Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Mike Pagano (mpagano)" <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r2823 - genpatches-2.6/trunk/3.2
Date: Mon, 09 Jun 2014 18:29:36
Message-Id: 20140609182931.E13122004E@flycatcher.gentoo.org
1 Author: mpagano
2 Date: 2014-06-09 18:29:31 +0000 (Mon, 09 Jun 2014)
3 New Revision: 2823
4
5 Added:
6 genpatches-2.6/trunk/3.2/1058_linux-3.2.59.patch
7 genpatches-2.6/trunk/3.2/1059_linux-3.2.60.patch
8 Removed:
9 genpatches-2.6/trunk/3.2/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
10 genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch
11 genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch
12 genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
13 genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
14 genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
15 genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
16 Modified:
17 genpatches-2.6/trunk/3.2/0000_README
18 Log:
19 Linux patch 3.2.59. Linux patch 3.2.60. Removal of redundant patches
20
21 Modified: genpatches-2.6/trunk/3.2/0000_README
22 ===================================================================
23 --- genpatches-2.6/trunk/3.2/0000_README 2014-06-09 17:57:46 UTC (rev 2822)
24 +++ genpatches-2.6/trunk/3.2/0000_README 2014-06-09 18:29:31 UTC (rev 2823)
25 @@ -272,10 +272,14 @@
26 From: http://www.kernel.org
27 Desc: Linux 3.2.58
28
29 -Patch: 1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
30 -From: https://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/commit/?id=19f9438d73833ed532c3ba4955f9c981c9af16f2
31 -Desc: n_tty: Fix n_tty_write crash when echoing in raw mode
32 +Patch: 1058_linux-3.2.59.patch
33 +From: http://www.kernel.org
34 +Desc: Linux 3.2.59
35
36 +Patch: 1059_linux-3.2.60.patch
37 +From: http://www.kernel.org
38 +Desc: Linux 3.2.60
39 +
40 Patch: 1500_XATTR_USER_PREFIX.patch
41 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
42 Desc: Support for namespace user.pax.* on tmpfs.
43 @@ -284,30 +288,6 @@
44 From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d
45 Desc: selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types
46
47 -Patch: 1501-futex-add-another-early-deadlock-detection-check.patch
48 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f
49 -Desc: CVE-2014-3153
50 -
51 -Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch
52 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a
53 -Desc: CVE-2014-3153
54 -
55 -Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
56 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
57 -Desc: CVE-2014-3153
58 -
59 -Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
60 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
61 -Desc: CVE-2014-3153
62 -
63 -Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
64 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
65 -Desc: CVE-2014-3153
66 -
67 -Patch: 1506-futex-make-lookup_pi_state-more-robust.patch
68 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339
69 -Desc: CVE-2014-3153
70 -
71 Patch: 1512_af_key-initialize-satype-in-key_notify_policy_flush.patch
72 From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=85dfb745ee40232876663ae206cba35f24ab2a40
73 Desc: af_key: initialize satype in key_notify_policy_flush()
74
75 Added: genpatches-2.6/trunk/3.2/1058_linux-3.2.59.patch
76 ===================================================================
77 --- genpatches-2.6/trunk/3.2/1058_linux-3.2.59.patch (rev 0)
78 +++ genpatches-2.6/trunk/3.2/1058_linux-3.2.59.patch 2014-06-09 18:29:31 UTC (rev 2823)
79 @@ -0,0 +1,1213 @@
80 +diff --git a/Makefile b/Makefile
81 +index d59b394ba6cd..1be3414a141f 100644
82 +--- a/Makefile
83 ++++ b/Makefile
84 +@@ -1,6 +1,6 @@
85 + VERSION = 3
86 + PATCHLEVEL = 2
87 +-SUBLEVEL = 58
88 ++SUBLEVEL = 59
89 + EXTRAVERSION =
90 + NAME = Saber-toothed Squirrel
91 +
92 +diff --git a/arch/arm/include/asm/div64.h b/arch/arm/include/asm/div64.h
93 +index d3f0a9eee9f6..506e33baabd3 100644
94 +--- a/arch/arm/include/asm/div64.h
95 ++++ b/arch/arm/include/asm/div64.h
96 +@@ -156,7 +156,7 @@
97 + /* Select the best insn combination to perform the */ \
98 + /* actual __m * __n / (__p << 64) operation. */ \
99 + if (!__c) { \
100 +- asm ( "umull %Q0, %R0, %1, %Q2\n\t" \
101 ++ asm ( "umull %Q0, %R0, %Q1, %Q2\n\t" \
102 + "mov %Q0, #0" \
103 + : "=&r" (__res) \
104 + : "r" (__m), "r" (__n) \
105 +diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S
106 +index 3735abd7f8f6..4014d9064be1 100644
107 +--- a/arch/parisc/kernel/syscall_table.S
108 ++++ b/arch/parisc/kernel/syscall_table.S
109 +@@ -395,7 +395,7 @@
110 + ENTRY_COMP(vmsplice)
111 + ENTRY_COMP(move_pages) /* 295 */
112 + ENTRY_SAME(getcpu)
113 +- ENTRY_SAME(epoll_pwait)
114 ++ ENTRY_COMP(epoll_pwait)
115 + ENTRY_COMP(statfs64)
116 + ENTRY_COMP(fstatfs64)
117 + ENTRY_COMP(kexec_load) /* 300 */
118 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
119 +index b3f0f5ad8c41..2b662725fd90 100644
120 +--- a/drivers/ata/libata-core.c
121 ++++ b/drivers/ata/libata-core.c
122 +@@ -4718,21 +4718,26 @@ void swap_buf_le16(u16 *buf, unsigned int buf_words)
123 + static struct ata_queued_cmd *ata_qc_new(struct ata_port *ap)
124 + {
125 + struct ata_queued_cmd *qc = NULL;
126 +- unsigned int i;
127 ++ unsigned int i, tag;
128 +
129 + /* no command while frozen */
130 + if (unlikely(ap->pflags & ATA_PFLAG_FROZEN))
131 + return NULL;
132 +
133 +- /* the last tag is reserved for internal command. */
134 +- for (i = 0; i < ATA_MAX_QUEUE - 1; i++)
135 +- if (!test_and_set_bit(i, &ap->qc_allocated)) {
136 +- qc = __ata_qc_from_tag(ap, i);
137 ++ for (i = 0; i < ATA_MAX_QUEUE; i++) {
138 ++ tag = (i + ap->last_tag + 1) % ATA_MAX_QUEUE;
139 ++
140 ++ /* the last tag is reserved for internal command. */
141 ++ if (tag == ATA_TAG_INTERNAL)
142 ++ continue;
143 ++
144 ++ if (!test_and_set_bit(tag, &ap->qc_allocated)) {
145 ++ qc = __ata_qc_from_tag(ap, tag);
146 ++ qc->tag = tag;
147 ++ ap->last_tag = tag;
148 + break;
149 + }
150 +-
151 +- if (qc)
152 +- qc->tag = i;
153 ++ }
154 +
155 + return qc;
156 + }
157 +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
158 +index 7a90d4ae6e52..6d0f3e138221 100644
159 +--- a/drivers/block/floppy.c
160 ++++ b/drivers/block/floppy.c
161 +@@ -3060,7 +3060,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
162 + int ret;
163 +
164 + while (ptr) {
165 +- ret = copy_to_user(param, ptr, sizeof(*ptr));
166 ++ struct floppy_raw_cmd cmd = *ptr;
167 ++ cmd.next = NULL;
168 ++ cmd.kernel_data = NULL;
169 ++ ret = copy_to_user(param, &cmd, sizeof(cmd));
170 + if (ret)
171 + return -EFAULT;
172 + param += sizeof(struct floppy_raw_cmd);
173 +@@ -3114,10 +3117,11 @@ loop:
174 + return -ENOMEM;
175 + *rcmd = ptr;
176 + ret = copy_from_user(ptr, param, sizeof(*ptr));
177 +- if (ret)
178 +- return -EFAULT;
179 + ptr->next = NULL;
180 + ptr->buffer_length = 0;
181 ++ ptr->kernel_data = NULL;
182 ++ if (ret)
183 ++ return -EFAULT;
184 + param += sizeof(struct floppy_raw_cmd);
185 + if (ptr->cmd_count > 33)
186 + /* the command may now also take up the space
187 +@@ -3133,7 +3137,6 @@ loop:
188 + for (i = 0; i < 16; i++)
189 + ptr->reply[i] = 0;
190 + ptr->resultcode = 0;
191 +- ptr->kernel_data = NULL;
192 +
193 + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
194 + if (ptr->length <= 0)
195 +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
196 +index 4cd392dbf115..2861ef4570fc 100644
197 +--- a/drivers/firmware/dmi_scan.c
198 ++++ b/drivers/firmware/dmi_scan.c
199 +@@ -534,9 +534,15 @@ static bool dmi_matches(const struct dmi_system_id *dmi)
200 + int s = dmi->matches[i].slot;
201 + if (s == DMI_NONE)
202 + break;
203 +- if (dmi_ident[s]
204 +- && strstr(dmi_ident[s], dmi->matches[i].substr))
205 +- continue;
206 ++ if (dmi_ident[s]) {
207 ++ if (!dmi->matches[i].exact_match &&
208 ++ strstr(dmi_ident[s], dmi->matches[i].substr))
209 ++ continue;
210 ++ else if (dmi->matches[i].exact_match &&
211 ++ !strcmp(dmi_ident[s], dmi->matches[i].substr))
212 ++ continue;
213 ++ }
214 ++
215 + /* No match */
216 + return false;
217 + }
218 +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
219 +index bc35070daf78..886c1914146b 100644
220 +--- a/drivers/input/mouse/synaptics.c
221 ++++ b/drivers/input/mouse/synaptics.c
222 +@@ -1394,6 +1394,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
223 + .driver_data = (int []){1232, 5710, 1156, 4696},
224 + },
225 + {
226 ++ /* Lenovo ThinkPad T431s */
227 ++ .matches = {
228 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
229 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T431"),
230 ++ },
231 ++ .driver_data = (int []){1024, 5112, 2024, 4832},
232 ++ },
233 ++ {
234 + /* Lenovo ThinkPad T440s */
235 + .matches = {
236 + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
237 +@@ -1402,6 +1410,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
238 + .driver_data = (int []){1024, 5112, 2024, 4832},
239 + },
240 + {
241 ++ /* Lenovo ThinkPad L440 */
242 ++ .matches = {
243 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
244 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L440"),
245 ++ },
246 ++ .driver_data = (int []){1024, 5112, 2024, 4832},
247 ++ },
248 ++ {
249 + /* Lenovo ThinkPad T540p */
250 + .matches = {
251 + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
252 +@@ -1409,6 +1425,32 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
253 + },
254 + .driver_data = (int []){1024, 5056, 2058, 4832},
255 + },
256 ++ {
257 ++ /* Lenovo ThinkPad L540 */
258 ++ .matches = {
259 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
260 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L540"),
261 ++ },
262 ++ .driver_data = (int []){1024, 5112, 2024, 4832},
263 ++ },
264 ++ {
265 ++ /* Lenovo Yoga S1 */
266 ++ .matches = {
267 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
268 ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
269 ++ "ThinkPad S1 Yoga"),
270 ++ },
271 ++ .driver_data = (int []){1232, 5710, 1156, 4696},
272 ++ },
273 ++ {
274 ++ /* Lenovo ThinkPad X1 Carbon Haswell (3rd generation) */
275 ++ .matches = {
276 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
277 ++ DMI_MATCH(DMI_PRODUCT_VERSION,
278 ++ "ThinkPad X1 Carbon 2nd"),
279 ++ },
280 ++ .driver_data = (int []){1024, 5112, 2024, 4832},
281 ++ },
282 + #endif
283 + { }
284 + };
285 +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_cq.c b/drivers/net/ethernet/mellanox/mlx4/en_cq.c
286 +index 5829e0b47e7e..ba7c861e2b93 100644
287 +--- a/drivers/net/ethernet/mellanox/mlx4/en_cq.c
288 ++++ b/drivers/net/ethernet/mellanox/mlx4/en_cq.c
289 +@@ -58,7 +58,6 @@ int mlx4_en_create_cq(struct mlx4_en_priv *priv,
290 +
291 + cq->ring = ring;
292 + cq->is_tx = mode;
293 +- spin_lock_init(&cq->lock);
294 +
295 + err = mlx4_alloc_hwq_res(mdev->dev, &cq->wqres,
296 + cq->buf_size, 2 * PAGE_SIZE);
297 +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
298 +index 78d776bc355c..308349a43d60 100644
299 +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
300 ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
301 +@@ -355,15 +355,11 @@ static void mlx4_en_netpoll(struct net_device *dev)
302 + {
303 + struct mlx4_en_priv *priv = netdev_priv(dev);
304 + struct mlx4_en_cq *cq;
305 +- unsigned long flags;
306 + int i;
307 +
308 + for (i = 0; i < priv->rx_ring_num; i++) {
309 + cq = &priv->rx_cq[i];
310 +- spin_lock_irqsave(&cq->lock, flags);
311 +- napi_synchronize(&cq->napi);
312 +- mlx4_en_process_rx_cq(dev, cq, 0);
313 +- spin_unlock_irqrestore(&cq->lock, flags);
314 ++ napi_schedule(&cq->napi);
315 + }
316 + }
317 + #endif
318 +diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
319 +index 207b5add3ca8..492055885109 100644
320 +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
321 ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
322 +@@ -300,7 +300,6 @@ struct mlx4_en_cq {
323 + struct mlx4_cq mcq;
324 + struct mlx4_hwq_resources wqres;
325 + int ring;
326 +- spinlock_t lock;
327 + struct net_device *dev;
328 + struct napi_struct napi;
329 + /* Per-core Tx cq processing support */
330 +diff --git a/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c b/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c
331 +index a004ad75d568..ba7ef2fd4997 100644
332 +--- a/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c
333 ++++ b/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c
334 +@@ -1228,11 +1228,14 @@ static void rtl92c_dm_refresh_rate_adaptive_mask(struct ieee80211_hw *hw)
335 + if (rtlhal->interface == INTF_PCI) {
336 + rcu_read_lock();
337 + sta = ieee80211_find_sta(mac->vif, mac->bssid);
338 ++ if (!sta)
339 ++ goto out_unlock;
340 + }
341 + rtlpriv->cfg->ops->update_rate_tbl(hw, sta,
342 + p_ra->ratr_state);
343 +
344 + p_ra->pre_ratr_state = p_ra->ratr_state;
345 ++ out_unlock:
346 + if (rtlhal->interface == INTF_PCI)
347 + rcu_read_unlock();
348 + }
349 +diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
350 +index 7069f06d9b5d..4cc68d1b5069 100644
351 +--- a/drivers/staging/rtl8712/rtl871x_recv.c
352 ++++ b/drivers/staging/rtl8712/rtl871x_recv.c
353 +@@ -254,7 +254,7 @@ union recv_frame *r8712_portctrl(struct _adapter *adapter,
354 + struct sta_info *psta;
355 + struct sta_priv *pstapriv;
356 + union recv_frame *prtnframe;
357 +- u16 ether_type = 0;
358 ++ u16 ether_type;
359 +
360 + pstapriv = &adapter->stapriv;
361 + ptr = get_recvframe_data(precv_frame);
362 +@@ -263,15 +263,14 @@ union recv_frame *r8712_portctrl(struct _adapter *adapter,
363 + psta = r8712_get_stainfo(pstapriv, psta_addr);
364 + auth_alg = adapter->securitypriv.AuthAlgrthm;
365 + if (auth_alg == 2) {
366 ++ /* get ether_type */
367 ++ ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE;
368 ++ memcpy(&ether_type, ptr, 2);
369 ++ ether_type = ntohs((unsigned short)ether_type);
370 ++
371 + if ((psta != NULL) && (psta->ieee8021x_blocked)) {
372 + /* blocked
373 + * only accept EAPOL frame */
374 +- prtnframe = precv_frame;
375 +- /*get ether_type */
376 +- ptr = ptr + pfhdr->attrib.hdrlen +
377 +- pfhdr->attrib.iv_len + LLC_HEADER_SIZE;
378 +- memcpy(&ether_type, ptr, 2);
379 +- ether_type = ntohs((unsigned short)ether_type);
380 + if (ether_type == 0x888e)
381 + prtnframe = precv_frame;
382 + else {
383 +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
384 +index 0f8a785a5f60..bac83d82c117 100644
385 +--- a/drivers/tty/n_tty.c
386 ++++ b/drivers/tty/n_tty.c
387 +@@ -1997,7 +1997,9 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
388 + tty->ops->flush_chars(tty);
389 + } else {
390 + while (nr > 0) {
391 ++ mutex_lock(&tty->output_lock);
392 + c = tty->ops->write(tty, b, nr);
393 ++ mutex_unlock(&tty->output_lock);
394 + if (c < 0) {
395 + retval = c;
396 + goto break_out;
397 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
398 +index 636ee9e5ff39..320db2a585ad 100644
399 +--- a/drivers/usb/class/cdc-acm.c
400 ++++ b/drivers/usb/class/cdc-acm.c
401 +@@ -1493,13 +1493,27 @@ static const struct usb_device_id acm_ids[] = {
402 + },
403 + /* Motorola H24 HSPA module: */
404 + { USB_DEVICE(0x22b8, 0x2d91) }, /* modem */
405 +- { USB_DEVICE(0x22b8, 0x2d92) }, /* modem + diagnostics */
406 +- { USB_DEVICE(0x22b8, 0x2d93) }, /* modem + AT port */
407 +- { USB_DEVICE(0x22b8, 0x2d95) }, /* modem + AT port + diagnostics */
408 +- { USB_DEVICE(0x22b8, 0x2d96) }, /* modem + NMEA */
409 +- { USB_DEVICE(0x22b8, 0x2d97) }, /* modem + diagnostics + NMEA */
410 +- { USB_DEVICE(0x22b8, 0x2d99) }, /* modem + AT port + NMEA */
411 +- { USB_DEVICE(0x22b8, 0x2d9a) }, /* modem + AT port + diagnostics + NMEA */
412 ++ { USB_DEVICE(0x22b8, 0x2d92), /* modem + diagnostics */
413 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
414 ++ },
415 ++ { USB_DEVICE(0x22b8, 0x2d93), /* modem + AT port */
416 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
417 ++ },
418 ++ { USB_DEVICE(0x22b8, 0x2d95), /* modem + AT port + diagnostics */
419 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
420 ++ },
421 ++ { USB_DEVICE(0x22b8, 0x2d96), /* modem + NMEA */
422 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
423 ++ },
424 ++ { USB_DEVICE(0x22b8, 0x2d97), /* modem + diagnostics + NMEA */
425 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
426 ++ },
427 ++ { USB_DEVICE(0x22b8, 0x2d99), /* modem + AT port + NMEA */
428 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
429 ++ },
430 ++ { USB_DEVICE(0x22b8, 0x2d9a), /* modem + AT port + diagnostics + NMEA */
431 ++ .driver_info = NO_UNION_NORMAL, /* handle only modem interface */
432 ++ },
433 +
434 + { USB_DEVICE(0x0572, 0x1329), /* Hummingbird huc56s (Conexant) */
435 + .driver_info = NO_UNION_NORMAL, /* union descriptor misplaced on
436 +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
437 +index 2b4f42bac98f..188654458c2e 100644
438 +--- a/drivers/usb/host/xhci-ring.c
439 ++++ b/drivers/usb/host/xhci-ring.c
440 +@@ -570,10 +570,11 @@ void xhci_find_new_dequeue_state(struct xhci_hcd *xhci,
441 + struct xhci_dequeue_state *state)
442 + {
443 + struct xhci_virt_device *dev = xhci->devs[slot_id];
444 ++ struct xhci_virt_ep *ep = &dev->eps[ep_index];
445 + struct xhci_ring *ep_ring;
446 + struct xhci_generic_trb *trb;
447 +- struct xhci_ep_ctx *ep_ctx;
448 + dma_addr_t addr;
449 ++ u64 hw_dequeue;
450 +
451 + ep_ring = xhci_triad_to_transfer_ring(xhci, slot_id,
452 + ep_index, stream_id);
453 +@@ -583,52 +584,62 @@ void xhci_find_new_dequeue_state(struct xhci_hcd *xhci,
454 + stream_id);
455 + return;
456 + }
457 +- state->new_cycle_state = 0;
458 +- xhci_dbg(xhci, "Finding segment containing stopped TRB.\n");
459 +- state->new_deq_seg = find_trb_seg(cur_td->start_seg,
460 +- dev->eps[ep_index].stopped_trb,
461 +- &state->new_cycle_state);
462 +- if (!state->new_deq_seg) {
463 +- WARN_ON(1);
464 +- return;
465 +- }
466 +
467 + /* Dig out the cycle state saved by the xHC during the stop ep cmd */
468 + xhci_dbg(xhci, "Finding endpoint context\n");
469 +- ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index);
470 +- state->new_cycle_state = 0x1 & le64_to_cpu(ep_ctx->deq);
471 ++ /* 4.6.9 the css flag is written to the stream context for streams */
472 ++ if (ep->ep_state & EP_HAS_STREAMS) {
473 ++ struct xhci_stream_ctx *ctx =
474 ++ &ep->stream_info->stream_ctx_array[stream_id];
475 ++ hw_dequeue = le64_to_cpu(ctx->stream_ring);
476 ++ } else {
477 ++ struct xhci_ep_ctx *ep_ctx
478 ++ = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index);
479 ++ hw_dequeue = le64_to_cpu(ep_ctx->deq);
480 ++ }
481 ++
482 ++ /* Find virtual address and segment of hardware dequeue pointer */
483 ++ state->new_deq_seg = ep_ring->deq_seg;
484 ++ state->new_deq_ptr = ep_ring->dequeue;
485 ++ while (xhci_trb_virt_to_dma(state->new_deq_seg, state->new_deq_ptr)
486 ++ != (dma_addr_t)(hw_dequeue & ~0xf)) {
487 ++ next_trb(xhci, ep_ring, &state->new_deq_seg,
488 ++ &state->new_deq_ptr);
489 ++ if (state->new_deq_ptr == ep_ring->dequeue) {
490 ++ WARN_ON(1);
491 ++ return;
492 ++ }
493 ++ }
494 ++ /*
495 ++ * Find cycle state for last_trb, starting at old cycle state of
496 ++ * hw_dequeue. If there is only one segment ring, find_trb_seg() will
497 ++ * return immediately and cannot toggle the cycle state if this search
498 ++ * wraps around, so add one more toggle manually in that case.
499 ++ */
500 ++ state->new_cycle_state = hw_dequeue & 0x1;
501 ++ if (ep_ring->first_seg == ep_ring->first_seg->next &&
502 ++ cur_td->last_trb < state->new_deq_ptr)
503 ++ state->new_cycle_state ^= 0x1;
504 +
505 + state->new_deq_ptr = cur_td->last_trb;
506 + xhci_dbg(xhci, "Finding segment containing last TRB in TD.\n");
507 + state->new_deq_seg = find_trb_seg(state->new_deq_seg,
508 +- state->new_deq_ptr,
509 +- &state->new_cycle_state);
510 ++ state->new_deq_ptr, &state->new_cycle_state);
511 + if (!state->new_deq_seg) {
512 + WARN_ON(1);
513 + return;
514 + }
515 +
516 ++ /* Increment to find next TRB after last_trb. Cycle if appropriate. */
517 + trb = &state->new_deq_ptr->generic;
518 + if (TRB_TYPE_LINK_LE32(trb->field[3]) &&
519 + (trb->field[3] & cpu_to_le32(LINK_TOGGLE)))
520 + state->new_cycle_state ^= 0x1;
521 + next_trb(xhci, ep_ring, &state->new_deq_seg, &state->new_deq_ptr);
522 +
523 +- /*
524 +- * If there is only one segment in a ring, find_trb_seg()'s while loop
525 +- * will not run, and it will return before it has a chance to see if it
526 +- * needs to toggle the cycle bit. It can't tell if the stalled transfer
527 +- * ended just before the link TRB on a one-segment ring, or if the TD
528 +- * wrapped around the top of the ring, because it doesn't have the TD in
529 +- * question. Look for the one-segment case where stalled TRB's address
530 +- * is greater than the new dequeue pointer address.
531 +- */
532 +- if (ep_ring->first_seg == ep_ring->first_seg->next &&
533 +- state->new_deq_ptr < dev->eps[ep_index].stopped_trb)
534 +- state->new_cycle_state ^= 0x1;
535 ++ /* Don't update the ring cycle state for the producer (us). */
536 + xhci_dbg(xhci, "Cycle state = 0x%x\n", state->new_cycle_state);
537 +
538 +- /* Don't update the ring cycle state for the producer (us). */
539 + xhci_dbg(xhci, "New dequeue segment = %p (virtual)\n",
540 + state->new_deq_seg);
541 + addr = xhci_trb_virt_to_dma(state->new_deq_seg, state->new_deq_ptr);
542 +@@ -813,7 +824,6 @@ static void handle_stopped_endpoint(struct xhci_hcd *xhci,
543 + if (list_empty(&ep->cancelled_td_list)) {
544 + xhci_stop_watchdog_timer_in_irq(xhci, ep);
545 + ep->stopped_td = NULL;
546 +- ep->stopped_trb = NULL;
547 + ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
548 + return;
549 + }
550 +@@ -880,11 +890,9 @@ remove_finished_td:
551 + ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
552 + }
553 +
554 +- /* Clear stopped_td and stopped_trb if endpoint is not halted */
555 +- if (!(ep->ep_state & EP_HALTED)) {
556 ++ /* Clear stopped_td if endpoint is not halted */
557 ++ if (!(ep->ep_state & EP_HALTED))
558 + ep->stopped_td = NULL;
559 +- ep->stopped_trb = NULL;
560 +- }
561 +
562 + /*
563 + * Drop the lock and complete the URBs in the cancelled TD list.
564 +@@ -1744,14 +1752,12 @@ static void xhci_cleanup_halted_endpoint(struct xhci_hcd *xhci,
565 + struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index];
566 + ep->ep_state |= EP_HALTED;
567 + ep->stopped_td = td;
568 +- ep->stopped_trb = event_trb;
569 + ep->stopped_stream = stream_id;
570 +
571 + xhci_queue_reset_ep(xhci, slot_id, ep_index);
572 + xhci_cleanup_stalled_ring(xhci, td->urb->dev, ep_index);
573 +
574 + ep->stopped_td = NULL;
575 +- ep->stopped_trb = NULL;
576 + ep->stopped_stream = 0;
577 +
578 + xhci_ring_cmd_db(xhci);
579 +@@ -1833,7 +1839,6 @@ static int finish_td(struct xhci_hcd *xhci, struct xhci_td *td,
580 + * the ring dequeue pointer or take this TD off any lists yet.
581 + */
582 + ep->stopped_td = td;
583 +- ep->stopped_trb = event_trb;
584 + return 0;
585 + } else {
586 + if (trb_comp_code == COMP_STALL) {
587 +@@ -1845,7 +1850,6 @@ static int finish_td(struct xhci_hcd *xhci, struct xhci_td *td,
588 + * USB class driver clear the stall later.
