diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2018-05-29 06:33:56 -0400 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2018-05-29 06:33:56 -0400 |
| commit | b9fd7bdba6609d0fa42485ee3cdee8f607a321ec (patch) | |
| tree | 209d7b1c7c48a403395f7bf4802d5a47133f9c48 | |
| parent | linux kernel 4.1.49 (diff) | |
| download | linux-patches-4.1.tar.gz linux-patches-4.1.tar.bz2 linux-patches-4.1.zip | |
Linux patches 4.1.50, 4.1.51, 4.1.524.1
| -rw-r--r-- | 0000_README | 12 | ||||
| -rw-r--r-- | 1049_linux-4.1.50.patch | 18012 | ||||
| -rw-r--r-- | 1050_linux-4.1.51.patch | 2698 | ||||
| -rw-r--r-- | 1051_linux-4.1.52.patch | 15535 |
4 files changed, 36257 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 3abfafcf..431a9158 100644 --- a/0000_README +++ b/0000_README @@ -239,6 +239,18 @@ Patch: 1048_linux-4.1.49.patch From: http://www.kernel.org Desc: Linux 4.1.49 +Patch: 1049_linux-4.1.50.patch +From: http://www.kernel.org +Desc: Linux 4.1.50 + +Patch: 1050_linux-4.1.51.patch +From: http://www.kernel.org +Desc: Linux 4.1.51 + +Patch: 1051_linux-4.1.52.patch +From: http://www.kernel.org +Desc: Linux 4.1.52 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1049_linux-4.1.50.patch b/1049_linux-4.1.50.patch new file mode 100644 index 00000000..95262b7d --- /dev/null +++ b/1049_linux-4.1.50.patch @@ -0,0 +1,18012 @@ +diff --git a/Documentation/devicetree/bindings/dma/snps-dma.txt b/Documentation/devicetree/bindings/dma/snps-dma.txt +index c261598164a7..17d43ca27f41 100644 +--- a/Documentation/devicetree/bindings/dma/snps-dma.txt ++++ b/Documentation/devicetree/bindings/dma/snps-dma.txt +@@ -58,6 +58,6 @@ Example: + interrupts = <0 35 0x4>; + status = "disabled"; + dmas = <&dmahost 12 0 1>, +- <&dmahost 13 0 1 0>; ++ <&dmahost 13 1 0>; + dma-names = "rx", "rx"; + }; +diff --git a/Documentation/filesystems/ext4.txt b/Documentation/filesystems/ext4.txt +index 6c0108eb0137..2139ea253142 100644 +--- a/Documentation/filesystems/ext4.txt ++++ b/Documentation/filesystems/ext4.txt +@@ -233,7 +233,7 @@ data_err=ignore(*) Just print an error message if an error occurs + data_err=abort Abort the journal if an error occurs in a file + data buffer in ordered mode. + +-grpid Give objects the same group ID as their creator. ++grpid New objects have the group ID of their parent. + bsdgroups + + nogrpid (*) New objects have the group ID of their creator. +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index 08dc303d0d47..19e9f2e77bdf 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2435,6 +2435,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + nointroute [IA-64] + ++ noinvpcid [X86] Disable the INVPCID cpu feature. ++ + nojitter [IA-64] Disables jitter checking for ITC timers. + + no-kvmclock [X86,KVM] Disable paravirtualized KVM clock driver +@@ -2469,11 +2471,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + nopat [X86] Disable PAT (page attribute table extension of + pagetables) support. + ++ nopcid [X86-64] Disable the PCID cpu feature. ++ + norandmaps Don't use address space randomization. Equivalent to + echo 0 > /proc/sys/kernel/randomize_va_space + +- noreplace-paravirt [X86,IA-64,PV_OPS] Don't patch paravirt_ops +- + noreplace-smp [X86-32,SMP] Don't replace SMP instructions + with UP alternatives + +diff --git a/Documentation/speculation.txt b/Documentation/speculation.txt +new file mode 100644 +index 000000000000..e9e6cbae2841 +--- /dev/null ++++ b/Documentation/speculation.txt +@@ -0,0 +1,90 @@ ++This document explains potential effects of speculation, and how undesirable ++effects can be mitigated portably using common APIs. ++ ++=========== ++Speculation ++=========== ++ ++To improve performance and minimize average latencies, many contemporary CPUs ++employ speculative execution techniques such as branch prediction, performing ++work which may be discarded at a later stage. ++ ++Typically speculative execution cannot be observed from architectural state, ++such as the contents of registers. However, in some cases it is possible to ++observe its impact on microarchitectural state, such as the presence or ++absence of data in caches. Such state may form side-channels which can be ++observed to extract secret information. ++ ++For example, in the presence of branch prediction, it is possible for bounds ++checks to be ignored by code which is speculatively executed. Consider the ++following code: ++ ++ int load_array(int *array, unsigned int index) ++ { ++ if (index >= MAX_ARRAY_ELEMS) ++ return 0; ++ else ++ return array[index]; ++ } ++ ++Which, on arm64, may be compiled to an assembly sequence such as: ++ ++ CMP <index>, #MAX_ARRAY_ELEMS ++ B.LT less ++ MOV <returnval>, #0 ++ RET ++ less: ++ LDR <returnval>, [<array>, <index>] ++ RET ++ ++It is possible that a CPU mis-predicts the conditional branch, and ++speculatively loads array[index], even if index >= MAX_ARRAY_ELEMS. This ++value will subsequently be discarded, but the speculated load may affect ++microarchitectural state which can be subsequently measured. ++ ++More complex sequences involving multiple dependent memory accesses may ++result in sensitive information being leaked. Consider the following ++code, building on the prior example: ++ ++ int load_dependent_arrays(int *arr1, int *arr2, int index) ++ { ++ int val1, val2, ++ ++ val1 = load_array(arr1, index); ++ val2 = load_array(arr2, val1); ++ ++ return val2; ++ } ++ ++Under speculation, the first call to load_array() may return the value ++of an out-of-bounds address, while the second call will influence ++microarchitectural state dependent on this value. This may provide an ++arbitrary read primitive. ++ ++==================================== ++Mitigating speculation side-channels ++==================================== ++ ++The kernel provides a generic API to ensure that bounds checks are ++respected even under speculation. Architectures which are affected by ++speculation-based side-channels are expected to implement these ++primitives. ++ ++The array_index_nospec() helper in <linux/nospec.h> can be used to ++prevent information from being leaked via side-channels. ++ ++A call to array_index_nospec(index, size) returns a sanitized index ++value that is bounded to [0, size) even under cpu speculation ++conditions. ++ ++This can be used to protect the earlier load_array() example: ++ ++ int load_array(int *array, unsigned int index) ++ { ++ if (index >= MAX_ARRAY_ELEMS) ++ return 0; ++ else { ++ index = array_index_nospec(index, MAX_ARRAY_ELEMS); ++ return array[index]; ++ } ++ } +diff --git a/Makefile b/Makefile +index a51938e99e37..a655f63aedeb 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 49 ++SUBLEVEL = 50 + EXTRAVERSION = + NAME = Series 4800 + +@@ -772,6 +772,9 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign) + # disable invalid "can't wrap" optimizations for signed / pointers + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow) + ++# Make sure -fstack-check isn't enabled (like gentoo apparently did) ++KBUILD_CFLAGS += $(call cc-option,-fno-stack-check,) ++ + # conserve stack if available + KBUILD_CFLAGS += $(call cc-option,-fconserve-stack) + +diff --git a/arch/alpha/include/asm/mmu_context.h b/arch/alpha/include/asm/mmu_context.h +index 4c51c05333c6..4cafffa80e2c 100644 +--- a/arch/alpha/include/asm/mmu_context.h ++++ b/arch/alpha/include/asm/mmu_context.h +@@ -7,6 +7,7 @@ + * Copyright (C) 1996, Linus Torvalds + */ + ++#include <linux/sched.h> + #include <asm/machvec.h> + #include <asm/compiler.h> + #include <asm-generic/mm_hooks.h> +diff --git a/arch/alpha/kernel/pci_impl.h b/arch/alpha/kernel/pci_impl.h +index 2b0ac429f5eb..412bb3c24f36 100644 +--- a/arch/alpha/kernel/pci_impl.h ++++ b/arch/alpha/kernel/pci_impl.h +@@ -143,7 +143,8 @@ struct pci_iommu_arena + }; + + #if defined(CONFIG_ALPHA_SRM) && \ +- (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA)) ++ (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA) || \ ++ defined(CONFIG_ALPHA_AVANTI)) + # define NEED_SRM_SAVE_RESTORE + #else + # undef NEED_SRM_SAVE_RESTORE +diff --git a/arch/alpha/kernel/process.c b/arch/alpha/kernel/process.c +index 84d13263ce46..8095fb2c5c94 100644 +--- a/arch/alpha/kernel/process.c ++++ b/arch/alpha/kernel/process.c +@@ -273,12 +273,13 @@ copy_thread(unsigned long clone_flags, unsigned long usp, + application calling fork. */ + if (clone_flags & CLONE_SETTLS) + childti->pcb.unique = regs->r20; ++ else ++ regs->r20 = 0; /* OSF/1 has some strange fork() semantics. */ + childti->pcb.usp = usp ?: rdusp(); + *childregs = *regs; + childregs->r0 = 0; + childregs->r19 = 0; + childregs->r20 = 1; /* OSF/1 has some strange fork() semantics. */ +- regs->r20 = 0; + stack = ((struct switch_stack *) regs) - 1; + *childstack = *stack; + childstack->r26 = (unsigned long) ret_from_fork; +diff --git a/arch/arm/boot/dts/am335x-evmsk.dts b/arch/arm/boot/dts/am335x-evmsk.dts +index 156d05efcb70..01288546bda1 100644 +--- a/arch/arm/boot/dts/am335x-evmsk.dts ++++ b/arch/arm/boot/dts/am335x-evmsk.dts +@@ -646,6 +646,7 @@ + ti,non-removable; + bus-width = <4>; + cap-power-off-card; ++ keep-power-in-suspend; + pinctrl-names = "default"; + pinctrl-0 = <&mmc2_pins>; + +diff --git a/arch/arm/boot/dts/am4372.dtsi b/arch/arm/boot/dts/am4372.dtsi +index c80a3e233792..96222885ad27 100644 +--- a/arch/arm/boot/dts/am4372.dtsi ++++ b/arch/arm/boot/dts/am4372.dtsi +@@ -750,7 +750,8 @@ + reg = <0x48038000 0x2000>, + <0x46000000 0x400000>; + reg-names = "mpu", "dat"; +- interrupts = <80>, <81>; ++ interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_HIGH>, ++ <GIC_SPI 81 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "tx", "rx"; + status = "disabled"; + dmas = <&edma 8>, +@@ -764,7 +765,8 @@ + reg = <0x4803C000 0x2000>, + <0x46400000 0x400000>; + reg-names = "mpu", "dat"; +- interrupts = <82>, <83>; ++ interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_HIGH>, ++ <GIC_SPI 83 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "tx", "rx"; + status = "disabled"; + dmas = <&edma 10>, +diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi +index bc04b754fe36..a13618266234 100644 +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -216,6 +216,7 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x20013000 0x13000 0 0xffed000>; ++ bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; + ti,hwmods = "pcie1"; +@@ -251,6 +252,7 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x30013000 0x13000 0 0xffed000>; ++ bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; + ti,hwmods = "pcie2"; +diff --git a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts +index d5e3bc518968..d57f48543f76 100644 +--- a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts ++++ b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts +@@ -53,7 +53,8 @@ + }; + + pinctrl: pin-controller@10000 { +- pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header>; ++ pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header ++ &pmx_gpio_header_gpo>; + pinctrl-names = "default"; + + pmx_uart0: pmx-uart0 { +@@ -85,11 +86,16 @@ + * ground. + */ + pmx_gpio_header: pmx-gpio-header { +- marvell,pins = "mpp17", "mpp7", "mpp29", "mpp28", ++ marvell,pins = "mpp17", "mpp29", "mpp28", + "mpp35", "mpp34", "mpp40"; + marvell,function = "gpio"; + }; + ++ pmx_gpio_header_gpo: pxm-gpio-header-gpo { ++ marvell,pins = "mpp7"; ++ marvell,function = "gpo"; ++ }; ++ + pmx_gpio_init: pmx-init { + marvell,pins = "mpp38"; + marvell,function = "gpio"; +diff --git a/arch/arm/boot/dts/omap4.dtsi b/arch/arm/boot/dts/omap4.dtsi +index 84be9da74c7e..48c5a3b23d03 100644 +--- a/arch/arm/boot/dts/omap4.dtsi ++++ b/arch/arm/boot/dts/omap4.dtsi +@@ -841,14 +841,12 @@ + usbhsohci: ohci@4a064800 { + compatible = "ti,ohci-omap3"; + reg = <0x4a064800 0x400>; +- interrupt-parent = <&gic>; + interrupts = <GIC_SPI 76 IRQ_TYPE_LEVEL_HIGH>; + }; + + usbhsehci: ehci@4a064c00 { + compatible = "ti,ehci-omap"; + reg = <0x4a064c00 0x400>; +- interrupt-parent = <&gic>; + interrupts = <GIC_SPI 77 IRQ_TYPE_LEVEL_HIGH>; + }; + }; +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 8344a0ee2b86..b03fe747b98c 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -461,6 +461,7 @@ + compatible = "samsung,exynos4210-ohci"; + reg = <0xec300000 0x100>; + interrupts = <23>; ++ interrupt-parent = <&vic1>; + clocks = <&clocks CLK_USB_HOST>; + clock-names = "usbhost"; + #address-cells = <1>; +diff --git a/arch/arm/boot/dts/spear1310-evb.dts b/arch/arm/boot/dts/spear1310-evb.dts +index d42c84b1df8d..9cff28d476be 100644 +--- a/arch/arm/boot/dts/spear1310-evb.dts ++++ b/arch/arm/boot/dts/spear1310-evb.dts +@@ -349,7 +349,7 @@ + spi0: spi@e0100000 { + status = "okay"; + num-cs = <3>; +- cs-gpios = <&gpio1 7 0>, <&spics 0>, <&spics 1>; ++ cs-gpios = <&gpio1 7 0>, <&spics 0 0>, <&spics 1 0>; + + stmpe610@0 { + compatible = "st,stmpe610"; +diff --git a/arch/arm/boot/dts/spear1340.dtsi b/arch/arm/boot/dts/spear1340.dtsi +index 13e1aa33daa2..69bc407b4a5a 100644 +--- a/arch/arm/boot/dts/spear1340.dtsi ++++ b/arch/arm/boot/dts/spear1340.dtsi +@@ -141,8 +141,8 @@ + reg = <0xb4100000 0x1000>; + interrupts = <0 105 0x4>; + status = "disabled"; +- dmas = <&dwdma0 0x600 0 0 1>, /* 0xC << 11 */ +- <&dwdma0 0x680 0 1 0>; /* 0xD << 7 */ ++ dmas = <&dwdma0 12 0 1>, ++ <&dwdma0 13 1 0>; + dma-names = "tx", "rx"; + }; + +diff --git a/arch/arm/boot/dts/spear13xx.dtsi b/arch/arm/boot/dts/spear13xx.dtsi +index 40accc87e3a2..4e5a2770eac8 100644 +--- a/arch/arm/boot/dts/spear13xx.dtsi ++++ b/arch/arm/boot/dts/spear13xx.dtsi +@@ -100,7 +100,7 @@ + reg = <0xb2800000 0x1000>; + interrupts = <0 29 0x4>; + status = "disabled"; +- dmas = <&dwdma0 0 0 0 0>; ++ dmas = <&dwdma0 0 0 0>; + dma-names = "data"; + }; + +@@ -288,8 +288,8 @@ + #size-cells = <0>; + interrupts = <0 31 0x4>; + status = "disabled"; +- dmas = <&dwdma0 0x2000 0 0 0>, /* 0x4 << 11 */ +- <&dwdma0 0x0280 0 0 0>; /* 0x5 << 7 */ ++ dmas = <&dwdma0 4 0 0>, ++ <&dwdma0 5 0 0>; + dma-names = "tx", "rx"; + }; + +diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi +index 9f60a7b6a42b..bd379034993c 100644 +--- a/arch/arm/boot/dts/spear600.dtsi ++++ b/arch/arm/boot/dts/spear600.dtsi +@@ -194,6 +194,7 @@ + rtc@fc900000 { + compatible = "st,spear600-rtc"; + reg = <0xfc900000 0x1000>; ++ interrupt-parent = <&vic0>; + interrupts = <10>; + status = "disabled"; + }; +diff --git a/arch/arm/include/asm/kvm_arm.h b/arch/arm/include/asm/kvm_arm.h +index aacd6668d1a0..d43122f0993d 100644 +--- a/arch/arm/include/asm/kvm_arm.h ++++ b/arch/arm/include/asm/kvm_arm.h +@@ -161,8 +161,7 @@ + #else + #define VTTBR_X (5 - KVM_T0SZ) + #endif +-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) +-#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) ++#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X) + #define VTTBR_VMID_SHIFT (48LLU) + #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT) + +diff --git a/arch/arm/include/asm/mmu_context.h b/arch/arm/include/asm/mmu_context.h +index 9b32f76bb0dd..10f662498eb7 100644 +--- a/arch/arm/include/asm/mmu_context.h ++++ b/arch/arm/include/asm/mmu_context.h +@@ -61,6 +61,7 @@ static inline void check_and_switch_context(struct mm_struct *mm, + cpu_switch_mm(mm->pgd, mm); + } + ++#ifndef MODULE + #define finish_arch_post_lock_switch \ + finish_arch_post_lock_switch + static inline void finish_arch_post_lock_switch(void) +@@ -82,6 +83,7 @@ static inline void finish_arch_post_lock_switch(void) + preempt_enable_no_resched(); + } + } ++#endif /* !MODULE */ + + #endif /* CONFIG_MMU */ + +diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c +index f36b5b1acd1f..05b2f8294968 100644 +--- a/arch/arm/kvm/handle_exit.c ++++ b/arch/arm/kvm/handle_exit.c +@@ -45,7 +45,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run) + + ret = kvm_psci_call(vcpu); + if (ret < 0) { +- kvm_inject_undefined(vcpu); ++ vcpu_set_reg(vcpu, 0, ~0UL); + return 1; + } + +@@ -54,7 +54,16 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run) + + static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run) + { +- kvm_inject_undefined(vcpu); ++ /* ++ * "If an SMC instruction executed at Non-secure EL1 is ++ * trapped to EL2 because HCR_EL2.TSC is 1, the exception is a ++ * Trap exception, not a Secure Monitor Call exception [...]" ++ * ++ * We need to advance the PC after the trap, as it would ++ * otherwise return to the same address... ++ */ ++ vcpu_set_reg(vcpu, 0, ~0UL); ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; + } + +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index 974b1c606d04..04e5004b34e1 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -113,7 +113,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + } + + trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr, +- data); ++ &data); + data = vcpu_data_host_to_guest(vcpu, data, len); + *vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data; + } +@@ -188,14 +188,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, + if (is_write) { + data = vcpu_data_guest_to_host(vcpu, *vcpu_reg(vcpu, rt), len); + +- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data); ++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data); + mmio_write_buf(data_buf, len, data); + + ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len, + data_buf); + } else { + trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len, +- fault_ipa, 0); ++ fault_ipa, NULL); + + ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len, + data_buf); +diff --git a/arch/arm/mach-omap2/omap-secure.c b/arch/arm/mach-omap2/omap-secure.c +index 5ac122e88f67..9ff92050053c 100644 +--- a/arch/arm/mach-omap2/omap-secure.c ++++ b/arch/arm/mach-omap2/omap-secure.c +@@ -73,6 +73,25 @@ phys_addr_t omap_secure_ram_mempool_base(void) + return omap_secure_memblock_base; + } + ++u32 omap3_save_secure_ram(void __iomem *addr, int size) ++{ ++ u32 ret; ++ u32 param[5]; ++ ++ if (size != OMAP3_SAVE_SECURE_RAM_SZ) ++ return OMAP3_SAVE_SECURE_RAM_SZ; ++ ++ param[0] = 4; /* Number of arguments */ ++ param[1] = __pa(addr); /* Physical address for saving */ ++ param[2] = 0; ++ param[3] = 1; ++ param[4] = 1; ++ ++ ret = save_secure_ram_context(__pa(param)); ++ ++ return ret; ++} ++ + /** + * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls + * @idx: The PPA API index +diff --git a/arch/arm/mach-omap2/omap-secure.h b/arch/arm/mach-omap2/omap-secure.h +index af2851fbcdf0..ab6ce2597a88 100644 +--- a/arch/arm/mach-omap2/omap-secure.h ++++ b/arch/arm/mach-omap2/omap-secure.h +@@ -31,6 +31,8 @@ + /* Maximum Secure memory storage size */ + #define OMAP_SECURE_RAM_STORAGE (88 * SZ_1K) + ++#define OMAP3_SAVE_SECURE_RAM_SZ 0x803F ++ + /* Secure low power HAL API index */ + #define OMAP4_HAL_SAVESECURERAM_INDEX 0x1a + #define OMAP4_HAL_SAVEHW_INDEX 0x1b +@@ -64,6 +66,8 @@ extern u32 omap_smc2(u32 id, u32 falg, u32 pargs); + extern u32 omap_smc3(u32 id, u32 process, u32 flag, u32 pargs); + extern phys_addr_t omap_secure_ram_mempool_base(void); + extern int omap_secure_ram_reserve_memblock(void); ++extern u32 save_secure_ram_context(u32 args_pa); ++extern u32 omap3_save_secure_ram(void __iomem *save_regs, int size); + + extern u32 rx51_secure_dispatcher(u32 idx, u32 process, u32 flag, u32 nargs, + u32 arg1, u32 arg2, u32 arg3, u32 arg4); +diff --git a/arch/arm/mach-omap2/pm.h b/arch/arm/mach-omap2/pm.h +index 425bfcd67db6..326218953737 100644 +--- a/arch/arm/mach-omap2/pm.h ++++ b/arch/arm/mach-omap2/pm.h +@@ -81,10 +81,6 @@ extern unsigned int omap3_do_wfi_sz; + /* ... and its pointer from SRAM after copy */ + extern void (*omap3_do_wfi_sram)(void); + +-/* save_secure_ram_context function pointer and size, for copy to SRAM */ +-extern int save_secure_ram_context(u32 *addr); +-extern unsigned int save_secure_ram_context_sz; +- + extern void omap3_save_scratchpad_contents(void); + + #define PM_RTA_ERRATUM_i608 (1 << 0) +diff --git a/arch/arm/mach-omap2/pm34xx.c b/arch/arm/mach-omap2/pm34xx.c +index 87b98bf92366..0b8ab6c00071 100644 +--- a/arch/arm/mach-omap2/pm34xx.c ++++ b/arch/arm/mach-omap2/pm34xx.c +@@ -48,6 +48,7 @@ + #include "prm3xxx.h" + #include "pm.h" + #include "sdrc.h" ++#include "omap-secure.h" + #include "sram.h" + #include "control.h" + #include "vc.h" +@@ -66,7 +67,6 @@ struct power_state { + + static LIST_HEAD(pwrst_list); + +-static int (*_omap_save_secure_sram)(u32 *addr); + void (*omap3_do_wfi_sram)(void); + + static struct powerdomain *mpu_pwrdm, *neon_pwrdm; +@@ -121,8 +121,8 @@ static void omap3_save_secure_ram_context(void) + * will hang the system. + */ + pwrdm_set_next_pwrst(mpu_pwrdm, PWRDM_POWER_ON); +- ret = _omap_save_secure_sram((u32 *)(unsigned long) +- __pa(omap3_secure_ram_storage)); ++ ret = omap3_save_secure_ram(omap3_secure_ram_storage, ++ OMAP3_SAVE_SECURE_RAM_SZ); + pwrdm_set_next_pwrst(mpu_pwrdm, mpu_next_state); + /* Following is for error tracking, it should not happen */ + if (ret) { +@@ -431,15 +431,10 @@ static int __init pwrdms_setup(struct powerdomain *pwrdm, void *unused) + * + * The minimum set of functions is pushed to SRAM for execution: + * - omap3_do_wfi for erratum i581 WA, +- * - save_secure_ram_context for security extensions. + */ + void omap_push_sram_idle(void) + { + omap3_do_wfi_sram = omap_sram_push(omap3_do_wfi, omap3_do_wfi_sz); +- +- if (omap_type() != OMAP2_DEVICE_TYPE_GP) +- _omap_save_secure_sram = omap_sram_push(save_secure_ram_context, +- save_secure_ram_context_sz); + } + + static void __init pm_errata_configure(void) +@@ -551,7 +546,7 @@ int __init omap3_pm_init(void) + clkdm_add_wkdep(neon_clkdm, mpu_clkdm); + if (omap_type() != OMAP2_DEVICE_TYPE_GP) { + omap3_secure_ram_storage = +- kmalloc(0x803F, GFP_KERNEL); ++ kmalloc(OMAP3_SAVE_SECURE_RAM_SZ, GFP_KERNEL); + if (!omap3_secure_ram_storage) + pr_err("Memory allocation failed when allocating for secure sram context\n"); + +diff --git a/arch/arm/mach-omap2/prm33xx.c b/arch/arm/mach-omap2/prm33xx.c +index dcb5001d77da..973bcd754e1c 100644 +--- a/arch/arm/mach-omap2/prm33xx.c ++++ b/arch/arm/mach-omap2/prm33xx.c +@@ -176,17 +176,6 @@ static int am33xx_pwrdm_read_pwrst(struct powerdomain *pwrdm) + return v; + } + +-static int am33xx_pwrdm_read_prev_pwrst(struct powerdomain *pwrdm) +-{ +- u32 v; +- +- v = am33xx_prm_read_reg(pwrdm->prcm_offs, pwrdm->pwrstst_offs); +- v &= AM33XX_LASTPOWERSTATEENTERED_MASK; +- v >>= AM33XX_LASTPOWERSTATEENTERED_SHIFT; +- +- return v; +-} +- + static int am33xx_pwrdm_set_lowpwrstchange(struct powerdomain *pwrdm) + { + am33xx_prm_rmw_reg_bits(AM33XX_LOWPOWERSTATECHANGE_MASK, +@@ -357,7 +346,6 @@ struct pwrdm_ops am33xx_pwrdm_operations = { + .pwrdm_set_next_pwrst = am33xx_pwrdm_set_next_pwrst, + .pwrdm_read_next_pwrst = am33xx_pwrdm_read_next_pwrst, + .pwrdm_read_pwrst = am33xx_pwrdm_read_pwrst, +- .pwrdm_read_prev_pwrst = am33xx_pwrdm_read_prev_pwrst, + .pwrdm_set_logic_retst = am33xx_pwrdm_set_logic_retst, + .pwrdm_read_logic_pwrst = am33xx_pwrdm_read_logic_pwrst, + .pwrdm_read_logic_retst = am33xx_pwrdm_read_logic_retst, +diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S +index 1b9f0520dea9..3e0d802c59da 100644 +--- a/arch/arm/mach-omap2/sleep34xx.S ++++ b/arch/arm/mach-omap2/sleep34xx.S +@@ -93,20 +93,13 @@ ENTRY(enable_omap3630_toggle_l2_on_restore) + ENDPROC(enable_omap3630_toggle_l2_on_restore) + + /* +- * Function to call rom code to save secure ram context. This gets +- * relocated to SRAM, so it can be all in .data section. Otherwise +- * we need to initialize api_params separately. ++ * Function to call rom code to save secure ram context. ++ * ++ * r0 = physical address of the parameters + */ +- .data +- .align 3 + ENTRY(save_secure_ram_context) + stmfd sp!, {r4 - r11, lr} @ save registers on stack +- adr r3, api_params @ r3 points to parameters +- str r0, [r3,#0x4] @ r0 has sdram address +- ldr r12, high_mask +- and r3, r3, r12 +- ldr r12, sram_phy_addr_mask +- orr r3, r3, r12 ++ mov r3, r0 @ physical address of parameters + mov r0, #25 @ set service ID for PPA + mov r12, r0 @ copy secure service ID in r12 + mov r1, #0 @ set task id for ROM code in r1 +@@ -120,18 +113,7 @@ ENTRY(save_secure_ram_context) + nop + nop + ldmfd sp!, {r4 - r11, pc} +- .align +-sram_phy_addr_mask: +- .word SRAM_BASE_P +-high_mask: +- .word 0xffff +-api_params: +- .word 0x4, 0x0, 0x0, 0x1, 0x1 + ENDPROC(save_secure_ram_context) +-ENTRY(save_secure_ram_context_sz) +- .word . - save_secure_ram_context +- +- .text + + /* + * ====================== +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index 64d7486262e5..e37c04facc1d 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -764,13 +764,31 @@ static void arm_coherent_dma_free(struct device *dev, size_t size, void *cpu_add + __arm_dma_free(dev, size, cpu_addr, handle, attrs, true); + } + ++/* ++ * The whole dma_get_sgtable() idea is fundamentally unsafe - it seems ++ * that the intention is to allow exporting memory allocated via the ++ * coherent DMA APIs through the dma_buf API, which only accepts a ++ * scattertable. This presents a couple of problems: ++ * 1. Not all memory allocated via the coherent DMA APIs is backed by ++ * a struct page ++ * 2. Passing coherent DMA memory into the streaming APIs is not allowed ++ * as we will try to flush the memory through a different alias to that ++ * actually being used (and the flushes are redundant.) ++ */ + int arm_dma_get_sgtable(struct device *dev, struct sg_table *sgt, + void *cpu_addr, dma_addr_t handle, size_t size, + struct dma_attrs *attrs) + { +- struct page *page = pfn_to_page(dma_to_pfn(dev, handle)); ++ unsigned long pfn = dma_to_pfn(dev, handle); ++ struct page *page; + int ret; + ++ /* If the PFN is not valid, we do not have a struct page */ ++ if (!pfn_valid(pfn)) ++ return -ENXIO; ++ ++ page = pfn_to_page(pfn); ++ + ret = sg_alloc_table(sgt, 1, GFP_KERNEL); + if (unlikely(ret)) + return ret; +diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c +index a4ec240ee7ba..3eb018fa1a1f 100644 +--- a/arch/arm/probes/kprobes/core.c ++++ b/arch/arm/probes/kprobes/core.c +@@ -433,6 +433,7 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs) + struct hlist_node *tmp; + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; ++ kprobe_opcode_t *correct_ret_addr = NULL; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); +@@ -455,14 +456,34 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs) + /* another task is sharing our hash bucket */ + continue; + ++ orig_ret_address = (unsigned long)ri->ret_addr; ++ ++ if (orig_ret_address != trampoline_address) ++ /* ++ * This is the real return address. Any other ++ * instances associated with this task are for ++ * other calls deeper on the call stack ++ */ ++ break; ++ } ++ ++ kretprobe_assert(ri, orig_ret_address, trampoline_address); ++ ++ correct_ret_addr = ri->ret_addr; ++ hlist_for_each_entry_safe(ri, tmp, head, hlist) { ++ if (ri->task != current) ++ /* another task is sharing our hash bucket */ ++ continue; ++ ++ orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { + __this_cpu_write(current_kprobe, &ri->rp->kp); + get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; ++ ri->ret_addr = correct_ret_addr; + ri->rp->handler(ri, regs); + __this_cpu_write(current_kprobe, NULL); + } + +- orig_ret_address = (unsigned long)ri->ret_addr; + recycle_rp_inst(ri, &empty_rp); + + if (orig_ret_address != trampoline_address) +@@ -474,7 +495,6 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs) + break; + } + +- kretprobe_assert(ri, orig_ret_address, trampoline_address); + kretprobe_hash_unlock(current, &flags); + + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { +diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c +index 9775de22e2ff..a48354de1aa1 100644 +--- a/arch/arm/probes/kprobes/test-core.c ++++ b/arch/arm/probes/kprobes/test-core.c +@@ -976,7 +976,10 @@ static void coverage_end(void) + void __naked __kprobes_test_case_start(void) + { + __asm__ __volatile__ ( +- "stmdb sp!, {r4-r11} \n\t" ++ "mov r2, sp \n\t" ++ "bic r3, r2, #7 \n\t" ++ "mov sp, r3 \n\t" ++ "stmdb sp!, {r2-r11} \n\t" + "sub sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t" + "bic r0, lr, #1 @ r0 = inline data \n\t" + "mov r1, sp \n\t" +@@ -996,7 +999,8 @@ void __naked __kprobes_test_case_end_32(void) + "movne pc, r0 \n\t" + "mov r0, r4 \n\t" + "add sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t" +- "ldmia sp!, {r4-r11} \n\t" ++ "ldmia sp!, {r2-r11} \n\t" ++ "mov sp, r2 \n\t" + "mov pc, r0 \n\t" + ); + } +@@ -1012,7 +1016,8 @@ void __naked __kprobes_test_case_end_16(void) + "bxne r0 \n\t" + "mov r0, r4 \n\t" + "add sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t" +- "ldmia sp!, {r4-r11} \n\t" ++ "ldmia sp!, {r2-r11} \n\t" ++ "mov sp, r2 \n\t" + "bx r0 \n\t" + ); + } +diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c +index 8bbd57efae78..9322be69ca09 100644 +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -46,7 +46,7 @@ static const char *handler[]= { + "Error" + }; + +-int show_unhandled_signals = 1; ++int show_unhandled_signals = 0; + + /* + * Dump out the contents of some memory nicely... +diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c +index 524fa25671fc..2d357aed5e66 100644 +--- a/arch/arm64/kvm/handle_exit.c ++++ b/arch/arm64/kvm/handle_exit.c +@@ -42,7 +42,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run) + + ret = kvm_psci_call(vcpu); + if (ret < 0) { +- kvm_inject_undefined(vcpu); ++ vcpu_set_reg(vcpu, 0, ~0UL); + return 1; + } + +@@ -51,7 +51,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run) + + static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run) + { +- kvm_inject_undefined(vcpu); ++ vcpu_set_reg(vcpu, 0, ~0UL); + return 1; + } + +diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c +index ae8f940152aa..b8ed781807ef 100644 +--- a/arch/arm64/mm/init.c ++++ b/arch/arm64/mm/init.c +@@ -177,6 +177,7 @@ void __init arm64_memblock_init(void) + arm64_dma_phys_limit = max_zone_dma_phys(); + else + arm64_dma_phys_limit = PHYS_MASK + 1; ++ high_memory = __va(memblock_end_of_DRAM() - 1) + 1; + dma_contiguous_reserve(arm64_dma_phys_limit); + + memblock_allow_resize(); +@@ -201,7 +202,6 @@ void __init bootmem_init(void) + sparse_init(); + zone_sizes_init(min, max); + +- high_memory = __va((max << PAGE_SHIFT) - 1) + 1; + max_pfn = max_low_pfn = max; + } + +diff --git a/arch/mips/ar7/platform.c b/arch/mips/ar7/platform.c +index 5afbb7b41160..d60986fdc288 100644 +--- a/arch/mips/ar7/platform.c ++++ b/arch/mips/ar7/platform.c +@@ -577,7 +577,7 @@ static int __init ar7_register_uarts(void) + uart_port.type = PORT_AR7; + uart_port.uartclk = clk_get_rate(bus_clk) / 2; + uart_port.iotype = UPIO_MEM32; +- uart_port.flags = UPF_FIXED_TYPE; ++ uart_port.flags = UPF_FIXED_TYPE | UPF_BOOT_AUTOCONF; + uart_port.regshift = 2; + + uart_port.line = 0; +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index ded8b8ba34fd..18cb5eb10e55 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -631,6 +631,18 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value) + unsigned long switch_count; + struct task_struct *t; + ++ /* If nothing to change, return right away, successfully. */ ++ if (value == mips_get_process_fp_mode(task)) ++ return 0; ++ ++ /* Only accept a mode change if 64-bit FP enabled for o32. */ ++ if (!IS_ENABLED(CONFIG_MIPS_O32_FP64_SUPPORT)) ++ return -EOPNOTSUPP; ++ ++ /* And only for o32 tasks. */ ++ if (IS_ENABLED(CONFIG_64BIT) && !test_thread_flag(TIF_32BIT_REGS)) ++ return -EOPNOTSUPP; ++ + /* Check the value is valid */ + if (value & ~known_bits) + return -EOPNOTSUPP; +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 2bea5db01b0b..938d7576f455 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -438,63 +438,160 @@ static int gpr64_set(struct task_struct *target, + + #endif /* CONFIG_64BIT */ + ++/* ++ * Copy the floating-point context to the supplied NT_PRFPREG buffer, ++ * !CONFIG_CPU_HAS_MSA variant. FP context's general register slots ++ * correspond 1:1 to buffer slots. Only general registers are copied. ++ */ ++static int fpr_get_fpa(struct task_struct *target, ++ unsigned int *pos, unsigned int *count, ++ void **kbuf, void __user **ubuf) ++{ ++ return user_regset_copyout(pos, count, kbuf, ubuf, ++ &target->thread.fpu, ++ 0, NUM_FPU_REGS * sizeof(elf_fpreg_t)); ++} ++ ++/* ++ * Copy the floating-point context to the supplied NT_PRFPREG buffer, ++ * CONFIG_CPU_HAS_MSA variant. Only lower 64 bits of FP context's ++ * general register slots are copied to buffer slots. Only general ++ * registers are copied. ++ */ ++static int fpr_get_msa(struct task_struct *target, ++ unsigned int *pos, unsigned int *count, ++ void **kbuf, void __user **ubuf) ++{ ++ unsigned int i; ++ u64 fpr_val; ++ int err; ++ ++ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); ++ for (i = 0; i < NUM_FPU_REGS; i++) { ++ fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0); ++ err = user_regset_copyout(pos, count, kbuf, ubuf, ++ &fpr_val, i * sizeof(elf_fpreg_t), ++ (i + 1) * sizeof(elf_fpreg_t)); ++ if (err) ++ return err; ++ } ++ ++ return 0; ++} ++ ++/* ++ * Copy the floating-point context to the supplied NT_PRFPREG buffer. ++ * Choose the appropriate helper for general registers, and then copy ++ * the FCSR register separately. ++ */ + static int fpr_get(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) + { +- unsigned i; ++ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); + int err; +- u64 fpr_val; + +- /* XXX fcr31 */ ++ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) ++ err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf); ++ else ++ err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf); ++ if (err) ++ return err; + +- if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t)) +- return user_regset_copyout(&pos, &count, &kbuf, &ubuf, +- &target->thread.fpu, +- 0, sizeof(elf_fpregset_t)); ++ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, ++ &target->thread.fpu.fcr31, ++ fcr31_pos, fcr31_pos + sizeof(u32)); + +- for (i = 0; i < NUM_FPU_REGS; i++) { +- fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0); +- err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, +- &fpr_val, i * sizeof(elf_fpreg_t), +- (i + 1) * sizeof(elf_fpreg_t)); ++ return err; ++} ++ ++/* ++ * Copy the supplied NT_PRFPREG buffer to the floating-point context, ++ * !CONFIG_CPU_HAS_MSA variant. Buffer slots correspond 1:1 to FP ++ * context's general register slots. Only general registers are copied. ++ */ ++static int fpr_set_fpa(struct task_struct *target, ++ unsigned int *pos, unsigned int *count, ++ const void **kbuf, const void __user **ubuf) ++{ ++ return user_regset_copyin(pos, count, kbuf, ubuf, ++ &target->thread.fpu, ++ 0, NUM_FPU_REGS * sizeof(elf_fpreg_t)); ++} ++ ++/* ++ * Copy the supplied NT_PRFPREG buffer to the floating-point context, ++ * CONFIG_CPU_HAS_MSA variant. Buffer slots are copied to lower 64 ++ * bits only of FP context's general register slots. Only general ++ * registers are copied. ++ */ ++static int fpr_set_msa(struct task_struct *target, ++ unsigned int *pos, unsigned int *count, ++ const void **kbuf, const void __user **ubuf) ++{ ++ unsigned int i; ++ u64 fpr_val; ++ int err; ++ ++ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); ++ for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) { ++ err = user_regset_copyin(pos, count, kbuf, ubuf, ++ &fpr_val, i * sizeof(elf_fpreg_t), ++ (i + 1) * sizeof(elf_fpreg_t)); + if (err) + return err; ++ set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val); + } + + return 0; + } + ++/* ++ * Copy the supplied NT_PRFPREG buffer to the floating-point context. ++ * Choose the appropriate helper for general registers, and then copy ++ * the FCSR register separately. ++ * ++ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0', ++ * which is supposed to have been guaranteed by the kernel before ++ * calling us, e.g. in `ptrace_regset'. We enforce that requirement, ++ * so that we can safely avoid preinitializing temporaries for ++ * partial register writes. ++ */ + static int fpr_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) + { +- unsigned i; ++ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); ++ u32 fcr31; + int err; +- u64 fpr_val; + +- /* XXX fcr31 */ ++ BUG_ON(count % sizeof(elf_fpreg_t)); ++ ++ if (pos + count > sizeof(elf_fpregset_t)) ++ return -EIO; + + init_fp_ctx(target); + +- if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t)) +- return user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- &target->thread.fpu, +- 0, sizeof(elf_fpregset_t)); ++ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) ++ err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf); ++ else ++ err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf); ++ if (err) ++ return err; + +- BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); +- for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) { ++ if (count > 0) { + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- &fpr_val, i * sizeof(elf_fpreg_t), +- (i + 1) * sizeof(elf_fpreg_t)); ++ &fcr31, ++ fcr31_pos, fcr31_pos + sizeof(u32)); + if (err) + return err; +- set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val); ++ ++ ptrace_setfcr31(target, fcr31); + } + +- return 0; ++ return err; + } + + enum mips_regset { +diff --git a/arch/mn10300/mm/misalignment.c b/arch/mn10300/mm/misalignment.c +index b9920b1edd5a..70cef54dc40f 100644 +--- a/arch/mn10300/mm/misalignment.c ++++ b/arch/mn10300/mm/misalignment.c +@@ -437,7 +437,7 @@ transfer_failed: + + info.si_signo = SIGSEGV; + info.si_errno = 0; +- info.si_code = 0; ++ info.si_code = SEGV_MAPERR; + info.si_addr = (void *) regs->pc; + force_sig_info(SIGSEGV, &info, current); + return; +diff --git a/arch/openrisc/kernel/traps.c b/arch/openrisc/kernel/traps.c +index 3d3f6062f49c..605a284922fb 100644 +--- a/arch/openrisc/kernel/traps.c ++++ b/arch/openrisc/kernel/traps.c +@@ -302,12 +302,12 @@ asmlinkage void do_unaligned_access(struct pt_regs *regs, unsigned long address) + siginfo_t info; + + if (user_mode(regs)) { +- /* Send a SIGSEGV */ +- info.si_signo = SIGSEGV; ++ /* Send a SIGBUS */ ++ info.si_signo = SIGBUS; + info.si_errno = 0; +- /* info.si_code has been set above */ +- info.si_addr = (void *)address; +- force_sig_info(SIGSEGV, &info, current); ++ info.si_code = BUS_ADRALN; ++ info.si_addr = (void __user *)address; ++ force_sig_info(SIGBUS, &info, current); + } else { + printk("KERNEL: Unaligned Access 0x%.8lx\n", address); + show_registers(regs); +diff --git a/arch/parisc/include/asm/ldcw.h b/arch/parisc/include/asm/ldcw.h +index 8121aa6db2ff..51bb6b8eade6 100644 +--- a/arch/parisc/include/asm/ldcw.h ++++ b/arch/parisc/include/asm/ldcw.h +@@ -11,6 +11,7 @@ + for the semaphore. */ + + #define __PA_LDCW_ALIGNMENT 16 ++#define __PA_LDCW_ALIGN_ORDER 4 + #define __ldcw_align(a) ({ \ + unsigned long __ret = (unsigned long) &(a)->lock[0]; \ + __ret = (__ret + __PA_LDCW_ALIGNMENT - 1) \ +@@ -28,6 +29,7 @@ + ldcd). */ + + #define __PA_LDCW_ALIGNMENT 4 ++#define __PA_LDCW_ALIGN_ORDER 2 + #define __ldcw_align(a) (&(a)->slock) + #define __LDCW "ldcw,co" + +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S +index c5ef4081b01d..b523fa90a727 100644 +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -35,6 +35,7 @@ + #include <asm/pgtable.h> + #include <asm/signal.h> + #include <asm/unistd.h> ++#include <asm/ldcw.h> + #include <asm/thread_info.h> + + #include <linux/linkage.h> +@@ -46,6 +47,14 @@ + #endif + + .import pa_tlb_lock,data ++ .macro load_pa_tlb_lock reg ++#if __PA_LDCW_ALIGNMENT > 4 ++ load32 PA(pa_tlb_lock) + __PA_LDCW_ALIGNMENT-1, \reg ++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \reg ++#else ++ load32 PA(pa_tlb_lock), \reg ++#endif ++ .endm + + /* space_to_prot macro creates a prot id from a space id */ + +@@ -457,7 +466,7 @@ + .macro tlb_lock spc,ptp,pte,tmp,tmp1,fault + #ifdef CONFIG_SMP + cmpib,COND(=),n 0,\spc,2f +- load32 PA(pa_tlb_lock),\tmp ++ load_pa_tlb_lock \tmp + 1: LDCW 0(\tmp),\tmp1 + cmpib,COND(=) 0,\tmp1,1b + nop +@@ -480,7 +489,7 @@ + /* Release pa_tlb_lock lock. */ + .macro tlb_unlock1 spc,tmp + #ifdef CONFIG_SMP +- load32 PA(pa_tlb_lock),\tmp ++ load_pa_tlb_lock \tmp + tlb_unlock0 \spc,\tmp + #endif + .endm +diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S +index b743a80eaba0..ddc2f0cf1c73 100644 +--- a/arch/parisc/kernel/pacache.S ++++ b/arch/parisc/kernel/pacache.S +@@ -36,6 +36,7 @@ + #include <asm/assembly.h> + #include <asm/pgtable.h> + #include <asm/cache.h> ++#include <asm/ldcw.h> + #include <linux/linkage.h> + + .text +@@ -333,8 +334,12 @@ ENDPROC(flush_data_cache_local) + + .macro tlb_lock la,flags,tmp + #ifdef CONFIG_SMP +- ldil L%pa_tlb_lock,%r1 +- ldo R%pa_tlb_lock(%r1),\la ++#if __PA_LDCW_ALIGNMENT > 4 ++ load32 pa_tlb_lock + __PA_LDCW_ALIGNMENT-1, \la ++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \la ++#else ++ load32 pa_tlb_lock, \la ++#endif + rsm PSW_SM_I,\flags + 1: LDCW 0(\la),\tmp + cmpib,<>,n 0,\tmp,3f +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 4b8c928a9873..a55a246fc784 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -126,13 +126,14 @@ config PPC + select IRQ_FORCED_THREADING + select HAVE_RCU_TABLE_FREE if SMP + select HAVE_SYSCALL_TRACEPOINTS +- select HAVE_BPF_JIT ++ select HAVE_BPF_JIT if CPU_BIG_ENDIAN + select HAVE_ARCH_JUMP_LABEL + select ARCH_HAVE_NMI_SAFE_CMPXCHG + select ARCH_HAS_GCOV_PROFILE_ALL + select GENERIC_SMP_IDLE_THREAD + select GENERIC_CMOS_UPDATE + select GENERIC_TIME_VSYSCALL_OLD ++ select GENERIC_CPU_VULNERABILITIES if PPC_BOOK3S_64 + select GENERIC_CLOCKEVENTS + select GENERIC_CLOCKEVENTS_BROADCAST if SMP + select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST +diff --git a/arch/powerpc/include/asm/exception-64e.h b/arch/powerpc/include/asm/exception-64e.h +index a8b52b61043f..bd8958445336 100644 +--- a/arch/powerpc/include/asm/exception-64e.h ++++ b/arch/powerpc/include/asm/exception-64e.h +@@ -208,5 +208,11 @@ exc_##label##_book3e: + ori r3,r3,interrupt_base_book3e@l; \ + mtspr SPRN_IVOR##vector_number,r3; + ++#define RFI_TO_KERNEL \ ++ rfi ++ ++#define RFI_TO_USER \ ++ rfi ++ + #endif /* _ASM_POWERPC_EXCEPTION_64E_H */ + +diff --git a/arch/powerpc/include/asm/exception-64s.h b/arch/powerpc/include/asm/exception-64s.h +index 77f52b26dad6..9bddbec441b8 100644 +--- a/arch/powerpc/include/asm/exception-64s.h ++++ b/arch/powerpc/include/asm/exception-64s.h +@@ -50,6 +50,59 @@ + #define EX_PPR 88 /* SMT thread status register (priority) */ + #define EX_CTR 96 + ++/* ++ * Macros for annotating the expected destination of (h)rfid ++ * ++ * The nop instructions allow us to insert one or more instructions to flush the ++ * L1-D cache when returning to userspace or a guest. ++ */ ++#define RFI_FLUSH_SLOT \ ++ RFI_FLUSH_FIXUP_SECTION; \ ++ nop; \ ++ nop; \ ++ nop ++ ++#define RFI_TO_KERNEL \ ++ rfid ++ ++#define RFI_TO_USER \ ++ RFI_FLUSH_SLOT; \ ++ rfid; \ ++ b rfi_flush_fallback ++ ++#define RFI_TO_USER_OR_KERNEL \ ++ RFI_FLUSH_SLOT; \ ++ rfid; \ ++ b rfi_flush_fallback ++ ++#define RFI_TO_GUEST \ ++ RFI_FLUSH_SLOT; \ ++ rfid; \ ++ b rfi_flush_fallback ++ ++#define HRFI_TO_KERNEL \ ++ hrfid ++ ++#define HRFI_TO_USER \ ++ RFI_FLUSH_SLOT; \ ++ hrfid; \ ++ b hrfi_flush_fallback ++ ++#define HRFI_TO_USER_OR_KERNEL \ ++ RFI_FLUSH_SLOT; \ ++ hrfid; \ ++ b hrfi_flush_fallback ++ ++#define HRFI_TO_GUEST \ ++ RFI_FLUSH_SLOT; \ ++ hrfid; \ ++ b hrfi_flush_fallback ++ ++#define HRFI_TO_UNKNOWN \ ++ RFI_FLUSH_SLOT; \ ++ hrfid; \ ++ b hrfi_flush_fallback ++ + #ifdef CONFIG_RELOCATABLE + #define __EXCEPTION_RELON_PROLOG_PSERIES_1(label, h) \ + ld r12,PACAKBASE(r13); /* get high part of &label */ \ +@@ -191,7 +244,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943) + mtspr SPRN_##h##SRR0,r12; \ + mfspr r12,SPRN_##h##SRR1; /* and SRR1 */ \ + mtspr SPRN_##h##SRR1,r10; \ +- h##rfid; \ ++ h##RFI_TO_KERNEL; \ + b . /* prevent speculative execution */ + #define EXCEPTION_PROLOG_PSERIES_1(label, h) \ + __EXCEPTION_PROLOG_PSERIES_1(label, h) +diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h +index 9a67a38bf7b9..7068bafbb2d6 100644 +--- a/arch/powerpc/include/asm/feature-fixups.h ++++ b/arch/powerpc/include/asm/feature-fixups.h +@@ -184,4 +184,19 @@ label##3: \ + FTR_ENTRY_OFFSET label##1b-label##3b; \ + .popsection; + ++#define RFI_FLUSH_FIXUP_SECTION \ ++951: \ ++ .pushsection __rfi_flush_fixup,"a"; \ ++ .align 2; \ ++952: \ ++ FTR_ENTRY_OFFSET 951b-952b; \ ++ .popsection; ++ ++ ++#ifndef __ASSEMBLY__ ++ ++extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup; ++ ++#endif ++ + #endif /* __ASM_POWERPC_FEATURE_FIXUPS_H */ +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index 85bc8c0d257b..449bbb87c257 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -239,6 +239,7 @@ + #define H_GET_HCA_INFO 0x1B8 + #define H_GET_PERF_COUNT 0x1BC + #define H_MANAGE_TRACE 0x1C0 ++#define H_GET_CPU_CHARACTERISTICS 0x1C8 + #define H_FREE_LOGICAL_LAN_BUFFER 0x1D4 + #define H_QUERY_INT_STATE 0x1E4 + #define H_POLL_PENDING 0x1D8 +@@ -285,7 +286,19 @@ + #define H_SET_MODE_RESOURCE_ADDR_TRANS_MODE 3 + #define H_SET_MODE_RESOURCE_LE 4 + ++/* H_GET_CPU_CHARACTERISTICS return values */ ++#define H_CPU_CHAR_SPEC_BAR_ORI31 (1ull << 63) // IBM bit 0 ++#define H_CPU_CHAR_BCCTRL_SERIALISED (1ull << 62) // IBM bit 1 ++#define H_CPU_CHAR_L1D_FLUSH_ORI30 (1ull << 61) // IBM bit 2 ++#define H_CPU_CHAR_L1D_FLUSH_TRIG2 (1ull << 60) // IBM bit 3 ++#define H_CPU_CHAR_L1D_THREAD_PRIV (1ull << 59) // IBM bit 4 ++ ++#define H_CPU_BEHAV_FAVOUR_SECURITY (1ull << 63) // IBM bit 0 ++#define H_CPU_BEHAV_L1D_FLUSH_PR (1ull << 62) // IBM bit 1 ++#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR (1ull << 61) // IBM bit 2 ++ + #ifndef __ASSEMBLY__ ++#include <linux/types.h> + + /** + * plpar_hcall_norets: - Make a pseries hypervisor call with no return arguments +@@ -423,6 +436,11 @@ extern long pseries_big_endian_exceptions(void); + + #endif /* CONFIG_PPC_PSERIES */ + ++struct h_cpu_char_result { ++ u64 character; ++ u64 behaviour; ++}; ++ + #endif /* __ASSEMBLY__ */ + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_HVCALL_H */ +diff --git a/arch/powerpc/include/asm/paca.h b/arch/powerpc/include/asm/paca.h +index 70bd4381f8e6..08e5df3395fa 100644 +--- a/arch/powerpc/include/asm/paca.h ++++ b/arch/powerpc/include/asm/paca.h +@@ -192,6 +192,15 @@ struct paca_struct { + #endif + struct kvmppc_host_state kvm_hstate; + #endif ++#ifdef CONFIG_PPC_BOOK3S_64 ++ /* ++ * rfi fallback flush must be in its own cacheline to prevent ++ * other paca data leaking into the L1d ++ */ ++ u64 exrfi[13] __aligned(0x80); ++ void *rfi_flush_fallback_area; ++ u64 l1d_flush_size; ++#endif + }; + + extern struct paca_struct *paca; +diff --git a/arch/powerpc/include/asm/plpar_wrappers.h b/arch/powerpc/include/asm/plpar_wrappers.h +index 67859edbf8fd..6e05cb397a5c 100644 +--- a/arch/powerpc/include/asm/plpar_wrappers.h ++++ b/arch/powerpc/include/asm/plpar_wrappers.h +@@ -323,4 +323,18 @@ static inline long plapr_set_watchpoint0(unsigned long dawr0, unsigned long dawr + return plpar_set_mode(0, H_SET_MODE_RESOURCE_SET_DAWR, dawr0, dawrx0); + } + ++static inline long plpar_get_cpu_characteristics(struct h_cpu_char_result *p) ++{ ++ unsigned long retbuf[PLPAR_HCALL_BUFSIZE]; ++ long rc; ++ ++ rc = plpar_hcall(H_GET_CPU_CHARACTERISTICS, retbuf); ++ if (rc == H_SUCCESS) { ++ p->character = retbuf[0]; ++ p->behaviour = retbuf[1]; ++ } ++ ++ return rc; ++} ++ + #endif /* _ASM_POWERPC_PLPAR_WRAPPERS_H */ +diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h +index dd0fc18d8103..160bb2311bbb 100644 +--- a/arch/powerpc/include/asm/ppc_asm.h ++++ b/arch/powerpc/include/asm/ppc_asm.h +@@ -224,6 +224,16 @@ name: \ + .globl name; \ + name: + ++#define _KPROBE_TOC(name) \ ++ .section ".kprobes.text","a"; \ ++ .align 2 ; \ ++ .type name,@function; \ ++ .globl name; \ ++name: \ ++0: addis r2,r12,(.TOC.-0b)@ha; \ ++ addi r2,r2,(.TOC.-0b)@l; \ ++ .localentry name,.-name ++ + #define DOTSYM(a) a + + #else +@@ -261,6 +271,8 @@ name: \ + .type GLUE(.,name),@function; \ + GLUE(.,name): + ++#define _KPROBE_TOC(n) _KPROBE(n) ++ + #define DOTSYM(a) GLUE(.,a) + + #endif +diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h +index e9d384cbd021..7916b56f2e60 100644 +--- a/arch/powerpc/include/asm/setup.h ++++ b/arch/powerpc/include/asm/setup.h +@@ -26,6 +26,19 @@ void initmem_init(void); + void setup_panic(void); + #define ARCH_PANIC_TIMEOUT 180 + ++void rfi_flush_enable(bool enable); ++ ++/* These are bit flags */ ++enum l1d_flush_type { ++ L1D_FLUSH_NONE = 0x1, ++ L1D_FLUSH_FALLBACK = 0x2, ++ L1D_FLUSH_ORI = 0x4, ++ L1D_FLUSH_MTTRIG = 0x8, ++}; ++ ++void __init setup_rfi_flush(enum l1d_flush_type, bool enable); ++void do_rfi_flush_fixups(enum l1d_flush_type types); ++ + #endif /* !__ASSEMBLY__ */ + + #endif /* _ASM_POWERPC_SETUP_H */ +diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c +index d8d332e65078..23fe603a98d3 100644 +--- a/arch/powerpc/kernel/asm-offsets.c ++++ b/arch/powerpc/kernel/asm-offsets.c +@@ -244,6 +244,9 @@ int main(void) + #ifdef CONFIG_PPC_BOOK3S_64 + DEFINE(PACAMCEMERGSP, offsetof(struct paca_struct, mc_emergency_sp)); + DEFINE(PACA_IN_MCE, offsetof(struct paca_struct, in_mce)); ++ DEFINE(PACA_RFI_FLUSH_FALLBACK_AREA, offsetof(struct paca_struct, rfi_flush_fallback_area)); ++ DEFINE(PACA_EXRFI, offsetof(struct paca_struct, exrfi)); ++ DEFINE(PACA_L1D_FLUSH_SIZE, offsetof(struct paca_struct, l1d_flush_size)); + #endif + DEFINE(PACAHWCPUID, offsetof(struct paca_struct, hw_cpu_id)); + DEFINE(PACAKEXECSTATE, offsetof(struct paca_struct, kexec_state)); +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S +index de276553cc79..36a8bf3d053b 100644 +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -34,6 +34,11 @@ + #include <asm/ftrace.h> + #include <asm/hw_irq.h> + #include <asm/context_tracking.h> ++#ifdef CONFIG_PPC_BOOK3S ++#include <asm/exception-64s.h> ++#else ++#include <asm/exception-64e.h> ++#endif + + /* + * System calls. +@@ -218,13 +223,23 @@ END_FTR_SECTION_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS) + ACCOUNT_CPU_USER_EXIT(r11, r12) + HMT_MEDIUM_LOW_HAS_PPR + ld r13,GPR13(r1) /* only restore r13 if returning to usermode */ ++ ld r2,GPR2(r1) ++ ld r1,GPR1(r1) ++ mtlr r4 ++ mtcr r5 ++ mtspr SPRN_SRR0,r7 ++ mtspr SPRN_SRR1,r8 ++ RFI_TO_USER ++ b . /* prevent speculative execution */ ++ ++ /* exit to kernel */ + 1: ld r2,GPR2(r1) + ld r1,GPR1(r1) + mtlr r4 + mtcr r5 + mtspr SPRN_SRR0,r7 + mtspr SPRN_SRR1,r8 +- RFI ++ RFI_TO_KERNEL + b . /* prevent speculative execution */ + + syscall_error: +@@ -840,7 +855,7 @@ BEGIN_FTR_SECTION + END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) + ACCOUNT_CPU_USER_EXIT(r2, r4) + REST_GPR(13, r1) +-1: ++ + mtspr SPRN_SRR1,r3 + + ld r2,_CCR(r1) +@@ -853,8 +868,22 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) + ld r3,GPR3(r1) + ld r4,GPR4(r1) + ld r1,GPR1(r1) ++ RFI_TO_USER ++ b . /* prevent speculative execution */ ++ ++1: mtspr SPRN_SRR1,r3 ++ ++ ld r2,_CCR(r1) ++ mtcrf 0xFF,r2 ++ ld r2,_NIP(r1) ++ mtspr SPRN_SRR0,r2 + +- rfid ++ ld r0,GPR0(r1) ++ ld r2,GPR2(r1) ++ ld r3,GPR3(r1) ++ ld r4,GPR4(r1) ++ ld r1,GPR1(r1) ++ RFI_TO_KERNEL + b . /* prevent speculative execution */ + + #endif /* CONFIG_PPC_BOOK3E */ +@@ -1030,7 +1059,7 @@ _GLOBAL(enter_rtas) + + mtspr SPRN_SRR0,r5 + mtspr SPRN_SRR1,r6 +- rfid ++ RFI_TO_KERNEL + b . /* prevent speculative execution */ + + rtas_return_loc: +@@ -1055,7 +1084,7 @@ rtas_return_loc: + + mtspr SPRN_SRR0,r3 + mtspr SPRN_SRR1,r4 +- rfid ++ RFI_TO_KERNEL + b . /* prevent speculative execution */ + + .align 3 +@@ -1126,7 +1155,7 @@ _GLOBAL(enter_prom) + LOAD_REG_IMMEDIATE(r12, MSR_SF | MSR_ISF | MSR_LE) + andc r11,r11,r12 + mtsrr1 r11 +- rfid ++ RFI_TO_KERNEL + #endif /* CONFIG_PPC_BOOK3E */ + + 1: /* Return from OF */ +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 7662bfae0493..3b8991df5101 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -46,7 +46,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE) \ + mtspr SPRN_SRR0,r10 ; \ + ld r10,PACAKMSR(r13) ; \ + mtspr SPRN_SRR1,r10 ; \ +- rfid ; \ ++ RFI_TO_KERNEL ; \ + b . ; /* prevent speculative execution */ + + #define SYSCALL_PSERIES_3 \ +@@ -54,7 +54,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE) \ + 1: mfspr r12,SPRN_SRR1 ; \ + xori r12,r12,MSR_LE ; \ + mtspr SPRN_SRR1,r12 ; \ +- rfid ; /* return to userspace */ \ ++ RFI_TO_USER ; /* return to userspace */ \ + b . ; /* prevent speculative execution */ + + #if defined(CONFIG_RELOCATABLE) +@@ -508,7 +508,7 @@ BEGIN_FTR_SECTION + LOAD_HANDLER(r12, machine_check_handle_early) + 1: mtspr SPRN_SRR0,r12 + mtspr SPRN_SRR1,r11 +- rfid ++ RFI_TO_KERNEL + b . /* prevent speculative execution */ + 2: + /* Stack overflow. Stay on emergency stack and panic. +@@ -602,7 +602,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_CFAR) + ld r11,PACA_EXGEN+EX_R11(r13) + ld r12,PACA_EXGEN+EX_R12(r13) + ld r13,PACA_EXGEN+EX_R13(r13) +- HRFID ++ HRFI_TO_UNKNOWN + b . + #endif + +@@ -667,7 +667,7 @@ masked_##_H##interrupt: \ + ld r10,PACA_EXGEN+EX_R10(r13); \ + ld r11,PACA_EXGEN+EX_R11(r13); \ + GET_SCRATCH0(r13); \ +- ##_H##rfid; \ ++ ##_H##RFI_TO_KERNEL; \ + b . + + MASKED_INTERRUPT() +@@ -757,7 +757,7 @@ kvmppc_skip_interrupt: + addi r13, r13, 4 + mtspr SPRN_SRR0, r13 + GET_SCRATCH0(r13) +- rfid ++ RFI_TO_KERNEL + b . + + kvmppc_skip_Hinterrupt: +@@ -769,7 +769,7 @@ kvmppc_skip_Hinterrupt: + addi r13, r13, 4 + mtspr SPRN_HSRR0, r13 + GET_SCRATCH0(r13) +- hrfid ++ HRFI_TO_KERNEL + b . + #endif + +@@ -1447,7 +1447,7 @@ machine_check_handle_early: + li r3,MSR_ME + andc r10,r10,r3 /* Turn off MSR_ME */ + mtspr SPRN_SRR1,r10 +- rfid ++ RFI_TO_KERNEL + b . + 2: + /* +@@ -1465,7 +1465,7 @@ machine_check_handle_early: + */ + bl machine_check_queue_event + MACHINE_CHECK_HANDLER_WINDUP +- rfid ++ RFI_TO_USER_OR_KERNEL + 9: + /* Deliver the machine check to host kernel in V mode. */ + MACHINE_CHECK_HANDLER_WINDUP +@@ -1511,6 +1511,8 @@ slb_miss_realmode: + + andi. r10,r12,MSR_RI /* check for unrecoverable exception */ + beq- 2f ++ andi. r10,r12,MSR_PR /* check for user mode (PR != 0) */ ++ bne 1f + + .machine push + .machine "power4" +@@ -1524,7 +1526,23 @@ slb_miss_realmode: + ld r11,PACA_EXSLB+EX_R11(r13) + ld r12,PACA_EXSLB+EX_R12(r13) + ld r13,PACA_EXSLB+EX_R13(r13) +- rfid ++ RFI_TO_KERNEL ++ b . /* prevent speculative execution */ ++ ++1: ++.machine push ++.machine "power4" ++ mtcrf 0x80,r9 ++ mtcrf 0x01,r9 /* slb_allocate uses cr0 and cr7 */ ++.machine pop ++ ++ RESTORE_PPR_PACA(PACA_EXSLB, r9) ++ ld r9,PACA_EXSLB+EX_R9(r13) ++ ld r10,PACA_EXSLB+EX_R10(r13) ++ ld r11,PACA_EXSLB+EX_R11(r13) ++ ld r12,PACA_EXSLB+EX_R12(r13) ++ ld r13,PACA_EXSLB+EX_R13(r13) ++ RFI_TO_USER + b . /* prevent speculative execution */ + + 2: mfspr r11,SPRN_SRR0 +@@ -1533,7 +1551,7 @@ slb_miss_realmode: + mtspr SPRN_SRR0,r10 + ld r10,PACAKMSR(r13) + mtspr SPRN_SRR1,r10 +- rfid ++ RFI_TO_KERNEL + b . + + unrecov_slb: +@@ -1554,6 +1572,88 @@ power4_fixup_nap: + blr + #endif + ++ .globl rfi_flush_fallback ++rfi_flush_fallback: ++ SET_SCRATCH0(r13); ++ GET_PACA(r13); ++ std r9,PACA_EXRFI+EX_R9(r13) ++ std r10,PACA_EXRFI+EX_R10(r13) ++ std r11,PACA_EXRFI+EX_R11(r13) ++ mfctr r9 ++ ld r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13) ++ ld r11,PACA_L1D_FLUSH_SIZE(r13) ++ srdi r11,r11,(7 + 3) /* 128 byte lines, unrolled 8x */ ++ mtctr r11 ++ DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */ ++ ++ /* order ld/st prior to dcbt stop all streams with flushing */ ++ sync ++ ++ /* ++ * The load adresses are at staggered offsets within cachelines, ++ * which suits some pipelines better (on others it should not ++ * hurt). ++ */ ++1: ++ ld r11,(0x80 + 8)*0(r10) ++ ld r11,(0x80 + 8)*1(r10) ++ ld r11,(0x80 + 8)*2(r10) ++ ld r11,(0x80 + 8)*3(r10) ++ ld r11,(0x80 + 8)*4(r10) ++ ld r11,(0x80 + 8)*5(r10) ++ ld r11,(0x80 + 8)*6(r10) ++ ld r11,(0x80 + 8)*7(r10) ++ addi r10,r10,0x80*8 ++ bdnz 1b ++ ++ mtctr r9 ++ ld r9,PACA_EXRFI+EX_R9(r13) ++ ld r10,PACA_EXRFI+EX_R10(r13) ++ ld r11,PACA_EXRFI+EX_R11(r13) ++ GET_SCRATCH0(r13); ++ rfid ++ ++ .globl hrfi_flush_fallback ++hrfi_flush_fallback: ++ SET_SCRATCH0(r13); ++ GET_PACA(r13); ++ std r9,PACA_EXRFI+EX_R9(r13) ++ std r10,PACA_EXRFI+EX_R10(r13) ++ std r11,PACA_EXRFI+EX_R11(r13) ++ mfctr r9 ++ ld r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13) ++ ld r11,PACA_L1D_FLUSH_SIZE(r13) ++ srdi r11,r11,(7 + 3) /* 128 byte lines, unrolled 8x */ ++ mtctr r11 ++ DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */ ++ ++ /* order ld/st prior to dcbt stop all streams with flushing */ ++ sync ++ ++ /* ++ * The load adresses are at staggered offsets within cachelines, ++ * which suits some pipelines better (on others it should not ++ * hurt). ++ */ ++1: ++ ld r11,(0x80 + 8)*0(r10) ++ ld r11,(0x80 + 8)*1(r10) ++ ld r11,(0x80 + 8)*2(r10) ++ ld r11,(0x80 + 8)*3(r10) ++ ld r11,(0x80 + 8)*4(r10) ++ ld r11,(0x80 + 8)*5(r10) ++ ld r11,(0x80 + 8)*6(r10) ++ ld r11,(0x80 + 8)*7(r10) ++ addi r10,r10,0x80*8 ++ bdnz 1b ++ ++ mtctr r9 ++ ld r9,PACA_EXRFI+EX_R9(r13) ++ ld r10,PACA_EXRFI+EX_R10(r13) ++ ld r11,PACA_EXRFI+EX_R11(r13) ++ GET_SCRATCH0(r13); ++ hrfid ++ + /* + * Hash table stuff + */ +diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S +index 4e314b90c75d..1f979d5617a2 100644 +--- a/arch/powerpc/kernel/misc_64.S ++++ b/arch/powerpc/kernel/misc_64.S +@@ -65,7 +65,7 @@ PPC64_CACHES: + * flush all bytes from start through stop-1 inclusive + */ + +-_KPROBE(flush_icache_range) ++_KPROBE_TOC(flush_icache_range) + BEGIN_FTR_SECTION + PURGE_PREFETCHED_INS + blr +@@ -116,7 +116,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE) + * + * flush all bytes from start to stop-1 inclusive + */ +-_GLOBAL(flush_dcache_range) ++_GLOBAL_TOC(flush_dcache_range) + + /* + * Flush the data cache to memory +@@ -634,31 +634,3 @@ _GLOBAL(kexec_sequence) + li r5,0 + blr /* image->start(physid, image->start, 0); */ + #endif /* CONFIG_KEXEC */ +- +-#ifdef CONFIG_MODULES +-#if defined(_CALL_ELF) && _CALL_ELF == 2 +- +-#ifdef CONFIG_MODVERSIONS +-.weak __crc_TOC. +-.section "___kcrctab+TOC.","a" +-.globl __kcrctab_TOC. +-__kcrctab_TOC.: +- .llong __crc_TOC. +-#endif +- +-/* +- * Export a fake .TOC. since both modpost and depmod will complain otherwise. +- * Both modpost and depmod strip the leading . so we do the same here. +- */ +-.section "__ksymtab_strings","a" +-__kstrtab_TOC.: +- .asciz "TOC." +- +-.section "___ksymtab+TOC.","a" +-/* This symbol name is important: it's used by modpost to find exported syms */ +-.globl __ksymtab_TOC. +-__ksymtab_TOC.: +- .llong 0 /* .value */ +- .llong __kstrtab_TOC. +-#endif /* ELFv2 */ +-#endif /* MODULES */ +diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c +index e4f7d4eed20c..08b7a40de5f8 100644 +--- a/arch/powerpc/kernel/module_64.c ++++ b/arch/powerpc/kernel/module_64.c +@@ -326,7 +326,10 @@ static void dedotify_versions(struct modversion_info *vers, + } + } + +-/* Undefined symbols which refer to .funcname, hack to funcname (or .TOC.) */ ++/* ++ * Undefined symbols which refer to .funcname, hack to funcname. Make .TOC. ++ * seem to be defined (value set later). ++ */ + static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab) + { + unsigned int i; +@@ -334,8 +337,11 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab) + for (i = 1; i < numsyms; i++) { + if (syms[i].st_shndx == SHN_UNDEF) { + char *name = strtab + syms[i].st_name; +- if (name[0] == '.') ++ if (name[0] == '.') { ++ if (strcmp(name+1, "TOC.") == 0) ++ syms[i].st_shndx = SHN_ABS; + syms[i].st_name++; ++ } + } + } + } +@@ -351,7 +357,7 @@ static Elf64_Sym *find_dot_toc(Elf64_Shdr *sechdrs, + numsyms = sechdrs[symindex].sh_size / sizeof(Elf64_Sym); + + for (i = 1; i < numsyms; i++) { +- if (syms[i].st_shndx == SHN_UNDEF ++ if (syms[i].st_shndx == SHN_ABS + && strcmp(strtab + syms[i].st_name, "TOC.") == 0) + return &syms[i]; + } +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index dd023904bac5..9579f9c13315 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -209,7 +209,8 @@ void enable_kernel_vsx(void) + WARN_ON(preemptible()); + + #ifdef CONFIG_SMP +- if (current->thread.regs && (current->thread.regs->msr & MSR_VSX)) ++ if (current->thread.regs && ++ (current->thread.regs->msr & (MSR_VSX|MSR_VEC|MSR_FP))) + giveup_vsx(current); + else + giveup_vsx(NULL); /* just enable vsx for kernel - force */ +@@ -231,7 +232,7 @@ void flush_vsx_to_thread(struct task_struct *tsk) + { + if (tsk->thread.regs) { + preempt_disable(); +- if (tsk->thread.regs->msr & MSR_VSX) { ++ if (tsk->thread.regs->msr & (MSR_VSX|MSR_VEC|MSR_FP)) { + #ifdef CONFIG_SMP + BUG_ON(tsk != current); + #endif +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index f21897b42057..93f200f14e19 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -376,7 +376,7 @@ static int fpr_get(struct task_struct *target, const struct user_regset *regset, + + #else + BUILD_BUG_ON(offsetof(struct thread_fp_state, fpscr) != +- offsetof(struct thread_fp_state, fpr[32][0])); ++ offsetof(struct thread_fp_state, fpr[32])); + + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, + &target->thread.fp_state, 0, -1); +@@ -404,7 +404,7 @@ static int fpr_set(struct task_struct *target, const struct user_regset *regset, + return 0; + #else + BUILD_BUG_ON(offsetof(struct thread_fp_state, fpscr) != +- offsetof(struct thread_fp_state, fpr[32][0])); ++ offsetof(struct thread_fp_state, fpr[32])); + + return user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &target->thread.fp_state, 0, -1); +diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c +index 8161d66830a2..c6ebe398def1 100644 +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -38,6 +38,7 @@ + #include <linux/hugetlb.h> + #include <linux/memory.h> + #include <linux/nmi.h> ++#include <linux/debugfs.h> + + #include <asm/io.h> + #include <asm/kdump.h> +@@ -807,4 +808,131 @@ static int __init disable_hardlockup_detector(void) + return 0; + } + early_initcall(disable_hardlockup_detector); ++ ++#ifdef CONFIG_PPC_BOOK3S_64 ++static enum l1d_flush_type enabled_flush_types; ++static void *l1d_flush_fallback_area; ++static bool no_rfi_flush; ++bool rfi_flush; ++ ++static int __init handle_no_rfi_flush(char *p) ++{ ++ pr_info("rfi-flush: disabled on command line."); ++ no_rfi_flush = true; ++ return 0; ++} ++early_param("no_rfi_flush", handle_no_rfi_flush); ++ ++/* ++ * The RFI flush is not KPTI, but because users will see doco that says to use ++ * nopti we hijack that option here to also disable the RFI flush. ++ */ ++static int __init handle_no_pti(char *p) ++{ ++ pr_info("rfi-flush: disabling due to 'nopti' on command line.\n"); ++ handle_no_rfi_flush(NULL); ++ return 0; ++} ++early_param("nopti", handle_no_pti); ++ ++static void do_nothing(void *unused) ++{ ++ /* ++ * We don't need to do the flush explicitly, just enter+exit kernel is ++ * sufficient, the RFI exit handlers will do the right thing. ++ */ ++} ++ ++void rfi_flush_enable(bool enable) ++{ ++ if (rfi_flush == enable) ++ return; ++ ++ if (enable) { ++ do_rfi_flush_fixups(enabled_flush_types); ++ on_each_cpu(do_nothing, NULL, 1); ++ } else ++ do_rfi_flush_fixups(L1D_FLUSH_NONE); ++ ++ rfi_flush = enable; ++} ++ ++static void init_fallback_flush(void) ++{ ++ u64 l1d_size, limit; ++ int cpu; ++ ++ l1d_size = ppc64_caches.dsize; ++ limit = min(safe_stack_limit(), ppc64_rma_size); ++ ++ /* ++ * Align to L1d size, and size it at 2x L1d size, to catch possible ++ * hardware prefetch runoff. We don't have a recipe for load patterns to ++ * reliably avoid the prefetcher. ++ */ ++ l1d_flush_fallback_area = __va(memblock_alloc_base(l1d_size * 2, l1d_size, limit)); ++ memset(l1d_flush_fallback_area, 0, l1d_size * 2); ++ ++ for_each_possible_cpu(cpu) { ++ paca[cpu].rfi_flush_fallback_area = l1d_flush_fallback_area; ++ paca[cpu].l1d_flush_size = l1d_size; ++ } ++} ++ ++void __init setup_rfi_flush(enum l1d_flush_type types, bool enable) ++{ ++ if (types & L1D_FLUSH_FALLBACK) { ++ pr_info("rfi-flush: Using fallback displacement flush\n"); ++ init_fallback_flush(); ++ } ++ ++ if (types & L1D_FLUSH_ORI) ++ pr_info("rfi-flush: Using ori type flush\n"); ++ ++ if (types & L1D_FLUSH_MTTRIG) ++ pr_info("rfi-flush: Using mttrig type flush\n"); ++ ++ enabled_flush_types = types; ++ ++ if (!no_rfi_flush) ++ rfi_flush_enable(enable); ++} ++ ++#ifdef CONFIG_DEBUG_FS ++static int rfi_flush_set(void *data, u64 val) ++{ ++ if (val == 1) ++ rfi_flush_enable(true); ++ else if (val == 0) ++ rfi_flush_enable(false); ++ else ++ return -EINVAL; ++ ++ return 0; ++} ++ ++static int rfi_flush_get(void *data, u64 *val) ++{ ++ *val = rfi_flush ? 1 : 0; ++ return 0; ++} ++ ++DEFINE_SIMPLE_ATTRIBUTE(fops_rfi_flush, rfi_flush_get, rfi_flush_set, "%llu\n"); ++ ++static __init int rfi_flush_debugfs_init(void) ++{ ++ debugfs_create_file("rfi_flush", 0600, powerpc_debugfs_root, NULL, &fops_rfi_flush); ++ return 0; ++} ++device_initcall(rfi_flush_debugfs_init); ++#endif ++ ++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ if (rfi_flush) ++ return sprintf(buf, "Mitigation: RFI Flush\n"); ++ ++ return sprintf(buf, "Vulnerable\n"); ++} ++#endif /* CONFIG_PPC_BOOK3S_64 */ + #endif +diff --git a/arch/powerpc/kernel/vdso64/datapage.S b/arch/powerpc/kernel/vdso64/datapage.S +index 79796de11737..3263ee23170d 100644 +--- a/arch/powerpc/kernel/vdso64/datapage.S ++++ b/arch/powerpc/kernel/vdso64/datapage.S +@@ -57,7 +57,7 @@ V_FUNCTION_BEGIN(__kernel_get_syscall_map) + bl V_LOCAL_FUNC(__get_datapage) + mtlr r12 + addi r3,r3,CFG_SYSCALL_MAP64 +- cmpli cr0,r4,0 ++ cmpldi cr0,r4,0 + crclr cr0*4+so + beqlr + li r0,__NR_syscalls +diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S +index a76b4af37ef2..382021324883 100644 +--- a/arch/powerpc/kernel/vdso64/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso64/gettimeofday.S +@@ -145,7 +145,7 @@ V_FUNCTION_BEGIN(__kernel_clock_getres) + bne cr0,99f + + li r3,0 +- cmpli cr0,r4,0 ++ cmpldi cr0,r4,0 + crclr cr0*4+so + beqlr + lis r5,CLOCK_REALTIME_RES@h +diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S +index 1db685104ffc..b542a80477c8 100644 +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -72,6 +72,15 @@ SECTIONS + /* Read-only data */ + RODATA + ++#ifdef CONFIG_PPC64 ++ . = ALIGN(8); ++ __rfi_flush_fixup : AT(ADDR(__rfi_flush_fixup) - LOAD_OFFSET) { ++ __start___rfi_flush_fixup = .; ++ *(__rfi_flush_fixup) ++ __stop___rfi_flush_fixup = .; ++ } ++#endif ++ + EXCEPTION_TABLE(0) + + NOTES :kernel :notes +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index a3018f109cd3..a7bd4100f158 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -64,7 +64,7 @@ _GLOBAL_TOC(kvmppc_hv_entry_trampoline) + mtmsrd r0,1 /* clear RI in MSR */ + mtsrr0 r5 + mtsrr1 r6 +- RFI ++ RFI_TO_KERNEL + + kvmppc_call_hv_entry: + ld r4, HSTATE_KVM_VCPU(r13) +@@ -164,7 +164,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) + mtsrr0 r8 + mtsrr1 r7 + beq cr1, 13f /* machine check */ +- RFI ++ RFI_TO_KERNEL + + /* On POWER7, we have external interrupts set to use HSRR0/1 */ + 11: mtspr SPRN_HSRR0, r8 +@@ -877,8 +877,7 @@ BEGIN_FTR_SECTION + END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) + ld r0, VCPU_GPR(R0)(r4) + ld r4, VCPU_GPR(R4)(r4) +- +- hrfid ++ HRFI_TO_GUEST + b . + + secondary_too_late: +diff --git a/arch/powerpc/kvm/book3s_rmhandlers.S b/arch/powerpc/kvm/book3s_rmhandlers.S +index 16c4d88ba27d..a328f99a887c 100644 +--- a/arch/powerpc/kvm/book3s_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_rmhandlers.S +@@ -46,6 +46,9 @@ + + #define FUNC(name) name + ++#define RFI_TO_KERNEL RFI ++#define RFI_TO_GUEST RFI ++ + .macro INTERRUPT_TRAMPOLINE intno + + .global kvmppc_trampoline_\intno +@@ -141,7 +144,7 @@ kvmppc_handler_skip_ins: + GET_SCRATCH0(r13) + + /* And get back into the code */ +- RFI ++ RFI_TO_KERNEL + #endif + + /* +@@ -164,6 +167,6 @@ _GLOBAL_TOC(kvmppc_entry_trampoline) + ori r5, r5, MSR_EE + mtsrr0 r7 + mtsrr1 r6 +- RFI ++ RFI_TO_KERNEL + + #include "book3s_segment.S" +diff --git a/arch/powerpc/kvm/book3s_segment.S b/arch/powerpc/kvm/book3s_segment.S +index acee37cde840..af3a91c00b46 100644 +--- a/arch/powerpc/kvm/book3s_segment.S ++++ b/arch/powerpc/kvm/book3s_segment.S +@@ -156,7 +156,7 @@ no_dcbz32_on: + PPC_LL r9, SVCPU_R9(r3) + PPC_LL r3, (SVCPU_R3)(r3) + +- RFI ++ RFI_TO_GUEST + kvmppc_handler_trampoline_enter_end: + + +@@ -389,5 +389,5 @@ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE) + cmpwi r12, BOOK3S_INTERRUPT_DOORBELL + beqa BOOK3S_INTERRUPT_DOORBELL + +- RFI ++ RFI_TO_KERNEL + kvmppc_handler_trampoline_exit_end: +diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c +index 7ce3870d7ddd..a18d648d31a6 100644 +--- a/arch/powerpc/lib/feature-fixups.c ++++ b/arch/powerpc/lib/feature-fixups.c +@@ -20,6 +20,7 @@ + #include <asm/code-patching.h> + #include <asm/page.h> + #include <asm/sections.h> ++#include <asm/setup.h> + + + struct fixup_entry { +@@ -113,6 +114,47 @@ void do_feature_fixups(unsigned long value, void *fixup_start, void *fixup_end) + } + } + ++#ifdef CONFIG_PPC_BOOK3S_64 ++void do_rfi_flush_fixups(enum l1d_flush_type types) ++{ ++ unsigned int instrs[3], *dest; ++ long *start, *end; ++ int i; ++ ++ start = PTRRELOC(&__start___rfi_flush_fixup), ++ end = PTRRELOC(&__stop___rfi_flush_fixup); ++ ++ instrs[0] = 0x60000000; /* nop */ ++ instrs[1] = 0x60000000; /* nop */ ++ instrs[2] = 0x60000000; /* nop */ ++ ++ if (types & L1D_FLUSH_FALLBACK) ++ /* b .+16 to fallback flush */ ++ instrs[0] = 0x48000010; ++ ++ i = 0; ++ if (types & L1D_FLUSH_ORI) { ++ instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */ ++ instrs[i++] = 0x63de0000; /* ori 30,30,0 L1d flush*/ ++ } ++ ++ if (types & L1D_FLUSH_MTTRIG) ++ instrs[i++] = 0x7c12dba6; /* mtspr TRIG2,r0 (SPR #882) */ ++ ++ for (i = 0; start < end; start++, i++) { ++ dest = (void *)start + *start; ++ ++ pr_devel("patching dest %lx\n", (unsigned long)dest); ++ ++ patch_instruction(dest, instrs[0]); ++ patch_instruction(dest + 1, instrs[1]); ++ patch_instruction(dest + 2, instrs[2]); ++ } ++ ++ printk(KERN_DEBUG "rfi-flush: patched %d locations\n", i); ++} ++#endif /* CONFIG_PPC_BOOK3S_64 */ ++ + void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end) + { + long *start, *end; +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index d90893b76e7c..b7e1307fe633 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -401,8 +401,12 @@ static __u64 power_pmu_bhrb_to(u64 addr) + int ret; + __u64 target; + +- if (is_kernel_addr(addr)) +- return branch_target((unsigned int *)addr); ++ if (is_kernel_addr(addr)) { ++ if (probe_kernel_read(&instr, (void *)addr, sizeof(instr))) ++ return 0; ++ ++ return branch_target(&instr); ++ } + + /* Userspace: need copy instruction here then translate it */ + pagefault_disable(); +@@ -1377,7 +1381,7 @@ static int collect_events(struct perf_event *group, int max_count, + int n = 0; + struct perf_event *event; + +- if (!is_software_event(group)) { ++ if (group->pmu->task_ctx_nr == perf_hw_context) { + if (n >= max_count) + return -1; + ctrs[n] = group; +@@ -1385,7 +1389,7 @@ static int collect_events(struct perf_event *group, int max_count, + events[n++] = group->hw.config; + } + list_for_each_entry(event, &group->sibling_list, group_entry) { +- if (!is_software_event(event) && ++ if (event->pmu->task_ctx_nr == perf_hw_context && + event->state != PERF_EVENT_STATE_OFF) { + if (n >= max_count) + return -1; +diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c +index 20974478f8d0..e3c98361e6e4 100644 +--- a/arch/powerpc/platforms/powernv/setup.c ++++ b/arch/powerpc/platforms/powernv/setup.c +@@ -38,14 +38,63 @@ + #include <asm/cputhreads.h> + #include <asm/cpuidle.h> + #include <asm/code-patching.h> ++#include <asm/setup.h> + + #include "powernv.h" + #include "subcore.h" + ++static void pnv_setup_rfi_flush(void) ++{ ++ struct device_node *np, *fw_features; ++ enum l1d_flush_type type; ++ int enable; ++ ++ /* Default to fallback in case fw-features are not available */ ++ type = L1D_FLUSH_FALLBACK; ++ enable = 1; ++ ++ np = of_find_node_by_name(NULL, "ibm,opal"); ++ fw_features = of_get_child_by_name(np, "fw-features"); ++ of_node_put(np); ++ ++ if (fw_features) { ++ np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2"); ++ if (np && of_property_read_bool(np, "enabled")) ++ type = L1D_FLUSH_MTTRIG; ++ ++ of_node_put(np); ++ ++ np = of_get_child_by_name(fw_features, "inst-l1d-flush-ori30,30,0"); ++ if (np && of_property_read_bool(np, "enabled")) ++ type = L1D_FLUSH_ORI; ++ ++ of_node_put(np); ++ ++ /* Enable unless firmware says NOT to */ ++ enable = 2; ++ np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-hv-1-to-0"); ++ if (np && of_property_read_bool(np, "disabled")) ++ enable--; ++ ++ of_node_put(np); ++ ++ np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-pr-0-to-1"); ++ if (np && of_property_read_bool(np, "disabled")) ++ enable--; ++ ++ of_node_put(np); ++ of_node_put(fw_features); ++ } ++ ++ setup_rfi_flush(type, enable > 0); ++} ++ + static void __init pnv_setup_arch(void) + { + set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT); + ++ pnv_setup_rfi_flush(); ++ + /* Initialize SMP */ + pnv_smp_init(); + +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index e6e8b241d717..b4867b4d5a1e 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -507,6 +507,39 @@ static void __init find_and_init_phbs(void) + } + } + ++static void pseries_setup_rfi_flush(void) ++{ ++ struct h_cpu_char_result result; ++ enum l1d_flush_type types; ++ bool enable; ++ long rc; ++ ++ /* Enable by default */ ++ enable = true; ++ ++ rc = plpar_get_cpu_characteristics(&result); ++ if (rc == H_SUCCESS) { ++ types = L1D_FLUSH_NONE; ++ ++ if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2) ++ types |= L1D_FLUSH_MTTRIG; ++ if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30) ++ types |= L1D_FLUSH_ORI; ++ ++ /* Use fallback if nothing set in hcall */ ++ if (types == L1D_FLUSH_NONE) ++ types = L1D_FLUSH_FALLBACK; ++ ++ if (!(result.behaviour & H_CPU_BEHAV_L1D_FLUSH_PR)) ++ enable = false; ++ } else { ++ /* Default to fallback if case hcall is not available */ ++ types = L1D_FLUSH_FALLBACK; ++ } ++ ++ setup_rfi_flush(types, enable); ++} ++ + static void __init pSeries_setup_arch(void) + { + set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT); +@@ -523,7 +556,9 @@ static void __init pSeries_setup_arch(void) + + fwnmi_init(); + +- /* By default, only probe PCI (can be overriden by rtas_pci) */ ++ pseries_setup_rfi_flush(); ++ ++ /* By default, only probe PCI (can be overridden by rtas_pci) */ + pci_add_flags(PCI_PROBE_ONLY); + + /* Find and initialize PCI host bridges */ +diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c +index 437e61159279..86f934255eb6 100644 +--- a/arch/s390/kernel/compat_linux.c ++++ b/arch/s390/kernel/compat_linux.c +@@ -110,7 +110,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setregid16, u16, rgid, u16, egid) + + COMPAT_SYSCALL_DEFINE1(s390_setgid16, u16, gid) + { +- return sys_setgid((gid_t)gid); ++ return sys_setgid(low2highgid(gid)); + } + + COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid) +@@ -120,7 +120,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid) + + COMPAT_SYSCALL_DEFINE1(s390_setuid16, u16, uid) + { +- return sys_setuid((uid_t)uid); ++ return sys_setuid(low2highuid(uid)); + } + + COMPAT_SYSCALL_DEFINE3(s390_setresuid16, u16, ruid, u16, euid, u16, suid) +@@ -173,12 +173,12 @@ COMPAT_SYSCALL_DEFINE3(s390_getresgid16, u16 __user *, rgidp, + + COMPAT_SYSCALL_DEFINE1(s390_setfsuid16, u16, uid) + { +- return sys_setfsuid((uid_t)uid); ++ return sys_setfsuid(low2highuid(uid)); + } + + COMPAT_SYSCALL_DEFINE1(s390_setfsgid16, u16, gid) + { +- return sys_setfsgid((gid_t)gid); ++ return sys_setfsgid(low2highgid(gid)); + } + + static int groups16_to_user(u16 __user *grouplist, struct group_info *group_info) +@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16, int, gidsetsize, u16 __user *, grouplis + return retval; + } + ++ groups_sort(group_info); + retval = set_current_groups(group_info); + put_group_info(group_info); + +diff --git a/arch/sh/kernel/traps_32.c b/arch/sh/kernel/traps_32.c +index ff639342a8be..c5b997757988 100644 +--- a/arch/sh/kernel/traps_32.c ++++ b/arch/sh/kernel/traps_32.c +@@ -607,7 +607,8 @@ asmlinkage void do_divide_error(unsigned long r4) + break; + } + +- force_sig_info(SIGFPE, &info, current); ++ info.si_signo = SIGFPE; ++ force_sig_info(info.si_signo, &info, current); + } + #endif + +diff --git a/arch/um/Makefile b/arch/um/Makefile +index 17d4460b1af3..01558aeeba50 100644 +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -116,7 +116,7 @@ archheaders: + archprepare: include/generated/user_constants.h + + LINK-$(CONFIG_LD_SCRIPT_STATIC) += -static +-LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib ++LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib $(call cc-option, -no-pie) + + CFLAGS_NO_HARDENING := $(call cc-option, -fno-PIC,) $(call cc-option, -fno-pic,) \ + $(call cc-option, -fno-stack-protector,) \ +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index a3d283addbde..ffb2cb0495c3 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -982,7 +982,7 @@ config X86_MCE_THRESHOLD + def_bool y + + config X86_MCE_INJECT +- depends on X86_MCE ++ depends on X86_MCE && X86_LOCAL_APIC + tristate "Machine check injector support" + ---help--- + Provide support for injecting machine checks for testing purposes. +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 78c366462e70..48740eb2910c 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -64,12 +64,13 @@ GCOV_PROFILE := n + $(obj)/bzImage: asflags-y := $(SVGA_MODE) + + quiet_cmd_image = BUILD $@ ++silent_redirect_image = >/dev/null + cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \ +- $(obj)/zoffset.h $@ ++ $(obj)/zoffset.h $@ $($(quiet)redirect_image) + + $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE + $(call if_changed,image) +- @echo 'Kernel: $@ is ready' ' (#'`cat .version`')' ++ @$(kecho) 'Kernel: $@ is ready' ' (#'`cat .version`')' + + OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S + $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE +diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S +index 1c3b7ceb36d2..e7273a606a07 100644 +--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S ++++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S +@@ -55,29 +55,31 @@ + #define RAB1bl %bl + #define RAB2bl %cl + ++#define CD0 0x0(%rsp) ++#define CD1 0x8(%rsp) ++#define CD2 0x10(%rsp) ++ ++# used only before/after all rounds + #define RCD0 %r8 + #define RCD1 %r9 + #define RCD2 %r10 + +-#define RCD0d %r8d +-#define RCD1d %r9d +-#define RCD2d %r10d +- +-#define RX0 %rbp +-#define RX1 %r11 +-#define RX2 %r12 ++# used only during rounds ++#define RX0 %r8 ++#define RX1 %r9 ++#define RX2 %r10 + +-#define RX0d %ebp +-#define RX1d %r11d +-#define RX2d %r12d ++#define RX0d %r8d ++#define RX1d %r9d ++#define RX2d %r10d + +-#define RY0 %r13 +-#define RY1 %r14 +-#define RY2 %r15 ++#define RY0 %r11 ++#define RY1 %r12 ++#define RY2 %r13 + +-#define RY0d %r13d +-#define RY1d %r14d +-#define RY2d %r15d ++#define RY0d %r11d ++#define RY1d %r12d ++#define RY2d %r13d + + #define RT0 %rdx + #define RT1 %rsi +@@ -85,6 +87,8 @@ + #define RT0d %edx + #define RT1d %esi + ++#define RT1bl %sil ++ + #define do16bit_ror(rot, op1, op2, T0, T1, tmp1, tmp2, ab, dst) \ + movzbl ab ## bl, tmp2 ## d; \ + movzbl ab ## bh, tmp1 ## d; \ +@@ -92,6 +96,11 @@ + op1##l T0(CTX, tmp2, 4), dst ## d; \ + op2##l T1(CTX, tmp1, 4), dst ## d; + ++#define swap_ab_with_cd(ab, cd, tmp) \ ++ movq cd, tmp; \ ++ movq ab, cd; \ ++ movq tmp, ab; ++ + /* + * Combined G1 & G2 function. Reordered with help of rotates to have moves + * at begining. +@@ -110,15 +119,15 @@ + /* G1,2 && G2,2 */ \ + do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 0, x ## 0); \ + do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 0, y ## 0); \ +- xchgq cd ## 0, ab ## 0; \ ++ swap_ab_with_cd(ab ## 0, cd ## 0, RT0); \ + \ + do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 1, x ## 1); \ + do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 1, y ## 1); \ +- xchgq cd ## 1, ab ## 1; \ ++ swap_ab_with_cd(ab ## 1, cd ## 1, RT0); \ + \ + do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 2, x ## 2); \ + do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 2, y ## 2); \ +- xchgq cd ## 2, ab ## 2; ++ swap_ab_with_cd(ab ## 2, cd ## 2, RT0); + + #define enc_round_end(ab, x, y, n) \ + addl y ## d, x ## d; \ +@@ -168,6 +177,16 @@ + decrypt_round3(ba, dc, (n*2)+1); \ + decrypt_round3(ba, dc, (n*2)); + ++#define push_cd() \ ++ pushq RCD2; \ ++ pushq RCD1; \ ++ pushq RCD0; ++ ++#define pop_cd() \ ++ popq RCD0; \ ++ popq RCD1; \ ++ popq RCD2; ++ + #define inpack3(in, n, xy, m) \ + movq 4*(n)(in), xy ## 0; \ + xorq w+4*m(CTX), xy ## 0; \ +@@ -223,11 +242,8 @@ ENTRY(__twofish_enc_blk_3way) + * %rdx: src, RIO + * %rcx: bool, if true: xor output + */ +- pushq %r15; +- pushq %r14; + pushq %r13; + pushq %r12; +- pushq %rbp; + pushq %rbx; + + pushq %rcx; /* bool xor */ +@@ -235,40 +251,36 @@ ENTRY(__twofish_enc_blk_3way) + + inpack_enc3(); + +- encrypt_cycle3(RAB, RCD, 0); +- encrypt_cycle3(RAB, RCD, 1); +- encrypt_cycle3(RAB, RCD, 2); +- encrypt_cycle3(RAB, RCD, 3); +- encrypt_cycle3(RAB, RCD, 4); +- encrypt_cycle3(RAB, RCD, 5); +- encrypt_cycle3(RAB, RCD, 6); +- encrypt_cycle3(RAB, RCD, 7); ++ push_cd(); ++ encrypt_cycle3(RAB, CD, 0); ++ encrypt_cycle3(RAB, CD, 1); ++ encrypt_cycle3(RAB, CD, 2); ++ encrypt_cycle3(RAB, CD, 3); ++ encrypt_cycle3(RAB, CD, 4); ++ encrypt_cycle3(RAB, CD, 5); ++ encrypt_cycle3(RAB, CD, 6); ++ encrypt_cycle3(RAB, CD, 7); ++ pop_cd(); + + popq RIO; /* dst */ +- popq %rbp; /* bool xor */ ++ popq RT1; /* bool xor */ + +- testb %bpl, %bpl; ++ testb RT1bl, RT1bl; + jnz .L__enc_xor3; + + outunpack_enc3(mov); + + popq %rbx; +- popq %rbp; + popq %r12; + popq %r13; +- popq %r14; +- popq %r15; + ret; + + .L__enc_xor3: + outunpack_enc3(xor); + + popq %rbx; +- popq %rbp; + popq %r12; + popq %r13; +- popq %r14; +- popq %r15; + ret; + ENDPROC(__twofish_enc_blk_3way) + +@@ -278,35 +290,31 @@ ENTRY(twofish_dec_blk_3way) + * %rsi: dst + * %rdx: src, RIO + */ +- pushq %r15; +- pushq %r14; + pushq %r13; + pushq %r12; +- pushq %rbp; + pushq %rbx; + + pushq %rsi; /* dst */ + + inpack_dec3(); + +- decrypt_cycle3(RAB, RCD, 7); +- decrypt_cycle3(RAB, RCD, 6); +- decrypt_cycle3(RAB, RCD, 5); +- decrypt_cycle3(RAB, RCD, 4); +- decrypt_cycle3(RAB, RCD, 3); +- decrypt_cycle3(RAB, RCD, 2); +- decrypt_cycle3(RAB, RCD, 1); +- decrypt_cycle3(RAB, RCD, 0); ++ push_cd(); ++ decrypt_cycle3(RAB, CD, 7); ++ decrypt_cycle3(RAB, CD, 6); ++ decrypt_cycle3(RAB, CD, 5); ++ decrypt_cycle3(RAB, CD, 4); ++ decrypt_cycle3(RAB, CD, 3); ++ decrypt_cycle3(RAB, CD, 2); ++ decrypt_cycle3(RAB, CD, 1); ++ decrypt_cycle3(RAB, CD, 0); ++ pop_cd(); + + popq RIO; /* dst */ + + outunpack_dec3(); + + popq %rbx; +- popq %rbp; + popq %r12; + popq %r13; +- popq %r14; +- popq %r15; + ret; + ENDPROC(twofish_dec_blk_3way) +diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h +index c97effa6c72b..cb8fd023b23f 100644 +--- a/arch/x86/include/asm/alternative.h ++++ b/arch/x86/include/asm/alternative.h +@@ -1,6 +1,8 @@ + #ifndef _ASM_X86_ALTERNATIVE_H + #define _ASM_X86_ALTERNATIVE_H + ++#ifndef __ASSEMBLY__ ++ + #include <linux/types.h> + #include <linux/stddef.h> + #include <linux/stringify.h> +@@ -132,7 +134,7 @@ static inline int alternatives_text_reserved(void *start, void *end) + ".popsection\n" \ + ".pushsection .altinstr_replacement, \"ax\"\n" \ + ALTINSTR_REPLACEMENT(newinstr, feature, 1) \ +- ".popsection" ++ ".popsection\n" + + #define ALTERNATIVE_2(oldinstr, newinstr1, feature1, newinstr2, feature2)\ + OLDINSTR_2(oldinstr, 1, 2) \ +@@ -143,7 +145,7 @@ static inline int alternatives_text_reserved(void *start, void *end) + ".pushsection .altinstr_replacement, \"ax\"\n" \ + ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \ + ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \ +- ".popsection" ++ ".popsection\n" + + /* + * This must be included *after* the definition of ALTERNATIVE due to +@@ -265,4 +267,6 @@ extern void *text_poke(void *addr, const void *opcode, size_t len); + extern int poke_int3_handler(struct pt_regs *regs); + extern void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler); + ++#endif /* __ASSEMBLY__ */ ++ + #endif /* _ASM_X86_ALTERNATIVE_H */ +diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h +new file mode 100644 +index 000000000000..44b8762fa0c7 +--- /dev/null ++++ b/arch/x86/include/asm/asm-prototypes.h +@@ -0,0 +1,16 @@ ++#include <asm/ftrace.h> ++#include <asm/uaccess.h> ++#include <asm/string.h> ++#include <asm/page.h> ++#include <asm/checksum.h> ++ ++#include <asm-generic/asm-prototypes.h> ++ ++#include <asm/page.h> ++#include <asm/pgtable.h> ++#include <asm/special_insns.h> ++#include <asm/preempt.h> ++ ++#ifndef CONFIG_X86_CMPXCHG64 ++extern void cmpxchg8b_emu(void); ++#endif +diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h +index e2015452177d..37496d271033 100644 +--- a/arch/x86/include/asm/asm.h ++++ b/arch/x86/include/asm/asm.h +@@ -88,4 +88,15 @@ + /* For C file, we already have NOKPROBE_SYMBOL macro */ + #endif + ++#ifndef __ASSEMBLY__ ++/* ++ * This output constraint should be used for any inline asm which has a "call" ++ * instruction. Otherwise the asm may be inserted before the frame pointer ++ * gets set up by the containing function. If you forget to do this, objtool ++ * may print a "call without frame pointer save/setup" warning. ++ */ ++register unsigned long current_stack_pointer asm(_ASM_SP); ++#define ASM_CALL_CONSTRAINT "+r" (current_stack_pointer) ++#endif ++ + #endif /* _ASM_X86_ASM_H */ +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h +index 959e45b81fe2..0295dd893884 100644 +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -24,6 +24,30 @@ + #define wmb() asm volatile("sfence" ::: "memory") + #endif + ++/** ++ * array_index_mask_nospec() - generate a mask that is ~0UL when the ++ * bounds check succeeds and 0 otherwise ++ * @index: array element index ++ * @size: number of elements in array ++ * ++ * Returns: ++ * 0 - (index < size) ++ */ ++static inline unsigned long array_index_mask_nospec(unsigned long index, ++ unsigned long size) ++{ ++ unsigned long mask; ++ ++ asm ("cmp %1,%2; sbb %0,%0;" ++ :"=r" (mask) ++ :"r"(size),"r" (index) ++ :"cc"); ++ return mask; ++} ++ ++/* Override the default implementation from linux/nospec.h. */ ++#define array_index_mask_nospec array_index_mask_nospec ++ + #ifdef CONFIG_X86_PPRO_FENCE + #define dma_rmb() rmb() + #else +diff --git a/arch/x86/include/asm/cmdline.h b/arch/x86/include/asm/cmdline.h +index e01f7f7ccb0c..84ae170bc3d0 100644 +--- a/arch/x86/include/asm/cmdline.h ++++ b/arch/x86/include/asm/cmdline.h +@@ -2,5 +2,7 @@ + #define _ASM_X86_CMDLINE_H + + int cmdline_find_option_bool(const char *cmdline_ptr, const char *option); ++int cmdline_find_option(const char *cmdline_ptr, const char *option, ++ char *buffer, int bufsize); + + #endif /* _ASM_X86_CMDLINE_H */ +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index 3d6606fb97d0..026c0b4ae086 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -348,6 +348,8 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + set_bit(bit, (unsigned long *)cpu_caps_set); \ + } while (0) + ++#define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit) ++ + #define cpu_has_fpu boot_cpu_has(X86_FEATURE_FPU) + #define cpu_has_de boot_cpu_has(X86_FEATURE_DE) + #define cpu_has_pse boot_cpu_has(X86_FEATURE_PSE) +diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h +index f226df064660..8b17c2ad1048 100644 +--- a/arch/x86/include/asm/disabled-features.h ++++ b/arch/x86/include/asm/disabled-features.h +@@ -21,11 +21,13 @@ + # define DISABLE_K6_MTRR (1<<(X86_FEATURE_K6_MTRR & 31)) + # define DISABLE_CYRIX_ARR (1<<(X86_FEATURE_CYRIX_ARR & 31)) + # define DISABLE_CENTAUR_MCR (1<<(X86_FEATURE_CENTAUR_MCR & 31)) ++# define DISABLE_PCID 0 + #else + # define DISABLE_VME 0 + # define DISABLE_K6_MTRR 0 + # define DISABLE_CYRIX_ARR 0 + # define DISABLE_CENTAUR_MCR 0 ++# define DISABLE_PCID (1<<(X86_FEATURE_PCID & 31)) + #endif /* CONFIG_X86_64 */ + + /* +@@ -35,7 +37,7 @@ + #define DISABLED_MASK1 0 + #define DISABLED_MASK2 0 + #define DISABLED_MASK3 (DISABLE_CYRIX_ARR|DISABLE_CENTAUR_MCR|DISABLE_K6_MTRR) +-#define DISABLED_MASK4 0 ++#define DISABLED_MASK4 (DISABLE_PCID) + #define DISABLED_MASK5 0 + #define DISABLED_MASK6 0 + #define DISABLED_MASK7 0 +diff --git a/arch/x86/include/asm/hardirq.h b/arch/x86/include/asm/hardirq.h +index 0f5fb6b6567e..ebaf64d0a785 100644 +--- a/arch/x86/include/asm/hardirq.h ++++ b/arch/x86/include/asm/hardirq.h +@@ -21,10 +21,6 @@ typedef struct { + #ifdef CONFIG_SMP + unsigned int irq_resched_count; + unsigned int irq_call_count; +- /* +- * irq_tlb_count is double-counted in irq_call_count, so it must be +- * subtracted from irq_call_count when displaying irq_call_count +- */ + unsigned int irq_tlb_count; + #endif + #ifdef CONFIG_X86_THERMAL_VECTOR +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h +new file mode 100644 +index 000000000000..6999f7d01a0d +--- /dev/null ++++ b/arch/x86/include/asm/intel-family.h +@@ -0,0 +1,68 @@ ++#ifndef _ASM_X86_INTEL_FAMILY_H ++#define _ASM_X86_INTEL_FAMILY_H ++ ++/* ++ * "Big Core" Processors (Branded as Core, Xeon, etc...) ++ * ++ * The "_X" parts are generally the EP and EX Xeons, or the ++ * "Extreme" ones, like Broadwell-E. ++ * ++ * Things ending in "2" are usually because we have no better ++ * name for them. There's no processor called "WESTMERE2". ++ */ ++ ++#define INTEL_FAM6_CORE_YONAH 0x0E ++#define INTEL_FAM6_CORE2_MEROM 0x0F ++#define INTEL_FAM6_CORE2_MEROM_L 0x16 ++#define INTEL_FAM6_CORE2_PENRYN 0x17 ++#define INTEL_FAM6_CORE2_DUNNINGTON 0x1D ++ ++#define INTEL_FAM6_NEHALEM 0x1E ++#define INTEL_FAM6_NEHALEM_EP 0x1A ++#define INTEL_FAM6_NEHALEM_EX 0x2E ++#define INTEL_FAM6_WESTMERE 0x25 ++#define INTEL_FAM6_WESTMERE2 0x1F ++#define INTEL_FAM6_WESTMERE_EP 0x2C ++#define INTEL_FAM6_WESTMERE_EX 0x2F ++ ++#define INTEL_FAM6_SANDYBRIDGE 0x2A ++#define INTEL_FAM6_SANDYBRIDGE_X 0x2D ++#define INTEL_FAM6_IVYBRIDGE 0x3A ++#define INTEL_FAM6_IVYBRIDGE_X 0x3E ++ ++#define INTEL_FAM6_HASWELL_CORE 0x3C ++#define INTEL_FAM6_HASWELL_X 0x3F ++#define INTEL_FAM6_HASWELL_ULT 0x45 ++#define INTEL_FAM6_HASWELL_GT3E 0x46 ++ ++#define INTEL_FAM6_BROADWELL_CORE 0x3D ++#define INTEL_FAM6_BROADWELL_XEON_D 0x56 ++#define INTEL_FAM6_BROADWELL_GT3E 0x47 ++#define INTEL_FAM6_BROADWELL_X 0x4F ++ ++#define INTEL_FAM6_SKYLAKE_MOBILE 0x4E ++#define INTEL_FAM6_SKYLAKE_DESKTOP 0x5E ++#define INTEL_FAM6_SKYLAKE_X 0x55 ++#define INTEL_FAM6_KABYLAKE_MOBILE 0x8E ++#define INTEL_FAM6_KABYLAKE_DESKTOP 0x9E ++ ++/* "Small Core" Processors (Atom) */ ++ ++#define INTEL_FAM6_ATOM_PINEVIEW 0x1C ++#define INTEL_FAM6_ATOM_LINCROFT 0x26 ++#define INTEL_FAM6_ATOM_PENWELL 0x27 ++#define INTEL_FAM6_ATOM_CLOVERVIEW 0x35 ++#define INTEL_FAM6_ATOM_CEDARVIEW 0x36 ++#define INTEL_FAM6_ATOM_SILVERMONT1 0x37 /* BayTrail/BYT / Valleyview */ ++#define INTEL_FAM6_ATOM_SILVERMONT2 0x4D /* Avaton/Rangely */ ++#define INTEL_FAM6_ATOM_AIRMONT 0x4C /* CherryTrail / Braswell */ ++#define INTEL_FAM6_ATOM_MERRIFIELD1 0x4A /* Tangier */ ++#define INTEL_FAM6_ATOM_MERRIFIELD2 0x5A /* Annidale */ ++#define INTEL_FAM6_ATOM_GOLDMONT 0x5C ++#define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */ ++ ++/* Xeon Phi */ ++ ++#define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */ ++ ++#endif /* _ASM_X86_INTEL_FAMILY_H */ +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 606f5fff1989..6e014befd522 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -933,7 +933,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2, + static inline int emulate_instruction(struct kvm_vcpu *vcpu, + int emulation_type) + { +- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0); ++ return x86_emulate_instruction(vcpu, 0, ++ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0); + } + + void kvm_enable_efer_bits(u64); +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index 23ba6765b718..4ac06db325a2 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -150,8 +150,8 @@ extern struct cpuinfo_x86 boot_cpu_data; + extern struct cpuinfo_x86 new_cpu_data; + + extern struct tss_struct doublefault_tss; +-extern __u32 cpu_caps_cleared[NCAPINTS]; +-extern __u32 cpu_caps_set[NCAPINTS]; ++extern __u32 cpu_caps_cleared[NCAPINTS + NBUGINTS]; ++extern __u32 cpu_caps_set[NCAPINTS + NBUGINTS]; + + #ifdef CONFIG_SMP + DECLARE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info); +@@ -701,7 +701,7 @@ static inline void sync_core(void) + { + int tmp; + +-#ifdef CONFIG_M486 ++#ifdef CONFIG_X86_32 + /* + * Do a CPUID if available, otherwise do a jump. The jump + * can conveniently enough be the jump around CPUID. +diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h +index b4bdec3e9523..b58daa40eae9 100644 +--- a/arch/x86/include/asm/thread_info.h ++++ b/arch/x86/include/asm/thread_info.h +@@ -184,17 +184,6 @@ static inline struct thread_info *current_thread_info(void) + return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE); + } + +-static inline unsigned long current_stack_pointer(void) +-{ +- unsigned long sp; +-#ifdef CONFIG_X86_64 +- asm("mov %%rsp,%0" : "=g" (sp)); +-#else +- asm("mov %%esp,%0" : "=g" (sp)); +-#endif +- return sp; +-} +- + #else /* !__ASSEMBLY__ */ + + /* Load thread_info address into "reg" */ +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index 7e459b7ee708..13c1a094cead 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -7,6 +7,54 @@ + #include <asm/processor.h> + #include <asm/special_insns.h> + ++static inline void __invpcid(unsigned long pcid, unsigned long addr, ++ unsigned long type) ++{ ++ struct { u64 d[2]; } desc = { { pcid, addr } }; ++ ++ /* ++ * The memory clobber is because the whole point is to invalidate ++ * stale TLB entries and, especially if we're flushing global ++ * mappings, we don't want the compiler to reorder any subsequent ++ * memory accesses before the TLB flush. ++ * ++ * The hex opcode is invpcid (%ecx), %eax in 32-bit mode and ++ * invpcid (%rcx), %rax in long mode. ++ */ ++ asm volatile (".byte 0x66, 0x0f, 0x38, 0x82, 0x01" ++ : : "m" (desc), "a" (type), "c" (&desc) : "memory"); ++} ++ ++#define INVPCID_TYPE_INDIV_ADDR 0 ++#define INVPCID_TYPE_SINGLE_CTXT 1 ++#define INVPCID_TYPE_ALL_INCL_GLOBAL 2 ++#define INVPCID_TYPE_ALL_NON_GLOBAL 3 ++ ++/* Flush all mappings for a given pcid and addr, not including globals. */ ++static inline void invpcid_flush_one(unsigned long pcid, ++ unsigned long addr) ++{ ++ __invpcid(pcid, addr, INVPCID_TYPE_INDIV_ADDR); ++} ++ ++/* Flush all mappings for a given PCID, not including globals. */ ++static inline void invpcid_flush_single_context(unsigned long pcid) ++{ ++ __invpcid(pcid, 0, INVPCID_TYPE_SINGLE_CTXT); ++} ++ ++/* Flush all mappings, including globals, for all PCIDs. */ ++static inline void invpcid_flush_all(void) ++{ ++ __invpcid(0, 0, INVPCID_TYPE_ALL_INCL_GLOBAL); ++} ++ ++/* Flush all mappings for all PCIDs except globals. */ ++static inline void invpcid_flush_all_nonglobals(void) ++{ ++ __invpcid(0, 0, INVPCID_TYPE_ALL_NON_GLOBAL); ++} ++ + #ifdef CONFIG_PARAVIRT + #include <asm/paravirt.h> + #else +@@ -86,7 +134,14 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask) + + static inline void __native_flush_tlb(void) + { ++ /* ++ * If current->mm == NULL then we borrow a mm which may change during a ++ * task switch and therefore we must not be preempted while we write CR3 ++ * back: ++ */ ++ preempt_disable(); + native_write_cr3(native_read_cr3()); ++ preempt_enable(); + } + + static inline void __native_flush_tlb_global_irq_disabled(void) +@@ -104,6 +159,15 @@ static inline void __native_flush_tlb_global(void) + { + unsigned long flags; + ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ /* ++ * Using INVPCID is considerably faster than a pair of writes ++ * to CR4 sandwiched inside an IRQ flag save/restore. ++ */ ++ invpcid_flush_all(); ++ return; ++ } ++ + /* + * Read-modify-write to CR4 - protect it from preemption and + * from interrupts. (Use the raw variant because this code can +@@ -127,6 +191,14 @@ static inline void __flush_tlb_all(void) + __flush_tlb_global(); + else + __flush_tlb(); ++ ++ /* ++ * Note: if we somehow had PCID but not PGE, then this wouldn't work -- ++ * we'd end up flushing kernel translations for the current ASID but ++ * we might fail to flush kernel translations for other cached ASIDs. ++ * ++ * To avoid this issue, we force PCID off if PGE is off. ++ */ + } + + static inline void __flush_tlb_one(unsigned long addr) +@@ -140,7 +212,6 @@ static inline void __flush_tlb_one(unsigned long addr) + /* + * TLB flushing: + * +- * - flush_tlb() flushes the current mm struct TLBs + * - flush_tlb_all() flushes all processes TLBs + * - flush_tlb_mm(mm) flushes the specified mm context TLB's + * - flush_tlb_page(vma, vmaddr) flushes one page +@@ -172,11 +243,6 @@ static inline void flush_tlb_all(void) + __flush_tlb_all(); + } + +-static inline void flush_tlb(void) +-{ +- __flush_tlb_up(); +-} +- + static inline void local_flush_tlb(void) + { + __flush_tlb_up(); +@@ -238,14 +304,11 @@ static inline void flush_tlb_kernel_range(unsigned long start, + flush_tlb_mm_range(vma->vm_mm, start, end, vma->vm_flags) + + extern void flush_tlb_all(void); +-extern void flush_tlb_current_task(void); + extern void flush_tlb_page(struct vm_area_struct *, unsigned long); + extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + unsigned long end, unsigned long vmflag); + extern void flush_tlb_kernel_range(unsigned long start, unsigned long end); + +-#define flush_tlb() flush_tlb_current_task() +- + void native_flush_tlb_others(const struct cpumask *cpumask, + struct mm_struct *mm, + unsigned long start, unsigned long end); +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index d1918a8c4393..9b5f8e6a9864 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -41,17 +41,6 @@ static int __init setup_noreplace_smp(char *str) + } + __setup("noreplace-smp", setup_noreplace_smp); + +-#ifdef CONFIG_PARAVIRT +-static int __initdata_or_module noreplace_paravirt = 0; +- +-static int __init setup_noreplace_paravirt(char *str) +-{ +- noreplace_paravirt = 1; +- return 1; +-} +-__setup("noreplace-paravirt", setup_noreplace_paravirt); +-#endif +- + #define DPRINTK(fmt, args...) \ + do { \ + if (debug_alternative) \ +@@ -326,9 +315,12 @@ done: + static void __init_or_module optimize_nops(struct alt_instr *a, u8 *instr) + { + unsigned long flags; ++ int i; + +- if (instr[0] != 0x90) +- return; ++ for (i = 0; i < a->padlen; i++) { ++ if (instr[i] != 0x90) ++ return; ++ } + + local_irq_save(flags); + add_nops(instr + (a->instrlen - a->padlen), a->padlen); +@@ -571,9 +563,6 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start, + struct paravirt_patch_site *p; + char insnbuf[MAX_PATCH_LEN]; + +- if (noreplace_paravirt) +- return; +- + for (p = start; p < end; p++) { + unsigned int used; + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index f4dc2462a1ac..484ffab4d3e8 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2728,8 +2728,8 @@ static struct resource * __init ioapic_setup_resources(void) + res[num].flags = IORESOURCE_MEM | IORESOURCE_BUSY; + snprintf(mem, IOAPIC_RESOURCE_NAME_SIZE, "IOAPIC %u", i); + mem += IOAPIC_RESOURCE_NAME_SIZE; ++ ioapics[i].iomem_res = &res[num]; + num++; +- ioapics[i].iomem_res = res; + } + + ioapic_resources = res; +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 03445346ee0a..4c7dd836304a 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -65,6 +65,14 @@ static void __init check_fpu(void) + + void __init check_bugs(void) + { ++#ifdef CONFIG_X86_32 ++ /* ++ * Regardless of whether PCID is enumerated, the SDM says ++ * that it can't be enabled in 32-bit mode. ++ */ ++ setup_clear_cpu_cap(X86_FEATURE_PCID); ++#endif ++ + identify_boot_cpu(); + #ifndef CONFIG_SMP + pr_info("CPU: "); +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 5732326ec126..9613a72723cd 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -172,6 +172,40 @@ static int __init x86_xsaves_setup(char *s) + } + __setup("noxsaves", x86_xsaves_setup); + ++#ifdef CONFIG_X86_64 ++static int __init x86_pcid_setup(char *s) ++{ ++ /* require an exact match without trailing characters */ ++ if (strlen(s)) ++ return 0; ++ ++ /* do not emit a message if the feature is not present */ ++ if (!boot_cpu_has(X86_FEATURE_PCID)) ++ return 1; ++ ++ setup_clear_cpu_cap(X86_FEATURE_PCID); ++ pr_info("nopcid: PCID feature disabled\n"); ++ return 1; ++} ++__setup("nopcid", x86_pcid_setup); ++#endif ++ ++static int __init x86_noinvpcid_setup(char *s) ++{ ++ /* noinvpcid doesn't accept parameters */ ++ if (s) ++ return -EINVAL; ++ ++ /* do not emit a message if the feature is not present */ ++ if (!boot_cpu_has(X86_FEATURE_INVPCID)) ++ return 0; ++ ++ setup_clear_cpu_cap(X86_FEATURE_INVPCID); ++ pr_info("noinvpcid: INVPCID feature disabled\n"); ++ return 0; ++} ++early_param("noinvpcid", x86_noinvpcid_setup); ++ + #ifdef CONFIG_X86_32 + static int cachesize_override = -1; + static int disable_x86_serial_nr = 1; +@@ -305,6 +339,25 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) + } + } + ++static void setup_pcid(struct cpuinfo_x86 *c) ++{ ++ if (cpu_has(c, X86_FEATURE_PCID)) { ++ if (cpu_has(c, X86_FEATURE_PGE)) { ++ cr4_set_bits(X86_CR4_PCIDE); ++ } else { ++ /* ++ * flush_tlb_all(), as currently implemented, won't ++ * work if PCID is on but PGE is not. Since that ++ * combination doesn't exist on real hardware, there's ++ * no reason to try to fully support it, but it's ++ * polite to avoid corrupting data if we're on ++ * an improperly configured VM. ++ */ ++ clear_cpu_cap(c, X86_FEATURE_PCID); ++ } ++ } ++} ++ + /* + * Some CPU features depend on higher CPUID levels, which may not always + * be available due to CPUID level capping or broken virtualization +@@ -383,8 +436,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c) + return NULL; /* Not found */ + } + +-__u32 cpu_caps_cleared[NCAPINTS]; +-__u32 cpu_caps_set[NCAPINTS]; ++__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS]; ++__u32 cpu_caps_set[NCAPINTS + NBUGINTS]; + + void load_percpu_segment(int cpu) + { +@@ -613,6 +666,16 @@ void cpu_detect(struct cpuinfo_x86 *c) + } + } + ++static void apply_forced_caps(struct cpuinfo_x86 *c) ++{ ++ int i; ++ ++ for (i = 0; i < NCAPINTS + NBUGINTS; i++) { ++ c->x86_capability[i] &= ~cpu_caps_cleared[i]; ++ c->x86_capability[i] |= cpu_caps_set[i]; ++ } ++} ++ + void get_cpu_cap(struct cpuinfo_x86 *c) + { + u32 tfms, xlvl; +@@ -904,11 +967,8 @@ static void identify_cpu(struct cpuinfo_x86 *c) + if (this_cpu->c_identify) + this_cpu->c_identify(c); + +- /* Clear/Set all flags overriden by options, after probe */ +- for (i = 0; i < NCAPINTS; i++) { +- c->x86_capability[i] &= ~cpu_caps_cleared[i]; +- c->x86_capability[i] |= cpu_caps_set[i]; +- } ++ /* Clear/Set all flags overridden by options, after probe */ ++ apply_forced_caps(c); + + #ifdef CONFIG_X86_64 + c->apicid = apic->phys_pkg_id(c->initial_apicid, 0); +@@ -934,6 +994,9 @@ static void identify_cpu(struct cpuinfo_x86 *c) + setup_smep(c); + setup_smap(c); + ++ /* Set up PCID */ ++ setup_pcid(c); ++ + /* + * The vendor-specific functions might have changed features. + * Now we do "generic changes." +@@ -966,10 +1029,7 @@ static void identify_cpu(struct cpuinfo_x86 *c) + * Clear/Set all flags overriden by options, need do it + * before following smp all cpus cap AND. + */ +- for (i = 0; i < NCAPINTS; i++) { +- c->x86_capability[i] &= ~cpu_caps_cleared[i]; +- c->x86_capability[i] |= cpu_caps_set[i]; +- } ++ apply_forced_caps(c); + + /* + * On SMP, boot_cpu_data holds the common feature set between +diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c +index edcb0e28c336..13fb13334f2a 100644 +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c +@@ -934,6 +934,8 @@ static int __populate_cache_leaves(unsigned int cpu) + ci_leaf_init(this_leaf++, &id4_regs); + __cache_cpumap_setup(cpu, idx, &id4_regs); + } ++ this_cpu_ci->cpu_map_populated = true; ++ + return 0; + } + +diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c +index 4cfba4371a71..101bfae369e1 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c ++++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c +@@ -152,7 +152,6 @@ static void raise_mce(struct mce *m) + if (context == MCJ_CTX_RANDOM) + return; + +-#ifdef CONFIG_X86_LOCAL_APIC + if (m->inject_flags & (MCJ_IRQ_BROADCAST | MCJ_NMI_BROADCAST)) { + unsigned long start; + int cpu; +@@ -193,9 +192,7 @@ static void raise_mce(struct mce *m) + raise_local(); + put_cpu(); + put_online_cpus(); +- } else +-#endif +- { ++ } else { + preempt_disable(); + raise_local(); + preempt_enable(); +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index 12829c3ced3c..ff422a92f063 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -153,6 +153,7 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size, + #define F14H_MPB_MAX_SIZE 1824 + #define F15H_MPB_MAX_SIZE 4096 + #define F16H_MPB_MAX_SIZE 3458 ++#define F17H_MPB_MAX_SIZE 3200 + + switch (family) { + case 0x14: +@@ -164,6 +165,9 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size, + case 0x16: + max_size = F16H_MPB_MAX_SIZE; + break; ++ case 0x17: ++ max_size = F17H_MPB_MAX_SIZE; ++ break; + default: + max_size = F1XH_MPB_MAX_SIZE; + break; +diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c +index 6ca31bf3ccbd..1009c82088ed 100644 +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -276,9 +276,17 @@ static bool is_blacklisted(unsigned int cpu) + { + struct cpuinfo_x86 *c = &cpu_data(cpu); + +- if (c->x86 == 6 && c->x86_model == 79) { +- pr_err_once("late loading on model 79 is disabled.\n"); +- return true; ++ /* ++ * Late loading on model 79 with microcode revision less than 0x0b000021 ++ * may result in a system hang. This behavior is documented in item ++ * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family). ++ */ ++ if (c->x86 == 6 && ++ c->x86_model == 79 && ++ c->x86_mask == 0x01 && ++ c->microcode < 0x0b000021) { ++ pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode); ++ pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n"); + } + + return false; +diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c +index 83f33a2e662f..904b31ebc419 100644 +--- a/arch/x86/kernel/cpu/perf_event.c ++++ b/arch/x86/kernel/cpu/perf_event.c +@@ -187,8 +187,8 @@ static void release_pmc_hardware(void) {} + + static bool check_hw_exists(void) + { +- u64 val, val_fail, val_new= ~0; +- int i, reg, reg_fail, ret = 0; ++ u64 val, val_fail = -1, val_new= ~0; ++ int i, reg, reg_fail = -1, ret = 0; + int bios_fail = 0; + int reg_safe = -1; + +diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S +index 7e429c99c728..63dd2c971db8 100644 +--- a/arch/x86/kernel/head_32.S ++++ b/arch/x86/kernel/head_32.S +@@ -670,14 +670,17 @@ __PAGE_ALIGNED_BSS + initial_pg_pmd: + .fill 1024*KPMDS,4,0 + #else +-ENTRY(initial_page_table) ++.globl initial_page_table ++initial_page_table: + .fill 1024,4,0 + #endif + initial_pg_fixmap: + .fill 1024,4,0 +-ENTRY(empty_zero_page) ++.globl empty_zero_page ++empty_zero_page: + .fill 4096,1,0 +-ENTRY(swapper_pg_dir) ++.globl swapper_pg_dir ++swapper_pg_dir: + .fill 1024,4,0 + + /* +diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c +index e5952c225532..b6460c5a9cab 100644 +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -96,8 +96,7 @@ int arch_show_interrupts(struct seq_file *p, int prec) + seq_puts(p, " Rescheduling interrupts\n"); + seq_printf(p, "%*s: ", prec, "CAL"); + for_each_online_cpu(j) +- seq_printf(p, "%10u ", irq_stats(j)->irq_call_count - +- irq_stats(j)->irq_tlb_count); ++ seq_printf(p, "%10u ", irq_stats(j)->irq_call_count); + seq_puts(p, " Function call interrupts\n"); + seq_printf(p, "%*s: ", prec, "TLB"); + for_each_online_cpu(j) +diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c +index f9fd86a7fcc7..9f4ffc122d9e 100644 +--- a/arch/x86/kernel/irq_32.c ++++ b/arch/x86/kernel/irq_32.c +@@ -71,7 +71,7 @@ static void call_on_stack(void *func, void *stack) + + static inline void *current_stack(void) + { +- return (void *)(current_stack_pointer() & ~(THREAD_SIZE - 1)); ++ return (void *)(current_stack_pointer & ~(THREAD_SIZE - 1)); + } + + static inline int +@@ -96,7 +96,7 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) + + /* Save the next esp at the bottom of the stack */ + prev_esp = (u32 *)irqstk; +- *prev_esp = current_stack_pointer(); ++ *prev_esp = current_stack_pointer; + + if (unlikely(overflow)) + call_on_stack(print_stack_overflow, isp); +@@ -149,7 +149,7 @@ void do_softirq_own_stack(void) + + /* Push the previous esp onto the stack */ + prev_esp = (u32 *)irqstk; +- *prev_esp = current_stack_pointer(); ++ *prev_esp = current_stack_pointer; + + call_on_stack(__do_softirq, isp); + } +diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c +index a1da6737ba5b..a91d9b9b4bde 100644 +--- a/arch/x86/kernel/paravirt_patch_64.c ++++ b/arch/x86/kernel/paravirt_patch_64.c +@@ -9,7 +9,6 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); + DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax"); + DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax"); + DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3"); +-DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)"); + DEF_NATIVE(pv_cpu_ops, clts, "clts"); + DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd"); + +@@ -57,7 +56,6 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf, + PATCH_SITE(pv_mmu_ops, read_cr3); + PATCH_SITE(pv_mmu_ops, write_cr3); + PATCH_SITE(pv_cpu_ops, clts); +- PATCH_SITE(pv_mmu_ops, flush_tlb_single); + PATCH_SITE(pv_cpu_ops, wbinvd); + + patch_site: +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 0549ae3cb332..d9ea27ec9dbd 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -93,6 +93,10 @@ void __noreturn machine_real_restart(unsigned int type) + load_cr3(initial_page_table); + #else + write_cr3(real_mode_header->trampoline_pgd); ++ ++ /* Exiting long mode will fail if CR4.PCIDE is set. */ ++ if (static_cpu_has(X86_FEATURE_PCID)) ++ cr4_clear_bits(X86_CR4_PCIDE); + #endif + + /* Jump to the identity-mapped low memory code */ +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 50e547eac8cd..f6911cc90a81 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -107,25 +107,16 @@ static inline void smpboot_setup_warm_reset_vector(unsigned long start_eip) + spin_lock_irqsave(&rtc_lock, flags); + CMOS_WRITE(0xa, 0xf); + spin_unlock_irqrestore(&rtc_lock, flags); +- local_flush_tlb(); +- pr_debug("1.\n"); + *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_HIGH)) = + start_eip >> 4; +- pr_debug("2.\n"); + *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_LOW)) = + start_eip & 0xf; +- pr_debug("3.