Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Thu, 01 Oct 2020 11:24:08
Message-Id: 1601551429.16d3f8c13c8b9b34abd4f771917fcae6cc20ce89.mpagano@gentoo
1 commit: 16d3f8c13c8b9b34abd4f771917fcae6cc20ce89
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Oct 1 11:23:49 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Oct 1 11:23:49 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=16d3f8c1
7
8 Linux patch 4.4.238
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1237_linux-4.4.238.patch | 2701 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 2705 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index d93edf8..dfe06b2 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -991,6 +991,10 @@ Patch: 1236_linux-4.4.237.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.237
23
24 +Patch: 1237_linux-4.4.238.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.238
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1237_linux-4.4.238.patch b/1237_linux-4.4.238.patch
33 new file mode 100644
34 index 0000000..feef366
35 --- /dev/null
36 +++ b/1237_linux-4.4.238.patch
37 @@ -0,0 +1,2701 @@
38 +diff --git a/Documentation/DocBook/libata.tmpl b/Documentation/DocBook/libata.tmpl
39 +index d7fcdc5a43792..9b55778ab024f 100644
40 +--- a/Documentation/DocBook/libata.tmpl
41 ++++ b/Documentation/DocBook/libata.tmpl
42 +@@ -324,7 +324,7 @@ Many legacy IDE drivers use ata_bmdma_status() as the bmdma_status() hook.
43 +
44 + <sect2><title>High-level taskfile hooks</title>
45 + <programlisting>
46 +-void (*qc_prep) (struct ata_queued_cmd *qc);
47 ++enum ata_completion_errors (*qc_prep) (struct ata_queued_cmd *qc);
48 + int (*qc_issue) (struct ata_queued_cmd *qc);
49 + </programlisting>
50 +
51 +diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt
52 +index e045e90a0924b..0f03b8228d080 100644
53 +--- a/Documentation/devicetree/bindings/sound/wm8994.txt
54 ++++ b/Documentation/devicetree/bindings/sound/wm8994.txt
55 +@@ -14,9 +14,15 @@ Required properties:
56 + - #gpio-cells : Must be 2. The first cell is the pin number and the
57 + second cell is used to specify optional parameters (currently unused).
58 +
59 +- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply,
60 +- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered
61 +- in Documentation/devicetree/bindings/regulator/regulator.txt
62 ++ - power supplies for the device, as covered in
63 ++ Documentation/devicetree/bindings/regulator/regulator.txt, depending
64 ++ on compatible:
65 ++ - for wlf,wm1811 and wlf,wm8958:
66 ++ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply,
67 ++ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply
68 ++ - for wlf,wm8994:
69 ++ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply,
70 ++ SPKVDD1-supply, SPKVDD2-supply
71 +
72 + Optional properties:
73 +
74 +@@ -68,11 +74,11 @@ codec: wm8994@1a {
75 +
76 + lineout1-se;
77 +
78 ++ AVDD1-supply = <&regulator>;
79 + AVDD2-supply = <&regulator>;
80 + CPVDD-supply = <&regulator>;
81 +- DBVDD1-supply = <&regulator>;
82 +- DBVDD2-supply = <&regulator>;
83 +- DBVDD3-supply = <&regulator>;
84 ++ DBVDD-supply = <&regulator>;
85 ++ DCVDD-supply = <&regulator>;
86 + SPKVDD1-supply = <&regulator>;
87 + SPKVDD2-supply = <&regulator>;
88 + };
89 +diff --git a/Makefile b/Makefile
90 +index 003334dad3c3f..209fe98a591cd 100644
91 +--- a/Makefile
92 ++++ b/Makefile
93 +@@ -1,6 +1,6 @@
94 + VERSION = 4
95 + PATCHLEVEL = 4
96 +-SUBLEVEL = 237
97 ++SUBLEVEL = 238
98 + EXTRAVERSION =
99 + NAME = Blurry Fish Butt
100 +
101 +diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c
102 +index e90fe903613ea..4e5f04d333188 100644
103 +--- a/arch/m68k/q40/config.c
104 ++++ b/arch/m68k/q40/config.c
105 +@@ -303,6 +303,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll)
106 + {
107 + int tmp = Q40_RTC_CTRL;
108 +
109 ++ pll->pll_ctrl = 0;
110 + pll->pll_value = tmp & Q40_RTC_PLL_MASK;
111 + if (tmp & Q40_RTC_PLL_SIGN)
112 + pll->pll_value = -pll->pll_value;
113 +diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h
114 +index abee2bfd10dc1..cea0bbb71590f 100644
115 +--- a/arch/mips/include/asm/cpu-type.h
116 ++++ b/arch/mips/include/asm/cpu-type.h
117 +@@ -46,6 +46,7 @@ static inline int __pure __get_cpu_type(const int cpu_type)
118 + case CPU_34K:
119 + case CPU_1004K:
120 + case CPU_74K:
121 ++ case CPU_1074K:
122 + case CPU_M14KC:
123 + case CPU_M14KEC:
124 + case CPU_INTERAPTIV:
125 +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
126 +index 47692c78d09c5..fdc5e76e1f6b0 100644
127 +--- a/arch/s390/kernel/setup.c
128 ++++ b/arch/s390/kernel/setup.c
129 +@@ -513,7 +513,7 @@ static struct notifier_block kdump_mem_nb = {
130 + /*
131 + * Make sure that the area behind memory_end is protected
132 + */
133 +-static void reserve_memory_end(void)
134 ++static void __init reserve_memory_end(void)
135 + {
136 + #ifdef CONFIG_CRASH_DUMP
137 + if (ipl_info.type == IPL_TYPE_FCP_DUMP &&
138 +@@ -531,7 +531,7 @@ static void reserve_memory_end(void)
139 + /*
140 + * Make sure that oldmem, where the dump is stored, is protected
141 + */
142 +-static void reserve_oldmem(void)
143 ++static void __init reserve_oldmem(void)
144 + {
145 + #ifdef CONFIG_CRASH_DUMP
146 + if (OLDMEM_BASE)
147 +@@ -543,7 +543,7 @@ static void reserve_oldmem(void)
148 + /*
149 + * Make sure that oldmem, where the dump is stored, is protected
150 + */
151 +-static void remove_oldmem(void)
152 ++static void __init remove_oldmem(void)
153 + {
154 + #ifdef CONFIG_CRASH_DUMP
155 + if (OLDMEM_BASE)
156 +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
157 +index 664e8505ccd63..2f84887e8934c 100644
158 +--- a/arch/x86/include/asm/nospec-branch.h
159 ++++ b/arch/x86/include/asm/nospec-branch.h
160 +@@ -275,7 +275,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear);
161 + * combination with microcode which triggers a CPU buffer flush when the
162 + * instruction is executed.
163 + */
164 +-static inline void mds_clear_cpu_buffers(void)
165 ++static __always_inline void mds_clear_cpu_buffers(void)
166 + {
167 + static const u16 ds = __KERNEL_DS;
168 +
169 +@@ -296,7 +296,7 @@ static inline void mds_clear_cpu_buffers(void)
170 + *
171 + * Clear CPU buffers if the corresponding static key is enabled
172 + */
173 +-static inline void mds_user_clear_cpu_buffers(void)
174 ++static __always_inline void mds_user_clear_cpu_buffers(void)
175 + {
176 + if (static_branch_likely(&mds_user_clear))
177 + mds_clear_cpu_buffers();
178 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
179 +index 61fc92f92e0a0..ef920da075184 100644
180 +--- a/arch/x86/kvm/x86.c
181 ++++ b/arch/x86/kvm/x86.c
182 +@@ -4013,10 +4013,13 @@ long kvm_arch_vm_ioctl(struct file *filp,
183 + r = -EFAULT;
184 + if (copy_from_user(&u.ps, argp, sizeof u.ps))
185 + goto out;
186 ++ mutex_lock(&kvm->lock);
187 + r = -ENXIO;
188 + if (!kvm->arch.vpit)
189 +- goto out;
190 ++ goto set_pit_out;
191 + r = kvm_vm_ioctl_set_pit(kvm, &u.ps);
192 ++set_pit_out:
193 ++ mutex_unlock(&kvm->lock);
194 + break;
195 + }
196 + case KVM_GET_PIT2: {
197 +@@ -4036,10 +4039,13 @@ long kvm_arch_vm_ioctl(struct file *filp,
198 + r = -EFAULT;
199 + if (copy_from_user(&u.ps2, argp, sizeof(u.ps2)))
200 + goto out;
201 ++ mutex_lock(&kvm->lock);
202 + r = -ENXIO;
203 + if (!kvm->arch.vpit)
204 +- goto out;
205 ++ goto set_pit2_out;
206 + r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2);
207 ++set_pit2_out:
208 ++ mutex_unlock(&kvm->lock);
209 + break;
210 + }
211 + case KVM_REINJECT_CONTROL: {
212 +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
213 +index 43f20328f830e..3096c087b7328 100644
214 +--- a/drivers/acpi/ec.c
215 ++++ b/drivers/acpi/ec.c
216 +@@ -943,29 +943,21 @@ void acpi_ec_unblock_transactions_early(void)
217 + /* --------------------------------------------------------------------------
218 + Event Management
219 + -------------------------------------------------------------------------- */
220 +-static struct acpi_ec_query_handler *
221 +-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler)
222 +-{
223 +- if (handler)
224 +- kref_get(&handler->kref);
225 +- return handler;
226 +-}
227 +-
228 + static struct acpi_ec_query_handler *
229 + acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value)
230 + {
231 + struct acpi_ec_query_handler *handler;
232 +- bool found = false;
233 +
234 + mutex_lock(&ec->mutex);
235 + list_for_each_entry(handler, &ec->list, node) {
236 + if (value == handler->query_bit) {
237 +- found = true;
238 +- break;
239 ++ kref_get(&handler->kref);
240 ++ mutex_unlock(&ec->mutex);
241 ++ return handler;
242 + }
243 + }
244 + mutex_unlock(&ec->mutex);
245 +- return found ? acpi_ec_get_query_handler(handler) : NULL;
246 ++ return NULL;
247 + }
248 +
249 + static void acpi_ec_query_handler_release(struct kref *kref)
250 +diff --git a/drivers/ata/acard-ahci.c b/drivers/ata/acard-ahci.c
251 +index ed6a30cd681a0..98581ae397c12 100644
252 +--- a/drivers/ata/acard-ahci.c
253 ++++ b/drivers/ata/acard-ahci.c
254 +@@ -72,7 +72,7 @@ struct acard_sg {
255 + __le32 size; /* bit 31 (EOT) max==0x10000 (64k) */
256 + };
257 +
258 +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc);
259 ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc);
260 + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc);
261 + static int acard_ahci_port_start(struct ata_port *ap);
262 + static int acard_ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
263 +@@ -257,7 +257,7 @@ static unsigned int acard_ahci_fill_sg(struct ata_queued_cmd *qc, void *cmd_tbl)
264 + return si;
265 + }
266 +
267 +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc)
268 ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc)
269 + {
270 + struct ata_port *ap = qc->ap;
271 + struct ahci_port_priv *pp = ap->private_data;
272 +@@ -295,6 +295,8 @@ static void acard_ahci_qc_prep(struct ata_queued_cmd *qc)
273 + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH;
274 +
275 + ahci_fill_cmd_slot(pp, qc->tag, opts);
276 ++
277 ++ return AC_ERR_OK;
278 + }
279 +
280 + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc)
281 +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
282 +index 1241cecfcfcad..48338da2ecdfa 100644
283 +--- a/drivers/ata/libahci.c
284 ++++ b/drivers/ata/libahci.c
285 +@@ -71,7 +71,7 @@ static int ahci_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
286 + static bool ahci_qc_fill_rtf(struct ata_queued_cmd *qc);
287 + static int ahci_port_start(struct ata_port *ap);
288 + static void ahci_port_stop(struct ata_port *ap);
289 +-static void ahci_qc_prep(struct ata_queued_cmd *qc);
290 ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc);
291 + static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc);
292 + static void ahci_freeze(struct ata_port *ap);
293 + static void ahci_thaw(struct ata_port *ap);
294 +@@ -1535,7 +1535,7 @@ static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc)
295 + return sata_pmp_qc_defer_cmd_switch(qc);
296 + }
297 +
298 +-static void ahci_qc_prep(struct ata_queued_cmd *qc)
299 ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc)
300 + {
301 + struct ata_port *ap = qc->ap;
302 + struct ahci_port_priv *pp = ap->private_data;
303 +@@ -1571,6 +1571,8 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc)
304 + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH;
305 +
306 + ahci_fill_cmd_slot(pp, qc->tag, opts);
307 ++
308 ++ return AC_ERR_OK;
309 + }
310 +
311 + static void ahci_fbs_dec_intr(struct ata_port *ap)
312 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
313 +index 17cebfe5acc82..8ed3f6d75ff13 100644
314 +--- a/drivers/ata/libata-core.c
315 ++++ b/drivers/ata/libata-core.c
316 +@@ -4713,7 +4713,10 @@ int ata_std_qc_defer(struct ata_queued_cmd *qc)
317 + return ATA_DEFER_LINK;
318 + }
319 +
320 +-void ata_noop_qc_prep(struct ata_queued_cmd *qc) { }
321 ++enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc)
322 ++{
323 ++ return AC_ERR_OK;
324 ++}
325 +
326 + /**
327 + * ata_sg_init - Associate command with scatter-gather table.
