_size;
340 + if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
341 + insn.halfword[0] = 0;
342 + insn.halfword[1] = ip->halfword[0];
343 ++ last_insn_size = 2;
344 + } else if (is_mmips) {
345 + insn.halfword[0] = ip->halfword[1];
346 + insn.halfword[1] = ip->halfword[0];
347 ++ last_insn_size = 4;
348 + } else {
349 + insn.word = ip->word;
350 ++ last_insn_size = 4;
351 + }
352 +
353 + if (is_jump_ins(&insn))
354 +@@ -382,8 +387,6 @@ static int get_frame_info(struct mips_frame_info *info)
355 + tmp = (ip->halfword[0] >> 1);
356 + info->frame_size = -(signed short)(tmp & 0xf);
357 + }
358 +- ip = (void *) &ip->halfword[1];
359 +- ip--;
360 + } else
361 + #endif
362 + info->frame_size = - ip->i_format.simmediate;
363 +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
364 +index 5a869515b393..9d04392f7ef0 100644
365 +--- a/arch/mips/kernel/ptrace.c
366 ++++ b/arch/mips/kernel/ptrace.c
367 +@@ -79,16 +79,15 @@ void ptrace_disable(struct task_struct *child)
368 + }
369 +
370 + /*
371 +- * Poke at FCSR according to its mask. Don't set the cause bits as
372 +- * this is currently not handled correctly in FP context restoration
373 +- * and will cause an oops if a corresponding enable bit is set.
374 ++ * Poke at FCSR according to its mask. Set the Cause bits even
375 ++ * if a corresponding Enable bit is set. This will be noticed at
376 ++ * the time the thread is switched to and SIGFPE thrown accordingly.
377 + */
378 + static void ptrace_setfcr31(struct task_struct *child, u32 value)
379 + {
380 + u32 fcr31;
381 + u32 mask;
382 +
383 +- value &= ~FPU_CSR_ALL_X;
384 + fcr31 = child->thread.fpu.fcr31;
385 + mask = boot_cpu_data.fpu_msk31;
386 + child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
387 +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
388 +index 1b901218e3ae..6abd6b41c13d 100644
389 +--- a/arch/mips/kernel/traps.c
390 ++++ b/arch/mips/kernel/traps.c
391 +@@ -706,6 +706,32 @@ asmlinkage void do_ov(struct pt_regs *regs)
392 + exception_exit(prev_state);
393 + }
394 +
395 ++/*
396 ++ * Send SIGFPE according to FCSR Cause bits, which must have already
397 ++ * been masked against Enable bits. This is impotant as Inexact can
398 ++ * happen together with Overflow or Underflow, and `ptrace' can set
399 ++ * any bits.
400 ++ */
401 ++void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr,
402 ++ struct task_struct *tsk)
403 ++{
404 ++ struct siginfo si = { .si_addr = fault_addr, .si_signo = SIGFPE };
405 ++
406 ++ if (fcr31 & FPU_CSR_INV_X)
407 ++ si.si_code = FPE_FLTINV;
408 ++ else if (fcr31 & FPU_CSR_DIV_X)
409 ++ si.si_code = FPE_FLTDIV;
410 ++ else if (fcr31 & FPU_CSR_OVF_X)
411 ++ si.si_code = FPE_FLTOVF;
412 ++ else if (fcr31 & FPU_CSR_UDF_X)
413 ++ si.si_code = FPE_FLTUND;
414 ++ else if (fcr31 & FPU_CSR_INE_X)
415 ++ si.si_code = FPE_FLTRES;
416 ++ else
417 ++ si.si_code = __SI_FAULT;
418 ++ force_sig_info(SIGFPE, &si, tsk);
419 ++}
420 ++
421 + int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31)
422 + {
423 + struct siginfo si = { 0 };
424 +@@ -715,27 +741,7 @@ int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31)
425 + return 0;
426 +
427 + case SIGFPE:
428 +- si.si_addr = fault_addr;
429 +- si.si_signo = sig;
430 +- /*
431 +- * Inexact can happen together with Overflow or Underflow.
432 +- * Respect the mask to deliver the correct exception.
433 +- */
434 +- fcr31 &= (fcr31 & FPU_CSR_ALL_E) <<
435 +- (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E));
436 +- if (fcr31 & FPU_CSR_INV_X)
437 +- si.si_code = FPE_FLTINV;
438 +- else if (fcr31 & FPU_CSR_DIV_X)
439 +- si.si_code = FPE_FLTDIV;
440 +- else if (fcr31 & FPU_CSR_OVF_X)
441 +- si.si_code = FPE_FLTOVF;
442 +- else if (fcr31 & FPU_CSR_UDF_X)
443 +- si.si_code = FPE_FLTUND;
444 +- else if (fcr31 & FPU_CSR_INE_X)
445 +- si.si_code = FPE_FLTRES;
446 +- else
447 +- si.si_code = __SI_FAULT;
448 +- force_sig_info(sig, &si, current);
449 ++ force_fcr31_sig(fcr31, fault_addr, current);
450 + return 1;
451 +
452 + case SIGBUS:
453 +@@ -798,13 +804,13 @@ static int simulate_fp(struct pt_regs *regs, unsigned int opcode,
454 + /* Run the emulator */
455 + sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 1,
456 + &fault_addr);
457 +- fcr31 = current->thread.fpu.fcr31;
458 +
459 + /*
460 +- * We can't allow the emulated instruction to leave any of
461 +- * the cause bits set in $fcr31.
462 ++ * We can't allow the emulated instruction to leave any
463 ++ * enabled Cause bits set in $fcr31.
464 + */
465 +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
466 ++ fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
467 ++ current->thread.fpu.fcr31 &= ~fcr31;
468 +
469 + /* Restore the hardware register state */
470 + own_fpu(1);
471 +@@ -830,7 +836,7 @@ asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31)
472 + goto out;
473 +
474 + /* Clear FCSR.Cause before enabling interrupts */
475 +- write_32bit_cp1_register(CP1_STATUS, fcr31 & ~FPU_CSR_ALL_X);
476 ++ write_32bit_cp1_register(CP1_STATUS, fcr31 & ~mask_fcr31_x(fcr31));
477 + local_irq_enable();
478 +
479 + die_if_kernel("FP exception in kernel code", regs);
480 +@@ -852,13 +858,13 @@ asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31)
481 + /* Run the emulator */
482 + sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 1,
483 + &fault_addr);
484 +- fcr31 = current->thread.fpu.fcr31;
485 +
486 + /*
487 +- * We can't allow the emulated instruction to leave any of
488 +- * the cause bits set in $fcr31.
489 ++ * We can't allow the emulated instruction to leave any
490 ++ * enabled Cause bits set in $fcr31.
491 + */
492 +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
493 ++ fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
494 ++ current->thread.fpu.fcr31 &= ~fcr31;
495 +
496 + /* Restore the hardware register state */
497 + own_fpu(1); /* Using the FPU again. */
498 +@@ -1431,13 +1437,13 @@ asmlinkage void do_cpu(struct pt_regs *regs)
499 +
500 + sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 0,
501 + &fault_addr);
502 +- fcr31 = current->thread.fpu.fcr31;
503 +
504 + /*
505 + * We can't allow the emulated instruction to leave
506 +- * any of the cause bits set in $fcr31.
507 ++ * any enabled Cause bits set in $fcr31.
508 + */
509 +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
510 ++ fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
511 ++ current->thread.fpu.fcr31 &= ~fcr31;
512 +
513 + /* Send a signal if required. */
514 + if (!process_fpemu_return(sig, fault_addr, fcr31) && !err)
515 +diff --git a/arch/sparc/include/asm/page_64.h b/arch/sparc/include/asm/page_64.h
516 +index 8c2a8c937540..c1263fc390db 100644
517 +--- a/arch/sparc/include/asm/page_64.h
518 ++++ b/arch/sparc/include/asm/page_64.h
519 +@@ -25,6 +25,7 @@
520 + #define HPAGE_MASK (~(HPAGE_SIZE - 1UL))
521 + #define HUGETLB_PAGE_ORDER (HPAGE_SHIFT - PAGE_SHIFT)
522 + #define HAVE_ARCH_HUGETLB_UNMAPPED_AREA
523 ++#define REAL_HPAGE_PER_HPAGE (_AC(1,UL) << (HPAGE_SHIFT - REAL_HPAGE_SHIFT))
524 + #endif
525 +
526 + #ifndef __ASSEMBLY__
527 +diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c
528 +index 9f9614df9e1e..c2b202d763a1 100644
529 +--- a/arch/sparc/kernel/pci.c
530 ++++ b/arch/sparc/kernel/pci.c
531 +@@ -245,6 +245,18 @@ static void pci_parse_of_addrs(struct platform_device *op,
532 + }
533 + }
534 +
535 ++static void pci_init_dev_archdata(struct dev_archdata *sd, void *iommu,
536 ++ void *stc, void *host_controller,
537 ++ struct platform_device *op,
538 ++ int numa_node)
539 ++{
540 ++ sd->iommu = iommu;
541 ++ sd->stc = stc;
542 ++ sd->host_controller = host_controller;
543 ++ sd->op = op;
544 ++ sd->numa_node = numa_node;
545 ++}
546 ++
547 + static struct pci_dev *of_create_pci_dev(struct pci_pbm_info *pbm,
548 + struct device_node *node,
549 + struct pci_bus *bus, int devfn)
550 +@@ -259,13 +271,10 @@ static struct pci_dev *of_create_pci_dev(struct pci_pbm_info *pbm,
551 + if (!dev)
552 + return NULL;
553 +
554 ++ op = of_find_device_by_node(node);
555 + sd = &dev->dev.archdata;
556 +- sd->iommu = pbm->iommu;
557 +- sd->stc = &pbm->stc;
558 +- sd->host_controller = pbm;
559 +- sd->op = op = of_find_device_by_node(node);
560 +- sd->numa_node = pbm->numa_node;
561 +-
562 ++ pci_init_dev_archdata(sd, pbm->iommu, &pbm->stc, pbm, op,
563 ++ pbm->numa_node);
564 + sd = &op->dev.archdata;
565 + sd->iommu = pbm->iommu;
566 + sd->stc = &pbm->stc;
567 +@@ -1003,9 +1012,13 @@ int pcibios_add_device(struct pci_dev *dev)
568 + * Copy dev_archdata from PF to VF
569 + */
570 + if (dev->is_virtfn) {
571 ++ struct dev_archdata *psd;
572 ++
573 + pdev = dev->physfn;
574 +- memcpy(&dev->dev.archdata, &pdev->dev.archdata,
575 +- sizeof(struct dev_archdata));
576 ++ psd = &pdev->dev.archdata;
577 ++ pci_init_dev_archdata(&dev->dev.archdata, psd->iommu,
578 ++ psd->stc, psd->host_controller, NULL,
579 ++ psd->numa_node);
580 + }
581 + return 0;
582 + }
583 +diff --git a/arch/sparc/lib/U3memcpy.S b/arch/sparc/lib/U3memcpy.S
584 +index 54f98706b03b..5a8cb37f0a3b 100644
585 +--- a/arch/sparc/lib/U3memcpy.S
586 ++++ b/arch/sparc/lib/U3memcpy.S
587 +@@ -145,13 +145,13 @@ ENDPROC(U3_retl_o2_plus_GS_plus_0x08)
588 + ENTRY(U3_retl_o2_and_7_plus_GS)
589 + and %o2, 7, %o2
590 + retl
591 +- add %o2, GLOBAL_SPARE, %o2
592 ++ add %o2, GLOBAL_SPARE, %o0
593 + ENDPROC(U3_retl_o2_and_7_plus_GS)
594 + ENTRY(U3_retl_o2_and_7_plus_GS_plus_8)
595 + add GLOBAL_SPARE, 8, GLOBAL_SPARE
596 + and %o2, 7, %o2
597 + retl
598 +- add %o2, GLOBAL_SPARE, %o2
599 ++ add %o2, GLOBAL_SPARE, %o0
600 + ENDPROC(U3_retl_o2_and_7_plus_GS_plus_8)
601 + #endif
602 +
603 +diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
604 +index e15f33715103..b01ec72522cb 100644
605 +--- a/arch/sparc/mm/fault_64.c
606 ++++ b/arch/sparc/mm/fault_64.c
607 +@@ -487,6 +487,7 @@ good_area:
608 + tsb_grow(mm, MM_TSB_BASE, mm_rss);
609 + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
610 + mm_rss = mm->context.hugetlb_pte_count + mm->context.thp_pte_count;
611 ++ mm_rss *= REAL_HPAGE_PER_HPAGE;
612 + if (unlikely(mm_rss >
613 + mm->context.tsb_block[MM_TSB_HUGE].tsb_rss_limit)) {
614 + if (mm->context.tsb_block[MM_TSB_HUGE].tsb)
615 +diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
616 +index 3659d37b4d81..c56a195c9071 100644
617 +--- a/arch/sparc/mm/tlb.c
618 ++++ b/arch/sparc/mm/tlb.c
619 +@@ -174,10 +174,25 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
620 + return;
621 +
622 + if ((pmd_val(pmd) ^ pmd_val(orig)) & _PAGE_PMD_HUGE) {
623 +- if (pmd_val(pmd) & _PAGE_PMD_HUGE)
624 +- mm->context.thp_pte_count++;
625 +- else
626 +- mm->context.thp_pte_count--;
627 ++ /*
628 ++ * Note that this routine only sets pmds for THP pages.
629 ++ * Hugetlb pages are handled elsewhere. We need to check
630 ++ * for huge zero page. Huge zero pages are like hugetlb
631 ++ * pages in that there is no RSS, but there is the need
632 ++ * for TSB entries. So, huge zero page counts go into
633 ++ * hugetlb_pte_count.
634 ++ */
635 ++ if (pmd_val(pmd) & _PAGE_PMD_HUGE) {
636 ++ if (is_huge_zero_page(pmd_page(pmd)))
637 ++ mm->context.hugetlb_pte_count++;
638 ++ else
639 ++ mm->context.thp_pte_count++;
640 ++ } else {
641 ++ if (is_huge_zero_page(pmd_page(orig)))
642 ++ mm->context.hugetlb_pte_count--;
643 ++ else
644 ++ mm->context.thp_pte_count--;
645 ++ }
646 +
647 + /* Do not try to allocate the TSB hash table if we
648 + * don't have one already. We have various locks held
649 +@@ -204,6 +219,9 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
650 + }
651 + }
652 +
653 ++/*
654 ++ * This routine is only called when splitting a THP
655 ++ */
656 + void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
657 + pmd_t *pmdp)
658 + {
659 +@@ -213,6 +231,15 @@ void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
660 +
661 + set_pmd_at(vma->vm_mm, address, pmdp, entry);
662 + flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
663 ++
664 ++ /*
665 ++ * set_pmd_at() will not be called in a way to decrement
666 ++ * thp_pte_count when splitting a THP, so do it now.
667 ++ * Sanity check pmd before doing the actual decrement.
668 ++ */
669 ++ if ((pmd_val(entry) & _PAGE_PMD_HUGE) &&
670 ++ !is_huge_zero_page(pmd_page(entry)))
671 ++ (vma->vm_mm)->context.thp_pte_count--;
672 + }
673 +
674 + void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp,
675 +diff --git a/arch/sparc/mm/tsb.c b/arch/sparc/mm/tsb.c
676 +index 266411291634..84cd593117a6 100644
677 +--- a/arch/sparc/mm/tsb.c
678 ++++ b/arch/sparc/mm/tsb.c
679 +@@ -489,8 +489,10 @@ retry_tsb_alloc:
680 +
681 + int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
682 + {
683 ++ unsigned long mm_rss = get_mm_rss(mm);
684 + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
685 +- unsigned long total_huge_pte_count;
686 ++ unsigned long saved_hugetlb_pte_count;
687 ++ unsigned long saved_thp_pte_count;
688 + #endif
689 + unsigned int i;
690 +
691 +@@ -503,10 +505,12 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
692 + * will re-increment the counters as the parent PTEs are
693 + * copied into the child address space.
694 + */
695 +- total_huge_pte_count = mm->context.hugetlb_pte_count +
696 +- mm->context.thp_pte_count;
697 ++ saved_hugetlb_pte_count = mm->context.hugetlb_pte_count;
698 ++ saved_thp_pte_count = mm->context.thp_pte_count;
699 + mm->context.hugetlb_pte_count = 0;
700 + mm->context.thp_pte_count = 0;
701 ++
702 ++ mm_rss -= saved_thp_pte_count * (HPAGE_SIZE / PAGE_SIZE);
703 + #endif
704 +
705 + /* copy_mm() copies over the parent's mm_struct before calling
706 +@@ -519,11 +523,13 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
707 + /* If this is fork, inherit the parent's TSB size. We would
708 + * grow it to that size on the first page fault anyways.
709 + */
710 +- tsb_grow(mm, MM_TSB_BASE, get_mm_rss(mm));
711 ++ tsb_grow(mm, MM_TSB_BASE, mm_rss);
712 +
713 + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
714 +- if (unlikely(total_huge_pte_count))
715 +- tsb_grow(mm, MM_TSB_HUGE, total_huge_pte_count);
716 ++ if (unlikely(saved_hugetlb_pte_count + saved_thp_pte_count))
717 ++ tsb_grow(mm, MM_TSB_HUGE,
718 ++ (saved_hugetlb_pte_count + saved_thp_pte_count) *
719 ++ REAL_HPAGE_PER_HPAGE);
720 + #endif
721 +
722 + if (unlikely(!mm->context.tsb_block[MM_TSB_BASE].tsb))
723 +diff --git a/arch/um/Makefile b/arch/um/Makefile
724 +index 9ccf462131c4..d9cd7ed27834 100644
725 +--- a/arch/um/Makefile
726 ++++ b/arch/um/Makefile
727 +@@ -59,10 +59,14 @@ KBUILD_CPPFLAGS += -I$(srctree)/$(HOST_DIR)/um
728 + # Same things for in6addr_loopback and mktime - found in libc. For these two we
729 + # only get link-time error, luckily.
730 + #
731 ++# -Dlongjmp=kernel_longjmp prevents anything from referencing the libpthread.a
732 ++# embedded copy of longjmp, same thing for setjmp.
733 ++#
734 + # These apply to USER_CFLAGS to.