\n"); + } + + static inline void smpboot_restore_warm_reset_vector(void) + { + unsigned long flags; + +- /* +- * Install writable page 0 entry to set BIOS data area. +- */ +- local_flush_tlb(); +- + /* + * Paranoid: Set warm reset code and vector here back + * to default values. +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 020248f2cec4..e78c6783a2de 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -175,7 +175,7 @@ void ist_begin_non_atomic(struct pt_regs *regs) + * from double_fault. + */ + BUG_ON((unsigned long)(current_top_of_stack() - +- current_stack_pointer()) >= THREAD_SIZE); ++ current_stack_pointer) >= THREAD_SIZE); + + preempt_count_sub(HARDIRQ_OFFSET); + } +diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c +index fc9db6ef2a95..e0ae0a8ad5bd 100644 +--- a/arch/x86/kernel/vm86_32.c ++++ b/arch/x86/kernel/vm86_32.c +@@ -194,7 +194,7 @@ static void mark_screen_rdonly(struct mm_struct *mm) + pte_unmap_unlock(pte, ptl); + out: + up_write(&mm->mmap_sem); +- flush_tlb(); ++ flush_tlb_mm_range(mm, 0xA0000, 0xA0000 + 32*PAGE_SIZE, 0UL); + } + + +diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig +index 413a7bf9efbb..64c1920515ea 100644 +--- a/arch/x86/kvm/Kconfig ++++ b/arch/x86/kvm/Kconfig +@@ -22,7 +22,7 @@ config KVM + depends on HAVE_KVM + depends on HIGH_RES_TIMERS + # for TASKSTATS/TASK_DELAY_ACCT: +- depends on NET ++ depends on NET && MULTIUSER + select PREEMPT_NOTIFIERS + select MMU_NOTIFIER + select ANON_INODES +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index d877a59f8de8..dd49efe915e1 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -4480,6 +4480,8 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) + bool op_prefix = false; + bool has_seg_override = false; + struct opcode opcode; ++ u16 dummy; ++ struct desc_struct desc; + + ctxt->memop.type = OP_NONE; + ctxt->memopp = NULL; +@@ -4498,6 +4500,11 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) + switch (mode) { + case X86EMUL_MODE_REAL: + case X86EMUL_MODE_VM86: ++ def_op_bytes = def_ad_bytes = 2; ++ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS); ++ if (desc.d) ++ def_op_bytes = def_ad_bytes = 4; ++ break; + case X86EMUL_MODE_PROT16: + def_op_bytes = def_ad_bytes = 2; + break; +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index c5ecf85227e0..6b87d8bcdcdd 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3947,6 +3947,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) + "mov %%r13, %c[r13](%[svm]) \n\t" + "mov %%r14, %c[r14](%[svm]) \n\t" + "mov %%r15, %c[r15](%[svm]) \n\t" ++#endif ++ /* ++ * Clear host registers marked as clobbered to prevent ++ * speculative use. ++ */ ++ "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t" ++ "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t" ++ "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t" ++ "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t" ++ "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t" ++#ifdef CONFIG_X86_64 ++ "xor %%r8, %%r8 \n\t" ++ "xor %%r9, %%r9 \n\t" ++ "xor %%r10, %%r10 \n\t" ++ "xor %%r11, %%r11 \n\t" ++ "xor %%r12, %%r12 \n\t" ++ "xor %%r13, %%r13 \n\t" ++ "xor %%r14, %%r14 \n\t" ++ "xor %%r15, %%r15 \n\t" + #endif + "pop %%" _ASM_BP + : +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 84f2825f19b5..ffd5502dd215 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -32,6 +32,7 @@ + #include <linux/slab.h> + #include <linux/tboot.h> + #include <linux/hrtimer.h> ++#include <linux/nospec.h> + #include "kvm_cache_regs.h" + #include "x86.h" + +@@ -770,13 +771,18 @@ static const unsigned short vmcs_field_to_offset_table[] = { + + static inline short vmcs_field_to_offset(unsigned long field) + { +- BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX); ++ const size_t size = ARRAY_SIZE(vmcs_field_to_offset_table); ++ unsigned short offset; + +- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) || +- vmcs_field_to_offset_table[field] == 0) ++ BUILD_BUG_ON(size > SHRT_MAX); ++ if (field >= size) + return -ENOENT; + +- return vmcs_field_to_offset_table[field]; ++ field = array_index_nospec(field, size); ++ offset = vmcs_field_to_offset_table[field]; ++ if (offset == 0) ++ return -ENOENT; ++ return offset; + } + + static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu) +@@ -4356,7 +4362,7 @@ static int vmx_vm_has_apicv(struct kvm *kvm) + return enable_apicv && irqchip_in_kernel(kvm); + } + +-static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu) ++static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu) + { + struct vcpu_vmx *vmx = to_vmx(vcpu); + int max_irr; +@@ -4367,19 +4373,15 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu) + vmx->nested.pi_pending) { + vmx->nested.pi_pending = false; + if (!pi_test_and_clear_on(vmx->nested.pi_desc)) +- return 0; ++ return; + + max_irr = find_last_bit( + (unsigned long *)vmx->nested.pi_desc->pir, 256); + + if (max_irr == 256) +- return 0; ++ return; + + vapic_page = kmap(vmx->nested.virtual_apic_page); +- if (!vapic_page) { +- WARN_ON(1); +- return -ENOMEM; +- } + __kvm_apic_update_irr(vmx->nested.pi_desc->pir, vapic_page); + kunmap(vmx->nested.virtual_apic_page); + +@@ -4390,7 +4392,6 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu) + vmcs_write16(GUEST_INTR_STATUS, status); + } + } +- return 0; + } + + static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu) +@@ -4412,14 +4413,15 @@ static int vmx_deliver_nested_posted_interrupt(struct kvm_vcpu *vcpu, + + if (is_guest_mode(vcpu) && + vector == vmx->nested.posted_intr_nv) { +- /* the PIR and ON have been set by L1. */ +- kvm_vcpu_trigger_posted_interrupt(vcpu); + /* + * If a posted intr is not recognized by hardware, + * we will accomplish it in the next vmentry. + */ + vmx->nested.pi_pending = true; + kvm_make_request(KVM_REQ_EVENT, vcpu); ++ /* the PIR and ON have been set by L1. */ ++ if (!kvm_vcpu_trigger_posted_interrupt(vcpu)) ++ kvm_vcpu_kick(vcpu); + return 0; + } + return -1; +@@ -4762,7 +4764,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu) + vmcs_writel(GUEST_SYSENTER_ESP, 0); + vmcs_writel(GUEST_SYSENTER_EIP, 0); + +- vmcs_writel(GUEST_RFLAGS, 0x02); ++ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED); + kvm_rip_write(vcpu, 0xfff0); + + vmcs_writel(GUEST_GDTR_BASE, 0); +@@ -5921,7 +5923,7 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu) + if (test_bit(KVM_REQ_EVENT, &vcpu->requests)) + return 1; + +- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE); ++ err = emulate_instruction(vcpu, 0); + + if (err == EMULATE_USER_EXIT) { + ++vcpu->stat.mmio_exits; +@@ -8252,6 +8254,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + /* Save guest registers, load host registers, keep flags */ + "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" + "pop %0 \n\t" ++ "setbe %c[fail](%0)\n\t" + "mov %%" _ASM_AX ", %c[rax](%0) \n\t" + "mov %%" _ASM_BX ", %c[rbx](%0) \n\t" + __ASM_SIZE(pop) " %c[rcx](%0) \n\t" +@@ -8268,12 +8271,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + "mov %%r13, %c[r13](%0) \n\t" + "mov %%r14, %c[r14](%0) \n\t" + "mov %%r15, %c[r15](%0) \n\t" ++ "xor %%r8d, %%r8d \n\t" ++ "xor %%r9d, %%r9d \n\t" ++ "xor %%r10d, %%r10d \n\t" ++ "xor %%r11d, %%r11d \n\t" ++ "xor %%r12d, %%r12d \n\t" ++ "xor %%r13d, %%r13d \n\t" ++ "xor %%r14d, %%r14d \n\t" ++ "xor %%r15d, %%r15d \n\t" + #endif + "mov %%cr2, %%" _ASM_AX " \n\t" + "mov %%" _ASM_AX ", %c[cr2](%0) \n\t" + ++ "xor %%eax, %%eax \n\t" ++ "xor %%ebx, %%ebx \n\t" ++ "xor %%esi, %%esi \n\t" ++ "xor %%edi, %%edi \n\t" + "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t" +- "setbe %c[fail](%0) \n\t" + ".pushsection .rodata \n\t" + ".global vmx_return \n\t" + "vmx_return: " _ASM_PTR " 2b \n\t" +@@ -8806,11 +8820,6 @@ static inline bool nested_vmx_merge_msr_bitmap(struct kvm_vcpu *vcpu, + return false; + } + msr_bitmap = (unsigned long *)kmap(page); +- if (!msr_bitmap) { +- nested_release_page_clean(page); +- WARN_ON(1); +- return false; +- } + + if (nested_cpu_has_virt_x2apic_mode(vmcs12)) { + if (nested_cpu_has_apic_reg_virt(vmcs12)) +@@ -9720,7 +9729,8 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool external_intr) + return 0; + } + +- return vmx_complete_nested_posted_interrupt(vcpu); ++ vmx_complete_nested_posted_interrupt(vcpu); ++ return 0; + } + + static u32 vmx_get_preemption_timer_value(struct kvm_vcpu *vcpu) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index e4e7d45fd551..e05cb66b575b 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4188,7 +4188,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v) + addr, n, v)) + && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v)) + break; +- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v); ++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v); + handled += n; + addr += n; + len -= n; +@@ -4427,7 +4427,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes) + { + if (vcpu->mmio_read_completed) { + trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes, +- vcpu->mmio_fragments[0].gpa, *(u64 *)val); ++ vcpu->mmio_fragments[0].gpa, val); + vcpu->mmio_read_completed = 0; + return 1; + } +@@ -4449,14 +4449,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa, + + static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val) + { +- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val); ++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val); + return vcpu_mmio_write(vcpu, gpa, bytes, val); + } + + static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, + void *val, int bytes) + { +- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0); ++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL); + return X86EMUL_IO_NEEDED; + } + +@@ -5187,7 +5187,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu) + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; + vcpu->run->internal.ndata = 0; +- r = EMULATE_FAIL; ++ r = EMULATE_USER_EXIT; + } + kvm_queue_exception(vcpu, UD_VECTOR); + +@@ -6737,7 +6737,7 @@ int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs) + #endif + + kvm_rip_write(vcpu, regs->rip); +- kvm_set_rflags(vcpu, regs->rflags); ++ kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED); + + vcpu->arch.exception.pending = false; + +@@ -7927,6 +7927,13 @@ static int apf_put_user(struct kvm_vcpu *vcpu, u32 val) + sizeof(val)); + } + ++static int apf_get_user(struct kvm_vcpu *vcpu, u32 *val) ++{ ++ ++ return kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apf.data, val, ++ sizeof(u32)); ++} ++ + void kvm_arch_async_page_not_present(struct kvm_vcpu *vcpu, + struct kvm_async_pf *work) + { +@@ -7953,21 +7960,32 @@ void kvm_arch_async_page_present(struct kvm_vcpu *vcpu, + struct kvm_async_pf *work) + { + struct x86_exception fault; ++ u32 val; + +- trace_kvm_async_pf_ready(work->arch.token, work->gva); + if (work->wakeup_all) + work->arch.token = ~0; /* broadcast wakeup */ + else + kvm_del_async_pf_gfn(vcpu, work->arch.gfn); ++ trace_kvm_async_pf_ready(work->arch.token, work->gva); + +- if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) && +- !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) { +- fault.vector = PF_VECTOR; +- fault.error_code_valid = true; +- fault.error_code = 0; +- fault.nested_page_fault = false; +- fault.address = work->arch.token; +- kvm_inject_page_fault(vcpu, &fault); ++ if (vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED && ++ !apf_get_user(vcpu, &val)) { ++ if (val == KVM_PV_REASON_PAGE_NOT_PRESENT && ++ vcpu->arch.exception.pending && ++ vcpu->arch.exception.nr == PF_VECTOR && ++ !apf_put_user(vcpu, 0)) { ++ vcpu->arch.exception.pending = false; ++ vcpu->arch.exception.nr = 0; ++ vcpu->arch.exception.has_error_code = false; ++ vcpu->arch.exception.error_code = 0; ++ } else if (!apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) { ++ fault.vector = PF_VECTOR; ++ fault.error_code_valid = true; ++ fault.error_code = 0; ++ fault.nested_page_fault = false; ++ fault.address = work->arch.token; ++ kvm_inject_page_fault(vcpu, &fault); ++ } + } + vcpu->arch.apf.halted = false; + vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE; +diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S +index 9bc944a91274..b7518368492a 100644 +--- a/arch/x86/lib/checksum_32.S ++++ b/arch/x86/lib/checksum_32.S +@@ -29,7 +29,8 @@ + #include <asm/dwarf2.h> + #include <asm/errno.h> + #include <asm/asm.h> +- ++#include <asm/nospec-branch.h> ++ + /* + * computes a partial checksum, e.g. for TCP/UDP fragments + */ +@@ -159,7 +160,7 @@ ENTRY(csum_partial) + negl %ebx + lea 45f(%ebx,%ebx,2), %ebx + testl %esi, %esi +- jmp *%ebx ++ JMP_NOSPEC %ebx + + # Handle 2-byte-aligned regions + 20: addw (%esi), %ax +@@ -446,7 +447,7 @@ ENTRY(csum_partial_copy_generic) + andl $-32,%edx + lea 3f(%ebx,%ebx), %ebx + testl %esi, %esi +- jmp *%ebx ++ JMP_NOSPEC %ebx + 1: addl $64,%esi + addl $64,%edi + SRC(movb -32(%edx),%bl) ; SRC(movb (%edx),%bl) +diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c +index 422db000d727..a744506856b1 100644 +--- a/arch/x86/lib/cmdline.c ++++ b/arch/x86/lib/cmdline.c +@@ -82,3 +82,108 @@ int cmdline_find_option_bool(const char *cmdline, const char *option) + + return 0; /* Buffer overrun */ + } ++ ++/* ++ * Find a non-boolean option (i.e. option=argument). In accordance with ++ * standard Linux practice, if this option is repeated, this returns the ++ * last instance on the command line. ++ * ++ * @cmdline: the cmdline string ++ * @max_cmdline_size: the maximum size of cmdline ++ * @option: option string to look for ++ * @buffer: memory buffer to return the option argument ++ * @bufsize: size of the supplied memory buffer ++ * ++ * Returns the length of the argument (regardless of if it was ++ * truncated to fit in the buffer), or -1 on not found. ++ */ ++static int ++__cmdline_find_option(const char *cmdline, int max_cmdline_size, ++ const char *option, char *buffer, int bufsize) ++{ ++ char c; ++ int pos = 0, len = -1; ++ const char *opptr = NULL; ++ char *bufptr = buffer; ++ enum { ++ st_wordstart = 0, /* Start of word/after whitespace */ ++ st_wordcmp, /* Comparing this word */ ++ st_wordskip, /* Miscompare, skip */ ++ st_bufcpy, /* Copying this to buffer */ ++ } state = st_wordstart; ++ ++ if (!cmdline) ++ return -1; /* No command line */ ++ ++ /* ++ * This 'pos' check ensures we do not overrun ++ * a non-NULL-terminated 'cmdline' ++ */ ++ while (pos++ < max_cmdline_size) { ++ c = *(char *)cmdline++; ++ if (!c) ++ break; ++ ++ switch (state) { ++ case st_wordstart: ++ if (myisspace(c)) ++ break; ++ ++ state = st_wordcmp; ++ opptr = option; ++ /* fall through */ ++ ++ case st_wordcmp: ++ if ((c == '=') && !*opptr) { ++ /* ++ * We matched all the way to the end of the ++ * option we were looking for, prepare to ++ * copy the argument. ++ */ ++ len = 0; ++ bufptr = buffer; ++ state = st_bufcpy; ++ break; ++ } else if (c == *opptr++) { ++ /* ++ * We are currently matching, so continue ++ * to the next character on the cmdline. ++ */ ++ break; ++ } ++ state = st_wordskip; ++ /* fall through */ ++ ++ case st_wordskip: ++ if (myisspace(c)) ++ state = st_wordstart; ++ break; ++ ++ case st_bufcpy: ++ if (myisspace(c)) { ++ state = st_wordstart; ++ } else { ++ /* ++ * Increment len, but don't overrun the ++ * supplied buffer and leave room for the ++ * NULL terminator. ++ */ ++ if (++len < bufsize) ++ *bufptr++ = c; ++ } ++ break; ++ } ++ } ++ ++ if (bufsize) ++ *bufptr = '\0'; ++ ++ return len; ++} ++ ++int cmdline_find_option(const char *cmdline, const char *option, char *buffer, ++ int bufsize) ++{ ++ return __cmdline_find_option(cmdline, COMMAND_LINE_SIZE, option, ++ buffer, bufsize); ++} +diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S +index a4512359656a..3917307fca99 100644 +--- a/arch/x86/lib/getuser.S ++++ b/arch/x86/lib/getuser.S +@@ -40,6 +40,8 @@ ENTRY(__get_user_1) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ ++ and %_ASM_DX, %_ASM_AX + ASM_STAC + 1: movzbl (%_ASM_AX),%edx + xor %eax,%eax +@@ -55,6 +57,8 @@ ENTRY(__get_user_2) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ ++ and %_ASM_DX, %_ASM_AX + ASM_STAC + 2: movzwl -1(%_ASM_AX),%edx + xor %eax,%eax +@@ -70,6 +74,8 @@ ENTRY(__get_user_4) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ ++ and %_ASM_DX, %_ASM_AX + ASM_STAC + 3: movl -3(%_ASM_AX),%edx + xor %eax,%eax +@@ -86,6 +92,8 @@ ENTRY(__get_user_8) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ ++ and %_ASM_DX, %_ASM_AX + ASM_STAC + 4: movq -7(%_ASM_AX),%rdx + xor %eax,%eax +@@ -97,6 +105,8 @@ ENTRY(__get_user_8) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user_8 ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ ++ and %_ASM_DX, %_ASM_AX + ASM_STAC + 4: movl -7(%_ASM_AX),%edx + 5: movl -3(%_ASM_AX),%ecx +diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile +index a482d105172b..d893640d5c68 100644 +--- a/arch/x86/mm/Makefile ++++ b/arch/x86/mm/Makefile +@@ -1,5 +1,5 @@ + obj-y := init.o init_$(BITS).o fault.o ioremap.o extable.o pageattr.o mmap.o \ +- pat.o pgtable.o physaddr.o gup.o setup_nx.o ++ pat.o pgtable.o physaddr.o gup.o setup_nx.o tlb.o + + # Make sure __phys_addr has no stackprotector + nostackp := $(call cc-option, -fno-stack-protector) +@@ -9,7 +9,6 @@ CFLAGS_setup_nx.o := $(nostackp) + CFLAGS_fault.o := -I$(src)/../include/asm/trace + + obj-$(CONFIG_X86_PAT) += pat_rbtree.o +-obj-$(CONFIG_SMP) += tlb.o + + obj-$(CONFIG_X86_32) += pgtable_32.o iomap_32.o + +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c +index 3e1bb1c8daea..6fae65ea51d6 100644 +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -758,7 +758,7 @@ DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate) = { + #endif + .cr4 = ~0UL, /* fail hard if we screw up cr4 shadow initialization */ + }; +-EXPORT_SYMBOL_GPL(cpu_tlbstate); ++EXPORT_PER_CPU_SYMBOL(cpu_tlbstate); + + void update_cache_mode_entry(unsigned entry, enum page_cache_mode cache) + { +diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c +index 70e7444c6835..5f3e167daefd 100644 +--- a/arch/x86/mm/ioremap.c ++++ b/arch/x86/mm/ioremap.c +@@ -304,11 +304,11 @@ void iounmap(volatile void __iomem *addr) + (void __force *)addr < phys_to_virt(ISA_END_ADDRESS)) + return; + ++ mmiotrace_iounmap(addr); ++ + addr = (volatile void __iomem *) + (PAGE_MASK & (unsigned long __force)addr); + +- mmiotrace_iounmap(addr); +- + /* Use the vm area unlocked, assuming the caller + ensures there isn't another iounmap for the same address + in parallel. Reuse of the virtual address is prevented by +diff --git a/arch/x86/mm/kmmio.c b/arch/x86/mm/kmmio.c +index ddb2244b06a1..76604c8a2a48 100644 +--- a/arch/x86/mm/kmmio.c ++++ b/arch/x86/mm/kmmio.c +@@ -434,17 +434,18 @@ int register_kmmio_probe(struct kmmio_probe *p) + unsigned long flags; + int ret = 0; + unsigned long size = 0; ++ unsigned long addr = p->addr & PAGE_MASK; + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); + unsigned int l; + pte_t *pte; + + spin_lock_irqsave(&kmmio_lock, flags); +- if (get_kmmio_probe(p->addr)) { ++ if (get_kmmio_probe(addr)) { + ret = -EEXIST; + goto out; + } + +- pte = lookup_address(p->addr, &l); ++ pte = lookup_address(addr, &l); + if (!pte) { + ret = -EINVAL; + goto out; +@@ -453,7 +454,7 @@ int register_kmmio_probe(struct kmmio_probe *p) + kmmio_count++; + list_add_rcu(&p->list, &kmmio_probes); + while (size < size_lim) { +- if (add_kmmio_fault_page(p->addr + size)) ++ if (add_kmmio_fault_page(addr + size)) + pr_err("Unable to set page fault.\n"); + size += page_level_size(l); + } +@@ -527,19 +528,20 @@ void unregister_kmmio_probe(struct kmmio_probe *p) + { + unsigned long flags; + unsigned long size = 0; ++ unsigned long addr = p->addr & PAGE_MASK; + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); + struct kmmio_fault_page *release_list = NULL; + struct kmmio_delayed_release *drelease; + unsigned int l; + pte_t *pte; + +- pte = lookup_address(p->addr, &l); ++ pte = lookup_address(addr, &l); + if (!pte) + return; + + spin_lock_irqsave(&kmmio_lock, flags); + while (size < size_lim) { +- release_kmmio_fault_page(p->addr + size, &release_list); ++ release_kmmio_fault_page(addr + size, &release_list); + size += page_level_size(l); + } + list_del_rcu(&p->list); +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 061e0114005e..cd6e3339b19e 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -28,6 +28,8 @@ + * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi + */ + ++#ifdef CONFIG_SMP ++ + struct flush_tlb_info { + struct mm_struct *flush_mm; + unsigned long flush_start; +@@ -153,23 +155,6 @@ void native_flush_tlb_others(const struct cpumask *cpumask, + smp_call_function_many(cpumask, flush_tlb_func, &info, 1); + } + +-void flush_tlb_current_task(void) +-{ +- struct mm_struct *mm = current->mm; +- +- preempt_disable(); +- +- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); +- +- /* This is an implicit full barrier that synchronizes with switch_mm. */ +- local_flush_tlb(); +- +- trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); +- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) +- flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); +- preempt_enable(); +-} +- + /* + * See Documentation/x86/tlb.txt for details. We choose 33 + * because it is large enough to cover the vast majority (at +@@ -190,6 +175,12 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + unsigned long base_pages_to_flush = TLB_FLUSH_ALL; + + preempt_disable(); ++ ++ if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) ++ base_pages_to_flush = (end - start) >> PAGE_SHIFT; ++ if (base_pages_to_flush > tlb_single_page_flush_ceiling) ++ base_pages_to_flush = TLB_FLUSH_ALL; ++ + if (current->active_mm != mm) { + /* Synchronize with switch_mm. */ + smp_mb(); +@@ -206,15 +197,11 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + goto out; + } + +- if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) +- base_pages_to_flush = (end - start) >> PAGE_SHIFT; +- + /* + * Both branches below are implicit full barriers (MOV to CR or + * INVLPG) that synchronize with switch_mm. + */ +- if (base_pages_to_flush > tlb_single_page_flush_ceiling) { +- base_pages_to_flush = TLB_FLUSH_ALL; ++ if (base_pages_to_flush == TLB_FLUSH_ALL) { + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); + local_flush_tlb(); + } else { +@@ -346,3 +333,5 @@ static int __init create_tlb_single_page_flush_ceiling(void) + return 0; + } + late_initcall(create_tlb_single_page_flush_ceiling); ++ ++#endif /* CONFIG_SMP */ +diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c +index 1d2e6392f5fa..f24bd7249536 100644 +--- a/arch/x86/oprofile/nmi_int.c ++++ b/arch/x86/oprofile/nmi_int.c +@@ -471,7 +471,7 @@ static int nmi_setup(void) + goto fail; + + for_each_possible_cpu(cpu) { +- if (!cpu) ++ if (!IS_ENABLED(CONFIG_SMP) || !cpu) + continue; + + memcpy(per_cpu(cpu_msrs, cpu).counters, +diff --git a/arch/x86/platform/olpc/olpc-xo15-sci.c b/arch/x86/platform/olpc/olpc-xo15-sci.c +index 55130846ac87..c0533fbc39e3 100644 +--- a/arch/x86/platform/olpc/olpc-xo15-sci.c ++++ b/arch/x86/platform/olpc/olpc-xo15-sci.c +@@ -196,6 +196,7 @@ static int xo15_sci_remove(struct acpi_device *device) + return 0; + } + ++#ifdef CONFIG_PM_SLEEP + static int xo15_sci_resume(struct device *dev) + { + /* Enable all EC events */ +@@ -207,6 +208,7 @@ static int xo15_sci_resume(struct device *dev) + + return 0; + } ++#endif + + static SIMPLE_DEV_PM_OPS(xo15_sci_pm, NULL, xo15_sci_resume); + +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 1ecae556d4ed..809730c09e2b 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -432,6 +432,12 @@ static void __init xen_init_cpuid_mask(void) + ~((1 << X86_FEATURE_MTRR) | /* disable MTRR */ + (1 << X86_FEATURE_ACC)); /* thermal monitoring */ + ++ /* ++ * Xen PV would need some work to support PCID: CR3 handling as well ++ * as xen_flush_tlb_others() would need updating. ++ */ ++ cpuid_leaf1_ecx_mask &= ~(1 << (X86_FEATURE_PCID % 32)); /* disable PCID */ ++ + if (!xen_initial_domain()) + cpuid_leaf1_edx_mask &= + ~((1 << X86_FEATURE_ACPI)); /* disable ACPI */ +diff --git a/arch/xtensa/include/asm/futex.h b/arch/xtensa/include/asm/futex.h +index b39531babec0..72bfc1cbc2b5 100644 +--- a/arch/xtensa/include/asm/futex.h ++++ b/arch/xtensa/include/asm/futex.h +@@ -109,7 +109,6 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + u32 oldval, u32 newval) + { + int ret = 0; +- u32 prev; + + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + return -EFAULT; +@@ -120,26 +119,24 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + + __asm__ __volatile__ ( + " # futex_atomic_cmpxchg_inatomic\n" +- "1: l32i %1, %3, 0\n" +- " mov %0, %5\n" +- " wsr %1, scompare1\n" +- "2: s32c1i %0, %3, 0\n" +- "3:\n" ++ " wsr %5, scompare1\n" ++ "1: s32c1i %1, %4, 0\n" ++ " s32i %1, %6, 0\n" ++ "2:\n" + " .section .fixup,\"ax\"\n" + " .align 4\n" +- "4: .long 3b\n" +- "5: l32r %1, 4b\n" +- " movi %0, %6\n" ++ "3: .long 2b\n" ++ "4: l32r %1, 3b\n" ++ " movi %0, %7\n" + " jx %1\n" + " .previous\n" + " .section __ex_table,\"a\"\n" +- " .long 1b,5b,2b,5b\n" ++ " .long 1b,4b\n" + " .previous\n" +- : "+r" (ret), "=&r" (prev), "+m" (*uaddr) +- : "r" (uaddr), "r" (oldval), "r" (newval), "I" (-EFAULT) ++ : "+r" (ret), "+r" (newval), "+m" (*uaddr), "+m" (*uval) ++ : "r" (uaddr), "r" (oldval), "r" (uval), "I" (-EFAULT) + : "memory"); + +- *uval = prev; + return ret; + } + +diff --git a/block/bio.c b/block/bio.c +index d9cf77c6a847..f90b2abe2fa7 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -1290,6 +1290,7 @@ struct bio *bio_map_user_iov(struct request_queue *q, + int ret, offset; + struct iov_iter i; + struct iovec iov; ++ struct bio_vec *bvec; + + iov_for_each(iov, i, *iter) { + unsigned long uaddr = (unsigned long) iov.iov_base; +@@ -1334,7 +1335,12 @@ struct bio *bio_map_user_iov(struct request_queue *q, + ret = get_user_pages_fast(uaddr, local_nr_pages, + (iter->type & WRITE) != WRITE, + &pages[cur_page]); +- if (ret < local_nr_pages) { ++ if (unlikely(ret < local_nr_pages)) { ++ for (j = cur_page; j < page_limit; j++) { ++ if (!pages[j]) ++ break; ++ put_page(pages[j]); ++ } + ret = -EFAULT; + goto out_unmap; + } +@@ -1396,10 +1402,8 @@ struct bio *bio_map_user_iov(struct request_queue *q, + return bio; + + out_unmap: +- for (j = 0; j < nr_pages; j++) { +- if (!pages[j]) +- break; +- page_cache_release(pages[j]); ++ bio_for_each_segment_all(bvec, bio, j) { ++ put_page(bvec->bv_page); + } + out: + kfree(pages); +diff --git a/crypto/ahash.c b/crypto/ahash.c +index f9caf0f74199..7006dbfd39bd 100644 +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -637,5 +637,16 @@ struct hash_alg_common *ahash_attr_alg(struct rtattr *rta, u32 type, u32 mask) + } + EXPORT_SYMBOL_GPL(ahash_attr_alg); + ++bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg) ++{ ++ struct crypto_alg *alg = &halg->base; ++ ++ if (alg->cra_type != &crypto_ahash_type) ++ return crypto_shash_alg_has_setkey(__crypto_shash_alg(alg)); ++ ++ return __crypto_ahash_alg(alg)->setkey != NULL; ++} ++EXPORT_SYMBOL_GPL(crypto_hash_alg_has_setkey); ++ + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Asynchronous cryptographic hash type"); +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 4e69f3161888..35f5efb2ecff 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -160,6 +160,18 @@ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, + + spawn->alg = NULL; + spawns = &inst->alg.cra_users; ++ ++ /* ++ * We may encounter an unregistered instance here, since ++ * an instance's spawns are set up prior to the instance ++ * being registered. An unregistered instance will have ++ * NULL ->cra_users.next, since ->cra_users isn't ++ * properly initialized until registration. But an ++ * unregistered instance cannot have any users, so treat ++ * it the same as ->cra_users being empty. ++ */ ++ if (spawns->next == NULL) ++ break; + } + } while ((spawns = crypto_more_spawns(alg, &stack, &top, + &secondary_spawns))); +diff --git a/crypto/cryptd.c b/crypto/cryptd.c +index 66c9e8262572..4e76f1db3e68 100644 +--- a/crypto/cryptd.c ++++ b/crypto/cryptd.c +@@ -645,7 +645,8 @@ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb, + inst->alg.finup = cryptd_hash_finup_enqueue; + inst->alg.export = cryptd_hash_export; + inst->alg.import = cryptd_hash_import; +- inst->alg.setkey = cryptd_hash_setkey; ++ if (crypto_shash_alg_has_setkey(salg)) ++ inst->alg.setkey = cryptd_hash_setkey; + inst->alg.digest = cryptd_hash_digest_enqueue; + + err = ahash_register_instance(tmpl, inst); +diff --git a/crypto/mcryptd.c b/crypto/mcryptd.c +index cfb68a889ef6..cbe0135839df 100644 +--- a/crypto/mcryptd.c ++++ b/crypto/mcryptd.c +@@ -80,6 +80,7 @@ static int mcryptd_init_queue(struct mcryptd_queue *queue, + pr_debug("cpu_queue #%d %p\n", cpu, queue->cpu_queue); + crypto_init_queue(&cpu_queue->queue, max_cpu_qlen); + INIT_WORK(&cpu_queue->work, mcryptd_queue_worker); ++ spin_lock_init(&cpu_queue->q_lock); + } + return 0; + } +@@ -103,15 +104,16 @@ static int mcryptd_enqueue_request(struct mcryptd_queue *queue, + int cpu, err; + struct mcryptd_cpu_queue *cpu_queue; + +- cpu = get_cpu(); +- cpu_queue = this_cpu_ptr(queue->cpu_queue); +- rctx->tag.cpu = cpu; ++ cpu_queue = raw_cpu_ptr(queue->cpu_queue); ++ spin_lock(&cpu_queue->q_lock); ++ cpu = smp_processor_id(); ++ rctx->tag.cpu = smp_processor_id(); + + err = crypto_enqueue_request(&cpu_queue->queue, request); + pr_debug("enqueue request: cpu %d cpu_queue %p request %p\n", + cpu, cpu_queue, request); ++ spin_unlock(&cpu_queue->q_lock); + queue_work_on(cpu, kcrypto_wq, &cpu_queue->work); +- put_cpu(); + + return err; + } +@@ -164,16 +166,11 @@ static void mcryptd_queue_worker(struct work_struct *work) + cpu_queue = container_of(work, struct mcryptd_cpu_queue, work); + i = 0; + while (i < MCRYPTD_BATCH || single_task_running()) { +- /* +- * preempt_disable/enable is used to prevent +- * being preempted by mcryptd_enqueue_request() +- */ +- local_bh_disable(); +- preempt_disable(); ++ ++ spin_lock_bh(&cpu_queue->q_lock); + backlog = crypto_get_backlog(&cpu_queue->queue); + req = crypto_dequeue_request(&cpu_queue->queue); +- preempt_enable(); +- local_bh_enable(); ++ spin_unlock_bh(&cpu_queue->q_lock); + + if (!req) { + mcryptd_opportunistic_flush(); +@@ -188,7 +185,7 @@ static void mcryptd_queue_worker(struct work_struct *work) + ++i; + } + if (cpu_queue->queue.qlen) +- queue_work(kcrypto_wq, &cpu_queue->work); ++ queue_work_on(smp_processor_id(), kcrypto_wq, &cpu_queue->work); + } + + void mcryptd_flusher(struct work_struct *__work) +diff --git a/drivers/Makefile b/drivers/Makefile +index d7407f0b0d3b..bffce51498df 100644 +--- a/drivers/Makefile ++++ b/drivers/Makefile +@@ -93,6 +93,7 @@ obj-$(CONFIG_TC) += tc/ + obj-$(CONFIG_UWB) += uwb/ + obj-$(CONFIG_USB_PHY) += usb/ + obj-$(CONFIG_USB) += usb/ ++obj-$(CONFIG_USB_SUPPORT) += usb/ + obj-$(CONFIG_PCI) += usb/ + obj-$(CONFIG_USB_GADGET) += usb/ + obj-$(CONFIG_OF) += usb/ +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 568f2b942aac..0272d53d5bcb 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -315,15 +315,6 @@ static int acpi_processor_get_info(struct acpi_device *device) + pr->throttling.duty_width = acpi_gbl_FADT.duty_width; + + pr->pblk = object.processor.pblk_address; +- +- /* +- * We don't care about error returns - we just try to mark +- * these reserved so that nobody else is confused into thinking +- * that this region might be unused.. +- * +- * (In particular, allocating the IO range for Cardbus) +- */ +- request_region(pr->throttling.address, 6, "ACPI CPU throttle"); + } + + /* +diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c +index ed65e9c4b5b0..ba4930c0e98c 100644 +--- a/drivers/acpi/apei/erst.c ++++ b/drivers/acpi/apei/erst.c +@@ -1023,7 +1023,7 @@ skip: + /* The record may be cleared by others, try read next record */ + if (len == -ENOENT) + goto skip; +- else if (len < sizeof(*rcd)) { ++ else if (len < 0 || len < sizeof(*rcd)) { + rc = -EIO; + goto out; + } +diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c +index 84243c32e29c..f3df4b5e5fc9 100644 +--- a/drivers/acpi/processor_throttling.c ++++ b/drivers/acpi/processor_throttling.c +@@ -680,6 +680,15 @@ static int acpi_processor_get_throttling_fadt(struct acpi_processor *pr) + if (!pr->flags.throttling) + return -ENODEV; + ++ /* ++ * We don't care about error returns - we just try to mark ++ * these reserved so that nobody else is confused into thinking ++ * that this region might be unused.. ++ * ++ * (In particular, allocating the IO range for Cardbus) ++ */ ++ request_region(pr->throttling.address, 6, "ACPI CPU throttle"); ++ + pr->throttling.state = 0; + + duty_mask = pr->throttling.state_count - 1; +diff --git a/drivers/acpi/sbshc.c b/drivers/acpi/sbshc.c +index bf034f8b7c1a..030ab2f543df 100644 +--- a/drivers/acpi/sbshc.c ++++ b/drivers/acpi/sbshc.c +@@ -309,8 +309,8 @@ static int acpi_smbus_hc_add(struct acpi_device *device) + device->driver_data = hc; + + acpi_ec_add_query_handler(hc->ec, hc->query_bit, NULL, smbus_alarm, hc); +- printk(KERN_INFO PREFIX "SBS HC: EC = 0x%p, offset = 0x%0x, query_bit = 0x%0x\n", +- hc->ec, hc->offset, hc->query_bit); ++ dev_info(&device->dev, "SBS HC: offset = 0x%0x, query_bit = 0x%0x\n", ++ hc->offset, hc->query_bit); + + return 0; + } +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index 235ba1fbabdb..b834278c0c4d 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2618,6 +2618,8 @@ static unsigned int binder_poll(struct file *filp, + binder_lock(__func__); + + thread = binder_get_thread(proc); ++ if (!thread) ++ return POLLERR; + + wait_for_proc_work = thread->transaction_stack == NULL && + list_empty(&thread->todo) && thread->return_error == BR_OK; +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 34825d63d483..3b0cebb2122b 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -388,6 +388,11 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/ + { PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/ + { PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/ ++ { PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */ ++ { PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */ ++ { PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */ ++ { PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */ ++ { PCI_VDEVICE(INTEL, 0x5ae3), board_ahci }, /* Apollo Lake AHCI */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 4c0dac27882f..b31d6853ba7a 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4145,6 +4145,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + * https://bugzilla.kernel.org/show_bug.cgi?id=121671 + */ + { "LITEON CX1-JB*-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 }, ++ { "LITEON EP1-*", NULL, ATA_HORKAGE_MAX_SEC_1024 }, + + /* Devices we expect to fail diagnostics */ + +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c +index fdba441457ec..3f5fb95b0f4c 100644 +--- a/drivers/base/cacheinfo.c ++++ b/drivers/base/cacheinfo.c +@@ -106,6 +106,9 @@ static int cache_shared_cpu_map_setup(unsigned int cpu) + unsigned int index; + int ret; + ++ if (this_cpu_ci->cpu_map_populated) ++ return 0; ++ + ret = cache_setup_of_node(cpu); + if (ret) + return ret; +diff --git a/drivers/base/power/trace.c b/drivers/base/power/trace.c +index a311cfa4c5bd..a6975795e7f3 100644 +--- a/drivers/base/power/trace.c ++++ b/drivers/base/power/trace.c +@@ -166,14 +166,14 @@ void generate_pm_trace(const void *tracedata, unsigned int user) + } + EXPORT_SYMBOL(generate_pm_trace); + +-extern char __tracedata_start, __tracedata_end; ++extern char __tracedata_start[], __tracedata_end[]; + static int show_file_hash(unsigned int value) + { + int match; + char *tracedata; + + match = 0; +- for (tracedata = &__tracedata_start ; tracedata < &__tracedata_end ; ++ for (tracedata = __tracedata_start ; tracedata < __tracedata_end ; + tracedata += 2 + sizeof(unsigned long)) { + unsigned short lineno = *(unsigned short *)tracedata; + const char *file = *(const char **)(tracedata + 2); +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index ea0c863861b9..b5dbce192c6b 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1338,9 +1338,8 @@ out: + return err; + } + +-static void lo_release(struct gendisk *disk, fmode_t mode) ++static void __lo_release(struct loop_device *lo) + { +- struct loop_device *lo = disk->private_data; + int err; + + mutex_lock(&lo->lo_ctl_mutex); +@@ -1368,6 +1367,13 @@ out: + mutex_unlock(&lo->lo_ctl_mutex); + } + ++static void lo_release(struct gendisk *disk, fmode_t mode) ++{ ++ mutex_lock(&loop_index_mutex); ++ __lo_release(disk->private_data); ++ mutex_unlock(&loop_index_mutex); ++} ++ + static const struct block_device_operations lo_fops = { + .owner = THIS_MODULE, + .open = lo_open, +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c +index 09e628dafd9d..46098d236476 100644 +--- a/drivers/block/pktcdvd.c ++++ b/drivers/block/pktcdvd.c +@@ -2798,7 +2798,7 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev) + pd->pkt_dev = MKDEV(pktdev_major, idx); + ret = pkt_new_dev(pd, dev); + if (ret) +- goto out_new_dev; ++ goto out_mem2; + + /* inherit events of the host device */ + disk->events = pd->bdev->bd_disk->events; +@@ -2816,8 +2816,6 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev) + mutex_unlock(&ctl_mutex); + return 0; + +-out_new_dev: +- blk_cleanup_queue(disk->queue); + out_mem2: + put_disk(disk); + out_mem: +diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c +index 83f6437dd91d..1481a3c9b5af 100644 +--- a/drivers/bluetooth/btsdio.c ++++ b/drivers/bluetooth/btsdio.c +@@ -31,6 +31,7 @@ + #include <linux/errno.h> + #include <linux/skbuff.h> + ++#include <linux/mmc/host.h> + #include <linux/mmc/sdio_ids.h> + #include <linux/mmc/sdio_func.h> + +@@ -303,6 +304,14 @@ static int btsdio_probe(struct sdio_func *func, + tuple = tuple->next; + } + ++ /* BCM43341 devices soldered onto the PCB (non-removable) use an ++ * uart connection for bluetooth, ignore the BT SDIO interface. ++ */ ++ if (func->vendor == SDIO_VENDOR_ID_BROADCOM && ++ func->device == SDIO_DEVICE_ID_BROADCOM_43341 && ++ !mmc_card_is_removable(func->card->host)) ++ return -ENODEV; ++ + data = devm_kzalloc(&func->dev, sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; +diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c +index 5643b65cee20..0ff7682cfb14 100644 +--- a/drivers/char/hw_random/core.c ++++ b/drivers/char/hw_random/core.c +@@ -238,7 +238,10 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf, + goto out; + } + +- mutex_lock(&reading_mutex); ++ if (mutex_lock_interruptible(&reading_mutex)) { ++ err = -ERESTARTSYS; ++ goto out_put; ++ } + if (!data_avail) { + bytes_read = rng_get_data(rng, rng_buffer, + rng_buffer_size(), +@@ -288,6 +291,7 @@ out: + + out_unlock_reading: + mutex_unlock(&reading_mutex); ++out_put: + put_rng(rng); + goto out; + } +diff --git a/drivers/cpufreq/Kconfig b/drivers/cpufreq/Kconfig +index 659879a56dba..949610360b14 100644 +--- a/drivers/cpufreq/Kconfig ++++ b/drivers/cpufreq/Kconfig +@@ -236,6 +236,7 @@ endif + if MIPS + config LOONGSON2_CPUFREQ + tristate "Loongson2 CPUFreq Driver" ++ depends on LEMOTE_MACH2F + help + This option adds a CPUFreq driver for loongson processors which + support software configurable cpu frequency. +@@ -248,6 +249,7 @@ config LOONGSON2_CPUFREQ + + config LOONGSON1_CPUFREQ + tristate "Loongson1 CPUFreq Driver" ++ depends on LOONGSON1_LS1B + help + This option adds a CPUFreq driver for loongson1 processors which + support software configurable cpu frequency. +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c +index 3442764a5293..544e0e330afd 100644 +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -153,6 +153,24 @@ static int powernv_cpuidle_driver_init(void) + drv->state_count += 1; + } + ++ /* ++ * On the PowerNV platform cpu_present may be less than cpu_possible in ++ * cases when firmware detects the CPU, but it is not available to the ++ * OS. If CONFIG_HOTPLUG_CPU=n, then such CPUs are not hotplugable at ++ * run time and hence cpu_devices are not created for those CPUs by the ++ * generic topology_init(). ++ * ++ * drv->cpumask defaults to cpu_possible_mask in ++ * __cpuidle_driver_init(). This breaks cpuidle on PowerNV where ++ * cpu_devices are not created for CPUs in cpu_possible_mask that ++ * cannot be hot-added later at run time. ++ * ++ * Trying cpuidle_register_device() on a CPU without a cpu_device is ++ * incorrect, so pass a correct CPU mask to the generic cpuidle driver. ++ */ ++ ++ drv->cpumask = (struct cpumask *)cpu_present_mask; ++ + return 0; + } + +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c +index 832a2c3f01ff..9e98a5fbbc1d 100644 +--- a/drivers/cpuidle/sysfs.c ++++ b/drivers/cpuidle/sysfs.c +@@ -613,6 +613,18 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + struct device *cpu_dev = get_cpu_device((unsigned long)dev->cpu); + int error; + ++ /* ++ * Return if cpu_device is not setup for this CPU. ++ * ++ * This could happen if the arch did not set up cpu_device ++ * since this CPU is not in cpu_present mask and the ++ * driver did not send a correct CPU mask during registration. ++ * Without this check we would end up passing bogus ++ * value for &cpu_dev->kobj in kobject_init_and_add() ++ */ ++ if (!cpu_dev) ++ return -ENODEV; ++ + kdev = kzalloc(sizeof(*kdev), GFP_KERNEL); + if (!kdev) + return -ENOMEM; +diff --git a/drivers/crypto/amcc/crypto4xx_core.h b/drivers/crypto/amcc/crypto4xx_core.h +index bac0bdeb4b5f..b6529b9fcbe2 100644 +--- a/drivers/crypto/amcc/crypto4xx_core.h ++++ b/drivers/crypto/amcc/crypto4xx_core.h +@@ -32,12 +32,12 @@ + #define PPC405EX_CE_RESET 0x00000008 + + #define CRYPTO4XX_CRYPTO_PRIORITY 300 +-#define PPC4XX_LAST_PD 63 +-#define PPC4XX_NUM_PD 64 +-#define PPC4XX_LAST_GD 1023 ++#define PPC4XX_NUM_PD 256 ++#define PPC4XX_LAST_PD (PPC4XX_NUM_PD - 1) + #define PPC4XX_NUM_GD 1024 +-#define PPC4XX_LAST_SD 63 +-#define PPC4XX_NUM_SD 64 ++#define PPC4XX_LAST_GD (PPC4XX_NUM_GD - 1) ++#define PPC4XX_NUM_SD 256 ++#define PPC4XX_LAST_SD (PPC4XX_NUM_SD - 1) + #define PPC4XX_SD_BUFFER_SIZE 2048 + + #define PD_ENTRY_INUSE 1 +diff --git a/drivers/crypto/n2_core.c b/drivers/crypto/n2_core.c +index 10a9aeff1666..32035daae8c9 100644 +--- a/drivers/crypto/n2_core.c ++++ b/drivers/crypto/n2_core.c +@@ -1641,6 +1641,7 @@ static int queue_cache_init(void) + CWQ_ENTRY_SIZE, 0, NULL); + if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) { + kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]); ++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL; + return -ENOMEM; + } + return 0; +@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void) + { + kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]); + kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]); ++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL; ++ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL; + } + + static int spu_queue_register(struct spu_queue *p, unsigned long q_type) +diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c +index 4f0c4a3cc5c5..89219806fd8e 100644 +--- a/drivers/crypto/s5p-sss.c ++++ b/drivers/crypto/s5p-sss.c +@@ -419,16 +419,21 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode) + uint32_t aes_control; + int err; + unsigned long flags; ++ u8 *iv; + + aes_control = SSS_AES_KEY_CHANGE_MODE; + if (mode & FLAGS_AES_DECRYPT) + aes_control |= SSS_AES_MODE_DECRYPT; + +- if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC) ++ if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC) { + aes_control |= SSS_AES_CHAIN_MODE_CBC; +- else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR) ++ iv = req->info; ++ } else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR) { + aes_control |= SSS_AES_CHAIN_MODE_CTR; +- ++ iv = req->info; ++ } else { ++ iv = NULL; /* AES_ECB */ ++ } + if (dev->ctx->keylen == AES_KEYSIZE_192) + aes_control |= SSS_AES_KEY_SIZE_192; + else if (dev->ctx->keylen == AES_KEYSIZE_256) +@@ -458,7 +463,7 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode) + goto outdata_error; + + SSS_AES_WRITE(dev, AES_CONTROL, aes_control); +- s5p_set_aes(dev, dev->ctx->aes_key, req->info, dev->ctx->keylen); ++ s5p_set_aes(dev, dev->ctx->aes_key, iv, dev->ctx->keylen); + + s5p_set_dma_indata(dev, req->src); + s5p_set_dma_outdata(dev, req->dst); +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index ca1b362d77e2..3373561caae8 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -584,7 +584,7 @@ struct devfreq *devm_devfreq_add_device(struct device *dev, + devfreq = devfreq_add_device(dev, profile, governor_name, data); + if (IS_ERR(devfreq)) { + devres_free(ptr); +- return ERR_PTR(-ENOMEM); ++ return devfreq; + } + + *ptr = devfreq; +diff --git a/drivers/dma/dma-jz4740.c b/drivers/dma/dma-jz4740.c +index 7638b24ce8d0..35fc58f4bf4b 100644 +--- a/drivers/dma/dma-jz4740.c ++++ b/drivers/dma/dma-jz4740.c +@@ -557,7 +557,7 @@ static int jz4740_dma_probe(struct platform_device *pdev) + + ret = dma_async_device_register(dd); + if (ret) +- return ret; ++ goto err_clk; + + irq = platform_get_irq(pdev, 0); + ret = request_irq(irq, jz4740_dma_irq, 0, dev_name(&pdev->dev), dmadev); +@@ -570,6 +570,8 @@ static int jz4740_dma_probe(struct platform_device *pdev) + + err_unregister: + dma_async_device_unregister(dd); ++err_clk: ++ clk_disable_unprepare(dmadev->clk); + return ret; + } + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index 2e9bc49d30ec..5e4fe755a4d8 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -329,7 +329,7 @@ static void dmatest_callback(void *arg) + { + struct dmatest_done *done = arg; + struct dmatest_thread *thread = +- container_of(arg, struct dmatest_thread, done_wait); ++ container_of(done, struct dmatest_thread, test_done); + if (!thread->done) { + done->done = true; + wake_up_all(done->wait); +diff --git a/drivers/edac/octeon_edac-lmc.c b/drivers/edac/octeon_edac-lmc.c +index cda6dab5067a..6b65a102b49d 100644 +--- a/drivers/edac/octeon_edac-lmc.c ++++ b/drivers/edac/octeon_edac-lmc.c +@@ -79,6 +79,7 @@ static void octeon_lmc_edac_poll_o2(struct mem_ctl_info *mci) + if (!pvt->inject) + int_reg.u64 = cvmx_read_csr(CVMX_LMCX_INT(mci->mc_idx)); + else { ++ int_reg.u64 = 0; + if (pvt->error_type == 1) + int_reg.s.sec_err = 1; + if (pvt->error_type == 2) +diff --git a/drivers/gpio/gpio-intel-mid.c b/drivers/gpio/gpio-intel-mid.c +index 14945fd9d5e1..935fa3bce6d0 100644 +--- a/drivers/gpio/gpio-intel-mid.c ++++ b/drivers/gpio/gpio-intel-mid.c +@@ -326,7 +326,7 @@ static void intel_mid_irq_init_hw(struct intel_mid_gpio *priv) + } + } + +-static int intel_gpio_runtime_idle(struct device *dev) ++static int __maybe_unused intel_gpio_runtime_idle(struct device *dev) + { + int err = pm_schedule_suspend(dev, 500); + return err ?: -EBUSY; +diff --git a/drivers/gpio/gpio-iop.c b/drivers/gpio/gpio-iop.c +index 2ed0237a8baf..304e68633d29 100644 +--- a/drivers/gpio/gpio-iop.c ++++ b/drivers/gpio/gpio-iop.c +@@ -129,3 +129,7 @@ static int __init iop3xx_gpio_init(void) + return platform_driver_register(&iop3xx_gpio_driver); + } + arch_initcall(iop3xx_gpio_init); ++ ++MODULE_DESCRIPTION("GPIO handling for Intel IOP3xx processors"); ++MODULE_AUTHOR("Lennert Buytenhek <buytenh@wantstofly.org>"); ++MODULE_LICENSE("GPL"); +diff --git a/drivers/gpio/gpio-xgene.c b/drivers/gpio/gpio-xgene.c +index 18a8182d4fec..7f1f32324504 100644 +--- a/drivers/gpio/gpio-xgene.c ++++ b/drivers/gpio/gpio-xgene.c +@@ -42,9 +42,7 @@ struct xgene_gpio { + struct gpio_chip chip; + void __iomem *base; + spinlock_t lock; +-#ifdef CONFIG_PM + u32 set_dr_val[XGENE_MAX_GPIO_BANKS]; +-#endif + }; + + static inline struct xgene_gpio *to_xgene_gpio(struct gpio_chip *chip) +@@ -132,8 +130,7 @@ static int xgene_gpio_dir_out(struct gpio_chip *gc, + return 0; + } + +-#ifdef CONFIG_PM +-static int xgene_gpio_suspend(struct device *dev) ++static __maybe_unused int xgene_gpio_suspend(struct device *dev) + { + struct xgene_gpio *gpio = dev_get_drvdata(dev); + unsigned long bank_offset; +@@ -146,7 +143,7 @@ static int xgene_gpio_suspend(struct device *dev) + return 0; + } + +-static int xgene_gpio_resume(struct device *dev) ++static __maybe_unused int xgene_gpio_resume(struct device *dev) + { + struct xgene_gpio *gpio = dev_get_drvdata(dev); + unsigned long bank_offset; +@@ -160,10 +157,6 @@ static int xgene_gpio_resume(struct device *dev) + } + + static SIMPLE_DEV_PM_OPS(xgene_gpio_pm, xgene_gpio_suspend, xgene_gpio_resume); +-#define XGENE_GPIO_PM_OPS (&xgene_gpio_pm) +-#else +-#define XGENE_GPIO_PM_OPS NULL +-#endif + + static int xgene_gpio_probe(struct platform_device *pdev) + { +@@ -230,7 +223,7 @@ static struct platform_driver xgene_gpio_driver = { + .driver = { + .name = "xgene-gpio", + .of_match_table = xgene_gpio_of_match, +- .pm = XGENE_GPIO_PM_OPS, ++ .pm = &xgene_gpio_pm, + }, + .probe = xgene_gpio_probe, + .remove = xgene_gpio_remove, +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 530b82c4e78b..7c736e8d7f33 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -189,6 +189,24 @@ int pqm_create_queue(struct process_queue_manager *pqm, + + switch (type) { + case KFD_QUEUE_TYPE_SDMA: ++ if (dev->dqm->queue_count >= ++ CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) { ++ pr_err("Over-subscription is not allowed for SDMA.\n"); ++ retval = -EPERM; ++ goto err_create_queue; ++ } ++ ++ retval = create_cp_queue(pqm, dev, &q, properties, f, *qid); ++ if (retval != 0) ++ goto err_create_queue; ++ pqn->q = q; ++ pqn->kq = NULL; ++ retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd, ++ &q->properties.vmid); ++ pr_debug("DQM returned %d for create_queue\n", retval); ++ print_queue(q); ++ break; ++ + case KFD_QUEUE_TYPE_COMPUTE: + /* check if there is over subscription */ + if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) && +diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c +index d4813e03f5ee..00275c3856ce 100644 +--- a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c +@@ -821,14 +821,18 @@ void mdfld_dsi_dpi_mode_set(struct drm_encoder *encoder, + struct drm_device *dev = dsi_config->dev; + struct drm_psb_private *dev_priv = dev->dev_private; + int pipe = mdfld_dsi_encoder_get_pipe(dsi_encoder); +- + u32 pipeconf_reg = PIPEACONF; + u32 dspcntr_reg = DSPACNTR; ++ u32 pipeconf, dspcntr; + +- u32 pipeconf = dev_priv->pipeconf[pipe]; +- u32 dspcntr = dev_priv->dspcntr[pipe]; + u32 mipi = MIPI_PORT_EN | PASS_FROM_SPHY_TO_AFE | SEL_FLOPPED_HSTX; + ++ if (WARN_ON(pipe < 0)) ++ return; ++ ++ pipeconf = dev_priv->pipeconf[pipe]; ++ dspcntr = dev_priv->dspcntr[pipe]; ++ + if (pipe) { + pipeconf_reg = PIPECCONF; + dspcntr_reg = DSPCCNTR; +diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_output.c b/drivers/gpu/drm/gma500/mdfld_dsi_output.c +index 89f705c3a5eb..910a2f253990 100644 +--- a/drivers/gpu/drm/gma500/mdfld_dsi_output.c ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_output.c +@@ -382,16 +382,6 @@ static int mdfld_dsi_connector_mode_valid(struct drm_connector *connector, + return MODE_OK; + } + +-static void mdfld_dsi_connector_dpms(struct drm_connector *connector, int mode) +-{ +- if (mode == connector->dpms) +- return; +- +- /*first, execute dpms*/ +- +- drm_helper_connector_dpms(connector, mode); +-} +- + static struct drm_encoder *mdfld_dsi_connector_best_encoder( + struct drm_connector *connector) + { +@@ -404,7 +394,7 @@ static struct drm_encoder *mdfld_dsi_connector_best_encoder( + + /*DSI connector funcs*/ + static const struct drm_connector_funcs mdfld_dsi_connector_funcs = { +- .dpms = /*drm_helper_connector_dpms*/mdfld_dsi_connector_dpms, ++ .dpms = drm_helper_connector_dpms, + .save = mdfld_dsi_connector_save, + .restore = mdfld_dsi_connector_restore, + .detect = mdfld_dsi_connector_detect, +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 58c959265b1a..36000f76e31d 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -368,7 +368,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, + struct nouveau_cli *cli = nouveau_cli(file_priv); + struct drm_device *dev = chan->drm->dev; + int trycnt = 0; +- int ret, i; ++ int ret = -EINVAL, i; + struct nouveau_bo *res_bo = NULL; + LIST_HEAD(gart_list); + LIST_HEAD(vram_list); +diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +index 042038e8a662..6e6634cd1d17 100644 +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +@@ -610,7 +610,8 @@ static int omap_dmm_probe(struct platform_device *dev) + match = of_match_node(dmm_of_match, dev->dev.of_node); + if (!match) { + dev_err(&dev->dev, "failed to find matching device node\n"); +- return -ENODEV; ++ ret = -ENODEV; ++ goto fail; + } + + omap_dmm->plat_data = match->data; +diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c b/drivers/gpu/drm/radeon/radeon_uvd.c +index 6edcb5485092..b35ebabd6a9f 100644 +--- a/drivers/gpu/drm/radeon/radeon_uvd.c ++++ b/drivers/gpu/drm/radeon/radeon_uvd.c +@@ -946,7 +946,7 @@ int radeon_uvd_calc_upll_dividers(struct radeon_device *rdev, + /* calc dclk divider with current vco freq */ + dclk_div = radeon_uvd_calc_upll_post_div(vco_freq, dclk, + pd_min, pd_even); +- if (vclk_div > pd_max) ++ if (dclk_div > pd_max) + break; /* vco is too big, it has to stop */ + + /* calc score with current vco freq */ +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c +index 824c835330df..de155c77f739 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c +@@ -511,7 +511,7 @@ static irqreturn_t rcar_du_crtc_irq(int irq, void *arg) + status = rcar_du_crtc_read(rcrtc, DSSR); + rcar_du_crtc_write(rcrtc, DSRCR, status & DSRCR_MASK); + +- if (status & DSSR_FRM) { ++ if (status & DSSR_VBK) { + drm_handle_vblank(rcrtc->crtc.dev, rcrtc->index); + rcar_du_crtc_finish_page_flip(rcrtc); + ret = IRQ_HANDLED; +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index d786b48f5d7b..d8638d8221ea 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2010,6 +2010,7 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_SIRIUS_BATTERY_FREE_TABLET) }, + { HID_USB_DEVICE(USB_VENDOR_ID_X_TENSIONS, USB_DEVICE_ID_SPEEDLINK_VAD_CEZANNE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0005) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0030) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ZYDACRON, USB_DEVICE_ID_ZYDACRON_REMOTE_CONTROL) }, +@@ -2349,6 +2350,9 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) }, +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index e995058ad264..62b337d61fe1 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -559,6 +559,9 @@ + #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 + #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 + #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 ++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 ++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 ++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 + #define USB_DEVICE_ID_LD_JWM 0x1080 + #define USB_DEVICE_ID_LD_DMMP 0x1081 + #define USB_DEVICE_ID_LD_UMIP 0x1090 +@@ -1011,6 +1014,7 @@ + + #define USB_VENDOR_ID_XIN_MO 0x16c0 + #define USB_DEVICE_ID_XIN_MO_DUAL_ARCADE 0x05e1 ++#define USB_DEVICE_ID_THT_2P_ARCADE 0x75e1 + + #define USB_VENDOR_ID_XIROKU 0x1477 + #define USB_DEVICE_ID_XIROKU_SPX 0x1006 +diff --git a/drivers/hid/hid-xinmo.c b/drivers/hid/hid-xinmo.c +index 7df5227a7e61..9ad7731d2e10 100644 +--- a/drivers/hid/hid-xinmo.c ++++ b/drivers/hid/hid-xinmo.c +@@ -46,6 +46,7 @@ static int xinmo_event(struct hid_device *hdev, struct hid_field *field, + + static const struct hid_device_id xinmo_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) }, + { } + }; + +diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c +index cccef87963e0..975c43d446f8 100644 +--- a/drivers/hwmon/asus_atk0110.c ++++ b/drivers/hwmon/asus_atk0110.c +@@ -646,6 +646,9 @@ static int atk_read_value(struct atk_sensor_data *sensor, u64 *value) + else + err = atk_read_value_new(sensor, value); + ++ if (err) ++ return err; ++ + sensor->is_valid = true; + sensor->last_updated = jiffies; + sensor->cached_value = *value; +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index f2e47c7dd808..1362de353076 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -20,6 +20,7 @@ + */ + + #include <linux/kernel.h> ++#include <linux/math64.h> + #include <linux/module.h> + #include <linux/init.h> + #include <linux/err.h> +@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct pmbus_data *data, + static long pmbus_reg2data_direct(struct pmbus_data *data, + struct pmbus_sensor *sensor) + { +- long val = (s16) sensor->data; +- long m, b, R; ++ s64 b, val = (s16)sensor->data; ++ s32 m, R; + + m = data->info->m[sensor->class]; + b = data->info->b[sensor->class]; +@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct pmbus_data *data, + R--; + } + while (R < 0) { +- val = DIV_ROUND_CLOSEST(val, 10); ++ val = div_s64(val + 5LL, 10L); /* round closest */ + R++; + } + +- return (val - b) / m; ++ val = div_s64(val - b, m); ++ return clamp_val(val, LONG_MIN, LONG_MAX); + } + + /* +@@ -621,7 +623,8 @@ static u16 pmbus_data2reg_linear(struct pmbus_data *data, + static u16 pmbus_data2reg_direct(struct pmbus_data *data, + struct pmbus_sensor *sensor, long val) + { +- long m, b, R; ++ s64 b, val64 = val; ++ s32 m, R; + + m = data->info->m[sensor->class]; + b = data->info->b[sensor->class]; +@@ -638,18 +641,18 @@ static u16 pmbus_data2reg_direct(struct pmbus_data *data, + R -= 3; /* Adjust R and b for data in milli-units */ + b *= 1000; + } +- val = val * m + b; ++ val64 = val64 * m + b; + + while (R > 0) { +- val *= 10; ++ val64 *= 10; + R--; + } + while (R < 0) { +- val = DIV_ROUND_CLOSEST(val, 10); ++ val64 = div_s64(val64 + 5LL, 10L); /* round closest */ + R++; + } + +- return val; ++ return (u16)clamp_val(val64, S16_MIN, S16_MAX); + } + + static u16 pmbus_data2reg_vid(struct pmbus_data *data, +diff --git a/drivers/i2c/i2c-boardinfo.c b/drivers/i2c/i2c-boardinfo.c +index 90e322959303..42c25aed671d 100644 +--- a/drivers/i2c/i2c-boardinfo.c ++++ b/drivers/i2c/i2c-boardinfo.c +@@ -56,9 +56,7 @@ EXPORT_SYMBOL_GPL(__i2c_first_dynamic_bus_num); + * The board info passed can safely be __initdata, but be careful of embedded + * pointers (for platform_data, functions, etc) since that won't be copied. + */ +-int __init +-i2c_register_board_info(int busnum, +- struct i2c_board_info const *info, unsigned len) ++int i2c_register_board_info(int busnum, struct i2c_board_info const *info, unsigned len) + { + int status; + +diff --git a/drivers/iio/adc/axp288_adc.c b/drivers/iio/adc/axp288_adc.c +index 1c626a3cc7f2..f3a64a45c512 100644 +--- a/drivers/iio/adc/axp288_adc.c ++++ b/drivers/iio/adc/axp288_adc.c +@@ -44,7 +44,7 @@ struct axp288_adc_info { + struct regmap *regmap; + }; + +-static const struct iio_chan_spec const axp288_adc_channels[] = { ++static const struct iio_chan_spec axp288_adc_channels[] = { + { + .indexed = 1, + .type = IIO_TEMP, +diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c +index f53e9a803a0e..93b99bd93738 100644 +--- a/drivers/iio/imu/adis_trigger.c ++++ b/drivers/iio/imu/adis_trigger.c +@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev) + if (adis->trig == NULL) + return -ENOMEM; + ++ adis->trig->dev.parent = &adis->spi->dev; ++ adis->trig->ops = &adis_trigger_ops; ++ iio_trigger_set_drvdata(adis->trig, adis); ++ + ret = request_irq(adis->spi->irq, + &iio_trigger_generic_data_rdy_poll, + IRQF_TRIGGER_RISING, +@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev) + if (ret) + goto error_free_trig; + +- adis->trig->dev.parent = &adis->spi->dev; +- adis->trig->ops = &adis_trigger_ops; +- iio_trigger_set_drvdata(adis->trig, adis); + ret = iio_trigger_register(adis->trig); + + indio_dev->trig = iio_trigger_get(adis->trig); +diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c +index 7fa280b28ecb..ec6b26f008d9 100644 +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -150,7 +150,7 @@ unsigned int iio_buffer_poll(struct file *filp, + struct iio_dev *indio_dev = filp->private_data; + struct iio_buffer *rb = indio_dev->buffer; + +- if (!indio_dev->info) ++ if (!indio_dev->info || rb == NULL) + return 0; + + poll_wait(filp, &rb->pollq, wait); +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c +index 68ddb3710215..c1e8c01f4ab3 100644 +--- a/drivers/infiniband/hw/cxgb4/cq.c ++++ b/drivers/infiniband/hw/cxgb4/cq.c +@@ -581,10 +581,10 @@ static int poll_cq(struct t4_wq *wq, struct t4_cq *cq, struct t4_cqe *cqe, + ret = -EAGAIN; + goto skip_cqe; + } +- if (unlikely((CQE_WRID_MSN(hw_cqe) != (wq->rq.msn)))) { ++ if (unlikely(!CQE_STATUS(hw_cqe) && ++ CQE_WRID_MSN(hw_cqe) != wq->rq.msn)) { + t4_set_wq_in_error(wq); +- hw_cqe->header |= htonl(CQE_STATUS_V(T4_ERR_MSN)); +- goto proc_cqe; ++ hw_cqe->header |= cpu_to_be32(CQE_STATUS_V(T4_ERR_MSN)); + } + goto proc_cqe; + } +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index 1563ee64a180..640bb7360537 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -2436,9 +2436,8 @@ err_steer_free_bitmap: + kfree(ibdev->ib_uc_qpns_bitmap); + + err_steer_qp_release: +- if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) +- mlx4_qp_release_range(dev, ibdev->steer_qpn_base, +- ibdev->steer_qpn_count); ++ mlx4_qp_release_range(dev, ibdev->steer_qpn_base, ++ ibdev->steer_qpn_count); + err_counter: + for (; i; --i) + if (ibdev->counters[i - 1] != -1) +@@ -2540,11 +2539,9 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr) + ibdev->iboe.nb.notifier_call = NULL; + } + +- if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) { +- mlx4_qp_release_range(dev, ibdev->steer_qpn_base, +- ibdev->steer_qpn_count); +- kfree(ibdev->ib_uc_qpns_bitmap); +- } ++ mlx4_qp_release_range(dev, ibdev->steer_qpn_base, ++ ibdev->steer_qpn_count); ++ kfree(ibdev->ib_uc_qpns_bitmap); + + if (ibdev->iboe.nb_inet.notifier_call) { + if (unregister_inetaddr_notifier(&ibdev->iboe.nb_inet)) +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 416cd07ab87a..6c30192dcb78 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -958,8 +958,7 @@ static int srpt_init_ch_qp(struct srpt_rdma_ch *ch, struct ib_qp *qp) + return -ENOMEM; + + attr->qp_state = IB_QPS_INIT; +- attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ | +- IB_ACCESS_REMOTE_WRITE; ++ attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE; + attr->port_num = ch->sport->port; + attr->pkey_index = 0; + +diff --git a/drivers/input/keyboard/tca8418_keypad.c b/drivers/input/keyboard/tca8418_keypad.c +index 4e491c1762cf..5c4f7f8f2c20 100644 +--- a/drivers/input/keyboard/tca8418_keypad.c ++++ b/drivers/input/keyboard/tca8418_keypad.c +@@ -164,11 +164,18 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data) + int error, col, row; + u8 reg, state, code; + +- /* Initial read of the key event FIFO */ +- error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, ®); ++ do { ++ error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, ®); ++ if (error < 0) { ++ dev_err(&keypad_data->client->dev, ++ "unable to read REG_KEY_EVENT_A\n"); ++ break; ++ } ++ ++ /* Assume that key code 0 signifies empty FIFO */ ++ if (reg <= 0) ++ break; + +- /* Assume that key code 0 signifies empty FIFO */ +- while (error >= 0 && reg > 0) { + state = reg & KEY_EVENT_VALUE; + code = reg & KEY_EVENT_CODE; + +@@ -184,11 +191,7 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data) + + /* Read for next loop */ + error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, ®); +- } +- +- if (error < 0) +- dev_err(&keypad_data->client->dev, +- "unable to read REG_KEY_EVENT_A\n"); ++ } while (1); + + input_sync(input); + } +diff --git a/drivers/input/misc/twl6040-vibra.c b/drivers/input/misc/twl6040-vibra.c +index 0e0d094df2e6..6caeb1a2670c 100644 +--- a/drivers/input/misc/twl6040-vibra.c ++++ b/drivers/input/misc/twl6040-vibra.c +@@ -262,7 +262,7 @@ static int twl6040_vibra_probe(struct platform_device *pdev) + int vddvibr_uV = 0; + int error; + +- twl6040_core_node = of_find_node_by_name(twl6040_core_dev->of_node, ++ twl6040_core_node = of_get_child_by_name(twl6040_core_dev->of_node, + "vibra"); + if (!twl6040_core_node) { + dev_err(&pdev->dev, "parent of node is missing?\n"); +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index c3c5d492cba0..07ce8f4314ba 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1550,7 +1550,7 @@ static int elantech_set_properties(struct elantech_data *etd) + case 5: + etd->hw_version = 3; + break; +- case 6 ... 14: ++ case 6 ... 15: + etd->hw_version = 4; + break; + default: +diff --git a/drivers/input/mouse/trackpoint.c b/drivers/input/mouse/trackpoint.c +index 7e2dc5e56632..0b49f29bf0da 100644 +--- a/drivers/input/mouse/trackpoint.c ++++ b/drivers/input/mouse/trackpoint.c +@@ -383,6 +383,9 @@ int trackpoint_detect(struct psmouse *psmouse, bool set_properties) + if (trackpoint_read(&psmouse->ps2dev, TP_EXT_BTN, &button_info)) { + psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n"); + button_info = 0x33; ++ } else if (!button_info) { ++ psmouse_warn(psmouse, "got 0 in extended button data, assuming 3 buttons\n"); ++ button_info = 0x33; + } + + psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL); +diff --git a/drivers/input/touchscreen/88pm860x-ts.c b/drivers/input/touchscreen/88pm860x-ts.c +index 251ff2aa0633..7a0dbce4dae9 100644 +--- a/drivers/input/touchscreen/88pm860x-ts.c ++++ b/drivers/input/touchscreen/88pm860x-ts.c +@@ -126,7 +126,7 @@ static int pm860x_touch_dt_init(struct platform_device *pdev, + int data, n, ret; + if (!np) + return -ENODEV; +- np = of_find_node_by_name(np, "touch"); ++ np = of_get_child_by_name(np, "touch"); + if (!np) { + dev_err(&pdev->dev, "Can't find touch node\n"); + return -EINVAL; +@@ -144,13 +144,13 @@ static int pm860x_touch_dt_init(struct platform_device *pdev, + if (data) { + ret = pm860x_reg_write(i2c, PM8607_GPADC_MISC1, data); + if (ret < 0) +- return -EINVAL; ++ goto err_put_node; + } + /* set tsi prebias time */ + if (!of_property_read_u32(np, "marvell,88pm860x-tsi-prebias", &data)) { + ret = pm860x_reg_write(i2c, PM8607_TSI_PREBIAS, data); + if (ret < 0) +- return -EINVAL; ++ goto err_put_node; + } + /* set prebias & prechg time of pen detect */ + data = 0; +@@ -161,10 +161,18 @@ static int pm860x_touch_dt_init(struct platform_device *pdev, + if (data) { + ret = pm860x_reg_write(i2c, PM8607_PD_PREBIAS, data); + if (ret < 0) +- return -EINVAL; ++ goto err_put_node; + } + of_property_read_u32(np, "marvell,88pm860x-resistor-X", res_x); ++ ++ of_node_put(np); ++ + return 0; ++ ++err_put_node: ++ of_node_put(np); ++ ++ return -EINVAL; + } + #else + #define pm860x_touch_dt_init(x, y, z) (-1) +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index 9976c37b9c64..f2b3a0152860 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -584,7 +584,7 @@ static void gic_raise_softirq(const struct cpumask *mask, unsigned int irq) + * Ensure that stores to Normal memory are visible to the + * other CPUs before issuing the IPI. + */ +- smp_wmb(); ++ wmb(); + + for_each_cpu(cpu, mask) { + u64 cluster_id = cpu_logical_map(cpu) & ~0xffUL; +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c +index 823f6985b260..dd7e38ac29bd 100644 +--- a/drivers/isdn/capi/kcapi.c ++++ b/drivers/isdn/capi/kcapi.c +@@ -1032,6 +1032,7 @@ static int old_capi_manufacturer(unsigned int cmd, void __user *data) + sizeof(avmb1_carddef)))) + return -EFAULT; + cdef.cardtype = AVM_CARDTYPE_B1; ++ cdef.cardnr = 0; + } else { + if ((retval = copy_from_user(&cdef, data, + sizeof(avmb1_extcarddef)))) +diff --git a/drivers/isdn/hardware/eicon/message.c b/drivers/isdn/hardware/eicon/message.c +index 7b4ddf0a39ec..2d28530b7e82 100644 +--- a/drivers/isdn/hardware/eicon/message.c ++++ b/drivers/isdn/hardware/eicon/message.c +@@ -147,7 +147,7 @@ static word plci_remove_check(PLCI *); + static void listen_check(DIVA_CAPI_ADAPTER *); + static byte AddInfo(byte **, byte **, byte *, byte *); + static byte getChannel(API_PARSE *); +-static void IndParse(PLCI *, word *, byte **, byte); ++static void IndParse(PLCI *, const word *, byte **, byte); + static byte ie_compare(byte *, byte *); + static word find_cip(DIVA_CAPI_ADAPTER *, byte *, byte *); + static word CPN_filter_ok(byte *cpn, DIVA_CAPI_ADAPTER *, word); +@@ -4860,7 +4860,7 @@ static void sig_ind(PLCI *plci) + /* included before the ESC_MSGTYPE and MAXPARMSIDS has to be incremented */ + /* SMSG is situated at the end because its 0 (for compatibility reasons */ + /* (see Info_Mask Bit 4, first IE. then the message type) */ +- word parms_id[] = ++ static const word parms_id[] = + {MAXPARMSIDS, CPN, 0xff, DSA, OSA, BC, LLC, HLC, ESC_CAUSE, DSP, DT, CHA, + UUI, CONG_RR, CONG_RNR, ESC_CHI, KEY, CHI, CAU, ESC_LAW, + RDN, RDX, CONN_NR, RIN, NI, CAI, ESC_CR, +@@ -4868,12 +4868,12 @@ static void sig_ind(PLCI *plci) + /* 14 FTY repl by ESC_CHI */ + /* 18 PI repl by ESC_LAW */ + /* removed OAD changed to 0xff for future use, OAD is multiIE now */ +- word multi_fac_id[] = {1, FTY}; +- word multi_pi_id[] = {1, PI}; +- word multi_CiPN_id[] = {1, OAD}; +- word multi_ssext_id[] = {1, ESC_SSEXT}; ++ static const word multi_fac_id[] = {1, FTY}; ++ static const word multi_pi_id[] = {1, PI}; ++ static const word multi_CiPN_id[] = {1, OAD}; ++ static const word multi_ssext_id[] = {1, ESC_SSEXT}; + +- word multi_vswitch_id[] = {1, ESC_VSWITCH}; ++ static const word multi_vswitch_id[] = {1, ESC_VSWITCH}; + + byte *cau; + word ncci; +@@ -8926,7 +8926,7 @@ static void listen_check(DIVA_CAPI_ADAPTER *a) + /* functions for all parameters sent in INDs */ + /*------------------------------------------------------------------*/ + +-static void IndParse(PLCI *plci, word *parms_id, byte **parms, byte multiIEsize) ++static void IndParse(PLCI *plci, const word *parms_id, byte **parms, byte multiIEsize) + { + word ploc; /* points to current location within packet */ + byte w; +diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c +index 358a574d9e8b..46d957c34be1 100644 +--- a/drivers/isdn/icn/icn.c ++++ b/drivers/isdn/icn/icn.c +@@ -718,7 +718,7 @@ icn_sendbuf(int channel, int ack, struct sk_buff *skb, icn_card *card) + return 0; + if (card->sndcount[channel] > ICN_MAX_SQUEUE) + return 0; +-#warning TODO test headroom or use skb->nb to flag ACK ++ /* TODO test headroom or use skb->nb to flag ACK */ + nskb = skb_clone(skb, GFP_ATOMIC); + if (nskb) { + /* Push ACK flag as one +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index f0b75d54951a..ee2927b460c9 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -808,7 +808,10 @@ int bch_btree_cache_alloc(struct cache_set *c) + c->shrink.scan_objects = bch_mca_scan; + c->shrink.seeks = 4; + c->shrink.batch = c->btree_pages * 2; +- register_shrinker(&c->shrink); ++ ++ if (register_shrinker(&c->shrink)) ++ pr_warn("bcache: %s: could not register shrinker", ++ __func__); + + return 0; + } +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index 51dc353f7962..657b8f763754 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1521,7 +1521,8 @@ static unsigned long __scan(struct dm_bufio_client *c, unsigned long nr_to_scan, + int l; + struct dm_buffer *b, *tmp; + unsigned long freed = 0; +- unsigned long count = nr_to_scan; ++ unsigned long count = c->n_buffers[LIST_CLEAN] + ++ c->n_buffers[LIST_DIRTY]; + unsigned long retain_target = get_retain_buffers(c); + + for (l = 0; l < LIST_SIZE; l++) { +@@ -1558,6 +1559,7 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) + { + struct dm_bufio_client *c; + unsigned long count; ++ unsigned long retain_target; + + c = container_of(shrink, struct dm_bufio_client, shrinker); + if (sc->gfp_mask & __GFP_FS) +@@ -1566,8 +1568,9 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) + return 0; + + count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY]; ++ retain_target = get_retain_buffers(c); + dm_bufio_unlock(c); +- return count; ++ return (count < retain_target) ? 0 : (count - retain_target); + } + + /* +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c +index a178134abbe8..c9f51f7c1063 100644 +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -81,10 +81,14 @@ + #define SECTOR_TO_BLOCK_SHIFT 3 + + /* ++ * For btree insert: + * 3 for btree insert + + * 2 for btree lookup used within space map ++ * For btree remove: ++ * 2 for shadow spine + ++ * 4 for rebalance 3 child node + */ +-#define THIN_MAX_CONCURRENT_LOCKS 5 ++#define THIN_MAX_CONCURRENT_LOCKS 6 + + /* This should be plenty */ + #define SPACE_MAP_ROOT_SIZE 128 +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 1fdcd5735418..03bcc1ab2e9d 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -1043,8 +1043,9 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor + * (not needed for Linear and RAID0 as metadata doesn't + * record this size) + */ +- if (rdev->sectors >= (2ULL << 32) && sb->level >= 1) +- rdev->sectors = (2ULL << 32) - 2; ++ if (IS_ENABLED(CONFIG_LBDAF) && (u64)rdev->sectors >= (2ULL << 32) && ++ sb->level >= 1) ++ rdev->sectors = (sector_t)(2ULL << 32) - 2; + + if (rdev->sectors < ((sector_t)sb->size) * 2 && sb->level >= 1) + /* "this cannot possibly happen" ... */ +@@ -1337,8 +1338,9 @@ super_90_rdev_size_change(struct md_rdev *rdev, sector_t num_sectors) + /* Limit to 4TB as metadata cannot record more than that. + * 4TB == 2^32 KB, or 2*2^32 sectors. + */ +- if (num_sectors >= (2ULL << 32) && rdev->mddev->level >= 1) +- num_sectors = (2ULL << 32) - 2; ++ if (IS_ENABLED(CONFIG_LBDAF) && (u64)num_sectors >= (2ULL << 32) && ++ rdev->mddev->level >= 1) ++ num_sectors = (sector_t)(2ULL << 32) - 2; + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, + rdev->sb_page); + md_super_wait(rdev->mddev); +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c +index 360c22d44647..f2a8e4c69d9f 100644 +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -572,23 +572,8 @@ static int btree_split_beneath(struct shadow_spine *s, uint64_t key) + pn->keys[1] = rn->keys[0]; + memcpy_disk(value_ptr(pn, 1), &val, sizeof(__le64)); + +- /* +- * rejig the spine. This is ugly, since it knows too +- * much about the spine +- */ +- if (s->nodes[0] != new_parent) { +- unlock_block(s->info, s->nodes[0]); +- s->nodes[0] = new_parent; +- } +- if (key < le64_to_cpu(rn->keys[0])) { +- unlock_block(s->info, right); +- s->nodes[1] = left; +- } else { +- unlock_block(s->info, left); +- s->nodes[1] = right; +- } +- s->count = 2; +- ++ unlock_block(s->info, left); ++ unlock_block(s->info, right); + return 0; + } + +diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c +index de803a11efb4..768ae2115f1a 100644 +--- a/drivers/media/i2c/s5k6aa.c ++++ b/drivers/media/i2c/s5k6aa.c +@@ -421,6 +421,7 @@ static int s5k6aa_set_ahb_address(struct i2c_client *client) + + /** + * s5k6aa_configure_pixel_clock - apply ISP main clock/PLL configuration ++ * @s5k6aa: pointer to &struct s5k6aa describing the device + * + * Configure the internal ISP PLL for the required output frequency. + * Locking: called with s5k6aa.lock mutex held. +@@ -669,6 +670,7 @@ static int s5k6aa_set_input_params(struct s5k6aa *s5k6aa) + + /** + * s5k6aa_configure_video_bus - configure the video output interface ++ * @s5k6aa: pointer to &struct s5k6aa describing the device + * @bus_type: video bus type: parallel or MIPI-CSI + * @nlanes: number of MIPI lanes to be used (MIPI-CSI only) + * +@@ -724,6 +726,8 @@ static int s5k6aa_new_config_sync(struct i2c_client *client, int timeout, + + /** + * s5k6aa_set_prev_config - write user preview register set ++ * @s5k6aa: pointer to &struct s5k6aa describing the device ++ * @preset: s5kaa preset to be applied + * + * Configure output resolution and color fromat, pixel clock + * frequency range, device frame rate type and frame period range. +@@ -777,6 +781,7 @@ static int s5k6aa_set_prev_config(struct s5k6aa *s5k6aa, + + /** + * s5k6aa_initialize_isp - basic ISP MCU initialization ++ * @sd: pointer to V4L2 sub-device descriptor + * + * Configure AHB addresses for registers read/write; configure PLLs for + * required output pixel clock. The ISP power supply needs to be already +diff --git a/drivers/media/platform/soc_camera/soc_scale_crop.c b/drivers/media/platform/soc_camera/soc_scale_crop.c +index 8e74fb7f2a07..2d673516a614 100644 +--- a/drivers/media/platform/soc_camera/soc_scale_crop.c ++++ b/drivers/media/platform/soc_camera/soc_scale_crop.c +@@ -400,3 +400,7 @@ void soc_camera_calc_client_output(struct soc_camera_device *icd, + mf->height = soc_camera_shift_scale(rect->height, shift, scale_v); + } + EXPORT_SYMBOL(soc_camera_calc_client_output); ++ ++MODULE_DESCRIPTION("soc-camera scaling-cropping functions"); ++MODULE_AUTHOR("Guennadi Liakhovetski <kernel@pengutronix.de>"); ++MODULE_LICENSE("GPL"); +diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c +index 71159a58860f..4bfd64b0c0ad 100644 +--- a/drivers/media/tuners/r820t.c ++++ b/drivers/media/tuners/r820t.c +@@ -410,9 +410,11 @@ static int r820t_write(struct r820t_priv *priv, u8 reg, const u8 *val, + return 0; + } + +-static int r820t_write_reg(struct r820t_priv *priv, u8 reg, u8 val) ++static inline int r820t_write_reg(struct r820t_priv *priv, u8 reg, u8 val) + { +- return r820t_write(priv, reg, &val, 1); ++ u8 tmp = val; /* work around GCC PR81715 with asan-stack=1 */ ++ ++ return r820t_write(priv, reg, &tmp, 1); + } + + static int r820t_read_cache_reg(struct r820t_priv *priv, int reg) +@@ -425,17 +427,18 @@ static int r820t_read_cache_reg(struct r820t_priv *priv, int reg) + return -EINVAL; + } + +-static int r820t_write_reg_mask(struct r820t_priv *priv, u8 reg, u8 val, ++static inline int r820t_write_reg_mask(struct r820t_priv *priv, u8 reg, u8 val, + u8 bit_mask) + { ++ u8 tmp = val; + int rc = r820t_read_cache_reg(priv, reg); + + if (rc < 0) + return rc; + +- val = (rc & ~bit_mask) | (val & bit_mask); ++ tmp = (rc & ~bit_mask) | (tmp & bit_mask); + +- return r820t_write(priv, reg, &val, 1); ++ return r820t_write(priv, reg, &tmp, 1); + } + + static int r820t_read(struct r820t_priv *priv, u8 reg, u8 *val, int len) +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 5de6f7c04d09..7399bd58e286 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -444,18 +444,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid, + + static int lme2510_return_status(struct dvb_usb_device *d) + { +- int ret = 0; ++ int ret; + u8 *data; + +- data = kzalloc(10, GFP_KERNEL); ++ data = kzalloc(6, GFP_KERNEL); + if (!data) + return -ENOMEM; + +- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), +- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); +- info("Firmware Status: %x (%x)", ret , data[2]); ++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), ++ 0x06, 0x80, 0x0302, 0x00, ++ data, 0x6, 200); ++ if (ret != 6) ++ ret = -EINVAL; ++ else ++ ret = data[2]; ++ ++ info("Firmware Status: %6ph", data); + +- ret = (ret < 0) ? -ENODEV : data[2]; + kfree(data); + return ret; + } +@@ -1029,8 +1034,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap) + + if (adap->fe[0]) { + info("FE Found M88RS2000"); +- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config, +- &d->i2c_adap); + st->i2c_tuner_gate_w = 5; + st->i2c_tuner_gate_r = 5; + st->i2c_tuner_addr = 0x60; +@@ -1096,17 +1099,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap) + ret = st->tuner_config; + break; + case TUNER_RS2000: +- ret = st->tuner_config; ++ if (dvb_attach(ts2020_attach, adap->fe[0], ++ &ts2020_config, &d->i2c_adap)) ++ ret = st->tuner_config; + break; + default: + break; + } + +- if (ret) ++ if (ret) { + info("TUN Found %s tuner", tun_msg[ret]); +- else { +- info("TUN No tuner found --- resetting device"); +- lme_coldreset(d); ++ } else { ++ info("TUN No tuner found"); + return -ENODEV; + } + +@@ -1150,6 +1154,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d) + static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) + { + struct lme2510_state *st = d->priv; ++ int status; + + usb_reset_configuration(d->udev); + +@@ -1158,12 +1163,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) + + st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware; + +- if (lme2510_return_status(d) == 0x44) { ++ status = lme2510_return_status(d); ++ if (status == 0x44) { + *name = lme_firmware_switch(d, 0); + return COLD; + } + +- return 0; ++ if (status != 0x47) ++ return -EINVAL; ++ ++ return WARM; + } + + static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type, +diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c +index ffc3704abded..d89de44d94a0 100644 +--- a/drivers/media/usb/dvb-usb/cxusb.c ++++ b/drivers/media/usb/dvb-usb/cxusb.c +@@ -818,6 +818,8 @@ static int dvico_bluebird_xc2028_callback(void *ptr, int component, + case XC2028_RESET_CLK: + deb_info("%s: XC2028_RESET_CLK %d\n", __func__, arg); + break; ++ case XC2028_I2C_FLUSH: ++ break; + default: + deb_info("%s: unknown command %d, arg %d\n", __func__, + command, arg); +diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c +index 0d7565158207..97057ae10509 100644 +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c +@@ -431,6 +431,7 @@ static int stk7700ph_xc3028_callback(void *ptr, int component, + state->dib7000p_ops.set_gpio(adap->fe_adap[0].fe, 8, 0, 1); + break; + case XC2028_RESET_CLK: ++ case XC2028_I2C_FLUSH: + break; + default: + err("%s: unknown command %d, arg %d\n", __func__, +diff --git a/drivers/media/usb/em28xx/Kconfig b/drivers/media/usb/em28xx/Kconfig +index e382210c4ada..75323f5efd0f 100644 +--- a/drivers/media/usb/em28xx/Kconfig ++++ b/drivers/media/usb/em28xx/Kconfig +@@ -11,7 +11,7 @@ config VIDEO_EM28XX_V4L2 + select VIDEO_SAA711X if MEDIA_SUBDRV_AUTOSELECT + select VIDEO_TVP5150 if MEDIA_SUBDRV_AUTOSELECT + select VIDEO_MSP3400 if MEDIA_SUBDRV_AUTOSELECT +- select VIDEO_MT9V011 if MEDIA_SUBDRV_AUTOSELECT ++ select VIDEO_MT9V011 if MEDIA_SUBDRV_AUTOSELECT && MEDIA_CAMERA_SUPPORT + + ---help--- + This is a video4linux driver for Empia 28xx based TV cards. +diff --git a/drivers/media/usb/go7007/Kconfig b/drivers/media/usb/go7007/Kconfig +index 95a3af644a92..af1d02430931 100644 +--- a/drivers/media/usb/go7007/Kconfig ++++ b/drivers/media/usb/go7007/Kconfig +@@ -11,7 +11,7 @@ config VIDEO_GO7007 + select VIDEO_TW2804 if MEDIA_SUBDRV_AUTOSELECT + select VIDEO_TW9903 if MEDIA_SUBDRV_AUTOSELECT + select VIDEO_TW9906 if MEDIA_SUBDRV_AUTOSELECT +- select VIDEO_OV7640 if MEDIA_SUBDRV_AUTOSELECT ++ select VIDEO_OV7640 if MEDIA_SUBDRV_AUTOSELECT && MEDIA_CAMERA_SUPPORT + select VIDEO_UDA1342 if MEDIA_SUBDRV_AUTOSELECT + ---help--- + This is a video4linux driver for the WIS GO7007 MPEG +diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c +index 3fc64197b4e6..08f0ca7aa012 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-core.c ++++ b/drivers/media/usb/hdpvr/hdpvr-core.c +@@ -273,7 +273,9 @@ static int hdpvr_probe(struct usb_interface *interface, + struct hdpvr_device *dev; + struct usb_host_interface *iface_desc; + struct usb_endpoint_descriptor *endpoint; ++#if IS_ENABLED(CONFIG_I2C) + struct i2c_client *client; ++#endif + size_t buffer_size; + int i; + int retval = -ENOMEM; +diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c +index a7e1f6f37790..a8f265cee365 100644 +--- a/drivers/media/usb/pwc/pwc-if.c ++++ b/drivers/media/usb/pwc/pwc-if.c +@@ -1110,8 +1110,10 @@ static int usb_pwc_probe(struct usb_interface *intf, const struct usb_device_id + + return 0; + ++#ifdef CONFIG_USB_PWC_INPUT_EVDEV + err_video_unreg: + video_unregister_device(&pdev->vdev); ++#endif + err_unregister_v4l2_dev: + v4l2_device_unregister(&pdev->v4l2_dev); + err_free_controls: +diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c +index 29428bef272c..3bbc77aa6a33 100644 +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -127,6 +127,7 @@ static void usbtv_disconnect(struct usb_interface *intf) + + static struct usb_device_id usbtv_id_table[] = { + { USB_DEVICE(0x1b71, 0x3002) }, ++ { USB_DEVICE(0x1f71, 0x3301) }, + {} + }; + MODULE_DEVICE_TABLE(usb, usbtv_id_table); +diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c +index 3b3becc5718d..7b12710becac 100644 +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -1522,6 +1522,13 @@ static int usbvision_probe(struct usb_interface *intf, + printk(KERN_INFO "%s: %s found\n", __func__, + usbvision_device_data[model].model_string); + ++ /* ++ * this is a security check. ++ * an exploit using an incorrect bInterfaceNumber is known ++ */ ++ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum]) ++ return -ENODEV; ++ + if (usbvision_device_data[model].interface >= 0) + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; + else if (ifnum < dev->actconfig->desc.bNumInterfaces) +diff --git a/drivers/media/v4l2-core/Kconfig b/drivers/media/v4l2-core/Kconfig +index ba7e21a73023..b0372b1908f1 100644 +--- a/drivers/media/v4l2-core/Kconfig ++++ b/drivers/media/v4l2-core/Kconfig +@@ -37,7 +37,6 @@ config VIDEO_PCI_SKELETON + # Used by drivers that need tuner.ko + config VIDEO_TUNER + tristate +- depends on MEDIA_TUNER + + # Used by drivers that need v4l2-mem2mem.ko + config V4L2_MEM2MEM_DEV +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index 4f002d0bebb1..e03aa0961360 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -18,8 +18,18 @@ + #include <linux/videodev2.h> + #include <linux/v4l2-subdev.h> + #include <media/v4l2-dev.h> ++#include <media/v4l2-fh.h> ++#include <media/v4l2-ctrls.h> + #include <media/v4l2-ioctl.h> + ++/* Use the same argument order as copy_in_user */ ++#define assign_in_user(to, from) \ ++({ \ ++ typeof(*from) __assign_tmp; \ ++ \ ++ get_user(__assign_tmp, from) || put_user(__assign_tmp, to); \ ++}) ++ + static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + long ret = -ENOIOCTLCMD; +@@ -33,117 +43,88 @@ static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + struct v4l2_clip32 { + struct v4l2_rect c; +- compat_caddr_t next; ++ compat_caddr_t next; + }; + + struct v4l2_window32 { + struct v4l2_rect w; +- __u32 field; /* enum v4l2_field */ ++ __u32 field; /* enum v4l2_field */ + __u32 chromakey; + compat_caddr_t clips; /* actually struct v4l2_clip32 * */ + __u32 clipcount; + compat_caddr_t bitmap; ++ __u8 global_alpha; + }; + +-static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) +-{ +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) || +- copy_from_user(&kp->w, &up->w, sizeof(up->w)) || +- get_user(kp->field, &up->field) || +- get_user(kp->chromakey, &up->chromakey) || +- get_user(kp->clipcount, &up->clipcount)) +- return -EFAULT; +- if (kp->clipcount > 2048) +- return -EINVAL; +- if (kp->clipcount) { +- struct v4l2_clip32 __user *uclips; +- struct v4l2_clip __user *kclips; +- int n = kp->clipcount; +- compat_caddr_t p; +- +- if (get_user(p, &up->clips)) +- return -EFAULT; +- uclips = compat_ptr(p); +- kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip)); +- kp->clips = kclips; +- while (--n >= 0) { +- if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c))) +- return -EFAULT; +- if (put_user(n ? kclips + 1 : NULL, &kclips->next)) +- return -EFAULT; +- uclips += 1; +- kclips += 1; +- } +- } else +- kp->clips = NULL; +- return 0; +-} +- +-static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) ++static int get_v4l2_window32(struct v4l2_window __user *kp, ++ struct v4l2_window32 __user *up, ++ void __user *aux_buf, u32 aux_space) + { +- if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) || +- put_user(kp->field, &up->field) || +- put_user(kp->chromakey, &up->chromakey) || +- put_user(kp->clipcount, &up->clipcount)) +- return -EFAULT; +- return 0; +-} +- +-static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) +-{ +- if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format))) +- return -EFAULT; +- return 0; +-} +- +-static inline int get_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp, +- struct v4l2_pix_format_mplane __user *up) +-{ +- if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format_mplane))) ++ struct v4l2_clip32 __user *uclips; ++ struct v4l2_clip __user *kclips; ++ compat_caddr_t p; ++ u32 clipcount; ++ ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ copy_in_user(&kp->w, &up->w, sizeof(up->w)) || ++ assign_in_user(&kp->field, &up->field) || ++ assign_in_user(&kp->chromakey, &up->chromakey) || ++ assign_in_user(&kp->global_alpha, &up->global_alpha) || ++ get_user(clipcount, &up->clipcount) || ++ put_user(clipcount, &kp->clipcount)) + return -EFAULT; +- return 0; +-} ++ if (clipcount > 2048) ++ return -EINVAL; ++ if (!clipcount) ++ return put_user(NULL, &kp->clips); + +-static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) +-{ +- if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format))) ++ if (get_user(p, &up->clips)) + return -EFAULT; +- return 0; +-} +- +-static inline int put_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp, +- struct v4l2_pix_format_mplane __user *up) +-{ +- if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format_mplane))) ++ uclips = compat_ptr(p); ++ if (aux_space < clipcount * sizeof(*kclips)) + return -EFAULT; +- return 0; +-} +- +-static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) +-{ +- if (copy_from_user(kp, up, sizeof(struct v4l2_vbi_format))) ++ kclips = aux_buf; ++ if (put_user(kclips, &kp->clips)) + return -EFAULT; +- return 0; +-} + +-static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) +-{ +- if (copy_to_user(up, kp, sizeof(struct v4l2_vbi_format))) +- return -EFAULT; ++ while (clipcount--) { ++ if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c))) ++ return -EFAULT; ++ if (put_user(clipcount ? kclips + 1 : NULL, &kclips->next)) ++ return -EFAULT; ++ uclips++; ++ kclips++; ++ } + return 0; + } + +-static inline int get_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up) ++static int put_v4l2_window32(struct v4l2_window __user *kp, ++ struct v4l2_window32 __user *up) + { +- if (copy_from_user(kp, up, sizeof(struct v4l2_sliced_vbi_format))) ++ struct v4l2_clip __user *kclips = kp->clips; ++ struct v4l2_clip32 __user *uclips; ++ compat_caddr_t p; ++ u32 clipcount; ++ ++ if (copy_in_user(&up->w, &kp->w, sizeof(kp->w)) || ++ assign_in_user(&up->field, &kp->field) || ++ assign_in_user(&up->chromakey, &kp->chromakey) || ++ assign_in_user(&up->global_alpha, &kp->global_alpha) || ++ get_user(clipcount, &kp->clipcount) || ++ put_user(clipcount, &up->clipcount)) + return -EFAULT; +- return 0; +-} ++ if (!clipcount) ++ return 0; + +-static inline int put_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up) +-{ +- if (copy_to_user(up, kp, sizeof(struct v4l2_sliced_vbi_format))) ++ if (get_user(p, &up->clips)) + return -EFAULT; ++ uclips = compat_ptr(p); ++ while (clipcount--) { ++ if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c))) ++ return -EFAULT; ++ uclips++; ++ kclips++; ++ } + return 0; + } + +@@ -176,91 +157,150 @@ struct v4l2_create_buffers32 { + __u32 reserved[8]; + }; + +-static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) ++static int __bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size) + { +- if (get_user(kp->type, &up->type)) ++ u32 type; ++ ++ if (get_user(type, &up->type)) + return -EFAULT; + +- switch (kp->type) { ++ switch (type) { ++ case V4L2_BUF_TYPE_VIDEO_OVERLAY: ++ case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: { ++ u32 clipcount; ++ ++ if (get_user(clipcount, &up->fmt.win.clipcount)) ++ return -EFAULT; ++ if (clipcount > 2048) ++ return -EINVAL; ++ *size = clipcount * sizeof(struct v4l2_clip); ++ return 0; ++ } ++ default: ++ *size = 0; ++ return 0; ++ } ++} ++ ++static int bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size) ++{ ++ if (!access_ok(VERIFY_READ, up, sizeof(*up))) ++ return -EFAULT; ++ return __bufsize_v4l2_format(up, size); ++} ++ ++static int __get_v4l2_format32(struct v4l2_format __user *kp, ++ struct v4l2_format32 __user *up, ++ void __user *aux_buf, u32 aux_space) ++{ ++ u32 type; ++ ++ if (get_user(type, &up->type) || put_user(type, &kp->type)) ++ return -EFAULT; ++ ++ switch (type) { + case V4L2_BUF_TYPE_VIDEO_CAPTURE: + case V4L2_BUF_TYPE_VIDEO_OUTPUT: +- return get_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix); ++ return copy_in_user(&kp->fmt.pix, &up->fmt.pix, ++ sizeof(kp->fmt.pix)) ? -EFAULT : 0; + case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE: + case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE: +- return get_v4l2_pix_format_mplane(&kp->fmt.pix_mp, +- &up->fmt.pix_mp); ++ return copy_in_user(&kp->fmt.pix_mp, &up->fmt.pix_mp, ++ sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0; + case V4L2_BUF_TYPE_VIDEO_OVERLAY: + case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: +- return get_v4l2_window32(&kp->fmt.win, &up->fmt.win); ++ return get_v4l2_window32(&kp->fmt.win, &up->fmt.win, ++ aux_buf, aux_space); + case V4L2_BUF_TYPE_VBI_CAPTURE: + case V4L2_BUF_TYPE_VBI_OUTPUT: +- return get_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi); ++ return copy_in_user(&kp->fmt.vbi, &up->fmt.vbi, ++ sizeof(kp->fmt.vbi)) ? -EFAULT : 0; + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE: + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT: +- return get_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced); ++ return copy_in_user(&kp->fmt.sliced, &up->fmt.sliced, ++ sizeof(kp->fmt.sliced)) ? -EFAULT : 0; + default: +- printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n", +- kp->type); + return -EINVAL; + } + } + +-static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) ++static int get_v4l2_format32(struct v4l2_format __user *kp, ++ struct v4l2_format32 __user *up, ++ void __user *aux_buf, u32 aux_space) + { +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32))) ++ if (!access_ok(VERIFY_READ, up, sizeof(*up))) + return -EFAULT; +- return __get_v4l2_format32(kp, up); ++ return __get_v4l2_format32(kp, up, aux_buf, aux_space); + } + +-static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) ++static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *up, ++ u32 *size) + { +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) || +- copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format))) ++ if (!access_ok(VERIFY_READ, up, sizeof(*up))) + return -EFAULT; +- return __get_v4l2_format32(&kp->format, &up->format); ++ return __bufsize_v4l2_format(&up->format, size); + } + +-static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) ++static int get_v4l2_create32(struct v4l2_create_buffers __user *kp, ++ struct v4l2_create_buffers32 __user *up, ++ void __user *aux_buf, u32 aux_space) + { +- if (put_user(kp->type, &up->type)) ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ copy_in_user(kp, up, ++ offsetof(struct v4l2_create_buffers32, format))) + return -EFAULT; ++ return __get_v4l2_format32(&kp->format, &up->format, ++ aux_buf, aux_space); ++} ++ ++static int __put_v4l2_format32(struct v4l2_format __user *kp, ++ struct v4l2_format32 __user *up) ++{ ++ u32 type; + +- switch (kp->type) { ++ if (get_user(type, &kp->type)) ++ return -EFAULT; ++ ++ switch (type) { + case V4L2_BUF_TYPE_VIDEO_CAPTURE: + case V4L2_BUF_TYPE_VIDEO_OUTPUT: +- return put_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix); ++ return copy_in_user(&up->fmt.pix, &kp->fmt.pix, ++ sizeof(kp->fmt.pix)) ? -EFAULT : 0; + case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE: + case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE: +- return put_v4l2_pix_format_mplane(&kp->fmt.pix_mp, +- &up->fmt.pix_mp); ++ return copy_in_user(&up->fmt.pix_mp, &kp->fmt.pix_mp, ++ sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0; + case V4L2_BUF_TYPE_VIDEO_OVERLAY: + case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: + return put_v4l2_window32(&kp->fmt.win, &up->fmt.win); + case V4L2_BUF_TYPE_VBI_CAPTURE: + case V4L2_BUF_TYPE_VBI_OUTPUT: +- return put_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi); ++ return copy_in_user(&up->fmt.vbi, &kp->fmt.vbi, ++ sizeof(kp->fmt.vbi)) ? -EFAULT : 0; + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE: + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT: +- return put_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced); ++ return copy_in_user(&up->fmt.sliced, &kp->fmt.sliced, ++ sizeof(kp->fmt.sliced)) ? -EFAULT : 0; + default: +- printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n", +- kp->type); + return -EINVAL; + } + } + +-static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) ++static int put_v4l2_format32(struct v4l2_format __user *kp, ++ struct v4l2_format32 __user *up) + { +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32))) ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up))) + return -EFAULT; + return __put_v4l2_format32(kp, up); + } + +-static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) ++static int put_v4l2_create32(struct v4l2_create_buffers __user *kp, ++ struct v4l2_create_buffers32 __user *up) + { +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || +- copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) || +- copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ copy_in_user(up, kp, ++ offsetof(struct v4l2_create_buffers32, format)) || ++ copy_in_user(up->reserved, kp->reserved, sizeof(kp->reserved))) + return -EFAULT; + return __put_v4l2_format32(&kp->format, &up->format); + } +@@ -274,25 +314,28 @@ struct v4l2_standard32 { + __u32 reserved[4]; + }; + +-static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) ++static int get_v4l2_standard32(struct v4l2_standard __user *kp, ++ struct v4l2_standard32 __user *up) + { + /* other fields are not set by the user, nor used by the driver */ +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) || +- get_user(kp->index, &up->index)) ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ assign_in_user(&kp->index, &up->index)) + return -EFAULT; + return 0; + } + +-static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) ++static int put_v4l2_standard32(struct v4l2_standard __user *kp, ++ struct v4l2_standard32 __user *up) + { +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || +- put_user(kp->index, &up->index) || +- copy_to_user(up->id, &kp->id, sizeof(__u64)) || +- copy_to_user(up->name, kp->name, 24) || +- copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) || +- put_user(kp->framelines, &up->framelines) || +- copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32))) +- return -EFAULT; ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ assign_in_user(&up->index, &kp->index) || ++ copy_in_user(&up->id, &kp->id, sizeof(up->id)) || ++ copy_in_user(up->name, kp->name, sizeof(up->name)) || ++ copy_in_user(&up->frameperiod, &kp->frameperiod, ++ sizeof(up->frameperiod)) || ++ assign_in_user(&up->framelines, &kp->framelines) || ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved))) ++ return -EFAULT; + return 0; + } + +@@ -331,134 +374,186 @@ struct v4l2_buffer32 { + __u32 reserved; + }; + +-static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, +- enum v4l2_memory memory) ++static int get_v4l2_plane32(struct v4l2_plane __user *up, ++ struct v4l2_plane32 __user *up32, ++ enum v4l2_memory memory) + { +- void __user *up_pln; +- compat_long_t p; ++ compat_ulong_t p; + + if (copy_in_user(up, up32, 2 * sizeof(__u32)) || +- copy_in_user(&up->data_offset, &up32->data_offset, +- sizeof(__u32))) ++ copy_in_user(&up->data_offset, &up32->data_offset, ++ sizeof(up->data_offset))) + return -EFAULT; + +- if (memory == V4L2_MEMORY_USERPTR) { +- if (get_user(p, &up32->m.userptr)) +- return -EFAULT; +- up_pln = compat_ptr(p); +- if (put_user((unsigned long)up_pln, &up->m.userptr)) ++ switch (memory) { ++ case V4L2_MEMORY_MMAP: ++ case V4L2_MEMORY_OVERLAY: ++ if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset, ++ sizeof(up32->m.mem_offset))) + return -EFAULT; +- } else if (memory == V4L2_MEMORY_DMABUF) { +- if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(int))) ++ break; ++ case V4L2_MEMORY_USERPTR: ++ if (get_user(p, &up32->m.userptr) || ++ put_user((unsigned long)compat_ptr(p), &up->m.userptr)) + return -EFAULT; +- } else { +- if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset, +- sizeof(__u32))) ++ break; ++ case V4L2_MEMORY_DMABUF: ++ if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd))) + return -EFAULT; ++ break; + } + + return 0; + } + +-static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, +- enum v4l2_memory memory) ++static int put_v4l2_plane32(struct v4l2_plane __user *up, ++ struct v4l2_plane32 __user *up32, ++ enum v4l2_memory memory) + { ++ unsigned long p; ++ + if (copy_in_user(up32, up, 2 * sizeof(__u32)) || +- copy_in_user(&up32->data_offset, &up->data_offset, +- sizeof(__u32))) ++ copy_in_user(&up32->data_offset, &up->data_offset, ++ sizeof(up->data_offset))) + return -EFAULT; + +- /* For MMAP, driver might've set up the offset, so copy it back. +- * USERPTR stays the same (was userspace-provided), so no copying. */ +- if (memory == V4L2_MEMORY_MMAP) ++ switch (memory) { ++ case V4L2_MEMORY_MMAP: ++ case V4L2_MEMORY_OVERLAY: + if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset, +- sizeof(__u32))) ++ sizeof(up->m.mem_offset))) + return -EFAULT; +- /* For DMABUF, driver might've set up the fd, so copy it back. */ +- if (memory == V4L2_MEMORY_DMABUF) +- if (copy_in_user(&up32->m.fd, &up->m.fd, +- sizeof(int))) ++ break; ++ case V4L2_MEMORY_USERPTR: ++ if (get_user(p, &up->m.userptr) || ++ put_user((compat_ulong_t)ptr_to_compat((__force void *)p), ++ &up32->m.userptr)) ++ return -EFAULT; ++ break; ++ case V4L2_MEMORY_DMABUF: ++ if (copy_in_user(&up32->m.fd, &up->m.fd, sizeof(up->m.fd))) + return -EFAULT; ++ break; ++ } ++ ++ return 0; ++} ++ ++static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *up, u32 *size) ++{ ++ u32 type; ++ u32 length; ++ ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ get_user(type, &up->type) || ++ get_user(length, &up->length)) ++ return -EFAULT; + ++ if (V4L2_TYPE_IS_MULTIPLANAR(type)) { ++ if (length > VIDEO_MAX_PLANES) ++ return -EINVAL; ++ ++ /* ++ * We don't really care if userspace decides to kill itself ++ * by passing a very big length value ++ */ ++ *size = length * sizeof(struct v4l2_plane); ++ } else { ++ *size = 0; ++ } + return 0; + } + +-static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up) ++static int get_v4l2_buffer32(struct v4l2_buffer __user *kp, ++ struct v4l2_buffer32 __user *up, ++ void __user *aux_buf, u32 aux_space) + { ++ u32 type; ++ u32 length; ++ enum v4l2_memory memory; + struct v4l2_plane32 __user *uplane32; + struct v4l2_plane __user *uplane; + compat_caddr_t p; +- int num_planes; + int ret; + +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) || +- get_user(kp->index, &up->index) || +- get_user(kp->type, &up->type) || +- get_user(kp->flags, &up->flags) || +- get_user(kp->memory, &up->memory) || +- get_user(kp->length, &up->length)) +- return -EFAULT; ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ assign_in_user(&kp->index, &up->index) || ++ get_user(type, &up->type) || ++ put_user(type, &kp->type) || ++ assign_in_user(&kp->flags, &up->flags) || ++ get_user(memory, &up->memory) || ++ put_user(memory, &kp->memory) || ++ get_user(length, &up->length) || ++ put_user(length, &kp->length)) ++ return -EFAULT; + +- if (V4L2_TYPE_IS_OUTPUT(kp->type)) +- if (get_user(kp->bytesused, &up->bytesused) || +- get_user(kp->field, &up->field) || +- get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || +- get_user(kp->timestamp.tv_usec, +- &up->timestamp.tv_usec)) ++ if (V4L2_TYPE_IS_OUTPUT(type)) ++ if (assign_in_user(&kp->bytesused, &up->bytesused) || ++ assign_in_user(&kp->field, &up->field) || ++ assign_in_user(&kp->timestamp.tv_sec, ++ &up->timestamp.tv_sec) || ++ assign_in_user(&kp->timestamp.tv_usec, ++ &up->timestamp.tv_usec)) + return -EFAULT; + +- if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { +- num_planes = kp->length; ++ if (V4L2_TYPE_IS_MULTIPLANAR(type)) { ++ u32 num_planes = length; ++ + if (num_planes == 0) { +- kp->m.planes = NULL; +- /* num_planes == 0 is legal, e.g. when userspace doesn't +- * need planes array on DQBUF*/ +- return 0; ++ /* ++ * num_planes == 0 is legal, e.g. when userspace doesn't ++ * need planes array on DQBUF ++ */ ++ return put_user(NULL, &kp->m.planes); + } ++ if (num_planes > VIDEO_MAX_PLANES) ++ return -EINVAL; + + if (get_user(p, &up->m.planes)) + return -EFAULT; + + uplane32 = compat_ptr(p); + if (!access_ok(VERIFY_READ, uplane32, +- num_planes * sizeof(struct v4l2_plane32))) ++ num_planes * sizeof(*uplane32))) + return -EFAULT; + +- /* We don't really care if userspace decides to kill itself +- * by passing a very big num_planes value */ +- uplane = compat_alloc_user_space(num_planes * +- sizeof(struct v4l2_plane)); +- kp->m.planes = (__force struct v4l2_plane *)uplane; ++ /* ++ * We don't really care if userspace decides to kill itself ++ * by passing a very big num_planes value ++ */ ++ if (aux_space < num_planes * sizeof(*uplane)) ++ return -EFAULT; ++ ++ uplane = aux_buf; ++ if (put_user((__force struct v4l2_plane *)uplane, ++ &kp->m.planes)) ++ return -EFAULT; + +- while (--num_planes >= 0) { +- ret = get_v4l2_plane32(uplane, uplane32, kp->memory); ++ while (num_planes--) { ++ ret = get_v4l2_plane32(uplane, uplane32, memory); + if (ret) + return ret; +- ++uplane; +- ++uplane32; ++ uplane++; ++ uplane32++; + } + } else { +- switch (kp->memory) { ++ switch (memory) { + case V4L2_MEMORY_MMAP: +- if (get_user(kp->m.offset, &up->m.offset)) ++ case V4L2_MEMORY_OVERLAY: ++ if (assign_in_user(&kp->m.offset, &up->m.offset)) + return -EFAULT; + break; +- case V4L2_MEMORY_USERPTR: +- { +- compat_long_t tmp; ++ case V4L2_MEMORY_USERPTR: { ++ compat_ulong_t userptr; + +- if (get_user(tmp, &up->m.userptr)) +- return -EFAULT; +- +- kp->m.userptr = (unsigned long)compat_ptr(tmp); +- } +- break; +- case V4L2_MEMORY_OVERLAY: +- if (get_user(kp->m.offset, &up->m.offset)) ++ if (get_user(userptr, &up->m.userptr) || ++ put_user((unsigned long)compat_ptr(userptr), ++ &kp->m.userptr)) + return -EFAULT; + break; ++ } + case V4L2_MEMORY_DMABUF: +- if (get_user(kp->m.fd, &up->m.fd)) ++ if (assign_in_user(&kp->m.fd, &up->m.fd)) + return -EFAULT; + break; + } +@@ -467,65 +562,70 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + return 0; + } + +-static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up) ++static int put_v4l2_buffer32(struct v4l2_buffer __user *kp, ++ struct v4l2_buffer32 __user *up) + { ++ u32 type; ++ u32 length; ++ enum v4l2_memory memory; + struct v4l2_plane32 __user *uplane32; + struct v4l2_plane __user *uplane; + compat_caddr_t p; +- int num_planes; + int ret; + +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) || +- put_user(kp->index, &up->index) || +- put_user(kp->type, &up->type) || +- put_user(kp->flags, &up->flags) || +- put_user(kp->memory, &up->memory)) +- return -EFAULT; ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ assign_in_user(&up->index, &kp->index) || ++ get_user(type, &kp->type) || ++ put_user(type, &up->type) || ++ assign_in_user(&up->flags, &kp->flags) || ++ get_user(memory, &kp->memory) || ++ put_user(memory, &up->memory)) ++ return -EFAULT; + +- if (put_user(kp->bytesused, &up->bytesused) || +- put_user(kp->field, &up->field) || +- put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || +- put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) || +- copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || +- put_user(kp->sequence, &up->sequence) || +- put_user(kp->reserved2, &up->reserved2) || +- put_user(kp->reserved, &up->reserved) || +- put_user(kp->length, &up->length)) +- return -EFAULT; ++ if (assign_in_user(&up->bytesused, &kp->bytesused) || ++ assign_in_user(&up->field, &kp->field) || ++ assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) || ++ assign_in_user(&up->timestamp.tv_usec, &kp->timestamp.tv_usec) || ++ copy_in_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) || ++ assign_in_user(&up->sequence, &kp->sequence) || ++ assign_in_user(&up->reserved2, &kp->reserved2) || ++ assign_in_user(&up->reserved, &kp->reserved) || ++ get_user(length, &kp->length) || ++ put_user(length, &up->length)) ++ return -EFAULT; ++ ++ if (V4L2_TYPE_IS_MULTIPLANAR(type)) { ++ u32 num_planes = length; + +- if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { +- num_planes = kp->length; + if (num_planes == 0) + return 0; + +- uplane = (__force struct v4l2_plane __user *)kp->m.planes; ++ if (get_user(uplane, ((__force struct v4l2_plane __user **)&kp->m.planes))) ++ return -EFAULT; + if (get_user(p, &up->m.planes)) + return -EFAULT; + uplane32 = compat_ptr(p); + +- while (--num_planes >= 0) { +- ret = put_v4l2_plane32(uplane, uplane32, kp->memory); ++ while (num_planes--) { ++ ret = put_v4l2_plane32(uplane, uplane32, memory); + if (ret) + return ret; + ++uplane; + ++uplane32; + } + } else { +- switch (kp->memory) { ++ switch (memory) { + case V4L2_MEMORY_MMAP: +- if (put_user(kp->m.offset, &up->m.offset)) ++ case V4L2_MEMORY_OVERLAY: ++ if (assign_in_user(&up->m.offset, &kp->m.offset)) + return -EFAULT; + break; + case V4L2_MEMORY_USERPTR: +- if (put_user(kp->m.userptr, &up->m.userptr)) +- return -EFAULT; +- break; +- case V4L2_MEMORY_OVERLAY: +- if (put_user(kp->m.offset, &up->m.offset)) ++ if (assign_in_user(&up->m.userptr, &kp->m.userptr)) + return -EFAULT; + break; + case V4L2_MEMORY_DMABUF: +- if (put_user(kp->m.fd, &up->m.fd)) ++ if (assign_in_user(&up->m.fd, &kp->m.fd)) + return -EFAULT; + break; + } +@@ -537,7 +637,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + struct v4l2_framebuffer32 { + __u32 capability; + __u32 flags; +- compat_caddr_t base; ++ compat_caddr_t base; + struct { + __u32 width; + __u32 height; +@@ -550,30 +650,33 @@ struct v4l2_framebuffer32 { + } fmt; + }; + +-static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up) ++static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp, ++ struct v4l2_framebuffer32 __user *up) + { +- u32 tmp; +- +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) || +- get_user(tmp, &up->base) || +- get_user(kp->capability, &up->capability) || +- get_user(kp->flags, &up->flags) || +- copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt))) +- return -EFAULT; +- kp->base = (__force void *)compat_ptr(tmp); ++ compat_caddr_t tmp; ++ ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ get_user(tmp, &up->base) || ++ put_user((__force void *)compat_ptr(tmp), &kp->base) || ++ assign_in_user(&kp->capability, &up->capability) || ++ assign_in_user(&kp->flags, &up->flags) || ++ copy_in_user(&kp->fmt, &up->fmt, sizeof(kp->fmt))) ++ return -EFAULT; + return 0; + } + +-static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up) ++static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp, ++ struct v4l2_framebuffer32 __user *up) + { +- u32 tmp = (u32)((unsigned long)kp->base); +- +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) || +- put_user(tmp, &up->base) || +- put_user(kp->capability, &up->capability) || +- put_user(kp->flags, &up->flags) || +- copy_to_user(&up->fmt, &kp->fmt, sizeof(up->fmt))) +- return -EFAULT; ++ void *base; ++ ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ get_user(base, &kp->base) || ++ put_user(ptr_to_compat(base), &up->base) || ++ assign_in_user(&up->capability, &kp->capability) || ++ assign_in_user(&up->flags, &kp->flags) || ++ copy_in_user(&up->fmt, &kp->fmt, sizeof(kp->fmt))) ++ return -EFAULT; + return 0; + } + +@@ -585,31 +688,36 @@ struct v4l2_input32 { + __u32 tuner; /* Associated tuner */ + v4l2_std_id std; + __u32 status; +- __u32 reserved[4]; +-} __attribute__ ((packed)); ++ __u32 capabilities; ++ __u32 reserved[3]; ++}; + +-/* The 64-bit v4l2_input struct has extra padding at the end of the struct. +- Otherwise it is identical to the 32-bit version. */ +-static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up) ++/* ++ * The 64-bit v4l2_input struct has extra padding at the end of the struct. ++ * Otherwise it is identical to the 32-bit version. ++ */ ++static inline int get_v4l2_input32(struct v4l2_input __user *kp, ++ struct v4l2_input32 __user *up) + { +- if (copy_from_user(kp, up, sizeof(struct v4l2_input32))) ++ if (copy_in_user(kp, up, sizeof(*up))) + return -EFAULT; + return 0; + } + +-static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up) ++static inline int put_v4l2_input32(struct v4l2_input __user *kp, ++ struct v4l2_input32 __user *up) + { +- if (copy_to_user(up, kp, sizeof(struct v4l2_input32))) ++ if (copy_in_user(up, kp, sizeof(*up))) + return -EFAULT; + return 0; + } + + struct v4l2_ext_controls32 { +- __u32 ctrl_class; +- __u32 count; +- __u32 error_idx; +- __u32 reserved[2]; +- compat_caddr_t controls; /* actually struct v4l2_ext_control32 * */ ++ __u32 ctrl_class; ++ __u32 count; ++ __u32 error_idx; ++ __u32 reserved[2]; ++ compat_caddr_t controls; /* actually struct v4l2_ext_control32 * */ + }; + + struct v4l2_ext_control32 { +@@ -623,57 +731,95 @@ struct v4l2_ext_control32 { + }; + } __attribute__ ((packed)); + +-/* The following function really belong in v4l2-common, but that causes +- a circular dependency between modules. We need to think about this, but +- for now this will do. */ +- +-/* Return non-zero if this control is a pointer type. Currently only +- type STRING is a pointer type. */ +-static inline int ctrl_is_pointer(u32 id) ++/* Return true if this control is a pointer type. */ ++static inline bool ctrl_is_pointer(struct file *file, u32 id) + { +- switch (id) { +- case V4L2_CID_RDS_TX_PS_NAME: +- case V4L2_CID_RDS_TX_RADIO_TEXT: +- return 1; +- default: +- return 0; ++ struct video_device *vdev = video_devdata(file); ++ struct v4l2_fh *fh = NULL; ++ struct v4l2_ctrl_handler *hdl = NULL; ++ struct v4l2_query_ext_ctrl qec = { id }; ++ const struct v4l2_ioctl_ops *ops = vdev->ioctl_ops; ++ ++ if (test_bit(V4L2_FL_USES_V4L2_FH, &vdev->flags)) ++ fh = file->private_data; ++ ++ if (fh && fh->ctrl_handler) ++ hdl = fh->ctrl_handler; ++ else if (vdev->ctrl_handler) ++ hdl = vdev->ctrl_handler; ++ ++ if (hdl) { ++ struct v4l2_ctrl *ctrl = v4l2_ctrl_find(hdl, id); ++ ++ return ctrl && ctrl->is_ptr; + } ++ ++ if (!ops || !ops->vidioc_query_ext_ctrl) ++ return false; ++ ++ return !ops->vidioc_query_ext_ctrl(file, fh, &qec) && ++ (qec.flags & V4L2_CTRL_FLAG_HAS_PAYLOAD); ++} ++ ++static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *up, ++ u32 *size) ++{ ++ u32 count; ++ ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ get_user(count, &up->count)) ++ return -EFAULT; ++ if (count > V4L2_CID_MAX_CTRLS) ++ return -EINVAL; ++ *size = count * sizeof(struct v4l2_ext_control); ++ return 0; + } + +-static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up) ++static int get_v4l2_ext_controls32(struct file *file, ++ struct v4l2_ext_controls __user *kp, ++ struct v4l2_ext_controls32 __user *up, ++ void __user *aux_buf, u32 aux_space) + { + struct v4l2_ext_control32 __user *ucontrols; + struct v4l2_ext_control __user *kcontrols; +- int n; ++ u32 count; ++ u32 n; + compat_caddr_t p; + +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_ext_controls32)) || +- get_user(kp->ctrl_class, &up->ctrl_class) || +- get_user(kp->count, &up->count) || +- get_user(kp->error_idx, &up->error_idx) || +- copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved))) +- return -EFAULT; +- n = kp->count; +- if (n == 0) { +- kp->controls = NULL; +- return 0; +- } ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ assign_in_user(&kp->ctrl_class, &up->ctrl_class) || ++ get_user(count, &up->count) || ++ put_user(count, &kp->count) || ++ assign_in_user(&kp->error_idx, &up->error_idx) || ++ copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved))) ++ return -EFAULT; ++ ++ if (count == 0) ++ return put_user(NULL, &kp->controls); ++ if (count > V4L2_CID_MAX_CTRLS) ++ return -EINVAL; + if (get_user(p, &up->controls)) + return -EFAULT; + ucontrols = compat_ptr(p); +- if (!access_ok(VERIFY_READ, ucontrols, +- n * sizeof(struct v4l2_ext_control32))) ++ if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols))) + return -EFAULT; +- kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control)); +- kp->controls = (__force struct v4l2_ext_control *)kcontrols; +- while (--n >= 0) { ++ if (aux_space < count * sizeof(*kcontrols)) ++ return -EFAULT; ++ kcontrols = aux_buf; ++ if (put_user((__force struct v4l2_ext_control *)kcontrols, ++ &kp->controls)) ++ return -EFAULT; ++ ++ for (n = 0; n < count; n++) { + u32 id; + + if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols))) + return -EFAULT; ++ + if (get_user(id, &kcontrols->id)) + return -EFAULT; +- if (ctrl_is_pointer(id)) { ++ ++ if (ctrl_is_pointer(file, id)) { + void __user *s; + + if (get_user(p, &ucontrols->string)) +@@ -688,43 +834,55 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext + return 0; + } + +-static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up) ++static int put_v4l2_ext_controls32(struct file *file, ++ struct v4l2_ext_controls __user *kp, ++ struct v4l2_ext_controls32 __user *up) + { + struct v4l2_ext_control32 __user *ucontrols; +- struct v4l2_ext_control __user *kcontrols = +- (__force struct v4l2_ext_control __user *)kp->controls; +- int n = kp->count; ++ struct v4l2_ext_control __user *kcontrols; ++ u32 count; ++ u32 n; + compat_caddr_t p; + +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_ext_controls32)) || +- put_user(kp->ctrl_class, &up->ctrl_class) || +- put_user(kp->count, &up->count) || +- put_user(kp->error_idx, &up->error_idx) || +- copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved))) +- return -EFAULT; +- if (!kp->count) +- return 0; ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ assign_in_user(&up->ctrl_class, &kp->ctrl_class) || ++ get_user(count, &kp->count) || ++ put_user(count, &up->count) || ++ assign_in_user(&up->error_idx, &kp->error_idx) || ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)) || ++ get_user(kcontrols, &kp->controls)) ++ return -EFAULT; + ++ if (!count) ++ return 0; + if (get_user(p, &up->controls)) + return -EFAULT; + ucontrols = compat_ptr(p); +- if (!access_ok(VERIFY_WRITE, ucontrols, +- n * sizeof(struct v4l2_ext_control32))) ++ if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols))) + return -EFAULT; + +- while (--n >= 0) { +- unsigned size = sizeof(*ucontrols); ++ for (n = 0; n < count; n++) { ++ unsigned int size = sizeof(*ucontrols); + u32 id; + +- if (get_user(id, &kcontrols->id)) ++ if (get_user(id, &kcontrols->id) || ++ put_user(id, &ucontrols->id) || ++ assign_in_user(&ucontrols->size, &kcontrols->size) || ++ copy_in_user(&ucontrols->reserved2, &kcontrols->reserved2, ++ sizeof(ucontrols->reserved2))) + return -EFAULT; +- /* Do not modify the pointer when copying a pointer control. +- The contents of the pointer was changed, not the pointer +- itself. */ +- if (ctrl_is_pointer(id)) ++ ++ /* ++ * Do not modify the pointer when copying a pointer control. ++ * The contents of the pointer was changed, not the pointer ++ * itself. ++ */ ++ if (ctrl_is_pointer(file, id)) + size -= sizeof(ucontrols->value64); ++ + if (copy_in_user(ucontrols, kcontrols, size)) + return -EFAULT; ++ + ucontrols++; + kcontrols++; + } +@@ -743,18 +901,19 @@ struct v4l2_event32 { + __u32 reserved[8]; + }; + +-static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up) ++static int put_v4l2_event32(struct v4l2_event __user *kp, ++ struct v4l2_event32 __user *up) + { +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_event32)) || +- put_user(kp->type, &up->type) || +- copy_to_user(&up->u, &kp->u, sizeof(kp->u)) || +- put_user(kp->pending, &up->pending) || +- put_user(kp->sequence, &up->sequence) || +- put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || +- put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) || +- put_user(kp->id, &up->id) || +- copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32))) +- return -EFAULT; ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ assign_in_user(&up->type, &kp->type) || ++ copy_in_user(&up->u, &kp->u, sizeof(kp->u)) || ++ assign_in_user(&up->pending, &kp->pending) || ++ assign_in_user(&up->sequence, &kp->sequence) || ++ assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) || ++ assign_in_user(&up->timestamp.tv_nsec, &kp->timestamp.tv_nsec) || ++ assign_in_user(&up->id, &kp->id) || ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved))) ++ return -EFAULT; + return 0; + } + +@@ -766,32 +925,35 @@ struct v4l2_edid32 { + compat_caddr_t edid; + }; + +-static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up) ++static int get_v4l2_edid32(struct v4l2_edid __user *kp, ++ struct v4l2_edid32 __user *up) + { +- u32 tmp; +- +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_edid32)) || +- get_user(kp->pad, &up->pad) || +- get_user(kp->start_block, &up->start_block) || +- get_user(kp->blocks, &up->blocks) || +- get_user(tmp, &up->edid) || +- copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved))) +- return -EFAULT; +- kp->edid = (__force u8 *)compat_ptr(tmp); ++ compat_uptr_t tmp; ++ ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) || ++ assign_in_user(&kp->pad, &up->pad) || ++ assign_in_user(&kp->start_block, &up->start_block) || ++ assign_in_user(&kp->blocks, &up->blocks) || ++ get_user(tmp, &up->edid) || ++ put_user(compat_ptr(tmp), &kp->edid) || ++ copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved))) ++ return -EFAULT; + return 0; + } + +-static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up) ++static int put_v4l2_edid32(struct v4l2_edid __user *kp, ++ struct v4l2_edid32 __user *up) + { +- u32 tmp = (u32)((unsigned long)kp->edid); +- +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_edid32)) || +- put_user(kp->pad, &up->pad) || +- put_user(kp->start_block, &up->start_block) || +- put_user(kp->blocks, &up->blocks) || +- put_user(tmp, &up->edid) || +- copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved))) +- return -EFAULT; ++ void *edid; ++ ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || ++ assign_in_user(&up->pad, &kp->pad) || ++ assign_in_user(&up->start_block, &kp->start_block) || ++ assign_in_user(&up->blocks, &kp->blocks) || ++ get_user(edid, &kp->edid) || ++ put_user(ptr_to_compat(edid), &up->edid) || ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved))) ++ return -EFAULT; + return 0; + } + +@@ -807,7 +969,7 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up) + #define VIDIOC_ENUMINPUT32 _IOWR('V', 26, struct v4l2_input32) + #define VIDIOC_G_EDID32 _IOWR('V', 40, struct v4l2_edid32) + #define VIDIOC_S_EDID32 _IOWR('V', 41, struct v4l2_edid32) +-#define VIDIOC_TRY_FMT32 _IOWR('V', 64, struct v4l2_format32) ++#define VIDIOC_TRY_FMT32 _IOWR('V', 64, struct v4l2_format32) + #define VIDIOC_G_EXT_CTRLS32 _IOWR('V', 71, struct v4l2_ext_controls32) + #define VIDIOC_S_EXT_CTRLS32 _IOWR('V', 72, struct v4l2_ext_controls32) + #define VIDIOC_TRY_EXT_CTRLS32 _IOWR('V', 73, struct v4l2_ext_controls32) +@@ -823,22 +985,23 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up) + #define VIDIOC_G_OUTPUT32 _IOR ('V', 46, s32) + #define VIDIOC_S_OUTPUT32 _IOWR('V', 47, s32) + ++static int alloc_userspace(unsigned int size, u32 aux_space, ++ void __user **up_native) ++{ ++ *up_native = compat_alloc_user_space(size + aux_space); ++ if (!