328 +@@ -5126,7 +5129,9 @@ void ata_qc_issue(struct ata_queued_cmd *qc)
329 + return;
330 + }
331 +
332 +- ap->ops->qc_prep(qc);
333 ++ qc->err_mask |= ap->ops->qc_prep(qc);
334 ++ if (unlikely(qc->err_mask))
335 ++ goto err;
336 + trace_ata_qc_issue(qc);
337 + qc->err_mask |= ap->ops->qc_issue(qc);
338 + if (unlikely(qc->err_mask))
339 +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
340 +index 1d8901fc0bfa9..0c69bc1d30c62 100644
341 +--- a/drivers/ata/libata-sff.c
342 ++++ b/drivers/ata/libata-sff.c
343 +@@ -2741,12 +2741,14 @@ static void ata_bmdma_fill_sg_dumb(struct ata_queued_cmd *qc)
344 + * LOCKING:
345 + * spin_lock_irqsave(host lock)
346 + */
347 +-void ata_bmdma_qc_prep(struct ata_queued_cmd *qc)
348 ++enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc)
349 + {
350 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
351 +- return;
352 ++ return AC_ERR_OK;
353 +
354 + ata_bmdma_fill_sg(qc);
355 ++
356 ++ return AC_ERR_OK;
357 + }
358 + EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep);
359 +
360 +@@ -2759,12 +2761,14 @@ EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep);
361 + * LOCKING:
362 + * spin_lock_irqsave(host lock)
363 + */
364 +-void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc)
365 ++enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc)
366 + {
367 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
368 +- return;
369 ++ return AC_ERR_OK;
370 +
371 + ata_bmdma_fill_sg_dumb(qc);
372 ++
373 ++ return AC_ERR_OK;
374 + }
375 + EXPORT_SYMBOL_GPL(ata_bmdma_dumb_qc_prep);
376 +
377 +diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
378 +index e3d4b059fcd14..f1a20d1a65be0 100644
379 +--- a/drivers/ata/pata_macio.c
380 ++++ b/drivers/ata/pata_macio.c
381 +@@ -507,7 +507,7 @@ static int pata_macio_cable_detect(struct ata_port *ap)
382 + return ATA_CBL_PATA40;
383 + }
384 +
385 +-static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
386 ++static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
387 + {
388 + unsigned int write = (qc->tf.flags & ATA_TFLAG_WRITE);
389 + struct ata_port *ap = qc->ap;
390 +@@ -520,7 +520,7 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
391 + __func__, qc, qc->flags, write, qc->dev->devno);
392 +
393 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
394 +- return;
395 ++ return AC_ERR_OK;
396 +
397 + table = (struct dbdma_cmd *) priv->dma_table_cpu;
398 +
399 +@@ -565,6 +565,8 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
400 + table->command = cpu_to_le16(DBDMA_STOP);
401 +
402 + dev_dbgdma(priv->dev, "%s: %d DMA list entries\n", __func__, pi);
403 ++
404 ++ return AC_ERR_OK;
405 + }
406 +
407 +
408 +diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
409 +index f6c46e9a4dc0f..d7186a503e358 100644
410 +--- a/drivers/ata/pata_pxa.c
411 ++++ b/drivers/ata/pata_pxa.c
412 +@@ -59,25 +59,27 @@ static void pxa_ata_dma_irq(void *d)
413 + /*
414 + * Prepare taskfile for submission.
415 + */
416 +-static void pxa_qc_prep(struct ata_queued_cmd *qc)
417 ++static enum ata_completion_errors pxa_qc_prep(struct ata_queued_cmd *qc)
418 + {
419 + struct pata_pxa_data *pd = qc->ap->private_data;
420 + struct dma_async_tx_descriptor *tx;
421 + enum dma_transfer_direction dir;
422 +
423 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
424 +- return;
425 ++ return AC_ERR_OK;
426 +
427 + dir = (qc->dma_dir == DMA_TO_DEVICE ? DMA_MEM_TO_DEV : DMA_DEV_TO_MEM);
428 + tx = dmaengine_prep_slave_sg(pd->dma_chan, qc->sg, qc->n_elem, dir,
429 + DMA_PREP_INTERRUPT);
430 + if (!tx) {
431 + ata_dev_err(qc->dev, "prep_slave_sg() failed\n");
432 +- return;
433 ++ return AC_ERR_OK;
434 + }
435 + tx->callback = pxa_ata_dma_irq;
436 + tx->callback_param = pd;
437 + pd->dma_cookie = dmaengine_submit(tx);
438 ++
439 ++ return AC_ERR_OK;
440 + }
441 +
442 + /*
443 +diff --git a/drivers/ata/pdc_adma.c b/drivers/ata/pdc_adma.c
444 +index 64d682c6ee57e..11da13bea2c93 100644
445 +--- a/drivers/ata/pdc_adma.c
446 ++++ b/drivers/ata/pdc_adma.c
447 +@@ -132,7 +132,7 @@ static int adma_ata_init_one(struct pci_dev *pdev,
448 + const struct pci_device_id *ent);
449 + static int adma_port_start(struct ata_port *ap);
450 + static void adma_port_stop(struct ata_port *ap);
451 +-static void adma_qc_prep(struct ata_queued_cmd *qc);
452 ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc);
453 + static unsigned int adma_qc_issue(struct ata_queued_cmd *qc);
454 + static int adma_check_atapi_dma(struct ata_queued_cmd *qc);
455 + static void adma_freeze(struct ata_port *ap);
456 +@@ -311,7 +311,7 @@ static int adma_fill_sg(struct ata_queued_cmd *qc)
457 + return i;
458 + }
459 +
460 +-static void adma_qc_prep(struct ata_queued_cmd *qc)
461 ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc)
462 + {
463 + struct adma_port_priv *pp = qc->ap->private_data;
464 + u8 *buf = pp->pkt;
465 +@@ -322,7 +322,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc)
466 +
467 + adma_enter_reg_mode(qc->ap);
468 + if (qc->tf.protocol != ATA_PROT_DMA)
469 +- return;
470 ++ return AC_ERR_OK;
471 +
472 + buf[i++] = 0; /* Response flags */
473 + buf[i++] = 0; /* reserved */
474 +@@ -387,6 +387,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc)
475 + printk("%s\n", obuf);
476 + }
477 + #endif
478 ++ return AC_ERR_OK;
479 + }
480 +
481 + static inline void adma_packet_start(struct ata_queued_cmd *qc)
482 +diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
483 +index a723ae9297831..100b5a3621ef3 100644
484 +--- a/drivers/ata/sata_fsl.c
485 ++++ b/drivers/ata/sata_fsl.c
486 +@@ -513,7 +513,7 @@ static unsigned int sata_fsl_fill_sg(struct ata_queued_cmd *qc, void *cmd_desc,
487 + return num_prde;
488 + }
489 +
490 +-static void sata_fsl_qc_prep(struct ata_queued_cmd *qc)
491 ++static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc)
492 + {
493 + struct ata_port *ap = qc->ap;
494 + struct sata_fsl_port_priv *pp = ap->private_data;
495 +@@ -559,6 +559,8 @@ static void sata_fsl_qc_prep(struct ata_queued_cmd *qc)
496 +
497 + VPRINTK("SATA FSL : xx_qc_prep, di = 0x%x, ttl = %d, num_prde = %d\n",
498 + desc_info, ttl_dwords, num_prde);
499 ++
500 ++ return AC_ERR_OK;
501 + }
502 +
503 + static unsigned int sata_fsl_qc_issue(struct ata_queued_cmd *qc)
504 +diff --git a/drivers/ata/sata_inic162x.c b/drivers/ata/sata_inic162x.c
505 +index e81a8217f1ff7..349a175f02675 100644
506 +--- a/drivers/ata/sata_inic162x.c
507 ++++ b/drivers/ata/sata_inic162x.c
508 +@@ -472,7 +472,7 @@ static void inic_fill_sg(struct inic_prd *prd, struct ata_queued_cmd *qc)
509 + prd[-1].flags |= PRD_END;
510 + }
511 +
512 +-static void inic_qc_prep(struct ata_queued_cmd *qc)
513 ++static enum ata_completion_errors inic_qc_prep(struct ata_queued_cmd *qc)
514 + {
515 + struct inic_port_priv *pp = qc->ap->private_data;
516 + struct inic_pkt *pkt = pp->pkt;
517 +@@ -532,6 +532,8 @@ static void inic_qc_prep(struct ata_queued_cmd *qc)
518 + inic_fill_sg(prd, qc);
519 +
520 + pp->cpb_tbl[0] = pp->pkt_dma;
521 ++
522 ++ return AC_ERR_OK;
523 + }
524 +
525 + static unsigned int inic_qc_issue(struct ata_queued_cmd *qc)
526 +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
527 +index 729f26322095e..5718dc94c90cb 100644
528 +--- a/drivers/ata/sata_mv.c
529 ++++ b/drivers/ata/sata_mv.c
530 +@@ -605,8 +605,8 @@ static int mv5_scr_write(struct ata_link *link, unsigned int sc_reg_in, u32 val)
531 + static int mv_port_start(struct ata_port *ap);
532 + static void mv_port_stop(struct ata_port *ap);
533 + static int mv_qc_defer(struct ata_queued_cmd *qc);
534 +-static void mv_qc_prep(struct ata_queued_cmd *qc);
535 +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc);
536 ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc);
537 ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc);
538 + static unsigned int mv_qc_issue(struct ata_queued_cmd *qc);
539 + static int mv_hardreset(struct ata_link *link, unsigned int *class,
540 + unsigned long deadline);
541 +@@ -2046,7 +2046,7 @@ static void mv_rw_multi_errata_sata24(struct ata_queued_cmd *qc)
542 + * LOCKING:
543 + * Inherited from caller.
544 + */
545 +-static void mv_qc_prep(struct ata_queued_cmd *qc)
546 ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc)
547 + {
548 + struct ata_port *ap = qc->ap;
549 + struct mv_port_priv *pp = ap->private_data;
550 +@@ -2058,15 +2058,15 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
551 + switch (tf->protocol) {
552 + case ATA_PROT_DMA:
553 + if (tf->command == ATA_CMD_DSM)
554 +- return;
555 ++ return AC_ERR_OK;
556 + /* fall-thru */
557 + case ATA_PROT_NCQ:
558 + break; /* continue below */
559 + case ATA_PROT_PIO:
560 + mv_rw_multi_errata_sata24(qc);
561 +- return;
562 ++ return AC_ERR_OK;
563 + default:
564 +- return;
565 ++ return AC_ERR_OK;
566 + }
567 +
568 + /* Fill in command request block
569 +@@ -2113,12 +2113,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
570 + * non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none
571 + * of which are defined/used by Linux. If we get here, this
572 + * driver needs work.
573 +- *
574 +- * FIXME: modify libata to give qc_prep a return value and
575 +- * return error here.
576 + */
577 +- BUG_ON(tf->command);
578 +- break;
579 ++ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__,
580 ++ tf->command);
581 ++ return AC_ERR_INVALID;
582 + }
583 + mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0);
584 + mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0);
585 +@@ -2131,8 +2129,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
586 + mv_crqb_pack_cmd(cw++, tf->command, ATA_REG_CMD, 1); /* last */
587 +
588 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
589 +- return;
590 ++ return AC_ERR_OK;
591 + mv_fill_sg(qc);
592 ++
593 ++ return AC_ERR_OK;
594 + }
595 +
596 + /**
597 +@@ -2147,7 +2147,7 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
598 + * LOCKING:
599 + * Inherited from caller.