589 + */
590 + ep->stopped_td = td;
591 +- ep->stopped_trb = event_trb;
592 + ep->stopped_stream = ep_ring->stream_id;
593 + } else if (xhci_requires_manual_halt_cleanup(xhci,
594 + ep_ctx, trb_comp_code)) {
595 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
596 +index 03c35da16e48..b2eac8db55e8 100644
597 +--- a/drivers/usb/host/xhci.c
598 ++++ b/drivers/usb/host/xhci.c
599 +@@ -378,16 +378,16 @@ static int xhci_try_enable_msi(struct usb_hcd *hcd)
600 +
601 + #else
602 +
603 +-static int xhci_try_enable_msi(struct usb_hcd *hcd)
604 ++static inline int xhci_try_enable_msi(struct usb_hcd *hcd)
605 + {
606 + return 0;
607 + }
608 +
609 +-static void xhci_cleanup_msix(struct xhci_hcd *xhci)
610 ++static inline void xhci_cleanup_msix(struct xhci_hcd *xhci)
611 + {
612 + }
613 +
614 +-static void xhci_msix_sync_irqs(struct xhci_hcd *xhci)
615 ++static inline void xhci_msix_sync_irqs(struct xhci_hcd *xhci)
616 + {
617 + }
618 +
619 +@@ -2884,7 +2884,6 @@ void xhci_endpoint_reset(struct usb_hcd *hcd,
620 + xhci_ring_cmd_db(xhci);
621 + }
622 + virt_ep->stopped_td = NULL;
623 +- virt_ep->stopped_trb = NULL;
624 + virt_ep->stopped_stream = 0;
625 + spin_unlock_irqrestore(&xhci->lock, flags);
626 +
627 +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
628 +index cf4fd241fc77..1bc91c8927aa 100644
629 +--- a/drivers/usb/host/xhci.h
630 ++++ b/drivers/usb/host/xhci.h
631 +@@ -835,8 +835,6 @@ struct xhci_virt_ep {
632 + #define EP_GETTING_NO_STREAMS (1 << 5)
633 + /* ---- Related to URB cancellation ---- */
634 + struct list_head cancelled_td_list;
635 +- /* The TRB that was last reported in a stopped endpoint ring */
636 +- union xhci_trb *stopped_trb;
637 + struct xhci_td *stopped_td;
638 + unsigned int stopped_stream;
639 + /* Watchdog timer for stop endpoint command to cancel URBs */
640 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
641 +index c408ff73e99d..01fd64a0a9ee 100644
642 +--- a/drivers/usb/serial/cp210x.c
643 ++++ b/drivers/usb/serial/cp210x.c
644 +@@ -110,6 +110,7 @@ static const struct usb_device_id id_table[] = {
645 + { USB_DEVICE(0x10C4, 0x8218) }, /* Lipowsky Industrie Elektronik GmbH, HARP-1 */
646 + { USB_DEVICE(0x10C4, 0x822B) }, /* Modem EDGE(GSM) Comander 2 */
647 + { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
648 ++ { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
649 + { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
650 + { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
651 + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
652 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
653 +index 5c97d9fcc613..332f04d76bd9 100644
654 +--- a/drivers/usb/serial/ftdi_sio.c
655 ++++ b/drivers/usb/serial/ftdi_sio.c
656 +@@ -920,6 +920,39 @@ static struct usb_device_id id_table_combined [] = {
657 + { USB_DEVICE(FTDI_VID, FTDI_Z3X_PID) },
658 + /* Cressi Devices */
659 + { USB_DEVICE(FTDI_VID, FTDI_CRESSI_PID) },
660 ++ /* Brainboxes Devices */
661 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_001_PID) },
662 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_012_PID) },
663 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) },
664 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) },
665 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) },
666 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) },
667 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) },
668 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) },
669 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_4_PID) },
670 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_5_PID) },
671 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) },
672 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) },
673 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) },
674 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) },
675 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) },
676 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) },
677 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) },
678 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) },
679 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) },
680 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) },
681 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_1_PID) },
682 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) },
683 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_357_PID) },
684 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_606_1_PID) },
685 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_606_2_PID) },
686 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_606_3_PID) },
687 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_701_1_PID) },
688 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_701_2_PID) },
689 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_1_PID) },
690 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_2_PID) },
691 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_3_PID) },
692 ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_4_PID) },
693 + { }, /* Optional parameter entry */
694 + { } /* Terminating entry */
695 + };
696 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
697 +index 71fe2de79bab..83a440fd28d6 100644
698 +--- a/drivers/usb/serial/ftdi_sio_ids.h
699 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
700 +@@ -1326,3 +1326,40 @@
701 + * Manufacturer: Cressi
702 + */
703 + #define FTDI_CRESSI_PID 0x87d0
704 ++
705 ++/*
706 ++ * Brainboxes devices
707 ++ */
708 ++#define BRAINBOXES_VID 0x05d1
709 ++#define BRAINBOXES_VX_001_PID 0x1001 /* VX-001 ExpressCard 1 Port RS232 */
710 ++#define BRAINBOXES_VX_012_PID 0x1002 /* VX-012 ExpressCard 2 Port RS232 */
711 ++#define BRAINBOXES_VX_023_PID 0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */
712 ++#define BRAINBOXES_VX_034_PID 0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */
713 ++#define BRAINBOXES_US_101_PID 0x1011 /* US-101 1xRS232 */
714 ++#define BRAINBOXES_US_324_PID 0x1013 /* US-324 1xRS422/485 1Mbaud */
715 ++#define BRAINBOXES_US_606_1_PID 0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */
716 ++#define BRAINBOXES_US_606_2_PID 0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */
717 ++#define BRAINBOXES_US_606_3_PID 0x2003 /* US-606 6 Port RS232 Serial Port 4 and 6 */
718 ++#define BRAINBOXES_US_701_1_PID 0x2011 /* US-701 4xRS232 1Mbaud Port 1 and 2 */
719 ++#define BRAINBOXES_US_701_2_PID 0x2012 /* US-701 4xRS422 1Mbaud Port 3 and 4 */
720 ++#define BRAINBOXES_US_279_1_PID 0x2021 /* US-279 8xRS422 1Mbaud Port 1 and 2 */
721 ++#define BRAINBOXES_US_279_2_PID 0x2022 /* US-279 8xRS422 1Mbaud Port 3 and 4 */
722 ++#define BRAINBOXES_US_279_3_PID 0x2023 /* US-279 8xRS422 1Mbaud Port 5 and 6 */
723 ++#define BRAINBOXES_US_279_4_PID 0x2024 /* US-279 8xRS422 1Mbaud Port 7 and 8 */
724 ++#define BRAINBOXES_US_346_1_PID 0x3011 /* US-346 4xRS422/485 1Mbaud Port 1 and 2 */
725 ++#define BRAINBOXES_US_346_2_PID 0x3012 /* US-346 4xRS422/485 1Mbaud Port 3 and 4 */
726 ++#define BRAINBOXES_US_257_PID 0x5001 /* US-257 2xRS232 1Mbaud */
727 ++#define BRAINBOXES_US_313_PID 0x6001 /* US-313 2xRS422/485 1Mbaud */
728 ++#define BRAINBOXES_US_357_PID 0x7001 /* US_357 1xRS232/422/485 */
729 ++#define BRAINBOXES_US_842_1_PID 0x8001 /* US-842 8xRS422/485 1Mbaud Port 1 and 2 */
730 ++#define BRAINBOXES_US_842_2_PID 0x8002 /* US-842 8xRS422/485 1Mbaud Port 3 and 4 */
731 ++#define BRAINBOXES_US_842_3_PID 0x8003 /* US-842 8xRS422/485 1Mbaud Port 5 and 6 */
732 ++#define BRAINBOXES_US_842_4_PID 0x8004 /* US-842 8xRS422/485 1Mbaud Port 7 and 8 */
733 ++#define BRAINBOXES_US_160_1_PID 0x9001 /* US-160 16xRS232 1Mbaud Port 1 and 2 */
734 ++#define BRAINBOXES_US_160_2_PID 0x9002 /* US-160 16xRS232 1Mbaud Port 3 and 4 */
735 ++#define BRAINBOXES_US_160_3_PID 0x9003 /* US-160 16xRS232 1Mbaud Port 5 and 6 */
736 ++#define BRAINBOXES_US_160_4_PID 0x9004 /* US-160 16xRS232 1Mbaud Port 7 and 8 */
737 ++#define BRAINBOXES_US_160_5_PID 0x9005 /* US-160 16xRS232 1Mbaud Port 9 and 10 */
738 ++#define BRAINBOXES_US_160_6_PID 0x9006 /* US-160 16xRS232 1Mbaud Port 11 and 12 */
739 ++#define BRAINBOXES_US_160_7_PID 0x9007 /* US-160 16xRS232 1Mbaud Port 13 and 14 */
740 ++#define BRAINBOXES_US_160_8_PID 0x9008 /* US-160 16xRS232 1Mbaud Port 15 and 16 */
741 +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
742 +index f42119d22467..c575e0a17270 100644
743 +--- a/drivers/usb/serial/io_ti.c
744 ++++ b/drivers/usb/serial/io_ti.c
745 +@@ -36,6 +36,7 @@
746 + #include <linux/spinlock.h>
747 + #include <linux/mutex.h>
748 + #include <linux/serial.h>
749 ++#include <linux/swab.h>
750 + #include <linux/kfifo.h>
751 + #include <linux/ioctl.h>
752 + #include <linux/firmware.h>
753 +@@ -306,7 +307,7 @@ static int read_download_mem(struct usb_device *dev, int start_address,
754 + {
755 + int status = 0;
756 + __u8 read_length;
757 +- __be16 be_start_address;
758 ++ u16 be_start_address;
759 +
760 + dbg("%s - @ %x for %d", __func__, start_address, length);
761 +
762 +@@ -323,10 +324,14 @@ static int read_download_mem(struct usb_device *dev, int start_address,
763 + dbg("%s - @ %x for %d", __func__,
764 + start_address, read_length);
765 + }
766 +- be_start_address = cpu_to_be16(start_address);
767 ++ /*
768 ++ * NOTE: Must use swab as wIndex is sent in little-endian
769 ++ * byte order regardless of host byte order.
770 ++ */
771 ++ be_start_address = swab16((u16)start_address);
772 + status = ti_vread_sync(dev, UMPC_MEMORY_READ,
773 + (__u16)address_type,
774 +- (__force __u16)be_start_address,
775 ++ be_start_address,
776 + buffer, read_length);
777 +
778 + if (status) {
779 +@@ -426,7 +431,7 @@ static int write_i2c_mem(struct edgeport_serial *serial,
780 + {
781 + int status = 0;
782 + int write_length;
783 +- __be16 be_start_address;
784 ++ u16 be_start_address;
785 +
786 + /* We can only send a maximum of 1 aligned byte page at a time */
787 +
788 +@@ -442,11 +447,16 @@ static int write_i2c_mem(struct edgeport_serial *serial,
789 + usb_serial_debug_data(debug, &serial->serial->dev->dev,
790 + __func__, write_length, buffer);
791 +
792 +- /* Write first page */
793 +- be_start_address = cpu_to_be16(start_address);
794 ++ /*
795 ++ * Write first page.
796 ++ *
797 ++ * NOTE: Must use swab as wIndex is sent in little-endian byte order
798 ++ * regardless of host byte order.
799 ++ */
800 ++ be_start_address = swab16((u16)start_address);
801 + status = ti_vsend_sync(serial->serial->dev,
802 + UMPC_MEMORY_WRITE, (__u16)address_type,
803 +- (__force __u16)be_start_address,
804 ++ be_start_address,
805 + buffer, write_length);
806 + if (status) {
807 + dbg("%s - ERROR %d", __func__, status);
808 +@@ -470,11 +480,16 @@ static int write_i2c_mem(struct edgeport_serial *serial,
809 + usb_serial_debug_data(debug, &serial->serial->dev->dev,
810 + __func__, write_length, buffer);
811 +
812 +- /* Write next page */
813 +- be_start_address = cpu_to_be16(start_address);
814 ++ /*
815 ++ * Write next page.
816 ++ *
817 ++ * NOTE: Must use swab as wIndex is sent in little-endian byte
818 ++ * order regardless of host byte order.
819 ++ */
820 ++ be_start_address = swab16((u16)start_address);
821 + status = ti_vsend_sync(serial->serial->dev, UMPC_MEMORY_WRITE,
822 + (__u16)address_type,
823 +- (__force __u16)be_start_address,
824 ++ be_start_address,
825 + buffer, write_length);
826 + if (status) {
827 + dev_err(&serial->serial->dev->dev, "%s - ERROR %d\n",
828 +@@ -681,8 +696,8 @@ static int get_descriptor_addr(struct edgeport_serial *serial,
829 + if (rom_desc->Type == desc_type)
830 + return start_address;
831 +
832 +- start_address = start_address + sizeof(struct ti_i2c_desc)
833 +- + rom_desc->Size;
834 ++ start_address = start_address + sizeof(struct ti_i2c_desc) +
835 ++ le16_to_cpu(rom_desc->Size);
836 +
837 + } while ((start_address < TI_MAX_I2C_SIZE) && rom_desc->Type);
838 +
839 +@@ -695,7 +710,7 @@ static int valid_csum(struct ti_i2c_desc *rom_desc, __u8 *buffer)
840 + __u16 i;
841 + __u8 cs = 0;
842 +
843 +- for (i = 0; i < rom_desc->Size; i++)
844 ++ for (i = 0; i < le16_to_cpu(rom_desc->Size); i++)
845 + cs = (__u8)(cs + buffer[i]);
846 +
847 + if (cs != rom_desc->CheckSum) {
848 +@@ -749,7 +764,7 @@ static int check_i2c_image(struct edgeport_serial *serial)
849 + break;
850 +
851 + if ((start_address + sizeof(struct ti_i2c_desc) +
852 +- rom_desc->Size) > TI_MAX_I2C_SIZE) {
853 ++ le16_to_cpu(rom_desc->Size)) > TI_MAX_I2C_SIZE) {
854 + status = -ENODEV;
855 + dbg("%s - structure too big, erroring out.", __func__);
856 + break;
857 +@@ -764,7 +779,8 @@ static int check_i2c_image(struct edgeport_serial *serial)
858 + /* Read the descriptor data */
859 + status = read_rom(serial, start_address +
860 + sizeof(struct ti_i2c_desc),
861 +- rom_desc->Size, buffer);
862 ++ le16_to_cpu(rom_desc->Size),
863 ++ buffer);
864 + if (status)
865 + break;
866 +
867 +@@ -773,7 +789,7 @@ static int check_i2c_image(struct edgeport_serial *serial)
868 + break;
869 + }
870 + start_address = start_address + sizeof(struct ti_i2c_desc) +
871 +- rom_desc->Size;
872 ++ le16_to_cpu(rom_desc->Size);
873 +
874 + } while ((rom_desc->Type != I2C_DESC_TYPE_ION) &&
875 + (start_address < TI_MAX_I2C_SIZE));
876 +@@ -812,7 +828,7 @@ static int get_manuf_info(struct edgeport_serial *serial, __u8 *buffer)
877 +
878 + /* Read the descriptor data */
879 + status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
880 +- rom_desc->Size, buffer);
881 ++ le16_to_cpu(rom_desc->Size), buffer);
882 + if (status)
883 + goto exit;
884 +
885 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
886 +index 5f5047fcfecf..9823e79e9f56 100644
887 +--- a/drivers/usb/serial/option.c
888 ++++ b/drivers/usb/serial/option.c
889 +@@ -234,8 +234,31 @@ static void option_instat_callback(struct urb *urb);
890 + #define QUALCOMM_VENDOR_ID 0x05C6
891 +
892 + #define CMOTECH_VENDOR_ID 0x16d8
893 +-#define CMOTECH_PRODUCT_6008 0x6008
894 +-#define CMOTECH_PRODUCT_6280 0x6280
895 ++#define CMOTECH_PRODUCT_6001 0x6001
896 ++#define CMOTECH_PRODUCT_CMU_300 0x6002
897 ++#define CMOTECH_PRODUCT_6003 0x6003
898 ++#define CMOTECH_PRODUCT_6004 0x6004
899 ++#define CMOTECH_PRODUCT_6005 0x6005
900 ++#define CMOTECH_PRODUCT_CGU_628A 0x6006
901 ++#define CMOTECH_PRODUCT_CHE_628S 0x6007
902 ++#define CMOTECH_PRODUCT_CMU_301 0x6008
903 ++#define CMOTECH_PRODUCT_CHU_628 0x6280
904 ++#define CMOTECH_PRODUCT_CHU_628S 0x6281
905 ++#define CMOTECH_PRODUCT_CDU_680 0x6803
906 ++#define CMOTECH_PRODUCT_CDU_685A 0x6804
907 ++#define CMOTECH_PRODUCT_CHU_720S 0x7001
908 ++#define CMOTECH_PRODUCT_7002 0x7002
909 ++#define CMOTECH_PRODUCT_CHU_629K 0x7003
910 ++#define CMOTECH_PRODUCT_7004 0x7004
911 ++#define CMOTECH_PRODUCT_7005 0x7005
912 ++#define CMOTECH_PRODUCT_CGU_629 0x7006
913 ++#define CMOTECH_PRODUCT_CHU_629S 0x700a
914 ++#define CMOTECH_PRODUCT_CHU_720I 0x7211
915 ++#define CMOTECH_PRODUCT_7212 0x7212
916 ++#define CMOTECH_PRODUCT_7213 0x7213
917 ++#define CMOTECH_PRODUCT_7251 0x7251
918 ++#define CMOTECH_PRODUCT_7252 0x7252
919 ++#define CMOTECH_PRODUCT_7253 0x7253
920 +
921 + #define TELIT_VENDOR_ID 0x1bc7
922 + #define TELIT_PRODUCT_UC864E 0x1003
923 +@@ -243,6 +266,7 @@ static void option_instat_callback(struct urb *urb);
924 + #define TELIT_PRODUCT_CC864_DUAL 0x1005
925 + #define TELIT_PRODUCT_CC864_SINGLE 0x1006
926 + #define TELIT_PRODUCT_DE910_DUAL 0x1010
927 ++#define TELIT_PRODUCT_UE910_V2 0x1012
928 + #define TELIT_PRODUCT_LE920 0x1200
929 +
930 + /* ZTE PRODUCTS */
931 +@@ -291,6 +315,7 @@ static void option_instat_callback(struct urb *urb);
932 + #define ALCATEL_PRODUCT_X060S_X200 0x0000
933 + #define ALCATEL_PRODUCT_X220_X500D 0x0017
934 + #define ALCATEL_PRODUCT_L100V 0x011e
935 ++#define ALCATEL_PRODUCT_L800MA 0x0203
936 +
937 + #define PIRELLI_VENDOR_ID 0x1266
938 + #define PIRELLI_PRODUCT_C100_1 0x1002
939 +@@ -353,6 +378,7 @@ static void option_instat_callback(struct urb *urb);
940 + #define OLIVETTI_PRODUCT_OLICARD100 0xc000
941 + #define OLIVETTI_PRODUCT_OLICARD145 0xc003
942 + #define OLIVETTI_PRODUCT_OLICARD200 0xc005
943 ++#define OLIVETTI_PRODUCT_OLICARD500 0xc00b
944 +
945 + /* Celot products */
946 + #define CELOT_VENDOR_ID 0x211f
947 +@@ -514,6 +540,10 @@ static const struct option_blacklist_info huawei_cdc12_blacklist = {
948 + .reserved = BIT(1) | BIT(2),
949 + };
950 +
951 ++static const struct option_blacklist_info net_intf0_blacklist = {
952 ++ .reserved = BIT(0),
953 ++};
954 ++
955 + static const struct option_blacklist_info net_intf1_blacklist = {
956 + .reserved = BIT(1),
957 + };
958 +@@ -1048,13 +1078,53 @@ static const struct usb_device_id option_ids[] = {
959 + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
960 + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
961 + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
962 +- { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6280) }, /* BP3-USB & BP3-EXT HSDPA */
963 +- { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6008) },
964 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
965 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
966 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
967 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
968 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6004) },
969 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6005) },
970 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CGU_628A) },
971 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHE_628S),
972 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
973 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_301),
974 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
975 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_628),
976 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
977 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_628S) },
978 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CDU_680) },
979 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CDU_685A) },
980 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_720S),
981 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
982 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7002),
983 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
984 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_629K),
985 ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
986 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7004),
987 ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
988 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7005) },
989 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CGU_629),
990 ++ .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
991 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_629S),
992 ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
993 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_720I),
994 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
995 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7212),
996 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
997 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7213),
998 ++ .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
999 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7251),
1000 ++ .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
1001 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7252),
1002 ++ .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
1003 ++ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7253),
1004 ++ .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
1005 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UC864E) },
1006 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UC864G) },
1007 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_DUAL) },
1008 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) },
1009 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) },
1010 ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
1011 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
1012 + .driver_info = (kernel_ulong_t)&telit_le920_blacklist },
1013 + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
1014 +@@ -1518,6 +1588,8 @@ static const struct usb_device_id option_ids[] = {
1015 + .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
1016 + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L100V),
1017 + .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
1018 ++ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L800MA),
1019 ++ .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
1020 + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
1021 + { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) },
1022 + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
1023 +@@ -1563,6 +1635,9 @@ static const struct usb_device_id option_ids[] = {
1024 + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200),
1025 + .driver_info = (kernel_ulong_t)&net_intf6_blacklist
1026 + },
1027 ++ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD500),
1028 ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist
1029 ++ },
1030 + { USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
1031 + { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/
1032 + { USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) },
1033 +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
1034 +index 7b293178e8a6..45a288cc423c 100644
1035 +--- a/drivers/usb/serial/pl2303.c
1036 ++++ b/drivers/usb/serial/pl2303.c
1037 +@@ -86,6 +86,9 @@ static const struct usb_device_id id_table[] = {
1038 + { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
1039 + { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
1040 + { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
1041 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
1042 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
1043 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
1044 + { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
1045 + { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
1046 + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
1047 +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
1048 +index c38b8c00c06f..42bc082896ac 100644
1049 +--- a/drivers/usb/serial/pl2303.h
1050 ++++ b/drivers/usb/serial/pl2303.h
1051 +@@ -121,8 +121,11 @@
1052 + #define SUPERIAL_VENDOR_ID 0x5372
1053 + #define SUPERIAL_PRODUCT_ID 0x2303
1054 +
1055 +-/* Hewlett-Packard LD220-HP POS Pole Display */
1056 ++/* Hewlett-Packard POS Pole Displays */
1057 + #define HP_VENDOR_ID 0x03f0
1058 ++#define HP_LD960_PRODUCT_ID 0x0b39
1059 ++#define HP_LCM220_PRODUCT_ID 0x3139
1060 ++#define HP_LCM960_PRODUCT_ID 0x3239
1061 + #define HP_LD220_PRODUCT_ID 0x3524
1062 +
1063 + /* Cressi Edy (diving computer) PC interface */
1064 +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
1065 +index a7fa673466ce..dbdfeb4647ee 100644
1066 +--- a/drivers/usb/serial/sierra.c
1067 ++++ b/drivers/usb/serial/sierra.c
1068 +@@ -305,7 +305,6 @@ static const struct usb_device_id id_table[] = {
1069 + { USB_DEVICE(0x0f3d, 0x68A3), /* Airprime/Sierra Wireless Direct IP modems */
1070 + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
1071 + },
1072 +- { USB_DEVICE(0x413C, 0x08133) }, /* Dell Computer Corp. Wireless 5720 VZW Mobile Broadband (EVDO Rev-A) Minicard GPS Port */
1073 +
1074 + { }
1075 + };
1076 +diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
1077 +index 850faa447000..8f76a2b1d721 100644
1078 +--- a/drivers/usb/serial/usb-serial.c
1079 ++++ b/drivers/usb/serial/usb-serial.c
1080 +@@ -1400,10 +1400,12 @@ void usb_serial_deregister(struct usb_serial_driver *device)
1081 + /* must be called with BKL held */
1082 + printk(KERN_INFO "USB Serial deregistering driver %s\n",
1083 + device->description);
1084 ++
1085 + mutex_lock(&table_lock);
1086 + list_del(&device->driver_list);
1087 +- usb_serial_bus_deregister(device);
1088 + mutex_unlock(&table_lock);
1089 ++
1090 ++ usb_serial_bus_deregister(device);
1091 + }
1092 + EXPORT_SYMBOL_GPL(usb_serial_deregister);
1093 +
1094 +diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c
1095 +index f8962a957d65..a1fee6f1546a 100644
1096 +--- a/fs/btrfs/inode-map.c
1097 ++++ b/fs/btrfs/inode-map.c
1098 +@@ -207,24 +207,14 @@ again:
1099 +
1100 + void btrfs_return_ino(struct btrfs_root *root, u64 objectid)
1101 + {
1102 +- struct btrfs_free_space_ctl *ctl = root->free_ino_ctl;
1103 + struct btrfs_free_space_ctl *pinned = root->free_ino_pinned;
1104 +
1105 + if (!btrfs_test_opt(root, INODE_MAP_CACHE))
1106 + return;
1107 +-
1108 + again:
1109 + if (root->cached == BTRFS_CACHE_FINISHED) {
1110 +- __btrfs_add_free_space(ctl, objectid, 1);
1111 ++ __btrfs_add_free_space(pinned, objectid, 1);
1112 + } else {
1113 +- /*
1114 +- * If we are in the process of caching free ino chunks,
1115 +- * to avoid adding the same inode number to the free_ino
1116 +- * tree twice due to cross transaction, we'll leave it
1117 +- * in the pinned tree until a transaction is committed
1118 +- * or the caching work is done.
1119 +- */
1120 +-
1121 + mutex_lock(&root->fs_commit_mutex);
1122 + spin_lock(&root->cache_lock);
1123 + if (root->cached == BTRFS_CACHE_FINISHED) {
1124 +@@ -236,11 +226,7 @@ again:
1125 +
1126 + start_caching(root);
1127 +
1128 +- if (objectid <= root->cache_progress ||
1129 +- objectid > root->highest_objectid)
1130 +- __btrfs_add_free_space(ctl, objectid, 1);
1131 +- else
1132 +- __btrfs_add_free_space(pinned, objectid, 1);
1133 ++ __btrfs_add_free_space(pinned, objectid, 1);
1134 +
1135 + mutex_unlock(&root->fs_commit_mutex);
1136 + }
1137 +diff --git a/fs/ext4/file.c b/fs/ext4/file.c
1138 +index cb70f1812a70..61999221fbfa 100644
1139 +--- a/fs/ext4/file.c
1140 ++++ b/fs/ext4/file.c
1141 +@@ -80,7 +80,7 @@ ext4_unaligned_aio(struct inode *inode, const struct iovec *iov,
1142 + size_t count = iov_length(iov, nr_segs);
1143 + loff_t final_size = pos + count;
1144 +
1145 +- if (pos >= inode->i_size)
1146 ++ if (pos >= i_size_read(inode))
1147 + return 0;
1148 +
1149 + if ((pos & blockmask) || (final_size & blockmask))
1150 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
1151 +index dc9f0ecd8f4a..55d4f461992c 100644
1152 +--- a/fs/ext4/inode.c
1153 ++++ b/fs/ext4/inode.c
1154 +@@ -481,6 +481,11 @@ int ext4_map_blocks(handle_t *handle, struct inode *inode,
1155 + ext_debug("ext4_map_blocks(): inode %lu, flag %d, max_blocks %u,"
1156 + "logical block %lu\n", inode->i_ino, flags, map->m_len,
1157 + (unsigned long) map->m_lblk);
1158 ++
1159 ++ /* We can handle the block number less than EXT_MAX_BLOCKS */
1160 ++ if (unlikely(map->m_lblk >= EXT_MAX_BLOCKS))
1161 ++ return -EIO;
1162 ++
1163 + /*
1164 + * Try to see if we can get the block without requesting a new
1165 + * file system block.