*up_native) ++ return -ENOMEM; ++ if (clear_user(*up_native, size)) ++ return -EFAULT; ++ return 0; ++} ++ + static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { +- union { +- struct v4l2_format v2f; +- struct v4l2_buffer v2b; +- struct v4l2_framebuffer v2fb; +- struct v4l2_input v2i; +- struct v4l2_standard v2s; +- struct v4l2_ext_controls v2ecs; +- struct v4l2_event v2ev; +- struct v4l2_create_buffers v2crt; +- struct v4l2_edid v2edid; +- unsigned long vx; +- int vi; +- } karg; + void __user *up = compat_ptr(arg); ++ void __user *up_native = NULL; ++ void __user *aux_buf; ++ u32 aux_space; + int compatible_arg = 1; + long err = 0; + +@@ -877,30 +1040,52 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar + case VIDIOC_STREAMOFF: + case VIDIOC_S_INPUT: + case VIDIOC_S_OUTPUT: +- err = get_user(karg.vi, (s32 __user *)up); ++ err = alloc_userspace(sizeof(unsigned int), 0, &up_native); ++ if (!err && assign_in_user((unsigned int __user *)up_native, ++ (compat_uint_t __user *)up)) ++ err = -EFAULT; + compatible_arg = 0; + break; + + case VIDIOC_G_INPUT: + case VIDIOC_G_OUTPUT: ++ err = alloc_userspace(sizeof(unsigned int), 0, &up_native); + compatible_arg = 0; + break; + + case VIDIOC_G_EDID: + case VIDIOC_S_EDID: +- err = get_v4l2_edid32(&karg.v2edid, up); ++ err = alloc_userspace(sizeof(struct v4l2_edid), 0, &up_native); ++ if (!err) ++ err = get_v4l2_edid32(up_native, up); + compatible_arg = 0; + break; + + case VIDIOC_G_FMT: + case VIDIOC_S_FMT: + case VIDIOC_TRY_FMT: +- err = get_v4l2_format32(&karg.v2f, up); ++ err = bufsize_v4l2_format(up, &aux_space); ++ if (!err) ++ err = alloc_userspace(sizeof(struct v4l2_format), ++ aux_space, &up_native); ++ if (!err) { ++ aux_buf = up_native + sizeof(struct v4l2_format); ++ err = get_v4l2_format32(up_native, up, ++ aux_buf, aux_space); ++ } + compatible_arg = 0; + break; + + case VIDIOC_CREATE_BUFS: +- err = get_v4l2_create32(&karg.v2crt, up); ++ err = bufsize_v4l2_create(up, &aux_space); ++ if (!err) ++ err = alloc_userspace(sizeof(struct v4l2_create_buffers), ++ aux_space, &up_native); ++ if (!err) { ++ aux_buf = up_native + sizeof(struct v4l2_create_buffers); ++ err = get_v4l2_create32(up_native, up, ++ aux_buf, aux_space); ++ } + compatible_arg = 0; + break; + +@@ -908,36 +1093,63 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar + case VIDIOC_QUERYBUF: + case VIDIOC_QBUF: + case VIDIOC_DQBUF: +- err = get_v4l2_buffer32(&karg.v2b, up); ++ err = bufsize_v4l2_buffer(up, &aux_space); ++ if (!err) ++ err = alloc_userspace(sizeof(struct v4l2_buffer), ++ aux_space, &up_native); ++ if (!err) { ++ aux_buf = up_native + sizeof(struct v4l2_buffer); ++ err = get_v4l2_buffer32(up_native, up, ++ aux_buf, aux_space); ++ } + compatible_arg = 0; + break; + + case VIDIOC_S_FBUF: +- err = get_v4l2_framebuffer32(&karg.v2fb, up); ++ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0, ++ &up_native); ++ if (!err) ++ err = get_v4l2_framebuffer32(up_native, up); + compatible_arg = 0; + break; + + case VIDIOC_G_FBUF: ++ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0, ++ &up_native); + compatible_arg = 0; + break; + + case VIDIOC_ENUMSTD: +- err = get_v4l2_standard32(&karg.v2s, up); ++ err = alloc_userspace(sizeof(struct v4l2_standard), 0, ++ &up_native); ++ if (!err) ++ err = get_v4l2_standard32(up_native, up); + compatible_arg = 0; + break; + + case VIDIOC_ENUMINPUT: +- err = get_v4l2_input32(&karg.v2i, up); ++ err = alloc_userspace(sizeof(struct v4l2_input), 0, &up_native); ++ if (!err) ++ err = get_v4l2_input32(up_native, up); + compatible_arg = 0; + break; + + case VIDIOC_G_EXT_CTRLS: + case VIDIOC_S_EXT_CTRLS: + case VIDIOC_TRY_EXT_CTRLS: +- err = get_v4l2_ext_controls32(&karg.v2ecs, up); ++ err = bufsize_v4l2_ext_controls(up, &aux_space); ++ if (!err) ++ err = alloc_userspace(sizeof(struct v4l2_ext_controls), ++ aux_space, &up_native); ++ if (!err) { ++ aux_buf = up_native + sizeof(struct v4l2_ext_controls); ++ err = get_v4l2_ext_controls32(file, up_native, up, ++ aux_buf, aux_space); ++ } + compatible_arg = 0; + break; + case VIDIOC_DQEVENT: ++ err = alloc_userspace(sizeof(struct v4l2_event), 0, &up_native); + compatible_arg = 0; + break; + } +@@ -946,22 +1158,26 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar + + if (compatible_arg) + err = native_ioctl(file, cmd, (unsigned long)up); +- else { +- mm_segment_t old_fs = get_fs(); ++ else ++ err = native_ioctl(file, cmd, (unsigned long)up_native); + +- set_fs(KERNEL_DS); +- err = native_ioctl(file, cmd, (unsigned long)&karg); +- set_fs(old_fs); +- } ++ if (err == -ENOTTY) ++ return err; + +- /* Special case: even after an error we need to put the +- results back for these ioctls since the error_idx will +- contain information on which control failed. */ ++ /* ++ * Special case: even after an error we need to put the ++ * results back for these ioctls since the error_idx will ++ * contain information on which control failed. ++ */ + switch (cmd) { + case VIDIOC_G_EXT_CTRLS: + case VIDIOC_S_EXT_CTRLS: + case VIDIOC_TRY_EXT_CTRLS: +- if (put_v4l2_ext_controls32(&karg.v2ecs, up)) ++ if (put_v4l2_ext_controls32(file, up_native, up)) ++ err = -EFAULT; ++ break; ++ case VIDIOC_S_EDID: ++ if (put_v4l2_edid32(up_native, up)) + err = -EFAULT; + break; + } +@@ -973,44 +1189,46 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar + case VIDIOC_S_OUTPUT: + case VIDIOC_G_INPUT: + case VIDIOC_G_OUTPUT: +- err = put_user(((s32)karg.vi), (s32 __user *)up); ++ if (assign_in_user((compat_uint_t __user *)up, ++ ((unsigned int __user *)up_native))) ++ err = -EFAULT; + break; + + case VIDIOC_G_FBUF: +- err = put_v4l2_framebuffer32(&karg.v2fb, up); ++ err = put_v4l2_framebuffer32(up_native, up); + break; + + case VIDIOC_DQEVENT: +- err = put_v4l2_event32(&karg.v2ev, up); ++ err = put_v4l2_event32(up_native, up); + break; + + case VIDIOC_G_EDID: +- case VIDIOC_S_EDID: +- err = put_v4l2_edid32(&karg.v2edid, up); ++ err = put_v4l2_edid32(up_native, up); + break; + + case VIDIOC_G_FMT: + case VIDIOC_S_FMT: + case VIDIOC_TRY_FMT: +- err = put_v4l2_format32(&karg.v2f, up); ++ err = put_v4l2_format32(up_native, up); + break; + + case VIDIOC_CREATE_BUFS: +- err = put_v4l2_create32(&karg.v2crt, up); ++ err = put_v4l2_create32(up_native, up); + break; + ++ case VIDIOC_PREPARE_BUF: + case VIDIOC_QUERYBUF: + case VIDIOC_QBUF: + case VIDIOC_DQBUF: +- err = put_v4l2_buffer32(&karg.v2b, up); ++ err = put_v4l2_buffer32(up_native, up); + break; + + case VIDIOC_ENUMSTD: +- err = put_v4l2_standard32(&karg.v2s, up); ++ err = put_v4l2_standard32(up_native, up); + break; + + case VIDIOC_ENUMINPUT: +- err = put_v4l2_input32(&karg.v2i, up); ++ err = put_v4l2_input32(up_native, up); + break; + } + return err; +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index aa407cb5f830..7004477e7ffc 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -2552,8 +2552,11 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg, + + /* Handles IOCTL */ + err = func(file, cmd, parg); +- if (err == -ENOIOCTLCMD) ++ if (err == -ENOTTY || err == -ENOIOCTLCMD) { + err = -ENOTTY; ++ goto out; ++ } ++ + if (err == 0) { + if (cmd == VIDIOC_DQBUF) + trace_v4l2_dqbuf(video_devdata(file)->minor, parg); +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c +index fd9b252e2b34..079ee4ae9436 100644 +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -2119,6 +2119,11 @@ static int vb2_internal_dqbuf(struct vb2_queue *q, struct v4l2_buffer *b, bool n + dprintk(1, "dqbuf of buffer %d, with state %d\n", + vb->v4l2_buf.index, vb->state); + ++ /* ++ * After calling the VIDIOC_DQBUF V4L2_BUF_FLAG_DONE must be ++ * cleared. ++ */ ++ b->flags &= ~V4L2_BUF_FLAG_DONE; + return 0; + } + +diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c +index 187f83629f7e..b1c5f02c3cab 100644 +--- a/drivers/message/fusion/mptbase.c ++++ b/drivers/message/fusion/mptbase.c +@@ -6872,6 +6872,7 @@ mpt_print_ioc_summary(MPT_ADAPTER *ioc, char *buffer, int *size, int len, int sh + *size = y; + } + ++#ifdef CONFIG_PROC_FS + static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int showlan) + { + char expVer[32]; +@@ -6903,6 +6904,7 @@ static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int + + seq_putc(m, '\n'); + } ++#endif + + /** + * mpt_set_taskmgmt_in_progress_flag - set flags associated with task management +diff --git a/drivers/mfd/twl4030-audio.c b/drivers/mfd/twl4030-audio.c +index 0a1606480023..cc832d309599 100644 +--- a/drivers/mfd/twl4030-audio.c ++++ b/drivers/mfd/twl4030-audio.c +@@ -159,13 +159,18 @@ unsigned int twl4030_audio_get_mclk(void) + EXPORT_SYMBOL_GPL(twl4030_audio_get_mclk); + + static bool twl4030_audio_has_codec(struct twl4030_audio_data *pdata, +- struct device_node *node) ++ struct device_node *parent) + { ++ struct device_node *node; ++ + if (pdata && pdata->codec) + return true; + +- if (of_find_node_by_name(node, "codec")) ++ node = of_get_child_by_name(parent, "codec"); ++ if (node) { ++ of_node_put(node); + return true; ++ } + + return false; + } +diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c +index 6aacd205a774..aec1ab253f7f 100644 +--- a/drivers/mfd/twl6040.c ++++ b/drivers/mfd/twl6040.c +@@ -97,12 +97,16 @@ static struct reg_default twl6040_patch[] = { + }; + + +-static bool twl6040_has_vibra(struct device_node *node) ++static bool twl6040_has_vibra(struct device_node *parent) + { +-#ifdef CONFIG_OF +- if (of_find_node_by_name(node, "vibra")) ++ struct device_node *node; ++ ++ node = of_get_child_by_name(parent, "vibra"); ++ if (node) { ++ of_node_put(node); + return true; +-#endif ++ } ++ + return false; + } + +diff --git a/drivers/mtd/chips/Kconfig b/drivers/mtd/chips/Kconfig +index 6bc1f94333a5..e956231de30f 100644 +--- a/drivers/mtd/chips/Kconfig ++++ b/drivers/mtd/chips/Kconfig +@@ -66,6 +66,10 @@ endchoice + config MTD_CFI_GEOMETRY + bool "Specific CFI Flash geometry selection" + depends on MTD_CFI_ADV_OPTIONS ++ select MTD_MAP_BANK_WIDTH_1 if !(MTD_MAP_BANK_WIDTH_2 || \ ++ MTD_MAP_BANK_WIDTH_4 || MTD_MAP_BANK_WIDTH_8 || \ ++ MTD_MAP_BANK_WIDTH_16 || MTD_MAP_BANK_WIDTH_32) ++ select MTD_CFI_I1 if !(MTD_CFI_I2 || MTD_CFI_I4 || MTD_CFI_I8) + help + This option does not affect the code directly, but will enable + some other configuration options which would allow you to reduce +diff --git a/drivers/mtd/maps/ck804xrom.c b/drivers/mtd/maps/ck804xrom.c +index 0455166f05fa..4f206a99164c 100644 +--- a/drivers/mtd/maps/ck804xrom.c ++++ b/drivers/mtd/maps/ck804xrom.c +@@ -112,8 +112,8 @@ static void ck804xrom_cleanup(struct ck804xrom_window *window) + } + + +-static int ck804xrom_init_one(struct pci_dev *pdev, +- const struct pci_device_id *ent) ++static int __init ck804xrom_init_one(struct pci_dev *pdev, ++ const struct pci_device_id *ent) + { + static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL }; + u8 byte; +diff --git a/drivers/mtd/maps/esb2rom.c b/drivers/mtd/maps/esb2rom.c +index f784cf0caa13..a47b374b1b0c 100644 +--- a/drivers/mtd/maps/esb2rom.c ++++ b/drivers/mtd/maps/esb2rom.c +@@ -144,8 +144,8 @@ static void esb2rom_cleanup(struct esb2rom_window *window) + pci_dev_put(window->pdev); + } + +-static int esb2rom_init_one(struct pci_dev *pdev, +- const struct pci_device_id *ent) ++static int __init esb2rom_init_one(struct pci_dev *pdev, ++ const struct pci_device_id *ent) + { + static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL }; + struct esb2rom_window *window = &esb2rom_window; +diff --git a/drivers/mtd/maps/ichxrom.c b/drivers/mtd/maps/ichxrom.c +index c7478e18f485..aa83e7b87cfe 100644 +--- a/drivers/mtd/maps/ichxrom.c ++++ b/drivers/mtd/maps/ichxrom.c +@@ -57,10 +57,12 @@ static void ichxrom_cleanup(struct ichxrom_window *window) + { + struct ichxrom_map_info *map, *scratch; + u16 word; ++ int ret; + + /* Disable writes through the rom window */ +- pci_read_config_word(window->pdev, BIOS_CNTL, &word); +- pci_write_config_word(window->pdev, BIOS_CNTL, word & ~1); ++ ret = pci_read_config_word(window->pdev, BIOS_CNTL, &word); ++ if (!ret) ++ pci_write_config_word(window->pdev, BIOS_CNTL, word & ~1); + pci_dev_put(window->pdev); + + /* Free all of the mtd devices */ +@@ -84,8 +86,8 @@ static void ichxrom_cleanup(struct ichxrom_window *window) + } + + +-static int ichxrom_init_one(struct pci_dev *pdev, +- const struct pci_device_id *ent) ++static int __init ichxrom_init_one(struct pci_dev *pdev, ++ const struct pci_device_id *ent) + { + static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL }; + struct ichxrom_window *window = &ichxrom_window; +diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c +index f84113fc7cb7..14a5f559e300 100644 +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -1889,6 +1889,7 @@ static int nand_write_oob_syndrome(struct mtd_info *mtd, + static int nand_do_read_oob(struct mtd_info *mtd, loff_t from, + struct mtd_oob_ops *ops) + { ++ unsigned int max_bitflips = 0; + int page, realpage, chipnr; + struct nand_chip *chip = mtd->priv; + struct mtd_ecc_stats stats; +@@ -1949,6 +1950,8 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from, + nand_wait_ready(mtd); + } + ++ max_bitflips = max_t(unsigned int, max_bitflips, ret); ++ + readlen -= len; + if (!readlen) + break; +@@ -1974,7 +1977,7 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from, + if (mtd->ecc_stats.failed - stats.failed) + return -EBADMSG; + +- return mtd->ecc_stats.corrected - stats.corrected ? -EUCLEAN : 0; ++ return max_bitflips; + } + + /** +diff --git a/drivers/mtd/nand/sh_flctl.c b/drivers/mtd/nand/sh_flctl.c +index c3ce81c1a716..54cf6fce9877 100644 +--- a/drivers/mtd/nand/sh_flctl.c ++++ b/drivers/mtd/nand/sh_flctl.c +@@ -160,7 +160,7 @@ static void flctl_setup_dma(struct sh_flctl *flctl) + + memset(&cfg, 0, sizeof(cfg)); + cfg.direction = DMA_MEM_TO_DEV; +- cfg.dst_addr = (dma_addr_t)FLDTFIFO(flctl); ++ cfg.dst_addr = flctl->fifo; + cfg.src_addr = 0; + ret = dmaengine_slave_config(flctl->chan_fifo0_tx, &cfg); + if (ret < 0) +@@ -176,7 +176,7 @@ static void flctl_setup_dma(struct sh_flctl *flctl) + + cfg.direction = DMA_DEV_TO_MEM; + cfg.dst_addr = 0; +- cfg.src_addr = (dma_addr_t)FLDTFIFO(flctl); ++ cfg.src_addr = flctl->fifo; + ret = dmaengine_slave_config(flctl->chan_fifo0_rx, &cfg); + if (ret < 0) + goto err; +@@ -1095,6 +1095,7 @@ static int flctl_probe(struct platform_device *pdev) + flctl->reg = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(flctl->reg)) + return PTR_ERR(flctl->reg); ++ flctl->fifo = res->start + 0x24; /* FLDTFIFO */ + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +diff --git a/drivers/mtd/nand/sunxi_nand.c b/drivers/mtd/nand/sunxi_nand.c +index 499b8e433d3d..1c8fdc3cec93 100644 +--- a/drivers/mtd/nand/sunxi_nand.c ++++ b/drivers/mtd/nand/sunxi_nand.c +@@ -933,8 +933,14 @@ static int sunxi_nand_hw_common_ecc_ctrl_init(struct mtd_info *mtd, + + /* Add ECC info retrieval from DT */ + for (i = 0; i < ARRAY_SIZE(strengths); i++) { +- if (ecc->strength <= strengths[i]) ++ if (ecc->strength <= strengths[i]) { ++ /* ++ * Update ecc->strength value with the actual strength ++ * that will be used by the ECC engine. ++ */ ++ ecc->strength = strengths[i]; + break; ++ } + } + + if (i >= ARRAY_SIZE(strengths)) { +diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig +index df51d6025a90..0eeb248a287e 100644 +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -374,6 +374,9 @@ config XEN_NETDEV_BACKEND + config VMXNET3 + tristate "VMware VMXNET3 ethernet driver" + depends on PCI && INET ++ depends on !(PAGE_SIZE_64KB || ARM64_64K_PAGES || \ ++ IA64_PAGE_SIZE_64KB || MICROBLAZE_64K_PAGES || \ ++ PARISC_PAGE_SIZE_64KB || PPC_64K_PAGES) + help + This driver supports VMware's vmxnet3 virtual ethernet NIC. + To compile this driver as a module, choose M here: the +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index 3b850f390fd7..7e6f36a59f06 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -430,7 +430,7 @@ static int gs_usb_set_bittiming(struct net_device *netdev) + dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)", + rc); + +- return rc; ++ return (rc > 0) ? 0 : rc; + } + + static void gs_usb_xmit_callback(struct urb *urb) +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index ce44a033f63b..64cc86a82b2d 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -184,7 +184,7 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail) + void *cmd_head = pcan_usb_fd_cmd_buffer(dev); + int err = 0; + u8 *packet_ptr; +- int i, n = 1, packet_len; ++ int packet_len; + ptrdiff_t cmd_len; + + /* usb device unregistered? */ +@@ -201,17 +201,13 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail) + } + + packet_ptr = cmd_head; ++ packet_len = cmd_len; + + /* firmware is not able to re-assemble 512 bytes buffer in full-speed */ +- if ((dev->udev->speed != USB_SPEED_HIGH) && +- (cmd_len > PCAN_UFD_LOSPD_PKT_SIZE)) { +- packet_len = PCAN_UFD_LOSPD_PKT_SIZE; +- n += cmd_len / packet_len; +- } else { +- packet_len = cmd_len; +- } ++ if (unlikely(dev->udev->speed != USB_SPEED_HIGH)) ++ packet_len = min(packet_len, PCAN_UFD_LOSPD_PKT_SIZE); + +- for (i = 0; i < n; i++) { ++ do { + err = usb_bulk_msg(dev->udev, + usb_sndbulkpipe(dev->udev, + PCAN_USBPRO_EP_CMDOUT), +@@ -224,7 +220,12 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail) + } + + packet_ptr += packet_len; +- } ++ cmd_len -= packet_len; ++ ++ if (cmd_len < PCAN_UFD_LOSPD_PKT_SIZE) ++ packet_len = cmd_len; ++ ++ } while (packet_len > 0); + + return err; + } +diff --git a/drivers/net/ethernet/3com/3c509.c b/drivers/net/ethernet/3com/3c509.c +index 4547a1b8b958..7677c745fb30 100644 +--- a/drivers/net/ethernet/3com/3c509.c ++++ b/drivers/net/ethernet/3com/3c509.c +@@ -562,7 +562,7 @@ static void el3_common_remove (struct net_device *dev) + } + + #ifdef CONFIG_EISA +-static int __init el3_eisa_probe (struct device *device) ++static int el3_eisa_probe(struct device *device) + { + short i; + int ioaddr, irq, if_port; +diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c +index 41095ebad97f..8a876e97597c 100644 +--- a/drivers/net/ethernet/3com/3c59x.c ++++ b/drivers/net/ethernet/3com/3c59x.c +@@ -907,7 +907,7 @@ static struct eisa_device_id vortex_eisa_ids[] = { + }; + MODULE_DEVICE_TABLE(eisa, vortex_eisa_ids); + +-static int __init vortex_eisa_probe(struct device *device) ++static int vortex_eisa_probe(struct device *device) + { + void __iomem *ioaddr; + struct eisa_device *edev; +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +index 714905384900..5feddde71f18 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +@@ -553,7 +553,7 @@ static int xgbe_remove(struct platform_device *pdev) + return 0; + } + +-#ifdef CONFIG_PM ++#ifdef CONFIG_PM_SLEEP + static int xgbe_suspend(struct device *dev) + { + struct net_device *netdev = dev_get_drvdata(dev); +@@ -591,7 +591,7 @@ static int xgbe_resume(struct device *dev) + + return ret; + } +-#endif /* CONFIG_PM */ ++#endif /* CONFIG_PM_SLEEP */ + + #ifdef CONFIG_ACPI + static const struct acpi_device_id xgbe_acpi_match[] = { +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index f9713fe036ef..7b150085e34d 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -14228,7 +14228,9 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu) + /* Reset PHY, otherwise the read DMA engine will be in a mode that + * breaks all requests to 256 bytes. + */ +- if (tg3_asic_rev(tp) == ASIC_REV_57766) ++ if (tg3_asic_rev(tp) == ASIC_REV_57766 || ++ tg3_asic_rev(tp) == ASIC_REV_5717 || ++ tg3_asic_rev(tp) == ASIC_REV_5719) + reset_phy = true; + + err = tg3_restart_hw(tp, reset_phy); +diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c +index 68f3c13c9ef6..5be892ffdaed 100644 +--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c ++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c +@@ -1948,13 +1948,13 @@ static void + bfa_ioc_send_enable(struct bfa_ioc *ioc) + { + struct bfi_ioc_ctrl_req enable_req; +- struct timeval tv; + + bfi_h2i_set(enable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_ENABLE_REQ, + bfa_ioc_portid(ioc)); + enable_req.clscode = htons(ioc->clscode); +- do_gettimeofday(&tv); +- enable_req.tv_sec = ntohl(tv.tv_sec); ++ enable_req.rsvd = htons(0); ++ /* overflow in 2106 */ ++ enable_req.tv_sec = ntohl(ktime_get_real_seconds()); + bfa_ioc_mbox_send(ioc, &enable_req, sizeof(struct bfi_ioc_ctrl_req)); + } + +@@ -1965,6 +1965,10 @@ bfa_ioc_send_disable(struct bfa_ioc *ioc) + + bfi_h2i_set(disable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_DISABLE_REQ, + bfa_ioc_portid(ioc)); ++ disable_req.clscode = htons(ioc->clscode); ++ disable_req.rsvd = htons(0); ++ /* overflow in 2106 */ ++ disable_req.tv_sec = ntohl(ktime_get_real_seconds()); + bfa_ioc_mbox_send(ioc, &disable_req, sizeof(struct bfi_ioc_ctrl_req)); + } + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index badff181e719..37827819ae86 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -1990,7 +1990,7 @@ SetMulticastFilter(struct net_device *dev) + + static u_char de4x5_irq[] = EISA_ALLOWED_IRQ_LIST; + +-static int __init de4x5_eisa_probe (struct device *gendev) ++static int de4x5_eisa_probe(struct device *gendev) + { + struct eisa_device *edev; + u_long iobase; +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index 3ea651afa63d..6075ed694a6c 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -1413,9 +1413,11 @@ static int gfar_probe(struct platform_device *ofdev) + + gfar_init_addr_hash_table(priv); + +- /* Insert receive time stamps into padding alignment bytes */ ++ /* Insert receive time stamps into padding alignment bytes, and ++ * plus 2 bytes padding to ensure the cpu alignment. ++ */ + if (priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER) +- priv->padding = 8; ++ priv->padding = 8 + DEFAULT_PADDING; + + if (dev->features & NETIF_F_IP_CSUM || + priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER) +diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c +index ae6e30d39f0f..3daf2d4a7ca0 100644 +--- a/drivers/net/ethernet/hp/hp100.c ++++ b/drivers/net/ethernet/hp/hp100.c +@@ -194,7 +194,6 @@ static const char *hp100_isa_tbl[] = { + }; + #endif + +-#ifdef CONFIG_EISA + static struct eisa_device_id hp100_eisa_tbl[] = { + { "HWPF180" }, /* HP J2577 rev A */ + { "HWP1920" }, /* HP 27248B */ +@@ -205,9 +204,7 @@ static struct eisa_device_id hp100_eisa_tbl[] = { + { "" } /* Mandatory final entry ! */ + }; + MODULE_DEVICE_TABLE(eisa, hp100_eisa_tbl); +-#endif + +-#ifdef CONFIG_PCI + static const struct pci_device_id hp100_pci_tbl[] = { + {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_J2585A, PCI_ANY_ID, PCI_ANY_ID,}, + {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_J2585B, PCI_ANY_ID, PCI_ANY_ID,}, +@@ -219,7 +216,6 @@ static const struct pci_device_id hp100_pci_tbl[] = { + {} /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(pci, hp100_pci_tbl); +-#endif + + static int hp100_rx_ratio = HP100_DEFAULT_RX_RATIO; + static int hp100_priority_tx = HP100_DEFAULT_PRIORITY_TX; +@@ -2842,8 +2838,7 @@ static void cleanup_dev(struct net_device *d) + free_netdev(d); + } + +-#ifdef CONFIG_EISA +-static int __init hp100_eisa_probe (struct device *gendev) ++static int hp100_eisa_probe(struct device *gendev) + { + struct net_device *dev = alloc_etherdev(sizeof(struct hp100_private)); + struct eisa_device *edev = to_eisa_device(gendev); +@@ -2884,9 +2879,7 @@ static struct eisa_driver hp100_eisa_driver = { + .remove = hp100_eisa_remove, + } + }; +-#endif + +-#ifdef CONFIG_PCI + static int hp100_pci_probe(struct pci_dev *pdev, + const struct pci_device_id *ent) + { +@@ -2955,7 +2948,6 @@ static struct pci_driver hp100_pci_driver = { + .probe = hp100_pci_probe, + .remove = hp100_pci_remove, + }; +-#endif + + /* + * module section +@@ -3032,23 +3024,17 @@ static int __init hp100_module_init(void) + err = hp100_isa_init(); + if (err && err != -ENODEV) + goto out; +-#ifdef CONFIG_EISA + err = eisa_driver_register(&hp100_eisa_driver); + if (err && err != -ENODEV) + goto out2; +-#endif +-#ifdef CONFIG_PCI + err = pci_register_driver(&hp100_pci_driver); + if (err && err != -ENODEV) + goto out3; +-#endif + out: + return err; + out3: +-#ifdef CONFIG_EISA + eisa_driver_unregister (&hp100_eisa_driver); + out2: +-#endif + hp100_isa_cleanup(); + goto out; + } +@@ -3057,12 +3043,8 @@ static int __init hp100_module_init(void) + static void __exit hp100_module_exit(void) + { + hp100_isa_cleanup(); +-#ifdef CONFIG_EISA + eisa_driver_unregister (&hp100_eisa_driver); +-#endif +-#ifdef CONFIG_PCI + pci_unregister_driver (&hp100_pci_driver); +-#endif + } + + module_init(hp100_module_init) +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +index e2498dbf3c3b..5e63a8931f2e 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -1345,6 +1345,9 @@ out: + * Checks to see of the link status of the hardware has changed. If a + * change in link status has been detected, then we read the PHY registers + * to get the current speed/duplex if link exists. ++ * ++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link ++ * up). + **/ + static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) + { +@@ -1360,7 +1363,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) + * Change or Rx Sequence Error interrupt. + */ + if (!mac->get_link_status) +- return 0; ++ return 1; + + /* First we want to see if the MII Status Register reports + * link. If so, then we want to get the current speed/duplex +@@ -1519,10 +1522,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) + * different link partner. + */ + ret_val = e1000e_config_fc_after_link_up(hw); +- if (ret_val) ++ if (ret_val) { + e_dbg("Error configuring flow control\n"); ++ return ret_val; ++ } + +- return ret_val; ++ return 1; + } + + static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter) +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c +index 5b08e6284a3c..8d8fd5d49d60 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c +@@ -126,6 +126,9 @@ process_mbx: + struct fm10k_mbx_info *mbx = &vf_info->mbx; + u16 glort = vf_info->glort; + ++ /* process the SM mailbox first to drain outgoing messages */ ++ hw->mbx.ops.process(hw, &hw->mbx); ++ + /* verify port mapping is valid, if not reset port */ + if (vf_info->vf_flags && !fm10k_glort_valid_pf(hw, glort)) + hw->iov.ops.reset_lport(hw, vf_info); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 13e0cf90e567..042f3486f79a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -3894,8 +3894,12 @@ static void i40e_napi_enable_all(struct i40e_vsi *vsi) + if (!vsi->netdev) + return; + +- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) +- napi_enable(&vsi->q_vectors[q_idx]->napi); ++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) { ++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx]; ++ ++ if (q_vector->rx.ring || q_vector->tx.ring) ++ napi_enable(&q_vector->napi); ++ } + } + + /** +@@ -3909,8 +3913,12 @@ static void i40e_napi_disable_all(struct i40e_vsi *vsi) + if (!vsi->netdev) + return; + +- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) +- napi_disable(&vsi->q_vectors[q_idx]->napi); ++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) { ++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx]; ++ ++ if (q_vector->rx.ring || q_vector->tx.ring) ++ napi_disable(&q_vector->napi); ++ } + } + + /** +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 34f15f56b2a1..cfcafea9d2b6 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -2998,6 +2998,8 @@ static int igb_sw_init(struct igb_adapter *adapter) + /* Setup and initialize a copy of the hw vlan table array */ + adapter->shadow_vfta = kcalloc(E1000_VLAN_FILTER_TBL_SIZE, sizeof(u32), + GFP_ATOMIC); ++ if (!adapter->shadow_vfta) ++ return -ENOMEM; + + /* This call may decrease the number of queues */ + if (igb_init_interrupt_scheme(adapter, true)) { +@@ -3167,7 +3169,7 @@ static int __igb_close(struct net_device *netdev, bool suspending) + + static int igb_close(struct net_device *netdev) + { +- if (netif_device_present(netdev)) ++ if (netif_device_present(netdev) || netdev->dismantle) + return __igb_close(netdev, false); + return 0; + } +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +index 06d8f3cfa099..14f789e72c29 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +@@ -3609,10 +3609,10 @@ s32 ixgbe_set_fw_drv_ver_generic(struct ixgbe_hw *hw, u8 maj, u8 min, + fw_cmd.ver_build = build; + fw_cmd.ver_sub = sub; + fw_cmd.hdr.checksum = 0; +- fw_cmd.hdr.checksum = ixgbe_calculate_checksum((u8 *)&fw_cmd, +- (FW_CEM_HDR_LEN + fw_cmd.hdr.buf_len)); + fw_cmd.pad = 0; + fw_cmd.pad2 = 0; ++ fw_cmd.hdr.checksum = ixgbe_calculate_checksum((u8 *)&fw_cmd, ++ (FW_CEM_HDR_LEN + fw_cmd.hdr.buf_len)); + + for (i = 0; i <= FW_CEM_MAX_RETRIES; i++) { + ret_val = ixgbe_host_interface_command(hw, (u32 *)&fw_cmd, +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +index cf5cf819a6b8..0e1e63ee6c5e 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -224,6 +224,8 @@ static s32 ixgbe_read_ee_hostif_buffer_X550(struct ixgbe_hw *hw, + /* convert offset from words to bytes */ + buffer.address = cpu_to_be32((offset + current_word) * 2); + buffer.length = cpu_to_be16(words_to_read * 2); ++ buffer.pad2 = 0; ++ buffer.pad3 = 0; + + status = ixgbe_host_interface_command(hw, (u32 *)&buffer, + sizeof(buffer), +diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c +index fc2fb25343f4..c122b3b99cd8 100644 +--- a/drivers/net/ethernet/marvell/mvmdio.c ++++ b/drivers/net/ethernet/marvell/mvmdio.c +@@ -241,7 +241,8 @@ static int orion_mdio_probe(struct platform_device *pdev) + dev->regs + MVMDIO_ERR_INT_MASK); + + } else if (dev->err_interrupt == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto out_mdio; + } + + mutex_init(&dev->lock); +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 40161dacc9c7..744277984cb8 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -858,6 +858,10 @@ static void mvneta_port_disable(struct mvneta_port *pp) + val &= ~MVNETA_GMAC0_PORT_ENABLE; + mvreg_write(pp, MVNETA_GMAC_CTRL_0, val); + ++ pp->link = 0; ++ pp->duplex = -1; ++ pp->speed = 0; ++ + udelay(200); + } + +diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c +index 3e8b1bfb1f2e..eda6b0a2faf4 100644 +--- a/drivers/net/ethernet/marvell/mvpp2.c ++++ b/drivers/net/ethernet/marvell/mvpp2.c +@@ -5583,6 +5583,7 @@ static void mvpp2_set_rx_mode(struct net_device *dev) + int id = port->id; + bool allmulti = dev->flags & IFF_ALLMULTI; + ++retry: + mvpp2_prs_mac_promisc_set(priv, id, dev->flags & IFF_PROMISC); + mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_ALL, allmulti); + mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_IP6, allmulti); +@@ -5590,9 +5591,13 @@ static void mvpp2_set_rx_mode(struct net_device *dev) + /* Remove all port->id's mcast enries */ + mvpp2_prs_mcast_del_all(priv, id); + +- if (allmulti && !netdev_mc_empty(dev)) { +- netdev_for_each_mc_addr(ha, dev) +- mvpp2_prs_mac_da_accept(priv, id, ha->addr, true); ++ if (!allmulti) { ++ netdev_for_each_mc_addr(ha, dev) { ++ if (mvpp2_prs_mac_da_accept(priv, id, ha->addr, true)) { ++ allmulti = true; ++ goto retry; ++ } ++ } + } + } + +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c +index b75214a80d0e..eb1dcb7e9e96 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -280,6 +280,9 @@ void mlx4_qp_release_range(struct mlx4_dev *dev, int base_qpn, int cnt) + u64 in_param = 0; + int err; + ++ if (!cnt) ++ return; ++ + if (mlx4_is_mfunc(dev)) { + set_param_l(&in_param, base_qpn); + set_param_h(&in_param, cnt); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index dd618d7ed257..1c40c524f0c8 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -3825,7 +3825,7 @@ static void qlcnic_83xx_flush_mbx_queue(struct qlcnic_adapter *adapter) + struct list_head *head = &mbx->cmd_q; + struct qlcnic_cmd_args *cmd = NULL; + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + while (!list_empty(head)) { + cmd = list_entry(head->next, struct qlcnic_cmd_args, list); +@@ -3836,7 +3836,7 @@ static void qlcnic_83xx_flush_mbx_queue(struct qlcnic_adapter *adapter) + qlcnic_83xx_notify_cmd_completion(adapter, cmd); + } + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + } + + static int qlcnic_83xx_check_mbx_status(struct qlcnic_adapter *adapter) +@@ -3872,12 +3872,12 @@ static void qlcnic_83xx_dequeue_mbx_cmd(struct qlcnic_adapter *adapter, + { + struct qlcnic_mailbox *mbx = adapter->ahw->mailbox; + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + list_del(&cmd->list); + mbx->num_cmds--; + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + + qlcnic_83xx_notify_cmd_completion(adapter, cmd); + } +@@ -3942,7 +3942,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(struct qlcnic_adapter *adapter, + init_completion(&cmd->completion); + cmd->rsp_opcode = QLC_83XX_MBX_RESPONSE_UNKNOWN; + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + list_add_tail(&cmd->list, &mbx->cmd_q); + mbx->num_cmds++; +@@ -3950,7 +3950,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(struct qlcnic_adapter *adapter, + *timeout = cmd->total_cmds * QLC_83XX_MBX_TIMEOUT; + queue_work(mbx->work_q, &mbx->work); + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + + return 0; + } +@@ -4046,15 +4046,15 @@ static void qlcnic_83xx_mailbox_worker(struct work_struct *work) + mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT; + spin_unlock_irqrestore(&mbx->aen_lock, flags); + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + if (list_empty(head)) { +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + return; + } + cmd = list_entry(head->next, struct qlcnic_cmd_args, list); + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + + mbx_ops->encode_cmd(adapter, cmd); + mbx_ops->nofity_fw(adapter, QLC_83XX_MBX_REQUEST); +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index af4b1f4c24d2..8004de976890 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -1375,7 +1375,7 @@ DECLARE_RTL_COND(rtl_ocp_tx_cond) + { + void __iomem *ioaddr = tp->mmio_addr; + +- return RTL_R8(IBISR0) & 0x02; ++ return RTL_R8(IBISR0) & 0x20; + } + + static void rtl8168ep_stop_cmac(struct rtl8169_private *tp) +@@ -1383,7 +1383,7 @@ static void rtl8168ep_stop_cmac(struct rtl8169_private *tp) + void __iomem *ioaddr = tp->mmio_addr; + + RTL_W8(IBCR2, RTL_R8(IBCR2) & ~0x01); +- rtl_msleep_loop_wait_low(tp, &rtl_ocp_tx_cond, 50, 2000); ++ rtl_msleep_loop_wait_high(tp, &rtl_ocp_tx_cond, 50, 2000); + RTL_W8(IBISR0, RTL_R8(IBISR0) | 0x20); + RTL_W8(IBCR0, RTL_R8(IBCR0) & ~0x01); + } +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index e2dd94a91c15..0ae76e419482 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -3171,18 +3171,37 @@ static int sh_eth_drv_probe(struct platform_device *pdev) + /* ioremap the TSU registers */ + if (mdp->cd->tsu) { + struct resource *rtsu; ++ + rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1); +- mdp->tsu_addr = devm_ioremap_resource(&pdev->dev, rtsu); +- if (IS_ERR(mdp->tsu_addr)) { +- ret = PTR_ERR(mdp->tsu_addr); ++ if (!rtsu) { ++ dev_err(&pdev->dev, "no TSU resource\n"); ++ ret = -ENODEV; ++ goto out_release; ++ } ++ /* We can only request the TSU region for the first port ++ * of the two sharing this TSU for the probe to succeed... ++ */ ++ if (devno % 2 == 0 && ++ !devm_request_mem_region(&pdev->dev, rtsu->start, ++ resource_size(rtsu), ++ dev_name(&pdev->dev))) { ++ dev_err(&pdev->dev, "can't request TSU resource.\n"); ++ ret = -EBUSY; ++ goto out_release; ++ } ++ mdp->tsu_addr = devm_ioremap(&pdev->dev, rtsu->start, ++ resource_size(rtsu)); ++ if (!mdp->tsu_addr) { ++ dev_err(&pdev->dev, "TSU region ioremap() failed.\n"); ++ ret = -ENOMEM; + goto out_release; + } + mdp->port = devno % 2; + ndev->features = NETIF_F_HW_VLAN_CTAG_FILTER; + } + +- /* initialize first or needed device */ +- if (!devno || pd->needs_init) { ++ /* Need to init only the first port of the two sharing a TSU */ ++ if (devno % 2 == 0) { + if (mdp->cd->chip_reset) + mdp->cd->chip_reset(ndev); + +diff --git a/drivers/net/ethernet/ti/tlan.c b/drivers/net/ethernet/ti/tlan.c +index 691ec936e88d..a0f805142d42 100644 +--- a/drivers/net/ethernet/ti/tlan.c ++++ b/drivers/net/ethernet/ti/tlan.c +@@ -610,8 +610,8 @@ err_out_regions: + #ifdef CONFIG_PCI + if (pdev) + pci_release_regions(pdev); +-#endif + err_out: ++#endif + if (pdev) + pci_disable_device(pdev); + return rc; +diff --git a/drivers/net/ethernet/xilinx/Kconfig b/drivers/net/ethernet/xilinx/Kconfig +index 7b90a5eba099..9d6c252c1911 100644 +--- a/drivers/net/ethernet/xilinx/Kconfig ++++ b/drivers/net/ethernet/xilinx/Kconfig +@@ -36,6 +36,7 @@ config XILINX_AXI_EMAC + config XILINX_LL_TEMAC + tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver" + depends on (PPC || MICROBLAZE) ++ depends on !64BIT || BROKEN + select PHYLIB + ---help--- + This driver supports the Xilinx 10/100/1000 LocalLink TEMAC +diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c +index 95c0b45a68fb..313e006f74fe 100644 +--- a/drivers/net/hippi/rrunner.c ++++ b/drivers/net/hippi/rrunner.c +@@ -1381,8 +1381,8 @@ static int rr_close(struct net_device *dev) + rrpriv->info_dma); + rrpriv->info = NULL; + +- free_irq(pdev->irq, dev); + spin_unlock_irqrestore(&rrpriv->lock, flags); ++ free_irq(pdev->irq, dev); + + return 0; + } +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index c30b5c300c05..f3cd85ecd795 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -345,6 +345,7 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + .flowi4_oif = dev_get_iflink(dev), + .flowi4_tos = RT_TOS(ip4h->tos), + .flowi4_flags = FLOWI_FLAG_ANYSRC, ++ .flowi4_mark = skb->mark, + .daddr = ip4h->daddr, + .saddr = ip4h->saddr, + }; +diff --git a/drivers/net/irda/vlsi_ir.c b/drivers/net/irda/vlsi_ir.c +index a0849f49bbec..c0192f97ecc8 100644 +--- a/drivers/net/irda/vlsi_ir.c ++++ b/drivers/net/irda/vlsi_ir.c +@@ -418,8 +418,9 @@ static struct vlsi_ring *vlsi_alloc_ring(struct pci_dev *pdev, struct ring_descr + memset(rd, 0, sizeof(*rd)); + rd->hw = hwmap + i; + rd->buf = kmalloc(len, GFP_KERNEL|GFP_DMA); +- if (rd->buf == NULL || +- !(busaddr = pci_map_single(pdev, rd->buf, len, dir))) { ++ if (rd->buf) ++ busaddr = pci_map_single(pdev, rd->buf, len, dir); ++ if (rd->buf == NULL || pci_dma_mapping_error(pdev, busaddr)) { + if (rd->buf) { + net_err_ratelimited("%s: failed to create PCI-MAP for %p\n", + __func__, rd->buf); +@@ -430,8 +431,7 @@ static struct vlsi_ring *vlsi_alloc_ring(struct pci_dev *pdev, struct ring_descr + rd = r->rd + j; + busaddr = rd_get_addr(rd); + rd_set_addr_status(rd, 0, 0); +- if (busaddr) +- pci_unmap_single(pdev, busaddr, len, dir); ++ pci_unmap_single(pdev, busaddr, len, dir); + kfree(rd->buf); + rd->buf = NULL; + } +diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c +index fabf11d32d27..d4b8ea30cd9d 100644 +--- a/drivers/net/phy/at803x.c ++++ b/drivers/net/phy/at803x.c +@@ -105,7 +105,7 @@ static int at803x_set_wol(struct phy_device *phydev, + mac = (const u8 *) ndev->dev_addr; + + if (!is_valid_ether_addr(mac)) +- return -EFAULT; ++ return -EINVAL; + + for (i = 0; i < 3; i++) { + phy_write(phydev, AT803X_MMD_ACCESS_CONTROL, +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index d1c4bc1c4df0..31aa93907b77 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -860,6 +860,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m, + struct pppoe_hdr *ph; + struct net_device *dev; + char *start; ++ int hlen; + + lock_sock(sk); + if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) { +@@ -878,16 +879,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m, + if (total_len > (dev->mtu + dev->hard_header_len)) + goto end; + +- +- skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32, +- 0, GFP_KERNEL); ++ hlen = LL_RESERVED_SPACE(dev); ++ skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len + ++ dev->needed_tailroom, 0, GFP_KERNEL); + if (!skb) { + error = -ENOMEM; + goto end; + } + + /* Reserve space for headers. */ +- skb_reserve(skb, dev->hard_header_len); ++ skb_reserve(skb, hlen); + skb_reset_network_header(skb); + + skb->dev = dev; +@@ -948,7 +949,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb) + /* Copy the data if there is no space for the header or if it's + * read-only. + */ +- if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) ++ if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph))) + goto abort; + + __skb_push(skb, sizeof(*ph)); +diff --git a/drivers/net/usb/Kconfig b/drivers/net/usb/Kconfig +index 2b47cbae524c..9a9e0ea05a72 100644 +--- a/drivers/net/usb/Kconfig ++++ b/drivers/net/usb/Kconfig +@@ -382,6 +382,10 @@ config USB_NET_RNDIS_HOST + The protocol specification is incomplete, and is controlled by + (and for) Microsoft; it isn't an "Open" ecosystem or market. + ++config USB_NET_CDC_SUBSET_ENABLE ++ tristate ++ depends on USB_NET_CDC_SUBSET ++ + config USB_NET_CDC_SUBSET + tristate "Simple USB Network Links (CDC Ethernet subset)" + depends on USB_USBNET +@@ -400,6 +404,7 @@ config USB_NET_CDC_SUBSET + config USB_ALI_M5632 + bool "ALi M5632 based 'USB 2.0 Data Link' cables" + depends on USB_NET_CDC_SUBSET ++ select USB_NET_CDC_SUBSET_ENABLE + help + Choose this option if you're using a host-to-host cable + based on this design, which supports USB 2.0 high speed. +@@ -407,6 +412,7 @@ config USB_ALI_M5632 + config USB_AN2720 + bool "AnchorChips 2720 based cables (Xircom PGUNET, ...)" + depends on USB_NET_CDC_SUBSET ++ select USB_NET_CDC_SUBSET_ENABLE + help + Choose this option if you're using a host-to-host cable + based on this design. Note that AnchorChips is now a +@@ -415,6 +421,7 @@ config USB_AN2720 + config USB_BELKIN + bool "eTEK based host-to-host cables (Advance, Belkin, ...)" + depends on USB_NET_CDC_SUBSET ++ select USB_NET_CDC_SUBSET_ENABLE + default y + help + Choose this option if you're using a host-to-host cable +@@ -424,6 +431,7 @@ config USB_BELKIN + config USB_ARMLINUX + bool "Embedded ARM Linux links (iPaq, ...)" + depends on USB_NET_CDC_SUBSET ++ select USB_NET_CDC_SUBSET_ENABLE + default y + help + Choose this option to support the "usb-eth" networking driver +@@ -441,6 +449,7 @@ config USB_ARMLINUX + config USB_EPSON2888 + bool "Epson 2888 based firmware (DEVELOPMENT)" + depends on USB_NET_CDC_SUBSET ++ select USB_NET_CDC_SUBSET_ENABLE + help + Choose this option to support the usb networking links used + by some sample firmware from Epson. +@@ -448,6 +457,7 @@ config USB_EPSON2888 + config USB_KC2190 + bool "KT Technology KC2190 based cables (InstaNet)" + depends on USB_NET_CDC_SUBSET ++ select USB_NET_CDC_SUBSET_ENABLE + help + Choose this option if you're using a host-to-host cable + with one of these chips. +diff --git a/drivers/net/usb/Makefile b/drivers/net/usb/Makefile +index e2797f1e1b31..ed5a577c1a61 100644 +--- a/drivers/net/usb/Makefile ++++ b/drivers/net/usb/Makefile +@@ -22,7 +22,7 @@ obj-$(CONFIG_USB_NET_GL620A) += gl620a.o + obj-$(CONFIG_USB_NET_NET1080) += net1080.o + obj-$(CONFIG_USB_NET_PLUSB) += plusb.o + obj-$(CONFIG_USB_NET_RNDIS_HOST) += rndis_host.o +-obj-$(CONFIG_USB_NET_CDC_SUBSET) += cdc_subset.o ++obj-$(CONFIG_USB_NET_CDC_SUBSET_ENABLE) += cdc_subset.o + obj-$(CONFIG_USB_NET_ZAURUS) += zaurus.o + obj-$(CONFIG_USB_NET_MCS7830) += mcs7830.o + obj-$(CONFIG_USB_USBNET) += usbnet.o +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c +index e221bfcee76b..947bea81d924 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -293,12 +293,9 @@ static struct sk_buff *cx82310_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + { + int len = skb->len; + +- if (skb_headroom(skb) < 2) { +- struct sk_buff *skb2 = skb_copy_expand(skb, 2, 0, flags); ++ if (skb_cow_head(skb, 2)) { + dev_kfree_skb_any(skb); +- skb = skb2; +- if (!skb) +- return NULL; ++ return NULL; + } + skb_push(skb, 2); + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 6cf881ce4d4e..3d97fd391793 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -464,6 +464,10 @@ static const struct usb_device_id products[] = { + USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, USB_CLASS_VENDOR_SPEC, 0x01, 0x69), + .driver_info = (unsigned long)&qmi_wwan_info, + }, ++ { /* Motorola Mapphone devices with MDM6600 */ ++ USB_VENDOR_AND_INTERFACE_INFO(0x22b8, USB_CLASS_VENDOR_SPEC, 0xfb, 0xff), ++ .driver_info = (unsigned long)&qmi_wwan_info, ++ }, + + /* 2. Combined interface devices matching on class+protocol */ + { /* Huawei E367 and possibly others in "Windows mode" */ +@@ -775,6 +779,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index e387af61e0d3..55b0129acff7 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1263,6 +1263,7 @@ static int alloc_all_mem(struct r8152 *tp) + spin_lock_init(&tp->rx_lock); + spin_lock_init(&tp->tx_lock); + INIT_LIST_HEAD(&tp->tx_free); ++ INIT_LIST_HEAD(&tp->rx_done); + skb_queue_head_init(&tp->tx_queue); + skb_queue_head_init(&tp->rx_queue); + +@@ -1928,7 +1929,6 @@ static void _rtl8152_set_rx_mode(struct net_device *netdev) + __le32 tmp[2]; + u32 ocp_data; + +- clear_bit(RTL8152_SET_RX_MODE, &tp->flags); + netif_stop_queue(netdev); + ocp_data = ocp_read_dword(tp, MCU_TYPE_PLA, PLA_RCR); + ocp_data &= ~RCR_ACPT_ALL; +@@ -2363,8 +2363,6 @@ static void rtl_phy_reset(struct r8152 *tp) + u16 data; + int i; + +- clear_bit(PHY_RESET, &tp->flags); +- + data = r8152_mdio_read(tp, MII_BMCR); + + /* don't reset again before the previous one complete */ +@@ -2859,10 +2857,9 @@ static int rtl8152_set_speed(struct r8152 *tp, u8 autoneg, u16 speed, u8 duplex) + r8152_mdio_write(tp, MII_ADVERTISE, anar); + r8152_mdio_write(tp, MII_BMCR, bmcr); + +- if (test_bit(PHY_RESET, &tp->flags)) { ++ if (test_and_clear_bit(PHY_RESET, &tp->flags)) { + int i; + +- clear_bit(PHY_RESET, &tp->flags); + for (i = 0; i < 50; i++) { + msleep(20); + if ((r8152_mdio_read(tp, MII_BMCR) & BMCR_RESET) == 0) +@@ -2871,7 +2868,6 @@ static int rtl8152_set_speed(struct r8152 *tp, u8 autoneg, u16 speed, u8 duplex) + } + + out: +- + return ret; + } + +@@ -2927,7 +2923,6 @@ static void set_carrier(struct r8152 *tp) + struct net_device *netdev = tp->netdev; + u8 speed; + +- clear_bit(RTL8152_LINK_CHG, &tp->flags); + speed = rtl8152_get_speed(tp); + + if (speed & LINK_STATUS) { +@@ -2968,20 +2963,18 @@ static void rtl_work_func_t(struct work_struct *work) + goto out1; + } + +- if (test_bit(RTL8152_LINK_CHG, &tp->flags)) ++ if (test_and_clear_bit(RTL8152_LINK_CHG, &tp->flags)) + set_carrier(tp); + +- if (test_bit(RTL8152_SET_RX_MODE, &tp->flags)) ++ if (test_and_clear_bit(RTL8152_SET_RX_MODE, &tp->flags)) + _rtl8152_set_rx_mode(tp->netdev); + + /* don't schedule napi before linking */ +- if (test_bit(SCHEDULE_NAPI, &tp->flags) && +- netif_carrier_ok(tp->netdev)) { +- clear_bit(SCHEDULE_NAPI, &tp->flags); ++ if (test_and_clear_bit(SCHEDULE_NAPI, &tp->flags) && ++ netif_carrier_ok(tp->netdev)) + napi_schedule(&tp->napi); +- } + +- if (test_bit(PHY_RESET, &tp->flags)) ++ if (test_and_clear_bit(PHY_RESET, &tp->flags)) + rtl_phy_reset(tp); + + mutex_unlock(&tp->control); +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index d9e7892262fa..2c526ca29cde 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -2198,13 +2198,9 @@ static struct sk_buff *smsc75xx_tx_fixup(struct usbnet *dev, + { + u32 tx_cmd_a, tx_cmd_b; + +- if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) { +- struct sk_buff *skb2 = +- skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags); ++ if (skb_cow_head(skb, SMSC75XX_TX_OVERHEAD)) { + dev_kfree_skb_any(skb); +- skb = skb2; +- if (!skb) +- return NULL; ++ return NULL; + } + + tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN) | TX_CMD_A_FCS; +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 4a1e9c489f1f..aadfe1d1c37e 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -456,14 +456,9 @@ static struct sk_buff *sr9700_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + + len = skb->len; + +- if (skb_headroom(skb) < SR_TX_OVERHEAD) { +- struct sk_buff *skb2; +- +- skb2 = skb_copy_expand(skb, SR_TX_OVERHEAD, 0, flags); ++ if (skb_cow_head(skb, SR_TX_OVERHEAD)) { + dev_kfree_skb_any(skb); +- skb = skb2; +- if (!skb) +- return NULL; ++ return NULL; + } + + __skb_push(skb, SR_TX_OVERHEAD); +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 61c0840c448c..0b9c8d61f7d1 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1431,7 +1431,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq, + rq->rx_ring[i].basePA); + rq->rx_ring[i].base = NULL; + } +- rq->buf_info[i] = NULL; + } + + if (rq->comp_ring.base) { +@@ -1446,6 +1445,7 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq, + (rq->rx_ring[0].size + rq->rx_ring[1].size); + dma_free_coherent(&adapter->pdev->dev, sz, rq->buf_info[0], + rq->buf_info_pa); ++ rq->buf_info[0] = rq->buf_info[1] = NULL; + } + } + +diff --git a/drivers/net/wireless/cw1200/wsm.c b/drivers/net/wireless/cw1200/wsm.c +index 9e0ca3048657..3dd46c78c1cc 100644 +--- a/drivers/net/wireless/cw1200/wsm.c ++++ b/drivers/net/wireless/cw1200/wsm.c +@@ -379,7 +379,6 @@ static int wsm_multi_tx_confirm(struct cw1200_common *priv, + { + int ret; + int count; +- int i; + + count = WSM_GET32(buf); + if (WARN_ON(count <= 0)) +@@ -395,11 +394,10 @@ static int wsm_multi_tx_confirm(struct cw1200_common *priv, + } + + cw1200_debug_txed_multi(priv, count); +- for (i = 0; i < count; ++i) { ++ do { + ret = wsm_tx_confirm(priv, buf, link_id); +- if (ret) +- return ret; +- } ++ } while (!ret && --count); ++ + return ret; + + underflow: +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 8a38a5bd34b8..9e8461466534 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -87,6 +87,8 @@ struct netfront_cb { + /* IRQ name is queue name with "-tx" or "-rx" appended */ + #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3) + ++static DECLARE_WAIT_QUEUE_HEAD(module_unload_q); ++ + struct netfront_stats { + u64 packets; + u64 bytes; +@@ -1999,10 +2001,12 @@ static void netback_changed(struct xenbus_device *dev, + break; + + case XenbusStateClosed: ++ wake_up_all(&module_unload_q); + if (dev->state == XenbusStateClosed) + break; + /* Missed the backend's CLOSING state -- fallthrough */ + case XenbusStateClosing: ++ wake_up_all(&module_unload_q); + xenbus_frontend_closed(dev); + break; + } +@@ -2108,6 +2112,20 @@ static int xennet_remove(struct xenbus_device *dev) + + dev_dbg(&dev->dev, "%s\n", dev->nodename); + ++ if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) { ++ xenbus_switch_state(dev, XenbusStateClosing); ++ wait_event(module_unload_q, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosing); ++ ++ xenbus_switch_state(dev, XenbusStateClosed); ++ wait_event(module_unload_q, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown); ++ } ++ + xennet_disconnect_backend(info); + + unregister_netdev(info->netdev); +diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c +index 3901ff66d0ee..2f7978204421 100644 +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -1654,3 +1654,36 @@ void lba_set_iregs(struct parisc_device *lba, u32 ibase, u32 imask) + iounmap(base_addr); + } + ++ ++/* ++ * The design of the Diva management card in rp34x0 machines (rp3410, rp3440) ++ * seems rushed, so that many built-in components simply don't work. ++ * The following quirks disable the serial AUX port and the built-in ATI RV100 ++ * Radeon 7000 graphics card which both don't have any external connectors and ++ * thus are useless, and even worse, e.g. the AUX port occupies ttyS0 and as ++ * such makes those machines the only PARISC machines on which we can't use ++ * ttyS0 as boot console. ++ */ ++static void quirk_diva_ati_card(struct pci_dev *dev) ++{ ++ if (dev->subsystem_vendor != PCI_VENDOR_ID_HP || ++ dev->subsystem_device != 0x1292) ++ return; ++ ++ dev_info(&dev->dev, "Hiding Diva built-in ATI card"); ++ dev->device = 0; ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RADEON_QY, ++ quirk_diva_ati_card); ++ ++static void quirk_diva_aux_disable(struct pci_dev *dev) ++{ ++ if (dev->subsystem_vendor != PCI_VENDOR_ID_HP || ++ dev->subsystem_device != 0x1291) ++ return; ++ ++ dev_info(&dev->dev, "Hiding Diva built-in AUX serial device"); ++ dev->device = 0; ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_DIVA_AUX, ++ quirk_diva_aux_disable); +diff --git a/drivers/pci/host/pci-keystone.c b/drivers/pci/host/pci-keystone.c +index 75333b0c4f0a..29b018c4e7e4 100644 +--- a/drivers/pci/host/pci-keystone.c ++++ b/drivers/pci/host/pci-keystone.c +@@ -179,14 +179,16 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, + } + + /* interrupt controller is in a child node */ +- *np_temp = of_find_node_by_name(np_pcie, controller); ++ *np_temp = of_get_child_by_name(np_pcie, controller); + if (!(*np_temp)) { + dev_err(dev, "Node for %s is absent\n", controller); + goto out; + } + temp = of_irq_count(*np_temp); +- if (!temp) ++ if (!temp) { ++ of_node_put(*np_temp); + goto out; ++ } + if (temp > max_host_irqs) + dev_warn(dev, "Too many %s interrupts defined %u\n", + (legacy ? "legacy" : "MSI"), temp); +@@ -200,6 +202,9 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, + if (!host_irqs[temp]) + break; + } ++ ++ of_node_put(*np_temp); ++ + if (temp) { + *num_irqs = temp; + ret = 0; +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c +index 089a1f41e44e..95db37cf5f08 100644 +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -156,7 +156,6 @@ static int virtfn_add(struct pci_dev *dev, int id, int reset) + pci_device_add(virtfn, virtfn->bus); + mutex_unlock(&iov->dev->sriov->lock); + +- pci_bus_add_device(virtfn); + sprintf(buf, "virtfn%u", id); + rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf); + if (rc) +@@ -167,6 +166,8 @@ static int virtfn_add(struct pci_dev *dev, int id, int reset) + + kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE); + ++ pci_bus_add_device(virtfn); ++ + return 0; + + failed2: +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index 98101c4118bb..1363fe636281 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -936,7 +936,12 @@ static int pci_pm_thaw_noirq(struct device *dev) + if (pci_has_legacy_pm_support(pci_dev)) + return pci_legacy_resume_early(dev); + +- pci_update_current_state(pci_dev, PCI_D0); ++ /* ++ * pci_restore_state() requires the device to be in D0 (because of MSI ++ * restoration among other things), so force it into D0 in case the ++ * driver's "freeze" callbacks put it into a low-power state directly. ++ */ ++ pci_set_power_state(pci_dev, PCI_D0); + pci_restore_state(pci_dev); + + if (drv && drv->pm && drv->pm->thaw_noirq) +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 409f895b5a3d..ffd8fe77b8ae 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -3651,6 +3651,10 @@ static bool pci_bus_resetable(struct pci_bus *bus) + { + struct pci_dev *dev; + ++ ++ if (bus->self && (bus->self->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET)) ++ return false; ++ + list_for_each_entry(dev, &bus->devices, bus_list) { + if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET || + (dev->subordinate && !pci_bus_resetable(dev->subordinate))) +diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c +index b60a325234c5..cca4b4789ac4 100644 +--- a/drivers/pci/pcie/aer/aerdrv_core.c ++++ b/drivers/pci/pcie/aer/aerdrv_core.c +@@ -360,7 +360,14 @@ static pci_ers_result_t broadcast_error_message(struct pci_dev *dev, + * If the error is reported by an end point, we think this + * error is related to the upstream link of the end point. + */ +- pci_walk_bus(dev->bus, cb, &result_data); ++ if (state == pci_channel_io_normal) ++ /* ++ * the error is non fatal so the bus is ok, just invoke ++ * the callback for the function that logged the error. ++ */ ++ cb(dev, &result_data); ++ else ++ pci_walk_bus(dev->bus, cb, &result_data); + } + + return result_data.result; +diff --git a/drivers/pinctrl/pinctrl-st.c b/drivers/pinctrl/pinctrl-st.c +index 65bf73b70e34..a02a7caf8d4c 100644 +--- a/drivers/pinctrl/pinctrl-st.c ++++ b/drivers/pinctrl/pinctrl-st.c +@@ -1348,6 +1348,22 @@ static void st_gpio_irq_unmask(struct irq_data *d) + writel(BIT(d->hwirq), bank->base + REG_PIO_SET_PMASK); + } + ++static int st_gpio_irq_request_resources(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ ++ st_gpio_direction_input(gc, d->hwirq); ++ ++ return gpiochip_lock_as_irq(gc, d->hwirq); ++} ++ ++static void st_gpio_irq_release_resources(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ ++ gpiochip_unlock_as_irq(gc, d->hwirq); ++} ++ + static int st_gpio_irq_set_type(struct irq_data *d, unsigned type) + { + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); +@@ -1503,12 +1519,14 @@ static struct gpio_chip st_gpio_template = { + }; + + static struct irq_chip st_gpio_irqchip = { +- .name = "GPIO", +- .irq_disable = st_gpio_irq_mask, +- .irq_mask = st_gpio_irq_mask, +- .irq_unmask = st_gpio_irq_unmask, +- .irq_set_type = st_gpio_irq_set_type, +- .flags = IRQCHIP_SKIP_SET_WAKE, ++ .name = "GPIO", ++ .irq_request_resources = st_gpio_irq_request_resources, ++ .irq_release_resources = st_gpio_irq_release_resources, ++ .irq_disable = st_gpio_irq_mask, ++ .irq_mask = st_gpio_irq_mask, ++ .irq_unmask = st_gpio_irq_unmask, ++ .irq_set_type = st_gpio_irq_set_type, ++ .flags = IRQCHIP_SKIP_SET_WAKE, + }; + + static int st_gpiolib_register_bank(struct st_pinctrl *info, +diff --git a/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c b/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c +index 1b580ba76453..907d7db3fcee 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c +@@ -145,19 +145,19 @@ static const struct sunxi_desc_pin sun9i_a80_pins[] = { + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), + SUNXI_FUNCTION(0x3, "mcsi"), /* MCLK */ +- SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 14)), /* PB_EINT14 */ ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 14)), /* PB_EINT14 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(B, 15), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), + SUNXI_FUNCTION(0x3, "mcsi"), /* SCK */ + SUNXI_FUNCTION(0x4, "i2c4"), /* SCK */ +- SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 15)), /* PB_EINT15 */ ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 15)), /* PB_EINT15 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(B, 16), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), + SUNXI_FUNCTION(0x3, "mcsi"), /* SDA */ + SUNXI_FUNCTION(0x4, "i2c4"), /* SDA */ +- SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 16)), /* PB_EINT16 */ ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 16)), /* PB_EINT16 */ + + /* Hole */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 0), +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index f9f205cb1f11..8becddcf130b 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -94,6 +94,7 @@ config DELL_LAPTOP + tristate "Dell Laptop Extras" + depends on X86 + depends on DCDBAS ++ depends on DMI + depends on BACKLIGHT_CLASS_DEVICE + depends on RFKILL || RFKILL = n + depends on SERIO_I8042 +@@ -108,6 +109,7 @@ config DELL_LAPTOP + config DELL_WMI + tristate "Dell WMI extras" + depends on ACPI_WMI ++ depends on DMI + depends on INPUT + select INPUT_SPARSEKMAP + ---help--- +diff --git a/drivers/platform/x86/intel_mid_thermal.c b/drivers/platform/x86/intel_mid_thermal.c +index aeb3f786d2f0..84273a979768 100644 +--- a/drivers/platform/x86/intel_mid_thermal.c ++++ b/drivers/platform/x86/intel_mid_thermal.c +@@ -416,6 +416,7 @@ static struct thermal_device_info *initialize_sensor(int index) + return td_info; + } + ++#ifdef CONFIG_PM_SLEEP + /** + * mid_thermal_resume - resume routine + * @dev: device structure +@@ -443,6 +444,7 @@ static int mid_thermal_suspend(struct device *dev) + */ + return configure_adc(0); + } ++#endif + + static SIMPLE_DEV_PM_OPS(mid_thermal_pm, + mid_thermal_suspend, mid_thermal_resume); +diff --git a/drivers/platform/x86/tc1100-wmi.c b/drivers/platform/x86/tc1100-wmi.c +index e36542564131..e89ac8cd20e8 100644 +--- a/drivers/platform/x86/tc1100-wmi.c ++++ b/drivers/platform/x86/tc1100-wmi.c +@@ -52,7 +52,9 @@ struct tc1100_data { + u32 jogdial; + }; + ++#ifdef CONFIG_PM + static struct tc1100_data suspend_data; ++#endif + + /* -------------------------------------------------------------------------- + Device Management +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c +index faa81ac2d481..038da40e4038 100644 +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -809,7 +809,7 @@ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) + } + + timerqueue_add(&rtc->timerqueue, &timer->node); +- if (!next) { ++ if (!next || ktime_before(timer->node.expires, next->expires)) { + struct rtc_wkalrm alarm; + int err; + alarm.time = rtc_ktime_to_tm(timer->node.expires); +diff --git a/drivers/rtc/rtc-opal.c b/drivers/rtc/rtc-opal.c +index 7061dcae2b09..482af0dda0b0 100644 +--- a/drivers/rtc/rtc-opal.c ++++ b/drivers/rtc/rtc-opal.c +@@ -58,6 +58,7 @@ static void tm_to_opal(struct rtc_time *tm, u32 *y_m_d, u64 *h_m_s_ms) + static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + { + long rc = OPAL_BUSY; ++ int retries = 10; + u32 y_m_d; + u64 h_m_s_ms; + __be32 __y_m_d; +@@ -67,8 +68,11 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms); + if (rc == OPAL_BUSY_EVENT) + opal_poll_events(NULL); +- else ++ else if (retries-- && (rc == OPAL_HARDWARE ++ || rc == OPAL_INTERNAL_ERROR)) + msleep(10); ++ else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) ++ break; + } + + if (rc != OPAL_SUCCESS) +@@ -84,6 +88,7 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm) + { + long rc = OPAL_BUSY; ++ int retries = 10; + u32 y_m_d = 0; + u64 h_m_s_ms = 0; + +@@ -92,8 +97,11 @@ static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm) + rc = opal_rtc_write(y_m_d, h_m_s_ms); + if (rc == OPAL_BUSY_EVENT) + opal_poll_events(NULL); +- else ++ else if (retries-- && (rc == OPAL_HARDWARE ++ || rc == OPAL_INTERNAL_ERROR)) + msleep(10); ++ else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) ++ break; + } + + return rc == OPAL_SUCCESS ? 0 : -EIO; +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 6215f6455eb8..7f31087fca31 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -518,10 +518,12 @@ static int prefix_LRE(struct ccw1 *ccw, struct PFX_eckd_data *pfxdata, + pfxdata->validity.define_extent = 1; + + /* private uid is kept up to date, conf_data may be outdated */ +- if (startpriv->uid.type != UA_BASE_DEVICE) { ++ if (startpriv->uid.type == UA_BASE_PAV_ALIAS) + pfxdata->validity.verify_base = 1; +- if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) +- pfxdata->validity.hyper_pav = 1; ++ ++ if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) { ++ pfxdata->validity.verify_base = 1; ++ pfxdata->validity.hyper_pav = 1; + } + + /* define extend data (mostly)*/ +@@ -2964,10 +2966,12 @@ static int prepare_itcw(struct itcw *itcw, + pfxdata.validity.define_extent = 1; + + /* private uid is kept up to date, conf_data may be outdated */ +- if (startpriv->uid.type != UA_BASE_DEVICE) { ++ if (startpriv->uid.type == UA_BASE_PAV_ALIAS) ++ pfxdata.validity.verify_base = 1; ++ ++ if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) { + pfxdata.validity.verify_base = 1; +- if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) +- pfxdata.validity.hyper_pav = 1; ++ pfxdata.validity.hyper_pav = 1; + } + + switch (cmd) { +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index fefd3c512386..6dbf0d5a2a22 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -2790,17 +2790,13 @@ static void qeth_l3_fill_af_iucv_hdr(struct qeth_card *card, + char daddr[16]; + struct af_iucv_trans_hdr *iucv_hdr; + +- skb_pull(skb, 14); +- card->dev->header_ops->create(skb, card->dev, 0, +- card->dev->dev_addr, card->dev->dev_addr, +- card->dev->addr_len); +- skb_pull(skb, 14); +- iucv_hdr = (struct af_iucv_trans_hdr *)skb->data; + memset(hdr, 0, sizeof(struct qeth_hdr)); + hdr->hdr.l3.id = QETH_HEADER_TYPE_LAYER3; + hdr->hdr.l3.ext_flags = 0; +- hdr->hdr.l3.length = skb->len; ++ hdr->hdr.l3.length = skb->len - ETH_HLEN; + hdr->hdr.l3.flags = QETH_HDR_IPV6 | QETH_CAST_UNICAST; ++ ++ iucv_hdr = (struct af_iucv_trans_hdr *) (skb->data + ETH_HLEN); + memset(daddr, 0, sizeof(daddr)); + daddr[0] = 0xfe; + daddr[1] = 0x80; +@@ -2983,10 +2979,7 @@ static int qeth_l3_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) + if ((card->info.type == QETH_CARD_TYPE_IQD) && (!large_send) && + (skb_shinfo(skb)->nr_frags == 0)) { + new_skb = skb; +- if (new_skb->protocol == ETH_P_AF_IUCV) +- data_offset = 0; +- else +- data_offset = ETH_HLEN; ++ data_offset = ETH_HLEN; + hdr = kmem_cache_alloc(qeth_core_header_cache, GFP_ATOMIC); + if (!hdr) + goto tx_drop; +diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c +index ae95e347f37d..42a14c456da0 100644 +--- a/drivers/scsi/advansys.c ++++ b/drivers/scsi/advansys.c +@@ -6482,18 +6482,17 @@ static uchar AscGetSynPeriodIndex(ASC_DVC_VAR *asc_dvc, uchar syn_time) + static uchar + AscMsgOutSDTR(ASC_DVC_VAR *asc_dvc, uchar sdtr_period, uchar sdtr_offset) + { +- EXT_MSG sdtr_buf; +- uchar sdtr_period_index; +- PortAddr iop_base; +- +- iop_base = asc_dvc->iop_base; +- sdtr_buf.msg_type = EXTENDED_MESSAGE; +- sdtr_buf.msg_len = MS_SDTR_LEN; +- sdtr_buf.msg_req = EXTENDED_SDTR; +- sdtr_buf.xfer_period = sdtr_period; ++ PortAddr iop_base = asc_dvc->iop_base; ++ uchar sdtr_period_index = AscGetSynPeriodIndex(asc_dvc, sdtr_period); ++ EXT_MSG sdtr_buf = { ++ .msg_type = EXTENDED_MESSAGE, ++ .msg_len = MS_SDTR_LEN, ++ .msg_req = EXTENDED_SDTR, ++ .xfer_period = sdtr_period, ++ .req_ack_offset = sdtr_offset, ++ }; + sdtr_offset &= ASC_SYN_MAX_OFFSET; +- sdtr_buf.req_ack_offset = sdtr_offset; +- sdtr_period_index = AscGetSynPeriodIndex(asc_dvc, sdtr_period); ++ + if (sdtr_period_index <= asc_dvc->max_sdtr_index) { + AscMemWordCopyPtrToLram(iop_base, ASCV_MSGOUT_BEG, + (uchar *)&sdtr_buf, +@@ -11476,6 +11475,9 @@ static int advansys_board_found(struct Scsi_Host *shost, unsigned int iop, + ASC_DBG(2, "AdvInitGetConfig()\n"); + + ret = AdvInitGetConfig(pdev, shost) ? -ENODEV : 0; ++#else ++ share_irq = 0; ++ ret = -ENODEV; + #endif /* CONFIG_PCI */ + } + +diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c +index dd00e5fe4a5e..18f782bfc874 100644 +--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c ++++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c +@@ -1332,6 +1332,7 @@ static void release_offload_resources(struct cxgbi_sock *csk) + csk, csk->state, csk->flags, csk->tid); + + cxgbi_sock_free_cpl_skbs(csk); ++ cxgbi_sock_purge_write_queue(csk); + if (csk->wr_cred != csk->wr_max_cred) { + cxgbi_sock_purge_wr_queue(csk); + cxgbi_sock_reset_wr_list(csk); +diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c +index 2806cfbec2b9..8803bafc48e9 100644 +--- a/drivers/scsi/dpt_i2o.c ++++ b/drivers/scsi/dpt_i2o.c +@@ -180,11 +180,14 @@ static u8 adpt_read_blink_led(adpt_hba* host) + *============================================================================ + */ + ++#ifdef MODULE + static struct pci_device_id dptids[] = { + { PCI_DPT_VENDOR_ID, PCI_DPT_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,}, + { PCI_DPT_VENDOR_ID, PCI_DPT_RAPTOR_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,}, + { 0, } + }; ++#endif ++ + MODULE_DEVICE_TABLE(pci,dptids); + + static int adpt_detect(struct scsi_host_template* sht) +diff --git a/drivers/scsi/fdomain.c b/drivers/scsi/fdomain.c +index fff682976c56..466d0a30aae7 100644 +--- a/drivers/scsi/fdomain.c ++++ b/drivers/scsi/fdomain.c +@@ -1769,7 +1769,7 @@ struct scsi_host_template fdomain_driver_template = { + }; + + #ifndef PCMCIA +-#ifdef CONFIG_PCI ++#if defined(CONFIG_PCI) && defined(MODULE) + + static struct pci_device_id fdomain_pci_tbl[] = { + { PCI_VENDOR_ID_FD, PCI_DEVICE_ID_FD_36C70, +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.h b/drivers/scsi/ibmvscsi/ibmvfc.h +index 8fae03215a85..543c10266984 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.h ++++ b/drivers/scsi/ibmvscsi/ibmvfc.h +@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes { + }; + + struct ibmvfc_fcp_rsp_info { +- __be16 reserved; ++ u8 reserved[3]; + u8 rsp_code; + u8 reserved2[4]; + }__attribute__((packed, aligned (2))); +diff --git a/drivers/scsi/initio.c b/drivers/scsi/initio.c +index e5dae7b54d9a..51063177f18e 100644 +--- a/drivers/scsi/initio.c ++++ b/drivers/scsi/initio.c +@@ -110,11 +110,6 @@ + #define i91u_MAXQUEUE 2 + #define i91u_REVID "Initio INI-9X00U/UW SCSI device driver; Revision: 1.04a" + +-#define I950_DEVICE_ID 0x9500 /* Initio's inic-950 product ID */ +-#define I940_DEVICE_ID 0x9400 /* Initio's inic-940 product ID */ +-#define I935_DEVICE_ID 0x9401 /* Initio's inic-935 product ID */ +-#define I920_DEVICE_ID 0x0002 /* Initio's other product ID */ +- + #ifdef DEBUG_i91u + static unsigned int i91u_debug = DEBUG_DEFAULT; + #endif +@@ -127,17 +122,6 @@ static int setup_debug = 0; + + static void i91uSCBPost(u8 * pHcb, u8 * pScb); + +-/* PCI Devices supported by this driver */ +-static struct pci_device_id i91u_pci_devices[] = { +- { PCI_VENDOR_ID_INIT, I950_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, +- { PCI_VENDOR_ID_INIT, I940_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, +- { PCI_VENDOR_ID_INIT, I935_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, +- { PCI_VENDOR_ID_INIT, I920_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, +- { PCI_VENDOR_ID_DOMEX, I920_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, +- { } +-}; +-MODULE_DEVICE_TABLE(pci, i91u_pci_devices); +- + #define DEBUG_INTERRUPT 0 + #define DEBUG_QUEUE 0 + #define DEBUG_STATE 0 +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 39e511216fd9..8826110991eb 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1727,7 +1727,7 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc) + + if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) { + reason = FAILURE_SESSION_IN_RECOVERY; +- sc->result = DID_REQUEUE; ++ sc->result = DID_REQUEUE << 16; + goto fault; + } + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 30f2fe9ba766..9c09ce9b98da 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -6891,7 +6891,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + did, vport->port_state, ndlp->nlp_flag); + + phba->fc_stat.elsRcvPRLI++; +- if (vport->port_state < LPFC_DISC_AUTH) { ++ if ((vport->port_state < LPFC_DISC_AUTH) && ++ (vport->fc_flag & FC_FABRIC)) { + rjt_err = LSRJT_UNABLE_TPC; + rjt_exp = LSEXP_NOTHING_MORE; + break; +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 2500f15d437f..574b1a9b2b32 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -4767,7 +4767,8 @@ lpfc_nlp_remove(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + lpfc_cancel_retry_delay_tmo(vport, ndlp); + if ((ndlp->nlp_flag & NLP_DEFER_RM) && + !(ndlp->nlp_flag & NLP_REG_LOGIN_SEND) && +- !(ndlp->nlp_flag & NLP_RPI_REGISTERED)) { ++ !(ndlp->nlp_flag & NLP_RPI_REGISTERED) && ++ phba->sli_rev != LPFC_SLI_REV4) { + /* For this case we need to cleanup the default rpi + * allocated by the firmware. + */ +diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h +index 3757a7399983..d7ee72ef99ed 100644 +--- a/drivers/scsi/lpfc/lpfc_hw4.h ++++ b/drivers/scsi/lpfc/lpfc_hw4.h +@@ -2953,7 +2953,7 @@ struct lpfc_mbx_get_port_name { + #define MB_CEQ_STATUS_QUEUE_FLUSHING 0x4 + #define MB_CQE_STATUS_DMA_FAILED 0x5 + +-#define LPFC_MBX_WR_CONFIG_MAX_BDE 8 ++#define LPFC_MBX_WR_CONFIG_MAX_BDE 1 + struct lpfc_mbx_wr_object { + struct mbox_header header; + union { +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c +index 3e6b866759fe..c51e1537ed8e 100644 +--- a/drivers/scsi/mvumi.c ++++ b/drivers/scsi/mvumi.c +@@ -2629,7 +2629,7 @@ static void mvumi_shutdown(struct pci_dev *pdev) + mvumi_flush_cache(mhba); + } + +-static int mvumi_suspend(struct pci_dev *pdev, pm_message_t state) ++static int __maybe_unused mvumi_suspend(struct pci_dev *pdev, pm_message_t state) + { + struct mvumi_hba *mhba = NULL; + +@@ -2648,7 +2648,7 @@ static int mvumi_suspend(struct pci_dev *pdev, pm_message_t state) + return 0; + } + +-static int mvumi_resume(struct pci_dev *pdev) ++static int __maybe_unused mvumi_resume(struct pci_dev *pdev) + { + int ret; + struct mvumi_hba *mhba = NULL; +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 102806a961da..2589a75f0810 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -160,7 +160,6 @@ typedef struct sg_fd { /* holds the state of a file descriptor */ + struct list_head rq_list; /* head of request list */ + struct fasync_struct *async_qp; /* used by asynchronous notification */ + Sg_request req_arr[SG_MAX_QUEUE]; /* used as singly-linked list */ +- char low_dma; /* as in parent but possibly overridden to 1 */ + char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */ + char cmd_q; /* 1 -> allow command queuing, 0 -> don't */ + unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */ +@@ -926,24 +925,14 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) + /* strange ..., for backward compatibility */ + return sfp->timeout_user; + case SG_SET_FORCE_LOW_DMA: +- result = get_user(val, ip); +- if (result) +- return result; +- if (val) { +- sfp->low_dma = 1; +- if ((0 == sfp->low_dma) && !sfp->res_in_use) { +- val = (int) sfp->reserve.bufflen; +- sg_remove_scat(sfp, &sfp->reserve); +- sg_build_reserve(sfp, val); +- } +- } else { +- if (atomic_read(&sdp->detaching)) +- return -ENODEV; +- sfp->low_dma = sdp->device->host->unchecked_isa_dma; +- } ++ /* ++ * N.B. This ioctl never worked properly, but failed to ++ * return an error value. So returning '0' to keep compability ++ * with legacy applications. ++ */ + return 0; + case SG_GET_LOW_DMA: +- return put_user((int) sfp->low_dma, ip); ++ return put_user((int) sdp->device->host->unchecked_isa_dma, ip); + case SG_GET_SCSI_ID: + if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t))) + return -EFAULT; +@@ -1864,6 +1853,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) + int sg_tablesize = sfp->parentdp->sg_tablesize; + int blk_size = buff_size, order; + gfp_t gfp_mask = GFP_ATOMIC | __GFP_COMP | __GFP_NOWARN; ++ struct sg_device *sdp = sfp->parentdp; + + if (blk_size < 0) + return -EFAULT; +@@ -1889,7 +1879,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) + scatter_elem_sz_prev = num; + } + +- if (sfp->low_dma) ++ if (sdp->device->host->unchecked_isa_dma) + gfp_mask |= GFP_DMA; + + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) +@@ -2152,8 +2142,6 @@ sg_add_sfp(Sg_device * sdp) + sfp->timeout = SG_DEFAULT_TIMEOUT; + sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER; + sfp->force_packid = SG_DEF_FORCE_PACK_ID; +- sfp->low_dma = (SG_DEF_FORCE_LOW_DMA == 0) ? +- sdp->device->host->unchecked_isa_dma : 1; + sfp->cmd_q = SG_DEF_COMMAND_Q; + sfp->keep_orphan = SG_DEF_KEEP_ORPHAN; + sfp->parentdp = sdp; +@@ -2612,7 +2600,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp) + jiffies_to_msecs(fp->timeout), + fp->reserve.bufflen, + (int) fp->reserve.k_use_sg, +- (int) fp->low_dma); ++ (int) sdp->device->host->unchecked_isa_dma); + seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=0\n", + (int) fp->cmd_q, (int) fp->force_packid, + (int) fp->keep_orphan); +diff --git a/drivers/scsi/sim710.c b/drivers/scsi/sim710.c +index 3b3b56f4a830..82ed99848378 100644 +--- a/drivers/scsi/sim710.c ++++ b/drivers/scsi/sim710.c +@@ -176,8 +176,7 @@ static struct eisa_device_id sim710_eisa_ids[] = { + }; + MODULE_DEVICE_TABLE(eisa, sim710_eisa_ids); + +-static __init int +-sim710_eisa_probe(struct device *dev) ++static int sim710_eisa_probe(struct device *dev) + { + struct eisa_device *edev = to_eisa_device(dev); + unsigned long io_addr = edev->base_addr; +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 648a44675880..05b76cdfb263 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4290,12 +4290,15 @@ static int ufshcd_config_vreg(struct device *dev, + struct ufs_vreg *vreg, bool on) + { + int ret = 0; +- struct regulator *reg = vreg->reg; +- const char *name = vreg->name; ++ struct regulator *reg; ++ const char *name; + int min_uV, uA_load; + + BUG_ON(!vreg); + ++ reg = vreg->reg; ++ name = vreg->name; ++ + if (regulator_count_voltages(reg) > 0) { + min_uV = on ? vreg->min_uV : 0; + ret = regulator_set_voltage(reg, min_uV, vreg->max_uV); +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 412b9c86b997..967ba6329a58 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1221,12 +1221,23 @@ static int spi_imx_remove(struct platform_device *pdev) + { + struct spi_master *master = platform_get_drvdata(pdev); + struct spi_imx_data *spi_imx = spi_master_get_devdata(master); ++ int ret; + + spi_bitbang_stop(&spi_imx->bitbang); + ++ ret = clk_enable(spi_imx->clk_per); ++ if (ret) ++ return ret; ++ ++ ret = clk_enable(spi_imx->clk_ipg); ++ if (ret) { ++ clk_disable(spi_imx->clk_per); ++ return ret; ++ } ++ + writel(0, spi_imx->base + MXC_CSPICTRL); +- clk_unprepare(spi_imx->clk_ipg); +- clk_unprepare(spi_imx->clk_per); ++ clk_disable_unprepare(spi_imx->clk_ipg); ++ clk_disable_unprepare(spi_imx->clk_per); + spi_imx_sdma_exit(spi_imx); + spi_master_put(master); + +diff --git a/drivers/spi/spi-sun4i.c b/drivers/spi/spi-sun4i.c +index 39d7c7c70112..2eea3de5a668 100644 +--- a/drivers/spi/spi-sun4i.c ++++ b/drivers/spi/spi-sun4i.c +@@ -458,7 +458,7 @@ err_free_master: + + static int sun4i_spi_remove(struct platform_device *pdev) + { +- pm_runtime_disable(&pdev->dev); ++ pm_runtime_force_suspend(&pdev->dev); + + return 0; + } +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c +index 7dd6bde4f325..c40bd7fbc210 100644 +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -758,10 +758,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + break; + case ASHMEM_SET_SIZE: + ret = -EINVAL; ++ mutex_lock(&ashmem_mutex); + if (!asma->file) { + ret = 0; + asma->size = (size_t) arg; + } ++ mutex_unlock(&ashmem_mutex); + break; + case ASHMEM_GET_SIZE: + ret = asma->size; +diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +index 96c1c2d4a112..6e73f4e130b5 100644 +--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c ++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +@@ -1397,19 +1397,13 @@ static int rtw_wx_get_essid(struct net_device *dev, + if ((check_fwstate(pmlmepriv, _FW_LINKED)) || + (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) { + len = pcur_bss->Ssid.SsidLength; +- +- wrqu->essid.length = len; +- + memcpy(extra, pcur_bss->Ssid.Ssid, len); +- +- wrqu->essid.flags = 1; + } else { +- ret = -1; +- goto exit; ++ len = 0; ++ *extra = 0; + } +- +-exit: +- ++ wrqu->essid.length = len; ++ wrqu->essid.flags = 1; + + return ret; + } +diff --git a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c +index 0f524bb7b41d..daff4e76b6d6 100644 +--- a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c ++++ b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c +@@ -1039,7 +1039,6 @@ static int synaptics_rmi4_remove(struct i2c_client *client) + return 0; + } + +-#ifdef CONFIG_PM + /** + * synaptics_rmi4_suspend() - suspend the touch screen controller + * @dev: pointer to device structure +@@ -1047,7 +1046,7 @@ static int synaptics_rmi4_remove(struct i2c_client *client) + * This function is used to suspend the + * touch panel controller and returns integer + */ +-static int synaptics_rmi4_suspend(struct device *dev) ++static int __maybe_unused synaptics_rmi4_suspend(struct device *dev) + { + /* Touch sleep mode */ + int retval; +@@ -1081,7 +1080,7 @@ static int synaptics_rmi4_suspend(struct device *dev) + * This function is used to resume the touch panel + * controller and returns integer. + */ +-static int synaptics_rmi4_resume(struct device *dev) ++static int __maybe_unused synaptics_rmi4_resume(struct device *dev) + { + int retval; + unsigned char intr_status; +@@ -1112,8 +1111,6 @@ static int synaptics_rmi4_resume(struct device *dev) + return 0; + } + +-#endif +- + static SIMPLE_DEV_PM_OPS(synaptics_rmi4_dev_pm_ops, synaptics_rmi4_suspend, + synaptics_rmi4_resume); + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 2d6b0cf0929e..614811e93298 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1755,7 +1755,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, + struct iscsi_tmr_req *tmr_req; + struct iscsi_tm *hdr; + int out_of_order_cmdsn = 0, ret; +- bool sess_ref = false; + u8 function, tcm_function = TMR_UNKNOWN; + + hdr = (struct iscsi_tm *) buf; +@@ -1797,18 +1796,17 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, + buf); + } + ++ transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, ++ conn->sess->se_sess, 0, DMA_NONE, ++ TCM_SIMPLE_TAG, cmd->sense_buffer + 2); ++ ++ target_get_sess_cmd(&cmd->se_cmd, true); ++ + /* + * TASK_REASSIGN for ERL=2 / connection stays inside of + * LIO-Target $FABRIC_MOD + */ + if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { +- transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, +- conn->sess->se_sess, 0, DMA_NONE, +- TCM_SIMPLE_TAG, cmd->sense_buffer + 2); +- +- target_get_sess_cmd(&cmd->se_cmd, true); +- sess_ref = true; +- + switch (function) { + case ISCSI_TM_FUNC_ABORT_TASK: + tcm_function = TMR_ABORT_TASK; +@@ -1947,12 +1945,8 @@ attach: + * For connection recovery, this is also the default action for + * TMR TASK_REASSIGN. + */ +- if (sess_ref) { +- pr_debug("Handle TMR, using sess_ref=true check\n"); +- target_put_sess_cmd(&cmd->se_cmd); +- } +- + iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state); ++ target_put_sess_cmd(&cmd->se_cmd); + return 0; + } + EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd); +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 39e8f22be68b..b2edb5f6e6b9 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -860,7 +860,7 @@ static int tcmu_configure_device(struct se_device *dev) + info->version = xstr(TCMU_MAILBOX_VERSION); + + info->mem[0].name = "tcm-user command & data buffer"; +- info->mem[0].addr = (phys_addr_t) udev->mb_addr; ++ info->mem[0].addr = (phys_addr_t)(uintptr_t)udev->mb_addr; + info->mem[0].size = TCMU_RING_SIZE; + info->mem[0].memtype = UIO_MEM_VIRTUAL; + +diff --git a/drivers/thermal/spear_thermal.c b/drivers/thermal/spear_thermal.c +index bddb71744a6c..9d42f88a4224 100644 +--- a/drivers/thermal/spear_thermal.c ++++ b/drivers/thermal/spear_thermal.c +@@ -54,8 +54,7 @@ static struct thermal_zone_device_ops ops = { + .get_temp = thermal_get_temp, + }; + +-#ifdef CONFIG_PM +-static int spear_thermal_suspend(struct device *dev) ++static int __maybe_unused spear_thermal_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct thermal_zone_device *spear_thermal = platform_get_drvdata(pdev); +@@ -72,7 +71,7 @@ static int spear_thermal_suspend(struct device *dev) + return 0; + } + +-static int spear_thermal_resume(struct device *dev) ++static int __maybe_unused spear_thermal_resume(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct thermal_zone_device *spear_thermal = platform_get_drvdata(pdev); +@@ -94,7 +93,6 @@ static int spear_thermal_resume(struct device *dev) + + return 0; + } +-#endif + + static SIMPLE_DEV_PM_OPS(spear_thermal_pm_ops, spear_thermal_suspend, + spear_thermal_resume); +diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig +index c01f45095877..82c4d2e45319 100644 +--- a/drivers/tty/Kconfig ++++ b/drivers/tty/Kconfig +@@ -226,7 +226,7 @@ config CYCLADES + + config CYZ_INTR + bool "Cyclades-Z interrupt mode operation" +- depends on CYCLADES ++ depends on CYCLADES && PCI + help + The Cyclades-Z family of multiport cards allows 2 (two) driver op + modes: polling and interrupt. In polling mode, the driver will check +diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c +index 7a3d146a5f0e..5cc3ca1dd5c9 100644 +--- a/drivers/tty/hvc/hvc_xen.c ++++ b/drivers/tty/hvc/hvc_xen.c +@@ -322,6 +322,7 @@ void xen_console_resume(void) + } + } + ++#ifdef CONFIG_HVC_XEN_FRONTEND + static void xencons_disconnect_backend(struct xencons_info *info) + { + if (info->irq > 0) +@@ -362,7 +363,6 @@ static int xen_console_remove(struct xencons_info *info) + return 0; + } + +-#ifdef CONFIG_HVC_XEN_FRONTEND + static int xencons_remove(struct xenbus_device *dev) + { + return xen_console_remove(dev_get_drvdata(&dev->dev)); +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index aba20f66bdd9..66e257b5a5b7 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1808,7 +1808,7 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old) + { + struct n_tty_data *ldata = tty->disc_data; + +- if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) { ++ if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) { + bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE); + ldata->line_start = ldata->read_tail; + if (!L_ICANON(tty) || !read_cnt(ldata)) { +@@ -2517,7 +2517,7 @@ static int n_tty_ioctl(struct tty_struct *tty, struct file *file, + return put_user(tty_chars_in_buffer(tty), (int __user *) arg); + case TIOCINQ: + down_write(&tty->termios_rwsem); +- if (L_ICANON(tty)) ++ if (L_ICANON(tty) && !L_EXTPROC(tty)) + retval = inq_canon(ldata); + else + retval = read_cnt(ldata); +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c +index 529cc86283e7..9c27ee008dff 100644 +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -133,6 +133,12 @@ static void sysrq_handle_crash(int key) + { + char *killer = NULL; + ++ /* we need to release the RCU read lock here, ++ * otherwise we get an annoying ++ * 'BUG: sleeping function called from invalid context' ++ * complaint from the kernel before the panic. ++ */ ++ rcu_read_unlock(); + panic_on_oops = 1; /* force panic */ + wmb(); + *killer = 1; +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 463d8a3375f5..eeed4b45d35c 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -381,7 +381,7 @@ static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags) + + res = usb_submit_urb(acm->read_urbs[index], mem_flags); + if (res) { +- if (res != -EPERM) { ++ if (res != -EPERM && res != -ENODEV) { + dev_err(&acm->data->dev, + "%s - usb_submit_urb failed: %d\n", + __func__, res); +@@ -1707,6 +1707,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0ace, 0x1611), /* ZyDAS 56K USB MODEM - new version */ + .driver_info = SINGLE_RX_URB, /* firmware bug */ + }, ++ { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */ ++ .driver_info = SINGLE_RX_URB, ++ }, + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 50010282c010..774c97bb1c08 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -57,10 +57,11 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Microsoft LifeCam-VX700 v2.0 */ + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME }, + +- /* Logitech HD Pro Webcams C920, C920-C and C930e */ ++ /* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */ + { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT }, ++ { USB_DEVICE(0x046d, 0x085b), .driver_info = USB_QUIRK_DELAY_INIT }, + + /* Logitech ConferenceCam CC3000e */ + { USB_DEVICE(0x046d, 0x0847), .driver_info = USB_QUIRK_DELAY_INIT }, +@@ -154,6 +155,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */ + { USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* ELSA MicroLink 56K */ ++ { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */ + { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM }, + +@@ -221,6 +225,9 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Corsair K70 RGB */ ++ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index ff56aaa00bf7..3ce30909cbe4 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2376,6 +2376,8 @@ static void dwc3_gadget_conndone_interrupt(struct dwc3 *dwc) + break; + } + ++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket; ++ + /* Enable USB2 LPM Capability */ + + if ((dwc->revision > DWC3_REVISION_194A) +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index a01d90fe37d9..54c15622e133 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -103,7 +103,6 @@ int config_ep_by_speed(struct usb_gadget *g, + struct usb_function *f, + struct usb_ep *_ep) + { +- struct usb_composite_dev *cdev = get_gadget_data(g); + struct usb_endpoint_descriptor *chosen_desc = NULL; + struct usb_descriptor_header **speed_desc = NULL; + +@@ -170,8 +169,12 @@ ep_found: + _ep->maxburst = comp_desc->bMaxBurst + 1; + break; + default: +- if (comp_desc->bMaxBurst != 0) ++ if (comp_desc->bMaxBurst != 0) { ++ struct usb_composite_dev *cdev; ++ ++ cdev = get_gadget_data(g); + ERROR(cdev, "ep0 bMaxBurst must be 0\n"); ++ } + _ep->maxburst = 1; + break; + } +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 2c25a5dec442..6b62bb5c021c 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2756,10 +2756,8 @@ static int _ffs_func_bind(struct usb_configuration *c, + struct ffs_data *ffs = func->ffs; + + const int full = !!func->ffs->fs_descs_count; +- const int high = gadget_is_dualspeed(func->gadget) && +- func->ffs->hs_descs_count; +- const int super = gadget_is_superspeed(func->gadget) && +- func->ffs->ss_descs_count; ++ const int high = !!func->ffs->hs_descs_count; ++ const int super = !!func->ffs->ss_descs_count; + + int fs_len, hs_len, ss_len, ret, i; + +@@ -3486,7 +3484,8 @@ static void ffs_closed(struct ffs_data *ffs) + ci = opts->func_inst.group.cg_item.ci_parent->ci_parent; + ffs_dev_unlock(); + +- unregister_gadget_item(ci); ++ if (test_bit(FFS_FL_BOUND, &ffs->flags)) ++ unregister_gadget_item(ci); + return; + done: + ffs_dev_unlock(); +diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c +index 7405ce32a690..0e704a857115 100644 +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -611,6 +611,14 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) + opts->streaming_maxpacket = clamp(opts->streaming_maxpacket, 1U, 3072U); + opts->streaming_maxburst = min(opts->streaming_maxburst, 15U); + ++ /* For SS, wMaxPacketSize has to be 1024 if bMaxBurst is not 0 */ ++ if (opts->streaming_maxburst && ++ (opts->streaming_maxpacket % 1024) != 0) { ++ opts->streaming_maxpacket = roundup(opts->streaming_maxpacket, 1024); ++ INFO(cdev, "overriding streaming_maxpacket to %d\n", ++ opts->streaming_maxpacket); ++ } ++ + /* Fill in the FS/HS/SS Video Streaming specific descriptors from the + * module parameters. + * +diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c +index 613547f07828..2e04d6596ac6 100644 +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -1534,7 +1534,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev, + td = phys_to_virt(addr); + addr2 = (dma_addr_t)td->next; + pci_pool_free(dev->data_requests, td, addr); +- td->next = 0x00; + addr = addr2; + } + req->chain_len = 1; +diff --git a/drivers/usb/host/ohci-q.c b/drivers/usb/host/ohci-q.c +index 47d2c09e4f35..5cd4b286b198 100644 +--- a/drivers/usb/host/ohci-q.c ++++ b/drivers/usb/host/ohci-q.c +@@ -1017,6 +1017,8 @@ skip_ed: + * have modified this list. normally it's just prepending + * entries (which we'd ignore), but paranoia won't hurt. + */ ++ *last = ed->ed_next; ++ ed->ed_next = NULL; + modified = 0; + + /* unlink urbs as requested, but rescan the list after +@@ -1075,21 +1077,22 @@ rescan_this: + goto rescan_this; + + /* +- * If no TDs are queued, take ED off the ed_rm_list. ++ * If no TDs are queued, ED is now idle. + * Otherwise, if the HC is running, reschedule. +- * If not, leave it on the list for further dequeues. ++ * If the HC isn't running, add ED back to the ++ * start of the list for later processing. + */ + if (list_empty(&ed->td_list)) { +- *last = ed->ed_next; +- ed->ed_next = NULL; + ed->state = ED_IDLE; + list_del(&ed->in_use_list); + } else if (ohci->rh_state == OHCI_RH_RUNNING) { +- *last = ed->ed_next; +- ed->ed_next = NULL; + ed_schedule(ohci, ed); + } else { +- last = &ed->ed_next; ++ ed->ed_next = ohci->ed_rm_list; ++ ohci->ed_rm_list = ed; ++ /* Don't loop on the same ED */ ++ if (last == &ohci->ed_rm_list) ++ last = &ed->ed_next; + } + + if (modified) +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index e91cbf360afe..8a82e14829e9 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -181,6 +181,9 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + xhci->quirks |= XHCI_BROKEN_STREAMS; + } ++ if (pdev->vendor == PCI_VENDOR_ID_RENESAS && ++ pdev->device == 0x0014) ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH; + if (pdev->vendor == PCI_VENDOR_ID_RENESAS && + pdev->device == 0x0015) + xhci->quirks |= XHCI_RESET_ON_RESUME; +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 23c5bdab988d..e92b9903faa4 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -266,6 +266,7 @@ MODULE_DEVICE_TABLE(of, usb_xhci_of_match); + static struct platform_driver usb_xhci_driver = { + .probe = xhci_plat_probe, + .remove = xhci_plat_remove, ++ .shutdown = usb_hcd_platform_shutdown, + .driver = { + .name = "xhci-hcd", + .pm = DEV_PM_OPS, +diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c +index 82503a7ff6c8..2bbca7d674d6 100644 +--- a/drivers/usb/misc/ldusb.c ++++ b/drivers/usb/misc/ldusb.c +@@ -46,6 +46,9 @@ + #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 /* USB Product ID of Micro-CASSY Time (reserved) */ + #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 /* USB Product ID of Micro-CASSY Temperature */ + #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 /* USB Product ID of Micro-CASSY pH */ ++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 /* USB Product ID of Power Analyser CASSY */ ++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 /* USB Product ID of Converter Controller CASSY */ ++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 /* USB Product ID of Machine Test CASSY */ + #define USB_DEVICE_ID_LD_JWM 0x1080 /* USB Product ID of Joule and Wattmeter */ + #define USB_DEVICE_ID_LD_DMMP 0x1081 /* USB Product ID of Digital Multimeter P (reserved) */ + #define USB_DEVICE_ID_LD_UMIP 0x1090 /* USB Product ID of UMI P */ +@@ -94,6 +97,9 @@ static const struct usb_device_id ld_usb_table[] = { + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) }, ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) }, ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) }, ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) }, +diff --git a/drivers/usb/misc/usb3503.c b/drivers/usb/misc/usb3503.c +index 64ff5b91752d..b117a1f6bfc3 100644 +--- a/drivers/usb/misc/usb3503.c ++++ b/drivers/usb/misc/usb3503.c +@@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503 *hub) + if (gpio_is_valid(hub->gpio_reset)) { + err = devm_gpio_request_one(dev, hub->gpio_reset, + GPIOF_OUT_INIT_LOW, "usb3503 reset"); ++ /* Datasheet defines a hardware reset to be at least 100us */ ++ usleep_range(100, 10000); + if (err) { + dev_err(dev, + "unable to request GPIO %d as reset pin (%d)\n", +diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c +index 9a62e89d6dc0..bbec84dd34fb 100644 +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1000,7 +1000,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg + break; + + case MON_IOCQ_RING_SIZE: ++ mutex_lock(&rp->fetch_lock); + ret = rp->b_size; ++ mutex_unlock(&rp->fetch_lock); + break; + + case MON_IOCT_RING_SIZE: +@@ -1227,12 +1229,16 @@ static int mon_bin_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf) + unsigned long offset, chunk_idx; + struct page *pageptr; + ++ mutex_lock(&rp->fetch_lock); + offset = vmf->pgoff << PAGE_SHIFT; +- if (offset >= rp->b_size) ++ if (offset >= rp->b_size) { ++ mutex_unlock(&rp->fetch_lock); + return VM_FAULT_SIGBUS; ++ } + chunk_idx = offset / CHUNK_SIZE; + pageptr = rp->b_vec[chunk_idx].pg; + get_page(pageptr); ++ mutex_unlock(&rp->fetch_lock); + vmf->page = pageptr; + return 0; + } +diff --git a/drivers/usb/musb/ux500_dma.c b/drivers/usb/musb/ux500_dma.c +index e93845c26bdb..c17495e7fcc5 100644 +--- a/drivers/usb/musb/ux500_dma.c ++++ b/drivers/usb/musb/ux500_dma.c +@@ -207,9 +207,6 @@ static int ux500_dma_channel_program(struct dma_channel *channel, + BUG_ON(channel->status == MUSB_DMA_STATUS_UNKNOWN || + channel->status == MUSB_DMA_STATUS_BUSY); + +- if (!ux500_dma_is_compatible(channel, packet_sz, (void *)dma_addr, len)) +- return false; +- + channel->status = MUSB_DMA_STATUS_BUSY; + channel->actual_len = 0; + ret = ux500_configure_channel(channel, packet_sz, mode, dma_addr, len); +diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c +index 8bb9367ada45..6f37966ea54b 100644 +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -999,6 +999,10 @@ static int usbhsf_dma_prepare_pop_with_usb_dmac(struct usbhs_pkt *pkt, + if ((uintptr_t)pkt->buf & (USBHS_USB_DMAC_XFER_SIZE - 1)) + goto usbhsf_pio_prepare_pop; + ++ /* return at this time if the pipe is running */ ++ if (usbhs_pipe_is_running(pipe)) ++ return 0; ++ + usbhs_pipe_config_change_bfre(pipe, 1); + + ret = usbhsf_fifo_select(pipe, fifo, 0); +@@ -1189,6 +1193,7 @@ static int usbhsf_dma_pop_done_with_usb_dmac(struct usbhs_pkt *pkt, + usbhsf_fifo_clear(pipe, fifo); + pkt->actual = usbhs_dma_calc_received_size(pkt, chan, rcv_len); + ++ usbhs_pipe_running(pipe, 0); + usbhsf_dma_stop(pipe, fifo); + usbhsf_dma_unmap(pkt); + usbhsf_fifo_unselect(pipe, pipe->fifo); +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index b7cf1982d1d9..941716c1177e 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -63,6 +63,7 @@ config USB_SERIAL_SIMPLE + - Google USB serial devices + - HP4x calculators + - a number of Motorola phones ++ - Motorola Tetra devices + - Novatel Wireless GPS receivers + - Siemens USB/MPI adapter. + - ViVOtech ViVOpay USB device. +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index b1be08570088..142c876e7b19 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -119,6 +119,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */ + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ + { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ ++ { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */ + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ +@@ -168,6 +169,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ + { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ ++ { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */ + { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */ + { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ + { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ +diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c +index 749e1b674145..6947985ccfb0 100644 +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2219,7 +2219,6 @@ static int write_cmd_usb(struct edgeport_port *edge_port, + /* something went wrong */ + dev_err(dev, "%s - usb_submit_urb(write command) failed, status = %d\n", + __func__, status); +- usb_kill_urb(urb); + usb_free_urb(urb); + atomic_dec(&CmdUrbs); + return status; +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index dc489fb4261b..0d31ca1cbf35 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -277,6 +277,7 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_LE922_USBCFG3 0x1043 + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045 + #define TELIT_PRODUCT_ME910 0x1100 ++#define TELIT_PRODUCT_ME910_DUAL_MODEM 0x1101 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 + #define TELIT_PRODUCT_LE910_USBCFG4 0x1206 +@@ -374,6 +375,9 @@ static void option_instat_callback(struct urb *urb); + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603 + #define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01 + ++/* Fujisoft products */ ++#define FUJISOFT_PRODUCT_FS040U 0x9b02 ++ + /* iBall 3.5G connect wireless modem */ + #define IBALL_3_5G_CONNECT 0x9605 + +@@ -642,6 +646,11 @@ static const struct option_blacklist_info telit_me910_blacklist = { + .reserved = BIT(1) | BIT(3), + }; + ++static const struct option_blacklist_info telit_me910_dual_modem_blacklist = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(3), ++}; ++ + static const struct option_blacklist_info telit_le910_blacklist = { + .sendsetup = BIT(0), + .reserved = BIT(1) | BIT(2), +@@ -1241,6 +1250,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = (kernel_ulong_t)&telit_me910_blacklist }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), ++ .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), +@@ -1874,6 +1885,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), + .driver_info = (kernel_ulong_t)&four_g_w100_blacklist + }, ++ {USB_DEVICE(LONGCHEER_VENDOR_ID, FUJISOFT_PRODUCT_FS040U), ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist}, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff), + .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index a51b28379850..3da25ad267a2 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -39,6 +39,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ2) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_DCU11) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ3) }, ++ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_CHILITAG) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_PHAROS) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ALDIGA) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MMX) }, +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index 3b5a15d1dc0d..123289085ee2 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -17,6 +17,7 @@ + #define PL2303_PRODUCT_ID_DCU11 0x1234 + #define PL2303_PRODUCT_ID_PHAROS 0xaaa0 + #define PL2303_PRODUCT_ID_RSAQ3 0xaaa2 ++#define PL2303_PRODUCT_ID_CHILITAG 0xaaa8 + #define PL2303_PRODUCT_ID_ALDIGA 0x0611 + #define PL2303_PRODUCT_ID_MMX 0x0612 + #define PL2303_PRODUCT_ID_GPRS 0x0609 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index e98b6e57b703..6aa7ff2c1cf7 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -80,6 +80,11 @@ DEVICE(vivopay, VIVOPAY_IDS); + { USB_DEVICE(0x22b8, 0x2c64) } /* Motorola V950 phone */ + DEVICE(moto_modem, MOTO_IDS); + ++/* Motorola Tetra driver */ ++#define MOTOROLA_TETRA_IDS() \ ++ { USB_DEVICE(0x0cad, 0x9011) } /* Motorola Solutions TETRA PEI */ ++DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); ++ + /* Novatel Wireless GPS driver */ + #define NOVATEL_IDS() \ + { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */ +@@ -110,6 +115,7 @@ static struct usb_serial_driver * const serial_drivers[] = { + &google_device, + &vivopay_device, + &moto_modem_device, ++ &motorola_tetra_device, + &novatel_gps_device, + &hp4x_device, + &suunto_device, +@@ -125,6 +131,7 @@ static const struct usb_device_id id_table[] = { + GOOGLE_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), ++ MOTOROLA_TETRA_IDS(), + NOVATEL_IDS(), + HP4X_IDS(), + SUUNTO_IDS(), +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index f58ae4a84c11..021d6880a3ed 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -1052,20 +1052,19 @@ static int uas_post_reset(struct usb_interface *intf) + return 0; + + err = uas_configure_endpoints(devinfo); +- if (err) { ++ if (err && err != ENODEV) + shost_printk(KERN_ERR, shost, + "%s: alloc streams error %d after reset", + __func__, err); +- return 1; +- } + ++ /* we must unblock the host in every case lest we deadlock */ + spin_lock_irqsave(shost->host_lock, flags); + scsi_report_bus_reset(shost, 0); + spin_unlock_irqrestore(shost->host_lock, flags); + + scsi_unblock_requests(shost); + +- return 0; ++ return err ? 