600 + */
601 +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
602 ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc)
603 + {
604 + struct ata_port *ap = qc->ap;
605 + struct mv_port_priv *pp = ap->private_data;
606 +@@ -2158,9 +2158,9 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
607 +
608 + if ((tf->protocol != ATA_PROT_DMA) &&
609 + (tf->protocol != ATA_PROT_NCQ))
610 +- return;
611 ++ return AC_ERR_OK;
612 + if (tf->command == ATA_CMD_DSM)
613 +- return; /* use bmdma for this */
614 ++ return AC_ERR_OK; /* use bmdma for this */
615 +
616 + /* Fill in Gen IIE command request block */
617 + if (!(tf->flags & ATA_TFLAG_WRITE))
618 +@@ -2201,8 +2201,10 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
619 + );
620 +
621 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
622 +- return;
623 ++ return AC_ERR_OK;
624 + mv_fill_sg(qc);
625 ++
626 ++ return AC_ERR_OK;
627 + }
628 +
629 + /**
630 +diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c
631 +index 734f563b8d37b..bb098c4ae1775 100644
632 +--- a/drivers/ata/sata_nv.c
633 ++++ b/drivers/ata/sata_nv.c
634 +@@ -313,7 +313,7 @@ static void nv_ck804_freeze(struct ata_port *ap);
635 + static void nv_ck804_thaw(struct ata_port *ap);
636 + static int nv_adma_slave_config(struct scsi_device *sdev);
637 + static int nv_adma_check_atapi_dma(struct ata_queued_cmd *qc);
638 +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc);
639 ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc);
640 + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc);
641 + static irqreturn_t nv_adma_interrupt(int irq, void *dev_instance);
642 + static void nv_adma_irq_clear(struct ata_port *ap);
643 +@@ -335,7 +335,7 @@ static void nv_mcp55_freeze(struct ata_port *ap);
644 + static void nv_swncq_error_handler(struct ata_port *ap);
645 + static int nv_swncq_slave_config(struct scsi_device *sdev);
646 + static int nv_swncq_port_start(struct ata_port *ap);
647 +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc);
648 ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc);
649 + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc);
650 + static unsigned int nv_swncq_qc_issue(struct ata_queued_cmd *qc);
651 + static void nv_swncq_irq_clear(struct ata_port *ap, u16 fis);
652 +@@ -1382,7 +1382,7 @@ static int nv_adma_use_reg_mode(struct ata_queued_cmd *qc)
653 + return 1;
654 + }
655 +
656 +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
657 ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc)
658 + {
659 + struct nv_adma_port_priv *pp = qc->ap->private_data;
660 + struct nv_adma_cpb *cpb = &pp->cpb[qc->tag];
661 +@@ -1394,7 +1394,7 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
662 + (qc->flags & ATA_QCFLAG_DMAMAP));
663 + nv_adma_register_mode(qc->ap);
664 + ata_bmdma_qc_prep(qc);
665 +- return;
666 ++ return AC_ERR_OK;
667 + }
668 +
669 + cpb->resp_flags = NV_CPB_RESP_DONE;
670 +@@ -1426,6 +1426,8 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
671 + cpb->ctl_flags = ctl_flags;
672 + wmb();
673 + cpb->resp_flags = 0;
674 ++
675 ++ return AC_ERR_OK;
676 + }
677 +
678 + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc)
679 +@@ -1989,17 +1991,19 @@ static int nv_swncq_port_start(struct ata_port *ap)
680 + return 0;
681 + }
682 +
683 +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc)
684 ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc)
685 + {
686 + if (qc->tf.protocol != ATA_PROT_NCQ) {
687 + ata_bmdma_qc_prep(qc);
688 +- return;
689 ++ return AC_ERR_OK;
690 + }
691 +
692 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
693 +- return;
694 ++ return AC_ERR_OK;
695 +
696 + nv_swncq_fill_sg(qc);
697 ++
698 ++ return AC_ERR_OK;
699 + }
700 +
701 + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc)
702 +diff --git a/drivers/ata/sata_promise.c b/drivers/ata/sata_promise.c
703 +index 0fa211e2831cd..8ad8b376a642c 100644
704 +--- a/drivers/ata/sata_promise.c
705 ++++ b/drivers/ata/sata_promise.c
706 +@@ -155,7 +155,7 @@ static int pdc_sata_scr_write(struct ata_link *link, unsigned int sc_reg, u32 va
707 + static int pdc_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
708 + static int pdc_common_port_start(struct ata_port *ap);
709 + static int pdc_sata_port_start(struct ata_port *ap);
710 +-static void pdc_qc_prep(struct ata_queued_cmd *qc);
711 ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc);
712 + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
713 + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
714 + static int pdc_check_atapi_dma(struct ata_queued_cmd *qc);
715 +@@ -649,7 +649,7 @@ static void pdc_fill_sg(struct ata_queued_cmd *qc)
716 + prd[idx - 1].flags_len |= cpu_to_le32(ATA_PRD_EOT);
717 + }
718 +
719 +-static void pdc_qc_prep(struct ata_queued_cmd *qc)
720 ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc)
721 + {
722 + struct pdc_port_priv *pp = qc->ap->private_data;
723 + unsigned int i;
724 +@@ -681,6 +681,8 @@ static void pdc_qc_prep(struct ata_queued_cmd *qc)
725 + default:
726 + break;
727 + }
728 ++
729 ++ return AC_ERR_OK;
730 + }
731 +
732 + static int pdc_is_sataii_tx4(unsigned long flags)
733 +diff --git a/drivers/ata/sata_qstor.c b/drivers/ata/sata_qstor.c
734 +index af987a4f33d19..80ff3bbfc8269 100644
735 +--- a/drivers/ata/sata_qstor.c
736 ++++ b/drivers/ata/sata_qstor.c
737 +@@ -116,7 +116,7 @@ static int qs_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
738 + static int qs_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
739 + static int qs_port_start(struct ata_port *ap);
740 + static void qs_host_stop(struct ata_host *host);
741 +-static void qs_qc_prep(struct ata_queued_cmd *qc);
742 ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc);
743 + static unsigned int qs_qc_issue(struct ata_queued_cmd *qc);
744 + static int qs_check_atapi_dma(struct ata_queued_cmd *qc);
745 + static void qs_freeze(struct ata_port *ap);
746 +@@ -276,7 +276,7 @@ static unsigned int qs_fill_sg(struct ata_queued_cmd *qc)
747 + return si;
748 + }
749 +
750 +-static void qs_qc_prep(struct ata_queued_cmd *qc)
751 ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc)
752 + {
753 + struct qs_port_priv *pp = qc->ap->private_data;
754 + u8 dflags = QS_DF_PORD, *buf = pp->pkt;
755 +@@ -288,7 +288,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
756 +
757 + qs_enter_reg_mode(qc->ap);
758 + if (qc->tf.protocol != ATA_PROT_DMA)
759 +- return;
760 ++ return AC_ERR_OK;
761 +
762 + nelem = qs_fill_sg(qc);
763 +
764 +@@ -311,6 +311,8 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
765 +
766 + /* frame information structure (FIS) */
767 + ata_tf_to_fis(&qc->tf, 0, 1, &buf[32]);
768 ++
769 ++ return AC_ERR_OK;
770 + }
771 +
772 + static inline void qs_packet_start(struct ata_queued_cmd *qc)
773 +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
774 +index 21b80f5ee0920..4199f7a39be0b 100644
775 +--- a/drivers/ata/sata_rcar.c
776 ++++ b/drivers/ata/sata_rcar.c
777 +@@ -551,12 +551,14 @@ static void sata_rcar_bmdma_fill_sg(struct ata_queued_cmd *qc)
778 + prd[si - 1].addr |= cpu_to_le32(SATA_RCAR_DTEND);
779 + }
780 +
781 +-static void sata_rcar_qc_prep(struct ata_queued_cmd *qc)
782 ++static enum ata_completion_errors sata_rcar_qc_prep(struct ata_queued_cmd *qc)
783 + {
784 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
785 +- return;
786 ++ return AC_ERR_OK;
787 +
788 + sata_rcar_bmdma_fill_sg(qc);
789 ++
790 ++ return AC_ERR_OK;
791 + }
792 +
793 + static void sata_rcar_bmdma_setup(struct ata_queued_cmd *qc)
794 +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c
795 +index 29bcff086bced..73156a301912f 100644
796 +--- a/drivers/ata/sata_sil.c
797 ++++ b/drivers/ata/sata_sil.c
798 +@@ -119,7 +119,7 @@ static void sil_dev_config(struct ata_device *dev);
799 + static int sil_scr_read(struct ata_link *link, unsigned int sc_reg, u32 *val);
800 + static int sil_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
801 + static int sil_set_mode(struct ata_link *link, struct ata_device **r_failed);
802 +-static void sil_qc_prep(struct ata_queued_cmd *qc);
803 ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc);
804 + static void sil_bmdma_setup(struct ata_queued_cmd *qc);
805 + static void sil_bmdma_start(struct ata_queued_cmd *qc);
806 + static void sil_bmdma_stop(struct ata_queued_cmd *qc);
807 +@@ -333,12 +333,14 @@ static void sil_fill_sg(struct ata_queued_cmd *qc)
808 + last_prd->flags_len |= cpu_to_le32(ATA_PRD_EOT);
809 + }
810 +
811 +-static void sil_qc_prep(struct ata_queued_cmd *qc)
812 ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc)
813 + {
814 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
815 +- return;
816 ++ return AC_ERR_OK;
817 +
818 + sil_fill_sg(qc);
819 ++
820 ++ return AC_ERR_OK;
821 + }
822 +
823 + static unsigned char sil_get_device_cache_line(struct pci_dev *pdev)
824 +diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c
825 +index 4b1995e2d044b..ffa3bf724054d 100644
826 +--- a/drivers/ata/sata_sil24.c
827 ++++ b/drivers/ata/sata_sil24.c
828 +@@ -336,7 +336,7 @@ static void sil24_dev_config(struct ata_device *dev);
829 + static int sil24_scr_read(struct ata_link *link, unsigned sc_reg, u32 *val);
830 + static int sil24_scr_write(struct ata_link *link, unsigned sc_reg, u32 val);
831 + static int sil24_qc_defer(struct ata_queued_cmd *qc);
832 +-static void sil24_qc_prep(struct ata_queued_cmd *qc);
833 ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc);
834 + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc);
835 + static bool sil24_qc_fill_rtf(struct ata_queued_cmd *qc);
836 + static void sil24_pmp_attach(struct ata_port *ap);
837 +@@ -840,7 +840,7 @@ static int sil24_qc_defer(struct ata_queued_cmd *qc)
838 + return ata_std_qc_defer(qc);
839 + }
840 +
841 +-static void sil24_qc_prep(struct ata_queued_cmd *qc)
842 ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc)
843 + {
844 + struct ata_port *ap = qc->ap;
845 + struct sil24_port_priv *pp = ap->private_data;
846 +@@ -884,6 +884,8 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc)
847 +
848 + if (qc->flags & ATA_QCFLAG_DMAMAP)
849 + sil24_fill_sg(qc, sge);
850 ++
851 ++ return AC_ERR_OK;
852 + }
853 +
854 + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc)
855 +diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
856 +index fab504fd9cfd7..a7cd2c7ee1388 100644
857 +--- a/drivers/ata/sata_sx4.c
858 ++++ b/drivers/ata/sata_sx4.c
859 +@@ -218,7 +218,7 @@ static void pdc_error_handler(struct ata_port *ap);
860 + static void pdc_freeze(struct ata_port *ap);
861 + static void pdc_thaw(struct ata_port *ap);
862 + static int pdc_port_start(struct ata_port *ap);
863 +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc);
864 ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc);
865 + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
866 + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
867 + static unsigned int pdc20621_dimm_init(struct ata_host *host);
868 +@@ -546,7 +546,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
869 + VPRINTK("ata pkt buf ofs %u, mmio copied\n", i);
870 + }
871 +
872 +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc)
873 ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc)
874 + {
875 + switch (qc->tf.protocol) {
876 + case ATA_PROT_DMA:
877 +@@ -558,6 +558,8 @@ static void pdc20621_qc_prep(struct ata_queued_cmd *qc)
878 + default:
879 + break;
880 + }
881 ++
882 ++ return AC_ERR_OK;
883 + }
884 +
885 + static void __pdc20621_push_hdma(struct ata_queued_cmd *qc,
886 +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
887 +index ad591a2f7c822..340a1ee79d280 100644
888 +--- a/drivers/atm/eni.c
889 ++++ b/drivers/atm/eni.c
890 +@@ -2242,7 +2242,7 @@ static int eni_init_one(struct pci_dev *pci_dev,
891 +
892 + rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
893 + if (rc < 0)
894 +- goto out;
895 ++ goto err_disable;
896 +
897 + rc = -ENOMEM;
898 + eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL);
899 +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c
900 +index 100cd1de9939d..59e1e94d12c01 100644
901 +--- a/drivers/char/tlclk.c
902 ++++ b/drivers/char/tlclk.c
903 +@@ -777,17 +777,21 @@ static int __init tlclk_init(void)
904 + {
905 + int ret;
906 +
907 ++ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f);
908 ++
909 ++ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL);
910 ++ if (!alarm_events) {
911 ++ ret = -ENOMEM;
912 ++ goto out1;
913 ++ }
914 ++
915 + ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops);
916 + if (ret < 0) {
917 + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major);
918 ++ kfree(alarm_events);
919 + return ret;
920 + }
921 + tlclk_major = ret;
922 +- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL);
923 +- if (!alarm_events) {
924 +- ret = -ENOMEM;
925 +- goto out1;
926 +- }
927 +
928 + /* Read telecom clock IRQ number (Set by BIOS) */
929 + if (!request_region(TLCLK_BASE, 8, "telco_clock")) {
930 +@@ -796,7 +800,6 @@ static int __init tlclk_init(void)
931 + ret = -EBUSY;
932 + goto out2;
933 + }
934 +- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f);
935 +
936 + if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */
937 + printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n",
938 +@@ -837,8 +840,8 @@ out3:
939 + release_region(TLCLK_BASE, 8);
940 + out2:
941 + kfree(alarm_events);
942 +-out1:
943 + unregister_chrdev(tlclk_major, "telco_clock");
944 ++out1:
945 + return ret;
946 + }
947 +
948 +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
949 +index 3e6a22658b63b..d4cc1a1ac1f73 100644
950 +--- a/drivers/char/tpm/tpm_ibmvtpm.c
951 ++++ b/drivers/char/tpm/tpm_ibmvtpm.c
952 +@@ -543,6 +543,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance)