735 +
736 + KBUILD_CFLAGS += $(CFLAGS) $(CFLAGS-y) -D__arch_um__ \
737 + $(ARCH_INCLUDE) $(MODE_INCLUDE) -Dvmap=kernel_vmap \
738 ++ -Dlongjmp=kernel_longjmp -Dsetjmp=kernel_setjmp \
739 + -Din6addr_loopback=kernel_in6addr_loopback \
740 + -Din6addr_any=kernel_in6addr_any -Dstrrchr=kernel_strrchr
741 +
742 +diff --git a/arch/x86/include/asm/percpu.h b/arch/x86/include/asm/percpu.h
743 +index e0ba66ca68c6..f5e780bfa2b3 100644
744 +--- a/arch/x86/include/asm/percpu.h
745 ++++ b/arch/x86/include/asm/percpu.h
746 +@@ -184,22 +184,22 @@ do { \
747 + typeof(var) pfo_ret__; \
748 + switch (sizeof(var)) { \
749 + case 1: \
750 +- asm(op "b "__percpu_arg(1)",%0" \
751 ++ asm volatile(op "b "__percpu_arg(1)",%0"\
752 + : "=q" (pfo_ret__) \
753 + : "m" (var)); \
754 + break; \
755 + case 2: \
756 +- asm(op "w "__percpu_arg(1)",%0" \
757 ++ asm volatile(op "w "__percpu_arg(1)",%0"\
758 + : "=r" (pfo_ret__) \
759 + : "m" (var)); \
760 + break; \
761 + case 4: \
762 +- asm(op "l "__percpu_arg(1)",%0" \
763 ++ asm volatile(op "l "__percpu_arg(1)",%0"\
764 + : "=r" (pfo_ret__) \
765 + : "m" (var)); \
766 + break; \
767 + case 8: \
768 +- asm(op "q "__percpu_arg(1)",%0" \
769 ++ asm volatile(op "q "__percpu_arg(1)",%0"\
770 + : "=r" (pfo_ret__) \
771 + : "m" (var)); \
772 + break; \
773 +diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
774 +index d39c09119db6..590c8fd2ed9b 100644
775 +--- a/arch/x86/kernel/time.c
776 ++++ b/arch/x86/kernel/time.c
777 +@@ -23,7 +23,7 @@
778 + #include <asm/time.h>
779 +
780 + #ifdef CONFIG_X86_64
781 +-__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
782 ++__visible volatile unsigned long jiffies __cacheline_aligned_in_smp = INITIAL_JIFFIES;
783 + #endif
784 +
785 + unsigned long profile_pc(struct pt_regs *regs)
786 +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
787 +index 0e1dd7d47f05..26598e08666c 100644
788 +--- a/arch/x86/mm/pageattr.c
789 ++++ b/arch/x86/mm/pageattr.c
790 +@@ -955,11 +955,11 @@ static void populate_pte(struct cpa_data *cpa,
791 + }
792 + }
793 +
794 +-static int populate_pmd(struct cpa_data *cpa,
795 +- unsigned long start, unsigned long end,
796 +- unsigned num_pages, pud_t *pud, pgprot_t pgprot)
797 ++static long populate_pmd(struct cpa_data *cpa,
798 ++ unsigned long start, unsigned long end,
799 ++ unsigned num_pages, pud_t *pud, pgprot_t pgprot)
800 + {
801 +- unsigned int cur_pages = 0;
802 ++ long cur_pages = 0;
803 + pmd_t *pmd;
804 + pgprot_t pmd_pgprot;
805 +
806 +@@ -1029,12 +1029,12 @@ static int populate_pmd(struct cpa_data *cpa,
807 + return num_pages;
808 + }
809 +
810 +-static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
811 +- pgprot_t pgprot)
812 ++static long populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
813 ++ pgprot_t pgprot)
814 + {
815 + pud_t *pud;
816 + unsigned long end;
817 +- int cur_pages = 0;
818 ++ long cur_pages = 0;
819 + pgprot_t pud_pgprot;
820 +
821 + end = start + (cpa->numpages << PAGE_SHIFT);
822 +@@ -1090,7 +1090,7 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
823 +
824 + /* Map trailing leftover */
825 + if (start < end) {
826 +- int tmp;
827 ++ long tmp;
828 +
829 + pud = pud_offset(pgd, start);
830 + if (pud_none(*pud))
831 +@@ -1116,7 +1116,7 @@ static int populate_pgd(struct cpa_data *cpa, unsigned long addr)
832 + pgprot_t pgprot = __pgprot(_KERNPG_TABLE);
833 + pud_t *pud = NULL; /* shut up gcc */
834 + pgd_t *pgd_entry;
835 +- int ret;
836 ++ long ret;
837 +
838 + pgd_entry = cpa->pgd + pgd_index(addr);
839 +
840 +@@ -1351,7 +1351,8 @@ static int cpa_process_alias(struct cpa_data *cpa)
841 +
842 + static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias)
843 + {
844 +- int ret, numpages = cpa->numpages;
845 ++ unsigned long numpages = cpa->numpages;
846 ++ int ret;
847 +
848 + while (numpages) {
849 + /*
850 +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
851 +index 0ae7e9fa348d..89f90549c6a8 100644
852 +--- a/arch/x86/pci/fixup.c
853 ++++ b/arch/x86/pci/fixup.c
854 +@@ -541,9 +541,16 @@ static void twinhead_reserve_killing_zone(struct pci_dev *dev)
855 + }
856 + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
857 +
858 ++/*
859 ++ * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
860 ++ *
861 ++ * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
862 ++ * entry BDF2.
863 ++ */
864 + static void pci_bdwep_bar(struct pci_dev *dev)
865 + {
866 + dev->non_compliant_bars = 1;
867 + }
868 ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_bdwep_bar);
869 + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
870 + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);
871 +diff --git a/arch/x86/um/setjmp_32.S b/arch/x86/um/setjmp_32.S
872 +index b766792c9933..39053192918d 100644
873 +--- a/arch/x86/um/setjmp_32.S
874 ++++ b/arch/x86/um/setjmp_32.S
875 +@@ -16,9 +16,9 @@
876 +
877 + .text
878 + .align 4
879 +- .globl setjmp
880 +- .type setjmp, @function
881 +-setjmp:
882 ++ .globl kernel_setjmp
883 ++ .type kernel_setjmp, @function
884 ++kernel_setjmp:
885 + #ifdef _REGPARM
886 + movl %eax,%edx
887 + #else
888 +@@ -35,13 +35,13 @@ setjmp:
889 + movl %ecx,20(%edx) # Return address
890 + ret
891 +
892 +- .size setjmp,.-setjmp
893 ++ .size kernel_setjmp,.-kernel_setjmp
894 +
895 + .text
896 + .align 4
897 +- .globl longjmp
898 +- .type longjmp, @function
899 +-longjmp:
900 ++ .globl kernel_longjmp
901 ++ .type kernel_longjmp, @function
902 ++kernel_longjmp:
903 + #ifdef _REGPARM
904 + xchgl %eax,%edx
905 + #else
906 +@@ -55,4 +55,4 @@ longjmp:
907 + movl 16(%edx),%edi
908 + jmp *20(%edx)
909 +
910 +- .size longjmp,.-longjmp
911 ++ .size kernel_longjmp,.-kernel_longjmp
912 +diff --git a/arch/x86/um/setjmp_64.S b/arch/x86/um/setjmp_64.S
913 +index 45f547b4043e..c56942e1a38c 100644
914 +--- a/arch/x86/um/setjmp_64.S
915 ++++ b/arch/x86/um/setjmp_64.S
916 +@@ -18,9 +18,9 @@
917 +
918 + .text
919 + .align 4
920 +- .globl setjmp
921 +- .type setjmp, @function
922 +-setjmp:
923 ++ .globl kernel_setjmp
924 ++ .type kernel_setjmp, @function
925 ++kernel_setjmp:
926 + pop %rsi # Return address, and adjust the stack
927 + xorl %eax,%eax # Return value
928 + movq %rbx,(%rdi)
929 +@@ -34,13 +34,13 @@ setjmp:
930 + movq %rsi,56(%rdi) # Return address
931 + ret
932 +
933 +- .size setjmp,.-setjmp
934 ++ .size kernel_setjmp,.-kernel_setjmp
935 +
936 + .text
937 + .align 4
938 +- .globl longjmp
939 +- .type longjmp, @function
940 +-longjmp:
941 ++ .globl kernel_longjmp
942 ++ .type kernel_longjmp, @function
943 ++kernel_longjmp:
944 + movl %esi,%eax # Return value (int)
945 + movq (%rdi),%rbx
946 + movq 8(%rdi),%rsp
947 +@@ -51,4 +51,4 @@ longjmp:
948 + movq 48(%rdi),%r15
949 + jmp *56(%rdi)
950 +
951 +- .size longjmp,.-longjmp
952 ++ .size kernel_longjmp,.-kernel_longjmp
953 +diff --git a/crypto/shash.c b/crypto/shash.c
954 +index 5444b429e35d..4f89f78031e2 100644
955 +--- a/crypto/shash.c
956 ++++ b/crypto/shash.c
957 +@@ -41,7 +41,7 @@ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
958 + int err;
959 +
960 + absize = keylen + (alignmask & ~(crypto_tfm_ctx_alignment() - 1));
961 +- buffer = kmalloc(absize, GFP_KERNEL);
962 ++ buffer = kmalloc(absize, GFP_ATOMIC);
963 + if (!buffer)
964 + return -ENOMEM;
965 +
966 +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
967 +index 34fdaa6e99ba..5f1f049063dd 100644
968 +--- a/drivers/ata/ahci.c
969 ++++ b/drivers/ata/ahci.c
970 +@@ -619,8 +619,11 @@ static void ahci_pci_save_initial_config(struct pci_dev *pdev,
971 + static int ahci_pci_reset_controller(struct ata_host *host)
972 + {
973 + struct pci_dev *pdev = to_pci_dev(host->dev);
974 ++ int rc;
975 +
976 +- ahci_reset_controller(host);
977 ++ rc = ahci_reset_controller(host);
978 ++ if (rc)
979 ++ return rc;
980 +
981 + if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
982 + struct ahci_host_priv *hpriv = host->private_data;
983 +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
984 +index e759100e41a7..28894878dcd5 100644
985 +--- a/drivers/char/tpm/tpm-chip.c
986 ++++ b/drivers/char/tpm/tpm-chip.c
987 +@@ -230,7 +230,11 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev,
988 + chip->cdev.owner = dev->driver->owner;
989 + chip->cdev.kobj.parent = &chip->dev.kobj;
990 +
991 +- devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
992 ++ rc = devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
993 ++ if (rc) {
994 ++ put_device(&chip->dev);
995 ++ return ERR_PTR(rc);
996 ++ }
997 +
998 + return chip;
999 + }
1000 +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c
1001 +index 848b93ee930f..64a2e02b87d7 100644
1002 +--- a/drivers/devfreq/tegra-devfreq.c
1003 ++++ b/drivers/devfreq/tegra-devfreq.c
1004 +@@ -688,9 +688,9 @@ static int tegra_devfreq_probe(struct platform_device *pdev)
1005 + }
1006 +
1007 + irq = platform_get_irq(pdev, 0);
1008 +- if (irq <= 0) {
1009 +- dev_err(&pdev->dev, "Failed to get IRQ\n");
1010 +- return -ENODEV;
1011 ++ if (irq < 0) {
1012 ++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", irq);
1013 ++ return irq;
1014 + }
1015 +
1016 + platform_set_drvdata(pdev, tegra);
1017 +diff --git a/drivers/gpio/gpio-msic.c b/drivers/gpio/gpio-msic.c
1018 +index 22523aae8abe..3abf066f93d3 100644
1019 +--- a/drivers/gpio/gpio-msic.c
1020 ++++ b/drivers/gpio/gpio-msic.c
1021 +@@ -266,8 +266,8 @@ static int platform_msic_gpio_probe(struct platform_device *pdev)
1022 + int i;
1023 +
1024 + if (irq < 0) {
1025 +- dev_err(dev, "no IRQ line\n");
1026 +- return -EINVAL;
1027 ++ dev_err(dev, "no IRQ line: %d\n", irq);
1028 ++ return irq;
1029 + }
1030 +
1031 + if (!pdata || !pdata->gpio_base) {
1032 +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
1033 +index e40a1b07a014..343476d15726 100644
1034 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
1035 ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
1036 +@@ -235,7 +235,7 @@ void
1037 + nouveau_fbcon_accel_save_disable(struct drm_device *dev)
1038 + {
1039 + struct nouveau_drm *drm = nouveau_drm(dev);
1040 +- if (drm->fbcon) {
1041 ++ if (drm->fbcon && drm->fbcon->helper.fbdev) {
1042 + drm->fbcon->saved_flags = drm->fbcon->helper.fbdev->flags;
1043 + drm->fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED;
1044 + }
1045 +@@ -245,7 +245,7 @@ void
1046 + nouveau_fbcon_accel_restore(struct drm_device *dev)
1047 + {
1048 + struct nouveau_drm *drm = nouveau_drm(dev);
1049 +- if (drm->fbcon) {
1050 ++ if (drm->fbcon && drm->fbcon->helper.fbdev) {
1051 + drm->fbcon->helper.fbdev->flags = drm->fbcon->saved_flags;
1052 + }
1053 + }
1054 +@@ -257,7 +257,8 @@ nouveau_fbcon_accel_fini(struct drm_device *dev)
1055 + struct nouveau_fbdev *fbcon = drm->fbcon;
1056 + if (fbcon && drm->channel) {
1057 + console_lock();
1058 +- fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED;
1059 ++ if (fbcon->helper.fbdev)
1060 ++ fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED;
1061 + console_unlock();
1062 + nouveau_channel_idle(drm->channel);
1063 + nvif_object_fini(&fbcon->twod);
1064 +diff --git a/drivers/gpu/host1x/dev.c b/drivers/gpu/host1x/dev.c
1065 +index 53d3d1d45b48..ce1b10a2ae85 100644
1066 +--- a/drivers/gpu/host1x/dev.c
1067 ++++ b/drivers/gpu/host1x/dev.c
1068 +@@ -116,8 +116,8 @@ static int host1x_probe(struct platform_device *pdev)
1069 +
1070 + syncpt_irq = platform_get_irq(pdev, 0);
1071 + if (syncpt_irq < 0) {
1072 +- dev_err(&pdev->dev, "failed to get IRQ\n");
1073 +- return -ENXIO;
1074 ++ dev_err(&pdev->dev, "failed to get IRQ: %d\n", syncpt_irq);
1075 ++ return syncpt_irq;
1076 + }
1077 +
1078 + host = devm_kzalloc(&pdev->dev, sizeof(*host), GFP_KERNEL);
1079 +diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
1080 +index 564adf3116e8..4b3a00855f52 100644
1081 +--- a/drivers/infiniband/core/ucm.c
1082 ++++ b/drivers/infiniband/core/ucm.c
1083 +@@ -46,6 +46,8 @@
1084 + #include <linux/mutex.h>
1085 + #include <linux/slab.h>
1086 +
1087 ++#include <linux/nospec.h>
1088 ++
1089 + #include <asm/uaccess.h>
1090 +
1091 + #include <rdma/ib.h>
1092 +@@ -1115,6 +1117,7 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf,
1093 +
1094 + if (hdr.cmd >= ARRAY_SIZE(ucm_cmd_table))
1095 + return -EINVAL;
1096 ++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucm_cmd_table));
1097 +
1098 + if (hdr.in + sizeof(hdr) > len)
1099 + return -EINVAL;
1100 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
1101 +index 7525e9f6949e..3e4d3d5560bf 100644
1102 +--- a/drivers/infiniband/core/ucma.c
1103 ++++ b/drivers/infiniband/core/ucma.c
1104 +@@ -44,6 +44,8 @@
1105 + #include <linux/module.h>
1106 + #include <linux/nsproxy.h>
1107 +
1108 ++#include <linux/nospec.h>
1109 ++
1110 + #include <rdma/rdma_user_cm.h>
1111 + #include <rdma/ib_marshall.h>
1112 + #include <rdma/rdma_cm.h>
1113 +@@ -1627,6 +1629,7 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
1114 +
1115 + if (hdr.cmd >= ARRAY_SIZE(ucma_cmd_table))
1116 + return -EINVAL;
1117 ++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucma_cmd_table));
1118 +
1119 + if (hdr.in + sizeof(hdr) > len)
1120 + return -EINVAL;
1121 +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
1122 +index a716482774db..b3119589a444 100644
1123 +--- a/drivers/input/mouse/elan_i2c_core.c
1124 ++++ b/drivers/input/mouse/elan_i2c_core.c
1125 +@@ -1251,6 +1251,7 @@ static const struct acpi_device_id elan_acpi_id[] = {
1126 + { "ELAN0611", 0 },
1127 + { "ELAN0612", 0 },
1128 + { "ELAN0618", 0 },
1129 ++ { "ELAN061C", 0 },
1130 + { "ELAN061D", 0 },
1131 + { "ELAN0622", 0 },
1132 + { "ELAN1000", 0 },
1133 +diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
1134 +index 74bf1a17ae7c..b90776ef56ec 100644
1135 +--- a/drivers/isdn/gigaset/ser-gigaset.c
1136 ++++ b/drivers/isdn/gigaset/ser-gigaset.c
1137 +@@ -373,13 +373,7 @@ static void gigaset_freecshw(struct cardstate *cs)
1138 +
1139 + static void gigaset_device_release(struct device *dev)
1140 + {
1141 +- struct cardstate *cs = dev_get_drvdata(dev);
1142 +-
1143 +- if (!cs)
1144 +- return;
1145 +- dev_set_drvdata(dev, NULL);
1146 +- kfree(cs->hw.ser);
1147 +- cs->hw.ser = NULL;
1148 ++ kfree(container_of(dev, struct ser_cardstate, dev.dev));
1149 + }
1150 +
1151 + /*
1152 +@@ -408,7 +402,6 @@ static int gigaset_initcshw(struct cardstate *cs)
1153 + cs->hw.ser = NULL;
1154 + return rc;
1155 + }
1156 +- dev_set_drvdata(&cs->hw.ser->dev.dev, cs);
1157 +
1158 + tasklet_init(&cs->write_tasklet,
1159 + gigaset_modem_fill, (unsigned long) cs);
1160 +diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
1161 +index cafc34938a79..91d709efef7a 100644
1162 +--- a/drivers/media/usb/usbvision/usbvision-video.c
1163 ++++ b/drivers/media/usb/usbvision/usbvision-video.c
1164 +@@ -1461,13 +1461,6 @@ static int usbvision_probe(struct usb_interface *intf,
1165 + printk(KERN_INFO "%s: %s found\n", __func__,
1166 + usbvision_device_data[model].model_string);
1167 +
1168 +- /*
1169 +- * this is a security check.
