Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Thu, 01 Oct 2020 18:59:51
Message-Id: 1601578771.e032640bc9855a93b6cccdb01e27044c4bf6551c.mpagano@gentoo
1 commit: e032640bc9855a93b6cccdb01e27044c4bf6551c
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Oct 1 18:59:31 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Oct 1 18:59:31 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e032640b
7
8 Linux patch 4.9.238
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1237_linux-4.9.238.patch | 4359 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4363 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 2b5f2bf..c39cf2b 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -991,6 +991,10 @@ Patch: 1236_linux-4.9.237.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.237
23
24 +Patch: 1237_linux-4.9.238.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.238
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1237_linux-4.9.238.patch b/1237_linux-4.9.238.patch
33 new file mode 100644
34 index 0000000..2a0fbe4
35 --- /dev/null
36 +++ b/1237_linux-4.9.238.patch
37 @@ -0,0 +1,4359 @@
38 +diff --git a/Documentation/DocBook/libata.tmpl b/Documentation/DocBook/libata.tmpl
39 +index d7fcdc5a43792..9b55778ab024f 100644
40 +--- a/Documentation/DocBook/libata.tmpl
41 ++++ b/Documentation/DocBook/libata.tmpl
42 +@@ -324,7 +324,7 @@ Many legacy IDE drivers use ata_bmdma_status() as the bmdma_status() hook.
43 +
44 + <sect2><title>High-level taskfile hooks</title>
45 + <programlisting>
46 +-void (*qc_prep) (struct ata_queued_cmd *qc);
47 ++enum ata_completion_errors (*qc_prep) (struct ata_queued_cmd *qc);
48 + int (*qc_issue) (struct ata_queued_cmd *qc);
49 + </programlisting>
50 +
51 +diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt
52 +index 68c4e8d96bed6..b309de00cd836 100644
53 +--- a/Documentation/devicetree/bindings/sound/wm8994.txt
54 ++++ b/Documentation/devicetree/bindings/sound/wm8994.txt
55 +@@ -14,9 +14,15 @@ Required properties:
56 + - #gpio-cells : Must be 2. The first cell is the pin number and the
57 + second cell is used to specify optional parameters (currently unused).
58 +
59 +- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply,
60 +- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered
61 +- in Documentation/devicetree/bindings/regulator/regulator.txt
62 ++ - power supplies for the device, as covered in
63 ++ Documentation/devicetree/bindings/regulator/regulator.txt, depending
64 ++ on compatible:
65 ++ - for wlf,wm1811 and wlf,wm8958:
66 ++ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply,
67 ++ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply
68 ++ - for wlf,wm8994:
69 ++ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply,
70 ++ SPKVDD1-supply, SPKVDD2-supply
71 +
72 + Optional properties:
73 +
74 +@@ -68,11 +74,11 @@ codec: wm8994@1a {
75 +
76 + lineout1-se;
77 +
78 ++ AVDD1-supply = <&regulator>;
79 + AVDD2-supply = <&regulator>;
80 + CPVDD-supply = <&regulator>;
81 +- DBVDD1-supply = <&regulator>;
82 +- DBVDD2-supply = <&regulator>;
83 +- DBVDD3-supply = <&regulator>;
84 ++ DBVDD-supply = <&regulator>;
85 ++ DCVDD-supply = <&regulator>;
86 + SPKVDD1-supply = <&regulator>;
87 + SPKVDD2-supply = <&regulator>;
88 + };
89 +diff --git a/Makefile b/Makefile
90 +index 3c78b28c6a0da..41a7d6626e354 100644
91 +--- a/Makefile
92 ++++ b/Makefile
93 +@@ -1,6 +1,6 @@
94 + VERSION = 4
95 + PATCHLEVEL = 9
96 +-SUBLEVEL = 237
97 ++SUBLEVEL = 238
98 + EXTRAVERSION =
99 + NAME = Roaring Lionus
100 +
101 +diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c
102 +index ea89a24f46000..cc0f924bbdd2d 100644
103 +--- a/arch/m68k/q40/config.c
104 ++++ b/arch/m68k/q40/config.c
105 +@@ -303,6 +303,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll)
106 + {
107 + int tmp = Q40_RTC_CTRL;
108 +
109 ++ pll->pll_ctrl = 0;
110 + pll->pll_value = tmp & Q40_RTC_PLL_MASK;
111 + if (tmp & Q40_RTC_PLL_SIGN)
112 + pll->pll_value = -pll->pll_value;
113 +diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h
114 +index bdd6dc18e65c6..941efd8783344 100644
115 +--- a/arch/mips/include/asm/cpu-type.h
116 ++++ b/arch/mips/include/asm/cpu-type.h
117 +@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type)
118 + case CPU_34K:
119 + case CPU_1004K:
120 + case CPU_74K:
121 ++ case CPU_1074K:
122 + case CPU_M14KC:
123 + case CPU_M14KEC:
124 + case CPU_INTERAPTIV:
125 +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
126 +index a559908d180ec..ce49c2b9db7ee 100644
127 +--- a/arch/s390/kernel/setup.c
128 ++++ b/arch/s390/kernel/setup.c
129 +@@ -529,7 +529,7 @@ static struct notifier_block kdump_mem_nb = {
130 + /*
131 + * Make sure that the area behind memory_end is protected
132 + */
133 +-static void reserve_memory_end(void)
134 ++static void __init reserve_memory_end(void)
135 + {
136 + #ifdef CONFIG_CRASH_DUMP
137 + if (ipl_info.type == IPL_TYPE_FCP_DUMP &&
138 +@@ -547,7 +547,7 @@ static void reserve_memory_end(void)
139 + /*
140 + * Make sure that oldmem, where the dump is stored, is protected
141 + */
142 +-static void reserve_oldmem(void)
143 ++static void __init reserve_oldmem(void)
144 + {
145 + #ifdef CONFIG_CRASH_DUMP
146 + if (OLDMEM_BASE)
147 +@@ -559,7 +559,7 @@ static void reserve_oldmem(void)
148 + /*
149 + * Make sure that oldmem, where the dump is stored, is protected
150 + */
151 +-static void remove_oldmem(void)
152 ++static void __init remove_oldmem(void)
153 + {
154 + #ifdef CONFIG_CRASH_DUMP
155 + if (OLDMEM_BASE)
156 +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
157 +index 4af16acc001a3..204a5ce65afda 100644
158 +--- a/arch/x86/include/asm/nospec-branch.h
159 ++++ b/arch/x86/include/asm/nospec-branch.h
160 +@@ -321,7 +321,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear);
161 + * combination with microcode which triggers a CPU buffer flush when the
162 + * instruction is executed.
163 + */
164 +-static inline void mds_clear_cpu_buffers(void)
165 ++static __always_inline void mds_clear_cpu_buffers(void)
166 + {
167 + static const u16 ds = __KERNEL_DS;
168 +
169 +@@ -342,7 +342,7 @@ static inline void mds_clear_cpu_buffers(void)
170 + *
171 + * Clear CPU buffers if the corresponding static key is enabled
172 + */
173 +-static inline void mds_user_clear_cpu_buffers(void)
174 ++static __always_inline void mds_user_clear_cpu_buffers(void)
175 + {
176 + if (static_branch_likely(&mds_user_clear))
177 + mds_clear_cpu_buffers();
178 +diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h
179 +index c50d6dcf4a227..4e7273e176cb7 100644
180 +--- a/arch/x86/include/asm/pkeys.h
181 ++++ b/arch/x86/include/asm/pkeys.h
182 +@@ -3,6 +3,11 @@
183 +
184 + #define ARCH_DEFAULT_PKEY 0
185 +
186 ++/*
187 ++ * If more than 16 keys are ever supported, a thorough audit
188 ++ * will be necessary to ensure that the types that store key
189 ++ * numbers and masks have sufficient capacity.
190 ++ */
191 + #define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1)
192 +
193 + extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
194 +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
195 +index e9d7f461b7fa5..dbd396c913488 100644
196 +--- a/arch/x86/kernel/fpu/xstate.c
197 ++++ b/arch/x86/kernel/fpu/xstate.c
198 +@@ -871,8 +871,6 @@ const void *get_xsave_field_ptr(int xsave_state)
199 +
200 + #ifdef CONFIG_ARCH_HAS_PKEYS
201 +
202 +-#define NR_VALID_PKRU_BITS (CONFIG_NR_PROTECTION_KEYS * 2)
203 +-#define PKRU_VALID_MASK (NR_VALID_PKRU_BITS - 1)
204 + /*
205 + * This will go out and modify PKRU register to set the access
206 + * rights for @pkey to @init_val.
207 +@@ -891,6 +889,13 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
208 + if (!boot_cpu_has(X86_FEATURE_OSPKE))
209 + return -EINVAL;
210 +
211 ++ /*
212 ++ * This code should only be called with valid 'pkey'
213 ++ * values originating from in-kernel users. Complain
214 ++ * if a bad value is observed.
215 ++ */
216 ++ WARN_ON_ONCE(pkey >= arch_max_pkey());
217 ++
218 + /* Set the bits we need in PKRU: */
219 + if (init_val & PKEY_DISABLE_ACCESS)
220 + new_pkru_bits |= PKRU_AD_BIT;
221 +diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
222 +index 756b14ecc957a..df1076b0eabf3 100644
223 +--- a/arch/x86/kvm/mmutrace.h
224 ++++ b/arch/x86/kvm/mmutrace.h
225 +@@ -336,7 +336,7 @@ TRACE_EVENT(
226 + /* These depend on page entry type, so compute them now. */
227 + __field(bool, r)
228 + __field(bool, x)
229 +- __field(u8, u)
230 ++ __field(signed char, u)
231 + ),
232 +
233 + TP_fast_assign(
234 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
235 +index 6b7faa14c27bb..3c0f9be107e42 100644
236 +--- a/arch/x86/kvm/x86.c
237 ++++ b/arch/x86/kvm/x86.c
238 +@@ -4263,10 +4263,13 @@ long kvm_arch_vm_ioctl(struct file *filp,
239 + r = -EFAULT;
240 + if (copy_from_user(&u.ps, argp, sizeof u.ps))
241 + goto out;
242 ++ mutex_lock(&kvm->lock);
243 + r = -ENXIO;
244 + if (!kvm->arch.vpit)
245 +- goto out;
246 ++ goto set_pit_out;
247 + r = kvm_vm_ioctl_set_pit(kvm, &u.ps);
248 ++set_pit_out:
249 ++ mutex_unlock(&kvm->lock);
250 + break;
251 + }
252 + case KVM_GET_PIT2: {
253 +@@ -4286,10 +4289,13 @@ long kvm_arch_vm_ioctl(struct file *filp,
254 + r = -EFAULT;
255 + if (copy_from_user(&u.ps2, argp, sizeof(u.ps2)))
256 + goto out;
257 ++ mutex_lock(&kvm->lock);
258 + r = -ENXIO;
259 + if (!kvm->arch.vpit)
260 +- goto out;
261 ++ goto set_pit2_out;
262 + r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2);
263 ++set_pit2_out:
264 ++ mutex_unlock(&kvm->lock);
265 + break;
266 + }
267 + case KVM_REINJECT_CONTROL: {
268 +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
269 +index 307b3e28f34ce..8781b5dc97f1c 100644
270 +--- a/drivers/acpi/ec.c
271 ++++ b/drivers/acpi/ec.c
272 +@@ -1049,29 +1049,21 @@ void acpi_ec_unblock_transactions(void)
273 + /* --------------------------------------------------------------------------
274 + Event Management
275 + -------------------------------------------------------------------------- */
276 +-static struct acpi_ec_query_handler *
277 +-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler)
278 +-{
279 +- if (handler)
280 +- kref_get(&handler->kref);
281 +- return handler;
282 +-}
283 +-
284 + static struct acpi_ec_query_handler *
285 + acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value)
286 + {
287 + struct acpi_ec_query_handler *handler;
288 +- bool found = false;
289 +
290 + mutex_lock(&ec->mutex);
291 + list_for_each_entry(handler, &ec->list, node) {
292 + if (value == handler->query_bit) {
293 +- found = true;
294 +- break;
295 ++ kref_get(&handler->kref);
296 ++ mutex_unlock(&ec->mutex);
297 ++ return handler;
298 + }
299 + }
300 + mutex_unlock(&ec->mutex);
301 +- return found ? acpi_ec_get_query_handler(handler) : NULL;
302 ++ return NULL;
303 + }
304 +
305 + static void acpi_ec_query_handler_release(struct kref *kref)
306 +diff --git a/drivers/ata/acard-ahci.c b/drivers/ata/acard-ahci.c
307 +index ed6a30cd681a0..98581ae397c12 100644
308 +--- a/drivers/ata/acard-ahci.c
309 ++++ b/drivers/ata/acard-ahci.c
310 +@@ -72,7 +72,7 @@ struct acard_sg {
311 + __le32 size; /* bit 31 (EOT) max==0x10000 (64k) */
312 + };
313 +
314 +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc);
315 ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc);
316 + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc);
317 + static int acard_ahci_port_start(struct ata_port *ap);
318 + static int acard_ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
319 +@@ -257,7 +257,7 @@ static unsigned int acard_ahci_fill_sg(struct ata_queued_cmd *qc, void *cmd_tbl)
320 + return si;
321 + }
322 +
323 +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc)
324 ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc)
325 + {
326 + struct ata_port *ap = qc->ap;
327 + struct ahci_port_priv *pp = ap->private_data;
328 +@@ -295,6 +295,8 @@ static void acard_ahci_qc_prep(struct ata_queued_cmd *qc)
329 + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH;
330 +
331 + ahci_fill_cmd_slot(pp, qc->tag, opts);
332 ++
333 ++ return AC_ERR_OK;
334 + }
335 +
336 + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc)
337 +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
338 +index 1610fff19bb39..984260902d0be 100644
339 +--- a/drivers/ata/libahci.c
340 ++++ b/drivers/ata/libahci.c
341 +@@ -73,7 +73,7 @@ static int ahci_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
342 + static bool ahci_qc_fill_rtf(struct ata_queued_cmd *qc);
343 + static int ahci_port_start(struct ata_port *ap);
344 + static void ahci_port_stop(struct ata_port *ap);
345 +-static void ahci_qc_prep(struct ata_queued_cmd *qc);
346 ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc);
347 + static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc);
348 + static void ahci_freeze(struct ata_port *ap);
349 + static void ahci_thaw(struct ata_port *ap);
350 +@@ -1607,7 +1607,7 @@ static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc)
351 + return sata_pmp_qc_defer_cmd_switch(qc);
352 + }
353 +
354 +-static void ahci_qc_prep(struct ata_queued_cmd *qc)
355 ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc)
356 + {
357 + struct ata_port *ap = qc->ap;
358 + struct ahci_port_priv *pp = ap->private_data;
359 +@@ -1643,6 +1643,8 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc)
360 + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH;
361 +
362 + ahci_fill_cmd_slot(pp, qc->tag, opts);
363 ++
364 ++ return AC_ERR_OK;
365 + }
366 +
367 + static void ahci_fbs_dec_intr(struct ata_port *ap)
368 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
369 +index 2aa10cd4c5b75..228a4cfb0e7d2 100644
370 +--- a/drivers/ata/libata-core.c
371 ++++ b/drivers/ata/libata-core.c
372 +@@ -4895,7 +4895,10 @@ int ata_std_qc_defer(struct ata_queued_cmd *qc)
373 + return ATA_DEFER_LINK;
374 + }
375 +
376 +-void ata_noop_qc_prep(struct ata_queued_cmd *qc) { }
377 ++enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc)
378 ++{
379 ++ return AC_ERR_OK;
380 ++}
381 +
382 + /**
383 + * ata_sg_init - Associate command with scatter-gather table.
384 +@@ -5313,7 +5316,9 @@ void ata_qc_issue(struct ata_queued_cmd *qc)
385 + return;
386 + }
387 +
388 +- ap->ops->qc_prep(qc);
389 ++ qc->err_mask |= ap->ops->qc_prep(qc);
390 ++ if (unlikely(qc->err_mask))
391 ++ goto err;
392 + trace_ata_qc_issue(qc);
393 + qc->err_mask |= ap->ops->qc_issue(qc);
394 + if (unlikely(qc->err_mask))
395 +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
396 +index 0e2bc5b9a78c1..0edd83cae0fd0 100644
397 +--- a/drivers/ata/libata-sff.c
398 ++++ b/drivers/ata/libata-sff.c
399 +@@ -2742,12 +2742,14 @@ static void ata_bmdma_fill_sg_dumb(struct ata_queued_cmd *qc)
400 + * LOCKING:
401 + * spin_lock_irqsave(host lock)
402 + */
403 +-void ata_bmdma_qc_prep(struct ata_queued_cmd *qc)
404 ++enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc)
405 + {
406 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
407 +- return;
408 ++ return AC_ERR_OK;
409 +
410 + ata_bmdma_fill_sg(qc);
411 ++
412 ++ return AC_ERR_OK;
413 + }
414 + EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep);
415 +
416 +@@ -2760,12 +2762,14 @@ EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep);
417 + * LOCKING:
418 + * spin_lock_irqsave(host lock)
419 + */
420 +-void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc)
421 ++enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc)
422 + {
423 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
424 +- return;
425 ++ return AC_ERR_OK;
426 +
427 + ata_bmdma_fill_sg_dumb(qc);
428 ++
429 ++ return AC_ERR_OK;
430 + }
431 + EXPORT_SYMBOL_GPL(ata_bmdma_dumb_qc_prep);
432 +
433 +diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
434 +index e347e7acd8edb..d8000bbd1e11d 100644
435 +--- a/drivers/ata/pata_macio.c
436 ++++ b/drivers/ata/pata_macio.c
437 +@@ -507,7 +507,7 @@ static int pata_macio_cable_detect(struct ata_port *ap)
438 + return ATA_CBL_PATA40;
439 + }
440 +
441 +-static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
442 ++static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
443 + {
444 + unsigned int write = (qc->tf.flags & ATA_TFLAG_WRITE);
445 + struct ata_port *ap = qc->ap;
446 +@@ -520,7 +520,7 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
447 + __func__, qc, qc->flags, write, qc->dev->devno);
448 +
449 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
450 +- return;
451 ++ return AC_ERR_OK;
452 +
453 + table = (struct dbdma_cmd *) priv->dma_table_cpu;
454 +
455 +@@ -565,6 +565,8 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
456 + table->command = cpu_to_le16(DBDMA_STOP);
457 +
458 + dev_dbgdma(priv->dev, "%s: %d DMA list entries\n", __func__, pi);
459 ++
460 ++ return AC_ERR_OK;
461 + }
462 +
463 +
464 +diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
465 +index f6c46e9a4dc0f..d7186a503e358 100644
466 +--- a/drivers/ata/pata_pxa.c
467 ++++ b/drivers/ata/pata_pxa.c
468 +@@ -59,25 +59,27 @@ static void pxa_ata_dma_irq(void *d)
469 + /*
470 + * Prepare taskfile for submission.
471 + */
472 +-static void pxa_qc_prep(struct ata_queued_cmd *qc)
473 ++static enum ata_completion_errors pxa_qc_prep(struct ata_queued_cmd *qc)
474 + {
475 + struct pata_pxa_data *pd = qc->ap->private_data;
476 + struct dma_async_tx_descriptor *tx;
477 + enum dma_transfer_direction dir;
478 +
479 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
480 +- return;
481 ++ return AC_ERR_OK;
482 +
483 + dir = (qc->dma_dir == DMA_TO_DEVICE ? DMA_MEM_TO_DEV : DMA_DEV_TO_MEM);
484 + tx = dmaengine_prep_slave_sg(pd->dma_chan, qc->sg, qc->n_elem, dir,
485 + DMA_PREP_INTERRUPT);
486 + if (!tx) {
487 + ata_dev_err(qc->dev, "prep_slave_sg() failed\n");
488 +- return;
489 ++ return AC_ERR_OK;
490 + }
491 + tx->callback = pxa_ata_dma_irq;
492 + tx->callback_param = pd;
493 + pd->dma_cookie = dmaengine_submit(tx);
494 ++
495 ++ return AC_ERR_OK;
496 + }
497 +
498 + /*
499 +diff --git a/drivers/ata/pdc_adma.c b/drivers/ata/pdc_adma.c
500 +index 64d682c6ee57e..11da13bea2c93 100644
501 +--- a/drivers/ata/pdc_adma.c
502 ++++ b/drivers/ata/pdc_adma.c
503 +@@ -132,7 +132,7 @@ static int adma_ata_init_one(struct pci_dev *pdev,
504 + const struct pci_device_id *ent);
505 + static int adma_port_start(struct ata_port *ap);
506 + static void adma_port_stop(struct ata_port *ap);
507 +-static void adma_qc_prep(struct ata_queued_cmd *qc);
508 ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc);
509 + static unsigned int adma_qc_issue(struct ata_queued_cmd *qc);
510 + static int adma_check_atapi_dma(struct ata_queued_cmd *qc);
511 + static void adma_freeze(struct ata_port *ap);
512 +@@ -311,7 +311,7 @@ static int adma_fill_sg(struct ata_queued_cmd *qc)
513 + return i;
514 + }
515 +
516 +-static void adma_qc_prep(struct ata_queued_cmd *qc)
517 ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc)
518 + {
519 + struct adma_port_priv *pp = qc->ap->private_data;
520 + u8 *buf = pp->pkt;
521 +@@ -322,7 +322,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc)
522 +
523 + adma_enter_reg_mode(qc->ap);
524 + if (qc->tf.protocol != ATA_PROT_DMA)
525 +- return;
526 ++ return AC_ERR_OK;
527 +
528 + buf[i++] = 0; /* Response flags */
529 + buf[i++] = 0; /* reserved */
530 +@@ -387,6 +387,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc)
531 + printk("%s\n", obuf);
532 + }
533 + #endif
534 ++ return AC_ERR_OK;
535 + }
536 +
537 + static inline void adma_packet_start(struct ata_queued_cmd *qc)
538 +diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
539 +index a723ae9297831..100b5a3621ef3 100644
540 +--- a/drivers/ata/sata_fsl.c
541 ++++ b/drivers/ata/sata_fsl.c
542 +@@ -513,7 +513,7 @@ static unsigned int sata_fsl_fill_sg(struct ata_queued_cmd *qc, void *cmd_desc,
543 + return num_prde;
544 + }
545 +
546 +-static void sata_fsl_qc_prep(struct ata_queued_cmd *qc)
547 ++static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc)
548 + {
549 + struct ata_port *ap = qc->ap;
550 + struct sata_fsl_port_priv *pp = ap->private_data;
551 +@@ -559,6 +559,8 @@ static void sata_fsl_qc_prep(struct ata_queued_cmd *qc)
552 +
553 + VPRINTK("SATA FSL : xx_qc_prep, di = 0x%x, ttl = %d, num_prde = %d\n",
554 + desc_info, ttl_dwords, num_prde);
555 ++
556 ++ return AC_ERR_OK;
557 + }
558 +
559 + static unsigned int sata_fsl_qc_issue(struct ata_queued_cmd *qc)
560 +diff --git a/drivers/ata/sata_inic162x.c b/drivers/ata/sata_inic162x.c
561 +index e81a8217f1ff7..349a175f02675 100644
562 +--- a/drivers/ata/sata_inic162x.c
563 ++++ b/drivers/ata/sata_inic162x.c
564 +@@ -472,7 +472,7 @@ static void inic_fill_sg(struct inic_prd *prd, struct ata_queued_cmd *qc)
565 + prd[-1].flags |= PRD_END;
566 + }
567 +
568 +-static void inic_qc_prep(struct ata_queued_cmd *qc)
569 ++static enum ata_completion_errors inic_qc_prep(struct ata_queued_cmd *qc)
570 + {
571 + struct inic_port_priv *pp = qc->ap->private_data;
572 + struct inic_pkt *pkt = pp->pkt;
573 +@@ -532,6 +532,8 @@ static void inic_qc_prep(struct ata_queued_cmd *qc)
574 + inic_fill_sg(prd, qc);
575 +
576 + pp->cpb_tbl[0] = pp->pkt_dma;
577 ++
578 ++ return AC_ERR_OK;
579 + }
580 +
581 + static unsigned int inic_qc_issue(struct ata_queued_cmd *qc)
582 +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
583 +index 2f32782cea6d9..513ef298dd960 100644
584 +--- a/drivers/ata/sata_mv.c
585 ++++ b/drivers/ata/sata_mv.c
586 +@@ -605,8 +605,8 @@ static int mv5_scr_write(struct ata_link *link, unsigned int sc_reg_in, u32 val)
587 + static int mv_port_start(struct ata_port *ap);
588 + static void mv_port_stop(struct ata_port *ap);
589 + static int mv_qc_defer(struct ata_queued_cmd *qc);
590 +-static void mv_qc_prep(struct ata_queued_cmd *qc);
591 +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc);
592 ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc);
593 ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc);
594 + static unsigned int mv_qc_issue(struct ata_queued_cmd *qc);
595 + static int mv_hardreset(struct ata_link *link, unsigned int *class,
596 + unsigned long deadline);
597 +@@ -2044,7 +2044,7 @@ static void mv_rw_multi_errata_sata24(struct ata_queued_cmd *qc)
598 + * LOCKING:
599 + * Inherited from caller.