953 + */
954 + while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) {
955 + ibmvtpm_crq_process(crq, ibmvtpm);
956 ++ wake_up_interruptible(&ibmvtpm->crq_queue.wq);
957 + crq->valid = 0;
958 + smp_wmb();
959 + }
960 +@@ -589,6 +590,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
961 + }
962 +
963 + crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr);
964 ++ init_waitqueue_head(&crq_q->wq);
965 + ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr,
966 + CRQ_RES_BUF_SIZE,
967 + DMA_BIDIRECTIONAL);
968 +@@ -641,6 +643,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
969 + if (rc)
970 + goto init_irq_cleanup;
971 +
972 ++ if (!wait_event_timeout(ibmvtpm->crq_queue.wq,
973 ++ ibmvtpm->rtce_buf != NULL,
974 ++ HZ)) {
975 ++ dev_err(dev, "CRQ response timed out\n");
976 ++ goto init_irq_cleanup;
977 ++ }
978 ++
979 + return tpm_chip_register(chip);
980 + init_irq_cleanup:
981 + do {
982 +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h
983 +index 6af92890518f8..1a8c3b698f104 100644
984 +--- a/drivers/char/tpm/tpm_ibmvtpm.h
985 ++++ b/drivers/char/tpm/tpm_ibmvtpm.h
986 +@@ -31,6 +31,7 @@ struct ibmvtpm_crq_queue {
987 + struct ibmvtpm_crq *crq_addr;
988 + u32 index;
989 + u32 num_entry;
990 ++ wait_queue_head_t wq;
991 + };
992 +
993 + struct ibmvtpm_dev {
994 +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c
995 +index 64a2e02b87d78..0b0de6a049afb 100644
996 +--- a/drivers/devfreq/tegra-devfreq.c
997 ++++ b/drivers/devfreq/tegra-devfreq.c
998 +@@ -79,6 +79,8 @@
999 +
1000 + #define KHZ 1000
1001 +
1002 ++#define KHZ_MAX (ULONG_MAX / KHZ)
1003 ++
1004 + /* Assume that the bus is saturated if the utilization is 25% */
1005 + #define BUS_SATURATION_RATIO 25
1006 +
1007 +@@ -179,7 +181,7 @@ struct tegra_actmon_emc_ratio {
1008 + };
1009 +
1010 + static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = {
1011 +- { 1400000, ULONG_MAX },
1012 ++ { 1400000, KHZ_MAX },
1013 + { 1200000, 750000 },
1014 + { 1100000, 600000 },
1015 + { 1000000, 500000 },
1016 +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
1017 +index b5cf5d36de2b4..68c460a2b16ea 100644
1018 +--- a/drivers/dma/tegra20-apb-dma.c
1019 ++++ b/drivers/dma/tegra20-apb-dma.c
1020 +@@ -1207,8 +1207,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc)
1021 +
1022 + dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id);
1023 +
1024 +- if (tdc->busy)
1025 +- tegra_dma_terminate_all(dc);
1026 ++ tegra_dma_terminate_all(dc);
1027 +
1028 + spin_lock_irqsave(&tdc->lock, flags);
1029 + list_splice_init(&tdc->pending_sg_req, &sg_req_list);
1030 +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c
1031 +index 1b50e6c13fb3f..5fbf99d600587 100644
1032 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c
1033 ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c
1034 +@@ -748,8 +748,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg)
1035 + cjiffies = jiffies;
1036 + if (time_after(cjiffies, ctx->last_jump_jiffies)) {
1037 + cjiffies -= ctx->last_jump_jiffies;
1038 +- if ((jiffies_to_msecs(cjiffies) > 5000)) {
1039 +- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n");
1040 ++ if ((jiffies_to_msecs(cjiffies) > 10000)) {
1041 ++ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n");
1042 + ctx->abort = true;
1043 + }
1044 + } else {
1045 +diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c
1046 +index 7d47b3d5cc0d0..54d554d720004 100644
1047 +--- a/drivers/gpu/drm/gma500/cdv_intel_display.c
1048 ++++ b/drivers/gpu/drm/gma500/cdv_intel_display.c
1049 +@@ -415,6 +415,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit,
1050 + struct gma_crtc *gma_crtc = to_gma_crtc(crtc);
1051 + struct gma_clock_t clock;
1052 +
1053 ++ memset(&clock, 0, sizeof(clock));
1054 ++
1055 + switch (refclk) {
1056 + case 27000:
1057 + if (target < 200000) {
1058 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
1059 +index 3e4d3d5560bf1..6315f77b4a58c 100644
1060 +--- a/drivers/infiniband/core/ucma.c
1061 ++++ b/drivers/infiniband/core/ucma.c
1062 +@@ -1295,13 +1295,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
1063 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
1064 + return -EFAULT;
1065 +
1066 ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
1067 ++ return -EINVAL;
1068 ++
1069 + ctx = ucma_get_ctx(file, cmd.id);
1070 + if (IS_ERR(ctx))
1071 + return PTR_ERR(ctx);
1072 +
1073 +- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
1074 +- return -EINVAL;
1075 +-
1076 + optval = memdup_user((void __user *) (unsigned long) cmd.optval,
1077 + cmd.optlen);
1078 + if (IS_ERR(optval)) {
1079 +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
1080 +index 7fe7df56fa334..f0939fc1cfe55 100644
1081 +--- a/drivers/md/bcache/bcache.h
1082 ++++ b/drivers/md/bcache/bcache.h
1083 +@@ -547,6 +547,7 @@ struct cache_set {
1084 + */
1085 + wait_queue_head_t btree_cache_wait;
1086 + struct task_struct *btree_cache_alloc_lock;
1087 ++ spinlock_t btree_cannibalize_lock;
1088 +
1089 + /*
1090 + * When we free a btree node, we increment the gen of the bucket the
1091 +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
1092 +index 122d975220945..bdf6071c1b184 100644
1093 +--- a/drivers/md/bcache/btree.c
1094 ++++ b/drivers/md/bcache/btree.c
1095 +@@ -841,15 +841,17 @@ out:
1096 +
1097 + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op)
1098 + {
1099 +- struct task_struct *old;
1100 +-
1101 +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current);
1102 +- if (old && old != current) {
1103 ++ spin_lock(&c->btree_cannibalize_lock);
1104 ++ if (likely(c->btree_cache_alloc_lock == NULL)) {
1105 ++ c->btree_cache_alloc_lock = current;
1106 ++ } else if (c->btree_cache_alloc_lock != current) {
1107 + if (op)
1108 + prepare_to_wait(&c->btree_cache_wait, &op->wait,
1109 + TASK_UNINTERRUPTIBLE);
1110 ++ spin_unlock(&c->btree_cannibalize_lock);
1111 + return -EINTR;
1112 + }
1113 ++ spin_unlock(&c->btree_cannibalize_lock);
1114 +
1115 + return 0;
1116 + }
1117 +@@ -884,10 +886,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op,
1118 + */
1119 + static void bch_cannibalize_unlock(struct cache_set *c)
1120 + {
1121 ++ spin_lock(&c->btree_cannibalize_lock);
1122 + if (c->btree_cache_alloc_lock == current) {
1123 + c->btree_cache_alloc_lock = NULL;
1124 + wake_up(&c->btree_cache_wait);
1125 + }
1126 ++ spin_unlock(&c->btree_cannibalize_lock);
1127 + }
1128 +
1129 + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op,
1130 +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
1131 +index f7f8fb079d2a9..d73f9ea776861 100644
1132 +--- a/drivers/md/bcache/super.c
1133 ++++ b/drivers/md/bcache/super.c
1134 +@@ -1511,6 +1511,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
1135 + sema_init(&c->sb_write_mutex, 1);
1136 + mutex_init(&c->bucket_lock);
1137 + init_waitqueue_head(&c->btree_cache_wait);
1138 ++ spin_lock_init(&c->btree_cannibalize_lock);
1139 + init_waitqueue_head(&c->bucket_wait);
1140 + init_waitqueue_head(&c->gc_wait);
1141 + sema_init(&c->uuid_write_mutex, 1);
1142 +diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
1143 +index 119d47596ac81..b81887c4f72a9 100644
1144 +--- a/drivers/media/dvb-frontends/tda10071.c
1145 ++++ b/drivers/media/dvb-frontends/tda10071.c
1146 +@@ -483,10 +483,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
1147 + goto error;
1148 +
1149 + if (dev->delivery_system == SYS_DVBS) {
1150 +- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
1151 +- buf[2] << 8 | buf[3] << 0;
1152 +- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
1153 +- buf[2] << 8 | buf[3] << 0;
1154 ++ u32 bit_error = buf[0] << 24 | buf[1] << 16 |
1155 ++ buf[2] << 8 | buf[3] << 0;
1156 ++
1157 ++ dev->dvbv3_ber = bit_error;
1158 ++ dev->post_bit_error += bit_error;
1159 + c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER;
1160 + c->post_bit_error.stat[0].uvalue = dev->post_bit_error;
1161 + dev->block_error += buf[4] << 8 | buf[5] << 0;
1162 +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
1163 +index 4857c467e76cd..4490786936a02 100644
1164 +--- a/drivers/media/usb/go7007/go7007-usb.c
1165 ++++ b/drivers/media/usb/go7007/go7007-usb.c
1166 +@@ -1052,6 +1052,7 @@ static int go7007_usb_probe(struct usb_interface *intf,
1167 + struct go7007_usb *usb;
1168 + const struct go7007_usb_board *board;
1169 + struct usb_device *usbdev = interface_to_usbdev(intf);
1170 ++ struct usb_host_endpoint *ep;
1171 + unsigned num_i2c_devs;
1172 + char *name;
1173 + int video_pipe, i, v_urb_len;
1174 +@@ -1147,7 +1148,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
1175 + if (usb->intr_urb->transfer_buffer == NULL)
1176 + goto allocfail;
1177 +
1178 +- if (go->board_id == GO7007_BOARDID_SENSORAY_2250)
1179 ++ ep = usb->usbdev->ep_in[4];
1180 ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
1181 + usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
1182 + usb_rcvbulkpipe(usb->usbdev, 4),
1183 + usb->intr_urb->transfer_buffer, 2*sizeof(u16),
1184 +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
1185 +index 215bb5eeb5acf..c57e375fad6ed 100644
1186 +--- a/drivers/mfd/mfd-core.c
1187 ++++ b/drivers/mfd/mfd-core.c
1188 +@@ -31,6 +31,11 @@ int mfd_cell_enable(struct platform_device *pdev)
1189 + const struct mfd_cell *cell = mfd_get_cell(pdev);
1190 + int err = 0;
1191 +
1192 ++ if (!cell->enable) {
1193 ++ dev_dbg(&pdev->dev, "No .enable() call-back registered\n");
1194 ++ return 0;
1195 ++ }
1196 ++
1197 + /* only call enable hook if the cell wasn't previously enabled */
1198 + if (atomic_inc_return(cell->usage_count) == 1)
1199 + err = cell->enable(pdev);
1200 +@@ -48,6 +53,11 @@ int mfd_cell_disable(struct platform_device *pdev)
1201 + const struct mfd_cell *cell = mfd_get_cell(pdev);
1202 + int err = 0;
1203 +
1204 ++ if (!cell->disable) {
1205 ++ dev_dbg(&pdev->dev, "No .disable() call-back registered\n");
1206 ++ return 0;
1207 ++ }
1208 ++
1209 + /* only disable if no other clients are using it */
1210 + if (atomic_dec_return(cell->usage_count) == 0)
1211 + err = cell->disable(pdev);
1212 +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
1213 +index 972935f1b2f7e..3a3da0eeef1fb 100644
1214 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c
1215 ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
1216 +@@ -724,7 +724,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd)
1217 + kfree(mtd->eraseregions);
1218 + kfree(mtd);
1219 + kfree(cfi->cmdset_priv);
1220 +- kfree(cfi->cfiq);
1221 + return NULL;
1222 + }
1223 +
1224 +diff --git a/drivers/mtd/cmdlinepart.c b/drivers/mtd/cmdlinepart.c
1225 +index 08f62987cc37c..ffbc9b304beb2 100644
1226 +--- a/drivers/mtd/cmdlinepart.c
1227 ++++ b/drivers/mtd/cmdlinepart.c
1228 +@@ -228,12 +228,29 @@ static int mtdpart_setup_real(char *s)
1229 + struct cmdline_mtd_partition *this_mtd;
1230 + struct mtd_partition *parts;
1231 + int mtd_id_len, num_parts;
1232 +- char *p, *mtd_id;
1233 ++ char *p, *mtd_id, *semicol;
1234 ++
1235 ++ /*
1236 ++ * Replace the first ';' by a NULL char so strrchr can work
1237 ++ * properly.
1238 ++ */
1239 ++ semicol = strchr(s, ';');
1240 ++ if (semicol)
1241 ++ *semicol = '\0';
1242 +
1243 + mtd_id = s;
1244 +
1245 +- /* fetch <mtd-id> */
1246 +- p = strchr(s, ':');
1247 ++ /*
1248 ++ * fetch <mtd-id>. We use strrchr to ignore all ':' that could
1249 ++ * be present in the MTD name, only the last one is interpreted
1250 ++ * as an <mtd-id>/<part-definition> separator.
1251 ++ */
1252 ++ p = strrchr(s, ':');
1253 ++
1254 ++ /* Restore the ';' now. */
1255 ++ if (semicol)
1256 ++ *semicol = ';';
1257 ++
1258 + if (!p) {
1259 + pr_err("no mtd-id\n");
1260 + return -EINVAL;
1261 +diff --git a/drivers/mtd/nand/omap_elm.c b/drivers/mtd/nand/omap_elm.c
1262 +index 235ec7992b4cf..e46b11847082a 100644
1263 +--- a/drivers/mtd/nand/omap_elm.c
1264 ++++ b/drivers/mtd/nand/omap_elm.c
1265 +@@ -421,6 +421,7 @@ static int elm_probe(struct platform_device *pdev)
1266 + pm_runtime_enable(&pdev->dev);
1267 + if (pm_runtime_get_sync(&pdev->dev) < 0) {
1268 + ret = -EINVAL;
1269 ++ pm_runtime_put_sync(&pdev->dev);
1270 + pm_runtime_disable(&pdev->dev);
1271 + dev_err(&pdev->dev, "can't enable clock\n");
1272 + return ret;
1273 +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
1274 +index f958188207fd6..e57aca6239f8e 100644
1275 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
1276 ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
1277 +@@ -568,8 +568,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter)
1278 + WARN_ON(in_interrupt());
1279 + while (test_and_set_bit(__E1000_RESETTING, &adapter->flags))
1280 + msleep(1);
1281 +- e1000_down(adapter);
1282 +- e1000_up(adapter);
1283 ++
1284 ++ /* only run the task if not already down */
1285 ++ if (!test_bit(__E1000_DOWN, &adapter->flags)) {
1286 ++ e1000_down(adapter);
1287 ++ e1000_up(adapter);
1288 ++ }
1289 ++
1290 + clear_bit(__E1000_RESETTING, &adapter->flags);
1291 + }
1292 +
1293 +@@ -1456,10 +1461,15 @@ static int e1000_close(struct net_device *netdev)
1294 + struct e1000_hw *hw = &adapter->hw;
1295 + int count = E1000_CHECK_RESET_COUNT;
1296 +
1297 +- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--)
1298 ++ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--)
1299 + usleep_range(10000, 20000);
1300 +
1301 +- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags));
1302 ++ WARN_ON(count < 0);
1303 ++
1304 ++ /* signal that we're down so that the reset task will no longer run */
1305 ++ set_bit(__E1000_DOWN, &adapter->flags);
1306 ++ clear_bit(__E1000_RESETTING, &adapter->flags);
1307 ++
1308 + e1000_down(adapter);
1309 + e1000_power_down_phy(adapter);
1310 + e1000_free_irq(adapter);
1311 +diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c