1 : 0; + } + + static int uas_suspend(struct usb_interface *intf, pm_message_t message) +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h +index 2f80163ffb94..8ed80f28416f 100644 +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -155,6 +155,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_ATA_1X), + ++/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */ ++UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999, ++ "Norelsys", ++ "NS1068X", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_IGNORE_UAS), ++ + /* Reported-by: Takeo Nakayama <javhera@gmx.com> */ + UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999, + "JMicron", +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index a3ec49bdc1e6..0931f3271119 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr, + goto err; + + sdev->ud.tcp_socket = socket; ++ sdev->ud.sockfd = sockfd; + + spin_unlock_irq(&sdev->ud.lock); + +@@ -163,8 +164,7 @@ static void stub_shutdown_connection(struct usbip_device *ud) + * step 1? + */ + if (ud->tcp_socket) { +- dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n", +- ud->tcp_socket); ++ dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd); + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR); + } + +@@ -187,6 +187,7 @@ static void stub_shutdown_connection(struct usbip_device *ud) + if (ud->tcp_socket) { + sockfd_put(ud->tcp_socket); + ud->tcp_socket = NULL; ++ ud->sockfd = -1; + } + + /* 3. free used data */ +@@ -281,6 +282,7 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev) + sdev->ud.status = SDEV_ST_AVAILABLE; + spin_lock_init(&sdev->ud.lock); + sdev->ud.tcp_socket = NULL; ++ sdev->ud.sockfd = -1; + + INIT_LIST_HEAD(&sdev->priv_init); + INIT_LIST_HEAD(&sdev->priv_tx); +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index af10f7b131a4..325b4c05acdd 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -252,11 +252,12 @@ void stub_device_cleanup_urbs(struct stub_device *sdev) + struct stub_priv *priv; + struct urb *urb; + +- dev_dbg(&sdev->udev->dev, "free sdev %p\n", sdev); ++ dev_dbg(&sdev->udev->dev, "Stub device cleaning up urbs\n"); + + while ((priv = stub_priv_pop(sdev))) { + urb = priv->urb; +- dev_dbg(&sdev->udev->dev, "free urb %p\n", urb); ++ dev_dbg(&sdev->udev->dev, "free urb seqnum %lu\n", ++ priv->seqnum); + usb_kill_urb(urb); + + kmem_cache_free(stub_priv_cache, priv); +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 00e475c51a12..56cacb68040c 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -230,9 +230,6 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev, + if (priv->seqnum != pdu->u.cmd_unlink.seqnum) + continue; + +- dev_info(&priv->urb->dev->dev, "unlink urb %p\n", +- priv->urb); +- + /* + * This matched urb is not completed yet (i.e., be in + * flight in usb hcd hardware/driver). Now we are +@@ -271,8 +268,8 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev, + ret = usb_unlink_urb(priv->urb); + if (ret != -EINPROGRESS) + dev_err(&priv->urb->dev->dev, +- "failed to unlink a urb %p, ret %d\n", +- priv->urb, ret); ++ "failed to unlink a urb # %lu, ret %d\n", ++ priv->seqnum, ret); + + return 0; + } +@@ -341,23 +338,26 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, + return priv; + } + +-static int get_pipe(struct stub_device *sdev, int epnum, int dir) ++static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) + { + struct usb_device *udev = sdev->udev; + struct usb_host_endpoint *ep; + struct usb_endpoint_descriptor *epd = NULL; ++ int epnum = pdu->base.ep; ++ int dir = pdu->base.direction; ++ ++ if (epnum < 0 || epnum > 15) ++ goto err_ret; + + if (dir == USBIP_DIR_IN) + ep = udev->ep_in[epnum & 0x7f]; + else + ep = udev->ep_out[epnum & 0x7f]; +- if (!ep) { +- dev_err(&sdev->interface->dev, "no such endpoint?, %d\n", +- epnum); +- BUG(); +- } ++ if (!ep) ++ goto err_ret; + + epd = &ep->desc; ++ + if (usb_endpoint_xfer_control(epd)) { + if (dir == USBIP_DIR_OUT) + return usb_sndctrlpipe(udev, epnum); +@@ -380,15 +380,37 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) + } + + if (usb_endpoint_xfer_isoc(epd)) { ++ /* validate packet size and number of packets */ ++ unsigned int maxp, packets, bytes; ++ ++#define USB_EP_MAXP_MULT_SHIFT 11 ++#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) ++#define USB_EP_MAXP_MULT(m) \ ++ (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) ++ ++ maxp = usb_endpoint_maxp(epd); ++ maxp *= (USB_EP_MAXP_MULT( ++ __le16_to_cpu(epd->wMaxPacketSize)) + 1); ++ bytes = pdu->u.cmd_submit.transfer_buffer_length; ++ packets = DIV_ROUND_UP(bytes, maxp); ++ ++ if (pdu->u.cmd_submit.number_of_packets < 0 || ++ pdu->u.cmd_submit.number_of_packets > packets) { ++ dev_err(&sdev->udev->dev, ++ "CMD_SUBMIT: isoc invalid num packets %d\n", ++ pdu->u.cmd_submit.number_of_packets); ++ return -1; ++ } + if (dir == USBIP_DIR_OUT) + return usb_sndisocpipe(udev, epnum); + else + return usb_rcvisocpipe(udev, epnum); + } + ++err_ret: + /* NOT REACHED */ +- dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum); +- return 0; ++ dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); ++ return -1; + } + + static void masking_bogus_flags(struct urb *urb) +@@ -452,7 +474,10 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + struct stub_priv *priv; + struct usbip_device *ud = &sdev->ud; + struct usb_device *udev = sdev->udev; +- int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); ++ int pipe = get_pipe(sdev, pdu); ++ ++ if (pipe == -1) ++ return; + + priv = stub_priv_alloc(sdev, pdu); + if (!priv) +diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c +index af858d52608a..f4dd30c56f36 100644 +--- a/drivers/usb/usbip/stub_tx.c ++++ b/drivers/usb/usbip/stub_tx.c +@@ -201,8 +201,8 @@ static int stub_send_ret_submit(struct stub_device *sdev) + + /* 1. setup usbip_header */ + setup_ret_submit_pdu(&pdu_header, urb); +- usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n", +- pdu_header.base.seqnum, urb); ++ usbip_dbg_stub_tx("setup txdata seqnum: %d\n", ++ pdu_header.base.seqnum); + usbip_header_correct_endian(&pdu_header, 1); + + iov[iovnum].iov_base = &pdu_header; +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index e40da7759a0e..1838f1b2c2fa 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -103,7 +103,7 @@ static void usbip_dump_usb_device(struct usb_device *udev) + dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)", + udev->devnum, udev->devpath, usb_speed_string(udev->speed)); + +- pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport); ++ pr_debug("tt hub ttport %d\n", udev->ttport); + + dev_dbg(dev, " "); + for (i = 0; i < 16; i++) +@@ -136,12 +136,8 @@ static void usbip_dump_usb_device(struct usb_device *udev) + } + pr_debug("\n"); + +- dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus); +- +- dev_dbg(dev, +- "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n", +- &udev->descriptor, udev->config, +- udev->actconfig, udev->rawdescriptors); ++ dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev), ++ udev->bus->bus_name); + + dev_dbg(dev, "have_langid %d, string_langid %d\n", + udev->have_langid, udev->string_langid); +@@ -249,9 +245,6 @@ void usbip_dump_urb(struct urb *urb) + + dev = &urb->dev->dev; + +- dev_dbg(dev, " urb :%p\n", urb); +- dev_dbg(dev, " dev :%p\n", urb->dev); +- + usbip_dump_usb_device(urb->dev); + + dev_dbg(dev, " pipe :%08x ", urb->pipe); +@@ -260,11 +253,9 @@ void usbip_dump_urb(struct urb *urb) + + dev_dbg(dev, " status :%d\n", urb->status); + dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags); +- dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer); + dev_dbg(dev, " transfer_buffer_length:%d\n", + urb->transfer_buffer_length); + dev_dbg(dev, " actual_length :%d\n", urb->actual_length); +- dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet); + + if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL) + usbip_dump_usb_ctrlrequest( +@@ -274,8 +265,6 @@ void usbip_dump_urb(struct urb *urb) + dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets); + dev_dbg(dev, " interval :%d\n", urb->interval); + dev_dbg(dev, " error_count :%d\n", urb->error_count); +- dev_dbg(dev, " context :%p\n", urb->context); +- dev_dbg(dev, " complete :%p\n", urb->complete); + } + EXPORT_SYMBOL_GPL(usbip_dump_urb); + +@@ -328,18 +317,14 @@ int usbip_recv(struct socket *sock, void *buf, int size) + struct msghdr msg; + struct kvec iov; + int total = 0; +- + /* for blocks of if (usbip_dbg_flag_xmit) */ + char *bp = buf; + int osize = size; + +- usbip_dbg_xmit("enter\n"); +- +- if (!sock || !buf || !size) { +- pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf, +- size); ++ if (!sock || !buf || !size) + return -EINVAL; +- } ++ ++ usbip_dbg_xmit("enter\n"); + + do { + sock->sk->sk_allocation = GFP_NOIO; +@@ -352,11 +337,8 @@ int usbip_recv(struct socket *sock, void *buf, int size) + msg.msg_flags = MSG_NOSIGNAL; + + result = kernel_recvmsg(sock, &msg, &iov, 1, size, MSG_WAITALL); +- if (result <= 0) { +- pr_debug("receive sock %p buf %p size %u ret %d total %d\n", +- sock, buf, size, result, total); ++ if (result <= 0) + goto err; +- } + + size -= result; + buf += result; +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index 86b08475c254..f875ccaa55f9 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -261,6 +261,7 @@ struct usbip_device { + /* lock for status */ + spinlock_t lock; + ++ int sockfd; + struct socket *tcp_socket; + + struct task_struct *tcp_rx; +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c +index e9ef1eccdace..17498af82b69 100644 +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -462,9 +462,6 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, + int ret = 0; + struct vhci_device *vdev; + +- usbip_dbg_vhci_hc("enter, usb_hcd %p urb %p mem_flags %d\n", +- hcd, urb, mem_flags); +- + /* patch to usb_sg_init() is in 2.5.60 */ + BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length); + +@@ -620,8 +617,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + struct vhci_priv *priv; + struct vhci_device *vdev; + +- pr_info("dequeue a urb %p\n", urb); +- + spin_lock(&the_controller->lock); + + priv = urb->hcpriv; +@@ -649,7 +644,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + /* tcp connection is closed */ + spin_lock(&vdev->priv_lock); + +- pr_info("device %p seems to be disconnected\n", vdev); + list_del(&priv->list); + kfree(priv); + urb->hcpriv = NULL; +@@ -661,8 +655,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + * vhci_rx will receive RET_UNLINK and give back the URB. + * Otherwise, we give back it here. + */ +- pr_info("gives back urb %p\n", urb); +- + usb_hcd_unlink_urb_from_ep(hcd, urb); + + spin_unlock(&the_controller->lock); +@@ -691,8 +683,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + + unlink->unlink_seqnum = priv->seqnum; + +- pr_info("device %p seems to be still connected\n", vdev); +- + /* send cmd_unlink and try to cancel the pending URB in the + * peer */ + list_add_tail(&unlink->list, &vdev->unlink_tx); +@@ -771,7 +761,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud) + + /* need this? see stub_dev.c */ + if (ud->tcp_socket) { +- pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket); ++ pr_debug("shutdown sockfd %d\n", ud->sockfd); + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR); + } + +@@ -790,6 +780,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud) + if (vdev->ud.tcp_socket) { + sockfd_put(vdev->ud.tcp_socket); + vdev->ud.tcp_socket = NULL; ++ vdev->ud.sockfd = -1; + } + pr_info("release socket\n"); + +@@ -836,6 +827,7 @@ static void vhci_device_reset(struct usbip_device *ud) + if (ud->tcp_socket) { + sockfd_put(ud->tcp_socket); + ud->tcp_socket = NULL; ++ ud->sockfd = -1; + } + ud->status = VDEV_ST_NULL; + +diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c +index 00e4a54308e4..bc4eb0855314 100644 +--- a/drivers/usb/usbip/vhci_rx.c ++++ b/drivers/usb/usbip/vhci_rx.c +@@ -37,24 +37,23 @@ struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev, __u32 seqnum) + urb = priv->urb; + status = urb->status; + +- usbip_dbg_vhci_rx("find urb %p vurb %p seqnum %u\n", +- urb, priv, seqnum); ++ usbip_dbg_vhci_rx("find urb seqnum %u\n", seqnum); + + switch (status) { + case -ENOENT: + /* fall through */ + case -ECONNRESET: +- dev_info(&urb->dev->dev, +- "urb %p was unlinked %ssynchronuously.\n", urb, +- status == -ENOENT ? "" : "a"); ++ dev_dbg(&urb->dev->dev, ++ "urb seq# %u was unlinked %ssynchronuously\n", ++ seqnum, status == -ENOENT ? "" : "a"); + break; + case -EINPROGRESS: + /* no info output */ + break; + default: +- dev_info(&urb->dev->dev, +- "urb %p may be in a error, status %d\n", urb, +- status); ++ dev_dbg(&urb->dev->dev, ++ "urb seq# %u may be in a error, status %d\n", ++ seqnum, status); + } + + list_del(&priv->list); +@@ -78,8 +77,8 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + spin_unlock(&vdev->priv_lock); + + if (!urb) { +- pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum); +- pr_info("max seqnum %d\n", ++ pr_err("cannot find a urb of seqnum %u max seqnum %d\n", ++ pdu->base.seqnum, + atomic_read(&the_controller->seqnum)); + usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); + return; +@@ -102,7 +101,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + if (usbip_dbg_flag_vhci_rx) + usbip_dump_urb(urb); + +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb); ++ usbip_dbg_vhci_rx("now giveback urb %u\n", pdu->base.seqnum); + + spin_lock(&the_controller->lock); + usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb); +@@ -165,7 +164,7 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev, + pr_info("the urb (seqnum %d) was already given back\n", + pdu->base.seqnum); + } else { +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb); ++ usbip_dbg_vhci_rx("now giveback urb %d\n", pdu->base.seqnum); + + /* If unlink is successful, status is -ECONNRESET */ + urb->status = pdu->u.ret_unlink.status; +diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c +index 211f43f67ea2..84c21c4ccf46 100644 +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -39,16 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, + + /* + * output example: +- * prt sta spd dev socket local_busid +- * 000 004 000 000 c5a7bb80 1-2.3 +- * 001 004 000 000 d8cee980 2-3.4 ++ * port sta spd dev sockfd local_busid ++ * 0000 004 000 00000000 000003 1-2.3 ++ * 0001 004 000 00000000 000004 2-3.4 + * +- * IP address can be retrieved from a socket pointer address by looking +- * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a +- * port number and its peer IP address. ++ * Output includes socket fd instead of socket pointer address to ++ * avoid leaking kernel memory address in: ++ * /sys/devices/platform/vhci_hcd.0/status and in debug output. ++ * The socket pointer address is not used at the moment and it was ++ * made visible as a convenient way to find IP address from socket ++ * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens ++ * a security hole, the change is made to use sockfd instead. + */ + out += sprintf(out, +- "prt sta spd bus dev socket local_busid\n"); ++ "prt sta spd bus dev sockfd local_busid\n"); + + for (i = 0; i < VHCI_NPORTS; i++) { + struct vhci_device *vdev = port_to_vdev(i); +@@ -60,11 +64,11 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr, + out += sprintf(out, "%03u %08x ", + vdev->speed, vdev->devid); + out += sprintf(out, "%16p ", vdev->ud.tcp_socket); ++ out += sprintf(out, "%06u", vdev->ud.sockfd); + out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); + +- } else { +- out += sprintf(out, "000 000 000 0000000000000000 0-0"); +- } ++ } else ++ out += sprintf(out, "000 000 000 000000 0-0"); + + out += sprintf(out, "\n"); + spin_unlock(&vdev->ud.lock); +@@ -223,6 +227,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, + + vdev->devid = devid; + vdev->speed = speed; ++ vdev->ud.sockfd = sockfd; + vdev->ud.tcp_socket = socket; + vdev->ud.status = VDEV_ST_NOTASSIGNED; + +diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c +index 409fd99f3257..3c5796c8633a 100644 +--- a/drivers/usb/usbip/vhci_tx.c ++++ b/drivers/usb/usbip/vhci_tx.c +@@ -82,7 +82,8 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev) + memset(&msg, 0, sizeof(msg)); + memset(&iov, 0, sizeof(iov)); + +- usbip_dbg_vhci_tx("setup txdata urb %p\n", urb); ++ usbip_dbg_vhci_tx("setup txdata urb seqnum %lu\n", ++ priv->seqnum); + + /* 1. setup usbip_header */ + setup_cmd_submit_pdu(&pdu_header, urb); +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 7d137a43cc86..14265c4c0203 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -982,6 +982,7 @@ static long vhost_net_reset_owner(struct vhost_net *n) + } + vhost_net_stop(n, &tx_sock, &rx_sock); + vhost_net_flush(n); ++ vhost_dev_stop(&n->dev); + vhost_dev_reset_owner(&n->dev, memory); + vhost_net_vq_reset(n); + done: +diff --git a/drivers/video/backlight/pwm_bl.c b/drivers/video/backlight/pwm_bl.c +index 6897f1c1bc73..95d01562ffa2 100644 +--- a/drivers/video/backlight/pwm_bl.c ++++ b/drivers/video/backlight/pwm_bl.c +@@ -79,14 +79,17 @@ static void pwm_backlight_power_off(struct pwm_bl_data *pb) + static int compute_duty_cycle(struct pwm_bl_data *pb, int brightness) + { + unsigned int lth = pb->lth_brightness; +- int duty_cycle; ++ u64 duty_cycle; + + if (pb->levels) + duty_cycle = pb->levels[brightness]; + else + duty_cycle = brightness; + +- return (duty_cycle * (pb->period - lth) / pb->scale) + lth; ++ duty_cycle *= pb->period - lth; ++ do_div(duty_cycle, pb->scale); ++ ++ return duty_cycle + lth; + } + + static int pwm_backlight_update_status(struct backlight_device *bl) +diff --git a/drivers/video/console/dummycon.c b/drivers/video/console/dummycon.c +index 0efc52f11ad0..b30e7d87804b 100644 +--- a/drivers/video/console/dummycon.c ++++ b/drivers/video/console/dummycon.c +@@ -68,7 +68,6 @@ const struct consw dummy_con = { + .con_switch = DUMMY, + .con_blank = DUMMY, + .con_font_set = DUMMY, +- .con_font_get = DUMMY, + .con_font_default = DUMMY, + .con_font_copy = DUMMY, + .con_set_palette = DUMMY, +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index 44eb7c737ea2..34af3a26472c 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -1506,6 +1506,7 @@ config FB_SIS + select FB_CFB_COPYAREA + select FB_CFB_IMAGEBLIT + select FB_BOOT_VESA_SUPPORT if FB_SIS = y ++ select FB_SIS_300 if !FB_SIS_315 + help + This is the frame buffer device driver for the SiS 300, 315, 330 + and 340 series as well as XGI V3XT, V5, V8, Z7 graphics chipsets. +diff --git a/drivers/video/fbdev/atmel_lcdfb.c b/drivers/video/fbdev/atmel_lcdfb.c +index 94a8d04e60f9..b16a1c16e212 100644 +--- a/drivers/video/fbdev/atmel_lcdfb.c ++++ b/drivers/video/fbdev/atmel_lcdfb.c +@@ -1121,7 +1121,7 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo) + goto put_display_node; + } + +- timings_np = of_find_node_by_name(display_np, "display-timings"); ++ timings_np = of_get_child_by_name(display_np, "display-timings"); + if (!timings_np) { + dev_err(dev, "failed to find display-timings node\n"); + ret = -ENODEV; +@@ -1142,6 +1142,12 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo) + fb_add_videomode(&fb_vm, &info->modelist); + } + ++ /* ++ * FIXME: Make sure we are not referencing any fields in display_np ++ * and timings_np and drop our references to them before returning to ++ * avoid leaking the nodes on probe deferral and driver unbind. ++ */ ++ + return 0; + + put_timings_node: +diff --git a/drivers/video/fbdev/auo_k190x.c b/drivers/video/fbdev/auo_k190x.c +index 8d2499d1cafb..9580374667ba 100644 +--- a/drivers/video/fbdev/auo_k190x.c ++++ b/drivers/video/fbdev/auo_k190x.c +@@ -773,9 +773,7 @@ static void auok190x_recover(struct auok190xfb_par *par) + /* + * Power-management + */ +- +-#ifdef CONFIG_PM +-static int auok190x_runtime_suspend(struct device *dev) ++static int __maybe_unused auok190x_runtime_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct fb_info *info = platform_get_drvdata(pdev); +@@ -822,7 +820,7 @@ finish: + return 0; + } + +-static int auok190x_runtime_resume(struct device *dev) ++static int __maybe_unused auok190x_runtime_resume(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct fb_info *info = platform_get_drvdata(pdev); +@@ -856,7 +854,7 @@ static int auok190x_runtime_resume(struct device *dev) + return 0; + } + +-static int auok190x_suspend(struct device *dev) ++static int __maybe_unused auok190x_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct fb_info *info = platform_get_drvdata(pdev); +@@ -896,7 +894,7 @@ static int auok190x_suspend(struct device *dev) + return 0; + } + +-static int auok190x_resume(struct device *dev) ++static int __maybe_unused auok190x_resume(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct fb_info *info = platform_get_drvdata(pdev); +@@ -933,7 +931,6 @@ static int auok190x_resume(struct device *dev) + + return 0; + } +-#endif + + const struct dev_pm_ops auok190x_pm = { + SET_RUNTIME_PM_OPS(auok190x_runtime_suspend, auok190x_runtime_resume, +diff --git a/drivers/video/fbdev/exynos/s6e8ax0.c b/drivers/video/fbdev/exynos/s6e8ax0.c +index 95873f26e39c..de2f3e793786 100644 +--- a/drivers/video/fbdev/exynos/s6e8ax0.c ++++ b/drivers/video/fbdev/exynos/s6e8ax0.c +@@ -829,8 +829,7 @@ static int s6e8ax0_probe(struct mipi_dsim_lcd_device *dsim_dev) + return 0; + } + +-#ifdef CONFIG_PM +-static int s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev) ++static int __maybe_unused s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev) + { + struct s6e8ax0 *lcd = dev_get_drvdata(&dsim_dev->dev); + +@@ -843,7 +842,7 @@ static int s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev) + return 0; + } + +-static int s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev) ++static int __maybe_unused s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev) + { + struct s6e8ax0 *lcd = dev_get_drvdata(&dsim_dev->dev); + +@@ -855,10 +854,6 @@ static int s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev) + + return 0; + } +-#else +-#define s6e8ax0_suspend NULL +-#define s6e8ax0_resume NULL +-#endif + + static struct mipi_dsim_lcd_driver s6e8ax0_dsim_ddi_driver = { + .name = "s6e8ax0", +@@ -867,8 +862,8 @@ static struct mipi_dsim_lcd_driver s6e8ax0_dsim_ddi_driver = { + .power_on = s6e8ax0_power_on, + .set_sequence = s6e8ax0_set_sequence, + .probe = s6e8ax0_probe, +- .suspend = s6e8ax0_suspend, +- .resume = s6e8ax0_resume, ++ .suspend = IS_ENABLED(CONFIG_PM) ? s6e8ax0_suspend : NULL, ++ .resume = IS_ENABLED(CONFIG_PM) ? s6e8ax0_resume : NULL, + }; + + static int s6e8ax0_init(void) +diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c +index b847d530471a..e8d1309ccefc 100644 +--- a/drivers/video/fbdev/intelfb/intelfbdrv.c ++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c +@@ -306,7 +306,7 @@ static __inline__ int get_opt_int(const char *this_opt, const char *name, + } + + static __inline__ int get_opt_bool(const char *this_opt, const char *name, +- int *ret) ++ bool *ret) + { + if (!ret) + return 0; +diff --git a/drivers/video/fbdev/mmp/core.c b/drivers/video/fbdev/mmp/core.c +index a0f496049db7..3a6bb6561ba0 100644 +--- a/drivers/video/fbdev/mmp/core.c ++++ b/drivers/video/fbdev/mmp/core.c +@@ -23,6 +23,7 @@ + #include <linux/slab.h> + #include <linux/dma-mapping.h> + #include <linux/export.h> ++#include <linux/module.h> + #include <video/mmp_disp.h> + + static struct mmp_overlay *path_get_overlay(struct mmp_path *path, +@@ -249,3 +250,7 @@ void mmp_unregister_path(struct mmp_path *path) + mutex_unlock(&disp_lock); + } + EXPORT_SYMBOL_GPL(mmp_unregister_path); ++ ++MODULE_AUTHOR("Zhou Zhu <zzhu3@marvell.com>"); ++MODULE_DESCRIPTION("Marvell MMP display framework"); ++MODULE_LICENSE("GPL"); +diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c +index 295e0dedaf1f..20f7234e809e 100644 +--- a/drivers/video/fbdev/sis/init301.c ++++ b/drivers/video/fbdev/sis/init301.c +@@ -2151,17 +2151,15 @@ SiS_GetVCLK2Ptr(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned shor + unsigned short RefreshRateTableIndex) + { + unsigned short CRT2Index, VCLKIndex = 0, VCLKIndexGEN = 0, VCLKIndexGENCRT = 0; +- unsigned short modeflag, resinfo, tempbx; ++ unsigned short resinfo, tempbx; + const unsigned char *CHTVVCLKPtr = NULL; + + if(ModeNo <= 0x13) { +- modeflag = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_ModeFlag; + resinfo = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_ResInfo; + CRT2Index = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_CRT2CRTC; + VCLKIndexGEN = (SiS_GetRegByte((SiS_Pr->SiS_P3ca+0x02)) >> 2) & 0x03; + VCLKIndexGENCRT = VCLKIndexGEN; + } else { +- modeflag = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_ModeFlag; + resinfo = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_RESINFO; + CRT2Index = SiS_Pr->SiS_RefIndex[RefreshRateTableIndex].Ext_CRT2CRTC; + VCLKIndexGEN = SiS_Pr->SiS_RefIndex[RefreshRateTableIndex].Ext_CRTVCLK; +@@ -7270,7 +7268,7 @@ SiS_ShiftXPos(struct SiS_Private *SiS_Pr, int shift) + static void + SiS_SetGroup4_C_ELV(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned short ModeIdIndex) + { +- unsigned short temp, temp1, resinfo = 0; ++ unsigned short temp, temp1; + unsigned char *ROMAddr = SiS_Pr->VirtualRomBase; + + if(!(SiS_Pr->SiS_VBType & VB_SIS30xCLV)) return; +@@ -7282,10 +7280,6 @@ SiS_SetGroup4_C_ELV(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned + if(!(ROMAddr[0x61] & 0x04)) return; + } + +- if(ModeNo > 0x13) { +- resinfo = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_RESINFO; +- } +- + SiS_SetRegOR(SiS_Pr->SiS_Part4Port,0x3a,0x08); + temp = SiS_GetReg(SiS_Pr->SiS_Part4Port,0x3a); + if(!(temp & 0x01)) { +diff --git a/drivers/video/fbdev/via/viafbdev.c b/drivers/video/fbdev/via/viafbdev.c +index f9718f012aae..badee04ef496 100644 +--- a/drivers/video/fbdev/via/viafbdev.c ++++ b/drivers/video/fbdev/via/viafbdev.c +@@ -1630,16 +1630,14 @@ static void viafb_init_proc(struct viafb_shared *shared) + } + static void viafb_remove_proc(struct viafb_shared *shared) + { +- struct proc_dir_entry *viafb_entry = shared->proc_entry, +- *iga1_entry = shared->iga1_proc_entry, +- *iga2_entry = shared->iga2_proc_entry; ++ struct proc_dir_entry *viafb_entry = shared->proc_entry; + + if (!viafb_entry) + return; + +- remove_proc_entry("output_devices", iga2_entry); ++ remove_proc_entry("output_devices", shared->iga2_proc_entry); + remove_proc_entry("iga2", viafb_entry); +- remove_proc_entry("output_devices", iga1_entry); ++ remove_proc_entry("output_devices", shared->iga1_proc_entry); + remove_proc_entry("iga1", viafb_entry); + remove_proc_entry("supported_output_devices", viafb_entry); + +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c +index 01d15dca940e..7cf26768ea0b 100644 +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -239,12 +239,14 @@ static void update_balloon_stats(struct virtio_balloon *vb) + all_vm_events(events); + si_meminfo(&i); + ++#ifdef CONFIG_VM_EVENT_COUNTERS + update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_IN, + pages_to_bytes(events[PSWPIN])); + update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_OUT, + pages_to_bytes(events[PSWPOUT])); + update_stat(vb, idx++, VIRTIO_BALLOON_S_MAJFLT, events[PGMAJFAULT]); + update_stat(vb, idx++, VIRTIO_BALLOON_S_MINFLT, events[PGFAULT]); ++#endif + update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMFREE, + pages_to_bytes(i.freeram)); + update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMTOT, +diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig +index 7cd226da15fe..a4918b00308f 100644 +--- a/drivers/xen/Kconfig ++++ b/drivers/xen/Kconfig +@@ -239,7 +239,7 @@ config XEN_ACPI_HOTPLUG_CPU + + config XEN_ACPI_PROCESSOR + tristate "Xen ACPI processor" +- depends on XEN && X86 && ACPI_PROCESSOR && CPU_FREQ ++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ + default m + help + This ACPI processor uploads Power Management information to the Xen +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 9dbe5b548fa6..0814dffa30c8 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -1260,7 +1260,7 @@ static int __btrfs_write_out_cache(struct btrfs_root *root, struct inode *inode, + /* Lock all pages first so we can lock the extent safely. */ + ret = io_ctl_prepare_pages(io_ctl, inode, 0); + if (ret) +- goto out; ++ goto out_unlock; + + lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1, + 0, &cached_state); +@@ -1353,6 +1353,7 @@ out_nospc_locked: + out_nospc: + cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list); + ++out_unlock: + if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA)) + up_write(&block_group->data_rwsem); + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index d14af5bd13d6..884e90e9622a 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1282,8 +1282,11 @@ next_slot: + leaf = path->nodes[0]; + if (path->slots[0] >= btrfs_header_nritems(leaf)) { + ret = btrfs_next_leaf(root, path); +- if (ret < 0) ++ if (ret < 0) { ++ if (cow_start != (u64)-1) ++ cur_offset = cow_start; + goto error; ++ } + if (ret > 0) + break; + leaf = path->nodes[0]; +@@ -1999,7 +2002,15 @@ again: + goto out; + } + +- btrfs_set_extent_delalloc(inode, page_start, page_end, &cached_state); ++ ret = btrfs_set_extent_delalloc(inode, page_start, page_end, ++ &cached_state); ++ if (ret) { ++ mapping_set_error(page->mapping, ret); ++ end_extent_writepage(page, ret, page_start, page_end); ++ ClearPageChecked(page); ++ goto out; ++ } ++ + ClearPageChecked(page); + set_page_dirty(page); + out: +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 2b115c309e1c..b7f6b473cd16 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2216,7 +2216,7 @@ static noinline int btrfs_search_path_in_tree(struct btrfs_fs_info *info, + if (!path) + return -ENOMEM; + +- ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX]; ++ ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX - 1]; + + key.objectid = tree_id; + key.type = BTRFS_ROOT_ITEM_KEY; +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 6ee954c62fe6..f355bd2d6ad8 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -26,6 +26,7 @@ + #include "print-tree.h" + #include "backref.h" + #include "hash.h" ++#include "inode-map.h" + + /* magic values for the inode_only field in btrfs_log_inode: + * +@@ -2343,6 +2344,9 @@ static noinline int walk_down_log_tree(struct btrfs_trans_handle *trans, + next); + btrfs_wait_tree_block_writeback(next); + btrfs_tree_unlock(next); ++ } else { ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) ++ clear_extent_buffer_dirty(next); + } + + WARN_ON(root_owner != +@@ -2422,6 +2426,9 @@ static noinline int walk_up_log_tree(struct btrfs_trans_handle *trans, + next); + btrfs_wait_tree_block_writeback(next); + btrfs_tree_unlock(next); ++ } else { ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) ++ clear_extent_buffer_dirty(next); + } + + WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID); +@@ -2498,6 +2505,9 @@ static int walk_log_tree(struct btrfs_trans_handle *trans, + clean_tree_block(trans, log->fs_info, next); + btrfs_wait_tree_block_writeback(next); + btrfs_tree_unlock(next); ++ } else { ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) ++ clear_extent_buffer_dirty(next); + } + + WARN_ON(log->root_key.objectid != +@@ -5294,6 +5304,23 @@ again: + path); + } + ++ if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) { ++ struct btrfs_root *root = wc.replay_dest; ++ ++ btrfs_release_path(path); ++ ++ /* ++ * We have just replayed everything, and the highest ++ * objectid of fs roots probably has changed in case ++ * some inode_item's got replayed. ++ * ++ * root->objectid_mutex is not acquired as log replay ++ * could only happen during mount. ++ */ ++ ret = btrfs_find_highest_objectid(root, ++ &root->highest_objectid); ++ } ++ + key.offset = found_key.offset - 1; + wc.replay_dest->log_root = NULL; + free_extent_buffer(log->node); +diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c +index 4acbc390a7d6..1d707a67f8ac 100644 +--- a/fs/cifs/cifsencrypt.c ++++ b/fs/cifs/cifsencrypt.c +@@ -306,9 +306,8 @@ int calc_lanman_hash(const char *password, const char *cryptkey, bool encrypt, + { + int i; + int rc; +- char password_with_pad[CIFS_ENCPWD_SIZE]; ++ char password_with_pad[CIFS_ENCPWD_SIZE] = {0}; + +- memset(password_with_pad, 0, CIFS_ENCPWD_SIZE); + if (password) + strncpy(password_with_pad, password, CIFS_ENCPWD_SIZE); + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index a2c100aed4b0..d733df946cc6 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1635,7 +1635,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, + tmp_end++; + if (!(tmp_end < end && tmp_end[1] == delim)) { + /* No it is not. Set the password to NULL */ +- kfree(vol->password); ++ kzfree(vol->password); + vol->password = NULL; + break; + } +@@ -1673,7 +1673,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, + options = end; + } + +- kfree(vol->password); ++ kzfree(vol->password); + /* Now build new password string */ + temp_len = strlen(value); + vol->password = kzalloc(temp_len+1, GFP_KERNEL); +@@ -4038,7 +4038,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid) + reset_cifs_unix_caps(0, tcon, NULL, vol_info); + out: + kfree(vol_info->username); +- kfree(vol_info->password); ++ kzfree(vol_info->password); + kfree(vol_info); + + return tcon; +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 47e04038a846..1366d2151389 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3231,20 +3231,18 @@ static struct vm_operations_struct cifs_file_vm_ops = { + + int cifs_file_strict_mmap(struct file *file, struct vm_area_struct *vma) + { +- int rc, xid; ++ int xid, rc = 0; + struct inode *inode = file_inode(file); + + xid = get_xid(); + +- if (!CIFS_CACHE_READ(CIFS_I(inode))) { ++ if (!CIFS_CACHE_READ(CIFS_I(inode))) + rc = cifs_zap_mapping(inode); +- if (rc) +- return rc; +- } +- +- rc = generic_file_mmap(file, vma); +- if (rc == 0) ++ if (!rc) ++ rc = generic_file_mmap(file, vma); ++ if (!rc) + vma->vm_ops = &cifs_file_vm_ops; ++ + free_xid(xid); + return rc; + } +@@ -3254,16 +3252,16 @@ int cifs_file_mmap(struct file *file, struct vm_area_struct *vma) + int rc, xid; + + xid = get_xid(); ++ + rc = cifs_revalidate_file(file); +- if (rc) { ++ if (rc) + cifs_dbg(FYI, "Validation prior to mmap failed, error=%d\n", + rc); +- free_xid(xid); +- return rc; +- } +- rc = generic_file_mmap(file, vma); +- if (rc == 0) ++ if (!rc) ++ rc = generic_file_mmap(file, vma); ++ if (!rc) + vma->vm_ops = &cifs_file_vm_ops; ++ + free_xid(xid); + return rc; + } +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index 8442b8b8e0be..a9b68cb38c12 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -99,14 +99,11 @@ sesInfoFree(struct cifs_ses *buf_to_free) + kfree(buf_to_free->serverOS); + kfree(buf_to_free->serverDomain); + kfree(buf_to_free->serverNOS); +- if (buf_to_free->password) { +- memset(buf_to_free->password, 0, strlen(buf_to_free->password)); +- kfree(buf_to_free->password); +- } ++ kzfree(buf_to_free->password); + kfree(buf_to_free->user_name); + kfree(buf_to_free->domainName); +- kfree(buf_to_free->auth_key.response); +- kfree(buf_to_free); ++ kzfree(buf_to_free->auth_key.response); ++ kzfree(buf_to_free); + } + + struct cifs_tcon * +@@ -136,10 +133,7 @@ tconInfoFree(struct cifs_tcon *buf_to_free) + } + atomic_dec(&tconInfoAllocCount); + kfree(buf_to_free->nativeFileSystem); +- if (buf_to_free->password) { +- memset(buf_to_free->password, 0, strlen(buf_to_free->password)); +- kfree(buf_to_free->password); +- } ++ kzfree(buf_to_free->password); + kfree(buf_to_free); + } + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 0cf4a76e8e94..69422157c71b 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -507,8 +507,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) + } + + /* check validate negotiate info response matches what we got earlier */ +- if (pneg_rsp->Dialect != +- cpu_to_le16(tcon->ses->server->vals->protocol_id)) ++ if (pneg_rsp->Dialect != cpu_to_le16(tcon->ses->server->dialect)) + goto vneg_out; + + if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode)) +diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c +index d6aeb84e90b6..d882d873c5a3 100644 +--- a/fs/ext2/acl.c ++++ b/fs/ext2/acl.c +@@ -178,11 +178,8 @@ ext2_get_acl(struct inode *inode, int type) + return acl; + } + +-/* +- * inode->i_mutex: down +- */ +-int +-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) ++static int ++__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) + { + int name_index; + void *value = NULL; +@@ -192,13 +189,6 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) + switch(type) { + case ACL_TYPE_ACCESS: + name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS; +- if (acl) { +- error = posix_acl_update_mode(inode, &inode->i_mode, &acl); +- if (error) +- return error; +- inode->i_ctime = CURRENT_TIME_SEC; +- mark_inode_dirty(inode); +- } + break; + + case ACL_TYPE_DEFAULT: +@@ -224,6 +214,24 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) + return error; + } + ++/* ++ * inode->i_mutex: down ++ */ ++int ++ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) ++{ ++ int error; ++ ++ if (type == ACL_TYPE_ACCESS && acl) { ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (error) ++ return error; ++ inode->i_ctime = CURRENT_TIME_SEC; ++ mark_inode_dirty(inode); ++ } ++ return __ext2_set_acl(inode, acl, type); ++} ++ + /* + * Initialize the ACLs of a new inode. Called from ext2_new_inode. + * +@@ -241,12 +249,12 @@ ext2_init_acl(struct inode *inode, struct inode *dir) + return error; + + if (default_acl) { +- error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT); ++ error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT); + posix_acl_release(default_acl); + } + if (acl) { + if (!error) +- error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS); ++ error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS); + posix_acl_release(acl); + } + return error; +diff --git a/fs/ext4/crypto_fname.c b/fs/ext4/crypto_fname.c +index fded02f72299..b7a39a185d01 100644 +--- a/fs/ext4/crypto_fname.c ++++ b/fs/ext4/crypto_fname.c +@@ -346,8 +346,9 @@ struct ext4_fname_crypto_ctx *ext4_get_fname_crypto_ctx( + if (res == 0) + return NULL; + +- if (!ext4_has_encryption_key(inode)) +- ext4_generate_encryption_key(inode); ++ res = ext4_generate_encryption_key(inode); ++ if (res) ++ return ERR_PTR(res); + + /* Get a crypto context based on the key. + * A new context is allocated if no context matches the requested key. +diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c +index 52170d0b7c40..4f9818719d61 100644 +--- a/fs/ext4/crypto_key.c ++++ b/fs/ext4/crypto_key.c +@@ -99,9 +99,17 @@ int ext4_generate_encryption_key(struct inode *inode) + struct ext4_encryption_context ctx; + struct user_key_payload *ukp; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); +- int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION, +- EXT4_XATTR_NAME_ENCRYPTION_CONTEXT, +- &ctx, sizeof(ctx)); ++ int res; ++ ++ mutex_lock(&ei->i_encryption_lock); ++ if (ext4_has_encryption_key(inode)) { ++ mutex_unlock(&ei->i_encryption_lock); ++ return 0; ++ } ++ ++ res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION, ++ EXT4_XATTR_NAME_ENCRYPTION_CONTEXT, ++ &ctx, sizeof(ctx)); + + if (res != sizeof(ctx)) { + if (res > 0) +@@ -154,6 +162,7 @@ out: + key_put(keyring_key); + if (res < 0) + crypt_key->mode = EXT4_ENCRYPTION_MODE_INVALID; ++ mutex_unlock(&ei->i_encryption_lock); + return res; + } + +diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c +index a6d6291aea16..591fc37dcd9e 100644 +--- a/fs/ext4/crypto_policy.c ++++ b/fs/ext4/crypto_policy.c +@@ -85,6 +85,9 @@ static int ext4_create_encryption_context_from_policy( + int ext4_process_policy(const struct ext4_encryption_policy *policy, + struct inode *inode) + { ++ if (!inode_owner_or_capable(inode)) ++ return -EACCES; ++ + if (policy->version != 0) + return -EINVAL; + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index df67a6f8582a..01771ed4529d 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -989,6 +989,7 @@ struct ext4_inode_info { + #ifdef CONFIG_EXT4_FS_ENCRYPTION + /* Encryption params */ + struct ext4_encryption_key i_encryption_key; ++ struct mutex i_encryption_lock; + #endif + }; + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 4196aa567784..dbe1ff511794 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -630,6 +630,9 @@ resizefs_out: + struct ext4_encryption_policy policy; + int err = 0; + ++ if (!ext4_sb_has_crypto(sb)) ++ return -EOPNOTSUPP; ++ + if (copy_from_user(&policy, + (struct ext4_encryption_policy __user *)arg, + sizeof(policy))) { +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b29a7ef4953e..c67056a8c901 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -669,6 +669,7 @@ __acquires(bitlock) + } + + ext4_unlock_group(sb, grp); ++ ext4_commit_super(sb, 1); + ext4_handle_error(sb); + /* + * We only get here in the ERRORS_RO case; relocking the group +@@ -948,6 +949,9 @@ static void init_once(void *foo) + init_rwsem(&ei->xattr_sem); + init_rwsem(&ei->i_data_sem); + init_rwsem(&ei->i_mmap_sem); ++#ifdef CONFIG_EXT4_FS_ENCRYPTION ++ mutex_init(&ei->i_encryption_lock); ++#endif + inode_init_once(&ei->vfs_inode); + } + +diff --git a/fs/fcntl.c b/fs/fcntl.c +index 62376451bbce..5df914943d96 100644 +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -113,6 +113,10 @@ void f_setown(struct file *filp, unsigned long arg, int force) + int who = arg; + type = PIDTYPE_PID; + if (who < 0) { ++ /* avoid overflow below */ ++ if (who == INT_MIN) ++ return; ++ + type = PIDTYPE_PGID; + who = -who; + } +diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c +index 9ff28bc294c0..5d084638e1f8 100644 +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -272,7 +272,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf, + { + struct kernfs_open_file *of = kernfs_of(file); + const struct kernfs_ops *ops; +- size_t len; ++ ssize_t len; + char *buf; + + if (of->atomic_write_len) { +diff --git a/fs/locks.c b/fs/locks.c +index 3c234b9fbdd9..af6fcf6e0dd0 100644 +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -2192,10 +2192,12 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, + error = do_lock_file_wait(filp, cmd, file_lock); + + /* +- * Attempt to detect a close/fcntl race and recover by +- * releasing the lock that was just acquired. ++ * Attempt to detect a close/fcntl race and recover by releasing the ++ * lock that was just acquired. There is no need to do that when we're ++ * unlocking though, or for OFD locks. + */ +- if (!error && file_lock->fl_type != F_UNLCK) { ++ if (!error && file_lock->fl_type != F_UNLCK && ++ !(file_lock->fl_flags & FL_OFDLCK)) { + /* + * We need that spin_lock here - it prevents reordering between + * update of i_flctx->flc_posix and check for it done in +@@ -2334,10 +2336,12 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, + error = do_lock_file_wait(filp, cmd, file_lock); + + /* +- * Attempt to detect a close/fcntl race and recover by +- * releasing the lock that was just acquired. ++ * Attempt to detect a close/fcntl race and recover by releasing the ++ * lock that was just acquired. There is no need to do that when we're ++ * unlocking though, or for OFD locks. + */ +- if (!error && file_lock->fl_type != F_UNLCK) { ++ if (!error && file_lock->fl_type != F_UNLCK && ++ !(file_lock->fl_flags & FL_OFDLCK)) { + /* + * We need that spin_lock here - it prevents reordering between + * update of i_flctx->flc_posix and check for it done in +diff --git a/fs/namei.c b/fs/namei.c +index c7a6eabc02a5..0d97235019a9 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1894,6 +1894,9 @@ static int path_init(int dfd, const struct filename *name, unsigned int flags, + int retval = 0; + const char *s = name->name; + ++ if (!*s) ++ flags &= ~LOOKUP_RCU; ++ + nd->last_type = LAST_ROOT; /* if there are only slashes... */ + nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT; + nd->depth = 0; +diff --git a/fs/ncpfs/dir.c b/fs/ncpfs/dir.c +index 0c2632386f35..d2c969d1d9d2 100644 +--- a/fs/ncpfs/dir.c ++++ b/fs/ncpfs/dir.c +@@ -133,12 +133,11 @@ ncp_hash_dentry(const struct dentry *dentry, struct qstr *this) + return 0; + + if (!ncp_case_sensitive(inode)) { +- struct super_block *sb = dentry->d_sb; + struct nls_table *t; + unsigned long hash; + int i; + +- t = NCP_IO_TABLE(sb); ++ t = NCP_IO_TABLE(dentry->d_sb); + hash = init_name_hash(); + for (i=0; i<this->len ; i++) + hash = partial_name_hash(ncp_tolower(t, this->name[i]), +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 38678d9a5cc4..cb050d1e8146 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -784,10 +784,8 @@ static void nfs_direct_write_completion(struct nfs_pgio_header *hdr) + + spin_lock(&dreq->lock); + +- if (test_bit(NFS_IOHDR_ERROR, &hdr->flags)) { +- dreq->flags = 0; ++ if (test_bit(NFS_IOHDR_ERROR, &hdr->flags)) + dreq->error = hdr->error; +- } + if (dreq->error == 0) { + nfs_direct_good_bytes(dreq, hdr); + if (nfs_write_need_commit(hdr)) { +diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c +index 2e1737c40a29..27c4970ed32f 100644 +--- a/fs/nfs/nfs4idmap.c ++++ b/fs/nfs/nfs4idmap.c +@@ -582,9 +582,13 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons, + struct idmap_msg *im; + struct idmap *idmap = (struct idmap *)aux; + struct key *key = cons->key; +- int ret = -ENOMEM; ++ int ret = -ENOKEY; ++ ++ if (!aux) ++ goto out1; + + /* msg and im are freed in idmap_pipe_destroy_msg */ ++ ret = -ENOMEM; + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + goto out1; +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 51af4fff890f..209b39ef69dd 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1728,6 +1728,8 @@ static void nfs_commit_release_pages(struct nfs_commit_data *data) + set_bit(NFS_CONTEXT_RESEND_WRITES, &req->wb_context->flags); + next: + nfs_unlock_and_release_request(req); ++ /* Latency breaker */ ++ cond_resched(); + } + nfss = NFS_SERVER(data->inode); + if (atomic_long_read(&nfss->writeback) < NFS_CONGESTION_OFF_THRESH) +diff --git a/fs/nfs_common/grace.c b/fs/nfs_common/grace.c +index ae6e58ea4de5..450954d5b7f6 100644 +--- a/fs/nfs_common/grace.c ++++ b/fs/nfs_common/grace.c +@@ -85,7 +85,9 @@ grace_exit_net(struct net *net) + { + struct list_head *grace_list = net_generic(net, grace_net_id); + +- BUG_ON(!list_empty(grace_list)); ++ WARN_ONCE(!list_empty(grace_list), ++ "net %x %s: grace_list is not empty\n", ++ net->ns.inum, __func__); + } + + static struct pernet_operations grace_net_ops = { +diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c +index 9d46a0bdd9f9..67eb154af881 100644 +--- a/fs/nfsd/auth.c ++++ b/fs/nfsd/auth.c +@@ -59,7 +59,11 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) + GROUP_AT(gi, i) = exp->ex_anon_gid; + else + GROUP_AT(gi, i) = GROUP_AT(rqgi, i); ++ + } ++ ++ /* Each thread allocates its own gi, no race */ ++ groups_sort(gi); + } else { + gi = get_group_info(rqgi); + } +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 529434f926f1..322cf41b5257 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -63,12 +63,16 @@ static const stateid_t zero_stateid = { + static const stateid_t currentstateid = { + .si_generation = 1, + }; ++static const stateid_t close_stateid = { ++ .si_generation = 0xffffffffU, ++}; + + static u64 current_sessionid = 1; + + #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t))) + #define ONE_STATEID(stateid) (!memcmp((stateid), &one_stateid, sizeof(stateid_t))) + #define CURRENT_STATEID(stateid) (!memcmp((stateid), ¤tstateid, sizeof(stateid_t))) ++#define CLOSE_STATEID(stateid) (!memcmp((stateid), &close_stateid, sizeof(stateid_t))) + + /* forward declarations */ + static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner); +@@ -4615,7 +4619,8 @@ static __be32 nfsd4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid) + struct nfs4_stid *s; + __be32 status = nfserr_bad_stateid; + +- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) ++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) || ++ CLOSE_STATEID(stateid)) + return status; + /* Client debugging aid. */ + if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) { +@@ -4673,7 +4678,8 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate, + else if (typemask & NFS4_DELEG_STID) + typemask |= NFS4_REVOKED_DELEG_STID; + +- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) ++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) || ++ CLOSE_STATEID(stateid)) + return nfserr_bad_stateid; + status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn); + if (status == nfserr_stale_clientid) { +@@ -5107,6 +5113,11 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + + nfsd4_close_open_stateid(stp); + ++ /* See RFC5661 sectionm 18.2.4 */ ++ if (stp->st_stid.sc_client->cl_minorversion) ++ memcpy(&close->cl_stateid, &close_stateid, ++ sizeof(close->cl_stateid)); ++ + /* put reference from nfs4_preprocess_seqid_op */ + nfs4_put_stid(&stp->st_stid); + out: +diff --git a/fs/nsfs.c b/fs/nsfs.c +index 99521e7c492b..845f29e15ac9 100644 +--- a/fs/nsfs.c ++++ b/fs/nsfs.c +@@ -94,6 +94,7 @@ slow: + return ERR_PTR(-ENOMEM); + } + d_instantiate(dentry, inode); ++ dentry->d_flags |= DCACHE_RCUACCESS; + dentry->d_fsdata = (void *)ns_ops; + d = atomic_long_cmpxchg(&ns->stashed, 0, (unsigned long)dentry); + if (d) { +diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c +index adcb1398c481..299a6e1d6b77 100644 +--- a/fs/overlayfs/readdir.c ++++ b/fs/overlayfs/readdir.c +@@ -441,10 +441,14 @@ static int ovl_dir_fsync(struct file *file, loff_t start, loff_t end, + struct dentry *dentry = file->f_path.dentry; + struct file *realfile = od->realfile; + ++ /* Nothing to sync for lower */ ++ if (!OVL_TYPE_UPPER(ovl_path_type(dentry))) ++ return 0; ++ + /* + * Need to check if we started out being a lower dir, but got copied up + */ +- if (!od->is_upper && OVL_TYPE_UPPER(ovl_path_type(dentry))) { ++ if (!od->is_upper) { + struct inode *inode = file_inode(file); + + realfile = lockless_dereference(od->upperfile); +diff --git a/fs/pipe.c b/fs/pipe.c +index 5916c19dbb02..dbea65d88398 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -999,6 +999,9 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) + { + struct pipe_buffer *bufs; + ++ if (!nr_pages) ++ return -EINVAL; ++ + /* + * We can shrink the pipe, if arg >= pipe->nrbufs. Since we don't + * expect a lot of shrink+grow operations, just free and allocate +@@ -1043,13 +1046,19 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) + + /* + * Currently we rely on the pipe array holding a power-of-2 number +- * of pages. ++ * of pages. Returns 0 on error. + */ + static inline unsigned int round_pipe_size(unsigned int size) + { + unsigned long nr_pages; + ++ if (size < pipe_min_size) ++ size = pipe_min_size; ++ + nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; ++ if (nr_pages == 0) ++ return 0; ++ + return roundup_pow_of_two(nr_pages) << PAGE_SHIFT; + } + +@@ -1060,13 +1069,18 @@ static inline unsigned int round_pipe_size(unsigned int size) + int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf, + size_t *lenp, loff_t *ppos) + { ++ unsigned int rounded_pipe_max_size; + int ret; + + ret = proc_dointvec_minmax(table, write, buf, lenp, ppos); + if (ret < 0 || !write) + return ret; + +- pipe_max_size = round_pipe_size(pipe_max_size); ++ rounded_pipe_max_size = round_pipe_size(pipe_max_size); ++ if (rounded_pipe_max_size == 0) ++ return -EINVAL; ++ ++ pipe_max_size = rounded_pipe_max_size; + return ret; + } + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 19c777ad0084..4f3b028e3a1f 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2881,7 +2881,8 @@ static int __init dquot_init(void) + pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld," + " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order)); + +- register_shrinker(&dqcache_shrinker); ++ if (register_shrinker(&dqcache_shrinker)) ++ panic("Cannot register dquot shrinker"); + + return 0; + } +diff --git a/fs/reiserfs/bitmap.c b/fs/reiserfs/bitmap.c +index dc198bc64c61..edc8ef78b63f 100644 +--- a/fs/reiserfs/bitmap.c ++++ b/fs/reiserfs/bitmap.c +@@ -513,9 +513,17 @@ static void __discard_prealloc(struct reiserfs_transaction_handle *th, + "inode has negative prealloc blocks count."); + #endif + while (ei->i_prealloc_count > 0) { +- reiserfs_free_prealloc_block(th, inode, ei->i_prealloc_block); +- ei->i_prealloc_block++; ++ b_blocknr_t block_to_free; ++ ++ /* ++ * reiserfs_free_prealloc_block can drop the write lock, ++ * which could allow another caller to free the same block. ++ * We can protect against it by modifying the prealloc ++ * state before calling it. ++ */ ++ block_to_free = ei->i_prealloc_block++; + ei->i_prealloc_count--; ++ reiserfs_free_prealloc_block(th, inode, block_to_free); + dirty = 1; + } + if (dirty) +@@ -1128,7 +1136,7 @@ static int determine_prealloc_size(reiserfs_blocknr_hint_t * hint) + hint->prealloc_size = 0; + + if (!hint->formatted_node && hint->preallocate) { +- if (S_ISREG(hint->inode->i_mode) ++ if (S_ISREG(hint->inode->i_mode) && !IS_PRIVATE(hint->inode) + && hint->inode->i_size >= + REISERFS_SB(hint->th->t_super)->s_alloc_options. + preallocmin * hint->inode->i_sb->s_blocksize) +diff --git a/fs/reiserfs/lbalance.c b/fs/reiserfs/lbalance.c +index 249594a821e0..f5cebd70d903 100644 +--- a/fs/reiserfs/lbalance.c ++++ b/fs/reiserfs/lbalance.c +@@ -475,7 +475,7 @@ static void leaf_item_bottle(struct buffer_info *dest_bi, + * 'cpy_bytes'; create new item header; + * n_ih = new item_header; + */ +- memcpy(&n_ih, ih, SHORT_KEY_SIZE); ++ memcpy(&n_ih.ih_key, &ih->ih_key, KEY_SIZE); + + /* Endian safe, both le */ + n_ih.ih_version = ih->ih_version; +diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h +index 2adcde137c3f..5dcf3ab83886 100644 +--- a/fs/reiserfs/reiserfs.h ++++ b/fs/reiserfs/reiserfs.h +@@ -1326,7 +1326,6 @@ struct cpu_key { + #define KEY_NOT_FOUND 0 + + #define KEY_SIZE (sizeof(struct reiserfs_key)) +-#define SHORT_KEY_SIZE (sizeof (__u32) + sizeof (__u32)) + + /* return values for search_by_key and clones */ + #define ITEM_FOUND 1 +diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c +index 9b1824f35501..91b036902a17 100644 +--- a/fs/reiserfs/xattr_acl.c ++++ b/fs/reiserfs/xattr_acl.c +@@ -37,7 +37,14 @@ reiserfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) + error = journal_begin(&th, inode->i_sb, jcreate_blocks); + reiserfs_write_unlock(inode->i_sb); + if (error == 0) { ++ if (type == ACL_TYPE_ACCESS && acl) { ++ error = posix_acl_update_mode(inode, &inode->i_mode, ++ &acl); ++ if (error) ++ goto unlock; ++ } + error = __reiserfs_set_acl(&th, inode, type, acl); ++unlock: + reiserfs_write_lock(inode->i_sb); + error2 = journal_end(&th); + reiserfs_write_unlock(inode->i_sb); +@@ -245,11 +252,6 @@ __reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode, + switch (type) { + case ACL_TYPE_ACCESS: + name = POSIX_ACL_XATTR_ACCESS; +- if (acl) { +- error = posix_acl_update_mode(inode, &inode->i_mode, &acl); +- if (error) +- return error; +- } + break; + case ACL_TYPE_DEFAULT: + name = POSIX_ACL_XATTR_DEFAULT; +diff --git a/fs/select.c b/fs/select.c +index f684c750e08a..f7e6fc7bf83c 100644 +--- a/fs/select.c ++++ b/fs/select.c +@@ -29,6 +29,7 @@ + #include <linux/sched/rt.h> + #include <linux/freezer.h> + #include <net/busy_poll.h> ++#include <linux/vmalloc.h> + + #include <asm/uaccess.h> + +@@ -550,7 +551,7 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp, + fd_set_bits fds; + void *bits; + int ret, max_fds; +- unsigned int size; ++ size_t size, alloc_size; + struct fdtable *fdt; + /* Allocate small arguments on the stack to save memory and be faster */ + long stack_fds[SELECT_STACK_ALLOC/sizeof(long)]; +@@ -577,7 +578,14 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp, + if (size > sizeof(stack_fds) / 6) { + /* Not enough space in on-stack array; must use kmalloc */ + ret = -ENOMEM; +- bits = kmalloc(6 * size, GFP_KERNEL); ++ if (size > (SIZE_MAX / 6)) ++ goto out_nofds; ++ ++ alloc_size = 6 * size; ++ bits = kmalloc(alloc_size, GFP_KERNEL|__GFP_NOWARN); ++ if (!bits && alloc_size > PAGE_SIZE) ++ bits = vmalloc(alloc_size); ++ + if (!bits) + goto out_nofds; + } +@@ -614,7 +622,7 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp, + + out: + if (bits != stack_fds) +- kfree(bits); ++ kvfree(bits); + out_nofds: + return ret; + } +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index a56960dd1684..123ec87efac0 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -303,7 +303,7 @@ xfs_map_blocks( + (ip->i_df.if_flags & XFS_IFEXTENTS)); + ASSERT(offset <= mp->m_super->s_maxbytes); + +- if (offset + count > mp->m_super->s_maxbytes) ++ if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes) + count = mp->m_super->s_maxbytes - offset; + end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count); + offset_fsb = XFS_B_TO_FSBT(mp, offset); +@@ -1332,7 +1332,7 @@ xfs_map_trim_size( + if (mapping_size > size) + mapping_size = size; + if (offset < i_size_read(inode) && +- offset + mapping_size >= i_size_read(inode)) { ++ (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) { + /* limit mapping to block that spans EOF */ + mapping_size = roundup_64(i_size_read(inode) - offset, + 1 << inode->i_blkbits); +@@ -1387,7 +1387,7 @@ __xfs_get_blocks( + } + + ASSERT(offset <= mp->m_super->s_maxbytes); +- if (offset + size > mp->m_super->s_maxbytes) ++ if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes) + size = mp->m_super->s_maxbytes - offset; + end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size); + offset_fsb = XFS_B_TO_FSBT(mp, offset); +diff --git a/include/asm-generic/asm-prototypes.h b/include/asm-generic/asm-prototypes.h +new file mode 100644 +index 000000000000..df13637e4017 +--- /dev/null ++++ b/include/asm-generic/asm-prototypes.h +@@ -0,0 +1,7 @@ ++#include <linux/bitops.h> ++extern void *__memset(void *, int, __kernel_size_t); ++extern void *__memcpy(void *, const void *, __kernel_size_t); ++extern void *__memmove(void *, const void *, __kernel_size_t); ++extern void *memset(void *, int, __kernel_size_t); ++extern void *memcpy(void *, const void *, __kernel_size_t); ++extern void *memmove(void *, const void *, __kernel_size_t); +diff --git a/include/asm-generic/export.h b/include/asm-generic/export.h +new file mode 100644 +index 000000000000..43199a049da5 +--- /dev/null ++++ b/include/asm-generic/export.h +@@ -0,0 +1,94 @@ ++#ifndef __ASM_GENERIC_EXPORT_H ++#define __ASM_GENERIC_EXPORT_H ++ ++#ifndef KSYM_FUNC ++#define KSYM_FUNC(x) x ++#endif ++#ifdef CONFIG_64BIT ++#define __put .quad ++#ifndef KSYM_ALIGN ++#define KSYM_ALIGN 8 ++#endif ++#ifndef KCRC_ALIGN ++#define KCRC_ALIGN 8 ++#endif ++#else ++#define __put .long ++#ifndef KSYM_ALIGN ++#define KSYM_ALIGN 4 ++#endif ++#ifndef KCRC_ALIGN ++#define KCRC_ALIGN 4 ++#endif ++#endif ++ ++#ifdef CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX ++#define KSYM(name) _##name ++#else ++#define KSYM(name) name ++#endif ++ ++/* ++ * note on .section use: @progbits vs %progbits nastiness doesn't matter, ++ * since we immediately emit into those sections anyway. ++ */ ++.macro ___EXPORT_SYMBOL name,val,sec ++#ifdef CONFIG_MODULES ++ .globl KSYM(__ksymtab_\name) ++ .section ___ksymtab\sec+\name,"a" ++ .balign KSYM_ALIGN ++KSYM(__ksymtab_\name): ++ __put \val, KSYM(__kstrtab_\name) ++ .previous ++ .section __ksymtab_strings,"a" ++KSYM(__kstrtab_\name): ++#ifdef CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX ++ .asciz "_\name" ++#else ++ .asciz "\name" ++#endif ++ .previous ++#ifdef CONFIG_MODVERSIONS ++ .section ___kcrctab\sec+\name,"a" ++ .balign KCRC_ALIGN ++KSYM(__kcrctab_\name): ++ __put KSYM(__crc_\name) ++ .weak KSYM(__crc_\name) ++ .previous ++#endif ++#endif ++.endm ++#undef __put ++ ++#if defined(__KSYM_DEPS__) ++ ++#define __EXPORT_SYMBOL(sym, val, sec) === __KSYM_##sym === ++ ++#elif defined(CONFIG_TRIM_UNUSED_KSYMS) ++ ++#include <linux/kconfig.h> ++#include <generated/autoksyms.h> ++ ++#define __EXPORT_SYMBOL(sym, val, sec) \ ++ __cond_export_sym(sym, val, sec, config_enabled(__KSYM_##sym)) ++#define __cond_export_sym(sym, val, sec, conf) \ ++ ___cond_export_sym(sym, val, sec, conf) ++#define ___cond_export_sym(sym, val, sec, enabled) \ ++ __cond_export_sym_##enabled(sym, val, sec) ++#define __cond_export_sym_1(sym, val, sec) ___EXPORT_SYMBOL sym, val, sec ++#define __cond_export_sym_0(sym, val, sec) /* nothing */ ++ ++#else ++#define __EXPORT_SYMBOL(sym, val, sec) ___EXPORT_SYMBOL sym, val, sec ++#endif ++ ++#define EXPORT_SYMBOL(name) \ ++ __EXPORT_SYMBOL(name, KSYM_FUNC(KSYM(name)),) ++#define EXPORT_SYMBOL_GPL(name) \ ++ __EXPORT_SYMBOL(name, KSYM_FUNC(KSYM(name)), _gpl) ++#define EXPORT_DATA_SYMBOL(name) \ ++ __EXPORT_SYMBOL(name, KSYM(name),) ++#define EXPORT_DATA_SYMBOL_GPL(name) \ ++ __EXPORT_SYMBOL(name, KSYM(name),_gpl) ++ ++#endif +diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h +index 9779c35f8454..dab9569f22bf 100644 +--- a/include/crypto/internal/hash.h ++++ b/include/crypto/internal/hash.h +@@ -91,6 +91,8 @@ static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg) + return alg->setkey != shash_no_setkey; + } + ++bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg); ++ + int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn, + struct hash_alg_common *alg, + struct crypto_instance *inst); +diff --git a/include/crypto/mcryptd.h b/include/crypto/mcryptd.h +index c23ee1f7ee80..c2ff077168d3 100644 +--- a/include/crypto/mcryptd.h ++++ b/include/crypto/mcryptd.h +@@ -26,6 +26,7 @@ static inline struct mcryptd_ahash *__mcryptd_ahash_cast( + + struct mcryptd_cpu_queue { + struct crypto_queue queue; ++ spinlock_t q_lock; + struct work_struct work; + }; + +diff --git a/include/linux/cacheinfo.h b/include/linux/cacheinfo.h +index 3daf5ed392c9..4b97ae264388 100644 +--- a/include/linux/cacheinfo.h ++++ b/include/linux/cacheinfo.h +@@ -71,6 +71,7 @@ struct cpu_cacheinfo { + struct cacheinfo *info_list; + unsigned int num_levels; + unsigned int num_leaves; ++ bool cpu_map_populated; + }; + + /* +diff --git a/include/linux/cred.h b/include/linux/cred.h +index 8b6c083e68a7..536d873ad6e5 100644 +--- a/include/linux/cred.h ++++ b/include/linux/cred.h +@@ -87,6 +87,7 @@ extern int set_current_groups(struct group_info *); + extern void set_groups(struct cred *, struct group_info *); + extern int groups_search(const struct group_info *, kgid_t); + extern bool may_setgroups(void); ++extern void groups_sort(struct group_info *); + + /* access the groups "array" with this macro */ + #define GROUP_AT(gi, i) \ +diff --git a/include/linux/device.h b/include/linux/device.h +index 98a1d9748eec..84a1c7e49c51 100644 +--- a/include/linux/device.h ++++ b/include/linux/device.h +@@ -1208,8 +1208,11 @@ do { \ + dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__); \ + } while (0) + #else +-#define dev_dbg_ratelimited(dev, fmt, ...) \ +- no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__) ++#define dev_dbg_ratelimited(dev, fmt, ...) \ ++do { \ ++ if (0) \ ++ dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__); \ ++} while (0) + #endif + + #ifdef VERBOSE_DEBUG +diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h +index 230f87bdf5ad..2c084871e833 100644 +--- a/include/linux/fdtable.h ++++ b/include/linux/fdtable.h +@@ -9,6 +9,7 @@ + #include <linux/compiler.h> + #include <linux/spinlock.h> + #include <linux/rcupdate.h> ++#include <linux/nospec.h> + #include <linux/types.h> + #include <linux/init.h> + #include <linux/fs.h> +@@ -76,8 +77,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i + { + struct fdtable *fdt = rcu_dereference_raw(files->fdt); + +- if (fd < fdt->max_fds) ++ if (fd < fdt->max_fds) { ++ fd = array_index_nospec(fd, fdt->max_fds); + return rcu_dereference_raw(fdt->fd[fd]); ++ } + return NULL; + } + +diff --git a/include/linux/fscache.h b/include/linux/fscache.h +index 115bb81912cc..94a8aae8f9e2 100644 +--- a/include/linux/fscache.h ++++ b/include/linux/fscache.h +@@ -764,7 +764,7 @@ bool fscache_maybe_release_page(struct fscache_cookie *cookie, + { + if (fscache_cookie_valid(cookie) && PageFsCache(page)) + return __fscache_maybe_release_page(cookie, page, gfp); +- return false; ++ return true; + } + + /** +diff --git a/include/linux/init.h b/include/linux/init.h +index 21b6d768edd7..5f4d931095ce 100644 +--- a/include/linux/init.h ++++ b/include/linux/init.h +@@ -4,6 +4,13 @@ + #include <linux/compiler.h> + #include <linux/types.h> + ++/* Built-in __init functions needn't be compiled with retpoline */ ++#if defined(RETPOLINE) && !defined(MODULE) ++#define __noretpoline __attribute__((indirect_branch("keep"))) ++#else ++#define __noretpoline ++#endif ++ + /* These macros are used to mark some functions or + * initialized data (doesn't apply to uninitialized data) + * as `initialization' functions. The kernel can take this +@@ -39,7 +46,7 @@ + + /* These are for everybody (although not all archs will actually + discard it in modules) */ +-#define __init __section(.init.text) __cold notrace ++#define __init __section(.init.text) __cold notrace __noretpoline + #define __initdata __section(.init.data) + #define __initconst __constsection(.init.rodata) + #define __exitdata __section(.exit.data) +diff --git a/include/linux/kconfig.h b/include/linux/kconfig.h +index b33c7797eb57..a94b5bf57f51 100644 +--- a/include/linux/kconfig.h ++++ b/include/linux/kconfig.h +@@ -17,10 +17,11 @@ + * the last step cherry picks the 2nd arg, we get a zero. + */ + #define __ARG_PLACEHOLDER_1 0, +-#define config_enabled(cfg) _config_enabled(cfg) +-#define _config_enabled(value) __config_enabled(__ARG_PLACEHOLDER_##value) +-#define __config_enabled(arg1_or_junk) ___config_enabled(arg1_or_junk 1, 0) +-#define ___config_enabled(__ignored, val, ...) val ++#define config_enabled(cfg) ___is_defined(cfg) ++#define __is_defined(x) ___is_defined(x) ++#define ___is_defined(val) ____is_defined(__ARG_PLACEHOLDER_##val) ++#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0) ++#define __take_second_arg(__ignored, val, ...) val + + /* + * IS_BUILTIN(CONFIG_FOO) evaluates to 1 if CONFIG_FOO is set to 'y', 0 +@@ -42,7 +43,7 @@ + * built-in code when CONFIG_FOO is set to 'm'. + */ + #define IS_REACHABLE(option) (config_enabled(option) || \ +- (config_enabled(option##_MODULE) && config_enabled(MODULE))) ++ (config_enabled(option##_MODULE) && __is_defined(MODULE))) + + /* + * IS_ENABLED(CONFIG_FOO) evaluates to 1 if CONFIG_FOO is set to 'y' or 'm', +diff --git a/include/linux/ktime.h b/include/linux/ktime.h +index 2b6a204bd8d4..3ffc69ebe967 100644 +--- a/include/linux/ktime.h ++++ b/include/linux/ktime.h +@@ -63,6 +63,13 @@ static inline ktime_t ktime_set(const s64 secs, const unsigned long nsecs) + #define ktime_add(lhs, rhs) \ + ({ (ktime_t){ .tv64 = (lhs).tv64 + (rhs).tv64 }; }) + ++/* ++ * Same as ktime_add(), but avoids undefined behaviour on overflow; however, ++ * this means that you must check the result for overflow yourself. ++ */ ++#define ktime_add_unsafe(lhs, rhs) \ ++ ({ (ktime_t){ .tv64 = (u64) (lhs).tv64 + (rhs).tv64 }; }) ++ + /* + * Add a ktime_t variable and a scalar nanosecond value. + * res = kt + nsval: +diff --git a/include/linux/mmu_context.h b/include/linux/mmu_context.h +index 70fffeba7495..a4441784503b 100644 +--- a/include/linux/mmu_context.h ++++ b/include/linux/mmu_context.h +@@ -1,9 +1,16 @@ + #ifndef _LINUX_MMU_CONTEXT_H + #define _LINUX_MMU_CONTEXT_H + ++#include <asm/mmu_context.h> ++ + struct mm_struct; + + void use_mm(struct mm_struct *mm); + void unuse_mm(struct mm_struct *mm); + ++/* Architectures that care about IRQ state in switch_mm can override this. */ ++#ifndef switch_mm_irqs_off ++# define switch_mm_irqs_off switch_mm ++#endif ++ + #endif +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h +index dfff2baf836b..0deabc012551 100644 +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -265,75 +265,67 @@ void map_destroy(struct mtd_info *mtd); + #define INVALIDATE_CACHED_RANGE(map, from, size) \ + do { if (map->inval_cache) map->inval_cache(map, from, size); } while (0) + +- +-static inline int map_word_equal(struct map_info *map, map_word val1, map_word val2) +-{ +- int i; +- +- for (i = 0; i < map_words(map); i++) { +- if (val1.x[i] != val2.x[i]) +- return 0; +- } +- +- return 1; +-} +- +-static inline map_word map_word_and(struct map_info *map, map_word val1, map_word val2) +-{ +- map_word r; +- int i; +- +- for (i = 0; i < map_words(map); i++) +- r.x[i] = val1.x[i] & val2.x[i]; +- +- return r; +-} +- +-static inline map_word map_word_clr(struct map_info *map, map_word val1, map_word val2) +-{ +- map_word r; +- int i; +- +- for (i = 0; i < map_words(map); i++) +- r.x[i] = val1.x[i] & ~val2.x[i]; +- +- return r; +-} +- +-static inline map_word map_word_or(struct map_info *map, map_word val1, map_word val2) +-{ +- map_word r; +- int i; +- +- for (i = 0; i < map_words(map); i++) +- r.x[i] = val1.x[i] | val2.x[i]; +- +- return r; +-} +- +-static inline int map_word_andequal(struct map_info *map, map_word val1, map_word val2, map_word val3) +-{ +- int i; +- +- for (i = 0; i < map_words(map); i++) { +- if ((val1.x[i] & val2.x[i]) != val3.x[i]) +- return 0; +- } +- +- return 1; +-} +- +-static inline int map_word_bitsset(struct map_info *map, map_word val1, map_word val2) +-{ +- int i; +- +- for (i = 0; i < map_words(map); i++) { +- if (val1.x[i] & val2.x[i]) +- return 1; +- } +- +- return 0; +-} ++#define map_word_equal(map, val1, val2) \ ++({ \ ++ int i, ret = 1; \ ++ for (i = 0; i < map_words(map); i++) \ ++ if ((val1).x[i] != (val2).x[i]) { \ ++ ret = 0; \ ++ break; \ ++ } \ ++ ret; \ ++}) ++ ++#define map_word_and(map, val1, val2) \ ++({ \ ++ map_word r; \ ++ int i; \ ++ for (i = 0; i < map_words(map); i++) \ ++ r.x[i] = (val1).x[i] & (val2).x[i]; \ ++ r; \ ++}) ++ ++#define map_word_clr(map, val1, val2) \ ++({ \ ++ map_word r; \ ++ int i; \ ++ for (i = 0; i < map_words(map); i++) \ ++ r.x[i] = (val1).x[i] & ~(val2).x[i]; \ ++ r; \ ++}) ++ ++#define map_word_or(map, val1, val2) \ ++({ \ ++ map_word r; \ ++ int i; \ ++ for (i = 0; i < map_words(map); i++) \ ++ r.x[i] = (val1).x[i] | (val2).x[i]; \ ++ r; \ ++}) ++ ++#define map_word_andequal(map, val1, val2, val3) \ ++({ \ ++ int i, ret = 1; \ ++ for (i = 0; i < map_words(map); i++) { \ ++ if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \ ++ ret = 0; \ ++ break; \ ++ } \ ++ } \ ++ ret; \ ++}) ++ ++#define map_word_bitsset(map, val1, val2) \ ++({ \ ++ int i, ret = 0; \ ++ for (i = 0; i < map_words(map); i++) { \ ++ if ((val1).x[i] & (val2).x[i]) { \ ++ ret = 1; \ ++ break; \ ++ } \ ++ } \ ++ ret; \ ++}) + + static inline map_word map_word_load(struct map_info *map, const void *ptr) + { +diff --git a/include/linux/mtd/sh_flctl.h b/include/linux/mtd/sh_flctl.h +index 1c28f8879b1c..067b37aff4a1 100644 +--- a/include/linux/mtd/sh_flctl.h ++++ b/include/linux/mtd/sh_flctl.h +@@ -148,6 +148,7 @@ struct sh_flctl { + struct platform_device *pdev; + struct dev_pm_qos_request pm_qos; + void __iomem *reg; ++ resource_size_t fifo; + + uint8_t done_buff[2048 + 64]; /* max size 2048 + 64 */ + int read_bytes; +diff --git a/include/linux/nospec.h b/include/linux/nospec.h +new file mode 100644 +index 000000000000..b99bced39ac2 +--- /dev/null ++++ b/include/linux/nospec.h +@@ -0,0 +1,72 @@ ++// SPDX-License-Identifier: GPL-2.0 ++// Copyright(c) 2018 Linus Torvalds. All rights reserved. ++// Copyright(c) 2018 Alexei Starovoitov. All rights reserved. ++// Copyright(c) 2018 Intel Corporation. All rights reserved. ++ ++#ifndef _LINUX_NOSPEC_H ++#define _LINUX_NOSPEC_H ++ ++/** ++ * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise ++ * @index: array element index ++ * @size: number of elements in array ++ * ++ * When @index is out of bounds (@index >= @size), the sign bit will be ++ * set. Extend the sign bit to all bits and invert, giving a result of ++ * zero for an out of bounds index, or ~0 if within bounds [0, @size). ++ */ ++#ifndef array_index_mask_nospec ++static inline unsigned long array_index_mask_nospec(unsigned long index, ++ unsigned long size) ++{ ++ /* ++ * Warn developers about inappropriate array_index_nospec() usage. ++ * ++ * Even if the CPU speculates past the WARN_ONCE branch, the ++ * sign bit of @index is taken into account when generating the ++ * mask. ++ * ++ * This warning is compiled out when the compiler can infer that ++ * @index and @size are less than LONG_MAX. ++ */ ++ if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, ++ "array_index_nospec() limited to range of [0, LONG_MAX]\n")) ++ return 0; ++ ++ /* ++ * Always calculate and emit the mask even if the compiler ++ * thinks the mask is not needed. The compiler does not take ++ * into account the value of @index under speculation. ++ */ ++ OPTIMIZER_HIDE_VAR(index); ++ return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1); ++} ++#endif ++ ++/* ++ * array_index_nospec - sanitize an array index after a bounds check ++ * ++ * For a code sequence like: ++ * ++ * if (index < size) { ++ * index = array_index_nospec(index, size); ++ * val = array[index]; ++ * } ++ * ++ * ...if the CPU speculates past the bounds check then ++ * array_index_nospec() will clamp the index within the range of [0, ++ * size). ++ */ ++#define array_index_nospec(index, size) \ ++({ \ ++ typeof(index) _i = (index); \ ++ typeof(size) _s = (size); \ ++ unsigned long _mask = array_index_mask_nospec(_i, _s); \ ++ \ ++ BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \ ++ BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \ ++ \ ++ _i &= _mask; \ ++ _i; \ ++}) ++#endif /* _LINUX_NOSPEC_H */ +diff --git a/include/linux/sh_eth.h b/include/linux/sh_eth.h +index 8c9131db2b25..b050ef51e27e 100644 +--- a/include/linux/sh_eth.h ++++ b/include/linux/sh_eth.h +@@ -16,7 +16,6 @@ struct sh_eth_plat_data { + unsigned char mac_addr[ETH_ALEN]; + unsigned no_ether_link:1; + unsigned ether_link_active_low:1; +- unsigned needs_init:1; + }; + + #endif +diff --git a/include/linux/string.h b/include/linux/string.h +index e40099e585c9..f8902cc0c10d 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -118,6 +118,7 @@ extern char *kstrdup(const char *s, gfp_t gfp); + extern const char *kstrdup_const(const char *s, gfp_t gfp); + extern char *kstrndup(const char *s, size_t len, gfp_t gfp); + extern void *kmemdup(const void *src, size_t len, gfp_t gfp); ++extern char *kmemdup_nul(const char *s, size_t len, gfp_t gfp); + + extern char **argv_split(gfp_t gfp, const char *str, int *argcp); + extern void argv_free(char **argv); +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index e8bbf403618f..5eeeca0b25f1 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -29,9 +29,14 @@ static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb) + return (struct tcphdr *)skb_transport_header(skb); + } + ++static inline unsigned int __tcp_hdrlen(const struct tcphdr *th) ++{ ++ return th->doff * 4; ++} ++ + static inline unsigned int tcp_hdrlen(const struct sk_buff *skb) + { +- return tcp_hdr(skb)->doff * 4; ++ return __tcp_hdrlen(tcp_hdr(skb)); + } + + static inline struct tcphdr *inner_tcp_hdr(const struct sk_buff *skb) +diff --git a/include/net/arp.h b/include/net/arp.h +index 5e0f891d476c..1b3f86981757 100644 +--- a/include/net/arp.h ++++ b/include/net/arp.h +@@ -19,6 +19,9 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32 + + static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key) + { ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) ++ key = INADDR_ANY; ++ + return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev); + } + +diff --git a/include/net/ip.h b/include/net/ip.h +index 117bde93995d..80b849cadc35 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -33,6 +33,8 @@ + #include <net/flow.h> + #include <net/flow_keys.h> + ++#define IPV4_MIN_MTU 68 /* RFC 791 */ ++ + struct sock; + + struct inet_skb_parm { +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index f733656404de..01af6cd44c67 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -203,6 +203,11 @@ int net_eq(const struct net *net1, const struct net *net2) + return net1 == net2; + } + ++static inline int check_net(const struct net *net) ++{ ++ return atomic_read(&net->count) != 0; ++} ++ + void net_drop_ns(void *); + + #else +@@ -227,6 +232,11 @@ int net_eq(const struct net *net1, const struct net *net2) + return 1; + } + ++static inline int check_net(const struct net *net) ++{ ++ return 1; ++} ++ + #define net_drop_ns NULL + #endif + +diff --git a/include/net/netlink.h b/include/net/netlink.h +index 2a5dbcc90d1c..9bb53469b704 100644 +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -745,7 +745,10 @@ static inline int nla_parse_nested(struct nlattr *tb[], int maxtype, + */ + static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value) + { +- return nla_put(skb, attrtype, sizeof(u8), &value); ++ /* temporary variables to work around GCC PR81715 with asan-stack=1 */ ++ u8 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u8), &tmp); + } + + /** +@@ -756,7 +759,9 @@ static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value) + */ + static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value) + { +- return nla_put(skb, attrtype, sizeof(u16), &value); ++ u16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u16), &tmp); + } + + /** +@@ -767,7 +772,9 @@ static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value) + */ + static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value) + { +- return nla_put(skb, attrtype, sizeof(__be16), &value); ++ __be16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__be16), &tmp); + } + + /** +@@ -778,7 +785,9 @@ static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value) + */ + static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value) + { +- return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value); ++ __be16 tmp = value; ++ ++ return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, tmp); + } + + /** +@@ -789,7 +798,9 @@ static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value) + */ + static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value) + { +- return nla_put(skb, attrtype, sizeof(__le16), &value); ++ __le16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__le16), &tmp); + } + + /** +@@ -800,7 +811,9 @@ static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value) + */ + static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value) + { +- return nla_put(skb, attrtype, sizeof(u32), &value); ++ u32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u32), &tmp); + } + + /** +@@ -811,7 +824,9 @@ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value) + */ + static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value) + { +- return nla_put(skb, attrtype, sizeof(__be32), &value); ++ __be32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__be32), &tmp); + } + + /** +@@ -822,7 +837,9 @@ static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value) + */ + static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value) + { +- return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value); ++ __be32 tmp = value; ++ ++ return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, tmp); + } + + /** +@@ -833,7 +850,9 @@ static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value) + */ + static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value) + { +- return nla_put(skb, attrtype, sizeof(__le32), &value); ++ __le32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__le32), &tmp); + } + + /** +@@ -844,7 +863,9 @@ static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value) + */ + static inline int nla_put_u64(struct sk_buff *skb, int attrtype, u64 value) + { +- return nla_put(skb, attrtype, sizeof(u64), &value); ++ u64 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(u64), &tmp); + } + + /** +@@ -855,7 +876,9 @@ static inline int nla_put_u64(struct sk_buff *skb, int attrtype, u64 value) + */ + static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value) + { +- return nla_put(skb, attrtype, sizeof(__be64), &value); ++ __be64 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__be64), &tmp); + } + + /** +@@ -866,7 +889,9 @@ static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value) + */ + static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value) + { +- return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value); ++ __be64 tmp = value; ++ ++ return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, tmp); + } + + /** +@@ -877,7 +902,9 @@ static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value) + */ + static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value) + { +- return nla_put(skb, attrtype, sizeof(__le64), &value); ++ __le64 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(__le64), &tmp); + } + + /** +@@ -888,7 +915,9 @@ static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value) + */ + static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value) + { +- return nla_put(skb, attrtype, sizeof(s8), &value); ++ s8 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s8), &tmp); + } + + /** +@@ -899,7 +928,9 @@ static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value) + */ + static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value) + { +- return nla_put(skb, attrtype, sizeof(s16), &value); ++ s16 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s16), &tmp); + } + + /** +@@ -910,7 +941,9 @@ static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value) + */ + static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value) + { +- return nla_put(skb, attrtype, sizeof(s32), &value); ++ s32 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s32), &tmp); + } + + /** +@@ -921,7 +954,9 @@ static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value) + */ + static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value) + { +- return nla_put(skb, attrtype, sizeof(s64), &value); ++ s64 tmp = value; ++ ++ return nla_put(skb, attrtype, sizeof(s64), &tmp); + } + + /** +@@ -969,7 +1004,9 @@ static inline int nla_put_msecs(struct sk_buff *skb, int attrtype, + static inline int nla_put_in_addr(struct sk_buff *skb, int attrtype, + __be32 addr) + { +- return nla_put_be32(skb, attrtype, addr); ++ __be32 tmp = addr; ++ ++ return nla_put_be32(skb, attrtype, tmp); + } + + /** +diff --git a/include/net/red.h b/include/net/red.h +index 76e0b5f922c6..3618cdfec884 100644 +--- a/include/net/red.h ++++ b/include/net/red.h +@@ -167,6 +167,17 @@ static inline void red_set_vars(struct red_vars *v) + v->qcount = -1; + } + ++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog) ++{ ++ if (fls(qth_min) + Wlog > 32) ++ return false; ++ if (fls(qth_max) + Wlog > 32) ++ return false; ++ if (qth_max < qth_min) ++ return false; ++ return true; ++} ++ + static inline void red_set_parms(struct red_parms *p, + u32 qth_min, u32 qth_max, u8 Wlog, u8 Plog, + u8 Scell_log, u8 *stab, u32 max_P) +@@ -178,7 +189,7 @@ static inline void red_set_parms(struct red_parms *p, + p->qth_max = qth_max << Wlog; + p->Wlog = Wlog; + p->Plog = Plog; +- if (delta < 0) ++ if (delta <= 0) + delta = 1; + p->qth_delta = delta; + if (!max_P) { +diff --git a/include/scsi/sg.h b/include/scsi/sg.h +index 3afec7032448..20bc71c3e0b8 100644 +--- a/include/scsi/sg.h ++++ b/include/scsi/sg.h +@@ -197,7 +197,6 @@ typedef struct sg_req_info { /* used by SG_GET_REQUEST_TABLE ioctl() */ + #define SG_DEFAULT_RETRIES 0 + + /* Defaults, commented if they differ from original sg driver */ +-#define SG_DEF_FORCE_LOW_DMA 0 /* was 1 -> memory below 16MB on i386 */ + #define SG_DEF_FORCE_PACK_ID 0 + #define SG_DEF_KEEP_ORPHAN 0 + #define SG_DEF_RESERVED_SIZE SG_SCATTER_SZ /* load time option */ +diff --git a/include/trace/events/clk.h b/include/trace/events/clk.h +index 758607226bfd..2cd449328aee 100644 +--- a/include/trace/events/clk.h ++++ b/include/trace/events/clk.h +@@ -134,12 +134,12 @@ DECLARE_EVENT_CLASS(clk_parent, + + TP_STRUCT__entry( + __string( name, core->name ) +- __string( pname, parent->name ) ++ __string( pname, parent ? parent->name : "none" ) + ), + + TP_fast_assign( + __assign_str(name, core->name); +- __assign_str(pname, parent->name); ++ __assign_str(pname, parent ? parent->name : "none"); + ), + + TP_printk("%s %s", __get_str(name), __get_str(pname)) +diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h +index a44062da684b..c0cf08e9f38a 100644 +--- a/include/trace/events/kvm.h ++++ b/include/trace/events/kvm.h +@@ -204,7 +204,7 @@ TRACE_EVENT(kvm_ack_irq, + { KVM_TRACE_MMIO_WRITE, "write" } + + TRACE_EVENT(kvm_mmio, +- TP_PROTO(int type, int len, u64 gpa, u64 val), ++ TP_PROTO(int type, int len, u64 gpa, void *val), + TP_ARGS(type, len, gpa, val), + + TP_STRUCT__entry( +@@ -218,7 +218,10 @@ TRACE_EVENT(kvm_mmio, + __entry->type = type; + __entry->len = len; + __entry->gpa = gpa; +- __entry->val = val; ++ __entry->val = 0; ++ if (val) ++ memcpy(&__entry->val, val, ++ min_t(u32, sizeof(__entry->val), len)); + ), + + TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx", +diff --git a/include/uapi/linux/eventpoll.h b/include/uapi/linux/eventpoll.h +index bc81fb2e1f0e..6f04cb419115 100644 +--- a/include/uapi/linux/eventpoll.h ++++ b/include/uapi/linux/eventpoll.h +@@ -26,6 +26,19 @@ + #define EPOLL_CTL_DEL 2 + #define EPOLL_CTL_MOD 3 + ++/* Epoll event masks */ ++#define EPOLLIN 0x00000001 ++#define EPOLLPRI 0x00000002 ++#define EPOLLOUT 0x00000004 ++#define EPOLLERR 0x00000008 ++#define EPOLLHUP 0x00000010 ++#define EPOLLRDNORM 0x00000040 ++#define EPOLLRDBAND 0x00000080 ++#define EPOLLWRNORM 0x00000100 ++#define EPOLLWRBAND 0x00000200 ++#define EPOLLMSG 0x00000400 ++#define EPOLLRDHUP 0x00002000 ++ + /* + * Request the handling of system wakeup events so as to prevent system suspends + * from happening while those events are being processed. +diff --git a/ipc/msg.c b/ipc/msg.c +index 3b2b0f5149ab..55730c74a42a 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -740,7 +740,10 @@ static inline int convert_mode(long *msgtyp, int msgflg) + if (*msgtyp == 0) + return SEARCH_ANY; + if (*msgtyp < 0) { +- *msgtyp = -*msgtyp; ++ if (*msgtyp == LONG_MIN) /* -LONG_MIN is undefined */ ++ *msgtyp = LONG_MAX; ++ else ++ *msgtyp = -*msgtyp; + return SEARCH_LESSEQUAL; + } + if (msgflg & MSG_EXCEPT) +diff --git a/kernel/acct.c b/kernel/acct.c +index 74963d192c5d..37f1dc696fbd 100644 +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -99,7 +99,7 @@ static int check_free_space(struct bsd_acct_struct *acct) + { + struct kstatfs sbuf; + +- if (time_is_before_jiffies(acct->needcheck)) ++ if (time_is_after_jiffies(acct->needcheck)) + goto out; + + /* May block */ +diff --git a/kernel/async.c b/kernel/async.c +index 4c3773c0bf63..f1fd155abff6 100644 +--- a/kernel/async.c ++++ b/kernel/async.c +@@ -84,20 +84,24 @@ static atomic_t entry_count; + + static async_cookie_t lowest_in_progress(struct async_domain *domain) + { +- struct list_head *pending; ++ struct async_entry *first = NULL; + async_cookie_t ret = ASYNC_COOKIE_MAX; + unsigned long flags; + + spin_lock_irqsave(&async_lock, flags); + +- if (domain) +- pending = &domain->pending; +- else +- pending = &async_global_pending; ++ if (domain) { ++ if (!list_empty(&domain->pending)) ++ first = list_first_entry(&domain->pending, ++ struct async_entry, domain_list); ++ } else { ++ if (!list_empty(&async_global_pending)) ++ first = list_first_entry(&async_global_pending, ++ struct async_entry, global_list); ++ } + +- if (!list_empty(pending)) +- ret = list_first_entry(pending, struct async_entry, +- domain_list)->cookie; ++ if (first) ++ ret = first->cookie; + + spin_unlock_irqrestore(&async_lock, flags); + return ret; +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 54f0e7fcd0e2..199b54e75359 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -361,7 +361,7 @@ select_insn: + DST = tmp; + CONT; + ALU_MOD_X: +- if (unlikely(SRC == 0)) ++ if (unlikely((u32)SRC == 0)) + return 0; + tmp = (u32) DST; + DST = do_div(tmp, (u32) SRC); +@@ -380,7 +380,7 @@ select_insn: + DST = div64_u64(DST, SRC); + CONT; + ALU_DIV_X: +- if (unlikely(SRC == 0)) ++ if (unlikely((u32)SRC == 0)) + return 0; + tmp = (u32) DST; + do_div(tmp, (u32) SRC); +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 1bdc6f910a1d..03d74868c709 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1020,6 +1020,11 @@ static int check_alu_op(struct reg_state *regs, struct bpf_insn *insn) + return -EINVAL; + } + ++ if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) { ++ verbose("BPF_ARSH not supported for 32 bit ALU\n"); ++ return -EINVAL; ++ } ++ + if ((opcode == BPF_LSH || opcode == BPF_RSH || + opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { + int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; +diff --git a/kernel/futex.c b/kernel/futex.c +index 585cf96dab32..4195616b27d9 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1514,6 +1514,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, + struct futex_hash_bucket *hb1, *hb2; + struct futex_q *this, *next; + ++ if (nr_wake < 0 || nr_requeue < 0) ++ return -EINVAL; ++ + if (requeue_pi) { + /* + * Requeue PI only works on two distinct uaddrs. This +@@ -1831,8 +1834,12 @@ static int unqueue_me(struct futex_q *q) + + /* In the common case we don't take the spinlock, which is nice. */ + retry: +- lock_ptr = q->lock_ptr; +- barrier(); ++ /* ++ * q->lock_ptr can change between this read and the following spin_lock. ++ * Use READ_ONCE to forbid the compiler from reloading q->lock_ptr and ++ * optimizing lock_ptr out of the logic below. ++ */ ++ lock_ptr = READ_ONCE(q->lock_ptr); + if (lock_ptr != NULL) { + spin_lock(lock_ptr); + /* +diff --git a/kernel/gcov/Kconfig b/kernel/gcov/Kconfig +index c92e44855ddd..1276aabaab55 100644 +--- a/kernel/gcov/Kconfig ++++ b/kernel/gcov/Kconfig +@@ -37,6 +37,7 @@ config ARCH_HAS_GCOV_PROFILE_ALL + + config GCOV_PROFILE_ALL + bool "Profile entire Kernel" ++ depends on !COMPILE_TEST + depends on GCOV_KERNEL + depends on ARCH_HAS_GCOV_PROFILE_ALL + default n +diff --git a/kernel/groups.c b/kernel/groups.c +index 74d431d25251..5ea9847f172f 100644 +--- a/kernel/groups.c ++++ b/kernel/groups.c +@@ -101,7 +101,7 @@ static int groups_from_user(struct group_info *group_info, + } + + /* a simple Shell sort */ +-static void groups_sort(struct group_info *group_info) ++void groups_sort(struct group_info *group_info) + { + int base, max, stride; + int gidsetsize = group_info->ngroups; +@@ -128,6 +128,7 @@ static void groups_sort(struct group_info *group_info) + stride /= 3; + } + } ++EXPORT_SYMBOL(groups_sort); + + /* a simple bsearch */ + int groups_search(const struct group_info *group_info, kgid_t grp) +@@ -159,7 +160,6 @@ int groups_search(const struct group_info *group_info, kgid_t grp) + void set_groups(struct cred *new, struct group_info *group_info) + { + put_group_info(new->group_info); +- groups_sort(group_info); + get_group_info(group_info); + new->group_info = group_info; + } +@@ -243,6 +243,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) + return retval; + } + ++ groups_sort(group_info); + retval = set_current_groups(group_info); + put_group_info(group_info); + +diff --git a/kernel/module.c b/kernel/module.c +index 6920d1080cdd..c38bf6e486a4 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2233,7 +2233,7 @@ static char elf_type(const Elf_Sym *sym, const struct load_info *info) + } + if (sym->st_shndx == SHN_UNDEF) + return 'U'; +- if (sym->st_shndx == SHN_ABS) ++ if (sym->st_shndx == SHN_ABS || sym->st_shndx == info->index.pcpu) + return 'a'; + if (sym->st_shndx >= SHN_LORESERVE) + return '?'; +@@ -2262,7 +2262,7 @@ static char elf_type(const Elf_Sym *sym, const struct load_info *info) + } + + static bool is_core_symbol(const Elf_Sym *src, const Elf_Shdr *sechdrs, +- unsigned int shnum) ++ unsigned int shnum, unsigned int pcpundx) + { + const Elf_Shdr *sec; + +@@ -2271,6 +2271,11 @@ static bool is_core_symbol(const Elf_Sym *src, const Elf_Shdr *sechdrs, + || !src->st_name) + return false; + ++#ifdef CONFIG_KALLSYMS_ALL ++ if (src->st_shndx == pcpundx) ++ return true; ++#endif ++ + sec = sechdrs + src->st_shndx; + if (!(sec->sh_flags & SHF_ALLOC) + #ifndef CONFIG_KALLSYMS_ALL +@@ -2308,7 +2313,8 @@ static void layout_symtab(struct module *mod, struct load_info *info) + /* Compute total space required for the core symbols' strtab. */ + for (ndst = i = 0; i < nsrc; i++) { + if (i == 0 || +- is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { ++ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum, ++ info->index.pcpu)) { + strtab_size += strlen(&info->strtab[src[i].st_name])+1; + ndst++; + } +@@ -2366,7 +2372,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) + src = mod->kallsyms->symtab; + for (ndst = i = 0; i < mod->kallsyms->num_symtab; i++) { + if (i == 0 || +- is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { ++ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum, ++ info->index.pcpu)) { + dst[ndst] = src[i]; + dst[ndst++].st_name = s - mod->core_kallsyms.strtab; + s += strlcpy(s, &mod->kallsyms->strtab[src[i].st_name], +@@ -2726,8 +2733,12 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) + return -ENOEXEC; + } + +- if (!get_modinfo(info, "intree")) ++ if (!get_modinfo(info, "intree")) { ++ if (!test_taint(TAINT_OOT_MODULE)) ++ pr_warn("%s: loading out-of-tree module taints kernel.\n", ++ mod->name); + add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK); ++ } + + if (get_modinfo(info, "staging")) { + add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK); +@@ -2892,6 +2903,8 @@ static int move_module(struct module *mod, struct load_info *info) + + static int check_module_license_and_versions(struct module *mod) + { ++ int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE); ++ + /* + * ndiswrapper is under GPL by itself, but loads proprietary modules. + * Don't use add_taint_module(), as it would prevent ndiswrapper from +@@ -2910,6 +2923,9 @@ static int check_module_license_and_versions(struct module *mod) + add_taint_module(mod, TAINT_PROPRIETARY_MODULE, + LOCKDEP_NOW_UNRELIABLE); + ++ if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE)) ++ pr_warn("%s: module license taints kernel.\n", mod->name); ++ + #ifdef CONFIG_MODVERSIONS + if ((mod->num_syms && !mod->crcs) + || (mod->num_gpl_syms && !mod->gpl_crcs) +diff --git a/kernel/profile.c b/kernel/profile.c +index a7bcd28d6e9f..7ad939c708b9 100644 +--- a/kernel/profile.c ++++ b/kernel/profile.c +@@ -44,7 +44,7 @@ int prof_on __read_mostly; + EXPORT_SYMBOL_GPL(prof_on); + + static cpumask_var_t prof_cpu_mask; +-#ifdef CONFIG_SMP ++#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS) + static DEFINE_PER_CPU(struct profile_hit *[2], cpu_profile_hits); + static DEFINE_PER_CPU(int, cpu_profile_flip); + static DEFINE_MUTEX(profile_flip_mutex); +@@ -201,7 +201,7 @@ int profile_event_unregister(enum profile_type type, struct notifier_block *n) + } + EXPORT_SYMBOL_GPL(profile_event_unregister); + +-#ifdef CONFIG_SMP ++#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS) + /* + * Each cpu has a pair of open-addressed hashtables for pending + * profile hits. read_profile() IPI's all cpus to request them +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 8fbedeb5553f..9c905bd94ff0 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -32,7 +32,7 @@ + #include <linux/init.h> + #include <linux/uaccess.h> + #include <linux/highmem.h> +-#include <asm/mmu_context.h> ++#include <linux/mmu_context.h> + #include <linux/interrupt.h> + #include <linux/capability.h> + #include <linux/completion.h> +@@ -2339,7 +2339,7 @@ context_switch(struct rq *rq, struct task_struct *prev, + atomic_inc(&oldmm->mm_count); + enter_lazy_tlb(oldmm, next); + } else +- switch_mm(oldmm, mm, next); ++ switch_mm_irqs_off(oldmm, mm, next); + + if (!prev->mm) { + prev->active_mm = NULL; +diff --git a/kernel/signal.c b/kernel/signal.c +index 525a4cda5598..46a2471173b8 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -72,7 +72,7 @@ static int sig_task_ignored(struct task_struct *t, int sig, bool force) + handler = sig_handler(t, sig); + + if (unlikely(t->signal->flags & SIGNAL_UNKILLABLE) && +- handler == SIG_DFL && !force) ++ handler == SIG_DFL && !(force && sig_kernel_only(sig))) + return 1; + + return sig_handler_ignored(handler, sig); +@@ -88,13 +88,15 @@ static int sig_ignored(struct task_struct *t, int sig, bool force) + if (sigismember(&t->blocked, sig) || sigismember(&t->real_blocked, sig)) + return 0; + +- if (!sig_task_ignored(t, sig, force)) +- return 0; +- + /* +- * Tracers may want to know about even ignored signals. ++ * Tracers may want to know about even ignored signal unless it ++ * is SIGKILL which can't be reported anyway but can be ignored ++ * by SIGNAL_UNKILLABLE task. + */ +- return !t->ptrace; ++ if (t->ptrace && sig != SIGKILL) ++ return 0; ++ ++ return sig_task_ignored(t, sig, force); + } + + /* +@@ -960,9 +962,9 @@ static void complete_signal(int sig, struct task_struct *p, int group) + * then start taking the whole group down immediately. + */ + if (sig_fatal(p, sig) && +- !(signal->flags & (SIGNAL_UNKILLABLE | SIGNAL_GROUP_EXIT)) && ++ !(signal->flags & SIGNAL_GROUP_EXIT) && + !sigismember(&t->real_blocked, sig) && +- (sig == SIGKILL || !t->ptrace)) { ++ (sig == SIGKILL || !p->ptrace)) { + /* + * This signal will be fatal to the whole group. + */ +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 93ef7190bdea..e82a5f40a0ac 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -292,7 +292,7 @@ EXPORT_SYMBOL_GPL(__ktime_divns); + */ + ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs) + { +- ktime_t res = ktime_add(lhs, rhs); ++ ktime_t res = ktime_add_unsafe(lhs, rhs); + + /* + * We use KTIME_SEC_MAX here, the maximum timeout which we can +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 31ea01f42e1f..2cca2e79c643 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -500,17 +500,22 @@ static struct pid *good_sigevent(sigevent_t * event) + { + struct task_struct *rtn = current->group_leader; + +- if ((event->sigev_notify & SIGEV_THREAD_ID ) && +- (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) || +- !same_thread_group(rtn, current) || +- (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL)) ++ switch (event->sigev_notify) { ++ case SIGEV_SIGNAL | SIGEV_THREAD_ID: ++ rtn = find_task_by_vpid(event->sigev_notify_thread_id); ++ if (!rtn || !same_thread_group(rtn, current)) ++ return NULL; ++ /* FALLTHRU */ ++ case SIGEV_SIGNAL: ++ case SIGEV_THREAD: ++ if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX) ++ return NULL; ++ /* FALLTHRU */ ++ case SIGEV_NONE: ++ return task_pid(rtn); ++ default: + return NULL; +- +- if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) && +- ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX))) +- return NULL; +- +- return task_pid(rtn); ++ } + } + + void posix_timers_register_clock(const clockid_t clock_id, +@@ -738,8 +743,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting) + /* interval timer ? */ + if (iv.tv64) + cur_setting->it_interval = ktime_to_timespec(iv); +- else if (!hrtimer_active(timer) && +- (timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) ++ else if (!hrtimer_active(timer) && timr->it_sigev_notify != SIGEV_NONE) + return; + + now = timer->base->get_time(); +@@ -750,7 +754,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting) + * expiry is > now. + */ + if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING || +- (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) ++ timr->it_sigev_notify == SIGEV_NONE)) + timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv); + + remaining = ktime_sub(hrtimer_get_expires(timer), now); +@@ -760,7 +764,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting) + * A single shot SIGEV_NONE timer must return 0, when + * it is expired ! + */ +- if ((timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) ++ if (timr->it_sigev_notify != SIGEV_NONE) + cur_setting->it_value.tv_nsec = 1; + } else + cur_setting->it_value = ktime_to_timespec(remaining); +@@ -858,7 +862,7 @@ common_timer_set(struct k_itimer *timr, int flags, + timr->it.real.interval = timespec_to_ktime(new_setting->it_interval); + + /* SIGEV_NONE timers are not queued ! See common_timer_get */ +- if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) { ++ if (timr->it_sigev_notify == SIGEV_NONE) { + /* Setup correct expiry time for relative timers */ + if (mode == HRTIMER_MODE_REL) { + hrtimer_add_expires(timer, timer->base->get_time()); +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 483cecfa5c17..1994901ef239 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -57,7 +57,8 @@ static struct tracer_flags blk_tracer_flags = { + }; + + /* Global reference count of probes */ +-static atomic_t blk_probes_ref = ATOMIC_INIT(0); ++static DEFINE_MUTEX(blk_probe_mutex); ++static int blk_probes_ref; + + static void blk_register_tracepoints(void); + static void blk_unregister_tracepoints(void); +@@ -300,11 +301,26 @@ static void blk_trace_free(struct blk_trace *bt) + kfree(bt); + } + ++static void get_probe_ref(void) ++{ ++ mutex_lock(&blk_probe_mutex); ++ if (++blk_probes_ref == 1) ++ blk_register_tracepoints(); ++ mutex_unlock(&blk_probe_mutex); ++} ++ ++static void put_probe_ref(void) ++{ ++ mutex_lock(&blk_probe_mutex); ++ if (!--blk_probes_ref) ++ blk_unregister_tracepoints(); ++ mutex_unlock(&blk_probe_mutex); ++} ++ + static void blk_trace_cleanup(struct blk_trace *bt) + { + blk_trace_free(bt); +- if (atomic_dec_and_test(&blk_probes_ref)) +- blk_unregister_tracepoints(); ++ put_probe_ref(); + } + + int blk_trace_remove(struct request_queue *q) +@@ -527,8 +543,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + goto err; + } + +- if (atomic_inc_return(&blk_probes_ref) == 1) +- blk_register_tracepoints(); ++ get_probe_ref(); + + return 0; + err: +@@ -1474,9 +1489,7 @@ static int blk_trace_remove_queue(struct request_queue *q) + if (bt == NULL) + return -EINVAL; + +- if (atomic_dec_and_test(&blk_probes_ref)) +- blk_unregister_tracepoints(); +- ++ put_probe_ref(); + blk_trace_free(bt); + return 0; + } +@@ -1510,8 +1523,7 @@ static int blk_trace_setup_queue(struct request_queue *q, + goto free_bt; + } + +- if (atomic_inc_return(&blk_probes_ref) == 1) +- blk_register_tracepoints(); ++ get_probe_ref(); + return 0; + + free_bt: +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 75c5271a56c2..40bc77080fad 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -332,6 +332,8 @@ EXPORT_SYMBOL_GPL(ring_buffer_event_data); + /* Missed count stored at end */ + #define RB_MISSED_STORED (1 << 30) + ++#define RB_MISSED_FLAGS (RB_MISSED_EVENTS|RB_MISSED_STORED) ++ + struct buffer_data_page { + u64 time_stamp; /* page time stamp */ + local_t commit; /* write committed index */ +@@ -383,7 +385,9 @@ static void rb_init_page(struct buffer_data_page *bpage) + */ + size_t ring_buffer_page_len(void *page) + { +- return local_read(&((struct buffer_data_page *)page)->commit) ++ struct buffer_data_page *bpage = page; ++ ++ return (local_read(&bpage->commit) & ~RB_MISSED_FLAGS) + + BUF_PAGE_HDR_SIZE; + } + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 7a26798ffbf9..d03f7eadc1f3 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -5719,7 +5719,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + .spd_release = buffer_spd_release, + }; + struct buffer_ref *ref; +- int entries, size, i; ++ int entries, i; + ssize_t ret = 0; + + #ifdef CONFIG_TRACER_MAX_TRACE +@@ -5770,14 +5770,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + break; + } + +- /* +- * zero out any left over data, this is going to +- * user land. +- */ +- size = ring_buffer_page_len(ref->page); +- if (size < PAGE_SIZE) +- memset(ref->page + size, 0, PAGE_SIZE - size); +- + page = virt_to_page(ref->page); + + spd.pages[i] = page; +@@ -6448,6 +6440,7 @@ allocate_trace_buffer(struct trace_array *tr, struct trace_buffer *buf, int size + buf->data = alloc_percpu(struct trace_array_cpu); + if (!buf->data) { + ring_buffer_free(buf->buffer); ++ buf->buffer = NULL; + return -ENOMEM; + } + +@@ -6471,7 +6464,9 @@ static int allocate_trace_buffers(struct trace_array *tr, int size) + allocate_snapshot ? size : 1); + if (WARN_ON(ret)) { + ring_buffer_free(tr->trace_buffer.buffer); ++ tr->trace_buffer.buffer = NULL; + free_percpu(tr->trace_buffer.data); ++ tr->trace_buffer.data = NULL; + return -ENOMEM; + } + tr->allocated_snapshot = allocate_snapshot; +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index 6459f77e2c72..d19406850b0d 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -1819,6 +1819,7 @@ void trace_event_enum_update(struct trace_enum_map **map, int len) + { + struct ftrace_event_call *call, *p; + const char *last_system = NULL; ++ bool first = false; + int last_i; + int i; + +@@ -1826,15 +1827,28 @@ void trace_event_enum_update(struct trace_enum_map **map, int len) + list_for_each_entry_safe(call, p, &ftrace_events, list) { + /* events are usually grouped together with systems */ + if (!last_system || call->class->system != last_system) { ++ first = true; + last_i = 0; + last_system = call->class->system; + } + ++ /* ++ * Since calls are grouped by systems, the likelyhood that the ++ * next call in the iteration belongs to the same system as the ++ * previous call is high. As an optimization, we skip seaching ++ * for a map[] that matches the call's system if the last call ++ * was from the same system. That's what last_i is for. If the ++ * call has the same system as the previous call, then last_i ++ * will be the index of the first map[] that has a matching ++ * system. ++ */ + for (i = last_i; i < len; i++) { + if (call->class->system == map[i]->system) { + /* Save the first system if need be */ +- if (!last_i) ++ if (first) { + last_i = i; ++ first = false; ++ } + update_event_printk(call, map[i]); + } + } +diff --git a/kernel/uid16.c b/kernel/uid16.c +index d58cc4d8f0d1..651aaa5221ec 100644 +--- a/kernel/uid16.c ++++ b/kernel/uid16.c +@@ -190,6 +190,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist) + return retval; + } + ++ groups_sort(group_info); + retval = set_current_groups(group_info); + put_group_info(group_info); + +diff --git a/lib/oid_registry.c b/lib/oid_registry.c +index 318f382a010d..150e04d70303 100644 +--- a/lib/oid_registry.c ++++ b/lib/oid_registry.c +@@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize) + int count; + + if (v >= end) +- return -EBADMSG; ++ goto bad; + + n = *v++; + ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40); +@@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize) + num = n & 0x7f; + do { + if (v >= end) +- return -EBADMSG; ++ goto bad; + n = *v++; + num <<= 7; + num |= n & 0x7f; +@@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize) + } + + return ret; ++ ++bad: ++ snprintf(buffer, bufsize, "(bad)"); ++ return -EBADMSG; + } + EXPORT_SYMBOL_GPL(sprint_oid); + +diff --git a/mm/cma.c b/mm/cma.c +index 3a7a67b93394..3b4e38689202 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -54,7 +54,7 @@ unsigned long cma_get_size(const struct cma *cma) + } + + static unsigned long cma_bitmap_aligned_mask(const struct cma *cma, +- int align_order) ++ unsigned int align_order) + { + if (align_order <= cma->order_per_bit) + return 0; +@@ -62,17 +62,14 @@ static unsigned long cma_bitmap_aligned_mask(const struct cma *cma, + } + + /* +- * Find a PFN aligned to the specified order and return an offset represented in +- * order_per_bits. ++ * Find the offset of the base PFN from the specified align_order. ++ * The value returned is represented in order_per_bits. + */ + static unsigned long cma_bitmap_aligned_offset(const struct cma *cma, +- int align_order) ++ unsigned int align_order) + { +- if (align_order <= cma->order_per_bit) +- return 0; +- +- return (ALIGN(cma->base_pfn, (1UL << align_order)) +- - cma->base_pfn) >> cma->order_per_bit; ++ return (cma->base_pfn & ((1UL << align_order) - 1)) ++ >> cma->order_per_bit; + } + + static unsigned long cma_bitmap_pages_to_bits(const struct cma *cma, +diff --git a/mm/early_ioremap.c b/mm/early_ioremap.c +index e10ccd299d66..5edcf1b37fa6 100644 +--- a/mm/early_ioremap.c ++++ b/mm/early_ioremap.c +@@ -102,7 +102,7 @@ __early_ioremap(resource_size_t phys_addr, unsigned long size, pgprot_t prot) + enum fixed_addresses idx; + int i, slot; + +- WARN_ON(system_state != SYSTEM_BOOTING); ++ WARN_ON(system_state >= SYSTEM_RUNNING); + + slot = -1; + for (i = 0; i < FIX_BTMAPS_SLOTS; i++) { +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 221762e24a68..696b5bbac2e0 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5641,7 +5641,7 @@ static void uncharge_list(struct list_head *page_list) + next = page->lru.next; + + VM_BUG_ON_PAGE(PageLRU(page), page); +- VM_BUG_ON_PAGE(page_count(page), page); ++ VM_BUG_ON_PAGE(!PageHWPoison(page) && page_count(page), page); + + if (!page->mem_cgroup) + continue; +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 321f5632c17b..7c57635958f2 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -582,6 +582,13 @@ static int delete_from_lru_cache(struct page *p) + */ + ClearPageActive(p); + ClearPageUnevictable(p); ++ ++ /* ++ * Poisoned page might never drop its ref count to 0 so we have ++ * to uncharge it manually from its memcg. ++ */ ++ mem_cgroup_uncharge(p); ++ + /* + * drop the page count elevated by isolate_lru_page() + */ +diff --git a/mm/memory.c b/mm/memory.c +index fc449016d10e..942daab4dc57 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -71,7 +71,7 @@ + + #include "internal.h" + +-#ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS ++#if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST) + #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid. + #endif + +diff --git a/mm/mmap.c b/mm/mmap.c +index 1094833d0e82..d730c1b91a12 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2179,7 +2179,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) + if (gap_addr < address) + return -ENOMEM; + next = vma->vm_next; +- if (next && next->vm_start < gap_addr) { ++ if (next && next->vm_start < gap_addr && ++ (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { + if (!(next->vm_flags & VM_GROWSUP)) + return -ENOMEM; + /* Check that both stack segments have the same anon_vma? */ +@@ -2260,7 +2261,8 @@ int expand_downwards(struct vm_area_struct *vma, + if (gap_addr > address) + return -ENOMEM; + prev = vma->vm_prev; +- if (prev && prev->vm_end > gap_addr) { ++ if (prev && prev->vm_end > gap_addr && ++ (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { + if (!(prev->vm_flags & VM_GROWSDOWN)) + return -ENOMEM; + /* Check that both stack segments have the same anon_vma? */ +diff --git a/mm/mmu_context.c b/mm/mmu_context.c +index f802c2d216a7..6f4d27c5bb32 100644 +--- a/mm/mmu_context.c ++++ b/mm/mmu_context.c +@@ -4,9 +4,9 @@ + */ + + #include <linux/mm.h> ++#include <linux/sched.h> + #include <linux/mmu_context.h> + #include <linux/export.h> +-#include <linux/sched.h> + + #include <asm/mmu_context.h> + +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index eb59f7eea508..308757ae508d 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -967,6 +967,7 @@ static void bdi_update_dirty_ratelimit(struct backing_dev_info *bdi, + unsigned long pos_ratio; + unsigned long step; + unsigned long x; ++ unsigned long shift; + + /* + * The dirty rate will match the writeout rate in long term, except +@@ -1094,11 +1095,11 @@ static void bdi_update_dirty_ratelimit(struct backing_dev_info *bdi, + * rate itself is constantly fluctuating. So decrease the track speed + * when it gets close to the target. Helps eliminate pointless tremors. + */ +- step >>= dirty_ratelimit / (2 * step + 1); +- /* +- * Limit the tracking speed to avoid overshooting. +- */ +- step = (step + 7) / 8; ++ shift = dirty_ratelimit / (2 * step + 1); ++ if (shift < BITS_PER_LONG) ++ step = DIV_ROUND_UP(step >> shift, 8); ++ else ++ step = 0; + + if (dirty_ratelimit < balanced_dirty_ratelimit) + dirty_ratelimit += step; +diff --git a/mm/util.c b/mm/util.c +index 68ff8a5361e7..4baa25c35af8 100644 +--- a/mm/util.c ++++ b/mm/util.c +@@ -80,6 +80,8 @@ EXPORT_SYMBOL(kstrdup_const); + * @s: the string to duplicate + * @max: read at most @max chars from @s + * @gfp: the GFP mask used in the kmalloc() call when allocating memory ++ * ++ * Note: Use kmemdup_nul() instead if the size is known exactly. + */ + char *kstrndup(const char *s, size_t max, gfp_t gfp) + { +@@ -117,6 +119,28 @@ void *kmemdup(const void *src, size_t len, gfp_t gfp) + } + EXPORT_SYMBOL(kmemdup); + ++/** ++ * kmemdup_nul - Create a NUL-terminated string from unterminated data ++ * @s: The data to stringify ++ * @len: The size of the data ++ * @gfp: the GFP mask used in the kmalloc() call when allocating memory ++ */ ++char *kmemdup_nul(const char *s, size_t len, gfp_t gfp) ++{ ++ char *buf; ++ ++ if (!s) ++ return NULL; ++ ++ buf = kmalloc_track_caller(len + 1, gfp); ++ if (buf) { ++ memcpy(buf, s, len); ++ buf[len] = '\0'; ++ } ++ return buf; ++} ++EXPORT_SYMBOL(kmemdup_nul); ++ + /** + * memdup_user - duplicate memory region from user space + * +diff --git a/mm/vmscan.c b/mm/vmscan.c +index f16e330e1096..c6033260e739 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -223,10 +223,13 @@ EXPORT_SYMBOL(register_shrinker); + */ + void unregister_shrinker(struct shrinker *shrinker) + { ++ if (!shrinker->nr_deferred) ++ return; + down_write(&shrinker_rwsem); + list_del(&shrinker->list); + up_write(&shrinker_rwsem); + kfree(shrinker->nr_deferred); ++ shrinker->nr_deferred = NULL; + } + EXPORT_SYMBOL(unregister_shrinker); + +diff --git a/mm/vmstat.c b/mm/vmstat.c +index 4f5cd974e11a..9b525cd66ca6 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1326,7 +1326,9 @@ static int vmstat_show(struct seq_file *m, void *arg) + unsigned long *l = arg; + unsigned long off = l - (unsigned long *)m->private; + +- seq_printf(m, "%s %lu\n", vmstat_text[off], *l); ++ seq_puts(m, vmstat_text[off]); ++ seq_put_decimal_ull(m, ' ', *l); ++ seq_putc(m, '\n'); + return 0; + } + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index ce53c8691604..6ce54eed45e8 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) + vlan_gvrp_uninit_applicant(real_dev); + } + +- /* Take it out of our own structures, but be sure to interlock with +- * HW accelerating devices or SW vlan input packet processing if +- * VLAN is not 0 (leave it there for 802.1p). +- */ +- if (vlan_id) +- vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); ++ vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); + + /* Get rid of the vlan's reference to real_dev */ + dev_put(real_dev); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 9b6b35977f48..915a584b4e19 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3346,9 +3346,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + break; + + case L2CAP_CONF_EFS: +- remote_efs = 1; +- if (olen == sizeof(efs)) ++ if (olen == sizeof(efs)) { ++ remote_efs = 1; + memcpy(&efs, (void *) val, olen); ++ } + break; + + case L2CAP_CONF_EWS: +@@ -3567,16 +3568,17 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, + break; + + case L2CAP_CONF_EFS: +- if (olen == sizeof(efs)) ++ if (olen == sizeof(efs)) { + memcpy(&efs, (void *)val, olen); + +- if (chan->local_stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != chan->local_stype) +- return -ECONNREFUSED; ++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != chan->local_stype) ++ return -ECONNREFUSED; + +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), +- (unsigned long) &efs, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), ++ (unsigned long) &efs, endptr - ptr); ++ } + break; + + case L2CAP_CONF_FCS: +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 62c635f2bcfc..2a55c0ce9490 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -714,13 +714,12 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev, + if (unlikely(!net_eq(dev_net(dev), &init_net))) + goto drop; + +- if (WARN_ONCE(dev->type != ARPHRD_CAN || +- skb->len != CAN_MTU || +- cfd->len > CAN_MAX_DLEN, +- "PF_CAN: dropped non conform CAN skbuf: " +- "dev type %d, len %d, datalen %d\n", +- dev->type, skb->len, cfd->len)) ++ if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU || ++ cfd->len > CAN_MAX_DLEN)) { ++ pr_warn_once("PF_CAN: dropped non conform CAN skbuf: dev type %d, len %d, datalen %d\n", ++ dev->type, skb->len, cfd->len); + goto drop; ++ } + + can_receive(skb, dev); + return NET_RX_SUCCESS; +@@ -738,13 +737,12 @@ static int canfd_rcv(struct sk_buff *skb, struct net_device *dev, + if (unlikely(!net_eq(dev_net(dev), &init_net))) + goto drop; + +- if (WARN_ONCE(dev->type != ARPHRD_CAN || +- skb->len != CANFD_MTU || +- cfd->len > CANFD_MAX_DLEN, +- "PF_CAN: dropped non conform CAN FD skbuf: " +- "dev type %d, len %d, datalen %d\n", +- dev->type, skb->len, cfd->len)) ++ if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU || ++ cfd->len > CANFD_MAX_DLEN)) { ++ pr_warn_once("PF_CAN: dropped non conform CAN FD skbuf: dev type %d, len %d, datalen %d\n", ++ dev->type, skb->len, cfd->len); + goto drop; ++ } + + can_receive(skb, dev); + return NET_RX_SUCCESS; +diff --git a/net/core/dev.c b/net/core/dev.c +index 4d4213b6f7f6..0ccae464b46e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2513,7 +2513,7 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb, + + segs = skb_mac_gso_segment(skb, features); + +- if (unlikely(skb_needs_check(skb, tx_path))) ++ if (unlikely(skb_needs_check(skb, tx_path) && !IS_ERR(segs))) + skb_warn_bad_offload(skb); + + return segs; +@@ -2803,10 +2803,21 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + hdr_len = skb_transport_header(skb) - skb_mac_header(skb); + + /* + transport layer */ +- if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) +- hdr_len += tcp_hdrlen(skb); +- else +- hdr_len += sizeof(struct udphdr); ++ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) { ++ const struct tcphdr *th; ++ struct tcphdr _tcphdr; ++ ++ th = skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_tcphdr), &_tcphdr); ++ if (likely(th)) ++ hdr_len += __tcp_hdrlen(th); ++ } else { ++ struct udphdr _udphdr; ++ ++ if (skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_udphdr), &_udphdr)) ++ hdr_len += sizeof(struct udphdr); ++ } + + if (shinfo->gso_type & SKB_GSO_DODGY) + gso_segs = DIV_ROUND_UP(skb->len - hdr_len, +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index cb9a7ab5444c..5fd6c6e699aa 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -492,7 +492,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey, + if (atomic_read(&tbl->entries) > (1 << nht->hash_shift)) + nht = neigh_hash_grow(tbl, nht->hash_shift + 1); + +- hash_val = tbl->hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift); ++ hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift); + + if (n->parms->dead) { + rc = ERR_PTR(-EINVAL); +@@ -504,7 +504,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey, + n1 != NULL; + n1 = rcu_dereference_protected(n1->next, + lockdep_is_held(&tbl->lock))) { +- if (dev == n1->dev && !memcmp(n1->primary_key, pkey, key_len)) { ++ if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) { + if (want_ref) + neigh_hold(n1); + rc = n1; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 97a1fa140a9b..853e82075ebd 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3694,7 +3694,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, + struct sock *sk = skb->sk; + + if (!skb_may_tx_timestamp(sk, false)) +- return; ++ goto err; + + /* Take a reference to prevent skb_orphan() from freeing the socket, + * but only if the socket refcount is not zero. +@@ -3703,7 +3703,11 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, + *skb_hwtstamps(skb) = *hwtstamps; + __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); + sock_put(sk); ++ return; + } ++ ++err: ++ kfree_skb(skb); + } + EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp); + +diff --git a/net/core/sock.c b/net/core/sock.c +index 76e0b874f378..7697148eec4f 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -729,7 +729,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + val = min_t(u32, val, sysctl_wmem_max); + set_sndbuf: + sk->sk_userlocks |= SOCK_SNDBUF_LOCK; +- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); ++ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF); + /* Wake up sending tasks if we upped the value. */ + sk->sk_write_space(sk); + break; +@@ -765,7 +765,7 @@ set_rcvbuf: + * returning the value we actually used in getsockopt + * is the most desirable behavior. + */ +- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); ++ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF); + break; + + case SO_RCVBUFFORCE: +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index a6beb7b6ae55..f5ef2115871f 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -360,14 +360,16 @@ static struct ctl_table net_core_table[] = { + .data = &sysctl_net_busy_poll, + .maxlen = sizeof(unsigned int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, + }, + { + .procname = "busy_read", + .data = &sysctl_net_busy_read, + .maxlen = sizeof(unsigned int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, + }, + #endif + #ifdef CONFIG_NET_SCHED +diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c +index 5e3a7302f774..7753681195c1 100644 +--- a/net/dccp/ccids/ccid2.c ++++ b/net/dccp/ccids/ccid2.c +@@ -140,6 +140,9 @@ static void ccid2_hc_tx_rto_expire(unsigned long data) + + ccid2_pr_debug("RTO_EXPIRE\n"); + ++ if (sk->sk_state == DCCP_CLOSED) ++ goto out; ++ + /* back-off timer */ + hc->tx_rto <<= 1; + if (hc->tx_rto > DCCP_RTO_MAX) +diff --git a/net/dccp/proto.c b/net/dccp/proto.c +index 522658179cca..a20dc23360f9 100644 +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags) + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct inet_sock *inet = inet_sk(sk); ++ struct dccp_sock *dp = dccp_sk(sk); + int err = 0; + const int old_state = sk->sk_state; + +@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags) + sk->sk_err = ECONNRESET; + + dccp_clear_xmit_timers(sk); ++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); ++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); ++ dp->dccps_hc_rx_ccid = NULL; ++ dp->dccps_hc_tx_ccid = NULL; + + __skb_queue_purge(&sk->sk_receive_queue); + __skb_queue_purge(&sk->sk_write_queue); +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 2783c538ec19..e31f0da7537a 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -1337,6 +1337,12 @@ static int dn_setsockopt(struct socket *sock, int level, int optname, char __use + lock_sock(sk); + err = __dn_setsockopt(sock, level, optname, optval, optlen, 0); + release_sock(sk); ++#ifdef CONFIG_NETFILTER ++ /* we need to exclude all possible ENOPROTOOPTs except default case */ ++ if (err == -ENOPROTOOPT && optname != DSO_LINKINFO && ++ optname != DSO_STREAM && optname != DSO_SEQPACKET) ++ err = nf_setsockopt(sk, PF_DECnet, optname, optval, optlen); ++#endif + + return err; + } +@@ -1444,15 +1450,6 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us + dn_nsp_send_disc(sk, 0x38, 0, sk->sk_allocation); + break; + +- default: +-#ifdef CONFIG_NETFILTER +- return nf_setsockopt(sk, PF_DECnet, optname, optval, optlen); +-#endif +- case DSO_LINKINFO: +- case DSO_STREAM: +- case DSO_SEQPACKET: +- return -ENOPROTOOPT; +- + case DSO_MAXWINDOW: + if (optlen != sizeof(unsigned long)) + return -EINVAL; +@@ -1500,6 +1497,12 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us + return -EINVAL; + scp->info_loc = u.info; + break; ++ ++ case DSO_LINKINFO: ++ case DSO_STREAM: ++ case DSO_SEQPACKET: ++ default: ++ return -ENOPROTOOPT; + } + + return 0; +@@ -1513,6 +1516,20 @@ static int dn_getsockopt(struct socket *sock, int level, int optname, char __use + lock_sock(sk); + err = __dn_getsockopt(sock, level, optname, optval, optlen, 0); + release_sock(sk); ++#ifdef CONFIG_NETFILTER ++ if (err == -ENOPROTOOPT && optname != DSO_STREAM && ++ optname != DSO_SEQPACKET && optname != DSO_CONACCEPT && ++ optname != DSO_CONREJECT) { ++ int len; ++ ++ if (get_user(len, optlen)) ++ return -EFAULT; ++ ++ err = nf_getsockopt(sk, PF_DECnet, optname, optval, &len); ++ if (err >= 0) ++ err = put_user(len, optlen); ++ } ++#endif + + return err; + } +@@ -1578,26 +1595,6 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us + r_data = &link; + break; + +- default: +-#ifdef CONFIG_NETFILTER +- { +- int ret, len; +- +- if (get_user(len, optlen)) +- return -EFAULT; +- +- ret = nf_getsockopt(sk, PF_DECnet, optname, optval, &len); +- if (ret >= 0) +- ret = put_user(len, optlen); +- return ret; +- } +-#endif +- case DSO_STREAM: +- case DSO_SEQPACKET: +- case DSO_CONACCEPT: +- case DSO_CONREJECT: +- return -ENOPROTOOPT; +- + case DSO_MAXWINDOW: + if (r_len > sizeof(unsigned long)) + r_len = sizeof(unsigned long); +@@ -1629,6 +1626,13 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us + r_len = sizeof(unsigned char); + r_data = &scp->info_rem; + break; ++ ++ case DSO_STREAM: ++ case DSO_SEQPACKET: ++ case DSO_CONACCEPT: ++ case DSO_CONREJECT: ++ default: ++ return -ENOPROTOOPT; + } + + if (r_data) { +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c +index a7e74fbf2ce6..24b4174a84bf 100644 +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -221,11 +221,16 @@ static bool arp_key_eq(const struct neighbour *neigh, const void *pkey) + + static int arp_constructor(struct neighbour *neigh) + { +- __be32 addr = *(__be32 *)neigh->primary_key; ++ __be32 addr; + struct net_device *dev = neigh->dev; + struct in_device *in_dev; + struct neigh_parms *parms; ++ u32 inaddr_any = INADDR_ANY; + ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) ++ memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len); ++ ++ addr = *(__be32 *)neigh->primary_key; + rcu_read_lock(); + in_dev = __in_dev_get_rcu(dev); + if (!in_dev) { +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index a57056d87a43..1d2fba4aeeb2 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1359,7 +1359,7 @@ skip: + + static bool inetdev_valid_mtu(unsigned int mtu) + { +- return mtu >= 68; ++ return mtu >= IPV4_MIN_MTU; + } + + static void inetdev_send_gratuitous_arp(struct net_device *dev, +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index a8db70b7fe45..5095491e6141 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1181,7 +1181,7 @@ fail: + + static void ip_fib_net_exit(struct net *net) + { +- unsigned int i; ++ int i; + + rtnl_lock(); + #ifdef CONFIG_IP_MULTIPLE_TABLES +@@ -1189,7 +1189,12 @@ static void ip_fib_net_exit(struct net *net) + RCU_INIT_POINTER(net->ipv4.fib_main, NULL); + RCU_INIT_POINTER(net->ipv4.fib_default, NULL); + #endif +- for (i = 0; i < FIB_TABLE_HASHSZ; i++) { ++ /* Destroy the tables in reverse order to guarantee that the ++ * local table, ID 255, is destroyed before the main table, ID ++ * 254. This is necessary as the local table may contain ++ * references to data contained in the main table. ++ */ ++ for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) { + struct hlist_head *head = &net->ipv4.fib_table_hash[i]; + struct hlist_node *tmp; + struct fib_table *tb; +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index e2d3d62297ec..c17485bcb18a 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -89,6 +89,7 @@ + #include <linux/rtnetlink.h> + #include <linux/times.h> + #include <linux/pkt_sched.h> ++#include <linux/byteorder/generic.h> + + #include <net/net_namespace.h> + #include <net/arp.h> +@@ -319,6 +320,23 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted) + return scount; + } + ++/* source address selection per RFC 3376 section 4.2.13 */ ++static __be32 igmpv3_get_srcaddr(struct net_device *dev, ++ const struct flowi4 *fl4) ++{ ++ struct in_device *in_dev = __in_dev_get_rcu(dev); ++ ++ if (!in_dev) ++ return htonl(INADDR_ANY); ++ ++ for_ifa(in_dev) { ++ if (fl4->saddr == ifa->ifa_local) ++ return fl4->saddr; ++ } endfor_ifa(in_dev); ++ ++ return htonl(INADDR_ANY); ++} ++ + static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu) + { + struct sk_buff *skb; +@@ -366,7 +384,11 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu) + pip->frag_off = htons(IP_DF); + pip->ttl = 1; + pip->daddr = fl4.daddr; +- pip->saddr = fl4.saddr; ++ ++ rcu_read_lock(); ++ pip->saddr = igmpv3_get_srcaddr(dev, &fl4); ++ rcu_read_unlock(); ++ + pip->protocol = IPPROTO_IGMP; + pip->tot_len = 0; /* filled in later */ + ip_select_ident(net, skb, NULL); +@@ -402,16 +424,17 @@ static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel) + } + + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc, +- int type, struct igmpv3_grec **ppgr) ++ int type, struct igmpv3_grec **ppgr, unsigned int mtu) + { + struct net_device *dev = pmc->interface->dev; + struct igmpv3_report *pih; + struct igmpv3_grec *pgr; + +- if (!skb) +- skb = igmpv3_newpack(dev, dev->mtu); +- if (!skb) +- return NULL; ++ if (!skb) { ++ skb = igmpv3_newpack(dev, mtu); ++ if (!skb) ++ return NULL; ++ } + pgr = (struct igmpv3_grec *)skb_put(skb, sizeof(struct igmpv3_grec)); + pgr->grec_type = type; + pgr->grec_auxwords = 0; +@@ -433,10 +456,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, + struct igmpv3_grec *pgr = NULL; + struct ip_sf_list *psf, *psf_next, *psf_prev, **psf_list; + int scount, stotal, first, isquery, truncate; ++ unsigned int mtu; + + if (pmc->multiaddr == IGMP_ALL_HOSTS) + return skb; + ++ mtu = READ_ONCE(dev->mtu); ++ if (mtu < IPV4_MIN_MTU) ++ return skb; ++ + isquery = type == IGMPV3_MODE_IS_INCLUDE || + type == IGMPV3_MODE_IS_EXCLUDE; + truncate = type == IGMPV3_MODE_IS_EXCLUDE || +@@ -457,7 +485,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { + if (skb) + igmpv3_sendpack(skb); +- skb = igmpv3_newpack(dev, dev->mtu); ++ skb = igmpv3_newpack(dev, mtu); + } + } + first = 1; +@@ -484,12 +512,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, + pgr->grec_nsrcs = htons(scount); + if (skb) + igmpv3_sendpack(skb); +- skb = igmpv3_newpack(dev, dev->mtu); ++ skb = igmpv3_newpack(dev, mtu); + first = 1; + scount = 0; + } + if (first) { +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + first = 0; + } + if (!skb) +@@ -523,7 +551,7 @@ empty_source: + igmpv3_sendpack(skb); + skb = NULL; /* add_grhead will get a new one */ + } +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + } + } + if (pgr) +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index b6c7bdea4853..67c1333422a4 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -1203,11 +1203,8 @@ int ip_setsockopt(struct sock *sk, int level, + if (err == -ENOPROTOOPT && optname != IP_HDRINCL && + optname != IP_IPSEC_POLICY && + optname != IP_XFRM_POLICY && +- !ip_mroute_opt(optname)) { +- lock_sock(sk); ++ !ip_mroute_opt(optname)) + err = nf_setsockopt(sk, PF_INET, optname, optval, optlen); +- release_sock(sk); +- } + #endif + return err; + } +@@ -1232,12 +1229,9 @@ int compat_ip_setsockopt(struct sock *sk, int level, int optname, + if (err == -ENOPROTOOPT && optname != IP_HDRINCL && + optname != IP_IPSEC_POLICY && + optname != IP_XFRM_POLICY && +- !ip_mroute_opt(optname)) { +- lock_sock(sk); +- err = compat_nf_setsockopt(sk, PF_INET, optname, +- optval, optlen); +- release_sock(sk); +- } ++ !ip_mroute_opt(optname)) ++ err = compat_nf_setsockopt(sk, PF_INET, optname, optval, ++ optlen); + #endif + return err; + } +@@ -1497,10 +1491,7 @@ int ip_getsockopt(struct sock *sk, int level, + if (get_user(len, optlen)) + return -EFAULT; + +- lock_sock(sk); +- err = nf_getsockopt(sk, PF_INET, optname, optval, +- &len); +- release_sock(sk); ++ err = nf_getsockopt(sk, PF_INET, optname, optval, &len); + if (err >= 0) + err = put_user(len, optlen); + return err; +@@ -1532,9 +1523,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- lock_sock(sk); + err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len); +- release_sock(sk); + if (err >= 0) + err = put_user(len, optlen); + return err; +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 35080a708b59..169bf7d1d8ca 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -393,8 +393,8 @@ static int ip_tunnel_bind_dev(struct net_device *dev) + dev->needed_headroom = t_hlen + hlen; + mtu -= (dev->hard_header_len + t_hlen); + +- if (mtu < 68) +- mtu = 68; ++ if (mtu < IPV4_MIN_MTU) ++ mtu = IPV4_MIN_MTU; + + return mtu; + } +diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c +index 8e7328c6a390..6389616ccc3f 100644 +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -148,7 +148,11 @@ static char vendor_class_identifier[253] __initdata; + + /* Persistent data: */ + ++#ifdef IPCONFIG_DYNAMIC + static int ic_proto_used; /* Protocol used, if any */ ++#else ++#define ic_proto_used 0 ++#endif + static __be32 ic_nameservers[CONF_NAMESERVERS_MAX]; /* DNS Server IP addresses */ + static u8 ic_domain[64]; /* DNS (not NIS) domain name */ + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index ebf5821caefb..7510a851d316 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1330,8 +1330,8 @@ static int translate_compat_table(struct xt_table_info **pinfo, + + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index 771ab3d01ad3..d098013855f0 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -365,7 +365,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) + struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; + const struct ipt_entry *e = par->entryinfo; + struct clusterip_config *config; +- int ret; ++ int ret, i; + + if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && + cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && +@@ -379,8 +379,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) + pr_info("Please specify destination IP\n"); + return -EINVAL; + } +- +- /* FIXME: further sanity checks */ ++ if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) { ++ pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes); ++ return -EINVAL; ++ } ++ for (i = 0; i < cipinfo->num_local_nodes; i++) { ++ if (cipinfo->local_nodes[i] - 1 >= ++ sizeof(config->local_nodes) * 8) { ++ pr_info("bad local_nodes[%d] %u\n", ++ i, cipinfo->local_nodes[i]); ++ return -EINVAL; ++ } ++ } + + config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1); + if (!config) { +diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +index 30ad9554b5e9..406d69f033ac 100644 +--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c ++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +@@ -261,15 +261,19 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len) + struct nf_conntrack_tuple tuple; + + memset(&tuple, 0, sizeof(tuple)); ++ ++ lock_sock(sk); + tuple.src.u3.ip = inet->inet_rcv_saddr; + tuple.src.u.tcp.port = inet->inet_sport; + tuple.dst.u3.ip = inet->inet_daddr; + tuple.dst.u.tcp.port = inet->inet_dport; + tuple.src.l3num = PF_INET; + tuple.dst.protonum = sk->sk_protocol; ++ release_sock(sk); + + /* We only do TCP and SCTP at the moment: is there a better way? */ +- if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) { ++ if (tuple.dst.protonum != IPPROTO_TCP && ++ tuple.dst.protonum != IPPROTO_SCTP) { + pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n"); + return -ENOPROTOOPT; + } +diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c +index cc626e1b06d3..64a8bbc06f23 100644 +--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c ++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c +@@ -1260,16 +1260,6 @@ static const struct nf_conntrack_expect_policy snmp_exp_policy = { + .timeout = 180, + }; + +-static struct nf_conntrack_helper snmp_helper __read_mostly = { +- .me = THIS_MODULE, +- .help = help, +- .expect_policy = &snmp_exp_policy, +- .name = "snmp", +- .tuple.src.l3num = AF_INET, +- .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT), +- .tuple.dst.protonum = IPPROTO_UDP, +-}; +- + static struct nf_conntrack_helper snmp_trap_helper __read_mostly = { + .me = THIS_MODULE, + .help = help, +@@ -1288,17 +1278,10 @@ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = { + + static int __init nf_nat_snmp_basic_init(void) + { +- int ret = 0; +- + BUG_ON(nf_nat_snmp_hook != NULL); + RCU_INIT_POINTER(nf_nat_snmp_hook, help); + +- ret = nf_conntrack_helper_register(&snmp_trap_helper); +- if (ret < 0) { +- nf_conntrack_helper_unregister(&snmp_helper); +- return ret; +- } +- return ret; ++ return nf_conntrack_helper_register(&snmp_trap_helper); + } + + static void __exit nf_nat_snmp_basic_fini(void) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index a1de8300cfce..94a4b28e5da6 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2137,6 +2137,9 @@ adjudge_to_death: + tcp_send_active_reset(sk, GFP_ATOMIC); + NET_INC_STATS_BH(sock_net(sk), + LINUX_MIB_TCPABORTONMEMORY); ++ } else if (!check_net(sock_net(sk))) { ++ /* Not possible to send reset; just close */ ++ tcp_set_state(sk, TCP_CLOSE); + } + } + +@@ -2232,6 +2235,12 @@ int tcp_disconnect(struct sock *sk, int flags) + + WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); + ++ if (sk->sk_frag.page) { ++ put_page(sk->sk_frag.page); ++ sk->sk_frag.page = NULL; ++ sk->sk_frag.offset = 0; ++ } ++ + sk->sk_error_report(sk); + return err; + } +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 2923f7f7932a..38e9dc5b735d 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -814,7 +814,7 @@ static void tcp_v4_reqsk_send_ack(struct sock *sk, struct sk_buff *skb, + tcp_time_stamp, + req->ts_recent, + 0, +- tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr, ++ tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr, + AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, + ip_hdr(skb)->tos); +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index f8c6b2343301..4a3f230ef91b 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -46,11 +46,19 @@ static void tcp_write_err(struct sock *sk) + * to prevent DoS attacks. It is called when a retransmission timeout + * or zero probe timeout occurs on orphaned socket. + * ++ * Also close if our net namespace is exiting; in that case there is no ++ * hope of ever communicating again since all netns interfaces are already ++ * down (or about to be down), and we need to release our dst references, ++ * which have been moved to the netns loopback interface, so the namespace ++ * can finish exiting. This condition is only possible if we are a kernel ++ * socket, as those do not hold references to the namespace. ++ * + * Criteria is still not confirmed experimentally and may change. + * We kill the socket, if: + * 1. If number of orphaned sockets exceeds an administratively configured + * limit. + * 2. If we have strong memory pressure. ++ * 3. If our net namespace is exiting. + */ + static int tcp_out_of_resources(struct sock *sk, bool do_reset) + { +@@ -79,6 +87,13 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset) + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONMEMORY); + return 1; + } ++ ++ if (!check_net(sock_net(sk))) { ++ /* Not possible to send reset; just close */ ++ tcp_done(sk); ++ return 1; ++ } ++ + return 0; + } + +diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c +index a6cea1d5e20d..33c0879612f5 100644 +--- a/net/ipv4/tcp_vegas.c ++++ b/net/ipv4/tcp_vegas.c +@@ -158,7 +158,7 @@ EXPORT_SYMBOL_GPL(tcp_vegas_cwnd_event); + + static inline u32 tcp_vegas_ssthresh(struct tcp_sock *tp) + { +- return min(tp->snd_ssthresh, tp->snd_cwnd-1); ++ return min(tp->snd_ssthresh, tp->snd_cwnd); + } + + static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 7a6317671d32..97397a3df219 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1217,14 +1217,16 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork, + v6_cork->tclass = tclass; + if (rt->dst.flags & DST_XFRM_TUNNEL) + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ? +- rt->dst.dev->mtu : dst_mtu(&rt->dst); ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst); + else + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ? +- rt->dst.dev->mtu : dst_mtu(rt->dst.path); ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path); + if (np->frag_size < mtu) { + if (np->frag_size) + mtu = np->frag_size; + } ++ if (mtu < IPV6_MIN_MTU) ++ return -EINVAL; + cork->base.fragsize = mtu; + if (dst_allfrag(rt->dst.path)) + cork->base.flags |= IPCORK_ALLFRAG; +@@ -1757,10 +1759,13 @@ struct sk_buff *ip6_make_skb(struct sock *sk, + cork.base.flags = 0; + cork.base.addr = 0; + cork.base.opt = NULL; ++ cork.base.dst = NULL; + v6_cork.opt = NULL; + err = ip6_setup_cork(sk, &cork, &v6_cork, hlimit, tclass, opt, rt, fl6); +- if (err) ++ if (err) { ++ ip6_cork_release(&cork, &v6_cork); + return ERR_PTR(err); ++ } + + if (dontfrag < 0) + dontfrag = inet6_sk(sk)->dontfrag; +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 1c4db0fe7f88..672dd08dc3dd 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -496,6 +496,7 @@ static void *ipmr_mfc_seq_start(struct seq_file *seq, loff_t *pos) + return ERR_PTR(-ENOENT); + + it->mrt = mrt; ++ it->cache = NULL; + return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1) + : SEQ_START_TOKEN; + } +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 4449ad1f8114..2ad727bba3a5 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -896,12 +896,8 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname, + #ifdef CONFIG_NETFILTER + /* we need to exclude all possible ENOPROTOOPTs except default case */ + if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY && +- optname != IPV6_XFRM_POLICY) { +- lock_sock(sk); +- err = nf_setsockopt(sk, PF_INET6, optname, optval, +- optlen); +- release_sock(sk); +- } ++ optname != IPV6_XFRM_POLICY) ++ err = nf_setsockopt(sk, PF_INET6, optname, optval, optlen); + #endif + return err; + } +@@ -931,12 +927,9 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname, + #ifdef CONFIG_NETFILTER + /* we need to exclude all possible ENOPROTOOPTs except default case */ + if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY && +- optname != IPV6_XFRM_POLICY) { +- lock_sock(sk); +- err = compat_nf_setsockopt(sk, PF_INET6, optname, +- optval, optlen); +- release_sock(sk); +- } ++ optname != IPV6_XFRM_POLICY) ++ err = compat_nf_setsockopt(sk, PF_INET6, optname, optval, ++ optlen); + #endif + return err; + } +@@ -1338,10 +1331,7 @@ int ipv6_getsockopt(struct sock *sk, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- lock_sock(sk); +- err = nf_getsockopt(sk, PF_INET6, optname, optval, +- &len); +- release_sock(sk); ++ err = nf_getsockopt(sk, PF_INET6, optname, optval, &len); + if (err >= 0) + err = put_user(len, optlen); + } +@@ -1380,10 +1370,7 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- lock_sock(sk); +- err = compat_nf_getsockopt(sk, PF_INET6, +- optname, optval, &len); +- release_sock(sk); ++ err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, &len); + if (err >= 0) + err = put_user(len, optlen); + } +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 9a63110b6548..47de89f57a80 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1668,16 +1668,16 @@ static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel) + } + + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc, +- int type, struct mld2_grec **ppgr) ++ int type, struct mld2_grec **ppgr, unsigned int mtu) + { +- struct net_device *dev = pmc->idev->dev; + struct mld2_report *pmr; + struct mld2_grec *pgr; + +- if (!skb) +- skb = mld_newpack(pmc->idev, dev->mtu); +- if (!skb) +- return NULL; ++ if (!skb) { ++ skb = mld_newpack(pmc->idev, mtu); ++ if (!skb) ++ return NULL; ++ } + pgr = (struct mld2_grec *)skb_put(skb, sizeof(struct mld2_grec)); + pgr->grec_type = type; + pgr->grec_auxwords = 0; +@@ -1700,10 +1700,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + struct mld2_grec *pgr = NULL; + struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list; + int scount, stotal, first, isquery, truncate; ++ unsigned int mtu; + + if (pmc->mca_flags & MAF_NOREPORT) + return skb; + ++ mtu = READ_ONCE(dev->mtu); ++ if (mtu < IPV6_MIN_MTU) ++ return skb; ++ + isquery = type == MLD2_MODE_IS_INCLUDE || + type == MLD2_MODE_IS_EXCLUDE; + truncate = type == MLD2_MODE_IS_EXCLUDE || +@@ -1724,7 +1729,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(idev, dev->mtu); ++ skb = mld_newpack(idev, mtu); + } + } + first = 1; +@@ -1751,12 +1756,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + pgr->grec_nsrcs = htons(scount); + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(idev, dev->mtu); ++ skb = mld_newpack(idev, mtu); + first = 1; + scount = 0; + } + if (first) { +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + first = 0; + } + if (!skb) +@@ -1790,7 +1795,7 @@ empty_source: + mld_sendpack(skb); + skb = NULL; /* add_grhead will get a new one */ + } +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + } + } + if (pgr) +diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +index 4ba0c34c627b..6bb16657db3a 100644 +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -232,20 +232,27 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { + static int + ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len) + { +- const struct inet_sock *inet = inet_sk(sk); ++ struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 }; + const struct ipv6_pinfo *inet6 = inet6_sk(sk); ++ const struct inet_sock *inet = inet_sk(sk); + const struct nf_conntrack_tuple_hash *h; + struct sockaddr_in6 sin6; +- struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 }; + struct nf_conn *ct; ++ __be32 flow_label; ++ int bound_dev_if; + ++ lock_sock(sk); + tuple.src.u3.in6 = sk->sk_v6_rcv_saddr; + tuple.src.u.tcp.port = inet->inet_sport; + tuple.dst.u3.in6 = sk->sk_v6_daddr; + tuple.dst.u.tcp.port = inet->inet_dport; + tuple.dst.protonum = sk->sk_protocol; ++ bound_dev_if = sk->sk_bound_dev_if; ++ flow_label = inet6->flow_label; ++ release_sock(sk); + +- if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) ++ if (tuple.dst.protonum != IPPROTO_TCP && ++ tuple.dst.protonum != IPPROTO_SCTP) + return -ENOPROTOOPT; + + if (*len < 0 || (unsigned int) *len < sizeof(sin6)) +@@ -263,14 +270,13 @@ ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len) + + sin6.sin6_family = AF_INET6; + sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port; +- sin6.sin6_flowinfo = inet6->flow_label & IPV6_FLOWINFO_MASK; ++ sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK; + memcpy(&sin6.sin6_addr, + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6, + sizeof(sin6.sin6_addr)); + + nf_ct_put(ct); +- sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, +- sk->sk_bound_dev_if); ++ sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if); + return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0; + } + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 2f0f1b415fbe..9f274781ba57 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -940,7 +940,7 @@ static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt, + tcp_rsk(req)->rcv_nxt, req->rcv_wnd, + tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if, +- tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), ++ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr), + 0, 0); + } + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 39c78c9e1c68..354c43a1c43d 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -401,6 +401,11 @@ static int verify_address_len(const void *p) + #endif + int len; + ++ if (sp->sadb_address_len < ++ DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family), ++ sizeof(uint64_t))) ++ return -EINVAL; ++ + switch (addr->sa_family) { + case AF_INET: + len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t)); +@@ -511,6 +516,9 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void * + uint16_t ext_type; + int ext_len; + ++ if (len < sizeof(*ehdr)) ++ return -EINVAL; ++ + ext_len = ehdr->sadb_ext_len; + ext_len *= sizeof(uint64_t); + ext_type = ehdr->sadb_ext_type; +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 37e0aa4891a2..cd85cbf9bf39 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2857,7 +2857,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) + } + if (beacon->probe_resp_len) { + new_beacon->probe_resp_len = beacon->probe_resp_len; +- beacon->probe_resp = pos; ++ new_beacon->probe_resp = pos; + memcpy(pos, beacon->probe_resp, beacon->probe_resp_len); + pos += beacon->probe_resp_len; + } +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 214e63b84e5c..4efc60236cdb 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -763,7 +763,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata, + struct mesh_path *mpath; + u8 ttl, flags, hopcount; + const u8 *orig_addr; +- u32 orig_sn, metric, metric_txsta, interval; ++ u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval; + bool root_is_gate; + + ttl = rann->rann_ttl; +@@ -774,7 +774,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata, + interval = le32_to_cpu(rann->rann_interval); + hopcount = rann->rann_hopcount; + hopcount++; +- metric = le32_to_cpu(rann->rann_metric); ++ orig_metric = le32_to_cpu(rann->rann_metric); + + /* Ignore our own RANNs */ + if (ether_addr_equal(orig_addr, sdata->vif.addr)) +@@ -791,7 +791,10 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata, + return; + } + +- metric_txsta = airtime_link_metric_get(local, sta); ++ last_hop_metric = airtime_link_metric_get(local, sta); ++ new_metric = orig_metric + last_hop_metric; ++ if (new_metric < orig_metric) ++ new_metric = MAX_METRIC; + + mpath = mesh_path_lookup(sdata, orig_addr); + if (!mpath) { +@@ -804,7 +807,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata, + } + + if (!(SN_LT(mpath->sn, orig_sn)) && +- !(mpath->sn == orig_sn && metric < mpath->rann_metric)) { ++ !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) { + rcu_read_unlock(); + return; + } +@@ -822,7 +825,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata, + } + + mpath->sn = orig_sn; +- mpath->rann_metric = metric + metric_txsta; ++ mpath->rann_metric = new_metric; + mpath->is_root = true; + /* Recording RANNs sender address to send individually + * addressed PREQs destined for root mesh STA */ +@@ -842,7 +845,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata, + mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr, + orig_sn, 0, NULL, 0, broadcast_addr, + hopcount, ttl, interval, +- metric + metric_txsta, 0, sdata); ++ new_metric, 0, sdata); + } + + rcu_read_unlock(); +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index bc3f791845aa..e951ca98757e 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -695,6 +695,7 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, + * least once for the stats anyway. + */ + rcu_read_lock_bh(); ++ begin: + hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { + ct = nf_ct_tuplehash_to_ctrack(h); + if (ct != ignored_conntrack && +@@ -706,6 +707,12 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, + } + NF_CT_STAT_INC(net, searched); + } ++ ++ if (get_nulls_value(n) != hash) { ++ NF_CT_STAT_INC(net, search_restart); ++ goto begin; ++ } ++ + rcu_read_unlock_bh(); + + return 0; +diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c +index 4f4c88d70a8f..cba342b37b62 100644 +--- a/net/netfilter/nf_conntrack_expect.c ++++ b/net/netfilter/nf_conntrack_expect.c +@@ -557,7 +557,7 @@ static int exp_seq_show(struct seq_file *s, void *v) + helper = rcu_dereference(nfct_help(expect->master)->helper); + if (helper) { + seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name); +- if (helper->expect_policy[expect->class].name) ++ if (helper->expect_policy[expect->class].name[0]) + seq_printf(s, "/%s", + helper->expect_policy[expect->class].name); + } +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index 885b4aba3695..1665c2159e4b 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1434,9 +1434,12 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff, + handler = &sip_handlers[i]; + if (handler->request == NULL) + continue; +- if (*datalen < handler->len || ++ if (*datalen < handler->len + 2 || + strncasecmp(*dptr, handler->method, handler->len)) + continue; ++ if ((*dptr)[handler->len] != ' ' || ++ !isalpha((*dptr)[handler->len+1])) ++ continue; + + if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, + &matchoff, &matchlen) <= 0) { +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 6d10002d23f8..ac143ae4f7b6 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -17,6 +17,7 @@ + #include <linux/types.h> + #include <linux/list.h> + #include <linux/errno.h> ++#include <linux/capability.h> + #include <net/netlink.h> + #include <net/sock.h> + +@@ -32,6 +33,13 @@ MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); + MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers"); + ++struct nfnl_cthelper { ++ struct list_head list; ++ struct nf_conntrack_helper helper; ++}; ++ ++static LIST_HEAD(nfnl_cthelper_list); ++ + static int + nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff, + struct nf_conn *ct, enum ip_conntrack_info ctinfo) +@@ -205,18 +213,20 @@ nfnl_cthelper_create(const struct nlattr * const tb[], + struct nf_conntrack_tuple *tuple) + { + struct nf_conntrack_helper *helper; ++ struct nfnl_cthelper *nfcth; + int ret; + + if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN]) + return -EINVAL; + +- helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL); +- if (helper == NULL) ++ nfcth = kzalloc(sizeof(*nfcth), GFP_KERNEL); ++ if (nfcth == NULL) + return -ENOMEM; ++ helper = &nfcth->helper; + + ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]); + if (ret < 0) +- goto err; ++ goto err1; + + strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN); + helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])); +@@ -247,14 +257,100 @@ nfnl_cthelper_create(const struct nlattr * const tb[], + + ret = nf_conntrack_helper_register(helper); + if (ret < 0) +- goto err; ++ goto err2; + ++ list_add_tail(&nfcth->list, &nfnl_cthelper_list); + return 0; +-err: +- kfree(helper); ++err2: ++ kfree(helper->expect_policy); ++err1: ++ kfree(nfcth); + return ret; + } + ++static int ++nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy, ++ struct nf_conntrack_expect_policy *new_policy, ++ const struct nlattr *attr) ++{ ++ struct nlattr *tb[NFCTH_POLICY_MAX + 1]; ++ int err; ++ ++ err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr, ++ nfnl_cthelper_expect_pol); ++ if (err < 0) ++ return err; ++ ++ if (!tb[NFCTH_POLICY_NAME] || ++ !tb[NFCTH_POLICY_EXPECT_MAX] || ++ !tb[NFCTH_POLICY_EXPECT_TIMEOUT]) ++ return -EINVAL; ++ ++ if (nla_strcmp(tb[NFCTH_POLICY_NAME], policy->name)) ++ return -EBUSY; ++ ++ new_policy->max_expected = ++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX])); ++ new_policy->timeout = ++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT])); ++ ++ return 0; ++} ++ ++static int nfnl_cthelper_update_policy_all(struct nlattr *tb[], ++ struct nf_conntrack_helper *helper) ++{ ++ struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1]; ++ struct nf_conntrack_expect_policy *policy; ++ int i, err; ++ ++ /* Check first that all policy attributes are well-formed, so we don't ++ * leave things in inconsistent state on errors. ++ */ ++ for (i = 0; i < helper->expect_class_max + 1; i++) { ++ ++ if (!tb[NFCTH_POLICY_SET + i]) ++ return -EINVAL; ++ ++ err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i], ++ &new_policy[i], ++ tb[NFCTH_POLICY_SET + i]); ++ if (err < 0) ++ return err; ++ } ++ /* Now we can safely update them. */ ++ for (i = 0; i < helper->expect_class_max + 1; i++) { ++ policy = (struct nf_conntrack_expect_policy *) ++ &helper->expect_policy[i]; ++ policy->max_expected = new_policy->max_expected; ++ policy->timeout = new_policy->timeout; ++ } ++ ++ return 0; ++} ++ ++static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper, ++ const struct nlattr *attr) ++{ ++ struct nlattr *tb[NFCTH_POLICY_SET_MAX + 1]; ++ unsigned int class_max; ++ int err; ++ ++ err = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr, ++ nfnl_cthelper_expect_policy_set); ++ if (err < 0) ++ return err; ++ ++ if (!tb[NFCTH_POLICY_SET_NUM]) ++ return -EINVAL; ++ ++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM])); ++ if (helper->expect_class_max + 1 != class_max) ++ return -EBUSY; ++ ++ return nfnl_cthelper_update_policy_all(tb, helper); ++} ++ + static int + nfnl_cthelper_update(const struct nlattr * const tb[], + struct nf_conntrack_helper *helper) +@@ -265,8 +361,7 @@ nfnl_cthelper_update(const struct nlattr * const tb[], + return -EBUSY; + + if (tb[NFCTH_POLICY]) { +- ret = nfnl_cthelper_parse_expect_policy(helper, +- tb[NFCTH_POLICY]); ++ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]); + if (ret < 0) + return ret; + } +@@ -295,7 +390,11 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb, + const char *helper_name; + struct nf_conntrack_helper *cur, *helper = NULL; + struct nf_conntrack_tuple tuple; +- int ret = 0, i; ++ struct nfnl_cthelper *nlcth; ++ int ret = 0; ++ ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; + + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) + return -EINVAL; +@@ -306,31 +405,22 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb, + if (ret < 0) + return ret; + +- rcu_read_lock(); +- for (i = 0; i < nf_ct_helper_hsize && !helper; i++) { +- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) { ++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) { ++ cur = &nlcth->helper; + +- /* skip non-userspace conntrack helpers. */ +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE)) +- continue; ++ if (strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN)) ++ continue; + +- if (strncmp(cur->name, helper_name, +- NF_CT_HELPER_NAME_LEN) != 0) +- continue; ++ if ((tuple.src.l3num != cur->tuple.src.l3num || ++ tuple.dst.protonum != cur->tuple.dst.protonum)) ++ continue; + +- if ((tuple.src.l3num != cur->tuple.src.l3num || +- tuple.dst.protonum != cur->tuple.dst.protonum)) +- continue; ++ if (nlh->nlmsg_flags & NLM_F_EXCL) ++ return -EEXIST; + +- if (nlh->nlmsg_flags & NLM_F_EXCL) { +- ret = -EEXIST; +- goto err; +- } +- helper = cur; +- break; +- } ++ helper = cur; ++ break; + } +- rcu_read_unlock(); + + if (helper == NULL) + ret = nfnl_cthelper_create(tb, &tuple); +@@ -338,9 +428,6 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb, + ret = nfnl_cthelper_update(tb, helper); + + return ret; +-err: +- rcu_read_unlock(); +- return ret; + } + + static int +@@ -504,13 +591,17 @@ static int + nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb, + const struct nlmsghdr *nlh, const struct nlattr * const tb[]) + { +- int ret = -ENOENT, i; ++ int ret = -ENOENT; + struct nf_conntrack_helper *cur; + struct sk_buff *skb2; + char *helper_name = NULL; + struct nf_conntrack_tuple tuple; ++ struct nfnl_cthelper *nlcth; + bool tuple_set = false; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (nlh->nlmsg_flags & NLM_F_DUMP) { + struct netlink_dump_control c = { + .dump = nfnl_cthelper_dump_table, +@@ -529,45 +620,39 @@ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb, + tuple_set = true; + } + +- for (i = 0; i < nf_ct_helper_hsize; i++) { +- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) { +- +- /* skip non-userspace conntrack helpers. */ +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE)) +- continue; ++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) { ++ cur = &nlcth->helper; ++ if (helper_name && ++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN)) ++ continue; + +- if (helper_name && strncmp(cur->name, helper_name, +- NF_CT_HELPER_NAME_LEN) != 0) { +- continue; +- } +- if (tuple_set && +- (tuple.src.l3num != cur->tuple.src.l3num || +- tuple.dst.protonum != cur->tuple.dst.protonum)) +- continue; ++ if (tuple_set && ++ (tuple.src.l3num != cur->tuple.src.l3num || ++ tuple.dst.protonum != cur->tuple.dst.protonum)) ++ continue; + +- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); +- if (skb2 == NULL) { +- ret = -ENOMEM; +- break; +- } ++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ if (skb2 == NULL) { ++ ret = -ENOMEM; ++ break; ++ } + +- ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid, +- nlh->nlmsg_seq, +- NFNL_MSG_TYPE(nlh->nlmsg_type), +- NFNL_MSG_CTHELPER_NEW, cur); +- if (ret <= 0) { +- kfree_skb(skb2); +- break; +- } ++ ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid, ++ nlh->nlmsg_seq, ++ NFNL_MSG_TYPE(nlh->nlmsg_type), ++ NFNL_MSG_CTHELPER_NEW, cur); ++ if (ret <= 0) { ++ kfree_skb(skb2); ++ break; ++ } + +- ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid, +- MSG_DONTWAIT); +- if (ret > 0) +- ret = 0; ++ ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid, ++ MSG_DONTWAIT); ++ if (ret > 0) ++ ret = 0; + +- /* this avoids a loop in nfnetlink. */ +- return ret == -EAGAIN ? -ENOBUFS : ret; +- } ++ /* this avoids a loop in nfnetlink. */ ++ return ret == -EAGAIN ? -ENOBUFS : ret; + } + return ret; + } +@@ -578,10 +663,13 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb, + { + char *helper_name = NULL; + struct nf_conntrack_helper *cur; +- struct hlist_node *tmp; + struct nf_conntrack_tuple tuple; + bool tuple_set = false, found = false; +- int i, j = 0, ret; ++ struct nfnl_cthelper *nlcth, *n; ++ int j = 0, ret; ++ ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; + + if (tb[NFCTH_NAME]) + helper_name = nla_data(tb[NFCTH_NAME]); +@@ -594,28 +682,27 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb, + tuple_set = true; + } + +- for (i = 0; i < nf_ct_helper_hsize; i++) { +- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i], +- hnode) { +- /* skip non-userspace conntrack helpers. */ +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE)) +- continue; ++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) { ++ cur = &nlcth->helper; ++ j++; + +- j++; ++ if (helper_name && ++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN)) ++ continue; + +- if (helper_name && strncmp(cur->name, helper_name, +- NF_CT_HELPER_NAME_LEN) != 0) { +- continue; +- } +- if (tuple_set && +- (tuple.src.l3num != cur->tuple.src.l3num || +- tuple.dst.protonum != cur->tuple.dst.protonum)) +- continue; ++ if (tuple_set && ++ (tuple.src.l3num != cur->tuple.src.l3num || ++ tuple.dst.protonum != cur->tuple.dst.protonum)) ++ continue; + +- found = true; +- nf_conntrack_helper_unregister(cur); +- } ++ found = true; ++ nf_conntrack_helper_unregister(cur); ++ kfree(cur->expect_policy); ++ ++ list_del(&nlcth->list); ++ kfree(nlcth); + } ++ + /* Make sure we return success if we flush and there is no helpers */ + return (found || j == 0) ? 0 : -ENOENT; + } +@@ -664,20 +751,16 @@ err_out: + static void __exit nfnl_cthelper_exit(void) + { + struct nf_conntrack_helper *cur; +- struct hlist_node *tmp; +- int i; ++ struct nfnl_cthelper *nlcth, *n; + + nfnetlink_subsys_unregister(&nfnl_cthelper_subsys); + +- for (i=0; i<nf_ct_helper_hsize; i++) { +- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i], +- hnode) { +- /* skip non-userspace conntrack helpers. */ +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE)) +- continue; ++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) { ++ cur = &nlcth->helper; + +- nf_conntrack_helper_unregister(cur); +- } ++ nf_conntrack_helper_unregister(cur); ++ kfree(cur->expect_policy); ++ kfree(nlcth); + } + } + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 703fc9ba6f20..f4fcd9441561 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -38,8 +38,6 @@ MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); + MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); + +-#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) +- + struct compat_delta { + unsigned int offset; /* offset in kernel */ + int delta; /* delta in 32bit user land */ +@@ -211,6 +209,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision) + { + struct xt_match *match; + ++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN) ++ return ERR_PTR(-EINVAL); ++ + match = xt_find_match(nfproto, name, revision); + if (IS_ERR(match)) { + request_module("%st_%s", xt_prefix[nfproto], name); +@@ -253,6 +254,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision) + { + struct xt_target *target; + ++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN) ++ return ERR_PTR(-EINVAL); ++ + target = xt_find_target(af, name, revision); + if (IS_ERR(target)) { + request_module("%st_%s", xt_prefix[af], name); +@@ -951,7 +955,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) + int cpu; + + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ +- if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) ++ if ((size >> PAGE_SHIFT) + 2 > totalram_pages) + return NULL; + + newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL); +diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c +index 604df6fae6fc..0be96f8475f7 100644 +--- a/net/netfilter/xt_RATEEST.c ++++ b/net/netfilter/xt_RATEEST.c +@@ -40,23 +40,31 @@ static void xt_rateest_hash_insert(struct xt_rateest *est) + hlist_add_head(&est->list, &rateest_hash[h]); + } + +-struct xt_rateest *xt_rateest_lookup(const char *name) ++static struct xt_rateest *__xt_rateest_lookup(const char *name) + { + struct xt_rateest *est; + unsigned int h; + + h = xt_rateest_hash(name); +- mutex_lock(&xt_rateest_mutex); + hlist_for_each_entry(est, &rateest_hash[h], list) { + if (strcmp(est->name, name) == 0) { + est->refcnt++; +- mutex_unlock(&xt_rateest_mutex); + return est; + } + } +- mutex_unlock(&xt_rateest_mutex); ++ + return NULL; + } ++ ++struct xt_rateest *xt_rateest_lookup(const char *name) ++{ ++ struct xt_rateest *est; ++ ++ mutex_lock(&xt_rateest_mutex); ++ est = __xt_rateest_lookup(name); ++ mutex_unlock(&xt_rateest_mutex); ++ return est; ++} + EXPORT_SYMBOL_GPL(xt_rateest_lookup); + + void xt_rateest_put(struct xt_rateest *est) +@@ -104,8 +112,10 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) + rnd_inited = true; + } + +- est = xt_rateest_lookup(info->name); ++ mutex_lock(&xt_rateest_mutex); ++ est = __xt_rateest_lookup(info->name); + if (est) { ++ mutex_unlock(&xt_rateest_mutex); + /* + * If estimator parameters are specified, they must match the + * existing estimator. +@@ -143,11 +153,13 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) + + info->est = est; + xt_rateest_hash_insert(est); ++ mutex_unlock(&xt_rateest_mutex); + return 0; + + err2: + kfree(est); + err1: ++ mutex_unlock(&xt_rateest_mutex); + return ret; + } + +diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c +index 0778855ea5e7..20f7bd64ad40 100644 +--- a/net/netfilter/xt_osf.c ++++ b/net/netfilter/xt_osf.c +@@ -19,6 +19,7 @@ + #include <linux/module.h> + #include <linux/kernel.h> + ++#include <linux/capability.h> + #include <linux/if.h> + #include <linux/inetdevice.h> + #include <linux/ip.h> +@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb, + struct xt_osf_finger *kf = NULL, *sf; + int err = 0; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!osf_attrs[OSF_ATTR_FINGER]) + return -EINVAL; + +@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb, + struct xt_osf_finger *sf; + int err = -ENOENT; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!osf_attrs[OSF_ATTR_FINGER]) + return -EINVAL; + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index a5815be7c81c..66c340bc0553 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -94,6 +94,44 @@ EXPORT_SYMBOL_GPL(nl_table); + + static DECLARE_WAIT_QUEUE_HEAD(nl_table_wait); + ++static struct lock_class_key nlk_cb_mutex_keys[MAX_LINKS]; ++ ++static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = { ++ "nlk_cb_mutex-ROUTE", ++ "nlk_cb_mutex-1", ++ "nlk_cb_mutex-USERSOCK", ++ "nlk_cb_mutex-FIREWALL", ++ "nlk_cb_mutex-SOCK_DIAG", ++ "nlk_cb_mutex-NFLOG", ++ "nlk_cb_mutex-XFRM", ++ "nlk_cb_mutex-SELINUX", ++ "nlk_cb_mutex-ISCSI", ++ "nlk_cb_mutex-AUDIT", ++ "nlk_cb_mutex-FIB_LOOKUP", ++ "nlk_cb_mutex-CONNECTOR", ++ "nlk_cb_mutex-NETFILTER", ++ "nlk_cb_mutex-IP6_FW", ++ "nlk_cb_mutex-DNRTMSG", ++ "nlk_cb_mutex-KOBJECT_UEVENT", ++ "nlk_cb_mutex-GENERIC", ++ "nlk_cb_mutex-17", ++ "nlk_cb_mutex-SCSITRANSPORT", ++ "nlk_cb_mutex-ECRYPTFS", ++ "nlk_cb_mutex-RDMA", ++ "nlk_cb_mutex-CRYPTO", ++ "nlk_cb_mutex-SMC", ++ "nlk_cb_mutex-23", ++ "nlk_cb_mutex-24", ++ "nlk_cb_mutex-25", ++ "nlk_cb_mutex-26", ++ "nlk_cb_mutex-27", ++ "nlk_cb_mutex-28", ++ "nlk_cb_mutex-29", ++ "nlk_cb_mutex-30", ++ "nlk_cb_mutex-31", ++ "nlk_cb_mutex-MAX_LINKS" ++}; ++ + static int netlink_dump(struct sock *sk); + static void netlink_skb_destructor(struct sk_buff *skb); + +@@ -221,6 +259,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, + struct sock *sk = skb->sk; + int ret = -ENOMEM; + ++ if (!net_eq(dev_net(dev), sock_net(sk))) ++ return 0; ++ + dev_hold(dev); + + if (netlink_skb_is_mmaped(skb) || is_vmalloc_addr(skb->head)) +@@ -1177,6 +1218,9 @@ static int __netlink_create(struct net *net, struct socket *sock, + } else { + nlk->cb_mutex = &nlk->cb_def_mutex; + mutex_init(nlk->cb_mutex); ++ lockdep_set_class_and_name(nlk->cb_mutex, ++ nlk_cb_mutex_keys + protocol, ++ nlk_cb_mutex_key_strings[protocol]); + } + init_waitqueue_head(&nlk->wait); + #ifdef CONFIG_NETLINK_MMAP +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index c691b1a1eee0..a2601b0c4b0f 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1531,14 +1531,11 @@ int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb) + + #define MAX_ACTIONS_BUFSIZE (32 * 1024) + +-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log) ++static struct sw_flow_actions *nla_alloc_flow_actions(int size) + { + struct sw_flow_actions *sfa; + +- if (size > MAX_ACTIONS_BUFSIZE) { +- OVS_NLERR(log, "Flow action size %u bytes exceeds max", size); +- return ERR_PTR(-EINVAL); +- } ++ WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); + + sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL); + if (!sfa) +@@ -1571,12 +1568,15 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, + new_acts_size = ksize(*sfa) * 2; + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { +- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) ++ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { ++ OVS_NLERR(log, "Flow action size exceeds max %u", ++ MAX_ACTIONS_BUFSIZE); + return ERR_PTR(-EMSGSIZE); ++ } + new_acts_size = MAX_ACTIONS_BUFSIZE; + } + +- acts = nla_alloc_flow_actions(new_acts_size, log); ++ acts = nla_alloc_flow_actions(new_acts_size); + if (IS_ERR(acts)) + return (void *)acts; + +@@ -2170,7 +2170,7 @@ int ovs_nla_copy_actions(const struct nlattr *attr, + { + int err; + +- *sfa = nla_alloc_flow_actions(nla_len(attr), log); ++ *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); + if (IS_ERR(*sfa)) + return PTR_ERR(*sfa); + +diff --git a/net/rds/rdma.c b/net/rds/rdma.c +index 612c3050d514..b1ec96bca937 100644 +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args) + + local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; + ++ if (args->nr_local == 0) ++ return -EINVAL; ++ + /* figure out the number of pages in the vector */ + for (i = 0; i < args->nr_local; i++) { + if (copy_from_user(&vec, &local_vec[i], +@@ -863,6 +866,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm, + err: + if (page) + put_page(page); ++ rm->atomic.op_active = 0; + kfree(rm->atomic.op_notifier); + + return ret; +diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c +index 3f6437db9b0f..ec11aced121d 100644 +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -431,6 +431,9 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt) + + ctl = nla_data(tb[TCA_CHOKE_PARMS]); + ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) ++ return -EINVAL; ++ + if (ctl->limit > CHOKE_MAX_QUEUE) + return -EINVAL; + +diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c +index 634529e0ce6b..5a476126a8fb 100644 +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -388,6 +388,9 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp, + struct gred_sched *table = qdisc_priv(sch); + struct gred_sched_data *q = table->tab[dp]; + ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) ++ return -EINVAL; ++ + if (!q) { + table->tab[dp] = q = *prealloc; + *prealloc = NULL; +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c +index 8c0508c0e287..0505b8408c8b 100644 +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -199,6 +199,8 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt) + max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_RED_PARMS]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) ++ return -EINVAL; + + if (ctl->limit > 0) { + child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit); +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c +index 78d0eaf5de61..0dd1f2b2eb10 100644 +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -656,6 +656,9 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) + if (ctl->divisor && + (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536)) + return -EINVAL; ++ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, ++ ctl_v1->Wlog)) ++ return -EINVAL; + if (ctl_v1 && ctl_v1->qth_min) { + p = kmalloc(sizeof(*p), GFP_KERNEL); + if (!p) +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 946d1c28f93f..c44e3d208804 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -83,7 +83,7 @@ + static int sctp_writeable(struct sock *sk); + static void sctp_wfree(struct sk_buff *skb); + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, +- size_t msg_len, struct sock **orig_sk); ++ size_t msg_len); + static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p); + static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p); + static int sctp_wait_for_accept(struct sock *sk, long timeo); +@@ -332,16 +332,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt, + if (len < sizeof (struct sockaddr)) + return NULL; + ++ if (!opt->pf->af_supported(addr->sa.sa_family, opt)) ++ return NULL; ++ + /* V4 mapped address are really of AF_INET family */ + if (addr->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr->v6.sin6_addr)) { +- if (!opt->pf->af_supported(AF_INET, opt)) +- return NULL; +- } else { +- /* Does this PF support this AF? */ +- if (!opt->pf->af_supported(addr->sa.sa_family, opt)) +- return NULL; +- } ++ ipv6_addr_v4mapped(&addr->v6.sin6_addr) && ++ !opt->pf->af_supported(AF_INET, opt)) ++ return NULL; + + /* If we get this far, af is valid. */ + af = sctp_get_af_specific(addr->sa.sa_family); +@@ -1948,7 +1946,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); + if (!sctp_wspace(asoc)) { + /* sk can be changed by peel off when waiting for buf. */ +- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk); ++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + if (err) { + if (err == -ESRCH) { + /* asoc is already dead. */ +@@ -4163,7 +4161,7 @@ static int sctp_init_sock(struct sock *sk) + SCTP_DBG_OBJCNT_INC(sock); + + local_bh_disable(); +- percpu_counter_inc(&sctp_sockets_allocated); ++ sk_sockets_allocated_inc(sk); + sock_prot_inuse_add(net, sk->sk_prot, 1); + + /* Nothing can fail after this block, otherwise +@@ -4207,7 +4205,7 @@ static void sctp_destroy_sock(struct sock *sk) + } + sctp_endpoint_free(sp->ep); + local_bh_disable(); +- percpu_counter_dec(&sctp_sockets_allocated); ++ sk_sockets_allocated_dec(sk); + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); + local_bh_enable(); + } +@@ -6979,12 +6977,12 @@ void sctp_sock_rfree(struct sk_buff *skb) + + /* Helper function to wait for space in the sndbuf. */ + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, +- size_t msg_len, struct sock **orig_sk) ++ size_t msg_len) + { + struct sock *sk = asoc->base.sk; +- int err = 0; + long current_timeo = *timeo_p; + DEFINE_WAIT(wait); ++ int err = 0; + + pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc, + *timeo_p, msg_len); +@@ -7014,17 +7012,13 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + current_timeo = schedule_timeout(current_timeo); + BUG_ON(sk != asoc->base.sk); + lock_sock(sk); +- if (sk != asoc->base.sk) { +- release_sock(sk); +- sk = asoc->base.sk; +- lock_sock(sk); +- } ++ if (sk != asoc->base.sk) ++ goto do_error; + + *timeo_p = current_timeo; + } + + out: +- *orig_sk = sk; + finish_wait(&asoc->wait, &wait); + + /* Release the association's refcnt. */ +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 2410d557ae39..89731c9023f0 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + goto out_free_groups; + GROUP_AT(creds->cr_group_info, i) = kgid; + } ++ groups_sort(creds->cr_group_info); + + return 0; + out_free_groups: +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 033fec307528..036bbf2b44c1 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail *cd, + goto out; + GROUP_AT(rsci.cred.cr_group_info, i) = kgid; + } ++ groups_sort(rsci.cred.cr_group_info); + + /* mech name */ + len = qword_get(&mesg, buf, mlen); +diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c +index 621ca7b4a155..98db1715cb17 100644 +--- a/net/sunrpc/svcauth_unix.c ++++ b/net/sunrpc/svcauth_unix.c +@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_detail *cd, + GROUP_AT(ug.gi, i) = kgid; + } + ++ groups_sort(ug.gi); + ugp = unix_gid_lookup(cd, uid); + if (ugp) { + struct cache_head *ch; +@@ -827,6 +828,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp) + kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv)); + GROUP_AT(cred->cr_group_info, i) = kgid; + } ++ groups_sort(cred->cr_group_info); + if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { + *authp = rpc_autherr_badverf; + return SVC_DENIED; +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 5e3ad598d3f5..14972988d29d 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2189,6 +2189,7 @@ static void xs_tcp_setup_socket(struct work_struct *work) + case -ECONNREFUSED: + case -ECONNRESET: + case -ENETUNREACH: ++ case -EHOSTUNREACH: + case -EADDRINUSE: + case -ENOBUFS: + /* retry with existing socket, after a delay */ +diff --git a/net/wireless/core.c b/net/wireless/core.c +index 71e9b84847f3..a0e465845735 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -390,6 +390,8 @@ struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv, + if (rv) + goto use_default_name; + } else { ++ int rv; ++ + use_default_name: + /* NOTE: This is *probably* safe w/out holding rtnl because of + * the restrictions on phy names. Probably this call could +@@ -397,7 +399,11 @@ use_default_name: + * phyX. But, might should add some locking and check return + * value, and use a different name if this one exists? + */ +- dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx); ++ rv = dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx); ++ if (rv < 0) { ++ kfree(rdev); ++ return NULL; ++ } + } + + INIT_LIST_HEAD(&rdev->wdev_list); +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index acb4ccf448ba..f96aa76865de 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -15,6 +15,7 @@ + #include <linux/nl80211.h> + #include <linux/rtnetlink.h> + #include <linux/netlink.h> ++#include <linux/nospec.h> + #include <linux/etherdevice.h> + #include <net/net_namespace.h> + #include <net/genetlink.h> +@@ -1874,20 +1875,22 @@ static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = { + static int parse_txq_params(struct nlattr *tb[], + struct ieee80211_txq_params *txq_params) + { ++ u8 ac; ++ + if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] || + !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] || + !tb[NL80211_TXQ_ATTR_AIFS]) + return -EINVAL; + +- txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]); ++ ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]); + txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]); + txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]); + txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]); + txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]); + +- if (txq_params->ac >= NL80211_NUM_ACS) ++ if (ac >= NL80211_NUM_ACS) + return -EINVAL; +- ++ txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS); + return 0; + } + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 30593cadd428..84541b35629a 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1353,11 +1353,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, + + static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + { ++ u16 prev_family; + int i; + + if (nr > XFRM_MAX_DEPTH) + return -EINVAL; + ++ prev_family = family; ++ + for (i = 0; i < nr; i++) { + /* We never validated the ut->family value, so many + * applications simply leave it at zero. The check was +@@ -1369,6 +1372,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + if (!ut[i].family) + ut[i].family = family; + ++ if ((ut[i].mode == XFRM_MODE_TRANSPORT) && ++ (ut[i].family != prev_family)) ++ return -EINVAL; ++ ++ prev_family = ut[i].family; ++ + switch (ut[i].family) { + case AF_INET: + break; +@@ -1379,6 +1388,21 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + default: + return -EINVAL; + } ++ ++ switch (ut[i].id.proto) { ++ case IPPROTO_AH: ++ case IPPROTO_ESP: ++ case IPPROTO_COMP: ++#if IS_ENABLED(CONFIG_IPV6) ++ case IPPROTO_ROUTING: ++ case IPPROTO_DSTOPTS: ++#endif ++ case IPSEC_PROTO_ANY: ++ break; ++ default: ++ return -EINVAL; ++ } ++ + } + + return 0; +diff --git a/scripts/Makefile.build b/scripts/Makefile.build +index 01df30af4d4a..18209917e379 100644 +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -158,7 +158,8 @@ cmd_cc_i_c = $(CPP) $(c_flags) -o $@ $< + $(obj)/%.i: $(src)/%.c FORCE + $(call if_changed_dep,cc_i_c) + +-cmd_gensymtypes = \ ++# These mirror gensymtypes_S and co below, keep them in synch. ++cmd_gensymtypes_c = \ + $(CPP) -D__GENKSYMS__ $(c_flags) $< | \ + $(GENKSYMS) $(if $(1), -T $(2)) \ + $(patsubst y,-s _,$(CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX)) \ +@@ -168,7 +169,7 @@ cmd_gensymtypes = \ + quiet_cmd_cc_symtypes_c = SYM $(quiet_modtag) $@ + cmd_cc_symtypes_c = \ + set -e; \ +- $(call cmd_gensymtypes,true,$@) >/dev/null; \ ++ $(call cmd_gensymtypes_c,true,$@) >/dev/null; \ + test -s $@ || rm -f $@ + + $(obj)/%.symtypes : $(src)/%.c FORCE +@@ -197,9 +198,10 @@ else + # the actual value of the checksum generated by genksyms + + cmd_cc_o_c = $(CC) $(c_flags) -c -o $(@D)/.tmp_$(@F) $< +-cmd_modversions = \ ++ ++cmd_modversions_c = \ + if $(OBJDUMP) -h $(@D)/.tmp_$(@F) | grep -q __ksymtab; then \ +- $(call cmd_gensymtypes,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \ ++ $(call cmd_gensymtypes_c,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \ + > $(@D)/.tmp_$(@F:.o=.ver); \ + \ + $(LD) $(LDFLAGS) -r -o $@ $(@D)/.tmp_$(@F) \ +@@ -244,7 +246,7 @@ endif + define rule_cc_o_c + $(call echo-cmd,checksrc) $(cmd_checksrc) \ + $(call echo-cmd,cc_o_c) $(cmd_cc_o_c); \ +- $(cmd_modversions) \ ++ $(cmd_modversions_c) \ + $(call echo-cmd,record_mcount) \ + $(cmd_record_mcount) \ + scripts/basic/fixdep $(depfile) $@ '$(call make-cmd,cc_o_c)' > \ +@@ -253,6 +255,15 @@ define rule_cc_o_c + mv -f $(dot-target).tmp $(dot-target).cmd + endef + ++define rule_as_o_S ++ $(call echo-cmd,as_o_S) $(cmd_as_o_S); \ ++ scripts/basic/fixdep $(depfile) $@ '$(call make-cmd,as_o_S)' > \ ++ $(dot-target).tmp; \ ++ $(cmd_modversions_S) \ ++ rm -f $(depfile); \ ++ mv -f $(dot-target).tmp $(dot-target).cmd ++endef ++ + # Built-in and composite module parts + $(obj)/%.o: $(src)/%.c $(recordmcount_source) FORCE + $(call cmd,force_checksrc) +@@ -281,6 +292,38 @@ modkern_aflags := $(KBUILD_AFLAGS_KERNEL) $(AFLAGS_KERNEL) + $(real-objs-m) : modkern_aflags := $(KBUILD_AFLAGS_MODULE) $(AFLAGS_MODULE) + $(real-objs-m:.o=.s): modkern_aflags := $(KBUILD_AFLAGS_MODULE) $(AFLAGS_MODULE) + ++# .S file exports must have their C prototypes defined in asm/asm-prototypes.h ++# or a file that it includes, in order to get versioned symbols. We build a ++# dummy C file that includes asm-prototypes and the EXPORT_SYMBOL lines from ++# the .S file (with trailing ';'), and run genksyms on that, to extract vers. ++# ++# This is convoluted. The .S file must first be preprocessed to run guards and ++# expand names, then the resulting exports must be constructed into plain ++# EXPORT_SYMBOL(symbol); to build our dummy C file, and that gets preprocessed ++# to make the genksyms input. ++# ++# These mirror gensymtypes_c and co above, keep them in synch. ++cmd_gensymtypes_S = \ ++ (echo "\#include <linux/kernel.h>" ; \ ++ echo "\#include <asm/asm-prototypes.h>" ; \ ++ $(CPP) $(a_flags) $< | \ ++ grep "\<___EXPORT_SYMBOL\>" | \ ++ sed 's/.*___EXPORT_SYMBOL[[:space:]]*\([a-zA-Z0-9_]*\)[[:space:]]*,.*/EXPORT_SYMBOL(\1);/' ) | \ ++ $(CPP) -D__GENKSYMS__ $(c_flags) -xc - | \ ++ $(GENKSYMS) $(if $(1), -T $(2)) \ ++ $(patsubst y,-s _,$(CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX)) \ ++ $(if $(KBUILD_PRESERVE),-p) \ ++ -r $(firstword $(wildcard $(2:.symtypes=.symref) /dev/null)) ++ ++quiet_cmd_cc_symtypes_S = SYM $(quiet_modtag) $@ ++cmd_cc_symtypes_S = \ ++ set -e; \ ++ $(call cmd_gensymtypes_S,true,$@) >/dev/null; \ ++ test -s $@ || rm -f $@ ++ ++$(obj)/%.symtypes : $(src)/%.S FORCE ++ $(call cmd,cc_symtypes_S) ++ + quiet_cmd_as_s_S = CPP $(quiet_modtag) $@ + cmd_as_s_S = $(CPP) $(a_flags) -o $@ $< + +@@ -288,10 +331,40 @@ $(obj)/%.s: $(src)/%.S FORCE + $(call if_changed_dep,as_s_S) + + quiet_cmd_as_o_S = AS $(quiet_modtag) $@ +-cmd_as_o_S = $(CC) $(a_flags) -c -o $@ $< ++ ++ifndef CONFIG_MODVERSIONS ++cmd_as_o_S = $(CC) $(a_flags) -c -o $@ $< ++ ++else ++ ++ASM_PROTOTYPES := $(wildcard $(srctree)/arch/$(SRCARCH)/include/asm/asm-prototypes.h) ++ ++ifeq ($(ASM_PROTOTYPES),) ++cmd_as_o_S = $(CC) $(a_flags) -c -o $@ $< ++ ++else ++ ++# versioning matches the C process described above, with difference that ++# we parse asm-prototypes.h C header to get function definitions. ++ ++cmd_as_o_S = $(CC) $(a_flags) -c -o $(@D)/.tmp_$(@F) $< ++ ++cmd_modversions_S = \ ++ if $(OBJDUMP) -h $(@D)/.tmp_$(@F) | grep -q __ksymtab; then \ ++ $(call cmd_gensymtypes_S,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \ ++ > $(@D)/.tmp_$(@F:.o=.ver); \ ++ \ ++ $(LD) $(LDFLAGS) -r -o $@ $(@D)/.tmp_$(@F) \ ++ -T $(@D)/.tmp_$(@F:.o=.ver); \ ++ rm -f $(@D)/.tmp_$(@F) $(@D)/.tmp_$(@F:.o=.ver); \ ++ else \ ++ mv -f $(@D)/.tmp_$(@F) $@; \ ++ fi; ++endif ++endif + + $(obj)/%.o: $(src)/%.S FORCE +- $(call if_changed_dep,as_o_S) ++ $(call if_changed_rule,as_o_S) + + targets += $(real-objs-y) $(real-objs-m) $(lib-y) + targets += $(extra-y) $(MAKECMDGOALS) $(always) +diff --git a/scripts/genksyms/genksyms.c b/scripts/genksyms/genksyms.c +index 88632df4381b..dafaf96e0a34 100644 +--- a/scripts/genksyms/genksyms.c ++++ b/scripts/genksyms/genksyms.c +@@ -423,13 +423,15 @@ static struct string_list *read_node(FILE *f) + struct string_list node = { + .string = buffer, + .tag = SYM_NORMAL }; +- int c; ++ int c, in_string = 0; + + while ((c = fgetc(f)) != EOF) { +- if (c == ' ') { ++ if (!in_string && c == ' ') { + if (node.string == buffer) + continue; + break; ++ } else if (c == '"') { ++ in_string = !in_string; + } else if (c == '\n') { + if (node.string == buffer) + return NULL; +diff --git a/scripts/kernel-doc b/scripts/kernel-doc +index 9922e66883a5..f936d9e5db91 100755 +--- a/scripts/kernel-doc ++++ b/scripts/kernel-doc +@@ -2616,4 +2616,4 @@ if ($verbose && $warnings) { + print STDERR "$warnings warnings\n"; + } + +-exit($errors); ++exit($output_mode eq "none" ? 0 : $errors); +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 91ee1b2e0f9a..a9f02fe15ce3 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -593,7 +593,8 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname) + if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 || + strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 || + strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 || +- strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0) ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0 || ++ strcmp(symname, ".TOC.") == 0) + return 1; + /* Do not ignore this symbol */ + return 0; +diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c +index 89d5695c51cd..20251ee5c491 100644 +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc) + */ + static int valid_master_desc(const char *new_desc, const char *orig_desc) + { +- if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) { +- if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN) +- goto out; +- if (orig_desc) +- if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN)) +- goto out; +- } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) { +- if (strlen(new_desc) == KEY_USER_PREFIX_LEN) +- goto out; +- if (orig_desc) +- if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN)) +- goto out; +- } else +- goto out; ++ int prefix_len; ++ ++ if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) ++ prefix_len = KEY_TRUSTED_PREFIX_LEN; ++ else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) ++ prefix_len = KEY_USER_PREFIX_LEN; ++ else ++ return -EINVAL; ++ ++ if (!new_desc[prefix_len]) ++ return -EINVAL; ++ ++ if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) ++ return -EINVAL; ++ + return 0; +-out: +- return -EINVAL; + } + + /* +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 9e2d82070915..31d1d2ebd6f2 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -823,6 +823,9 @@ int security_bounded_transition(u32 old_sid, u32 new_sid) + int index; + int rc; + ++ if (!ss_initialized) ++ return 0; ++ + read_lock(&policy_rwlock); + + rc = -EINVAL; +@@ -1236,27 +1239,25 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, + if (!scontext_len) + return -EINVAL; + ++ /* Copy the string to allow changes and ensure a NUL terminator */ ++ scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); ++ if (!scontext2) ++ return -ENOMEM; ++ + if (!ss_initialized) { + int i; + + for (i = 1; i < SECINITSID_NUM; i++) { +- if (!strcmp(initial_sid_to_string[i], scontext)) { ++ if (!strcmp(initial_sid_to_string[i], scontext2)) { + *sid = i; +- return 0; ++ goto out; + } + } + *sid = SECINITSID_KERNEL; +- return 0; ++ goto out; + } + *sid = SECSID_NULL; + +- /* Copy the string so that we can modify the copy as we parse it. */ +- scontext2 = kmalloc(scontext_len + 1, gfp_flags); +- if (!scontext2) +- return -ENOMEM; +- memcpy(scontext2, scontext, scontext_len); +- scontext2[scontext_len] = 0; +- + if (force) { + /* Save another copy for storing in uninterpreted form */ + rc = -ENOMEM; +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 33e72c809e50..494b7b533366 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -465,7 +465,6 @@ static int snd_pcm_hw_param_near(struct snd_pcm_substream *pcm, + v = snd_pcm_hw_param_last(pcm, params, var, dir); + else + v = snd_pcm_hw_param_first(pcm, params, var, dir); +- snd_BUG_ON(v < 0); + return v; + } + +@@ -1370,8 +1369,11 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha + + if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) + return tmp; +- mutex_lock(&runtime->oss.params_lock); + while (bytes > 0) { ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) { ++ tmp = -ERESTARTSYS; ++ break; ++ } + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { + tmp = bytes; + if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes) +@@ -1415,14 +1417,18 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha + xfer += tmp; + if ((substream->f_flags & O_NONBLOCK) != 0 && + tmp != runtime->oss.period_bytes) +- break; ++ tmp = -EAGAIN; + } +- } +- mutex_unlock(&runtime->oss.params_lock); +- return xfer; +- + err: +- mutex_unlock(&runtime->oss.params_lock); ++ mutex_unlock(&runtime->oss.params_lock); ++ if (tmp < 0) ++ break; ++ if (signal_pending(current)) { ++ tmp = -ERESTARTSYS; ++ break; ++ } ++ tmp = 0; ++ } + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; + } + +@@ -1470,8 +1476,11 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use + + if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) + return tmp; +- mutex_lock(&runtime->oss.params_lock); + while (bytes > 0) { ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) { ++ tmp = -ERESTARTSYS; ++ break; ++ } + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { + if (runtime->oss.buffer_used == 0) { + tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1); +@@ -1502,12 +1511,16 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use + bytes -= tmp; + xfer += tmp; + } +- } +- mutex_unlock(&runtime->oss.params_lock); +- return xfer; +- + err: +- mutex_unlock(&runtime->oss.params_lock); ++ mutex_unlock(&runtime->oss.params_lock); ++ if (tmp < 0) ++ break; ++ if (signal_pending(current)) { ++ tmp = -ERESTARTSYS; ++ break; ++ } ++ tmp = 0; ++ } + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; + } + +diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c +index 727ac44d39f4..a84a1d3d23e5 100644 +--- a/sound/core/oss/pcm_plugin.c ++++ b/sound/core/oss/pcm_plugin.c +@@ -591,18 +591,26 @@ snd_pcm_sframes_t snd_pcm_plug_write_transfer(struct snd_pcm_substream *plug, st + snd_pcm_sframes_t frames = size; + + plugin = snd_pcm_plug_first(plug); +- while (plugin && frames > 0) { ++ while (plugin) { ++ if (frames <= 0) ++ return frames; + if ((next = plugin->next) != NULL) { + snd_pcm_sframes_t frames1 = frames; +- if (plugin->dst_frames) ++ if (plugin->dst_frames) { + frames1 = plugin->dst_frames(plugin, frames); ++ if (frames1 <= 0) ++ return frames1; ++ } + if ((err = next->client_channels(next, frames1, &dst_channels)) < 0) { + return err; + } + if (err != frames1) { + frames = err; +- if (plugin->src_frames) ++ if (plugin->src_frames) { + frames = plugin->src_frames(plugin, frames1); ++ if (frames <= 0) ++ return frames; ++ } + } + } else + dst_channels = NULL; +diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c +index 9a7cc9a56a21..169df070c22b 100644 +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -578,7 +578,6 @@ static inline unsigned int muldiv32(unsigned int a, unsigned int b, + { + u_int64_t n = (u_int64_t) a * b; + if (c == 0) { +- snd_BUG_ON(!n); + *r = 0; + return UINT_MAX; + } +@@ -1663,7 +1662,7 @@ int snd_pcm_hw_param_first(struct snd_pcm_substream *pcm, + return changed; + if (params->rmask) { + int err = snd_pcm_hw_refine(pcm, params); +- if (snd_BUG_ON(err < 0)) ++ if (err < 0) + return err; + } + return snd_pcm_hw_param_value(params, var, dir); +@@ -1710,7 +1709,7 @@ int snd_pcm_hw_param_last(struct snd_pcm_substream *pcm, + return changed; + if (params->rmask) { + int err = snd_pcm_hw_refine(pcm, params); +- if (snd_BUG_ON(err < 0)) ++ if (err < 0) + return err; + } + return snd_pcm_hw_param_value(params, var, dir); +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c +index b450a27588c8..16f8124b1150 100644 +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -579,15 +579,14 @@ static int snd_rawmidi_info_user(struct snd_rawmidi_substream *substream, + return 0; + } + +-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info) ++static int __snd_rawmidi_info_select(struct snd_card *card, ++ struct snd_rawmidi_info *info) + { + struct snd_rawmidi *rmidi; + struct snd_rawmidi_str *pstr; + struct snd_rawmidi_substream *substream; + +- mutex_lock(®ister_mutex); + rmidi = snd_rawmidi_search(card, info->device); +- mutex_unlock(®ister_mutex); + if (!rmidi) + return -ENXIO; + if (info->stream < 0 || info->stream > 1) +@@ -603,6 +602,16 @@ int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info + } + return -ENXIO; + } ++ ++int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info) ++{ ++ int ret; ++ ++ mutex_lock(®ister_mutex); ++ ret = __snd_rawmidi_info_select(card, info); ++ mutex_unlock(®ister_mutex); ++ return ret; ++} + EXPORT_SYMBOL(snd_rawmidi_info_select); + + static int snd_rawmidi_info_select_user(struct snd_card *card, +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index e3767122dd0b..b9ce5da25938 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize) + rwlock_init(&client->ports_lock); + mutex_init(&client->ports_mutex); + INIT_LIST_HEAD(&client->ports_list_head); ++ mutex_init(&client->ioctl_mutex); + + /* find free slot in the client table */ + spin_lock_irqsave(&clients_lock, flags); +@@ -1011,7 +1012,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, + { + struct snd_seq_client *client = file->private_data; + int written = 0, len; +- int err = -EINVAL; ++ int err; + struct snd_seq_event event; + + if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT)) +@@ -1026,11 +1027,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, + + /* allocate the pool now if the pool is not allocated yet */ + if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) { +- if (snd_seq_pool_init(client->pool) < 0) ++ mutex_lock(&client->ioctl_mutex); ++ err = snd_seq_pool_init(client->pool); ++ mutex_unlock(&client->ioctl_mutex); ++ if (err < 0) + return -ENOMEM; + } + + /* only process whole events */ ++ err = -EINVAL; + while (count >= sizeof(struct snd_seq_event)) { + /* Read in the event header from the user */ + len = sizeof(event); +@@ -2195,6 +2200,7 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd, + void __user *arg) + { + struct seq_ioctl_table *p; ++ int ret; + + switch (cmd) { + case SNDRV_SEQ_IOCTL_PVERSION: +@@ -2208,8 +2214,12 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd, + if (! arg) + return -EFAULT; + for (p = ioctl_tables; p->cmd; p++) { +- if (p->cmd == cmd) +- return p->func(client, arg); ++ if (p->cmd == cmd) { ++ mutex_lock(&client->ioctl_mutex); ++ ret = p->func(client, arg); ++ mutex_unlock(&client->ioctl_mutex); ++ return ret; ++ } + } + pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", + cmd, _IOC_TYPE(cmd), _IOC_NR(cmd)); +diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h +index 20f0a725ec7d..91f8f165bfdc 100644 +--- a/sound/core/seq/seq_clientmgr.h ++++ b/sound/core/seq/seq_clientmgr.h +@@ -59,6 +59,7 @@ struct snd_seq_client { + struct list_head ports_list_head; + rwlock_t ports_lock; + struct mutex ports_mutex; ++ struct mutex ioctl_mutex; + int convert32; /* convert 32->64bit */ + + /* output pool */ +diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c +index 7f9126efc1e5..83ae083b192f 100644 +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -39,6 +39,7 @@ + #include <sound/core.h> + #include <sound/control.h> + #include <sound/pcm.h> ++#include <sound/pcm_params.h> + #include <sound/info.h> + #include <sound/initval.h> + +@@ -305,19 +306,6 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd) + return 0; + } + +-static void params_change_substream(struct loopback_pcm *dpcm, +- struct snd_pcm_runtime *runtime) +-{ +- struct snd_pcm_runtime *dst_runtime; +- +- if (dpcm == NULL || dpcm->substream == NULL) +- return; +- dst_runtime = dpcm->substream->runtime; +- if (dst_runtime == NULL) +- return; +- dst_runtime->hw = dpcm->cable->hw; +-} +- + static void params_change(struct snd_pcm_substream *substream) + { + struct snd_pcm_runtime *runtime = substream->runtime; +@@ -329,10 +317,6 @@ static void params_change(struct snd_pcm_substream *substream) + cable->hw.rate_max = runtime->rate; + cable->hw.channels_min = runtime->channels; + cable->hw.channels_max = runtime->channels; +- params_change_substream(cable->streams[SNDRV_PCM_STREAM_PLAYBACK], +- runtime); +- params_change_substream(cable->streams[SNDRV_PCM_STREAM_CAPTURE], +- runtime); + } + + static int loopback_prepare(struct snd_pcm_substream *substream) +@@ -620,26 +604,29 @@ static unsigned int get_cable_index(struct snd_pcm_substream *substream) + static int rule_format(struct snd_pcm_hw_params *params, + struct snd_pcm_hw_rule *rule) + { ++ struct loopback_pcm *dpcm = rule->private; ++ struct loopback_cable *cable = dpcm->cable; ++ struct snd_mask m; + +- struct snd_pcm_hardware *hw = rule->private; +- struct snd_mask *maskp = hw_param_mask(params, rule->var); +- +- maskp->bits[0] &= (u_int32_t)hw->formats; +- maskp->bits[1] &= (u_int32_t)(hw->formats >> 32); +- memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */ +- if (! maskp->bits[0] && ! maskp->bits[1]) +- return -EINVAL; +- return 0; ++ snd_mask_none(&m); ++ mutex_lock(&dpcm->loopback->cable_lock); ++ m.bits[0] = (u_int32_t)cable->hw.formats; ++ m.bits[1] = (u_int32_t)(cable->hw.formats >> 32); ++ mutex_unlock(&dpcm->loopback->cable_lock); ++ return snd_mask_refine(hw_param_mask(params, rule->var), &m); + } + + static int rule_rate(struct snd_pcm_hw_params *params, + struct snd_pcm_hw_rule *rule) + { +- struct snd_pcm_hardware *hw = rule->private; ++ struct loopback_pcm *dpcm = rule->private; ++ struct loopback_cable *cable = dpcm->cable; + struct snd_interval t; + +- t.min = hw->rate_min; +- t.max = hw->rate_max; ++ mutex_lock(&dpcm->loopback->cable_lock); ++ t.min = cable->hw.rate_min; ++ t.max = cable->hw.rate_max; ++ mutex_unlock(&dpcm->loopback->cable_lock); + t.openmin = t.openmax = 0; + t.integer = 0; + return snd_interval_refine(hw_param_interval(params, rule->var), &t); +@@ -648,22 +635,44 @@ static int rule_rate(struct snd_pcm_hw_params *params, + static int rule_channels(struct snd_pcm_hw_params *params, + struct snd_pcm_hw_rule *rule) + { +- struct snd_pcm_hardware *hw = rule->private; ++ struct loopback_pcm *dpcm = rule->private; ++ struct loopback_cable *cable = dpcm->cable; + struct snd_interval t; + +- t.min = hw->channels_min; +- t.max = hw->channels_max; ++ mutex_lock(&dpcm->loopback->cable_lock); ++ t.min = cable->hw.channels_min; ++ t.max = cable->hw.channels_max; ++ mutex_unlock(&dpcm->loopback->cable_lock); + t.openmin = t.openmax = 0; + t.integer = 0; + return snd_interval_refine(hw_param_interval(params, rule->var), &t); + } + ++static void free_cable(struct snd_pcm_substream *substream) ++{ ++ struct loopback *loopback = substream->private_data; ++ int dev = get_cable_index(substream); ++ struct loopback_cable *cable; ++ ++ cable = loopback->cables[substream->number][dev]; ++ if (!cable) ++ return; ++ if (cable->streams[!substream->stream]) { ++ /* other stream is still alive */ ++ cable->streams[substream->stream] = NULL; ++ } else { ++ /* free the cable */ ++ loopback->cables[substream->number][dev] = NULL; ++ kfree(cable); ++ } ++} ++ + static int loopback_open(struct snd_pcm_substream *substream) + { + struct snd_pcm_runtime *runtime = substream->runtime; + struct loopback *loopback = substream->private_data; + struct loopback_pcm *dpcm; +- struct loopback_cable *cable; ++ struct loopback_cable *cable = NULL; + int err = 0; + int dev = get_cable_index(substream); + +@@ -682,7 +691,6 @@ static int loopback_open(struct snd_pcm_substream *substream) + if (!cable) { + cable = kzalloc(sizeof(*cable), GFP_KERNEL); + if (!cable) { +- kfree(dpcm); + err = -ENOMEM; + goto unlock; + } +@@ -700,19 +708,19 @@ static int loopback_open(struct snd_pcm_substream *substream) + /* are cached -> they do not reflect the actual state */ + err = snd_pcm_hw_rule_add(runtime, 0, + SNDRV_PCM_HW_PARAM_FORMAT, +- rule_format, &runtime->hw, ++ rule_format, dpcm, + SNDRV_PCM_HW_PARAM_FORMAT, -1); + if (err < 0) + goto unlock; + err = snd_pcm_hw_rule_add(runtime, 0, + SNDRV_PCM_HW_PARAM_RATE, +- rule_rate, &runtime->hw, ++ rule_rate, dpcm, + SNDRV_PCM_HW_PARAM_RATE, -1); + if (err < 0) + goto unlock; + err = snd_pcm_hw_rule_add(runtime, 0, + SNDRV_PCM_HW_PARAM_CHANNELS, +- rule_channels, &runtime->hw, ++ rule_channels, dpcm, + SNDRV_PCM_HW_PARAM_CHANNELS, -1); + if (err < 0) + goto unlock; +@@ -724,6 +732,10 @@ static int loopback_open(struct snd_pcm_substream *substream) + else + runtime->hw = cable->hw; + unlock: ++ if (err < 0) { ++ free_cable(substream); ++ kfree(dpcm); ++ } + mutex_unlock(&loopback->cable_lock); + return err; + } +@@ -732,20 +744,10 @@ static int loopback_close(struct snd_pcm_substream *substream) + { + struct loopback *loopback = substream->private_data; + struct loopback_pcm *dpcm = substream->runtime->private_data; +- struct loopback_cable *cable; +- int dev = get_cable_index(substream); + + loopback_timer_stop(dpcm); + mutex_lock(&loopback->cable_lock); +- cable = loopback->cables[substream->number][dev]; +- if (cable->streams[!substream->stream]) { +- /* other stream is still alive */ +- cable->streams[substream->stream] = NULL; +- } else { +- /* free the cable */ +- loopback->cables[substream->number][dev] = NULL; +- kfree(cable); +- } ++ free_cable(substream); + mutex_unlock(&loopback->cable_lock); + return 0; + } +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 0374bd5b61c8..1fb951225318 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1452,6 +1452,9 @@ static int dspio_scp(struct hda_codec *codec, + } else if (ret_size != reply_data_size) { + codec_dbg(codec, "RetLen and HdrLen .NE.\n"); + return -EINVAL; ++ } else if (!reply) { ++ codec_dbg(codec, "NULL reply\n"); ++ return -EINVAL; + } else { + *reply_len = ret_size*sizeof(unsigned int); + memcpy(reply, scp_reply.data, *reply_len); +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index aeb054ca9ed9..b3d222d96a1b 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -394,6 +394,7 @@ static const struct snd_pci_quirk cs420x_fixup_tbl[] = { + /*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/ + + /* codec SSID */ ++ SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122), + SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81), + SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122), + SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101), +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 75c4e14f4156..861dc57cb082 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3119,6 +3119,19 @@ static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec, + spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP; + } + ++static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21); ++ unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19); ++ ++ if (cfg_headphone && cfg_headset_mic == 0x411111f0) ++ snd_hda_codec_set_pincfg(codec, 0x19, ++ (cfg_headphone & ~AC_DEFCFG_DEVICE) | ++ (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT)); ++} ++ + static void alc269_fixup_hweq(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -4675,6 +4688,7 @@ enum { + ALC269_FIXUP_LIFEBOOK_EXTMIC, + ALC269_FIXUP_LIFEBOOK_HP_PIN, + ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT, ++ ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC, + ALC269_FIXUP_AMIC, + ALC269_FIXUP_DMIC, + ALC269VB_FIXUP_AMIC, +@@ -4732,6 +4746,7 @@ enum { + ALC286_FIXUP_HP_GPIO_LED, + ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY, + ALC280_FIXUP_HP_DOCK_PINS, ++ ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, + ALC280_FIXUP_HP_9480M, + ALC288_FIXUP_DELL_HEADSET_MODE, + ALC288_FIXUP_DELL1_MIC_NO_PRESENCE, +@@ -4864,6 +4879,10 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc269_fixup_pincfg_no_hp_to_lineout, + }, ++ [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc269_fixup_pincfg_U7x7_headset_mic, ++ }, + [ALC269_FIXUP_AMIC] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -5270,6 +5289,16 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC280_FIXUP_HP_GPIO4 + }, ++ [ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x1b, 0x21011020 }, /* line-out */ ++ { 0x18, 0x2181103f }, /* line-in */ ++ { }, ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_HP_GPIO_MIC1_LED ++ }, + [ALC280_FIXUP_HP_9480M] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc280_fixup_hp_9480m, +@@ -5482,6 +5511,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), ++ SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), +@@ -5522,7 +5552,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x2256, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), + SND_PCI_QUIRK(0x103c, 0x2257, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), + SND_PCI_QUIRK(0x103c, 0x2259, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), +- SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), ++ SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED), + SND_PCI_QUIRK(0x103c, 0x2260, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), + SND_PCI_QUIRK(0x103c, 0x2263, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), + SND_PCI_QUIRK(0x103c, 0x2264, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), +@@ -5568,6 +5598,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT), + SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN), + SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN), ++ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC), + SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC), + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_BXBT2807_MIC), +@@ -5684,6 +5715,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC269_FIXUP_HEADSET_MIC, .name = "headset-mic"}, + {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"}, + {.id = ALC269_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"}, ++ {.id = ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, .name = "hp-dock-gpio-mic1-led"}, + {.id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "dell-headset-multi"}, + {.id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, .name = "dell-headset-dock"}, + {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"}, +diff --git a/sound/soc/codecs/pcm512x-spi.c b/sound/soc/codecs/pcm512x-spi.c +index 7b64a9cef704..8adb0912d5f8 100644 +--- a/sound/soc/codecs/pcm512x-spi.c ++++ b/sound/soc/codecs/pcm512x-spi.c +@@ -71,3 +71,7 @@ static struct spi_driver pcm512x_spi_driver = { + }; + + module_spi_driver(pcm512x_spi_driver); ++ ++MODULE_DESCRIPTION("ASoC PCM512x codec driver - SPI"); ++MODULE_AUTHOR("Mark Brown <broonie@kernel.org>"); ++MODULE_LICENSE("GPL v2"); +diff --git a/sound/soc/codecs/twl4030.c b/sound/soc/codecs/twl4030.c +index d04693e9cf9f..3a98c0910560 100644 +--- a/sound/soc/codecs/twl4030.c ++++ b/sound/soc/codecs/twl4030.c +@@ -232,7 +232,7 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec) + struct twl4030_codec_data *pdata = dev_get_platdata(codec->dev); + struct device_node *twl4030_codec_node = NULL; + +- twl4030_codec_node = of_find_node_by_name(codec->dev->parent->of_node, ++ twl4030_codec_node = of_get_child_by_name(codec->dev->parent->of_node, + "codec"); + + if (!pdata && twl4030_codec_node) { +@@ -241,9 +241,11 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec) + GFP_KERNEL); + if (!pdata) { + dev_err(codec->dev, "Can not allocate memory\n"); ++ of_node_put(twl4030_codec_node); + return NULL; + } + twl4030_setup_pdata_of(pdata, twl4030_codec_node); ++ of_node_put(twl4030_codec_node); + } + + return pdata; +diff --git a/sound/soc/ux500/mop500.c b/sound/soc/ux500/mop500.c +index 4e0c0e502ade..49a1b8050bc7 100644 +--- a/sound/soc/ux500/mop500.c ++++ b/sound/soc/ux500/mop500.c +@@ -163,3 +163,7 @@ static struct platform_driver snd_soc_mop500_driver = { + }; + + module_platform_driver(snd_soc_mop500_driver); ++ ++MODULE_LICENSE("GPL v2"); ++MODULE_DESCRIPTION("ASoC MOP500 board driver"); ++MODULE_AUTHOR("Ola Lilja"); +diff --git a/sound/soc/ux500/ux500_pcm.c b/sound/soc/ux500/ux500_pcm.c +index 51a66a87305a..b4ab903fca1b 100644 +--- a/sound/soc/ux500/ux500_pcm.c ++++ b/sound/soc/ux500/ux500_pcm.c +@@ -166,3 +166,8 @@ int ux500_pcm_unregister_platform(struct platform_device *pdev) + return 0; + } + EXPORT_SYMBOL_GPL(ux500_pcm_unregister_platform); ++ ++MODULE_AUTHOR("Ola Lilja"); ++MODULE_AUTHOR("Roger Nilsson"); ++MODULE_DESCRIPTION("ASoC UX500 driver"); ++MODULE_LICENSE("GPL v2"); +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 2ee449fbe55f..76f7c95b38af 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -343,17 +343,20 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, + int validx, int *value_ret) + { + struct snd_usb_audio *chip = cval->head.mixer->chip; +- unsigned char buf[4 + 3 * sizeof(__u32)]; /* enough space for one range */ ++ /* enough space for one range */ ++ unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)]; + unsigned char *val; +- int idx = 0, ret, size; ++ int idx = 0, ret, val_size, size; + __u8 bRequest; + ++ val_size = uac2_ctl_value_size(cval->val_type); ++ + if (request == UAC_GET_CUR) { + bRequest = UAC2_CS_CUR; +- size = uac2_ctl_value_size(cval->val_type); ++ size = val_size; + } else { + bRequest = UAC2_CS_RANGE; +- size = sizeof(buf); ++ size = sizeof(__u16) + 3 * val_size; + } + + memset(buf, 0, sizeof(buf)); +@@ -386,16 +389,17 @@ error: + val = buf + sizeof(__u16); + break; + case UAC_GET_MAX: +- val = buf + sizeof(__u16) * 2; ++ val = buf + sizeof(__u16) + val_size; + break; + case UAC_GET_RES: +- val = buf + sizeof(__u16) * 3; ++ val = buf + sizeof(__u16) + val_size * 2; + break; + default: + return -EINVAL; + } + +- *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16))); ++ *value_ret = convert_signed_value(cval, ++ snd_usb_combine_bytes(val, val_size)); + + return 0; + } +@@ -2095,20 +2099,25 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid, + kctl->private_value = (unsigned long)namelist; + kctl->private_free = usb_mixer_selector_elem_free; + +- nameid = uac_selector_unit_iSelector(desc); ++ /* check the static mapping table at first */ + len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name)); +- if (len) +- ; +- else if (nameid) +- len = snd_usb_copy_string_desc(state, nameid, kctl->id.name, +- sizeof(kctl->id.name)); +- else +- len = get_term_name(state, &state->oterm, +- kctl->id.name, sizeof(kctl->id.name), 0); +- + if (!len) { +- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name)); ++ /* no mapping ? */ ++ /* if iSelector is given, use it */ ++ nameid = uac_selector_unit_iSelector(desc); ++ if (nameid) ++ len = snd_usb_copy_string_desc(state, nameid, ++ kctl->id.name, ++ sizeof(kctl->id.name)); ++ /* ... or pick up the terminal name at next */ ++ if (!len) ++ len = get_term_name(state, &state->oterm, ++ kctl->id.name, sizeof(kctl->id.name), 0); ++ /* ... or use the fixed string "USB" as the last resort */ ++ if (!len) ++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name)); + ++ /* and add the proper suffix */ + if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR) + append_ctl_name(kctl, " Clock Source"); + else if ((state->oterm.type & 0xff00) == 0x0100) +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index a51155197277..3351e2f9656d 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -343,6 +343,15 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs, + ep = 0x81; + iface = usb_ifnum_to_if(dev, 2); + ++ if (!iface || iface->num_altsetting == 0) ++ return -EINVAL; ++ ++ alts = &iface->altsetting[1]; ++ goto add_sync_ep; ++ case USB_ID(0x1397, 0x0002): ++ ep = 0x81; ++ iface = usb_ifnum_to_if(dev, 1); ++ + if (!iface || iface->num_altsetting == 0) + return -EINVAL; + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index ba5efa4710b5..d464305c7c6c 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -203,6 +203,47 @@ static const char * const numa_usage[] = { + NULL + }; + ++/* ++ * To get number of numa nodes present. ++ */ ++static int nr_numa_nodes(void) ++{ ++ int i, nr_nodes = 0; ++ ++ for (i = 0; i < g->p.nr_nodes; i++) { ++ if (numa_bitmask_isbitset(numa_nodes_ptr, i)) ++ nr_nodes++; ++ } ++ ++ return nr_nodes; ++} ++ ++/* ++ * To check if given numa node is present. ++ */ ++static int is_node_present(int node) ++{ ++ return numa_bitmask_isbitset(numa_nodes_ptr, node); ++} ++ ++/* ++ * To check given numa node has cpus. ++ */ ++static bool node_has_cpus(int node) ++{ ++ struct bitmask *cpu = numa_allocate_cpumask(); ++ unsigned int i; ++ ++ if (cpu && !numa_node_to_cpus(node, cpu)) { ++ for (i = 0; i < cpu->size; i++) { ++ if (numa_bitmask_isbitset(cpu, i)) ++ return true; ++ } ++ } ++ ++ return false; /* lets fall back to nocpus safely */ ++} ++ + static cpu_set_t bind_to_cpu(int target_cpu) + { + cpu_set_t orig_mask, mask; +@@ -231,12 +272,12 @@ static cpu_set_t bind_to_cpu(int target_cpu) + + static cpu_set_t bind_to_node(int target_node) + { +- int cpus_per_node = g->p.nr_cpus/g->p.nr_nodes; ++ int cpus_per_node = g->p.nr_cpus / nr_numa_nodes(); + cpu_set_t orig_mask, mask; + int cpu; + int ret; + +- BUG_ON(cpus_per_node*g->p.nr_nodes != g->p.nr_cpus); ++ BUG_ON(cpus_per_node * nr_numa_nodes() != g->p.nr_cpus); + BUG_ON(!cpus_per_node); + + ret = sched_getaffinity(0, sizeof(orig_mask), &orig_mask); +@@ -636,7 +677,7 @@ static int parse_setup_node_list(void) + int i; + + for (i = 0; i < mul; i++) { +- if (t >= g->p.nr_tasks) { ++ if (t >= g->p.nr_tasks || !node_has_cpus(bind_node)) { + printf("\n# NOTE: ignoring bind NODEs starting at NODE#%d\n", bind_node); + goto out; + } +@@ -951,6 +992,8 @@ static void calc_convergence(double runtime_ns_max, double *convergence) + sum = 0; + + for (node = 0; node < g->p.nr_nodes; node++) { ++ if (!is_node_present(node)) ++ continue; + nr = nodes[node]; + nr_min = min(nr, nr_min); + nr_max = max(nr, nr_max); +@@ -971,8 +1014,11 @@ static void calc_convergence(double runtime_ns_max, double *convergence) + process_groups = 0; + + for (node = 0; node < g->p.nr_nodes; node++) { +- int processes = count_node_processes(node); ++ int processes; + ++ if (!is_node_present(node)) ++ continue; ++ processes = count_node_processes(node); + nr = nodes[node]; + tprintf(" %2d/%-2d", nr, processes); + +@@ -1270,7 +1316,7 @@ static void print_summary(void) + + printf("\n ###\n"); + printf(" # %d %s will execute (on %d nodes, %d CPUs):\n", +- g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", g->p.nr_nodes, g->p.nr_cpus); ++ g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", nr_numa_nodes(), g->p.nr_cpus); + printf(" # %5dx %5ldMB global shared mem operations\n", + g->p.nr_loops, g->p.bytes_global/1024/1024); + printf(" # %5dx %5ldMB process shared mem operations\n", +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 65e138019b99..866b911bcda5 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -69,6 +69,7 @@ + #include <linux/types.h> + + static volatile int done; ++static volatile int resize; + + #define HEADER_LINE_NR 5 + +@@ -78,10 +79,13 @@ static void perf_top__update_print_entries(struct perf_top *top) + } + + static void perf_top__sig_winch(int sig __maybe_unused, +- siginfo_t *info __maybe_unused, void *arg) ++ siginfo_t *info __maybe_unused, void *arg __maybe_unused) + { +- struct perf_top *top = arg; ++ resize = 1; ++} + ++static void perf_top__resize(struct perf_top *top) ++{ + get_term_dimensions(&top->winsize); + perf_top__update_print_entries(top); + } +@@ -460,7 +464,7 @@ static bool perf_top__handle_keypress(struct perf_top *top, int c) + .sa_sigaction = perf_top__sig_winch, + .sa_flags = SA_SIGINFO, + }; +- perf_top__sig_winch(SIGWINCH, NULL, top); ++ perf_top__resize(top); + sigaction(SIGWINCH, &act, NULL); + } else { + signal(SIGWINCH, SIG_DFL); +@@ -998,6 +1002,11 @@ static int __cmd_top(struct perf_top *top) + + if (hits == top->samples) + ret = perf_evlist__poll(top->evlist, 100); ++ ++ if (resize) { ++ perf_top__resize(top); ++ resize = 0; ++ } + } + + ret = 0; +diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c +index ac73710473de..8000445ff884 100644 +--- a/tools/usb/usbip/libsrc/usbip_common.c ++++ b/tools/usb/usbip/libsrc/usbip_common.c +@@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i, + struct usbip_usb_interface *uinf) + { + char busid[SYSFS_BUS_ID_SIZE]; ++ int size; + struct udev_device *sif; + +- sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); ++ size = snprintf(busid, sizeof(busid), "%s:%d.%d", ++ udev->busid, udev->bConfigurationValue, i); ++ if (size < 0 || (unsigned int)size >= sizeof(busid)) { ++ err("busid length %i >= %lu or < 0", size, ++ (unsigned long)sizeof(busid)); ++ return -1; ++ } + + sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); + if (!sif) { +diff --git a/tools/usb/usbip/libsrc/usbip_host_driver.c b/tools/usb/usbip/libsrc/usbip_host_driver.c +index bef08d5c44e8..071b9ce99420 100644 +--- a/tools/usb/usbip/libsrc/usbip_host_driver.c ++++ b/tools/usb/usbip/libsrc/usbip_host_driver.c +@@ -39,13 +39,19 @@ struct udev *udev_context; + static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) + { + char status_attr_path[SYSFS_PATH_MAX]; ++ int size; + int fd; + int length; + char status; + int value = 0; + +- snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", +- udev->path); ++ size = snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", ++ udev->path); ++ if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { ++ err("usbip_status path length %i >= %lu or < 0", size, ++ (unsigned long)sizeof(status_attr_path)); ++ return -1; ++ } + + fd = open(status_attr_path, O_RDONLY); + if (fd < 0) { +@@ -225,6 +231,7 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd) + { + char attr_name[] = "usbip_sockfd"; + char sockfd_attr_path[SYSFS_PATH_MAX]; ++ int size; + char sockfd_buff[30]; + int ret; + +@@ -244,10 +251,20 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd) + } + + /* only the first interface is true */ +- snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", +- edev->udev.path, attr_name); ++ size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", ++ edev->udev.path, attr_name); ++ if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { ++ err("exported device path length %i >= %lu or < 0", size, ++ (unsigned long)sizeof(sockfd_attr_path)); ++ return -1; ++ } + +- snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); ++ size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); ++ if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { ++ err("socket length %i >= %lu or < 0", size, ++ (unsigned long)sizeof(sockfd_buff)); ++ return -1; ++ } + + ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, + strlen(sockfd_buff)); +diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c +index ad9204773533..1274f326242c 100644 +--- a/tools/usb/usbip/libsrc/vhci_driver.c ++++ b/tools/usb/usbip/libsrc/vhci_driver.c +@@ -55,12 +55,12 @@ static int parse_status(const char *value) + + while (*c != '\0') { + int port, status, speed, devid; +- unsigned long socket; ++ int sockfd; + char lbusid[SYSFS_BUS_ID_SIZE]; + +- ret = sscanf(c, "%d %d %d %x %lx %31s\n", ++ ret = sscanf(c, "%d %d %d %x %u %31s\n", + &port, &status, &speed, +- &devid, &socket, lbusid); ++ &devid, &sockfd, lbusid); + + if (ret < 5) { + dbg("sscanf failed: %d", ret); +@@ -69,7 +69,7 @@ static int parse_status(const char *value) + + dbg("port %d status %d speed %d devid %x", + port, status, speed, devid); +- dbg("socket %lx lbusid %s", socket, lbusid); ++ dbg("sockfd %u lbusid %s", sockfd, lbusid); + + + /* if a device is connected, look at it */ +diff --git a/tools/usb/usbip/src/usbip.c b/tools/usb/usbip/src/usbip.c +index d7599d943529..73d8eee8130b 100644 +--- a/tools/usb/usbip/src/usbip.c ++++ b/tools/usb/usbip/src/usbip.c +@@ -176,6 +176,8 @@ int main(int argc, char *argv[]) + break; + case '?': + printf("usbip: invalid option\n"); ++ /* Terminate after printing error */ ++ /* FALLTHRU */ + default: + usbip_usage(); + goto out; +diff --git a/tools/usb/usbip/src/usbip_bind.c b/tools/usb/usbip/src/usbip_bind.c +index fa46141ae68b..e121cfb1746a 100644 +--- a/tools/usb/usbip/src/usbip_bind.c ++++ b/tools/usb/usbip/src/usbip_bind.c +@@ -144,6 +144,7 @@ static int bind_device(char *busid) + int rc; + struct udev *udev; + struct udev_device *dev; ++ const char *devpath; + + /* Check whether the device with this bus ID exists. */ + udev = udev_new(); +@@ -152,8 +153,16 @@ static int bind_device(char *busid) + err("device with the specified bus ID does not exist"); + return -1; + } ++ devpath = udev_device_get_devpath(dev); + udev_unref(udev); + ++ /* If the device is already attached to vhci_hcd - bail out */ ++ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) { ++ err("bind loop detected: device: %s is attached to %s\n", ++ devpath, USBIP_VHCI_DRV_NAME); ++ return -1; ++ } ++ + rc = unbind_other(busid); + if (rc == UNBIND_ST_FAILED) { + err("could not unbind driver from device on busid %s", busid); +diff --git a/tools/usb/usbip/src/usbip_list.c b/tools/usb/usbip/src/usbip_list.c +index d5ce34a410e7..ac6081c3db82 100644 +--- a/tools/usb/usbip/src/usbip_list.c ++++ b/tools/usb/usbip/src/usbip_list.c +@@ -180,6 +180,7 @@ static int list_devices(bool parsable) + const char *busid; + char product_name[128]; + int ret = -1; ++ const char *devpath; + + /* Create libudev context. */ + udev = udev_new(); +@@ -202,6 +203,14 @@ static int list_devices(bool parsable) + path = udev_list_entry_get_name(dev_list_entry); + dev = udev_device_new_from_syspath(udev, path); + ++ /* Ignore devices attached to vhci_hcd */ ++ devpath = udev_device_get_devpath(dev); ++ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) { ++ dbg("Skip the device %s already attached to %s\n", ++ devpath, USBIP_VHCI_DRV_NAME); ++ continue; ++ } ++ + /* Get device information. */ + idVendor = udev_device_get_sysattr_value(dev, "idVendor"); + idProduct = udev_device_get_sysattr_value(dev, "idProduct"); +diff --git a/tools/usb/usbip/src/utils.c b/tools/usb/usbip/src/utils.c +index 2b3d6d235015..3d7b42e77299 100644 +--- a/tools/usb/usbip/src/utils.c ++++ b/tools/usb/usbip/src/utils.c +@@ -30,6 +30,7 @@ int modify_match_busid(char *busid, int add) + char command[SYSFS_BUS_ID_SIZE + 4]; + char match_busid_attr_path[SYSFS_PATH_MAX]; + int rc; ++ int cmd_size; + + snprintf(match_busid_attr_path, sizeof(match_busid_attr_path), + "%s/%s/%s/%s/%s/%s", SYSFS_MNT_PATH, SYSFS_BUS_NAME, +@@ -37,12 +38,14 @@ int modify_match_busid(char *busid, int add) + attr_name); + + if (add) +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", busid); ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", ++ busid); + else +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", busid); ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", ++ busid); + + rc = write_sysfs_attribute(match_busid_attr_path, command, +- sizeof(command)); ++ cmd_size); + if (rc < 0) { + dbg("failed to write match_busid: %s", strerror(errno)); + return -1; diff --git a/1050_linux-4.1.51.patch b/1050_linux-4.1.51.patch new file mode 100644 index 00000000..e7f030aa --- /dev/null +++ b/1050_linux-4.1.51.patch @@ -0,0 +1,2698 @@ +diff --git a/Makefile b/Makefile +index a655f63aedeb..caccc6f16d62 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 50 ++SUBLEVEL = 51 + EXTRAVERSION = + NAME = Series 4800 + +diff --git a/arch/arm/include/asm/kvm_emulate.h b/arch/arm/include/asm/kvm_emulate.h +index 642934a5ae9b..fc2acaefafb0 100644 +--- a/arch/arm/include/asm/kvm_emulate.h ++++ b/arch/arm/include/asm/kvm_emulate.h +@@ -28,6 +28,18 @@ + unsigned long *vcpu_reg(struct kvm_vcpu *vcpu, u8 reg_num); + unsigned long *vcpu_spsr(struct kvm_vcpu *vcpu); + ++static inline unsigned long vcpu_get_reg(struct kvm_vcpu *vcpu, ++ u8 reg_num) ++{ ++ return *vcpu_reg(vcpu, reg_num); ++} ++ ++static inline void vcpu_set_reg(struct kvm_vcpu *vcpu, u8 reg_num, ++ unsigned long val) ++{ ++ *vcpu_reg(vcpu, reg_num) = val; ++} ++ + bool kvm_condition_valid(struct kvm_vcpu *vcpu); + void kvm_skip_instr(struct kvm_vcpu *vcpu, bool is_wide_instr); + void kvm_inject_undefined(struct kvm_vcpu *vcpu); +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index 04e5004b34e1..387ee2a11e36 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -115,7 +115,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr, + &data); + data = vcpu_data_host_to_guest(vcpu, data, len); +- *vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data; ++ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); + } + + return 0; +@@ -186,7 +186,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, + rt = vcpu->arch.mmio_decode.rt; + + if (is_write) { +- data = vcpu_data_guest_to_host(vcpu, *vcpu_reg(vcpu, rt), len); ++ data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt), ++ len); + + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data); + mmio_write_buf(data_buf, len, data); +diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig +index 97473168d6b6..60ad79edbc3c 100644 +--- a/arch/arm/mach-mvebu/Kconfig ++++ b/arch/arm/mach-mvebu/Kconfig +@@ -37,7 +37,7 @@ config MACH_ARMADA_370 + config MACH_ARMADA_375 + bool "Marvell Armada 375 boards" if ARCH_MULTI_V7 + select ARM_ERRATA_720789 +- select ARM_ERRATA_753970 ++ select PL310_ERRATA_753970 + select ARM_GIC + select ARMADA_375_CLK + select HAVE_ARM_SCU +@@ -52,7 +52,7 @@ config MACH_ARMADA_375 + config MACH_ARMADA_38X + bool "Marvell Armada 380/385 boards" if ARCH_MULTI_V7 + select ARM_ERRATA_720789 +- select ARM_ERRATA_753970 ++ select PL310_ERRATA_753970 + select ARM_GIC + select ARMADA_38X_CLK + select HAVE_ARM_SCU +diff --git a/arch/arm/mach-omap2/omap-secure.c b/arch/arm/mach-omap2/omap-secure.c +index 9ff92050053c..fa7f308c9027 100644 +--- a/arch/arm/mach-omap2/omap-secure.c ++++ b/arch/arm/mach-omap2/omap-secure.c +@@ -73,6 +73,7 @@ phys_addr_t omap_secure_ram_mempool_base(void) + return omap_secure_memblock_base; + } + ++#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM) + u32 omap3_save_secure_ram(void __iomem *addr, int size) + { + u32 ret; +@@ -91,6 +92,7 @@ u32 omap3_save_secure_ram(void __iomem *addr, int size) + + return ret; + } ++#endif + + /** + * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h +index 3e3c4c7a5082..0504f1347af0 100644 +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -109,6 +109,19 @@ static inline unsigned long *vcpu_reg(const struct kvm_vcpu *vcpu, u8 reg_num) + return (unsigned long *)&vcpu_gp_regs(vcpu)->regs.regs[reg_num]; + } + ++static inline unsigned long vcpu_get_reg(const struct kvm_vcpu *vcpu, ++ u8 reg_num) ++{ ++ return (reg_num == 31) ? 