1170 +- * an exploit using an incorrect bInterfaceNumber is known
1171 +- */
1172 +- if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
1173 +- return -ENODEV;
1174 +-
1175 + if (usbvision_device_data[model].interface >= 0)
1176 + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
1177 + else if (ifnum < dev->actconfig->desc.bNumInterfaces)
1178 +diff --git a/drivers/mfd/db8500-prcmu.c b/drivers/mfd/db8500-prcmu.c
1179 +index e6e4bacb09ee..12099b09a9a7 100644
1180 +--- a/drivers/mfd/db8500-prcmu.c
1181 ++++ b/drivers/mfd/db8500-prcmu.c
1182 +@@ -2048,6 +2048,7 @@ int db8500_prcmu_config_hotmon(u8 low, u8 high)
1183 +
1184 + return 0;
1185 + }
1186 ++EXPORT_SYMBOL_GPL(db8500_prcmu_config_hotmon);
1187 +
1188 + static int config_hot_period(u16 val)
1189 + {
1190 +@@ -2074,11 +2075,13 @@ int db8500_prcmu_start_temp_sense(u16 cycles32k)
1191 +
1192 + return config_hot_period(cycles32k);
1193 + }
1194 ++EXPORT_SYMBOL_GPL(db8500_prcmu_start_temp_sense);
1195 +
1196 + int db8500_prcmu_stop_temp_sense(void)
1197 + {
1198 + return config_hot_period(0xFFFF);
1199 + }
1200 ++EXPORT_SYMBOL_GPL(db8500_prcmu_stop_temp_sense);
1201 +
1202 + static int prcmu_a9wdog(u8 cmd, u8 d0, u8 d1, u8 d2, u8 d3)
1203 + {
1204 +diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
1205 +index 64d6f053c2a5..276998ea0267 100644
1206 +--- a/drivers/mtd/spi-nor/spi-nor.c
1207 ++++ b/drivers/mtd/spi-nor/spi-nor.c
1208 +@@ -708,6 +708,12 @@ static const struct flash_info spi_nor_ids[] = {
1209 +
1210 + /* ISSI */
1211 + { "is25cd512", INFO(0x7f9d20, 0, 32 * 1024, 2, SECT_4K) },
1212 ++ { "is25wp032", INFO(0x9d7016, 0, 64 * 1024, 64,
1213 ++ SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
1214 ++ { "is25wp064", INFO(0x9d7017, 0, 64 * 1024, 128,
1215 ++ SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
1216 ++ { "is25wp128", INFO(0x9d7018, 0, 64 * 1024, 256,
1217 ++ SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
1218 +
1219 + /* Macronix */
1220 + { "mx25l512e", INFO(0xc22010, 0, 64 * 1024, 1, SECT_4K) },
1221 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
1222 +index 78da1b7b4d86..a32dcb6718ca 100644
1223 +--- a/drivers/net/bonding/bond_main.c
1224 ++++ b/drivers/net/bonding/bond_main.c
1225 +@@ -1107,11 +1107,11 @@ static void bond_compute_features(struct bonding *bond)
1226 + gso_max_size = min(gso_max_size, slave->dev->gso_max_size);
1227 + gso_max_segs = min(gso_max_segs, slave->dev->gso_max_segs);
1228 + }
1229 ++ bond_dev->hard_header_len = max_hard_header_len;
1230 +
1231 + done:
1232 + bond_dev->vlan_features = vlan_features;
1233 + bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL;
1234 +- bond_dev->hard_header_len = max_hard_header_len;
1235 + bond_dev->gso_max_segs = gso_max_segs;
1236 + netif_set_gso_max_size(bond_dev, gso_max_size);
1237 +
1238 +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
1239 +index 7ae8374bff13..3dd4c39640dc 100644
1240 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
1241 ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
1242 +@@ -2147,6 +2147,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1243 + return -EPERM;
1244 + if (copy_from_user(&t, useraddr, sizeof(t)))
1245 + return -EFAULT;
1246 ++ if (t.cmd != CHELSIO_SET_QSET_PARAMS)
1247 ++ return -EINVAL;
1248 + if (t.qset_idx >= SGE_QSETS)
1249 + return -EINVAL;
1250 + if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
1251 +@@ -2246,6 +2248,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1252 + if (copy_from_user(&t, useraddr, sizeof(t)))
1253 + return -EFAULT;
1254 +
1255 ++ if (t.cmd != CHELSIO_GET_QSET_PARAMS)
1256 ++ return -EINVAL;
1257 ++
1258 + /* Display qsets for all ports when offload enabled */
1259 + if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
1260 + q1 = 0;
1261 +@@ -2291,6 +2296,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1262 + return -EBUSY;
1263 + if (copy_from_user(&edata, useraddr, sizeof(edata)))
1264 + return -EFAULT;
1265 ++ if (edata.cmd != CHELSIO_SET_QSET_NUM)
1266 ++ return -EINVAL;
1267 + if (edata.val < 1 ||
1268 + (edata.val > 1 && !(adapter->flags & USING_MSIX)))
1269 + return -EINVAL;
1270 +@@ -2331,6 +2338,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1271 + return -EPERM;
1272 + if (copy_from_user(&t, useraddr, sizeof(t)))
1273 + return -EFAULT;
1274 ++ if (t.cmd != CHELSIO_LOAD_FW)
1275 ++ return -EINVAL;
1276 + /* Check t.len sanity ? */
1277 + fw_data = memdup_user(useraddr + sizeof(t), t.len);
1278 + if (IS_ERR(fw_data))
1279 +@@ -2354,6 +2363,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1280 + return -EBUSY;
1281 + if (copy_from_user(&m, useraddr, sizeof(m)))
1282 + return -EFAULT;
1283 ++ if (m.cmd != CHELSIO_SETMTUTAB)
1284 ++ return -EINVAL;
1285 + if (m.nmtus != NMTUS)
1286 + return -EINVAL;
1287 + if (m.mtus[0] < 81) /* accommodate SACK */
1288 +@@ -2395,6 +2406,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1289 + return -EBUSY;
1290 + if (copy_from_user(&m, useraddr, sizeof(m)))
1291 + return -EFAULT;
1292 ++ if (m.cmd != CHELSIO_SET_PM)
1293 ++ return -EINVAL;
1294 + if (!is_power_of_2(m.rx_pg_sz) ||
1295 + !is_power_of_2(m.tx_pg_sz))
1296 + return -EINVAL; /* not power of 2 */
1297 +@@ -2428,6 +2441,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1298 + return -EIO; /* need the memory controllers */
1299 + if (copy_from_user(&t, useraddr, sizeof(t)))
1300 + return -EFAULT;
1301 ++ if (t.cmd != CHELSIO_GET_MEM)
1302 ++ return -EINVAL;
1303 + if ((t.addr & 7) || (t.len & 7))
1304 + return -EINVAL;
1305 + if (t.mem_id == MEM_CM)
1306 +@@ -2480,6 +2495,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1307 + return -EAGAIN;
1308 + if (copy_from_user(&t, useraddr, sizeof(t)))
1309 + return -EFAULT;
1310 ++ if (t.cmd != CHELSIO_SET_TRACE_FILTER)
1311 ++ return -EINVAL;
1312 +
1313 + tp = (const struct trace_params *)&t.sip;
1314 + if (t.config_tx)
1315 +diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c
1316 +index f3f3b95d5512..97bf0c3d5c69 100644
1317 +--- a/drivers/net/ethernet/intel/igb/e1000_82575.c
1318 ++++ b/drivers/net/ethernet/intel/igb/e1000_82575.c
1319 +@@ -223,17 +223,6 @@ static s32 igb_init_phy_params_82575(struct e1000_hw *hw)
1320 + hw->bus.func = (rd32(E1000_STATUS) & E1000_STATUS_FUNC_MASK) >>
1321 + E1000_STATUS_FUNC_SHIFT;
1322 +
1323 +- /* Make sure the PHY is in a good state. Several people have reported
1324 +- * firmware leaving the PHY's page select register set to something
1325 +- * other than the default of zero, which causes the PHY ID read to
1326 +- * access something other than the intended register.
1327 +- */
1328 +- ret_val = hw->phy.ops.reset(hw);
1329 +- if (ret_val) {
1330 +- hw_dbg("Error resetting the PHY.\n");
1331 +- goto out;
1332 +- }
1333 +-
1334 + /* Set phy->phy_addr and phy->id. */
1335 + ret_val = igb_get_phy_id_82575(hw);
1336 + if (ret_val)
1337 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
1338 +index 1d2174526a4c..18e4e4a69262 100644
1339 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
1340 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
1341 +@@ -312,7 +312,7 @@ enum ixgbe_ring_f_enum {
1342 + };
1343 +
1344 + #define IXGBE_MAX_RSS_INDICES 16
1345 +-#define IXGBE_MAX_RSS_INDICES_X550 64
1346 ++#define IXGBE_MAX_RSS_INDICES_X550 63
1347 + #define IXGBE_MAX_VMDQ_INDICES 64
1348 + #define IXGBE_MAX_FDIR_INDICES 63 /* based on q_vector limit */
1349 + #define IXGBE_MAX_FCOE_INDICES 8
1350 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
1351 +index 995f03107eac..04bc4df82fa7 100644
1352 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
1353 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
1354 +@@ -3508,7 +3508,7 @@ struct ixgbe_info {
1355 +
1356 + #define IXGBE_FUSES0_GROUP(_i) (0x11158 + ((_i) * 4))
1357 + #define IXGBE_FUSES0_300MHZ BIT(5)
1358 +-#define IXGBE_FUSES0_REV1 BIT(6)
1359 ++#define IXGBE_FUSES0_REV_MASK (3 << 6)
1360 +
1361 + #define IXGBE_KRM_PORT_CAR_GEN_CTRL(P) ((P) ? 0x8010 : 0x4010)
1362 + #define IXGBE_KRM_LINK_CTRL_1(P) ((P) ? 0x820C : 0x420C)
1363 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
1364 +index a75f2e3ce86f..ffd2e74e5638 100644
1365 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
1366 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
1367 +@@ -1873,10 +1873,6 @@ static s32 ixgbe_enter_lplu_t_x550em(struct ixgbe_hw *hw)
1368 + u32 save_autoneg;
1369 + bool link_up;
1370 +
1371 +- /* SW LPLU not required on later HW revisions. */
1372 +- if (IXGBE_FUSES0_REV1 & IXGBE_READ_REG(hw, IXGBE_FUSES0_GROUP(0)))
1373 +- return 0;
1374 +-
1375 + /* If blocked by MNG FW, then don't restart AN */
1376 + if (ixgbe_check_reset_blocked(hw))
1377 + return 0;
1378 +@@ -2030,8 +2026,9 @@ static s32 ixgbe_init_phy_ops_X550em(struct ixgbe_hw *hw)
1379 + }
1380 +
1381 + /* setup SW LPLU only for first revision */
1382 +- if (!(IXGBE_FUSES0_REV1 & IXGBE_READ_REG(hw,
1383 +- IXGBE_FUSES0_GROUP(0))))
1384 ++ if (hw->mac.type == ixgbe_mac_X550EM_x &&
1385 ++ !(IXGBE_READ_REG(hw, IXGBE_FUSES0_GROUP(0)) &
1386 ++ IXGBE_FUSES0_REV_MASK))
1387 + phy->ops.enter_lplu = ixgbe_enter_lplu_t_x550em;
1388 +
1389 + phy->ops.handle_lasi = ixgbe_handle_lasi_ext_t_x550em;
1390 +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
1391 +index 50bbad37d640..723bda33472a 100644
1392 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
1393 ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
1394 +@@ -1014,6 +1014,8 @@ static int ixgbevf_poll(struct napi_struct *napi, int budget)
1395 + ixgbevf_for_each_ring(ring, q_vector->tx)
1396 + clean_complete &= ixgbevf_clean_tx_irq(q_vector, ring);
1397 +
1398 ++ if (budget <= 0)
1399 ++ return budget;
1400 + #ifdef CONFIG_NET_RX_BUSY_POLL
1401 + if (!ixgbevf_qv_lock_napi(q_vector))
1402 + return budget;
1403 +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
1404 +index 4dccf7287f0f..52e4ed2f639d 100644
1405 +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
1406 ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
1407 +@@ -251,8 +251,11 @@ static u32 freq_to_shift(u16 freq)
1408 + {
1409 + u32 freq_khz = freq * 1000;
1410 + u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
1411 ++ u64 tmp_rounded =
1412 ++ roundup_pow_of_two(max_val_cycles) > max_val_cycles ?
1413 ++ roundup_pow_of_two(max_val_cycles) - 1 : UINT_MAX;
1414 + u64 max_val_cycles_rounded = is_power_of_2(max_val_cycles + 1) ?
1415 +- max_val_cycles : roundup_pow_of_two(max_val_cycles) - 1;
1416 ++ max_val_cycles : tmp_rounded;
1417 + /* calculate max possible multiplier in order to fit in 64bit */
1418 + u64 max_mul = div_u64(0xffffffffffffffffULL, max_val_cycles_rounded);
1419 +
1420 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
1421 +index 22e72bf1ae48..7a716733d9ca 100644
1422 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
1423 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
1424 +@@ -586,6 +586,8 @@ int mlx5e_redirect_rqt(struct mlx5e_priv *priv, enum mlx5e_rqt_ix rqt_ix);
1425 +
1426 + int mlx5e_open_locked(struct net_device *netdev);
1427 + int mlx5e_close_locked(struct net_device *netdev);
1428 ++void mlx5e_build_default_indir_rqt(u32 *indirection_rqt, int len,
1429 ++ int num_channels);
1430 +
1431 + static inline void mlx5e_tx_notify_hw(struct mlx5e_sq *sq,
1432 + struct mlx5e_tx_wqe *wqe, int bf_sz)
1433 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
1434 +index 7cc9df717323..7ee301310817 100644
1435 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
1436 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
1437 +@@ -385,6 +385,8 @@ static int mlx5e_set_channels(struct net_device *dev,
1438 + mlx5e_close_locked(dev);
1439 +
1440 + priv->params.num_channels = count;
1441 ++ mlx5e_build_default_indir_rqt(priv->params.indirection_rqt,
1442 ++ MLX5E_INDIR_RQT_SIZE, count);
1443 +
1444 + if (was_opened)
1445 + err = mlx5e_open_locked(dev);
1446 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
1447 +index 90e876ecc720..26d25ecdca7e 100644
1448 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
1449 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
1450 +@@ -1186,7 +1186,6 @@ static void mlx5e_fill_indir_rqt_rqns(struct mlx5e_priv *priv, void *rqtc)
1451 + ix = mlx5e_bits_invert(i, MLX5E_LOG_INDIR_RQT_SIZE);
1452 +
1453 + ix = priv->params.indirection_rqt[ix];
1454 +- ix = ix % priv->params.num_channels;
1455 + MLX5_SET(rqtc, rqtc, rq_num[i],
1456 + test_bit(MLX5E_STATE_OPENED, &priv->state) ?