1312 +index 4842344a96f1d..a2559f213daed 100644
1313 +--- a/drivers/net/wan/hdlc_ppp.c
1314 ++++ b/drivers/net/wan/hdlc_ppp.c
1315 +@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1316 + }
1317 +
1318 + for (opt = data; len; len -= opt[1], opt += opt[1]) {
1319 +- if (len < 2 || len < opt[1]) {
1320 +- dev->stats.rx_errors++;
1321 +- kfree(out);
1322 +- return; /* bad packet, drop silently */
1323 +- }
1324 ++ if (len < 2 || opt[1] < 2 || len < opt[1])
1325 ++ goto err_out;
1326 +
1327 + if (pid == PID_LCP)
1328 + switch (opt[0]) {
1329 +@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1330 + continue; /* MRU always OK and > 1500 bytes? */
1331 +
1332 + case LCP_OPTION_ACCM: /* async control character map */
1333 ++ if (opt[1] < sizeof(valid_accm))
1334 ++ goto err_out;
1335 + if (!memcmp(opt, valid_accm,
1336 + sizeof(valid_accm)))
1337 + continue;
1338 +@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1339 + }
1340 + break;
1341 + case LCP_OPTION_MAGIC:
1342 ++ if (len < 6)
1343 ++ goto err_out;
1344 + if (opt[1] != 6 || (!opt[2] && !opt[3] &&
1345 + !opt[4] && !opt[5]))
1346 + break; /* reject invalid magic number */
1347 +@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1348 + ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
1349 +
1350 + kfree(out);
1351 ++ return;
1352 ++
1353 ++err_out:
1354 ++ dev->stats.rx_errors++;
1355 ++ kfree(out);
1356 + }
1357 +
1358 + static int ppp_rx(struct sk_buff *skb)
1359 +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
1360 +index 5bf22057459e6..bc6330b437958 100644
1361 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c
1362 ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
1363 +@@ -1774,6 +1774,8 @@ static struct usb_device_id ar5523_id_table[] = {
1364 + AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */
1365 + AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */
1366 + AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */
1367 ++ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect
1368 ++ SMCWUSBT-G2 */
1369 + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */
1370 + AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */
1371 + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */
1372 +diff --git a/drivers/net/wireless/mwifiex/fw.h b/drivers/net/wireless/mwifiex/fw.h
1373 +index 9a5eb9ed89215..233af2292366d 100644
1374 +--- a/drivers/net/wireless/mwifiex/fw.h
1375 ++++ b/drivers/net/wireless/mwifiex/fw.h
1376 +@@ -848,7 +848,7 @@ struct mwifiex_tkip_param {
1377 + struct mwifiex_aes_param {
1378 + u8 pn[WPA_PN_SIZE];
1379 + __le16 key_len;
1380 +- u8 key[WLAN_KEY_LEN_CCMP];
1381 ++ u8 key[WLAN_KEY_LEN_CCMP_256];
1382 + } __packed;
1383 +
1384 + struct mwifiex_wapi_param {
1385 +diff --git a/drivers/net/wireless/mwifiex/sta_cmdresp.c b/drivers/net/wireless/mwifiex/sta_cmdresp.c
1386 +index 9e3853c8a22da..32b0b06b74f1d 100644
1387 +--- a/drivers/net/wireless/mwifiex/sta_cmdresp.c
1388 ++++ b/drivers/net/wireless/mwifiex/sta_cmdresp.c
1389 +@@ -631,7 +631,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
1390 + key_v2 = &resp->params.key_material_v2;
1391 +
1392 + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
1393 +- if (len > WLAN_KEY_LEN_CCMP)
1394 ++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
1395 + return -EINVAL;
1396 +
1397 + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
1398 +@@ -647,7 +647,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
1399 + return 0;
1400 +
1401 + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
1402 +- WLAN_KEY_LEN_CCMP);
1403 ++ sizeof(key_v2->key_param_set.key_params.aes.key));
1404 + priv->aes_key_v2.key_param_set.key_params.aes.key_len =
1405 + cpu_to_le16(len);
1406 + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
1407 +diff --git a/drivers/phy/phy-s5pv210-usb2.c b/drivers/phy/phy-s5pv210-usb2.c
1408 +index 004d320767e4d..bb36cfd4e3e90 100644
1409 +--- a/drivers/phy/phy-s5pv210-usb2.c
1410 ++++ b/drivers/phy/phy-s5pv210-usb2.c
1411 +@@ -142,6 +142,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on)
1412 + udelay(10);
1413 + rst &= ~rstbits;
1414 + writel(rst, drv->reg_phy + S5PV210_UPHYRST);
1415 ++ /* The following delay is necessary for the reset sequence to be
1416 ++ * completed
1417 ++ */
1418 ++ udelay(80);
1419 + } else {
1420 + pwr = readl(drv->reg_phy + S5PV210_UPHYPWR);
1421 + pwr |= phypwr;
1422 +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
1423 +index de33801ca31ea..0614d05a990a6 100644
1424 +--- a/drivers/scsi/aacraid/aachba.c
1425 ++++ b/drivers/scsi/aacraid/aachba.c
1426 +@@ -1938,13 +1938,13 @@ static int aac_read(struct scsi_cmnd * scsicmd)
1427 + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
1428 + SAM_STAT_CHECK_CONDITION;
1429 + set_sense(&dev->fsa_dev[cid].sense_data,
1430 +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
1431 ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
1432 + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
1433 + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
1434 + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
1435 + SCSI_SENSE_BUFFERSIZE));
1436 + scsicmd->scsi_done(scsicmd);
1437 +- return 1;
1438 ++ return 0;
1439 + }
1440 +
1441 + dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n",
1442 +@@ -2035,13 +2035,13 @@ static int aac_write(struct scsi_cmnd * scsicmd)
1443 + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
1444 + SAM_STAT_CHECK_CONDITION;
1445 + set_sense(&dev->fsa_dev[cid].sense_data,
1446 +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
1447 ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
1448 + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
1449 + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
1450 + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
1451 + SCSI_SENSE_BUFFERSIZE));
1452 + scsicmd->scsi_done(scsicmd);
1453 +- return 1;
1454 ++ return 0;
1455 + }
1456 +
1457 + dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n",
1458 +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
1459 +index 7a94c2d352390..97c0d79a2601f 100644
1460 +--- a/drivers/scsi/lpfc/lpfc_sli.c
1461 ++++ b/drivers/scsi/lpfc/lpfc_sli.c
1462 +@@ -15445,6 +15445,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf)
1463 + list_add_tail(&iocbq->list, &first_iocbq->list);
1464 + }
1465 + }
1466 ++ /* Free the sequence's header buffer */
1467 ++ if (!first_iocbq)
1468 ++ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf);
1469 ++
1470 + return first_iocbq;
1471 + }
1472 +
1473 +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
1474 +index e9ea9005a984e..f24fa99da69f5 100644
1475 +--- a/drivers/tty/serial/8250/8250_core.c
1476 ++++ b/drivers/tty/serial/8250/8250_core.c
1477 +@@ -1037,8 +1037,10 @@ int serial8250_register_8250_port(struct uart_8250_port *up)
1478 +
1479 + ret = uart_add_one_port(&serial8250_reg,
1480 + &uart->port);
1481 +- if (ret == 0)
1482 +- ret = uart->port.line;
1483 ++ if (ret)
1484 ++ goto err;
1485 ++
1486 ++ ret = uart->port.line;
1487 + } else {
1488 + dev_info(uart->port.dev,
1489 + "skipping CIR port at 0x%lx / 0x%llx, IRQ %d\n",
1490 +@@ -1052,6 +1054,11 @@ int serial8250_register_8250_port(struct uart_8250_port *up)
1491 + mutex_unlock(&serial_mutex);
1492 +
1493 + return ret;
1494 ++
1495 ++err:
1496 ++ uart->port.dev = NULL;
1497 ++ mutex_unlock(&serial_mutex);
1498 ++ return ret;
1499 + }
1500 + EXPORT_SYMBOL(serial8250_register_8250_port);
1501 +
1502 +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
1503 +index c4383573cf668..0377b35d62b80 100644
1504 +--- a/drivers/tty/serial/8250/8250_omap.c
1505 ++++ b/drivers/tty/serial/8250/8250_omap.c
1506 +@@ -1188,11 +1188,11 @@ static int omap8250_probe(struct platform_device *pdev)
1507 + spin_lock_init(&priv->rx_dma_lock);
1508 +
1509 + device_init_wakeup(&pdev->dev, true);
1510 ++ pm_runtime_enable(&pdev->dev);
1511 + pm_runtime_use_autosuspend(&pdev->dev);
1512 + pm_runtime_set_autosuspend_delay(&pdev->dev, -1);
1513 +
1514 + pm_runtime_irq_safe(&pdev->dev);
1515 +- pm_runtime_enable(&pdev->dev);
1516 +
1517 + pm_runtime_get_sync(&pdev->dev);
1518 +
1519 +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
1520 +index 70a51d0bc6044..42aa37515e9bd 100644
1521 +--- a/drivers/tty/serial/samsung.c
1522 ++++ b/drivers/tty/serial/samsung.c
1523 +@@ -1151,14 +1151,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport,
1524 + struct s3c24xx_uart_info *info = ourport->info;
1525 + struct clk *clk;
1526 + unsigned long rate;
1527 +- unsigned int cnt, baud, quot, clk_sel, best_quot = 0;
1528 ++ unsigned int cnt, baud, quot, best_quot = 0;
1529 + char clkname[MAX_CLK_NAME_LENGTH];
1530 + int calc_deviation, deviation = (1 << 30) - 1;
1531 +
1532 +- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel :
1533 +- ourport->info->def_clk_sel;
1534 + for (cnt = 0; cnt < info->num_clks; cnt++) {
1535 +- if (!(clk_sel & (1 << cnt)))
1536 ++ /* Keep selected clock if provided */
1537 ++ if (ourport->cfg->clk_sel &&
1538 ++ !(ourport->cfg->clk_sel & (1 << cnt)))
1539 + continue;
1540 +
1541 + sprintf(clkname, "clk_uart_baud%d", cnt);
1542 +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
1543 +index 0e4f54832fc79..01aeffcdf9849 100644
1544 +--- a/drivers/tty/vt/vt.c
1545 ++++ b/drivers/tty/vt/vt.c
1546 +@@ -2484,7 +2484,7 @@ static void console_callback(struct work_struct *ignored)
1547 + if (scrollback_delta) {
1548 + struct vc_data *vc = vc_cons[fg_console].d;
1549 + clear_selection();
1550 +- if (vc->vc_mode == KD_TEXT)
1551 ++ if (vc->vc_mode == KD_TEXT && vc->vc_sw->con_scrolldelta)
1552 + vc->vc_sw->con_scrolldelta(vc, scrollback_delta);
1553 + scrollback_delta = 0;
1554 + }
1555 +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c
1556 +index 849806a75f1ce..b29610899c9f6 100644
1557 +--- a/drivers/usb/host/ehci-mv.c
1558 ++++ b/drivers/usb/host/ehci-mv.c
1559 +@@ -196,12 +196,10 @@ static int mv_ehci_probe(struct platform_device *pdev)
1560 + hcd->rsrc_len = resource_size(r);
1561 + hcd->regs = ehci_mv->op_regs;
1562 +
1563 +- hcd->irq = platform_get_irq(pdev, 0);
1564 +- if (!hcd->irq) {
1565 +- dev_err(&pdev->dev, "Cannot get irq.");
1566 +- retval = -ENODEV;
1567 ++ retval = platform_get_irq(pdev, 0);
1568 ++ if (retval < 0)
1569 + goto err_disable_clk;
1570 +- }
1571 ++ hcd->irq = retval;
1572 +
1573 + ehci = hcd_to_ehci(hcd);
1574 + ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs;
1575 +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
1576 +index 7a82735d53087..8276ef7f3e834 100644
1577 +--- a/drivers/vfio/pci/vfio_pci.c
1578 ++++ b/drivers/vfio/pci/vfio_pci.c
1579 +@@ -255,6 +255,19 @@ static void vfio_pci_release(void *device_data)
1580 + if (!(--vdev->refcnt)) {
1581 + vfio_spapr_pci_eeh_release(vdev->pdev);
1582 + vfio_pci_disable(vdev);
1583 ++ mutex_lock(&vdev->igate);
1584 ++ if (vdev->err_trigger) {
1585 ++ eventfd_ctx_put(vdev->err_trigger);
1586 ++ vdev->err_trigger = NULL;
1587 ++ }
1588 ++ mutex_unlock(&vdev->igate);
1589 ++
1590 ++ mutex_lock(&vdev->igate);
1591 ++ if (vdev->req_trigger) {
1592 ++ eventfd_ctx_put(vdev->req_trigger);
1593 ++ vdev->req_trigger = NULL;
1594 ++ }
1595 ++ mutex_unlock(&vdev->igate);
1596 + }
1597 +
1598 + mutex_unlock(&driver_lock);
1599 +diff --git a/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c b/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c
1600 +index 8b6f6d5fdd68b..43186fa8a13c9 100644
1601 +--- a/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c
1602 ++++ b/drivers/video/fbdev/omap2/dss/omapdss-boot-init.c
1603 +@@ -194,7 +194,7 @@ static int __init omapdss_boot_init(void)
1604 + dss = of_find_matching_node(NULL, omapdss_of_match);
1605 +
1606 + if (dss == NULL || !of_device_is_available(dss))
1607 +- return 0;
1608 ++ goto put_node;
1609 +
1610 + omapdss_walk_device(dss, true);
1611 +
1612 +@@ -221,6 +221,8 @@ static int __init omapdss_boot_init(void)
1613 + kfree(n);
1614 + }
1615 +
1616 ++put_node:
1617 ++ of_node_put(dss);
1618 + return 0;
1619 + }
1620 +
1621 +diff --git a/fs/block_dev.c b/fs/block_dev.c
1622 +index b2ebfd96785b7..a71d442ef7d0e 100644
1623 +--- a/fs/block_dev.c
1624 ++++ b/fs/block_dev.c
1625 +@@ -1515,6 +1515,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part)
1626 + struct gendisk *disk = bdev->bd_disk;
1627 + struct block_device *victim = NULL;
1628 +
1629 ++ /*
1630 ++ * Sync early if it looks like we're the last one. If someone else
1631 ++ * opens the block device between now and the decrement of bd_openers
1632 ++ * then we did a sync that we didn't need to, but that's not the end
1633 ++ * of the world and we want to avoid long (could be several minute)
1634 ++ * syncs while holding the mutex.
1635 ++ */
1636 ++ if (bdev->bd_openers == 1)
1637 ++ sync_blockdev(bdev);
1638 ++
1639 + mutex_lock_nested(&bdev->bd_mutex, for_part);
1640 + if (for_part)
1641 + bdev->bd_part_count--;
1642 +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
1643 +index 3d0497421e62b..49e693232916f 100644
1644 +--- a/fs/ceph/caps.c
1645 ++++ b/fs/ceph/caps.c
1646 +@@ -1777,12 +1777,24 @@ ack:
1647 + if (mutex_trylock(&session->s_mutex) == 0) {
1648 + dout("inverting session/ino locks on %p\n",
1649 + session);
1650 ++ session = ceph_get_mds_session(session);
1651 + spin_unlock(&ci->i_ceph_lock);
1652 + if (took_snap_rwsem) {
1653 + up_read(&mdsc->snap_rwsem);
1654 + took_snap_rwsem = 0;
1655 + }
1656 +- mutex_lock(&session->s_mutex);
1657 ++ if (session) {
1658 ++ mutex_lock(&session->s_mutex);
1659 ++ ceph_put_mds_session(session);
1660 ++ } else {
1661 ++ /*
1662 ++ * Because we take the reference while
1663 ++ * holding the i_ceph_lock, it should
1664 ++ * never be NULL. Throw a warning if it
1665 ++ * ever is.