600 + */
601 +-static void mv_qc_prep(struct ata_queued_cmd *qc)
602 ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc)
603 + {
604 + struct ata_port *ap = qc->ap;
605 + struct mv_port_priv *pp = ap->private_data;
606 +@@ -2056,15 +2056,15 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
607 + switch (tf->protocol) {
608 + case ATA_PROT_DMA:
609 + if (tf->command == ATA_CMD_DSM)
610 +- return;
611 ++ return AC_ERR_OK;
612 + /* fall-thru */
613 + case ATA_PROT_NCQ:
614 + break; /* continue below */
615 + case ATA_PROT_PIO:
616 + mv_rw_multi_errata_sata24(qc);
617 +- return;
618 ++ return AC_ERR_OK;
619 + default:
620 +- return;
621 ++ return AC_ERR_OK;
622 + }
623 +
624 + /* Fill in command request block
625 +@@ -2111,12 +2111,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
626 + * non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none
627 + * of which are defined/used by Linux. If we get here, this
628 + * driver needs work.
629 +- *
630 +- * FIXME: modify libata to give qc_prep a return value and
631 +- * return error here.
632 + */
633 +- BUG_ON(tf->command);
634 +- break;
635 ++ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__,
636 ++ tf->command);
637 ++ return AC_ERR_INVALID;
638 + }
639 + mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0);
640 + mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0);
641 +@@ -2129,8 +2127,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
642 + mv_crqb_pack_cmd(cw++, tf->command, ATA_REG_CMD, 1); /* last */
643 +
644 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
645 +- return;
646 ++ return AC_ERR_OK;
647 + mv_fill_sg(qc);
648 ++
649 ++ return AC_ERR_OK;
650 + }
651 +
652 + /**
653 +@@ -2145,7 +2145,7 @@ static void mv_qc_prep(struct ata_queued_cmd *qc)
654 + * LOCKING:
655 + * Inherited from caller.
656 + */
657 +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
658 ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc)
659 + {
660 + struct ata_port *ap = qc->ap;
661 + struct mv_port_priv *pp = ap->private_data;
662 +@@ -2156,9 +2156,9 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
663 +
664 + if ((tf->protocol != ATA_PROT_DMA) &&
665 + (tf->protocol != ATA_PROT_NCQ))
666 +- return;
667 ++ return AC_ERR_OK;
668 + if (tf->command == ATA_CMD_DSM)
669 +- return; /* use bmdma for this */
670 ++ return AC_ERR_OK; /* use bmdma for this */
671 +
672 + /* Fill in Gen IIE command request block */
673 + if (!(tf->flags & ATA_TFLAG_WRITE))
674 +@@ -2199,8 +2199,10 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
675 + );
676 +
677 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
678 +- return;
679 ++ return AC_ERR_OK;
680 + mv_fill_sg(qc);
681 ++
682 ++ return AC_ERR_OK;
683 + }
684 +
685 + /**
686 +diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c
687 +index 734f563b8d37b..bb098c4ae1775 100644
688 +--- a/drivers/ata/sata_nv.c
689 ++++ b/drivers/ata/sata_nv.c
690 +@@ -313,7 +313,7 @@ static void nv_ck804_freeze(struct ata_port *ap);
691 + static void nv_ck804_thaw(struct ata_port *ap);
692 + static int nv_adma_slave_config(struct scsi_device *sdev);
693 + static int nv_adma_check_atapi_dma(struct ata_queued_cmd *qc);
694 +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc);
695 ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc);
696 + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc);
697 + static irqreturn_t nv_adma_interrupt(int irq, void *dev_instance);
698 + static void nv_adma_irq_clear(struct ata_port *ap);
699 +@@ -335,7 +335,7 @@ static void nv_mcp55_freeze(struct ata_port *ap);
700 + static void nv_swncq_error_handler(struct ata_port *ap);
701 + static int nv_swncq_slave_config(struct scsi_device *sdev);
702 + static int nv_swncq_port_start(struct ata_port *ap);
703 +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc);
704 ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc);
705 + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc);
706 + static unsigned int nv_swncq_qc_issue(struct ata_queued_cmd *qc);
707 + static void nv_swncq_irq_clear(struct ata_port *ap, u16 fis);
708 +@@ -1382,7 +1382,7 @@ static int nv_adma_use_reg_mode(struct ata_queued_cmd *qc)
709 + return 1;
710 + }
711 +
712 +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
713 ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc)
714 + {
715 + struct nv_adma_port_priv *pp = qc->ap->private_data;
716 + struct nv_adma_cpb *cpb = &pp->cpb[qc->tag];
717 +@@ -1394,7 +1394,7 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
718 + (qc->flags & ATA_QCFLAG_DMAMAP));
719 + nv_adma_register_mode(qc->ap);
720 + ata_bmdma_qc_prep(qc);
721 +- return;
722 ++ return AC_ERR_OK;
723 + }
724 +
725 + cpb->resp_flags = NV_CPB_RESP_DONE;
726 +@@ -1426,6 +1426,8 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
727 + cpb->ctl_flags = ctl_flags;
728 + wmb();
729 + cpb->resp_flags = 0;
730 ++
731 ++ return AC_ERR_OK;
732 + }
733 +
734 + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc)
735 +@@ -1989,17 +1991,19 @@ static int nv_swncq_port_start(struct ata_port *ap)
736 + return 0;
737 + }
738 +
739 +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc)
740 ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc)
741 + {
742 + if (qc->tf.protocol != ATA_PROT_NCQ) {
743 + ata_bmdma_qc_prep(qc);
744 +- return;
745 ++ return AC_ERR_OK;
746 + }
747 +
748 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
749 +- return;
750 ++ return AC_ERR_OK;
751 +
752 + nv_swncq_fill_sg(qc);
753 ++
754 ++ return AC_ERR_OK;
755 + }
756 +
757 + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc)
758 +diff --git a/drivers/ata/sata_promise.c b/drivers/ata/sata_promise.c
759 +index 0fa211e2831cd..8ad8b376a642c 100644
760 +--- a/drivers/ata/sata_promise.c
761 ++++ b/drivers/ata/sata_promise.c
762 +@@ -155,7 +155,7 @@ static int pdc_sata_scr_write(struct ata_link *link, unsigned int sc_reg, u32 va
763 + static int pdc_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
764 + static int pdc_common_port_start(struct ata_port *ap);
765 + static int pdc_sata_port_start(struct ata_port *ap);
766 +-static void pdc_qc_prep(struct ata_queued_cmd *qc);
767 ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc);
768 + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
769 + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
770 + static int pdc_check_atapi_dma(struct ata_queued_cmd *qc);
771 +@@ -649,7 +649,7 @@ static void pdc_fill_sg(struct ata_queued_cmd *qc)
772 + prd[idx - 1].flags_len |= cpu_to_le32(ATA_PRD_EOT);
773 + }
774 +
775 +-static void pdc_qc_prep(struct ata_queued_cmd *qc)
776 ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc)
777 + {
778 + struct pdc_port_priv *pp = qc->ap->private_data;
779 + unsigned int i;
780 +@@ -681,6 +681,8 @@ static void pdc_qc_prep(struct ata_queued_cmd *qc)
781 + default:
782 + break;
783 + }
784 ++
785 ++ return AC_ERR_OK;
786 + }
787 +
788 + static int pdc_is_sataii_tx4(unsigned long flags)
789 +diff --git a/drivers/ata/sata_qstor.c b/drivers/ata/sata_qstor.c
790 +index af987a4f33d19..80ff3bbfc8269 100644
791 +--- a/drivers/ata/sata_qstor.c
792 ++++ b/drivers/ata/sata_qstor.c
793 +@@ -116,7 +116,7 @@ static int qs_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
794 + static int qs_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
795 + static int qs_port_start(struct ata_port *ap);
796 + static void qs_host_stop(struct ata_host *host);
797 +-static void qs_qc_prep(struct ata_queued_cmd *qc);
798 ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc);
799 + static unsigned int qs_qc_issue(struct ata_queued_cmd *qc);
800 + static int qs_check_atapi_dma(struct ata_queued_cmd *qc);
801 + static void qs_freeze(struct ata_port *ap);
802 +@@ -276,7 +276,7 @@ static unsigned int qs_fill_sg(struct ata_queued_cmd *qc)
803 + return si;
804 + }
805 +
806 +-static void qs_qc_prep(struct ata_queued_cmd *qc)
807 ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc)
808 + {
809 + struct qs_port_priv *pp = qc->ap->private_data;
810 + u8 dflags = QS_DF_PORD, *buf = pp->pkt;
811 +@@ -288,7 +288,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
812 +
813 + qs_enter_reg_mode(qc->ap);
814 + if (qc->tf.protocol != ATA_PROT_DMA)
815 +- return;
816 ++ return AC_ERR_OK;
817 +
818 + nelem = qs_fill_sg(qc);
819 +
820 +@@ -311,6 +311,8 @@ static void qs_qc_prep(struct ata_queued_cmd *qc)
821 +
822 + /* frame information structure (FIS) */
823 + ata_tf_to_fis(&qc->tf, 0, 1, &buf[32]);
824 ++
825 ++ return AC_ERR_OK;
826 + }
827 +
828 + static inline void qs_packet_start(struct ata_queued_cmd *qc)
829 +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
830 +index 07e146b772ead..301419325b975 100644
831 +--- a/drivers/ata/sata_rcar.c
832 ++++ b/drivers/ata/sata_rcar.c
833 +@@ -551,12 +551,14 @@ static void sata_rcar_bmdma_fill_sg(struct ata_queued_cmd *qc)
834 + prd[si - 1].addr |= cpu_to_le32(SATA_RCAR_DTEND);
835 + }
836 +
837 +-static void sata_rcar_qc_prep(struct ata_queued_cmd *qc)
838 ++static enum ata_completion_errors sata_rcar_qc_prep(struct ata_queued_cmd *qc)
839 + {
840 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
841 +- return;
842 ++ return AC_ERR_OK;
843 +
844 + sata_rcar_bmdma_fill_sg(qc);
845 ++
846 ++ return AC_ERR_OK;
847 + }
848 +
849 + static void sata_rcar_bmdma_setup(struct ata_queued_cmd *qc)
850 +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c
851 +index 29bcff086bced..73156a301912f 100644
852 +--- a/drivers/ata/sata_sil.c
853 ++++ b/drivers/ata/sata_sil.c
854 +@@ -119,7 +119,7 @@ static void sil_dev_config(struct ata_device *dev);
855 + static int sil_scr_read(struct ata_link *link, unsigned int sc_reg, u32 *val);
856 + static int sil_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
857 + static int sil_set_mode(struct ata_link *link, struct ata_device **r_failed);
858 +-static void sil_qc_prep(struct ata_queued_cmd *qc);
859 ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc);
860 + static void sil_bmdma_setup(struct ata_queued_cmd *qc);
861 + static void sil_bmdma_start(struct ata_queued_cmd *qc);
862 + static void sil_bmdma_stop(struct ata_queued_cmd *qc);
863 +@@ -333,12 +333,14 @@ static void sil_fill_sg(struct ata_queued_cmd *qc)
864 + last_prd->flags_len |= cpu_to_le32(ATA_PRD_EOT);
865 + }
866 +
867 +-static void sil_qc_prep(struct ata_queued_cmd *qc)
868 ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc)
869 + {
870 + if (!(qc->flags & ATA_QCFLAG_DMAMAP))
871 +- return;
872 ++ return AC_ERR_OK;
873 +
874 + sil_fill_sg(qc);
875 ++
876 ++ return AC_ERR_OK;
877 + }
878 +
879 + static unsigned char sil_get_device_cache_line(struct pci_dev *pdev)
880 +diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c
881 +index 4b1995e2d044b..ffa3bf724054d 100644
882 +--- a/drivers/ata/sata_sil24.c
883 ++++ b/drivers/ata/sata_sil24.c
884 +@@ -336,7 +336,7 @@ static void sil24_dev_config(struct ata_device *dev);
885 + static int sil24_scr_read(struct ata_link *link, unsigned sc_reg, u32 *val);
886 + static int sil24_scr_write(struct ata_link *link, unsigned sc_reg, u32 val);
887 + static int sil24_qc_defer(struct ata_queued_cmd *qc);
888 +-static void sil24_qc_prep(struct ata_queued_cmd *qc);
889 ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc);
890 + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc);
891 + static bool sil24_qc_fill_rtf(struct ata_queued_cmd *qc);
892 + static void sil24_pmp_attach(struct ata_port *ap);
893 +@@ -840,7 +840,7 @@ static int sil24_qc_defer(struct ata_queued_cmd *qc)
894 + return ata_std_qc_defer(qc);
895 + }
896 +
897 +-static void sil24_qc_prep(struct ata_queued_cmd *qc)
898 ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc)
899 + {
900 + struct ata_port *ap = qc->ap;
901 + struct sil24_port_priv *pp = ap->private_data;
902 +@@ -884,6 +884,8 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc)
903 +
904 + if (qc->flags & ATA_QCFLAG_DMAMAP)
905 + sil24_fill_sg(qc, sge);
906 ++
907 ++ return AC_ERR_OK;
908 + }
909 +
910 + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc)
911 +diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
912 +index 48301cb3a3165..043953200b52a 100644
913 +--- a/drivers/ata/sata_sx4.c
914 ++++ b/drivers/ata/sata_sx4.c
915 +@@ -218,7 +218,7 @@ static void pdc_error_handler(struct ata_port *ap);
916 + static void pdc_freeze(struct ata_port *ap);
917 + static void pdc_thaw(struct ata_port *ap);
918 + static int pdc_port_start(struct ata_port *ap);
919 +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc);
920 ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc);
921 + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
922 + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
923 + static unsigned int pdc20621_dimm_init(struct ata_host *host);
924 +@@ -546,7 +546,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
925 + VPRINTK("ata pkt buf ofs %u, mmio copied\n", i);
926 + }
927 +
928 +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc)
929 ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc)
930 + {
931 + switch (qc->tf.protocol) {
932 + case ATA_PROT_DMA:
933 +@@ -558,6 +558,8 @@ static void pdc20621_qc_prep(struct ata_queued_cmd *qc)
934 + default:
935 + break;
936 + }
937 ++
938 ++ return AC_ERR_OK;
939 + }
940 +
941 + static void __pdc20621_push_hdma(struct ata_queued_cmd *qc,
942 +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
943 +index 88819409e0beb..9d16743c49178 100644
944 +--- a/drivers/atm/eni.c
945 ++++ b/drivers/atm/eni.c
946 +@@ -2243,7 +2243,7 @@ static int eni_init_one(struct pci_dev *pci_dev,
947 +
948 + rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
949 + if (rc < 0)
950 +- goto out;
951 ++ goto err_disable;
952 +
953 + rc = -ENOMEM;
954 + eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL);
955 +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c
956 +index 100cd1de9939d..59e1e94d12c01 100644
957 +--- a/drivers/char/tlclk.c
958 ++++ b/drivers/char/tlclk.c
959 +@@ -777,17 +777,21 @@ static int __init tlclk_init(void)
960 + {
961 + int ret;
962 +
963 ++ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f);
964 ++
965 ++ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL);
966 ++ if (!alarm_events) {
967 ++ ret = -ENOMEM;
968 ++ goto out1;
969 ++ }
970 ++
971 + ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops);
972 + if (ret < 0) {
973 + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major);
974 ++ kfree(alarm_events);
975 + return ret;
976 + }
977 + tlclk_major = ret;
978 +- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL);
979 +- if (!alarm_events) {
980 +- ret = -ENOMEM;
981 +- goto out1;
982 +- }
983 +
984 + /* Read telecom clock IRQ number (Set by BIOS) */
985 + if (!request_region(TLCLK_BASE, 8, "telco_clock")) {
986 +@@ -796,7 +800,6 @@ static int __init tlclk_init(void)
987 + ret = -EBUSY;
988 + goto out2;
989 + }
990 +- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f);
991 +
992 + if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */
993 + printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n",
994 +@@ -837,8 +840,8 @@ out3:
995 + release_region(TLCLK_BASE, 8);
996 + out2:
997 + kfree(alarm_events);
998 +-out1:
999 + unregister_chrdev(tlclk_major, "telco_clock");
1000 ++out1:
1001 + return ret;
1002 + }
1003 +
1004 +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
1005 +index 84eca4f93b828..0fad6cf37bab4 100644
1006 +--- a/drivers/char/tpm/tpm_ibmvtpm.c
1007 ++++ b/drivers/char/tpm/tpm_ibmvtpm.c
1008 +@@ -550,6 +550,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance)
1009 + */
1010 + while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) {
1011 + ibmvtpm_crq_process(crq, ibmvtpm);
1012 ++ wake_up_interruptible(&ibmvtpm->crq_queue.wq);
1013 + crq->valid = 0;
1014 + smp_wmb();
1015 + }
1016 +@@ -596,6 +597,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
1017 + }
1018 +
1019 + crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr);
1020 ++ init_waitqueue_head(&crq_q->wq);
1021 + ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr,
1022 + CRQ_RES_BUF_SIZE,
1023 + DMA_BIDIRECTIONAL);
1024 +@@ -648,6 +650,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
1025 + if (rc)
1026 + goto init_irq_cleanup;
1027 +
1028 ++ if (!wait_event_timeout(ibmvtpm->crq_queue.wq,
1029 ++ ibmvtpm->rtce_buf != NULL,
1030 ++ HZ)) {
1031 ++ dev_err(dev, "CRQ response timed out\n");
1032 ++ goto init_irq_cleanup;
1033 ++ }
1034 ++
1035 + return tpm_chip_register(chip);
1036 + init_irq_cleanup:
1037 + do {
1038 +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h
1039 +index 91dfe766d0800..4f6a124601db4 100644
1040 +--- a/drivers/char/tpm/tpm_ibmvtpm.h
1041 ++++ b/drivers/char/tpm/tpm_ibmvtpm.h
1042 +@@ -31,6 +31,7 @@ struct ibmvtpm_crq_queue {
1043 + struct ibmvtpm_crq *crq_addr;
1044 + u32 index;
1045 + u32 num_entry;
1046 ++ wait_queue_head_t wq;
1047 + };
1048 +
1049 + struct ibmvtpm_dev {
1050 +diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c
1051 +index 255cafb18336a..9345eaf00938e 100644
1052 +--- a/drivers/clk/ti/adpll.c
1053 ++++ b/drivers/clk/ti/adpll.c
1054 +@@ -193,15 +193,8 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d,
1055 + if (err)
1056 + return NULL;
1057 + } else {
1058 +- const char *base_name = "adpll";
1059 +- char *buf;
1060 +-
1061 +- buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 +
1062 +- strlen(postfix), GFP_KERNEL);
1063 +- if (!buf)
1064 +- return NULL;
1065 +- sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix);
1066 +- name = buf;
1067 ++ name = devm_kasprintf(d->dev, GFP_KERNEL, "%08lx.adpll.%s",
1068 ++ d->pa, postfix);
1069 + }
1070 +
1071 + return name;
1072 +diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c
1073 +index 546bb180f5a44..8202e49ac64cd 100644
1074 +--- a/drivers/clocksource/h8300_timer8.c
1075 ++++ b/drivers/clocksource/h8300_timer8.c
1076 +@@ -176,7 +176,7 @@ static int __init h8300_8timer_init(struct device_node *node)
1077 + return PTR_ERR(clk);
1078 + }
1079 +
1080 +- ret = ENXIO;
1081 ++ ret = -ENXIO;
1082 + base = of_iomap(node, 0);
1083 + if (!base) {
1084 + pr_err("failed to map registers for clockevent\n");
1085 +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
1086 +index b4fc65512aad3..c3b05676e0dbe 100644
1087 +--- a/drivers/cpufreq/powernv-cpufreq.c
1088 ++++ b/drivers/cpufreq/powernv-cpufreq.c
1089 +@@ -802,6 +802,7 @@ static struct notifier_block powernv_cpufreq_reboot_nb = {
1090 + void powernv_cpufreq_work_fn(struct work_struct *work)
1091 + {
1092 + struct chip *chip = container_of(work, struct chip, throttle);
1093 ++ struct cpufreq_policy *policy;