1457 + priv->channel[ix]->rq.rqn :
1458 +@@ -1304,7 +1303,7 @@ static void mlx5e_build_tir_ctx_lro(void *tirc, struct mlx5e_priv *priv)
1459 + lro_timer_supported_periods[2]));
1460 + }
1461 +
1462 +-static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
1463 ++static int mlx5e_modify_tirs_lro(struct mlx5e_priv *priv)
1464 + {
1465 + struct mlx5_core_dev *mdev = priv->mdev;
1466 +
1467 +@@ -1312,6 +1311,7 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
1468 + void *tirc;
1469 + int inlen;
1470 + int err;
1471 ++ int tt;
1472 +
1473 + inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
1474 + in = mlx5_vzalloc(inlen);
1475 +@@ -1323,7 +1323,11 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
1476 +
1477 + mlx5e_build_tir_ctx_lro(tirc, priv);
1478 +
1479 +- err = mlx5_core_modify_tir(mdev, priv->tirn[tt], in, inlen);
1480 ++ for (tt = 0; tt < MLX5E_NUM_TT; tt++) {
1481 ++ err = mlx5_core_modify_tir(mdev, priv->tirn[tt], in, inlen);
1482 ++ if (err)
1483 ++ break;
1484 ++ }
1485 +
1486 + kvfree(in);
1487 +
1488 +@@ -1870,8 +1874,10 @@ static int mlx5e_set_features(struct net_device *netdev,
1489 + mlx5e_close_locked(priv->netdev);
1490 +
1491 + priv->params.lro_en = !!(features & NETIF_F_LRO);
1492 +- mlx5e_modify_tir_lro(priv, MLX5E_TT_IPV4_TCP);
1493 +- mlx5e_modify_tir_lro(priv, MLX5E_TT_IPV6_TCP);
1494 ++ err = mlx5e_modify_tirs_lro(priv);
1495 ++ if (err)
1496 ++ mlx5_core_warn(priv->mdev, "lro modify failed, %d\n",
1497 ++ err);
1498 +
1499 + if (was_opened)
1500 + err = mlx5e_open_locked(priv->netdev);
1501 +@@ -1976,12 +1982,20 @@ u16 mlx5e_get_max_inline_cap(struct mlx5_core_dev *mdev)
1502 + 2 /*sizeof(mlx5e_tx_wqe.inline_hdr_start)*/;
1503 + }
1504 +
1505 ++void mlx5e_build_default_indir_rqt(u32 *indirection_rqt, int len,
1506 ++ int num_channels)
1507 ++{
1508 ++ int i;
1509 ++
1510 ++ for (i = 0; i < len; i++)
1511 ++ indirection_rqt[i] = i % num_channels;
1512 ++}
1513 ++
1514 + static void mlx5e_build_netdev_priv(struct mlx5_core_dev *mdev,
1515 + struct net_device *netdev,
1516 + int num_channels)
1517 + {
1518 + struct mlx5e_priv *priv = netdev_priv(netdev);
1519 +- int i;
1520 +
1521 + priv->params.log_sq_size =
1522 + MLX5E_PARAMS_DEFAULT_LOG_SQ_SIZE;
1523 +@@ -2005,8 +2019,8 @@ static void mlx5e_build_netdev_priv(struct mlx5_core_dev *mdev,
1524 + netdev_rss_key_fill(priv->params.toeplitz_hash_key,
1525 + sizeof(priv->params.toeplitz_hash_key));
1526 +
1527 +- for (i = 0; i < MLX5E_INDIR_RQT_SIZE; i++)
1528 +- priv->params.indirection_rqt[i] = i % num_channels;
1529 ++ mlx5e_build_default_indir_rqt(priv->params.indirection_rqt,
1530 ++ MLX5E_INDIR_RQT_SIZE, num_channels);
1531 +
1532 + priv->params.lro_wqe_sz =
1533 + MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ;
1534 +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
1535 +index c6782ebd35e1..93543e176829 100644
1536 +--- a/drivers/net/ethernet/realtek/r8169.c
1537 ++++ b/drivers/net/ethernet/realtek/r8169.c
1538 +@@ -7540,17 +7540,15 @@ static int rtl8169_poll(struct napi_struct *napi, int budget)
1539 + struct rtl8169_private *tp = container_of(napi, struct rtl8169_private, napi);
1540 + struct net_device *dev = tp->dev;
1541 + u16 enable_mask = RTL_EVENT_NAPI | tp->event_slow;
1542 +- int work_done= 0;
1543 ++ int work_done;
1544 + u16 status;
1545 +
1546 + status = rtl_get_events(tp);
1547 + rtl_ack_events(tp, status & ~tp->event_slow);
1548 +
1549 +- if (status & RTL_EVENT_NAPI_RX)
1550 +- work_done = rtl_rx(dev, tp, (u32) budget);
1551 ++ work_done = rtl_rx(dev, tp, (u32) budget);
1552 +
1553 +- if (status & RTL_EVENT_NAPI_TX)
1554 +- rtl_tx(dev, tp);
1555 ++ rtl_tx(dev, tp);
1556 +
1557 + if (status & tp->event_slow) {
1558 + enable_mask &= ~tp->event_slow;
1559 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1560 +index bba670c42e37..90d95b3654f5 100644
1561 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1562 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1563 +@@ -130,7 +130,7 @@ static int stmmac_mdio_write(struct mii_bus *bus, int phyaddr, int phyreg,
1564 + */
1565 + int stmmac_mdio_reset(struct mii_bus *bus)
1566 + {
1567 +-#if defined(CONFIG_STMMAC_PLATFORM)
1568 ++#if IS_ENABLED(CONFIG_STMMAC_PLATFORM)
1569 + struct net_device *ndev = bus->priv;
1570 + struct stmmac_priv *priv = netdev_priv(ndev);
1571 + unsigned int mii_address = priv->hw->mii.addr;
1572 +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
1573 +index 7fbd8f044207..2092ef6431f2 100644
1574 +--- a/drivers/net/usb/asix_common.c
1575 ++++ b/drivers/net/usb/asix_common.c
1576 +@@ -449,6 +449,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
1577 + struct usbnet *dev = netdev_priv(net);
1578 + u8 opt = 0;
1579 +
1580 ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
1581 ++ return -EINVAL;
1582 ++
1583 + if (wolinfo->wolopts & WAKE_PHY)
1584 + opt |= AX_MONITOR_LINK;
1585 + if (wolinfo->wolopts & WAKE_MAGIC)
1586 +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
1587 +index e6338c16081a..e3f2e6098db4 100644
1588 +--- a/drivers/net/usb/ax88179_178a.c
1589 ++++ b/drivers/net/usb/ax88179_178a.c
1590 +@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
1591 + struct usbnet *dev = netdev_priv(net);
1592 + u8 opt = 0;
1593 +
1594 ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
1595 ++ return -EINVAL;
1596 ++
1597 + if (wolinfo->wolopts & WAKE_PHY)
1598 + opt |= AX_MONITOR_MODE_RWLC;
1599 + if (wolinfo->wolopts & WAKE_MAGIC)
1600 +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
1601 +index 1aede726052c..45a6a7cae4bf 100644
1602 +--- a/drivers/net/usb/lan78xx.c
1603 ++++ b/drivers/net/usb/lan78xx.c
1604 +@@ -1051,19 +1051,10 @@ static int lan78xx_set_wol(struct net_device *netdev,
1605 + if (ret < 0)
1606 + return ret;
1607 +
1608 +- pdata->wol = 0;
1609 +- if (wol->wolopts & WAKE_UCAST)
1610 +- pdata->wol |= WAKE_UCAST;
1611 +- if (wol->wolopts & WAKE_MCAST)
1612 +- pdata->wol |= WAKE_MCAST;
1613 +- if (wol->wolopts & WAKE_BCAST)
1614 +- pdata->wol |= WAKE_BCAST;
1615 +- if (wol->wolopts & WAKE_MAGIC)
1616 +- pdata->wol |= WAKE_MAGIC;
1617 +- if (wol->wolopts & WAKE_PHY)
1618 +- pdata->wol |= WAKE_PHY;
1619 +- if (wol->wolopts & WAKE_ARP)
1620 +- pdata->wol |= WAKE_ARP;
1621 ++ if (wol->wolopts & ~WAKE_ALL)
1622 ++ return -EINVAL;
1623 ++
1624 ++ pdata->wol = wol->wolopts;
1625 +
1626 + device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
1627 +
1628 +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
1629 +index 2bb336cb13ee..2d83689374bb 100644
1630 +--- a/drivers/net/usb/r8152.c
1631 ++++ b/drivers/net/usb/r8152.c
1632 +@@ -3663,6 +3663,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
1633 + if (!rtl_can_wakeup(tp))
1634 + return -EOPNOTSUPP;
1635 +
1636 ++ if (wol->wolopts & ~WAKE_ANY)
1637 ++ return -EINVAL;
1638 ++
1639 + ret = usb_autopm_get_interface(tp->intf);
1640 + if (ret < 0)
1641 + goto out_set_wol;
1642 +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
1643 +index 8dbe086e0a96..234febc6e1d9 100644
1644 +--- a/drivers/net/usb/smsc75xx.c
1645 ++++ b/drivers/net/usb/smsc75xx.c
1646 +@@ -728,6 +728,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net,
1647 + struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
1648 + int ret;
1649 +
1650 ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
1651 ++ return -EINVAL;
1652 ++
1653 + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
1654 +
1655 + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
1656 +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
1657 +index 66b3ab9f614e..7cee7777d13f 100644
1658 +--- a/drivers/net/usb/smsc95xx.c
1659 ++++ b/drivers/net/usb/smsc95xx.c
1660 +@@ -727,6 +727,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net,
1661 + struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
1662 + int ret;
1663 +
1664 ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
1665 ++ return -EINVAL;
1666 ++
1667 + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
1668 +
1669 + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
1670 +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
1671 +index a50df0d8fb9a..004c955c1fd1 100644
1672 +--- a/drivers/net/usb/sr9800.c
1673 ++++ b/drivers/net/usb/sr9800.c
1674 +@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
1675 + struct usbnet *dev = netdev_priv(net);
1676 + u8 opt = 0;
1677 +
1678 ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
1679 ++ return -EINVAL;
1680 ++
1681 + if (wolinfo->wolopts & WAKE_PHY)
1682 + opt |= SR_MONITOR_LINK;
1683 + if (wolinfo->wolopts & WAKE_MAGIC)
1684 +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
1685 +index 91da67657f81..72e1796c8167 100644
1686 +--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
1687 ++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
1688 +@@ -705,7 +705,7 @@ done:
1689 + int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
1690 + struct sk_buff_head *pktq, uint totlen)
1691 + {
1692 +- struct sk_buff *glom_skb;
1693 ++ struct sk_buff *glom_skb = NULL;
1694 + struct sk_buff *skb;
1695 + u32 addr = sdiodev->sbwad;
1696 + int err = 0;
1697 +@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
1698 + return -ENOMEM;
1699 + err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
1700 + glom_skb);
1701 +- if (err) {
1702 +- brcmu_pkt_buf_free_skb(glom_skb);
1703 ++ if (err)
1704 + goto done;
1705 +- }
1706 +
1707 + skb_queue_walk(pktq, skb) {
1708 + memcpy(skb->data, glom_skb->data, skb->len);
1709 +@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
1710 + pktq);
1711 +
1712 + done:
1713 ++ brcmu_pkt_buf_free_skb(glom_skb);
1714 + return err;
1715 + }
1716 +
1717 +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
1718 +index c98cb962b454..05413176a5d6 100644
1719 +--- a/drivers/net/wireless/mac80211_hwsim.c
1720 ++++ b/drivers/net/wireless/mac80211_hwsim.c
1721 +@@ -2547,8 +2547,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
1722 + list_add_tail(&data->list, &hwsim_radios);
1723 + spin_unlock_bh(&hwsim_radio_lock);
1724 +
1725 +- if (idx > 0)
1726 +- hwsim_mcast_new_radio(idx, info, param);
1727 ++ hwsim_mcast_new_radio(idx, info, param);
1728 +
1729 + return idx;
1730 +
1731 +diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
1732 +index d877ff124365..4eb254a273f8 100644
1733 +--- a/drivers/ptp/ptp_chardev.c
1734 ++++ b/drivers/ptp/ptp_chardev.c
1735 +@@ -23,6 +23,8 @@
1736 + #include <linux/sched.h>
1737 + #include <linux/slab.h>
1738 +
1739 ++#include <linux/nospec.h>
1740 ++
1741 + #include "ptp_private.h"
1742 +
1743 + static int ptp_disable_pinfunc(struct ptp_clock_info *ops,
1744 +@@ -224,6 +226,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
1745 + err = -EINVAL;
1746 + break;
1747 + }
1748 ++ pin_index = array_index_nospec(pin_index, ops->n_pins);
1749 + if (mutex_lock_interruptible(&ptp->pincfg_mux))
1750 + return -ERESTARTSYS;
1751 + pd = ops->pin_config[pin_index];
1752 +@@ -242,6 +245,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
1753 + err = -EINVAL;
1754 + break;
1755 + }
1756 ++ pin_index = array_index_nospec(pin_index, ops->n_pins);
1757 + if (mutex_lock_interruptible(&ptp->pincfg_mux))
1758 + return -ERESTARTSYS;
1759 + err = ptp_set_pinfunc(ptp, pin_index, pd.func, pd.chan);
1760 +diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
1761 +index 8da8b46da722..1c447405ebbf 100644
1762 +--- a/drivers/scsi/aacraid/linit.c
1763 ++++ b/drivers/scsi/aacraid/linit.c
1764 +@@ -1416,8 +1416,8 @@ static int aac_acquire_resources(struct aac_dev *dev)
1765 + /* After EEH recovery or suspend resume, max_msix count
1766 + * may change, therfore updating in init as well.
1767 + */
1768 +- aac_adapter_start(dev);
1769 + dev->init->Sa_MSIXVectors = cpu_to_le32(dev->max_msix);
1770 ++ aac_adapter_start(dev);
1771 + }
1772 + return 0;
1773 +
1774 +diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c
1775 +index e415e1c58eb5..cf3ac0654a3a 100644
1776 +--- a/drivers/scsi/aacraid/src.c
1777 ++++ b/drivers/scsi/aacraid/src.c
1778 +@@ -444,7 +444,7 @@ err_out:
1779 + return -1;
1780 +
1781 + err_blink:
1782 +- return (status > 16) & 0xFF;
1783 ++ return (status >> 16) & 0xFF;
1784 + }
1785 +
1786 + /**
1787 +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
1788 +index 692445bcca6f..850ddc5fac04 100644
1789 +--- a/drivers/scsi/scsi_scan.c
1790 ++++ b/drivers/scsi/scsi_scan.c
1791 +@@ -381,11 +381,12 @@ static void scsi_target_reap_ref_release(struct kref *kref)
1792 + = container_of(kref, struct scsi_target, reap_ref);
1793 +
1794 + /*
1795 +- * if we get here and the target is still in the CREATED state that
1796 ++ * if we get here and the target is still in a CREATED state that
1797 + * means it was allocated but never made visible (because a scan
1798 + * turned up no LUNs), so don't call device_del() on it.
1799 + */
1800 +- if (starget->state != STARGET_CREATED) {
1801 ++ if ((starget->state != STARGET_CREATED) &&
1802 ++ (starget->state != STARGET_CREATED_REMOVE)) {
1803 + transport_remove_device(&starget->dev);
1804 + device_del(&starget->dev);
1805 + }
1806 +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
1807 +index 8db0c48943d6..085e470d1c49 100644
1808 +--- a/drivers/scsi/scsi_sysfs.c
1809 ++++ b/drivers/scsi/scsi_sysfs.c
1810 +@@ -1212,11 +1212,15 @@ restart:
1811 + spin_lock_irqsave(shost->host_lock, flags);
1812 + list_for_each_entry(starget, &shost->__targets, siblings) {
1813 + if (starget->state == STARGET_DEL ||
1814 +- starget->state == STARGET_REMOVE)
1815 ++ starget->state == STARGET_REMOVE ||
1816 ++ starget->state == STARGET_CREATED_REMOVE)
1817 + continue;
1818 + if (starget->dev.parent == dev || &starget->dev == dev) {
1819 + kref_get(&starget->reap_ref);
1820 +- starget->state = STARGET_REMOVE;
1821 ++ if (starget->state == STARGET_CREATED)
1822 ++ starget->state = STARGET_CREATED_REMOVE;
1823 ++ else
1824 ++ starget->state = STARGET_REMOVE;
1825 + spin_unlock_irqrestore(shost->host_lock, flags);
1826 + __scsi_remove_target(starget);
1827 + scsi_target_reap(starget);
1828 +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
1829 +index 55789f7cda92..645f428ad0a2 100644
1830 +--- a/drivers/spi/spi-bcm63xx-hsspi.c
1831 ++++ b/drivers/spi/spi-bcm63xx-hsspi.c
1832 +@@ -336,8 +336,8 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
1833 +
1834 + irq = platform_get_irq(pdev, 0);
1835 + if (irq < 0) {
1836 +- dev_err(dev, "no irq\n");
1837 +- return -ENXIO;
1838 ++ dev_err(dev, "no irq: %d\n", irq);
1839 ++ return irq;
1840 + }
1841 +
1842 + res_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
1843 +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
1844 +index bf9a610e5b89..f14500910bc2 100644
1845 +--- a/drivers/spi/spi-bcm63xx.c
1846 ++++ b/drivers/spi/spi-bcm63xx.c
1847 +@@ -496,8 +496,8 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
1848 +
1849 + irq = platform_get_irq(pdev, 0);
1850 + if (irq < 0) {
1851 +- dev_err(dev, "no irq\n");
1852 +- return -ENXIO;
1853 ++ dev_err(dev, "no irq: %d\n", irq);
1854 ++ return irq;
1855 + }
1856 +
1857 + clk = devm_clk_get(dev, "spi");
1858 +diff --git a/drivers/spi/spi-xlp.c b/drivers/spi/spi-xlp.c
1859 +index 8f04feca6ee3..0ddb0adaa8aa 100644
1860 +--- a/drivers/spi/spi-xlp.c
1861 ++++ b/drivers/spi/spi-xlp.c
1862 +@@ -392,8 +392,8 @@ static int xlp_spi_probe(struct platform_device *pdev)
1863 +
1864 + irq = platform_get_irq(pdev, 0);
1865 + if (irq < 0) {
1866 +- dev_err(&pdev->dev, "no IRQ resource found\n");
1867 +- return -EINVAL;
1868 ++ dev_err(&pdev->dev, "no IRQ resource found: %d\n", irq);
1869 ++ return irq;
1870 + }
1871 + err = devm_request_irq(&pdev->dev, irq, xlp_spi_interrupt, 0,
1872 + pdev->name, xspi);
1873 +diff --git a/drivers/thermal/Kconfig b/drivers/thermal/Kconfig
1874 +index 4b660b5beb98..1def65d2f0b5 100644
1875 +--- a/drivers/thermal/Kconfig
1876 ++++ b/drivers/thermal/Kconfig
1877 +@@ -195,7 +195,7 @@ config IMX_THERMAL
1878 + passive trip is crossed.
1879 +
1880 + config SPEAR_THERMAL
1881 +- bool "SPEAr thermal sensor driver"
1882 ++ tristate "SPEAr thermal sensor driver"
1883 + depends on PLAT_SPEAR || COMPILE_TEST
1884 + depends on OF
1885 + help
1886 +@@ -237,8 +237,8 @@ config DOVE_THERMAL
1887 + framework.