1666 ++ */
1667 ++ WARN_ON_ONCE(true);
1668 ++ }
1669 + goto retry;
1670 + }
1671 + }
1672 +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
1673 +index 8142f6bf3d310..fc265f4b839ae 100644
1674 +--- a/fs/fuse/dev.c
1675 ++++ b/fs/fuse/dev.c
1676 +@@ -850,7 +850,6 @@ static int fuse_check_page(struct page *page)
1677 + {
1678 + if (page_mapcount(page) ||
1679 + page->mapping != NULL ||
1680 +- page_count(page) != 1 ||
1681 + (page->flags & PAGE_FLAGS_CHECK_AT_PREP &
1682 + ~(1 << PG_locked |
1683 + 1 << PG_referenced |
1684 +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
1685 +index 97be412153328..9213a9e046ae0 100644
1686 +--- a/fs/ubifs/io.c
1687 ++++ b/fs/ubifs/io.c
1688 +@@ -237,7 +237,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum)
1689 + int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
1690 + int offs, int quiet, int must_chk_crc)
1691 + {
1692 +- int err = -EINVAL, type, node_len;
1693 ++ int err = -EINVAL, type, node_len, dump_node = 1;
1694 + uint32_t crc, node_crc, magic;
1695 + const struct ubifs_ch *ch = buf;
1696 +
1697 +@@ -290,10 +290,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
1698 + out_len:
1699 + if (!quiet)
1700 + ubifs_err(c, "bad node length %d", node_len);
1701 ++ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ)
1702 ++ dump_node = 0;
1703 + out:
1704 + if (!quiet) {
1705 + ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);
1706 +- ubifs_dump_node(c, buf);
1707 ++ if (dump_node) {
1708 ++ ubifs_dump_node(c, buf);
1709 ++ } else {
1710 ++ int safe_len = min3(node_len, c->leb_size - offs,
1711 ++ (int)UBIFS_MAX_DATA_NODE_SZ);
1712 ++ pr_err("\tprevent out-of-bounds memory access\n");
1713 ++ pr_err("\ttruncated data node length %d\n", safe_len);
1714 ++ pr_err("\tcorrupted data node:\n");
1715 ++ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1,
1716 ++ buf, safe_len, 0);
1717 ++ }
1718 + dump_stack();
1719 + }
1720 + return err;
1721 +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
1722 +index da8747b870df3..4539ff4d351f9 100644
1723 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c
1724 ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
1725 +@@ -1326,7 +1326,9 @@ xfs_attr3_leaf_add_work(
1726 + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
1727 + if (ichdr->freemap[i].base == tmp) {
1728 + ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t);
1729 +- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t);
1730 ++ ichdr->freemap[i].size -=
1731 ++ min_t(uint16_t, ichdr->freemap[i].size,
1732 ++ sizeof(xfs_attr_leaf_entry_t));
1733 + }
1734 + }
1735 + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index);
1736 +diff --git a/include/linux/libata.h b/include/linux/libata.h
1737 +index af561d33221d6..ec49344f7555d 100644
1738 +--- a/include/linux/libata.h
1739 ++++ b/include/linux/libata.h
1740 +@@ -500,6 +500,7 @@ enum hsm_task_states {
1741 + };
1742 +
1743 + enum ata_completion_errors {
1744 ++ AC_ERR_OK = 0, /* no error */
1745 + AC_ERR_DEV = (1 << 0), /* device reported error */
1746 + AC_ERR_HSM = (1 << 1), /* host state machine violation */
1747 + AC_ERR_TIMEOUT = (1 << 2), /* timeout */
1748 +@@ -896,9 +897,9 @@ struct ata_port_operations {
1749 + /*
1750 + * Command execution
1751 + */
1752 +- int (*qc_defer)(struct ata_queued_cmd *qc);
1753 +- int (*check_atapi_dma)(struct ata_queued_cmd *qc);
1754 +- void (*qc_prep)(struct ata_queued_cmd *qc);
1755 ++ int (*qc_defer)(struct ata_queued_cmd *qc);
1756 ++ int (*check_atapi_dma)(struct ata_queued_cmd *qc);
1757 ++ enum ata_completion_errors (*qc_prep)(struct ata_queued_cmd *qc);
1758 + unsigned int (*qc_issue)(struct ata_queued_cmd *qc);
1759 + bool (*qc_fill_rtf)(struct ata_queued_cmd *qc);
1760 +
1761 +@@ -1190,7 +1191,7 @@ extern int ata_xfer_mode2shift(unsigned long xfer_mode);
1762 + extern const char *ata_mode_string(unsigned long xfer_mask);
1763 + extern unsigned long ata_id_xfermask(const u16 *id);
1764 + extern int ata_std_qc_defer(struct ata_queued_cmd *qc);
1765 +-extern void ata_noop_qc_prep(struct ata_queued_cmd *qc);
1766 ++extern enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc);
1767 + extern void ata_sg_init(struct ata_queued_cmd *qc, struct scatterlist *sg,
1768 + unsigned int n_elem);
1769 + extern unsigned int ata_dev_classify(const struct ata_taskfile *tf);
1770 +@@ -1881,9 +1882,9 @@ extern const struct ata_port_operations ata_bmdma_port_ops;
1771 + .sg_tablesize = LIBATA_MAX_PRD, \
1772 + .dma_boundary = ATA_DMA_BOUNDARY
1773 +
1774 +-extern void ata_bmdma_qc_prep(struct ata_queued_cmd *qc);
1775 ++extern enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc);
1776 + extern unsigned int ata_bmdma_qc_issue(struct ata_queued_cmd *qc);
1777 +-extern void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc);
1778 ++extern enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc);
1779 + extern unsigned int ata_bmdma_port_intr(struct ata_port *ap,
1780 + struct ata_queued_cmd *qc);
1781 + extern irqreturn_t ata_bmdma_interrupt(int irq, void *dev_instance);
1782 +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
1783 +index 676d3d2a1a0a9..d8bae7cb86f39 100644
1784 +--- a/include/linux/mtd/map.h
1785 ++++ b/include/linux/mtd/map.h
1786 +@@ -307,7 +307,7 @@ void map_destroy(struct mtd_info *mtd);
1787 + ({ \
1788 + int i, ret = 1; \
1789 + for (i = 0; i < map_words(map); i++) { \
1790 +- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \
1791 ++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \
1792 + ret = 0; \
1793 + break; \
1794 + } \
1795 +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
1796 +index e0582106ef4fa..a10f363784178 100644
1797 +--- a/include/linux/seqlock.h
1798 ++++ b/include/linux/seqlock.h
1799 +@@ -242,6 +242,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s)
1800 + * usual consistency guarantee. It is one wmb cheaper, because we can
1801 + * collapse the two back-to-back wmb()s.
1802 + *
1803 ++ * Note that, writes surrounding the barrier should be declared atomic (e.g.
1804 ++ * via WRITE_ONCE): a) to ensure the writes become visible to other threads
1805 ++ * atomically, avoiding compiler optimizations; b) to document which writes are
1806 ++ * meant to propagate to the reader critical section. This is necessary because
1807 ++ * neither writes before and after the barrier are enclosed in a seq-writer
1808 ++ * critical section that would ensure readers are aware of ongoing writes.
1809 ++ *
1810 + * seqcount_t seq;
1811 + * bool X = true, Y = false;
1812 + *
1813 +@@ -261,11 +268,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s)
1814 + *
1815 + * void write(void)
1816 + * {
1817 +- * Y = true;
1818 ++ * WRITE_ONCE(Y, true);
1819 + *
1820 + * raw_write_seqcount_barrier(seq);
1821 + *
1822 +- * X = false;
1823 ++ * WRITE_ONCE(X, false);
1824 + * }
1825 + */
1826 + static inline void raw_write_seqcount_barrier(seqcount_t *s)
1827 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
1828 +index 735ff1525f485..95feb153fe9a8 100644
1829 +--- a/include/linux/skbuff.h
1830 ++++ b/include/linux/skbuff.h
1831 +@@ -1438,6 +1438,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_)
1832 + return list_->qlen;
1833 + }
1834 +
1835 ++/**
1836 ++ * skb_queue_len_lockless - get queue length
1837 ++ * @list_: list to measure
1838 ++ *
1839 ++ * Return the length of an &sk_buff queue.
1840 ++ * This variant can be used in lockless contexts.
1841 ++ */
1842 ++static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_)
1843 ++{
1844 ++ return READ_ONCE(list_->qlen);
1845 ++}
1846 ++
1847 + /**
1848 + * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
1849 + * @list: queue to initialize
1850 +@@ -1641,7 +1653,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
1851 + {
1852 + struct sk_buff *next, *prev;
1853 +
1854 +- list->qlen--;
1855 ++ WRITE_ONCE(list->qlen, list->qlen - 1);
1856 + next = skb->next;
1857 + prev = skb->prev;
1858 + skb->next = skb->prev = NULL;
1859 +@@ -2651,7 +2663,7 @@ static inline int skb_padto(struct sk_buff *skb, unsigned int len)
1860 + * is untouched. Otherwise it is extended. Returns zero on
1861 + * success. The skb is freed on error.
1862 + */
1863 +-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
1864 ++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
1865 + {
1866 + unsigned int size = skb->len;
1867 +
1868 +diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
1869 +index f45a9a5d3e47a..af453f3c2b3dd 100644
1870 +--- a/kernel/audit_watch.c
1871 ++++ b/kernel/audit_watch.c
1872 +@@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent,
1873 + if (oentry->rule.exe)
1874 + audit_remove_mark(oentry->rule.exe);
1875 +
1876 +- audit_watch_log_rule_change(r, owatch, "updated_rules");
1877 +-
1878 + call_rcu(&oentry->rcu, audit_free_rule_rcu);
1879 + }
1880 +
1881 +diff --git a/kernel/kprobes.c b/kernel/kprobes.c
1882 +index 9241a29a1f9de..33c37dbc56a05 100644
1883 +--- a/kernel/kprobes.c
1884 ++++ b/kernel/kprobes.c
1885 +@@ -2012,6 +2012,9 @@ static void kill_kprobe(struct kprobe *p)
1886 + {
1887 + struct kprobe *kp;
1888 +
1889 ++ if (WARN_ON_ONCE(kprobe_gone(p)))
1890 ++ return;
1891 ++
1892 + p->flags |= KPROBE_FLAG_GONE;
1893 + if (kprobe_aggrprobe(p)) {
1894 + /*
1895 +@@ -2032,9 +2035,10 @@ static void kill_kprobe(struct kprobe *p)
1896 +
1897 + /*
1898 + * The module is going away. We should disarm the kprobe which
1899 +- * is using ftrace.
1900 ++ * is using ftrace, because ftrace framework is still available at
1901 ++ * MODULE_STATE_GOING notification.
1902 + */
1903 +- if (kprobe_ftrace(p))
1904 ++ if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed)
1905 + disarm_kprobe_ftrace(p);
1906 + }
1907 +
1908 +@@ -2154,7 +2158,10 @@ static int kprobes_module_callback(struct notifier_block *nb,
1909 + mutex_lock(&kprobe_mutex);
1910 + for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
1911 + head = &kprobe_table[i];
1912 +- hlist_for_each_entry_rcu(p, head, hlist)
1913 ++ hlist_for_each_entry_rcu(p, head, hlist) {
1914 ++ if (kprobe_gone(p))
1915 ++ continue;
1916 ++
1917 + if (within_module_init((unsigned long)p->addr, mod) ||
1918 + (checkcore &&
1919 + within_module_core((unsigned long)p->addr, mod))) {
1920 +@@ -2165,6 +2172,7 @@ static int kprobes_module_callback(struct notifier_block *nb,
1921 + */
1922 + kill_kprobe(p);
1923 + }
1924 ++ }
1925 + }
1926 + mutex_unlock(&kprobe_mutex);
1927 + return NOTIFY_DONE;
1928 +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
1929 +index e53a976ca28ea..b55dfb3e801f9 100644
1930 +--- a/kernel/printk/printk.c
1931 ++++ b/kernel/printk/printk.c
1932 +@@ -2032,6 +2032,9 @@ static int __init console_setup(char *str)
1933 + char *s, *options, *brl_options = NULL;
1934 + int idx;
1935 +
1936 ++ if (str[0] == 0)
1937 ++ return 1;
1938 ++
1939 + if (_braille_console_setup(&str, &brl_options))
1940 + return 1;
1941 +
1942 +diff --git a/kernel/sys.c b/kernel/sys.c
1943 +index 1855f1bf113e4..e98664039cb23 100644
1944 +--- a/kernel/sys.c
1945 ++++ b/kernel/sys.c
1946 +@@ -1183,11 +1183,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
1947 +
1948 + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
1949 + {
1950 +- struct oldold_utsname tmp = {};
1951 ++ struct oldold_utsname tmp;
1952 +
1953 + if (!name)
1954 + return -EFAULT;
1955 +
1956 ++ memset(&tmp, 0, sizeof(tmp));
1957 ++
1958 + down_read(&uts_sem);
1959 + memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
1960 + memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
1961 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
1962 +index e4c6f89b6b11f..89ed01911a9a2 100644
1963 +--- a/kernel/trace/ftrace.c
1964 ++++ b/kernel/trace/ftrace.c
1965 +@@ -2823,8 +2823,11 @@ static int referenced_filters(struct dyn_ftrace *rec)
1966 + int cnt = 0;
1967 +
1968 + for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) {
1969 +- if (ops_references_rec(ops, rec))
1970 +- cnt++;
1971 ++ if (ops_references_rec(ops, rec)) {
1972 ++ cnt++;
1973 ++ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS)
1974 ++ rec->flags |= FTRACE_FL_REGS;
1975 ++ }
1976 + }
1977 +
1978 + return cnt;
1979 +@@ -2874,7 +2877,7 @@ static int ftrace_update_code(struct module *mod, struct ftrace_page *new_pgs)
1980 + p = &pg->records[i];
1981 + if (test)
1982 + cnt += referenced_filters(p);
1983 +- p->flags = cnt;
1984 ++ p->flags += cnt;
1985 +
1986 + /*
1987 + * Do the initial record conversion from mcount jump
1988 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
1989 +index 06efd18bf3e38..e4a0c0308b507 100644
1990 +--- a/kernel/trace/trace.c
1991 ++++ b/kernel/trace/trace.c
1992 +@@ -2271,6 +2271,9 @@ int trace_array_printk(struct trace_array *tr,
1993 + if (!(global_trace.trace_flags & TRACE_ITER_PRINTK))
1994 + return 0;
1995 +
1996 ++ if (!tr)
1997 ++ return -ENOENT;
1998 ++
1999 + va_start(ap, fmt);
2000 + ret = trace_array_vprintk(tr, ip, fmt, ap);
2001 + va_end(ap);
2002 +@@ -7260,7 +7263,7 @@ __init static int tracer_alloc_buffers(void)
2003 + goto out_free_buffer_mask;
2004 +
2005 + /* Only allocate trace_printk buffers if a trace_printk exists */
2006 +- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt)
2007 ++ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt)
2008 + /* Must be called before global_trace.buffer is allocated */
2009 + trace_printk_init_buffers();
2010 +
2011 +diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h
2012 +index ee7b94a4810af..246db27dbdc99 100644
2013 +--- a/kernel/trace/trace_entries.h
2014 ++++ b/kernel/trace/trace_entries.h
2015 +@@ -178,7 +178,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry,
2016 +
2017 + F_STRUCT(
2018 + __field( int, size )
2019 +- __dynamic_array(unsigned long, caller )
2020 ++ __array( unsigned long, caller, FTRACE_STACK_ENTRIES )
2021 + ),
2022 +
2023 + F_printk("\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n"
2024 +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
2025 +index bd4c0bb61ad72..9d6e755d17546 100644
2026 +--- a/kernel/trace/trace_events.c
2027 ++++ b/kernel/trace/trace_events.c
2028 +@@ -755,6 +755,8 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
2029 + char *event = NULL, *sub = NULL, *match;
2030 + int ret;
2031 +
2032 ++ if (!tr)
2033 ++ return -ENOENT;
2034 + /*
2035 + * The buf format can be <subsystem>:<event-name>
2036 + * *:<event-name> means any event by that name.