1094 + unsigned int cpu;
1095 + cpumask_t mask;
1096 +
1097 +@@ -816,12 +817,14 @@ void powernv_cpufreq_work_fn(struct work_struct *work)
1098 + chip->restore = false;
1099 + for_each_cpu(cpu, &mask) {
1100 + int index;
1101 +- struct cpufreq_policy policy;
1102 +
1103 +- cpufreq_get_policy(&policy, cpu);
1104 +- index = cpufreq_table_find_index_c(&policy, policy.cur);
1105 +- powernv_cpufreq_target_index(&policy, index);
1106 +- cpumask_andnot(&mask, &mask, policy.cpus);
1107 ++ policy = cpufreq_cpu_get(cpu);
1108 ++ if (!policy)
1109 ++ continue;
1110 ++ index = cpufreq_table_find_index_c(policy, policy->cur);
1111 ++ powernv_cpufreq_target_index(policy, index);
1112 ++ cpumask_andnot(&mask, &mask, policy->cpus);
1113 ++ cpufreq_cpu_put(policy);
1114 + }
1115 + out:
1116 + put_online_cpus();
1117 +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c
1118 +index fe9dce0245bf0..a20267d93f8a4 100644
1119 +--- a/drivers/devfreq/tegra-devfreq.c
1120 ++++ b/drivers/devfreq/tegra-devfreq.c
1121 +@@ -79,6 +79,8 @@
1122 +
1123 + #define KHZ 1000
1124 +
1125 ++#define KHZ_MAX (ULONG_MAX / KHZ)
1126 ++
1127 + /* Assume that the bus is saturated if the utilization is 25% */
1128 + #define BUS_SATURATION_RATIO 25
1129 +
1130 +@@ -179,7 +181,7 @@ struct tegra_actmon_emc_ratio {
1131 + };
1132 +
1133 + static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = {
1134 +- { 1400000, ULONG_MAX },
1135 ++ { 1400000, KHZ_MAX },
1136 + { 1200000, 750000 },
1137 + { 1100000, 600000 },
1138 + { 1000000, 500000 },
1139 +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
1140 +index 4eaf92b2b8868..909739426f78c 100644
1141 +--- a/drivers/dma/tegra20-apb-dma.c
1142 ++++ b/drivers/dma/tegra20-apb-dma.c
1143 +@@ -1208,8 +1208,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc)
1144 +
1145 + dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id);
1146 +
1147 +- if (tdc->busy)
1148 +- tegra_dma_terminate_all(dc);
1149 ++ tegra_dma_terminate_all(dc);
1150 +
1151 + spin_lock_irqsave(&tdc->lock, flags);
1152 + list_splice_init(&tdc->pending_sg_req, &sg_req_list);
1153 +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
1154 +index 9069fb8543196..514763dcc3758 100644
1155 +--- a/drivers/dma/xilinx/zynqmp_dma.c
1156 ++++ b/drivers/dma/xilinx/zynqmp_dma.c
1157 +@@ -125,10 +125,12 @@
1158 + /* Max transfer size per descriptor */
1159 + #define ZYNQMP_DMA_MAX_TRANS_LEN 0x40000000
1160 +
1161 ++/* Max burst lengths */
1162 ++#define ZYNQMP_DMA_MAX_DST_BURST_LEN 32768U
1163 ++#define ZYNQMP_DMA_MAX_SRC_BURST_LEN 32768U
1164 ++
1165 + /* Reset values for data attributes */
1166 + #define ZYNQMP_DMA_AXCACHE_VAL 0xF
1167 +-#define ZYNQMP_DMA_ARLEN_RST_VAL 0xF
1168 +-#define ZYNQMP_DMA_AWLEN_RST_VAL 0xF
1169 +
1170 + #define ZYNQMP_DMA_SRC_ISSUE_RST_VAL 0x1F
1171 +
1172 +@@ -527,17 +529,19 @@ static void zynqmp_dma_handle_ovfl_int(struct zynqmp_dma_chan *chan, u32 status)
1173 +
1174 + static void zynqmp_dma_config(struct zynqmp_dma_chan *chan)
1175 + {
1176 +- u32 val;
1177 ++ u32 val, burst_val;
1178 +
1179 + val = readl(chan->regs + ZYNQMP_DMA_CTRL0);
1180 + val |= ZYNQMP_DMA_POINT_TYPE_SG;
1181 + writel(val, chan->regs + ZYNQMP_DMA_CTRL0);
1182 +
1183 + val = readl(chan->regs + ZYNQMP_DMA_DATA_ATTR);
1184 ++ burst_val = __ilog2_u32(chan->src_burst_len);
1185 + val = (val & ~ZYNQMP_DMA_ARLEN) |
1186 +- (chan->src_burst_len << ZYNQMP_DMA_ARLEN_OFST);
1187 ++ ((burst_val << ZYNQMP_DMA_ARLEN_OFST) & ZYNQMP_DMA_ARLEN);
1188 ++ burst_val = __ilog2_u32(chan->dst_burst_len);
1189 + val = (val & ~ZYNQMP_DMA_AWLEN) |
1190 +- (chan->dst_burst_len << ZYNQMP_DMA_AWLEN_OFST);
1191 ++ ((burst_val << ZYNQMP_DMA_AWLEN_OFST) & ZYNQMP_DMA_AWLEN);
1192 + writel(val, chan->regs + ZYNQMP_DMA_DATA_ATTR);
1193 + }
1194 +
1195 +@@ -551,8 +555,10 @@ static int zynqmp_dma_device_config(struct dma_chan *dchan,
1196 + {
1197 + struct zynqmp_dma_chan *chan = to_chan(dchan);
1198 +
1199 +- chan->src_burst_len = config->src_maxburst;
1200 +- chan->dst_burst_len = config->dst_maxburst;
1201 ++ chan->src_burst_len = clamp(config->src_maxburst, 1U,
1202 ++ ZYNQMP_DMA_MAX_SRC_BURST_LEN);
1203 ++ chan->dst_burst_len = clamp(config->dst_maxburst, 1U,
1204 ++ ZYNQMP_DMA_MAX_DST_BURST_LEN);
1205 +
1206 + return 0;
1207 + }
1208 +@@ -968,8 +974,8 @@ static int zynqmp_dma_chan_probe(struct zynqmp_dma_device *zdev,
1209 + return PTR_ERR(chan->regs);
1210 +
1211 + chan->bus_width = ZYNQMP_DMA_BUS_WIDTH_64;
1212 +- chan->dst_burst_len = ZYNQMP_DMA_AWLEN_RST_VAL;
1213 +- chan->src_burst_len = ZYNQMP_DMA_ARLEN_RST_VAL;
1214 ++ chan->dst_burst_len = ZYNQMP_DMA_MAX_DST_BURST_LEN;
1215 ++ chan->src_burst_len = ZYNQMP_DMA_MAX_SRC_BURST_LEN;
1216 + err = of_property_read_u32(node, "xlnx,bus-width", &chan->bus_width);
1217 + if (err < 0) {
1218 + dev_err(&pdev->dev, "missing xlnx,bus-width property\n");
1219 +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c
1220 +index 1b50e6c13fb3f..5fbf99d600587 100644
1221 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c
1222 ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c
1223 +@@ -748,8 +748,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg)
1224 + cjiffies = jiffies;
1225 + if (time_after(cjiffies, ctx->last_jump_jiffies)) {
1226 + cjiffies -= ctx->last_jump_jiffies;
1227 +- if ((jiffies_to_msecs(cjiffies) > 5000)) {
1228 +- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n");
1229 ++ if ((jiffies_to_msecs(cjiffies) > 10000)) {
1230 ++ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n");
1231 + ctx->abort = true;
1232 + }
1233 + } else {
1234 +diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c
1235 +index 17db4b4749d5a..2e8479744ca4a 100644
1236 +--- a/drivers/gpu/drm/gma500/cdv_intel_display.c
1237 ++++ b/drivers/gpu/drm/gma500/cdv_intel_display.c
1238 +@@ -415,6 +415,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit,
1239 + struct gma_crtc *gma_crtc = to_gma_crtc(crtc);
1240 + struct gma_clock_t clock;
1241 +
1242 ++ memset(&clock, 0, sizeof(clock));
1243 ++
1244 + switch (refclk) {
1245 + case 27000:
1246 + if (target < 200000) {
1247 +diff --git a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c
1248 +index 136d30484d023..46111e9ee9a25 100644
1249 +--- a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c
1250 ++++ b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c
1251 +@@ -194,7 +194,7 @@ static int __init omapdss_boot_init(void)
1252 + dss = of_find_matching_node(NULL, omapdss_of_match);
1253 +
1254 + if (dss == NULL || !of_device_is_available(dss))
1255 +- return 0;
1256 ++ goto put_node;
1257 +
1258 + omapdss_walk_device(dss, true);
1259 +
1260 +@@ -219,6 +219,8 @@ static int __init omapdss_boot_init(void)
1261 + kfree(n);
1262 + }
1263 +
1264 ++put_node:
1265 ++ of_node_put(dss);
1266 + return 0;
1267 + }
1268 +
1269 +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
1270 +index 80d82c6792d8d..4fd7bfda2f9de 100644
1271 +--- a/drivers/i2c/i2c-core.c
1272 ++++ b/drivers/i2c/i2c-core.c
1273 +@@ -1858,8 +1858,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
1274 +
1275 + /* create pre-declared device nodes */
1276 + of_i2c_register_devices(adap);
1277 +- i2c_acpi_register_devices(adap);
1278 + i2c_acpi_install_space_handler(adap);
1279 ++ i2c_acpi_register_devices(adap);
1280 +
1281 + if (adap->nr < __i2c_first_dynamic_bus_num)
1282 + i2c_scan_static_board_info(adap);
1283 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
1284 +index a4f4cd4932657..bb0d728f4b76f 100644
1285 +--- a/drivers/infiniband/core/ucma.c
1286 ++++ b/drivers/infiniband/core/ucma.c
1287 +@@ -1296,13 +1296,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
1288 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
1289 + return -EFAULT;
1290 +
1291 ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
1292 ++ return -EINVAL;
1293 ++
1294 + ctx = ucma_get_ctx(file, cmd.id);
1295 + if (IS_ERR(ctx))
1296 + return PTR_ERR(ctx);
1297 +
1298 +- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
1299 +- return -EINVAL;
1300 +-
1301 + optval = memdup_user((void __user *) (unsigned long) cmd.optval,
1302 + cmd.optlen);
1303 + if (IS_ERR(optval)) {
1304 +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
1305 +index a04a53acb24ff..a60e1c1b4b5e8 100644
1306 +--- a/drivers/infiniband/hw/cxgb4/cm.c
1307 ++++ b/drivers/infiniband/hw/cxgb4/cm.c
1308 +@@ -3245,7 +3245,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
1309 + if (raddr->sin_addr.s_addr == htonl(INADDR_ANY)) {
1310 + err = pick_local_ipaddrs(dev, cm_id);
1311 + if (err)
1312 +- goto fail2;
1313 ++ goto fail3;
1314 + }
1315 +
1316 + /* find a route */
1317 +@@ -3267,7 +3267,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
1318 + if (ipv6_addr_type(&raddr6->sin6_addr) == IPV6_ADDR_ANY) {
1319 + err = pick_local_ip6addrs(dev, cm_id);
1320 + if (err)
1321 +- goto fail2;
1322 ++ goto fail3;
1323 + }
1324 +
1325 + /* find a route */
1326 +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
1327 +index 282a726351c81..ce1a4817ab923 100644
1328 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
1329 ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
1330 +@@ -2036,9 +2036,9 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev,
1331 + dst = i40iw_get_dst_ipv6(&src_addr, &dst_addr);
1332 + if (!dst || dst->error) {
1333 + if (dst) {
1334 +- dst_release(dst);
1335 + i40iw_pr_err("ip6_route_output returned dst->error = %d\n",
1336 + dst->error);
1337 ++ dst_release(dst);
1338 + }
1339 + return rc;
1340 + }
1341 +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
1342 +index d6672127808b7..186da467060cc 100644
1343 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c
1344 ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
1345 +@@ -597,15 +597,16 @@ int rxe_qp_from_attr(struct rxe_qp *qp, struct ib_qp_attr *attr, int mask,
1346 + struct ib_gid_attr sgid_attr;
1347 +
1348 + if (mask & IB_QP_MAX_QP_RD_ATOMIC) {
1349 +- int max_rd_atomic = __roundup_pow_of_two(attr->max_rd_atomic);
1350 ++ int max_rd_atomic = attr->max_rd_atomic ?
1351 ++ roundup_pow_of_two(attr->max_rd_atomic) : 0;
1352 +
1353 + qp->attr.max_rd_atomic = max_rd_atomic;
1354 + atomic_set(&qp->req.rd_atomic, max_rd_atomic);
1355 + }
1356 +
1357 + if (mask & IB_QP_MAX_DEST_RD_ATOMIC) {
1358 +- int max_dest_rd_atomic =
1359 +- __roundup_pow_of_two(attr->max_dest_rd_atomic);
1360 ++ int max_dest_rd_atomic = attr->max_dest_rd_atomic ?
1361 ++ roundup_pow_of_two(attr->max_dest_rd_atomic) : 0;
1362 +
1363 + qp->attr.max_dest_rd_atomic = max_dest_rd_atomic;
1364 +
1365 +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
1366 +index 7fe7df56fa334..f0939fc1cfe55 100644
1367 +--- a/drivers/md/bcache/bcache.h
1368 ++++ b/drivers/md/bcache/bcache.h
1369 +@@ -547,6 +547,7 @@ struct cache_set {
1370 + */
1371 + wait_queue_head_t btree_cache_wait;
1372 + struct task_struct *btree_cache_alloc_lock;
1373 ++ spinlock_t btree_cannibalize_lock;
1374 +
1375 + /*
1376 + * When we free a btree node, we increment the gen of the bucket the
1377 +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
1378 +index 764d519a7f1c6..26e56a9952d09 100644
1379 +--- a/drivers/md/bcache/btree.c
1380 ++++ b/drivers/md/bcache/btree.c
1381 +@@ -836,15 +836,17 @@ out:
1382 +
1383 + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op)
1384 + {
1385 +- struct task_struct *old;
1386 +-
1387 +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current);
1388 +- if (old && old != current) {
1389 ++ spin_lock(&c->btree_cannibalize_lock);
1390 ++ if (likely(c->btree_cache_alloc_lock == NULL)) {
1391 ++ c->btree_cache_alloc_lock = current;
1392 ++ } else if (c->btree_cache_alloc_lock != current) {
1393 + if (op)
1394 + prepare_to_wait(&c->btree_cache_wait, &op->wait,
1395 + TASK_UNINTERRUPTIBLE);
1396 ++ spin_unlock(&c->btree_cannibalize_lock);
1397 + return -EINTR;
1398 + }
1399 ++ spin_unlock(&c->btree_cannibalize_lock);
1400 +
1401 + return 0;
1402 + }
1403 +@@ -879,10 +881,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op,
1404 + */
1405 + static void bch_cannibalize_unlock(struct cache_set *c)
1406 + {
1407 ++ spin_lock(&c->btree_cannibalize_lock);
1408 + if (c->btree_cache_alloc_lock == current) {
1409 + c->btree_cache_alloc_lock = NULL;
1410 + wake_up(&c->btree_cache_wait);
1411 + }
1412 ++ spin_unlock(&c->btree_cannibalize_lock);
1413 + }
1414 +
1415 + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op,
1416 +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
1417 +index 95e9a33de06a2..263c0d987929e 100644
1418 +--- a/drivers/md/bcache/super.c
1419 ++++ b/drivers/md/bcache/super.c
1420 +@@ -1510,6 +1510,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
1421 + sema_init(&c->sb_write_mutex, 1);
1422 + mutex_init(&c->bucket_lock);
1423 + init_waitqueue_head(&c->btree_cache_wait);
1424 ++ spin_lock_init(&c->btree_cannibalize_lock);
1425 + init_waitqueue_head(&c->bucket_wait);
1426 + init_waitqueue_head(&c->gc_wait);
1427 + sema_init(&c->uuid_write_mutex, 1);
1428 +diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
1429 +index 37ebeef2bbd0b..43343091ea93e 100644
1430 +--- a/drivers/media/dvb-frontends/tda10071.c
1431 ++++ b/drivers/media/dvb-frontends/tda10071.c
1432 +@@ -483,10 +483,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
1433 + goto error;
1434 +
1435 + if (dev->delivery_system == SYS_DVBS) {
1436 +- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
1437 +- buf[2] << 8 | buf[3] << 0;
1438 +- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
1439 +- buf[2] << 8 | buf[3] << 0;
1440 ++ u32 bit_error = buf[0] << 24 | buf[1] << 16 |
1441 ++ buf[2] << 8 | buf[3] << 0;
1442 ++
1443 ++ dev->dvbv3_ber = bit_error;
1444 ++ dev->post_bit_error += bit_error;
1445 + c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER;
1446 + c->post_bit_error.stat[0].uvalue = dev->post_bit_error;
1447 + dev->block_error += buf[4] << 8 | buf[5] << 0;
1448 +diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
1449 +index 563b9636ab63b..803e0794ca131 100644
1450 +--- a/drivers/media/platform/ti-vpe/cal.c
1451 ++++ b/drivers/media/platform/ti-vpe/cal.c
1452 +@@ -690,12 +690,13 @@ static void pix_proc_config(struct cal_ctx *ctx)
1453 + }
1454 +
1455 + static void cal_wr_dma_config(struct cal_ctx *ctx,
1456 +- unsigned int width)
1457 ++ unsigned int width, unsigned int height)
1458 + {
1459 + u32 val;
1460 +
1461 + val = reg_read(ctx->dev, CAL_WR_DMA_CTRL(ctx->csi2_port));
1462 + set_field(&val, ctx->csi2_port, CAL_WR_DMA_CTRL_CPORT_MASK);
1463 ++ set_field(&val, height, CAL_WR_DMA_CTRL_YSIZE_MASK);
1464 + set_field(&val, CAL_WR_DMA_CTRL_DTAG_PIX_DAT,
1465 + CAL_WR_DMA_CTRL_DTAG_MASK);
1466 + set_field(&val, CAL_WR_DMA_CTRL_MODE_CONST,
1467 +@@ -1321,7 +1322,8 @@ static int cal_start_streaming(struct vb2_queue *vq, unsigned int count)
1468 + csi2_lane_config(ctx);
1469 + csi2_ctx_config(ctx);
1470 + pix_proc_config(ctx);
1471 +- cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline);
1472 ++ cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline,
1473 ++ ctx->v_fmt.fmt.pix.height);
1474 + cal_wr_dma_addr(ctx, addr);
1475 + csi2_ppi_enable(ctx);
1476 +
1477 +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
1478 +index ed9bcaf08d5ec..ddfaabd4c0813 100644
1479 +--- a/drivers/media/usb/go7007/go7007-usb.c
1480 ++++ b/drivers/media/usb/go7007/go7007-usb.c
1481 +@@ -1052,6 +1052,7 @@ static int go7007_usb_probe(struct usb_interface *intf,
1482 + struct go7007_usb *usb;
1483 + const struct go7007_usb_board *board;
1484 + struct usb_device *usbdev = interface_to_usbdev(intf);
1485 ++ struct usb_host_endpoint *ep;
1486 + unsigned num_i2c_devs;
1487 + char *name;
1488 + int video_pipe, i, v_urb_len;
1489 +@@ -1147,7 +1148,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
1490 + if (usb->intr_urb->transfer_buffer == NULL)
1491 + goto allocfail;
1492 +
1493 +- if (go->board_id == GO7007_BOARDID_SENSORAY_2250)
1494 ++ ep = usb->usbdev->ep_in[4];
1495 ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
1496 + usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
1497 + usb_rcvbulkpipe(usb->usbdev, 4),
1498 + usb->intr_urb->transfer_buffer, 2*sizeof(u16),
1499 +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
1500 +index 5c8ed2150c8bf..fb687368ac98c 100644
1501 +--- a/drivers/mfd/mfd-core.c
1502 ++++ b/drivers/mfd/mfd-core.c
1503 +@@ -32,6 +32,11 @@ int mfd_cell_enable(struct platform_device *pdev)
1504 + const struct mfd_cell *cell = mfd_get_cell(pdev);
1505 + int err = 0;
1506 +
1507 ++ if (!cell->enable) {
1508 ++ dev_dbg(&pdev->dev, "No .enable() call-back registered\n");
1509 ++ return 0;
1510 ++ }
1511 ++
1512 + /* only call enable hook if the cell wasn't previously enabled */
1513 + if (atomic_inc_return(cell->usage_count) == 1)
1514 + err = cell->enable(pdev);
1515 +@@ -49,6 +54,11 @@ int mfd_cell_disable(struct platform_device *pdev)
1516 + const struct mfd_cell *cell = mfd_get_cell(pdev);
1517 + int err = 0;
1518 +
1519 ++ if (!cell->disable) {
1520 ++ dev_dbg(&pdev->dev, "No .disable() call-back registered\n");
1521 ++ return 0;
1522 ++ }
1523 ++
1524 + /* only disable if no other clients are using it */
1525 + if (atomic_dec_return(cell->usage_count) == 0)
1526 + err = cell->disable(pdev);
1527 +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
1528 +index 00ba09fa6f16d..3c4819a05bf03 100644
1529 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c
1530 ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
1531 +@@ -722,7 +722,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd)
1532 + kfree(mtd->eraseregions);
1533 + kfree(mtd);
1534 + kfree(cfi->cmdset_priv);
1535 +- kfree(cfi->cfiq);
1536 + return NULL;
1537 + }
1538 +
1539 +diff --git a/drivers/mtd/cmdlinepart.c b/drivers/mtd/cmdlinepart.c
1540 +index fbd5affc0acfe..04fd845de05fb 100644
1541 +--- a/drivers/mtd/cmdlinepart.c
1542 ++++ b/drivers/mtd/cmdlinepart.c
1543 +@@ -228,12 +228,29 @@ static int mtdpart_setup_real(char *s)
1544 + struct cmdline_mtd_partition *this_mtd;
1545 + struct mtd_partition *parts;
1546 + int mtd_id_len, num_parts;
1547 +- char *p, *mtd_id;
1548 ++ char *p, *mtd_id, *semicol;
1549 ++
1550 ++ /*
1551 ++ * Replace the first ';' by a NULL char so strrchr can work
1552 ++ * properly.
1553 ++ */
1554 ++ semicol = strchr(s, ';');
1555 ++ if (semicol)
1556 ++ *semicol = '\0';
1557 +
1558 + mtd_id = s;
1559 +
1560 +- /* fetch <mtd-id> */
1561 +- p = strchr(s, ':');
1562 ++ /*
1563 ++ * fetch <mtd-id>. We use strrchr to ignore all ':' that could
1564 ++ * be present in the MTD name, only the last one is interpreted
1565 ++ * as an <mtd-id>/<part-definition> separator.