1888 +
1889 + config DB8500_THERMAL
1890 +- bool "DB8500 thermal management"
1891 +- depends on ARCH_U8500
1892 ++ tristate "DB8500 thermal management"
1893 ++ depends on MFD_DB8500_PRCMU
1894 + default y
1895 + help
1896 + Adds DB8500 thermal management implementation according to the thermal
1897 +diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
1898 +index 9dbae01d41ce..1e302caaa450 100644
1899 +--- a/drivers/tty/serial/sprd_serial.c
1900 ++++ b/drivers/tty/serial/sprd_serial.c
1901 +@@ -731,8 +731,8 @@ static int sprd_probe(struct platform_device *pdev)
1902 +
1903 + irq = platform_get_irq(pdev, 0);
1904 + if (irq < 0) {
1905 +- dev_err(&pdev->dev, "not provide irq resource\n");
1906 +- return -ENODEV;
1907 ++ dev_err(&pdev->dev, "not provide irq resource: %d\n", irq);
1908 ++ return irq;
1909 + }
1910 + up->irq = irq;
1911 +
1912 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
1913 +index a501f3ba6a3f..3cbf6aa10f2c 100644
1914 +--- a/drivers/usb/class/cdc-acm.c
1915 ++++ b/drivers/usb/class/cdc-acm.c
1916 +@@ -332,17 +332,17 @@ static void acm_ctrl_irq(struct urb *urb)
1917 +
1918 + if (difference & ACM_CTRL_DSR)
1919 + acm->iocount.dsr++;
1920 +- if (difference & ACM_CTRL_BRK)
1921 +- acm->iocount.brk++;
1922 +- if (difference & ACM_CTRL_RI)
1923 +- acm->iocount.rng++;
1924 + if (difference & ACM_CTRL_DCD)
1925 + acm->iocount.dcd++;
1926 +- if (difference & ACM_CTRL_FRAMING)
1927 ++ if (newctrl & ACM_CTRL_BRK)
1928 ++ acm->iocount.brk++;
1929 ++ if (newctrl & ACM_CTRL_RI)
1930 ++ acm->iocount.rng++;
1931 ++ if (newctrl & ACM_CTRL_FRAMING)
1932 + acm->iocount.frame++;
1933 +- if (difference & ACM_CTRL_PARITY)
1934 ++ if (newctrl & ACM_CTRL_PARITY)
1935 + acm->iocount.parity++;
1936 +- if (difference & ACM_CTRL_OVERRUN)
1937 ++ if (newctrl & ACM_CTRL_OVERRUN)
1938 + acm->iocount.overrun++;
1939 + spin_unlock(&acm->read_lock);
1940 +
1941 +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
1942 +index 5e0af15aebc4..7559d96695da 100644
1943 +--- a/drivers/usb/core/devio.c
1944 ++++ b/drivers/usb/core/devio.c
1945 +@@ -1329,8 +1329,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
1946 + u = 0;
1947 + switch (uurb->type) {
1948 + case USBDEVFS_URB_TYPE_CONTROL:
1949 +- if (is_in)
1950 +- allow_short = true;
1951 + if (!usb_endpoint_xfer_control(&ep->desc))
1952 + return -EINVAL;
1953 + /* min 8 byte setup packet */
1954 +@@ -1360,6 +1358,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
1955 + is_in = 0;
1956 + uurb->endpoint &= ~USB_DIR_IN;
1957 + }
1958 ++ if (is_in)
1959 ++ allow_short = true;
1960 + snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1961 + "bRequest=%02x wValue=%04x "
1962 + "wIndex=%04x wLength=%04x\n",
1963 +diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c
1964 +index 22e9606d8e08..9078af0ce06c 100644
1965 +--- a/drivers/usb/dwc3/dwc3-omap.c
1966 ++++ b/drivers/usb/dwc3/dwc3-omap.c
1967 +@@ -469,8 +469,8 @@ static int dwc3_omap_probe(struct platform_device *pdev)
1968 +
1969 + irq = platform_get_irq(pdev, 0);
1970 + if (irq < 0) {
1971 +- dev_err(dev, "missing IRQ resource\n");
1972 +- return -EINVAL;
1973 ++ dev_err(dev, "missing IRQ resource: %d\n", irq);
1974 ++ return irq;
1975 + }
1976 +
1977 + res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
1978 +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
1979 +index 4dd3c7672247..25488c89308a 100644
1980 +--- a/drivers/usb/gadget/function/f_mass_storage.c
1981 ++++ b/drivers/usb/gadget/function/f_mass_storage.c
1982 +@@ -220,6 +220,8 @@
1983 + #include <linux/usb/gadget.h>
1984 + #include <linux/usb/composite.h>
1985 +
1986 ++#include <linux/nospec.h>
1987 ++
1988 + #include "configfs.h"
1989 +
1990 +
1991 +@@ -3260,6 +3262,7 @@ static struct config_group *fsg_lun_make(struct config_group *group,
1992 + fsg_opts = to_fsg_opts(&group->cg_item);
1993 + if (num >= FSG_MAX_LUNS)
1994 + return ERR_PTR(-ERANGE);
1995 ++ num = array_index_nospec(num, FSG_MAX_LUNS);
1996 +
1997 + mutex_lock(&fsg_opts->lock);
1998 + if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
1999 +diff --git a/drivers/usb/host/ehci-omap.c b/drivers/usb/host/ehci-omap.c
2000 +index a24720beb39d..cccde8217f28 100644
2001 +--- a/drivers/usb/host/ehci-omap.c
2002 ++++ b/drivers/usb/host/ehci-omap.c
2003 +@@ -130,8 +130,8 @@ static int ehci_hcd_omap_probe(struct platform_device *pdev)
2004 +
2005 + irq = platform_get_irq(pdev, 0);
2006 + if (irq < 0) {
2007 +- dev_err(dev, "EHCI irq failed\n");
2008 +- return -ENODEV;
2009 ++ dev_err(dev, "EHCI irq failed: %d\n", irq);
2010 ++ return irq;
2011 + }
2012 +
2013 + res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
2014 +diff --git a/drivers/usb/host/imx21-hcd.c b/drivers/usb/host/imx21-hcd.c
2015 +index f542045dc2a6..e25d72e0527f 100644
2016 +--- a/drivers/usb/host/imx21-hcd.c
2017 ++++ b/drivers/usb/host/imx21-hcd.c
2018 +@@ -1849,8 +1849,10 @@ static int imx21_probe(struct platform_device *pdev)
2019 + if (!res)
2020 + return -ENODEV;
2021 + irq = platform_get_irq(pdev, 0);
2022 +- if (irq < 0)
2023 +- return -ENXIO;
2024 ++ if (irq < 0) {
2025 ++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", irq);
2026 ++ return irq;
2027 ++ }
2028 +
2029 + hcd = usb_create_hcd(&imx21_hc_driver,
2030 + &pdev->dev, dev_name(&pdev->dev));
2031 +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
2032 +index 02f86dd1a340..90a7bffe3484 100644
2033 +--- a/drivers/usb/storage/transport.c
2034 ++++ b/drivers/usb/storage/transport.c
2035 +@@ -808,12 +808,24 @@ Retry_Sense:
2036 + if (result == USB_STOR_TRANSPORT_GOOD) {
2037 + srb->result = SAM_STAT_GOOD;
2038 + srb->sense_buffer[0] = 0x0;
2039 ++ }
2040 ++
2041 ++ /*
2042 ++ * ATA-passthru commands use sense data to report
2043 ++ * the command completion status, and often devices
2044 ++ * return Check Condition status when nothing is
2045 ++ * wrong.
2046 ++ */
2047 ++ else if (srb->cmnd[0] == ATA_16 ||
2048 ++ srb->cmnd[0] == ATA_12) {
2049 ++ /* leave the data alone */
2050 ++ }
2051 +
2052 + /* If there was a problem, report an unspecified
2053 + * hardware error to prevent the higher layers from
2054 + * entering an infinite retry loop.
2055 + */
2056 +- } else {
2057 ++ else {
2058 + srb->result = DID_ERROR << 16;
2059 + if ((sshdr.response_code & 0x72) == 0x72)
2060 + srb->sense_buffer[1] = HARDWARE_ERROR;
2061 +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
2062 +index 675819a1af37..c54d388310f0 100644
2063 +--- a/drivers/vhost/vhost.c
2064 ++++ b/drivers/vhost/vhost.c
2065 +@@ -27,6 +27,7 @@
2066 + #include <linux/cgroup.h>
2067 + #include <linux/module.h>
2068 + #include <linux/sort.h>
2069 ++#include <linux/nospec.h>
2070 +
2071 + #include "vhost.h"
2072 +
2073 +@@ -748,6 +749,7 @@ long vhost_vring_ioctl(struct vhost_dev *d, int ioctl, void __user *argp)
2074 + if (idx >= d->nvqs)
2075 + return -ENOBUFS;
2076 +
2077 ++ idx = array_index_nospec(idx, d->nvqs);
2078 + vq = d->vqs[idx];
2079 +
2080 + mutex_lock(&vq->mutex);
2081 +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
2082 +index efb57c059997..5190b1749e2a 100644
2083 +--- a/drivers/video/fbdev/pxa168fb.c
2084 ++++ b/drivers/video/fbdev/pxa168fb.c
2085 +@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
2086 + /*
2087 + * enable controller clock
2088 + */
2089 +- clk_enable(fbi->clk);
2090 ++ clk_prepare_enable(fbi->clk);
2091 +
2092 + pxa168fb_set_par(info);
2093 +
2094 +@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
2095 + failed_free_cmap:
2096 + fb_dealloc_cmap(&info->cmap);
2097 + failed_free_clk:
2098 +- clk_disable(fbi->clk);
2099 ++ clk_disable_unprepare(fbi->clk);
2100 + failed_free_fbmem:
2101 + dma_free_coherent(fbi->dev, info->fix.smem_len,
2102 + info->screen_base, fbi->fb_start_dma);
2103 +@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
2104 + dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
2105 + info->screen_base, info->fix.smem_start);
2106 +
2107 +- clk_disable(fbi->clk);
2108 ++ clk_disable_unprepare(fbi->clk);
2109 +
2110 + framebuffer_release(info);
2111 +
2112 +diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
2113 +index 50bce45e7f3d..933619da1a94 100644
2114 +--- a/drivers/video/fbdev/pxa3xx-gcu.c
2115 ++++ b/drivers/video/fbdev/pxa3xx-gcu.c
2116 +@@ -626,8 +626,8 @@ static int pxa3xx_gcu_probe(struct platform_device *pdev)
2117 + /* request the IRQ */
2118 + irq = platform_get_irq(pdev, 0);
2119 + if (irq < 0) {
2120 +- dev_err(dev, "no IRQ defined\n");
2121 +- return -ENODEV;
2122 ++ dev_err(dev, "no IRQ defined: %d\n", irq);
2123 ++ return irq;
2124 + }
2125 +
2126 + ret = devm_request_irq(dev, irq, pxa3xx_gcu_handle_irq,
2127 +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
2128 +index ae6e3a30e61e..8dbb00fbb00b 100644
2129 +--- a/fs/btrfs/disk-io.c
2130 ++++ b/fs/btrfs/disk-io.c
2131 +@@ -1608,8 +1608,8 @@ fail:
2132 + return ret;
2133 + }
2134 +
2135 +-static struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info,
2136 +- u64 root_id)
2137 ++struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info,
2138 ++ u64 root_id)
2139 + {
2140 + struct btrfs_root *root;
2141 +
2142 +diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h
2143 +index adeb31830b9c..3c9819403487 100644
2144 +--- a/fs/btrfs/disk-io.h
2145 ++++ b/fs/btrfs/disk-io.h
2146 +@@ -68,6 +68,8 @@ struct extent_buffer *btrfs_find_tree_block(struct btrfs_fs_info *fs_info,
2147 + struct btrfs_root *btrfs_read_fs_root(struct btrfs_root *tree_root,
2148 + struct btrfs_key *location);
2149 + int btrfs_init_fs_root(struct btrfs_root *root);
2150 ++struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info,
2151 ++ u64 root_id);
2152 + int btrfs_insert_fs_root(struct btrfs_fs_info *fs_info,
2153 + struct btrfs_root *root);
2154 + void btrfs_free_fs_roots(struct btrfs_fs_info *fs_info);
2155 +diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
2156 +index 2c849b08a91b..6a6efb26d52f 100644
2157 +--- a/fs/btrfs/root-tree.c
2158 ++++ b/fs/btrfs/root-tree.c
2159 +@@ -272,6 +272,23 @@ int btrfs_find_orphan_roots(struct btrfs_root *tree_root)
2160 + root_key.objectid = key.offset;
2161 + key.offset++;
2162 +
2163 ++ /*
2164 ++ * The root might have been inserted already, as before we look
2165 ++ * for orphan roots, log replay might have happened, which
2166 ++ * triggers a transaction commit and qgroup accounting, which
2167 ++ * in turn reads and inserts fs roots while doing backref
2168 ++ * walking.
2169 ++ */
2170 ++ root = btrfs_lookup_fs_root(tree_root->fs_info,
2171 ++ root_key.objectid);
2172 ++ if (root) {
2173 ++ WARN_ON(!test_bit(BTRFS_ROOT_ORPHAN_ITEM_INSERTED,
2174 ++ &root->state));
2175 ++ if (btrfs_root_refs(&root->root_item) == 0)
2176 ++ btrfs_add_dead_root(root);
2177 ++ continue;
2178 ++ }
2179 ++
2180 + root = btrfs_read_fs_root(tree_root, &root_key);
2181 + err = PTR_ERR_OR_ZERO(root);
2182 + if (err && err != -ENOENT) {
2183 +@@ -310,16 +327,8 @@ int btrfs_find_orphan_roots(struct btrfs_root *tree_root)
2184 + set_bit(BTRFS_ROOT_ORPHAN_ITEM_INSERTED, &root->state);
2185 +
2186 + err = btrfs_insert_fs_root(root->fs_info, root);
2187 +- /*
2188 +- * The root might have been inserted already, as before we look
2189 +- * for orphan roots, log replay might have happened, which
2190 +- * triggers a transaction commit and qgroup accounting, which
2191 +- * in turn reads and inserts fs roots while doing backref
2192 +- * walking.
2193 +- */
2194 +- if (err == -EEXIST)
2195 +- err = 0;
2196 + if (err) {
2197 ++ BUG_ON(err == -EEXIST);
2198 + btrfs_free_fs_root(root);
2199 + break;
2200 + }
2201 +diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
2202 +index c43b4b08546b..a5f59eed8287 100644
2203 +--- a/fs/cachefiles/namei.c
2204 ++++ b/fs/cachefiles/namei.c
2205 +@@ -317,7 +317,7 @@ try_again:
2206 + trap = lock_rename(cache->graveyard, dir);
2207 +
2208 + /* do some checks before getting the grave dentry */
2209 +- if (rep->d_parent != dir) {
2210 ++ if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
2211 + /* the entry was probably culled when we dropped the parent dir
2212 + * lock */
2213 + unlock_rename(cache->graveyard, dir);
2214 +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
2215 +index 077ad3a06c9a..1eeb4780c3ed 100644
2216 +--- a/fs/cifs/connect.c
2217 ++++ b/fs/cifs/connect.c
2218 +@@ -3674,6 +3674,9 @@ try_mount_again:
2219 + if (IS_ERR(tcon)) {
2220 + rc = PTR_ERR(tcon);
2221 + tcon = NULL;
2222 ++ if (rc == -EACCES)
2223 ++ goto mount_fail_check;
2224 ++
2225 + goto remote_path_check;
2226 + }
2227 +
2228 +diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
2229 +index a70e37c47a78..e3fc477728b3 100644
2230 +--- a/fs/fat/fatent.c
2231 ++++ b/fs/fat/fatent.c
2232 +@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb)
2233 + if (ops->ent_get(&fatent) == FAT_ENT_FREE)
2234 + free++;
2235 + } while (fat_ent_next(sbi, &fatent));
2236 ++ cond_resched();
2237 + }
2238 + sbi->free_clusters = free;
2239 + sbi->free_clus_valid = 1;
2240 +diff --git a/fs/fuse/file.c b/fs/fuse/file.c
2241 +index 8577f3ba6dc6..7014318f6d18 100644
2242 +--- a/fs/fuse/file.c
2243 ++++ b/fs/fuse/file.c
2244 +@@ -625,7 +625,7 @@ static void fuse_aio_complete_req(struct fuse_conn *fc, struct fuse_req *req)
2245 + struct fuse_io_priv *io = req->io;
2246 + ssize_t pos = -1;
2247 +
2248 +- fuse_release_user_pages(req, !io->write);
2249 ++ fuse_release_user_pages(req, io->should_dirty);
2250 +
2251 + if (io->write) {
2252 + if (req->misc.write.in.size != req->misc.write.out.size)
2253 +@@ -1333,7 +1333,6 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
2254 + loff_t *ppos, int flags)
2255 + {
2256 + int write = flags & FUSE_DIO_WRITE;
2257 +- bool should_dirty = !write && iter_is_iovec(iter);
2258 + int cuse = flags & FUSE_DIO_CUSE;
2259 + struct file *file = io->file;
2260 + struct inode *inode = file->f_mapping->host;
2261 +@@ -1362,6 +1361,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
2262 + mutex_unlock(&inode->i_mutex);
2263 + }
2264 +
2265 ++ io->should_dirty = !write && iter_is_iovec(iter);
2266 + while (count) {
2267 + size_t nres;
2268 + fl_owner_t owner = current->files;
2269 +@@ -1378,7 +1378,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
2270 + nres = fuse_send_read(req, io, pos, nbytes, owner);
2271 +
2272 + if (!io->async)
2273 +- fuse_release_user_pages(req, should_dirty);
2274 ++ fuse_release_user_pages(req, io->should_dirty);
2275 + if (req->out.h.error) {
2276 + if (!res)
2277 + res = req->out.h.error;
2278 +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
2279 +index 7aafe9acc6c0..c6eb35a95fcc 100644
2280 +--- a/fs/fuse/fuse_i.h
2281 ++++ b/fs/fuse/fuse_i.h
2282 +@@ -252,6 +252,7 @@ struct fuse_io_priv {
2283 + size_t size;
2284 + __u64 offset;
2285 + bool write;
2286 ++ bool should_dirty;
2287 + int err;
2288 + struct kiocb *iocb;
2289 + struct file *file;
2290 +diff --git a/include/linux/bpf.h b/include/linux/bpf.h
2291 +index 132585a7fbd8..bae3da5bcda0 100644
2292 +--- a/include/linux/bpf.h
2293 ++++ b/include/linux/bpf.h
2294 +@@ -177,7 +177,6 @@ void bpf_register_map_type(struct bpf_map_type_list *tl);
2295 + struct bpf_prog *bpf_prog_get(u32 ufd);
2296 + struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
2297 + void bpf_prog_put(struct bpf_prog *prog);
2298 +-void bpf_prog_put_rcu(struct bpf_prog *prog);
2299 +
2300 + struct bpf_map *bpf_map_get_with_uref(u32 ufd);
2301 + struct bpf_map *__bpf_map_get(struct fd f);
2302 +@@ -208,10 +207,6 @@ static inline struct bpf_prog *bpf_prog_get(u32 ufd)
2303 + static inline void bpf_prog_put(struct bpf_prog *prog)
2304 + {
2305 + }
2306 +-
2307 +-static inline void bpf_prog_put_rcu(struct bpf_prog *prog)
2308 +-{
2309 +-}
2310 + #endif /* CONFIG_BPF_SYSCALL */
2311 +
2312 + /* verifier prototypes for helper functions called from eBPF programs */
2313 +diff --git a/include/linux/cpuidle.h b/include/linux/cpuidle.h
2314 +index 786ad32631a6..07b83d32f66c 100644
2315 +--- a/include/linux/cpuidle.h
2316 ++++ b/include/linux/cpuidle.h
2317 +@@ -152,6 +152,8 @@ extern void cpuidle_disable_device(struct cpuidle_device *dev);
2318 + extern int cpuidle_play_dead(void);
2319 +