0 : vcpu_gp_regs(vcpu)->regs.regs[reg_num]; ++} ++ ++static inline void vcpu_set_reg(struct kvm_vcpu *vcpu, u8 reg_num, ++ unsigned long val) ++{ ++ if (reg_num != 31) ++ vcpu_gp_regs(vcpu)->regs.regs[reg_num] = val; ++} ++ + /* Get vcpu SPSR for current mode */ + static inline unsigned long *vcpu_spsr(const struct kvm_vcpu *vcpu) + { +diff --git a/arch/mips/ath25/board.c b/arch/mips/ath25/board.c +index b8bb78282d6a..7df779f2cb63 100644 +--- a/arch/mips/ath25/board.c ++++ b/arch/mips/ath25/board.c +@@ -135,6 +135,8 @@ int __init ath25_find_config(phys_addr_t base, unsigned long size) + } + + board_data = kzalloc(BOARD_CONFIG_BUFSZ, GFP_KERNEL); ++ if (!board_data) ++ goto error; + ath25_board.config = (struct ath25_boarddata *)board_data; + memcpy_fromio(board_data, bcfg, 0x100); + if (broken_boarddata) { +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c +index 10f762557b92..bacefffee16e 100644 +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2242,6 +2242,8 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node, + } + + host_data = kzalloc(sizeof(*host_data), GFP_KERNEL); ++ if (!host_data) ++ return -ENOMEM; + raw_spin_lock_init(&host_data->lock); + + addr = of_get_address(ciu_node, 0, NULL, NULL); +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c +index 336708ae5c5b..ee306af6f3d9 100644 +--- a/arch/mips/kernel/smp-bmips.c ++++ b/arch/mips/kernel/smp-bmips.c +@@ -166,11 +166,11 @@ static void bmips_prepare_cpus(unsigned int max_cpus) + return; + } + +- if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU, +- "smp_ipi0", NULL)) ++ if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, ++ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL)) + panic("Can't request IPI0 interrupt"); +- if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU, +- "smp_ipi1", NULL)) ++ if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, ++ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL)) + panic("Can't request IPI1 interrupt"); + } + +diff --git a/arch/sh/boards/mach-se/770x/setup.c b/arch/sh/boards/mach-se/770x/setup.c +index 658326f44df8..5e0267624d8d 100644 +--- a/arch/sh/boards/mach-se/770x/setup.c ++++ b/arch/sh/boards/mach-se/770x/setup.c +@@ -8,6 +8,7 @@ + */ + #include <linux/init.h> + #include <linux/platform_device.h> ++#include <linux/sh_eth.h> + #include <mach-se/mach/se.h> + #include <mach-se/mach/mrshpc.h> + #include <asm/machvec.h> +@@ -114,6 +115,11 @@ static struct platform_device heartbeat_device = { + #if defined(CONFIG_CPU_SUBTYPE_SH7710) ||\ + defined(CONFIG_CPU_SUBTYPE_SH7712) + /* SH771X Ethernet driver */ ++static struct sh_eth_plat_data sh_eth_plat = { ++ .phy = PHY_ID, ++ .phy_interface = PHY_INTERFACE_MODE_MII, ++}; ++ + static struct resource sh_eth0_resources[] = { + [0] = { + .start = SH_ETH0_BASE, +@@ -131,7 +137,7 @@ static struct platform_device sh_eth0_device = { + .name = "sh771x-ether", + .id = 0, + .dev = { +- .platform_data = PHY_ID, ++ .platform_data = &sh_eth_plat, + }, + .num_resources = ARRAY_SIZE(sh_eth0_resources), + .resource = sh_eth0_resources, +@@ -154,7 +160,7 @@ static struct platform_device sh_eth1_device = { + .name = "sh771x-ether", + .id = 1, + .dev = { +- .platform_data = PHY_ID, ++ .platform_data = &sh_eth_plat, + }, + .num_resources = ARRAY_SIZE(sh_eth1_resources), + .resource = sh_eth1_resources, +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 8de489937b89..f726068e1804 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -57,6 +57,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mutex); + rcu_read_lock_sched_held() || \ + lockdep_is_held(&mce_chrdev_read_mutex)) + ++/* sysfs synchronization */ ++static DEFINE_MUTEX(mce_sysfs_mutex); ++ + #define CREATE_TRACE_POINTS + #include <trace/events/mce.h> + +@@ -2183,6 +2186,7 @@ static ssize_t set_ignore_ce(struct device *s, + if (kstrtou64(buf, 0, &new) < 0) + return -EINVAL; + ++ mutex_lock(&mce_sysfs_mutex); + if (mca_cfg.ignore_ce ^ !!new) { + if (new) { + /* disable ce features */ +@@ -2195,6 +2199,8 @@ static ssize_t set_ignore_ce(struct device *s, + on_each_cpu(mce_enable_ce, (void *)1, 1); + } + } ++ mutex_unlock(&mce_sysfs_mutex); ++ + return size; + } + +@@ -2207,6 +2213,7 @@ static ssize_t set_cmci_disabled(struct device *s, + if (kstrtou64(buf, 0, &new) < 0) + return -EINVAL; + ++ mutex_lock(&mce_sysfs_mutex); + if (mca_cfg.cmci_disabled ^ !!new) { + if (new) { + /* disable cmci */ +@@ -2218,6 +2225,8 @@ static ssize_t set_cmci_disabled(struct device *s, + on_each_cpu(mce_enable_ce, NULL, 1); + } + } ++ mutex_unlock(&mce_sysfs_mutex); ++ + return size; + } + +@@ -2225,8 +2234,19 @@ static ssize_t store_int_with_restart(struct device *s, + struct device_attribute *attr, + const char *buf, size_t size) + { +- ssize_t ret = device_store_int(s, attr, buf, size); ++ unsigned long old_check_interval = check_interval; ++ ssize_t ret = device_store_ulong(s, attr, buf, size); ++ ++ if (check_interval == old_check_interval) ++ return ret; ++ ++ if (check_interval < 1) ++ check_interval = 1; ++ ++ mutex_lock(&mce_sysfs_mutex); + mce_restart(); ++ mutex_unlock(&mce_sysfs_mutex); ++ + return ret; + } + +diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c +index 415480d3ea84..49ab807eca1c 100644 +--- a/arch/x86/kernel/machine_kexec_64.c ++++ b/arch/x86/kernel/machine_kexec_64.c +@@ -517,6 +517,7 @@ int arch_kexec_apply_relocations_add(const Elf64_Ehdr *ehdr, + goto overflow; + break; + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + value -= (u64)address; + *(u32 *)location = value; + break; +diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c +index 005c03e93fc5..94779f66bf49 100644 +--- a/arch/x86/kernel/module.c ++++ b/arch/x86/kernel/module.c +@@ -170,19 +170,28 @@ int apply_relocate_add(Elf64_Shdr *sechdrs, + case R_X86_64_NONE: + break; + case R_X86_64_64: ++ if (*(u64 *)loc != 0) ++ goto invalid_relocation; + *(u64 *)loc = val; + break; + case R_X86_64_32: ++ if (*(u32 *)loc != 0) ++ goto invalid_relocation; + *(u32 *)loc = val; + if (val != *(u32 *)loc) + goto overflow; + break; + case R_X86_64_32S: ++ if (*(s32 *)loc != 0) ++ goto invalid_relocation; + *(s32 *)loc = val; + if ((s64)val != *(s32 *)loc) + goto overflow; + break; + case R_X86_64_PC32: ++ case R_X86_64_PLT32: ++ if (*(u32 *)loc != 0) ++ goto invalid_relocation; + val -= (u64)loc; + *(u32 *)loc = val; + #if 0 +@@ -198,6 +207,11 @@ int apply_relocate_add(Elf64_Shdr *sechdrs, + } + return 0; + ++invalid_relocation: ++ pr_err("x86/modules: Skipping invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n", ++ (int)ELF64_R_TYPE(rel[i].r_info), loc, val); ++ return -ENOEXEC; ++ + overflow: + pr_err("overflow in relocation type %d val %Lx\n", + (int)ELF64_R_TYPE(rel[i].r_info), val); +diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S +index b7518368492a..9bc944a91274 100644 +--- a/arch/x86/lib/checksum_32.S ++++ b/arch/x86/lib/checksum_32.S +@@ -29,8 +29,7 @@ + #include <asm/dwarf2.h> + #include <asm/errno.h> + #include <asm/asm.h> +-#include <asm/nospec-branch.h> +- ++ + /* + * computes a partial checksum, e.g. for TCP/UDP fragments + */ +@@ -160,7 +159,7 @@ ENTRY(csum_partial) + negl %ebx + lea 45f(%ebx,%ebx,2), %ebx + testl %esi, %esi +- JMP_NOSPEC %ebx ++ jmp *%ebx + + # Handle 2-byte-aligned regions + 20: addw (%esi), %ax +@@ -447,7 +446,7 @@ ENTRY(csum_partial_copy_generic) + andl $-32,%edx + lea 3f(%ebx,%ebx), %ebx + testl %esi, %esi +- JMP_NOSPEC %ebx ++ jmp *%ebx + 1: addl $64,%esi + addl $64,%edi + SRC(movb -32(%edx),%bl) ; SRC(movb (%edx),%bl) +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index 73eb7fd4aec4..5b6c8486a0be 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -769,9 +769,12 @@ static int do_reloc64(struct section *sec, Elf_Rel *rel, ElfW(Sym) *sym, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + /* + * PC relative relocations don't need to be adjusted unless + * referencing a percpu symbol. ++ * ++ * NB: R_X86_64_PLT32 can be treated as R_X86_64_PC32. + */ + if (is_percpu_sym(sym, symname)) + add_reloc(&relocs32neg, offset); +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index 7104d9e1b5f9..4d1cc6982518 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -870,10 +870,8 @@ int blkcg_init_queue(struct request_queue *q) + if (preloaded) + radix_tree_preload_end(); + +- if (IS_ERR(blkg)) { +- blkg_free(new_blkg); ++ if (IS_ERR(blkg)) + return PTR_ERR(blkg); +- } + + q->root_blkg = blkg; + q->root_rl.blkg = blkg; +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index b5dbce192c6b..9e72be28ee9f 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -207,7 +207,7 @@ static int lo_write_bvec(struct file *file, struct bio_vec *bvec, loff_t *ppos) + struct iov_iter i; + ssize_t bw; + +- iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len); ++ iov_iter_bvec(&i, ITER_BVEC | WRITE, bvec, 1, bvec->bv_len); + + file_start_write(file); + bw = vfs_iter_write(file, &i, ppos); +diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c +index 8d626784cd8d..49e4040eeb55 100644 +--- a/drivers/char/tpm/st33zp24/st33zp24.c ++++ b/drivers/char/tpm/st33zp24/st33zp24.c +@@ -485,7 +485,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf, + size_t count) + { + int size = 0; +- int expected; ++ u32 expected; + + if (!chip) + return -EBUSY; +@@ -502,7 +502,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf, + } + + expected = be32_to_cpu(*(__be32 *)(buf + 2)); +- if (expected > count) { ++ if (expected > count || expected < TPM_HEADER_SIZE) { + size = -EIO; + goto out; + } +diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c +index 33c5f360ab01..ff9ed941862a 100644 +--- a/drivers/char/tpm/tpm_i2c_infineon.c ++++ b/drivers/char/tpm/tpm_i2c_infineon.c +@@ -436,7 +436,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) + static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count) + { + int size = 0; +- int expected, status; ++ int status; ++ u32 expected; + + if (count < TPM_HEADER_SIZE) { + size = -EIO; +@@ -451,7 +452,7 @@ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count) + } + + expected = be32_to_cpu(*(__be32 *)(buf + 2)); +- if ((size_t) expected > count) { ++ if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) { + size = -EIO; + goto out; + } +diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c +index eac6dc93589f..134cef873aeb 100644 +--- a/drivers/char/tpm/tpm_i2c_nuvoton.c ++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c +@@ -275,7 +275,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count) + struct device *dev = chip->pdev; + struct i2c_client *client = to_i2c_client(dev); + s32 rc; +- int expected, status, burst_count, retries, size = 0; ++ int status; ++ int burst_count; ++ int retries; ++ int size = 0; ++ u32 expected; + + if (count < TPM_HEADER_SIZE) { + i2c_nuvoton_ready(chip); /* return to idle */ +@@ -317,7 +321,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count) + * to machine native + */ + expected = be32_to_cpu(*(__be32 *) (buf + 2)); +- if (expected > count) { ++ if (expected > count || expected < size) { + dev_err(dev, "%s() expected > count\n", __func__); + size = -EIO; + continue; +diff --git a/drivers/cpufreq/s3c24xx-cpufreq.c b/drivers/cpufreq/s3c24xx-cpufreq.c +index 733aa5153e74..e23fd9a9b8c4 100644 +--- a/drivers/cpufreq/s3c24xx-cpufreq.c ++++ b/drivers/cpufreq/s3c24xx-cpufreq.c +@@ -364,7 +364,13 @@ struct clk *s3c_cpufreq_clk_get(struct device *dev, const char *name) + static int s3c_cpufreq_init(struct cpufreq_policy *policy) + { + policy->clk = clk_arm; +- return cpufreq_generic_init(policy, ftab, cpu_cur.info->latency); ++ ++ policy->cpuinfo.transition_latency = cpu_cur.info->latency; ++ ++ if (ftab) ++ return cpufreq_table_validate_and_show(policy, ftab); ++ ++ return 0; + } + + static int __init s3c_cpufreq_initclks(void) +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index 2bf5fcb0062a..f80c719642b4 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -3574,35 +3574,8 @@ static void cik_gpu_init(struct radeon_device *rdev) + case CHIP_KAVERI: + rdev->config.cik.max_shader_engines = 1; + rdev->config.cik.max_tile_pipes = 4; +- if ((rdev->pdev->device == 0x1304) || +- (rdev->pdev->device == 0x1305) || +- (rdev->pdev->device == 0x130C) || +- (rdev->pdev->device == 0x130F) || +- (rdev->pdev->device == 0x1310) || +- (rdev->pdev->device == 0x1311) || +- (rdev->pdev->device == 0x131C)) { +- rdev->config.cik.max_cu_per_sh = 8; +- rdev->config.cik.max_backends_per_se = 2; +- } else if ((rdev->pdev->device == 0x1309) || +- (rdev->pdev->device == 0x130A) || +- (rdev->pdev->device == 0x130D) || +- (rdev->pdev->device == 0x1313) || +- (rdev->pdev->device == 0x131D)) { +- rdev->config.cik.max_cu_per_sh = 6; +- rdev->config.cik.max_backends_per_se = 2; +- } else if ((rdev->pdev->device == 0x1306) || +- (rdev->pdev->device == 0x1307) || +- (rdev->pdev->device == 0x130B) || +- (rdev->pdev->device == 0x130E) || +- (rdev->pdev->device == 0x1315) || +- (rdev->pdev->device == 0x1318) || +- (rdev->pdev->device == 0x131B)) { +- rdev->config.cik.max_cu_per_sh = 4; +- rdev->config.cik.max_backends_per_se = 1; +- } else { +- rdev->config.cik.max_cu_per_sh = 3; +- rdev->config.cik.max_backends_per_se = 1; +- } ++ rdev->config.cik.max_cu_per_sh = 8; ++ rdev->config.cik.max_backends_per_se = 2; + rdev->config.cik.max_sh_per_se = 1; + rdev->config.cik.max_texture_channel_caches = 4; + rdev->config.cik.max_gprs = 256; +diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c +index 5d8dfe027b30..75d51ec98e06 100644 +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c +@@ -818,6 +818,8 @@ int ttm_page_alloc_init(struct ttm_mem_global *glob, unsigned max_pages) + pr_info("Initializing pool allocator\n"); + + _manager = kzalloc(sizeof(*_manager), GFP_KERNEL); ++ if (!_manager) ++ return -ENOMEM; + + ttm_page_pool_init_locked(&_manager->wc_pool, GFP_HIGHUSER, "wc"); + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 81dd84d0b68b..9e7dd06031ae 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1050,6 +1050,9 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (cmd.qp_state > IB_QPS_ERR) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); +@@ -1187,6 +1190,9 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + ++ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) ++ return -EINVAL; ++ + optval = memdup_user((void __user *) (unsigned long) cmd.optval, + cmd.optlen); + if (IS_ERR(optval)) { +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index 2ee6b1051975..ca920c633f25 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -959,7 +959,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, + if (ucmd.reserved0 || ucmd.reserved1) + return -EINVAL; + +- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, ++ /* check multiplication overflow */ ++ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) ++ return -EINVAL; ++ ++ umem = ib_umem_get(context, ucmd.buf_addr, ++ (size_t)ucmd.cqe_size * entries, + IB_ACCESS_LOCAL_WRITE, 1); + if (IS_ERR(umem)) { + err = PTR_ERR(umem); +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c +index b370a59cb759..bfa9792b3184 100644 +--- a/drivers/input/keyboard/matrix_keypad.c ++++ b/drivers/input/keyboard/matrix_keypad.c +@@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct input_dev *dev) + { + struct matrix_keypad *keypad = input_get_drvdata(dev); + ++ spin_lock_irq(&keypad->lock); + keypad->stopped = true; +- mb(); ++ spin_unlock_irq(&keypad->lock); ++ + flush_work(&keypad->work.work); + /* + * matrix_keypad_scan() will leave IRQs enabled; +diff --git a/drivers/input/keyboard/tca8418_keypad.c b/drivers/input/keyboard/tca8418_keypad.c +index 5c4f7f8f2c20..05c3f25dd8c2 100644 +--- a/drivers/input/keyboard/tca8418_keypad.c ++++ b/drivers/input/keyboard/tca8418_keypad.c +@@ -189,8 +189,6 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data) + input_event(input, EV_MSC, MSC_SCAN, code); + input_report_key(input, keymap[code], state); + +- /* Read for next loop */ +- error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, ®); + } while (1); + + input_sync(input); +diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c +index 9886dace5ad2..ba6db252e1cb 100644 +--- a/drivers/leds/led-core.c ++++ b/drivers/leds/led-core.c +@@ -76,7 +76,7 @@ void led_blink_set(struct led_classdev *led_cdev, + unsigned long *delay_on, + unsigned long *delay_off) + { +- del_timer_sync(&led_cdev->blink_timer); ++ led_stop_software_blink(led_cdev); + + led_cdev->flags &= ~LED_BLINK_ONESHOT; + led_cdev->flags &= ~LED_BLINK_ONESHOT_STOP; +diff --git a/drivers/leds/led-triggers.c b/drivers/leds/led-triggers.c +index e8b1120f486d..eef3e64ca0a8 100644 +--- a/drivers/leds/led-triggers.c ++++ b/drivers/leds/led-triggers.c +@@ -88,21 +88,23 @@ ssize_t led_trigger_show(struct device *dev, struct device_attribute *attr, + down_read(&led_cdev->trigger_lock); + + if (!led_cdev->trigger) +- len += sprintf(buf+len, "[none] "); ++ len += scnprintf(buf+len, PAGE_SIZE - len, "[none] "); + else +- len += sprintf(buf+len, "none "); ++ len += scnprintf(buf+len, PAGE_SIZE - len, "none "); + + list_for_each_entry(trig, &trigger_list, next_trig) { + if (led_cdev->trigger && !strcmp(led_cdev->trigger->name, + trig->name)) +- len += sprintf(buf+len, "[%s] ", trig->name); ++ len += scnprintf(buf+len, PAGE_SIZE - len, "[%s] ", ++ trig->name); + else +- len += sprintf(buf+len, "%s ", trig->name); ++ len += scnprintf(buf+len, PAGE_SIZE - len, "%s ", ++ trig->name); + } + up_read(&led_cdev->trigger_lock); + up_read(&triggers_list_lock); + +- len += sprintf(len+buf, "\n"); ++ len += scnprintf(len+buf, PAGE_SIZE - len, "\n"); + return len; + } + EXPORT_SYMBOL_GPL(led_trigger_show); +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 6f7bc8a8674b..b8013e386c76 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -966,6 +966,7 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) + uint32_t rtime = cpu_to_le32(get_seconds()); + struct uuid_entry *u; + char buf[BDEVNAME_SIZE]; ++ struct cached_dev *exist_dc, *t; + + bdevname(dc->bdev, buf); + +@@ -989,6 +990,16 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) + return -EINVAL; + } + ++ /* Check whether already attached */ ++ list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) { ++ if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) { ++ pr_err("Tried to attach %s but duplicate UUID already attached", ++ buf); ++ ++ return -EINVAL; ++ } ++ } ++ + u = uuid_find(c, dc->sb.uuid); + + if (u && +diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c +index 74adcd2c967e..01d7b5785b8e 100644 +--- a/drivers/md/dm-io.c ++++ b/drivers/md/dm-io.c +@@ -299,6 +299,7 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where, + else if (rw & REQ_WRITE_SAME) + special_cmd_max_sectors = q->limits.max_write_same_sectors; + if ((rw & (REQ_DISCARD | REQ_WRITE_SAME)) && special_cmd_max_sectors == 0) { ++ atomic_inc(&io->count); + dec_count(io, region, -EOPNOTSUPP); + return; + } +diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +index 1b8f3500e6d2..d25f2563ffda 100644 +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -1029,9 +1029,6 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip, + return ret; + } + +- /* handle the block mark swapping */ +- block_mark_swapping(this, payload_virt, auxiliary_virt); +- + /* Loop over status bytes, accumulating ECC status. */ + status = auxiliary_virt + nfc_geo->auxiliary_status_offset; + +@@ -1047,6 +1044,9 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip, + max_bitflips = max_t(unsigned int, max_bitflips, *status); + } + ++ /* handle the block mark swapping */ ++ block_mark_swapping(this, buf, auxiliary_virt); ++ + if (oob_required) { + /* + * It's time to deliver the OOB bytes. See gpmi_ecc_read_oob() +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c +index 812ecf2d253a..9965acb8aca0 100644 +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -310,6 +310,12 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req) + vol->last_eb_bytes = vol->usable_leb_size; + } + ++ /* Make volume "available" before it becomes accessible via sysfs */ ++ spin_lock(&ubi->volumes_lock); ++ ubi->volumes[vol_id] = vol; ++ ubi->vol_count += 1; ++ spin_unlock(&ubi->volumes_lock); ++ + /* Register character device for the volume */ + cdev_init(&vol->cdev, &ubi_vol_cdev_operations); + vol->cdev.owner = THIS_MODULE; +@@ -352,11 +358,6 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req) + if (err) + goto out_sysfs; + +- spin_lock(&ubi->volumes_lock); +- ubi->volumes[vol_id] = vol; +- ubi->vol_count += 1; +- spin_unlock(&ubi->volumes_lock); +- + ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED); + self_check_volumes(ubi); + return err; +@@ -376,6 +377,10 @@ out_sysfs: + out_cdev: + cdev_del(&vol->cdev); + out_mapping: ++ spin_lock(&ubi->volumes_lock); ++ ubi->volumes[vol_id] = NULL; ++ ubi->vol_count -= 1; ++ spin_unlock(&ubi->volumes_lock); + if (do_free) + kfree(vol->eba_tbl); + out_acc: +diff --git a/drivers/net/ethernet/arc/emac_main.c b/drivers/net/ethernet/arc/emac_main.c +index abe1eabc0171..9cc5daed13ed 100644 +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -250,39 +250,48 @@ static int arc_emac_rx(struct net_device *ndev, int budget) + continue; + } + +- pktlen = info & LEN_MASK; +- stats->rx_packets++; +- stats->rx_bytes += pktlen; +- skb = rx_buff->skb; +- skb_put(skb, pktlen); +- skb->dev = ndev; +- skb->protocol = eth_type_trans(skb, ndev); +- +- dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr), +- dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE); +- +- /* Prepare the BD for next cycle */ +- rx_buff->skb = netdev_alloc_skb_ip_align(ndev, +- EMAC_BUFFER_SIZE); +- if (unlikely(!rx_buff->skb)) { ++ /* Prepare the BD for next cycle. netif_receive_skb() ++ * only if new skb was allocated and mapped to avoid holes ++ * in the RX fifo. ++ */ ++ skb = netdev_alloc_skb_ip_align(ndev, EMAC_BUFFER_SIZE); ++ if (unlikely(!skb)) { ++ if (net_ratelimit()) ++ netdev_err(ndev, "cannot allocate skb\n"); ++ /* Return ownership to EMAC */ ++ rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); + stats->rx_errors++; +- /* Because receive_skb is below, increment rx_dropped */ + stats->rx_dropped++; + continue; + } + +- /* receive_skb only if new skb was allocated to avoid holes */ +- netif_receive_skb(skb); +- +- addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data, ++ addr = dma_map_single(&ndev->dev, (void *)skb->data, + EMAC_BUFFER_SIZE, DMA_FROM_DEVICE); + if (dma_mapping_error(&ndev->dev, addr)) { + if (net_ratelimit()) +- netdev_err(ndev, "cannot dma map\n"); +- dev_kfree_skb(rx_buff->skb); ++ netdev_err(ndev, "cannot map dma buffer\n"); ++ dev_kfree_skb(skb); ++ /* Return ownership to EMAC */ ++ rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); + stats->rx_errors++; ++ stats->rx_dropped++; + continue; + } ++ ++ /* unmap previosly mapped skb */ ++ dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr), ++ dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE); ++ ++ pktlen = info & LEN_MASK; ++ stats->rx_packets++; ++ stats->rx_bytes += pktlen; ++ skb_put(rx_buff->skb, pktlen); ++ rx_buff->skb->dev = ndev; ++ rx_buff->skb->protocol = eth_type_trans(rx_buff->skb, ndev); ++ ++ netif_receive_skb(rx_buff->skb); ++ ++ rx_buff->skb = skb; + dma_unmap_addr_set(rx_buff, addr, addr); + dma_unmap_len_set(rx_buff, len, EMAC_BUFFER_SIZE); + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index 5d9843bc73a1..0eb43586c034 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -2996,7 +2996,7 @@ int bnx2x_nic_unload(struct bnx2x *bp, int unload_mode, bool keep_link) + + del_timer_sync(&bp->timer); + +- if (IS_PF(bp)) { ++ if (IS_PF(bp) && !BP_NOMCP(bp)) { + /* Set ALWAYS_ALIVE bit in shmem */ + bp->fw_drv_pulse_wr_seq |= DRV_PULSE_ALWAYS_ALIVE; + bnx2x_drv_pulse(bp); +@@ -3078,7 +3078,7 @@ int bnx2x_nic_unload(struct bnx2x *bp, int unload_mode, bool keep_link) + bp->cnic_loaded = false; + + /* Clear driver version indication in shmem */ +- if (IS_PF(bp)) ++ if (IS_PF(bp) && !BP_NOMCP(bp)) + bnx2x_update_mng_version(bp); + + /* Check if there are pending parity attentions. If there are - set +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index a1d149515531..a33580119b7c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -9488,6 +9488,15 @@ static int bnx2x_init_shmem(struct bnx2x *bp) + + do { + bp->common.shmem_base = REG_RD(bp, MISC_REG_SHARED_MEM_ADDR); ++ ++ /* If we read all 0xFFs, means we are in PCI error state and ++ * should bail out to avoid crashes on adapter's FW reads. ++ */ ++ if (bp->common.shmem_base == 0xFFFFFFFF) { ++ bp->flags |= NO_MCP_FLAG; ++ return -ENODEV; ++ } ++ + if (bp->common.shmem_base) { + val = SHMEM_RD(bp, validity_map[BP_PORT(bp)]); + if (val & SHR_MEM_VALIDITY_MB) +@@ -13791,7 +13800,10 @@ static pci_ers_result_t bnx2x_io_slot_reset(struct pci_dev *pdev) + BNX2X_ERR("IO slot reset --> driver unload\n"); + + /* MCP should have been reset; Need to wait for validity */ +- bnx2x_init_shmem(bp); ++ if (bnx2x_init_shmem(bp)) { ++ rtnl_unlock(); ++ return PCI_ERS_RESULT_DISCONNECT; ++ } + + if (IS_PF(bp) && SHMEM2_HAS(bp, drv_capabilities_flag)) { + u32 v; +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 7b150085e34d..3640d6abc1e6 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -10051,6 +10051,16 @@ static int tg3_reset_hw(struct tg3 *tp, bool reset_phy) + + tw32(GRC_MODE, tp->grc_mode | val); + ++ /* On one of the AMD platform, MRRS is restricted to 4000 because of ++ * south bridge limitation. As a workaround, Driver is setting MRRS ++ * to 2048 instead of default 4096. ++ */ ++ if (tp->pdev->subsystem_vendor == PCI_VENDOR_ID_DELL && ++ tp->pdev->subsystem_device == TG3PCI_SUBDEVICE_ID_DELL_5762) { ++ val = tr32(TG3PCI_DEV_STATUS_CTRL) & ~MAX_READ_REQ_MASK; ++ tw32(TG3PCI_DEV_STATUS_CTRL, val | MAX_READ_REQ_SIZE_2048); ++ } ++ + /* Setup the timer prescalar register. Clock is always 66Mhz. */ + val = tr32(GRC_MISC_CFG); + val &= ~0xff; +@@ -14230,7 +14240,8 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu) + */ + if (tg3_asic_rev(tp) == ASIC_REV_57766 || + tg3_asic_rev(tp) == ASIC_REV_5717 || +- tg3_asic_rev(tp) == ASIC_REV_5719) ++ tg3_asic_rev(tp) == ASIC_REV_5719 || ++ tg3_asic_rev(tp) == ASIC_REV_5720) + reset_phy = true; + + err = tg3_restart_hw(tp, reset_phy); +diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h +index 31c9f8295953..19532961e173 100644 +--- a/drivers/net/ethernet/broadcom/tg3.h ++++ b/drivers/net/ethernet/broadcom/tg3.h +@@ -95,6 +95,7 @@ + #define TG3PCI_SUBDEVICE_ID_DELL_JAGUAR 0x0106 + #define TG3PCI_SUBDEVICE_ID_DELL_MERLOT 0x0109 + #define TG3PCI_SUBDEVICE_ID_DELL_SLIM_MERLOT 0x010a ++#define TG3PCI_SUBDEVICE_ID_DELL_5762 0x07f0 + #define TG3PCI_SUBVENDOR_ID_COMPAQ PCI_VENDOR_ID_COMPAQ + #define TG3PCI_SUBDEVICE_ID_COMPAQ_BANSHEE 0x007c + #define TG3PCI_SUBDEVICE_ID_COMPAQ_BANSHEE_2 0x009a +@@ -280,6 +281,9 @@ + #define TG3PCI_STD_RING_PROD_IDX 0x00000098 /* 64-bit */ + #define TG3PCI_RCV_RET_RING_CON_IDX 0x000000a0 /* 64-bit */ + /* 0xa8 --> 0xb8 unused */ ++#define TG3PCI_DEV_STATUS_CTRL 0x000000b4 ++#define MAX_READ_REQ_SIZE_2048 0x00004000 ++#define MAX_READ_REQ_MASK 0x00007000 + #define TG3PCI_DUAL_MAC_CTRL 0x000000b8 + #define DUAL_MAC_CTRL_CH_MASK 0x00000003 + #define DUAL_MAC_CTRL_ID 0x00000004 +diff --git a/drivers/net/ethernet/freescale/gianfar_ptp.c b/drivers/net/ethernet/freescale/gianfar_ptp.c +index 8e3cd77aa347..9e5d64f559a4 100644 +--- a/drivers/net/ethernet/freescale/gianfar_ptp.c ++++ b/drivers/net/ethernet/freescale/gianfar_ptp.c +@@ -314,11 +314,10 @@ static int ptp_gianfar_adjtime(struct ptp_clock_info *ptp, s64 delta) + now = tmr_cnt_read(etsects); + now += delta; + tmr_cnt_write(etsects, now); ++ set_fipers(etsects); + + spin_unlock_irqrestore(&etsects->lock, flags); + +- set_fipers(etsects); +- + return 0; + } + +diff --git a/drivers/net/ethernet/intel/e1000/e1000.h b/drivers/net/ethernet/intel/e1000/e1000.h +index 69707108d23c..4cd6dac110f0 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000.h ++++ b/drivers/net/ethernet/intel/e1000/e1000.h +@@ -328,7 +328,8 @@ struct e1000_adapter { + enum e1000_state_t { + __E1000_TESTING, + __E1000_RESETTING, +- __E1000_DOWN ++ __E1000_DOWN, ++ __E1000_DISABLED + }; + + #undef pr_fmt +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 983eb4e6f7aa..4d80c92fa96d 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -940,7 +940,7 @@ static int e1000_init_hw_struct(struct e1000_adapter *adapter, + static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *netdev; +- struct e1000_adapter *adapter; ++ struct e1000_adapter *adapter = NULL; + struct e1000_hw *hw; + + static int cards_found = 0; +@@ -950,6 +950,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + u16 tmp = 0; + u16 eeprom_apme_mask = E1000_EEPROM_APME; + int bars, need_ioport; ++ bool disable_dev = false; + + /* do not allocate ioport bars when not needed */ + need_ioport = e1000_is_need_ioport(pdev); +@@ -1250,11 +1251,13 @@ err_mdio_ioremap: + iounmap(hw->ce4100_gbe_mdio_base_virt); + iounmap(hw->hw_addr); + err_ioremap: ++ disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags); + free_netdev(netdev); + err_alloc_etherdev: + pci_release_selected_regions(pdev, bars); + err_pci_reg: +- pci_disable_device(pdev); ++ if (!adapter || disable_dev) ++ pci_disable_device(pdev); + return err; + } + +@@ -1272,6 +1275,7 @@ static void e1000_remove(struct pci_dev *pdev) + struct net_device *netdev = pci_get_drvdata(pdev); + struct e1000_adapter *adapter = netdev_priv(netdev); + struct e1000_hw *hw = &adapter->hw; ++ bool disable_dev; + + e1000_down_and_stop(adapter); + e1000_release_manageability(adapter); +@@ -1290,9 +1294,11 @@ static void e1000_remove(struct pci_dev *pdev) + iounmap(hw->flash_address); + pci_release_selected_regions(pdev, adapter->bars); + ++ disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags); + free_netdev(netdev); + +- pci_disable_device(pdev); ++ if (disable_dev) ++ pci_disable_device(pdev); + } + + /** +@@ -5137,7 +5143,8 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake) + if (netif_running(netdev)) + e1000_free_irq(adapter); + +- pci_disable_device(pdev); ++ if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags)) ++ pci_disable_device(pdev); + + return 0; + } +@@ -5181,6 +5188,10 @@ static int e1000_resume(struct pci_dev *pdev) + pr_err("Cannot enable PCI device from suspend\n"); + return err; + } ++ ++ /* flush memory to make sure state is correct */ ++ smp_mb__before_atomic(); ++ clear_bit(__E1000_DISABLED, &adapter->flags); + pci_set_master(pdev); + + pci_enable_wake(pdev, PCI_D3hot, 0); +@@ -5255,7 +5266,9 @@ static pci_ers_result_t e1000_io_error_detected(struct pci_dev *pdev, + + if (netif_running(netdev)) + e1000_down(adapter); +- pci_disable_device(pdev); ++ ++ if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags)) ++ pci_disable_device(pdev); + + /* Request a slot slot reset. */ + return PCI_ERS_RESULT_NEED_RESET; +@@ -5283,6 +5296,10 @@ static pci_ers_result_t e1000_io_slot_reset(struct pci_dev *pdev) + pr_err("Cannot re-enable PCI device after reset.\n"); + return PCI_ERS_RESULT_DISCONNECT; + } ++ ++ /* flush memory to make sure state is correct */ ++ smp_mb__before_atomic(); ++ clear_bit(__E1000_DISABLED, &adapter->flags); + pci_set_master(pdev); + + pci_enable_wake(pdev, PCI_D3hot, 0); +diff --git a/drivers/net/phy/mdio-sun4i.c b/drivers/net/phy/mdio-sun4i.c +index 15bc7f9ea224..afd76e07088b 100644 +--- a/drivers/net/phy/mdio-sun4i.c ++++ b/drivers/net/phy/mdio-sun4i.c +@@ -128,8 +128,10 @@ static int sun4i_mdio_probe(struct platform_device *pdev) + + data->regulator = devm_regulator_get(&pdev->dev, "phy"); + if (IS_ERR(data->regulator)) { +- if (PTR_ERR(data->regulator) == -EPROBE_DEFER) +- return -EPROBE_DEFER; ++ if (PTR_ERR(data->regulator) == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto err_out_free_mdiobus; ++ } + + dev_info(&pdev->dev, "no regulator found\n"); + } else { +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index c30c1fc7889a..ebd3fcf6dc62 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -2912,6 +2912,15 @@ ppp_connect_channel(struct channel *pch, int unit) + goto outl; + + ppp_lock(ppp); ++ spin_lock_bh(&pch->downl); ++ if (!pch->chan) { ++ /* Don't connect unregistered channels */ ++ spin_unlock_bh(&pch->downl); ++ ppp_unlock(ppp); ++ ret = -ENOTCONN; ++ goto outl; ++ } ++ spin_unlock_bh(&pch->downl); + if (pch->file.hdrlen > ppp->file.hdrlen) + ppp->file.hdrlen = pch->file.hdrlen; + hdrlen = pch->file.hdrlen + 2; /* for protocol bytes */ +diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c +index 0d7645581f91..4842344a96f1 100644 +--- a/drivers/net/wan/hdlc_ppp.c ++++ b/drivers/net/wan/hdlc_ppp.c +@@ -574,7 +574,10 @@ static void ppp_timer(unsigned long arg) + ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0, + 0, NULL); + proto->restart_counter--; +- } else ++ } else if (netif_carrier_ok(proto->dev)) ++ ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0, ++ 0, NULL); ++ else + ppp_cp_event(proto->dev, proto->pid, TO_BAD, 0, 0, + 0, NULL); + break; +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 9e8461466534..fd9f6ce14e8e 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1284,6 +1284,7 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev) + + netif_carrier_off(netdev); + ++ xenbus_switch_state(dev, XenbusStateInitialising); + return netdev; + + exit: +diff --git a/drivers/s390/block/dasd_3990_erp.c b/drivers/s390/block/dasd_3990_erp.c +index d26134713682..d05c553eb552 100644 +--- a/drivers/s390/block/dasd_3990_erp.c ++++ b/drivers/s390/block/dasd_3990_erp.c +@@ -2743,6 +2743,16 @@ dasd_3990_erp_action(struct dasd_ccw_req * cqr) + erp = dasd_3990_erp_handle_match_erp(cqr, erp); + } + ++ ++ /* ++ * For path verification work we need to stick with the path that was ++ * originally chosen so that the per path configuration data is ++ * assigned correctly. ++ */ ++ if (test_bit(DASD_CQR_VERIFY_PATH, &erp->flags) && cqr->lpm) { ++ erp->lpm = cqr->lpm; ++ } ++ + if (device->features & DASD_FEATURE_ERPLOG) { + /* print current erp_chain */ + dev_err(&device->cdev->dev, +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index 77336d85a717..02780b8c1c15 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -588,6 +588,11 @@ struct qeth_cmd_buffer { + void (*callback) (struct qeth_channel *, struct qeth_cmd_buffer *); + }; + ++static inline struct qeth_ipa_cmd *__ipa_cmd(struct qeth_cmd_buffer *iob) ++{ ++ return (struct qeth_ipa_cmd *)(iob->data + IPA_PDU_HEADER_SIZE); ++} ++ + /** + * definition of a qeth channel, used for read and write + */ +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index a81215d87ce1..9e9964ca696b 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -2061,7 +2061,7 @@ int qeth_send_control_data(struct qeth_card *card, int len, + unsigned long flags; + struct qeth_reply *reply = NULL; + unsigned long timeout, event_timeout; +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = NULL; + + QETH_CARD_TEXT(card, 2, "sendctl"); + +@@ -2075,23 +2075,27 @@ int qeth_send_control_data(struct qeth_card *card, int len, + } + reply->callback = reply_cb; + reply->param = reply_param; +- if (card->state == CARD_STATE_DOWN) +- reply->seqno = QETH_IDX_COMMAND_SEQNO; +- else +- reply->seqno = card->seqno.ipa++; ++ + init_waitqueue_head(&reply->wait_q); +- spin_lock_irqsave(&card->lock, flags); +- list_add_tail(&reply->list, &card->cmd_waiter_list); +- spin_unlock_irqrestore(&card->lock, flags); + QETH_DBF_HEX(CTRL, 2, iob->data, QETH_DBF_CTRL_LEN); + + while (atomic_cmpxchg(&card->write.irq_pending, 0, 1)) ; +- qeth_prepare_control_data(card, len, iob); + +- if (IS_IPA(iob->data)) ++ if (IS_IPA(iob->data)) { ++ cmd = __ipa_cmd(iob); ++ cmd->hdr.seqno = card->seqno.ipa++; ++ reply->seqno = cmd->hdr.seqno; + event_timeout = QETH_IPA_TIMEOUT; +- else ++ } else { ++ reply->seqno = QETH_IDX_COMMAND_SEQNO; + event_timeout = QETH_TIMEOUT; ++ } ++ qeth_prepare_control_data(card, len, iob); ++ ++ spin_lock_irqsave(&card->lock, flags); ++ list_add_tail(&reply->list, &card->cmd_waiter_list); ++ spin_unlock_irqrestore(&card->lock, flags); ++ + timeout = jiffies + event_timeout; + + QETH_CARD_TEXT(card, 6, "noirqpnd"); +@@ -2116,9 +2120,8 @@ int qeth_send_control_data(struct qeth_card *card, int len, + + /* we have only one long running ipassist, since we can ensure + process context of this command we can sleep */ +- cmd = (struct qeth_ipa_cmd *)(iob->data+IPA_PDU_HEADER_SIZE); +- if ((cmd->hdr.command == IPA_CMD_SETIP) && +- (cmd->hdr.prot_version == QETH_PROT_IPV4)) { ++ if (cmd && cmd->hdr.command == IPA_CMD_SETIP && ++ cmd->hdr.prot_version == QETH_PROT_IPV4) { + if (!wait_event_timeout(reply->wait_q, + atomic_read(&reply->received), event_timeout)) + goto time_err; +@@ -2925,7 +2928,7 @@ static void qeth_fill_ipacmd_header(struct qeth_card *card, + memset(cmd, 0, sizeof(struct qeth_ipa_cmd)); + cmd->hdr.command = command; + cmd->hdr.initiator = IPA_CMD_INITIATOR_HOST; +- cmd->hdr.seqno = card->seqno.ipa; ++ /* cmd->hdr.seqno is set by qeth_send_control_data() */ + cmd->hdr.adapter_type = qeth_get_ipa_adp_type(card->info.link_type); + cmd->hdr.rel_adapter_no = (__u8) card->info.portno; + if (card->options.layer2) +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 60f9651f2643..ad7170bffc05 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -365,6 +365,7 @@ qla24xx_abort_sp_done(void *data, void *ptr, int res) + srb_t *sp = (srb_t *)ptr; + struct srb_iocb *abt = &sp->u.iocb_cmd; + ++ del_timer(&sp->u.iocb_cmd.timer); + complete(&abt->u.abt.comp); + } + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 4de1394ebf22..1be1c2dca118 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -5513,7 +5513,7 @@ static fc_port_t *qlt_get_port_database(struct scsi_qla_host *vha, + fc_port_t *fcport; + int rc; + +- fcport = kzalloc(sizeof(*fcport), GFP_KERNEL); ++ fcport = qla2x00_alloc_fcport(vha, GFP_KERNEL); + if (!fcport) { + ql_dbg(ql_dbg_tgt_mgt, vha, 0xf06f, + "qla_target(%d): Allocation of tmp FC port failed", +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 98b56a7069d3..af4dc8501269 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1067,10 +1067,11 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb, + case TEST_UNIT_READY: + break; + default: +- set_host_byte(scmnd, DID_TARGET_FAILURE); ++ set_host_byte(scmnd, DID_ERROR); + } + break; + case SRB_STATUS_INVALID_LUN: ++ set_host_byte(scmnd, DID_NO_CONNECT); + do_work = true; + process_err_fn = storvsc_remove_lun; + break; +diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c +index a2f40b1b2225..3fef713f693b 100644 +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -1423,12 +1423,12 @@ static int atmel_spi_remove(struct platform_device *pdev) + pm_runtime_get_sync(&pdev->dev); + + /* reset the hardware and block queue progress */ +- spin_lock_irq(&as->lock); + if (as->use_dma) { + atmel_spi_stop_dma(as); + atmel_spi_release_dma(as); + } + ++ spin_lock_irq(&as->lock); + spi_writel(as, CR, SPI_BIT(SWRST)); + spi_writel(as, CR, SPI_BIT(SWRST)); /* AT91SAM9263 Rev B workaround */ + spi_readl(as, SR); +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c +index c40bd7fbc210..68a5a950bf34 100644 +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file *file, loff_t offset, int origin) + mutex_lock(&ashmem_mutex); + + if (asma->size == 0) { +- ret = -EINVAL; +- goto out; ++ mutex_unlock(&ashmem_mutex); ++ return -EINVAL; + } + + if (!asma->file) { +- ret = -EBADF; +- goto out; ++ mutex_unlock(&ashmem_mutex); ++ return -EBADF; + } + ++ mutex_unlock(&ashmem_mutex); ++ + ret = vfs_llseek(asma->file, offset, origin); + if (ret < 0) +- goto out; ++ return ret; + + /** Copy f_pos from backing file, since f_ops->llseek() sets it */ + file->f_pos = asma->file->f_pos; +- +-out: +- mutex_unlock(&ashmem_mutex); + return ret; + } + +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 0a1e9f4d9882..e2956ccdd82c 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -5396,6 +5396,17 @@ static struct pci_device_id serial_pci_tbl[] = { + { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ + pbn_b2_4_115200 }, ++ /* ++ * BrainBoxes UC-260 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0D21, ++ PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0E34, ++ PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, + /* + * Perle PCI-RAS cards + */ +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 1f45a0302b7c..839ba41b6232 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1687,6 +1687,7 @@ static void atmel_get_ip_name(struct uart_port *port) + switch (version) { + case 0x302: + case 0x10213: ++ case 0x10302: + dev_dbg(port->dev, "This version is usart\n"); + atmel_port->is_usart = true; + break; +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 19316609d4f9..c8c564c71c75 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -736,6 +736,8 @@ static void sci_receive_chars(struct uart_port *port) + /* Tell the rest of the system the news. New characters! */ + tty_flip_buffer_push(tport); + } else { ++ /* TTY buffers full; read from RX reg to prevent lockup */ ++ serial_port_in(port, SCxRDR); + serial_port_in(port, SCxSR); /* dummy read */ + serial_port_out(port, SCxSR, SCxSR_RDxF_CLEAR(port)); + } +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index f368d2053da5..251b44300b38 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, + + ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout); + ++ /* Linger a bit, prior to the next control message. */ ++ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) ++ msleep(200); ++ + kfree(dr); + + return ret; +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 774c97bb1c08..4f1c6f8d4352 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -229,7 +229,8 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, + + /* Corsair Strafe RGB */ +- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, ++ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | ++ USB_QUIRK_DELAY_CTRL_MSG }, + + /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 6b62bb5c021c..3f4c6d97a4ff 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1333,7 +1333,6 @@ ffs_fs_kill_sb(struct super_block *sb) + if (sb->s_fs_info) { + ffs_release_dev(sb->s_fs_info); + ffs_data_closed(sb->s_fs_info); +- ffs_data_put(sb->s_fs_info); + } + } + +diff --git a/drivers/usb/mon/mon_text.c b/drivers/usb/mon/mon_text.c +index ad408251d955..108dcc5f5350 100644 +--- a/drivers/usb/mon/mon_text.c ++++ b/drivers/usb/mon/mon_text.c +@@ -82,6 +82,8 @@ struct mon_reader_text { + + wait_queue_head_t wait; + int printf_size; ++ size_t printf_offset; ++ size_t printf_togo; + char *printf_buf; + struct mutex printf_lock; + +@@ -373,73 +375,103 @@ err_alloc: + return rc; + } + +-/* +- * For simplicity, we read one record in one system call and throw out +- * what does not fit. This means that the following does not work: +- * dd if=/dbg/usbmon/0t bs=10 +- * Also, we do not allow seeks and do not bother advancing the offset. +- */ ++static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp, ++ char __user * const buf, const size_t nbytes) ++{ ++ const size_t togo = min(nbytes, rp->printf_togo); ++ ++ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo)) ++ return -EFAULT; ++ rp->printf_togo -= togo; ++ rp->printf_offset += togo; ++ return togo; ++} ++ ++/* ppos is not advanced since the llseek operation is not permitted. */ + static ssize_t mon_text_read_t(struct file *file, char __user *buf, +- size_t nbytes, loff_t *ppos) ++ size_t nbytes, loff_t *ppos) + { + struct mon_reader_text *rp = file->private_data; + struct mon_event_text *ep; + struct mon_text_ptr ptr; ++ ssize_t ret; + +- if (IS_ERR(ep = mon_text_read_wait(rp, file))) +- return PTR_ERR(ep); + mutex_lock(&rp->printf_lock); +- ptr.cnt = 0; +- ptr.pbuf = rp->printf_buf; +- ptr.limit = rp->printf_size; +- +- mon_text_read_head_t(rp, &ptr, ep); +- mon_text_read_statset(rp, &ptr, ep); +- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, +- " %d", ep->length); +- mon_text_read_data(rp, &ptr, ep); +- +- if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) +- ptr.cnt = -EFAULT; ++ ++ if (rp->printf_togo == 0) { ++ ++ ep = mon_text_read_wait(rp, file); ++ if (IS_ERR(ep)) { ++ mutex_unlock(&rp->printf_lock); ++ return PTR_ERR(ep); ++ } ++ ptr.cnt = 0; ++ ptr.pbuf = rp->printf_buf; ++ ptr.limit = rp->printf_size; ++ ++ mon_text_read_head_t(rp, &ptr, ep); ++ mon_text_read_statset(rp, &ptr, ep); ++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, ++ " %d", ep->length); ++ mon_text_read_data(rp, &ptr, ep); ++ ++ rp->printf_togo = ptr.cnt; ++ rp->printf_offset = 0; ++ ++ kmem_cache_free(rp->e_slab, ep); ++ } ++ ++ ret = mon_text_copy_to_user(rp, buf, nbytes); + mutex_unlock(&rp->printf_lock); +- kmem_cache_free(rp->e_slab, ep); +- return ptr.cnt; ++ return ret; + } + ++/* ppos is not advanced since the llseek operation is not permitted. */ + static ssize_t mon_text_read_u(struct file *file, char __user *buf, +- size_t nbytes, loff_t *ppos) ++ size_t nbytes, loff_t *ppos) + { + struct mon_reader_text *rp = file->private_data; + struct mon_event_text *ep; + struct mon_text_ptr ptr; ++ ssize_t ret; + +- if (IS_ERR(ep = mon_text_read_wait(rp, file))) +- return PTR_ERR(ep); + mutex_lock(&rp->printf_lock); +- ptr.cnt = 0; +- ptr.pbuf = rp->printf_buf; +- ptr.limit = rp->printf_size; + +- mon_text_read_head_u(rp, &ptr, ep); +- if (ep->type == 'E') { +- mon_text_read_statset(rp, &ptr, ep); +- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { +- mon_text_read_isostat(rp, &ptr, ep); +- mon_text_read_isodesc(rp, &ptr, ep); +- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { +- mon_text_read_intstat(rp, &ptr, ep); +- } else { +- mon_text_read_statset(rp, &ptr, ep); ++ if (rp->printf_togo == 0) { ++ ++ ep = mon_text_read_wait(rp, file); ++ if (IS_ERR(ep)) { ++ mutex_unlock(&rp->printf_lock); ++ return PTR_ERR(ep); ++ } ++ ptr.cnt = 0; ++ ptr.pbuf = rp->printf_buf; ++ ptr.limit = rp->printf_size; ++ ++ mon_text_read_head_u(rp, &ptr, ep); ++ if (ep->type == 'E') { ++ mon_text_read_statset(rp, &ptr, ep); ++ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { ++ mon_text_read_isostat(rp, &ptr, ep); ++ mon_text_read_isodesc(rp, &ptr, ep); ++ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { ++ mon_text_read_intstat(rp, &ptr, ep); ++ } else { ++ mon_text_read_statset(rp, &ptr, ep); ++ } ++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, ++ " %d", ep->length); ++ mon_text_read_data(rp, &ptr, ep); ++ ++ rp->printf_togo = ptr.cnt; ++ rp->printf_offset = 0; ++ ++ kmem_cache_free(rp->e_slab, ep); + } +- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, +- " %d", ep->length); +- mon_text_read_data(rp, &ptr, ep); + +- if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) +- ptr.cnt = -EFAULT; ++ ret = mon_text_copy_to_user(rp, buf, nbytes); + mutex_unlock(&rp->printf_lock); +- kmem_cache_free(rp->e_slab, ep); +- return ptr.cnt; ++ return ret; + } + + static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp, +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index 021d6880a3ed..b3c7670f0652 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -1052,7 +1052,7 @@ static int uas_post_reset(struct usb_interface *intf) + return 0; + + err = uas_configure_endpoints(devinfo); +- if (err && err != ENODEV) ++ if (err && err != -ENODEV) + shost_printk(KERN_ERR, shost, + "%s: alloc streams error %d after reset", + __func__, err); +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index cd2e880979f2..b9e9eaa8c45c 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2131,6 +2131,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x0001, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ), + ++/* Reported by Teijo Kinnunen <teijo.kinnunen@code-q.fi> */ ++UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117, ++ "JMicron", ++ "USB to ATA/ATAPI Bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA ), ++ + /* Reported-by George Cherian <george.cherian@cavium.com> */ + UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999, + "JMicron", +diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c +index ada3e44f9932..792d5fbad4e5 100644 +--- a/drivers/watchdog/hpwdt.c ++++ b/drivers/watchdog/hpwdt.c +@@ -51,6 +51,7 @@ static char expect_release; + static unsigned long hpwdt_is_open; + + static void __iomem *pci_mem_addr; /* the PCI-memory address */ ++static unsigned long __iomem *hpwdt_nmistat; + static unsigned long __iomem *hpwdt_timer_reg; + static unsigned long __iomem *hpwdt_timer_con; + +@@ -474,6 +475,11 @@ static int hpwdt_time_left(void) + } + + #ifdef CONFIG_HPWDT_NMI_DECODING ++static int hpwdt_my_nmi(void) ++{ ++ return ioread8(hpwdt_nmistat) & 0x6; ++} ++ + /* + * NMI Handler + */ +@@ -485,6 +491,9 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs) + if (!hpwdt_nmi_decoding) + goto out; + ++ if ((ulReason == NMI_UNKNOWN) && !hpwdt_my_nmi()) ++ return NMI_DONE; ++ + spin_lock_irqsave(&rom_lock, rom_pl); + if (!die_nmi_called && !is_icru && !is_uefi) + asminline_call(&cmn_regs, cru_rom_addr); +@@ -686,7 +695,7 @@ static void dmi_find_icru(const struct dmi_header *dm, void *dummy) + smbios_proliant_ptr = (struct smbios_proliant_info *) dm; + if (smbios_proliant_ptr->misc_features & 0x01) + is_icru = 1; +- if (smbios_proliant_ptr->misc_features & 0x408) ++ if (smbios_proliant_ptr->misc_features & 0x1400) + is_uefi = 1; + } + } +@@ -826,6 +835,7 @@ static int hpwdt_init_one(struct pci_dev *dev, + retval = -ENOMEM; + goto error_pci_iomap; + } ++ hpwdt_nmistat = pci_mem_addr + 0x6e; + hpwdt_timer_reg = pci_mem_addr + 0x70; + hpwdt_timer_con = pci_mem_addr + 0x72; + +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index cea37ee4c615..078982f509e3 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -378,10 +378,8 @@ static int unmap_grant_pages(struct grant_map *map, int offset, int pages) + } + range = 0; + while (range < pages) { +- if (map->unmap_ops[offset+range].handle == -1) { +- range--; ++ if (map->unmap_ops[offset+range].handle == -1) + break; +- } + range++; + } + err = __unmap_grant_pages(map, offset, range); +@@ -876,8 +874,10 @@ unlock_out: + out_unlock_put: + mutex_unlock(&priv->lock); + out_put_map: +- if (use_ptemod) ++ if (use_ptemod) { + map->vma = NULL; ++ unmap_grant_pages(map, 0, map->count); ++ } + gntdev_put_map(priv, map); + return err; + } +diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c +index fb3e64d37cb4..6b16b8653d98 100644 +--- a/fs/btrfs/acl.c ++++ b/fs/btrfs/acl.c +@@ -82,12 +82,6 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans, + switch (type) { + case ACL_TYPE_ACCESS: + name = POSIX_ACL_XATTR_ACCESS; +- if (acl) { +- ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); +- if (ret) +- return ret; +- } +- ret = 0; + break; + case ACL_TYPE_DEFAULT: + if (!S_ISDIR(inode->i_mode)) +@@ -123,7 +117,18 @@ out: + + int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) + { +- return __btrfs_set_acl(NULL, inode, acl, type); ++ int ret; ++ umode_t old_mode = inode->i_mode; ++ ++ if (type == ACL_TYPE_ACCESS && acl) { ++ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (ret) ++ return ret; ++ } ++ ret = __btrfs_set_acl(NULL, inode, acl, type); ++ if (ret) ++ inode->i_mode = old_mode; ++ return ret; + } + + /* +diff --git a/fs/super.c b/fs/super.c +index 928c20f47af9..3fa6b945a34e 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -481,7 +481,11 @@ retry: + hlist_add_head(&s->s_instances, &type->fs_supers); + spin_unlock(&sb_lock); + get_filesystem(type); +- register_shrinker(&s->s_shrink); ++ err = register_shrinker(&s->s_shrink); ++ if (err) { ++ deactivate_locked_super(s); ++ s = ERR_PTR(err); ++ } + return s; + } + +diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c +index 7d81032a645f..7806b3e0bf18 100644 +--- a/fs/xfs/xfs_qm.c ++++ b/fs/xfs/xfs_qm.c +@@ -47,7 +47,7 @@ + STATIC int xfs_qm_init_quotainos(xfs_mount_t *); + STATIC int xfs_qm_init_quotainfo(xfs_mount_t *); + +- ++STATIC void xfs_qm_destroy_quotainos(xfs_quotainfo_t *qi); + STATIC void xfs_qm_dqfree_one(struct xfs_dquot *dqp); + /* + * We use the batch lookup interface to iterate over the dquots as it +@@ -660,9 +660,17 @@ xfs_qm_init_quotainfo( + qinf->qi_shrinker.scan_objects = xfs_qm_shrink_scan; + qinf->qi_shrinker.seeks = DEFAULT_SEEKS; + qinf->qi_shrinker.flags = SHRINKER_NUMA_AWARE; +- register_shrinker(&qinf->qi_shrinker); ++ ++ error = register_shrinker(&qinf->qi_shrinker); ++ if (error) ++ goto out_free_inos; ++ + return 0; + ++out_free_inos: ++ mutex_destroy(&qinf->qi_quotaofflock); ++ mutex_destroy(&qinf->qi_tree_lock); ++ xfs_qm_destroy_quotainos(qinf); + out_free_lru: + list_lru_destroy(&qinf->qi_lru); + out_free_qinf: +@@ -671,7 +679,6 @@ out_free_qinf: + return error; + } + +- + /* + * Gets called when unmounting a filesystem or when all quotas get + * turned off. +@@ -688,19 +695,8 @@ xfs_qm_destroy_quotainfo( + + unregister_shrinker(&qi->qi_shrinker); + list_lru_destroy(&qi->qi_lru); +- +- if (qi->qi_uquotaip) { +- IRELE(qi->qi_uquotaip); +- qi->qi_uquotaip = NULL; /* paranoia */ +- } +- if (qi->qi_gquotaip) { +- IRELE(qi->qi_gquotaip); +- qi->qi_gquotaip = NULL; +- } +- if (qi->qi_pquotaip) { +- IRELE(qi->qi_pquotaip); +- qi->qi_pquotaip = NULL; +- } ++ xfs_qm_destroy_quotainos(qi); ++ mutex_destroy(&qi->qi_tree_lock); + mutex_destroy(&qi->qi_quotaofflock); + kmem_free(qi); + mp->m_quotainfo = NULL; +@@ -1562,6 +1558,24 @@ error_rele: + return error; + } + ++STATIC void ++xfs_qm_destroy_quotainos( ++ xfs_quotainfo_t *qi) ++{ ++ if (qi->qi_uquotaip) { ++ IRELE(qi->qi_uquotaip); ++ qi->qi_uquotaip = NULL; /* paranoia */ ++ } ++ if (qi->qi_gquotaip) { ++ IRELE(qi->qi_gquotaip); ++ qi->qi_gquotaip = NULL; ++ } ++ if (qi->qi_pquotaip) { ++ IRELE(qi->qi_pquotaip); ++ qi->qi_pquotaip = NULL; ++ } ++} ++ + STATIC void + xfs_qm_dqfree_one( + struct xfs_dquot *dqp) +diff --git a/include/linux/nospec.h b/include/linux/nospec.h +index b99bced39ac2..115381228203 100644 +--- a/include/linux/nospec.h ++++ b/include/linux/nospec.h +@@ -5,6 +5,7 @@ + + #ifndef _LINUX_NOSPEC_H + #define _LINUX_NOSPEC_H ++#include <asm/barrier.h> + + /** + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise +@@ -66,7 +67,6 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, + BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \ + BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \ + \ +- _i &= _mask; \ +- _i; \ ++ (typeof(_i)) (_i & _mask); \ + }) + #endif /* _LINUX_NOSPEC_H */ +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h +index de2a722fe3cf..ea4f81c2a6d5 100644 +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -56,4 +56,7 @@ + */ + #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) + ++/* Device needs a pause after every control message. */ ++#define USB_QUIRK_DELAY_CTRL_MSG BIT(13) ++ + #endif /* __LINUX_USB_QUIRKS_H */ +diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h +index deee212af8e0..e450bdbc4d84 100644 +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -449,6 +449,7 @@ extern bool cancel_delayed_work_sync(struct delayed_work *dwork); + + extern void workqueue_set_max_active(struct workqueue_struct *wq, + int max_active); ++extern struct work_struct *current_work(void); + extern bool current_is_workqueue_rescuer(void); + extern bool workqueue_congested(int cpu, struct workqueue_struct *wq); + extern unsigned int work_busy(struct work_struct *work); +diff --git a/include/net/udplite.h b/include/net/udplite.h +index 80761938b9a7..8228155b305e 100644 +--- a/include/net/udplite.h ++++ b/include/net/udplite.h +@@ -62,6 +62,7 @@ static inline int udplite_checksum_init(struct sk_buff *skb, struct udphdr *uh) + UDP_SKB_CB(skb)->cscov = cscov; + if (skb->ip_summed == CHECKSUM_COMPLETE) + skb->ip_summed = CHECKSUM_NONE; ++ skb->csum_valid = 0; + } + + return 0; +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index e82a5f40a0ac..20df094556ae 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1148,7 +1148,12 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id, + + cpu_base = raw_cpu_ptr(&hrtimer_bases); + +- if (clock_id == CLOCK_REALTIME && mode != HRTIMER_MODE_ABS) ++ /* ++ * POSIX magic: Relative CLOCK_REALTIME timers are not affected by ++ * clock modifications, so they needs to become CLOCK_MONOTONIC to ++ * ensure POSIX compliance. ++ */ ++ if (clock_id == CLOCK_REALTIME && mode & HRTIMER_MODE_REL) + clock_id = CLOCK_MONOTONIC; + + base = hrtimer_clockid_to_base(clock_id); +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 376db986db9b..782ba721984b 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -4062,6 +4062,22 @@ void workqueue_set_max_active(struct workqueue_struct *wq, int max_active) + } + EXPORT_SYMBOL_GPL(workqueue_set_max_active); + ++/** ++ * current_work - retrieve %current task's work struct ++ * ++ * Determine if %current task is a workqueue worker and what it's working on. ++ * Useful to find out the context that the %current task is running in. ++ * ++ * Return: work struct if %current task is a workqueue worker, %NULL otherwise. ++ */ ++struct work_struct *current_work(void) ++{ ++ struct worker *worker = current_wq_worker(); ++ ++ return worker ? worker->current_work : NULL; ++} ++EXPORT_SYMBOL(current_work); ++ + /** + * current_is_workqueue_rescuer - is %current workqueue rescuer? + * +diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h +index a89d041592c8..e2851aafd1d3 100644 +--- a/lib/mpi/longlong.h ++++ b/lib/mpi/longlong.h +@@ -671,7 +671,23 @@ do { \ + ************** MIPS/64 ************** + ***************************************/ + #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64 +-#if (__GNUC__ >= 5) || (__GNUC__ >= 4 && __GNUC_MINOR__ >= 4) ++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 ++/* ++ * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C ++ * code below, so we special case MIPS64r6 until the compiler can do better. ++ */ ++#define umul_ppmm(w1, w0, u, v) \ ++do { \ ++ __asm__ ("dmulu %0,%1,%2" \ ++ : "=d" ((UDItype)(w0)) \ ++ : "d" ((UDItype)(u)), \ ++ "d" ((UDItype)(v))); \ ++ __asm__ ("dmuhu %0,%1,%2" \ ++ : "=d" ((UDItype)(w1)) \ ++ : "d" ((UDItype)(u)), \ ++ "d" ((UDItype)(v))); \ ++} while (0) ++#elif (__GNUC__ >= 5) || (__GNUC__ >= 4 && __GNUC_MINOR__ >= 4) + #define umul_ppmm(w1, w0, u, v) \ + do { \ + typedef unsigned int __ll_UTItype __attribute__((mode(TI))); \ +diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c +index 4905845a94e9..b5c4941fc068 100644 +--- a/net/bridge/br_sysfs_if.c ++++ b/net/bridge/br_sysfs_if.c +@@ -229,6 +229,9 @@ static ssize_t brport_show(struct kobject *kobj, + struct brport_attribute *brport_attr = to_brport_attr(attr); + struct net_bridge_port *p = to_brport(kobj); + ++ if (!brport_attr->show) ++ return -EINVAL; ++ + return brport_attr->show(p, buf); + } + +diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c +index 9024283d2bca..9637a681bdda 100644 +--- a/net/bridge/netfilter/ebt_among.c ++++ b/net/bridge/netfilter/ebt_among.c +@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par) + return true; + } + ++static bool poolsize_invalid(const struct ebt_mac_wormhash *w) ++{ ++ return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); ++} ++ + static int ebt_among_mt_check(const struct xt_mtchk_param *par) + { + const struct ebt_among_info *info = par->matchinfo; + const struct ebt_entry_match *em = + container_of(par->matchinfo, const struct ebt_entry_match, data); +- int expected_length = sizeof(struct ebt_among_info); ++ unsigned int expected_length = sizeof(struct ebt_among_info); + const struct ebt_mac_wormhash *wh_dst, *wh_src; + int err; + ++ if (expected_length > em->match_size) ++ return -EINVAL; ++ + wh_dst = ebt_among_wh_dst(info); +- wh_src = ebt_among_wh_src(info); ++ if (poolsize_invalid(wh_dst)) ++ return -EINVAL; ++ + expected_length += ebt_mac_wormhash_size(wh_dst); ++ if (expected_length > em->match_size) ++ return -EINVAL; ++ ++ wh_src = ebt_among_wh_src(info); ++ if (poolsize_invalid(wh_src)) ++ return -EINVAL; ++ + expected_length += ebt_mac_wormhash_size(wh_src); + + if (em->match_size != EBT_ALIGN(expected_length)) { +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 91180a7fc943..3069eafeb33d 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, + if (match_kern) + match_kern->match_size = ret; + +- WARN_ON(type == EBT_COMPAT_TARGET && size_left); ++ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ return -EINVAL; ++ + match32 = (struct compat_ebt_entry_mwt *) buf; + } + +@@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, + * + * offsets are relative to beginning of struct ebt_entry (i.e., 0). + */ ++ for (i = 0; i < 4 ; ++i) { ++ if (offsets[i] >= *total) ++ return -EINVAL; ++ if (i == 0) ++ continue; ++ if (offsets[i-1] > offsets[i]) ++ return -EINVAL; ++ } ++ + for (i = 0, j = 1 ; j < 4 ; j++, i++) { + struct compat_ebt_entry_mwt *match32; + unsigned int size; +diff --git a/net/core/dev.c b/net/core/dev.c +index 0ccae464b46e..c2d927f91a30 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2129,8 +2129,11 @@ EXPORT_SYMBOL(netif_set_xps_queue); + */ + int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq) + { ++ bool disabling; + int rc; + ++ disabling = txq < dev->real_num_tx_queues; ++ + if (txq < 1 || txq > dev->num_tx_queues) + return -EINVAL; + +@@ -2146,15 +2149,19 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq) + if (dev->num_tc) + netif_setup_tc(dev, txq); + +- if (txq < dev->real_num_tx_queues) { ++ dev->real_num_tx_queues = txq; ++ ++ if (disabling) { ++ synchronize_net(); + qdisc_reset_all_tx_gt(dev, txq); + #ifdef CONFIG_XPS + netif_reset_xps_queues_gt(dev, txq); + #endif + } ++ } else { ++ dev->real_num_tx_queues = txq; + } + +- dev->real_num_tx_queues = txq; + return 0; + } + EXPORT_SYMBOL(netif_set_real_num_tx_queues); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 6a9a495aff23..7a6400345cb9 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -122,10 +122,13 @@ static int ip_rt_redirect_silence __read_mostly = ((HZ / 50) << (9 + 1)); + static int ip_rt_error_cost __read_mostly = HZ; + static int ip_rt_error_burst __read_mostly = 5 * HZ; + static int ip_rt_mtu_expires __read_mostly = 10 * 60 * HZ; +-static int ip_rt_min_pmtu __read_mostly = 512 + 20 + 20; ++static u32 ip_rt_min_pmtu __read_mostly = 512 + 20 + 20; + static int ip_rt_min_advmss __read_mostly = 256; + + static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT; ++ ++static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU; ++ + /* + * Interface to generic destination cache. + */ +@@ -2689,7 +2692,8 @@ static struct ctl_table ipv4_route_table[] = { + .data = &ip_rt_min_pmtu, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &ip_min_valid_pmtu, + }, + { + .procname = "min_adv_mss", +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 456718921552..75758e3d6c81 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1733,6 +1733,11 @@ static inline int udp4_csum_init(struct sk_buff *skb, struct udphdr *uh, + err = udplite_checksum_init(skb, uh); + if (err) + return err; ++ ++ if (UDP_SKB_CB(skb)->partial_cov) { ++ skb->csum = inet_compute_pseudo(skb, proto); ++ return 0; ++ } + } + + return skb_checksum_init_zero_check(skb, proto, uh->check, +diff --git a/net/ipv6/ip6_checksum.c b/net/ipv6/ip6_checksum.c +index 9a4d7322fb22..391a8fedb27e 100644 +--- a/net/ipv6/ip6_checksum.c ++++ b/net/ipv6/ip6_checksum.c +@@ -73,6 +73,11 @@ int udp6_csum_init(struct sk_buff *skb, struct udphdr *uh, int proto) + err = udplite_checksum_init(skb, uh); + if (err) + return err; ++ ++ if (UDP_SKB_CB(skb)->partial_cov) { ++ skb->csum = ip6_compute_pseudo(skb, proto); ++ return 0; ++ } + } + + /* To support RFC 6936 (allow zero checksum in UDP/IPV6 for tunnels) +diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +index e76900e0aa92..25df2ce92ad8 100644 +--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb, + !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff, + target, maniptype)) + return false; ++ ++ /* must reload, offset might have changed */ ++ ipv6h = (void *)skb->data + iphdroff; ++ + manip_addr: + if (maniptype == NF_NAT_MANIP_SRC) + ipv6h->saddr = target->src.u3.in6; +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 135fe458bfac..d17efa1b8473 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1379,6 +1379,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev, + } + + rt->dst.flags |= DST_HOST; ++ rt->dst.input = ip6_input; + rt->dst.output = ip6_output; + atomic_set(&rt->dst.__refcnt, 1); + rt->rt6i_gateway = fl6->daddr; +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 295502b261a8..f4034c4eadf7 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -176,7 +176,7 @@ static void ipip6_tunnel_clone_6rd(struct net_device *dev, struct sit_net *sitn) + #ifdef CONFIG_IPV6_SIT_6RD + struct ip_tunnel *t = netdev_priv(dev); + +- if (t->dev == sitn->fb_tunnel_dev) { ++ if (dev == sitn->fb_tunnel_dev) { + ipv6_addr_set(&t->ip6rd.prefix, htonl(0x20020000), 0, 0, 0); + t->ip6rd.relay_prefix = 0; + t->ip6rd.prefixlen = 16; +diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c +index fbce552a796e..7d7466dbf663 100644 +--- a/net/netfilter/nf_nat_proto_common.c ++++ b/net/netfilter/nf_nat_proto_common.c +@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, + const struct nf_conn *ct, + u16 *rover) + { +- unsigned int range_size, min, i; ++ unsigned int range_size, min, max, i; + __be16 *portptr; + u_int16_t off; + +@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, + } + } else { + min = ntohs(range->min_proto.all); +- range_size = ntohs(range->max_proto.all) - min + 1; ++ max = ntohs(range->max_proto.all); ++ if (unlikely(max < min)) ++ swap(max, min); ++ range_size = max - min + 1; + } + + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) { +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index f407ebc13481..95b6dedc5ac7 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -146,11 +146,11 @@ static int idletimer_tg_create(struct idletimer_tg_info *info) + (unsigned long) info->timer); + info->timer->refcnt = 1; + ++ INIT_WORK(&info->timer->work, idletimer_tg_work); ++ + mod_timer(&info->timer->timer, + msecs_to_jiffies(info->timeout * 1000) + jiffies); + +- INIT_WORK(&info->timer->work, idletimer_tg_work); +- + return 0; + + out_free_attr: +@@ -191,7 +191,10 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + pr_debug("timeout value is zero\n"); + return -EINVAL; + } +- ++ if (info->timeout >= INT_MAX / 1000) { ++ pr_debug("timeout value is too big\n"); ++ return -EINVAL; ++ } + if (info->label[0] == '\0' || + strnlen(info->label, + MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) { +diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c +index 3ba31c194cce..0858fe17e14a 100644 +--- a/net/netfilter/xt_LED.c ++++ b/net/netfilter/xt_LED.c +@@ -141,10 +141,11 @@ static int led_tg_check(const struct xt_tgchk_param *par) + goto exit_alloc; + } + +- /* See if we need to set up a timer */ +- if (ledinfo->delay > 0) +- setup_timer(&ledinternal->timer, led_timeout_callback, +- (unsigned long)ledinternal); ++ /* Since the letinternal timer can be shared between multiple targets, ++ * always set it up, even if the current target does not need it ++ */ ++ setup_timer(&ledinternal->timer, led_timeout_callback, ++ (unsigned long)ledinternal); + + list_add_tail(&ledinternal->list, &xt_led_triggers); + +@@ -181,8 +182,7 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par) + + list_del(&ledinternal->list); + +- if (ledinfo->delay > 0) +- del_timer_sync(&ledinternal->timer); ++ del_timer_sync(&ledinternal->timer); + + led_trigger_unregister(&ledinternal->netfilter_led_trigger); + +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index 3d111b053e3e..97c22c818134 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1118,6 +1118,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + { + struct sk_buff *tmp; + struct net *net, *prev = NULL; ++ bool delivered = false; + int err; + + for_each_net_rcu(net) { +@@ -1129,14 +1130,21 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + } + err = nlmsg_multicast(prev->genl_sock, tmp, + portid, group, flags); +- if (err) ++ if (!err) ++ delivered = true; ++ else if (err != -ESRCH) + goto error; + } + + prev = net; + } + +- return nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags); ++ if (!err) ++ delivered = true; ++ else if (err != -ESRCH) ++ goto error; ++ return delivered ? 0 : -ESRCH; + error: + kfree_skb(skb); + return err; +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 83a07d468644..5235f56d735d 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc, + sctp_chunkhdr_t *chunk_hdr; + struct sk_buff *skb; + struct sock *sk; ++ int chunklen; ++ ++ chunklen = sizeof(*chunk_hdr) + paylen; ++ if (chunklen > SCTP_MAX_CHUNK_LEN) ++ goto nodata; + + /* No need to allocate LL here, as this is only a chunk. */ +- skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen), +- GFP_ATOMIC); ++ skb = alloc_skb(chunklen, GFP_ATOMIC); + if (!skb) + goto nodata; + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index c44e3d208804..195b54a19f1e 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4455,7 +4455,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv + len = sizeof(int); + if (put_user(len, optlen)) + return -EFAULT; +- if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int))) ++ if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len)) + return -EFAULT; + return 0; + } +@@ -5032,6 +5032,9 @@ copy_getaddrs: + err = -EFAULT; + goto out; + } ++ /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too, ++ * but we can't change it anymore. ++ */ + if (put_user(bytes_copied, optlen)) + err = -EFAULT; + out: +@@ -5468,7 +5471,7 @@ static int sctp_getsockopt_maxseg(struct sock *sk, int len, + params.assoc_id = 0; + } else if (len >= sizeof(struct sctp_assoc_value)) { + len = sizeof(struct sctp_assoc_value); +- if (copy_from_user(¶ms, optval, sizeof(params))) ++ if (copy_from_user(¶ms, optval, len)) + return -EFAULT; + } else + return -EINVAL; +@@ -5637,7 +5640,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len, + + if (len < sizeof(struct sctp_authkeyid)) + return -EINVAL; +- if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid))) ++ ++ len = sizeof(struct sctp_authkeyid); ++ if (copy_from_user(&val, optval, len)) + return -EFAULT; + + asoc = sctp_id2assoc(sk, val.scact_assoc_id); +@@ -5649,7 +5654,6 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len, + else + val.scact_keynumber = ep->active_key_id; + +- len = sizeof(struct sctp_authkeyid); + if (put_user(len, optlen)) + return -EFAULT; + if (copy_to_user(optval, &val, len)) +@@ -5675,7 +5679,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len, + if (len < sizeof(struct sctp_authchunks)) + return -EINVAL; + +- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) ++ if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + + to = p->gauth_chunks; +@@ -5720,7 +5724,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len, + if (len < sizeof(struct sctp_authchunks)) + return -EINVAL; + +- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) ++ if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + + to = p->gauth_chunks; +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index b9ce5da25938..dac0a54e39de 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -919,7 +919,8 @@ int snd_seq_dispatch_event(struct snd_seq_event_cell *cell, int atomic, int hop) + static int snd_seq_client_enqueue_event(struct snd_seq_client *client, + struct snd_seq_event *event, + struct file *file, int blocking, +- int atomic, int hop) ++ int atomic, int hop, ++ struct mutex *mutexp) + { + struct snd_seq_event_cell *cell; + int err; +@@ -957,7 +958,8 @@ static int snd_seq_client_enqueue_event(struct snd_seq_client *client, + return -ENXIO; /* queue is not allocated */ + + /* allocate an event cell */ +- err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file); ++ err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, ++ file, mutexp); + if (err < 0) + return err; + +@@ -1026,12 +1028,11 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, + return -ENXIO; + + /* allocate the pool now if the pool is not allocated yet */ ++ mutex_lock(&client->ioctl_mutex); + if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) { +- mutex_lock(&client->ioctl_mutex); + err = snd_seq_pool_init(client->pool); +- mutex_unlock(&client->ioctl_mutex); + if (err < 0) +- return -ENOMEM; ++ goto out; + } + + /* only process whole events */ +@@ -1082,7 +1083,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, + /* ok, enqueue it */ + err = snd_seq_client_enqueue_event(client, &event, file, + !(file->f_flags & O_NONBLOCK), +- 0, 0); ++ 0, 0, &client->ioctl_mutex); + if (err < 0) + break; + +@@ -1093,6 +1094,8 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, + written += len; + } + ++ out: ++ mutex_unlock(&client->ioctl_mutex); + return written ? written : err; + } + +@@ -1924,6 +1927,9 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client, + (! snd_seq_write_pool_allocated(client) || + info.output_pool != client->pool->size)) { + if (snd_seq_write_pool_allocated(client)) { ++ /* is the pool in use? */ ++ if (atomic_read(&client->pool->counter)) ++ return -EBUSY; + /* remove all existing cells */ + snd_seq_pool_mark_closing(client->pool); + snd_seq_queue_client_leave_cells(client->number); +@@ -2348,7 +2354,8 @@ static int kernel_client_enqueue(int client, struct snd_seq_event *ev, + if (! cptr->accept_output) + result = -EPERM; + else /* send it */ +- result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop); ++ result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, ++ atomic, hop, NULL); + + snd_seq_client_unlock(cptr); + return result; +diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c +index 3490d21ab9e7..9acbed1ac982 100644 +--- a/sound/core/seq/seq_fifo.c ++++ b/sound/core/seq/seq_fifo.c +@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq_fifo *f, + return -EINVAL; + + snd_use_lock_use(&f->use_lock); +- err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */ ++ err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */ + if (err < 0) { + if ((err == -ENOMEM) || (err == -EAGAIN)) + atomic_inc(&f->overflow); +diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c +index 5847c4475bf3..4c8cbcd89887 100644 +--- a/sound/core/seq/seq_memory.c ++++ b/sound/core/seq/seq_memory.c +@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_event_cell * cell) + */ + static int snd_seq_cell_alloc(struct snd_seq_pool *pool, + struct snd_seq_event_cell **cellp, +- int nonblock, struct file *file) ++ int nonblock, struct file *file, ++ struct mutex *mutexp) + { + struct snd_seq_event_cell *cell; + unsigned long flags; +@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd_seq_pool *pool, + set_current_state(TASK_INTERRUPTIBLE); + add_wait_queue(&pool->output_sleep, &wait); + spin_unlock_irq(&pool->lock); ++ if (mutexp) ++ mutex_unlock(mutexp); + schedule(); ++ if (mutexp) ++ mutex_lock(mutexp); + spin_lock_irq(&pool->lock); + remove_wait_queue(&pool->output_sleep, &wait); + /* interrupted? */ +@@ -288,7 +293,7 @@ __error: + */ + int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, + struct snd_seq_event_cell **cellp, int nonblock, +- struct file *file) ++ struct file *file, struct mutex *mutexp) + { + int ncells, err; + unsigned int extlen; +@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, + if (ncells >= pool->total_elements) + return -ENOMEM; + +- err = snd_seq_cell_alloc(pool, &cell, nonblock, file); ++ err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp); + if (err < 0) + return err; + +@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, + int size = sizeof(struct snd_seq_event); + if (len < size) + size = len; +- err = snd_seq_cell_alloc(pool, &tmp, nonblock, file); ++ err = snd_seq_cell_alloc(pool, &tmp, nonblock, file, ++ mutexp); + if (err < 0) + goto __error; + if (cell->event.data.ext.ptr == NULL) +diff --git a/sound/core/seq/seq_memory.h b/sound/core/seq/seq_memory.h +index 32f959c17786..3abe306c394a 100644 +--- a/sound/core/seq/seq_memory.h ++++ b/sound/core/seq/seq_memory.h +@@ -66,7 +66,8 @@ struct snd_seq_pool { + void snd_seq_cell_free(struct snd_seq_event_cell *cell); + + int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, +- struct snd_seq_event_cell **cellp, int nonblock, struct file *file); ++ struct snd_seq_event_cell **cellp, int nonblock, ++ struct file *file, struct mutex *mutexp); + + /* return number of unused (free) cells */ + static inline int snd_seq_unused_cells(struct snd_seq_pool *pool) +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 861dc57cb082..0fd1402e427b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4615,6 +4615,16 @@ static void alc298_fixup_speaker_volume(struct hda_codec *codec, + } + } + ++/* disable DAC3 (0x06) selection on NID 0x17 as it has no volume amp control */ ++static void alc295_fixup_disable_dac3(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ hda_nid_t conn[2] = { 0x02, 0x03 }; ++ snd_hda_override_conn_list(codec, 0x17, 2, conn); ++ } ++} ++ + /* Hook to update amp GPIO4 for automute */ + static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec, + struct hda_jack_callback *jack) +@@ -4764,6 +4774,7 @@ enum { + ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, + ALC255_FIXUP_DELL_SPK_NOISE, + ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC295_FIXUP_DISABLE_DAC3, + ALC280_FIXUP_HP_HEADSET_MIC, + ALC221_FIXUP_HP_FRONT_MIC, + ALC292_FIXUP_TPT460, +@@ -5453,6 +5464,10 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, + }, ++ [ALC295_FIXUP_DISABLE_DAC3] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc295_fixup_disable_dac3, ++ }, + [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -5510,6 +5525,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE), + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), ++ SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3), + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), + SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 32719f28aa86..c7c8aac1ace6 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3274,4 +3274,51 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + } + }, + ++{ ++ /* ++ * Bower's & Wilkins PX headphones only support the 48 kHz sample rate ++ * even though it advertises more. The capture interface doesn't work ++ * even on windows. ++ */ ++ USB_DEVICE(0x19b5, 0x0021), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_STANDARD_MIXER, ++ }, ++ /* Capture */ ++ { ++ .ifnum = 1, ++ .type = QUIRK_IGNORE_INTERFACE, ++ }, ++ /* Playback */ ++ { ++ .ifnum = 2, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S16_LE, ++ .channels = 2, ++ .iface = 2, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .attributes = UAC_EP_CS_ATTR_FILL_MAX | ++ UAC_EP_CS_ATTR_SAMPLE_RATE, ++ .endpoint = 0x03, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC, ++ .rates = SNDRV_PCM_RATE_48000, ++ .rate_min = 48000, ++ .rate_max = 48000, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { ++ 48000 ++ } ++ } ++ }, ++ } ++ } ++}, ++ + #undef USB_DEVICE_VENDOR_SPEC diff --git a/1051_linux-4.1.52.patch b/1051_linux-4.1.52.patch new file mode 100644 index 00000000..6648ea59 --- /dev/null +++ b/1051_linux-4.1.52.patch @@ -0,0 +1,15535 @@ +diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt +index caf297bee1fb..c28d4eb83b76 100644 +--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt ++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt +@@ -35,6 +35,15 @@ Optional properties: + - ti,palmas-enable-dvfs2: Enable DVFS2. Configure pins for DVFS2 mode. + Selection primary or secondary function associated to GPADC_START + and SYSEN2 pin/pad for DVFS2 interface ++- ti,palmas-override-powerhold: This is applicable for PMICs for which ++ GPIO7 is configured in POWERHOLD mode which has higher priority ++ over DEV_ON bit and keeps the PMIC supplies on even after the DEV_ON ++ bit is turned off. This property enables driver to over ride the ++ POWERHOLD value to GPIO7 so as to turn off the PMIC in power off ++ scenarios. So for GPIO7 if ti,palmas-override-powerhold is set ++ then the GPIO_7 field should never be muxed to anything else. ++ It should be set to POWERHOLD by default and only in case of ++ power off scenarios the driver will over ride the mux value. + + This binding uses the following generic properties as defined in + pinctrl-bindings.txt: +diff --git a/Makefile b/Makefile +index caccc6f16d62..1f5560281f70 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 51 ++SUBLEVEL = 52 + EXTRAVERSION = + NAME = Series 4800 + +@@ -772,6 +772,15 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign) + # disable invalid "can't wrap" optimizations for signed / pointers + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow) + ++# clang sets -fmerge-all-constants by default as optimization, but this ++# is non-conforming behavior for C and in fact breaks the kernel, so we ++# need to disable it here generally. ++KBUILD_CFLAGS += $(call cc-option,-fno-merge-all-constants) ++ ++# for gcc -fno-merge-all-constants disables everything, but it is fine ++# to have actual conforming behavior enabled. ++KBUILD_CFLAGS += $(call cc-option,-fmerge-constants) ++ + # Make sure -fstack-check isn't enabled (like gentoo apparently did) + KBUILD_CFLAGS += $(call cc-option,-fno-stack-check,) + +diff --git a/arch/alpha/kernel/console.c b/arch/alpha/kernel/console.c +index 6a61deed4a85..ab228ed45945 100644 +--- a/arch/alpha/kernel/console.c ++++ b/arch/alpha/kernel/console.c +@@ -20,6 +20,7 @@ + struct pci_controller *pci_vga_hose; + static struct resource alpha_vga = { + .name = "alpha-vga+", ++ .flags = IORESOURCE_IO, + .start = 0x3C0, + .end = 0x3DF + }; +diff --git a/arch/arm/boot/dts/am335x-pepper.dts b/arch/arm/boot/dts/am335x-pepper.dts +index 0d35ab64641c..ac3ca3636405 100644 +--- a/arch/arm/boot/dts/am335x-pepper.dts ++++ b/arch/arm/boot/dts/am335x-pepper.dts +@@ -138,7 +138,7 @@ + &audio_codec { + status = "okay"; + +- gpio-reset = <&gpio1 16 GPIO_ACTIVE_LOW>; ++ reset-gpios = <&gpio1 16 GPIO_ACTIVE_LOW>; + AVDD-supply = <&ldo3_reg>; + IOVDD-supply = <&ldo3_reg>; + DRVDD-supply = <&ldo3_reg>; +diff --git a/arch/arm/boot/dts/am57xx-beagle-x15.dts b/arch/arm/boot/dts/am57xx-beagle-x15.dts +index e8397879d0a7..825237d03168 100644 +--- a/arch/arm/boot/dts/am57xx-beagle-x15.dts ++++ b/arch/arm/boot/dts/am57xx-beagle-x15.dts +@@ -299,6 +299,7 @@ + interrupt-controller; + + ti,system-power-controller; ++ ti,palmas-override-powerhold; + + tps659038_pmic { + compatible = "ti,tps659038-pmic"; +diff --git a/arch/arm/boot/dts/at91sam9g25.dtsi b/arch/arm/boot/dts/at91sam9g25.dtsi +index a7da0dd0c98f..0898213f3bb2 100644 +--- a/arch/arm/boot/dts/at91sam9g25.dtsi ++++ b/arch/arm/boot/dts/at91sam9g25.dtsi +@@ -21,7 +21,7 @@ + atmel,mux-mask = < + /* A B C */ + 0xffffffff 0xffe0399f 0xc000001c /* pioA */ +- 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */ ++ 0x0007ffff 0x00047e3f 0x00000000 /* pioB */ + 0x80000000 0x07c0ffff 0xb83fffff /* pioC */ + 0x003fffff 0x003f8000 0x00000000 /* pioD */ + >; +diff --git a/arch/arm/boot/dts/dra7-evm.dts b/arch/arm/boot/dts/dra7-evm.dts +index 096f68be99e2..1e6369c24645 100644 +--- a/arch/arm/boot/dts/dra7-evm.dts ++++ b/arch/arm/boot/dts/dra7-evm.dts +@@ -285,6 +285,8 @@ + tps659038: tps659038@58 { + compatible = "ti,tps659038"; + reg = <0x58>; ++ ti,palmas-override-powerhold; ++ ti,system-power-controller; + + tps659038_pmic { + compatible = "ti,tps659038-pmic"; +diff --git a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +index 9e096d811bed..7a032dd84bb2 100644 +--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +@@ -88,6 +88,7 @@ + clocks = <&clks 201>; + VDDA-supply = <®_2p5v>; + VDDIO-supply = <®_3p3v>; ++ lrclk-strength = <3>; + }; + }; + +diff --git a/arch/arm/boot/dts/ls1021a.dtsi b/arch/arm/boot/dts/ls1021a.dtsi +index c70bb27ac65a..3429ceb1d577 100644 +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -128,7 +128,7 @@ + }; + + esdhc: esdhc@1560000 { +- compatible = "fsl,esdhc"; ++ compatible = "fsl,ls1021a-esdhc", "fsl,esdhc"; + reg = <0x0 0x1560000 0x0 0x10000>; + interrupts = <GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH>; + clock-frequency = <0>; +diff --git a/arch/arm/boot/dts/moxart-uc7112lx.dts b/arch/arm/boot/dts/moxart-uc7112lx.dts +index 10d088df0c35..4a962a26482d 100644 +--- a/arch/arm/boot/dts/moxart-uc7112lx.dts ++++ b/arch/arm/boot/dts/moxart-uc7112lx.dts +@@ -6,7 +6,7 @@ + */ + + /dts-v1/; +-/include/ "moxart.dtsi" ++#include "moxart.dtsi" + + / { + model = "MOXA UC-7112-LX"; +diff --git a/arch/arm/boot/dts/moxart.dtsi b/arch/arm/boot/dts/moxart.dtsi +index 1fd27ed65a01..64f2f44235d0 100644 +--- a/arch/arm/boot/dts/moxart.dtsi ++++ b/arch/arm/boot/dts/moxart.dtsi +@@ -6,6 +6,7 @@ + */ + + /include/ "skeleton.dtsi" ++#include <dt-bindings/interrupt-controller/irq.h> + + / { + compatible = "moxa,moxart"; +@@ -36,8 +37,8 @@ + ranges; + + intc: interrupt-controller@98800000 { +- compatible = "moxa,moxart-ic"; +- reg = <0x98800000 0x38>; ++ compatible = "moxa,moxart-ic", "faraday,ftintc010"; ++ reg = <0x98800000 0x100>; + interrupt-controller; + #interrupt-cells = <2>; + interrupt-mask = <0x00080000>; +@@ -59,7 +60,7 @@ + timer: timer@98400000 { + compatible = "moxa,moxart-timer"; + reg = <0x98400000 0x42>; +- interrupts = <19 1>; ++ interrupts = <19 IRQ_TYPE_EDGE_FALLING>; + clocks = <&clk_apb>; + }; + +@@ -80,7 +81,7 @@ + dma: dma@90500000 { + compatible = "moxa,moxart-dma"; + reg = <0x90500080 0x40>; +- interrupts = <24 0>; ++ interrupts = <24 IRQ_TYPE_LEVEL_HIGH>; + #dma-cells = <1>; + }; + +@@ -93,7 +94,7 @@ + sdhci: sdhci@98e00000 { + compatible = "moxa,moxart-sdhci"; + reg = <0x98e00000 0x5C>; +- interrupts = <5 0>; ++ interrupts = <5 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clk_apb>; + dmas = <&dma 5>, + <&dma 5>; +@@ -120,7 +121,7 @@ + mac0: mac@90900000 { + compatible = "moxa,moxart-mac"; + reg = <0x90900000 0x90>; +- interrupts = <25 0>; ++ interrupts = <25 IRQ_TYPE_LEVEL_HIGH>; + phy-handle = <ðphy0>; + phy-mode = "mii"; + status = "disabled"; +@@ -129,7 +130,7 @@ + mac1: mac@92000000 { + compatible = "moxa,moxart-mac"; + reg = <0x92000000 0x90>; +- interrupts = <27 0>; ++ interrupts = <27 IRQ_TYPE_LEVEL_HIGH>; + phy-handle = <ðphy1>; + phy-mode = "mii"; + status = "disabled"; +@@ -138,7 +139,7 @@ + uart0: uart@98200000 { + compatible = "ns16550a"; + reg = <0x98200000 0x20>; +- interrupts = <31 8>; ++ interrupts = <31 IRQ_TYPE_LEVEL_HIGH>; + reg-shift = <2>; + reg-io-width = <4>; + clock-frequency = <14745600>; +diff --git a/arch/arm/boot/dts/omap3-n900.dts b/arch/arm/boot/dts/omap3-n900.dts +index 27cd4abfc74d..731860314ab5 100644 +--- a/arch/arm/boot/dts/omap3-n900.dts ++++ b/arch/arm/boot/dts/omap3-n900.dts +@@ -488,7 +488,7 @@ + tlv320aic3x: tlv320aic3x@18 { + compatible = "ti,tlv320aic3x"; + reg = <0x18>; +- gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */ ++ reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */ + ai3x-gpio-func = < + 0 /* AIC3X_GPIO1_FUNC_DISABLED */ + 5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */ +@@ -505,7 +505,7 @@ + tlv320aic3x_aux: tlv320aic3x@19 { + compatible = "ti,tlv320aic3x"; + reg = <0x19>; +- gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */ ++ reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */ + + AVDD-supply = <&vmmc2>; + DRVDD-supply = <&vmmc2>; +diff --git a/arch/arm/boot/dts/r8a7790.dtsi b/arch/arm/boot/dts/r8a7790.dtsi +index 4bb2f4c17321..07f31efec974 100644 +--- a/arch/arm/boot/dts/r8a7790.dtsi ++++ b/arch/arm/boot/dts/r8a7790.dtsi +@@ -1227,8 +1227,11 @@ + compatible = "renesas,r8a7790-mstp-clocks", "renesas,cpg-mstp-clocks"; + reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>; + clocks = <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, + <&p_clk>, + <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>, + <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>, +diff --git a/arch/arm/boot/dts/r8a7791-koelsch.dts b/arch/arm/boot/dts/r8a7791-koelsch.dts +index 824ddab9c3ad..19106ceecd3a 100644 +--- a/arch/arm/boot/dts/r8a7791-koelsch.dts ++++ b/arch/arm/boot/dts/r8a7791-koelsch.dts +@@ -273,7 +273,7 @@ + x2_clk: x2-clock { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <148500000>; ++ clock-frequency = <74250000>; + }; + + x13_clk: x13-clock { +diff --git a/arch/arm/boot/dts/r8a7791.dtsi b/arch/arm/boot/dts/r8a7791.dtsi +index 4696062f6dde..96cd539ee4c6 100644 +--- a/arch/arm/boot/dts/r8a7791.dtsi ++++ b/arch/arm/boot/dts/r8a7791.dtsi +@@ -1232,8 +1232,11 @@ + compatible = "renesas,r8a7791-mstp-clocks", "renesas,cpg-mstp-clocks"; + reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>; + clocks = <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, + <&p_clk>, + <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>, + <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>, +diff --git a/arch/arm/include/asm/xen/events.h b/arch/arm/include/asm/xen/events.h +index 8b1f37bfeeec..b7aadab9b0e8 100644 +--- a/arch/arm/include/asm/xen/events.h ++++ b/arch/arm/include/asm/xen/events.h +@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(struct pt_regs *regs) + return raw_irqs_disabled_flags(regs->ARM_cpsr); + } + +-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr), \ ++#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\ + atomic64_t, \ + counter), (val)) + +diff --git a/arch/arm/kernel/ftrace.c b/arch/arm/kernel/ftrace.c +index 709ee1d6d4df..faa9a905826e 100644 +--- a/arch/arm/kernel/ftrace.c ++++ b/arch/arm/kernel/ftrace.c +@@ -29,11 +29,6 @@ + #endif + + #ifdef CONFIG_DYNAMIC_FTRACE +-#ifdef CONFIG_OLD_MCOUNT +-#define OLD_MCOUNT_ADDR ((unsigned long) mcount) +-#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old) +- +-#define OLD_NOP 0xe1a00000 /* mov r0, r0 */ + + static int __ftrace_modify_code(void *data) + { +@@ -51,6 +46,12 @@ void arch_ftrace_update_code(int command) + stop_machine(__ftrace_modify_code, &command, NULL); + } + ++#ifdef CONFIG_OLD_MCOUNT ++#define OLD_MCOUNT_ADDR ((unsigned long) mcount) ++#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old) ++ ++#define OLD_NOP 0xe1a00000 /* mov r0, r0 */ ++ + static unsigned long ftrace_nop_replace(struct dyn_ftrace *rec) + { + return rec->arch.old_mcount ? OLD_NOP : NOP; +diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c +index 4a86a0133ac3..016c87fc9b69 100644 +--- a/arch/arm/kernel/perf_event.c ++++ b/arch/arm/kernel/perf_event.c +@@ -311,10 +311,16 @@ validate_group(struct perf_event *event) + return 0; + } + ++static struct arm_pmu_platdata *armpmu_get_platdata(struct arm_pmu *armpmu) ++{ ++ struct platform_device *pdev = armpmu->plat_device; ++ ++ return pdev ? dev_get_platdata(&pdev->dev) : NULL; ++} ++ + static irqreturn_t armpmu_dispatch_irq(int irq, void *dev) + { + struct arm_pmu *armpmu; +- struct platform_device *plat_device; + struct arm_pmu_platdata *plat; + int ret; + u64 start_clock, finish_clock; +@@ -326,8 +332,8 @@ static irqreturn_t armpmu_dispatch_irq(int irq, void *dev) + * dereference. + */ + armpmu = *(void **)dev; +- plat_device = armpmu->plat_device; +- plat = dev_get_platdata(&plat_device->dev); ++ ++ plat = armpmu_get_platdata(armpmu); + + start_clock = sched_clock(); + if (plat && plat->handle_irq) +diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c +index ddfdd820e6f2..6bad2a02a2f9 100644 +--- a/arch/arm/mach-davinci/devices-da8xx.c ++++ b/arch/arm/mach-davinci/devices-da8xx.c +@@ -827,6 +827,8 @@ static struct platform_device da8xx_dsp = { + .resource = da8xx_rproc_resources, + }; + ++static bool rproc_mem_inited __initdata; ++ + #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC) + + static phys_addr_t rproc_base __initdata; +@@ -865,6 +867,8 @@ void __init da8xx_rproc_reserve_cma(void) + ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0); + if (ret) + pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret); ++ else ++ rproc_mem_inited = true; + } + + #else +@@ -879,6 +883,12 @@ int __init da8xx_register_rproc(void) + { + int ret; + ++ if (!rproc_mem_inited) { ++ pr_warn("%s: memory not reserved for DSP, not registering DSP device\n", ++ __func__); ++ return -ENOMEM; ++ } ++ + ret = platform_device_register(&da8xx_dsp); + if (ret) + pr_err("%s: can't register DSP device: %d\n", __func__, ret); +diff --git a/arch/arm/mach-imx/clk-imx6q.c b/arch/arm/mach-imx/clk-imx6q.c +index a2e8ef3c0bd9..777531ef58d6 100644 +--- a/arch/arm/mach-imx/clk-imx6q.c ++++ b/arch/arm/mach-imx/clk-imx6q.c +@@ -402,7 +402,7 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node) + clk[IMX6QDL_CLK_GPU2D_CORE] = imx_clk_gate2("gpu2d_core", "gpu2d_core_podf", base + 0x6c, 24); + clk[IMX6QDL_CLK_GPU3D_CORE] = imx_clk_gate2("gpu3d_core", "gpu3d_core_podf", base + 0x6c, 26); + clk[IMX6QDL_CLK_HDMI_IAHB] = imx_clk_gate2("hdmi_iahb", "ahb", base + 0x70, 0); +- clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "video_27m", base + 0x70, 4); ++ clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "mipi_core_cfg", base + 0x70, 4); + clk[IMX6QDL_CLK_I2C1] = imx_clk_gate2("i2c1", "ipg_per", base + 0x70, 6); + clk[IMX6QDL_CLK_I2C2] = imx_clk_gate2("i2c2", "ipg_per", base + 0x70, 8); + clk[IMX6QDL_CLK_I2C3] = imx_clk_gate2("i2c3", "ipg_per", base + 0x70, 10); +diff --git a/arch/arm/mach-omap2/clockdomains7xx_data.c b/arch/arm/mach-omap2/clockdomains7xx_data.c +index 7581e036bda6..70e3b711e79c 100644 +--- a/arch/arm/mach-omap2/clockdomains7xx_data.c ++++ b/arch/arm/mach-omap2/clockdomains7xx_data.c +@@ -524,7 +524,7 @@ static struct clockdomain pcie_7xx_clkdm = { + .dep_bit = DRA7XX_PCIE_STATDEP_SHIFT, + .wkdep_srcs = pcie_wkup_sleep_deps, + .sleepdep_srcs = pcie_wkup_sleep_deps, +- .flags = CLKDM_CAN_HWSUP_SWSUP, ++ .flags = CLKDM_CAN_SWSUP, + }; + + static struct clockdomain atl_7xx_clkdm = { +diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h +index 5f750dc96e0f..49d057eb93d6 100644 +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -44,16 +44,16 @@ + : "memory") + + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) + { + int op = (encoded_op >> 28) & 7; + int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; ++ int oparg = (int)(encoded_op << 8) >> 20; ++ int cmparg = (int)(encoded_op << 20) >> 20; + int oldval = 0, ret, tmp; + + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; ++ oparg = 1U << (oparg & 0x1f); + + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + return -EFAULT; +diff --git a/arch/frv/include/asm/timex.h b/arch/frv/include/asm/timex.h +index a89bddefdacf..139093fab326 100644 +--- a/arch/frv/include/asm/timex.h ++++ b/arch/frv/include/asm/timex.h +@@ -16,5 +16,11 @@ static inline cycles_t get_cycles(void) + #define vxtime_lock() do {} while (0) + #define vxtime_unlock() do {} while (0) + ++/* This attribute is used in include/linux/jiffies.h alongside with ++ * __cacheline_aligned_in_smp. It is assumed that __cacheline_aligned_in_smp ++ * for frv does not contain another section specification. ++ */ ++#define __jiffy_arch_data __attribute__((__section__(".data"))) ++ + #endif + +diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c +index 29754aae5177..4268a78d8a5b 100644 +--- a/arch/ia64/kernel/module.c ++++ b/arch/ia64/kernel/module.c +@@ -153,7 +153,7 @@ slot (const struct insn *insn) + static int + apply_imm64 (struct module *mod, struct insn *insn, uint64_t val) + { +- if (slot(insn) != 2) { ++ if (slot(insn) != 1 && slot(insn) != 2) { + printk(KERN_ERR "%s: invalid slot number %d for IMM64\n", + mod->name, slot(insn)); + return 0; +@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct insn *insn, uint64_t val) + static int + apply_imm60 (struct module *mod, struct insn *insn, uint64_t val) + { +- if (slot(insn) != 2) { ++ if (slot(insn) != 1 && slot(insn) != 2) { + printk(KERN_ERR "%s: invalid slot number %d for IMM60\n", + mod->name, slot(insn)); + return 0; +diff --git a/arch/mips/include/asm/kprobes.h b/arch/mips/include/asm/kprobes.h +index daba1f9a4f79..174aedce3167 100644 +--- a/arch/mips/include/asm/kprobes.h ++++ b/arch/mips/include/asm/kprobes.h +@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_opcode_t; + + #define flush_insn_slot(p) \ + do { \ +- flush_icache_range((unsigned long)p->addr, \ ++ if (p->addr) \ ++ flush_icache_range((unsigned long)p->addr, \ + (unsigned long)p->addr + \ + (MAX_INSN_SIZE * sizeof(kprobe_opcode_t))); \ + } while (0) +diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c +index d477508450de..805b71ed5129 100644 +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c +@@ -1096,10 +1096,20 @@ repeat: + } + break; + +- case beql_op: +- case bnel_op: + case blezl_op: + case bgtzl_op: ++ /* ++ * For BLEZL and BGTZL, rt field must be set to 0. If this ++ * is not the case, this may be an encoding of a MIPS R6 ++ * instruction, so return to CPU execution if this occurs ++ */ ++ if (MIPSInst_RT(inst)) { ++ err = SIGILL; ++ break; ++ } ++ /* fall through */ ++ case beql_op: ++ case bnel_op: + if (delay_slot(regs)) { + err = SIGILL; + break; +@@ -2329,6 +2339,8 @@ static int mipsr2_stats_clear_show(struct seq_file *s, void *unused) + __this_cpu_write((mipsr2bremustats).bgezl, 0); + __this_cpu_write((mipsr2bremustats).bltzll, 0); + __this_cpu_write((mipsr2bremustats).bgezll, 0); ++ __this_cpu_write((mipsr2bremustats).bltzall, 0); ++ __this_cpu_write((mipsr2bremustats).bgezall, 0); + __this_cpu_write((mipsr2bremustats).bltzal, 0); + __this_cpu_write((mipsr2bremustats).bgezal, 0); + __this_cpu_write((mipsr2bremustats).beql, 0); +diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S +index b8e63fd00375..cda33475a481 100644 +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -218,7 +218,7 @@ + 1: PTR_ADDIU a0, 1 /* fill bytewise */ + R10KCBARRIER(0(ra)) + bne t1, a0, 1b +- sb a1, -1(a0) ++ EX(sb, a1, -1(a0), .Lsmall_fixup\@) + + 2: jr ra /* done */ + move a2, zero +@@ -249,13 +249,18 @@ + PTR_L t0, TI_TASK($28) + andi a2, STORMASK + LONG_L t0, THREAD_BUADDR(t0) +- LONG_ADDU a2, t1 ++ LONG_ADDU a2, a0 + jr ra + LONG_SUBU a2, t0 + + .Llast_fixup\@: + jr ra +- andi v1, a2, STORMASK ++ nop ++ ++.Lsmall_fixup\@: ++ PTR_SUBU a2, t1, a0 ++ jr ra ++ PTR_ADDIU a2, 1 + + .endm + +diff --git a/arch/mips/mm/pgtable-32.c b/arch/mips/mm/pgtable-32.c +index adc6911ba748..b19a3c506b1e 100644 +--- a/arch/mips/mm/pgtable-32.c ++++ b/arch/mips/mm/pgtable-32.c +@@ -51,15 +51,15 @@ void __init pagetable_init(void) + /* + * Fixed mappings: + */ +- vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK; +- fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base); ++ vaddr = __fix_to_virt(__end_of_fixed_addresses - 1); ++ fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base); + + #ifdef CONFIG_HIGHMEM + /* + * Permanent kmaps: + */ + vaddr = PKMAP_BASE; +- fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base); ++ fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base); + + pgd = swapper_pg_dir + __pgd_offset(vaddr); + pud = pud_offset(pgd, vaddr); +diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c +index d6d27d51d131..5cf32b77f128 100644 +--- a/arch/mips/net/bpf_jit.c ++++ b/arch/mips/net/bpf_jit.c +@@ -562,7 +562,8 @@ static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset) + u32 sflags, tmp_flags; + + /* Adjust the stack pointer */ +- emit_stack_offset(-align_sp(offset), ctx); ++ if (offset) ++ emit_stack_offset(-align_sp(offset), ctx); + + if (ctx->flags & SEEN_CALL) { + /* Argument save area */ +@@ -641,7 +642,8 @@ static void restore_bpf_jit_regs(struct jit_ctx *ctx, + emit_load_stack_reg(r_ra, r_sp, real_off, ctx); + + /* Restore the sp and discard the scrach memory */ +- emit_stack_offset(align_sp(offset), ctx); ++ if (offset) ++ emit_stack_offset(align_sp(offset), ctx); + } + + static unsigned int get_stack_depth(struct jit_ctx *ctx) +@@ -685,8 +687,14 @@ static void build_prologue(struct jit_ctx *ctx) + if (ctx->flags & SEEN_X) + emit_jit_reg_move(r_X, r_zero, ctx); + +- /* Do not leak kernel data to userspace */ +- if (bpf_needs_clear_a(&ctx->skf->insns[0])) ++ /* ++ * Do not leak kernel data to userspace, we only need to clear ++ * r_A if it is ever used. In fact if it is never used, we ++ * will not save/restore it, so clearing it in this case would ++ * corrupt the state of the caller. ++ */ ++ if (bpf_needs_clear_a(&ctx->skf->insns[0]) && ++ (ctx->flags & SEEN_A)) + emit_jit_reg_move(r_A, r_zero, ctx); + } + +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c +index dba508fe1683..4f7060ec6875 100644 +--- a/arch/parisc/kernel/drivers.c ++++ b/arch/parisc/kernel/drivers.c +@@ -648,6 +648,10 @@ static int match_pci_device(struct device *dev, int index, + (modpath->mod == PCI_FUNC(devfn))); + } + ++ /* index might be out of bounds for bc[] */ ++ if (index >= 6) ++ return 0; ++ + id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5); + return (modpath->bc[index] == id); + } +diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h +index a3bf5be111ff..bedaf3e3c558 100644 +--- a/arch/powerpc/include/asm/barrier.h ++++ b/arch/powerpc/include/asm/barrier.h +@@ -36,7 +36,8 @@ + + #define set_mb(var, value) do { var = value; mb(); } while (0) + +-#ifdef __SUBARCH_HAS_LWSYNC ++/* The sub-arch has lwsync */ ++#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) + # define SMPWMB LWSYNC + #else + # define SMPWMB eieio +diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h +index 042af1abfc4d..e1b164f4a8f0 100644 +--- a/arch/powerpc/include/asm/opal.h ++++ b/arch/powerpc/include/asm/opal.h +@@ -21,6 +21,9 @@ + /* We calculate number of sg entries based on PAGE_SIZE */ + #define SG_ENTRIES_PER_NODE ((PAGE_SIZE - 16) / sizeof(struct opal_sg_entry)) + ++/* Default time to sleep or delay between OPAL_BUSY/OPAL_BUSY_EVENT loops */ ++#define OPAL_BUSY_DELAY_MS 10 ++ + /* /sys/firmware/opal */ + extern struct kobject *opal_kobj; + +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h +index c50868681f9e..e8d6a842f4bb 100644 +--- a/arch/powerpc/include/asm/synch.h ++++ b/arch/powerpc/include/asm/synch.h +@@ -5,10 +5,6 @@ + #include <linux/stringify.h> + #include <asm/feature-fixups.h> + +-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) +-#define __SUBARCH_HAS_LWSYNC +-#endif +- + #ifndef __ASSEMBLY__ + extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup; + extern void do_lwsync_fixups(unsigned long value, void *fixup_start, +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index c3e0420b8a42..a9fec93c2144 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -766,7 +766,8 @@ static void eeh_restore_bridge_bars(struct eeh_dev *edev) + eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]); + + /* PCI Command: 0x4 */ +- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]); ++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] | ++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER); + + /* Check the PCIe link is ready */ + eeh_bridge_check_link(edev); +diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c +index 56f44848b044..4094e9013c18 100644 +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -685,12 +685,20 @@ static int __init get_freq(char *name, int cells, unsigned long *val) + static void start_cpu_decrementer(void) + { + #if defined(CONFIG_BOOKE) || defined(CONFIG_40x) ++ unsigned int tcr; ++ + /* Clear any pending timer interrupts */ + mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS); + +- /* Enable decrementer interrupt */ +- mtspr(SPRN_TCR, TCR_DIE); +-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */ ++ tcr = mfspr(SPRN_TCR); ++ /* ++ * The watchdog may have already been enabled by u-boot. So leave ++ * TRC[WP] (Watchdog Period) alone. ++ */ ++ tcr &= TCR_WP_MASK; /* Clear all bits except for TCR[WP] */ ++ tcr |= TCR_DIE; /* Enable decrementer */ ++ mtspr(SPRN_TCR, tcr); ++#endif + } + + void __init generic_calibrate_decr(void) +diff --git a/arch/powerpc/kvm/book3s_64_mmu_host.c b/arch/powerpc/kvm/book3s_64_mmu_host.c +index b982d925c710..c74c9c4134b5 100644 +--- a/arch/powerpc/kvm/book3s_64_mmu_host.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c +@@ -176,12 +176,15 @@ map_again: + ret = ppc_md.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags, + hpsize, hpsize, MMU_SEGSIZE_256M); + +- if (ret < 0) { ++ if (ret == -1) { + /* If we couldn't map a primary PTE, try a secondary */ + hash = ~hash; + vflags ^= HPTE_V_SECONDARY; + attempt++; + goto map_again; ++ } else if (ret < 0) { ++ r = -EIO; ++ goto out_unlock; + } else { + trace_kvm_book3s_64_mmu_map(rflags, hpteg, + vpn, hpaddr, orig_pte); +diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c +index f57383941d03..7e66365cd0c9 100644 +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -625,7 +625,11 @@ int kvmppc_handle_pagefault(struct kvm_run *run, struct kvm_vcpu *vcpu, + kvmppc_mmu_unmap_page(vcpu, &pte); + } + /* The guest's PTE is not mapped yet. Map on the host */ +- kvmppc_mmu_map_page(vcpu, &pte, iswrite); ++ if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) { ++ /* Exit KVM if mapping failed */ ++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ return RESUME_HOST; ++ } + if (data) + vcpu->stat.sp_storage++; + else if (vcpu->arch.mmu.is_dcbz32(vcpu) && +diff --git a/arch/powerpc/kvm/book3s_pr_papr.c b/arch/powerpc/kvm/book3s_pr_papr.c +index f2c75a1e0536..0d91baf63fed 100644 +--- a/arch/powerpc/kvm/book3s_pr_papr.c ++++ b/arch/powerpc/kvm/book3s_pr_papr.c +@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_vcpu *vcpu) + pteg_addr = get_pteg_addr(vcpu, pte_index); + + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg))) ++ goto done; + hpte = pteg; + + ret = H_PTEG_FULL; +@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_vcpu *vcpu) + hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6)); + hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7)); + pteg_addr += i * HPTE_SIZE; +- copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE)) ++ goto done; + kvmppc_set_gpr(vcpu, 4, pte_index | i); + ret = H_SUCCESS; + +@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm_vcpu *vcpu) + + pteg = get_pteg_addr(vcpu, pte_index); + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) ++ goto done; + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm_vcpu *vcpu) + ((flags & H_ANDCOND) && (pte[0] & avpn) != 0)) + goto done; + +- copy_to_user((void __user *)pteg, &v, sizeof(v)); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) ++ goto done; + + rb = compute_tlbie_rb(pte[0], pte[1], pte_index); + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false); +@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struct kvm_vcpu *vcpu) + } + + pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) { ++ ret = H_FUNCTION; ++ break; ++ } + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struct kvm_vcpu *vcpu) + tsh |= H_BULK_REMOVE_NOT_FOUND; + } else { + /* Splat the pteg in (userland) hpt */ +- copy_to_user((void __user *)pteg, &v, sizeof(v)); ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) { ++ ret = H_FUNCTION; ++ break; ++ } + + rb = compute_tlbie_rb(pte[0], pte[1], + tsh & H_BULK_REMOVE_PTEX); +@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kvm_vcpu *vcpu) + + pteg = get_pteg_addr(vcpu, pte_index); + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) ++ goto done; + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kvm_vcpu *vcpu) + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false); + pte[0] = (__force u64)cpu_to_be64(pte[0]); + pte[1] = (__force u64)cpu_to_be64(pte[1]); +- copy_to_user((void __user *)pteg, pte, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg, pte, sizeof(pte))) ++ goto done; + ret = H_SUCCESS; + + done: +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c +index b396868d2aa7..f962209a6037 100644 +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -293,7 +293,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address, + * can result in fault, which will cause a deadlock when called with + * mmap_sem held + */ +- if (user_mode(regs)) ++ if (!is_exec && user_mode(regs)) + store_update_sp = store_updates_sp(regs); + + if (user_mode(regs)) +diff --git a/arch/powerpc/platforms/cell/spufs/coredump.c b/arch/powerpc/platforms/cell/spufs/coredump.c +index be6212ddbf06..7e42e3ec2142 100644 +--- a/arch/powerpc/platforms/cell/spufs/coredump.c ++++ b/arch/powerpc/platforms/cell/spufs/coredump.c +@@ -174,6 +174,8 @@ static int spufs_arch_write_note(struct spu_context *ctx, int i, + if (!dump_skip(cprm, + roundup(cprm->written - total + sz, 4) - cprm->written)) + goto Eio; ++ ++ rc = 0; + out: + free_page((unsigned long)buf); + return rc; +diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c +index 9db4398ded5d..1bceb95f422d 100644 +--- a/arch/powerpc/platforms/powernv/opal-nvram.c ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c +@@ -11,6 +11,7 @@ + + #define DEBUG + ++#include <linux/delay.h> + #include <linux/kernel.h> + #include <linux/init.h> + #include <linux/of.h> +@@ -56,9 +57,17 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index) + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_write_nvram(__pa(buf), count, off); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } + } ++ ++ if (rc) ++ return -EIO; ++ + *index += count; + return count; + } +diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c +index 2eeb0a0f506d..8e40530fd39c 100644 +--- a/arch/s390/hypfs/inode.c ++++ b/arch/s390/hypfs/inode.c +@@ -323,7 +323,7 @@ static void hypfs_kill_super(struct super_block *sb) + + if (sb->s_root) + hypfs_delete_tree(sb->s_root); +- if (sb_info->update_file) ++ if (sb_info && sb_info->update_file) + hypfs_remove(sb_info->update_file); + kfree(sb->s_fs_info); + sb->s_fs_info = NULL; +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c +index 7963c6aa1196..09548603d782 100644 +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -770,6 +770,7 @@ static ssize_t reipl_generic_loadparm_store(struct ipl_parameter_block *ipb, + /* copy and convert to ebcdic */ + memcpy(ipb->hdr.loadparm, buf, lp_len); + ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN); ++ ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID; + return len; + } + +diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S +index 445657fe658c..6c553f6e791a 100644 +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -21,8 +21,14 @@ SECTIONS + { + . = 0x00000000; + .text : { +- _text = .; /* Text and read-only data */ ++ /* Text and read-only data */ + HEAD_TEXT ++ /* ++ * E.g. perf doesn't like symbols starting at address zero, ++ * therefore skip the initial PSW and channel program located ++ * at address zero and let _text start at 0x200. ++ */ ++ _text = 0x200; + TEXT_TEXT + SCHED_TEXT + LOCK_TEXT +diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c +index 7d3ca30fcd15..00e6b6c1dd79 100644 +--- a/arch/sparc/kernel/ldc.c ++++ b/arch/sparc/kernel/ldc.c +@@ -1733,9 +1733,14 @@ static int read_nonraw(struct ldc_channel *lp, void *buf, unsigned int size) + + lp->rcv_nxt = p->seqid; + ++ /* ++ * If this is a control-only packet, there is nothing ++ * else to do but advance the rx queue since the packet ++ * was already processed above. ++ */ + if (!