1166 +diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
1167 +index 54f566d97176..b46a675e7704 100644
1168 +--- a/fs/ext4/page-io.c
1169 ++++ b/fs/ext4/page-io.c
1170 +@@ -241,13 +241,14 @@ static void ext4_end_bio(struct bio *bio, int error)
1171 +
1172 + if (error) {
1173 + io_end->flag |= EXT4_IO_END_ERROR;
1174 +- ext4_warning(inode->i_sb, "I/O error writing to inode %lu "
1175 ++ ext4_warning(inode->i_sb, "I/O error %d writing to inode %lu "
1176 + "(offset %llu size %ld starting block %llu)",
1177 +- inode->i_ino,
1178 ++ error, inode->i_ino,
1179 + (unsigned long long) io_end->offset,
1180 + (long) io_end->size,
1181 + (unsigned long long)
1182 + bi_sector >> (inode->i_blkbits - 9));
1183 ++ mapping_set_error(inode->i_mapping, error);
1184 + }
1185 +
1186 + if (!(io_end->flag & EXT4_IO_END_UNWRITTEN)) {
1187 +diff --git a/fs/locks.c b/fs/locks.c
1188 +index fcc50ab71cc6..d4f1d89d9bc6 100644
1189 +--- a/fs/locks.c
1190 ++++ b/fs/locks.c
1191 +@@ -1253,11 +1253,10 @@ int __break_lease(struct inode *inode, unsigned int mode)
1192 +
1193 + restart:
1194 + break_time = flock->fl_break_time;
1195 +- if (break_time != 0) {
1196 ++ if (break_time != 0)
1197 + break_time -= jiffies;
1198 +- if (break_time == 0)
1199 +- break_time++;
1200 +- }
1201 ++ if (break_time == 0)
1202 ++ break_time++;
1203 + locks_insert_block(flock, new_fl);
1204 + unlock_flocks();
1205 + error = wait_event_interruptible_timeout(new_fl->fl_wait,
1206 +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
1207 +index 7748d6a18d97..809a38ad96aa 100644
1208 +--- a/fs/nfsd/nfs4callback.c
1209 ++++ b/fs/nfsd/nfs4callback.c
1210 +@@ -633,9 +633,11 @@ static int max_cb_time(void)
1211 +
1212 + static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *conn, struct nfsd4_session *ses)
1213 + {
1214 ++ int maxtime = max_cb_time();
1215 + struct rpc_timeout timeparms = {
1216 +- .to_initval = max_cb_time(),
1217 ++ .to_initval = maxtime,
1218 + .to_retries = 0,
1219 ++ .to_maxval = maxtime,
1220 + };
1221 + struct rpc_create_args args = {
1222 + .net = &init_net,
1223 +diff --git a/include/linux/libata.h b/include/linux/libata.h
1224 +index b1fcdba2cfbe..375dfdf0f397 100644
1225 +--- a/include/linux/libata.h
1226 ++++ b/include/linux/libata.h
1227 +@@ -763,6 +763,7 @@ struct ata_port {
1228 + unsigned long qc_allocated;
1229 + unsigned int qc_active;
1230 + int nr_active_links; /* #links with active qcs */
1231 ++ unsigned int last_tag; /* track next tag hw expects */
1232 +
1233 + struct ata_link link; /* host default link */
1234 + struct ata_link *slave_link; /* see ata_slave_link_init() */
1235 +diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
1236 +index 468819cdde87..226e0ff90e61 100644
1237 +--- a/include/linux/mod_devicetable.h
1238 ++++ b/include/linux/mod_devicetable.h
1239 +@@ -461,7 +461,8 @@ enum dmi_field {
1240 + };
1241 +
1242 + struct dmi_strmatch {
1243 +- unsigned char slot;
1244 ++ unsigned char slot:7;
1245 ++ unsigned char exact_match:1;
1246 + char substr[79];
1247 + };
1248 +
1249 +@@ -489,7 +490,8 @@ struct dmi_system_id {
1250 + #define dmi_device_id dmi_system_id
1251 + #endif
1252 +
1253 +-#define DMI_MATCH(a, b) { a, b }
1254 ++#define DMI_MATCH(a, b) { .slot = a, .substr = b }
1255 ++#define DMI_EXACT_MATCH(a, b) { .slot = a, .substr = b, .exact_match = 1 }
1256 +
1257 + #define PLATFORM_NAME_SIZE 20
1258 + #define PLATFORM_MODULE_PREFIX "platform:"
1259 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
1260 +index d399f5ff5d9c..cac2441956dc 100644
1261 +--- a/mm/hugetlb.c
1262 ++++ b/mm/hugetlb.c
1263 +@@ -1078,6 +1078,7 @@ static void return_unused_surplus_pages(struct hstate *h,
1264 + while (nr_pages--) {
1265 + if (!free_pool_huge_page(h, &node_states[N_HIGH_MEMORY], 1))
1266 + break;
1267 ++ cond_resched_lock(&hugetlb_lock);
1268 + }
1269 + }
1270 +
1271 +diff --git a/mm/memory.c b/mm/memory.c
1272 +index d5f913b9fae4..483e6650593e 100644
1273 +--- a/mm/memory.c
1274 ++++ b/mm/memory.c
1275 +@@ -1852,12 +1852,17 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
1276 + unsigned long address, unsigned int fault_flags)
1277 + {
1278 + struct vm_area_struct *vma;
1279 ++ vm_flags_t vm_flags;
1280 + int ret;
1281 +
1282 + vma = find_extend_vma(mm, address);
1283 + if (!vma || address < vma->vm_start)
1284 + return -EFAULT;
1285 +
1286 ++ vm_flags = (fault_flags & FAULT_FLAG_WRITE) ? VM_WRITE : VM_READ;
1287 ++ if (!(vm_flags & vma->vm_flags))
1288 ++ return -EFAULT;
1289 ++
1290 + ret = handle_mm_fault(mm, vma, address, fault_flags);
1291 + if (ret & VM_FAULT_ERROR) {
1292 + if (ret & VM_FAULT_OOM)
1293
1294 Added: genpatches-2.6/trunk/3.2/1059_linux-3.2.60.patch
1295 ===================================================================
1296 --- genpatches-2.6/trunk/3.2/1059_linux-3.2.60.patch (rev 0)
1297 +++ genpatches-2.6/trunk/3.2/1059_linux-3.2.60.patch 2014-06-09 18:29:31 UTC (rev 2823)
1298 @@ -0,0 +1,2964 @@
1299 +diff --git a/Documentation/input/elantech.txt b/Documentation/input/elantech.txt
1300 +index 5602eb71ad5d..e1ae127ed099 100644
1301 +--- a/Documentation/input/elantech.txt
1302 ++++ b/Documentation/input/elantech.txt
1303 +@@ -504,9 +504,12 @@ byte 5:
1304 + * reg_10
1305 +
1306 + bit 7 6 5 4 3 2 1 0
1307 +- 0 0 0 0 0 0 0 A
1308 ++ 0 0 0 0 R F T A
1309 +
1310 + A: 1 = enable absolute tracking
1311 ++ T: 1 = enable two finger mode auto correct
1312 ++ F: 1 = disable ABS Position Filter
1313 ++ R: 1 = enable real hardware resolution
1314 +
1315 + 6.2 Native absolute mode 6 byte packet format
1316 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1317 +diff --git a/Makefile b/Makefile
1318 +index 1be3414a141f..317d5eab3c66 100644
1319 +--- a/Makefile
1320 ++++ b/Makefile
1321 +@@ -1,6 +1,6 @@
1322 + VERSION = 3
1323 + PATCHLEVEL = 2
1324 +-SUBLEVEL = 59
1325 ++SUBLEVEL = 60
1326 + EXTRAVERSION =
1327 + NAME = Saber-toothed Squirrel
1328 +
1329 +diff --git a/arch/powerpc/lib/crtsavres.S b/arch/powerpc/lib/crtsavres.S
1330 +index 1c893f05d224..21ecdf5e55f9 100644
1331 +--- a/arch/powerpc/lib/crtsavres.S
1332 ++++ b/arch/powerpc/lib/crtsavres.S
1333 +@@ -230,6 +230,87 @@ _GLOBAL(_rest32gpr_31_x)
1334 + mr 1,11
1335 + blr
1336 +
1337 ++#ifdef CONFIG_ALTIVEC
1338 ++/* Called with r0 pointing just beyond the end of the vector save area. */
1339 ++
1340 ++_GLOBAL(_savevr_20)
1341 ++ li r11,-192
1342 ++ stvx vr20,r11,r0
1343 ++_GLOBAL(_savevr_21)
1344 ++ li r11,-176
1345 ++ stvx vr21,r11,r0
1346 ++_GLOBAL(_savevr_22)
1347 ++ li r11,-160
1348 ++ stvx vr22,r11,r0
1349 ++_GLOBAL(_savevr_23)
1350 ++ li r11,-144
1351 ++ stvx vr23,r11,r0
1352 ++_GLOBAL(_savevr_24)
1353 ++ li r11,-128
1354 ++ stvx vr24,r11,r0
1355 ++_GLOBAL(_savevr_25)
1356 ++ li r11,-112
1357 ++ stvx vr25,r11,r0
1358 ++_GLOBAL(_savevr_26)
1359 ++ li r11,-96
1360 ++ stvx vr26,r11,r0
1361 ++_GLOBAL(_savevr_27)
1362 ++ li r11,-80
1363 ++ stvx vr27,r11,r0
1364 ++_GLOBAL(_savevr_28)
1365 ++ li r11,-64
1366 ++ stvx vr28,r11,r0
1367 ++_GLOBAL(_savevr_29)
1368 ++ li r11,-48
1369 ++ stvx vr29,r11,r0
1370 ++_GLOBAL(_savevr_30)
1371 ++ li r11,-32
1372 ++ stvx vr30,r11,r0
1373 ++_GLOBAL(_savevr_31)
1374 ++ li r11,-16
1375 ++ stvx vr31,r11,r0
1376 ++ blr
1377 ++
1378 ++_GLOBAL(_restvr_20)
1379 ++ li r11,-192
1380 ++ lvx vr20,r11,r0
1381 ++_GLOBAL(_restvr_21)
1382 ++ li r11,-176
1383 ++ lvx vr21,r11,r0
1384 ++_GLOBAL(_restvr_22)
1385 ++ li r11,-160
1386 ++ lvx vr22,r11,r0
1387 ++_GLOBAL(_restvr_23)
1388 ++ li r11,-144
1389 ++ lvx vr23,r11,r0
1390 ++_GLOBAL(_restvr_24)
1391 ++ li r11,-128
1392 ++ lvx vr24,r11,r0
1393 ++_GLOBAL(_restvr_25)
1394 ++ li r11,-112
1395 ++ lvx vr25,r11,r0
1396 ++_GLOBAL(_restvr_26)
1397 ++ li r11,-96
1398 ++ lvx vr26,r11,r0
1399 ++_GLOBAL(_restvr_27)
1400 ++ li r11,-80
1401 ++ lvx vr27,r11,r0
1402 ++_GLOBAL(_restvr_28)
1403 ++ li r11,-64
1404 ++ lvx vr28,r11,r0
1405 ++_GLOBAL(_restvr_29)
1406 ++ li r11,-48
1407 ++ lvx vr29,r11,r0
1408 ++_GLOBAL(_restvr_30)
1409 ++ li r11,-32
1410 ++ lvx vr30,r11,r0
1411 ++_GLOBAL(_restvr_31)
1412 ++ li r11,-16
1413 ++ lvx vr31,r11,r0
1414 ++ blr
1415 ++
1416 ++#endif /* CONFIG_ALTIVEC */
1417 ++
1418 + #else /* CONFIG_PPC64 */
1419 +
1420 + .globl _savegpr0_14
1421 +@@ -353,6 +434,111 @@ _restgpr0_31:
1422 + mtlr r0
1423 + blr
1424 +
1425 ++#ifdef CONFIG_ALTIVEC
1426 ++/* Called with r0 pointing just beyond the end of the vector save area. */
1427 ++
1428 ++.globl _savevr_20
1429 ++_savevr_20:
1430 ++ li r12,-192
1431 ++ stvx vr20,r12,r0
1432 ++.globl _savevr_21
1433 ++_savevr_21:
1434 ++ li r12,-176
1435 ++ stvx vr21,r12,r0
1436 ++.globl _savevr_22
1437 ++_savevr_22:
1438 ++ li r12,-160
1439 ++ stvx vr22,r12,r0
1440 ++.globl _savevr_23
1441 ++_savevr_23:
1442 ++ li r12,-144
1443 ++ stvx vr23,r12,r0
1444 ++.globl _savevr_24
1445 ++_savevr_24:
1446 ++ li r12,-128
1447 ++ stvx vr24,r12,r0
1448 ++.globl _savevr_25
1449 ++_savevr_25:
1450 ++ li r12,-112
1451 ++ stvx vr25,r12,r0
1452 ++.globl _savevr_26
1453 ++_savevr_26:
1454 ++ li r12,-96
1455 ++ stvx vr26,r12,r0
1456 ++.globl _savevr_27
1457 ++_savevr_27:
1458 ++ li r12,-80
1459 ++ stvx vr27,r12,r0
1460 ++.globl _savevr_28
1461 ++_savevr_28:
1462 ++ li r12,-64
1463 ++ stvx vr28,r12,r0
1464 ++.globl _savevr_29
1465 ++_savevr_29:
1466 ++ li r12,-48
1467 ++ stvx vr29,r12,r0
1468 ++.globl _savevr_30
1469 ++_savevr_30:
1470 ++ li r12,-32
1471 ++ stvx vr30,r12,r0
1472 ++.globl _savevr_31
1473 ++_savevr_31:
1474 ++ li r12,-16
1475 ++ stvx vr31,r12,r0
1476 ++ blr
1477 ++
1478 ++.globl _restvr_20
1479 ++_restvr_20:
1480 ++ li r12,-192
1481 ++ lvx vr20,r12,r0
1482 ++.globl _restvr_21
1483 ++_restvr_21:
1484 ++ li r12,-176
1485 ++ lvx vr21,r12,r0
1486 ++.globl _restvr_22
1487 ++_restvr_22:
1488 ++ li r12,-160
1489 ++ lvx vr22,r12,r0
1490 ++.globl _restvr_23
1491 ++_restvr_23:
1492 ++ li r12,-144
1493 ++ lvx vr23,r12,r0
1494 ++.globl _restvr_24
1495 ++_restvr_24:
1496 ++ li r12,-128
1497 ++ lvx vr24,r12,r0
1498 ++.globl _restvr_25
1499 ++_restvr_25:
1500 ++ li r12,-112
1501 ++ lvx vr25,r12,r0
1502 ++.globl _restvr_26
1503 ++_restvr_26:
1504 ++ li r12,-96
1505 ++ lvx vr26,r12,r0
1506 ++.globl _restvr_27
1507 ++_restvr_27:
1508 ++ li r12,-80
1509 ++ lvx vr27,r12,r0
1510 ++.globl _restvr_28
1511 ++_restvr_28:
1512 ++ li r12,-64
1513 ++ lvx vr28,r12,r0
1514 ++.globl _restvr_29
1515 ++_restvr_29:
1516 ++ li r12,-48
1517 ++ lvx vr29,r12,r0
1518 ++.globl _restvr_30
1519 ++_restvr_30:
1520 ++ li r12,-32
1521 ++ lvx vr30,r12,r0
1522 ++.globl _restvr_31
1523 ++_restvr_31:
1524 ++ li r12,-16
1525 ++ lvx vr31,r12,r0
1526 ++ blr
1527 ++
1528 ++#endif /* CONFIG_ALTIVEC */
1529 ++
1530 + #endif /* CONFIG_PPC64 */
1531 +
1532 + #endif
1533 +diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h
1534 +index 439a9acc132d..48fa3915fd02 100644
1535 +--- a/arch/x86/include/asm/hugetlb.h
1536 ++++ b/arch/x86/include/asm/hugetlb.h
1537 +@@ -51,6 +51,7 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
1538 + static inline void huge_ptep_clear_flush(struct vm_area_struct *vma,
1539 + unsigned long addr, pte_t *ptep)
1540 + {
1541 ++ ptep_clear_flush(vma, addr, ptep);
1542 + }
1543 +
1544 + static inline int huge_pte_none(pte_t pte)
1545 +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
1546 +index 4ac453114d7e..3e0ccbffff6b 100644
1547 +--- a/arch/x86/kernel/ldt.c
1548 ++++ b/arch/x86/kernel/ldt.c
1549 +@@ -21,6 +21,8 @@
1550 + #include <asm/mmu_context.h>
1551 + #include <asm/syscalls.h>
1552 +
1553 ++int sysctl_ldt16 = 0;
1554 ++
1555 + #ifdef CONFIG_SMP
1556 + static void flush_ldt(void *current_mm)
1557 + {
1558 +@@ -235,7 +237,7 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
1559 + * IRET leaking the high bits of the kernel stack address.
1560 + */
1561 + #ifdef CONFIG_X86_64
1562 +- if (!ldt_info.seg_32bit) {
1563 ++ if (!ldt_info.seg_32bit && !sysctl_ldt16) {
1564 + error = -EINVAL;
1565 + goto out_unlock;
1566 + }
1567 +diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c
1568 +index 468d591dde31..51bdc0546733 100644
1569 +--- a/arch/x86/vdso/vdso32-setup.c
1570 ++++ b/arch/x86/vdso/vdso32-setup.c
1571 +@@ -41,6 +41,7 @@ enum {
1572 + #ifdef CONFIG_X86_64
1573 + #define vdso_enabled sysctl_vsyscall32
1574 + #define arch_setup_additional_pages syscall32_setup_pages
1575 ++extern int sysctl_ldt16;
1576 + #endif
1577 +
1578 + /*
1579 +@@ -388,6 +389,13 @@ static ctl_table abi_table2[] = {
1580 + .mode = 0644,
1581 + .proc_handler = proc_dointvec
1582 + },
1583 ++ {
1584 ++ .procname = "ldt16",
1585 ++ .data = &sysctl_ldt16,
1586 ++ .maxlen = sizeof(int),
1587 ++ .mode = 0644,
1588 ++ .proc_handler = proc_dointvec
1589 ++ },
1590 + {}
1591 + };
1592 +
1593 +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
1594 +index 8176b82b2e4c..392306472e5e 100644
1595 +--- a/drivers/acpi/ec.c
1596 ++++ b/drivers/acpi/ec.c
1597 +@@ -70,6 +70,8 @@ enum ec_command {
1598 + #define ACPI_EC_DELAY 500 /* Wait 500ms max. during EC ops */
1599 + #define ACPI_EC_UDELAY_GLK 1000 /* Wait 1ms max. to get global lock */
1600 + #define ACPI_EC_MSI_UDELAY 550 /* Wait 550us for MSI EC */
1601 ++#define ACPI_EC_CLEAR_MAX 100 /* Maximum number of events to query
1602 ++ * when trying to clear the EC */
1603 +
1604 + enum {
1605 + EC_FLAGS_QUERY_PENDING, /* Query is pending */
1606 +@@ -123,6 +125,7 @@ EXPORT_SYMBOL(first_ec);
1607 + static int EC_FLAGS_MSI; /* Out-of-spec MSI controller */
1608 + static int EC_FLAGS_VALIDATE_ECDT; /* ASUStec ECDTs need to be validated */
1609 + static int EC_FLAGS_SKIP_DSDT_SCAN; /* Not all BIOS survive early DSDT scan */
1610 ++static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */
1611 +
1612 + /* --------------------------------------------------------------------------
1613 + Transaction Management
1614 +@@ -203,13 +206,13 @@ unlock:
1615 + spin_unlock_irqrestore(&ec->curr_lock, flags);
1616 + }
1617 +
1618 +-static int acpi_ec_sync_query(struct acpi_ec *ec);
1619 ++static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data);
1620 +
1621 + static int ec_check_sci_sync(struct acpi_ec *ec, u8 state)
1622 + {
1623 + if (state & ACPI_EC_FLAG_SCI) {
1624 + if (!test_and_set_bit(EC_FLAGS_QUERY_PENDING, &ec->flags))
1625 +- return acpi_ec_sync_query(ec);
1626 ++ return acpi_ec_sync_query(ec, NULL);
1627 + }
1628 + return 0;
1629 + }
1630 +@@ -449,6 +452,27 @@ int ec_transaction(u8 command,
1631 +
1632 + EXPORT_SYMBOL(ec_transaction);
1633 +
1634 ++/*
1635 ++ * Process _Q events that might have accumulated in the EC.
1636 ++ * Run with locked ec mutex.
1637 ++ */
1638 ++static void acpi_ec_clear(struct acpi_ec *ec)
1639 ++{
1640 ++ int i, status;
1641 ++ u8 value = 0;
1642 ++
1643 ++ for (i = 0; i < ACPI_EC_CLEAR_MAX; i++) {
1644 ++ status = acpi_ec_sync_query(ec, &value);
1645 ++ if (status || !value)
1646 ++ break;
1647 ++ }
1648 ++
1649 ++ if (unlikely(i == ACPI_EC_CLEAR_MAX))
1650 ++ pr_warn("Warning: Maximum of %d stale EC events cleared\n", i);
1651 ++ else
1652 ++ pr_info("%d stale EC events cleared\n", i);
1653 ++}
1654 ++
1655 + void acpi_ec_block_transactions(void)
1656 + {
1657 + struct acpi_ec *ec = first_ec;
1658 +@@ -472,6 +496,10 @@ void acpi_ec_unblock_transactions(void)
1659 + mutex_lock(&ec->lock);
1660 + /* Allow transactions to be carried out again */
1661 + clear_bit(EC_FLAGS_BLOCKED, &ec->flags);
1662 ++
1663 ++ if (EC_FLAGS_CLEAR_ON_RESUME)
1664 ++ acpi_ec_clear(ec);
1665 ++
1666 + mutex_unlock(&ec->lock);
1667 + }
1668 +
1669 +@@ -561,13 +589,18 @@ static void acpi_ec_run(void *cxt)
1670 + kfree(handler);
1671 + }
1672 +
1673 +-static int acpi_ec_sync_query(struct acpi_ec *ec)
1674 ++static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data)
1675 + {
1676 + u8 value = 0;
1677 + int status;
1678 + struct acpi_ec_query_handler *handler, *copy;
1679 +- if ((status = acpi_ec_query_unlocked(ec, &value)))
1680 ++
1681 ++ status = acpi_ec_query_unlocked(ec, &value);
1682 ++ if (data)
1683 ++ *data = value;
1684 ++ if (status)
1685 + return status;
1686 ++
1687 + list_for_each_entry(handler, &ec->list, node) {
1688 + if (value == handler->query_bit) {
1689 + /* have custom handler for this bit */
1690 +@@ -590,7 +623,7 @@ static void acpi_ec_gpe_query(void *ec_cxt)
1691 + if (!ec)
1692 + return;
1693 + mutex_lock(&ec->lock);
1694 +- acpi_ec_sync_query(ec);
1695 ++ acpi_ec_sync_query(ec, NULL);
1696 + mutex_unlock(&ec->lock);
1697 + }
1698 +
1699 +@@ -828,6 +861,13 @@ static int acpi_ec_add(struct acpi_device *device)
1700 +
1701 + /* EC is fully operational, allow queries */
1702 + clear_bit(EC_FLAGS_QUERY_PENDING, &ec->flags);
1703 ++
1704 ++ /* Clear stale _Q events if hardware might require that */
1705 ++ if (EC_FLAGS_CLEAR_ON_RESUME) {
1706 ++ mutex_lock(&ec->lock);
1707 ++ acpi_ec_clear(ec);
1708 ++ mutex_unlock(&ec->lock);
1709 ++ }
1710 + return ret;
1711 + }
1712 +
1713 +@@ -929,6 +969,30 @@ static int ec_enlarge_storm_threshold(const struct dmi_system_id *id)
1714 + return 0;
1715 + }
1716 +
1717 ++/*
1718 ++ * On some hardware it is necessary to clear events accumulated by the EC during
1719 ++ * sleep. These ECs stop reporting GPEs until they are manually polled, if too
1720 ++ * many events are accumulated. (e.g. Samsung Series 5/9 notebooks)
1721 ++ *
1722 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=44161
1723 ++ *
1724 ++ * Ideally, the EC should also be instructed NOT to accumulate events during
1725 ++ * sleep (which Windows seems to do somehow), but the interface to control this
1726 ++ * behaviour is not known at this time.
1727 ++ *
1728 ++ * Models known to be affected are Samsung 530Uxx/535Uxx/540Uxx/550Pxx/900Xxx,
1729 ++ * however it is very likely that other Samsung models are affected.
1730 ++ *
1731 ++ * On systems which don't accumulate _Q events during sleep, this extra check
1732 ++ * should be harmless.