2320 + extern struct cpuidle_driver *cpuidle_get_cpu_driver(struct cpuidle_device *dev);
2321 ++static inline struct cpuidle_device *cpuidle_get_device(void)
2322 ++{return __this_cpu_read(cpuidle_devices); }
2323 + #else
2324 + static inline void disable_cpuidle(void) { }
2325 + static inline bool cpuidle_not_available(struct cpuidle_driver *drv,
2326 +@@ -187,6 +189,7 @@ static inline void cpuidle_disable_device(struct cpuidle_device *dev) { }
2327 + static inline int cpuidle_play_dead(void) {return -ENODEV; }
2328 + static inline struct cpuidle_driver *cpuidle_get_cpu_driver(
2329 + struct cpuidle_device *dev) {return NULL; }
2330 ++static inline struct cpuidle_device *cpuidle_get_device(void) {return NULL; }
2331 + #endif
2332 +
2333 + #if defined(CONFIG_CPU_IDLE) && defined(CONFIG_SUSPEND)
2334 +diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
2335 +index 5d5174b59802..673dee29a9b9 100644
2336 +--- a/include/linux/radix-tree.h
2337 ++++ b/include/linux/radix-tree.h
2338 +@@ -382,6 +382,7 @@ static inline __must_check
2339 + void **radix_tree_iter_retry(struct radix_tree_iter *iter)
2340 + {
2341 + iter->next_index = iter->index;
2342 ++ iter->tags = 0;
2343 + return NULL;
2344 + }
2345 +
2346 +diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
2347 +index 0dc0a51da38f..dce2d586d9ce 100644
2348 +--- a/include/net/inet_ecn.h
2349 ++++ b/include/net/inet_ecn.h
2350 +@@ -128,7 +128,8 @@ static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph)
2351 + to = from | htonl(INET_ECN_CE << 20);
2352 + *(__be32 *)iph = to;
2353 + if (skb->ip_summed == CHECKSUM_COMPLETE)
2354 +- skb->csum = csum_add(csum_sub(skb->csum, from), to);
2355 ++ skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from),
2356 ++ (__force __wsum)to);
2357 + return 1;
2358 + }
2359 +
2360 +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
2361 +index 293b9a7f53bc..fb53a94a5e8b 100644
2362 +--- a/include/scsi/scsi_device.h
2363 ++++ b/include/scsi/scsi_device.h
2364 +@@ -240,6 +240,7 @@ enum scsi_target_state {
2365 + STARGET_CREATED = 1,
2366 + STARGET_RUNNING,
2367 + STARGET_REMOVE,
2368 ++ STARGET_CREATED_REMOVE,
2369 + STARGET_DEL,
2370 + };
2371 +
2372 +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
2373 +index 0eb11b4ac4c7..daa4e0782cf7 100644
2374 +--- a/kernel/bpf/arraymap.c
2375 ++++ b/kernel/bpf/arraymap.c
2376 +@@ -270,9 +270,7 @@ static void *prog_fd_array_get_ptr(struct bpf_map *map, int fd)
2377 +
2378 + static void prog_fd_array_put_ptr(void *ptr)
2379 + {
2380 +- struct bpf_prog *prog = ptr;
2381 +-
2382 +- bpf_prog_put_rcu(prog);
2383 ++ bpf_prog_put(ptr);
2384 + }
2385 +
2386 + /* decrement refcnt of all bpf_progs that are stored in this map */
2387 +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
2388 +index 4b9bbfe764e8..04fc1022ad9f 100644
2389 +--- a/kernel/bpf/syscall.c
2390 ++++ b/kernel/bpf/syscall.c
2391 +@@ -487,7 +487,7 @@ static void bpf_prog_uncharge_memlock(struct bpf_prog *prog)
2392 + free_uid(user);
2393 + }
2394 +
2395 +-static void __prog_put_common(struct rcu_head *rcu)
2396 ++static void __bpf_prog_put_rcu(struct rcu_head *rcu)
2397 + {
2398 + struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
2399 +
2400 +@@ -496,17 +496,10 @@ static void __prog_put_common(struct rcu_head *rcu)
2401 + bpf_prog_free(aux->prog);
2402 + }
2403 +
2404 +-/* version of bpf_prog_put() that is called after a grace period */
2405 +-void bpf_prog_put_rcu(struct bpf_prog *prog)
2406 +-{
2407 +- if (atomic_dec_and_test(&prog->aux->refcnt))
2408 +- call_rcu(&prog->aux->rcu, __prog_put_common);
2409 +-}
2410 +-
2411 + void bpf_prog_put(struct bpf_prog *prog)
2412 + {
2413 + if (atomic_dec_and_test(&prog->aux->refcnt))
2414 +- __prog_put_common(&prog->aux->rcu);
2415 ++ call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
2416 + }
2417 + EXPORT_SYMBOL_GPL(bpf_prog_put);
2418 +
2419 +@@ -514,7 +507,7 @@ static int bpf_prog_release(struct inode *inode, struct file *filp)
2420 + {
2421 + struct bpf_prog *prog = filp->private_data;
2422 +
2423 +- bpf_prog_put_rcu(prog);
2424 ++ bpf_prog_put(prog);
2425 + return 0;
2426 + }
2427 +
2428 +diff --git a/kernel/events/core.c b/kernel/events/core.c
2429 +index 990ac41d8a5f..e53dfb5b826e 100644
2430 +--- a/kernel/events/core.c
2431 ++++ b/kernel/events/core.c
2432 +@@ -7018,6 +7018,8 @@ void perf_tp_event(u64 addr, u64 count, void *record, int entry_size,
2433 + goto unlock;
2434 +
2435 + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
2436 ++ if (event->cpu != smp_processor_id())
2437 ++ continue;
2438 + if (event->attr.type != PERF_TYPE_TRACEPOINT)
2439 + continue;
2440 + if (event->attr.config != entry->type)
2441 +@@ -7139,7 +7141,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event)
2442 + prog = event->tp_event->prog;
2443 + if (prog && event->tp_event->bpf_prog_owner == event) {
2444 + event->tp_event->prog = NULL;
2445 +- bpf_prog_put_rcu(prog);
2446 ++ bpf_prog_put(prog);
2447 + }
2448 + }
2449 +
2450 +@@ -8530,6 +8532,7 @@ SYSCALL_DEFINE5(perf_event_open,
2451 + f_flags);
2452 + if (IS_ERR(event_file)) {
2453 + err = PTR_ERR(event_file);
2454 ++ event_file = NULL;
2455 + goto err_context;
2456 + }
2457 +
2458 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
2459 +index 65ed3501c2ca..4743e1f2a3d1 100644
2460 +--- a/kernel/sched/core.c
2461 ++++ b/kernel/sched/core.c
2462 +@@ -7817,11 +7817,9 @@ void sched_destroy_group(struct task_group *tg)
2463 + void sched_offline_group(struct task_group *tg)
2464 + {
2465 + unsigned long flags;
2466 +- int i;
2467 +
2468 + /* end participation in shares distribution */
2469 +- for_each_possible_cpu(i)
2470 +- unregister_fair_sched_group(tg, i);
2471 ++ unregister_fair_sched_group(tg);
2472 +
2473 + spin_lock_irqsave(&task_group_lock, flags);
2474 + list_del_rcu(&tg->list);
2475 +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
2476 +index 3b136fb4422c..c2af250547bb 100644
2477 +--- a/kernel/sched/fair.c
2478 ++++ b/kernel/sched/fair.c
2479 +@@ -3624,9 +3624,13 @@ static void throttle_cfs_rq(struct cfs_rq *cfs_rq)
2480 +
2481 + /*
2482 + * Add to the _head_ of the list, so that an already-started
2483 +- * distribute_cfs_runtime will not see us
2484 ++ * distribute_cfs_runtime will not see us. If disribute_cfs_runtime is
2485 ++ * not running add to the tail so that later runqueues don't get starved.
2486 + */
2487 +- list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
2488 ++ if (cfs_b->distribute_running)
2489 ++ list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
2490 ++ else
2491 ++ list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
2492 +
2493 + /*
2494 + * If we're the first throttled task, make sure the bandwidth
2495 +@@ -3769,14 +3773,16 @@ static int do_sched_cfs_period_timer(struct cfs_bandwidth *cfs_b, int overrun)
2496 + * in us over-using our runtime if it is all used during this loop, but
2497 + * only by limited amounts in that extreme case.
2498 + */
2499 +- while (throttled && cfs_b->runtime > 0) {
2500 ++ while (throttled && cfs_b->runtime > 0 && !cfs_b->distribute_running) {
2501 + runtime = cfs_b->runtime;
2502 ++ cfs_b->distribute_running = 1;
2503 + raw_spin_unlock(&cfs_b->lock);
2504 + /* we can't nest cfs_b->lock while distributing bandwidth */
2505 + runtime = distribute_cfs_runtime(cfs_b, runtime,
2506 + runtime_expires);
2507 + raw_spin_lock(&cfs_b->lock);
2508 +
2509 ++ cfs_b->distribute_running = 0;
2510 + throttled = !list_empty(&cfs_b->throttled_cfs_rq);
2511 +
2512 + cfs_b->runtime -= min(runtime, cfs_b->runtime);
2513 +@@ -3887,6 +3893,11 @@ static void do_sched_cfs_slack_timer(struct cfs_bandwidth *cfs_b)
2514 +
2515 + /* confirm we're still not at a refresh boundary */
2516 + raw_spin_lock(&cfs_b->lock);
2517 ++ if (cfs_b->distribute_running) {
2518 ++ raw_spin_unlock(&cfs_b->lock);
2519 ++ return;
2520 ++ }
2521 ++
2522 + if (runtime_refresh_within(cfs_b, min_bandwidth_expiration)) {
2523 + raw_spin_unlock(&cfs_b->lock);
2524 + return;
2525 +@@ -3896,6 +3907,9 @@ static void do_sched_cfs_slack_timer(struct cfs_bandwidth *cfs_b)
2526 + runtime = cfs_b->runtime;
2527 +
2528 + expires = cfs_b->runtime_expires;
2529 ++ if (runtime)
2530 ++ cfs_b->distribute_running = 1;
2531 ++
2532 + raw_spin_unlock(&cfs_b->lock);
2533 +
2534 + if (!runtime)
2535 +@@ -3906,6 +3920,7 @@ static void do_sched_cfs_slack_timer(struct cfs_bandwidth *cfs_b)
2536 + raw_spin_lock(&cfs_b->lock);
2537 + if (expires == cfs_b->runtime_expires)
2538 + cfs_b->runtime -= min(runtime, cfs_b->runtime);
2539 ++ cfs_b->distribute_running = 0;
2540 + raw_spin_unlock(&cfs_b->lock);
2541 + }
2542 +
2543 +@@ -4017,6 +4032,7 @@ void init_cfs_bandwidth(struct cfs_bandwidth *cfs_b)
2544 + cfs_b->period_timer.function = sched_cfs_period_timer;
2545 + hrtimer_init(&cfs_b->slack_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
2546 + cfs_b->slack_timer.function = sched_cfs_slack_timer;
2547 ++ cfs_b->distribute_running = 0;
2548 + }
2549 +
2550 + static void init_cfs_rq_runtime(struct cfs_rq *cfs_rq)
2551 +@@ -8154,11 +8170,8 @@ void free_fair_sched_group(struct task_group *tg)
2552 + for_each_possible_cpu(i) {
2553 + if (tg->cfs_rq)
2554 + kfree(tg->cfs_rq[i]);
2555 +- if (tg->se) {
2556 +- if (tg->se[i])
2557 +- remove_entity_load_avg(tg->se[i]);
2558 ++ if (tg->se)
2559 + kfree(tg->se[i]);
2560 +- }
2561 + }
2562 +
2563 + kfree(tg->cfs_rq);
2564 +@@ -8206,21 +8219,29 @@ err:
2565 + return 0;
2566 + }
2567 +
2568 +-void unregister_fair_sched_group(struct task_group *tg, int cpu)
2569 ++void unregister_fair_sched_group(struct task_group *tg)
2570 + {
2571 +- struct rq *rq = cpu_rq(cpu);
2572 + unsigned long flags;
2573 ++ struct rq *rq;
2574 ++ int cpu;
2575 +
2576 +- /*
2577 +- * Only empty task groups can be destroyed; so we can speculatively
2578 +- * check on_list without danger of it being re-added.
2579 +- */
2580 +- if (!tg->cfs_rq[cpu]->on_list)
2581 +- return;
2582 ++ for_each_possible_cpu(cpu) {
2583 ++ if (tg->se[cpu])
2584 ++ remove_entity_load_avg(tg->se[cpu]);
2585 +
2586 +- raw_spin_lock_irqsave(&rq->lock, flags);
2587 +- list_del_leaf_cfs_rq(tg->cfs_rq[cpu]);
2588 +- raw_spin_unlock_irqrestore(&rq->lock, flags);
2589 ++ /*
2590 ++ * Only empty task groups can be destroyed; so we can speculatively
2591 ++ * check on_list without danger of it being re-added.
2592 ++ */
2593 ++ if (!tg->cfs_rq[cpu]->on_list)
2594 ++ continue;
2595 ++
2596 ++ rq = cpu_rq(cpu);
2597 ++
2598 ++ raw_spin_lock_irqsave(&rq->lock, flags);
2599 ++ list_del_leaf_cfs_rq(tg->cfs_rq[cpu]);
2600 ++ raw_spin_unlock_irqrestore(&rq->lock, flags);
2601 ++ }
2602 + }
2603 +
2604 + void init_tg_cfs_entry(struct task_group *tg, struct cfs_rq *cfs_rq,
2605 +@@ -8302,7 +8323,7 @@ int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent)
2606 + return 1;
2607 + }
2608 +
2609 +-void unregister_fair_sched_group(struct task_group *tg, int cpu) { }
2610 ++void unregister_fair_sched_group(struct task_group *tg) { }
2611 +
2612 + #endif /* CONFIG_FAIR_GROUP_SCHED */
2613 +
2614 +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
2615 +index 4a2ef5a02fd3..bfd573122e0d 100644
2616 +--- a/kernel/sched/idle.c
2617 ++++ b/kernel/sched/idle.c
2618 +@@ -132,7 +132,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
2619 + */
2620 + static void cpuidle_idle_call(void)
2621 + {
2622 +- struct cpuidle_device *dev = __this_cpu_read(cpuidle_devices);
2623 ++ struct cpuidle_device *dev = cpuidle_get_device();
2624 + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
2625 + int next_state, entered_state;
2626 +
2627 +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
2628 +index 0c9ebd82a684..6893ee31df4d 100644
2629 +--- a/kernel/sched/sched.h
2630 ++++ b/kernel/sched/sched.h
2631 +@@ -233,6 +233,8 @@ struct cfs_bandwidth {
2632 + /* statistics */
2633 + int nr_periods, nr_throttled;
2634 + u64 throttled_time;
2635 ++
2636 ++ bool distribute_running;
2637 + #endif
2638 + };
2639 +
2640 +@@ -308,7 +310,7 @@ extern int tg_nop(struct task_group *tg, void *data);
2641 +
2642 + extern void free_fair_sched_group(struct task_group *tg);
2643 + extern int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent);
2644 +-extern void unregister_fair_sched_group(struct task_group *tg, int cpu);
2645 ++extern void unregister_fair_sched_group(struct task_group *tg);
2646 + extern void init_tg_cfs_entry(struct task_group *tg, struct cfs_rq *cfs_rq,
2647 + struct sched_entity *se, int cpu,
2648 + struct sched_entity *parent);
2649 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
2650 +index e409ddce8754..1a47a64d623f 100644
2651 +--- a/kernel/trace/trace.c
2652 ++++ b/kernel/trace/trace.c
2653 +@@ -1757,7 +1757,17 @@ void trace_buffer_unlock_commit_regs(struct trace_array *tr,
2654 + {
2655 + __buffer_unlock_commit(buffer, event);
2656 +
2657 +- ftrace_trace_stack(tr, buffer, flags, 0, pc, regs);
2658 ++ /*
2659 ++ * If regs is not set, then skip the following callers:
2660 ++ * trace_buffer_unlock_commit_regs
2661 ++ * event_trigger_unlock_commit
2662 ++ * trace_event_buffer_commit
2663 ++ * trace_event_raw_event_sched_switch
2664 ++ * Note, we can still get here via blktrace, wakeup tracer
2665 ++ * and mmiotrace, but that's ok if they lose a function or
2666 ++ * two. They are that meaningful.
2667 ++ */
2668 ++ ftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);
2669 + ftrace_trace_userstack(buffer, flags, pc);
2670 + }
2671 + EXPORT_SYMBOL_GPL(trace_buffer_unlock_commit_regs);
2672 +@@ -1815,6 +1825,13 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer,
2673 + trace.nr_entries = 0;
2674 + trace.skip = skip;
2675 +
2676 ++ /*
2677 ++ * Add two, for this function and the call to save_stack_trace()
2678 ++ * If regs is set, then these functions will not be in the way.
2679 ++ */
2680 ++ if (!regs)
2681 ++ trace.skip += 2;
2682 ++
2683 + /*
2684 + * Since events can happen in NMIs there's no safe way to
2685 + * use the per cpu ftrace_stacks. We reserve it and if an interrupt
2686 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
2687 +index c4ea57ee2fd1..465786cd6490 100644
2688 +--- a/mm/huge_memory.c
2689 ++++ b/mm/huge_memory.c
2690 +@@ -1511,7 +1511,7 @@ int move_huge_pmd(struct vm_area_struct *vma, struct vm_area_struct *new_vma,
2691 + spinlock_t *old_ptl, *new_ptl;
2692 + int ret = 0;
2693 + pmd_t pmd;
2694 +-
2695 ++ bool force_flush = false;
2696 + struct mm_struct *mm = vma->vm_mm;
2697 +
2698 + if ((old_addr & ~HPAGE_PMD_MASK) ||
2699 +@@ -1539,6 +1539,8 @@ int move_huge_pmd(struct vm_area_struct *vma, struct vm_area_struct *new_vma,
2700 + if (new_ptl != old_ptl)
2701 + spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);
2702 + pmd = pmdp_huge_get_and_clear(mm, old_addr, old_pmd);
2703 ++ if (pmd_present(pmd))
2704 ++ force_flush = true;
2705 + VM_BUG_ON(!pmd_none(*new_pmd));
2706 +
2707 + if (pmd_move_must_withdraw(new_ptl, old_ptl)) {
2708 +@@ -1547,6 +1549,8 @@ int move_huge_pmd(struct vm_area_struct *vma, struct vm_area_struct *new_vma,
2709 + pgtable_trans_huge_deposit(mm, new_pmd, pgtable);
2710 + }
2711 + set_pmd_at(mm, new_addr, new_pmd, pmd_mksoft_dirty(pmd));
2712 ++ if (force_flush)
2713 ++ flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);
2714 + if (new_ptl != old_ptl)
2715 + spin_unlock(new_ptl);
2716 + spin_unlock(old_ptl);
2717 +diff --git a/mm/mremap.c b/mm/mremap.c
2718 +index fe7b7f65f4f4..450b306d473e 100644
2719 +--- a/mm/mremap.c
2720 ++++ b/mm/mremap.c
2721 +@@ -96,6 +96,8 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
2722 + struct mm_struct *mm = vma->vm_mm;
2723 + pte_t *old_pte, *new_pte, pte;
2724 + spinlock_t *old_ptl, *new_ptl;
2725 ++ bool force_flush = false;
2726 ++ unsigned long len = old_end - old_addr;
2727 +
2728 + /*
2729 + * When need_rmap_locks is true, we take the i_mmap_rwsem and anon_vma
2730 +@@ -143,12 +145,26 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
2731 + if (pte_none(*old_pte))
2732 + continue;
2733 + pte = ptep_get_and_clear(mm, old_addr, old_pte);
2734 ++ /*
2735 ++ * If we are remapping a valid PTE, make sure
2736 ++ * to flush TLB before we drop the PTL for the PTE.