1566 ++ */
1567 ++ p = strrchr(s, ':');
1568 ++
1569 ++ /* Restore the ';' now. */
1570 ++ if (semicol)
1571 ++ *semicol = ';';
1572 ++
1573 + if (!p) {
1574 + pr_err("no mtd-id\n");
1575 + return -EINVAL;
1576 +diff --git a/drivers/mtd/nand/omap_elm.c b/drivers/mtd/nand/omap_elm.c
1577 +index a3f32f939cc17..6736777a41567 100644
1578 +--- a/drivers/mtd/nand/omap_elm.c
1579 ++++ b/drivers/mtd/nand/omap_elm.c
1580 +@@ -421,6 +421,7 @@ static int elm_probe(struct platform_device *pdev)
1581 + pm_runtime_enable(&pdev->dev);
1582 + if (pm_runtime_get_sync(&pdev->dev) < 0) {
1583 + ret = -EINVAL;
1584 ++ pm_runtime_put_sync(&pdev->dev);
1585 + pm_runtime_disable(&pdev->dev);
1586 + dev_err(&pdev->dev, "can't enable clock\n");
1587 + return ret;
1588 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1589 +index ac03bba10e4fd..8634337e1a99d 100644
1590 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1591 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1592 +@@ -1000,9 +1000,12 @@ static int bnxt_set_pauseparam(struct net_device *dev,
1593 + if (!BNXT_SINGLE_PF(bp))
1594 + return -EOPNOTSUPP;
1595 +
1596 ++ mutex_lock(&bp->link_lock);
1597 + if (epause->autoneg) {
1598 +- if (!(link_info->autoneg & BNXT_AUTONEG_SPEED))
1599 +- return -EINVAL;
1600 ++ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
1601 ++ rc = -EINVAL;
1602 ++ goto pause_exit;
1603 ++ }
1604 +
1605 + link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL;
1606 + if (bp->hwrm_spec_code >= 0x10201)
1607 +@@ -1023,11 +1026,11 @@ static int bnxt_set_pauseparam(struct net_device *dev,
1608 + if (epause->tx_pause)
1609 + link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX;
1610 +
1611 +- if (netif_running(dev)) {
1612 +- mutex_lock(&bp->link_lock);
1613 ++ if (netif_running(dev))
1614 + rc = bnxt_hwrm_set_pause(bp);
1615 +- mutex_unlock(&bp->link_lock);
1616 +- }
1617 ++
1618 ++pause_exit:
1619 ++ mutex_unlock(&bp->link_lock);
1620 + return rc;
1621 + }
1622 +
1623 +@@ -1671,8 +1674,7 @@ static int bnxt_set_eee(struct net_device *dev, struct ethtool_eee *edata)
1624 + struct bnxt *bp = netdev_priv(dev);
1625 + struct ethtool_eee *eee = &bp->eee;
1626 + struct bnxt_link_info *link_info = &bp->link_info;
1627 +- u32 advertising =
1628 +- _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
1629 ++ u32 advertising;
1630 + int rc = 0;
1631 +
1632 + if (!BNXT_SINGLE_PF(bp))
1633 +@@ -1681,19 +1683,23 @@ static int bnxt_set_eee(struct net_device *dev, struct ethtool_eee *edata)
1634 + if (!(bp->flags & BNXT_FLAG_EEE_CAP))
1635 + return -EOPNOTSUPP;
1636 +
1637 ++ mutex_lock(&bp->link_lock);
1638 ++ advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
1639 + if (!edata->eee_enabled)
1640 + goto eee_ok;
1641 +
1642 + if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
1643 + netdev_warn(dev, "EEE requires autoneg\n");
1644 +- return -EINVAL;
1645 ++ rc = -EINVAL;
1646 ++ goto eee_exit;
1647 + }
1648 + if (edata->tx_lpi_enabled) {
1649 + if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi ||
1650 + edata->tx_lpi_timer < bp->lpi_tmr_lo)) {
1651 + netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n",
1652 + bp->lpi_tmr_lo, bp->lpi_tmr_hi);
1653 +- return -EINVAL;
1654 ++ rc = -EINVAL;
1655 ++ goto eee_exit;
1656 + } else if (!bp->lpi_tmr_hi) {
1657 + edata->tx_lpi_timer = eee->tx_lpi_timer;
1658 + }
1659 +@@ -1703,7 +1709,8 @@ static int bnxt_set_eee(struct net_device *dev, struct ethtool_eee *edata)
1660 + } else if (edata->advertised & ~advertising) {
1661 + netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n",
1662 + edata->advertised, advertising);
1663 +- return -EINVAL;
1664 ++ rc = -EINVAL;
1665 ++ goto eee_exit;
1666 + }
1667 +
1668 + eee->advertised = edata->advertised;
1669 +@@ -1715,6 +1722,8 @@ eee_ok:
1670 + if (netif_running(dev))
1671 + rc = bnxt_hwrm_set_link_setting(bp, false, true);
1672 +
1673 ++eee_exit:
1674 ++ mutex_unlock(&bp->link_lock);
1675 + return rc;
1676 + }
1677 +
1678 +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
1679 +index 3b16ee0de246e..c30792b761ee3 100644
1680 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
1681 ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
1682 +@@ -568,8 +568,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter)
1683 + WARN_ON(in_interrupt());
1684 + while (test_and_set_bit(__E1000_RESETTING, &adapter->flags))
1685 + msleep(1);
1686 +- e1000_down(adapter);
1687 +- e1000_up(adapter);
1688 ++
1689 ++ /* only run the task if not already down */
1690 ++ if (!test_bit(__E1000_DOWN, &adapter->flags)) {
1691 ++ e1000_down(adapter);
1692 ++ e1000_up(adapter);
1693 ++ }
1694 ++
1695 + clear_bit(__E1000_RESETTING, &adapter->flags);
1696 + }
1697 +
1698 +@@ -1456,10 +1461,15 @@ int e1000_close(struct net_device *netdev)
1699 + struct e1000_hw *hw = &adapter->hw;
1700 + int count = E1000_CHECK_RESET_COUNT;
1701 +
1702 +- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--)
1703 ++ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--)
1704 + usleep_range(10000, 20000);
1705 +
1706 +- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags));
1707 ++ WARN_ON(count < 0);
1708 ++
1709 ++ /* signal that we're down so that the reset task will no longer run */
1710 ++ set_bit(__E1000_DOWN, &adapter->flags);
1711 ++ clear_bit(__E1000_RESETTING, &adapter->flags);
1712 ++
1713 + e1000_down(adapter);
1714 + e1000_power_down_phy(adapter);
1715 + e1000_free_irq(adapter);
1716 +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
1717 +index 1b980f12663af..a605dfb15bb75 100644
1718 +--- a/drivers/net/ieee802154/adf7242.c
1719 ++++ b/drivers/net/ieee802154/adf7242.c
1720 +@@ -834,7 +834,9 @@ static int adf7242_rx(struct adf7242_local *lp)
1721 + int ret;
1722 + u8 lqi, len_u8, *data;
1723 +
1724 +- adf7242_read_reg(lp, 0, &len_u8);
1725 ++ ret = adf7242_read_reg(lp, 0, &len_u8);
1726 ++ if (ret)
1727 ++ return ret;
1728 +
1729 + len = len_u8;
1730 +
1731 +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
1732 +index 2f55873060220..a3ba95e96695e 100644
1733 +--- a/drivers/net/phy/phy_device.c
1734 ++++ b/drivers/net/phy/phy_device.c
1735 +@@ -1013,7 +1013,8 @@ void phy_detach(struct phy_device *phydev)
1736 + phydev->attached_dev = NULL;
1737 + phy_suspend(phydev);
1738 +
1739 +- module_put(phydev->mdio.dev.driver->owner);
1740 ++ if (phydev->mdio.dev.driver)
1741 ++ module_put(phydev->mdio.dev.driver->owner);
1742 +
1743 + /* If the device had no specific driver before (i.e. - it
1744 + * was using the generic driver), we unbind the device
1745 +diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c
1746 +index 8a9aced850be3..63546d1317982 100644
1747 +--- a/drivers/net/wan/hdlc_ppp.c
1748 ++++ b/drivers/net/wan/hdlc_ppp.c
1749 +@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1750 + }
1751 +
1752 + for (opt = data; len; len -= opt[1], opt += opt[1]) {
1753 +- if (len < 2 || len < opt[1]) {
1754 +- dev->stats.rx_errors++;
1755 +- kfree(out);
1756 +- return; /* bad packet, drop silently */
1757 +- }
1758 ++ if (len < 2 || opt[1] < 2 || len < opt[1])
1759 ++ goto err_out;
1760 +
1761 + if (pid == PID_LCP)
1762 + switch (opt[0]) {
1763 +@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1764 + continue; /* MRU always OK and > 1500 bytes? */
1765 +
1766 + case LCP_OPTION_ACCM: /* async control character map */
1767 ++ if (opt[1] < sizeof(valid_accm))
1768 ++ goto err_out;
1769 + if (!memcmp(opt, valid_accm,
1770 + sizeof(valid_accm)))
1771 + continue;
1772 +@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1773 + }
1774 + break;
1775 + case LCP_OPTION_MAGIC:
1776 ++ if (len < 6)
1777 ++ goto err_out;
1778 + if (opt[1] != 6 || (!opt[2] && !opt[3] &&
1779 + !opt[4] && !opt[5]))
1780 + break; /* reject invalid magic number */
1781 +@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
1782 + ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
1783 +
1784 + kfree(out);
1785 ++ return;
1786 ++
1787 ++err_out:
1788 ++ dev->stats.rx_errors++;
1789 ++ kfree(out);
1790 + }
1791 +
1792 + static int ppp_rx(struct sk_buff *skb)
1793 +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
1794 +index e492c7f0d311a..9f4ee1d125b68 100644
1795 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c
1796 ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
1797 +@@ -1769,6 +1769,8 @@ static struct usb_device_id ar5523_id_table[] = {
1798 + AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */
1799 + AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */
1800 + AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */
1801 ++ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect
1802 ++ SMCWUSBT-G2 */
1803 + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */
1804 + AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */
1805 + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */
1806 +diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
1807 +index 395d6ece2cacb..341f6ed5b3556 100644
1808 +--- a/drivers/net/wireless/marvell/mwifiex/fw.h
1809 ++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
1810 +@@ -921,7 +921,7 @@ struct mwifiex_tkip_param {
1811 + struct mwifiex_aes_param {
1812 + u8 pn[WPA_PN_SIZE];
1813 + __le16 key_len;
1814 +- u8 key[WLAN_KEY_LEN_CCMP];
1815 ++ u8 key[WLAN_KEY_LEN_CCMP_256];
1816 + } __packed;
1817 +
1818 + struct mwifiex_wapi_param {
1819 +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
1820 +index 1e26936c0d727..aa84fdb709830 100644
1821 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
1822 ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
1823 +@@ -625,7 +625,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
1824 + key_v2 = &resp->params.key_material_v2;
1825 +
1826 + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
1827 +- if (len > WLAN_KEY_LEN_CCMP)
1828 ++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
1829 + return -EINVAL;
1830 +
1831 + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
1832 +@@ -641,7 +641,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
1833 + return 0;
1834 +
1835 + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
1836 +- WLAN_KEY_LEN_CCMP);
1837 ++ sizeof(key_v2->key_param_set.key_params.aes.key));
1838 + priv->aes_key_v2.key_param_set.key_params.aes.key_len =
1839 + cpu_to_le16(len);
1840 + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
1841 +diff --git a/drivers/phy/phy-s5pv210-usb2.c b/drivers/phy/phy-s5pv210-usb2.c
1842 +index 004d320767e4d..bb36cfd4e3e90 100644
1843 +--- a/drivers/phy/phy-s5pv210-usb2.c
1844 ++++ b/drivers/phy/phy-s5pv210-usb2.c
1845 +@@ -142,6 +142,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on)
1846 + udelay(10);
1847 + rst &= ~rstbits;
1848 + writel(rst, drv->reg_phy + S5PV210_UPHYRST);
1849 ++ /* The following delay is necessary for the reset sequence to be
1850 ++ * completed
1851 ++ */
1852 ++ udelay(80);
1853 + } else {
1854 + pwr = readl(drv->reg_phy + S5PV210_UPHYPWR);
1855 + pwr |= phypwr;
1856 +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
1857 +index 065f11a1964d4..39deea8601d68 100644
1858 +--- a/drivers/scsi/aacraid/aachba.c
1859 ++++ b/drivers/scsi/aacraid/aachba.c
1860 +@@ -1929,13 +1929,13 @@ static int aac_read(struct scsi_cmnd * scsicmd)
1861 + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
1862 + SAM_STAT_CHECK_CONDITION;
1863 + set_sense(&dev->fsa_dev[cid].sense_data,
1864 +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
1865 ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
1866 + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
1867 + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
1868 + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
1869 + SCSI_SENSE_BUFFERSIZE));
1870 + scsicmd->scsi_done(scsicmd);
1871 +- return 1;
1872 ++ return 0;
1873 + }
1874 +
1875 + dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n",
1876 +@@ -2023,13 +2023,13 @@ static int aac_write(struct scsi_cmnd * scsicmd)
1877 + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
1878 + SAM_STAT_CHECK_CONDITION;
1879 + set_sense(&dev->fsa_dev[cid].sense_data,
1880 +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
1881 ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
1882 + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
1883 + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
1884 + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
1885 + SCSI_SENSE_BUFFERSIZE));
1886 + scsicmd->scsi_done(scsicmd);
1887 +- return 1;
1888 ++ return 0;
1889 + }
1890 +
1891 + dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n",
1892 +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
1893 +index 52afbcff362f9..b7940fffca637 100644
1894 +--- a/drivers/scsi/lpfc/lpfc_ct.c
1895 ++++ b/drivers/scsi/lpfc/lpfc_ct.c
1896 +@@ -1541,8 +1541,8 @@ lpfc_fdmi_hba_attr_wwnn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad)
1897 + struct lpfc_fdmi_attr_entry *ae;
1898 + uint32_t size;
1899 +
1900 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1901 +- memset(ae, 0, sizeof(struct lpfc_name));
1902 ++ ae = &ad->AttrValue;
1903 ++ memset(ae, 0, sizeof(*ae));
1904 +
1905 + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName,
1906 + sizeof(struct lpfc_name));
1907 +@@ -1558,8 +1558,8 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport,
1908 + struct lpfc_fdmi_attr_entry *ae;
1909 + uint32_t len, size;
1910 +
1911 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1912 +- memset(ae, 0, 256);
1913 ++ ae = &ad->AttrValue;
1914 ++ memset(ae, 0, sizeof(*ae));
1915 +
1916 + /* This string MUST be consistent with other FC platforms
1917 + * supported by Broadcom.
1918 +@@ -1583,8 +1583,8 @@ lpfc_fdmi_hba_attr_sn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad)
1919 + struct lpfc_fdmi_attr_entry *ae;
1920 + uint32_t len, size;
1921 +
1922 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1923 +- memset(ae, 0, 256);
1924 ++ ae = &ad->AttrValue;
1925 ++ memset(ae, 0, sizeof(*ae));
1926 +
1927 + strncpy(ae->un.AttrString, phba->SerialNumber,
1928 + sizeof(ae->un.AttrString));
1929 +@@ -1605,8 +1605,8 @@ lpfc_fdmi_hba_attr_model(struct lpfc_vport *vport,
1930 + struct lpfc_fdmi_attr_entry *ae;
1931 + uint32_t len, size;
1932 +
1933 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1934 +- memset(ae, 0, 256);
1935 ++ ae = &ad->AttrValue;
1936 ++ memset(ae, 0, sizeof(*ae));
1937 +
1938 + strncpy(ae->un.AttrString, phba->ModelName,
1939 + sizeof(ae->un.AttrString));
1940 +@@ -1626,8 +1626,8 @@ lpfc_fdmi_hba_attr_description(struct lpfc_vport *vport,
1941 + struct lpfc_fdmi_attr_entry *ae;
1942 + uint32_t len, size;
1943 +
1944 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1945 +- memset(ae, 0, 256);
1946 ++ ae = &ad->AttrValue;
1947 ++ memset(ae, 0, sizeof(*ae));
1948 +
1949 + strncpy(ae->un.AttrString, phba->ModelDesc,
1950 + sizeof(ae->un.AttrString));
1951 +@@ -1649,8 +1649,8 @@ lpfc_fdmi_hba_attr_hdw_ver(struct lpfc_vport *vport,
1952 + struct lpfc_fdmi_attr_entry *ae;
1953 + uint32_t i, j, incr, size;
1954 +
1955 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1956 +- memset(ae, 0, 256);
1957 ++ ae = &ad->AttrValue;
1958 ++ memset(ae, 0, sizeof(*ae));
1959 +
1960 + /* Convert JEDEC ID to ascii for hardware version */
1961 + incr = vp->rev.biuRev;
1962 +@@ -1679,8 +1679,8 @@ lpfc_fdmi_hba_attr_drvr_ver(struct lpfc_vport *vport,
1963 + struct lpfc_fdmi_attr_entry *ae;
1964 + uint32_t len, size;
1965 +
1966 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1967 +- memset(ae, 0, 256);
1968 ++ ae = &ad->AttrValue;
1969 ++ memset(ae, 0, sizeof(*ae));
1970 +
1971 + strncpy(ae->un.AttrString, lpfc_release_version,
1972 + sizeof(ae->un.AttrString));
1973 +@@ -1701,8 +1701,8 @@ lpfc_fdmi_hba_attr_rom_ver(struct lpfc_vport *vport,
1974 + struct lpfc_fdmi_attr_entry *ae;
1975 + uint32_t len, size;
1976 +
1977 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1978 +- memset(ae, 0, 256);
1979 ++ ae = &ad->AttrValue;
1980 ++ memset(ae, 0, sizeof(*ae));
1981 +
1982 + if (phba->sli_rev == LPFC_SLI_REV4)
1983 + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1);
1984 +@@ -1726,8 +1726,8 @@ lpfc_fdmi_hba_attr_fmw_ver(struct lpfc_vport *vport,
1985 + struct lpfc_fdmi_attr_entry *ae;
1986 + uint32_t len, size;
1987 +
1988 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
1989 +- memset(ae, 0, 256);
1990 ++ ae = &ad->AttrValue;
1991 ++ memset(ae, 0, sizeof(*ae));
1992 +
1993 + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1);
1994 + len = strnlen(ae->un.AttrString,
1995 +@@ -1746,8 +1746,8 @@ lpfc_fdmi_hba_attr_os_ver(struct lpfc_vport *vport,
1996 + struct lpfc_fdmi_attr_entry *ae;
1997 + uint32_t len, size;
1998 +
1999 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2000 +- memset(ae, 0, 256);
2001 ++ ae = &ad->AttrValue;
2002 ++ memset(ae, 0, sizeof(*ae));
2003 +
2004 + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s %s %s",
2005 + init_utsname()->sysname,
2006 +@@ -1769,7 +1769,7 @@ lpfc_fdmi_hba_attr_ct_len(struct lpfc_vport *vport,
2007 + struct lpfc_fdmi_attr_entry *ae;
2008 + uint32_t size;
2009 +
2010 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2011 ++ ae = &ad->AttrValue;
2012 +
2013 + ae->un.AttrInt = cpu_to_be32(LPFC_MAX_CT_SIZE);
2014 + size = FOURBYTES + sizeof(uint32_t);
2015 +@@ -1785,8 +1785,8 @@ lpfc_fdmi_hba_attr_symbolic_name(struct lpfc_vport *vport,
2016 + struct lpfc_fdmi_attr_entry *ae;
2017 + uint32_t len, size;
2018 +
2019 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2020 +- memset(ae, 0, 256);
2021 ++ ae = &ad->AttrValue;
2022 ++ memset(ae, 0, sizeof(*ae));
2023 +
2024 + len = lpfc_vport_symbolic_node_name(vport,
2025 + ae->un.AttrString, 256);
2026 +@@ -1804,7 +1804,7 @@ lpfc_fdmi_hba_attr_vendor_info(struct lpfc_vport *vport,
2027 + struct lpfc_fdmi_attr_entry *ae;
2028 + uint32_t size;
2029 +
2030 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2031 ++ ae = &ad->AttrValue;
2032 +
2033 + /* Nothing is defined for this currently */
2034 + ae->un.AttrInt = cpu_to_be32(0);
2035 +@@ -1821,7 +1821,7 @@ lpfc_fdmi_hba_attr_num_ports(struct lpfc_vport *vport,
2036 + struct lpfc_fdmi_attr_entry *ae;
2037 + uint32_t size;
2038 +
2039 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2040 ++ ae = &ad->AttrValue;
2041 +
2042 + /* Each driver instance corresponds to a single port */
2043 + ae->un.AttrInt = cpu_to_be32(1);
2044 +@@ -1838,8 +1838,8 @@ lpfc_fdmi_hba_attr_fabric_wwnn(struct lpfc_vport *vport,
2045 + struct lpfc_fdmi_attr_entry *ae;
2046 + uint32_t size;
2047 +
2048 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2049 +- memset(ae, 0, sizeof(struct lpfc_name));
2050 ++ ae = &ad->AttrValue;
2051 ++ memset(ae, 0, sizeof(*ae));
2052 +
2053 + memcpy(&ae->un.AttrWWN, &vport->fabric_nodename,
2054 + sizeof(struct lpfc_name));
2055 +@@ -1857,8 +1857,8 @@ lpfc_fdmi_hba_attr_bios_ver(struct lpfc_vport *vport,
2056 + struct lpfc_fdmi_attr_entry *ae;
2057 + uint32_t len, size;
2058 +
2059 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2060 +- memset(ae, 0, 256);
2061 ++ ae = &ad->AttrValue;
2062 ++ memset(ae, 0, sizeof(*ae));
2063 +
2064 + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1);
2065 + len = strnlen(ae->un.AttrString,
2066 +@@ -1877,7 +1877,7 @@ lpfc_fdmi_hba_attr_bios_state(struct lpfc_vport *vport,
2067 + struct lpfc_fdmi_attr_entry *ae;
2068 + uint32_t size;
2069 +
2070 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2071 ++ ae = &ad->AttrValue;
2072 +
2073 + /* Driver doesn't have access to this information */
2074 + ae->un.AttrInt = cpu_to_be32(0);
2075 +@@ -1894,8 +1894,8 @@ lpfc_fdmi_hba_attr_vendor_id(struct lpfc_vport *vport,
2076 + struct lpfc_fdmi_attr_entry *ae;
2077 + uint32_t len, size;
2078 +
2079 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2080 +- memset(ae, 0, 256);
2081 ++ ae = &ad->AttrValue;
2082 ++ memset(ae, 0, sizeof(*ae));
2083 +
2084 + strncpy(ae->un.AttrString, "EMULEX",
2085 + sizeof(ae->un.AttrString));
2086 +@@ -1916,8 +1916,8 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport,
2087 + struct lpfc_fdmi_attr_entry *ae;
2088 + uint32_t size;
2089 +
2090 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2091 +- memset(ae, 0, 32);
2092 ++ ae = &ad->AttrValue;
2093 ++ memset(ae, 0, sizeof(*ae));
2094 +
2095 + ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */
2096 + ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */
2097 +@@ -1936,7 +1936,7 @@ lpfc_fdmi_port_attr_support_speed(struct lpfc_vport *vport,
2098 + struct lpfc_fdmi_attr_entry *ae;
2099 + uint32_t size;
2100 +
2101 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2102 ++ ae = &ad->AttrValue;
2103 +
2104 + ae->un.AttrInt = 0;
2105 + if (!(phba->hba_flag & HBA_FCOE_MODE)) {
2106 +@@ -1986,7 +1986,7 @@ lpfc_fdmi_port_attr_speed(struct lpfc_vport *vport,
2107 + struct lpfc_fdmi_attr_entry *ae;
2108 + uint32_t size;
2109 +
2110 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2111 ++ ae = &ad->AttrValue;
2112 +
2113 + if (!(phba->hba_flag & HBA_FCOE_MODE)) {
2114 + switch (phba->fc_linkspeed) {
2115 +@@ -2050,7 +2050,7 @@ lpfc_fdmi_port_attr_max_frame(struct lpfc_vport *vport,
2116 + struct lpfc_fdmi_attr_entry *ae;
2117 + uint32_t size;
2118 +
2119 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2120 ++ ae = &ad->AttrValue;
2121 +
2122 + hsp = (struct serv_parm *)&vport->fc_sparam;
2123 + ae->un.AttrInt = (((uint32_t) hsp->cmn.bbRcvSizeMsb) << 8) |
2124 +@@ -2070,8 +2070,8 @@ lpfc_fdmi_port_attr_os_devname(struct lpfc_vport *vport,
2125 + struct lpfc_fdmi_attr_entry *ae;
2126 + uint32_t len, size;
2127 +
2128 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2129 +- memset(ae, 0, 256);
2130 ++ ae = &ad->AttrValue;
2131 ++ memset(ae, 0, sizeof(*ae));
2132 +
2133 + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString),
2134 + "/sys/class/scsi_host/host%d", shost->host_no);
2135 +@@ -2091,8 +2091,8 @@ lpfc_fdmi_port_attr_host_name(struct lpfc_vport *vport,