1733 ++ */
1734 ++static int ec_clear_on_resume(const struct dmi_system_id *id)
1735 ++{
1736 ++ pr_debug("Detected system needing EC poll on resume.\n");
1737 ++ EC_FLAGS_CLEAR_ON_RESUME = 1;
1738 ++ return 0;
1739 ++}
1740 ++
1741 + static struct dmi_system_id __initdata ec_dmi_table[] = {
1742 + {
1743 + ec_skip_dsdt_scan, "Compal JFL92", {
1744 +@@ -968,6 +1032,9 @@ static struct dmi_system_id __initdata ec_dmi_table[] = {
1745 + ec_validate_ecdt, "ASUS hardware", {
1746 + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer Inc."),
1747 + DMI_MATCH(DMI_PRODUCT_NAME, "L4R"),}, NULL},
1748 ++ {
1749 ++ ec_clear_on_resume, "Samsung hardware", {
1750 ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL},
1751 + {},
1752 + };
1753 +
1754 +diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
1755 +index f8f41e0e8a8c..89b30f32ba68 100644
1756 +--- a/drivers/atm/ambassador.c
1757 ++++ b/drivers/atm/ambassador.c
1758 +@@ -802,7 +802,7 @@ static void fill_rx_pool (amb_dev * dev, unsigned char pool,
1759 + }
1760 + // cast needed as there is no %? for pointer differences
1761 + PRINTD (DBG_SKB, "allocated skb at %p, head %p, area %li",
1762 +- skb, skb->head, (long) (skb_end_pointer(skb) - skb->head));
1763 ++ skb, skb->head, (long) skb_end_offset(skb));
1764 + rx.handle = virt_to_bus (skb);
1765 + rx.host_address = cpu_to_be32 (virt_to_bus (skb->data));
1766 + if (rx_give (dev, &rx, pool))
1767 +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
1768 +index b0e75ce3c8fc..81845fa2a9cd 100644
1769 +--- a/drivers/atm/idt77252.c
1770 ++++ b/drivers/atm/idt77252.c
1771 +@@ -1258,7 +1258,7 @@ idt77252_rx_raw(struct idt77252_dev *card)
1772 + tail = readl(SAR_REG_RAWCT);
1773 +
1774 + pci_dma_sync_single_for_cpu(card->pcidev, IDT77252_PRV_PADDR(queue),
1775 +- skb_end_pointer(queue) - queue->head - 16,
1776 ++ skb_end_offset(queue) - 16,
1777 + PCI_DMA_FROMDEVICE);
1778 +
1779 + while (head != tail) {
1780 +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
1781 +index 3539f9b1e002..6fe003a2fca8 100644
1782 +--- a/drivers/bluetooth/ath3k.c
1783 ++++ b/drivers/bluetooth/ath3k.c
1784 +@@ -81,6 +81,7 @@ static struct usb_device_id ath3k_table[] = {
1785 + { USB_DEVICE(0x04CA, 0x3004) },
1786 + { USB_DEVICE(0x04CA, 0x3005) },
1787 + { USB_DEVICE(0x04CA, 0x3006) },
1788 ++ { USB_DEVICE(0x04CA, 0x3007) },
1789 + { USB_DEVICE(0x04CA, 0x3008) },
1790 + { USB_DEVICE(0x13d3, 0x3362) },
1791 + { USB_DEVICE(0x0CF3, 0xE004) },
1792 +@@ -123,6 +124,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
1793 + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
1794 + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
1795 + { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
1796 ++ { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
1797 + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
1798 + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
1799 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
1800 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
1801 +index f18b5a28f10c..dddcb1dc6065 100644
1802 +--- a/drivers/bluetooth/btusb.c
1803 ++++ b/drivers/bluetooth/btusb.c
1804 +@@ -152,6 +152,7 @@ static struct usb_device_id blacklist_table[] = {
1805 + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
1806 + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
1807 + { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
1808 ++ { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
1809 + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
1810 + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
1811 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
1812 +diff --git a/drivers/crypto/caam/error.c b/drivers/crypto/caam/error.c
1813 +index 7e2d54bffad6..9b8d231b1da6 100644
1814 +--- a/drivers/crypto/caam/error.c
1815 ++++ b/drivers/crypto/caam/error.c
1816 +@@ -16,9 +16,13 @@
1817 + char *tmp; \
1818 + \
1819 + tmp = kmalloc(sizeof(format) + max_alloc, GFP_ATOMIC); \
1820 +- sprintf(tmp, format, param); \
1821 +- strcat(str, tmp); \
1822 +- kfree(tmp); \
1823 ++ if (likely(tmp)) { \
1824 ++ sprintf(tmp, format, param); \
1825 ++ strcat(str, tmp); \
1826 ++ kfree(tmp); \
1827 ++ } else { \
1828 ++ strcat(str, "kmalloc failure in SPRINTFCAT"); \
1829 ++ } \
1830 + }
1831 +
1832 + static void report_jump_idx(u32 status, char *outstr)
1833 +diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
1834 +index 9a353c2216d0..9b01145e6723 100644
1835 +--- a/drivers/dma/mv_xor.c
1836 ++++ b/drivers/dma/mv_xor.c
1837 +@@ -218,12 +218,10 @@ static void mv_set_mode(struct mv_xor_chan *chan,
1838 +
1839 + static void mv_chan_activate(struct mv_xor_chan *chan)
1840 + {
1841 +- u32 activation;
1842 +-
1843 + dev_dbg(chan->device->common.dev, " activate chan.\n");
1844 +- activation = __raw_readl(XOR_ACTIVATION(chan));
1845 +- activation |= 0x1;
1846 +- __raw_writel(activation, XOR_ACTIVATION(chan));
1847 ++
1848 ++ /* writel ensures all descriptors are flushed before activation */
1849 ++ writel(BIT(0), XOR_ACTIVATION(chan));
1850 + }
1851 +
1852 + static char mv_chan_is_busy(struct mv_xor_chan *chan)
1853 +diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c
1854 +index 3df56c7c692f..5ee8cca9ee6c 100644
1855 +--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
1856 ++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
1857 +@@ -332,9 +332,6 @@ bool nouveau_acpi_rom_supported(struct pci_dev *pdev)
1858 + acpi_status status;
1859 + acpi_handle dhandle, rom_handle;
1860 +
1861 +- if (!nouveau_dsm_priv.dsm_detected && !nouveau_dsm_priv.optimus_detected)
1862 +- return false;
1863 +-
1864 + dhandle = DEVICE_ACPI_HANDLE(&pdev->dev);
1865 + if (!dhandle)
1866 + return false;
1867 +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
1868 +index d306cc8fdeaa..ccf324b451c4 100644
1869 +--- a/drivers/gpu/drm/radeon/radeon_bios.c
1870 ++++ b/drivers/gpu/drm/radeon/radeon_bios.c
1871 +@@ -173,6 +173,20 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev)
1872 + }
1873 + }
1874 +
1875 ++ if (!found) {
1876 ++ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) {
1877 ++ dhandle = DEVICE_ACPI_HANDLE(&pdev->dev);
1878 ++ if (!dhandle)
1879 ++ continue;
1880 ++
1881 ++ status = acpi_get_handle(dhandle, "ATRM", &atrm_handle);
1882 ++ if (!ACPI_FAILURE(status)) {
1883 ++ found = true;
1884 ++ break;
1885 ++ }
1886 ++ }
1887 ++ }
1888 ++
1889 + if (!found)
1890 + return false;
1891 +
1892 +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c
1893 +index f3ae60759c5f..3e35bbe96e3a 100644
1894 +--- a/drivers/gpu/drm/radeon/radeon_object.c
1895 ++++ b/drivers/gpu/drm/radeon/radeon_object.c
1896 +@@ -513,22 +513,30 @@ int radeon_bo_fault_reserve_notify(struct ttm_buffer_object *bo)
1897 + rbo = container_of(bo, struct radeon_bo, tbo);
1898 + radeon_bo_check_tiling(rbo, 0, 0);
1899 + rdev = rbo->rdev;
1900 +- if (bo->mem.mem_type == TTM_PL_VRAM) {
1901 +- size = bo->mem.num_pages << PAGE_SHIFT;
1902 +- offset = bo->mem.start << PAGE_SHIFT;
1903 +- if ((offset + size) > rdev->mc.visible_vram_size) {
1904 +- /* hurrah the memory is not visible ! */
1905 +- radeon_ttm_placement_from_domain(rbo, RADEON_GEM_DOMAIN_VRAM);
1906 +- rbo->placement.lpfn = rdev->mc.visible_vram_size >> PAGE_SHIFT;
1907 +- r = ttm_bo_validate(bo, &rbo->placement, false, true, false);
1908 +- if (unlikely(r != 0))
1909 +- return r;
1910 +- offset = bo->mem.start << PAGE_SHIFT;
1911 +- /* this should not happen */
1912 +- if ((offset + size) > rdev->mc.visible_vram_size)
1913 +- return -EINVAL;
1914 +- }
1915 ++ if (bo->mem.mem_type != TTM_PL_VRAM)
1916 ++ return 0;
1917 ++
1918 ++ size = bo->mem.num_pages << PAGE_SHIFT;
1919 ++ offset = bo->mem.start << PAGE_SHIFT;
1920 ++ if ((offset + size) <= rdev->mc.visible_vram_size)
1921 ++ return 0;
1922 ++
1923 ++ /* hurrah the memory is not visible ! */
1924 ++ radeon_ttm_placement_from_domain(rbo, RADEON_GEM_DOMAIN_VRAM);
1925 ++ rbo->placement.lpfn = rdev->mc.visible_vram_size >> PAGE_SHIFT;
1926 ++ r = ttm_bo_validate(bo, &rbo->placement, false, true, false);
1927 ++ if (unlikely(r == -ENOMEM)) {
1928 ++ radeon_ttm_placement_from_domain(rbo, RADEON_GEM_DOMAIN_GTT);
1929 ++ return ttm_bo_validate(bo, &rbo->placement, false, true, false);
1930 ++ } else if (unlikely(r != 0)) {
1931 ++ return r;
1932 + }
1933 ++
1934 ++ offset = bo->mem.start << PAGE_SHIFT;
1935 ++ /* this should never happen */
1936 ++ if ((offset + size) > rdev->mc.visible_vram_size)
1937 ++ return -EINVAL;
1938 ++
1939 + return 0;
1940 + }
1941 +
1942 +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
1943 +index 40932fbdac0f..84ba033dd68a 100644
1944 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
1945 ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
1946 +@@ -558,14 +558,36 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
1947 + } *cmd;
1948 + int ret;
1949 + struct vmw_resource *res;
1950 ++ SVGA3dCmdSurfaceDMASuffix *suffix;
1951 ++ uint32_t bo_size;
1952 +
1953 + cmd = container_of(header, struct vmw_dma_cmd, header);
1954 ++ suffix = (SVGA3dCmdSurfaceDMASuffix *)((unsigned long) &cmd->dma +
1955 ++ header->size - sizeof(*suffix));
1956 ++
1957 ++ /* Make sure device and verifier stays in sync. */
1958 ++ if (unlikely(suffix->suffixSize != sizeof(*suffix))) {
1959 ++ DRM_ERROR("Invalid DMA suffix size.\n");
1960 ++ return -EINVAL;
1961 ++ }
1962 ++
1963 + ret = vmw_translate_guest_ptr(dev_priv, sw_context,
1964 + &cmd->dma.guest.ptr,
1965 + &vmw_bo);
1966 + if (unlikely(ret != 0))
1967 + return ret;
1968 +
1969 ++ /* Make sure DMA doesn't cross BO boundaries. */
1970 ++ bo_size = vmw_bo->base.num_pages * PAGE_SIZE;
1971 ++ if (unlikely(cmd->dma.guest.ptr.offset > bo_size)) {
1972 ++ DRM_ERROR("Invalid DMA offset.\n");
1973 ++ return -EINVAL;
1974 ++ }
1975 ++
1976 ++ bo_size -= cmd->dma.guest.ptr.offset;
1977 ++ if (unlikely(suffix->maximumOffset > bo_size))
1978 ++ suffix->maximumOffset = bo_size;
1979 ++
1980 + bo = &vmw_bo->base;
1981 + ret = vmw_user_surface_lookup_handle(dev_priv, sw_context->tfile,
1982 + cmd->dma.host.sid, &srf);
1983 +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
1984 +index ca2b3e6c4e9f..ccc89b0e14d9 100644
1985 +--- a/drivers/hid/hid-ids.h
1986 ++++ b/drivers/hid/hid-ids.h
1987 +@@ -678,6 +678,13 @@
1988 + #define USB_DEVICE_ID_SYMBOL_SCANNER_1 0x0800
1989 + #define USB_DEVICE_ID_SYMBOL_SCANNER_2 0x1300
1990 +
1991 ++#define USB_VENDOR_ID_SYNAPTICS 0x06cb
1992 ++#define USB_DEVICE_ID_SYNAPTICS_LTS1 0x0af8
1993 ++#define USB_DEVICE_ID_SYNAPTICS_LTS2 0x1d10
1994 ++#define USB_DEVICE_ID_SYNAPTICS_HD 0x0ac3
1995 ++#define USB_DEVICE_ID_SYNAPTICS_QUAD_HD 0x1ac3
1996 ++#define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710
1997 ++
1998 + #define USB_VENDOR_ID_THRUSTMASTER 0x044f
1999 +
2000 + #define USB_VENDOR_ID_TOPSEED 0x0766
2001 +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
2002 +index f98fbad966e7..71c258295045 100644
2003 +--- a/drivers/hid/usbhid/hid-quirks.c
2004 ++++ b/drivers/hid/usbhid/hid-quirks.c
2005 +@@ -100,6 +100,11 @@ static const struct hid_blacklist {
2006 + { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS, HID_QUIRK_MULTI_INPUT },
2007 + { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS },
2008 + { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
2009 ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS1, HID_QUIRK_NO_INIT_REPORTS },
2010 ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS2, HID_QUIRK_NO_INIT_REPORTS },
2011 ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_HD, HID_QUIRK_NO_INIT_REPORTS },
2012 ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_QUAD_HD, HID_QUIRK_NO_INIT_REPORTS },
2013 ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_TP_V103, HID_QUIRK_NO_INIT_REPORTS },
2014 +
2015 + { 0, 0 }
2016 + };
2017 +diff --git a/drivers/hwmon/emc1403.c b/drivers/hwmon/emc1403.c
2018 +index cd2a6e437aec..7da08accab8b 100644
2019 +--- a/drivers/hwmon/emc1403.c
2020 ++++ b/drivers/hwmon/emc1403.c
2021 +@@ -159,7 +159,7 @@ static ssize_t store_hyst(struct device *dev,
2022 + if (retval < 0)
2023 + goto fail;
2024 +
2025 +- hyst = val - retval * 1000;
2026 ++ hyst = retval * 1000 - val;
2027 + hyst = DIV_ROUND_CLOSEST(hyst, 1000);
2028 + if (hyst < 0 || hyst > 255) {
2029 + retval = -ERANGE;
2030 +@@ -290,7 +290,7 @@ static int emc1403_detect(struct i2c_client *client,
2031 + }
2032 +
2033 + id = i2c_smbus_read_byte_data(client, THERMAL_REVISION_REG);
2034 +- if (id != 0x01)
2035 ++ if (id < 0x01 || id > 0x04)
2036 + return -ENODEV;
2037 +
2038 + return 0;
2039 +diff --git a/drivers/i2c/busses/i2c-designware-core.c b/drivers/i2c/busses/i2c-designware-core.c
2040 +index 3c2812f13d96..aadb3984f0d3 100644
2041 +--- a/drivers/i2c/busses/i2c-designware-core.c
2042 ++++ b/drivers/i2c/busses/i2c-designware-core.c
2043 +@@ -346,6 +346,9 @@ static void i2c_dw_xfer_init(struct dw_i2c_dev *dev)
2044 + ic_con &= ~DW_IC_CON_10BITADDR_MASTER;
2045 + dw_writel(dev, ic_con, DW_IC_CON);
2046 +
2047 ++ /* enforce disabled interrupts (due to HW issues) */
2048 ++ i2c_dw_disable_int(dev);
2049 ++
2050 + /* Enable the adapter */
2051 + dw_writel(dev, 1, DW_IC_ENABLE);
2052 +
2053 +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
2054 +index 4c1718081685..7d6d2b76b92e 100644
2055 +--- a/drivers/i2c/busses/i2c-s3c2410.c
2056 ++++ b/drivers/i2c/busses/i2c-s3c2410.c
2057 +@@ -1082,10 +1082,10 @@ static int s3c24xx_i2c_resume(struct device *dev)
2058 + struct platform_device *pdev = to_platform_device(dev);
2059 + struct s3c24xx_i2c *i2c = platform_get_drvdata(pdev);
2060 +
2061 +- i2c->suspended = 0;
2062 + clk_enable(i2c->clk);
2063 + s3c24xx_i2c_init(i2c);
2064 + clk_disable(i2c->clk);
2065 ++ i2c->suspended = 0;
2066 +
2067 + return 0;
2068 + }
2069 +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
2070 +index e2a9867c19d5..342a059184a3 100644
2071 +--- a/drivers/input/mouse/elantech.c
2072 ++++ b/drivers/input/mouse/elantech.c
2073 +@@ -11,6 +11,7 @@
2074 + */
2075 +
2076 + #include <linux/delay.h>
2077 ++#include <linux/dmi.h>
2078 + #include <linux/slab.h>
2079 + #include <linux/module.h>
2080 + #include <linux/input.h>
2081 +@@ -783,7 +784,11 @@ static int elantech_set_absolute_mode(struct psmouse *psmouse)
2082 + break;
2083 +
2084 + case 3:
2085 +- etd->reg_10 = 0x0b;
2086 ++ if (etd->set_hw_resolution)
2087 ++ etd->reg_10 = 0x0b;
2088 ++ else
2089 ++ etd->reg_10 = 0x03;
2090 ++
2091 + if (elantech_write_reg(psmouse, 0x10, etd->reg_10))
2092 + rc = -1;
2093 +
2094 +@@ -1206,6 +1211,22 @@ static int elantech_reconnect(struct psmouse *psmouse)
2095 + }
2096 +
2097 + /*
2098 ++ * Some hw_version 3 models go into error state when we try to set bit 3 of r10
2099 ++ */
2100 ++static const struct dmi_system_id no_hw_res_dmi_table[] = {
2101 ++#if defined(CONFIG_DMI) && defined(CONFIG_X86)
2102 ++ {
2103 ++ /* Gigabyte U2442 */
2104 ++ .matches = {
2105 ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
2106 ++ DMI_MATCH(DMI_PRODUCT_NAME, "U2442"),
2107 ++ },
2108 ++ },
2109 ++#endif
2110 ++ { }
2111 ++};
2112 ++
2113 ++/*
2114 + * determine hardware version and set some properties according to it.
2115 + */
2116 + static int elantech_set_properties(struct elantech_data *etd)
2117 +@@ -1254,6 +1275,9 @@ static int elantech_set_properties(struct elantech_data *etd)
2118 + etd->reports_pressure = true;
2119 + }
2120 +
2121 ++ /* Enable real hardware resolution on hw_version 3 ? */
2122 ++ etd->set_hw_resolution = !dmi_check_system(no_hw_res_dmi_table);
2123 ++
2124 + return 0;
2125 + }
2126 +
2127 +diff --git a/drivers/input/mouse/elantech.h b/drivers/input/mouse/elantech.h
2128 +index 9e5f1aabea7e..3569bed80a28 100644
2129 +--- a/drivers/input/mouse/elantech.h
2130 ++++ b/drivers/input/mouse/elantech.h
2131 +@@ -128,6 +128,7 @@ struct elantech_data {
2132 + bool paritycheck;
2133 + bool jumpy_cursor;
2134 + bool reports_pressure;
2135 ++ bool set_hw_resolution;
2136 + unsigned char hw_version;
2137 + unsigned int fw_version;
2138 + unsigned int single_finger_reports;
2139 +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
2140 +index 886c1914146b..8a398076d1e5 100644
2141 +--- a/drivers/input/mouse/synaptics.c
2142 ++++ b/drivers/input/mouse/synaptics.c
2143 +@@ -1394,6 +1394,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
2144 + .driver_data = (int []){1232, 5710, 1156, 4696},
2145 + },
2146 + {
2147 ++ /* Lenovo ThinkPad Edge E431 */
2148 ++ .matches = {
2149 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
2150 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"),
2151 ++ },
2152 ++ .driver_data = (int []){1024, 5022, 2508, 4832},
2153 ++ },
2154 ++ {
2155 + /* Lenovo ThinkPad T431s */
2156 + .matches = {
2157 + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
2158 +diff --git a/drivers/md/md.c b/drivers/md/md.c
2159 +index 2d0544c92737..db4b4a82843a 100644
2160 +--- a/drivers/md/md.c
2161 ++++ b/drivers/md/md.c
2162 +@@ -8122,7 +8122,8 @@ static int md_notify_reboot(struct notifier_block *this,
2163 + if (mddev_trylock(mddev)) {
2164 + if (mddev->pers)
2165 + __md_stop_writes(mddev);
2166 +- mddev->safemode = 2;
2167 ++ if (mddev->persistent)
2168 ++ mddev->safemode = 2;
2169 + mddev_unlock(mddev);
2170 + }
2171 + need_delay = 1;
2172 +diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
2173 +index 6edc9ba81203..298703fca3b5 100644
2174 +--- a/drivers/media/media-device.c
2175 ++++ b/drivers/media/media-device.c
2176 +@@ -90,6 +90,7 @@ static long media_device_enum_entities(struct media_device *mdev,
2177 + struct media_entity *ent;
2178 + struct media_entity_desc u_ent;
2179 +
2180 ++ memset(&u_ent, 0, sizeof(u_ent));
2181 + if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id)))
2182 + return -EFAULT;
2183 +
2184 +diff --git a/drivers/media/video/ov7670.c b/drivers/media/video/ov7670.c
2185 +index 8aa058531280..17125d96297b 100644
2186 +--- a/drivers/media/video/ov7670.c
2187 ++++ b/drivers/media/video/ov7670.c
2188 +@@ -937,7 +937,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev *sd,
2189 + * windows that fall outside that.
2190 + */
2191 + for (i = 0; i < N_WIN_SIZES; i++) {
2192 +- struct ov7670_win_size *win = &ov7670_win_sizes[index];
2193 ++ struct ov7670_win_size *win = &ov7670_win_sizes[i];
2194 + if (info->min_width && win->width < info->min_width)
2195 + continue;
2196 + if (info->min_height && win->height < info->min_height)
2197 +diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c
2198 +index c68531b88279..2671959f01bb 100644
2199 +--- a/drivers/media/video/v4l2-compat-ioctl32.c
2200 ++++ b/drivers/media/video/v4l2-compat-ioctl32.c
2201 +@@ -178,6 +178,9 @@ struct v4l2_create_buffers32 {
2202 +
2203 + static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
2204 + {
2205 ++ if (get_user(kp->type, &up->type))
2206 ++ return -EFAULT;
2207 ++
2208 + switch (kp->type) {
2209 + case V4L2_BUF_TYPE_VIDEO_CAPTURE:
2210 + case V4L2_BUF_TYPE_VIDEO_OUTPUT:
2211 +@@ -208,17 +211,16 @@ static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us
2212 +
2213 + static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
2214 + {
2215 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)) ||
2216 +- get_user(kp->type, &up->type))
2217 +- return -EFAULT;
2218 ++ if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)))
2219 ++ return -EFAULT;
2220 + return __get_v4l2_format32(kp, up);
2221 + }
2222 +
2223 + static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
2224 + {
2225 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) ||
2226 +- copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format.fmt)))
2227 +- return -EFAULT;
2228 ++ copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
2229 ++ return -EFAULT;
2230 + return __get_v4l2_format32(&kp->format, &up->format);
2231 + }
2232 +
2233 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
2234 +index 1bf36ac44a10..5af2a8f29bc0 100644
2235 +--- a/drivers/net/bonding/bond_main.c
2236 ++++ b/drivers/net/bonding/bond_main.c
2237 +@@ -4914,6 +4914,7 @@ static int __init bonding_init(void)
2238 + out:
2239 + return res;
2240 + err:
2241 ++ bond_destroy_debugfs();
2242 + rtnl_link_unregister(&bond_link_ops);
2243 + err_link:
2244 + unregister_pernet_subsys(&bond_net_ops);
2245 +diff --git a/drivers/net/can/sja1000/peak_pci.c b/drivers/net/can/sja1000/peak_pci.c
2246 +index 2c7f5036f570..5192f8615258 100644
2247 +--- a/drivers/net/can/sja1000/peak_pci.c
2248 ++++ b/drivers/net/can/sja1000/peak_pci.c
2249 +@@ -39,9 +39,9 @@ MODULE_LICENSE("GPL v2");
2250 + #define DRV_NAME "peak_pci"
2251 +
2252 + struct peak_pci_chan {
2253 +- void __iomem *cfg_base; /* Common for all channels */
2254 +- struct net_device *next_dev; /* Chain of network devices */
2255 +- u16 icr_mask; /* Interrupt mask for fast ack */
2256 ++ void __iomem *cfg_base; /* Common for all channels */
2257 ++ struct net_device *prev_dev; /* Chain of network devices */
2258 ++ u16 icr_mask; /* Interrupt mask for fast ack */
2259 + };
2260 +
2261 + #define PEAK_PCI_CAN_CLOCK (16000000 / 2)
2262 +@@ -98,7 +98,7 @@ static int __devinit peak_pci_probe(struct pci_dev *pdev,
2263 + {
2264 + struct sja1000_priv *priv;
2265 + struct peak_pci_chan *chan;
2266 +- struct net_device *dev, *dev0 = NULL;
2267 ++ struct net_device *dev, *prev_dev;
2268 + void __iomem *cfg_base, *reg_base;
2269 + u16 sub_sys_id, icr;
2270 + int i, err, channels;
2271 +@@ -196,18 +196,14 @@ static int __devinit peak_pci_probe(struct pci_dev *pdev,
2272 + }
2273 +
2274 + /* Create chain of SJA1000 devices */
2275 +- if (i == 0)
2276 +- dev0 = dev;
2277 +- else
2278 +- chan->next_dev = dev;
2279 ++ chan->prev_dev = pci_get_drvdata(pdev);
2280 ++ pci_set_drvdata(pdev, dev);
2281 +
2282 + dev_info(&pdev->dev,
2283 + "%s at reg_base=0x%p cfg_base=0x%p irq=%d\n",
2284 + dev->name, priv->reg_base, chan->cfg_base, dev->irq);
2285 + }
2286 +
2287 +- pci_set_drvdata(pdev, dev0);
2288 +-
2289 + /* Enable interrupts */
2290 + writew(icr, cfg_base + PITA_ICR + 2);
2291 +
2292 +@@ -217,12 +213,13 @@ failure_remove_channels:
2293 + /* Disable interrupts */
2294 + writew(0x0, cfg_base + PITA_ICR + 2);
2295 +
2296 +- for (dev = dev0; dev; dev = chan->next_dev) {
2297 +- unregister_sja1000dev(dev);
2298 +- free_sja1000dev(dev);
2299 ++ for (dev = pci_get_drvdata(pdev); dev; dev = prev_dev) {
2300 + priv = netdev_priv(dev);
2301 + chan = priv->priv;
2302 +- dev = chan->next_dev;
2303 ++ prev_dev = chan->prev_dev;
2304 ++
2305 ++ unregister_sja1000dev(dev);
2306 ++ free_sja1000dev(dev);
2307 + }
2308 +
2309 + pci_iounmap(pdev, reg_base);
2310 +@@ -241,7 +238,7 @@ failure_disable_pci:
2311 +
2312 + static void __devexit peak_pci_remove(struct pci_dev *pdev)
2313 + {
2314 +- struct net_device *dev = pci_get_drvdata(pdev); /* First device */
2315 ++ struct net_device *dev = pci_get_drvdata(pdev); /* Last device */
2316 + struct sja1000_priv *priv = netdev_priv(dev);
2317 + struct peak_pci_chan *chan = priv->priv;
2318 + void __iomem *cfg_base = chan->cfg_base;
2319 +@@ -252,10 +249,12 @@ static void __devexit peak_pci_remove(struct pci_dev *pdev)
2320 +
2321 + /* Loop over all registered devices */
2322 + while (1) {
2323 ++ struct net_device *prev_dev = chan->prev_dev;
2324 ++
2325 + dev_info(&pdev->dev, "removing device %s\n", dev->name);
2326 + unregister_sja1000dev(dev);
2327 + free_sja1000dev(dev);
2328 +- dev = chan->next_dev;
2329 ++ dev = prev_dev;
2330 + if (!dev)
2331 + break;
2332 + priv = netdev_priv(dev);
2333 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
2334 +index c77c462bcee5..2615433b279f 100644
2335 +--- a/drivers/net/ethernet/broadcom/tg3.c
2336 ++++ b/drivers/net/ethernet/broadcom/tg3.c
2337 +@@ -10656,7 +10656,9 @@ static int tg3_set_ringparam(struct net_device *dev, struct ethtool_ringparam *e
2338 + if (tg3_flag(tp, MAX_RXPEND_64) &&
2339 + tp->rx_pending > 63)
2340 + tp->rx_pending = 63;
2341 +- tp->rx_jumbo_pending = ering->rx_jumbo_pending;
2342 ++
2343 ++ if (tg3_flag(tp, JUMBO_RING_ENABLE))
2344 ++ tp->rx_jumbo_pending = ering->rx_jumbo_pending;
2345 +
2346 + for (i = 0; i < tp->irq_max; i++)
2347 + tp->napi[i].tx_pending = ering->tx_pending;
2348 +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
2349 +index 301b39ed96ce..b74cdf6a0d7d 100644
2350 +--- a/drivers/net/macvlan.c
2351 ++++ b/drivers/net/macvlan.c
2352 +@@ -236,11 +236,9 @@ static int macvlan_queue_xmit(struct sk_buff *skb, struct net_device *dev)
2353 + const struct macvlan_dev *vlan = netdev_priv(dev);
2354 + const struct macvlan_port *port = vlan->port;
2355 + const struct macvlan_dev *dest;
2356 +- __u8 ip_summed = skb->ip_summed;
2357 +
2358 + if (vlan->mode == MACVLAN_MODE_BRIDGE) {
2359 + const struct ethhdr *eth = (void *)skb->data;
2360 +- skb->ip_summed = CHECKSUM_UNNECESSARY;
2361 +
2362 + /* send to other bridge ports directly */
2363 + if (is_multicast_ether_addr(eth->h_dest)) {
2364 +@@ -258,7 +256,6 @@ static int macvlan_queue_xmit(struct sk_buff *skb, struct net_device *dev)
2365 + }
2366 +
2367 + xmit_world:
2368 +- skb->ip_summed = ip_summed;
2369 + skb->dev = vlan->lowerdev;
2370 + return dev_queue_xmit(skb);
2371 + }
2372 +@@ -394,8 +391,10 @@ static void macvlan_change_rx_flags(struct net_device *dev, int change)
2373 + struct macvlan_dev *vlan = netdev_priv(dev);
2374 + struct net_device *lowerdev = vlan->lowerdev;
2375 +
2376 +- if (change & IFF_ALLMULTI)
2377 +- dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1);
2378 ++ if (dev->flags & IFF_UP) {
2379 ++ if (change & IFF_ALLMULTI)
2380 ++ dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1);
2381 ++ }
2382 + }
2383 +
2384 + static void macvlan_set_multicast_list(struct net_device *dev)
2385 +diff --git a/drivers/net/wimax/i2400m/usb-rx.c b/drivers/net/wimax/i2400m/usb-rx.c
2386 +index e3257681e360..b78ee676e102 100644
2387 +--- a/drivers/net/wimax/i2400m/usb-rx.c
2388 ++++ b/drivers/net/wimax/i2400m/usb-rx.c
2389 +@@ -277,7 +277,7 @@ retry:
2390 + d_printf(1, dev, "RX: size changed to %d, received %d, "
2391 + "copied %d, capacity %ld\n",
2392 + rx_size, read_size, rx_skb->len,
2393 +- (long) (skb_end_pointer(new_skb) - new_skb->head));
2394 ++ (long) skb_end_offset(new_skb));
2395 + goto retry;
2396 + }
2397 + /* In most cases, it happens due to the hardware scheduling a
2398 +diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
2399 +index 5c38281955d4..1d4c579178f3 100644
2400 +--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
2401 ++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
2402 +@@ -651,20 +651,18 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
2403 + bss_conf->bssid);
2404 +
2405 + /*
2406 +- * Update the beacon. This is only required on USB devices. PCI
2407 +- * devices fetch beacons periodically.