2037 +diff --git a/lib/string.c b/lib/string.c
2038 +index c7cf65ac42ad7..c9983dc01e727 100644
2039 +--- a/lib/string.c
2040 ++++ b/lib/string.c
2041 +@@ -235,6 +235,30 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
2042 + EXPORT_SYMBOL(strscpy);
2043 + #endif
2044 +
2045 ++/**
2046 ++ * stpcpy - copy a string from src to dest returning a pointer to the new end
2047 ++ * of dest, including src's %NUL-terminator. May overrun dest.
2048 ++ * @dest: pointer to end of string being copied into. Must be large enough
2049 ++ * to receive copy.
2050 ++ * @src: pointer to the beginning of string being copied from. Must not overlap
2051 ++ * dest.
2052 ++ *
2053 ++ * stpcpy differs from strcpy in a key way: the return value is a pointer
2054 ++ * to the new %NUL-terminating character in @dest. (For strcpy, the return
2055 ++ * value is a pointer to the start of @dest). This interface is considered
2056 ++ * unsafe as it doesn't perform bounds checking of the inputs. As such it's
2057 ++ * not recommended for usage. Instead, its definition is provided in case
2058 ++ * the compiler lowers other libcalls to stpcpy.
2059 ++ */
2060 ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src);
2061 ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src)
2062 ++{
2063 ++ while ((*dest++ = *src++) != '\0')
2064 ++ /* nothing */;
2065 ++ return --dest;
2066 ++}
2067 ++EXPORT_SYMBOL(stpcpy);
2068 ++
2069 + #ifndef __HAVE_ARCH_STRCAT
2070 + /**
2071 + * strcat - Append one %NUL-terminated string to another
2072 +diff --git a/mm/filemap.c b/mm/filemap.c
2073 +index f217120973ebe..3d0a0e409cbf5 100644
2074 +--- a/mm/filemap.c
2075 ++++ b/mm/filemap.c
2076 +@@ -2313,6 +2313,14 @@ filler:
2077 + unlock_page(page);
2078 + goto out;
2079 + }
2080 ++
2081 ++ /*
2082 ++ * A previous I/O error may have been due to temporary
2083 ++ * failures.
2084 ++ * Clear page error before actual read, PG_error will be
2085 ++ * set again if read page fails.
2086 ++ */
2087 ++ ClearPageError(page);
2088 + goto filler;
2089 +
2090 + out:
2091 +diff --git a/mm/mmap.c b/mm/mmap.c
2092 +index 135cccce41f88..d48a654cbd237 100644
2093 +--- a/mm/mmap.c
2094 ++++ b/mm/mmap.c
2095 +@@ -1993,6 +1993,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
2096 + info.low_limit = mm->mmap_base;
2097 + info.high_limit = TASK_SIZE;
2098 + info.align_mask = 0;
2099 ++ info.align_offset = 0;
2100 + return vm_unmapped_area(&info);
2101 + }
2102 + #endif
2103 +@@ -2034,6 +2035,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
2104 + info.low_limit = max(PAGE_SIZE, mmap_min_addr);
2105 + info.high_limit = mm->mmap_base;
2106 + info.align_mask = 0;
2107 ++ info.align_offset = 0;
2108 + addr = vm_unmapped_area(&info);
2109 +
2110 + /*
2111 +diff --git a/mm/pagewalk.c b/mm/pagewalk.c
2112 +index c2cbd26201696..a024667a9c041 100644
2113 +--- a/mm/pagewalk.c
2114 ++++ b/mm/pagewalk.c
2115 +@@ -14,9 +14,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
2116 + err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
2117 + if (err)
2118 + break;
2119 +- addr += PAGE_SIZE;
2120 +- if (addr == end)
2121 ++ if (addr >= end - PAGE_SIZE)
2122 + break;
2123 ++ addr += PAGE_SIZE;
2124 + pte++;
2125 + }
2126 +
2127 +diff --git a/net/atm/lec.c b/net/atm/lec.c
2128 +index e4afac94ff158..a38680e194436 100644
2129 +--- a/net/atm/lec.c
2130 ++++ b/net/atm/lec.c
2131 +@@ -1290,6 +1290,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
2132 + entry->vcc = NULL;
2133 + }
2134 + if (entry->recv_vcc) {
2135 ++ struct atm_vcc *vcc = entry->recv_vcc;
2136 ++ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
2137 ++
2138 ++ kfree(vpriv);
2139 ++ vcc->user_back = NULL;
2140 ++
2141 + entry->recv_vcc->push = entry->old_recv_push;
2142 + vcc_release_async(entry->recv_vcc, -EPIPE);
2143 + entry->recv_vcc = NULL;
2144 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
2145 +index 9aa5daa551273..1267cbb1a329a 100644
2146 +--- a/net/batman-adv/bridge_loop_avoidance.c
2147 ++++ b/net/batman-adv/bridge_loop_avoidance.c
2148 +@@ -73,11 +73,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
2149 + /* return the index of the backbone gateway */
2150 + static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
2151 + {
2152 +- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
2153 ++ const struct batadv_bla_backbone_gw *gw;
2154 + u32 hash = 0;
2155 +
2156 +- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
2157 +- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
2158 ++ gw = (struct batadv_bla_backbone_gw *)data;
2159 ++ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
2160 ++ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
2161 +
2162 + return hash % size;
2163 + }
2164 +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
2165 +index b3e8b0e3073c2..e470410abb44d 100644
2166 +--- a/net/batman-adv/routing.c
2167 ++++ b/net/batman-adv/routing.c
2168 +@@ -782,6 +782,10 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
2169 + vid = batadv_get_vid(skb, hdr_len);
2170 + ethhdr = (struct ethhdr *)(skb->data + hdr_len);
2171 +
2172 ++ /* do not reroute multicast frames in a unicast header */
2173 ++ if (is_multicast_ether_addr(ethhdr->h_dest))
2174 ++ return true;
2175 ++
2176 + /* check if the destination client was served by this node and it is now
2177 + * roaming. In this case, it means that the node has got a ROAM_ADV
2178 + * message and that it knows the new destination in the mesh to re-route
2179 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
2180 +index 16cf5633eae3e..03319ab8a7c6e 100644
2181 +--- a/net/bluetooth/hci_event.c
2182 ++++ b/net/bluetooth/hci_event.c
2183 +@@ -41,12 +41,27 @@
2184 +
2185 + /* Handle HCI Event packets */
2186 +
2187 +-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
2188 ++static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
2189 ++ u8 *new_status)
2190 + {
2191 + __u8 status = *((__u8 *) skb->data);
2192 +
2193 + BT_DBG("%s status 0x%2.2x", hdev->name, status);
2194 +
2195 ++ /* It is possible that we receive Inquiry Complete event right
2196 ++ * before we receive Inquiry Cancel Command Complete event, in
2197 ++ * which case the latter event should have status of Command
2198 ++ * Disallowed (0x0c). This should not be treated as error, since
2199 ++ * we actually achieve what Inquiry Cancel wants to achieve,
2200 ++ * which is to end the last Inquiry session.
2201 ++ */
2202 ++ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
2203 ++ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
2204 ++ status = 0x00;
2205 ++ }
2206 ++
2207 ++ *new_status = status;
2208 ++
2209 + if (status)
2210 + return;
2211 +
2212 +@@ -2758,7 +2773,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2213 +
2214 + switch (*opcode) {
2215 + case HCI_OP_INQUIRY_CANCEL:
2216 +- hci_cc_inquiry_cancel(hdev, skb);
2217 ++ hci_cc_inquiry_cancel(hdev, skb, status);
2218 + break;
2219 +
2220 + case HCI_OP_PERIODIC_INQ:
2221 +@@ -5230,6 +5245,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
2222 + u8 status = 0, event = hdr->evt, req_evt = 0;
2223 + u16 opcode = HCI_OP_NOP;
2224 +
2225 ++ if (!event) {
2226 ++ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
2227 ++ goto done;
2228 ++ }
2229 ++
2230 + if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
2231 + struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
2232 + opcode = __le16_to_cpu(cmd_hdr->opcode);
2233 +@@ -5441,6 +5461,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
2234 + req_complete_skb(hdev, status, opcode, orig_skb);
2235 + }
2236 +
2237 ++done:
2238 + kfree_skb(orig_skb);
2239 + kfree_skb(skb);
2240 + hdev->stat.evt_rx++;
2241 +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
2242 +index 0e31bbe1256cd..f2db50da8ce2e 100644
2243 +--- a/net/bluetooth/l2cap_core.c
2244 ++++ b/net/bluetooth/l2cap_core.c
2245 +@@ -403,6 +403,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
2246 + BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
2247 +
2248 + mutex_lock(&conn->chan_lock);
2249 ++ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
2250 ++ * this work. No need to call l2cap_chan_hold(chan) here again.
2251 ++ */
2252 + l2cap_chan_lock(chan);
2253 +
2254 + if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
2255 +@@ -415,12 +418,12 @@ static void l2cap_chan_timeout(struct work_struct *work)
2256 +
2257 + l2cap_chan_close(chan, reason);
2258 +
2259 +- l2cap_chan_unlock(chan);
2260 +-
2261 + chan->ops->close(chan);
2262 +- mutex_unlock(&conn->chan_lock);
2263 +
2264 ++ l2cap_chan_unlock(chan);
2265 + l2cap_chan_put(chan);
2266 ++
2267 ++ mutex_unlock(&conn->chan_lock);
2268 + }
2269 +
2270 + struct l2cap_chan *l2cap_chan_create(void)
2271 +@@ -1714,9 +1717,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
2272 +
2273 + l2cap_chan_del(chan, err);
2274 +
2275 +- l2cap_chan_unlock(chan);
2276 +-
2277 + chan->ops->close(chan);
2278 ++
2279 ++ l2cap_chan_unlock(chan);
2280 + l2cap_chan_put(chan);
2281 + }
2282 +
2283 +@@ -4093,7 +4096,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
2284 + return 0;
2285 + }
2286 +
2287 +- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2288 ++ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
2289 ++ chan->state != BT_CONNECTED) {
2290 + cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
2291 + chan->dcid);
2292 + goto unlock;
2293 +@@ -4316,6 +4320,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
2294 + return 0;
2295 + }
2296 +
2297 ++ l2cap_chan_hold(chan);
2298 + l2cap_chan_lock(chan);
2299 +
2300 + rsp.dcid = cpu_to_le16(chan->scid);
2301 +@@ -4324,12 +4329,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
2302 +
2303 + chan->ops->set_shutdown(chan);
2304 +
2305 +- l2cap_chan_hold(chan);
2306 + l2cap_chan_del(chan, ECONNRESET);
2307 +
2308 +- l2cap_chan_unlock(chan);
2309 +-
2310 + chan->ops->close(chan);
2311 ++
2312 ++ l2cap_chan_unlock(chan);
2313 + l2cap_chan_put(chan);
2314 +
2315 + mutex_unlock(&conn->chan_lock);
2316 +@@ -4361,20 +4365,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
2317 + return 0;
2318 + }
2319 +
2320 ++ l2cap_chan_hold(chan);
2321 + l2cap_chan_lock(chan);
2322 +
2323 + if (chan->state != BT_DISCONN) {
2324 + l2cap_chan_unlock(chan);
2325 ++ l2cap_chan_put(chan);
2326 + mutex_unlock(&conn->chan_lock);
2327 + return 0;
2328 + }
2329 +
2330 +- l2cap_chan_hold(chan);
2331 + l2cap_chan_del(chan, 0);
2332 +
2333 +- l2cap_chan_unlock(chan);
2334 +-
2335 + chan->ops->close(chan);
2336 ++
2337 ++ l2cap_chan_unlock(chan);
2338 + l2cap_chan_put(chan);
2339 +
2340 + mutex_unlock(&conn->chan_lock);
2341 +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
2342 +index d9bbbded49ef8..e562385d9440e 100644
2343 +--- a/net/bluetooth/l2cap_sock.c
2344 ++++ b/net/bluetooth/l2cap_sock.c
2345 +@@ -1038,7 +1038,7 @@ done:
2346 + }
2347 +
2348 + /* Kill socket (only if zapped and orphan)
2349 +- * Must be called on unlocked socket.
2350 ++ * Must be called on unlocked socket, with l2cap channel lock.