2136 + struct lpfc_fdmi_attr_entry *ae;
2137 + uint32_t len, size;
2138 +
2139 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2140 +- memset(ae, 0, 256);
2141 ++ ae = &ad->AttrValue;
2142 ++ memset(ae, 0, sizeof(*ae));
2143 +
2144 + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s",
2145 + init_utsname()->nodename);
2146 +@@ -2112,8 +2112,8 @@ lpfc_fdmi_port_attr_wwnn(struct lpfc_vport *vport,
2147 + struct lpfc_fdmi_attr_entry *ae;
2148 + uint32_t size;
2149 +
2150 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2151 +- memset(ae, 0, sizeof(struct lpfc_name));
2152 ++ ae = &ad->AttrValue;
2153 ++ memset(ae, 0, sizeof(*ae));
2154 +
2155 + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName,
2156 + sizeof(struct lpfc_name));
2157 +@@ -2130,8 +2130,8 @@ lpfc_fdmi_port_attr_wwpn(struct lpfc_vport *vport,
2158 + struct lpfc_fdmi_attr_entry *ae;
2159 + uint32_t size;
2160 +
2161 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2162 +- memset(ae, 0, sizeof(struct lpfc_name));
2163 ++ ae = &ad->AttrValue;
2164 ++ memset(ae, 0, sizeof(*ae));
2165 +
2166 + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.portName,
2167 + sizeof(struct lpfc_name));
2168 +@@ -2148,8 +2148,8 @@ lpfc_fdmi_port_attr_symbolic_name(struct lpfc_vport *vport,
2169 + struct lpfc_fdmi_attr_entry *ae;
2170 + uint32_t len, size;
2171 +
2172 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2173 +- memset(ae, 0, 256);
2174 ++ ae = &ad->AttrValue;
2175 ++ memset(ae, 0, sizeof(*ae));
2176 +
2177 + len = lpfc_vport_symbolic_port_name(vport, ae->un.AttrString, 256);
2178 + len += (len & 3) ? (4 - (len & 3)) : 4;
2179 +@@ -2167,7 +2167,7 @@ lpfc_fdmi_port_attr_port_type(struct lpfc_vport *vport,
2180 + struct lpfc_fdmi_attr_entry *ae;
2181 + uint32_t size;
2182 +
2183 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2184 ++ ae = &ad->AttrValue;
2185 + if (phba->fc_topology == LPFC_TOPOLOGY_LOOP)
2186 + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTTYPE_NLPORT);
2187 + else
2188 +@@ -2185,7 +2185,7 @@ lpfc_fdmi_port_attr_class(struct lpfc_vport *vport,
2189 + struct lpfc_fdmi_attr_entry *ae;
2190 + uint32_t size;
2191 +
2192 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2193 ++ ae = &ad->AttrValue;
2194 + ae->un.AttrInt = cpu_to_be32(FC_COS_CLASS2 | FC_COS_CLASS3);
2195 + size = FOURBYTES + sizeof(uint32_t);
2196 + ad->AttrLen = cpu_to_be16(size);
2197 +@@ -2200,8 +2200,8 @@ lpfc_fdmi_port_attr_fabric_wwpn(struct lpfc_vport *vport,
2198 + struct lpfc_fdmi_attr_entry *ae;
2199 + uint32_t size;
2200 +
2201 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2202 +- memset(ae, 0, sizeof(struct lpfc_name));
2203 ++ ae = &ad->AttrValue;
2204 ++ memset(ae, 0, sizeof(*ae));
2205 +
2206 + memcpy(&ae->un.AttrWWN, &vport->fabric_portname,
2207 + sizeof(struct lpfc_name));
2208 +@@ -2218,8 +2218,8 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport,
2209 + struct lpfc_fdmi_attr_entry *ae;
2210 + uint32_t size;
2211 +
2212 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2213 +- memset(ae, 0, 32);
2214 ++ ae = &ad->AttrValue;
2215 ++ memset(ae, 0, sizeof(*ae));
2216 +
2217 + ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */
2218 + ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */
2219 +@@ -2237,7 +2237,7 @@ lpfc_fdmi_port_attr_port_state(struct lpfc_vport *vport,
2220 + struct lpfc_fdmi_attr_entry *ae;
2221 + uint32_t size;
2222 +
2223 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2224 ++ ae = &ad->AttrValue;
2225 + /* Link Up - operational */
2226 + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTSTATE_ONLINE);
2227 + size = FOURBYTES + sizeof(uint32_t);
2228 +@@ -2253,7 +2253,7 @@ lpfc_fdmi_port_attr_num_disc(struct lpfc_vport *vport,
2229 + struct lpfc_fdmi_attr_entry *ae;
2230 + uint32_t size;
2231 +
2232 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2233 ++ ae = &ad->AttrValue;
2234 + vport->fdmi_num_disc = lpfc_find_map_node(vport);
2235 + ae->un.AttrInt = cpu_to_be32(vport->fdmi_num_disc);
2236 + size = FOURBYTES + sizeof(uint32_t);
2237 +@@ -2269,7 +2269,7 @@ lpfc_fdmi_port_attr_nportid(struct lpfc_vport *vport,
2238 + struct lpfc_fdmi_attr_entry *ae;
2239 + uint32_t size;
2240 +
2241 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2242 ++ ae = &ad->AttrValue;
2243 + ae->un.AttrInt = cpu_to_be32(vport->fc_myDID);
2244 + size = FOURBYTES + sizeof(uint32_t);
2245 + ad->AttrLen = cpu_to_be16(size);
2246 +@@ -2284,8 +2284,8 @@ lpfc_fdmi_smart_attr_service(struct lpfc_vport *vport,
2247 + struct lpfc_fdmi_attr_entry *ae;
2248 + uint32_t len, size;
2249 +
2250 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2251 +- memset(ae, 0, 256);
2252 ++ ae = &ad->AttrValue;
2253 ++ memset(ae, 0, sizeof(*ae));
2254 +
2255 + strncpy(ae->un.AttrString, "Smart SAN Initiator",
2256 + sizeof(ae->un.AttrString));
2257 +@@ -2305,8 +2305,8 @@ lpfc_fdmi_smart_attr_guid(struct lpfc_vport *vport,
2258 + struct lpfc_fdmi_attr_entry *ae;
2259 + uint32_t size;
2260 +
2261 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2262 +- memset(ae, 0, 256);
2263 ++ ae = &ad->AttrValue;
2264 ++ memset(ae, 0, sizeof(*ae));
2265 +
2266 + memcpy(&ae->un.AttrString, &vport->fc_sparam.nodeName,
2267 + sizeof(struct lpfc_name));
2268 +@@ -2326,8 +2326,8 @@ lpfc_fdmi_smart_attr_version(struct lpfc_vport *vport,
2269 + struct lpfc_fdmi_attr_entry *ae;
2270 + uint32_t len, size;
2271 +
2272 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2273 +- memset(ae, 0, 256);
2274 ++ ae = &ad->AttrValue;
2275 ++ memset(ae, 0, sizeof(*ae));
2276 +
2277 + strncpy(ae->un.AttrString, "Smart SAN Version 2.0",
2278 + sizeof(ae->un.AttrString));
2279 +@@ -2348,8 +2348,8 @@ lpfc_fdmi_smart_attr_model(struct lpfc_vport *vport,
2280 + struct lpfc_fdmi_attr_entry *ae;
2281 + uint32_t len, size;
2282 +
2283 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2284 +- memset(ae, 0, 256);
2285 ++ ae = &ad->AttrValue;
2286 ++ memset(ae, 0, sizeof(*ae));
2287 +
2288 + strncpy(ae->un.AttrString, phba->ModelName,
2289 + sizeof(ae->un.AttrString));
2290 +@@ -2368,7 +2368,7 @@ lpfc_fdmi_smart_attr_port_info(struct lpfc_vport *vport,
2291 + struct lpfc_fdmi_attr_entry *ae;
2292 + uint32_t size;
2293 +
2294 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2295 ++ ae = &ad->AttrValue;
2296 +
2297 + /* SRIOV (type 3) is not supported */
2298 + if (vport->vpi)
2299 +@@ -2388,7 +2388,7 @@ lpfc_fdmi_smart_attr_qos(struct lpfc_vport *vport,
2300 + struct lpfc_fdmi_attr_entry *ae;
2301 + uint32_t size;
2302 +
2303 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2304 ++ ae = &ad->AttrValue;
2305 + ae->un.AttrInt = cpu_to_be32(0);
2306 + size = FOURBYTES + sizeof(uint32_t);
2307 + ad->AttrLen = cpu_to_be16(size);
2308 +@@ -2403,7 +2403,7 @@ lpfc_fdmi_smart_attr_security(struct lpfc_vport *vport,
2309 + struct lpfc_fdmi_attr_entry *ae;
2310 + uint32_t size;
2311 +
2312 +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
2313 ++ ae = &ad->AttrValue;
2314 + ae->un.AttrInt = cpu_to_be32(1);
2315 + size = FOURBYTES + sizeof(uint32_t);
2316 + ad->AttrLen = cpu_to_be16(size);
2317 +@@ -2551,7 +2551,8 @@ lpfc_fdmi_cmd(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
2318 + /* Registered Port List */
2319 + /* One entry (port) per adapter */
2320 + rh->rpl.EntryCnt = cpu_to_be32(1);
2321 +- memcpy(&rh->rpl.pe, &phba->pport->fc_sparam.portName,
2322 ++ memcpy(&rh->rpl.pe.PortName,
2323 ++ &phba->pport->fc_sparam.portName,
2324 + sizeof(struct lpfc_name));
2325 +
2326 + /* point to the HBA attribute block */
2327 +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h
2328 +index 3b970d3706008..daab21f940fb8 100644
2329 +--- a/drivers/scsi/lpfc/lpfc_hw.h
2330 ++++ b/drivers/scsi/lpfc/lpfc_hw.h
2331 +@@ -1289,25 +1289,8 @@ struct fc_rdp_res_frame {
2332 + /* lpfc_sli_ct_request defines the CT_IU preamble for FDMI commands */
2333 + #define SLI_CT_FDMI_Subtypes 0x10 /* Management Service Subtype */
2334 +
2335 +-/*
2336 +- * Registered Port List Format
2337 +- */
2338 +-struct lpfc_fdmi_reg_port_list {
2339 +- uint32_t EntryCnt;
2340 +- uint32_t pe; /* Variable-length array */
2341 +-};
2342 +-
2343 +-
2344 + /* Definitions for HBA / Port attribute entries */
2345 +
2346 +-struct lpfc_fdmi_attr_def { /* Defined in TLV format */
2347 +- /* Structure is in Big Endian format */
2348 +- uint32_t AttrType:16;
2349 +- uint32_t AttrLen:16;
2350 +- uint32_t AttrValue; /* Marks start of Value (ATTRIBUTE_ENTRY) */
2351 +-};
2352 +-
2353 +-
2354 + /* Attribute Entry */
2355 + struct lpfc_fdmi_attr_entry {
2356 + union {
2357 +@@ -1318,7 +1301,13 @@ struct lpfc_fdmi_attr_entry {
2358 + } un;
2359 + };
2360 +
2361 +-#define LPFC_FDMI_MAX_AE_SIZE sizeof(struct lpfc_fdmi_attr_entry)
2362 ++struct lpfc_fdmi_attr_def { /* Defined in TLV format */
2363 ++ /* Structure is in Big Endian format */
2364 ++ uint32_t AttrType:16;
2365 ++ uint32_t AttrLen:16;
2366 ++ /* Marks start of Value (ATTRIBUTE_ENTRY) */
2367 ++ struct lpfc_fdmi_attr_entry AttrValue;
2368 ++} __packed;
2369 +
2370 + /*
2371 + * HBA Attribute Block
2372 +@@ -1342,13 +1331,20 @@ struct lpfc_fdmi_hba_ident {
2373 + struct lpfc_name PortName;
2374 + };
2375 +
2376 ++/*
2377 ++ * Registered Port List Format
2378 ++ */
2379 ++struct lpfc_fdmi_reg_port_list {
2380 ++ uint32_t EntryCnt;
2381 ++ struct lpfc_fdmi_port_entry pe;
2382 ++} __packed;
2383 ++
2384 + /*
2385 + * Register HBA(RHBA)
2386 + */
2387 + struct lpfc_fdmi_reg_hba {
2388 + struct lpfc_fdmi_hba_ident hi;
2389 +- struct lpfc_fdmi_reg_port_list rpl; /* variable-length array */
2390 +-/* struct lpfc_fdmi_attr_block ab; */
2391 ++ struct lpfc_fdmi_reg_port_list rpl;
2392 + };
2393 +
2394 + /*
2395 +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
2396 +index 1c34dc3355498..08c76c361e8dc 100644
2397 +--- a/drivers/scsi/lpfc/lpfc_sli.c
2398 ++++ b/drivers/scsi/lpfc/lpfc_sli.c
2399 +@@ -15648,6 +15648,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf)
2400 + list_add_tail(&iocbq->list, &first_iocbq->list);
2401 + }
2402 + }
2403 ++ /* Free the sequence's header buffer */
2404 ++ if (!first_iocbq)
2405 ++ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf);
2406 ++
2407 + return first_iocbq;
2408 + }
2409 +
2410 +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
2411 +index 6624cc07ac044..8dbfd4ffd6355 100644
2412 +--- a/drivers/tty/serial/8250/8250_core.c
2413 ++++ b/drivers/tty/serial/8250/8250_core.c
2414 +@@ -1046,8 +1046,10 @@ int serial8250_register_8250_port(struct uart_8250_port *up)
2415 +
2416 + ret = uart_add_one_port(&serial8250_reg,
2417 + &uart->port);
2418 +- if (ret == 0)
2419 +- ret = uart->port.line;
2420 ++ if (ret)
2421 ++ goto err;
2422 ++
2423 ++ ret = uart->port.line;
2424 + } else {
2425 + dev_info(uart->port.dev,
2426 + "skipping CIR port at 0x%lx / 0x%llx, IRQ %d\n",
2427 +@@ -1061,6 +1063,11 @@ int serial8250_register_8250_port(struct uart_8250_port *up)
2428 + mutex_unlock(&serial_mutex);
2429 +
2430 + return ret;
2431 ++
2432 ++err:
2433 ++ uart->port.dev = NULL;
2434 ++ mutex_unlock(&serial_mutex);
2435 ++ return ret;
2436 + }
2437 + EXPORT_SYMBOL(serial8250_register_8250_port);
2438 +
2439 +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
2440 +index a3adf21f9dcec..d41be02abced2 100644
2441 +--- a/drivers/tty/serial/8250/8250_omap.c
2442 ++++ b/drivers/tty/serial/8250/8250_omap.c
2443 +@@ -773,7 +773,10 @@ static void __dma_rx_do_complete(struct uart_8250_port *p)
2444 + dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state);
2445 +
2446 + count = dma->rx_size - state.residue;
2447 +-
2448 ++ if (count < dma->rx_size)
2449 ++ dmaengine_terminate_async(dma->rxchan);
2450 ++ if (!count)
2451 ++ goto unlock;
2452 + ret = tty_insert_flip_string(tty_port, dma->rx_buf, count);
2453 +
2454 + p->port.icount.rx += ret;
2455 +@@ -811,7 +814,6 @@ static void omap_8250_rx_dma_flush(struct uart_8250_port *p)
2456 + spin_unlock_irqrestore(&priv->rx_dma_lock, flags);
2457 +
2458 + __dma_rx_do_complete(p);
2459 +- dmaengine_terminate_all(dma->rxchan);
2460 + }
2461 +
2462 + static int omap_8250_rx_dma(struct uart_8250_port *p)
2463 +@@ -1194,11 +1196,11 @@ static int omap8250_probe(struct platform_device *pdev)
2464 + spin_lock_init(&priv->rx_dma_lock);
2465 +
2466 + device_init_wakeup(&pdev->dev, true);
2467 ++ pm_runtime_enable(&pdev->dev);
2468 + pm_runtime_use_autosuspend(&pdev->dev);
2469 + pm_runtime_set_autosuspend_delay(&pdev->dev, -1);
2470 +
2471 + pm_runtime_irq_safe(&pdev->dev);
2472 +- pm_runtime_enable(&pdev->dev);
2473 +
2474 + pm_runtime_get_sync(&pdev->dev);
2475 +
2476 +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
2477 +index 5641b877dca53..827a641ac336e 100644
2478 +--- a/drivers/tty/serial/8250/8250_port.c
2479 ++++ b/drivers/tty/serial/8250/8250_port.c
2480 +@@ -1806,6 +1806,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
2481 + unsigned char status;
2482 + unsigned long flags;
2483 + struct uart_8250_port *up = up_to_u8250p(port);
2484 ++ bool skip_rx = false;
2485 +
2486 + if (iir & UART_IIR_NO_INT)
2487 + return 0;
2488 +@@ -1814,7 +1815,20 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
2489 +
2490 + status = serial_port_in(port, UART_LSR);
2491 +
2492 +- if (status & (UART_LSR_DR | UART_LSR_BI)) {
2493 ++ /*
2494 ++ * If port is stopped and there are no error conditions in the
2495 ++ * FIFO, then don't drain the FIFO, as this may lead to TTY buffer
2496 ++ * overflow. Not servicing, RX FIFO would trigger auto HW flow
2497 ++ * control when FIFO occupancy reaches preset threshold, thus
2498 ++ * halting RX. This only works when auto HW flow control is
2499 ++ * available.
2500 ++ */
2501 ++ if (!(status & (UART_LSR_FIFOE | UART_LSR_BRK_ERROR_BITS)) &&
2502 ++ (port->status & (UPSTAT_AUTOCTS | UPSTAT_AUTORTS)) &&
2503 ++ !(port->read_status_mask & UART_LSR_DR))
2504 ++ skip_rx = true;
2505 ++
2506 ++ if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) {
2507 + if (!up->dma || handle_rx_dma(up, iir))
2508 + status = serial8250_rx_chars(up, status);
2509 + }
2510 +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
2511 +index 4dfdb59061bea..8c89697c53573 100644
2512 +--- a/drivers/tty/serial/samsung.c
2513 ++++ b/drivers/tty/serial/samsung.c
2514 +@@ -1157,14 +1157,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport,
2515 + struct s3c24xx_uart_info *info = ourport->info;
2516 + struct clk *clk;
2517 + unsigned long rate;
2518 +- unsigned int cnt, baud, quot, clk_sel, best_quot = 0;
2519 ++ unsigned int cnt, baud, quot, best_quot = 0;
2520 + char clkname[MAX_CLK_NAME_LENGTH];
2521 + int calc_deviation, deviation = (1 << 30) - 1;
2522 +
2523 +- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel :
2524 +- ourport->info->def_clk_sel;
2525 + for (cnt = 0; cnt < info->num_clks; cnt++) {
2526 +- if (!(clk_sel & (1 << cnt)))
2527 ++ /* Keep selected clock if provided */
2528 ++ if (ourport->cfg->clk_sel &&
2529 ++ !(ourport->cfg->clk_sel & (1 << cnt)))
2530 + continue;
2531 +
2532 + sprintf(clkname, "clk_uart_baud%d", cnt);
2533 +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c
2534 +index 849806a75f1ce..b29610899c9f6 100644
2535 +--- a/drivers/usb/host/ehci-mv.c
2536 ++++ b/drivers/usb/host/ehci-mv.c
2537 +@@ -196,12 +196,10 @@ static int mv_ehci_probe(struct platform_device *pdev)
2538 + hcd->rsrc_len = resource_size(r);
2539 + hcd->regs = ehci_mv->op_regs;
2540 +
2541 +- hcd->irq = platform_get_irq(pdev, 0);
2542 +- if (!hcd->irq) {
2543 +- dev_err(&pdev->dev, "Cannot get irq.");
2544 +- retval = -ENODEV;
2545 ++ retval = platform_get_irq(pdev, 0);
2546 ++ if (retval < 0)
2547 + goto err_disable_clk;
2548 +- }
2549 ++ hcd->irq = retval;
2550 +
2551 + ehci = hcd_to_ehci(hcd);
2552 + ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs;
2553 +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
2554 +index 2254c281cc766..237d5aceb302d 100644
2555 +--- a/drivers/vfio/pci/vfio_pci.c
2556 ++++ b/drivers/vfio/pci/vfio_pci.c
2557 +@@ -392,6 +392,19 @@ static void vfio_pci_release(void *device_data)
2558 + if (!(--vdev->refcnt)) {
2559 + vfio_spapr_pci_eeh_release(vdev->pdev);
2560 + vfio_pci_disable(vdev);
2561 ++ mutex_lock(&vdev->igate);
2562 ++ if (vdev->err_trigger) {
2563 ++ eventfd_ctx_put(vdev->err_trigger);
2564 ++ vdev->err_trigger = NULL;
2565 ++ }
2566 ++ mutex_unlock(&vdev->igate);
2567 ++
2568 ++ mutex_lock(&vdev->igate);
2569 ++ if (vdev->req_trigger) {
2570 ++ eventfd_ctx_put(vdev->req_trigger);
2571 ++ vdev->req_trigger = NULL;
2572 ++ }
2573 ++ mutex_unlock(&vdev->igate);
2574 + }
2575 +
2576 + mutex_unlock(&driver_lock);
2577 +diff --git a/fs/block_dev.c b/fs/block_dev.c
2578 +index 06f7cbe201326..98b37e77683d3 100644
2579 +--- a/fs/block_dev.c
2580 ++++ b/fs/block_dev.c
2581 +@@ -1586,6 +1586,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part)
2582 + struct gendisk *disk = bdev->bd_disk;
2583 + struct block_device *victim = NULL;
2584 +
2585 ++ /*
2586 ++ * Sync early if it looks like we're the last one. If someone else
2587 ++ * opens the block device between now and the decrement of bd_openers
2588 ++ * then we did a sync that we didn't need to, but that's not the end
2589 ++ * of the world and we want to avoid long (could be several minute)
2590 ++ * syncs while holding the mutex.
2591 ++ */
2592 ++ if (bdev->bd_openers == 1)
2593 ++ sync_blockdev(bdev);
2594 ++
2595 + mutex_lock_nested(&bdev->bd_mutex, for_part);
2596 + if (for_part)
2597 + bdev->bd_part_count--;
2598 +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
2599 +index c0033a0d00787..b5bff1e760a34 100644
2600 +--- a/fs/btrfs/extent-tree.c
2601 ++++ b/fs/btrfs/extent-tree.c
2602 +@@ -9435,8 +9435,6 @@ out:
2603 + */
2604 + if (!for_reloc && root_dropped == false)
2605 + btrfs_add_dead_root(root);
2606 +- if (err && err != -EAGAIN)
2607 +- btrfs_handle_fs_error(fs_info, err, NULL);
2608 + return err;
2609 + }
2610 +
2611 +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
2612 +index e11aacb35d6b5..cbd92dd89de16 100644
2613 +--- a/fs/ceph/caps.c
2614 ++++ b/fs/ceph/caps.c
2615 +@@ -1807,12 +1807,24 @@ ack:
2616 + if (mutex_trylock(&session->s_mutex) == 0) {
2617 + dout("inverting session/ino locks on %p\n",
2618 + session);
2619 ++ session = ceph_get_mds_session(session);
2620 + spin_unlock(&ci->i_ceph_lock);
2621 + if (took_snap_rwsem) {
2622 + up_read(&mdsc->snap_rwsem);
2623 + took_snap_rwsem = 0;
2624 + }
2625 +- mutex_lock(&session->s_mutex);
2626 ++ if (session) {
2627 ++ mutex_lock(&session->s_mutex);
2628 ++ ceph_put_mds_session(session);
2629 ++ } else {
2630 ++ /*
2631 ++ * Because we take the reference while
2632 ++ * holding the i_ceph_lock, it should
2633 ++ * never be NULL. Throw a warning if it
2634 ++ * ever is.
2635 ++ */
2636 ++ WARN_ON_ONCE(true);
2637 ++ }
2638 + goto retry;
2639 + }
2640 + }
2641 +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
2642 +index 7ae21ad420fbf..a12258c32e8a3 100644
2643 +--- a/fs/cifs/cifsglob.h
2644 ++++ b/fs/cifs/cifsglob.h
2645 +@@ -242,8 +242,9 @@ struct smb_version_operations {
2646 + int (*check_message)(char *, unsigned int, struct TCP_Server_Info *);
2647 + bool (*is_oplock_break)(char *, struct TCP_Server_Info *);
2648 + int (*handle_cancelled_mid)(char *, struct TCP_Server_Info *);
2649 +- void (*downgrade_oplock)(struct TCP_Server_Info *,
2650 +- struct cifsInodeInfo *, bool);
2651 ++ void (*downgrade_oplock)(struct TCP_Server_Info *server,
2652 ++ struct cifsInodeInfo *cinode, __u32 oplock,
2653 ++ unsigned int epoch, bool *purge_cache);
2654 + /* process transaction2 response */
2655 + bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *,
2656 + char *, int);
2657 +@@ -1080,6 +1081,8 @@ struct cifsFileInfo {
2658 + unsigned int f_flags;
2659 + bool invalidHandle:1; /* file closed via session abend */
2660 + bool oplock_break_cancelled:1;
2661 ++ unsigned int oplock_epoch; /* epoch from the lease break */
2662 ++ __u32 oplock_level; /* oplock/lease level from the lease break */
2663 + int count;
2664 + spinlock_t file_info_lock; /* protects four flag/count fields above */
2665 + struct mutex fh_mutex; /* prevents reopen race after dead ses*/
2666 +@@ -1191,7 +1194,7 @@ struct cifsInodeInfo {
2667 + unsigned int epoch; /* used to track lease state changes */
2668 + #define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */
2669 + #define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */
2670 +-#define CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2 (2) /* Downgrade oplock to L2 */
2671 ++#define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */
2672 + #define CIFS_INO_DELETE_PENDING (3) /* delete pending on server */
2673 + #define CIFS_INO_INVALID_MAPPING (4) /* pagecache is invalid */
2674 + #define CIFS_INO_LOCK (5) /* lock bit for synchronization */
2675 +diff --git a/fs/cifs/file.c b/fs/cifs/file.c
2676 +index b2919166855f5..24508b69e78b7 100644
2677 +--- a/fs/cifs/file.c
2678 ++++ b/fs/cifs/file.c
2679 +@@ -3531,7 +3531,8 @@ readpages_get_pages(struct address_space *mapping, struct list_head *page_list,
2680 + break;
2681 +
2682 + __SetPageLocked(page);
2683 +- if (add_to_page_cache_locked(page, mapping, page->index, gfp)) {
2684 ++ rc = add_to_page_cache_locked(page, mapping, page->index, gfp);
2685 ++ if (rc) {
2686 + __ClearPageLocked(page);
2687 + break;
2688 + }
2689 +@@ -3547,6 +3548,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping,
2690 + struct list_head *page_list, unsigned num_pages)
2691 + {
2692 + int rc;
2693 ++ int err = 0;
2694 + struct list_head tmplist;
2695 + struct cifsFileInfo *open_file = file->private_data;
2696 + struct cifs_sb_info *cifs_sb = CIFS_FILE_SB(file);
2697 +@@ -3587,7 +3589,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping,
2698 + * the order of declining indexes. When we put the pages in
2699 + * the rdata->pages, then we want them in increasing order.