2408 +- */
2409 +- if (changes & BSS_CHANGED_BEACON && rt2x00_is_usb(rt2x00dev))
2410 +- rt2x00queue_update_beacon(rt2x00dev, vif);
2411 +-
2412 +- /*
2413 + * Start/stop beaconing.
2414 + */
2415 + if (changes & BSS_CHANGED_BEACON_ENABLED) {
2416 + if (!bss_conf->enable_beacon && intf->enable_beacon) {
2417 +- rt2x00queue_clear_beacon(rt2x00dev, vif);
2418 + rt2x00dev->intf_beaconing--;
2419 + intf->enable_beacon = false;
2420 ++ /*
2421 ++ * Clear beacon in the H/W for this vif. This is needed
2422 ++ * to disable beaconing on this particular interface
2423 ++ * and keep it running on other interfaces.
2424 ++ */
2425 ++ rt2x00queue_clear_beacon(rt2x00dev, vif);
2426 +
2427 + if (rt2x00dev->intf_beaconing == 0) {
2428 + /*
2429 +@@ -675,11 +673,15 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
2430 + rt2x00queue_stop_queue(rt2x00dev->bcn);
2431 + mutex_unlock(&intf->beacon_skb_mutex);
2432 + }
2433 +-
2434 +-
2435 + } else if (bss_conf->enable_beacon && !intf->enable_beacon) {
2436 + rt2x00dev->intf_beaconing++;
2437 + intf->enable_beacon = true;
2438 ++ /*
2439 ++ * Upload beacon to the H/W. This is only required on
2440 ++ * USB devices. PCI devices fetch beacons periodically.
2441 ++ */
2442 ++ if (rt2x00_is_usb(rt2x00dev))
2443 ++ rt2x00queue_update_beacon(rt2x00dev, vif);
2444 +
2445 + if (rt2x00dev->intf_beaconing == 1) {
2446 + /*
2447 +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
2448 +index d3920daa3c32..79fc4b770500 100644
2449 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
2450 ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
2451 +@@ -1158,12 +1158,23 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw)
2452 + struct rtl_ps_ctl *ppsc = rtl_psc(rtl_priv(hw));
2453 + int err = 0;
2454 + static bool iqk_initialized;
2455 ++ unsigned long flags;
2456 ++
2457 ++ /* As this function can take a very long time (up to 350 ms)
2458 ++ * and can be called with irqs disabled, reenable the irqs
2459 ++ * to let the other devices continue being serviced.
2460 ++ *
2461 ++ * It is safe doing so since our own interrupts will only be enabled
2462 ++ * in a subsequent step.
2463 ++ */
2464 ++ local_save_flags(flags);
2465 ++ local_irq_enable();
2466 +
2467 + rtlhal->hw_type = HARDWARE_TYPE_RTL8192CU;
2468 + err = _rtl92cu_init_mac(hw);
2469 + if (err) {
2470 + RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, ("init mac failed!\n"));
2471 +- return err;
2472 ++ goto exit;
2473 + }
2474 + err = rtl92c_download_fw(hw);
2475 + if (err) {
2476 +@@ -1171,7 +1182,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw)
2477 + ("Failed to download FW. Init HW without FW now..\n"));
2478 + err = 1;
2479 + rtlhal->fw_ready = false;
2480 +- return err;
2481 ++ goto exit;
2482 + } else {
2483 + rtlhal->fw_ready = true;
2484 + }
2485 +@@ -1212,6 +1223,8 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw)
2486 + _update_mac_setting(hw);
2487 + rtl92c_dm_init(hw);
2488 + _dump_registers(hw);
2489 ++exit:
2490 ++ local_irq_restore(flags);
2491 + return err;
2492 + }
2493 +
2494 +diff --git a/drivers/pci/hotplug/shpchp_ctrl.c b/drivers/pci/hotplug/shpchp_ctrl.c
2495 +index 3ffc1b2b3932..b888675a228a 100644
2496 +--- a/drivers/pci/hotplug/shpchp_ctrl.c
2497 ++++ b/drivers/pci/hotplug/shpchp_ctrl.c
2498 +@@ -285,8 +285,8 @@ static int board_added(struct slot *p_slot)
2499 + return WRONG_BUS_FREQUENCY;
2500 + }
2501 +
2502 +- bsp = ctrl->pci_dev->bus->cur_bus_speed;
2503 +- msp = ctrl->pci_dev->bus->max_bus_speed;
2504 ++ bsp = ctrl->pci_dev->subordinate->cur_bus_speed;
2505 ++ msp = ctrl->pci_dev->subordinate->max_bus_speed;
2506 +
2507 + /* Check if there are other slots or devices on the same bus */
2508 + if (!list_empty(&ctrl->pci_dev->subordinate->devices))
2509 +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
2510 +index 8e6c4fafb3eb..2a8d6aa441c3 100644
2511 +--- a/drivers/platform/x86/thinkpad_acpi.c
2512 ++++ b/drivers/platform/x86/thinkpad_acpi.c
2513 +@@ -3405,7 +3405,7 @@ static int __init hotkey_init(struct ibm_init_struct *iibm)
2514 + /* Do not issue duplicate brightness change events to
2515 + * userspace. tpacpi_detect_brightness_capabilities() must have
2516 + * been called before this point */
2517 +- if (tp_features.bright_acpimode && acpi_video_backlight_support()) {
2518 ++ if (acpi_video_backlight_support()) {
2519 + pr_info("This ThinkPad has standard ACPI backlight "
2520 + "brightness control, supported by the ACPI "
2521 + "video driver\n");
2522 +diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
2523 +index 987c6d6adb76..01780a963181 100644
2524 +--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
2525 ++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
2526 +@@ -8166,7 +8166,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_message_t state)
2527 +
2528 + mpt2sas_base_free_resources(ioc);
2529 + pci_save_state(pdev);
2530 +- pci_disable_device(pdev);
2531 + pci_set_power_state(pdev, device_state);
2532 + return 0;
2533 + }
2534 +diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/ethernet-tx.c
2535 +index 2542c3743904..c5da0d24b4aa 100644
2536 +--- a/drivers/staging/octeon/ethernet-tx.c
2537 ++++ b/drivers/staging/octeon/ethernet-tx.c
2538 +@@ -344,7 +344,7 @@ int cvm_oct_xmit(struct sk_buff *skb, struct net_device *dev)
2539 + }
2540 + if (unlikely
2541 + (skb->truesize !=
2542 +- sizeof(*skb) + skb_end_pointer(skb) - skb->head)) {
2543 ++ sizeof(*skb) + skb_end_offset(skb))) {
2544 + /*
2545 + printk("TX buffer truesize has been changed\n");
2546 + */
2547 +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
2548 +index 7b97e7e3ede4..443547bf5407 100644
2549 +--- a/drivers/tty/hvc/hvc_console.c
2550 ++++ b/drivers/tty/hvc/hvc_console.c
2551 +@@ -190,7 +190,7 @@ static struct tty_driver *hvc_console_device(struct console *c, int *index)
2552 + return hvc_driver;
2553 + }
2554 +
2555 +-static int __init hvc_console_setup(struct console *co, char *options)
2556 ++static int hvc_console_setup(struct console *co, char *options)
2557 + {
2558 + if (co->index < 0 || co->index >= MAX_NR_HVC_CONSOLES)
2559 + return -ENODEV;
2560 +diff --git a/drivers/usb/storage/shuttle_usbat.c b/drivers/usb/storage/shuttle_usbat.c
2561 +index 0b00091d2ae9..ff8aeeebe5fa 100644
2562 +--- a/drivers/usb/storage/shuttle_usbat.c
2563 ++++ b/drivers/usb/storage/shuttle_usbat.c
2564 +@@ -1846,7 +1846,7 @@ static int usbat_probe(struct usb_interface *intf,
2565 + us->transport_name = "Shuttle USBAT";
2566 + us->transport = usbat_flash_transport;
2567 + us->transport_reset = usb_stor_CB_reset;
2568 +- us->max_lun = 1;
2569 ++ us->max_lun = 0;
2570 +
2571 + result = usb_stor_probe2(us);
2572 + return result;
2573 +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
2574 +index 08711bc24124..49d222d965da 100644
2575 +--- a/drivers/usb/storage/unusual_devs.h
2576 ++++ b/drivers/usb/storage/unusual_devs.h
2577 +@@ -226,6 +226,20 @@ UNUSUAL_DEV( 0x0421, 0x0495, 0x0370, 0x0370,
2578 + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
2579 + US_FL_MAX_SECTORS_64 ),
2580 +
2581 ++/* Reported by Daniele Forsi <dforsi@×××××.com> */
2582 ++UNUSUAL_DEV( 0x0421, 0x04b9, 0x0350, 0x0350,
2583 ++ "Nokia",
2584 ++ "5300",
2585 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
2586 ++ US_FL_MAX_SECTORS_64 ),
2587 ++
2588 ++/* Patch submitted by Victor A. Santos <victoraur.santos@×××××.com> */
2589 ++UNUSUAL_DEV( 0x0421, 0x05af, 0x0742, 0x0742,
2590 ++ "Nokia",
2591 ++ "305",
2592 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
2593 ++ US_FL_MAX_SECTORS_64),
2594 ++
2595 + /* Patch submitted by Mikhail Zolotaryov <lebon@×××××××××.ua> */
2596 + UNUSUAL_DEV( 0x0421, 0x06aa, 0x1110, 0x1110,
2597 + "Nokia",
2598 +diff --git a/drivers/video/tgafb.c b/drivers/video/tgafb.c
2599 +index ac2cf6dcc598..3b15bcac3766 100644
2600 +--- a/drivers/video/tgafb.c
2601 ++++ b/drivers/video/tgafb.c
2602 +@@ -192,6 +192,8 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
2603 +
2604 + if (var->xres_virtual != var->xres || var->yres_virtual != var->yres)
2605 + return -EINVAL;
2606 ++ if (var->xres * var->yres * (var->bits_per_pixel >> 3) > info->fix.smem_len)
2607 ++ return -EINVAL;
2608 + if (var->nonstd)
2609 + return -EINVAL;
2610 + if (1000000000 / var->pixclock > TGA_PLL_MAX_FREQ)
2611 +@@ -272,6 +274,7 @@ tgafb_set_par(struct fb_info *info)
2612 + par->yres = info->var.yres;
2613 + par->pll_freq = pll_freq = 1000000000 / info->var.pixclock;
2614 + par->bits_per_pixel = info->var.bits_per_pixel;
2615 ++ info->fix.line_length = par->xres * (par->bits_per_pixel >> 3);
2616 +
2617 + tga_type = par->tga_type;
2618 +
2619 +@@ -1318,6 +1321,7 @@ tgafb_init_fix(struct fb_info *info)
2620 + int tga_bus_tc = TGA_BUS_TC(par->dev);
2621 + u8 tga_type = par->tga_type;
2622 + const char *tga_type_name = NULL;
2623 ++ unsigned memory_size;
2624 +
2625 + switch (tga_type) {
2626 + case TGA_TYPE_8PLANE:
2627 +@@ -1325,21 +1329,25 @@ tgafb_init_fix(struct fb_info *info)
2628 + tga_type_name = "Digital ZLXp-E1";
2629 + if (tga_bus_tc)
2630 + tga_type_name = "Digital ZLX-E1";
2631 ++ memory_size = 2097152;
2632 + break;
2633 + case TGA_TYPE_24PLANE:
2634 + if (tga_bus_pci)
2635 + tga_type_name = "Digital ZLXp-E2";
2636 + if (tga_bus_tc)
2637 + tga_type_name = "Digital ZLX-E2";
2638 ++ memory_size = 8388608;
2639 + break;
2640 + case TGA_TYPE_24PLUSZ:
2641 + if (tga_bus_pci)
2642 + tga_type_name = "Digital ZLXp-E3";
2643 + if (tga_bus_tc)
2644 + tga_type_name = "Digital ZLX-E3";
2645 ++ memory_size = 16777216;
2646 + break;
2647 + default:
2648 + tga_type_name = "Unknown";
2649 ++ memory_size = 16777216;
2650 + break;
2651 + }
2652 +
2653 +@@ -1351,9 +1359,8 @@ tgafb_init_fix(struct fb_info *info)
2654 + ? FB_VISUAL_PSEUDOCOLOR
2655 + : FB_VISUAL_DIRECTCOLOR);
2656 +
2657 +- info->fix.line_length = par->xres * (par->bits_per_pixel >> 3);
2658 + info->fix.smem_start = (size_t) par->tga_fb_base;
2659 +- info->fix.smem_len = info->fix.line_length * par->yres;
2660 ++ info->fix.smem_len = memory_size;
2661 + info->fix.mmio_start = (size_t) par->tga_regs_base;
2662 + info->fix.mmio_len = 512;
2663 +
2664 +@@ -1478,6 +1485,9 @@ tgafb_register(struct device *dev)
2665 + modedb_tga = &modedb_tc;
2666 + modedbsize_tga = 1;
2667 + }
2668 ++
2669 ++ tgafb_init_fix(info);
2670 ++
2671 + ret = fb_find_mode(&info->var, info,
2672 + mode_option ? mode_option : mode_option_tga,
2673 + modedb_tga, modedbsize_tga, NULL,
2674 +@@ -1495,7 +1505,6 @@ tgafb_register(struct device *dev)
2675 + }
2676 +
2677 + tgafb_set_par(info);
2678 +- tgafb_init_fix(info);
2679 +
2680 + if (register_framebuffer(info) < 0) {
2681 + printk(KERN_ERR "tgafb: Could not register framebuffer\n");
2682 +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
2683 +index 9c51aff02ae2..435a9be1265e 100644
2684 +--- a/fs/nfsd/nfs4acl.c
2685 ++++ b/fs/nfsd/nfs4acl.c
2686 +@@ -373,8 +373,10 @@ sort_pacl(struct posix_acl *pacl)
2687 + * by uid/gid. */
2688 + int i, j;
2689 +
2690 +- if (pacl->a_count <= 4)
2691 +- return; /* no users or groups */
2692 ++ /* no users or groups */
2693 ++ if (!pacl || pacl->a_count <= 4)
2694 ++ return;
2695 ++
2696 + i = 1;
2697 + while (pacl->a_entries[i].e_tag == ACL_USER)
2698 + i++;
2699 +@@ -498,13 +500,12 @@ posix_state_to_acl(struct posix_acl_state *state, unsigned int flags)
2700 +
2701 + /*
2702 + * ACLs with no ACEs are treated differently in the inheritable
2703 +- * and effective cases: when there are no inheritable ACEs, we
2704 +- * set a zero-length default posix acl:
2705 ++ * and effective cases: when there are no inheritable ACEs,
2706 ++ * calls ->set_acl with a NULL ACL structure.
2707 + */
2708 +- if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT)) {
2709 +- pacl = posix_acl_alloc(0, GFP_KERNEL);
2710 +- return pacl ? pacl : ERR_PTR(-ENOMEM);
2711 +- }
2712 ++ if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT))
2713 ++ return NULL;
2714 ++
2715 + /*
2716 + * When there are no effective ACEs, the following will end
2717 + * up setting a 3-element effective posix ACL with all
2718 +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
2719 +index 4cef99ff2408..b2e0a5585aed 100644
2720 +--- a/fs/nfsd/nfs4state.c
2721 ++++ b/fs/nfsd/nfs4state.c
2722 +@@ -986,6 +986,18 @@ static struct nfs4_client *alloc_client(struct xdr_netobj name)
2723 + }
2724 + memcpy(clp->cl_name.data, name.data, name.len);
2725 + clp->cl_name.len = name.len;
2726 ++ INIT_LIST_HEAD(&clp->cl_sessions);
2727 ++ idr_init(&clp->cl_stateids);
2728 ++ atomic_set(&clp->cl_refcount, 0);
2729 ++ clp->cl_cb_state = NFSD4_CB_UNKNOWN;
2730 ++ INIT_LIST_HEAD(&clp->cl_idhash);
2731 ++ INIT_LIST_HEAD(&clp->cl_strhash);
2732 ++ INIT_LIST_HEAD(&clp->cl_openowners);
2733 ++ INIT_LIST_HEAD(&clp->cl_delegations);
2734 ++ INIT_LIST_HEAD(&clp->cl_lru);
2735 ++ INIT_LIST_HEAD(&clp->cl_callbacks);
2736 ++ spin_lock_init(&clp->cl_lock);
2737 ++ rpc_init_wait_queue(&clp->cl_cb_waitq, "Backchannel slot table");
2738 + return clp;
2739 + }
2740 +
2741 +@@ -999,6 +1011,7 @@ free_client(struct nfs4_client *clp)
2742 + list_del(&ses->se_perclnt);
2743 + nfsd4_put_session(ses);
2744 + }
2745 ++ rpc_destroy_wait_queue(&clp->cl_cb_waitq);
2746 + if (clp->cl_cred.cr_group_info)
2747 + put_group_info(clp->cl_cred.cr_group_info);
2748 + kfree(clp->cl_principal);
2749 +@@ -1163,7 +1176,6 @@ static struct nfs4_client *create_client(struct xdr_netobj name, char *recdir,
2750 + if (clp == NULL)
2751 + return NULL;
2752 +
2753 +- INIT_LIST_HEAD(&clp->cl_sessions);
2754 +
2755 + princ = svc_gss_principal(rqstp);
2756 + if (princ) {
2757 +@@ -1174,21 +1186,10 @@ static struct nfs4_client *create_client(struct xdr_netobj name, char *recdir,
2758 + }
2759 + }
2760 +
2761 +- idr_init(&clp->cl_stateids);
2762 + memcpy(clp->cl_recdir, recdir, HEXDIR_LEN);
2763 +- atomic_set(&clp->cl_refcount, 0);
2764 +- clp->cl_cb_state = NFSD4_CB_UNKNOWN;
2765 +- INIT_LIST_HEAD(&clp->cl_idhash);
2766 +- INIT_LIST_HEAD(&clp->cl_strhash);
2767 +- INIT_LIST_HEAD(&clp->cl_openowners);
2768 +- INIT_LIST_HEAD(&clp->cl_delegations);
2769 +- INIT_LIST_HEAD(&clp->cl_lru);
2770 +- INIT_LIST_HEAD(&clp->cl_callbacks);
2771 +- spin_lock_init(&clp->cl_lock);
2772 + INIT_WORK(&clp->cl_cb_null.cb_work, nfsd4_do_callback_rpc);
2773 + clp->cl_time = get_seconds();
2774 + clear_bit(0, &clp->cl_cb_slot_busy);
2775 +- rpc_init_wait_queue(&clp->cl_cb_waitq, "Backchannel slot table");
2776 + copy_verf(clp, verf);
2777 + rpc_copy_addr((struct sockaddr *) &clp->cl_addr, sa);
2778 + clp->cl_flavor = rqstp->rq_flavor;
2779 +@@ -3375,9 +3376,16 @@ out:
2780 + static __be32
2781 + nfsd4_free_lock_stateid(struct nfs4_ol_stateid *stp)
2782 + {
2783 +- if (check_for_locks(stp->st_file, lockowner(stp->st_stateowner)))
2784 ++ struct nfs4_lockowner *lo = lockowner(stp->st_stateowner);
2785 ++
2786 ++ if (check_for_locks(stp->st_file, lo))
2787 + return nfserr_locks_held;
2788 +- release_lock_stateid(stp);
2789 ++ /*
2790 ++ * Currently there's a 1-1 lock stateid<->lockowner
2791 ++ * correspondance, and we have to delete the lockowner when we
2792 ++ * delete the lock stateid:
2793 ++ */
2794 ++ unhash_lockowner(lo);
2795 + return nfs_ok;
2796 + }
2797 +
2798 +@@ -3812,6 +3820,10 @@ static bool same_lockowner_ino(struct nfs4_lockowner *lo, struct inode *inode, c
2799 +
2800 + if (!same_owner_str(&lo->lo_owner, owner, clid))
2801 + return false;
2802 ++ if (list_empty(&lo->lo_owner.so_stateids)) {
2803 ++ WARN_ON_ONCE(1);
2804 ++ return false;
2805 ++ }
2806 + lst = list_first_entry(&lo->lo_owner.so_stateids,
2807 + struct nfs4_ol_stateid, st_perstateowner);
2808 + return lst->st_file->fi_inode == inode;
2809 +diff --git a/fs/posix_acl.c b/fs/posix_acl.c
2810 +index cea4623f1ed6..6c70ab22a3e3 100644
2811 +--- a/fs/posix_acl.c
2812 ++++ b/fs/posix_acl.c
2813 +@@ -155,6 +155,12 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
2814 + umode_t mode = 0;
2815 + int not_equiv = 0;
2816 +
2817 ++ /*
2818 ++ * A null ACL can always be presented as mode bits.
2819 ++ */
2820 ++ if (!acl)
2821 ++ return 0;
2822 ++
2823 + FOREACH_ACL_ENTRY(pa, acl, pe) {
2824 + switch (pa->e_tag) {
2825 + case ACL_USER_OBJ:
2826 +diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
2827 +index 26eafcef75be..a3ebb09d4283 100644
2828 +--- a/include/linux/ftrace.h
2829 ++++ b/include/linux/ftrace.h
2830 +@@ -260,6 +260,7 @@ extern int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr);
2831 + extern int ftrace_arch_read_dyn_info(char *buf, int size);
2832 +
2833 + extern int skip_trace(unsigned long ip);
2834 ++extern void ftrace_module_init(struct module *mod);
2835 +
2836 + extern void ftrace_disable_daemon(void);
2837 + extern void ftrace_enable_daemon(void);
2838 +@@ -272,6 +273,7 @@ static inline void ftrace_set_filter(unsigned char *buf, int len, int reset)
2839 + static inline void ftrace_disable_daemon(void) { }
2840 + static inline void ftrace_enable_daemon(void) { }
2841 + static inline void ftrace_release_mod(struct module *mod) {}
2842 ++static inline void ftrace_module_init(struct module *mod) {}
2843 + static inline int register_ftrace_command(struct ftrace_func_command *cmd)
2844 + {
2845 + return -EINVAL;
2846 +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
2847 +index e6796c19dc62..f93d8c11e085 100644
2848 +--- a/include/linux/kvm_host.h
2849 ++++ b/include/linux/kvm_host.h
2850 +@@ -95,7 +95,6 @@ struct kvm_async_pf {
2851 + unsigned long addr;
2852 + struct kvm_arch_async_pf arch;
2853 + struct page *page;
2854 +- bool done;
2855 + };
2856 +
2857 + void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu);
2858 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
2859 +index 13bd6d0e43c5..c445e5221d49 100644
2860 +--- a/include/linux/skbuff.h
2861 ++++ b/include/linux/skbuff.h
2862 +@@ -617,11 +617,21 @@ static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
2863 + {
2864 + return skb->head + skb->end;
2865 + }
2866 ++
2867 ++static inline unsigned int skb_end_offset(const struct sk_buff *skb)
2868 ++{
2869 ++ return skb->end;
2870 ++}
2871 + #else
2872 + static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
2873 + {
2874 + return skb->end;
2875 + }
2876 ++
2877 ++static inline unsigned int skb_end_offset(const struct sk_buff *skb)
2878 ++{
2879 ++ return skb->end - skb->head;
2880 ++}
2881 + #endif
2882 +
2883 + /* Internal */
2884 +@@ -2549,7 +2559,7 @@ static inline bool skb_is_recycleable(const struct sk_buff *skb, int skb_size)
2885 + return false;
2886 +
2887 + skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD);
2888 +- if (skb_end_pointer(skb) - skb->head < skb_size)
2889 ++ if (skb_end_offset(skb) < skb_size)
2890 + return false;
2891 +
2892 + if (skb_shared(skb) || skb_cloned(skb))
2893 +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
2894 +index 5e91b72fc718..4913dacd1333 100644
2895 +--- a/include/net/ip6_route.h
2896 ++++ b/include/net/ip6_route.h
2897 +@@ -34,6 +34,11 @@ struct route_info {
2898 + #define RT6_LOOKUP_F_SRCPREF_PUBLIC 0x00000010
2899 + #define RT6_LOOKUP_F_SRCPREF_COA 0x00000020
2900 +
2901 ++/* We do not (yet ?) support IPv6 jumbograms (RFC 2675)
2902 ++ * Unlike IPv4, hdr->seg_len doesn't include the IPv6 header
2903 ++ */
2904 ++#define IP6_MAX_MTU (0xFFFF + sizeof(struct ipv6hdr))
2905 ++
2906 + /*
2907 + * rt6_srcprefs2flags() and rt6_flags2srcprefs() translate
2908 + * between IPV6_ADDR_PREFERENCES socket option values
2909 +diff --git a/include/trace/events/module.h b/include/trace/events/module.h
2910 +index 161932737416..ca298c7157ae 100644
2911 +--- a/include/trace/events/module.h
2912 ++++ b/include/trace/events/module.h
2913 +@@ -78,7 +78,7 @@ DECLARE_EVENT_CLASS(module_refcnt,
2914 +
2915 + TP_fast_assign(
2916 + __entry->ip = ip;
2917 +- __entry->refcnt = __this_cpu_read(mod->refptr->incs) + __this_cpu_read(mod->refptr->decs);
2918 ++ __entry->refcnt = __this_cpu_read(mod->refptr->incs) - __this_cpu_read(mod->refptr->decs);
2919 + __assign_str(name, mod->name);
2920 + ),
2921 +
2922 +diff --git a/kernel/events/core.c b/kernel/events/core.c
2923 +index b15b4f75131d..1d1edcb2d9a2 100644
2924 +--- a/kernel/events/core.c
2925 ++++ b/kernel/events/core.c
2926 +@@ -4899,6 +4899,9 @@ struct swevent_htable {
2927 +
2928 + /* Recursion avoidance in each contexts */
2929 + int recursion[PERF_NR_CONTEXTS];
2930 ++
2931 ++ /* Keeps track of cpu being initialized/exited */
2932 ++ bool online;
2933 + };
2934 +
2935 + static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
2936 +@@ -5141,8 +5144,14 @@ static int perf_swevent_add(struct perf_event *event, int flags)
2937 + hwc->state = !(flags & PERF_EF_START);
2938 +
2939 + head = find_swevent_head(swhash, event);
2940 +- if (WARN_ON_ONCE(!head))
2941 ++ if (!head) {
2942 ++ /*
2943 ++ * We can race with cpu hotplug code. Do not
2944 ++ * WARN if the cpu just got unplugged.