2351 + */
2352 + static void l2cap_sock_kill(struct sock *sk)
2353 + {
2354 +@@ -1189,6 +1189,7 @@ static int l2cap_sock_release(struct socket *sock)
2355 + {
2356 + struct sock *sk = sock->sk;
2357 + int err;
2358 ++ struct l2cap_chan *chan;
2359 +
2360 + BT_DBG("sock %p, sk %p", sock, sk);
2361 +
2362 +@@ -1198,9 +1199,17 @@ static int l2cap_sock_release(struct socket *sock)
2363 + bt_sock_unlink(&l2cap_sk_list, sk);
2364 +
2365 + err = l2cap_sock_shutdown(sock, 2);
2366 ++ chan = l2cap_pi(sk)->chan;
2367 ++
2368 ++ l2cap_chan_hold(chan);
2369 ++ l2cap_chan_lock(chan);
2370 +
2371 + sock_orphan(sk);
2372 + l2cap_sock_kill(sk);
2373 ++
2374 ++ l2cap_chan_unlock(chan);
2375 ++ l2cap_chan_put(chan);
2376 ++
2377 + return err;
2378 + }
2379 +
2380 +@@ -1218,12 +1227,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
2381 + BT_DBG("child chan %p state %s", chan,
2382 + state_to_string(chan->state));
2383 +
2384 ++ l2cap_chan_hold(chan);
2385 + l2cap_chan_lock(chan);
2386 ++
2387 + __clear_chan_timer(chan);
2388 + l2cap_chan_close(chan, ECONNRESET);
2389 +- l2cap_chan_unlock(chan);
2390 +-
2391 + l2cap_sock_kill(sk);
2392 ++
2393 ++ l2cap_chan_unlock(chan);
2394 ++ l2cap_chan_put(chan);
2395 + }
2396 + }
2397 +
2398 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
2399 +index 9849f1f4cf4f7..40d33431bc585 100644
2400 +--- a/net/core/neighbour.c
2401 ++++ b/net/core/neighbour.c
2402 +@@ -2798,6 +2798,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos)
2403 + *pos = cpu+1;
2404 + return per_cpu_ptr(tbl->stats, cpu);
2405 + }
2406 ++ (*pos)++;
2407 + return NULL;
2408 + }
2409 +
2410 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
2411 +index d940c9e0eb024..0355f125d8361 100644
2412 +--- a/net/ipv4/ip_output.c
2413 ++++ b/net/ipv4/ip_output.c
2414 +@@ -73,6 +73,7 @@
2415 + #include <net/icmp.h>
2416 + #include <net/checksum.h>
2417 + #include <net/inetpeer.h>
2418 ++#include <net/inet_ecn.h>
2419 + #include <linux/igmp.h>
2420 + #include <linux/netfilter_ipv4.h>
2421 + #include <linux/netfilter_bridge.h>
2422 +@@ -1597,7 +1598,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
2423 + if (IS_ERR(rt))
2424 + return;
2425 +
2426 +- inet_sk(sk)->tos = arg->tos;
2427 ++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
2428 +
2429 + sk->sk_priority = skb->priority;
2430 + sk->sk_protocol = ip_hdr(skb)->protocol;
2431 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
2432 +index 542f6e0f438f1..ea1c319100a5d 100644
2433 +--- a/net/ipv4/route.c
2434 ++++ b/net/ipv4/route.c
2435 +@@ -271,6 +271,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
2436 + *pos = cpu+1;
2437 + return &per_cpu(rt_cache_stat, cpu);
2438 + }
2439 ++ (*pos)++;
2440 + return NULL;
2441 +
2442 + }
2443 +diff --git a/net/key/af_key.c b/net/key/af_key.c
2444 +index d2ec620319d76..76a008b1cbe5f 100644
2445 +--- a/net/key/af_key.c
2446 ++++ b/net/key/af_key.c
2447 +@@ -1873,6 +1873,13 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
2448 + if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
2449 + struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
2450 +
2451 ++ if ((xfilter->sadb_x_filter_splen >=
2452 ++ (sizeof(xfrm_address_t) << 3)) ||
2453 ++ (xfilter->sadb_x_filter_dplen >=
2454 ++ (sizeof(xfrm_address_t) << 3))) {
2455 ++ mutex_unlock(&pfk->dump_lock);
2456 ++ return -EINVAL;
2457 ++ }
2458 + filter = kmalloc(sizeof(*filter), GFP_KERNEL);
2459 + if (filter == NULL) {
2460 + mutex_unlock(&pfk->dump_lock);
2461 +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
2462 +index 2b8e80c721db1..a7cd031656801 100644
2463 +--- a/net/sunrpc/svc_xprt.c
2464 ++++ b/net/sunrpc/svc_xprt.c
2465 +@@ -97,8 +97,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl)
2466 + }
2467 + EXPORT_SYMBOL_GPL(svc_unreg_xprt_class);
2468 +
2469 +-/*
2470 +- * Format the transport list for printing
2471 ++/**
2472 ++ * svc_print_xprts - Format the transport list for printing
2473 ++ * @buf: target buffer for formatted address
2474 ++ * @maxlen: length of target buffer
2475 ++ *
2476 ++ * Fills in @buf with a string containing a list of transport names, each name
2477 ++ * terminated with '\n'. If the buffer is too small, some entries may be
2478 ++ * missing, but it is guaranteed that all lines in the output buffer are
2479 ++ * complete.
2480 ++ *
2481 ++ * Returns positive length of the filled-in string.
2482 + */
2483 + int svc_print_xprts(char *buf, int maxlen)
2484 + {
2485 +@@ -111,9 +120,9 @@ int svc_print_xprts(char *buf, int maxlen)
2486 + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) {
2487 + int slen;
2488 +
2489 +- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload);
2490 +- slen = strlen(tmpstr);
2491 +- if (len + slen > maxlen)
2492 ++ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n",
2493 ++ xcl->xcl_name, xcl->xcl_max_payload);
2494 ++ if (slen >= sizeof(tmpstr) || len + slen >= maxlen)
2495 + break;
2496 + len += slen;
2497 + strcat(buf, tmpstr);
2498 +diff --git a/net/tipc/msg.c b/net/tipc/msg.c
2499 +index 67bddcb2ff466..fc1aa8bcb185d 100644
2500 +--- a/net/tipc/msg.c
2501 ++++ b/net/tipc/msg.c
2502 +@@ -138,7 +138,8 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
2503 + if (fragid == FIRST_FRAGMENT) {
2504 + if (unlikely(head))
2505 + goto err;
2506 +- if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
2507 ++ frag = skb_unshare(frag, GFP_ATOMIC);
2508 ++ if (unlikely(!frag))
2509 + goto err;
2510 + head = *headbuf = frag;
2511 + *buf = NULL;
2512 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
2513 +index b5e2ef242efe7..ac78c5ac82846 100644
2514 +--- a/net/unix/af_unix.c
2515 ++++ b/net/unix/af_unix.c
2516 +@@ -191,11 +191,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk)
2517 + return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
2518 + }
2519 +
2520 +-static inline int unix_recvq_full(struct sock const *sk)
2521 ++static inline int unix_recvq_full(const struct sock *sk)
2522 + {
2523 + return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
2524 + }
2525 +
2526 ++static inline int unix_recvq_full_lockless(const struct sock *sk)
2527 ++{
2528 ++ return skb_queue_len_lockless(&sk->sk_receive_queue) >
2529 ++ READ_ONCE(sk->sk_max_ack_backlog);
2530 ++}
2531 ++
2532 + struct sock *unix_peer_get(struct sock *s)
2533 + {
2534 + struct sock *peer;
2535 +@@ -1792,7 +1798,8 @@ restart_locked:
2536 + * - unix_peer(sk) == sk by time of get but disconnected before lock
2537 + */
2538 + if (other != sk &&
2539 +- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
2540 ++ unlikely(unix_peer(other) != sk &&
2541 ++ unix_recvq_full_lockless(other))) {
2542 + if (timeo) {
2543 + timeo = unix_wait_for_peer(other, timeo);
2544 +
2545 +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
2546 +index c02da25d7b631..7778e28cce9d7 100644
2547 +--- a/security/selinux/selinuxfs.c
2548 ++++ b/security/selinux/selinuxfs.c
2549 +@@ -1370,6 +1370,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx)
2550 + *idx = cpu + 1;
2551 + return &per_cpu(avc_cache_stats, cpu);
2552 + }
2553 ++ (*idx)++;
2554 + return NULL;
2555 + }
2556 +
2557 +diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c
2558 +index 0e81ea89a5965..e3f68a76d90eb 100644
2559 +--- a/sound/hda/hdac_bus.c
2560 ++++ b/sound/hda/hdac_bus.c
2561 +@@ -155,6 +155,7 @@ static void process_unsol_events(struct work_struct *work)
2562 + struct hdac_driver *drv;
2563 + unsigned int rp, caddr, res;
2564 +
2565 ++ spin_lock_irq(&bus->reg_lock);
2566 + while (bus->unsol_rp != bus->unsol_wp) {
2567 + rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE;
2568 + bus->unsol_rp = rp;
2569 +@@ -166,10 +167,13 @@ static void process_unsol_events(struct work_struct *work)
2570 + codec = bus->caddr_tbl[caddr & 0x0f];
2571 + if (!codec || !codec->dev.driver)
2572 + continue;
2573 ++ spin_unlock_irq(&bus->reg_lock);
2574 + drv = drv_to_hdac_driver(codec->dev.driver);
2575 + if (drv->unsol_event)
2576 + drv->unsol_event(codec, res);
2577 ++ spin_lock_irq(&bus->reg_lock);
2578 + }
2579 ++ spin_unlock_irq(&bus->reg_lock);
2580 + }
2581 +
2582 + /**
2583 +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
2584 +index 7a32abbe0cef8..4bdcb7443b1f5 100644
2585 +--- a/sound/pci/asihpi/hpioctl.c
2586 ++++ b/sound/pci/asihpi/hpioctl.c
2587 +@@ -346,7 +346,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
2588 + struct hpi_message hm;
2589 + struct hpi_response hr;
2590 + struct hpi_adapter adapter;
2591 +- struct hpi_pci pci;
2592 ++ struct hpi_pci pci = { 0 };
2593 +
2594 + memset(&adapter, 0, sizeof(adapter));
2595 +
2596 +@@ -502,7 +502,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
2597 + return 0;
2598 +
2599 + err:
2600 +- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
2601 ++ while (--idx >= 0) {
2602 + if (pci.ap_mem_base[idx]) {
2603 + iounmap(pci.ap_mem_base[idx]);
2604 + pci.ap_mem_base[idx] = NULL;
2605 +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c
2606 +index dbfdfe99c69df..231c7d97333c7 100644
2607 +--- a/sound/soc/kirkwood/kirkwood-dma.c
2608 ++++ b/sound/soc/kirkwood/kirkwood-dma.c
2609 +@@ -136,7 +136,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream)
2610 + err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED,
2611 + "kirkwood-i2s", priv);
2612 + if (err)
2613 +- return -EBUSY;
2614 ++ return err;
2615 +
2616 + /*
2617 + * Enable Error interrupts. We're only ack'ing them but
2618 +diff --git a/sound/usb/midi.c b/sound/usb/midi.c
2619 +index 5c4a3d6c42341..934540042bc2e 100644
2620 +--- a/sound/usb/midi.c
2621 ++++ b/sound/usb/midi.c
2622 +@@ -1803,6 +1803,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi,
2623 + return 0;
2624 + }
2625 +
2626 ++static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor(
2627 ++ struct usb_host_endpoint *hostep)
2628 ++{
2629 ++ unsigned char *extra = hostep->extra;
2630 ++ int extralen = hostep->extralen;
2631 ++
2632 ++ while (extralen > 3) {
2633 ++ struct usb_ms_endpoint_descriptor *ms_ep =
2634 ++ (struct usb_ms_endpoint_descriptor *)extra;
2635 ++
2636 ++ if (ms_ep->bLength > 3 &&
2637 ++ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
2638 ++ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
2639 ++ return ms_ep;
2640 ++ if (!extra[0])
2641 ++ break;
2642 ++ extralen -= extra[0];
2643 ++ extra += extra[0];
2644 ++ }
2645 ++ return NULL;
2646 ++}
2647 ++
2648 + /*
2649 + * Returns MIDIStreaming device capabilities.
2650 + */
2651 +@@ -1840,11 +1862,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi,
2652 + ep = get_ep_desc(hostep);
2653 + if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep))
2654 + continue;
2655 +- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra;
2656 +- if (hostep->extralen < 4 ||
2657 +- ms_ep->bLength < 4 ||
2658 +- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT ||
2659 +- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL)
2660 ++ ms_ep = find_usb_ms_endpoint_descriptor(hostep);
2661 ++ if (!ms_ep)
2662 + continue;
2663 + if (usb_endpoint_dir_out(ep)) {
2664 + if (endpoints[epidx].out_ep) {
2665 +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
2666 +index 2070c02de3af5..ea55cb6b614f4 100644
2667 +--- a/tools/perf/util/symbol-elf.c
2668 ++++ b/tools/perf/util/symbol-elf.c
2669 +@@ -1390,6 +1390,7 @@ struct kcore_copy_info {
2670 + u64 first_symbol;
2671 + u64 last_symbol;
2672 + u64 first_module;
2673 ++ u64 first_module_symbol;
2674 + u64 last_module_symbol;
2675 + struct phdr_data kernel_map;
2676 + struct phdr_data modules_map;
2677 +@@ -1404,6 +1405,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type,
2678 + return 0;
2679 +
2680 + if (strchr(name, '[')) {
2681 ++ if (!kci->first_module_symbol || start < kci->first_module_symbol)
2682 ++ kci->first_module_symbol = start;
2683 + if (start > kci->last_module_symbol)
2684 + kci->last_module_symbol = start;
2685 + return 0;
2686 +@@ -1528,6 +1531,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir,
2687 + kci->etext += page_size;
2688 + }
2689 +
2690 ++ if (kci->first_module_symbol &&
2691 ++ (!kci->first_module || kci->first_module_symbol < kci->first_module))
2692 ++ kci->first_module = kci->first_module_symbol;
2693 ++
2694 + kci->first_module = round_down(kci->first_module, page_size);
2695 +
2696 + if (kci->last_module_symbol) {
2697 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
2698 +index 82f3a9d78cab4..ba8e8840b94b2 100644
2699 +--- a/virt/kvm/kvm_main.c
2700 ++++ b/virt/kvm/kvm_main.c
2701 +@@ -3392,7 +3392,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
2702 + void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
2703 + struct kvm_io_device *dev)
2704 + {
2705 +- int i;
2706 ++ int i, j;
2707 + struct kvm_io_bus *new_bus, *bus;
2708 +
2709 + bus = kvm->buses[bus_idx];
2710 +@@ -3409,17 +3409,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
2711 +
2712 + new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
2713 + sizeof(struct kvm_io_range)), GFP_KERNEL);
2714 +- if (!new_bus) {
2715 ++ if (new_bus) {
2716 ++ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
2717 ++ new_bus->dev_count--;
2718 ++ memcpy(new_bus->range + i, bus->range + i + 1,
2719 ++ (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
2720 ++ } else {
2721 + pr_err("kvm: failed to shrink bus, removing it completely\n");
2722 +- goto broken;
2723 ++ for (j = 0; j < bus->dev_count; j++) {
2724 ++ if (j == i)
2725 ++ continue;
2726 ++ kvm_iodevice_destructor(bus->range[j].dev);
2727 ++ }
2728 + }
2729 +
2730 +- memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
2731 +- new_bus->dev_count--;
2732 +- memcpy(new_bus->range + i, bus->range + i + 1,
2733 +- (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
2734 +-
2735 +-broken:
2736 + rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
2737 + synchronize_srcu_expedited(&kvm->srcu);
2738 + kfree(bus);
Report Message
Find on MARC Find on Google Groups