2700 + */
2701 +- while (!list_empty(page_list)) {
2702 ++ while (!list_empty(page_list) && !err) {
2703 + unsigned int i, nr_pages, bytes, rsize;
2704 + loff_t offset;
2705 + struct page *page, *tpage;
2706 +@@ -3610,9 +3612,10 @@ static int cifs_readpages(struct file *file, struct address_space *mapping,
2707 + return 0;
2708 + }
2709 +
2710 +- rc = readpages_get_pages(mapping, page_list, rsize, &tmplist,
2711 ++ nr_pages = 0;
2712 ++ err = readpages_get_pages(mapping, page_list, rsize, &tmplist,
2713 + &nr_pages, &offset, &bytes);
2714 +- if (rc) {
2715 ++ if (!nr_pages) {
2716 + add_credits_and_wake_if(server, credits, 0);
2717 + break;
2718 + }
2719 +@@ -3912,12 +3915,13 @@ void cifs_oplock_break(struct work_struct *work)
2720 + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
2721 + struct TCP_Server_Info *server = tcon->ses->server;
2722 + int rc = 0;
2723 ++ bool purge_cache = false;
2724 +
2725 + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
2726 + TASK_UNINTERRUPTIBLE);
2727 +
2728 +- server->ops->downgrade_oplock(server, cinode,
2729 +- test_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, &cinode->flags));
2730 ++ server->ops->downgrade_oplock(server, cinode, cfile->oplock_level,
2731 ++ cfile->oplock_epoch, &purge_cache);
2732 +
2733 + if (!CIFS_CACHE_WRITE(cinode) && CIFS_CACHE_READ(cinode) &&
2734 + cifs_has_mand_locks(cinode)) {
2735 +@@ -3932,18 +3936,21 @@ void cifs_oplock_break(struct work_struct *work)
2736 + else
2737 + break_lease(inode, O_WRONLY);
2738 + rc = filemap_fdatawrite(inode->i_mapping);
2739 +- if (!CIFS_CACHE_READ(cinode)) {
2740 ++ if (!CIFS_CACHE_READ(cinode) || purge_cache) {
2741 + rc = filemap_fdatawait(inode->i_mapping);
2742 + mapping_set_error(inode->i_mapping, rc);
2743 + cifs_zap_mapping(inode);
2744 + }
2745 + cifs_dbg(FYI, "Oplock flush inode %p rc %d\n", inode, rc);
2746 ++ if (CIFS_CACHE_WRITE(cinode))
2747 ++ goto oplock_break_ack;
2748 + }
2749 +
2750 + rc = cifs_push_locks(cfile);
2751 + if (rc)
2752 + cifs_dbg(VFS, "Push locks rc = %d\n", rc);
2753 +
2754 ++oplock_break_ack:
2755 + /*
2756 + * releasing stale oplock after recent reconnect of smb session using
2757 + * a now incorrect file handle is not a data integrity issue but do
2758 +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
2759 +index 5e75df69062d8..bdf151e949166 100644
2760 +--- a/fs/cifs/misc.c
2761 ++++ b/fs/cifs/misc.c
2762 +@@ -481,21 +481,10 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
2763 + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
2764 + &pCifsInode->flags);
2765 +
2766 +- /*
2767 +- * Set flag if the server downgrades the oplock
2768 +- * to L2 else clear.
2769 +- */
2770 +- if (pSMB->OplockLevel)
2771 +- set_bit(
2772 +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
2773 +- &pCifsInode->flags);
2774 +- else
2775 +- clear_bit(
2776 +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
2777 +- &pCifsInode->flags);
2778 +-
2779 +- cifs_queue_oplock_break(netfile);
2780 ++ netfile->oplock_epoch = 0;
2781 ++ netfile->oplock_level = pSMB->OplockLevel;
2782 + netfile->oplock_break_cancelled = false;
2783 ++ cifs_queue_oplock_break(netfile);
2784 +
2785 + spin_unlock(&tcon->open_file_lock);
2786 + spin_unlock(&cifs_tcp_ses_lock);
2787 +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
2788 +index 6f5d78b172bac..9a1f01c2f0209 100644
2789 +--- a/fs/cifs/smb1ops.c
2790 ++++ b/fs/cifs/smb1ops.c
2791 +@@ -378,12 +378,10 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr)
2792 +
2793 + static void
2794 + cifs_downgrade_oplock(struct TCP_Server_Info *server,
2795 +- struct cifsInodeInfo *cinode, bool set_level2)
2796 ++ struct cifsInodeInfo *cinode, __u32 oplock,
2797 ++ unsigned int epoch, bool *purge_cache)
2798 + {
2799 +- if (set_level2)
2800 +- cifs_set_oplock_level(cinode, OPLOCK_READ);
2801 +- else
2802 +- cifs_set_oplock_level(cinode, 0);
2803 ++ cifs_set_oplock_level(cinode, oplock);
2804 + }
2805 +
2806 + static bool
2807 +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
2808 +index 7b7b47e26dbd4..bddb2d7b39824 100644
2809 +--- a/fs/cifs/smb2misc.c
2810 ++++ b/fs/cifs/smb2misc.c
2811 +@@ -491,7 +491,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
2812 +
2813 + cifs_dbg(FYI, "found in the open list\n");
2814 + cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
2815 +- le32_to_cpu(rsp->NewLeaseState));
2816 ++ lease_state);
2817 +
2818 + if (ack_req)
2819 + cfile->oplock_break_cancelled = false;
2820 +@@ -500,17 +500,8 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
2821 +
2822 + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
2823 +
2824 +- /*
2825 +- * Set or clear flags depending on the lease state being READ.
2826 +- * HANDLE caching flag should be added when the client starts
2827 +- * to defer closing remote file handles with HANDLE leases.
2828 +- */
2829 +- if (lease_state & SMB2_LEASE_READ_CACHING_HE)
2830 +- set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
2831 +- &cinode->flags);
2832 +- else
2833 +- clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
2834 +- &cinode->flags);
2835 ++ cfile->oplock_epoch = le16_to_cpu(rsp->Epoch);
2836 ++ cfile->oplock_level = lease_state;
2837 +
2838 + cifs_queue_oplock_break(cfile);
2839 + kfree(lw);
2840 +@@ -533,7 +524,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
2841 +
2842 + cifs_dbg(FYI, "found in the pending open list\n");
2843 + cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
2844 +- le32_to_cpu(rsp->NewLeaseState));
2845 ++ lease_state);
2846 +
2847 + open->oplock = lease_state;
2848 + }
2849 +@@ -645,18 +636,9 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
2850 + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
2851 + &cinode->flags);
2852 +
2853 +- /*
2854 +- * Set flag if the server downgrades the oplock
2855 +- * to L2 else clear.
2856 +- */
2857 +- if (rsp->OplockLevel)
2858 +- set_bit(
2859 +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
2860 +- &cinode->flags);
2861 +- else
2862 +- clear_bit(
2863 +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
2864 +- &cinode->flags);
2865 ++ cfile->oplock_epoch = 0;
2866 ++ cfile->oplock_level = rsp->OplockLevel;
2867 ++
2868 + spin_unlock(&cfile->file_info_lock);
2869 +
2870 + cifs_queue_oplock_break(cfile);
2871 +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
2872 +index edd4c7292be00..67edd6e03f803 100644
2873 +--- a/fs/cifs/smb2ops.c
2874 ++++ b/fs/cifs/smb2ops.c
2875 +@@ -1379,22 +1379,38 @@ static long smb3_fallocate(struct file *file, struct cifs_tcon *tcon, int mode,
2876 +
2877 + static void
2878 + smb2_downgrade_oplock(struct TCP_Server_Info *server,
2879 +- struct cifsInodeInfo *cinode, bool set_level2)
2880 ++ struct cifsInodeInfo *cinode, __u32 oplock,
2881 ++ unsigned int epoch, bool *purge_cache)
2882 + {
2883 +- if (set_level2)
2884 +- server->ops->set_oplock_level(cinode, SMB2_OPLOCK_LEVEL_II,
2885 +- 0, NULL);
2886 +- else
2887 +- server->ops->set_oplock_level(cinode, 0, 0, NULL);
2888 ++ server->ops->set_oplock_level(cinode, oplock, 0, NULL);
2889 + }
2890 +
2891 + static void
2892 +-smb21_downgrade_oplock(struct TCP_Server_Info *server,
2893 +- struct cifsInodeInfo *cinode, bool set_level2)
2894 ++smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
2895 ++ unsigned int epoch, bool *purge_cache);
2896 ++
2897 ++static void
2898 ++smb3_downgrade_oplock(struct TCP_Server_Info *server,
2899 ++ struct cifsInodeInfo *cinode, __u32 oplock,
2900 ++ unsigned int epoch, bool *purge_cache)
2901 + {
2902 +- server->ops->set_oplock_level(cinode,
2903 +- set_level2 ? SMB2_LEASE_READ_CACHING_HE :
2904 +- 0, 0, NULL);
2905 ++ unsigned int old_state = cinode->oplock;
2906 ++ unsigned int old_epoch = cinode->epoch;
2907 ++ unsigned int new_state;
2908 ++
2909 ++ if (epoch > old_epoch) {
2910 ++ smb21_set_oplock_level(cinode, oplock, 0, NULL);
2911 ++ cinode->epoch = epoch;
2912 ++ }
2913 ++
2914 ++ new_state = cinode->oplock;
2915 ++ *purge_cache = false;
2916 ++
2917 ++ if ((old_state & CIFS_CACHE_READ_FLG) != 0 &&
2918 ++ (new_state & CIFS_CACHE_READ_FLG) == 0)
2919 ++ *purge_cache = true;
2920 ++ else if (old_state == new_state && (epoch - old_epoch > 1))
2921 ++ *purge_cache = true;
2922 + }
2923 +
2924 + static void
2925 +@@ -1709,7 +1725,7 @@ struct smb_version_operations smb21_operations = {
2926 + .print_stats = smb2_print_stats,
2927 + .is_oplock_break = smb2_is_valid_oplock_break,
2928 + .handle_cancelled_mid = smb2_handle_cancelled_mid,
2929 +- .downgrade_oplock = smb21_downgrade_oplock,
2930 ++ .downgrade_oplock = smb2_downgrade_oplock,
2931 + .need_neg = smb2_need_neg,
2932 + .negotiate = smb2_negotiate,
2933 + .negotiate_wsize = smb2_negotiate_wsize,
2934 +@@ -1793,7 +1809,7 @@ struct smb_version_operations smb30_operations = {
2935 + .dump_share_caps = smb2_dump_share_caps,
2936 + .is_oplock_break = smb2_is_valid_oplock_break,
2937 + .handle_cancelled_mid = smb2_handle_cancelled_mid,
2938 +- .downgrade_oplock = smb21_downgrade_oplock,
2939 ++ .downgrade_oplock = smb3_downgrade_oplock,
2940 + .need_neg = smb2_need_neg,
2941 + .negotiate = smb2_negotiate,
2942 + .negotiate_wsize = smb2_negotiate_wsize,
2943 +@@ -1883,7 +1899,7 @@ struct smb_version_operations smb311_operations = {
2944 + .dump_share_caps = smb2_dump_share_caps,
2945 + .is_oplock_break = smb2_is_valid_oplock_break,
2946 + .handle_cancelled_mid = smb2_handle_cancelled_mid,
2947 +- .downgrade_oplock = smb21_downgrade_oplock,
2948 ++ .downgrade_oplock = smb3_downgrade_oplock,
2949 + .need_neg = smb2_need_neg,
2950 + .negotiate = smb2_negotiate,
2951 + .negotiate_wsize = smb2_negotiate_wsize,
2952 +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
2953 +index 1af7afae3ad18..1a0c480745738 100644
2954 +--- a/fs/cifs/smb2pdu.h
2955 ++++ b/fs/cifs/smb2pdu.h
2956 +@@ -1025,7 +1025,7 @@ struct smb2_oplock_break {
2957 + struct smb2_lease_break {
2958 + struct smb2_hdr hdr;
2959 + __le16 StructureSize; /* Must be 44 */
2960 +- __le16 Reserved;
2961 ++ __le16 Epoch;
2962 + __le32 Flags;
2963 + __u8 LeaseKey[16];
2964 + __le32 CurrentLeaseState;
2965 +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
2966 +index b99225e117120..f0129c033bd66 100644
2967 +--- a/fs/fuse/dev.c
2968 ++++ b/fs/fuse/dev.c
2969 +@@ -825,7 +825,6 @@ static int fuse_check_page(struct page *page)
2970 + {
2971 + if (page_mapcount(page) ||
2972 + page->mapping != NULL ||
2973 +- page_count(page) != 1 ||
2974 + (page->flags & PAGE_FLAGS_CHECK_AT_PREP &
2975 + ~(1 << PG_locked |
2976 + 1 << PG_referenced |
2977 +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
2978 +index 97be412153328..9213a9e046ae0 100644
2979 +--- a/fs/ubifs/io.c
2980 ++++ b/fs/ubifs/io.c
2981 +@@ -237,7 +237,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum)
2982 + int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
2983 + int offs, int quiet, int must_chk_crc)
2984 + {
2985 +- int err = -EINVAL, type, node_len;
2986 ++ int err = -EINVAL, type, node_len, dump_node = 1;
2987 + uint32_t crc, node_crc, magic;
2988 + const struct ubifs_ch *ch = buf;
2989 +
2990 +@@ -290,10 +290,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
2991 + out_len:
2992 + if (!quiet)
2993 + ubifs_err(c, "bad node length %d", node_len);
2994 ++ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ)
2995 ++ dump_node = 0;
2996 + out:
2997 + if (!quiet) {
2998 + ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);
2999 +- ubifs_dump_node(c, buf);
3000 ++ if (dump_node) {
3001 ++ ubifs_dump_node(c, buf);
3002 ++ } else {
3003 ++ int safe_len = min3(node_len, c->leb_size - offs,
3004 ++ (int)UBIFS_MAX_DATA_NODE_SZ);
3005 ++ pr_err("\tprevent out-of-bounds memory access\n");
3006 ++ pr_err("\ttruncated data node length %d\n", safe_len);
3007 ++ pr_err("\tcorrupted data node:\n");
3008 ++ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1,
3009 ++ buf, safe_len, 0);
3010 ++ }
3011 + dump_stack();
3012 + }
3013 + return err;
3014 +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
3015 +index 7b9dd76403bfd..537acde2c497b 100644
3016 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c
3017 ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
3018 +@@ -1332,7 +1332,9 @@ xfs_attr3_leaf_add_work(
3019 + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
3020 + if (ichdr->freemap[i].base == tmp) {
3021 + ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t);
3022 +- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t);
3023 ++ ichdr->freemap[i].size -=
3024 ++ min_t(uint16_t, ichdr->freemap[i].size,
3025 ++ sizeof(xfs_attr_leaf_entry_t));
3026 + }
3027 + }
3028 + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index);
3029 +diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c
3030 +index bbd1238852b3c..df7f33e60a4f6 100644
3031 +--- a/fs/xfs/libxfs/xfs_dir2_node.c
3032 ++++ b/fs/xfs/libxfs/xfs_dir2_node.c
3033 +@@ -212,6 +212,7 @@ __xfs_dir3_free_read(
3034 + xfs_buf_ioerror(*bpp, -EFSCORRUPTED);
3035 + xfs_verifier_error(*bpp);
3036 + xfs_trans_brelse(tp, *bpp);
3037 ++ *bpp = NULL;
3038 + return -EFSCORRUPTED;
3039 + }
3040 +
3041 +diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h
3042 +index b20a0945b5500..7aea750538840 100644
3043 +--- a/include/linux/debugfs.h
3044 ++++ b/include/linux/debugfs.h
3045 +@@ -77,6 +77,8 @@ static const struct file_operations __fops = { \
3046 + .llseek = generic_file_llseek, \
3047 + }
3048 +
3049 ++typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
3050 ++
3051 + #if defined(CONFIG_DEBUG_FS)
3052 +
3053 + struct dentry *debugfs_create_file(const char *name, umode_t mode,
3054 +@@ -96,7 +98,6 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent);
3055 + struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
3056 + const char *dest);
3057 +
3058 +-typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
3059 + struct dentry *debugfs_create_automount(const char *name,
3060 + struct dentry *parent,
3061 + debugfs_automount_t f,
3062 +@@ -211,7 +212,7 @@ static inline struct dentry *debugfs_create_symlink(const char *name,
3063 +
3064 + static inline struct dentry *debugfs_create_automount(const char *name,
3065 + struct dentry *parent,
3066 +- struct vfsmount *(*f)(void *),
3067 ++ debugfs_automount_t f,
3068 + void *data)
3069 + {
3070 + return ERR_PTR(-ENODEV);
3071 +diff --git a/include/linux/libata.h b/include/linux/libata.h
3072 +index e2dac33eae964..3fabf57fd6e0d 100644
3073 +--- a/include/linux/libata.h
3074 ++++ b/include/linux/libata.h
3075 +@@ -499,6 +499,7 @@ enum hsm_task_states {
3076 + };
3077 +
3078 + enum ata_completion_errors {
3079 ++ AC_ERR_OK = 0, /* no error */
3080 + AC_ERR_DEV = (1 << 0), /* device reported error */
3081 + AC_ERR_HSM = (1 << 1), /* host state machine violation */
3082 + AC_ERR_TIMEOUT = (1 << 2), /* timeout */
3083 +@@ -903,9 +904,9 @@ struct ata_port_operations {
3084 + /*
3085 + * Command execution
3086 + */
3087 +- int (*qc_defer)(struct ata_queued_cmd *qc);
3088 +- int (*check_atapi_dma)(struct ata_queued_cmd *qc);
3089 +- void (*qc_prep)(struct ata_queued_cmd *qc);
3090 ++ int (*qc_defer)(struct ata_queued_cmd *qc);
3091 ++ int (*check_atapi_dma)(struct ata_queued_cmd *qc);
3092 ++ enum ata_completion_errors (*qc_prep)(struct ata_queued_cmd *qc);
3093 + unsigned int (*qc_issue)(struct ata_queued_cmd *qc);
3094 + bool (*qc_fill_rtf)(struct ata_queued_cmd *qc);
3095 +
3096 +@@ -1168,7 +1169,7 @@ extern int ata_xfer_mode2shift(unsigned long xfer_mode);
3097 + extern const char *ata_mode_string(unsigned long xfer_mask);
3098 + extern unsigned long ata_id_xfermask(const u16 *id);
3099 + extern int ata_std_qc_defer(struct ata_queued_cmd *qc);
3100 +-extern void ata_noop_qc_prep(struct ata_queued_cmd *qc);
3101 ++extern enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc);
3102 + extern void ata_sg_init(struct ata_queued_cmd *qc, struct scatterlist *sg,
3103 + unsigned int n_elem);
3104 + extern unsigned int ata_dev_classify(const struct ata_taskfile *tf);
3105 +@@ -1881,9 +1882,9 @@ extern const struct ata_port_operations ata_bmdma_port_ops;
3106 + .sg_tablesize = LIBATA_MAX_PRD, \
3107 + .dma_boundary = ATA_DMA_BOUNDARY
3108 +
3109 +-extern void ata_bmdma_qc_prep(struct ata_queued_cmd *qc);
3110 ++extern enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc);
3111 + extern unsigned int ata_bmdma_qc_issue(struct ata_queued_cmd *qc);
3112 +-extern void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc);
3113 ++extern enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc);
3114 + extern unsigned int ata_bmdma_port_intr(struct ata_port *ap,
3115 + struct ata_queued_cmd *qc);
3116 + extern irqreturn_t ata_bmdma_interrupt(int irq, void *dev_instance);
3117 +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
3118 +index b5b43f94f3116..01b990e4b228a 100644
3119 +--- a/include/linux/mtd/map.h
3120 ++++ b/include/linux/mtd/map.h
3121 +@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd);
3122 + ({ \
3123 + int i, ret = 1; \
3124 + for (i = 0; i < map_words(map); i++) { \
3125 +- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \
3126 ++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \
3127 + ret = 0; \
3128 + break; \
3129 + } \
3130 +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
3131 +index ead97654c4e9a..1613fe5c668e1 100644
3132 +--- a/include/linux/seqlock.h
3133 ++++ b/include/linux/seqlock.h
3134 +@@ -242,6 +242,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s)
3135 + * usual consistency guarantee. It is one wmb cheaper, because we can
3136 + * collapse the two back-to-back wmb()s.
3137 + *
3138 ++ * Note that, writes surrounding the barrier should be declared atomic (e.g.
3139 ++ * via WRITE_ONCE): a) to ensure the writes become visible to other threads
3140 ++ * atomically, avoiding compiler optimizations; b) to document which writes are
3141 ++ * meant to propagate to the reader critical section. This is necessary because
3142 ++ * neither writes before and after the barrier are enclosed in a seq-writer
3143 ++ * critical section that would ensure readers are aware of ongoing writes.
3144 ++ *
3145 + * seqcount_t seq;
3146 + * bool X = true, Y = false;
3147 + *
3148 +@@ -261,11 +268,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s)
3149 + *
3150 + * void write(void)
3151 + * {
3152 +- * Y = true;
3153 ++ * WRITE_ONCE(Y, true);
3154 + *
3155 + * raw_write_seqcount_barrier(seq);
3156 + *
3157 +- * X = false;
3158 ++ * WRITE_ONCE(X, false);
3159 + * }
3160 + */
3161 + static inline void raw_write_seqcount_barrier(seqcount_t *s)
3162 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
3163 +index e37112ac332f7..67b798b7115d8 100644
3164 +--- a/include/linux/skbuff.h
3165 ++++ b/include/linux/skbuff.h
3166 +@@ -1549,6 +1549,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_)
3167 + return list_->qlen;
3168 + }
3169 +
3170 ++/**
3171 ++ * skb_queue_len_lockless - get queue length
3172 ++ * @list_: list to measure
3173 ++ *
3174 ++ * Return the length of an &sk_buff queue.
3175 ++ * This variant can be used in lockless contexts.
3176 ++ */
3177 ++static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_)
3178 ++{
3179 ++ return READ_ONCE(list_->qlen);
3180 ++}
3181 ++
3182 + /**
3183 + * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
3184 + * @list: queue to initialize
3185 +@@ -1752,7 +1764,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
3186 + {
3187 + struct sk_buff *next, *prev;
3188 +
3189 +- list->qlen--;
3190 ++ WRITE_ONCE(list->qlen, list->qlen - 1);
3191 + next = skb->next;
3192 + prev = skb->prev;
3193 + skb->next = skb->prev = NULL;
3194 +@@ -2795,7 +2807,7 @@ static inline int skb_padto(struct sk_buff *skb, unsigned int len)
3195 + * is untouched. Otherwise it is extended. Returns zero on
3196 + * success. The skb is freed on error.
3197 + */
3198 +-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
3199 ++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
3200 + {
3201 + unsigned int size = skb->len;
3202 +
3203 +diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
3204 +index 712469a3103ac..54b30c9bd8b13 100644
3205 +--- a/kernel/audit_watch.c
3206 ++++ b/kernel/audit_watch.c
3207 +@@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent,
3208 + if (oentry->rule.exe)
3209 + audit_remove_mark(oentry->rule.exe);
3210 +
3211 +- audit_watch_log_rule_change(r, owatch, "updated_rules");
3212 +-
3213 + call_rcu(&oentry->rcu, audit_free_rule_rcu);
3214 + }
3215 +
3216 +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
3217 +index 8648d7d297081..1253261fdb3ba 100644
3218 +--- a/kernel/bpf/hashtab.c
3219 ++++ b/kernel/bpf/hashtab.c
3220 +@@ -427,15 +427,7 @@ static void htab_elem_free_rcu(struct rcu_head *head)
3221 + struct htab_elem *l = container_of(head, struct htab_elem, rcu);
3222 + struct bpf_htab *htab = l->htab;
3223 +
3224 +- /* must increment bpf_prog_active to avoid kprobe+bpf triggering while
3225 +- * we're calling kfree, otherwise deadlock is possible if kprobes
3226 +- * are placed somewhere inside of slub
3227 +- */
3228 +- preempt_disable();
3229 +- __this_cpu_inc(bpf_prog_active);
3230 + htab_elem_free(htab, l);
3231 +- __this_cpu_dec(bpf_prog_active);
3232 +- preempt_enable();
3233 + }
3234 +
3235 + static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
3236 +diff --git a/kernel/kprobes.c b/kernel/kprobes.c
3237 +index 9aa2dbe6a4568..3938e4670b89b 100644
3238 +--- a/kernel/kprobes.c
3239 ++++ b/kernel/kprobes.c
3240 +@@ -2012,6 +2012,9 @@ static void kill_kprobe(struct kprobe *p)
3241 + {
3242 + struct kprobe *kp;
3243 +
3244 ++ if (WARN_ON_ONCE(kprobe_gone(p)))
3245 ++ return;
3246 ++
3247 + p->flags |= KPROBE_FLAG_GONE;
3248 + if (kprobe_aggrprobe(p)) {
3249 + /*
3250 +@@ -2032,9 +2035,10 @@ static void kill_kprobe(struct kprobe *p)
3251 +
3252 + /*
3253 + * The module is going away. We should disarm the kprobe which
3254 +- * is using ftrace.