2945 ++ */
2946 ++ WARN_ON_ONCE(swhash->online);
2947 + return -EINVAL;
2948 ++ }
2949 +
2950 + hlist_add_head_rcu(&event->hlist_entry, head);
2951 +
2952 +@@ -6301,6 +6310,9 @@ SYSCALL_DEFINE5(perf_event_open,
2953 + if (attr.freq) {
2954 + if (attr.sample_freq > sysctl_perf_event_sample_rate)
2955 + return -EINVAL;
2956 ++ } else {
2957 ++ if (attr.sample_period & (1ULL << 63))
2958 ++ return -EINVAL;
2959 + }
2960 +
2961 + /*
2962 +@@ -7078,6 +7090,7 @@ static void __cpuinit perf_event_init_cpu(int cpu)
2963 + struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
2964 +
2965 + mutex_lock(&swhash->hlist_mutex);
2966 ++ swhash->online = true;
2967 + if (swhash->hlist_refcount > 0) {
2968 + struct swevent_hlist *hlist;
2969 +
2970 +@@ -7135,6 +7148,7 @@ static void perf_event_exit_cpu(int cpu)
2971 + perf_event_exit_cpu_context(cpu);
2972 +
2973 + mutex_lock(&swhash->hlist_mutex);
2974 ++ swhash->online = false;
2975 + swevent_hlist_release(swhash);
2976 + mutex_unlock(&swhash->hlist_mutex);
2977 + }
2978 +diff --git a/kernel/futex.c b/kernel/futex.c
2979 +index 8888815c578b..1bb37d0f3d7a 100644
2980 +--- a/kernel/futex.c
2981 ++++ b/kernel/futex.c
2982 +@@ -588,6 +588,55 @@ void exit_pi_state_list(struct task_struct *curr)
2983 + raw_spin_unlock_irq(&curr->pi_lock);
2984 + }
2985 +
2986 ++/*
2987 ++ * We need to check the following states:
2988 ++ *
2989 ++ * Waiter | pi_state | pi->owner | uTID | uODIED | ?
2990 ++ *
2991 ++ * [1] NULL | --- | --- | 0 | 0/1 | Valid
2992 ++ * [2] NULL | --- | --- | >0 | 0/1 | Valid
2993 ++ *
2994 ++ * [3] Found | NULL | -- | Any | 0/1 | Invalid
2995 ++ *
2996 ++ * [4] Found | Found | NULL | 0 | 1 | Valid
2997 ++ * [5] Found | Found | NULL | >0 | 1 | Invalid
2998 ++ *
2999 ++ * [6] Found | Found | task | 0 | 1 | Valid
3000 ++ *
3001 ++ * [7] Found | Found | NULL | Any | 0 | Invalid
3002 ++ *
3003 ++ * [8] Found | Found | task | ==taskTID | 0/1 | Valid
3004 ++ * [9] Found | Found | task | 0 | 0 | Invalid
3005 ++ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid
3006 ++ *
3007 ++ * [1] Indicates that the kernel can acquire the futex atomically. We
3008 ++ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
3009 ++ *
3010 ++ * [2] Valid, if TID does not belong to a kernel thread. If no matching
3011 ++ * thread is found then it indicates that the owner TID has died.
3012 ++ *
3013 ++ * [3] Invalid. The waiter is queued on a non PI futex
3014 ++ *
3015 ++ * [4] Valid state after exit_robust_list(), which sets the user space
3016 ++ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
3017 ++ *
3018 ++ * [5] The user space value got manipulated between exit_robust_list()
3019 ++ * and exit_pi_state_list()
3020 ++ *
3021 ++ * [6] Valid state after exit_pi_state_list() which sets the new owner in
3022 ++ * the pi_state but cannot access the user space value.
3023 ++ *
3024 ++ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
3025 ++ *
3026 ++ * [8] Owner and user space value match
3027 ++ *
3028 ++ * [9] There is no transient state which sets the user space TID to 0
3029 ++ * except exit_robust_list(), but this is indicated by the
3030 ++ * FUTEX_OWNER_DIED bit. See [4]
3031 ++ *
3032 ++ * [10] There is no transient state which leaves owner and user space
3033 ++ * TID out of sync.
3034 ++ */
3035 + static int
3036 + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
3037 + union futex_key *key, struct futex_pi_state **ps)
3038 +@@ -603,12 +652,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
3039 + plist_for_each_entry_safe(this, next, head, list) {
3040 + if (match_futex(&this->key, key)) {
3041 + /*
3042 +- * Another waiter already exists - bump up
3043 +- * the refcount and return its pi_state:
3044 ++ * Sanity check the waiter before increasing
3045 ++ * the refcount and attaching to it.
3046 + */
3047 + pi_state = this->pi_state;
3048 + /*
3049 +- * Userspace might have messed up non-PI and PI futexes
3050 ++ * Userspace might have messed up non-PI and
3051 ++ * PI futexes [3]
3052 + */
3053 + if (unlikely(!pi_state))
3054 + return -EINVAL;
3055 +@@ -616,34 +666,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
3056 + WARN_ON(!atomic_read(&pi_state->refcount));
3057 +
3058 + /*
3059 +- * When pi_state->owner is NULL then the owner died
3060 +- * and another waiter is on the fly. pi_state->owner
3061 +- * is fixed up by the task which acquires
3062 +- * pi_state->rt_mutex.
3063 +- *
3064 +- * We do not check for pid == 0 which can happen when
3065 +- * the owner died and robust_list_exit() cleared the
3066 +- * TID.
3067 ++ * Handle the owner died case:
3068 + */
3069 +- if (pid && pi_state->owner) {
3070 ++ if (uval & FUTEX_OWNER_DIED) {
3071 ++ /*
3072 ++ * exit_pi_state_list sets owner to NULL and
3073 ++ * wakes the topmost waiter. The task which
3074 ++ * acquires the pi_state->rt_mutex will fixup
3075 ++ * owner.
3076 ++ */
3077 ++ if (!pi_state->owner) {
3078 ++ /*
3079 ++ * No pi state owner, but the user
3080 ++ * space TID is not 0. Inconsistent
3081 ++ * state. [5]
3082 ++ */
3083 ++ if (pid)
3084 ++ return -EINVAL;
3085 ++ /*
3086 ++ * Take a ref on the state and
3087 ++ * return. [4]
3088 ++ */
3089 ++ goto out_state;
3090 ++ }
3091 ++
3092 + /*
3093 +- * Bail out if user space manipulated the
3094 +- * futex value.
3095 ++ * If TID is 0, then either the dying owner
3096 ++ * has not yet executed exit_pi_state_list()
3097 ++ * or some waiter acquired the rtmutex in the
3098 ++ * pi state, but did not yet fixup the TID in
3099 ++ * user space.
3100 ++ *
3101 ++ * Take a ref on the state and return. [6]
3102 + */
3103 +- if (pid != task_pid_vnr(pi_state->owner))
3104 ++ if (!pid)
3105 ++ goto out_state;
3106 ++ } else {
3107 ++ /*
3108 ++ * If the owner died bit is not set,
3109 ++ * then the pi_state must have an
3110 ++ * owner. [7]
3111 ++ */
3112 ++ if (!pi_state->owner)
3113 + return -EINVAL;
3114 + }
3115 +
3116 ++ /*
3117 ++ * Bail out if user space manipulated the
3118 ++ * futex value. If pi state exists then the
3119 ++ * owner TID must be the same as the user
3120 ++ * space TID. [9/10]
3121 ++ */
3122 ++ if (pid != task_pid_vnr(pi_state->owner))
3123 ++ return -EINVAL;
3124 ++
3125 ++ out_state:
3126 + atomic_inc(&pi_state->refcount);
3127 + *ps = pi_state;
3128 +-
3129 + return 0;
3130 + }
3131 + }
3132 +
3133 + /*
3134 + * We are the first waiter - try to look up the real owner and attach
3135 +- * the new pi_state to it, but bail out when TID = 0
3136 ++ * the new pi_state to it, but bail out when TID = 0 [1]
3137 + */
3138 + if (!pid)
3139 + return -ESRCH;
3140 +@@ -651,6 +737,11 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
3141 + if (!p)
3142 + return -ESRCH;
3143 +
3144 ++ if (!p->mm) {
3145 ++ put_task_struct(p);
3146 ++ return -EPERM;
3147 ++ }
3148 ++
3149 + /*
3150 + * We need to look at the task state flags to figure out,
3151 + * whether the task is exiting. To protect against the do_exit
3152 +@@ -671,6 +762,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
3153 + return ret;
3154 + }
3155 +
3156 ++ /*
3157 ++ * No existing pi state. First waiter. [2]
3158 ++ */
3159 + pi_state = alloc_pi_state();
3160 +
3161 + /*
3162 +@@ -742,10 +836,18 @@ retry:
3163 + return -EDEADLK;
3164 +
3165 + /*
3166 +- * Surprise - we got the lock. Just return to userspace:
3167 ++ * Surprise - we got the lock, but we do not trust user space at all.
3168 + */
3169 +- if (unlikely(!curval))
3170 +- return 1;
3171 ++ if (unlikely(!curval)) {
3172 ++ /*
3173 ++ * We verify whether there is kernel state for this
3174 ++ * futex. If not, we can safely assume, that the 0 ->
3175 ++ * TID transition is correct. If state exists, we do
3176 ++ * not bother to fixup the user space state as it was
3177 ++ * corrupted already.
3178 ++ */
3179 ++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
3180 ++ }
3181 +
3182 + uval = curval;
3183 +
3184 +@@ -875,6 +977,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
3185 + struct task_struct *new_owner;
3186 + struct futex_pi_state *pi_state = this->pi_state;
3187 + u32 uninitialized_var(curval), newval;
3188 ++ int ret = 0;
3189 +
3190 + if (!pi_state)
3191 + return -EINVAL;
3192 +@@ -898,23 +1001,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
3193 + new_owner = this->task;
3194 +
3195 + /*
3196 +- * We pass it to the next owner. (The WAITERS bit is always
3197 +- * kept enabled while there is PI state around. We must also
3198 +- * preserve the owner died bit.)
3199 ++ * We pass it to the next owner. The WAITERS bit is always
3200 ++ * kept enabled while there is PI state around. We cleanup the
3201 ++ * owner died bit, because we are the owner.
3202 + */
3203 +- if (!(uval & FUTEX_OWNER_DIED)) {
3204 +- int ret = 0;
3205 ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
3206 +
3207 +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
3208 +-
3209 +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
3210 +- ret = -EFAULT;
3211 +- else if (curval != uval)
3212 +- ret = -EINVAL;
3213 +- if (ret) {
3214 +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
3215 +- return ret;
3216 +- }
3217 ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
3218 ++ ret = -EFAULT;
3219 ++ else if (curval != uval)
3220 ++ ret = -EINVAL;
3221 ++ if (ret) {
3222 ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
3223 ++ return ret;
3224 + }
3225 +
3226 + raw_spin_lock_irq(&pi_state->owner->pi_lock);
3227 +@@ -1193,7 +1292,7 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
3228 + *
3229 + * Returns:
3230 + * 0 - failed to acquire the lock atomicly
3231 +- * 1 - acquired the lock
3232 ++ * >0 - acquired the lock, return value is vpid of the top_waiter
3233 + * <0 - error
3234 + */
3235 + static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3236 +@@ -1204,7 +1303,7 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3237 + {
3238 + struct futex_q *top_waiter = NULL;
3239 + u32 curval;
3240 +- int ret;
3241 ++ int ret, vpid;
3242 +
3243 + if (get_futex_value_locked(&curval, pifutex))
3244 + return -EFAULT;
3245 +@@ -1232,11 +1331,13 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3246 + * the contended case or if set_waiters is 1. The pi_state is returned
3247 + * in ps in contended cases.
3248 + */
3249 ++ vpid = task_pid_vnr(top_waiter->task);
3250 + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
3251 + set_waiters);
3252 +- if (ret == 1)
3253 ++ if (ret == 1) {
3254 + requeue_pi_wake_futex(top_waiter, key2, hb2);
3255 +-
3256 ++ return vpid;
3257 ++ }
3258 + return ret;
3259 + }
3260 +
3261 +@@ -1268,10 +1369,16 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
3262 + struct futex_hash_bucket *hb1, *hb2;
3263 + struct plist_head *head1;
3264 + struct futex_q *this, *next;
3265 +- u32 curval2;
3266 +
3267 + if (requeue_pi) {
3268 + /*
3269 ++ * Requeue PI only works on two distinct uaddrs. This
3270 ++ * check is only valid for private futexes. See below.
3271 ++ */
3272 ++ if (uaddr1 == uaddr2)
3273 ++ return -EINVAL;
3274 ++
3275 ++ /*
3276 + * requeue_pi requires a pi_state, try to allocate it now
3277 + * without any locks in case it fails.
3278 + */
3279 +@@ -1309,6 +1416,15 @@ retry:
3280 + if (unlikely(ret != 0))
3281 + goto out_put_key1;
3282 +
3283 ++ /*
3284 ++ * The check above which compares uaddrs is not sufficient for
3285 ++ * shared futexes. We need to compare the keys:
3286 ++ */
3287 ++ if (requeue_pi && match_futex(&key1, &key2)) {
3288 ++ ret = -EINVAL;
3289 ++ goto out_put_keys;
3290 ++ }
3291 ++
3292 + hb1 = hash_futex(&key1);
3293 + hb2 = hash_futex(&key2);
3294 +
3295 +@@ -1354,16 +1470,25 @@ retry_private:
3296 + * At this point the top_waiter has either taken uaddr2 or is
3297 + * waiting on it. If the former, then the pi_state will not
3298 + * exist yet, look it up one more time to ensure we have a
3299 +- * reference to it.
3300 ++ * reference to it. If the lock was taken, ret contains the
3301 ++ * vpid of the top waiter task.
3302 + */
3303 +- if (ret == 1) {
3304 ++ if (ret > 0) {
3305 + WARN_ON(pi_state);
3306 + drop_count++;
3307 + task_count++;
3308 +- ret = get_futex_value_locked(&curval2, uaddr2);
3309 +- if (!ret)
3310 +- ret = lookup_pi_state(curval2, hb2, &key2,
3311 +- &pi_state);
3312 ++ /*
3313 ++ * If we acquired the lock, then the user
3314 ++ * space value of uaddr2 should be vpid. It
3315 ++ * cannot be changed by the top waiter as it
3316 ++ * is blocked on hb2 lock if it tries to do
3317 ++ * so. If something fiddled with it behind our
3318 ++ * back the pi state lookup might unearth
3319 ++ * it. So we rather use the known value than
3320 ++ * rereading and handing potential crap to
3321 ++ * lookup_pi_state.
3322 ++ */
3323 ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
3324 + }
3325 +
3326 + switch (ret) {
3327 +@@ -2133,9 +2258,10 @@ retry:
3328 + /*
3329 + * To avoid races, try to do the TID -> 0 atomic transition
3330 + * again. If it succeeds then we can return without waking
3331 +- * anyone else up:
3332 ++ * anyone else up. We only try this if neither the waiters nor
3333 ++ * the owner died bit are set.
3334 + */
3335 +- if (!(uval & FUTEX_OWNER_DIED) &&
3336 ++ if (!(uval & ~FUTEX_TID_MASK) &&
3337 + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
3338 + goto pi_faulted;
3339 + /*
3340 +@@ -2167,11 +2293,9 @@ retry:
3341 + /*
3342 + * No waiters - kernel unlocks the futex:
3343 + */
3344 +- if (!(uval & FUTEX_OWNER_DIED)) {
3345 +- ret = unlock_futex_pi(uaddr, uval);
3346 +- if (ret == -EFAULT)
3347 +- goto pi_faulted;
3348 +- }
3349 ++ ret = unlock_futex_pi(uaddr, uval);
3350 ++ if (ret == -EFAULT)
3351 ++ goto pi_faulted;
3352 +
3353 + out_unlock:
3354 + spin_unlock(&hb->lock);
3355 +@@ -2331,6 +2455,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
3356 + if (ret)
3357 + goto out_key2;
3358 +
3359 ++ /*
3360 ++ * The check above which compares uaddrs is not sufficient for
3361 ++ * shared futexes. We need to compare the keys:
3362 ++ */
3363 ++ if (match_futex(&q.key, &key2)) {
3364 ++ ret = -EINVAL;
3365 ++ goto out_put_keys;
3366 ++ }
3367 ++
3368 + /* Queue the futex_q, drop the hb lock, wait for wakeup. */
3369 + futex_wait_queue_me(hb, &q, to);
3370 +
3371 +diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
3372 +index 60f7e326b6c8..20e88afba69b 100644
3373 +--- a/kernel/hrtimer.c
3374 ++++ b/kernel/hrtimer.c
3375 +@@ -232,6 +232,11 @@ again:
3376 + goto again;
3377 + }
3378 + timer->base = new_base;
3379 ++ } else {
3380 ++ if (cpu != this_cpu && hrtimer_check_target(timer, new_base)) {
3381 ++ cpu = this_cpu;
3382 ++ goto again;
3383 ++ }
3384 + }
3385 + return new_base;
3386 + }
3387 +@@ -567,6 +572,23 @@ hrtimer_force_reprogram(struct hrtimer_cpu_base *cpu_base, int skip_equal)
3388 +
3389 + cpu_base->expires_next.tv64 = expires_next.tv64;
3390 +
3391 ++ /*
3392 ++ * If a hang was detected in the last timer interrupt then we
3393 ++ * leave the hang delay active in the hardware. We want the
3394 ++ * system to make progress. That also prevents the following
3395 ++ * scenario:
3396 ++ * T1 expires 50ms from now
3397 ++ * T2 expires 5s from now
3398 ++ *
3399 ++ * T1 is removed, so this code is called and would reprogram
3400 ++ * the hardware to 5s from now. Any hrtimer_start after that
3401 ++ * will not reprogram the hardware due to hang_detected being
3402 ++ * set. So we'd effectivly block all timers until the T2 event
3403 ++ * fires.
3404 ++ */
3405 ++ if (cpu_base->hang_detected)
3406 ++ return;
3407 ++
3408 + if (cpu_base->expires_next.tv64 != KTIME_MAX)
3409 + tick_program_event(cpu_base->expires_next, 1);
3410 + }
3411 +@@ -958,11 +980,8 @@ int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
3412 + /* Remove an active timer from the queue: */
3413 + ret = remove_hrtimer(timer, base);
3414 +
3415 +- /* Switch the timer base, if necessary: */
3416 +- new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED);
3417 +-
3418 + if (mode & HRTIMER_MODE_REL) {
3419 +- tim = ktime_add_safe(tim, new_base->get_time());
3420 ++ tim = ktime_add_safe(tim, base->get_time());
3421 + /*
3422 + * CONFIG_TIME_LOW_RES is a temporary way for architectures
3423 + * to signal that they simply return xtime in
3424 +@@ -977,6 +996,9 @@ int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
3425 +
3426 + hrtimer_set_expires_range_ns(timer, tim, delta_ns);
3427 +
3428 ++ /* Switch the timer base, if necessary: */
3429 ++ new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED);
3430 ++
3431 + timer_stats_hrtimer_set_start_info(timer);
3432 +
3433 + leftmost = enqueue_hrtimer(timer, new_base);
3434 +diff --git a/kernel/module.c b/kernel/module.c
3435 +index 65362d9ab783..95ecd9ffc91f 100644
3436 +--- a/kernel/module.c
3437 ++++ b/kernel/module.c
3438 +@@ -2888,6 +2888,9 @@ static struct module *load_module(void __user *umod,
3439 + /* This has to be done once we're sure module name is unique. */
3440 + dynamic_debug_setup(info.debug, info.num_debug);
3441 +
3442 ++ /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
3443 ++ ftrace_module_init(mod);
3444 ++
3445 + /* Find duplicate symbols */
3446 + err = verify_export_symbols(mod);
3447 + if (err < 0)
3448 +diff --git a/kernel/sched_cpupri.c b/kernel/sched_cpupri.c
3449 +index a86cf9d9eb11..1f4afddf158a 100644
3450 +--- a/kernel/sched_cpupri.c
3451 ++++ b/kernel/sched_cpupri.c
3452 +@@ -68,8 +68,7 @@ int cpupri_find(struct cpupri *cp, struct task_struct *p,
3453 + int idx = 0;
3454 + int task_pri = convert_prio(p->prio);
3455 +
3456 +- if (task_pri >= MAX_RT_PRIO)
3457 +- return 0;
3458 ++ BUG_ON(task_pri >= CPUPRI_NR_PRIORITIES);
3459 +
3460 + for (idx = 0; idx < task_pri; idx++) {
3461 + struct cpupri_vec *vec = &cp->pri_to_cpu[idx];
3462 +diff --git a/kernel/timer.c b/kernel/timer.c
3463 +index f8b05a467883..349953ee9027 100644
3464 +--- a/kernel/timer.c
3465 ++++ b/kernel/timer.c
3466 +@@ -769,7 +769,7 @@ unsigned long apply_slack(struct timer_list *timer, unsigned long expires)
3467 +
3468 + bit = find_last_bit(&mask, BITS_PER_LONG);
3469 +
3470 +- mask = (1 << bit) - 1;
3471 ++ mask = (1UL << bit) - 1;
3472 +
3473 + expires_limit = expires_limit & ~(mask);
3474 +
3475 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
3476 +index a65fa363c024..dcbafedc38ae 100644
3477 +--- a/kernel/trace/ftrace.c
3478 ++++ b/kernel/trace/ftrace.c
3479 +@@ -3542,16 +3542,11 @@ static void ftrace_init_module(struct module *mod,
3480 + ftrace_process_locs(mod, start, end);
3481 + }
3482 +
3483 +-static int ftrace_module_notify_enter(struct notifier_block *self,
3484 +- unsigned long val, void *data)
3485 ++void ftrace_module_init(struct module *mod)
3486 + {
3487 +- struct module *mod = data;
3488 +-
3489 +- if (val == MODULE_STATE_COMING)
3490 +- ftrace_init_module(mod, mod->ftrace_callsites,
3491 +- mod->ftrace_callsites +
3492 +- mod->num_ftrace_callsites);
3493 +- return 0;
3494 ++ ftrace_init_module(mod, mod->ftrace_callsites,
3495 ++ mod->ftrace_callsites +
3496 ++ mod->num_ftrace_callsites);
3497 + }
3498 +
3499 + static int ftrace_module_notify_exit(struct notifier_block *self,
3500 +@@ -3565,11 +3560,6 @@ static int ftrace_module_notify_exit(struct notifier_block *self,
3501 + return 0;
3502 + }
3503 + #else
3504 +-static int ftrace_module_notify_enter(struct notifier_block *self,
3505 +- unsigned long val, void *data)
3506 +-{
3507 +- return 0;
3508 +-}
3509 + static int ftrace_module_notify_exit(struct notifier_block *self,
3510 + unsigned long val, void *data)
3511 + {
3512 +@@ -3577,11 +3567,6 @@ static int ftrace_module_notify_exit(struct notifier_block *self,
3513 + }
3514 + #endif /* CONFIG_MODULES */
3515 +
3516 +-struct notifier_block ftrace_module_enter_nb = {
3517 +- .notifier_call = ftrace_module_notify_enter,
3518 +- .priority = INT_MAX, /* Run before anything that can use kprobes */
3519 +-};
3520 +-
3521 + struct notifier_block ftrace_module_exit_nb = {
3522 + .notifier_call = ftrace_module_notify_exit,
3523 + .priority = INT_MIN, /* Run after anything that can remove kprobes */
3524 +@@ -3618,10 +3603,6 @@ void __init ftrace_init(void)
3525 + __start_mcount_loc,
3526 + __stop_mcount_loc);
3527 +
3528 +- ret = register_module_notifier(&ftrace_module_enter_nb);
3529 +- if (ret)
3530 +- pr_warning("Failed to register trace ftrace module enter notifier\n");
3531 +-
3532 + ret = register_module_notifier(&ftrace_module_exit_nb);
3533 + if (ret)
3534 + pr_warning("Failed to register trace ftrace module exit notifier\n");
3535 +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
3536 +index 41b25a0ed616..088fbc525ef4 100644
3537 +--- a/kernel/tracepoint.c
3538 ++++ b/kernel/tracepoint.c
3539 +@@ -638,6 +638,9 @@ static int tracepoint_module_coming(struct module *mod)
3540 + struct tp_module *tp_mod, *iter;
3541 + int ret = 0;
3542 +
3543 ++ if (!mod->num_tracepoints)
3544 ++ return 0;
3545 ++
3546 + /*
3547 + * We skip modules that taint the kernel, especially those with different
3548 + * module headers (for forced load), to make sure we don't cause a crash.
3549 +@@ -681,6 +684,9 @@ static int tracepoint_module_going(struct module *mod)
3550 + {
3551 + struct tp_module *pos;
3552 +
3553 ++ if (!mod->num_tracepoints)
3554 ++ return 0;
3555 ++
3556 + mutex_lock(&tracepoints_mutex);
3557 + tracepoint_update_probe_range(mod->tracepoints_ptrs,
3558 + mod->tracepoints_ptrs + mod->num_tracepoints);
3559 +diff --git a/mm/memory-failure.c b/mm/memory-failure.c
3560 +index 96c4bcf188b1..51901b184872 100644
3561 +--- a/mm/memory-failure.c
3562 ++++ b/mm/memory-failure.c
3563 +@@ -1033,15 +1033,16 @@ int __memory_failure(unsigned long pfn, int trapno, int flags)
3564 + return 0;
3565 + } else if (PageHuge(hpage)) {
3566 + /*
3567 +- * Check "just unpoisoned", "filter hit", and
3568 +- * "race with other subpage."
3569 ++ * Check "filter hit" and "race with other subpage."