(p->type & LDC_DATA)) { + new = rx_advance(lp, new); +- goto no_data; ++ break; + } + if (p->stype & (LDC_ACK | LDC_NACK)) { + err = data_ack_nack(lp, p); +diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c +index 7b605e4dfffa..2ac6a7e5a179 100644 +--- a/arch/um/os-Linux/signal.c ++++ b/arch/um/os-Linux/signal.c +@@ -135,7 +135,7 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = { + + static void hard_handler(int sig, siginfo_t *si, void *p) + { +- struct ucontext *uc = p; ++ ucontext_t *uc = p; + mcontext_t *mc = &uc->uc_mcontext; + unsigned long pending = 1UL << sig; + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 2fda005bb334..696c82f9035d 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -158,6 +158,15 @@ KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) + + LDFLAGS := -m elf_$(UTS_MACHINE) + ++# ++# The 64-bit kernel must be aligned to 2MB. Pass -z max-page-size=0x200000 to ++# the linker to force 2MB page size regardless of the default page size used ++# by the linker. ++# ++ifdef CONFIG_X86_64 ++LDFLAGS += $(call ld-option, -z max-page-size=0x200000) ++endif ++ + # Speed up the build + KBUILD_CFLAGS += -pipe + # Workaround for a gcc prelease that unfortunately was shipped in a suse release +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c +index e28437e0f708..fc48e8e11a95 100644 +--- a/arch/x86/boot/compressed/misc.c ++++ b/arch/x86/boot/compressed/misc.c +@@ -349,6 +349,10 @@ static void parse_elf(void *output) + + switch (phdr->p_type) { + case PT_LOAD: ++#ifdef CONFIG_X86_64 ++ if ((phdr->p_align % 0x200000) != 0) ++ error("Alignment of LOAD segment isn't multiple of 2MB"); ++#endif + #ifdef CONFIG_RELOCATABLE + dest = output; + dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR); +diff --git a/arch/x86/crypto/cast5_avx_glue.c b/arch/x86/crypto/cast5_avx_glue.c +index 236c80974457..75385fcf1074 100644 +--- a/arch/x86/crypto/cast5_avx_glue.c ++++ b/arch/x86/crypto/cast5_avx_glue.c +@@ -67,8 +67,6 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk, + void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src); + int err; + +- fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; +- + err = blkcipher_walk_virt(desc, walk); + desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + +@@ -80,6 +78,7 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk, + + /* Process multi-block batch */ + if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) { ++ fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; + do { + fn(ctx, wdst, wsrc); + +diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h +index da772edd19ab..b1965b6bbd68 100644 +--- a/arch/x86/include/asm/vmx.h ++++ b/arch/x86/include/asm/vmx.h +@@ -306,6 +306,7 @@ enum vmcs_field { + #define INTR_TYPE_NMI_INTR (2 << 8) /* NMI */ + #define INTR_TYPE_HARD_EXCEPTION (3 << 8) /* processor exception */ + #define INTR_TYPE_SOFT_INTR (4 << 8) /* software interrupt */ ++#define INTR_TYPE_PRIV_SW_EXCEPTION (5 << 8) /* ICE breakpoint - undocumented */ + #define INTR_TYPE_SOFT_EXCEPTION (6 << 8) /* software exception */ + + /* GUEST_INTERRUPTIBILITY_INFO flags. */ +diff --git a/arch/x86/include/uapi/asm/msr-index.h b/arch/x86/include/uapi/asm/msr-index.h +index 06b407f79b24..da43f226e5a2 100644 +--- a/arch/x86/include/uapi/asm/msr-index.h ++++ b/arch/x86/include/uapi/asm/msr-index.h +@@ -307,6 +307,9 @@ + #define FAM10H_MMIO_CONF_BASE_MASK 0xfffffffULL + #define FAM10H_MMIO_CONF_BASE_SHIFT 20 + #define MSR_FAM10H_NODE_ID 0xc001100c ++#define MSR_F10H_DECFG 0xc0011029 ++#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1 ++#define MSR_F10H_DECFG_LFENCE_SERIALIZE BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT) + + /* K8 MSRs */ + #define MSR_K8_TOP_MEM1 0xc001001a +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index c6c4248ab138..1d64ba0c9496 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -712,8 +712,32 @@ static void init_amd(struct cpuinfo_x86 *c) + set_cpu_cap(c, X86_FEATURE_K8); + + if (cpu_has_xmm2) { +- /* MFENCE stops RDTSC speculation */ +- set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC); ++ unsigned long long val; ++ int ret; ++ ++ /* ++ * A serializing LFENCE has less overhead than MFENCE, so ++ * use it for execution serialization. On families which ++ * don't have that MSR, LFENCE is already serializing. ++ * msr_set_bit() uses the safe accessors, too, even if the MSR ++ * is not present. ++ */ ++ msr_set_bit(MSR_F10H_DECFG, ++ MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT); ++ ++ /* ++ * Verify that the MSR write was successful (could be running ++ * under a hypervisor) and only then assume that LFENCE is ++ * serializing. ++ */ ++ ret = rdmsrl_safe(MSR_F10H_DECFG, &val); ++ if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) { ++ /* A serializing LFENCE stops RDTSC speculation */ ++ set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC); ++ } else { ++ /* MFENCE stops RDTSC speculation */ ++ set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC); ++ } + } + + /* +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c +index 185ebd2c0c3c..5d77df85c529 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2493,7 +2493,7 @@ static unsigned bdw_limit_period(struct perf_event *event, unsigned left) + X86_CONFIG(.event=0xc0, .umask=0x01)) { + if (left < 128) + left = 128; +- left &= ~0x3fu; ++ left &= ~0x3fULL; + } + return left; + } +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index e7cc5370cd2f..6c7e7986939a 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -405,6 +405,7 @@ struct legacy_pic default_legacy_pic = { + }; + + struct legacy_pic *legacy_pic = &default_legacy_pic; ++EXPORT_SYMBOL(legacy_pic); + + static int __init i8259A_init_ops(void) + { +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 228c233a2f36..106d4ac16a43 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -49,6 +49,7 @@ + #include <linux/kdebug.h> + #include <linux/kallsyms.h> + #include <linux/ftrace.h> ++#include <linux/moduleloader.h> + + #include <asm/cacheflush.h> + #include <asm/desc.h> +@@ -196,6 +197,8 @@ retry: + return (opcode != 0x62 && opcode != 0x67); + case 0x70: + return 0; /* can't boost conditional jump */ ++ case 0x90: ++ return opcode != 0x9a; /* can't boost call far */ + case 0xc0: + /* can't boost software-interruptions */ + return (0xc1 < opcode && opcode < 0xcc) || opcode == 0xcf; +@@ -400,10 +403,20 @@ int __copy_instruction(u8 *dest, u8 *src) + return length; + } + ++/* Recover page to RW mode before releasing it */ ++void free_insn_page(void *page) ++{ ++ set_memory_nx((unsigned long)page & PAGE_MASK, 1); ++ set_memory_rw((unsigned long)page & PAGE_MASK, 1); ++ module_memfree(page); ++} ++ + static int arch_copy_kprobe(struct kprobe *p) + { + int ret; + ++ set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1); ++ + /* Copy an instruction with recovering if other optprobe modifies it.*/ + ret = __copy_instruction(p->ainsn.insn, p->addr); + if (!ret) +@@ -418,6 +431,8 @@ static int arch_copy_kprobe(struct kprobe *p) + else + p->ainsn.boostable = -1; + ++ set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1); ++ + /* Check whether the instruction modifies Interrupt Flag or not */ + p->ainsn.if_modifier = is_IF_modifier(p->ainsn.insn); + +diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c +index c9d488f3e4cd..085415d88326 100644 +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -349,6 +349,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, + } + + buf = (u8 *)op->optinsn.insn; ++ set_memory_rw((unsigned long)buf & PAGE_MASK, 1); + + /* Copy instructions into the out-of-line buffer */ + ret = copy_optimized_instructions(buf + TMPL_END_IDX, op->kp.addr); +@@ -371,6 +372,8 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, + synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size, + (u8 *)op->kp.addr + op->optinsn.size); + ++ set_memory_ro((unsigned long)buf & PAGE_MASK, 1); ++ + flush_icache_range((unsigned long) buf, + (unsigned long) buf + TMPL_END_IDX + + op->optinsn.size + RELATIVEJUMP_SIZE); +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index f6911cc90a81..a92919864e04 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1400,6 +1400,8 @@ static inline void mwait_play_dead(void) + void *mwait_ptr; + int i; + ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) ++ return; + if (!this_cpu_has(X86_FEATURE_MWAIT)) + return; + if (!this_cpu_has(X86_FEATURE_CLFLUSH)) +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c +index 21187ebee7d0..8fdcdbf5f309 100644 +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -356,6 +356,8 @@ static int __init tsc_setup(char *str) + tsc_clocksource_reliable = 1; + if (!strncmp(str, "noirqtime", 9)) + no_sched_irq_time = 1; ++ if (!strcmp(str, "unstable")) ++ mark_tsc_unstable("boot parameter"); + return 1; + } + +@@ -397,7 +399,7 @@ static unsigned long calc_hpet_ref(u64 deltatsc, u64 hpet1, u64 hpet2) + hpet2 -= hpet1; + tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD)); + do_div(tmp, 1000000); +- do_div(deltatsc, tmp); ++ deltatsc = div64_u64(deltatsc, tmp); + + return (unsigned long) deltatsc; + } +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 6b87d8bcdcdd..28d48339af32 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1470,6 +1470,7 @@ static void svm_get_segment(struct kvm_vcpu *vcpu, + */ + if (var->unusable) + var->db = 0; ++ /* This is symmetric with svm_set_segment() */ + var->dpl = to_svm(vcpu)->vmcb->save.cpl; + break; + } +@@ -1614,18 +1615,14 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, + s->base = var->base; + s->limit = var->limit; + s->selector = var->selector; +- if (var->unusable) +- s->attrib = 0; +- else { +- s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK); +- s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT; +- s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT; +- s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT; +- s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT; +- s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT; +- s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT; +- s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT; +- } ++ s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK); ++ s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT; ++ s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT; ++ s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT; ++ s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT; ++ s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT; ++ s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT; ++ s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT; + + /* + * This is always accurate, except if SYSRET returned to a segment +@@ -1634,7 +1631,8 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, + * would entail passing the CPL to userspace and back. + */ + if (seg == VCPU_SREG_SS) +- svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3; ++ /* This is symmetric with svm_get_segment() */ ++ svm->vmcb->save.cpl = (var->dpl & 3); + + mark_dirty(svm->vmcb, VMCB_SEG); + } +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index ffd5502dd215..67f2d8e44fda 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -942,6 +942,13 @@ static inline bool is_machine_check(u32 intr_info) + (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK); + } + ++/* Undocumented: icebp/int1 */ ++static inline bool is_icebp(u32 intr_info) ++{ ++ return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK)) ++ == (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK); ++} ++ + static inline bool cpu_has_vmx_msr_bitmap(void) + { + return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS; +@@ -5151,7 +5158,7 @@ static int handle_exception(struct kvm_vcpu *vcpu) + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) { + vcpu->arch.dr6 &= ~15; + vcpu->arch.dr6 |= dr6 | DR6_RTM; +- if (!(dr6 & ~DR6_RESERVED)) /* icebp */ ++ if (is_icebp(intr_info)) + skip_emulated_instruction(vcpu); + + kvm_queue_exception(vcpu, DB_VECTOR); +@@ -7417,11 +7424,13 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu, + { + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); + int cr = exit_qualification & 15; +- int reg = (exit_qualification >> 8) & 15; +- unsigned long val = kvm_register_readl(vcpu, reg); ++ int reg; ++ unsigned long val; + + switch ((exit_qualification >> 4) & 3) { + case 0: /* mov to cr */ ++ reg = (exit_qualification >> 8) & 15; ++ val = kvm_register_readl(vcpu, reg); + switch (cr) { + case 0: + if (vmcs12->cr0_guest_host_mask & +@@ -7476,6 +7485,7 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu, + * lmsw can change bits 1..3 of cr0, and only set bit 0 of + * cr0. Other attempted changes are ignored, with no exit. + */ ++ val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f; + if (vmcs12->cr0_guest_host_mask & 0xe & + (val ^ vmcs12->cr0_read_shadow)) + return true; +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 27bc31f0da52..f6ca8a0d14ee 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -285,7 +285,7 @@ static noinline int vmalloc_fault(unsigned long address) + if (!pmd_k) + return -1; + +- if (pmd_huge(*pmd_k)) ++ if (pmd_large(*pmd_k)) + return 0; + + pte_k = pte_offset_kernel(pmd_k, address); +@@ -403,7 +403,7 @@ static noinline int vmalloc_fault(unsigned long address) + if (pud_none(*pud) || pud_pfn(*pud) != pud_pfn(*pud_ref)) + BUG(); + +- if (pud_huge(*pud)) ++ if (pud_large(*pud)) + return 0; + + pmd = pmd_offset(pud, address); +@@ -414,7 +414,7 @@ static noinline int vmalloc_fault(unsigned long address) + if (pmd_none(*pmd) || pmd_pfn(*pmd) != pmd_pfn(*pmd_ref)) + BUG(); + +- if (pmd_huge(*pmd)) ++ if (pmd_large(*pmd)) + return 0; + + pte_ref = pte_offset_kernel(pmd_ref, address); +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index ddeff4844a10..31657a66e3fd 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -971,7 +971,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog) + * may converge on the last pass. In such case do one more + * pass to emit the final image + */ +- for (pass = 0; pass < 10 || image; pass++) { ++ for (pass = 0; pass < 20 || image; pass++) { + proglen = do_jit(prog, addrs, image, oldproglen, &ctx); + if (proglen <= 0) { + image = NULL; +@@ -994,6 +994,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog) + goto out; + } + oldproglen = proglen; ++ cond_resched(); + } + + if (bpf_jit_enable > 1) +diff --git a/arch/x86/um/stub_segv.c b/arch/x86/um/stub_segv.c +index 1518d2805ae8..fd6825537b97 100644 +--- a/arch/x86/um/stub_segv.c ++++ b/arch/x86/um/stub_segv.c +@@ -10,7 +10,7 @@ + void __attribute__ ((__section__ (".__syscall_stub"))) + stub_segv_handler(int sig, siginfo_t *info, void *p) + { +- struct ucontext *uc = p; ++ ucontext_t *uc = p; + + GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA), + &uc->uc_mcontext); +diff --git a/block/bio-integrity.c b/block/bio-integrity.c +index 39ce74d10e2b..21978fcd877a 100644 +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -165,6 +165,9 @@ bool bio_integrity_enabled(struct bio *bio) + if (!bio_is_rw(bio)) + return false; + ++ if (!bio_sectors(bio)) ++ return false; ++ + /* Already protected? */ + if (bio_integrity(bio)) + return false; +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 2dc1fd6c5bdb..0145b2ceafae 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1607,7 +1607,8 @@ static void blk_mq_exit_hctx(struct request_queue *q, + { + unsigned flush_start_tag = set->queue_depth; + +- blk_mq_tag_idle(hctx); ++ if (blk_mq_hw_queue_mapped(hctx)) ++ blk_mq_tag_idle(hctx); + + if (set->ops->exit_request) + set->ops->exit_request(set->driver_data, +diff --git a/block/blk-throttle.c b/block/blk-throttle.c +index 5b9c6d5c3636..fd51c8be247d 100644 +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -648,6 +648,17 @@ static void throtl_dequeue_tg(struct throtl_grp *tg) + static void throtl_schedule_pending_timer(struct throtl_service_queue *sq, + unsigned long expires) + { ++ unsigned long max_expire = jiffies + 8 * throtl_slice; ++ ++ /* ++ * Since we are adjusting the throttle limit dynamically, the sleep ++ * time calculated according to previous limit might be invalid. It's ++ * possible the cgroup sleep time is very long and no other cgroups ++ * have IO running so notify the limit changes. Make sure the cgroup ++ * doesn't sleep too long to avoid the missed notification. ++ */ ++ if (time_after(expires, max_expire)) ++ expires = max_expire; + mod_timer(&sq->pending_timer, expires); + throtl_log(sq, "schedule timer. delay=%lu jiffies=%lu", + expires - jiffies, jiffies); +diff --git a/block/partition-generic.c b/block/partition-generic.c +index 0d9e5f97f0a8..94de2055365e 100644 +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -309,8 +309,10 @@ struct hd_struct *add_partition(struct gendisk *disk, int partno, + + if (info) { + struct partition_meta_info *pinfo = alloc_part_info(disk); +- if (!pinfo) ++ if (!pinfo) { ++ err = -ENOMEM; + goto out_free_stats; ++ } + memcpy(pinfo, info, sizeof(*info)); + p->info = pinfo; + } +diff --git a/block/partitions/msdos.c b/block/partitions/msdos.c +index 5610cd537da7..7d8d50c11ce7 100644 +--- a/block/partitions/msdos.c ++++ b/block/partitions/msdos.c +@@ -300,7 +300,9 @@ static void parse_bsd(struct parsed_partitions *state, + continue; + bsd_start = le32_to_cpu(p->p_offset); + bsd_size = le32_to_cpu(p->p_size); +- if (memcmp(flavour, "bsd\0", 4) == 0) ++ /* FreeBSD has relative offset if C partition offset is zero */ ++ if (memcmp(flavour, "bsd\0", 4) == 0 && ++ le32_to_cpu(l->d_partitions[2].p_offset) == 0) + bsd_start += offset; + if (offset == bsd_start && size == bsd_size) + /* full parent partition, we have it already */ +diff --git a/crypto/ahash.c b/crypto/ahash.c +index 7006dbfd39bd..6978ad86e516 100644 +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -91,13 +91,14 @@ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) + + if (nbytes && walk->offset & alignmask && !err) { + walk->offset = ALIGN(walk->offset, alignmask + 1); +- walk->data += walk->offset; +- + nbytes = min(nbytes, + ((unsigned int)(PAGE_SIZE)) - walk->offset); + walk->entrylen -= nbytes; + +- return nbytes; ++ if (nbytes) { ++ walk->data += walk->offset; ++ return nbytes; ++ } + } + + if (walk->flags & CRYPTO_ALG_ASYNC) +diff --git a/crypto/async_tx/async_pq.c b/crypto/async_tx/async_pq.c +index 5d355e0c2633..f3c4f0cd62dd 100644 +--- a/crypto/async_tx/async_pq.c ++++ b/crypto/async_tx/async_pq.c +@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *chan, + dma_addr_t dma_dest[2]; + int src_off = 0; + +- if (submit->flags & ASYNC_TX_FENCE) +- dma_flags |= DMA_PREP_FENCE; +- + while (src_cnt > 0) { + submit->flags = flags_orig; + pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags)); +@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *chan, + if (cb_fn_orig) + dma_flags |= DMA_PREP_INTERRUPT; + } ++ if (submit->flags & ASYNC_TX_FENCE) ++ dma_flags |= DMA_PREP_FENCE; + + /* Drivers force forward progress in case they can not provide + * a descriptor +diff --git a/drivers/acpi/acpica/evxfevnt.c b/drivers/acpi/acpica/evxfevnt.c +index faad911d46b5..fe425951b2d1 100644 +--- a/drivers/acpi/acpica/evxfevnt.c ++++ b/drivers/acpi/acpica/evxfevnt.c +@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event, u32 flags) + + ACPI_FUNCTION_TRACE(acpi_enable_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event, u32 flags) + + ACPI_FUNCTION_TRACE(acpi_disable_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event) + + ACPI_FUNCTION_TRACE(acpi_clear_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c +index 2f5ddd806c58..7a09290628ec 100644 +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -118,6 +118,9 @@ static acpi_status acpi_ps_get_aml_opcode(struct acpi_walk_state *walk_state) + (u32)(walk_state->aml_offset + + sizeof(struct acpi_table_header))); + ++ ACPI_ERROR((AE_INFO, ++ "Aborting disassembly, AML byte code is corrupt")); ++ + /* Dump the context surrounding the invalid opcode */ + + acpi_ut_dump_buffer(((u8 *)walk_state->parser_state. +@@ -126,6 +129,14 @@ static acpi_status acpi_ps_get_aml_opcode(struct acpi_walk_state *walk_state) + sizeof(struct acpi_table_header) - + 16)); + acpi_os_printf(" */\n"); ++ ++ /* ++ * Just abort the disassembly, cannot continue because the ++ * parser is essentially lost. The disassembler can then ++ * randomly fail because an ill-constructed parse tree ++ * can result. ++ */ ++ return_ACPI_STATUS(AE_AML_BAD_OPCODE); + #endif + } + +@@ -290,6 +301,9 @@ acpi_ps_create_op(struct acpi_walk_state *walk_state, + if (status == AE_CTRL_PARSE_CONTINUE) { + return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE); + } ++ if (ACPI_FAILURE(status)) { ++ return_ACPI_STATUS(status); ++ } + + /* Create Op structure and append to parent's argument list */ + +diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c +index b1def411c0b8..7249ba6b511f 100644 +--- a/drivers/acpi/pci_irq.c ++++ b/drivers/acpi/pci_irq.c +@@ -136,9 +136,6 @@ static void do_prt_fixups(struct acpi_prt_entry *entry, + quirk = &prt_quirks[i]; + + /* All current quirks involve link devices, not GSIs */ +- if (!prt->source) +- continue; +- + if (dmi_check_system(quirk->system) && + entry->id.segment == quirk->segment && + entry->id.bus == quirk->bus && +diff --git a/drivers/acpi/pmic/intel_pmic_xpower.c b/drivers/acpi/pmic/intel_pmic_xpower.c +index 6a082d4de12c..24a793957bc0 100644 +--- a/drivers/acpi/pmic/intel_pmic_xpower.c ++++ b/drivers/acpi/pmic/intel_pmic_xpower.c +@@ -28,97 +28,97 @@ static struct pmic_table power_table[] = { + .address = 0x00, + .reg = 0x13, + .bit = 0x05, +- }, ++ }, /* ALD1 */ + { + .address = 0x04, + .reg = 0x13, + .bit = 0x06, +- }, ++ }, /* ALD2 */ + { + .address = 0x08, + .reg = 0x13, + .bit = 0x07, +- }, ++ }, /* ALD3 */ + { + .address = 0x0c, + .reg = 0x12, + .bit = 0x03, +- }, ++ }, /* DLD1 */ + { + .address = 0x10, + .reg = 0x12, + .bit = 0x04, +- }, ++ }, /* DLD2 */ + { + .address = 0x14, + .reg = 0x12, + .bit = 0x05, +- }, ++ }, /* DLD3 */ + { + .address = 0x18, + .reg = 0x12, + .bit = 0x06, +- }, ++ }, /* DLD4 */ + { + .address = 0x1c, + .reg = 0x12, + .bit = 0x00, +- }, ++ }, /* ELD1 */ + { + .address = 0x20, + .reg = 0x12, + .bit = 0x01, +- }, ++ }, /* ELD2 */ + { + .address = 0x24, + .reg = 0x12, + .bit = 0x02, +- }, ++ }, /* ELD3 */ + { + .address = 0x28, + .reg = 0x13, + .bit = 0x02, +- }, ++ }, /* FLD1 */ + { + .address = 0x2c, + .reg = 0x13, + .bit = 0x03, +- }, ++ }, /* FLD2 */ + { + .address = 0x30, + .reg = 0x13, + .bit = 0x04, +- }, ++ }, /* FLD3 */ + { +- .address = 0x38, ++ .address = 0x34, + .reg = 0x10, + .bit = 0x03, +- }, ++ }, /* BUC1 */ + { +- .address = 0x3c, ++ .address = 0x38, + .reg = 0x10, + .bit = 0x06, +- }, ++ }, /* BUC2 */ + { +- .address = 0x40, ++ .address = 0x3c, + .reg = 0x10, + .bit = 0x05, +- }, ++ }, /* BUC3 */ + { +- .address = 0x44, ++ .address = 0x40, + .reg = 0x10, + .bit = 0x04, +- }, ++ }, /* BUC4 */ + { +- .address = 0x48, ++ .address = 0x44, + .reg = 0x10, + .bit = 0x01, +- }, ++ }, /* BUC5 */ + { +- .address = 0x4c, ++ .address = 0x48, + .reg = 0x10, + .bit = 0x00 +- }, ++ }, /* BUC6 */ + }; + + /* TMP0 - TMP5 are the same, all from GPADC */ +diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c +index d9f71581b79b..bdc3063f694d 100644 +--- a/drivers/acpi/processor_driver.c ++++ b/drivers/acpi/processor_driver.c +@@ -231,11 +231,16 @@ static int __acpi_processor_start(struct acpi_device *device) + static int acpi_processor_start(struct device *dev) + { + struct acpi_device *device = ACPI_COMPANION(dev); ++ int ret; + + if (!device) + return -ENODEV; + +- return __acpi_processor_start(device); ++ /* Protect against concurrent CPU hotplug operations */ ++ get_online_cpus(); ++ ret = __acpi_processor_start(device); ++ put_online_cpus(); ++ return ret; + } + + static int acpi_processor_stop(struct device *dev) +diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c +index f3df4b5e5fc9..cd7398b7aa67 100644 +--- a/drivers/acpi/processor_throttling.c ++++ b/drivers/acpi/processor_throttling.c +@@ -66,8 +66,8 @@ struct acpi_processor_throttling_arg { + #define THROTTLING_POSTCHANGE (2) + + static int acpi_processor_get_throttling(struct acpi_processor *pr); +-int acpi_processor_set_throttling(struct acpi_processor *pr, +- int state, bool force); ++static int __acpi_processor_set_throttling(struct acpi_processor *pr, ++ int state, bool force, bool direct); + + static int acpi_processor_update_tsd_coord(void) + { +@@ -895,7 +895,8 @@ static int acpi_processor_get_throttling_ptc(struct acpi_processor *pr) + ACPI_DEBUG_PRINT((ACPI_DB_INFO, + "Invalid throttling state, reset\n")); + state = 0; +- ret = acpi_processor_set_throttling(pr, state, true); ++ ret = __acpi_processor_set_throttling(pr, state, true, ++ true); + if (ret) + return ret; + } +@@ -905,36 +906,31 @@ static int acpi_processor_get_throttling_ptc(struct acpi_processor *pr) + return 0; + } + +-static int acpi_processor_get_throttling(struct acpi_processor *pr) ++static long __acpi_processor_get_throttling(void *data) + { +- cpumask_var_t saved_mask; +- int ret; ++ struct acpi_processor *pr = data; ++ ++ return pr->throttling.acpi_processor_get_throttling(pr); ++} + ++static int acpi_processor_get_throttling(struct acpi_processor *pr) ++{ + if (!pr) + return -EINVAL; + + if (!pr->flags.throttling) + return -ENODEV; + +- if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL)) +- return -ENOMEM; +- + /* +- * Migrate task to the cpu pointed by pr. ++ * This is either called from the CPU hotplug callback of ++ * processor_driver or via the ACPI probe function. In the latter ++ * case the CPU is not guaranteed to be online. Both call sites are ++ * protected against CPU hotplug. + */ +- cpumask_copy(saved_mask, ¤t->cpus_allowed); +- /* FIXME: use work_on_cpu() */ +- if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) { +- /* Can't migrate to the target pr->id CPU. Exit */ +- free_cpumask_var(saved_mask); ++ if (!cpu_online(pr->id)) + return -ENODEV; +- } +- ret = pr->throttling.acpi_processor_get_throttling(pr); +- /* restore the previous state */ +- set_cpus_allowed_ptr(current, saved_mask); +- free_cpumask_var(saved_mask); + +- return ret; ++ return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr); + } + + static int acpi_processor_get_fadt_info(struct acpi_processor *pr) +@@ -1084,8 +1080,15 @@ static long acpi_processor_throttling_fn(void *data) + arg->target_state, arg->force); + } + +-int acpi_processor_set_throttling(struct acpi_processor *pr, +- int state, bool force) ++static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct) ++{ ++ if (direct) ++ return fn(arg); ++ return work_on_cpu(cpu, fn, arg); ++} ++ ++static int __acpi_processor_set_throttling(struct acpi_processor *pr, ++ int state, bool force, bool direct) + { + int ret = 0; + unsigned int i; +@@ -1134,7 +1137,8 @@ int acpi_processor_set_throttling(struct acpi_processor *pr, + arg.pr = pr; + arg.target_state = state; + arg.force = force; +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg); ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg, ++ direct); + } else { + /* + * When the T-state coordination is SW_ALL or HW_ALL, +@@ -1167,8 +1171,8 @@ int acpi_processor_set_throttling(struct acpi_processor *pr, + arg.pr = match_pr; + arg.target_state = state; + arg.force = force; +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, +- &arg); ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, ++ &arg, direct); + } + } + /* +@@ -1186,6 +1190,12 @@ int acpi_processor_set_throttling(struct acpi_processor *pr, + return ret; + } + ++int acpi_processor_set_throttling(struct acpi_processor *pr, int state, ++ bool force) ++{ ++ return __acpi_processor_set_throttling(pr, state, force, false); ++} ++ + int acpi_processor_get_throttling_info(struct acpi_processor *pr) + { + int result = 0; +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index f0099360039e..1accc01fb0ca 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -68,11 +68,12 @@ static ssize_t driver_override_show(struct device *_dev, + struct device_attribute *attr, char *buf) + { + struct amba_device *dev = to_amba_device(_dev); ++ ssize_t len; + +- if (!dev->driver_override) +- return 0; +- +- return sprintf(buf, "%s\n", dev->driver_override); ++ device_lock(_dev); ++ len = sprintf(buf, "%s\n", dev->driver_override); ++ device_unlock(_dev); ++ return len; + } + + static ssize_t driver_override_store(struct device *_dev, +@@ -80,9 +81,10 @@ static ssize_t driver_override_store(struct device *_dev, + const char *buf, size_t count) + { + struct amba_device *dev = to_amba_device(_dev); +- char *driver_override, *old = dev->driver_override, *cp; ++ char *driver_override, *old, *cp; + +- if (count > PATH_MAX) ++ /* We need to keep extra room for a newline */ ++ if (count >= (PAGE_SIZE - 1)) + return -EINVAL; + + driver_override = kstrndup(buf, count, GFP_KERNEL); +@@ -93,12 +95,15 @@ static ssize_t driver_override_store(struct device *_dev, + if (cp) + *cp = '\0'; + ++ device_lock(_dev); ++ old = dev->driver_override; + if (strlen(driver_override)) { + dev->driver_override = driver_override; + } else { + kfree(driver_override); + dev->driver_override = NULL; + } ++ device_unlock(_dev); + + kfree(old); + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 3b0cebb2122b..19733cdcd45c 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -542,7 +542,9 @@ static const struct pci_device_id ahci_pci_tbl[] = { + .driver_data = board_ahci_yes_fbs }, + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), + .driver_data = board_ahci_yes_fbs }, +- { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), ++ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */ ++ .driver_data = board_ahci_yes_fbs }, ++ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0645), /* highpoint rocketraid 644L */ + .driver_data = board_ahci_yes_fbs }, + + /* Promise */ +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index d89305d289f6..cf7fdb79c992 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -514,8 +514,9 @@ int ahci_platform_init_host(struct platform_device *pdev, + + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { +- dev_err(dev, "no irq\n"); +- return -EINVAL; ++ if (irq != -EPROBE_DEFER) ++ dev_err(dev, "no irq\n"); ++ return irq; + } + + /* prepare host */ +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index b31d6853ba7a..accad0598253 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4226,6 +4226,28 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* Crucial BX100 SSD 500GB has broken LPM support */ ++ { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM }, ++ ++ /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */ ++ { "Crucial_CT512MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ /* 512GB MX100 with newer firmware has only LPM issues */ ++ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ ++ /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */ ++ { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ { "Crucial_CT960M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ ++ /* Sandisk devices which are known to not handle LPM well */ ++ { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +@@ -4237,7 +4259,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +- { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ { "Samsung SSD 840*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM, }, ++ { "Samsung SSD 850*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +@@ -5078,8 +5102,7 @@ void ata_qc_issue(struct ata_queued_cmd *qc) + * We guarantee to LLDs that they will have at least one + * non-zero sg if the command is a data command. + */ +- if (WARN_ON_ONCE(ata_is_data(prot) && +- (!qc->sg || !qc->n_elem || !qc->nbytes))) ++ if (ata_is_data(prot) && (!qc->sg || !qc->n_elem || !qc->nbytes)) + goto sys_err; + + if (ata_is_dma(prot) || (ata_is_pio(prot) && +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 4d4cdade9d7e..c471bb8637f9 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3465,7 +3465,9 @@ static inline int __ata_scsi_queuecmd(struct scsi_cmnd *scmd, + if (likely((scsi_op != ATA_16) || !atapi_passthru16)) { + /* relay SCSI command to ATAPI device */ + int len = COMMAND_SIZE(scsi_op); +- if (unlikely(len > scmd->cmd_len || len > dev->cdb_len)) ++ if (unlikely(len > scmd->cmd_len || ++ len > dev->cdb_len || ++ scmd->cmd_len > ATAPI_CDB_LEN)) + goto bad_cdb_len; + + xlat_func = atapi_xlat; +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 9e72be28ee9f..53d22cc3cd3e 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -471,6 +471,9 @@ static int loop_switch(struct loop_device *lo, struct file *file) + */ + static int loop_flush(struct loop_device *lo) + { ++ /* loop not yet configured, no running thread, nothing to flush */ ++ if (lo->lo_state != Lo_bound) ++ return 0; + return loop_switch(lo, NULL); + } + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 32f5b87fe93c..68a92550b4cd 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -203,7 +203,6 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, +- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, +@@ -236,6 +235,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, + + /* QCA ROME chipset */ ++ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME }, +diff --git a/drivers/bus/brcmstb_gisb.c b/drivers/bus/brcmstb_gisb.c +index 738612c45266..8f78990205ec 100644 +--- a/drivers/bus/brcmstb_gisb.c ++++ b/drivers/bus/brcmstb_gisb.c +@@ -33,8 +33,6 @@ + #define ARB_ERR_CAP_CLEAR (1 << 0) + #define ARB_ERR_CAP_STATUS_TIMEOUT (1 << 12) + #define ARB_ERR_CAP_STATUS_TEA (1 << 11) +-#define ARB_ERR_CAP_STATUS_BS_SHIFT (1 << 2) +-#define ARB_ERR_CAP_STATUS_BS_MASK 0x3c + #define ARB_ERR_CAP_STATUS_WRITE (1 << 1) + #define ARB_ERR_CAP_STATUS_VALID (1 << 0) + +@@ -43,7 +41,6 @@ enum { + ARB_ERR_CAP_CLR, + ARB_ERR_CAP_HI_ADDR, + ARB_ERR_CAP_ADDR, +- ARB_ERR_CAP_DATA, + ARB_ERR_CAP_STATUS, + ARB_ERR_CAP_MASTER, + }; +@@ -53,7 +50,6 @@ static const int gisb_offsets_bcm7038[] = { + [ARB_ERR_CAP_CLR] = 0x0c4, + [ARB_ERR_CAP_HI_ADDR] = -1, + [ARB_ERR_CAP_ADDR] = 0x0c8, +- [ARB_ERR_CAP_DATA] = 0x0cc, + [ARB_ERR_CAP_STATUS] = 0x0d0, + [ARB_ERR_CAP_MASTER] = -1, + }; +@@ -63,7 +59,6 @@ static const int gisb_offsets_bcm7400[] = { + [ARB_ERR_CAP_CLR] = 0x0c8, + [ARB_ERR_CAP_HI_ADDR] = -1, + [ARB_ERR_CAP_ADDR] = 0x0cc, +- [ARB_ERR_CAP_DATA] = 0x0d0, + [ARB_ERR_CAP_STATUS] = 0x0d4, + [ARB_ERR_CAP_MASTER] = 0x0d8, + }; +@@ -73,7 +68,6 @@ static const int gisb_offsets_bcm7435[] = { + [ARB_ERR_CAP_CLR] = 0x168, + [ARB_ERR_CAP_HI_ADDR] = -1, + [ARB_ERR_CAP_ADDR] = 0x16c, +- [ARB_ERR_CAP_DATA] = 0x170, + [ARB_ERR_CAP_STATUS] = 0x174, + [ARB_ERR_CAP_MASTER] = 0x178, + }; +@@ -83,7 +77,6 @@ static const int gisb_offsets_bcm7445[] = { + [ARB_ERR_CAP_CLR] = 0x7e4, + [ARB_ERR_CAP_HI_ADDR] = 0x7e8, + [ARB_ERR_CAP_ADDR] = 0x7ec, +- [ARB_ERR_CAP_DATA] = 0x7f0, + [ARB_ERR_CAP_STATUS] = 0x7f4, + [ARB_ERR_CAP_MASTER] = 0x7f8, + }; +@@ -104,13 +97,27 @@ static u32 gisb_read(struct brcmstb_gisb_arb_device *gdev, int reg) + { + int offset = gdev->gisb_offsets[reg]; + +- /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */ +- if (offset == -1) +- return 1; ++ if (offset < 0) { ++ /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */ ++ if (reg == ARB_ERR_CAP_MASTER) ++ return 1; ++ else ++ return 0; ++ } + + return ioread32(gdev->base + offset); + } + ++static u64 gisb_read_address(struct brcmstb_gisb_arb_device *gdev) ++{ ++ u64 value; ++ ++ value = gisb_read(gdev, ARB_ERR_CAP_ADDR); ++ value |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32; ++ ++ return value; ++} ++ + static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg) + { + int offset = gdev->gisb_offsets[reg]; +@@ -173,7 +180,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev, + const char *reason) + { + u32 cap_status; +- unsigned long arb_addr; ++ u64 arb_addr; + u32 master; + const char *m_name; + char m_fmt[11]; +@@ -185,10 +192,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev, + return 1; + + /* Read the address and master */ +- arb_addr = gisb_read(gdev, ARB_ERR_CAP_ADDR) & 0xffffffff; +-#if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT)) +- arb_addr |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32; +-#endif ++ arb_addr = gisb_read_address(gdev); + master = gisb_read(gdev, ARB_ERR_CAP_MASTER); + + m_name = brcmstb_gisb_master_to_str(gdev, master); +@@ -197,7 +201,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev, + m_name = m_fmt; + } + +- pr_crit("%s: %s at 0x%lx [%c %s], core: %s\n", ++ pr_crit("%s: %s at 0x%llx [%c %s], core: %s\n", + __func__, reason, arb_addr, + cap_status & ARB_ERR_CAP_STATUS_WRITE ? 'W' : 'R', + cap_status & ARB_ERR_CAP_STATUS_TIMEOUT ? "timeout" : "", +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 5d28a45d2960..3922ce87c2e4 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2357,7 +2357,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, + if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) + return media_changed(cdi, 1); + +- if ((unsigned int)arg >= cdi->capacity) ++ if (arg >= cdi->capacity) + return -EINVAL; + + info = kmalloc(sizeof(*info), GFP_KERNEL); +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index c6dea3f6917b..b38e31221a7e 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -859,6 +859,8 @@ void intel_gtt_insert_sg_entries(struct sg_table *st, + } + } + wmb(); ++ if (intel_private.driver->chipset_flush) ++ intel_private.driver->chipset_flush(); + } + EXPORT_SYMBOL(intel_gtt_insert_sg_entries); + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index 9156bbd90b56..0166be52aacb 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -408,6 +408,7 @@ static void start_event_fetch(struct ssif_info *ssif_info, unsigned long *flags) + msg = ipmi_alloc_smi_msg(); + if (!msg) { + ssif_info->ssif_state = SSIF_NORMAL; ++ ipmi_ssif_unlock_cond(ssif_info, flags); + return; + } + +@@ -430,6 +431,7 @@ static void start_recv_msg_fetch(struct ssif_info *ssif_info, + msg = ipmi_alloc_smi_msg(); + if (!msg) { + ssif_info->ssif_state = SSIF_NORMAL; ++ ipmi_ssif_unlock_cond(ssif_info, flags); + return; + } + +diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c +index f335fcee09af..0109d3fb5fbc 100644 +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -509,7 +509,7 @@ static void panic_halt_ipmi_heartbeat(void) + msg.cmd = IPMI_WDOG_RESET_TIMER; + msg.data = NULL; + msg.data_len = 0; +- atomic_add(2, &panic_done_count); ++ atomic_add(1, &panic_done_count); + rv = ipmi_request_supply_msgs(watchdog_user, + (struct ipmi_addr *) &addr, + 0, +@@ -519,7 +519,7 @@ static void panic_halt_ipmi_heartbeat(void) + &panic_halt_heartbeat_recv_msg, + 1); + if (rv) +- atomic_sub(2, &panic_done_count); ++ atomic_sub(1, &panic_done_count); + } + + static struct ipmi_smi_msg panic_halt_smi_msg = { +@@ -543,12 +543,12 @@ static void panic_halt_ipmi_set_timeout(void) + /* Wait for the messages to be free. */ + while (atomic_read(&panic_done_count) != 0) + ipmi_poll_interface(watchdog_user); +- atomic_add(2, &panic_done_count); ++ atomic_add(1, &panic_done_count); + rv = i_ipmi_set_timeout(&panic_halt_smi_msg, + &panic_halt_recv_msg, + &send_heartbeat_now); + if (rv) { +- atomic_sub(2, &panic_done_count); ++ atomic_sub(1, &panic_done_count); + printk(KERN_WARNING PFX + "Unable to extend the watchdog timeout."); + } else { +diff --git a/drivers/char/random.c b/drivers/char/random.c +index d55156fc064d..4ba5c7e4e254 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -704,7 +704,7 @@ retry: + + static void credit_entropy_bits_safe(struct entropy_store *r, int nbits) + { +- const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1)); ++ const int nbits_max = r->poolinfo->poolwords * 32; + + /* Cap the value to avoid overflows */ + nbits = min(nbits, nbits_max); +@@ -863,12 +863,16 @@ static void add_interrupt_bench(cycles_t start) + static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs) + { + __u32 *ptr = (__u32 *) regs; ++ unsigned int idx; + + if (regs == NULL) + return 0; +- if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32)) +- f->reg_idx = 0; +- return *(ptr + f->reg_idx++); ++ idx = READ_ONCE(f->reg_idx); ++ if (idx >= sizeof(struct pt_regs) / sizeof(__u32)) ++ idx = 0; ++ ptr += idx++; ++ WRITE_ONCE(f->reg_idx, idx); ++ return *ptr; + } + + void add_interrupt_randomness(int irq, int irq_flags) +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c +index 5809567d3cf0..d696e5c3d079 100644 +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -283,7 +283,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) + static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count) + { + int size = 0; +- int expected, status; ++ int status; ++ u32 expected; + + if (count < TPM_HEADER_SIZE) { + size = -EIO; +@@ -298,7 +299,7 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count) + } + + expected = be32_to_cpu(*(__be32 *) (buf + 2)); +- if (expected > count) { ++ if (expected > count || expected < TPM_HEADER_SIZE) { + size = -EIO; + goto out; + } +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 374b0006aa7a..a7adfc633db9 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1399,7 +1399,6 @@ static int add_port(struct ports_device *portdev, u32 id) + { + char debugfs_name[16]; + struct port *port; +- struct port_buffer *buf; + dev_t devt; + unsigned int nr_added_bufs; + int err; +@@ -1510,8 +1509,6 @@ static int add_port(struct ports_device *portdev, u32 id) + return 0; + + free_inbufs: +- while ((buf = virtqueue_detach_unused_buf(port->in_vq))) +- free_buf(buf, true); + free_device: + device_destroy(pdrvdata.class, port->dev->devt); + free_cdev: +@@ -1536,34 +1533,14 @@ static void remove_port(struct kref *kref) + + static void remove_port_data(struct port *port) + { +- struct port_buffer *buf; +- + spin_lock_irq(&port->inbuf_lock); + /* Remove unused data this port might have received. */ + discard_port_data(port); + spin_unlock_irq(&port->inbuf_lock); + +- /* Remove buffers we queued up for the Host to send us data in. */ +- do { +- spin_lock_irq(&port->inbuf_lock); +- buf = virtqueue_detach_unused_buf(port->in_vq); +- spin_unlock_irq(&port->inbuf_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); +- + spin_lock_irq(&port->outvq_lock); + reclaim_consumed_buffers(port); + spin_unlock_irq(&port->outvq_lock); +- +- /* Free pending buffers from the out-queue. */ +- do { +- spin_lock_irq(&port->outvq_lock); +- buf = virtqueue_detach_unused_buf(port->out_vq); +- spin_unlock_irq(&port->outvq_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); + } + + /* +@@ -1788,13 +1765,24 @@ static void control_work_handler(struct work_struct *work) + spin_unlock(&portdev->c_ivq_lock); + } + ++static void flush_bufs(struct virtqueue *vq, bool can_sleep) ++{ ++ struct port_buffer *buf; ++ unsigned int len; ++ ++ while ((buf = virtqueue_get_buf(vq, &len))) ++ free_buf(buf, can_sleep); ++} ++ + static void out_intr(struct virtqueue *vq) + { + struct port *port; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + wake_up_interruptible(&port->waitqueue); + } +@@ -1805,8 +1793,10 @@ static void in_intr(struct virtqueue *vq) + unsigned long flags; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + spin_lock_irqsave(&port->inbuf_lock, flags); + port->inbuf = get_inbuf(port); +@@ -1981,6 +1971,15 @@ static const struct file_operations portdev_fops = { + + static void remove_vqs(struct ports_device *portdev) + { ++ struct virtqueue *vq; ++ ++ virtio_device_for_each_vq(portdev->vdev, vq) { ++ struct port_buffer *buf; ++ ++ flush_bufs(vq, true); ++ while ((buf = virtqueue_detach_unused_buf(vq))) ++ free_buf(buf, true); ++ } + portdev->vdev->config->del_vqs(portdev->vdev); + kfree(portdev->in_vqs); + kfree(portdev->out_vqs); +diff --git a/drivers/clk/clk-si5351.c b/drivers/clk/clk-si5351.c +index 30335d3b99af..9db6d57f7ccc 100644 +--- a/drivers/clk/clk-si5351.c ++++ b/drivers/clk/clk-si5351.c +@@ -72,7 +72,7 @@ static const char * const si5351_input_names[] = { + "xtal", "clkin" + }; + static const char * const si5351_pll_names[] = { +- "plla", "pllb", "vxco" ++ "si5351_plla", "si5351_pllb", "si5351_vxco" + }; + static const char * const si5351_msynth_names[] = { + "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7" +diff --git a/drivers/clk/mvebu/armada-38x.c b/drivers/clk/mvebu/armada-38x.c +index 8bccf4ecdab6..9ff4ea63932d 100644 +--- a/drivers/clk/mvebu/armada-38x.c ++++ b/drivers/clk/mvebu/armada-38x.c +@@ -46,10 +46,11 @@ static u32 __init armada_38x_get_tclk_freq(void __iomem *sar) + } + + static const u32 armada_38x_cpu_frequencies[] __initconst = { +- 0, 0, 0, 0, +- 1066 * 1000 * 1000, 0, 0, 0, ++ 666 * 1000 * 1000, 0, 800 * 1000 * 1000, 0, ++ 1066 * 1000 * 1000, 0, 1200 * 1000 * 1000, 0, + 1332 * 1000 * 1000, 0, 0, 0, +- 1600 * 1000 * 1000, ++ 1600 * 1000 * 1000, 0, 0, 0, ++ 1866 * 1000 * 1000, 0, 0, 2000 * 1000 * 1000, + }; + + static u32 __init armada_38x_get_cpu_freq(void __iomem *sar) +@@ -75,11 +76,11 @@ static const struct coreclk_ratio armada_38x_coreclk_ratios[] __initconst = { + }; + + static const int armada_38x_cpu_l2_ratios[32][2] __initconst = { +- {0, 1}, {0, 1}, {0, 1}, {0, 1}, +- {1, 2}, {0, 1}, {0, 1}, {0, 1}, ++ {1, 2}, {0, 1}, {1, 2}, {0, 1}, ++ {1, 2}, {0, 1}, {1, 2}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, +- {0, 1}, {0, 1}, {0, 1}, {0, 1}, ++ {1, 2}, {0, 1}, {0, 1}, {1, 2}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, +@@ -90,7 +91,7 @@ static const int armada_38x_cpu_ddr_ratios[32][2] __initconst = { + {1, 2}, {0, 1}, {0, 1}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, +- {0, 1}, {0, 1}, {0, 1}, {0, 1}, ++ {1, 2}, {0, 1}, {0, 1}, {7, 15}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, +diff --git a/drivers/cpufreq/sh-cpufreq.c b/drivers/cpufreq/sh-cpufreq.c +index 86628e22b2a3..719c3d9f07fb 100644 +--- a/drivers/cpufreq/sh-cpufreq.c ++++ b/drivers/cpufreq/sh-cpufreq.c +@@ -30,54 +30,63 @@ + + static DEFINE_PER_CPU(struct clk, sh_cpuclk); + ++struct cpufreq_target { ++ struct cpufreq_policy *policy; ++ unsigned int freq; ++}; ++ + static unsigned int sh_cpufreq_get(unsigned int cpu) + { + return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000; + } + +-/* +- * Here we notify other drivers of the proposed change and the final change. +- */ +-static int sh_cpufreq_target(struct cpufreq_policy *policy, +- unsigned int target_freq, +- unsigned int relation) ++static long __sh_cpufreq_target(void *arg) + { +- unsigned int cpu = policy->cpu; ++ struct cpufreq_target *target = arg; ++ struct cpufreq_policy *policy = target->policy; ++ int cpu = policy->cpu; + struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu); +- cpumask_t cpus_allowed; + struct cpufreq_freqs freqs; + struct device *dev; + long freq; + +- cpus_allowed = current->cpus_allowed; +- set_cpus_allowed_ptr(current, cpumask_of(cpu)); +- +- BUG_ON(smp_processor_id() != cpu); ++ if (smp_processor_id() != cpu) ++ return -ENODEV; + + dev = get_cpu_device(cpu); + + /* Convert target_freq from kHz to Hz */ +- freq = clk_round_rate(cpuclk, target_freq * 1000); ++ freq = clk_round_rate(cpuclk, target->freq * 1000); + + if (freq < (policy->min * 1000) || freq > (policy->max * 1000)) + return -EINVAL; + +- dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000); ++ dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000); + + freqs.old = sh_cpufreq_get(cpu); + freqs.new = (freq + 500) / 1000; + freqs.flags = 0; + +- cpufreq_freq_transition_begin(policy, &freqs); +- set_cpus_allowed_ptr(current, &cpus_allowed); ++ cpufreq_freq_transition_begin(target->policy, &freqs); + clk_set_rate(cpuclk, freq); +- cpufreq_freq_transition_end(policy, &freqs, 0); ++ cpufreq_freq_transition_end(target->policy, &freqs, 0); + + dev_dbg(dev, "set frequency %lu Hz\n", freq); +- + return 0; + } + ++/* ++ * Here we notify other drivers of the proposed change and the final change. ++ */ ++static int sh_cpufreq_target(struct cpufreq_policy *policy, ++ unsigned int target_freq, ++ unsigned int relation) ++{ ++ struct cpufreq_target data = { .policy = policy, .freq = target_freq }; ++ ++ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data); ++} ++ + static int sh_cpufreq_verify(struct cpufreq_policy *policy) + { + struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu); +diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c +index a5c111b67f37..ea11a33e7fff 100644 +--- a/drivers/cpuidle/dt_idle_states.c ++++ b/drivers/cpuidle/dt_idle_states.c +@@ -174,8 +174,10 @@ int dt_init_idle_driver(struct cpuidle_driver *drv, + if (!state_node) + break; + +- if (!of_device_is_available(state_node)) ++ if (!of_device_is_available(state_node)) { ++ of_node_put(state_node); + continue; ++ } + + if (!idle_state_valid(state_node, i, cpumask)) { + pr_warn("%s idle state not valid, bailing out\n", +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index c5e6c82516ce..e4b4c5c07037 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1003,10 +1003,10 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie, + for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) { + check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc; + rmb(); +- initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD); +- rmb(); + cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC); + rmb(); ++ initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD); ++ rmb(); + cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc; + rmb(); + +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c +index 62bbd79338e0..348259b0db52 100644 +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1503,17 +1503,24 @@ static int sdma_probe(struct platform_device *pdev) + if (IS_ERR(sdma->clk_ahb)) + return PTR_ERR(sdma->clk_ahb); + +- clk_prepare(sdma->clk_ipg); +- clk_prepare(sdma->clk_ahb); ++ ret = clk_prepare(sdma->clk_ipg); ++ if (ret) ++ return ret; ++ ++ ret = clk_prepare(sdma->clk_ahb); ++ if (ret) ++ goto err_clk; + + ret = devm_request_irq(&pdev->dev, irq, sdma_int_handler, 0, "sdma", + sdma); + if (ret) +- return ret; ++ goto err_irq; + + sdma->script_addrs = kzalloc(sizeof(*sdma->script_addrs), GFP_KERNEL); +- if (!sdma->script_addrs) +- return -ENOMEM; ++ if (!sdma->script_addrs) { ++ ret = -ENOMEM; ++ goto err_irq; ++ } + + /* initially no scripts available */ + saddr_arr = (s32 *)sdma->script_addrs; +@@ -1618,6 +1625,10 @@ err_register: + dma_async_device_unregister(&sdma->dma_device); + err_init: + kfree(sdma->script_addrs); ++err_irq: ++ clk_unprepare(sdma->clk_ahb); ++err_clk: ++ clk_unprepare(sdma->clk_ipg); + return ret; + } + +@@ -1628,6 +1639,8 @@ static int sdma_remove(struct platform_device *pdev) + + dma_async_device_unregister(&sdma->dma_device); + kfree(sdma->script_addrs); ++ clk_unprepare(sdma->clk_ahb); ++ clk_unprepare(sdma->clk_ipg); + /* Kill the tasklet */ + for (i = 0; i < MAX_DMA_CHANNELS; i++) { + struct sdma_channel *sdmac = &sdma->channel[i]; +diff --git a/drivers/edac/mv64x60_edac.c b/drivers/edac/mv64x60_edac.c +index 0574e1bbe45c..3ce5609b4611 100644 +--- a/drivers/edac/mv64x60_edac.c ++++ b/drivers/edac/mv64x60_edac.c +@@ -763,7 +763,7 @@ static int mv64x60_mc_err_probe(struct platform_device *pdev) + /* Non-ECC RAM? */ + printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__); + res = -ENODEV; +- goto err2; ++ goto err; + } + + edac_dbg(3, "init mci\n"); +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 95752d38b7fe..2ce21d9340cd 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1998,7 +1998,8 @@ struct gpio_desc *__must_check __gpiod_get_index(struct device *dev, + return desc; + } + +- status = gpiod_request(desc, con_id); ++ /* If a connection label was passed use that, else use the device name as label */ ++ status = gpiod_request(desc, con_id ? con_id : dev_name(dev)); + if (status < 0) + return ERR_PTR(status); + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +index c25728bc388a..fc924d375d95 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -519,11 +519,17 @@ static ssize_t sysprops_show(struct kobject *kobj, struct attribute *attr, + return ret; + } + ++static void kfd_topology_kobj_release(struct kobject *kobj) ++{ ++ kfree(kobj); ++} ++ + static const struct sysfs_ops sysprops_ops = { + .show = sysprops_show, + }; + + static struct kobj_type sysprops_type = { ++ .release = kfd_topology_kobj_release, + .sysfs_ops = &sysprops_ops, + }; + +@@ -559,6 +565,7 @@ static const struct sysfs_ops iolink_ops = { + }; + + static struct kobj_type iolink_type = { ++ .release = kfd_topology_kobj_release, + .sysfs_ops = &iolink_ops, + }; + +@@ -586,6 +593,7 @@ static const struct sysfs_ops mem_ops = { + }; + + static struct kobj_type mem_type = { ++ .release = kfd_topology_kobj_release, + .sysfs_ops = &mem_ops, + }; + +@@ -625,6 +633,7 @@ static const struct sysfs_ops cache_ops = { + }; + + static struct kobj_type cache_type = { ++ .release = kfd_topology_kobj_release, + .sysfs_ops = &cache_ops, + }; + +@@ -747,6 +756,7 @@ static const struct sysfs_ops node_ops = { + }; + + static struct kobj_type node_type = { ++ .release = kfd_topology_kobj_release, + .sysfs_ops = &node_ops, + }; + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 53bc7a628909..27d5c7867e92 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -3103,8 +3103,7 @@ monitor_name(struct detailed_timing *t, void *data) + * @edid: EDID to parse + * + * Fill the ELD (EDID-Like Data) buffer for passing to the audio driver. The +- * Conn_Type, HDCP and Port_ID ELD fields are left for the graphics driver to +- * fill in. ++ * HDCP and Port_ID ELD fields are left for the graphics driver to fill in. + */ + void drm_edid_to_eld(struct drm_connector *connector, struct edid *edid) + { +@@ -3177,6 +3176,12 @@ void drm_edid_to_eld(struct drm_connector *connector, struct edid *edid) + } + eld[5] |= sad_count << 4; + ++ if (connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort || ++ connector->connector_type == DRM_MODE_CONNECTOR_eDP) ++ eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_CONN_TYPE_DP; ++ else ++ eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_CONN_TYPE_HDMI; ++ + eld[DRM_ELD_BASELINE_ELD_LEN] = + DIV_ROUND_UP(drm_eld_calc_baseline_block_size(eld), 4); + +diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c +index af9662e58272..5ab0f02a2ab1 100644 +--- a/drivers/gpu/drm/drm_irq.c ++++ b/drivers/gpu/drm/drm_irq.c +@@ -1090,9 +1090,9 @@ void drm_vblank_put(struct drm_device *dev, int crtc) + if (atomic_dec_and_test(&vblank->refcount)) { + if (drm_vblank_offdelay == 0) + return; +- else if (dev->vblank_disable_immediate || drm_vblank_offdelay < 0) ++ else if (drm_vblank_offdelay < 0) + vblank_disable_fn((unsigned long)vblank); +- else ++ else if (!dev->vblank_disable_immediate) + mod_timer(&vblank->disable_timer, + jiffies + ((drm_vblank_offdelay * HZ)/1000)); + } +@@ -1750,6 +1750,16 @@ bool drm_handle_vblank(struct drm_device *dev, int crtc) + wake_up(&vblank->queue); + drm_handle_vblank_events(dev, crtc); + ++ /* With instant-off, we defer disabling the interrupt until after ++ * we finish processing the following vblank. The disable has to ++ * be last (after drm_handle_vblank_events) so that the timestamp ++ * is always accurate. ++ */ ++ if (dev->vblank_disable_immediate && ++ drm_vblank_offdelay > 0 && ++ !atomic_read(&vblank->refcount)) ++ vblank_disable_fn((unsigned long)vblank); ++ + spin_unlock_irqrestore(&dev->event_lock, irqflags); + + return true; +diff --git a/drivers/gpu/drm/exynos/exynos_drm_gem.c b/drivers/gpu/drm/exynos/exynos_drm_gem.c +index 0d5b9698d384..e7d6139528ca 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c +@@ -241,6 +241,15 @@ struct exynos_drm_gem_obj *exynos_drm_gem_create(struct drm_device *dev, + + exynos_gem_obj->buffer = buf; + ++ if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) { ++ /* ++ * when no IOMMU is available, all allocated buffers are ++ * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag ++ */ ++ flags &= ~EXYNOS_BO_NONCONTIG; ++ DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n"); ++ } ++ + /* set memory type and cache attribute from user side. */ + exynos_gem_obj->flags = flags; + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 52839769eb6c..e101c2868734 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -89,14 +89,17 @@ static struct page **get_pages(struct drm_gem_object *obj) + return p; + } + ++ msm_obj->pages = p; ++ + msm_obj->sgt = drm_prime_pages_to_sg(p, npages); + if (IS_ERR(msm_obj->sgt)) { ++ void *ptr = ERR_CAST(msm_obj->sgt); ++ + dev_err(dev->dev, "failed to allocate sgt\n"); +- return ERR_CAST(msm_obj->sgt); ++ msm_obj->sgt = NULL; ++ return ptr; + } + +- msm_obj->pages = p; +- + /* For non-cached buffers, ensure the new pages are clean + * because display controller, GPU, etc. are not coherent: + */ +@@ -119,7 +122,10 @@ static void put_pages(struct drm_gem_object *obj) + if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) + dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, + msm_obj->sgt->nents, DMA_BIDIRECTIONAL); +- sg_free_table(msm_obj->sgt); ++ ++ if (msm_obj->sgt) ++ sg_free_table(msm_obj->sgt); ++ + kfree(msm_obj->sgt); + + if (use_pages(obj)) +diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +index 6e6634cd1d17..9eedb17a6b1b 100644 +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +@@ -287,7 +287,12 @@ static int dmm_txn_commit(struct dmm_txn *txn, bool wait) + msecs_to_jiffies(1))) { + dev_err(dmm->dev, "timed out waiting for done\n"); + ret = -ETIMEDOUT; ++ goto cleanup; + } ++ ++ /* Check the engine status before continue */ ++ ret = wait_status(engine, DMM_PATSTATUS_READY | ++ DMM_PATSTATUS_VALID | DMM_PATSTATUS_DONE); + } + + cleanup: +diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c +index e9718b99a8a9..ee43b48ded73 100644 +--- a/drivers/gpu/drm/omapdrm/omap_gem.c ++++ b/drivers/gpu/drm/omapdrm/omap_gem.c +@@ -158,7 +158,7 @@ static void evict_entry(struct drm_gem_object *obj, + size_t size = PAGE_SIZE * n; + loff_t off = mmap_offset(obj) + + (entry->obj_pgoff << PAGE_SHIFT); +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE); ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE); + + if (m > 1) { + int i; +@@ -415,7 +415,7 @@ static int fault_2d(struct drm_gem_object *obj, + * into account in some of the math, so figure out virtual stride + * in pages + */ +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE); ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE); + + /* We don't use vmf->pgoff since that has the fake offset: */ + pgoff = ((unsigned long)vmf->virtual_address - +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index 9f699e87320a..6806772f3647 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -89,25 +89,18 @@ void radeon_connector_hotplug(struct drm_connector *connector) + /* don't do anything if sink is not display port, i.e., + * passive dp->(dvi|hdmi) adaptor + */ +- if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT) { +- int saved_dpms = connector->dpms; +- /* Only turn off the display if it's physically disconnected */ +- if (!radeon_hpd_sense(rdev, radeon_connector->hpd.hpd)) { +- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF); +- } else if (radeon_dp_needs_link_train(radeon_connector)) { +- /* Don't try to start link training before we +- * have the dpcd */ +- if (!radeon_dp_getdpcd(radeon_connector)) +- return; +- +- /* set it to OFF so that drm_helper_connector_dpms() +- * won't return immediately since the current state +- * is ON at this point. +- */ +- connector->dpms = DRM_MODE_DPMS_OFF; +- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON); +- } +- connector->dpms = saved_dpms; ++ if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT && ++ radeon_hpd_sense(rdev, radeon_connector->hpd.hpd) && ++ radeon_dp_needs_link_train(radeon_connector)) { ++ /* Don't start link training before we have the DPCD */ ++ if (!radeon_dp_getdpcd(radeon_connector)) ++ return; ++ ++ /* Turn the connector off and back on immediately, which ++ * will trigger link training ++ */ ++ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF); ++ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON); + } + } + } +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 6743174acdbc..9dad7810d21b 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -1321,6 +1321,12 @@ radeon_user_framebuffer_create(struct drm_device *dev, + return ERR_PTR(-ENOENT); + } + ++ /* Handle is imported dma-buf, so cannot be migrated to VRAM for scanout */ ++ if (obj->import_attach) { ++ DRM_DEBUG_KMS("Cannot create framebuffer from imported dma_buf\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ + radeon_fb = kzalloc(sizeof(*radeon_fb), GFP_KERNEL); + if (radeon_fb == NULL) { + drm_gem_object_unreference_unlocked(obj); +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c +index 741065bd14b3..ad172473f047 100644 +--- a/drivers/gpu/drm/radeon/radeon_object.c ++++ b/drivers/gpu/drm/radeon/radeon_object.c +@@ -232,9 +232,10 @@ int radeon_bo_create(struct radeon_device *rdev, + * may be slow + * See https://bugs.freedesktop.org/show_bug.cgi?id=88758 + */ +- ++#ifndef CONFIG_COMPILE_TEST + #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \ + thanks to write-combining ++#endif + + DRM_INFO_ONCE("Please enable CONFIG_MTRR and CONFIG_X86_PAT for " + "better performance thanks to write-combining\n"); +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c +index 128bd66b8cb0..f11a37832d78 100644 +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -5895,9 +5895,9 @@ static void si_set_pcie_lane_width_in_smc(struct radeon_device *rdev, + { + u32 lane_width; + u32 new_lane_width = +- (radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT; ++ ((radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1; + u32 current_lane_width = +- (radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT; ++ ((radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1; + + if (new_lane_width != current_lane_width) { + radeon_set_pcie_lanes(rdev, new_lane_width); +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index cd8d183dcfe5..ccb26652198b 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) + { + unsigned long start = vma->vm_start; + unsigned long size = vma->vm_end - vma->vm_start; +- unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; ++ unsigned long offset; + unsigned long page, pos; + +- if (offset + size > info->fix.smem_len) ++ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) ++ return -EINVAL; ++ ++ offset = vma->vm_pgoff << PAGE_SHIFT; ++ ++ if (offset > info->fix.smem_len || size > info->fix.smem_len - offset) + return -EINVAL; + + pos = (unsigned long)info->fix.smem_start + offset; +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index d8638d8221ea..8331dfddbd2c 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1308,7 +1308,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags) + * of implement() working on 8 byte chunks + */ + +- int len = hid_report_len(report) + 7; ++ u32 len = hid_report_len(report) + 7; + + return kmalloc(len, flags); + } +@@ -1373,7 +1373,7 @@ void __hid_request(struct hid_device *hid, struct hid_report *report, + { + char *buf; + int ret; +- int len; ++ u32 len; + + buf = hid_alloc_report_buf(report, GFP_KERNEL); + if (!buf) +@@ -1399,14 +1399,14 @@ out: + } + EXPORT_SYMBOL_GPL(__hid_request); + +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + int interrupt) + { + struct hid_report_enum *report_enum = hid->report_enum + type; + struct hid_report *report; + struct hid_driver *hdrv; + unsigned int a; +- int rsize, csize = size; ++ u32 rsize, csize = size; + u8 *cdata = data; + int ret = 0; + +@@ -1464,7 +1464,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event); + * + * This is data entry for lower layers. + */ +-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt) ++int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) + { + struct hid_report_enum *report_enum; + struct hid_driver *hdrv; +diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c +index d0c8a1c1e1fe..2fc43ad7f0b6 100644 +--- a/drivers/hid/hid-elo.c ++++ b/drivers/hid/hid-elo.c +@@ -42,6 +42,12 @@ static void elo_input_configured(struct hid_device *hdev, + { + struct input_dev *input = hidinput->input; + ++ /* ++ * ELO devices have one Button usage in GenDesk field, which makes ++ * hid-input map it to BTN_LEFT; that confuses userspace, which then ++ * considers the device to be a mouse/touchpad instead of touchscreen. ++ */ ++ clear_bit(BTN_LEFT, input->keybit); + set_bit(BTN_TOUCH, input->keybit); + set_bit(ABS_PRESSURE, input->absbit); + input_set_abs_params(input, ABS_PRESSURE, 0, 256, 0, 0); +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 32d52d29cc68..b4ace7561555 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1128,18 +1128,26 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct + + /* + * Ignore out-of-range values as per HID specification, +- * section 5.10 and 6.2.25. ++ * section 5.10 and 6.2.25, when NULL state bit is present. ++ * When it's not, clamp the value to match Microsoft's input ++ * driver as mentioned in "Required HID usages for digitizers": ++ * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp + * + * The logical_minimum < logical_maximum check is done so that we + * don't unintentionally discard values sent by devices which + * don't specify logical min and max. + */ + if ((field->flags & HID_MAIN_ITEM_VARIABLE) && +- (field->logical_minimum < field->logical_maximum) && +- (value < field->logical_minimum || +- value > field->logical_maximum)) { +- dbg_hid("Ignoring out-of-range value %x\n", value); +- return; ++ (field->logical_minimum < field->logical_maximum)) { ++ if (field->flags & HID_MAIN_ITEM_NULL_STATE && ++ (value < field->logical_minimum || ++ value > field->logical_maximum)) { ++ dbg_hid("Ignoring out-of-range value %x\n", value); ++ return; ++ } ++ value = clamp(value, ++ field->logical_minimum, ++ field->logical_maximum); + } + + /* +diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c +index 9c2d7c23f296..c0c4df198725 100644 +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct file *file, char __user *buffer, size_t + int ret = 0, len; + unsigned char report_number; + ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { ++ ret = -ENODEV; ++ goto out; ++ } ++ + dev = hidraw_table[minor]->hid; + + if (!dev->ll_driver->raw_request) { +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index a9054be9bca2..fd72f894865d 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -137,10 +137,10 @@ struct i2c_hid { + * register of the HID + * descriptor. */ + unsigned int bufsize; /* i2c buffer size */ +- char *inbuf; /* Input buffer */ +- char *rawbuf; /* Raw Input buffer */ +- char *cmdbuf; /* Command buffer */ +- char *argsbuf; /* Command arguments buffer */ ++ u8 *inbuf; /* Input buffer */ ++ u8 *rawbuf; /* Raw Input buffer */ ++ u8 *cmdbuf; /* Command buffer */ ++ u8 *argsbuf; /* Command arguments buffer */ + + unsigned long flags; /* device flags */ + +@@ -385,7 +385,8 @@ static int i2c_hid_hwreset(struct i2c_client *client) + + static void i2c_hid_get_input(struct i2c_hid *ihid) + { +- int ret, ret_size; ++ int ret; ++ u32 ret_size; + int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); + + if (size > ihid->bufsize) +@@ -410,7 +411,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) + return; + } + +- if (ret_size > size) { ++ if ((ret_size > size) || (ret_size <= 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; +diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c +index e5c7a969f28b..0cb78f30696b 100644 +--- a/drivers/hsi/clients/ssi_protocol.c ++++ b/drivers/hsi/clients/ssi_protocol.c +@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff *skb, struct net_device *dev) + goto drop; + /* Pad to 32-bits - FIXME: Revisit*/ + if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3))) +- goto drop; ++ goto inc_dropped; + + /* + * Modem sends Phonet messages over SSI with its own endianess... +@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff *skb, struct net_device *dev) + drop2: + hsi_free_msg(msg); + drop: +- dev->stats.tx_dropped++; + dev_kfree_skb(skb); ++inc_dropped: ++ dev->stats.tx_dropped++; + + return 0; + } +diff --git a/drivers/hwtracing/coresight/coresight-tpiu.c b/drivers/hwtracing/coresight/coresight-tpiu.c +index 3b33af2416bb..12dc09db55e5 100644 +--- a/drivers/hwtracing/coresight/coresight-tpiu.c ++++ b/drivers/hwtracing/coresight/coresight-tpiu.c +@@ -44,8 +44,11 @@ + #define TPIU_ITATBCTR0 0xef8 + + /** register definition **/ ++/* FFSR - 0x300 */ ++#define FFSR_FT_STOPPED BIT(1) + /* FFCR - 0x304 */ + #define FFCR_FON_MAN BIT(6) ++#define FFCR_STOP_FI BIT(12) + + /** + * @base: memory mapped base address for this component. +@@ -88,10 +91,14 @@ static void tpiu_disable_hw(struct tpiu_drvdata *drvdata) + { + CS_UNLOCK(drvdata->base); + +- /* Clear formatter controle reg. */ +- writel_relaxed(0x0, drvdata->base + TPIU_FFCR); ++ /* Clear formatter and stop on flush */ ++ writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR); + /* Generate manual flush */ +- writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR); ++ writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR); ++ /* Wait for flush to complete */ ++ coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0); ++ /* Wait for formatter to stop */ ++ coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1); + + CS_LOCK(drvdata->base); + } +diff --git a/drivers/hwtracing/coresight/of_coresight.c b/drivers/hwtracing/coresight/of_coresight.c +index 35e51ce93a5c..62a56654df97 100644 +--- a/drivers/hwtracing/coresight/of_coresight.c ++++ b/drivers/hwtracing/coresight/of_coresight.c +@@ -150,7 +150,7 @@ struct coresight_platform_data *of_get_coresight_platform_data( + continue; + + /* The local out port number */ +- pdata->outports[i] = endpoint.id; ++ pdata->outports[i] = endpoint.port; + + /* + * Get a handle on the remote port and parent +diff --git a/drivers/i2c/busses/i2c-scmi.c b/drivers/i2c/busses/i2c-scmi.c +index dfc98df7b1b6..7aa7b9cb6203 100644 +--- a/drivers/i2c/busses/i2c-scmi.c ++++ b/drivers/i2c/busses/i2c-scmi.c +@@ -18,6 +18,9 @@ + #define ACPI_SMBUS_HC_CLASS "smbus" + #define ACPI_SMBUS_HC_DEVICE_NAME "cmi" + ++/* SMBUS HID definition as supported by Microsoft Windows */ ++#define ACPI_SMBUS_MS_HID "SMB0001" ++ + ACPI_MODULE_NAME("smbus_cmi"); + + struct smbus_methods_t { +@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_smbus_methods = { + static const struct acpi_device_id acpi_smbus_cmi_ids[] = { + {"SMBUS01", (kernel_ulong_t)&smbus_methods}, + {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods}, ++ {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods}, + {"", 0} + }; + MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids); +diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c +index 2ae7150442fc..2f94d1164730 100644 +--- a/drivers/iio/accel/st_accel_core.c ++++ b/drivers/iio/accel/st_accel_core.c +@@ -535,6 +535,8 @@ static const struct iio_trigger_ops st_accel_trigger_ops = { + int st_accel_common_probe(struct iio_dev *indio_dev) + { + struct st_sensor_data *adata = iio_priv(indio_dev); ++ struct st_sensors_platform_data *pdata = ++ (struct st_sensors_platform_data *)adata->dev->platform_data; + int irq = adata->get_irq_data_ready(indio_dev); + int err; + +@@ -559,11 +561,10 @@ int st_accel_common_probe(struct iio_dev *indio_dev) + &adata->sensor_settings->fs.fs_avl[0]; + adata->odr = adata->sensor_settings->odr.odr_avl[0].hz; + +- if (!adata->dev->platform_data) +- adata->dev->platform_data = +- (struct st_sensors_platform_data *)&default_accel_pdata; ++ if (!pdata) ++ pdata = (struct st_sensors_platform_data *)&default_accel_pdata; + +- err = st_sensors_init_sensor(indio_dev, adata->dev->platform_data); ++ err = st_sensors_init_sensor(indio_dev, pdata); + if (err < 0) + return err; + +diff --git a/drivers/iio/magnetometer/st_magn_spi.c b/drivers/iio/magnetometer/st_magn_spi.c +index 7adacf160146..899ed591d666 100644 +--- a/drivers/iio/magnetometer/st_magn_spi.c ++++ b/drivers/iio/magnetometer/st_magn_spi.c +@@ -48,8 +48,6 @@ static int st_magn_spi_remove(struct spi_device *spi) + } + + static const struct spi_device_id st_magn_id_table[] = { +- { LSM303DLHC_MAGN_DEV_NAME }, +- { LSM303DLM_MAGN_DEV_NAME }, + { LIS3MDL_MAGN_DEV_NAME }, + {}, + }; +diff --git a/drivers/iio/pressure/st_pressure_core.c b/drivers/iio/pressure/st_pressure_core.c +index 1f7f844bc0b8..c80bc75790e7 100644 +--- a/drivers/iio/pressure/st_pressure_core.c ++++ b/drivers/iio/pressure/st_pressure_core.c +@@ -432,6 +432,8 @@ static const struct iio_trigger_ops st_press_trigger_ops = { + int st_press_common_probe(struct iio_dev *indio_dev) + { + struct st_sensor_data *press_data = iio_priv(indio_dev); ++ struct st_sensors_platform_data *pdata = ++ (struct st_sensors_platform_data *)press_data->dev->platform_data; + int irq = press_data->get_irq_data_ready(indio_dev); + int err; + +@@ -460,12 +462,10 @@ int st_press_common_probe(struct iio_dev *indio_dev) + press_data->odr = press_data->sensor_settings->odr.odr_avl[0].hz; + + /* Some devices don't support a data ready pin. */ +- if (!press_data->dev->platform_data && +- press_data->sensor_settings->drdy_irq.addr) +- press_data->dev->platform_data = +- (struct st_sensors_platform_data *)&default_press_pdata; ++ if (!pdata && press_data->sensor_settings->drdy_irq.addr) ++ pdata = (struct st_sensors_platform_data *)&default_press_pdata; + +- err = st_sensors_init_sensor(indio_dev, press_data->dev->platform_data); ++ err = st_sensors_init_sensor(indio_dev, pdata); + if (err < 0) + return err; + +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c +index 38339d220d7f..33d69b5d70ec 100644 +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -86,6 +86,22 @@ int rdma_addr_size(struct sockaddr *addr) + } + EXPORT_SYMBOL(rdma_addr_size); + ++int rdma_addr_size_in6(struct sockaddr_in6 *addr) ++{ ++ int ret = rdma_addr_size((struct sockaddr *) addr); ++ ++ return ret <= sizeof(*addr) ? ret : 0; ++} ++EXPORT_SYMBOL(rdma_addr_size_in6); ++ ++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr) ++{ ++ int ret = rdma_addr_size((struct sockaddr *) addr); ++ ++ return ret <= sizeof(*addr) ? ret : 0; ++} ++EXPORT_SYMBOL(rdma_addr_size_kss); ++ + static struct rdma_addr_client self; + + void rdma_addr_register_client(struct rdma_addr_client *client) +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index de1c8a78374e..8c89dac48a04 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -3363,6 +3363,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, + struct cma_multicast *mc; + int ret; + ++ if (!id->device) ++ return -EINVAL; ++ + id_priv = container_of(id, struct rdma_id_private, id); + if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) && + !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED)) +@@ -3645,7 +3648,7 @@ static int cma_get_id_stats(struct sk_buff *skb, struct netlink_callback *cb) + RDMA_NL_RDMA_CM_ATTR_SRC_ADDR)) + goto out; + if (ibnl_put_attr(skb, nlh, +- rdma_addr_size(cma_src_addr(id_priv)), ++ rdma_addr_size(cma_dst_addr(id_priv)), + cma_dst_addr(id_priv), + RDMA_NL_RDMA_CM_ATTR_DST_ADDR)) + goto out; +diff --git a/drivers/infiniband/core/iwpm_util.c b/drivers/infiniband/core/iwpm_util.c +index a626795bf9c7..f1c37b7c666f 100644 +--- a/drivers/infiniband/core/iwpm_util.c ++++ b/drivers/infiniband/core/iwpm_util.c +@@ -654,6 +654,7 @@ int iwpm_send_mapinfo(u8 nl_client, int iwpm_pid) + } + skb_num++; + spin_lock_irqsave(&iwpm_mapinfo_lock, flags); ++ ret = -EINVAL; + for (i = 0; i < IWPM_MAPINFO_HASH_SIZE; i++) { + hlist_for_each_entry(map_info, &iwpm_hash_bucket[i], + hlist_node) { +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 9e7dd06031ae..2daae8b758f1 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -411,6 +411,9 @@ err1: + mutex_lock(&mut); + idr_remove(&ctx_idr, ctx->id); + mutex_unlock(&mut); ++ mutex_lock(&file->mut); ++ list_del(&ctx->list); ++ mutex_unlock(&file->mut); + kfree(ctx); + return ret; + } +@@ -522,6 +525,9 @@ static ssize_t ucma_bind_ip(struct ucma_file *file, const char __user *inbuf, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (!rdma_addr_size_in6(&cmd.addr)) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); +@@ -535,22 +541,21 @@ static ssize_t ucma_bind(struct ucma_file *file, const char __user *inbuf, + int in_len, int out_len) + { + struct rdma_ucm_bind cmd; +- struct sockaddr *addr; + struct ucma_context *ctx; + int ret; + + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- addr = (struct sockaddr *) &cmd.addr; +- if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != rdma_addr_size(addr))) ++ if (cmd.reserved || !cmd.addr_size || ++ cmd.addr_size != rdma_addr_size_kss(&cmd.addr)) + return -EINVAL; + + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- ret = rdma_bind_addr(ctx->cm_id, addr); ++ ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr); + ucma_put_ctx(ctx); + return ret; + } +@@ -566,13 +571,16 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) || ++ !rdma_addr_size_in6(&cmd.dst_addr)) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + + ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr, +- (struct sockaddr *) &cmd.dst_addr, +- cmd.timeout_ms); ++ (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms); + ucma_put_ctx(ctx); + return ret; + } +@@ -582,24 +590,23 @@ static ssize_t ucma_resolve_addr(struct ucma_file *file, + int in_len, int out_len) + { + struct rdma_ucm_resolve_addr cmd; +- struct sockaddr *src, *dst; + struct ucma_context *ctx; + int ret; + + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- src = (struct sockaddr *) &cmd.src_addr; +- dst = (struct sockaddr *) &cmd.dst_addr; +- if (cmd.reserved || (cmd.src_size && (cmd.src_size != rdma_addr_size(src))) || +- !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst))) ++ if (cmd.reserved || ++ (cmd.src_size && (cmd.src_size != rdma_addr_size_kss(&cmd.src_addr))) || ++ !cmd.dst_size || (cmd.dst_size != rdma_addr_size_kss(&cmd.dst_addr))) + return -EINVAL; + + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms); ++ ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr, ++ (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms); + ucma_put_ctx(ctx); + return ret; + } +@@ -1057,6 +1064,11 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file, + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + ++ if (!ctx->cm_id->device) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + resp.qp_attr_mask = 0; + memset(&qp_attr, 0, sizeof qp_attr); + qp_attr.qp_state = cmd.qp_state; +@@ -1127,6 +1139,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx, + if (!optlen) + return -EINVAL; + ++ if (!ctx->cm_id->device) ++ return -EINVAL; ++ + memset(&sa_path, 0, sizeof(sa_path)); + sa_path.vlan_id = 0xffff; + +@@ -1214,7 +1229,7 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf, + { + struct rdma_ucm_notify cmd; + struct ucma_context *ctx; +- int ret; ++ int ret = -EINVAL; + + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; +@@ -1223,7 +1238,9 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf, + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event); ++ if (ctx->cm_id->device) ++ ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event); ++ + ucma_put_ctx(ctx); + return ret; + } +@@ -1241,7 +1258,7 @@ static ssize_t ucma_process_join(struct ucma_file *file, + return -ENOSPC; + + addr = (struct sockaddr *) &cmd->addr; +- if (cmd->reserved || !cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr))) ++ if (cmd->reserved || (cmd->addr_size != rdma_addr_size(addr))) + return -EINVAL; + + ctx = ucma_get_ctx(file, cmd->id); +@@ -1300,7 +1317,10 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file, + join_cmd.response = cmd.response; + join_cmd.uid = cmd.uid; + join_cmd.id = cmd.id; +- join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr); ++ join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr); ++ if (!join_cmd.addr_size) ++ return -EINVAL; ++ + join_cmd.reserved = 0; + memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size); + +@@ -1316,6 +1336,9 @@ static ssize_t ucma_join_multicast(struct ucma_file *file, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (!rdma_addr_size_kss(&cmd.addr)) ++ return -EINVAL; ++ + return ucma_process_join(file, &cmd, out_len); + } + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 38acb3cfc545..bda76b9cf396 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -352,7 +352,7 @@ int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offset, + return -EINVAL; + } + +- ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->nmap, dst, length, ++ ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->npages, dst, length, + offset + ib_umem_offset(umem)); + + if (ret < 0) +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index d35f62d4f4c5..5d4ef3567743 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -236,7 +236,11 @@ static int set_rq_size(struct mlx5_ib_dev *dev, struct ib_qp_cap *cap, + } else { + if (ucmd) { + qp->rq.wqe_cnt = ucmd->rq_wqe_count; ++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift)) ++ return -EINVAL; + qp->rq.wqe_shift = ucmd->rq_wqe_shift; ++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig) ++ return -EINVAL; + qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig; + qp->rq.max_post = qp->rq.wqe_cnt; + } else { +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +index 48d7ef51aa0c..9b8a2c000280 100644 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +@@ -819,7 +819,7 @@ void ocrdma_add_port_stats(struct ocrdma_dev *dev) + + dev->reset_stats.type = OCRDMA_RESET_STATS; + dev->reset_stats.dev = dev; +- if (!debugfs_create_file("reset_stats", S_IRUSR, dev->dir, ++ if (!debugfs_create_file("reset_stats", 0200, dev->dir, + &dev->reset_stats, &ocrdma_dbg_ops)) + goto err; + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +index 545c7ef480e8..18f732aa1510 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -963,6 +963,19 @@ static inline int update_parent_pkey(struct ipoib_dev_priv *priv) + */ + priv->dev->broadcast[8] = priv->pkey >> 8; + priv->dev->broadcast[9] = priv->pkey & 0xff; ++ ++ /* ++ * Update the broadcast address in the priv->broadcast object, ++ * in case it already exists, otherwise no one will do that. ++ */ ++ if (priv->broadcast) { ++ spin_lock_irq(&priv->lock); ++ memcpy(priv->broadcast->mcmember.mgid.raw, ++ priv->dev->broadcast + 4, ++ sizeof(union ib_gid)); ++ spin_unlock_irq(&priv->lock); ++ } ++ + return 0; + } + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index 7599fb0b2d98..17a1bb19b8d1 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -488,6 +488,22 @@ static void path_rec_completion(int status, + spin_lock_irqsave(&priv->lock, flags); + + if (!IS_ERR_OR_NULL(ah)) { ++ /* ++ * pathrec.dgid is used as the database key from the LLADDR, ++ * it must remain unchanged even if the SA returns a different ++ * GID to use in the AH. ++ */ ++ if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw, ++ sizeof(union ib_gid))) { ++ ipoib_dbg( ++ priv, ++ "%s got PathRec for gid %pI6 while asked for %pI6\n", ++ dev->name, pathrec->dgid.raw, ++ path->pathrec.dgid.raw); ++ memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw, ++ sizeof(union ib_gid)); ++ } ++ + path->pathrec = *pathrec; + + old_ah = path->ah; +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 18e688d68e66..d210df3f7188 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2510,9 +2510,11 @@ static int srp_abort(struct scsi_cmnd *scmnd) + ret = FAST_IO_FAIL; + else + ret = FAILED; +- srp_free_req(ch, req, scmnd, 0); +- scmnd->result = DID_ABORT << 16; +- scmnd->scsi_done(scmnd); ++ if (ret == SUCCESS) { ++ srp_free_req(ch, req, scmnd, 0); ++ scmnd->result = DID_ABORT << 16; ++ scmnd->scsi_done(scmnd); ++ } + + return ret; + } +@@ -3245,12 +3247,10 @@ static ssize_t srp_create_target(struct device *dev, + num_online_nodes()); + const int ch_end = ((node_idx + 1) * target->ch_count / + num_online_nodes()); +- const int cv_start = (node_idx * ibdev->num_comp_vectors / +- num_online_nodes() + target->comp_vector) +- % ibdev->num_comp_vectors; +- const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors / +- num_online_nodes() + target->comp_vector) +- % ibdev->num_comp_vectors; ++ const int cv_start = node_idx * ibdev->num_comp_vectors / ++ num_online_nodes(); ++ const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors / ++ num_online_nodes(); + int cpu_idx = 0; + + for_each_online_cpu(cpu) { +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 6c30192dcb78..ee696c6a769d 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2981,12 +2981,8 @@ static void srpt_queue_response(struct se_cmd *cmd) + } + spin_unlock_irqrestore(&ioctx->spinlock, flags); + +- if (unlikely(transport_check_aborted_status(&ioctx->cmd, false) +- || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) { +- atomic_inc(&ch->req_lim_delta); +- srpt_abort_cmd(ioctx); ++ if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) + return; +- } + + dir = ioctx->cmd.data_direction; + +diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c +index 009f75d25268..4e5ad9e120d6 100644 +--- a/drivers/input/misc/drv260x.c ++++ b/drivers/input/misc/drv260x.c +@@ -521,7 +521,7 @@ static int drv260x_probe(struct i2c_client *client, + if (!haptics) + return -ENOMEM; + +- haptics->rated_voltage = DRV260X_DEF_OD_CLAMP_VOLT; ++ haptics->overdrive_voltage = DRV260X_DEF_OD_CLAMP_VOLT; + haptics->rated_voltage = DRV260X_DEF_RATED_VOLT; + + if (pdata) { +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index fd5068b2542d..152d057ed87c 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -972,6 +972,13 @@ static int elan_probe(struct i2c_client *client, + return error; + } + ++ /* Make sure there is something at this address */ ++ error = i2c_smbus_read_byte(client); ++ if (error < 0) { ++ dev_dbg(&client->dev, "nothing at this address: %d\n", error); ++ return -ENXIO; ++ } ++ + /* Initialize the touchpad. */ + error = elan_initialize(data); + if (error) +diff --git a/drivers/input/mouse/elan_i2c_i2c.c b/drivers/input/mouse/elan_i2c_i2c.c +index a0acbbf83bfd..4ea436c173be 100644 +--- a/drivers/input/mouse/elan_i2c_i2c.c ++++ b/drivers/input/mouse/elan_i2c_i2c.c +@@ -555,7 +555,14 @@ static int elan_i2c_finish_fw_update(struct i2c_client *client, + long ret; + int error; + int len; +- u8 buffer[ETP_I2C_INF_LENGTH]; ++ u8 buffer[ETP_I2C_REPORT_LEN]; ++ ++ len = i2c_master_recv(client, buffer, ETP_I2C_REPORT_LEN); ++ if (len != ETP_I2C_REPORT_LEN) { ++ error = len < 0 ? len : -EIO; ++ dev_warn(dev, "failed to read I2C data after FW WDT reset: %d (%d)\n", ++ error, len); ++ } + + reinit_completion(completion); + enable_irq(client->irq); +diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c +index b604564dec5c..30328e57fdda 100644 +--- a/drivers/input/mousedev.c ++++ b/drivers/input/mousedev.c +@@ -15,6 +15,7 @@ + #define MOUSEDEV_MINORS 31 + #define MOUSEDEV_MIX 63 + ++#include <linux/bitops.h> + #include <linux/sched.h> + #include <linux/slab.h> + #include <linux/poll.h> +@@ -103,7 +104,7 @@ struct mousedev_client { + spinlock_t packet_lock; + int pos_x, pos_y; + +- signed char ps2[6]; ++ u8 ps2[6]; + unsigned char ready, buffer, bufsiz; + unsigned char imexseq, impsseq; + enum mousedev_emul mode; +@@ -291,11 +292,10 @@ static void mousedev_notify_readers(struct mousedev *mousedev, + } + + client->pos_x += packet->dx; +- client->pos_x = client->pos_x < 0 ? +- 0 : (client->pos_x >= xres ? xres : client->pos_x); ++ client->pos_x = clamp_val(client->pos_x, 0, xres); ++ + client->pos_y += packet->dy; +- client->pos_y = client->pos_y < 0 ? +- 0 : (client->pos_y >= yres ? yres : client->pos_y); ++ client->pos_y = clamp_val(client->pos_y, 0, yres); + + p->dx += packet->dx; + p->dy += packet->dy; +@@ -571,44 +571,50 @@ static int mousedev_open(struct inode *inode, struct file *file) + return error; + } + +-static inline int mousedev_limit_delta(int delta, int limit) +-{ +- return delta > limit ? limit : (delta < -limit ? -limit : delta); +-} +- +-static void mousedev_packet(struct mousedev_client *client, +- signed char *ps2_data) ++static void mousedev_packet(struct mousedev_client *client, u8 *ps2_data) + { + struct mousedev_motion *p = &client->packets[client->tail]; ++ s8 dx, dy, dz; ++ ++ dx = clamp_val(p->dx, -127, 127); ++ p->dx -= dx; ++ ++ dy = clamp_val(p->dy, -127, 127); ++ p->dy -= dy; + +- ps2_data[0] = 0x08 | +- ((p->dx < 0) << 4) | ((p->dy < 0) << 5) | (p->buttons & 0x07); +- ps2_data[1] = mousedev_limit_delta(p->dx, 127); +- ps2_data[2] = mousedev_limit_delta(p->dy, 127); +- p->dx -= ps2_data[1]; +- p->dy -= ps2_data[2]; ++ ps2_data[0] = BIT(3); ++ ps2_data[0] |= ((dx & BIT(7)) >> 3) | ((dy & BIT(7)) >> 2); ++ ps2_data[0] |= p->buttons & 0x07; ++ ps2_data[1] = dx; ++ ps2_data[2] = dy; + + switch (client->mode) { + case MOUSEDEV_EMUL_EXPS: +- ps2_data[3] = mousedev_limit_delta(p->dz, 7); +- p->dz -= ps2_data[3]; +- ps2_data[3] = (ps2_data[3] & 0x0f) | ((p->buttons & 0x18) << 1); ++ dz = clamp_val(p->dz, -7, 7); ++ p->dz -= dz; ++ ++ ps2_data[3] = (dz & 0x0f) | ((p->buttons & 0x18) << 1); + client->bufsiz = 4; + break; + + case MOUSEDEV_EMUL_IMPS: +- ps2_data[0] |= +- ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1); +- ps2_data[3] = mousedev_limit_delta(p->dz, 127); +- p->dz -= ps2_data[3]; ++ dz = clamp_val(p->dz, -127, 127); ++ p->dz -= dz; ++ ++ ps2_data[0] |= ((p->buttons & 0x10) >> 3) | ++ ((p->buttons & 0x08) >> 1); ++ ps2_data[3] = dz; ++ + client->bufsiz = 4; + break; + + case MOUSEDEV_EMUL_PS2: + default: +- ps2_data[0] |= +- ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1); + p->dz = 0; ++ ++ ps2_data[0] |= ((p->buttons & 0x10) >> 3) | ++ ((p->buttons & 0x08) >> 1); ++ + client->bufsiz = 3; + break; + } +@@ -714,7 +720,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer, + { + struct mousedev_client *client = file->private_data; + struct mousedev *mousedev = client->mousedev; +- signed char data[sizeof(client->ps2)]; ++ u8 data[sizeof(client->ps2)]; + int retval = 0; + + if (!client->ready && !client->buffer && mousedev->exist && +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 74d69fdbdec9..10e340943218 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -602,6 +602,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "20046"), + }, + }, ++ { ++ /* Lenovo ThinkPad L460 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"), ++ }, ++ }, + { + /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ + .matches = { +diff --git a/drivers/input/touchscreen/ar1021_i2c.c b/drivers/input/touchscreen/ar1021_i2c.c +index f0b954d46a25..b89fbc4d3096 100644 +--- a/drivers/input/touchscreen/ar1021_i2c.c ++++ b/drivers/input/touchscreen/ar1021_i2c.c +@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_resume(struct device *dev) + static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume); + + static const struct i2c_device_id ar1021_i2c_id[] = { +- { "MICROCHIP_AR1021_I2C", 0 }, ++ { "ar1021", 0 }, + { }, + }; + MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id); +diff --git a/drivers/input/touchscreen/tsc2007.c b/drivers/input/touchscreen/tsc2007.c +index ccc8aa615709..0299a2882ff7 100644 +--- a/drivers/input/touchscreen/tsc2007.c ++++ b/drivers/input/touchscreen/tsc2007.c +@@ -455,6 +455,14 @@ static int tsc2007_probe(struct i2c_client *client, + + tsc2007_stop(ts); + ++ /* power down the chip (TSC2007_SETUP does not ACK on I2C) */ ++ err = tsc2007_xfer(ts, PWRDOWN); ++ if (err < 0) { ++ dev_err(&client->dev, ++ "Failed to setup chip: %d\n", err); ++ return err; /* usually, chip does not respond */ ++ } ++ + err = input_register_device(input_dev); + if (err) { + dev_err(&client->dev, +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c +index 9dd8208312c2..3100bc0cc805 100644 +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -163,7 +163,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad, + break; /* found a free slot */ + } + adjust_limit_pfn: +- limit_pfn = curr_iova->pfn_lo - 1; ++ limit_pfn = curr_iova->pfn_lo ? (curr_iova->pfn_lo - 1) : 0; + move_left: + prev = curr; + curr = rb_prev(curr); +diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c +index a22c33d6a486..f604a74cc890 100644 +--- a/drivers/iommu/omap-iommu.c ++++ b/drivers/iommu/omap-iommu.c +@@ -1386,6 +1386,7 @@ static int __init omap_iommu_init(void) + const unsigned long flags = SLAB_HWCACHE_ALIGN; + size_t align = 1 << 10; /* L2 pagetable alignement */ + struct device_node *np; ++ int ret; + + np = of_find_matching_node(NULL, omap_iommu_of_match); + if (!np) +@@ -1399,11 +1400,25 @@ static int __init omap_iommu_init(void) + return -ENOMEM; + iopte_cachep = p; + +- bus_set_iommu(&platform_bus_type, &omap_iommu_ops); +- + omap_iommu_debugfs_init(); + +- return platform_driver_register(&omap_iommu_driver); ++ ret = platform_driver_register(&omap_iommu_driver); ++ if (ret) { ++ pr_err("%s: failed to register driver\n", __func__); ++ goto fail_driver; ++ } ++ ++ ret = bus_set_iommu(&platform_bus_type, &omap_iommu_ops); ++ if (ret) ++ goto fail_bus; ++ ++ return 0; ++ ++fail_bus: ++ platform_driver_unregister(&omap_iommu_driver); ++fail_driver: ++ kmem_cache_destroy(iopte_cachep); ++ return ret; + } + /* must be ready before omap3isp is probed */ + subsys_initcall(omap_iommu_init); +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 9a791dd52199..eff99f862e83 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -674,7 +674,7 @@ static struct irq_chip its_msi_irq_chip = { + * This gives us (((1UL << id_bits) - 8192) >> 5) possible allocations. + */ + #define IRQS_PER_CHUNK_SHIFT 5 +-#define IRQS_PER_CHUNK (1 << IRQS_PER_CHUNK_SHIFT) ++#define IRQS_PER_CHUNK (1UL << IRQS_PER_CHUNK_SHIFT) + + static unsigned long *lpi_bitmap; + static u32 lpi_chunks; +@@ -1145,11 +1145,10 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id, + + dev = kzalloc(sizeof(*dev), GFP_KERNEL); + /* +- * At least one bit of EventID is being used, hence a minimum +- * of two entries. No, the architecture doesn't let you +- * express an ITT with a single entry. ++ * We allocate at least one chunk worth of LPIs bet device, ++ * and thus that many ITEs. The device may require less though. + */ +- nr_ites = max(2UL, roundup_pow_of_two(nvecs)); ++ nr_ites = max(IRQS_PER_CHUNK, roundup_pow_of_two(nvecs)); + sz = nr_ites * its->ite_size; + sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1; + itt = kzalloc(sz, GFP_KERNEL); +diff --git a/drivers/isdn/mISDN/stack.c b/drivers/isdn/mISDN/stack.c +index 9cb4b621fbc3..b92a19a594a1 100644 +--- a/drivers/isdn/mISDN/stack.c ++++ b/drivers/isdn/mISDN/stack.c +@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl, struct sk_buff *skb) + if (sk->sk_state != MISDN_BOUND) + continue; + if (!cskb) +- cskb = skb_copy(skb, GFP_KERNEL); ++ cskb = skb_copy(skb, GFP_ATOMIC); + if (!cskb) { + printk(KERN_WARNING "%s no skb\n", __func__); + break; +diff --git a/drivers/leds/leds-pca955x.c b/drivers/leds/leds-pca955x.c +index c3a08b60535b..760deffa9ad3 100644 +--- a/drivers/leds/leds-pca955x.c ++++ b/drivers/leds/leds-pca955x.c +@@ -281,7 +281,7 @@ static int pca955x_probe(struct i2c_client *client, + "slave address 0x%02x\n", + id->name, chip->bits, client->addr); + +- if (!i2c_check_functionality(adapter, I2C_FUNC_I2C)) ++ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA)) + return -EIO; + + if (pdata) { +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index 4d46f2ce606f..aa84fcfd59fc 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -514,15 +514,21 @@ struct open_bucket { + + /* + * We keep multiple buckets open for writes, and try to segregate different +- * write streams for better cache utilization: first we look for a bucket where +- * the last write to it was sequential with the current write, and failing that +- * we look for a bucket that was last used by the same task. ++ * write streams for better cache utilization: first we try to segregate flash ++ * only volume write streams from cached devices, secondly we look for a bucket ++ * where the last write to it was sequential with the current write, and ++ * failing that we look for a bucket that was last used by the same task. + * + * The ideas is if you've got multiple tasks pulling data into the cache at the + * same time, you'll get better cache utilization if you try to segregate their + * data and preserve locality. + * +- * For example, say you've starting Firefox at the same time you're copying a ++ * For example, dirty sectors of flash only volume is not reclaimable, if their ++ * dirty sectors mixed with dirty sectors of cached device, such buckets will ++ * be marked as dirty and won't be reclaimed, though the dirty data of cached ++ * device have been written back to backend device. ++ * ++ * And say you've starting Firefox at the same time you're copying a + * bunch of files. Firefox will likely end up being fairly hot and stay in the + * cache awhile, but the data you copied might not be; if you wrote all that + * data to the same buckets it'd get invalidated at the same time. +@@ -539,7 +545,10 @@ static struct open_bucket *pick_data_bucket(struct cache_set *c, + struct open_bucket *ret, *ret_task = NULL; + + list_for_each_entry_reverse(ret, &c->data_buckets, list) +- if (!bkey_cmp(&ret->key, search)) ++ if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) != ++ UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)])) ++ continue; ++ else if (!bkey_cmp(&ret->key, search)) + goto found; + else if (ret->last_write_point == write_point) + ret_task = ret; +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index b8013e386c76..80812d05b3e2 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -921,6 +921,12 @@ static void cached_dev_detach_finish(struct work_struct *w) + + mutex_lock(&bch_register_lock); + ++ cancel_delayed_work_sync(&dc->writeback_rate_update); ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) { ++ kthread_stop(dc->writeback_thread); ++ dc->writeback_thread = NULL; ++ } ++ + memset(&dc->sb.set_uuid, 0, 16); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE); + +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c +index df060fd016f6..e8200892ed41 100644 +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1773,12 +1773,12 @@ static int validate_params(uint cmd, struct dm_ioctl *param) + cmd == DM_LIST_VERSIONS_CMD) + return 0; + +- if ((cmd == DM_DEV_CREATE_CMD)) { ++ if (cmd == DM_DEV_CREATE_CMD) { + if (!