3255 ++ * is using ftrace, because ftrace framework is still available at
3256 ++ * MODULE_STATE_GOING notification.
3257 + */
3258 +- if (kprobe_ftrace(p))
3259 ++ if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed)
3260 + disarm_kprobe_ftrace(p);
3261 + }
3262 +
3263 +@@ -2154,7 +2158,10 @@ static int kprobes_module_callback(struct notifier_block *nb,
3264 + mutex_lock(&kprobe_mutex);
3265 + for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
3266 + head = &kprobe_table[i];
3267 +- hlist_for_each_entry_rcu(p, head, hlist)
3268 ++ hlist_for_each_entry_rcu(p, head, hlist) {
3269 ++ if (kprobe_gone(p))
3270 ++ continue;
3271 ++
3272 + if (within_module_init((unsigned long)p->addr, mod) ||
3273 + (checkcore &&
3274 + within_module_core((unsigned long)p->addr, mod))) {
3275 +@@ -2165,6 +2172,7 @@ static int kprobes_module_callback(struct notifier_block *nb,
3276 + */
3277 + kill_kprobe(p);
3278 + }
3279 ++ }
3280 + }
3281 + mutex_unlock(&kprobe_mutex);
3282 + return NOTIFY_DONE;
3283 +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
3284 +index c1873d325ebda..7acae2f2478d9 100644
3285 +--- a/kernel/printk/printk.c
3286 ++++ b/kernel/printk/printk.c
3287 +@@ -2035,6 +2035,9 @@ static int __init console_setup(char *str)
3288 + char *s, *options, *brl_options = NULL;
3289 + int idx;
3290 +
3291 ++ if (str[0] == 0)
3292 ++ return 1;
3293 ++
3294 + if (_braille_console_setup(&str, &brl_options))
3295 + return 1;
3296 +
3297 +diff --git a/kernel/sys.c b/kernel/sys.c
3298 +index 157277cbf83aa..546cdc911dad4 100644
3299 +--- a/kernel/sys.c
3300 ++++ b/kernel/sys.c
3301 +@@ -1183,11 +1183,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
3302 +
3303 + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
3304 + {
3305 +- struct oldold_utsname tmp = {};
3306 ++ struct oldold_utsname tmp;
3307 +
3308 + if (!name)
3309 + return -EFAULT;
3310 +
3311 ++ memset(&tmp, 0, sizeof(tmp));
3312 ++
3313 + down_read(&uts_sem);
3314 + memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
3315 + memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
3316 +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
3317 +index e24e1f0c56906..e21b4d8b72405 100644
3318 +--- a/kernel/time/timekeeping.c
3319 ++++ b/kernel/time/timekeeping.c
3320 +@@ -950,9 +950,8 @@ static int scale64_check_overflow(u64 mult, u64 div, u64 *base)
3321 + ((int)sizeof(u64)*8 - fls64(mult) < fls64(rem)))
3322 + return -EOVERFLOW;
3323 + tmp *= mult;
3324 +- rem *= mult;
3325 +
3326 +- do_div(rem, div);
3327 ++ rem = div64_u64(rem * mult, div);
3328 + *base = tmp + rem;
3329 + return 0;
3330 + }
3331 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
3332 +index b2fb25aefb2fc..2388fb50d1885 100644
3333 +--- a/kernel/trace/trace.c
3334 ++++ b/kernel/trace/trace.c
3335 +@@ -2600,6 +2600,9 @@ int trace_array_printk(struct trace_array *tr,
3336 + if (!(global_trace.trace_flags & TRACE_ITER_PRINTK))
3337 + return 0;
3338 +
3339 ++ if (!tr)
3340 ++ return -ENOENT;
3341 ++
3342 + va_start(ap, fmt);
3343 + ret = trace_array_vprintk(tr, ip, fmt, ap);
3344 + va_end(ap);
3345 +@@ -7693,7 +7696,7 @@ __init static int tracer_alloc_buffers(void)
3346 + goto out_free_buffer_mask;
3347 +
3348 + /* Only allocate trace_printk buffers if a trace_printk exists */
3349 +- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt)
3350 ++ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt)
3351 + /* Must be called before global_trace.buffer is allocated */
3352 + trace_printk_init_buffers();
3353 +
3354 +diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h
3355 +index d1cc37e78f997..1430f6bbb1a07 100644
3356 +--- a/kernel/trace/trace_entries.h
3357 ++++ b/kernel/trace/trace_entries.h
3358 +@@ -178,7 +178,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry,
3359 +
3360 + F_STRUCT(
3361 + __field( int, size )
3362 +- __dynamic_array(unsigned long, caller )
3363 ++ __array( unsigned long, caller, FTRACE_STACK_ENTRIES )
3364 + ),
3365 +
3366 + F_printk("\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n"
3367 +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
3368 +index af969f753e5e9..5bf072e437c41 100644
3369 +--- a/kernel/trace/trace_events.c
3370 ++++ b/kernel/trace/trace_events.c
3371 +@@ -790,6 +790,8 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
3372 + char *event = NULL, *sub = NULL, *match;
3373 + int ret;
3374 +
3375 ++ if (!tr)
3376 ++ return -ENOENT;
3377 + /*
3378 + * The buf format can be <subsystem>:<event-name>
3379 + * *:<event-name> means any event by that name.
3380 +diff --git a/lib/string.c b/lib/string.c
3381 +index 8f1a2a04e22f5..d099762a9bd60 100644
3382 +--- a/lib/string.c
3383 ++++ b/lib/string.c
3384 +@@ -235,6 +235,30 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
3385 + EXPORT_SYMBOL(strscpy);
3386 + #endif
3387 +
3388 ++/**
3389 ++ * stpcpy - copy a string from src to dest returning a pointer to the new end
3390 ++ * of dest, including src's %NUL-terminator. May overrun dest.
3391 ++ * @dest: pointer to end of string being copied into. Must be large enough
3392 ++ * to receive copy.
3393 ++ * @src: pointer to the beginning of string being copied from. Must not overlap
3394 ++ * dest.
3395 ++ *
3396 ++ * stpcpy differs from strcpy in a key way: the return value is a pointer
3397 ++ * to the new %NUL-terminating character in @dest. (For strcpy, the return
3398 ++ * value is a pointer to the start of @dest). This interface is considered
3399 ++ * unsafe as it doesn't perform bounds checking of the inputs. As such it's
3400 ++ * not recommended for usage. Instead, its definition is provided in case
3401 ++ * the compiler lowers other libcalls to stpcpy.
3402 ++ */
3403 ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src);
3404 ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src)
3405 ++{
3406 ++ while ((*dest++ = *src++) != '\0')
3407 ++ /* nothing */;
3408 ++ return --dest;
3409 ++}
3410 ++EXPORT_SYMBOL(stpcpy);
3411 ++
3412 + #ifndef __HAVE_ARCH_STRCAT
3413 + /**
3414 + * strcat - Append one %NUL-terminated string to another
3415 +diff --git a/mm/filemap.c b/mm/filemap.c
3416 +index b046d8f147e20..05af91f495f53 100644
3417 +--- a/mm/filemap.c
3418 ++++ b/mm/filemap.c
3419 +@@ -2474,6 +2474,14 @@ filler:
3420 + unlock_page(page);
3421 + goto out;
3422 + }
3423 ++
3424 ++ /*
3425 ++ * A previous I/O error may have been due to temporary
3426 ++ * failures.
3427 ++ * Clear page error before actual read, PG_error will be
3428 ++ * set again if read page fails.
3429 ++ */
3430 ++ ClearPageError(page);
3431 + goto filler;
3432 +
3433 + out:
3434 +diff --git a/mm/mmap.c b/mm/mmap.c
3435 +index 7109f886e739e..7c8815636c482 100644
3436 +--- a/mm/mmap.c
3437 ++++ b/mm/mmap.c
3438 +@@ -2028,6 +2028,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
3439 + info.low_limit = mm->mmap_base;
3440 + info.high_limit = TASK_SIZE;
3441 + info.align_mask = 0;
3442 ++ info.align_offset = 0;
3443 + return vm_unmapped_area(&info);
3444 + }
3445 + #endif
3446 +@@ -2069,6 +2070,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
3447 + info.low_limit = max(PAGE_SIZE, mmap_min_addr);
3448 + info.high_limit = mm->mmap_base;
3449 + info.align_mask = 0;
3450 ++ info.align_offset = 0;
3451 + addr = vm_unmapped_area(&info);
3452 +
3453 + /*
3454 +diff --git a/mm/pagewalk.c b/mm/pagewalk.c
3455 +index d95341cffc2f6..8d6290502631a 100644
3456 +--- a/mm/pagewalk.c
3457 ++++ b/mm/pagewalk.c
3458 +@@ -14,9 +14,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
3459 + err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
3460 + if (err)
3461 + break;
3462 +- addr += PAGE_SIZE;
3463 +- if (addr == end)
3464 ++ if (addr >= end - PAGE_SIZE)
3465 + break;
3466 ++ addr += PAGE_SIZE;
3467 + pte++;
3468 + }
3469 +
3470 +diff --git a/net/atm/lec.c b/net/atm/lec.c
3471 +index 704892d79bf19..756429c95e859 100644
3472 +--- a/net/atm/lec.c
3473 ++++ b/net/atm/lec.c
3474 +@@ -1290,6 +1290,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
3475 + entry->vcc = NULL;
3476 + }
3477 + if (entry->recv_vcc) {
3478 ++ struct atm_vcc *vcc = entry->recv_vcc;
3479 ++ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
3480 ++
3481 ++ kfree(vpriv);
3482 ++ vcc->user_back = NULL;
3483 ++
3484 + entry->recv_vcc->push = entry->old_recv_push;
3485 + vcc_release_async(entry->recv_vcc, -EPIPE);
3486 + entry->recv_vcc = NULL;
3487 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
3488 +index e545b42ab0b98..516c45771d59b 100644
3489 +--- a/net/batman-adv/bridge_loop_avoidance.c
3490 ++++ b/net/batman-adv/bridge_loop_avoidance.c
3491 +@@ -36,6 +36,7 @@
3492 + #include <linux/lockdep.h>
3493 + #include <linux/netdevice.h>
3494 + #include <linux/netlink.h>
3495 ++#include <linux/preempt.h>
3496 + #include <linux/rculist.h>
3497 + #include <linux/rcupdate.h>
3498 + #include <linux/seq_file.h>
3499 +@@ -95,11 +96,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
3500 + */
3501 + static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
3502 + {
3503 +- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
3504 ++ const struct batadv_bla_backbone_gw *gw;
3505 + u32 hash = 0;
3506 +
3507 +- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
3508 +- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
3509 ++ gw = (struct batadv_bla_backbone_gw *)data;
3510 ++ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
3511 ++ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
3512 +
3513 + return hash % size;
3514 + }
3515 +@@ -1820,7 +1822,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
3516 + * @bat_priv: the bat priv with all the soft interface information
3517 + * @skb: the frame to be checked
3518 + * @vid: the VLAN ID of the frame
3519 +- * @is_bcast: the packet came in a broadcast packet type.
3520 ++ * @packet_type: the batman packet type this frame came in
3521 + *
3522 + * batadv_bla_rx avoidance checks if:
3523 + * * we have to race for a claim
3524 +@@ -1832,7 +1834,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
3525 + * further process the skb.
3526 + */
3527 + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
3528 +- unsigned short vid, bool is_bcast)
3529 ++ unsigned short vid, int packet_type)
3530 + {
3531 + struct batadv_bla_backbone_gw *backbone_gw;
3532 + struct ethhdr *ethhdr;
3533 +@@ -1854,9 +1856,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
3534 + goto handled;
3535 +
3536 + if (unlikely(atomic_read(&bat_priv->bla.num_requests)))
3537 +- /* don't allow broadcasts while requests are in flight */
3538 +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast)
3539 +- goto handled;
3540 ++ /* don't allow multicast packets while requests are in flight */
3541 ++ if (is_multicast_ether_addr(ethhdr->h_dest))
3542 ++ /* Both broadcast flooding or multicast-via-unicasts
3543 ++ * delivery might send to multiple backbone gateways
3544 ++ * sharing the same LAN and therefore need to coordinate
3545 ++ * which backbone gateway forwards into the LAN,
3546 ++ * by claiming the payload source address.
3547 ++ *
3548 ++ * Broadcast flooding and multicast-via-unicasts
3549 ++ * delivery use the following two batman packet types.
3550 ++ * Note: explicitly exclude BATADV_UNICAST_4ADDR,
3551 ++ * as the DHCP gateway feature will send explicitly
3552 ++ * to only one BLA gateway, so the claiming process
3553 ++ * should be avoided there.
3554 ++ */
3555 ++ if (packet_type == BATADV_BCAST ||
3556 ++ packet_type == BATADV_UNICAST)
3557 ++ goto handled;
3558 +
3559 + ether_addr_copy(search_claim.addr, ethhdr->h_source);
3560 + search_claim.vid = vid;
3561 +@@ -1884,13 +1901,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
3562 + goto allow;
3563 + }
3564 +
3565 +- /* if it is a broadcast ... */
3566 +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) {
3567 ++ /* if it is a multicast ... */
3568 ++ if (is_multicast_ether_addr(ethhdr->h_dest) &&
3569 ++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) {
3570 + /* ... drop it. the responsible gateway is in charge.
3571 + *
3572 +- * We need to check is_bcast because with the gateway
3573 ++ * We need to check packet type because with the gateway
3574 + * feature, broadcasts (like DHCP requests) may be sent
3575 +- * using a unicast packet type.
3576 ++ * using a unicast 4 address packet type. See comment above.
3577 + */
3578 + goto handled;
3579 + } else {
3580 +diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h
3581 +index 1ae93e46fb984..40b8ec9d4b1b5 100644
3582 +--- a/net/batman-adv/bridge_loop_avoidance.h
3583 ++++ b/net/batman-adv/bridge_loop_avoidance.h
3584 +@@ -29,7 +29,7 @@ struct sk_buff;
3585 +
3586 + #ifdef CONFIG_BATMAN_ADV_BLA
3587 + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
3588 +- unsigned short vid, bool is_bcast);
3589 ++ unsigned short vid, int packet_type);
3590 + bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
3591 + unsigned short vid);
3592 + bool batadv_bla_is_backbone_gw(struct sk_buff *skb,
3593 +@@ -56,7 +56,7 @@ int batadv_bla_claim_dump(struct sk_buff *msg, struct netlink_callback *cb);
3594 +
3595 + static inline bool batadv_bla_rx(struct batadv_priv *bat_priv,
3596 + struct sk_buff *skb, unsigned short vid,
3597 +- bool is_bcast)
3598 ++ int packet_type)
3599 + {
3600 + return false;
3601 + }
3602 +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
3603 +index 19059ae26e519..1ba205c3ea9fa 100644
3604 +--- a/net/batman-adv/routing.c
3605 ++++ b/net/batman-adv/routing.c
3606 +@@ -803,6 +803,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
3607 + vid = batadv_get_vid(skb, hdr_len);
3608 + ethhdr = (struct ethhdr *)(skb->data + hdr_len);
3609 +
3610 ++ /* do not reroute multicast frames in a unicast header */
3611 ++ if (is_multicast_ether_addr(ethhdr->h_dest))
3612 ++ return true;
3613 ++
3614 + /* check if the destination client was served by this node and it is now
3615 + * roaming. In this case, it means that the node has got a ROAM_ADV
3616 + * message and that it knows the new destination in the mesh to re-route
3617 +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
3618 +index 99d2c453c8722..af0a8439cf08a 100644
3619 +--- a/net/batman-adv/soft-interface.c
3620 ++++ b/net/batman-adv/soft-interface.c
3621 +@@ -415,10 +415,10 @@ void batadv_interface_rx(struct net_device *soft_iface,
3622 + struct vlan_ethhdr *vhdr;
3623 + struct ethhdr *ethhdr;
3624 + unsigned short vid;
3625 +- bool is_bcast;
3626 ++ int packet_type;
3627 +
3628 + batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data;
3629 +- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST);
3630 ++ packet_type = batadv_bcast_packet->packet_type;
3631 +
3632 + skb_pull_rcsum(skb, hdr_size);
3633 + skb_reset_mac_header(skb);
3634 +@@ -463,7 +463,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
3635 + /* Let the bridge loop avoidance check the packet. If will
3636 + * not handle it, we can safely push it up.
3637 + */
3638 +- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast))
3639 ++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type))
3640 + goto out;
3641 +
3642 + if (orig_node)
3643 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
3644 +index 757977c54d9ef..d6da119f5082e 100644
3645 +--- a/net/bluetooth/hci_event.c
3646 ++++ b/net/bluetooth/hci_event.c
3647 +@@ -41,12 +41,27 @@
3648 +
3649 + /* Handle HCI Event packets */
3650 +
3651 +-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
3652 ++static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
3653 ++ u8 *new_status)
3654 + {
3655 + __u8 status = *((__u8 *) skb->data);
3656 +
3657 + BT_DBG("%s status 0x%2.2x", hdev->name, status);
3658 +
3659 ++ /* It is possible that we receive Inquiry Complete event right
3660 ++ * before we receive Inquiry Cancel Command Complete event, in
3661 ++ * which case the latter event should have status of Command
3662 ++ * Disallowed (0x0c). This should not be treated as error, since
3663 ++ * we actually achieve what Inquiry Cancel wants to achieve,
3664 ++ * which is to end the last Inquiry session.
3665 ++ */
3666 ++ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
3667 ++ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
3668 ++ status = 0x00;
3669 ++ }
3670 ++
3671 ++ *new_status = status;
3672 ++
3673 + if (status)
3674 + return;
3675 +
3676 +@@ -2772,7 +2787,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3677 +
3678 + switch (*opcode) {
3679 + case HCI_OP_INQUIRY_CANCEL:
3680 +- hci_cc_inquiry_cancel(hdev, skb);
3681 ++ hci_cc_inquiry_cancel(hdev, skb, status);
3682 + break;
3683 +
3684 + case HCI_OP_PERIODIC_INQ:
3685 +@@ -5257,6 +5272,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
3686 + u8 status = 0, event = hdr->evt, req_evt = 0;
3687 + u16 opcode = HCI_OP_NOP;
3688 +
3689 ++ if (!event) {
3690 ++ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
3691 ++ goto done;
3692 ++ }
3693 ++
3694 + if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
3695 + struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
3696 + opcode = __le16_to_cpu(cmd_hdr->opcode);
3697 +@@ -5468,6 +5488,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
3698 + req_complete_skb(hdev, status, opcode, orig_skb);
3699 + }
3700 +
3701 ++done:
3702 + kfree_skb(orig_skb);
3703 + kfree_skb(skb);
3704 + hdev->stat.evt_rx++;
3705 +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
3706 +index 11012a5090708..5e3f5c1ba07d6 100644
3707 +--- a/net/bluetooth/l2cap_core.c
3708 ++++ b/net/bluetooth/l2cap_core.c
3709 +@@ -414,6 +414,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
3710 + BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
3711 +
3712 + mutex_lock(&conn->chan_lock);
3713 ++ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
3714 ++ * this work. No need to call l2cap_chan_hold(chan) here again.
3715 ++ */
3716 + l2cap_chan_lock(chan);
3717 +
3718 + if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
3719 +@@ -426,12 +429,12 @@ static void l2cap_chan_timeout(struct work_struct *work)
3720 +
3721 + l2cap_chan_close(chan, reason);
3722 +
3723 +- l2cap_chan_unlock(chan);
3724 +-
3725 + chan->ops->close(chan);
3726 +- mutex_unlock(&conn->chan_lock);
3727 +
3728 ++ l2cap_chan_unlock(chan);
3729 + l2cap_chan_put(chan);
3730 ++
3731 ++ mutex_unlock(&conn->chan_lock);
3732 + }
3733 +
3734 + struct l2cap_chan *l2cap_chan_create(void)
3735 +@@ -1725,9 +1728,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
3736 +
3737 + l2cap_chan_del(chan, err);
3738 +
3739 +- l2cap_chan_unlock(chan);
3740 +-
3741 + chan->ops->close(chan);
3742 ++
3743 ++ l2cap_chan_unlock(chan);
3744 + l2cap_chan_put(chan);
3745 + }
3746 +
3747 +@@ -4104,7 +4107,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
3748 + return 0;
3749 + }
3750 +
3751 +- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
3752 ++ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
3753 ++ chan->state != BT_CONNECTED) {
3754 + cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
3755 + chan->dcid);
3756 + goto unlock;
3757 +@@ -4327,6 +4331,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3758 + return 0;
3759 + }
3760 +
3761 ++ l2cap_chan_hold(chan);
3762 + l2cap_chan_lock(chan);
3763 +
3764 + rsp.dcid = cpu_to_le16(chan->scid);
3765 +@@ -4335,12 +4340,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3766 +
3767 + chan->ops->set_shutdown(chan);
3768 +
3769 +- l2cap_chan_hold(chan);
3770 + l2cap_chan_del(chan, ECONNRESET);
3771 +
3772 +- l2cap_chan_unlock(chan);
3773 +-
3774 + chan->ops->close(chan);
3775 ++
3776 ++ l2cap_chan_unlock(chan);
3777 + l2cap_chan_put(chan);
3778 +
3779 + mutex_unlock(&conn->chan_lock);
3780 +@@ -4372,20 +4376,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3781 + return 0;
3782 + }
3783 +
3784 ++ l2cap_chan_hold(chan);
3785 + l2cap_chan_lock(chan);
3786 +
3787 + if (chan->state != BT_DISCONN) {
3788 + l2cap_chan_unlock(chan);
3789 ++ l2cap_chan_put(chan);
3790 + mutex_unlock(&conn->chan_lock);
3791 + return 0;
3792 + }
3793 +
3794 +- l2cap_chan_hold(chan);
3795 + l2cap_chan_del(chan, 0);
3796 +
3797 +- l2cap_chan_unlock(chan);
3798 +-
3799 + chan->ops->close(chan);
3800 ++
3801 ++ l2cap_chan_unlock(chan);
3802 + l2cap_chan_put(chan);
3803 +
3804 + mutex_unlock(&conn->chan_lock);
3805 +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
3806 +index a8ba752732c98..bbf08c6092f4a 100644
3807 +--- a/net/bluetooth/l2cap_sock.c
3808 ++++ b/net/bluetooth/l2cap_sock.c
3809 +@@ -1038,7 +1038,7 @@ done:
3810 + }
3811 +
3812 + /* Kill socket (only if zapped and orphan)
3813 +- * Must be called on unlocked socket.
3814 ++ * Must be called on unlocked socket, with l2cap channel lock.