3570 + */
3571 + lock_page(hpage);
3572 +- if (!PageHWPoison(hpage)
3573 +- || (hwpoison_filter(p) && TestClearPageHWPoison(p))
3574 +- || (p != hpage && TestSetPageHWPoison(hpage))) {
3575 +- atomic_long_sub(nr_pages, &mce_bad_pages);
3576 +- return 0;
3577 ++ if (PageHWPoison(hpage)) {
3578 ++ if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
3579 ++ || (p != hpage && TestSetPageHWPoison(hpage))) {
3580 ++ atomic_long_sub(nr_pages, &mce_bad_pages);
3581 ++ unlock_page(hpage);
3582 ++ return 0;
3583 ++ }
3584 + }
3585 + set_page_hwpoison_huge_page(hpage);
3586 + res = dequeue_hwpoisoned_huge_page(hpage);
3587 +@@ -1093,6 +1094,8 @@ int __memory_failure(unsigned long pfn, int trapno, int flags)
3588 + */
3589 + if (!PageHWPoison(p)) {
3590 + printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn);
3591 ++ atomic_long_sub(nr_pages, &mce_bad_pages);
3592 ++ put_page(hpage);
3593 + res = 0;
3594 + goto out;
3595 + }
3596 +diff --git a/mm/page-writeback.c b/mm/page-writeback.c
3597 +index b5cd796fcd6c..d2ac057008f2 100644
3598 +--- a/mm/page-writeback.c
3599 ++++ b/mm/page-writeback.c
3600 +@@ -559,7 +559,7 @@ static unsigned long bdi_position_ratio(struct backing_dev_info *bdi,
3601 + * => fast response on large errors; small oscillation near setpoint
3602 + */
3603 + setpoint = (freerun + limit) / 2;
3604 +- x = div_s64((setpoint - dirty) << RATELIMIT_CALC_SHIFT,
3605 ++ x = div64_s64(((s64)setpoint - (s64)dirty) << RATELIMIT_CALC_SHIFT,
3606 + limit - setpoint + 1);
3607 + pos_ratio = x;
3608 + pos_ratio = pos_ratio * x >> RATELIMIT_CALC_SHIFT;
3609 +@@ -625,7 +625,7 @@ static unsigned long bdi_position_ratio(struct backing_dev_info *bdi,
3610 + x_intercept = bdi_setpoint + span;
3611 +
3612 + if (bdi_dirty < x_intercept - span / 4) {
3613 +- pos_ratio = div_u64(pos_ratio * (x_intercept - bdi_dirty),
3614 ++ pos_ratio = div64_u64(pos_ratio * (x_intercept - bdi_dirty),
3615 + x_intercept - bdi_setpoint + 1);
3616 + } else
3617 + pos_ratio /= 4;
3618 +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
3619 +index aa1264910c4e..4d99d42f30ff 100644
3620 +--- a/net/bluetooth/hci_conn.c
3621 ++++ b/net/bluetooth/hci_conn.c
3622 +@@ -610,14 +610,17 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
3623 + if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
3624 + struct hci_cp_auth_requested cp;
3625 +
3626 +- /* encrypt must be pending if auth is also pending */
3627 +- set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
3628 +-
3629 + cp.handle = cpu_to_le16(conn->handle);
3630 + hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3631 + sizeof(cp), &cp);
3632 ++
3633 ++ /* If we're already encrypted set the REAUTH_PEND flag,
3634 ++ * otherwise set the ENCRYPT_PEND.
3635 ++ */
3636 + if (conn->key_type != 0xff)
3637 + set_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
3638 ++ else
3639 ++ set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
3640 + }
3641 +
3642 + return 0;
3643 +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
3644 +index cbf9ccd45784..99a48a39c009 100644
3645 +--- a/net/bridge/br_netlink.c
3646 ++++ b/net/bridge/br_netlink.c
3647 +@@ -211,11 +211,26 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[])
3648 + return 0;
3649 + }
3650 +
3651 ++static int br_dev_newlink(struct net *src_net, struct net_device *dev,
3652 ++ struct nlattr *tb[], struct nlattr *data[])
3653 ++{
3654 ++ struct net_bridge *br = netdev_priv(dev);
3655 ++
3656 ++ if (tb[IFLA_ADDRESS]) {
3657 ++ spin_lock_bh(&br->lock);
3658 ++ br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
3659 ++ spin_unlock_bh(&br->lock);
3660 ++ }
3661 ++
3662 ++ return register_netdevice(dev);
3663 ++}
3664 ++
3665 + struct rtnl_link_ops br_link_ops __read_mostly = {
3666 + .kind = "bridge",
3667 + .priv_size = sizeof(struct net_bridge),
3668 + .setup = br_dev_setup,
3669 + .validate = br_validate,
3670 ++ .newlink = br_dev_newlink,
3671 + .dellink = br_dev_delete,
3672 + };
3673 +
3674 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
3675 +index 5864cc491369..45f93f8a10c8 100644
3676 +--- a/net/bridge/netfilter/ebtables.c
3677 ++++ b/net/bridge/netfilter/ebtables.c
3678 +@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
3679 + if (repl->num_counters &&
3680 + copy_to_user(repl->counters, counterstmp,
3681 + repl->num_counters * sizeof(struct ebt_counter))) {
3682 +- ret = -EFAULT;
3683 ++ /* Silent error, can't fail, new table is already in place */
3684 ++ net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
3685 + }
3686 +- else
3687 +- ret = 0;
3688 +
3689 + /* decrease module count and free resources */
3690 + EBT_ENTRY_ITERATE(table->entries, table->entries_size,
3691 +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
3692 +index ad5b70801f37..20ba2d59dc23 100644
3693 +--- a/net/ceph/messenger.c
3694 ++++ b/net/ceph/messenger.c
3695 +@@ -284,6 +284,37 @@ static int ceph_tcp_sendmsg(struct socket *sock, struct kvec *iov,
3696 + return r;
3697 + }
3698 +
3699 ++static int __ceph_tcp_sendpage(struct socket *sock, struct page *page,
3700 ++ int offset, size_t size, bool more)
3701 ++{
3702 ++ int flags = MSG_DONTWAIT | MSG_NOSIGNAL | (more ? MSG_MORE : MSG_EOR);
3703 ++ int ret;
3704 ++
3705 ++ ret = kernel_sendpage(sock, page, offset, size, flags);
3706 ++ if (ret == -EAGAIN)
3707 ++ ret = 0;
3708 ++
3709 ++ return ret;
3710 ++}
3711 ++
3712 ++static int ceph_tcp_sendpage(struct socket *sock, struct page *page,
3713 ++ int offset, size_t size, bool more)
3714 ++{
3715 ++ int ret;
3716 ++ struct kvec iov;
3717 ++
3718 ++ /* sendpage cannot properly handle pages with page_count == 0,
3719 ++ * we need to fallback to sendmsg if that's the case */
3720 ++ if (page_count(page) >= 1)
3721 ++ return __ceph_tcp_sendpage(sock, page, offset, size, more);
3722 ++
3723 ++ iov.iov_base = kmap(page) + offset;
3724 ++ iov.iov_len = size;
3725 ++ ret = ceph_tcp_sendmsg(sock, &iov, 1, size, more);
3726 ++ kunmap(page);
3727 ++
3728 ++ return ret;
3729 ++}
3730 +
3731 + /*
3732 + * Shutdown/close the socket for the given connection.
3733 +@@ -851,18 +882,14 @@ static int write_partial_msg_pages(struct ceph_connection *con)
3734 + cpu_to_le32(crc32c(tmpcrc, base, len));
3735 + con->out_msg_pos.did_page_crc = 1;
3736 + }
3737 +- ret = kernel_sendpage(con->sock, page,
3738 ++ ret = ceph_tcp_sendpage(con->sock, page,
3739 + con->out_msg_pos.page_pos + page_shift,
3740 +- len,
3741 +- MSG_DONTWAIT | MSG_NOSIGNAL |
3742 +- MSG_MORE);
3743 ++ len, 1);
3744 +
3745 + if (crc &&
3746 + (msg->pages || msg->pagelist || msg->bio || in_trail))
3747 + kunmap(page);
3748 +
3749 +- if (ret == -EAGAIN)
3750 +- ret = 0;
3751 + if (ret <= 0)
3752 + goto out;
3753 +
3754 +diff --git a/net/core/dev.c b/net/core/dev.c
3755 +index 7bcf37df0ce9..854da1571997 100644
3756 +--- a/net/core/dev.c
3757 ++++ b/net/core/dev.c
3758 +@@ -3648,6 +3648,7 @@ static void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
3759 + skb->vlan_tci = 0;
3760 + skb->dev = napi->dev;
3761 + skb->skb_iif = 0;
3762 ++ skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
3763 +
3764 + napi->skb = skb;
3765 + }
3766 +diff --git a/net/core/filter.c b/net/core/filter.c
3767 +index 5dea45279215..9c88080e4049 100644
3768 +--- a/net/core/filter.c
3769 ++++ b/net/core/filter.c
3770 +@@ -320,6 +320,8 @@ load_b:
3771 +
3772 + if (skb_is_nonlinear(skb))
3773 + return 0;
3774 ++ if (skb->len < sizeof(struct nlattr))
3775 ++ return 0;
3776 + if (A > skb->len - sizeof(struct nlattr))
3777 + return 0;
3778 +
3779 +@@ -336,11 +338,13 @@ load_b:
3780 +
3781 + if (skb_is_nonlinear(skb))
3782 + return 0;
3783 ++ if (skb->len < sizeof(struct nlattr))
3784 ++ return 0;
3785 + if (A > skb->len - sizeof(struct nlattr))
3786 + return 0;
3787 +
3788 + nla = (struct nlattr *)&skb->data[A];
3789 +- if (nla->nla_len > A - skb->len)
3790 ++ if (nla->nla_len > skb->len - A)
3791 + return 0;
3792 +
3793 + nla = nla_find_nested(nla, X);
3794 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
3795 +index 5b7d5f25d43e..7beaf10cc837 100644
3796 +--- a/net/core/rtnetlink.c
3797 ++++ b/net/core/rtnetlink.c
3798 +@@ -744,7 +744,8 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
3799 + return 0;
3800 + }
3801 +
3802 +-static size_t rtnl_port_size(const struct net_device *dev)
3803 ++static size_t rtnl_port_size(const struct net_device *dev,
3804 ++ u32 ext_filter_mask)
3805 + {
3806 + size_t port_size = nla_total_size(4) /* PORT_VF */
3807 + + nla_total_size(PORT_PROFILE_MAX) /* PORT_PROFILE */
3808 +@@ -760,7 +761,8 @@ static size_t rtnl_port_size(const struct net_device *dev)
3809 + size_t port_self_size = nla_total_size(sizeof(struct nlattr))
3810 + + port_size;
3811 +
3812 +- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent)
3813 ++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent ||
3814 ++ !(ext_filter_mask & RTEXT_FILTER_VF))
3815 + return 0;
3816 + if (dev_num_vf(dev->dev.parent))
3817 + return port_self_size + vf_ports_size +
3818 +@@ -791,7 +793,7 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev,
3819 + + nla_total_size(ext_filter_mask
3820 + & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */
3821 + + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */
3822 +- + rtnl_port_size(dev) /* IFLA_VF_PORTS + IFLA_PORT_SELF */
3823 ++ + rtnl_port_size(dev, ext_filter_mask) /* IFLA_VF_PORTS + IFLA_PORT_SELF */
3824 + + rtnl_link_get_size(dev) /* IFLA_LINKINFO */
3825 + + rtnl_link_get_af_size(dev); /* IFLA_AF_SPEC */
3826 + }
3827 +@@ -851,11 +853,13 @@ static int rtnl_port_self_fill(struct sk_buff *skb, struct net_device *dev)
3828 + return 0;
3829 + }
3830 +
3831 +-static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev)
3832 ++static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev,
3833 ++ u32 ext_filter_mask)
3834 + {
3835 + int err;
3836 +
3837 +- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent)
3838 ++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent ||
3839 ++ !(ext_filter_mask & RTEXT_FILTER_VF))
3840 + return 0;
3841 +
3842 + err = rtnl_port_self_fill(skb, dev);
3843 +@@ -1002,7 +1006,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
3844 + nla_nest_end(skb, vfinfo);
3845 + }
3846 +
3847 +- if (rtnl_port_fill(skb, dev))
3848 ++ if (rtnl_port_fill(skb, dev, ext_filter_mask))
3849 + goto nla_put_failure;
3850 +
3851 + if (dev->rtnl_link_ops) {
3852 +@@ -1057,6 +1061,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
3853 + struct hlist_node *node;
3854 + struct nlattr *tb[IFLA_MAX+1];
3855 + u32 ext_filter_mask = 0;
3856 ++ int err;
3857 +
3858 + s_h = cb->args[0];
3859 + s_idx = cb->args[1];
3860 +@@ -1077,11 +1082,17 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
3861 + hlist_for_each_entry_rcu(dev, node, head, index_hlist) {
3862 + if (idx < s_idx)
3863 + goto cont;
3864 +- if (rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
3865 +- NETLINK_CB(cb->skb).pid,
3866 +- cb->nlh->nlmsg_seq, 0,
3867 +- NLM_F_MULTI,
3868 +- ext_filter_mask) <= 0)
3869 ++ err = rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
3870 ++ NETLINK_CB(cb->skb).pid,
3871 ++ cb->nlh->nlmsg_seq, 0,
3872 ++ NLM_F_MULTI,
3873 ++ ext_filter_mask);
3874 ++ /* If we ran out of room on the first message,
3875 ++ * we're in trouble
3876 ++ */
3877 ++ WARN_ON((err == -EMSGSIZE) && (skb->len == 0));
3878 ++
3879 ++ if (err <= 0)
3880 + goto out;
3881 +
3882 + nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3883 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
3884 +index 8ac4a0f3e869..9204d9b747f2 100644
3885 +--- a/net/core/skbuff.c
3886 ++++ b/net/core/skbuff.c
3887 +@@ -743,7 +743,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
3888 + struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
3889 + {
3890 + int headerlen = skb_headroom(skb);
3891 +- unsigned int size = (skb_end_pointer(skb) - skb->head) + skb->data_len;
3892 ++ unsigned int size = skb_end_offset(skb) + skb->data_len;
3893 + struct sk_buff *n = alloc_skb(size, gfp_mask);
3894 +
3895 + if (!n)
3896 +@@ -843,7 +843,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
3897 + {
3898 + int i;
3899 + u8 *data;
3900 +- int size = nhead + (skb_end_pointer(skb) - skb->head) + ntail;
3901 ++ int size = nhead + skb_end_offset(skb) + ntail;
3902 + long off;
3903 + bool fastpath;
3904 +
3905 +@@ -2642,14 +2642,13 @@ struct sk_buff *skb_segment(struct sk_buff *skb, u32 features)
3906 + if (unlikely(!nskb))
3907 + goto err;
3908 +
3909 +- hsize = skb_end_pointer(nskb) - nskb->head;
3910 ++ hsize = skb_end_offset(nskb);
3911 + if (skb_cow_head(nskb, doffset + headroom)) {
3912 + kfree_skb(nskb);
3913 + goto err;
3914 + }
3915 +
3916 +- nskb->truesize += skb_end_pointer(nskb) - nskb->head -
3917 +- hsize;
3918 ++ nskb->truesize += skb_end_offset(nskb) - hsize;
3919 + skb_release_head_state(nskb);
3920 + __skb_push(nskb, doffset);
3921 + } else {
3922 +@@ -3197,12 +3196,14 @@ EXPORT_SYMBOL(__skb_warn_lro_forwarding);
3923 + unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
3924 + {
3925 + const struct skb_shared_info *shinfo = skb_shinfo(skb);
3926 +- unsigned int hdr_len;
3927 +
3928 + if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
3929 +- hdr_len = tcp_hdrlen(skb);
3930 +- else
3931 +- hdr_len = sizeof(struct udphdr);
3932 +- return hdr_len + shinfo->gso_size;
3933 ++ return tcp_hdrlen(skb) + shinfo->gso_size;
3934 ++
3935 ++ /* UFO sets gso_size to the size of the fragmentation
3936 ++ * payload, i.e. the size of the L4 (UDP) header is already
3937 ++ * accounted for.
3938 ++ */
3939 ++ return shinfo->gso_size;
3940 + }
3941 + EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
3942 +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
3943 +index d01f9c658dec..76da979baed0 100644
3944 +--- a/net/ipv4/fib_semantics.c
3945 ++++ b/net/ipv4/fib_semantics.c
3946 +@@ -752,13 +752,13 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
3947 + fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
3948 + if (fi == NULL)
3949 + goto failure;
3950 ++ fib_info_cnt++;
3951 + if (cfg->fc_mx) {
3952 + fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
3953 + if (!fi->fib_metrics)
3954 + goto failure;
3955 + } else
3956 + fi->fib_metrics = (u32 *) dst_default_metrics;
3957 +- fib_info_cnt++;
3958 +
3959 + fi->fib_net = hold_net(net);
3960 + fi->fib_protocol = cfg->fc_protocol;
3961 +diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
3962 +index e0d9f02fec11..7593f3a46035 100644
3963 +--- a/net/ipv4/ip_forward.c
3964 ++++ b/net/ipv4/ip_forward.c
3965 +@@ -42,12 +42,12 @@
3966 + static bool ip_may_fragment(const struct sk_buff *skb)
3967 + {
3968 + return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
3969 +- !skb->local_df;
3970 ++ skb->local_df;
3971 + }
3972 +
3973 + static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
3974 + {
3975 +- if (skb->len <= mtu || skb->local_df)
3976 ++ if (skb->len <= mtu)
3977 + return false;
3978 +
3979 + if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
3980 +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
3981 +index fd7a3f68917f..bcb6e6197595 100644
3982 +--- a/net/ipv4/netfilter/arp_tables.c
3983 ++++ b/net/ipv4/netfilter/arp_tables.c
3984 +@@ -1039,8 +1039,10 @@ static int __do_replace(struct net *net, const char *name,
3985 +
3986 + xt_free_table_info(oldinfo);
3987 + if (copy_to_user(counters_ptr, counters,
3988 +- sizeof(struct xt_counters) * num_counters) != 0)
3989 +- ret = -EFAULT;
3990 ++ sizeof(struct xt_counters) * num_counters) != 0) {
3991 ++ /* Silent error, can't fail, new table is already in place */
3992 ++ net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n");
3993 ++ }
3994 + vfree(counters);
3995 + xt_table_unlock(t);
3996 + return ret;
3997 +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
3998 +index 24e556e83a3b..f98a1cf54c5b 100644
3999 +--- a/net/ipv4/netfilter/ip_tables.c
4000 ++++ b/net/ipv4/netfilter/ip_tables.c
4001 +@@ -1227,8 +1227,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
4002 +
4003 + xt_free_table_info(oldinfo);
4004 + if (copy_to_user(counters_ptr, counters,
4005 +- sizeof(struct xt_counters) * num_counters) != 0)
4006 +- ret = -EFAULT;
4007 ++ sizeof(struct xt_counters) * num_counters) != 0) {
4008 ++ /* Silent error, can't fail, new table is already in place */
4009 ++ net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
4010 ++ }
4011 + vfree(counters);
4012 + xt_table_unlock(t);
4013 + return ret;
4014 +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
4015 +index 00975b6db7e9..d495d4bcd745 100644
4016 +--- a/net/ipv4/ping.c
4017 ++++ b/net/ipv4/ping.c
4018 +@@ -203,26 +203,33 @@ static int ping_init_sock(struct sock *sk)
4019 + struct net *net = sock_net(sk);
4020 + gid_t group = current_egid();
4021 + gid_t range[2];
4022 +- struct group_info *group_info = get_current_groups();
4023 +- int i, j, count = group_info->ngroups;
4024 ++ struct group_info *group_info;
4025 ++ int i, j, count;
4026 ++ int ret = 0;
4027 +
4028 + inet_get_ping_group_range_net(net, range, range+1);
4029 + if (range[0] <= group && group <= range[1])
4030 + return 0;
4031 +
4032 ++ group_info = get_current_groups();
4033 ++ count = group_info->ngroups;
4034 + for (i = 0; i < group_info->nblocks; i++) {
4035 + int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
4036 +
4037 + for (j = 0; j < cp_count; j++) {
4038 + group = group_info->blocks[i][j];
4039 + if (range[0] <= group && group <= range[1])
4040 +- return 0;
4041 ++ goto out_release_group;
4042 + }
4043 +
4044 + count -= cp_count;
4045 + }
4046 +
4047 +- return -EACCES;
4048 ++ ret = -EACCES;
4049 ++
4050 ++out_release_group:
4051 ++ put_group_info(group_info);
4052 ++ return ret;
4053 + }
4054 +
4055 + static void ping_close(struct sock *sk, long timeout)
4056 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
4057 +index 6768ce2f50b1..6526110ba784 100644
4058 +--- a/net/ipv4/route.c
4059 ++++ b/net/ipv4/route.c
4060 +@@ -2142,7 +2142,7 @@ static int __mkroute_input(struct sk_buff *skb,
4061 + struct in_device *out_dev;
4062 + unsigned int flags = 0;
4063 + __be32 spec_dst;
4064 +- u32 itag;
4065 ++ u32 itag = 0;
4066 +
4067 + /* get a working reference to the output device */
4068 + out_dev = __in_dev_get_rcu(FIB_RES_DEV(*res));
4069 +diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
4070 +index b78eac2b7079..ed3d6d4a6d65 100644
4071 +--- a/net/ipv4/tcp_cubic.c
4072 ++++ b/net/ipv4/tcp_cubic.c
4073 +@@ -406,7 +406,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
4074 + ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT;
4075 + ratio += cnt;
4076 +
4077 +- ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT);
4078 ++ ca->delayed_ack = clamp(ratio, 1U, ACK_RATIO_LIMIT);
4079 + }
4080 +
4081 + /* Some calls are for duplicates without timetamps */
4082 +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
4083 +index 94874b0bdcdc..2e752b2f5b30 100644
4084 +--- a/net/ipv6/netfilter/ip6_tables.c
4085 ++++ b/net/ipv6/netfilter/ip6_tables.c
4086 +@@ -1249,8 +1249,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
4087 +
4088 + xt_free_table_info(oldinfo);
4089 + if (copy_to_user(counters_ptr, counters,
4090 +- sizeof(struct xt_counters) * num_counters) != 0)
4091 +- ret = -EFAULT;
4092 ++ sizeof(struct xt_counters) * num_counters) != 0) {
4093 ++ /* Silent error, can't fail, new table is already in place */
4094 ++ net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
4095 ++ }
4096 + vfree(counters);
4097 + xt_table_unlock(t);
4098 + return ret;
4099 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
4100 +index 39e11f923a73..782f67a4f568 100644
4101 +--- a/net/ipv6/route.c
4102 ++++ b/net/ipv6/route.c
4103 +@@ -1056,7 +1056,7 @@ static unsigned int ip6_mtu(const struct dst_entry *dst)
4104 + unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
4105 +
4106 + if (mtu)
4107 +- return mtu;
4108 ++ goto out;
4109 +
4110 + mtu = IPV6_MIN_MTU;
4111 +
4112 +@@ -1066,7 +1066,8 @@ static unsigned int ip6_mtu(const struct dst_entry *dst)
4113 + mtu = idev->cnf.mtu6;
4114 + rcu_read_unlock();
4115 +
4116 +- return mtu;
4117 ++out:
4118 ++ return min_t(unsigned int, mtu, IP6_MAX_MTU);
4119 + }
4120 +
4121 + static struct dst_entry *icmp6_dst_gc_list;
4122 +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
4123 +index 969cd3eacd2b..e0f0934d6c39 100644
4124 +--- a/net/l2tp/l2tp_ppp.c
4125 ++++ b/net/l2tp/l2tp_ppp.c
4126 +@@ -772,9 +772,9 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
4127 + session->deref = pppol2tp_session_sock_put;
4128 +
4129 + /* If PMTU discovery was enabled, use the MTU that was discovered */
4130 +- dst = sk_dst_get(sk);
4131 ++ dst = sk_dst_get(tunnel->sock);
4132 + if (dst != NULL) {
4133 +- u32 pmtu = dst_mtu(__sk_dst_get(sk));
4134 ++ u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock));
4135 + if (pmtu != 0)
4136 + session->mtu = session->mru = pmtu -
4137 + PPPOL2TP_HEADER_OVERHEAD;
4138 +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
4139 +index e051398fdf6b..d067ed16bab1 100644
4140 +--- a/net/sched/act_mirred.c
4141 ++++ b/net/sched/act_mirred.c
4142 +@@ -201,13 +201,12 @@ static int tcf_mirred(struct sk_buff *skb, const struct tc_action *a,
4143 + out:
4144 + if (err) {
4145 + m->tcf_qstats.overlimits++;
4146 +- /* should we be asking for packet to be dropped?