2737 ++ *
2738 ++ * NOTE! Both old and new PTL matter: the old one
2739 ++ * for racing with page_mkclean(), the new one to
2740 ++ * make sure the physical page stays valid until
2741 ++ * the TLB entry for the old mapping has been
2742 ++ * flushed.
2743 ++ */
2744 ++ if (pte_present(pte))
2745 ++ force_flush = true;
2746 + pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
2747 + pte = move_soft_dirty_pte(pte);
2748 + set_pte_at(mm, new_addr, new_pte, pte);
2749 + }
2750 +
2751 + arch_leave_lazy_mmu_mode();
2752 ++ if (force_flush)
2753 ++ flush_tlb_range(vma, old_end - len, old_end);
2754 + if (new_ptl != old_ptl)
2755 + spin_unlock(new_ptl);
2756 + pte_unmap(new_pte - 1);
2757 +@@ -168,7 +184,6 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
2758 + {
2759 + unsigned long extent, next, old_end;
2760 + pmd_t *old_pmd, *new_pmd;
2761 +- bool need_flush = false;
2762 + unsigned long mmun_start; /* For mmu_notifiers */
2763 + unsigned long mmun_end; /* For mmu_notifiers */
2764 +
2765 +@@ -207,7 +222,6 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
2766 + anon_vma_unlock_write(vma->anon_vma);
2767 + }
2768 + if (err > 0) {
2769 +- need_flush = true;
2770 + continue;
2771 + } else if (!err) {
2772 + split_huge_page_pmd(vma, old_addr, old_pmd);
2773 +@@ -224,10 +238,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
2774 + extent = LATENCY_LIMIT;
2775 + move_ptes(vma, old_pmd, old_addr, old_addr + extent,
2776 + new_vma, new_pmd, new_addr, need_rmap_locks);
2777 +- need_flush = true;
2778 + }
2779 +- if (likely(need_flush))
2780 +- flush_tlb_range(vma, old_end-len, old_addr);
2781 +
2782 + mmu_notifier_invalidate_range_end(vma->vm_mm, mmun_start, mmun_end);
2783 +
2784 +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
2785 +index b1b0a1c0bd8d..ecc3da6a14a1 100644
2786 +--- a/net/bluetooth/mgmt.c
2787 ++++ b/net/bluetooth/mgmt.c
2788 +@@ -3083,9 +3083,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2789 + /* LE address type */
2790 + addr_type = le_addr_type(cp->addr.type);
2791 +
2792 +- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2793 +-
2794 +- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2795 ++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2796 ++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2797 + if (err < 0) {
2798 + err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2799 + MGMT_STATUS_NOT_PAIRED, &rp,
2800 +@@ -3099,8 +3098,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2801 + goto done;
2802 + }
2803 +
2804 +- /* Abort any ongoing SMP pairing */
2805 +- smp_cancel_pairing(conn);
2806 +
2807 + /* Defer clearing up the connection parameters until closing to
2808 + * give a chance of keeping them if a repairing happens.
2809 +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
2810 +index 0dc27d2e8f18..bedfaef2c59e 100644
2811 +--- a/net/bluetooth/smp.c
2812 ++++ b/net/bluetooth/smp.c
2813 +@@ -2371,30 +2371,51 @@ unlock:
2814 + return ret;
2815 + }
2816 +
2817 +-void smp_cancel_pairing(struct hci_conn *hcon)
2818 ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2819 ++ u8 addr_type)
2820 + {
2821 +- struct l2cap_conn *conn = hcon->l2cap_data;
2822 ++ struct hci_conn *hcon;
2823 ++ struct l2cap_conn *conn;
2824 + struct l2cap_chan *chan;
2825 + struct smp_chan *smp;
2826 ++ int err;
2827 ++
2828 ++ err = hci_remove_ltk(hdev, bdaddr, addr_type);
2829 ++ hci_remove_irk(hdev, bdaddr, addr_type);
2830 ++
2831 ++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2832 ++ if (!hcon)
2833 ++ goto done;
2834 +
2835 ++ conn = hcon->l2cap_data;
2836 + if (!conn)
2837 +- return;
2838 ++ goto done;
2839 +
2840 + chan = conn->smp;
2841 + if (!chan)
2842 +- return;
2843 ++ goto done;
2844 +
2845 + l2cap_chan_lock(chan);
2846 +
2847 + smp = chan->data;
2848 + if (smp) {
2849 ++ /* Set keys to NULL to make sure smp_failure() does not try to
2850 ++ * remove and free already invalidated rcu list entries. */
2851 ++ smp->ltk = NULL;
2852 ++ smp->slave_ltk = NULL;
2853 ++ smp->remote_irk = NULL;
2854 ++
2855 + if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2856 + smp_failure(conn, 0);
2857 + else
2858 + smp_failure(conn, SMP_UNSPECIFIED);
2859 ++ err = 0;
2860 + }
2861 +
2862 + l2cap_chan_unlock(chan);
2863 ++
2864 ++done:
2865 ++ return err;
2866 + }
2867 +
2868 + static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2869 +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
2870 +index ffcc70b6b199..993cbd7bcfe7 100644
2871 +--- a/net/bluetooth/smp.h
2872 ++++ b/net/bluetooth/smp.h
2873 +@@ -180,7 +180,8 @@ enum smp_key_pref {
2874 + };
2875 +
2876 + /* SMP Commands */
2877 +-void smp_cancel_pairing(struct hci_conn *hcon);
2878 ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2879 ++ u8 addr_type);
2880 + bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2881 + enum smp_key_pref key_pref);
2882 + int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
2883 +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
2884 +index d80c15d028fe..270d9c9a5331 100644
2885 +--- a/net/bridge/br_multicast.c
2886 ++++ b/net/bridge/br_multicast.c
2887 +@@ -1261,7 +1261,14 @@ static void br_multicast_query_received(struct net_bridge *br,
2888 + return;
2889 +
2890 + br_multicast_update_query_timer(br, query, max_delay);
2891 +- br_multicast_mark_router(br, port);
2892 ++
2893 ++ /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
2894 ++ * the arrival port for IGMP Queries where the source address
2895 ++ * is 0.0.0.0 should not be added to router port list.
2896 ++ */
2897 ++ if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
2898 ++ saddr->proto == htons(ETH_P_IPV6))
2899 ++ br_multicast_mark_router(br, port);
2900 + }
2901 +
2902 + static int br_ip4_multicast_query(struct net_bridge *br,
2903 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
2904 +index f1df04c7d395..d2a46ffe6382 100644
2905 +--- a/net/core/rtnetlink.c
2906 ++++ b/net/core/rtnetlink.c
2907 +@@ -2734,6 +2734,11 @@ static int rtnl_fdb_add(struct sk_buff *skb, struct nlmsghdr *nlh)
2908 + return -EINVAL;
2909 + }
2910 +
2911 ++ if (dev->type != ARPHRD_ETHER) {
2912 ++ pr_info("PF_BRIDGE: FDB add only supported for Ethernet devices");
2913 ++ return -EINVAL;
2914 ++ }
2915 ++
2916 + addr = nla_data(tb[NDA_LLADDR]);
2917 +
2918 + err = fdb_vid_parse(tb[NDA_VLAN], &vid);
2919 +@@ -2836,6 +2841,11 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh)
2920 + return -EINVAL;
2921 + }
2922 +
2923 ++ if (dev->type != ARPHRD_ETHER) {
2924 ++ pr_info("PF_BRIDGE: FDB delete only supported for Ethernet devices");
2925 ++ return -EINVAL;
2926 ++ }
2927 ++
2928 + addr = nla_data(tb[NDA_LLADDR]);
2929 +
2930 + err = fdb_vid_parse(tb[NDA_VLAN], &vid);
2931 +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
2932 +index 08d8ee124538..d83888bc33d3 100644
2933 +--- a/net/ipv4/fou.c
2934 ++++ b/net/ipv4/fou.c
2935 +@@ -195,6 +195,14 @@ static struct sk_buff **fou_gro_receive(struct sk_buff **head,
2936 + u8 proto = NAPI_GRO_CB(skb)->proto;
2937 + const struct net_offload **offloads;
2938 +
2939 ++ /* We can clear the encap_mark for FOU as we are essentially doing
2940 ++ * one of two possible things. We are either adding an L4 tunnel
2941 ++ * header to the outer L3 tunnel header, or we are are simply
2942 ++ * treating the GRE tunnel header as though it is a UDP protocol
2943 ++ * specific header such as VXLAN or GENEVE.
2944 ++ */
2945 ++ NAPI_GRO_CB(skb)->encap_mark = 0;
2946 ++
2947 + rcu_read_lock();
2948 + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
2949 + ops = rcu_dereference(offloads[proto]);
2950 +@@ -354,6 +362,14 @@ static struct sk_buff **gue_gro_receive(struct sk_buff **head,
2951 + }
2952 + }
2953 +
2954 ++ /* We can clear the encap_mark for GUE as we are essentially doing
2955 ++ * one of two possible things. We are either adding an L4 tunnel
2956 ++ * header to the outer L3 tunnel header, or we are are simply
2957 ++ * treating the GRE tunnel header as though it is a UDP protocol
2958 ++ * specific header such as VXLAN or GENEVE.
2959 ++ */
2960 ++ NAPI_GRO_CB(skb)->encap_mark = 0;
2961 ++
2962 + rcu_read_lock();
2963 + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
2964 + ops = rcu_dereference(offloads[guehdr->proto_ctype]);
2965 +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
2966 +index 7057a1b09b5e..72915658a6b1 100644
2967 +--- a/net/ipv4/ip_fragment.c
2968 ++++ b/net/ipv4/ip_fragment.c
2969 +@@ -716,10 +716,14 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user)
2970 + if (ip_is_fragment(&iph)) {
2971 + skb = skb_share_check(skb, GFP_ATOMIC);
2972 + if (skb) {
2973 +- if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
2974 +- return skb;
2975 +- if (pskb_trim_rcsum(skb, netoff + len))
2976 +- return skb;
2977 ++ if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) {
2978 ++ kfree_skb(skb);
2979 ++ return NULL;
2980 ++ }
2981 ++ if (pskb_trim_rcsum(skb, netoff + len)) {
2982 ++ kfree_skb(skb);
2983 ++ return NULL;
2984 ++ }
2985 + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
2986 + if (ip_defrag(net, skb, user))
2987 + return NULL;
2988 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
2989 +index 582e757e5727..4dde1e0e7d37 100644
2990 +--- a/net/ipv6/addrconf.c
2991 ++++ b/net/ipv6/addrconf.c
2992 +@@ -4439,8 +4439,8 @@ static int in6_dump_addrs(struct inet6_dev *idev, struct sk_buff *skb,
2993 +
2994 + /* unicast address incl. temp addr */
2995 + list_for_each_entry(ifa, &idev->addr_list, if_list) {
2996 +- if (++ip_idx < s_ip_idx)
2997 +- continue;
2998 ++ if (ip_idx < s_ip_idx)
2999 ++ goto next;
3000 + err = inet6_fill_ifaddr(skb, ifa,
3001 + NETLINK_CB(cb->skb).portid,
3002 + cb->nlh->nlmsg_seq,
3003 +@@ -4449,6 +4449,8 @@ static int in6_dump_addrs(struct inet6_dev *idev, struct sk_buff *skb,
3004 + if (err < 0)
3005 + break;
3006 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3007 ++next:
3008 ++ ip_idx++;
3009 + }
3010 + break;
3011 + }
3012 +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
3013 +index 60d4052d97a6..51da5987952c 100644
3014 +--- a/net/ipv6/ip6_vti.c
3015 ++++ b/net/ipv6/ip6_vti.c
3016 +@@ -1140,6 +1140,33 @@ static struct xfrm6_protocol vti_ipcomp6_protocol __read_mostly = {
3017 + .priority = 100,
3018 + };
3019 +
3020 ++static bool is_vti6_tunnel(const struct net_device *dev)
3021 ++{
3022 ++ return dev->netdev_ops == &vti6_netdev_ops;
3023 ++}
3024 ++
3025 ++static int vti6_device_event(struct notifier_block *unused,
3026 ++ unsigned long event, void *ptr)
3027 ++{
3028 ++ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
3029 ++ struct ip6_tnl *t = netdev_priv(dev);
3030 ++
3031 ++ if (!is_vti6_tunnel(dev))
3032 ++ return NOTIFY_DONE;
3033 ++
3034 ++ switch (event) {
3035 ++ case NETDEV_DOWN:
3036 ++ if (!net_eq(t->net, dev_net(dev)))
3037 ++ xfrm_garbage_collect(t->net);
3038 ++ break;
3039 ++ }
3040 ++ return NOTIFY_DONE;
3041 ++}
3042 ++
3043 ++static struct notifier_block vti6_notifier_block __read_mostly = {
3044 ++ .notifier_call = vti6_device_event,
3045 ++};
3046 ++
3047 + /**
3048 + * vti6_tunnel_init - register protocol and reserve needed resources
3049 + *
3050 +@@ -1150,6 +1177,8 @@ static int __init vti6_tunnel_init(void)
3051 + const char *msg;
3052 + int err;
3053 +
3054 ++ register_netdevice_notifier(&vti6_notifier_block);
3055 ++
3056 + msg = "tunnel device";
3057 + err = register_pernet_device(&vti6_net_ops);
3058 + if (err < 0)
3059 +@@ -1182,6 +1211,7 @@ xfrm_proto_ah_failed:
3060 + xfrm_proto_esp_failed:
3061 + unregister_pernet_device(&vti6_net_ops);
3062 + pernet_dev_failed:
3063 ++ unregister_netdevice_notifier(&vti6_notifier_block);
3064 + pr_err("vti6 init: failed to register %s\n", msg);
3065 + return err;
3066 + }
3067 +@@ -1196,6 +1226,7 @@ static void __exit vti6_tunnel_cleanup(void)
3068 + xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH);
3069 + xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
3070 + unregister_pernet_device(&vti6_net_ops);
3071 ++ unregister_netdevice_notifier(&vti6_notifier_block);
3072 + }
3073 +
3074 + module_init(vti6_tunnel_init);
3075 +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
3076 +index 091cee551cd9..a5ec9a0cbb80 100644
3077 +--- a/net/ipv6/mcast.c
3078 ++++ b/net/ipv6/mcast.c
3079 +@@ -2390,17 +2390,17 @@ static int ip6_mc_leave_src(struct sock *sk, struct ipv6_mc_socklist *iml,
3080 + {
3081 + int err;
3082 +
3083 +- /* callers have the socket lock and rtnl lock
3084 +- * so no other readers or writers of iml or its sflist
3085 +- */
3086 ++ write_lock_bh(&iml->sflock);
3087 + if (!iml->sflist) {
3088 + /* any-source empty exclude case */
3089 +- return ip6_mc_del_src(idev, &iml->addr, iml->sfmode, 0, NULL, 0);
3090 ++ err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode, 0, NULL, 0);
3091 ++ } else {
3092 ++ err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
3093 ++ iml->sflist->sl_count, iml->sflist->sl_addr, 0);
3094 ++ sock_kfree_s(sk, iml->sflist, IP6_SFLSIZE(iml->sflist->sl_max));
3095 ++ iml->sflist = NULL;
3096 + }
3097 +- err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
3098 +- iml->sflist->sl_count, iml->sflist->sl_addr, 0);
3099 +- sock_kfree_s(sk, iml->sflist, IP6_SFLSIZE(iml->sflist->sl_max));
3100 +- iml->sflist = NULL;
3101 ++ write_unlock_bh(&iml->sflock);
3102 + return err;
3103 + }
3104 +
3105 +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
3106 +index 3db8d7d1a986..0bf375177a9a 100644
3107 +--- a/net/ipv6/ndisc.c
3108 ++++ b/net/ipv6/ndisc.c
3109 +@@ -1649,10 +1649,9 @@ int ndisc_rcv(struct sk_buff *skb)
3110 + return 0;
3111 + }
3112 +
3113 +- memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
3114 +-
3115 + switch (msg->icmph.icmp6_type) {
3116 + case NDISC_NEIGHBOUR_SOLICITATION:
3117 ++ memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
3118 + ndisc_recv_ns(skb);
3119 + break;
3120 +
3121 +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
3122 +index 838b65a59a73..5a9ae56e7868 100644
3123 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
3124 ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
3125 +@@ -601,6 +601,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use
3126 + hdr = ipv6_hdr(clone);
3127 + fhdr = (struct frag_hdr *)skb_transport_header(clone);
3128 +
3129 ++ skb_orphan(skb);
3130 + fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
3131 + skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
3132 + if (fq == NULL) {
3133 +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
3134 +index 4d09ce6fa90e..64862c5084ee 100644
3135 +--- a/net/ipv6/xfrm6_output.c
3136 ++++ b/net/ipv6/xfrm6_output.c
3137 +@@ -165,9 +165,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
3138 +
3139 + if (toobig && xfrm6_local_dontfrag(skb)) {
3140 + xfrm6_local_rxpmtu(skb, mtu);
3141 ++ kfree_skb(skb);
3142 + return -EMSGSIZE;
3143 + } else if (!skb->ignore_df && toobig && skb->sk) {
3144 + xfrm_local_error(skb, mtu);
3145 ++ kfree_skb(skb);
3146 + return -EMSGSIZE;
3147 + }
3148 +
3149 +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
3150 +index aeffb65181f5..5984cc35d508 100644
3151 +--- a/net/iucv/af_iucv.c
3152 ++++ b/net/iucv/af_iucv.c