3815 + */
3816 + static void l2cap_sock_kill(struct sock *sk)
3817 + {
3818 +@@ -1189,6 +1189,7 @@ static int l2cap_sock_release(struct socket *sock)
3819 + {
3820 + struct sock *sk = sock->sk;
3821 + int err;
3822 ++ struct l2cap_chan *chan;
3823 +
3824 + BT_DBG("sock %p, sk %p", sock, sk);
3825 +
3826 +@@ -1198,9 +1199,17 @@ static int l2cap_sock_release(struct socket *sock)
3827 + bt_sock_unlink(&l2cap_sk_list, sk);
3828 +
3829 + err = l2cap_sock_shutdown(sock, 2);
3830 ++ chan = l2cap_pi(sk)->chan;
3831 ++
3832 ++ l2cap_chan_hold(chan);
3833 ++ l2cap_chan_lock(chan);
3834 +
3835 + sock_orphan(sk);
3836 + l2cap_sock_kill(sk);
3837 ++
3838 ++ l2cap_chan_unlock(chan);
3839 ++ l2cap_chan_put(chan);
3840 ++
3841 + return err;
3842 + }
3843 +
3844 +@@ -1218,12 +1227,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
3845 + BT_DBG("child chan %p state %s", chan,
3846 + state_to_string(chan->state));
3847 +
3848 ++ l2cap_chan_hold(chan);
3849 + l2cap_chan_lock(chan);
3850 ++
3851 + __clear_chan_timer(chan);
3852 + l2cap_chan_close(chan, ECONNRESET);
3853 +- l2cap_chan_unlock(chan);
3854 +-
3855 + l2cap_sock_kill(sk);
3856 ++
3857 ++ l2cap_chan_unlock(chan);
3858 ++ l2cap_chan_put(chan);
3859 + }
3860 + }
3861 +
3862 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
3863 +index 6578d1f8e6c4a..d267dc04d9f74 100644
3864 +--- a/net/core/neighbour.c
3865 ++++ b/net/core/neighbour.c
3866 +@@ -2797,6 +2797,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3867 + *pos = cpu+1;
3868 + return per_cpu_ptr(tbl->stats, cpu);
3869 + }
3870 ++ (*pos)++;
3871 + return NULL;
3872 + }
3873 +
3874 +diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
3875 +index aead5ac4dbf68..ea07c91ab3488 100644
3876 +--- a/net/hsr/hsr_device.c
3877 ++++ b/net/hsr/hsr_device.c
3878 +@@ -315,7 +315,8 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
3879 + hsr_sp = (typeof(hsr_sp)) skb_put(skb, sizeof(struct hsr_sup_payload));
3880 + ether_addr_copy(hsr_sp->MacAddressA, master->dev->dev_addr);
3881 +
3882 +- skb_put_padto(skb, ETH_ZLEN + HSR_HLEN);
3883 ++ if (skb_put_padto(skb, ETH_ZLEN + HSR_HLEN))
3884 ++ return;
3885 +
3886 + hsr_forward_skb(skb, master);
3887 + return;
3888 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
3889 +index 4f3decbe6a3a5..c37e9598262e5 100644
3890 +--- a/net/ipv4/ip_output.c
3891 ++++ b/net/ipv4/ip_output.c
3892 +@@ -73,6 +73,7 @@
3893 + #include <net/icmp.h>
3894 + #include <net/checksum.h>
3895 + #include <net/inetpeer.h>
3896 ++#include <net/inet_ecn.h>
3897 + #include <net/lwtunnel.h>
3898 + #include <linux/igmp.h>
3899 + #include <linux/netfilter_ipv4.h>
3900 +@@ -1611,7 +1612,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
3901 + if (IS_ERR(rt))
3902 + return;
3903 +
3904 +- inet_sk(sk)->tos = arg->tos;
3905 ++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
3906 +
3907 + sk->sk_priority = skb->priority;
3908 + sk->sk_protocol = ip_hdr(skb)->protocol;
3909 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
3910 +index c8c51bd2d695b..e9aae4686536a 100644
3911 +--- a/net/ipv4/route.c
3912 ++++ b/net/ipv4/route.c
3913 +@@ -271,6 +271,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3914 + *pos = cpu+1;
3915 + return &per_cpu(rt_cache_stat, cpu);
3916 + }
3917 ++ (*pos)++;
3918 + return NULL;
3919 +
3920 + }
3921 +diff --git a/net/key/af_key.c b/net/key/af_key.c
3922 +index d2ec620319d76..76a008b1cbe5f 100644
3923 +--- a/net/key/af_key.c
3924 ++++ b/net/key/af_key.c
3925 +@@ -1873,6 +1873,13 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
3926 + if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
3927 + struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
3928 +
3929 ++ if ((xfilter->sadb_x_filter_splen >=
3930 ++ (sizeof(xfrm_address_t) << 3)) ||
3931 ++ (xfilter->sadb_x_filter_dplen >=
3932 ++ (sizeof(xfrm_address_t) << 3))) {
3933 ++ mutex_unlock(&pfk->dump_lock);
3934 ++ return -EINVAL;
3935 ++ }
3936 + filter = kmalloc(sizeof(*filter), GFP_KERNEL);
3937 + if (filter == NULL) {
3938 + mutex_unlock(&pfk->dump_lock);
3939 +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
3940 +index bcd1a5e6ebf42..2f873a0dc5836 100644
3941 +--- a/net/mac802154/tx.c
3942 ++++ b/net/mac802154/tx.c
3943 +@@ -42,11 +42,11 @@ void ieee802154_xmit_worker(struct work_struct *work)
3944 + if (res)
3945 + goto err_tx;
3946 +
3947 +- ieee802154_xmit_complete(&local->hw, skb, false);
3948 +-
3949 + dev->stats.tx_packets++;
3950 + dev->stats.tx_bytes += skb->len;
3951 +
3952 ++ ieee802154_xmit_complete(&local->hw, skb, false);
3953 ++
3954 + return;
3955 +
3956 + err_tx:
3957 +@@ -86,6 +86,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
3958 +
3959 + /* async is priority, otherwise sync is fallback */
3960 + if (local->ops->xmit_async) {
3961 ++ unsigned int len = skb->len;
3962 ++
3963 + ret = drv_xmit_async(local, skb);
3964 + if (ret) {
3965 + ieee802154_wake_queue(&local->hw);
3966 +@@ -93,7 +95,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
3967 + }
3968 +
3969 + dev->stats.tx_packets++;
3970 +- dev->stats.tx_bytes += skb->len;
3971 ++ dev->stats.tx_bytes += len;
3972 + } else {
3973 + local->tx_skb = skb;
3974 + queue_work(local->workqueue, &local->tx_work);
3975 +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
3976 +index 42ce3ed216376..56e4ac8e2e994 100644
3977 +--- a/net/sunrpc/svc_xprt.c
3978 ++++ b/net/sunrpc/svc_xprt.c
3979 +@@ -103,8 +103,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl)
3980 + }
3981 + EXPORT_SYMBOL_GPL(svc_unreg_xprt_class);
3982 +
3983 +-/*
3984 +- * Format the transport list for printing
3985 ++/**
3986 ++ * svc_print_xprts - Format the transport list for printing
3987 ++ * @buf: target buffer for formatted address
3988 ++ * @maxlen: length of target buffer
3989 ++ *
3990 ++ * Fills in @buf with a string containing a list of transport names, each name
3991 ++ * terminated with '\n'. If the buffer is too small, some entries may be
3992 ++ * missing, but it is guaranteed that all lines in the output buffer are
3993 ++ * complete.
3994 ++ *
3995 ++ * Returns positive length of the filled-in string.
3996 + */
3997 + int svc_print_xprts(char *buf, int maxlen)
3998 + {
3999 +@@ -117,9 +126,9 @@ int svc_print_xprts(char *buf, int maxlen)
4000 + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) {
4001 + int slen;
4002 +
4003 +- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload);
4004 +- slen = strlen(tmpstr);
4005 +- if (len + slen > maxlen)
4006 ++ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n",
4007 ++ xcl->xcl_name, xcl->xcl_max_payload);
4008 ++ if (slen >= sizeof(tmpstr) || len + slen >= maxlen)
4009 + break;
4010 + len += slen;
4011 + strcat(buf, tmpstr);
4012 +diff --git a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
4013 +index 6035c5a380a6b..b3d48c6243c80 100644
4014 +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
4015 ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
4016 +@@ -277,6 +277,7 @@ xprt_rdma_bc_put(struct rpc_xprt *xprt)
4017 + {
4018 + dprintk("svcrdma: %s: xprt %p\n", __func__, xprt);
4019 +
4020 ++ xprt_rdma_free_addresses(xprt);
4021 + xprt_free(xprt);
4022 + module_put(THIS_MODULE);
4023 + }
4024 +diff --git a/net/tipc/msg.c b/net/tipc/msg.c
4025 +index 912f1fb97c06d..ea554756a786d 100644
4026 +--- a/net/tipc/msg.c
4027 ++++ b/net/tipc/msg.c
4028 +@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
4029 + if (fragid == FIRST_FRAGMENT) {
4030 + if (unlikely(head))
4031 + goto err;
4032 +- if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
4033 ++ frag = skb_unshare(frag, GFP_ATOMIC);
4034 ++ if (unlikely(!frag))
4035 + goto err;
4036 + head = *headbuf = frag;
4037 + *buf = NULL;
4038 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
4039 +index 32ae82a5596d9..bcd6ed6e7e25c 100644
4040 +--- a/net/unix/af_unix.c
4041 ++++ b/net/unix/af_unix.c
4042 +@@ -191,11 +191,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk)
4043 + return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
4044 + }
4045 +
4046 +-static inline int unix_recvq_full(struct sock const *sk)
4047 ++static inline int unix_recvq_full(const struct sock *sk)
4048 + {
4049 + return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
4050 + }
4051 +
4052 ++static inline int unix_recvq_full_lockless(const struct sock *sk)
4053 ++{
4054 ++ return skb_queue_len_lockless(&sk->sk_receive_queue) >
4055 ++ READ_ONCE(sk->sk_max_ack_backlog);
4056 ++}
4057 ++
4058 + struct sock *unix_peer_get(struct sock *s)
4059 + {
4060 + struct sock *peer;
4061 +@@ -1793,7 +1799,8 @@ restart_locked:
4062 + * - unix_peer(sk) == sk by time of get but disconnected before lock
4063 + */
4064 + if (other != sk &&
4065 +- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
4066 ++ unlikely(unix_peer(other) != sk &&
4067 ++ unix_recvq_full_lockless(other))) {
4068 + if (timeo) {
4069 + timeo = unix_wait_for_peer(other, timeo);
4070 +
4071 +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
4072 +index 72c145dd799f1..ef1226c1c3add 100644
4073 +--- a/security/selinux/selinuxfs.c
4074 ++++ b/security/selinux/selinuxfs.c
4075 +@@ -1416,6 +1416,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx)
4076 + *idx = cpu + 1;
4077 + return &per_cpu(avc_cache_stats, cpu);
4078 + }
4079 ++ (*idx)++;
4080 + return NULL;
4081 + }
4082 +
4083 +diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c
4084 +index 0e81ea89a5965..e3f68a76d90eb 100644
4085 +--- a/sound/hda/hdac_bus.c
4086 ++++ b/sound/hda/hdac_bus.c
4087 +@@ -155,6 +155,7 @@ static void process_unsol_events(struct work_struct *work)
4088 + struct hdac_driver *drv;
4089 + unsigned int rp, caddr, res;
4090 +
4091 ++ spin_lock_irq(&bus->reg_lock);
4092 + while (bus->unsol_rp != bus->unsol_wp) {
4093 + rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE;
4094 + bus->unsol_rp = rp;
4095 +@@ -166,10 +167,13 @@ static void process_unsol_events(struct work_struct *work)
4096 + codec = bus->caddr_tbl[caddr & 0x0f];
4097 + if (!codec || !codec->dev.driver)
4098 + continue;
4099 ++ spin_unlock_irq(&bus->reg_lock);
4100 + drv = drv_to_hdac_driver(codec->dev.driver);
4101 + if (drv->unsol_event)
4102 + drv->unsol_event(codec, res);
4103 ++ spin_lock_irq(&bus->reg_lock);
4104 + }
4105 ++ spin_unlock_irq(&bus->reg_lock);
4106 + }
4107 +
4108 + /**
4109 +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
4110 +index 3ef9af53ef497..0d5ff00cdabca 100644
4111 +--- a/sound/pci/asihpi/hpioctl.c
4112 ++++ b/sound/pci/asihpi/hpioctl.c
4113 +@@ -346,7 +346,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
4114 + struct hpi_message hm;
4115 + struct hpi_response hr;
4116 + struct hpi_adapter adapter;
4117 +- struct hpi_pci pci;
4118 ++ struct hpi_pci pci = { 0 };
4119 +
4120 + memset(&adapter, 0, sizeof(adapter));
4121 +
4122 +@@ -502,7 +502,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
4123 + return 0;
4124 +
4125 + err:
4126 +- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
4127 ++ while (--idx >= 0) {
4128 + if (pci.ap_mem_base[idx]) {
4129 + iounmap(pci.ap_mem_base[idx]);
4130 + pci.ap_mem_base[idx] = NULL;
4131 +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
4132 +index bd0e4710d15d7..79043b481d7b6 100644
4133 +--- a/sound/pci/hda/hda_controller.c
4134 ++++ b/sound/pci/hda/hda_controller.c
4135 +@@ -1158,16 +1158,23 @@ irqreturn_t azx_interrupt(int irq, void *dev_id)
4136 + if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update))
4137 + active = true;
4138 +
4139 +- /* clear rirb int */
4140 + status = azx_readb(chip, RIRBSTS);
4141 + if (status & RIRB_INT_MASK) {
4142 ++ /*
4143 ++ * Clearing the interrupt status here ensures that no
4144 ++ * interrupt gets masked after the RIRB wp is read in
4145 ++ * snd_hdac_bus_update_rirb. This avoids a possible
4146 ++ * race condition where codec response in RIRB may
4147 ++ * remain unserviced by IRQ, eventually falling back
4148 ++ * to polling mode in azx_rirb_get_response.
4149 ++ */
4150 ++ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK);
4151 + active = true;
4152 + if (status & RIRB_INT_RESPONSE) {
4153 + if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND)
4154 + udelay(80);
4155 + snd_hdac_bus_update_rirb(bus);
4156 + }
4157 +- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK);
4158 + }
4159 + } while (active && ++repeat < 10);
4160 +
4161 +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c
4162 +index dafd22e874e99..e655425e4819e 100644
4163 +--- a/sound/soc/kirkwood/kirkwood-dma.c
4164 ++++ b/sound/soc/kirkwood/kirkwood-dma.c
4165 +@@ -136,7 +136,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream)
4166 + err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED,
4167 + "kirkwood-i2s", priv);
4168 + if (err)
4169 +- return -EBUSY;
4170 ++ return err;
4171 +
4172 + /*
4173 + * Enable Error interrupts. We're only ack'ing them but
4174 +diff --git a/sound/usb/midi.c b/sound/usb/midi.c
4175 +index 0676e7d485def..b8d4b5b3e54a1 100644
4176 +--- a/sound/usb/midi.c
4177 ++++ b/sound/usb/midi.c
4178 +@@ -1805,6 +1805,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi,
4179 + return 0;
4180 + }
4181 +
4182 ++static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor(
4183 ++ struct usb_host_endpoint *hostep)
4184 ++{
4185 ++ unsigned char *extra = hostep->extra;
4186 ++ int extralen = hostep->extralen;
4187 ++
4188 ++ while (extralen > 3) {
4189 ++ struct usb_ms_endpoint_descriptor *ms_ep =
4190 ++ (struct usb_ms_endpoint_descriptor *)extra;
4191 ++
4192 ++ if (ms_ep->bLength > 3 &&
4193 ++ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
4194 ++ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
4195 ++ return ms_ep;
4196 ++ if (!extra[0])
4197 ++ break;
4198 ++ extralen -= extra[0];
4199 ++ extra += extra[0];
4200 ++ }
4201 ++ return NULL;
4202 ++}
4203 ++
4204 + /*
4205 + * Returns MIDIStreaming device capabilities.
4206 + */
4207 +@@ -1842,11 +1864,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi,
4208 + ep = get_ep_desc(hostep);
4209 + if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep))
4210 + continue;
4211 +- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra;
4212 +- if (hostep->extralen < 4 ||
4213 +- ms_ep->bLength < 4 ||
4214 +- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT ||
4215 +- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL)
4216 ++ ms_ep = find_usb_ms_endpoint_descriptor(hostep);
4217 ++ if (!ms_ep)
4218 + continue;
4219 + if (usb_endpoint_dir_out(ep)) {
4220 + if (endpoints[epidx].out_ep) {
4221 +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
4222 +index 08e1af85af384..66b7ccb33c7b1 100644
4223 +--- a/sound/usb/quirks.c
4224 ++++ b/sound/usb/quirks.c
4225 +@@ -1320,12 +1320,13 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe,
4226 + && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
4227 + mdelay(20);
4228 +
4229 +- /* Zoom R16/24, Logitech H650e, Jabra 550a, Kingston HyperX needs a tiny
4230 +- * delay here, otherwise requests like get/set frequency return as
4231 +- * failed despite actually succeeding.
4232 ++ /* Zoom R16/24, Logitech H650e/H570e, Jabra 550a, Kingston HyperX
4233 ++ * needs a tiny delay here, otherwise requests like get/set
4234 ++ * frequency return as failed despite actually succeeding.
4235 + */
4236 + if ((chip->usb_id == USB_ID(0x1686, 0x00dd) ||
4237 + chip->usb_id == USB_ID(0x046d, 0x0a46) ||
4238 ++ chip->usb_id == USB_ID(0x046d, 0x0a56) ||
4239 + chip->usb_id == USB_ID(0x0b0e, 0x0349) ||
4240 + chip->usb_id == USB_ID(0x0951, 0x16ad)) &&
4241 + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
4242 +diff --git a/tools/gpio/gpio-hammer.c b/tools/gpio/gpio-hammer.c
4243 +index 37b3f141053df..85f45800f881f 100644
4244 +--- a/tools/gpio/gpio-hammer.c
4245 ++++ b/tools/gpio/gpio-hammer.c
4246 +@@ -171,7 +171,14 @@ int main(int argc, char **argv)
4247 + device_name = optarg;
4248 + break;
4249 + case 'o':
4250 +- lines[i] = strtoul(optarg, NULL, 10);
4251 ++ /*
4252 ++ * Avoid overflow. Do not immediately error, we want to
4253 ++ * be able to accurately report on the amount of times
4254 ++ * '-o' was given to give an accurate error message
4255 ++ */
4256 ++ if (i < GPIOHANDLES_MAX)
4257 ++ lines[i] = strtoul(optarg, NULL, 10);
4258 ++
4259 + i++;
4260 + break;
4261 + case '?':
4262 +@@ -179,6 +186,14 @@ int main(int argc, char **argv)
4263 + return -1;
4264 + }
4265 + }
4266 ++
4267 ++ if (i >= GPIOHANDLES_MAX) {
4268 ++ fprintf(stderr,
4269 ++ "Only %d occurences of '-o' are allowed, %d were found\n",
4270 ++ GPIOHANDLES_MAX, i + 1);
4271 ++ return -1;
4272 ++ }
4273 ++
4274 + nlines = i;
4275 +
4276 + if (!device_name || !nlines) {
4277 +diff --git a/tools/objtool/check.c b/tools/objtool/check.c
4278 +index c7399d7f4bc77..31c512f19662e 100644
4279 +--- a/tools/objtool/check.c
4280 ++++ b/tools/objtool/check.c
4281 +@@ -502,7 +502,7 @@ static int add_jump_destinations(struct objtool_file *file)
4282 + insn->type != INSN_JUMP_UNCONDITIONAL)
4283 + continue;
4284 +
4285 +- if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET)
4286 ++ if (insn->offset == FAKE_JUMP_OFFSET)
4287 + continue;
4288 +
4289 + rela = find_rela_by_dest_range(insn->sec, insn->offset,
4290 +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c
4291 +index 031e64ce71564..013e3f5102258 100644
4292 +--- a/tools/perf/util/sort.c
4293 ++++ b/tools/perf/util/sort.c
4294 +@@ -2532,7 +2532,7 @@ static char *prefix_if_not_in(const char *pre, char *str)
4295 + return str;
4296 +
4297 + if (asprintf(&n, "%s,%s", pre, str) < 0)
4298 +- return NULL;
4299 ++ n = NULL;
4300 +
4301 + free(str);
4302 + return n;
4303 +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
4304 +index 5a50326c8158f..e155783c601ab 100644
4305 +--- a/tools/perf/util/symbol-elf.c
4306 ++++ b/tools/perf/util/symbol-elf.c
4307 +@@ -1421,6 +1421,7 @@ struct kcore_copy_info {
4308 + u64 first_symbol;
4309 + u64 last_symbol;
4310 + u64 first_module;
4311 ++ u64 first_module_symbol;
4312 + u64 last_module_symbol;
4313 + struct phdr_data kernel_map;
4314 + struct phdr_data modules_map;
4315 +@@ -1435,6 +1436,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type,
4316 + return 0;
4317 +
4318 + if (strchr(name, '[')) {
4319 ++ if (!kci->first_module_symbol || start < kci->first_module_symbol)
4320 ++ kci->first_module_symbol = start;
4321 + if (start > kci->last_module_symbol)
4322 + kci->last_module_symbol = start;
4323 + return 0;
4324 +@@ -1559,6 +1562,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir,
4325 + kci->etext += page_size;
4326 + }
4327 +
4328 ++ if (kci->first_module_symbol &&
4329 ++ (!kci->first_module || kci->first_module_symbol < kci->first_module))
4330 ++ kci->first_module = kci->first_module_symbol;
4331 ++
4332 + kci->first_module = round_down(kci->first_module, page_size);
4333 +
4334 + if (kci->last_module_symbol) {
4335 +diff --git a/tools/testing/selftests/x86/syscall_nt.c b/tools/testing/selftests/x86/syscall_nt.c
4336 +index 43fcab367fb0a..74e6b3fc2d09e 100644
4337 +--- a/tools/testing/selftests/x86/syscall_nt.c
4338 ++++ b/tools/testing/selftests/x86/syscall_nt.c
4339 +@@ -67,6 +67,7 @@ static void do_it(unsigned long extraflags)
4340 + set_eflags(get_eflags() | extraflags);
4341 + syscall(SYS_getpid);
4342 + flags = get_eflags();
4343 ++ set_eflags(X86_EFLAGS_IF | X86_EFLAGS_FIXED);
4344 + if ((flags & extraflags) == extraflags) {
4345 + printf("[OK]\tThe syscall worked and flags are still set\n");
4346 + } else {
4347 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
4348 +index 4e4bb5dd2dcd5..5bddabb3de7c3 100644
4349 +--- a/virt/kvm/kvm_main.c
4350 ++++ b/virt/kvm/kvm_main.c
4351 +@@ -154,6 +154,7 @@ bool kvm_is_reserved_pfn(kvm_pfn_t pfn)
4352 + */
4353 + if (pfn_valid(pfn))
4354 + return PageReserved(pfn_to_page(pfn)) &&
4355 ++ !is_zero_pfn(pfn) &&
4356 + !kvm_is_zone_device_pfn(pfn);
4357 +
4358 + return true;
4359 +@@ -3639,7 +3640,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
4360 + void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
4361 + struct kvm_io_device *dev)
4362 + {
4363 +- int i;
4364 ++ int i, j;
4365 + struct kvm_io_bus *new_bus, *bus;
4366 +
4367 + bus = kvm->buses[bus_idx];
4368 +@@ -3656,17 +3657,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
4369 +
4370 + new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
4371 + sizeof(struct kvm_io_range)), GFP_KERNEL);
4372 +- if (!new_bus) {
4373 ++ if (new_bus) {
4374 ++ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
4375 ++ new_bus->dev_count--;
4376 ++ memcpy(new_bus->range + i, bus->range + i + 1,
4377 ++ (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
4378 ++ } else {
4379 + pr_err("kvm: failed to shrink bus, removing it completely\n");
4380 +- goto broken;
4381 ++ for (j = 0; j < bus->dev_count; j++) {
4382 ++ if (j == i)
4383 ++ continue;
4384 ++ kvm_iodevice_destructor(bus->range[j].dev);
4385 ++ }
4386 + }
4387 +
4388 +- memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
4389 +- new_bus->dev_count--;
4390 +- memcpy(new_bus->range + i, bus->range + i + 1,
4391 +- (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
4392 +-
4393 +-broken:
4394 + rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
4395 + synchronize_srcu_expedited(&kvm->srcu);
4396 + kfree(bus);
Report Message
Find on MARC Find on Google Groups