4147 +- * may make sense for redirect case only
4148 +- */
4149 +- retval = TC_ACT_SHOT;
4150 +- } else {
4151 ++ if (m->tcfm_eaction != TCA_EGRESS_MIRROR)
4152 ++ retval = TC_ACT_SHOT;
4153 ++ else
4154 ++ retval = m->tcf_action;
4155 ++ } else
4156 + retval = m->tcf_action;
4157 +- }
4158 + spin_unlock(&m->tcf_lock);
4159 +
4160 + return retval;
4161 +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
4162 +index 6f6ad8686833..de35e01f03a9 100644
4163 +--- a/net/sctp/protocol.c
4164 ++++ b/net/sctp/protocol.c
4165 +@@ -528,8 +528,13 @@ static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
4166 + continue;
4167 + if ((laddr->state == SCTP_ADDR_SRC) &&
4168 + (AF_INET == laddr->a.sa.sa_family)) {
4169 +- fl4->saddr = laddr->a.v4.sin_addr.s_addr;
4170 + fl4->fl4_sport = laddr->a.v4.sin_port;
4171 ++ flowi4_update_output(fl4,
4172 ++ asoc->base.sk->sk_bound_dev_if,
4173 ++ RT_CONN_FLAGS(asoc->base.sk),
4174 ++ daddr->v4.sin_addr.s_addr,
4175 ++ laddr->a.v4.sin_addr.s_addr);
4176 ++
4177 + rt = ip_route_output_key(&init_net, fl4);
4178 + if (!IS_ERR(rt)) {
4179 + dst = &rt->dst;
4180 +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
4181 +index 619228d156c4..dc5748f3e384 100644
4182 +--- a/scripts/mod/modpost.c
4183 ++++ b/scripts/mod/modpost.c
4184 +@@ -569,12 +569,16 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname)
4185 + if (strncmp(symname, "_restgpr_", sizeof("_restgpr_") - 1) == 0 ||
4186 + strncmp(symname, "_savegpr_", sizeof("_savegpr_") - 1) == 0 ||
4187 + strncmp(symname, "_rest32gpr_", sizeof("_rest32gpr_") - 1) == 0 ||
4188 +- strncmp(symname, "_save32gpr_", sizeof("_save32gpr_") - 1) == 0)
4189 ++ strncmp(symname, "_save32gpr_", sizeof("_save32gpr_") - 1) == 0 ||
4190 ++ strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 ||
4191 ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0)
4192 + return 1;
4193 + if (info->hdr->e_machine == EM_PPC64)
4194 + /* Special register function linked on all modules during final link of .ko */
4195 + if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 ||
4196 +- strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0)
4197 ++ strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 ||
4198 ++ strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 ||
4199 ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0)
4200 + return 1;
4201 + /* Do not ignore this symbol */
4202 + return 0;
4203 +diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c
4204 +index 74268b4c2ee1..bdd2c0d690d6 100644
4205 +--- a/virt/kvm/async_pf.c
4206 ++++ b/virt/kvm/async_pf.c
4207 +@@ -75,7 +75,6 @@ static void async_pf_execute(struct work_struct *work)
4208 + spin_lock(&vcpu->async_pf.lock);
4209 + list_add_tail(&apf->link, &vcpu->async_pf.done);
4210 + apf->page = page;
4211 +- apf->done = true;
4212 + spin_unlock(&vcpu->async_pf.lock);
4213 +
4214 + /*
4215 +@@ -88,7 +87,7 @@ static void async_pf_execute(struct work_struct *work)
4216 + if (waitqueue_active(&vcpu->wq))
4217 + wake_up_interruptible(&vcpu->wq);
4218 +
4219 +- mmdrop(mm);
4220 ++ mmput(mm);
4221 + kvm_put_kvm(vcpu->kvm);
4222 + }
4223 +
4224 +@@ -99,10 +98,12 @@ void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu)
4225 + struct kvm_async_pf *work =
4226 + list_entry(vcpu->async_pf.queue.next,
4227 + typeof(*work), queue);
4228 +- cancel_work_sync(&work->work);
4229 + list_del(&work->queue);
4230 +- if (!work->done) /* work was canceled */
4231 ++ if (cancel_work_sync(&work->work)) {
4232 ++ mmput(work->mm);
4233 ++ kvm_put_kvm(vcpu->kvm); /* == work->vcpu->kvm */
4234 + kmem_cache_free(async_pf_cache, work);
4235 ++ }
4236 + }
4237 +
4238 + spin_lock(&vcpu->async_pf.lock);
4239 +@@ -163,13 +164,12 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn,
4240 + return 0;
4241 +
4242 + work->page = NULL;
4243 +- work->done = false;
4244 + work->vcpu = vcpu;
4245 + work->gva = gva;
4246 + work->addr = gfn_to_hva(vcpu->kvm, gfn);
4247 + work->arch = *arch;
4248 + work->mm = current->mm;
4249 +- atomic_inc(&work->mm->mm_count);
4250 ++ atomic_inc(&work->mm->mm_users);
4251 + kvm_get_kvm(work->vcpu->kvm);
4252 +
4253 + /* this can't really happen otherwise gfn_to_pfn_async
4254 +@@ -187,7 +187,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn,
4255 + return 1;
4256 + retry_sync:
4257 + kvm_put_kvm(work->vcpu->kvm);
4258 +- mmdrop(work->mm);
4259 ++ mmput(work->mm);
4260 + kmem_cache_free(async_pf_cache, work);
4261 + return 0;
4262 + }
4263
4264 Deleted: genpatches-2.6/trunk/3.2/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
4265 ===================================================================
4266 --- genpatches-2.6/trunk/3.2/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-06-09 17:57:46 UTC (rev 2822)
4267 +++ genpatches-2.6/trunk/3.2/1500_CVE-2014-0196-n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch 2014-06-09 18:29:31 UTC (rev 2823)
4268 @@ -1,77 +0,0 @@
4269 -From: Peter Hurley <peter@××××××××××××××.com>
4270 -Date: Sat, 3 May 2014 14:04:59 +0200
4271 -Subject: n_tty: Fix n_tty_write crash when echoing in raw mode
4272 -
4273 -commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream.
4274 -
4275 -The tty atomic_write_lock does not provide an exclusion guarantee for
4276 -the tty driver if the termios settings are LECHO & !OPOST. And since
4277 -it is unexpected and not allowed to call TTY buffer helpers like
4278 -tty_insert_flip_string concurrently, this may lead to crashes when
4279 -concurrect writers call pty_write. In that case the following two
4280 -writers:
4281 -* the ECHOing from a workqueue and
4282 -* pty_write from the process
4283 -race and can overflow the corresponding TTY buffer like follows.
4284 -
4285 -If we look into tty_insert_flip_string_fixed_flag, there is:
4286 - int space = __tty_buffer_request_room(port, goal, flags);
4287 - struct tty_buffer *tb = port->buf.tail;
4288 - ...
4289 - memcpy(char_buf_ptr(tb, tb->used), chars, space);
4290 - ...
4291 - tb->used += space;
4292 -
4293 -so the race of the two can result in something like this:
4294 - A B
4295 -__tty_buffer_request_room
4296 - __tty_buffer_request_room
4297 -memcpy(buf(tb->used), ...)
4298 -tb->used += space;
4299 - memcpy(buf(tb->used), ...) ->BOOM
4300 -
4301 -B's memcpy is past the tty_buffer due to the previous A's tb->used
4302 -increment.
4303 -
4304 -Since the N_TTY line discipline input processing can output
4305 -concurrently with a tty write, obtain the N_TTY ldisc output_lock to
4306 -serialize echo output with normal tty writes. This ensures the tty
4307 -buffer helper tty_insert_flip_string is not called concurrently and
4308 -everything is fine.
4309 -
4310 -Note that this is nicely reproducible by an ordinary user using
4311 -forkpty and some setup around that (raw termios + ECHO). And it is
4312 -present in kernels at least after commit
4313 -d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
4314 -use the normal buffering logic) in 2.6.31-rc3.
4315 -
4316 -js: add more info to the commit log
4317 -js: switch to bool
4318 -js: lock unconditionally
4319 -js: lock only the tty->ops->write call
4320 -
4321 -References: CVE-2014-0196
4322 -Reported-and-tested-by: Jiri Slaby <jslaby@××××.cz>
4323 -Signed-off-by: Peter Hurley <peter@××××××××××××××.com>
4324 -Signed-off-by: Jiri Slaby <jslaby@××××.cz>
4325 -Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
4326 -Cc: Alan Cox <alan@××××××××××××××××.uk>
4327 -Signed-off-by: Greg Kroah-Hartman <gregkh@×××××××××××××××.org>
4328 -[bwh: Backported to 3.2: output_lock is a member of struct tty_struct]
4329 -Signed-off-by: Ben Hutchings <ben@××××××××××××.uk>
4330 ----
4331 - drivers/tty/n_tty.c | 2 ++
4332 - 1 file changed, 2 insertions(+)
4333 -
4334 ---- a/drivers/tty/n_tty.c
4335 -+++ b/drivers/tty/n_tty.c
4336 -@@ -1996,7 +1996,9 @@ static ssize_t n_tty_write(struct tty_st
4337 - tty->ops->flush_chars(tty);
4338 - } else {
4339 - while (nr > 0) {
4340 -+ mutex_lock(&tty->output_lock);
4341 - c = tty->ops->write(tty, b, nr);
4342 -+ mutex_unlock(&tty->output_lock);
4343 - if (c < 0) {
4344 - retval = c;
4345 - goto break_out;
4346
4347 Deleted: genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch
4348 ===================================================================
4349 --- genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-09 17:57:46 UTC (rev 2822)
4350 +++ genpatches-2.6/trunk/3.2/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-09 18:29:31 UTC (rev 2823)
4351 @@ -1,160 +0,0 @@
4352 -From: Thomas Gleixner <tglx@××××××××××.de>
4353 -Date: Mon, 12 May 2014 20:45:34 +0000
4354 -Subject: futex: Add another early deadlock detection check
4355 -Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f
4356 -
4357 -Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
4358 -detection code of rtmutex:
4359 - http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com
4360 -
4361 -That underlying issue has been fixed with a patch to the rtmutex code,
4362 -but the futex code must not call into rtmutex in that case because
4363 - - it can detect that issue early
4364 - - it avoids a different and more complex fixup for backing out
4365 -
4366 -If the user space variable got manipulated to 0x80000000 which means
4367 -no lock holder, but the waiters bit set and an active pi_state in the
4368 -kernel is found we can figure out the recursive locking issue by
4369 -looking at the pi_state owner. If that is the current task, then we
4370 -can safely return -EDEADLK.
4371 -
4372 -The check should have been added in commit 59fa62451 (futex: Handle
4373 -futex_pi OWNER_DIED take over correctly) already, but I did not see
4374 -the above issue caused by user space manipulation back then.
4375 -
4376 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4377 -Cc: Dave Jones <davej@××××××.com>
4378 -Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
4379 -Cc: Peter Zijlstra <peterz@×××××××××.org>
4380 -Cc: Darren Hart <darren@××××××.com>
4381 -Cc: Davidlohr Bueso <davidlohr@××.com>
4382 -Cc: Steven Rostedt <rostedt@×××××××.org>
4383 -Cc: Clark Williams <williams@××××××.com>
4384 -Cc: Paul McKenney <paulmck@××××××××××××××.com>
4385 -Cc: Lai Jiangshan <laijs@××××××××××.com>
4386 -Cc: Roland McGrath <roland@×××××××××.com>
4387 -Cc: Carlos ODonell <carlos@××××××.com>
4388 -Cc: Jakub Jelinek <jakub@××××××.com>
4389 -Cc: Michael Kerrisk <mtk.manpages@×××××.com>
4390 -Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
4391 -Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de
4392 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4393 -Cc: stable@×××××××××××.org
4394 ----
4395 - kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
4396 - 1 file changed, 34 insertions(+), 13 deletions(-)
4397 -
4398 -Index: linux-3.4/kernel/futex.c
4399 -===================================================================
4400 ---- linux-3.4.orig/kernel/futex.c
4401 -+++ linux-3.4/kernel/futex.c
4402 -@@ -590,7 +590,8 @@ void exit_pi_state_list(struct task_stru
4403 -
4404 - static int
4405 - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
4406 -- union futex_key *key, struct futex_pi_state **ps)
4407 -+ union futex_key *key, struct futex_pi_state **ps,
4408 -+ struct task_struct *task)
4409 - {
4410 - struct futex_pi_state *pi_state = NULL;
4411 - struct futex_q *this, *next;
4412 -@@ -634,6 +635,16 @@ lookup_pi_state(u32 uval, struct futex_h
4413 - return -EINVAL;
4414 - }
4415 -
4416 -+ /*
4417 -+ * Protect against a corrupted uval. If uval
4418 -+ * is 0x80000000 then pid is 0 and the waiter
4419 -+ * bit is set. So the deadlock check in the
4420 -+ * calling code has failed and we did not fall
4421 -+ * into the check above due to !pid.
4422 -+ */
4423 -+ if (task && pi_state->owner == task)
4424 -+ return -EDEADLK;
4425 -+
4426 - atomic_inc(&pi_state->refcount);
4427 - *ps = pi_state;
4428 -
4429 -@@ -783,7 +794,7 @@ retry:
4430 - * We dont have the lock. Look up the PI state (or create it if
4431 - * we are the first waiter):
4432 - */
4433 -- ret = lookup_pi_state(uval, hb, key, ps);
4434 -+ ret = lookup_pi_state(uval, hb, key, ps, task);
4435 -
4436 - if (unlikely(ret)) {
4437 - switch (ret) {
4438 -@@ -1193,7 +1204,7 @@ void requeue_pi_wake_futex(struct futex_
4439 - *
4440 - * Returns:
4441 - * 0 - failed to acquire the lock atomicly
4442 -- * 1 - acquired the lock
4443 -+ * >0 - acquired the lock, return value is vpid of the top_waiter
4444 - * <0 - error
4445 - */
4446 - static int futex_proxy_trylock_atomic(u32 __user *pifutex,
4447 -@@ -1204,7 +1215,7 @@ static int futex_proxy_trylock_atomic(u3
4448 - {
4449 - struct futex_q *top_waiter = NULL;
4450 - u32 curval;
4451 -- int ret;
4452 -+ int ret, vpid;
4453 -
4454 - if (get_futex_value_locked(&curval, pifutex))
4455 - return -EFAULT;
4456 -@@ -1232,11 +1243,13 @@ static int futex_proxy_trylock_atomic(u3
4457 - * the contended case or if set_waiters is 1. The pi_state is returned
4458 - * in ps in contended cases.
4459 - */
4460 -+ vpid = task_pid_vnr(top_waiter->task);
4461 - ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
4462 - set_waiters);
4463 -- if (ret == 1)
4464 -+ if (ret == 1) {
4465 - requeue_pi_wake_futex(top_waiter, key2, hb2);
4466 --
4467 -+ return vpid;
4468 -+ }
4469 - return ret;
4470 - }
4471 -
4472 -@@ -1268,7 +1281,6 @@ static int futex_requeue(u32 __user *uad
4473 - struct futex_hash_bucket *hb1, *hb2;
4474 - struct plist_head *head1;
4475 - struct futex_q *this, *next;
4476 -- u32 curval2;
4477 -
4478 - if (requeue_pi) {
4479 - /*
4480 -@@ -1354,16 +1366,25 @@ retry_private:
4481 - * At this point the top_waiter has either taken uaddr2 or is
4482 - * waiting on it. If the former, then the pi_state will not
4483 - * exist yet, look it up one more time to ensure we have a
4484 -- * reference to it.
4485 -+ * reference to it. If the lock was taken, ret contains the
4486 -+ * vpid of the top waiter task.
4487 - */
4488 -- if (ret == 1) {
4489 -+ if (ret > 0) {
4490 - WARN_ON(pi_state);
4491 - drop_count++;
4492 - task_count++;
4493 -- ret = get_futex_value_locked(&curval2, uaddr2);
4494 -- if (!ret)
4495 -- ret = lookup_pi_state(curval2, hb2, &key2,
4496 -- &pi_state);
4497 -+ /*
4498 -+ * If we acquired the lock, then the user
4499 -+ * space value of uaddr2 should be vpid. It
4500 -+ * cannot be changed by the top waiter as it
4501 -+ * is blocked on hb2 lock if it tries to do
4502 -+ * so. If something fiddled with it behind our
4503 -+ * back the pi state lookup might unearth
4504 -+ * it. So we rather use the known value than
4505 -+ * rereading and handing potential crap to
4506 -+ * lookup_pi_state.
4507 -+ */
4508 -+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
4509 - }
4510 -
4511 - switch (ret) {
4512
4513 Deleted: genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch
4514 ===================================================================
4515 --- genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-09 17:57:46 UTC (rev 2822)
4516 +++ genpatches-2.6/trunk/3.2/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-09 18:29:31 UTC (rev 2823)
4517 @@ -1,52 +0,0 @@
4518 -From: Thomas Gleixner <tglx@××××××××××.de>
4519 -Date: Mon, 12 May 2014 20:45:35 +0000
4520 -Subject: futex: Prevent attaching to kernel threads
4521 -Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
4522 -
4523 -We happily allow userspace to declare a random kernel thread to be the
4524 -owner of a user space PI futex.
4525 -
4526 -Found while analysing the fallout of Dave Jones syscall fuzzer.
4527 -
4528 -We also should validate the thread group for private futexes and find
4529 -some fast way to validate whether the "alleged" owner has RW access on
4530 -the file which backs the SHM, but that's a separate issue.
4531 -
4532 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4533 -Cc: Dave Jones <davej@××××××.com>
4534 -Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
4535 -Cc: Peter Zijlstra <peterz@×××××××××.org>
4536 -Cc: Darren Hart <darren@××××××.com>
4537 -Cc: Davidlohr Bueso <davidlohr@××.com>
4538 -Cc: Steven Rostedt <rostedt@×××××××.org>
4539 -Cc: Clark Williams <williams@××××××.com>
4540 -Cc: Paul McKenney <paulmck@××××××××××××××.com>
4541 -Cc: Lai Jiangshan <laijs@××××××××××.com>
4542 -Cc: Roland McGrath <roland@×××××××××.com>
4543 -Cc: Carlos ODonell <carlos@××××××.com>
4544 -Cc: Jakub Jelinek <jakub@××××××.com>
4545 -Cc: Michael Kerrisk <mtk.manpages@×××××.com>
4546 -Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
4547 -Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de
4548 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4549 -Cc: stable@×××××××××××.org
4550 ----
4551 - kernel/futex.c | 5 +++++
4552 - 1 file changed, 5 insertions(+)
4553 -
4554 -Index: linux-3.4/kernel/futex.c
4555 -===================================================================
4556 ---- linux-3.4.orig/kernel/futex.c
4557 -+++ linux-3.4/kernel/futex.c
4558 -@@ -662,6 +662,11 @@ lookup_pi_state(u32 uval, struct futex_h
4559 - if (!p)
4560 - return -ESRCH;
4561 -
4562 -+ if (!p->mm) {
4563 -+ put_task_struct(p);
4564 -+ return -EPERM;
4565 -+ }
4566 -+
4567 - /*
4568 - * We need to look at the task state flags to figure out,
4569 - * whether the task is exiting. To protect against the do_exit
4570
4571 Deleted: genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
4572 ===================================================================
4573 --- genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-09 17:57:46 UTC (rev 2822)
4574 +++ genpatches-2.6/trunk/3.2/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-09 18:29:31 UTC (rev 2823)
4575 @@ -1,81 +0,0 @@
4576 -From: Thomas Gleixner <tglx@××××××××××.de>
4577 -Date: Tue, 3 Jun 2014 12:27:06 +0000
4578 -Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
4579 - uaddr2 in futex_requeue(..., requeue_pi=1)
4580 -Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8
4581 -
4582 -If uaddr == uaddr2, then we have broken the rule of only requeueing from
4583 -a non-pi futex to a pi futex with this call. If we attempt this, then
4584 -dangling pointers may be left for rt_waiter resulting in an exploitable
4585 -condition.
4586 -
4587 -This change brings futex_requeue() in line with futex_wait_requeue_pi()
4588 -which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
4589 -uaddr == uaddr2 in futex_wait_requeue_pi()")
4590 -
4591 -[ tglx: Compare the resulting keys as well, as uaddrs might be
4592 - different depending on the mapping ]
4593 -
4594 -Fixes CVE-2014-3153.
4595 -
4596 -Reported-by: Pinkie Pie
4597 -Signed-off-by: Will Drewry <wad@××××××××.org>
4598 -Signed-off-by: Kees Cook <keescook@××××××××.org>
4599 -Cc: stable@×××××××××××.org
4600 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4601 -Reviewed-by: Darren Hart <dvhart@×××××××××××.com>
4602 -Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
4603 ----
4604 - kernel/futex.c | 25 +++++++++++++++++++++++++
4605 - 1 file changed, 25 insertions(+)
4606 -
4607 -Index: linux-3.4/kernel/futex.c
4608 -===================================================================
4609 ---- linux-3.4.orig/kernel/futex.c
4610 -+++ linux-3.4/kernel/futex.c
4611 -@@ -1289,6 +1289,13 @@ static int futex_requeue(u32 __user *uad
4612 -
4613 - if (requeue_pi) {
4614 - /*
4615 -+ * Requeue PI only works on two distinct uaddrs. This
4616 -+ * check is only valid for private futexes. See below.
4617 -+ */
4618 -+ if (uaddr1 == uaddr2)
4619 -+ return -EINVAL;
4620 -+
4621 -+ /*
4622 - * requeue_pi requires a pi_state, try to allocate it now
4623 - * without any locks in case it fails.
4624 - */
4625 -@@ -1326,6 +1333,15 @@ retry:
4626 - if (unlikely(ret != 0))
4627 - goto out_put_key1;
4628 -
4629 -+ /*
4630 -+ * The check above which compares uaddrs is not sufficient for
4631 -+ * shared futexes. We need to compare the keys:
4632 -+ */
4633 -+ if (requeue_pi && match_futex(&key1, &key2)) {
4634 -+ ret = -EINVAL;
4635 -+ goto out_put_keys;
4636 -+ }
4637 -+
4638 - hb1 = hash_futex(&key1);
4639 - hb2 = hash_futex(&key2);
4640 -
4641 -@@ -2357,6 +2373,15 @@ static int futex_wait_requeue_pi(u32 __u
4642 - if (ret)
4643 - goto out_key2;
4644 -
4645 -+ /*
4646 -+ * The check above which compares uaddrs is not sufficient for
4647 -+ * shared futexes. We need to compare the keys:
4648 -+ */
4649 -+ if (match_futex(&q.key, &key2)) {
4650 -+ ret = -EINVAL;
4651 -+ goto out_put_keys;
4652 -+ }
4653 -+
4654 - /* Queue the futex_q, drop the hb lock, wait for wakeup. */
4655 - futex_wait_queue_me(hb, &q, to);
4656 -
4657
4658 Deleted: genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
4659 ===================================================================
4660 --- genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-09 17:57:46 UTC (rev 2822)
4661 +++ genpatches-2.6/trunk/3.2/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-09 18:29:31 UTC (rev 2823)
4662 @@ -1,53 +0,0 @@
4663 -From: Thomas Gleixner <tglx@××××××××××.de>
4664 -Date: Tue, 3 Jun 2014 12:27:06 +0000
4665 -Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
4666 -Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
4667 -
4668 -We need to protect the atomic acquisition in the kernel against rogue
4669 -user space which sets the user space futex to 0, so the kernel side
4670 -acquisition succeeds while there is existing state in the kernel
4671 -associated to the real owner.
4672 -
4673 -Verify whether the futex has waiters associated with kernel state. If
4674 -it has, return -EINVAL. The state is corrupted already, so no point in
4675 -cleaning it up. Subsequent calls will fail as well. Not our problem.
4676 -
4677 -[ tglx: Use futex_top_waiter() and explain why we do not need to try
4678 - restoring the already corrupted user space state. ]
4679 -
4680 -Signed-off-by: Darren Hart <dvhart@×××××××××××.com>
4681 -Cc: Kees Cook <keescook@××××××××.org>
4682 -Cc: Will Drewry <wad@××××××××.org>
4683 -Cc: stable@×××××××××××.org
4684 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4685 -Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
4686 ----
4687 - kernel/futex.c | 14 +++++++++++---
4688 - 1 file changed, 11 insertions(+), 3 deletions(-)
4689 -
4690 -Index: linux-3.4/kernel/futex.c
4691 -===================================================================
4692 ---- linux-3.4.orig/kernel/futex.c
4693 -+++ linux-3.4/kernel/futex.c
4694 -@@ -758,10 +758,18 @@ retry:
4695 - return -EDEADLK;
4696 -
4697 - /*
4698 -- * Surprise - we got the lock. Just return to userspace:
4699 -+ * Surprise - we got the lock, but we do not trust user space at all.
4700 - */
4701 -- if (unlikely(!curval))
4702 -- return 1;
4703 -+ if (unlikely(!curval)) {
4704 -+ /*
4705 -+ * We verify whether there is kernel state for this
4706 -+ * futex. If not, we can safely assume, that the 0 ->
4707 -+ * TID transition is correct. If state exists, we do
4708 -+ * not bother to fixup the user space state as it was
4709 -+ * corrupted already.
4710 -+ */
4711 -+ return futex_top_waiter(hb, key) ? -EINVAL : 1;
4712 -+ }
4713 -
4714 - uval = curval;
4715 -
4716
4717 Deleted: genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
4718 ===================================================================
4719 --- genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-09 17:57:46 UTC (rev 2822)
4720 +++ genpatches-2.6/trunk/3.2/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-09 18:29:31 UTC (rev 2823)
4721 @@ -1,99 +0,0 @@
4722 -From: Thomas Gleixner <tglx@××××××××××.de>
4723 -Date: Tue, 3 Jun 2014 12:27:07 +0000
4724 -Subject: futex: Always cleanup owner tid in unlock_pi
4725 -Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
4726 -
4727 -If the owner died bit is set at futex_unlock_pi, we currently do not
4728 -cleanup the user space futex. So the owner TID of the current owner
4729 -(the unlocker) persists. That's observable inconsistant state,
4730 -especially when the ownership of the pi state got transferred.
4731 -
4732 -Clean it up unconditionally.
4733 -
4734 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4735 -Cc: Kees Cook <keescook@××××××××.org>
4736 -Cc: Will Drewry <wad@××××××××.org>
4737 -Cc: Darren Hart <dvhart@×××××××××××.com>
4738 -Cc: stable@×××××××××××.org
4739 -Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
4740 ----
4741 - kernel/futex.c | 40 ++++++++++++++++++----------------------
4742 - 1 file changed, 18 insertions(+), 22 deletions(-)
4743 -
4744 -Index: linux-3.4/kernel/futex.c
4745 -===================================================================
4746 ---- linux-3.4.orig/kernel/futex.c
4747 -+++ linux-3.4/kernel/futex.c
4748 -@@ -899,6 +899,7 @@ static int wake_futex_pi(u32 __user *uad
4749 - struct task_struct *new_owner;
4750 - struct futex_pi_state *pi_state = this->pi_state;
4751 - u32 uninitialized_var(curval), newval;
4752 -+ int ret = 0;
4753 -
4754 - if (!pi_state)
4755 - return -EINVAL;
4756 -@@ -922,23 +923,19 @@ static int wake_futex_pi(u32 __user *uad
4757 - new_owner = this->task;
4758 -
4759 - /*
4760 -- * We pass it to the next owner. (The WAITERS bit is always
4761 -- * kept enabled while there is PI state around. We must also
4762 -- * preserve the owner died bit.)
4763 -- */
4764 -- if (!(uval & FUTEX_OWNER_DIED)) {
4765 -- int ret = 0;
4766 --
4767 -- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
4768 --
4769 -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
4770 -- ret = -EFAULT;
4771 -- else if (curval != uval)
4772 -- ret = -EINVAL;
4773 -- if (ret) {
4774 -- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
4775 -- return ret;
4776 -- }
4777 -+ * We pass it to the next owner. The WAITERS bit is always
4778 -+ * kept enabled while there is PI state around. We cleanup the
4779 -+ * owner died bit, because we are the owner.
4780 -+ */
4781 -+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
4782 -+
4783 -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
4784 -+ ret = -EFAULT;
4785 -+ else if (curval != uval)
4786 -+ ret = -EINVAL;
4787 -+ if (ret) {
4788 -+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
4789 -+ return ret;
4790 - }
4791 -
4792 - raw_spin_lock_irq(&pi_state->owner->pi_lock);
4793 -@@ -2183,9 +2180,10 @@ retry:
4794 - /*
4795 - * To avoid races, try to do the TID -> 0 atomic transition
4796 - * again. If it succeeds then we can return without waking
4797 -- * anyone else up:
4798 -+ * anyone else up. We only try this if neither the waiters nor
4799 -+ * the owner died bit are set.
4800 - */
4801 -- if (!(uval & FUTEX_OWNER_DIED) &&
4802 -+ if (!(uval & ~FUTEX_TID_MASK) &&
4803 - cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
4804 - goto pi_faulted;
4805 - /*
4806 -@@ -2217,11 +2215,9 @@ retry:
4807 - /*
4808 - * No waiters - kernel unlocks the futex:
4809 - */
4810 -- if (!(uval & FUTEX_OWNER_DIED)) {
4811 -- ret = unlock_futex_pi(uaddr, uval);
4812 -- if (ret == -EFAULT)
4813 -- goto pi_faulted;
4814 -- }
4815 -+ ret = unlock_futex_pi(uaddr, uval);
4816 -+ if (ret == -EFAULT)
4817 -+ goto pi_faulted;
4818 -
4819 - out_unlock:
4820 - spin_unlock(&hb->lock);
4821
4822 Deleted: genpatches-2.6/trunk/3.2/1506-futex-make-lookup_pi_state-more-robust.patch
4823 ===================================================================
4824 (Binary files differ)
Report Message
Find on MARC Find on Google Groups