3153 +@@ -705,10 +705,8 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr,
3154 + char uid[9];
3155 +
3156 + /* Verify the input sockaddr */
3157 +- if (!addr || addr->sa_family != AF_IUCV)
3158 +- return -EINVAL;
3159 +-
3160 +- if (addr_len < sizeof(struct sockaddr_iucv))
3161 ++ if (addr_len < sizeof(struct sockaddr_iucv) ||
3162 ++ addr->sa_family != AF_IUCV)
3163 + return -EINVAL;
3164 +
3165 + lock_sock(sk);
3166 +@@ -852,7 +850,7 @@ static int iucv_sock_connect(struct socket *sock, struct sockaddr *addr,
3167 + struct iucv_sock *iucv = iucv_sk(sk);
3168 + int err;
3169 +
3170 +- if (addr->sa_family != AF_IUCV || alen < sizeof(struct sockaddr_iucv))
3171 ++ if (alen < sizeof(struct sockaddr_iucv) || addr->sa_family != AF_IUCV)
3172 + return -EINVAL;
3173 +
3174 + if (sk->sk_state != IUCV_OPEN && sk->sk_state != IUCV_BOUND)
3175 +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
3176 +index 48ab93842322..af74e3ba0f92 100644
3177 +--- a/net/l2tp/l2tp_ip.c
3178 ++++ b/net/l2tp/l2tp_ip.c
3179 +@@ -177,21 +177,23 @@ pass_up:
3180 +
3181 + tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
3182 + tunnel = l2tp_tunnel_find(net, tunnel_id);
3183 +- if (tunnel != NULL)
3184 ++ if (tunnel) {
3185 + sk = tunnel->sock;
3186 +- else {
3187 ++ sock_hold(sk);
3188 ++ } else {
3189 + struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
3190 +
3191 + read_lock_bh(&l2tp_ip_lock);
3192 + sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
3193 ++ if (!sk) {
3194 ++ read_unlock_bh(&l2tp_ip_lock);
3195 ++ goto discard;
3196 ++ }
3197 ++
3198 ++ sock_hold(sk);
3199 + read_unlock_bh(&l2tp_ip_lock);
3200 + }
3201 +
3202 +- if (sk == NULL)
3203 +- goto discard;
3204 +-
3205 +- sock_hold(sk);
3206 +-
3207 + if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
3208 + goto discard_put;
3209 +
3210 +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
3211 +index bcdab1cba773..591d308bf63a 100644
3212 +--- a/net/l2tp/l2tp_ip6.c
3213 ++++ b/net/l2tp/l2tp_ip6.c
3214 +@@ -188,22 +188,24 @@ pass_up:
3215 +
3216 + tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
3217 + tunnel = l2tp_tunnel_find(&init_net, tunnel_id);
3218 +- if (tunnel != NULL)
3219 ++ if (tunnel) {
3220 + sk = tunnel->sock;
3221 +- else {
3222 ++ sock_hold(sk);
3223 ++ } else {
3224 + struct ipv6hdr *iph = ipv6_hdr(skb);
3225 +
3226 + read_lock_bh(&l2tp_ip6_lock);
3227 + sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,
3228 + 0, tunnel_id);
3229 ++ if (!sk) {
3230 ++ read_unlock_bh(&l2tp_ip6_lock);
3231 ++ goto discard;
3232 ++ }
3233 ++
3234 ++ sock_hold(sk);
3235 + read_unlock_bh(&l2tp_ip6_lock);
3236 + }
3237 +
3238 +- if (sk == NULL)
3239 +- goto discard;
3240 +-
3241 +- sock_hold(sk);
3242 +-
3243 + if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
3244 + goto discard_put;
3245 +
3246 +diff --git a/net/mac80211/status.c b/net/mac80211/status.c
3247 +index 45fb1abdb265..2731cf5bf052 100644
3248 +--- a/net/mac80211/status.c
3249 ++++ b/net/mac80211/status.c
3250 +@@ -466,11 +466,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
3251 + if (!skb)
3252 + return;
3253 +
3254 +- if (dropped) {
3255 +- dev_kfree_skb_any(skb);
3256 +- return;
3257 +- }
3258 +-
3259 + if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
3260 + u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie;
3261 + struct ieee80211_sub_if_data *sdata;
3262 +@@ -491,6 +486,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
3263 + }
3264 + rcu_read_unlock();
3265 +
3266 ++ dev_kfree_skb_any(skb);
3267 ++ } else if (dropped) {
3268 + dev_kfree_skb_any(skb);
3269 + } else {
3270 + /* consumes skb */
3271 +diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
3272 +index f9e8deeeac96..a5745cb2d014 100644
3273 +--- a/net/sched/sch_gred.c
3274 ++++ b/net/sched/sch_gred.c
3275 +@@ -444,7 +444,7 @@ static int gred_change(struct Qdisc *sch, struct nlattr *opt)
3276 + if (tb[TCA_GRED_PARMS] == NULL && tb[TCA_GRED_STAB] == NULL) {
3277 + if (tb[TCA_GRED_LIMIT] != NULL)
3278 + sch->limit = nla_get_u32(tb[TCA_GRED_LIMIT]);
3279 +- return gred_change_table_def(sch, opt);
3280 ++ return gred_change_table_def(sch, tb[TCA_GRED_DPS]);
3281 + }
3282 +
3283 + if (tb[TCA_GRED_PARMS] == NULL ||
3284 +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
3285 +index 0505b8408c8b..4bf2b599ef98 100644
3286 +--- a/net/sched/sch_red.c
3287 ++++ b/net/sched/sch_red.c
3288 +@@ -97,6 +97,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch)
3289 +
3290 + ret = qdisc_enqueue(skb, child);
3291 + if (likely(ret == NET_XMIT_SUCCESS)) {
3292 ++ qdisc_qstats_backlog_inc(sch, skb);
3293 + sch->q.qlen++;
3294 + } else if (net_xmit_drop_count(ret)) {
3295 + q->stats.pdrop++;
3296 +@@ -118,6 +119,7 @@ static struct sk_buff *red_dequeue(struct Qdisc *sch)
3297 + skb = child->dequeue(child);
3298 + if (skb) {
3299 + qdisc_bstats_update(sch, skb);
3300 ++ qdisc_qstats_backlog_dec(sch, skb);
3301 + sch->q.qlen--;
3302 + } else {
3303 + if (!red_is_idling(&q->vars))
3304 +@@ -143,6 +145,7 @@ static unsigned int red_drop(struct Qdisc *sch)
3305 + if (child->ops->drop && (len = child->ops->drop(child)) > 0) {
3306 + q->stats.other++;
3307 + qdisc_qstats_drop(sch);
3308 ++ sch->qstats.backlog -= len;
3309 + sch->q.qlen--;
3310 + return len;
3311 + }
3312 +@@ -158,6 +161,7 @@ static void red_reset(struct Qdisc *sch)
3313 + struct red_sched_data *q = qdisc_priv(sch);
3314 +
3315 + qdisc_reset(q->qdisc);
3316 ++ sch->qstats.backlog = 0;
3317 + sch->q.qlen = 0;
3318 + red_restart(&q->vars);
3319 + }
3320 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
3321 +index 13c7f42b7040..53f1b33bca4e 100644
3322 +--- a/net/sctp/socket.c
3323 ++++ b/net/sctp/socket.c
3324 +@@ -248,11 +248,10 @@ struct sctp_association *sctp_id2assoc(struct sock *sk, sctp_assoc_t id)
3325 +
3326 + spin_lock_bh(&sctp_assocs_id_lock);
3327 + asoc = (struct sctp_association *)idr_find(&sctp_assocs_id, (int)id);
3328 ++ if (asoc && (asoc->base.sk != sk || asoc->base.dead))
3329 ++ asoc = NULL;
3330 + spin_unlock_bh(&sctp_assocs_id_lock);
3331 +
3332 +- if (!asoc || (asoc->base.sk != sk) || asoc->base.dead)
3333 +- return NULL;
3334 +-
3335 + return asoc;
3336 + }
3337 +
3338 +diff --git a/net/socket.c b/net/socket.c
3339 +index 0c544ae48eac..96133777d17c 100644
3340 +--- a/net/socket.c
3341 ++++ b/net/socket.c
3342 +@@ -2760,9 +2760,14 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
3343 + copy_in_user(&rxnfc->fs.ring_cookie,
3344 + &compat_rxnfc->fs.ring_cookie,
3345 + (void __user *)(&rxnfc->fs.location + 1) -
3346 +- (void __user *)&rxnfc->fs.ring_cookie) ||
3347 +- copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
3348 +- sizeof(rxnfc->rule_cnt)))
3349 ++ (void __user *)&rxnfc->fs.ring_cookie))
3350 ++ return -EFAULT;
3351 ++ if (ethcmd == ETHTOOL_GRXCLSRLALL) {
3352 ++ if (put_user(rule_cnt, &rxnfc->rule_cnt))
3353 ++ return -EFAULT;
3354 ++ } else if (copy_in_user(&rxnfc->rule_cnt,
3355 ++ &compat_rxnfc->rule_cnt,
3356 ++ sizeof(rxnfc->rule_cnt)))
3357 + return -EFAULT;
3358 + }
3359 +
3360 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
3361 +index e05ec54ac53f..c6b1eec94911 100644
3362 +--- a/net/unix/af_unix.c
3363 ++++ b/net/unix/af_unix.c
3364 +@@ -1531,7 +1531,6 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
3365 + {
3366 + int i;
3367 + unsigned char max_level = 0;
3368 +- int unix_sock_count = 0;
3369 +
3370 + if (too_many_unix_fds(current))
3371 + return -ETOOMANYREFS;
3372 +@@ -1539,11 +1538,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
3373 + for (i = scm->fp->count - 1; i >= 0; i--) {
3374 + struct sock *sk = unix_get_socket(scm->fp->fp[i]);
3375 +
3376 +- if (sk) {
3377 +- unix_sock_count++;
3378 ++ if (sk)
3379 + max_level = max(max_level,
3380 + unix_sk(sk)->recursion_level);
3381 +- }
3382 + }
3383 + if (unlikely(max_level > MAX_RECURSION_LEVEL))
3384 + return -ETOOMANYREFS;
3385 +diff --git a/net/wireless/reg.c b/net/wireless/reg.c
3386 +index 06d050da0d94..50dffd183cc6 100644
3387 +--- a/net/wireless/reg.c
3388 ++++ b/net/wireless/reg.c
3389 +@@ -2367,6 +2367,7 @@ static int regulatory_hint_core(const char *alpha2)
3390 + request->alpha2[0] = alpha2[0];
3391 + request->alpha2[1] = alpha2[1];
3392 + request->initiator = NL80211_REGDOM_SET_BY_CORE;
3393 ++ request->wiphy_idx = WIPHY_IDX_INVALID;
3394 +
3395 + queue_regulatory_request(request);
3396 +
3397 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
3398 +index d6a11af0bab1..9b6e51450fc5 100644
3399 +--- a/net/xfrm/xfrm_state.c
3400 ++++ b/net/xfrm/xfrm_state.c
3401 +@@ -1884,6 +1884,7 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
3402 + if (err >= 0) {
3403 + xfrm_sk_policy_insert(sk, err, pol);
3404 + xfrm_pol_put(pol);
3405 ++ __sk_dst_reset(sk);
3406 + err = 0;
3407 + }
3408 +
3409 +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
3410 +index a9b4491a3cc4..476f1fc6d655 100644
3411 +--- a/net/xfrm/xfrm_user.c
3412 ++++ b/net/xfrm/xfrm_user.c
3413 +@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
3414 + err = -EINVAL;
3415 + switch (p->family) {
3416 + case AF_INET:
3417 ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
3418 ++ goto out;
3419 ++
3420 + break;
3421 +
3422 + case AF_INET6:
3423 + #if IS_ENABLED(CONFIG_IPV6)
3424 ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
3425 ++ goto out;
3426 ++
3427 + break;
3428 + #else
3429 + err = -EAFNOSUPPORT;
3430 +@@ -1312,10 +1318,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
3431 +
3432 + switch (p->sel.family) {
3433 + case AF_INET:
3434 ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
3435 ++ return -EINVAL;
3436 ++
3437 + break;
3438 +
3439 + case AF_INET6:
3440 + #if IS_ENABLED(CONFIG_IPV6)
3441 ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
3442 ++ return -EINVAL;
3443 ++
3444 + break;
3445 + #else
3446 + return -EAFNOSUPPORT;
3447 +@@ -1396,6 +1408,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
3448 + (ut[i].family != prev_family))
3449 + return -EINVAL;
3450 +
3451 ++ if (ut[i].mode >= XFRM_MODE_MAX)
3452 ++ return -EINVAL;
3453 ++
3454 + prev_family = ut[i].family;
3455 +
3456 + switch (ut[i].family) {
3457 +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
3458 +index ac1d5b2b1626..a7095372701e 100644
3459 +--- a/security/keys/process_keys.c
3460 ++++ b/security/keys/process_keys.c
3461 +@@ -808,15 +808,14 @@ long join_session_keyring(const char *name)
3462 + ret = PTR_ERR(keyring);
3463 + goto error2;
3464 + } else if (keyring == new->session_keyring) {
3465 +- key_put(keyring);
3466 + ret = 0;
3467 +- goto error2;
3468 ++ goto error3;
3469 + }
3470 +
3471 + /* we've got a keyring - now to install it */
3472 + ret = install_session_keyring_to_cred(new, keyring);
3473 + if (ret < 0)
3474 +- goto error2;
3475 ++ goto error3;
3476 +
3477 + commit_creds(new);
3478 + mutex_unlock(&key_session_mutex);
3479 +@@ -826,6 +825,8 @@ long join_session_keyring(const char *name)
3480 + okay:
3481 + return ret;
3482 +
3483 ++error3:
3484 ++ key_put(keyring);
3485 + error2:
3486 + mutex_unlock(&key_session_mutex);
3487 + error:
3488 +diff --git a/sound/core/timer.c b/sound/core/timer.c
3489 +index ef850a99d64a..f989adb98a22 100644
3490 +--- a/sound/core/timer.c
3491 ++++ b/sound/core/timer.c
3492 +@@ -35,6 +35,9 @@
3493 + #include <sound/initval.h>
3494 + #include <linux/kmod.h>
3495 +
3496 ++/* internal flags */
3497 ++#define SNDRV_TIMER_IFLG_PAUSED 0x00010000
3498 ++
3499 + #if IS_ENABLED(CONFIG_SND_HRTIMER)
3500 + #define DEFAULT_TIMER_LIMIT 4
3501 + #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
3502 +@@ -547,6 +550,10 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
3503 + }
3504 + }
3505 + timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
3506 ++ if (stop)
3507 ++ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
3508 ++ else
3509 ++ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
3510 + snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
3511 + SNDRV_TIMER_EVENT_PAUSE);
3512 + unlock:
3513 +@@ -608,6 +615,10 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
3514 + */
3515 + int snd_timer_continue(struct snd_timer_instance *timeri)
3516 + {
3517 ++ /* timer can continue only after pause */
3518 ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
3519 ++ return -EINVAL;
3520 ++
3521 + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
3522 + return snd_timer_start_slave(timeri, false);
3523 + else
3524 +@@ -1837,6 +1848,9 @@ static int snd_timer_user_continue(struct file *file)
3525 + tu = file->private_data;
3526 + if (!tu->timeri)
3527 + return -EBADFD;
3528 ++ /* start timer instead of continue if it's not used before */
3529 ++ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
3530 ++ return snd_timer_user_start(file);
3531 + tu->timeri->lost = 0;
3532 + return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
3533 + }
3534 +diff --git a/sound/soc/codecs/ak4613.c b/sound/soc/codecs/ak4613.c
3535 +index 07a266460ec3..b4b36cc92ffe 100644
3536 +--- a/sound/soc/codecs/ak4613.c
3537 ++++ b/sound/soc/codecs/ak4613.c
3538 +@@ -143,6 +143,7 @@ static const struct regmap_config ak4613_regmap_cfg = {
3539 + .max_register = 0x16,
3540 + .reg_defaults = ak4613_reg,
3541 + .num_reg_defaults = ARRAY_SIZE(ak4613_reg),
3542 ++ .cache_type = REGCACHE_RBTREE,
3543 + };
3544 +
3545 + static const struct of_device_id ak4613_of_match[] = {
3546 +diff --git a/sound/soc/codecs/wm8940.c b/sound/soc/codecs/wm8940.c
3547 +index f6f9395ea38e..1c600819f768 100644
3548 +--- a/sound/soc/codecs/wm8940.c
3549 ++++ b/sound/soc/codecs/wm8940.c
3550 +@@ -743,6 +743,7 @@ static const struct regmap_config wm8940_regmap = {
3551 + .max_register = WM8940_MONOMIX,
3552 + .reg_defaults = wm8940_reg_defaults,
3553 + .num_reg_defaults = ARRAY_SIZE(wm8940_reg_defaults),
3554 ++ .cache_type = REGCACHE_RBTREE,
3555 +
3556 + .readable_reg = wm8940_readable_register,
3557 + .volatile_reg = wm8940_volatile_register,
3558 +diff --git a/sound/soc/spear/spdif_in.c b/sound/soc/spear/spdif_in.c
3559 +index 977a078eb92f..7f32527fc3c8 100644
3560 +--- a/sound/soc/spear/spdif_in.c
3561 ++++ b/sound/soc/spear/spdif_in.c
3562 +@@ -223,8 +223,10 @@ static int spdif_in_probe(struct platform_device *pdev)
3563 +
3564 + host->io_base = io_base;
3565 + host->irq = platform_get_irq(pdev, 0);
3566 +- if (host->irq < 0)
3567 +- return -EINVAL;
3568 ++ if (host->irq < 0) {
3569 ++ dev_warn(&pdev->dev, "failed to get IRQ: %d\n", host->irq);
3570 ++ return host->irq;
3571 ++ }
3572 +
3573 + host->clk = devm_clk_get(&pdev->dev, NULL);
3574 + if (IS_ERR(host->clk))
3575 +diff --git a/tools/perf/Makefile b/tools/perf/Makefile
3576 +index dcd9a70c7193..55933b2eb932 100644
3577 +--- a/tools/perf/Makefile
3578 ++++ b/tools/perf/Makefile
3579 +@@ -69,10 +69,10 @@ all tags TAGS:
3580 + $(make)
3581 +
3582 + #
3583 +-# The clean target is not really parallel, don't print the jobs info:
3584 ++# Explicitly disable parallelism for the clean target.
3585 + #
3586 + clean:
3587 +- $(make)
3588 ++ $(make) -j1
3589 +
3590 + #
3591 + # The build-test target is not really parallel, don't print the jobs info:
Report Message
Find on MARC Find on Google Groups