*param->name) { + DMWARN("name not supplied when creating device"); + return -EINVAL; + } +- } else if ((*param->uuid && *param->name)) { ++ } else if (*param->uuid && *param->name) { + DMWARN("only supply one of name or uuid, cmd(%u)", cmd); + return -EINVAL; + } +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index 4eb5cb18f98d..f490382173b6 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -850,8 +850,10 @@ static int add_new_disk_start(struct mddev *mddev, struct md_rdev *rdev) + cmsg.raid_slot = rdev->desc_nr; + lock_comm(cinfo); + ret = __sendmsg(cinfo, &cmsg); +- if (ret) ++ if (ret) { ++ unlock_comm(cinfo); + return ret; ++ } + cinfo->no_new_dev_lockres->flags |= DLM_LKF_NOQUEUE; + ret = dlm_lock_sync(cinfo->no_new_dev_lockres, DLM_LOCK_EX); + cinfo->no_new_dev_lockres->flags &= ~DLM_LKF_NOQUEUE; +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 4cbc3df79a2a..641259fe891b 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3702,6 +3702,7 @@ static int run(struct mddev *mddev) + + if (blk_queue_discard(bdev_get_queue(rdev->bdev))) + discard_supported = true; ++ first = 0; + } + + if (mddev->queue) { +@@ -4110,6 +4111,7 @@ static int raid10_start_reshape(struct mddev *mddev) + diff = 0; + if (first || diff < min_offset_diff) + min_offset_diff = diff; ++ first = 0; + } + } + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 907aa9c6e894..8de0b1684dc6 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -110,8 +110,7 @@ static inline void unlock_device_hash_lock(struct r5conf *conf, int hash) + static inline void lock_all_device_hash_locks_irq(struct r5conf *conf) + { + int i; +- local_irq_disable(); +- spin_lock(conf->hash_locks); ++ spin_lock_irq(conf->hash_locks); + for (i = 1; i < NR_STRIPE_HASH_LOCKS; i++) + spin_lock_nest_lock(conf->hash_locks + i, conf->hash_locks); + spin_lock(&conf->device_lock); +@@ -121,9 +120,9 @@ static inline void unlock_all_device_hash_locks_irq(struct r5conf *conf) + { + int i; + spin_unlock(&conf->device_lock); +- for (i = NR_STRIPE_HASH_LOCKS; i; i--) +- spin_unlock(conf->hash_locks + i - 1); +- local_irq_enable(); ++ for (i = NR_STRIPE_HASH_LOCKS - 1; i; i--) ++ spin_unlock(conf->hash_locks + i); ++ spin_unlock_irq(conf->hash_locks); + } + + /* bio's attached to a stripe+device for I/O are linked together in bi_sector +@@ -728,12 +727,11 @@ static bool is_full_stripe_write(struct stripe_head *sh) + + static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2) + { +- local_irq_disable(); + if (sh1 > sh2) { +- spin_lock(&sh2->stripe_lock); ++ spin_lock_irq(&sh2->stripe_lock); + spin_lock_nested(&sh1->stripe_lock, 1); + } else { +- spin_lock(&sh1->stripe_lock); ++ spin_lock_irq(&sh1->stripe_lock); + spin_lock_nested(&sh2->stripe_lock, 1); + } + } +@@ -741,8 +739,7 @@ static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2) + static void unlock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2) + { + spin_unlock(&sh1->stripe_lock); +- spin_unlock(&sh2->stripe_lock); +- local_irq_enable(); ++ spin_unlock_irq(&sh2->stripe_lock); + } + + /* Only freshly new full stripe normal write stripe can be added to a batch list */ +@@ -3368,9 +3365,20 @@ static int fetch_block(struct stripe_head *sh, struct stripe_head_state *s, + BUG_ON(test_bit(R5_Wantcompute, &dev->flags)); + BUG_ON(test_bit(R5_Wantread, &dev->flags)); + BUG_ON(sh->batch_head); ++ ++ /* ++ * In the raid6 case if the only non-uptodate disk is P ++ * then we already trusted P to compute the other failed ++ * drives. It is safe to compute rather than re-read P. ++ * In other cases we only compute blocks from failed ++ * devices, otherwise check/repair might fail to detect ++ * a real inconsistency. ++ */ ++ + if ((s->uptodate == disks - 1) && ++ ((sh->qd_idx >= 0 && sh->pd_idx == disk_idx) || + (s->failed && (disk_idx == s->failed_num[0] || +- disk_idx == s->failed_num[1]))) { ++ disk_idx == s->failed_num[1])))) { + /* have disk failed, and we're requested to fetch it; + * do compute it + */ +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index 72937756f60c..c084ad3f2811 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -749,6 +749,29 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, u8 * b + goto exit; + } + ++ /* ++ * It may need some time for the CAM to settle down, or there might ++ * be a race condition between the CAM, writing HC and our last ++ * check for DA. This happens, if the CAM asserts DA, just after ++ * checking DA before we are setting HC. In this case it might be ++ * a bug in the CAM to keep the FR bit, the lower layer/HW ++ * communication requires a longer timeout or the CAM needs more ++ * time internally. But this happens in reality! ++ * We need to read the status from the HW again and do the same ++ * we did for the previous check for DA ++ */ ++ status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS); ++ if (status < 0) ++ goto exit; ++ ++ if (status & (STATUSREG_DA | STATUSREG_RE)) { ++ if (status & STATUSREG_DA) ++ dvb_ca_en50221_thread_wakeup(ca); ++ ++ status = -EAGAIN; ++ goto exit; ++ } ++ + /* send the amount of data */ + if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0) + goto exit; +diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c +index 391e98395b41..c2cad898072a 100644 +--- a/drivers/media/dvb-frontends/si2168.c ++++ b/drivers/media/dvb-frontends/si2168.c +@@ -14,6 +14,8 @@ + * GNU General Public License for more details. + */ + ++#include <linux/delay.h> ++ + #include "si2168_priv.h" + + static const struct dvb_frontend_ops si2168_ops; +@@ -375,6 +377,7 @@ static int si2168_init(struct dvb_frontend *fe) + if (ret) + goto err; + ++ udelay(100); + memcpy(cmd.args, "\x85", 1); + cmd.wlen = 1; + cmd.rlen = 1; +diff --git a/drivers/media/i2c/cx25840/cx25840-core.c b/drivers/media/i2c/cx25840/cx25840-core.c +index bd496447749a..8e4eccc1d952 100644 +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2c_client *client) + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + /* 6. */ + cx25840_write(client, 0x115, 0x8c); +@@ -631,11 +633,13 @@ static void cx23885_initialize(struct i2c_client *client) + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + /* Call the cx23888 specific std setup func, we no longer rely on + * the generic cx24840 func. +@@ -746,11 +750,13 @@ static void cx231xx_initialize(struct i2c_client *client) + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + cx25840_std_setup(client); + +diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c +index f4eef2fa6f6f..cd8f8151d834 100644 +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -1016,7 +1016,7 @@ static int ov6650_probe(struct i2c_client *client, + priv->code = MEDIA_BUS_FMT_YUYV8_2X8; + priv->colorspace = V4L2_COLORSPACE_JPEG; + +- priv->clk = v4l2_clk_get(&client->dev, "mclk"); ++ priv->clk = v4l2_clk_get(&client->dev, NULL); + if (IS_ERR(priv->clk)) { + ret = PTR_ERR(priv->clk); + goto eclkget; +diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c +index 8aa726651630..90fcccc05b56 100644 +--- a/drivers/media/pci/bt8xx/bt878.c ++++ b/drivers/media/pci/bt8xx/bt878.c +@@ -422,8 +422,7 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + bt878_num); + if (bt878_num >= BT878_MAX) { + printk(KERN_ERR "bt878: Too many devices inserted\n"); +- result = -ENOMEM; +- goto fail0; ++ return -ENOMEM; + } + if (pci_enable_device(dev)) + return -EIO; +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c +index f838d9c7ed12..0fba4a2c1602 100644 +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1370,8 +1370,13 @@ static int mceusb_dev_probe(struct usb_interface *intf, + goto rc_dev_fail; + + /* wire up inbound data handler */ +- usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, +- mceusb_dev_recv, ir, ep_in->bInterval); ++ if (usb_endpoint_xfer_int(ep_in)) ++ usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, ++ mceusb_dev_recv, ir, ep_in->bInterval); ++ else ++ usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, ++ mceusb_dev_recv, ir); ++ + ir->urb_in->transfer_dma = ir->dma_in; + ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + +diff --git a/drivers/media/usb/cpia2/cpia2_v4l.c b/drivers/media/usb/cpia2/cpia2_v4l.c +index 9caea8344547..d793c630f1dd 100644 +--- a/drivers/media/usb/cpia2/cpia2_v4l.c ++++ b/drivers/media/usb/cpia2/cpia2_v4l.c +@@ -812,7 +812,7 @@ static int cpia2_querybuf(struct file *file, void *fh, struct v4l2_buffer *buf) + struct camera_data *cam = video_drvdata(file); + + if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE || +- buf->index > cam->num_frames) ++ buf->index >= cam->num_frames) + return -EINVAL; + + buf->m.offset = cam->buffers[buf->index].data - cam->frame_buffer; +@@ -863,7 +863,7 @@ static int cpia2_qbuf(struct file *file, void *fh, struct v4l2_buffer *buf) + + if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE || + buf->memory != V4L2_MEMORY_MMAP || +- buf->index > cam->num_frames) ++ buf->index >= cam->num_frames) + return -EINVAL; + + DBG("QBUF #%d\n", buf->index); +diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c +index 3bbc77aa6a33..483457d4904f 100644 +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -95,6 +95,8 @@ static int usbtv_probe(struct usb_interface *intf, + return 0; + + usbtv_audio_fail: ++ /* we must not free at this point */ ++ usb_get_dev(usbtv->udev); + usbtv_video_free(usbtv); + + usbtv_video_fail: +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index e03aa0961360..0686cbc94675 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp, + static int put_v4l2_window32(struct v4l2_window __user *kp, + struct v4l2_window32 __user *up) + { +- struct v4l2_clip __user *kclips = kp->clips; ++ struct v4l2_clip __user *kclips; + struct v4l2_clip32 __user *uclips; + compat_caddr_t p; + u32 clipcount; +@@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp, + if (!clipcount) + return 0; + ++ if (get_user(kclips, &kp->clips)) ++ return -EFAULT; + if (get_user(p, &up->clips)) + return -EFAULT; + uclips = compat_ptr(p); +diff --git a/drivers/mfd/palmas.c b/drivers/mfd/palmas.c +index 28cb048f4760..907247bc2501 100644 +--- a/drivers/mfd/palmas.c ++++ b/drivers/mfd/palmas.c +@@ -430,6 +430,20 @@ static void palmas_power_off(void) + { + unsigned int addr; + int ret, slave; ++ struct device_node *np = palmas_dev->dev->of_node; ++ ++ if (of_property_read_bool(np, "ti,palmas-override-powerhold")) { ++ addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE, ++ PALMAS_PRIMARY_SECONDARY_PAD2); ++ slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE); ++ ++ ret = regmap_update_bits(palmas_dev->regmap[slave], addr, ++ PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0); ++ if (ret) ++ dev_err(palmas_dev->dev, ++ "Unable to write PRIMARY_SECONDARY_PAD2 %d\n", ++ ret); ++ } + + if (!palmas_dev) + return; +diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c +index cc91f7b3d90c..eb29113e0bac 100644 +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -148,7 +148,7 @@ enclosure_register(struct device *dev, const char *name, int components, + for (i = 0; i < components; i++) { + edev->component[i].number = -1; + edev->component[i].slot = -1; +- edev->component[i].power_status = 1; ++ edev->component[i].power_status = -1; + } + + mutex_lock(&container_list_lock); +@@ -600,6 +600,11 @@ static ssize_t get_component_power_status(struct device *cdev, + + if (edev->cb->get_power_status) + edev->cb->get_power_status(edev, ecomp); ++ ++ /* If still uninitialized, the callback failed or does not exist. */ ++ if (ecomp->power_status == -1) ++ return (edev->cb->get_power_status) ? -EIO : -ENOTTY; ++ + return snprintf(buf, 40, "%s\n", ecomp->power_status ? "on" : "off"); + } + +diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c +index e40bcd03bd47..2353ec9dd7d2 100644 +--- a/drivers/misc/mei/main.c ++++ b/drivers/misc/mei/main.c +@@ -503,7 +503,6 @@ static long mei_ioctl(struct file *file, unsigned int cmd, unsigned long data) + break; + + default: +- dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd); + rets = -ENOIOCTLCMD; + } + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index f42d9c4e4561..cc277f7849b0 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -298,8 +298,11 @@ static void *qp_alloc_queue(u64 size, u32 flags) + size_t pas_size; + size_t vas_size; + size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if); +- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; ++ u64 num_pages; + ++ if (size > SIZE_MAX - PAGE_SIZE) ++ return NULL; ++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; + if (num_pages > + (SIZE_MAX - queue_size) / + (sizeof(*queue->kernel_if->u.g.pas) + +@@ -624,9 +627,12 @@ static struct vmci_queue *qp_host_alloc_queue(u64 size) + { + struct vmci_queue *queue; + size_t queue_page_size; +- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; ++ u64 num_pages; + const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if)); + ++ if (size > SIZE_MAX - PAGE_SIZE) ++ return NULL; ++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; + if (num_pages > (SIZE_MAX - queue_size) / + sizeof(*queue->kernel_if->u.h.page)) + return NULL; +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c +index b5d8906ac34f..9368d49d3e83 100644 +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -2668,6 +2668,14 @@ int mmc_pm_notify(struct notifier_block *notify_block, + if (!err) + break; + ++ if (!mmc_card_is_removable(host)) { ++ dev_warn(mmc_dev(host), ++ "pre_suspend failed for non-removable host: " ++ "%d\n", err); ++ /* Avoid removing non-removable hosts */ ++ break; ++ } ++ + /* Calling bus_ops->remove() with a claimed host can deadlock */ + host->bus_ops->remove(host); + mmc_claim_host(host); +diff --git a/drivers/mmc/host/jz4740_mmc.c b/drivers/mmc/host/jz4740_mmc.c +index 76e8bce6f46e..ad572a0f2124 100644 +--- a/drivers/mmc/host/jz4740_mmc.c ++++ b/drivers/mmc/host/jz4740_mmc.c +@@ -368,9 +368,9 @@ static void jz4740_mmc_set_irq_enabled(struct jz4740_mmc_host *host, + host->irq_mask &= ~irq; + else + host->irq_mask |= irq; +- spin_unlock_irqrestore(&host->lock, flags); + + writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK); ++ spin_unlock_irqrestore(&host->lock, flags); + } + + static void jz4740_mmc_clock_enable(struct jz4740_mmc_host *host, +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index d0abdffb0d7c..18b716bb5752 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1693,8 +1693,8 @@ static int omap_hsmmc_configure_wake_irq(struct omap_hsmmc_host *host) + */ + if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) { + struct pinctrl *p = devm_pinctrl_get(host->dev); +- if (!p) { +- ret = -ENODEV; ++ if (IS_ERR(p)) { ++ ret = PTR_ERR(p); + goto err_free_irq; + } + if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) { +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c +index 286b97a304cf..4509ee0b294a 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c +@@ -45,6 +45,7 @@ + #define I82802AB 0x00ad + #define I82802AC 0x00ac + #define PF38F4476 0x881c ++#define M28F00AP30 0x8963 + /* STMicroelectronics chips */ + #define M50LPW080 0x002F + #define M50FLW080A 0x0080 +@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi, + extp->MinorVersion = '1'; + } + ++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip) ++{ ++ /* ++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t ++ * Erase Supend for their small Erase Blocks(0x8000) ++ */ ++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30) ++ return 1; ++ return 0; ++} ++ + static inline struct cfi_pri_intelext * + read_pri_intelext(struct map_info *map, __u16 adr) + { +@@ -825,21 +837,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long + (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1)))) + goto sleep; + ++ /* Do not allow suspend iff read/write to EB address */ ++ if ((adr & chip->in_progress_block_mask) == ++ chip->in_progress_block_addr) ++ goto sleep; ++ ++ /* do not suspend small EBs, buggy Micron Chips */ ++ if (cfi_is_micron_28F00AP30(cfi, chip) && ++ (chip->in_progress_block_mask == ~(0x8000-1))) ++ goto sleep; + + /* Erase suspend */ +- map_write(map, CMD(0xB0), adr); ++ map_write(map, CMD(0xB0), chip->in_progress_block_addr); + + /* If the flash has finished erasing, then 'erase suspend' + * appears to make some (28F320) flash devices switch to + * 'read' mode. Make sure that we switch to 'read status' + * mode so we get the right data. --rmk + */ +- map_write(map, CMD(0x70), adr); ++ map_write(map, CMD(0x70), chip->in_progress_block_addr); + chip->oldstate = FL_ERASING; + chip->state = FL_ERASE_SUSPENDING; + chip->erase_suspended = 1; + for (;;) { +- status = map_read(map, adr); ++ status = map_read(map, chip->in_progress_block_addr); + if (map_word_andequal(map, status, status_OK, status_OK)) + break; + +@@ -1035,8 +1056,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad + sending the 0x70 (Read Status) command to an erasing + chip and expecting it to be ignored, that's what we + do. */ +- map_write(map, CMD(0xd0), adr); +- map_write(map, CMD(0x70), adr); ++ map_write(map, CMD(0xd0), chip->in_progress_block_addr); ++ map_write(map, CMD(0x70), chip->in_progress_block_addr); + chip->oldstate = FL_READY; + chip->state = FL_ERASING; + break; +@@ -1927,6 +1948,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + map_write(map, CMD(0xD0), adr); + chip->state = FL_ERASING; + chip->erase_suspended = 0; ++ chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(len - 1); + + ret = INVAL_CACHE_AND_WAIT(map, chip, adr, + adr, len, +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index c50d8cf0f60d..16faa97ac3f2 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr + (mode == FL_WRITING && (cfip->EraseSuspend & 0x2)))) + goto sleep; + +- /* We could check to see if we're trying to access the sector +- * that is currently being erased. However, no user will try +- * anything like that so we just wait for the timeout. */ ++ /* Do not allow suspend iff read/write to EB address */ ++ if ((adr & chip->in_progress_block_mask) == ++ chip->in_progress_block_addr) ++ goto sleep; + + /* Erase suspend */ + /* It's harmless to issue the Erase-Suspend and Erase-Resume +@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + chip->state = FL_ERASING; + chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(map->size - 1); + + INVALIDATE_CACHE_UDELAY(map, chip, + adr, map->size, +@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + chip->state = FL_ERASING; + chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(len - 1); + + INVALIDATE_CACHE_UDELAY(map, chip, + adr, len, +diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c +index 7c0b27d132b1..b479bd81120b 100644 +--- a/drivers/mtd/chips/jedec_probe.c ++++ b/drivers/mtd/chips/jedec_probe.c +@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct map_info *map, uint32_t base, + do { + uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); + mask = (1 << (cfi->device_type * 8)) - 1; ++ if (ofs >= map->size) ++ return 0; + result = map_read(map, base + ofs); + bank++; + } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION); +diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c +index 14a5f559e300..eb5ff54c9263 100644 +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -618,7 +618,8 @@ static void nand_command(struct mtd_info *mtd, unsigned int command, + chip->cmd_ctrl(mtd, readcmd, ctrl); + ctrl &= ~NAND_CTRL_CHANGE; + } +- chip->cmd_ctrl(mtd, command, ctrl); ++ if (command != NAND_CMD_NONE) ++ chip->cmd_ctrl(mtd, command, ctrl); + + /* Address cycle, when necessary */ + ctrl = NAND_CTRL_ALE | NAND_CTRL_CHANGE; +@@ -647,6 +648,7 @@ static void nand_command(struct mtd_info *mtd, unsigned int command, + */ + switch (command) { + ++ case NAND_CMD_NONE: + case NAND_CMD_PAGEPROG: + case NAND_CMD_ERASE1: + case NAND_CMD_ERASE2: +@@ -709,7 +711,9 @@ static void nand_command_lp(struct mtd_info *mtd, unsigned int command, + } + + /* Command latch cycle */ +- chip->cmd_ctrl(mtd, command, NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE); ++ if (command != NAND_CMD_NONE) ++ chip->cmd_ctrl(mtd, command, ++ NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE); + + if (column != -1 || page_addr != -1) { + int ctrl = NAND_CTRL_CHANGE | NAND_NCE | NAND_ALE; +@@ -742,6 +746,7 @@ static void nand_command_lp(struct mtd_info *mtd, unsigned int command, + */ + switch (command) { + ++ case NAND_CMD_NONE: + case NAND_CMD_CACHEDPROG: + case NAND_CMD_PAGEPROG: + case NAND_CMD_ERASE1: +diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c +index c9eb78f10a0d..421ae660d579 100644 +--- a/drivers/mtd/ubi/block.c ++++ b/drivers/mtd/ubi/block.c +@@ -241,7 +241,7 @@ static int ubiblock_open(struct block_device *bdev, fmode_t mode) + * in any case. + */ + if (mode & FMODE_WRITE) { +- ret = -EPERM; ++ ret = -EROFS; + goto out_unlock; + } + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 9fd4f7838080..db6957a2b011 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -907,6 +907,17 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, + return -EINVAL; + } + ++ /* ++ * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes. ++ * MLC NAND is different and needs special care, otherwise UBI or UBIFS ++ * will die soon and you will lose all your data. ++ */ ++ if (mtd->type == MTD_MLCNANDFLASH) { ++ pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n", ++ mtd->index); ++ return -EINVAL; ++ } ++ + if (ubi_num == UBI_DEV_NUM_AUTO) { + /* Search for an empty slot in the @ubi_devices array */ + for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++) +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c +index b2a665398bca..4c1d12bacfd0 100644 +--- a/drivers/mtd/ubi/fastmap-wl.c ++++ b/drivers/mtd/ubi/fastmap-wl.c +@@ -331,7 +331,6 @@ static void ubi_fastmap_close(struct ubi_device *ubi) + { + int i; + +- flush_work(&ubi->fm_work); + return_unused_pool_pebs(ubi, &ubi->fm_pool); + return_unused_pool_pebs(ubi, &ubi->fm_wl_pool); + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 16f9c742bc30..32fe93a2d73e 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1476,39 +1476,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + goto err_close; + } + +- /* If the mode uses primary, then the following is handled by +- * bond_change_active_slave(). +- */ +- if (!bond_uses_primary(bond)) { +- /* set promiscuity level to new slave */ +- if (bond_dev->flags & IFF_PROMISC) { +- res = dev_set_promiscuity(slave_dev, 1); +- if (res) +- goto err_close; +- } +- +- /* set allmulti level to new slave */ +- if (bond_dev->flags & IFF_ALLMULTI) { +- res = dev_set_allmulti(slave_dev, 1); +- if (res) +- goto err_close; +- } +- +- netif_addr_lock_bh(bond_dev); +- +- dev_mc_sync_multiple(slave_dev, bond_dev); +- dev_uc_sync_multiple(slave_dev, bond_dev); +- +- netif_addr_unlock_bh(bond_dev); +- } +- +- if (BOND_MODE(bond) == BOND_MODE_8023AD) { +- /* add lacpdu mc addr to mc list */ +- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR; +- +- dev_mc_add(slave_dev, lacpdu_multicast); +- } +- + res = vlan_vids_add_by_dev(slave_dev, bond_dev); + if (res) { + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n", +@@ -1633,8 +1600,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + } /* switch(bond_mode) */ + + #ifdef CONFIG_NET_POLL_CONTROLLER +- slave_dev->npinfo = bond->dev->npinfo; +- if (slave_dev->npinfo) { ++ if (bond->dev->npinfo) { + if (slave_enable_netpoll(new_slave)) { + netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n"); + res = -EBUSY; +@@ -1665,6 +1631,40 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + goto err_upper_unlink; + } + ++ /* If the mode uses primary, then the following is handled by ++ * bond_change_active_slave(). ++ */ ++ if (!bond_uses_primary(bond)) { ++ /* set promiscuity level to new slave */ ++ if (bond_dev->flags & IFF_PROMISC) { ++ res = dev_set_promiscuity(slave_dev, 1); ++ if (res) ++ goto err_sysfs_del; ++ } ++ ++ /* set allmulti level to new slave */ ++ if (bond_dev->flags & IFF_ALLMULTI) { ++ res = dev_set_allmulti(slave_dev, 1); ++ if (res) { ++ if (bond_dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(slave_dev, -1); ++ goto err_sysfs_del; ++ } ++ } ++ ++ netif_addr_lock_bh(bond_dev); ++ dev_mc_sync_multiple(slave_dev, bond_dev); ++ dev_uc_sync_multiple(slave_dev, bond_dev); ++ netif_addr_unlock_bh(bond_dev); ++ ++ if (BOND_MODE(bond) == BOND_MODE_8023AD) { ++ /* add lacpdu mc addr to mc list */ ++ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR; ++ ++ dev_mc_add(slave_dev, lacpdu_multicast); ++ } ++ } ++ + bond->slave_cnt++; + bond_compute_features(bond); + bond_set_carrier(bond); +@@ -1688,6 +1688,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + return 0; + + /* Undo stages on error */ ++err_sysfs_del: ++ bond_sysfs_slave_del(new_slave); ++ + err_upper_unlink: + bond_upper_dev_unlink(bond_dev, slave_dev); + +@@ -1695,9 +1698,6 @@ err_unregister: + netdev_rx_handler_unregister(slave_dev); + + err_detach: +- if (!bond_uses_primary(bond)) +- bond_hw_addr_flush(bond_dev, slave_dev); +- + vlan_vids_del_by_dev(slave_dev, bond_dev); + if (rcu_access_pointer(bond->primary_slave) == new_slave) + RCU_INIT_POINTER(bond->primary_slave, NULL); +@@ -2533,11 +2533,13 @@ static void bond_loadbalance_arp_mon(struct work_struct *work) + bond_for_each_slave_rcu(bond, slave, iter) { + unsigned long trans_start = dev_trans_start(slave->dev); + ++ slave->new_link = BOND_LINK_NOCHANGE; ++ + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, trans_start, 1) && + bond_time_in_interval(bond, slave->last_rx, 1)) { + +- slave->link = BOND_LINK_UP; ++ slave->new_link = BOND_LINK_UP; + slave_state_changed = 1; + + /* primary_slave has no meaning in round-robin +@@ -2564,7 +2566,7 @@ static void bond_loadbalance_arp_mon(struct work_struct *work) + if (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, slave->last_rx, 2)) { + +- slave->link = BOND_LINK_DOWN; ++ slave->new_link = BOND_LINK_DOWN; + slave_state_changed = 1; + + if (slave->link_failure_count < UINT_MAX) +@@ -2595,6 +2597,11 @@ static void bond_loadbalance_arp_mon(struct work_struct *work) + if (!rtnl_trylock()) + goto re_arm; + ++ bond_for_each_slave(bond, slave, iter) { ++ if (slave->new_link != BOND_LINK_NOCHANGE) ++ slave->link = slave->new_link; ++ } ++ + if (slave_state_changed) { + bond_slave_state_change(bond); + if (BOND_MODE(bond) == BOND_MODE_XOR) +@@ -3261,12 +3268,17 @@ static void bond_fold_stats(struct rtnl_link_stats64 *_res, + for (i = 0; i < sizeof(*_res) / sizeof(u64); i++) { + u64 nv = new[i]; + u64 ov = old[i]; ++ s64 delta = nv - ov; + + /* detects if this particular field is 32bit only */ + if (((nv | ov) >> 32) == 0) +- res[i] += (u32)nv - (u32)ov; +- else +- res[i] += nv - ov; ++ delta = (s64)(s32)((u32)nv - (u32)ov); ++ ++ /* filter anomalies, some drivers reset their stats ++ * at down/up events. ++ */ ++ if (delta > 0) ++ res[i] += delta; + } + } + +diff --git a/drivers/net/can/cc770/cc770.c b/drivers/net/can/cc770/cc770.c +index c11d44984036..76b3c1462139 100644 +--- a/drivers/net/can/cc770/cc770.c ++++ b/drivers/net/can/cc770/cc770.c +@@ -390,37 +390,23 @@ static int cc770_get_berr_counter(const struct net_device *dev, + return 0; + } + +-static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static void cc770_tx(struct net_device *dev, int mo) + { + struct cc770_priv *priv = netdev_priv(dev); +- struct net_device_stats *stats = &dev->stats; +- struct can_frame *cf = (struct can_frame *)skb->data; +- unsigned int mo = obj2msgobj(CC770_OBJ_TX); ++ struct can_frame *cf = (struct can_frame *)priv->tx_skb->data; + u8 dlc, rtr; + u32 id; + int i; + +- if (can_dropped_invalid_skb(dev, skb)) +- return NETDEV_TX_OK; +- +- if ((cc770_read_reg(priv, +- msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) { +- netdev_err(dev, "TX register is still occupied!\n"); +- return NETDEV_TX_BUSY; +- } +- +- netif_stop_queue(dev); +- + dlc = cf->can_dlc; + id = cf->can_id; +- if (cf->can_id & CAN_RTR_FLAG) +- rtr = 0; +- else +- rtr = MSGCFG_DIR; ++ rtr = cf->can_id & CAN_RTR_FLAG ? 0 : MSGCFG_DIR; ++ ++ cc770_write_reg(priv, msgobj[mo].ctrl0, ++ MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES); + cc770_write_reg(priv, msgobj[mo].ctrl1, + RMTPND_RES | TXRQST_RES | CPUUPD_SET | NEWDAT_RES); +- cc770_write_reg(priv, msgobj[mo].ctrl0, +- MSGVAL_SET | TXIE_SET | RXIE_RES | INTPND_RES); ++ + if (id & CAN_EFF_FLAG) { + id &= CAN_EFF_MASK; + cc770_write_reg(priv, msgobj[mo].config, +@@ -439,22 +425,30 @@ static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev) + for (i = 0; i < dlc; i++) + cc770_write_reg(priv, msgobj[mo].data[i], cf->data[i]); + +- /* Store echo skb before starting the transfer */ +- can_put_echo_skb(skb, dev, 0); +- + cc770_write_reg(priv, msgobj[mo].ctrl1, +- RMTPND_RES | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC); ++ RMTPND_UNC | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC); ++ cc770_write_reg(priv, msgobj[mo].ctrl0, ++ MSGVAL_SET | TXIE_SET | RXIE_SET | INTPND_UNC); ++} + +- stats->tx_bytes += dlc; ++static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev) ++{ ++ struct cc770_priv *priv = netdev_priv(dev); ++ unsigned int mo = obj2msgobj(CC770_OBJ_TX); + ++ if (can_dropped_invalid_skb(dev, skb)) ++ return NETDEV_TX_OK; + +- /* +- * HM: We had some cases of repeated IRQs so make sure the +- * INT is acknowledged I know it's already further up, but +- * doing again fixed the issue +- */ +- cc770_write_reg(priv, msgobj[mo].ctrl0, +- MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES); ++ netif_stop_queue(dev); ++ ++ if ((cc770_read_reg(priv, ++ msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) { ++ netdev_err(dev, "TX register is still occupied!\n"); ++ return NETDEV_TX_BUSY; ++ } ++ ++ priv->tx_skb = skb; ++ cc770_tx(dev, mo); + + return NETDEV_TX_OK; + } +@@ -680,19 +674,46 @@ static void cc770_tx_interrupt(struct net_device *dev, unsigned int o) + struct cc770_priv *priv = netdev_priv(dev); + struct net_device_stats *stats = &dev->stats; + unsigned int mo = obj2msgobj(o); ++ struct can_frame *cf; ++ u8 ctrl1; ++ ++ ctrl1 = cc770_read_reg(priv, msgobj[mo].ctrl1); + +- /* Nothing more to send, switch off interrupts */ + cc770_write_reg(priv, msgobj[mo].ctrl0, + MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES); +- /* +- * We had some cases of repeated IRQ so make sure the +- * INT is acknowledged ++ cc770_write_reg(priv, msgobj[mo].ctrl1, ++ RMTPND_RES | TXRQST_RES | MSGLST_RES | NEWDAT_RES); ++ ++ if (unlikely(!priv->tx_skb)) { ++ netdev_err(dev, "missing tx skb in tx interrupt\n"); ++ return; ++ } ++ ++ if (unlikely(ctrl1 & MSGLST_SET)) { ++ stats->rx_over_errors++; ++ stats->rx_errors++; ++ } ++ ++ /* When the CC770 is sending an RTR message and it receives a regular ++ * message that matches the id of the RTR message, it will overwrite the ++ * outgoing message in the TX register. When this happens we must ++ * process the received message and try to transmit the outgoing skb ++ * again. + */ +- cc770_write_reg(priv, msgobj[mo].ctrl0, +- MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES); ++ if (unlikely(ctrl1 & NEWDAT_SET)) { ++ cc770_rx(dev, mo, ctrl1); ++ cc770_tx(dev, mo); ++ return; ++ } + ++ cf = (struct can_frame *)priv->tx_skb->data; ++ stats->tx_bytes += cf->can_dlc; + stats->tx_packets++; ++ ++ can_put_echo_skb(priv->tx_skb, dev, 0); + can_get_echo_skb(dev, 0); ++ priv->tx_skb = NULL; ++ + netif_wake_queue(dev); + } + +@@ -804,6 +825,7 @@ struct net_device *alloc_cc770dev(int sizeof_priv) + priv->can.do_set_bittiming = cc770_set_bittiming; + priv->can.do_set_mode = cc770_set_mode; + priv->can.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES; ++ priv->tx_skb = NULL; + + memcpy(priv->obj_flags, cc770_obj_flags, sizeof(cc770_obj_flags)); + +diff --git a/drivers/net/can/cc770/cc770.h b/drivers/net/can/cc770/cc770.h +index a1739db98d91..95752e1d1283 100644 +--- a/drivers/net/can/cc770/cc770.h ++++ b/drivers/net/can/cc770/cc770.h +@@ -193,6 +193,8 @@ struct cc770_priv { + u8 cpu_interface; /* CPU interface register */ + u8 clkout; /* Clock out register */ + u8 bus_config; /* Bus conffiguration register */ ++ ++ struct sk_buff *tx_skb; + }; + + struct net_device *alloc_cc770dev(int sizeof_priv); +diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c +index b927021c6c40..af3db6b146ab 100644 +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c +@@ -535,6 +535,7 @@ static void xgene_enet_cle_bypass(struct xgene_enet_pdata *pdata, + xgene_enet_rd_csr(pdata, CLE_BYPASS_REG0_0_ADDR, &cb); + cb |= CFG_CLE_BYPASS_EN0; + CFG_CLE_IP_PROTOCOL0_SET(&cb, 3); ++ CFG_CLE_IP_HDR_LEN_SET(&cb, 0); + xgene_enet_wr_csr(pdata, CLE_BYPASS_REG0_0_ADDR, cb); + + xgene_enet_rd_csr(pdata, CLE_BYPASS_REG1_0_ADDR, &cb); +diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h +index d9bc89d69266..2a2b41a4c9bf 100644 +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h +@@ -145,6 +145,7 @@ enum xgene_enet_rm { + #define CFG_TXCLK_MUXSEL0_SET(dst, val) xgene_set_bits(dst, val, 29, 3) + + #define CFG_CLE_IP_PROTOCOL0_SET(dst, val) xgene_set_bits(dst, val, 16, 2) ++#define CFG_CLE_IP_HDR_LEN_SET(dst, val) xgene_set_bits(dst, val, 8, 5) + #define CFG_CLE_DSTQID0_SET(dst, val) xgene_set_bits(dst, val, 0, 12) + #define CFG_CLE_FPSEL0_SET(dst, val) xgene_set_bits(dst, val, 16, 4) + #define CFG_MACMODE_SET(dst, val) xgene_set_bits(dst, val, 18, 2) +diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c +index c31c7407b753..425dae560322 100644 +--- a/drivers/net/ethernet/arc/emac_rockchip.c ++++ b/drivers/net/ethernet/arc/emac_rockchip.c +@@ -150,8 +150,10 @@ static int emac_rockchip_probe(struct platform_device *pdev) + /* Optional regulator for PHY */ + priv->regulator = devm_regulator_get_optional(dev, "phy"); + if (IS_ERR(priv->regulator)) { +- if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) +- return -EPROBE_DEFER; ++ if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) { ++ err = -EPROBE_DEFER; ++ goto out_clk_disable; ++ } + dev_err(dev, "no regulator found\n"); + priv->regulator = NULL; + } +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index 0eb43586c034..a3348ba658d3 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -2024,6 +2024,7 @@ static void bnx2x_set_rx_buf_size(struct bnx2x *bp) + ETH_OVREHEAD + + mtu + + BNX2X_FW_RX_ALIGN_END; ++ fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size); + /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */ + if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE) + fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD; +@@ -3877,15 +3878,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev) + /* when transmitting in a vf, start bd must hold the ethertype + * for fw to enforce it + */ ++ u16 vlan_tci = 0; + #ifndef BNX2X_STOP_ON_ERROR +- if (IS_VF(bp)) ++ if (IS_VF(bp)) { + #endif +- tx_start_bd->vlan_or_ethertype = +- cpu_to_le16(ntohs(eth->h_proto)); ++ /* Still need to consider inband vlan for enforced */ ++ if (__vlan_get_tag(skb, &vlan_tci)) { ++ tx_start_bd->vlan_or_ethertype = ++ cpu_to_le16(ntohs(eth->h_proto)); ++ } else { ++ tx_start_bd->bd_flags.as_bitfield |= ++ (X_ETH_INBAND_VLAN << ++ ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT); ++ tx_start_bd->vlan_or_ethertype = ++ cpu_to_le16(vlan_tci); ++ } + #ifndef BNX2X_STOP_ON_ERROR +- else ++ } else { + /* used by FW for packet accounting */ + tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod); ++ } + #endif + } + +diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c +index 5be892ffdaed..767132ec00f9 100644 +--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c ++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c +@@ -2861,7 +2861,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bfa_ioc *ioc, char *optrom_ver) + static void + bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer) + { +- memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN); ++ strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN); + } + + static void +diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c +index 482f6de6817d..ae96b4a32d90 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c +@@ -2573,8 +2573,8 @@ void t4vf_sge_stop(struct adapter *adapter) + int t4vf_sge_init(struct adapter *adapter) + { + struct sge_params *sge_params = &adapter->params.sge; +- u32 fl0 = sge_params->sge_fl_buffer_size[0]; +- u32 fl1 = sge_params->sge_fl_buffer_size[1]; ++ u32 fl_small_pg = sge_params->sge_fl_buffer_size[0]; ++ u32 fl_large_pg = sge_params->sge_fl_buffer_size[1]; + struct sge *s = &adapter->sge; + unsigned int ingpadboundary, ingpackboundary; + +@@ -2583,9 +2583,20 @@ int t4vf_sge_init(struct adapter *adapter) + * the Physical Function Driver. Ideally we should be able to deal + * with _any_ configuration. Practice is different ... + */ +- if (fl0 != PAGE_SIZE || (fl1 != 0 && fl1 <= fl0)) { ++ ++ /* We only bother using the Large Page logic if the Large Page Buffer ++ * is larger than our Page Size Buffer. ++ */ ++ if (fl_large_pg <= fl_small_pg) ++ fl_large_pg = 0; ++ ++ /* The Page Size Buffer must be exactly equal to our Page Size and the ++ * Large Page Size Buffer should be 0 (per above) or a power of 2. ++ */ ++ if (fl_small_pg != PAGE_SIZE || ++ (fl_large_pg & (fl_large_pg - 1)) != 0) { + dev_err(adapter->pdev_dev, "bad SGE FL buffer sizes [%d, %d]\n", +- fl0, fl1); ++ fl_small_pg, fl_large_pg); + return -EINVAL; + } + if ((sge_params->sge_control & RXPKTCPLMODE_F) == 0) { +@@ -2596,8 +2607,8 @@ int t4vf_sge_init(struct adapter *adapter) + /* + * Now translate the adapter parameters into our internal forms. + */ +- if (fl1) +- s->fl_pg_order = ilog2(fl1) - PAGE_SHIFT; ++ if (fl_large_pg) ++ s->fl_pg_order = ilog2(fl_large_pg) - PAGE_SHIFT; + s->stat_len = ((sge_params->sge_control & EGRSTATUSPAGESIZE_F) + ? 128 : 64); + s->pktshift = PKTSHIFT_G(sge_params->sge_control); +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c +index 6d0c5d5eea6d..58c0fccdd8cb 100644 +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -28,6 +28,7 @@ + #include <linux/io.h> + #include <linux/module.h> + #include <linux/netdevice.h> ++#include <linux/of.h> + #include <linux/phy.h> + #include <linux/platform_device.h> + #include <net/ip.h> +diff --git a/drivers/net/ethernet/freescale/fsl_pq_mdio.c b/drivers/net/ethernet/freescale/fsl_pq_mdio.c +index 3c40f6b99224..28e97686f6aa 100644 +--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c ++++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c +@@ -370,7 +370,7 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev) + { + const struct of_device_id *id = + of_match_device(fsl_pq_mdio_match, &pdev->dev); +- const struct fsl_pq_mdio_data *data = id->data; ++ const struct fsl_pq_mdio_data *data; + struct device_node *np = pdev->dev.of_node; + struct resource res; + struct device_node *tbi; +@@ -378,6 +378,13 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev) + struct mii_bus *new_bus; + int err; + ++ if (!id) { ++ dev_err(&pdev->dev, "Failed to match device\n"); ++ return -ENODEV; ++ } ++ ++ data = id->data; ++ + dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible); + + new_bus = mdiobus_alloc_size(sizeof(*priv)); +diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ibm/emac/core.c +index b9df0cbd0a38..9571f7dad162 100644 +--- a/drivers/net/ethernet/ibm/emac/core.c ++++ b/drivers/net/ethernet/ibm/emac/core.c +@@ -342,6 +342,7 @@ static int emac_reset(struct emac_instance *dev) + { + struct emac_regs __iomem *p = dev->emacp; + int n = 20; ++ bool __maybe_unused try_internal_clock = false; + + DBG(dev, "reset" NL); + +@@ -354,6 +355,7 @@ static int emac_reset(struct emac_instance *dev) + } + + #ifdef CONFIG_PPC_DCR_NATIVE ++do_retry: + /* + * PPC460EX/GT Embedded Processor Advanced User's Manual + * section 28.10.1 Mode Register 0 (EMACx_MR0) states: +@@ -361,10 +363,19 @@ static int emac_reset(struct emac_instance *dev) + * of the EMAC. If none is present, select the internal clock + * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1). + * After a soft reset, select the external clock. ++ * ++ * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the ++ * ethernet cable is not attached. This causes the reset to timeout ++ * and the PHY detection code in emac_init_phy() is unable to ++ * communicate and detect the AR8035-A PHY. As a result, the emac ++ * driver bails out early and the user has no ethernet. ++ * In order to stay compatible with existing configurations, the ++ * driver will temporarily switch to the internal clock, after ++ * the first reset fails. + */ + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) { +- if (dev->phy_address == 0xffffffff && +- dev->phy_map == 0xffffffff) { ++ if (try_internal_clock || (dev->phy_address == 0xffffffff && ++ dev->phy_map == 0xffffffff)) { + /* No PHY: select internal loop clock before reset */ + dcri_clrset(SDR0, SDR0_ETH_CFG, + 0, SDR0_ETH_CFG_ECS << dev->cell_index); +@@ -382,8 +393,15 @@ static int emac_reset(struct emac_instance *dev) + + #ifdef CONFIG_PPC_DCR_NATIVE + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) { +- if (dev->phy_address == 0xffffffff && +- dev->phy_map == 0xffffffff) { ++ if (!n && !try_internal_clock) { ++ /* first attempt has timed out. */ ++ n = 20; ++ try_internal_clock = true; ++ goto do_retry; ++ } ++ ++ if (try_internal_clock || (dev->phy_address == 0xffffffff && ++ dev->phy_map == 0xffffffff)) { + /* No PHY: restore external clock source after reset */ + dcri_clrset(SDR0, SDR0_ETH_CFG, + SDR0_ETH_CFG_ECS << dev->cell_index, 0); +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 39e9d7db23df..66cbf19b7635 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -1182,6 +1182,7 @@ static void e1000e_tx_hwtstamp_work(struct work_struct *work) + struct e1000_hw *hw = &adapter->hw; + + if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) { ++ struct sk_buff *skb = adapter->tx_hwtstamp_skb; + struct skb_shared_hwtstamps shhwtstamps; + u64 txstmp; + +@@ -1190,9 +1191,14 @@ static void e1000e_tx_hwtstamp_work(struct work_struct *work) + + e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp); + +- skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps); +- dev_kfree_skb_any(adapter->tx_hwtstamp_skb); ++ /* Clear the global tx_hwtstamp_skb pointer and force writes ++ * prior to notifying the stack of a Tx timestamp. ++ */ + adapter->tx_hwtstamp_skb = NULL; ++ wmb(); /* force write prior to skb_tstamp_tx */ ++ ++ skb_tstamp_tx(skb, &shhwtstamps); ++ dev_kfree_skb_any(skb); + } else if (time_after(jiffies, adapter->tx_hwtstamp_start + + adapter->tx_timeout_factor * HZ)) { + dev_kfree_skb_any(adapter->tx_hwtstamp_skb); +@@ -3524,6 +3530,12 @@ s32 e1000e_get_base_timinca(struct e1000_adapter *adapter, u32 *timinca) + + switch (hw->mac.type) { + case e1000_pch2lan: ++ /* Stable 96MHz frequency */ ++ incperiod = INCPERIOD_96MHz; ++ incvalue = INCVALUE_96MHz; ++ shift = INCVALUE_SHIFT_96MHz; ++ adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz; ++ break; + case e1000_pch_lpt: + case e1000_pch_spt: + /* On I217, I218 and I219, the clock frequency is 25MHz +@@ -6375,12 +6387,17 @@ static int e1000e_pm_thaw(struct device *dev) + static int e1000e_pm_suspend(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ int rc; + + e1000e_flush_lpic(pdev); + + e1000e_pm_freeze(dev); + +- return __e1000_shutdown(pdev, false); ++ rc = __e1000_shutdown(pdev, false); ++ if (rc) ++ e1000e_pm_thaw(dev); ++ ++ return rc; + } + + static int e1000e_pm_resume(struct device *dev) +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c +index 4b9d9f88af70..502a54e9ac33 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c +@@ -869,7 +869,7 @@ static void fm10k_self_test(struct net_device *dev, + + memset(data, 0, sizeof(*data) * FM10K_TEST_LEN); + +- if (FM10K_REMOVED(hw)) { ++ if (FM10K_REMOVED(hw->hw_addr)) { + netif_err(interface, drv, dev, + "Interface removed - test blocked\n"); + eth_test->flags |= ETH_TEST_FL_FAILED; +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index d9f4498832a1..bc39fd5e22ad 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -5067,7 +5067,7 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + INIT_WORK(&hw->restart_work, sky2_restart); + + pci_set_drvdata(pdev, hw); +- pdev->d3_delay = 150; ++ pdev->d3_delay = 200; + + return 0; + +diff --git a/drivers/net/ethernet/mellanox/mlx4/mcg.c b/drivers/net/ethernet/mellanox/mlx4/mcg.c +index bd9ea0d01aae..b0d677cad93a 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c +@@ -35,6 +35,7 @@ + #include <linux/etherdevice.h> + + #include <linux/mlx4/cmd.h> ++#include <linux/mlx4/qp.h> + #include <linux/export.h> + + #include "mlx4.h" +@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *dev, + if (IS_ERR(mailbox)) + return PTR_ERR(mailbox); + ++ if (!mlx4_qp_lookup(dev, rule->qpn)) { ++ mlx4_err_rule(dev, "QP doesn't exist\n", rule); ++ ret = -EINVAL; ++ goto out; ++ } ++ + trans_rule_ctrl_to_hw(rule, mailbox->buf); + + size += sizeof(struct mlx4_net_trans_rule_hw_ctrl); + + list_for_each_entry(cur, &rule->list, list) { + ret = parse_trans_rule(dev, cur, mailbox->buf + size); +- if (ret < 0) { +- mlx4_free_cmd_mailbox(dev, mailbox); +- return ret; +- } ++ if (ret < 0) ++ goto out; ++ + size += ret; + } + +@@ -1021,6 +1027,7 @@ int mlx4_flow_attach(struct mlx4_dev *dev, + } + } + ++out: + mlx4_free_cmd_mailbox(dev, mailbox); + + return ret; +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c +index eb1dcb7e9e96..c20e2d2f911a 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -381,6 +381,19 @@ static void mlx4_qp_free_icm(struct mlx4_dev *dev, int qpn) + __mlx4_qp_free_icm(dev, qpn); + } + ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn) ++{ ++ struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table; ++ struct mlx4_qp *qp; ++ ++ spin_lock(&qp_table->lock); ++ ++ qp = __mlx4_qp_lookup(dev, qpn); ++ ++ spin_unlock(&qp_table->lock); ++ return qp; ++} ++ + int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp) + { + struct mlx4_priv *priv = mlx4_priv(dev); +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c +index b8d5270359cd..e30676515529 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c +@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu) + cmd.req.arg3 = 0; + + if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE) +- netxen_issue_cmd(adapter, &cmd); ++ rcode = netxen_issue_cmd(adapter, &cmd); + + if (rcode != NX_RCODE_SUCCESS) + return -EIO; +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c +index 75ee9e4ced51..01e250935787 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c +@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapter *adapter, int sem, u32 id_reg) + } + return -EIO; + } +- usleep_range(1000, 1500); ++ udelay(1200); + } + + if (id_reg) +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index e6312465fe45..d732c63cd496 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -126,6 +126,8 @@ static int qlcnic_sriov_virtid_fn(struct qlcnic_adapter *adapter, int vf_id) + return 0; + + pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV); ++ if (!pos) ++ return 0; + pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset); + pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride); + +diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c +index be258d90de9e..e3223f2fe2ff 100644 +--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c +@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev, struct ql_mpi_coredump *mpi_coredump) + sizeof(struct mpi_coredump_global_header); + mpi_coredump->mpi_global_header.imageSize = + sizeof(struct ql_mpi_coredump); +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", + sizeof(mpi_coredump->mpi_global_header.idString)); + + /* Get generic NIC reg dump */ +@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_adapter *qdev, + sizeof(struct mpi_coredump_global_header); + mpi_coredump->mpi_global_header.imageSize = + sizeof(struct ql_reg_dump); +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", + sizeof(mpi_coredump->mpi_global_header.idString)); + + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index cba41860167c..32113fafc07b 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -296,8 +296,9 @@ qcaspi_receive(struct qcaspi *qca) + + /* Allocate rx SKB if we don't have one available. */ + if (!qca->rx_skb) { +- qca->rx_skb = netdev_alloc_skb(net_dev, +- net_dev->mtu + VLAN_ETH_HLEN); ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, ++ net_dev->mtu + ++ VLAN_ETH_HLEN); + if (!qca->rx_skb) { + netdev_dbg(net_dev, "out of RX resources\n"); + qca->stats.out_of_mem++; +@@ -377,7 +378,7 @@ qcaspi_receive(struct qcaspi *qca) + qca->rx_skb, qca->rx_skb->dev); + qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY; + netif_rx_ni(qca->rx_skb); +- qca->rx_skb = netdev_alloc_skb(net_dev, ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, + net_dev->mtu + VLAN_ETH_HLEN); + if (!qca->rx_skb) { + netdev_dbg(net_dev, "out of RX resources\n"); +@@ -759,7 +760,8 @@ qcaspi_netdev_init(struct net_device *dev) + if (!qca->rx_buffer) + return -ENOBUFS; + +- qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN); ++ qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu + ++ VLAN_ETH_HLEN); + if (!qca->rx_skb) { + kfree(qca->rx_buffer); + netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n"); +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 0ae76e419482..c64ed1613928 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -3217,7 +3217,7 @@ static int sh_eth_drv_probe(struct platform_device *pdev) + /* MDIO bus init */ + ret = sh_mdio_init(mdp, pd); + if (ret) { +- dev_err(&ndev->dev, "failed to initialise MDIO\n"); ++ dev_err(&pdev->dev, "failed to initialise MDIO\n"); + goto out_release; + } + +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c +index b536b4c82752..9d12f7012798 100644 +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -291,6 +291,10 @@ struct cpsw_ss_regs { + /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */ + #define CPSW_V1_SEQ_ID_OFS_SHIFT 16 + ++#define CPSW_MAX_BLKS_TX 15 ++#define CPSW_MAX_BLKS_TX_SHIFT 4 ++#define CPSW_MAX_BLKS_RX 5 ++ + struct cpsw_host_regs { + u32 max_blks; + u32 blk_cnt; +@@ -1126,11 +1130,23 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv) + switch (priv->version) { + case CPSW_VERSION_1: + slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP); ++ /* Increase RX FIFO size to 5 for supporting fullduplex ++ * flow control mode ++ */ ++ slave_write(slave, ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) | ++ CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS); + break; + case CPSW_VERSION_2: + case CPSW_VERSION_3: + case CPSW_VERSION_4: + slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP); ++ /* Increase RX FIFO size to 5 for supporting fullduplex ++ * flow control mode ++ */ ++ slave_write(slave, ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) | ++ CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS); + break; + } + +diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c +index 49fe59b180a8..a75ce9051a7f 100644 +--- a/drivers/net/hamradio/hdlcdrv.c ++++ b/drivers/net/hamradio/hdlcdrv.c +@@ -574,6 +574,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + case HDLCDRVCTL_CALIBRATE: + if(!capable(CAP_SYS_RAWIO)) + return -EPERM; ++ if (s->par.bitrate <= 0) ++ return -EINVAL; + if (bi.data.calibrate > INT_MAX / s->par.bitrate) + return -EINVAL; + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index f3cd85ecd795..7439df3dd667 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -275,6 +275,10 @@ static int ipvlan_rcv_frame(struct ipvl_addr *addr, struct sk_buff *skb, + if (dev_forward_skb(ipvlan->dev, skb) == NET_RX_SUCCESS) + success = true; + } else { ++ if (!ether_addr_equal_64bits(eth_hdr(skb)->h_dest, ++ ipvlan->phy_dev->dev_addr)) ++ skb->pkt_type = PACKET_OTHERHOST; ++ + ret = RX_HANDLER_ANOTHER; + success = true; + } +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c +index 1ca78b46c01b..0afda59439d5 100644 +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -123,6 +123,12 @@ static inline int phy_aneg_done(struct phy_device *phydev) + if (phydev->drv->aneg_done) + return phydev->drv->aneg_done(phydev); + ++ /* Avoid genphy_aneg_done() if the Clause 45 PHY does not ++ * implement Clause 22 registers ++ */ ++ if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0))) ++ return -EINVAL; ++ + return genphy_aneg_done(phydev); + } + +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 31aa93907b77..0123d7d1a391 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -638,6 +638,10 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + lock_sock(sk); + + error = -EINVAL; ++ ++ if (sockaddr_len != sizeof(struct sockaddr_pppox)) ++ goto end; ++ + if (sp->sa_protocol != PX_PROTO_OE) + goto end; + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index b35199cc8f34..17407494531e 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -502,7 +502,6 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + po->chan.mtu = dst_mtu(&rt->dst); + if (!po->chan.mtu) + po->chan.mtu = PPP_MRU; +- ip_rt_put(rt); + po->chan.mtu -= PPTP_HEADER_OVERHEAD; + + po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header); +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index 27ed25252aac..cfd81eb1b532 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize) + if(x < 0 || x > comp->rslot_limit) + goto bad; + ++ /* Check if the cstate is initialized */ ++ if (!comp->rstate[x].initialized) ++ goto bad; ++ + comp->flags &=~ SLF_TOSS; + comp->recv_current = x; + } else { +@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize) + if (cs->cs_tcp.doff > 5) + memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4); + cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2; ++ cs->initialized = true; + /* Put headers back on packet + * Neither header checksum is recalculated + */ +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index a16b054a4fa6..463b8d013deb 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -247,6 +247,17 @@ static void __team_option_inst_mark_removed_port(struct team *team, + } + } + ++static bool __team_option_inst_tmp_find(const struct list_head *opts, ++ const struct team_option_inst *needle) ++{ ++ struct team_option_inst *opt_inst; ++ ++ list_for_each_entry(opt_inst, opts, tmp_list) ++ if (opt_inst == needle) ++ return true; ++ return false; ++} ++ + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -1034,14 +1045,11 @@ static void team_port_leave(struct team *team, struct team_port *port) + } + + #ifdef CONFIG_NET_POLL_CONTROLLER +-static int team_port_enable_netpoll(struct team *team, struct team_port *port) ++static int __team_port_enable_netpoll(struct team_port *port) + { + struct netpoll *np; + int err; + +- if (!team->dev->npinfo) +- return 0; +- + np = kzalloc(sizeof(*np), GFP_KERNEL); + if (!np) + return -ENOMEM; +@@ -1055,6 +1063,14 @@ static int team_port_enable_netpoll(struct team *team, struct team_port *port) + return err; + } + ++static int team_port_enable_netpoll(struct team_port *port) ++{ ++ if (!port->team->dev->npinfo) ++ return 0; ++ ++ return __team_port_enable_netpoll(port); ++} ++ + static void team_port_disable_netpoll(struct team_port *port) + { + struct netpoll *np = port->np; +@@ -1069,7 +1085,7 @@ static void team_port_disable_netpoll(struct team_port *port) + kfree(np); + } + #else +-static int team_port_enable_netpoll(struct team *team, struct team_port *port) ++static int team_port_enable_netpoll(struct team_port *port) + { + return 0; + } +@@ -1176,7 +1192,7 @@ static int team_port_add(struct team *team, struct net_device *port_dev) + goto err_vids_add; + } + +- err = team_port_enable_netpoll(team, port); ++ err = team_port_enable_netpoll(port); + if (err) { + netdev_err(dev, "Failed to enable netpoll on device %s\n", + portname); +@@ -1884,7 +1900,7 @@ static int team_netpoll_setup(struct net_device *dev, + + mutex_lock(&team->lock); + list_for_each_entry(port, &team->port_list, list) { +- err = team_port_enable_netpoll(team, port); ++ err = __team_port_enable_netpoll(port); + if (err) { + __team_netpoll_cleanup(team); + break; +@@ -2371,7 +2387,7 @@ send_done: + if (!nlh) { + err = __send_and_alloc_skb(&skb, team, portid, send_func); + if (err) +- goto errout; ++ return err; + goto send_done; + } + +@@ -2535,6 +2551,14 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + if (err) + goto team_put; + opt_inst->changed = true; ++ ++ /* dumb/evil user-space can send us duplicate opt, ++ * keep only the last one ++ */ ++ if (__team_option_inst_tmp_find(&opt_inst_list, ++ opt_inst)) ++ continue; ++ + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { +@@ -2651,7 +2675,7 @@ send_done: + if (!nlh) { + err = __send_and_alloc_skb(&skb, team, portid, send_func); + if (err) +- goto errout; ++ return err; + goto send_done; + } + +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c +index 4545e78840b0..5243d2797c3d 100644 +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -750,6 +750,12 @@ static const struct usb_device_id products[] = { + USB_CDC_SUBCLASS_ETHERNET, + USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&wwan_info, ++}, { ++ /* Cinterion AHS3 modem by GEMALTO */ ++ USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM, ++ USB_CDC_SUBCLASS_ETHERNET, ++ USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&wwan_info, + }, { + /* Telit modules */ + USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 3d97fd391793..23a327e93732 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -674,6 +674,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)}, + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)}, + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, ++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */ + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 2e61a799f32a..611c78be4da9 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -397,6 +397,9 @@ static int veth_newlink(struct net *src_net, struct net_device *dev, + if (ifmp && (dev->ifindex != 0)) + peer->ifindex = ifmp->ifi_index; + ++ peer->gso_max_size = dev->gso_max_size; ++ peer->gso_max_segs = dev->gso_max_segs; ++ + err = register_netdevice(peer); + put_net(net); + net = NULL; +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 64ca961bca18..9ecc6ca5e4b4 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -852,7 +852,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb) + struct virtio_net_hdr_mrg_rxbuf *hdr; + const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest; + struct virtnet_info *vi = sq->vq->vdev->priv; +- unsigned num_sg; ++ int num_sg; + unsigned hdr_len = vi->hdr_len; + bool can_push; + +@@ -905,11 +905,16 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb) + if (can_push) { + __skb_push(skb, hdr_len); + num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len); ++ if (unlikely(num_sg < 0)) ++ return num_sg; + /* Pull header back to avoid skew in tx bytes calculations. */ + __skb_pull(skb, hdr_len); + } else { + sg_set_buf(sq->sg, hdr, hdr_len); +- num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1; ++ num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len); ++ if (unlikely(num_sg < 0)) ++ return num_sg; ++ num_sg++; + } + return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC); + } +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 0b9c8d61f7d1..51998a85e314 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -2655,6 +2655,11 @@ vmxnet3_force_close(struct vmxnet3_adapter *adapter) + /* we need to enable NAPI, otherwise dev_close will deadlock */ + for (i = 0; i < adapter->num_rx_queues; i++) + napi_enable(&adapter->rx_queue[i].napi); ++ /* ++ * Need to clear the quiesce bit to ensure that vmxnet3_close ++ * can quiesce the device properly ++ */ ++ clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state); + dev_close(adapter->netdev); + } + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 1ad3700ed9c7..8ddefc96fb50 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1001,7 +1001,7 @@ static bool vxlan_snoop(struct net_device *dev, + return false; + + /* Don't migrate static entries, drop packets */ +- if (f->state & NUD_NOARP) ++ if (f->state & (NUD_PERMANENT | NUD_NOARP)) + return true; + + if (net_ratelimit()) +diff --git a/drivers/net/wan/pc300too.c b/drivers/net/wan/pc300too.c +index db363856e0b5..2b064998915f 100644 +--- a/drivers/net/wan/pc300too.c ++++ b/drivers/net/wan/pc300too.c +@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci_dev *pdev, + card->rambase == NULL) { + pr_err("ioremap() failed\n"); + pc300_pci_remove_one(pdev); ++ return -ENOMEM; + } + + /* PLX PCI 9050 workaround for local configuration register read bug */ +diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c +index 1b69427fbb29..8b1ab8880113 100644 +--- a/drivers/net/wireless/ath/ath10k/debug.c ++++ b/drivers/net/wireless/ath/ath10k/debug.c +@@ -1853,6 +1853,15 @@ static ssize_t ath10k_write_simulate_radar(struct file *file, + size_t count, loff_t *ppos) + { + struct ath10k *ar = file->private_data; ++ struct ath10k_vif *arvif; ++ ++ /* Just check for for the first vif alone, as all the vifs will be ++ * sharing the same channel and if the channel is disabled, all the ++ * vifs will share the same 'is_started' state. ++ */ ++ arvif = list_first_entry(&ar->arvifs, typeof(*arvif), list); ++ if (!arvif->is_started) ++ return -EINVAL; + + ieee80211_radar_detected(ar->hw); + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 6757d9c63bf2..561a777ba8c7 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -4001,9 +4001,8 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk) + sta->addr, smps, err); + } + +- if (changed & IEEE80211_RC_SUPP_RATES_CHANGED || +- changed & IEEE80211_RC_NSS_CHANGED) { +- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates/nss\n", ++ if (changed & IEEE80211_RC_SUPP_RATES_CHANGED) { ++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates\n", + sta->addr); + + err = ath10k_station_assoc(ar, arvif->vif, sta, true); +diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c +index c70782e8f07b..b5802e37ab24 100644 +--- a/drivers/net/wireless/ath/ath5k/debug.c ++++ b/drivers/net/wireless/ath/ath5k/debug.c +@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode *inode, struct file *file) + } + + for (i = 0; i < eesize; ++i) { +- AR5K_EEPROM_READ(i, val); ++ if (!ath5k_hw_nvram_read(ah, i, &val)) { ++ ret = -EIO; ++ goto freebuf; ++ } + buf[i] = val; + } + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 5e15e8e10ed3..bb64d7377a96 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -1593,6 +1593,10 @@ bool ath9k_hw_check_alive(struct ath_hw *ah) + int count = 50; + u32 reg, last_val; + ++ /* Check if chip failed to wake up */ ++ if (REG_READ(ah, AR_CFG) == 0xdeadbeef) ++ return false; ++ + if (AR_SREV_9300(ah)) + return !ath9k_hw_detect_mac_hang(ah); + +diff --git a/drivers/net/wireless/ath/regd.c b/drivers/net/wireless/ath/regd.c +index 06ea6cc9e30a..62077bda8dde 100644 +--- a/drivers/net/wireless/ath/regd.c ++++ b/drivers/net/wireless/ath/regd.c +@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain) + EXPORT_SYMBOL(ath_is_49ghz_allowed); + + /* Frequency is one where radar detection is required */ +-static bool ath_is_radar_freq(u16 center_freq) ++static bool ath_is_radar_freq(u16 center_freq, ++ struct ath_regulatory *reg) ++ + { ++ if (reg->country_code == CTRY_INDIA) ++ return (center_freq >= 5500 && center_freq <= 5700); + return (center_freq >= 5260 && center_freq <= 5700); + } + +@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct wiphy *wiphy, + enum nl80211_reg_initiator initiator, + struct ieee80211_channel *ch) + { +- if (ath_is_radar_freq(ch->center_freq) || ++ if (ath_is_radar_freq(ch->center_freq, reg) || + (ch->flags & IEEE80211_CHAN_RADAR)) + return; + +@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wiphy, + } + } + +-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */ +-static void ath_reg_apply_radar_flags(struct wiphy *wiphy) ++/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */ ++static void ath_reg_apply_radar_flags(struct wiphy *wiphy, ++ struct ath_regulatory *reg) + { + struct ieee80211_supported_band *sband; + struct ieee80211_channel *ch; +@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(struct wiphy *wiphy) + + for (i = 0; i < sband->n_channels; i++) { + ch = &sband->channels[i]; +- if (!ath_is_radar_freq(ch->center_freq)) ++ if (!ath_is_radar_freq(ch->center_freq, reg)) + continue; + /* We always enable radar detection/DFS on this + * frequency range. Additionally we also apply on +@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy *wiphy, + struct ath_common *common = container_of(reg, struct ath_common, + regulatory); + /* We always apply this */ +- ath_reg_apply_radar_flags(wiphy); ++ ath_reg_apply_radar_flags(wiphy, reg); + + /* + * This would happen when we have sent a custom regulatory request +@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulatory *reg, + } + + wiphy_apply_custom_regulatory(wiphy, regd); +- ath_reg_apply_radar_flags(wiphy); ++ ath_reg_apply_radar_flags(wiphy, reg); + ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg); + return 0; + } +diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c +index a058151f5eed..ec51447365c1 100644 +--- a/drivers/net/wireless/ath/wil6210/main.c ++++ b/drivers/net/wireless/ath/wil6210/main.c +@@ -118,9 +118,15 @@ void wil_memcpy_fromio_32(void *dst, const volatile void __iomem *src, + u32 *d = dst; + const volatile u32 __iomem *s = src; + +- /* size_t is unsigned, if (count%4 != 0) it will wrap */ +- for (count += 4; count > 4; count -= 4) ++ for (; count >= 4; count -= 4) + *d++ = __raw_readl(s++); ++ ++ if (unlikely(count)) { ++ /* count can be 1..3 */ ++ u32 tmp = __raw_readl(s); ++ ++ memcpy(d, &tmp, count); ++ } + } + + void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src, +@@ -129,8 +135,16 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src, + volatile u32 __iomem *d = dst; + const u32 *s = src; + +- for (count += 4; count > 4; count -= 4) ++ for (; count >= 4; count -= 4) + __raw_writel(*s++, d++); ++ ++ if (unlikely(count)) { ++ /* count can be 1..3 */ ++ u32 tmp = 0; ++ ++ memcpy(&tmp, s, count); ++ __raw_writel(tmp, d); ++ } + } + + static void wil_disconnect_cid(struct wil6210_priv *wil, int cid, +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c +index 710fbe570eb2..a85ac706f892 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c +@@ -460,25 +460,23 @@ static int brcmf_p2p_set_firmware(struct brcmf_if *ifp, u8 *p2p_mac) + * @dev_addr: optional device address. + * + * P2P needs mac addresses for P2P device and interface. If no device +- * address it specified, these are derived from the primary net device, ie. +- * the permanent ethernet address of the device. ++ * address it specified, these are derived from a random ethernet ++ * address. + */ + static void brcmf_p2p_generate_bss_mac(struct brcmf_p2p_info *p2p, u8 *dev_addr) + { +- struct brcmf_if *pri_ifp = p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif->ifp; +- bool local_admin = false; ++ bool random_addr = false; + +- if (!dev_addr || is_zero_ether_addr(dev_addr)) { +- dev_addr = pri_ifp->mac_addr; +- local_admin = true; +- } ++ if (!dev_addr || is_zero_ether_addr(dev_addr)) ++ random_addr = true; + +- /* Generate the P2P Device Address. This consists of the device's +- * primary MAC address with the locally administered bit set. ++ /* Generate the P2P Device Address obtaining a random ethernet ++ * address with the locally administered bit set. + */ +- memcpy(p2p->dev_addr, dev_addr, ETH_ALEN); +- if (local_admin) +- p2p->dev_addr[0] |= 0x02; ++ if (random_addr) ++ eth_random_addr(p2p->dev_addr); ++ else ++ memcpy(p2p->dev_addr, dev_addr, ETH_ALEN); + + /* Generate the P2P Interface Address. If the discovery and connection + * BSSCFGs need to simultaneously co-exist, then this address must be +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index aafb97ce080d..eadb9ded7070 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -699,16 +699,21 @@ static int hwsim_fops_ps_write(void *dat, u64 val) + val != PS_MANUAL_POLL) + return -EINVAL; + +- old_ps = data->ps; +- data->ps = val; +- +- local_bh_disable(); + if (val == PS_MANUAL_POLL) { ++ if (data->ps != PS_ENABLED) ++ return -EINVAL; ++ local_bh_disable(); + ieee80211_iterate_active_interfaces_atomic( + data->hw, IEEE80211_IFACE_ITER_NORMAL, + hwsim_send_ps_poll, data); +- data->ps_poll_pending = true; +- } else if (old_ps == PS_DISABLED && val != PS_DISABLED) { ++ local_bh_enable(); ++ return 0; ++ } ++ old_ps = data->ps; ++ data->ps = val; ++ ++ local_bh_disable(); ++ if (old_ps == PS_DISABLED && val != PS_DISABLED) { + ieee80211_iterate_active_interfaces_atomic( + data->hw, IEEE80211_IFACE_ITER_NORMAL, + hwsim_send_nullfunc_ps, data); +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 477f86354dc5..4482debcfe84 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_parms[] = { + 0x04, 0x08, /* Noise gain, limit offset */ + 0x28, 0x28, /* det rssi, med busy offsets */ + 7, /* det sync thresh */ +- 0, 2, 2 /* test mode, min, max */ ++ 0, 2, 2, /* test mode, min, max */ ++ 0, /* rx/tx delay */ ++ 0, 0, 0, 0, 0, 0, /* current BSS id */ ++ 0 /* hop set */ + }; + + /*===========================================================================*/ +@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_t *local) + * a_beacon_period = hops a_beacon_period = KuS + *//* 64ms = 010000 */ + if (local->fw_ver == 0x55) { +- memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms, ++ memcpy(&local->sparm.b4, b4_default_startup_parms, + sizeof(struct b4_startup_params)); + /* Translate sane kus input values to old build 4/5 format */ + /* i = hop time in uS truncated to 3 bytes */ +diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c +index d72ff8e7125d..3f2554fb1a62 100644 +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -3425,6 +3425,10 @@ static int rndis_wlan_bind(struct usbnet *usbdev, struct usb_interface *intf) + + /* because rndis_command() sleeps we need to use workqueue */ + priv->workqueue = create_singlethread_workqueue("rndis_wlan"); ++ if (!priv->workqueue) { ++ wiphy_free(wiphy); ++ return -ENOMEM; ++ } + INIT_WORK(&priv->work, rndis_wlan_worker); + INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller); + INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results); +diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c +index 629ad8cfa17b..6952aaa232f7 100644 +--- a/drivers/net/wireless/rtl818x/rtl8187/dev.c ++++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c +@@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_interface *intf, + goto err_free_dev; + } + mutex_init(&priv->io_mutex); ++ mutex_init(&priv->conf_mutex); + + SET_IEEE80211_DEV(dev, &intf->dev); + usb_set_intfdata(intf, dev); +@@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_interface *intf, + printk(KERN_ERR "rtl8187: Cannot register device\n"); + goto err_free_dmabuf; + } +- mutex_init(&priv->conf_mutex); + skb_queue_head_init(&priv->b_tx_status.queue); + + wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n", +diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c +index 5b4048041147..1f75586ab3a6 100644 +--- a/drivers/net/wireless/rtlwifi/pci.c ++++ b/drivers/net/wireless/rtlwifi/pci.c +@@ -1576,7 +1576,14 @@ int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw) + dev_kfree_skb_irq(skb); + ring->idx = (ring->idx + 1) % ring->entries; + } ++ ++ if (rtlpriv->use_new_trx_flow) { ++ rtlpci->tx_ring[i].cur_tx_rp = 0; ++ rtlpci->tx_ring[i].cur_tx_wp = 0; ++ } ++ + ring->idx = 0; ++ ring->entries = rtlpci->txringcount[i]; + } + } + spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags); +diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c +index c5d4b8013cde..5a0fffaed0f5 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c +@@ -664,7 +664,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); + struct sk_buff *skb = NULL; +- ++ bool rtstatus; + u32 totalpacketlen; + u8 u1rsvdpageloc[5] = { 0 }; + bool b_dlok = false; +@@ -727,7 +727,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) + memcpy((u8 *)skb_put(skb, totalpacketlen), + &reserved_page_packet, totalpacketlen); + +- b_dlok = true; ++ rtstatus = rtl_cmd_send_packet(hw, skb); ++ if (rtstatus) ++ b_dlok = true; + + if (b_dlok) { + RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD , +diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c b/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c +index 342678d2ed42..19f0db505a50 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c +@@ -2490,9 +2490,9 @@ void rtl8821ae_dm_txpower_tracking_callback_thermalmeter( + for (p = RF90_PATH_A; p < MAX_PATH_NUM_8821A; p++) + rtldm->swing_idx_ofdm_base[p] = rtldm->swing_idx_ofdm[p]; + +- RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD, +- "pDM_Odm->RFCalibrateInfo.ThermalValue = %d ThermalValue= %d\n", +- rtldm->thermalvalue, thermal_value); ++ RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD, ++ "pDM_Odm->RFCalibrateInfo.ThermalValue = %d ThermalValue= %d\n", ++ rtldm->thermalvalue, thermal_value); + /*Record last Power Tracking Thermal Value*/ + rtldm->thermalvalue = thermal_value; + } +diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c +index 76e52dfb2be5..cf0e54b8846c 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c +@@ -1377,6 +1377,7 @@ static void _rtl8821ae_get_wakeup_reason(struct ieee80211_hw *hw) + + ppsc->wakeup_reason = 0; + ++ do_gettimeofday(&ts); + rtlhal->last_suspend_sec = ts.tv_sec; + + switch (fw_reason) { +diff --git a/drivers/net/wireless/ti/wl1251/main.c b/drivers/net/wireless/ti/wl1251/main.c +index 040bf3c66958..0ac639ed4be9 100644 +--- a/drivers/net/wireless/ti/wl1251/main.c ++++ b/drivers/net/wireless/ti/wl1251/main.c +@@ -1201,8 +1201,7 @@ static void wl1251_op_bss_info_changed(struct ieee80211_hw *hw, + WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS); + + enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc; +- wl1251_acx_arp_ip_filter(wl, enable, addr); +- ++ ret = wl1251_acx_arp_ip_filter(wl, enable, addr); + if (ret < 0) + goto out_sleep; + } +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index fd9f6ce14e8e..58cb86417da0 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1986,7 +1986,10 @@ static void netback_changed(struct xenbus_device *dev, + case XenbusStateInitialised: + case XenbusStateReconfiguring: + case XenbusStateReconfigured: ++ break; ++ + case XenbusStateUnknown: ++ wake_up_all(&module_unload_q); + break; + + case XenbusStateInitWait: +@@ -2117,7 +2120,9 @@ static int xennet_remove(struct xenbus_device *dev) + xenbus_switch_state(dev, XenbusStateClosing); + wait_event(module_unload_q, + xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosing); ++ XenbusStateClosing || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown); + + xenbus_switch_state(dev, XenbusStateClosed); + wait_event(module_unload_q, +diff --git a/drivers/of/device.c b/drivers/of/device.c +index 493b21bd1199..6601cc62a990 100644 +--- a/drivers/of/device.c ++++ b/drivers/of/device.c +@@ -210,7 +210,7 @@ ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len) + str[i] = '_'; + } + +- return tsize; ++ return repend; + } + EXPORT_SYMBOL_GPL(of_device_get_modalias); + +diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c +index 53d15b30636a..e914007f5523 100644 +--- a/drivers/parport/parport_pc.c ++++ b/drivers/parport/parport_pc.c +@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards { + netmos_9901, + netmos_9865, + quatech_sppxp100, ++ wch_ch382l, + }; + + +@@ -2708,6 +2709,7 @@ static struct parport_pc_pci { + /* netmos_9901 */ { 1, { { 0, -1 }, } }, + /* netmos_9865 */ { 1, { { 0, -1 }, } }, + /* quatech_sppxp100 */ { 1, { { 0, 1 }, } }, ++ /* wch_ch382l */ { 1, { { 2, -1 }, } }, + }; + + static const struct pci_device_id parport_pc_pci_tbl[] = { +@@ -2797,6 +2799,8 @@ static const struct pci_device_id parport_pc_pci_tbl[] = { + /* Quatech SPPXP-100 Parallel port PCI ExpressCard */ + { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 }, ++ /* WCH CH382L PCI-E single parallel port card */ ++ { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l }, + { 0, } /* terminate list */ + }; + MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl); +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c +index b60309ee80ed..031f64da6151 100644 +--- a/drivers/pci/hotplug/acpiphp_glue.c ++++ b/drivers/pci/hotplug/acpiphp_glue.c +@@ -587,6 +587,7 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot) + { + unsigned long long sta = 0; + struct acpiphp_func *func; ++ u32 dvid; + + list_for_each_entry(func, &slot->funcs, sibling) { + if (func->flags & FUNC_HAS_STA) { +@@ -597,19 +598,27 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot) + if (ACPI_SUCCESS(status) && sta) + break; + } else { +- u32 dvid; +- +- pci_bus_read_config_dword(slot->bus, +- PCI_DEVFN(slot->device, +- func->function), +- PCI_VENDOR_ID, &dvid); +- if (dvid != 0xffffffff) { ++ if (pci_bus_read_dev_vendor_id(slot->bus, ++ PCI_DEVFN(slot->device, func->function), ++ &dvid, 0)) { + sta = ACPI_STA_ALL; + break; + } + } + } + ++ if (!sta) { ++ /* ++ * Check for the slot itself since it may be that the ++ * ACPI slot is a device below PCIe upstream port so in ++ * that case it may not even be reachable yet. ++ */ ++ if (pci_bus_read_dev_vendor_id(slot->bus, ++ PCI_DEVFN(slot->device, 0), &dvid, 0)) { ++ sta = ACPI_STA_ALL; ++ } ++ } ++ + return (unsigned int)sta; + } + +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index 1363fe636281..afb80eb5a528 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -450,8 +450,6 @@ static void pci_device_shutdown(struct device *dev) + + if (drv && drv->shutdown) + drv->shutdown(pci_dev); +- pci_msi_shutdown(pci_dev); +- pci_msix_shutdown(pci_dev); + + #ifdef CONFIG_KEXEC + /* +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index c7dc06636bf6..005fc2478ef4 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -227,7 +227,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, + res->flags |= IORESOURCE_ROM_ENABLE; + l64 = l & PCI_ROM_ADDRESS_MASK; + sz64 = sz & PCI_ROM_ADDRESS_MASK; +- mask64 = (u32)PCI_ROM_ADDRESS_MASK; ++ mask64 = PCI_ROM_ADDRESS_MASK; + } + + if (res->flags & IORESOURCE_MEM_64) { +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 7b9e3564fc43..4de72003515f 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3645,6 +3645,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645, ++ quirk_dma_func1_alias); + /* https://bugs.gentoo.org/show_bug.cgi?id=497630 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_JMICRON, + PCI_DEVICE_ID_JMICRON_JMB388_ESD, +diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c +index 00f32ff6f74e..c03763d68a95 100644 +--- a/drivers/pci/setup-res.c ++++ b/drivers/pci/setup-res.c +@@ -59,7 +59,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno) + mask = (u32)PCI_BASE_ADDRESS_IO_MASK; + new |= res->flags & ~PCI_BASE_ADDRESS_IO_MASK; + } else if (resno == PCI_ROM_RESOURCE) { +- mask = (u32)PCI_ROM_ADDRESS_MASK; ++ mask = PCI_ROM_ADDRESS_MASK; + } else { + mask = (u32)PCI_BASE_ADDRESS_MEM_MASK; + new |= res->flags & ~PCI_BASE_ADDRESS_MEM_MASK; +diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c +index 18ee2089df4a..db43f8b34e2a 100644 +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -977,19 +977,16 @@ struct pinctrl_state *pinctrl_lookup_state(struct pinctrl *p, + EXPORT_SYMBOL_GPL(pinctrl_lookup_state); + + /** +- * pinctrl_select_state() - select/activate/program a pinctrl state to HW ++ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW + * @p: the pinctrl handle for the device that requests configuration + * @state: the state handle to select/activate/program + */ +-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state) ++static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state) + { + struct pinctrl_setting *setting, *setting2; + struct pinctrl_state *old_state = p->state; + int ret; + +- if (p->state == state) +- return 0; +- + if (p->state) { + /* + * For each pinmux setting in the old state, forget SW's record +@@ -1053,6 +1050,19 @@ unapply_new_state: + + return ret; + } ++ ++/** ++ * pinctrl_select_state() - select/activate/program a pinctrl state to HW ++ * @p: the pinctrl handle for the device that requests configuration ++ * @state: the state handle to select/activate/program ++ */ ++int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state) ++{ ++ if (p->state == state) ++ return 0; ++ ++ return pinctrl_commit_state(p, state); ++} + EXPORT_SYMBOL_GPL(pinctrl_select_state); + + static void devm_pinctrl_release(struct device *dev, void *res) +@@ -1221,7 +1231,7 @@ void pinctrl_unregister_map(struct pinctrl_map const *map) + int pinctrl_force_sleep(struct pinctrl_dev *pctldev) + { + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep)) +- return pinctrl_select_state(pctldev->p, pctldev->hog_sleep); ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep); + return 0; + } + EXPORT_SYMBOL_GPL(pinctrl_force_sleep); +@@ -1233,7 +1243,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep); + int pinctrl_force_default(struct pinctrl_dev *pctldev) + { + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default)) +- return pinctrl_select_state(pctldev->p, pctldev->hog_default); ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_default); + return 0; + } + EXPORT_SYMBOL_GPL(pinctrl_force_default); +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index abdaed34c728..5ea4c5a72a66 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -99,6 +99,15 @@ static const struct dmi_system_id asus_quirks[] = { + */ + .driver_data = &quirk_asus_wapf4, + }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. X302UA", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"), ++ }, ++ .driver_data = &quirk_asus_wapf4, ++ }, + { + .callback = dmi_matched, + .ident = "ASUSTeK COMPUTER INC. X401U", +diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c +index dfe1ee89f7c7..922a86787c5c 100644 +--- a/drivers/power/pda_power.c ++++ b/drivers/power/pda_power.c +@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags(struct resource *res) + static struct device *dev; + static struct pda_power_pdata *pdata; + static struct resource *ac_irq, *usb_irq; +-static struct timer_list charger_timer; +-static struct timer_list supply_timer; +-static struct timer_list polling_timer; ++static struct delayed_work charger_work; ++static struct delayed_work polling_work; ++static struct delayed_work supply_work; + static int polling; + static struct power_supply *pda_psy_ac, *pda_psy_usb; + +@@ -140,7 +140,7 @@ static void update_charger(void) + } + } + +-static void supply_timer_func(unsigned long unused) ++static void supply_work_func(struct work_struct *work) + { + if (ac_status == PDA_PSY_TO_CHANGE) { + ac_status = new_ac_status; +@@ -161,11 +161,12 @@ static void psy_changed(void) + * Okay, charger set. Now wait a bit before notifying supplicants, + * charge power should stabilize. + */ +- mod_timer(&supply_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_charger)); ++ cancel_delayed_work(&supply_work); ++ schedule_delayed_work(&supply_work, ++ msecs_to_jiffies(pdata->wait_for_charger)); + } + +-static void charger_timer_func(unsigned long unused) ++static void charger_work_func(struct work_struct *work) + { + update_status(); + psy_changed(); +@@ -184,13 +185,14 @@ static irqreturn_t power_changed_isr(int irq, void *power_supply) + * Wait a bit before reading ac/usb line status and setting charger, + * because ac/usb status readings may lag from irq. + */ +- mod_timer(&charger_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_status)); ++ cancel_delayed_work(&charger_work); ++ schedule_delayed_work(&charger_work, ++ msecs_to_jiffies(pdata->wait_for_status)); + + return IRQ_HANDLED; + } + +-static void polling_timer_func(unsigned long unused) ++static void polling_work_func(struct work_struct *work) + { + int changed = 0; + +@@ -211,8 +213,9 @@ static void polling_timer_func(unsigned long unused) + if (changed) + psy_changed(); + +- mod_timer(&polling_timer, +- jiffies + msecs_to_jiffies(pdata->polling_interval)); ++ cancel_delayed_work(&polling_work); ++ schedule_delayed_work(&polling_work, ++ msecs_to_jiffies(pdata->polling_interval)); + } + + #if IS_ENABLED(CONFIG_USB_PHY) +@@ -250,8 +253,9 @@ static int otg_handle_notification(struct notifier_block *nb, + * Wait a bit before reading ac/usb line status and setting charger, + * because ac/usb status readings may lag from irq. + */ +- mod_timer(&charger_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_status)); ++ cancel_delayed_work(&charger_work); ++ schedule_delayed_work(&charger_work, ++ msecs_to_jiffies(pdata->wait_for_status)); + + return NOTIFY_OK; + } +@@ -300,8 +304,8 @@ static int pda_power_probe(struct platform_device *pdev) + if (!pdata->ac_max_uA) + pdata->ac_max_uA = 500000; + +- setup_timer(&charger_timer, charger_timer_func, 0); +- setup_timer(&supply_timer, supply_timer_func, 0); ++ INIT_DELAYED_WORK(&charger_work, charger_work_func); ++ INIT_DELAYED_WORK(&supply_work, supply_work_func); + + ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac"); + usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb"); +@@ -385,9 +389,10 @@ static int pda_power_probe(struct platform_device *pdev) + + if (polling) { + dev_dbg(dev, "will poll for status\n"); +- setup_timer(&polling_timer, polling_timer_func, 0); +- mod_timer(&polling_timer, +- jiffies + msecs_to_jiffies(pdata->polling_interval)); ++ INIT_DELAYED_WORK(&polling_work, polling_work_func); ++ cancel_delayed_work(&polling_work); ++ schedule_delayed_work(&polling_work, ++ msecs_to_jiffies(pdata->polling_interval)); + } + + if (ac_irq || usb_irq) +@@ -433,9 +438,9 @@ static int pda_power_remove(struct platform_device *pdev) + free_irq(ac_irq->start, pda_psy_ac); + + if (polling) +- del_timer_sync(&polling_timer); +- del_timer_sync(&charger_timer); +- del_timer_sync(&supply_timer); ++ cancel_delayed_work_sync(&polling_work); ++ cancel_delayed_work_sync(&charger_work); ++ cancel_delayed_work_sync(&supply_work); + + if (pdata->is_usb_online) + power_supply_unregister(pda_psy_usb); +diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c +index 84419af16f77..fd12ccc11e26 100644 +--- a/drivers/powercap/powercap_sys.c ++++ b/drivers/powercap/powercap_sys.c +@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_zone( + + power_zone->id = result; + idr_init(&power_zone->idr); ++ result = -ENOMEM; + power_zone->name = kstrdup(name, GFP_KERNEL); + if (!power_zone->name) + goto err_name_alloc; +diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c +index cabd7d8e05cc..3e07855bbea7 100644 +--- a/drivers/pwm/pwm-tegra.c ++++ b/drivers/pwm/pwm-tegra.c +@@ -69,6 +69,7 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + struct tegra_pwm_chip *pc = to_tegra_pwm_chip(chip); + unsigned long long c; + unsigned long rate, hz; ++ unsigned long long ns100 = NSEC_PER_SEC; + u32 val = 0; + int err; + +@@ -87,9 +88,11 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + * cycles at the PWM clock rate will take period_ns nanoseconds. + */ + rate = clk_get_rate(pc->clk) >> PWM_DUTY_WIDTH; +- hz = NSEC_PER_SEC / period_ns; + +- rate = (rate + (hz / 2)) / hz; ++ /* Consider precision in PWM_SCALE_WIDTH rate calculation */ ++ ns100 *= 100; ++ hz = DIV_ROUND_CLOSEST_ULL(ns100, period_ns); ++ rate = DIV_ROUND_CLOSEST(rate * 100, hz); + + /* + * Since the actual PWM divider is the register's frequency divider +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c +index 038da40e4038..f84c0506afd0 100644 +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -262,6 +262,13 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm) + missing = year; + } + ++ /* Can't proceed if alarm is still invalid after replacing ++ * missing fields. ++ */ ++ err = rtc_valid_tm(&alarm->time); ++ if (err) ++ goto done; ++ + /* with luck, no rollover is needed */ + t_now = rtc_tm_to_time64(&now); + t_alm = rtc_tm_to_time64(&alarm->time); +@@ -313,9 +320,9 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm) + dev_warn(&rtc->dev, "alarm rollover not handled\n"); + } + +-done: + err = rtc_valid_tm(&alarm->time); + ++done: + if (err) { + dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n", + alarm->time.tm_year + 1900, alarm->time.tm_mon + 1, +diff --git a/drivers/rtc/rtc-ds1374.c b/drivers/rtc/rtc-ds1374.c +index 167783fa7ac1..216ad22996b8 100644 +--- a/drivers/rtc/rtc-ds1374.c ++++ b/drivers/rtc/rtc-ds1374.c +@@ -527,6 +527,10 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd, + if (get_user(new_margin, (int __user *)arg)) + return -EFAULT; + ++ /* the hardware's tick rate is 4096 Hz, so ++ * the counter value needs to be scaled accordingly ++ */ ++ new_margin <<= 12; + if (new_margin < 1 || new_margin > 16777216) + return -EINVAL; + +@@ -535,7 +539,8 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd, + ds1374_wdt_ping(); + /* fallthrough */ + case WDIOC_GETTIMEOUT: +- return put_user(wdt_margin, (int __user *)arg); ++ /* when returning ... inverse is true */ ++ return put_user((wdt_margin >> 12), (int __user *)arg); + case WDIOC_SETOPTIONS: + if (copy_from_user(&options, (int __user *)arg, sizeof(int))) + return -EFAULT; +@@ -543,14 +548,15 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd, + if (options & WDIOS_DISABLECARD) { + pr_info("disable watchdog\n"); + ds1374_wdt_disable(); ++ return 0; + } + + if (options & WDIOS_ENABLECARD) { + pr_info("enable watchdog\n"); + ds1374_wdt_settimeout(wdt_margin); + ds1374_wdt_ping(); ++ return 0; + } +- + return -EINVAL; + } + return -ENOTTY; +diff --git a/drivers/rtc/rtc-opal.c b/drivers/rtc/rtc-opal.c +index 482af0dda0b0..ff217034f6d6 100644 +--- a/drivers/rtc/rtc-opal.c ++++ b/drivers/rtc/rtc-opal.c +@@ -150,6 +150,16 @@ static int opal_get_tpo_time(struct device *dev, struct rtc_wkalrm *alarm) + + y_m_d = be32_to_cpu(__y_m_d); + h_m_s_ms = ((u64)be32_to_cpu(__h_m) << 32); ++ ++ /* check if no alarm is set */ ++ if (y_m_d == 0 && h_m_s_ms == 0) { ++ pr_debug("No alarm is set\n"); ++ rc = -ENOENT; ++ goto exit; ++ } else { ++ pr_debug("Alarm set to %x %llx\n", y_m_d, h_m_s_ms); ++ } ++ + opal_to_tm(y_m_d, h_m_s_ms, &alarm->time); + + exit: +diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c +index e3bf885f4a6c..d5f02c3da878 100644 +--- a/drivers/s390/cio/chsc.c ++++ b/drivers/s390/cio/chsc.c +@@ -362,6 +362,7 @@ static void chsc_process_sei_link_incident(struct chsc_sei_nt0_area *sei_area) + + static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area) + { ++ struct channel_path *chp; + struct chp_link link; + struct chp_id chpid; + int status; +@@ -374,10 +375,17 @@ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area) + chpid.id = sei_area->rsid; + /* allocate a new channel path structure, if needed */ + status = chp_get_status(chpid); +- if (status < 0) +- chp_new(chpid); +- else if (!status) ++ if (!status) + return; ++ ++ if (status < 0) { ++ chp_new(chpid); ++ } else { ++ chp = chpid_to_chp(chpid); ++ mutex_lock(&chp->lock); ++ chp_update_desc(chp); ++ mutex_unlock(&chp->lock); ++ } + memset(&link, 0, sizeof(struct chp_link)); + link.chpid = chpid; + if ((sei_area->vf & 0xc0) != 0) { +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index 848e3b64ea6e..fb7298920c8c 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct qdio_q *q, unsigned int ccq) + static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state, + int start, int count, int auto_ack) + { +- int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0; ++ int rc, tmp_count = count, tmp_start = start, nr = q->nr; + unsigned int ccq = 0; + + qperf_inc(q, eqbs); +@@ -149,14 +149,7 @@ again: + qperf_inc(q, eqbs_partial); + DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x", + tmp_count); +- /* +- * Retry once, if that fails bail out and process the +- * extracted buffers before trying again. +- */ +- if (!retried++) +- goto again; +- else +- return count - tmp_count; ++ return count - tmp_count; + } + + DBF_ERROR("%4x EQBS ERROR", SCH_NO(q)); +@@ -212,7 +205,10 @@ again: + return 0; + } + +-/* returns number of examined buffers and their common state in *state */ ++/* ++ * Returns number of examined buffers and their common state in *state. ++ * Requested number of buffers-to-examine must be > 0. ++ */ + static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr, + unsigned char *state, unsigned int count, + int auto_ack, int merge_pending) +@@ -223,17 +219,23 @@ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr, + if (is_qebsm(q)) + return qdio_do_eqbs(q, state, bufnr, count, auto_ack); + +- for (i = 0; i < count; i++) { +- if (!__state) { +- __state = q->slsb.val[bufnr]; +- if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) +- __state = SLSB_P_OUTPUT_EMPTY; +- } else if (merge_pending) { +- if ((q->slsb.val[bufnr] & __state) != __state) +- break; +- } else if (q->slsb.val[bufnr] != __state) +- break; ++ /* get initial state: */ ++ __state = q->slsb.val[bufnr]; ++ if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) ++ __state = SLSB_P_OUTPUT_EMPTY; ++ ++ for (i = 1; i < count; i++) { + bufnr = next_buf(bufnr); ++ ++ /* merge PENDING into EMPTY: */ ++ if (merge_pending && ++ q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING && ++ __state == SLSB_P_OUTPUT_EMPTY) ++ continue; ++ ++ /* stop if next state differs from initial state: */ ++ if (q->slsb.val[bufnr] != __state) ++ break; + } + *state = __state; + return i; +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 9e9964ca696b..81d23bbbd316 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -517,8 +517,7 @@ static inline int qeth_is_cq(struct qeth_card *card, unsigned int queue) + queue == card->qdio.no_in_queues - 1; + } + +- +-static int qeth_issue_next_read(struct qeth_card *card) ++static int __qeth_issue_next_read(struct qeth_card *card) + { + int rc; + struct qeth_cmd_buffer *iob; +@@ -549,6 +548,17 @@ static int qeth_issue_next_read(struct qeth_card *card) + return rc; + } + ++static int qeth_issue_next_read(struct qeth_card *card) ++{ ++ int ret; ++ ++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card))); ++ ret = __qeth_issue_next_read(card); ++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card))); ++ ++ return ret; ++} ++ + static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card) + { + struct qeth_reply *reply; +@@ -951,7 +961,7 @@ void qeth_clear_thread_running_bit(struct qeth_card *card, unsigned long thread) + spin_lock_irqsave(&card->thread_mask_lock, flags); + card->thread_running_mask &= ~thread; + spin_unlock_irqrestore(&card->thread_mask_lock, flags); +- wake_up(&card->wait_q); ++ wake_up_all(&card->wait_q); + } + EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit); + +@@ -1155,6 +1165,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm, + } + rc = qeth_get_problem(cdev, irb); + if (rc) { ++ card->read_or_write_problem = 1; + qeth_clear_ipacmd_list(card); + qeth_schedule_recovery(card); + goto out; +@@ -1173,7 +1184,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm, + return; + if (channel == &card->read && + channel->state == CH_STATE_UP) +- qeth_issue_next_read(card); ++ __qeth_issue_next_read(card); + + iob = channel->iob; + index = channel->buf_no; +@@ -5017,8 +5028,6 @@ static void qeth_core_free_card(struct qeth_card *card) + QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *)); + qeth_clean_channel(&card->read); + qeth_clean_channel(&card->write); +- if (card->dev) +- free_netdev(card->dev); + kfree(card->ip_tbd_list); + qeth_free_qdio_buffers(card); + unregister_service_level(&card->qeth_service_level); +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index b0413f5611cf..3f79f83451ae 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -913,8 +913,8 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev) + qeth_l2_set_offline(cgdev); + + if (card->dev) { +- netif_napi_del(&card->napi); + unregister_netdev(card->dev); ++ free_netdev(card->dev); + card->dev = NULL; + } + return; +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index 6dbf0d5a2a22..34c8a4d20498 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -3358,8 +3358,8 @@ static void qeth_l3_remove_device(struct ccwgroup_device *cgdev) + qeth_l3_set_offline(cgdev); + + if (card->dev) { +- netif_napi_del(&card->napi); + unregister_netdev(card->dev); ++ free_netdev(card->dev); + card->dev = NULL; + } + +diff --git a/drivers/scsi/bnx2fc/bnx2fc.h b/drivers/scsi/bnx2fc/bnx2fc.h +index 1346e052e03c..8009158a6639 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc.h ++++ b/drivers/scsi/bnx2fc/bnx2fc.h +@@ -191,6 +191,7 @@ struct bnx2fc_hba { + struct bnx2fc_cmd_mgr *cmd_mgr; + spinlock_t hba_lock; + struct mutex hba_mutex; ++ struct mutex hba_stats_mutex; + unsigned long adapter_state; + #define ADAPTER_STATE_UP 0 + #define ADAPTER_STATE_GOING_DOWN 1 +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +index 98d06d151958..d477c687af55 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -641,15 +641,17 @@ static struct fc_host_statistics *bnx2fc_get_host_stats(struct Scsi_Host *shost) + if (!fw_stats) + return NULL; + ++ mutex_lock(&hba->hba_stats_mutex); ++ + bnx2fc_stats = fc_get_host_stats(shost); + + init_completion(&hba->stat_req_done); + if (bnx2fc_send_stat_req(hba)) +- return bnx2fc_stats; ++ goto unlock_stats_mutex; + rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ)); + if (!rc) { + BNX2FC_HBA_DBG(lport, "FW stat req timed out\n"); +- return bnx2fc_stats; ++ goto unlock_stats_mutex; + } + BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt); + bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt; +@@ -671,6 +673,9 @@ static struct fc_host_statistics *bnx2fc_get_host_stats(struct Scsi_Host *shost) + + memcpy(&hba->prev_stats, hba->stats_buffer, + sizeof(struct fcoe_statistics_params)); ++ ++unlock_stats_mutex: ++ mutex_unlock(&hba->hba_stats_mutex); + return bnx2fc_stats; + } + +@@ -1303,6 +1308,7 @@ static struct bnx2fc_hba *bnx2fc_hba_create(struct cnic_dev *cnic) + } + spin_lock_init(&hba->hba_lock); + mutex_init(&hba->hba_mutex); ++ mutex_init(&hba->hba_stats_mutex); + + hba->cnic = cnic; + +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c +index 2e66f34ebb79..13580192691f 100644 +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -1769,7 +1769,6 @@ csio_hw_use_fwconfig(struct csio_hw *hw, int reset, u32 *fw_cfg_param) + goto bye; + } + +- mempool_free(mbp, hw->mb_mempool); + if (finicsum != cfcsum) { + csio_warn(hw, + "Config File checksum mismatch: csum=%#x, computed=%#x\n", +@@ -1780,6 +1779,10 @@ csio_hw_use_fwconfig(struct csio_hw *hw, int reset, u32 *fw_cfg_param) + rv = csio_hw_validate_caps(hw, mbp); + if (rv != 0) + goto bye; ++ ++ mempool_free(mbp, hw->mb_mempool); ++ mbp = NULL; ++ + /* + * Note that we're operating with parameters + * not supplied by the driver, rather than from hard-wired +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index cd52c070701b..3a9648d7f441 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -835,8 +835,10 @@ static void ipr_sata_eh_done(struct ipr_cmnd *ipr_cmd) + + qc->err_mask |= AC_ERR_OTHER; + sata_port->ioasa.status |= ATA_BUSY; +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + ata_qc_complete(qc); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + } + + /** +@@ -5859,8 +5861,10 @@ static void ipr_erp_done(struct ipr_cmnd *ipr_cmd) + res->in_erp = 0; + } + scsi_dma_unmap(ipr_cmd->scsi_cmd); +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + } + + /** +@@ -6250,8 +6254,10 @@ static void ipr_erp_start(struct ipr_ioa_cfg *ioa_cfg, + } + + scsi_dma_unmap(ipr_cmd->scsi_cmd); +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + } + + /** +@@ -6277,8 +6283,10 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd) + scsi_dma_unmap(scsi_cmd); + + spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags); +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags); + } else { + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 8826110991eb..e14bfcd37692 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc) + */ + switch (session->state) { + case ISCSI_STATE_FAILED: ++ /* ++ * cmds should fail during shutdown, if the session ++ * state is bad, allowing completion to happen ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ reason = FAILURE_SESSION_FAILED; ++ sc->result = DID_NO_CONNECT << 16; ++ break; ++ } + case ISCSI_STATE_IN_RECOVERY: + reason = FAILURE_SESSION_IN_RECOVERY; + sc->result = DID_IMM_RETRY << 16; +@@ -1979,6 +1988,19 @@ static enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc) + } + + if (session->state != ISCSI_STATE_LOGGED_IN) { ++ /* ++ * During shutdown, if session is prematurely disconnected, ++ * recovery won't happen and there will be hung cmds. Not ++ * handling cmds would trigger EH, also bad in this case. ++ * Instead, handle cmd, allow completion to happen and let ++ * upper layer to deal with the result. ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ sc->result = DID_NO_CONNECT << 16; ++ ISCSI_DBG_EH(session, "sc on shutdown, handled\n"); ++ rc = BLK_EH_HANDLED; ++ goto done; ++ } + /* + * We are probably in the middle of iscsi recovery so let + * that complete and handle the error. +@@ -2083,7 +2105,7 @@ done: + task->last_timeout = jiffies; + spin_unlock(&session->frwd_lock); + ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ? +- "timer reset" : "nh"); ++ "timer reset" : "shutdown or nh"); + return rc; + } + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 022bb6e10d98..12886f96b286 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp) + phy->phy->minimum_linkrate = dr->pmin_linkrate; + phy->phy->maximum_linkrate = dr->pmax_linkrate; + phy->phy->negotiated_linkrate = phy->linkrate; ++ phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED); + + skip: + if (new_phy) +@@ -675,7 +676,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy) + res = smp_execute_task(dev, req, RPEL_REQ_SIZE, + resp, RPEL_RESP_SIZE); + +- if (!res) ++ if (res) + goto out; + + phy->invalid_dword_count = scsi_to_u32(&resp[12]); +@@ -684,6 +685,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy) + phy->phy_reset_problem_count = scsi_to_u32(&resp[24]); + + out: ++ kfree(req); + kfree(resp); + return res; + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 625e3ee877ee..570332956ae7 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -13517,6 +13517,9 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq, + case LPFC_Q_CREATE_VERSION_1: + bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1, + wq->entry_count); ++ bf_set(lpfc_mbox_hdr_version, &shdr->request, ++ LPFC_Q_CREATE_VERSION_1); ++ + switch (wq->entry_size) { + default: + case 64: +diff --git a/drivers/scsi/mac_esp.c b/drivers/scsi/mac_esp.c +index 14c0334f41e4..26c67c42985c 100644 +--- a/drivers/scsi/mac_esp.c ++++ b/drivers/scsi/mac_esp.c +@@ -55,6 +55,7 @@ struct mac_esp_priv { + int error; + }; + static struct esp *esp_chips[2]; ++static DEFINE_SPINLOCK(esp_chips_lock); + + #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \ + platform_get_drvdata((struct platform_device *) \ +@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform_device *dev) + } + + host->irq = IRQ_MAC_SCSI; +- esp_chips[dev->id] = esp; +- mb(); +- if (esp_chips[!dev->id] == NULL) { +- err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL); +- if (err < 0) { +- esp_chips[dev->id] = NULL; +- goto fail_free_priv; +- } ++ ++ /* The request_irq() call is intended to succeed for the first device ++ * and fail for the second device. ++ */ ++ err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL); ++ spin_lock(&esp_chips_lock); ++ if (err < 0 && esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); ++ goto fail_free_priv; + } ++ esp_chips[dev->id] = esp; ++ spin_unlock(&esp_chips_lock); + + err = scsi_esp_register(esp, &dev->dev); + if (err) +@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform_device *dev) + return 0; + + fail_free_irq: +- if (esp_chips[!dev->id] == NULL) ++ spin_lock(&esp_chips_lock); ++ esp_chips[dev->id] = NULL; ++ if (esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); + free_irq(host->irq, esp); ++ } else ++ spin_unlock(&esp_chips_lock); + fail_free_priv: + kfree(mep); + fail_free_command_block: +@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platform_device *dev) + + scsi_esp_unregister(esp); + ++ spin_lock(&esp_chips_lock); + esp_chips[dev->id] = NULL; +- if (!(esp_chips[0] || esp_chips[1])) ++ if (esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); + free_irq(irq, NULL); ++ } else ++ spin_unlock(&esp_chips_lock); + + kfree(mep); + +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 55df57341858..17c12263dbd1 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -180,7 +180,7 @@ static struct { + {"HITACHI", "6586-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"HITACHI", "6588-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"HP", "A6189A", NULL, BLIST_SPARSELUN | BLIST_LARGELUN}, /* HP VA7400 */ +- {"HP", "OPEN-", "*", BLIST_REPORTLUN2}, /* HP XP Arrays */ ++ {"HP", "OPEN-", "*", BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES}, /* HP XP Arrays */ + {"HP", "NetRAID-4M", NULL, BLIST_FORCELUN}, + {"HP", "HSV100", NULL, BLIST_REPORTLUN2 | BLIST_NOSTARTONADD}, + {"HP", "C1557A", NULL, BLIST_FORCELUN}, +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index a678dd10905f..1977738cb0f5 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1811,6 +1811,8 @@ sd_spinup_disk(struct scsi_disk *sdkp) + break; /* standby */ + if (sshdr.asc == 4 && sshdr.ascq == 0xc) + break; /* unavailable */ ++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b) ++ break; /* sanitize in progress */ + /* + * Issue command to spin up drive when not ready + */ +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c +index dcb0d76d7312..2ecf9844eb2e 100644 +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -528,7 +528,6 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, + ecomp = &edev->component[components++]; + + if (!IS_ERR(ecomp)) { +- ses_get_power_status(edev, ecomp); + if (addl_desc_ptr) + ses_process_descriptor( + ecomp, +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 2589a75f0810..b03ca046c79f 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -535,6 +535,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) + } else + count = (old_hdr->result == 0) ? 0 : -EIO; + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + retval = count; + free_old_hdr: + kfree(old_hdr); +@@ -575,6 +576,7 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp) + } + err_out: + err2 = sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + return err ? : err2 ? : count; + } + +@@ -674,18 +676,14 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) + * is a non-zero input_size, so emit a warning. + */ + if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) { +- static char cmd[TASK_COMM_LEN]; +- if (strcmp(current->comm, cmd)) { +- printk_ratelimited(KERN_WARNING +- "sg_write: data in/out %d/%d bytes " +- "for SCSI command 0x%x-- guessing " +- "data in;\n program %s not setting " +- "count and/or reply_len properly\n", +- old_hdr.reply_len - (int)SZ_SG_HEADER, +- input_size, (unsigned int) cmnd[0], +- current->comm); +- strcpy(cmd, current->comm); +- } ++ printk_ratelimited(KERN_WARNING ++ "sg_write: data in/out %d/%d bytes " ++ "for SCSI command 0x%x-- guessing " ++ "data in;\n program %s not setting " ++ "count and/or reply_len properly\n", ++ old_hdr.reply_len - (int)SZ_SG_HEADER, ++ input_size, (unsigned int) cmnd[0], ++ current->comm); + } + k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking); + return (k < 0) ? k : count; +@@ -764,6 +762,35 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf, + return count; + } + ++static bool sg_is_valid_dxfer(sg_io_hdr_t *hp) ++{ ++ switch (hp->dxfer_direction) { ++ case SG_DXFER_NONE: ++ if (hp->dxferp || hp->dxfer_len > 0) ++ return false; ++ return true; ++ case SG_DXFER_FROM_DEV: ++ /* ++ * for SG_DXFER_FROM_DEV we always set dxfer_len to > 0. dxferp ++ * can either be NULL or != NULL so there's no point in checking ++ * it either. So just return true. ++ */ ++ return true; ++ case SG_DXFER_TO_DEV: ++ case SG_DXFER_TO_FROM_DEV: ++ if (!hp->dxferp || hp->dxfer_len == 0) ++ return false; ++ return true; ++ case SG_DXFER_UNKNOWN: ++ if ((!hp->dxferp && hp->dxfer_len) || ++ (hp->dxferp && hp->dxfer_len == 0)) ++ return false; ++ return true; ++ default: ++ return false; ++ } ++} ++ + static int + sg_common_write(Sg_fd * sfp, Sg_request * srp, + unsigned char *cmnd, int timeout, int blocking) +@@ -784,17 +811,22 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp, + "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n", + (int) cmnd[0], (int) hp->cmd_len)); + ++ if (!sg_is_valid_dxfer(hp)) ++ return -EINVAL; ++ + k = sg_start_req(srp, cmnd); + if (k) { + SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp, + "sg_common_write: start_req err=%d\n", k)); + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + return k; /* probably out of space --> ENOMEM */ + } + if (atomic_read(&sdp->detaching)) { + if (srp->bio) + blk_end_request_all(srp->rq, -EIO); + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + return -ENODEV; + } + +@@ -1284,6 +1316,7 @@ sg_rq_end_io_usercontext(struct work_struct *work) + struct sg_fd *sfp = srp->parentfp; + + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + kref_put(&sfp->f_ref, sg_remove_sfp); + } + +@@ -1828,8 +1861,6 @@ sg_finish_rem_req(Sg_request *srp) + else + sg_remove_scat(sfp, req_schp); + +- sg_remove_request(sfp, srp); +- + return ret; + } + +@@ -2066,11 +2097,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id) + if ((1 == resp->done) && (!resp->sg_io_owned) && + ((-1 == pack_id) || (resp->header.pack_id == pack_id))) { + resp->done = 2; /* guard against other readers */ +- break; ++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags); ++ return resp; + } + } + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); +- return resp; ++ return NULL; + } + + /* always adds to end of list */ +@@ -2176,12 +2208,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) + struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work); + struct sg_device *sdp = sfp->parentdp; + Sg_request *srp; ++ unsigned long iflags; + + /* Cleanup any responses which were never read(). */ ++ write_lock_irqsave(&sfp->rq_list_lock, iflags); + while (!list_empty(&sfp->rq_list)) { + srp = list_first_entry(&sfp->rq_list, Sg_request, entry); + sg_finish_rem_req(srp); ++ list_del(&srp->entry); ++ srp->parentfp = NULL; + } ++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + if (sfp->reserve.bufflen > 0) { + SCSI_LOG_TIMEOUT(6, sg_printk(KERN_INFO, sdp, +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c +index d836414c920d..ac2b06a7142e 100644 +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -28,6 +28,7 @@ + #include <scsi/scsi_device.h> + #include <scsi/scsi_cmnd.h> + #include <scsi/scsi_tcq.h> ++#include <scsi/scsi_devinfo.h> + #include <linux/seqlock.h> + + #define VIRTIO_SCSI_MEMPOOL_SZ 64 +@@ -699,6 +700,28 @@ static int virtscsi_device_reset(struct scsi_cmnd *sc) + return virtscsi_tmf(vscsi, cmd); + } + ++static int virtscsi_device_alloc(struct scsi_device *sdevice) ++{ ++ /* ++ * Passed through SCSI targets (e.g. with qemu's 'scsi-block') ++ * may have transfer limits which come from the host SCSI ++ * controller or something on the host side other than the ++ * target itself. ++ * ++ * To make this work properly, the hypervisor can adjust the ++ * target's VPD information to advertise these limits. But ++ * for that to work, the guest has to look at the VPD pages, ++ * which we won't do by default if it is an SPC-2 device, even ++ * if it does actually support it. ++ * ++ * So, set the blist to always try to read the VPD pages. ++ */ ++ sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES; ++ ++ return 0; ++} ++ ++ + /** + * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth + * @sdev: Virtscsi target whose queue depth to change +@@ -770,6 +793,7 @@ static struct scsi_host_template virtscsi_host_template_single = { + .change_queue_depth = virtscsi_change_queue_depth, + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, ++ .slave_alloc = virtscsi_device_alloc, + + .can_queue = 1024, + .dma_boundary = UINT_MAX, +@@ -790,6 +814,7 @@ static struct scsi_host_template virtscsi_host_template_multi = { + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, + ++ .slave_alloc = virtscsi_device_alloc, + .can_queue = 1024, + .dma_boundary = UINT_MAX, + .use_clustering = ENABLE_CLUSTERING, +diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c +index 7edede6e024b..d075ee4de8b5 100644 +--- a/drivers/spi/spi-dw-mmio.c ++++ b/drivers/spi/spi-dw-mmio.c +@@ -121,8 +121,8 @@ static int dw_spi_mmio_remove(struct platform_device *pdev) + { + struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev); + +- clk_disable_unprepare(dwsmmio->clk); + dw_spi_remove_host(&dwsmmio->dws); ++ clk_disable_unprepare(dwsmmio->clk); + + return 0; + } +diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c +index d1a5b9fc3eba..f1c1d84f9268 100644 +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -436,6 +436,8 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer, + int elements = 0; + int word_len, element_count; + struct omap2_mcspi_cs *cs = spi->controller_state; ++ void __iomem *chstat_reg = cs->base + OMAP2_MCSPI_CHSTAT0; ++ + mcspi = spi_master_get_devdata(spi->master); + mcspi_dma = &mcspi->dma_channels[spi->chip_select]; + count = xfer->len; +@@ -496,8 +498,8 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer, + if (l & OMAP2_MCSPI_CHCONF_TURBO) { + elements--; + +- if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0) +- & OMAP2_MCSPI_CHSTAT_RXS)) { ++ if (!mcspi_wait_for_reg_bit(chstat_reg, ++ OMAP2_MCSPI_CHSTAT_RXS)) { + u32 w; + + w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0); +@@ -515,8 +517,7 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer, + return count; + } + } +- if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0) +- & OMAP2_MCSPI_CHSTAT_RXS)) { ++ if (!mcspi_wait_for_reg_bit(chstat_reg, OMAP2_MCSPI_CHSTAT_RXS)) { + u32 w; + + w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0); +diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c +index e77add01b0e9..48888ab630c2 100644 +--- a/drivers/spi/spi-sun6i.c ++++ b/drivers/spi/spi-sun6i.c +@@ -457,7 +457,7 @@ err_free_master: + + static int sun6i_spi_remove(struct platform_device *pdev) + { +- pm_runtime_disable(&pdev->dev); ++ pm_runtime_force_suspend(&pdev->dev); + + return 0; + } +diff --git a/drivers/staging/speakup/kobjects.c b/drivers/staging/speakup/kobjects.c +index 0211df60004a..4bd93e584075 100644 +--- a/drivers/staging/speakup/kobjects.c ++++ b/drivers/staging/speakup/kobjects.c +@@ -830,7 +830,9 @@ static ssize_t message_show(struct kobject *kobj, + struct msg_group_t *group = spk_find_msg_group(attr->attr.name); + unsigned long flags; + +- BUG_ON(!group); ++ if (WARN_ON(!group)) ++ return -EINVAL; ++ + spin_lock_irqsave(&speakup_info.spinlock, flags); + retval = message_show_helper(buf, group->start, group->end); + spin_unlock_irqrestore(&speakup_info.spinlock, flags); +@@ -842,7 +844,9 @@ static ssize_t message_store(struct kobject *kobj, struct kobj_attribute *attr, + { + struct msg_group_t *group = spk_find_msg_group(attr->attr.name); + +- BUG_ON(!group); ++ if (WARN_ON(!group)) ++ return -EINVAL; ++ + return message_store_helper(buf, count, group); + } + +diff --git a/drivers/staging/wlan-ng/prism2mgmt.c b/drivers/staging/wlan-ng/prism2mgmt.c +index 013a6240f193..c1ad0aea23b9 100644 +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -169,7 +169,7 @@ int prism2mgmt_scan(wlandevice_t *wlandev, void *msgp) + hw->ident_sta_fw.variant) > + HFA384x_FIRMWARE_VERSION(1, 5, 0)) { + if (msg->scantype.data != P80211ENUM_scantype_active) +- word = cpu_to_le16(msg->maxchanneltime.data); ++ word = msg->maxchanneltime.data; + else + word = 0; + +diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c +index c68fe1222c16..5f3c4f45ab65 100644 +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -627,6 +627,7 @@ static const struct dev_pm_ops nhi_pm_ops = { + * we just disable hotplug, the + * pci-tunnels stay alive. + */ ++ .thaw_noirq = nhi_resume_noirq, + .restore_noirq = nhi_resume_noirq, + }; + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 2ec337612a79..c41dfe40fd23 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -137,6 +137,9 @@ struct gsm_dlci { + struct mutex mutex; + + /* Link layer */ ++ int mode; ++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */ ++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */ + spinlock_t lock; /* Protects the internal state */ + struct timer_list t1; /* Retransmit timer for SABM and UA */ + int retries; +@@ -1380,7 +1383,13 @@ retry: + ctrl->data = data; + ctrl->len = clen; + gsm->pending_cmd = ctrl; +- gsm->cretries = gsm->n2; ++ ++ /* If DLCI0 is in ADM mode skip retries, it won't respond */ ++ if (gsm->dlci[0]->mode == DLCI_MODE_ADM) ++ gsm->cretries = 1; ++ else ++ gsm->cretries = gsm->n2; ++ + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100); + gsm_control_transmit(gsm, ctrl); + spin_unlock_irqrestore(&gsm->control_lock, flags); +@@ -1467,6 +1476,10 @@ static void gsm_dlci_open(struct gsm_dlci *dlci) + * in which case an opening port goes back to closed and a closing port + * is simply put into closed state (any further frames from the other + * end will get a DM response) ++ * ++ * Some control dlci can stay in ADM mode with other dlci working just ++ * fine. In that case we can just keep the control dlci open after the ++ * DLCI_OPENING retries time out. + */ + + static void gsm_dlci_t1(unsigned long data) +@@ -1480,8 +1493,16 @@ static void gsm_dlci_t1(unsigned long data) + if (dlci->retries) { + gsm_command(dlci->gsm, dlci->addr, SABM|PF); + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); +- } else ++ } else if (!dlci->addr && gsm->control == (DM | PF)) { ++ if (debug & 8) ++ pr_info("DLCI %d opening in ADM mode.\n", ++ dlci->addr); ++ dlci->mode = DLCI_MODE_ADM; ++ gsm_dlci_open(dlci); ++ } else { + gsm_dlci_close(dlci); ++ } ++ + break; + case DLCI_CLOSING: + dlci->retries--; +@@ -1499,8 +1520,8 @@ static void gsm_dlci_t1(unsigned long data) + * @dlci: DLCI to open + * + * Commence opening a DLCI from the Linux side. We issue SABM messages +- * to the modem which should then reply with a UA, at which point we +- * will move into open state. Opening is done asynchronously with retry ++ * to the modem which should then reply with a UA or ADM, at which point ++ * we will move into open state. Opening is done asynchronously with retry + * running off timers and the responses. + */ + +@@ -2871,11 +2892,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk) + static int gsm_carrier_raised(struct tty_port *port) + { + struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port); ++ struct gsm_mux *gsm = dlci->gsm; ++ + /* Not yet open so no carrier info */ + if (dlci->state != DLCI_OPEN) + return 0; + if (debug & 2) + return 1; ++ ++ /* ++ * Basic mode with control channel in ADM mode may not respond ++ * to CMD_MSC at all and modem_rx is empty. ++ */ ++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM && ++ !dlci->modem_rx) ++ return 1; ++ + return dlci->modem_rx & TIOCM_CD; + } + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 66e257b5a5b7..4693a1d0151f 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -2259,6 +2259,12 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file, + } + if (tty_hung_up_p(file)) + break; ++ /* ++ * Abort readers for ttys which never actually ++ * get hung up. See __tty_hangup(). ++ */ ++ if (test_bit(TTY_HUPPING, &tty->flags)) ++ break; + if (!timeout) + break; + if (file->f_flags & O_NONBLOCK) { +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index 531d76a276e4..89974a112cab 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -612,6 +612,10 @@ static int omap_8250_startup(struct uart_port *port) + up->lsr_saved_flags = 0; + up->msr_saved_flags = 0; + ++ /* Disable DMA for console UART */ ++ if (uart_console(port)) ++ up->dma = NULL; ++ + if (up->dma) { + ret = serial8250_request_dma(up); + if (ret) { +diff --git a/drivers/tty/serial/sccnxp.c b/drivers/tty/serial/sccnxp.c +index fcf803ffad19..cdd2f942317c 100644 +--- a/drivers/tty/serial/sccnxp.c ++++ b/drivers/tty/serial/sccnxp.c +@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_device *pdev) + + clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(clk)) { +- if (PTR_ERR(clk) == -EPROBE_DEFER) { +- ret = -EPROBE_DEFER; ++ ret = PTR_ERR(clk); ++ if (ret == -EPROBE_DEFER) + goto err_out; +- } ++ uartclk = 0; ++ } else { ++ clk_prepare_enable(clk); ++ uartclk = clk_get_rate(clk); ++ } ++ ++ if (!uartclk) { + dev_notice(&pdev->dev, "Using default clock frequency\n"); + uartclk = s->chip->freq_std; +- } else +- uartclk = clk_get_rate(clk); ++ } + + /* Check input frequency */ + if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) { +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index be96970646a9..152cd369ce84 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -690,6 +690,14 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session) + return; + } + ++ /* ++ * Some console devices aren't actually hung up for technical and ++ * historical reasons, which can lead to indefinite interruptible ++ * sleep in n_tty_read(). The following explicitly tells ++ * n_tty_read() to abort readers. ++ */ ++ set_bit(TTY_HUPPING, &tty->flags); ++ + /* inuse_filps is protected by the single tty lock, + this really needs to change if we want to flush the + workqueue with the lock held */ +@@ -745,6 +753,7 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session) + * can't yet guarantee all that. + */ + set_bit(TTY_HUPPED, &tty->flags); ++ clear_bit(TTY_HUPPING, &tty->flags); + tty_unlock(tty); + + if (f) +@@ -3151,7 +3160,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) + + kref_init(&tty->kref); + tty->magic = TTY_MAGIC; +- tty_ldisc_init(tty); ++ if (tty_ldisc_init(tty)) { ++ kfree(tty); ++ return NULL; ++ } + tty->session = NULL; + tty->pgrp = NULL; + mutex_init(&tty->legacy_mutex); +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c +index 3737f55272d2..f4cfe7ca7d6d 100644 +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -171,12 +171,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + return ERR_CAST(ldops); + } + +- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL); +- if (ld == NULL) { +- put_ldops(ldops); +- return ERR_PTR(-ENOMEM); +- } +- ++ /* ++ * There is no way to handle allocation failure of only 16 bytes. ++ * Let's simplify error handling and save more memory. ++ */ ++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL); + ld->ops = ldops; + ld->tty = tty; + +@@ -800,12 +799,13 @@ void tty_ldisc_release(struct tty_struct *tty) + * the tty structure is not completely set up when this call is made. + */ + +-void tty_ldisc_init(struct tty_struct *tty) ++int tty_ldisc_init(struct tty_struct *tty) + { + struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY); + if (IS_ERR(ld)) +- panic("n_tty: init_tty"); ++ return PTR_ERR(ld); + tty->ldisc = ld; ++ return 0; + } + + /** +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 50b67ff2b6ea..c989a6aa2561 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1305,6 +1305,11 @@ static void csi_m(struct vc_data *vc) + case 3: + vc->vc_italic = 1; + break; ++ case 21: ++ /* ++ * No console drivers support double underline, so ++ * convert it to a single underline. ++ */ + case 4: + vc->vc_underline = 1; + break; +@@ -1341,7 +1346,6 @@ static void csi_m(struct vc_data *vc) + vc->vc_disp_ctrl = 1; + vc->vc_toggle_meta = 1; + break; +- case 21: + case 22: + vc->vc_intensity = 1; + break; +@@ -1711,7 +1715,7 @@ static void reset_terminal(struct vc_data *vc, int do_clear) + default_attr(vc); + update_attr(vc); + +- vc->vc_tab_stop[0] = 0x01010100; ++ vc->vc_tab_stop[0] = + vc->vc_tab_stop[1] = + vc->vc_tab_stop[2] = + vc->vc_tab_stop[3] = +@@ -1754,7 +1758,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c) + vc->vc_pos -= (vc->vc_x << 1); + while (vc->vc_x < vc->vc_cols - 1) { + vc->vc_x++; +- if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31))) ++ if (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31))) + break; + } + vc->vc_pos += (vc->vc_x << 1); +@@ -1814,7 +1818,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c) + lf(vc); + return; + case 'H': +- vc->vc_tab_stop[vc->vc_x >> 5] |= (1 << (vc->vc_x & 31)); ++ vc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31)); + return; + case 'Z': + respond_ID(tty); +@@ -2007,7 +2011,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c) + return; + case 'g': + if (!vc->vc_par[0]) +- vc->vc_tab_stop[vc->vc_x >> 5] &= ~(1 << (vc->vc_x & 31)); ++ vc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31)); + else if (vc->vc_par[0] == 3) { + vc->vc_tab_stop[0] = + vc->vc_tab_stop[1] = +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c +index 3ad48e1c0c57..f37a908b2884 100644 +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -656,7 +656,7 @@ static inline void ci_role_destroy(struct ci_hdrc *ci) + { + ci_hdrc_gadget_destroy(ci); + ci_hdrc_host_destroy(ci); +- if (ci->is_otg) ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) + ci_hdrc_otg_destroy(ci); + } + +@@ -755,27 +755,35 @@ static int ci_hdrc_probe(struct platform_device *pdev) + /* initialize role(s) before the interrupt is requested */ + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) { + ret = ci_hdrc_host_init(ci); +- if (ret) +- dev_info(dev, "doesn't support host\n"); ++ if (ret) { ++ if (ret == -ENXIO) ++ dev_info(dev, "doesn't support host\n"); ++ else ++ goto deinit_phy; ++ } + } + + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) { + ret = ci_hdrc_gadget_init(ci); +- if (ret) +- dev_info(dev, "doesn't support gadget\n"); ++ if (ret) { ++ if (ret == -ENXIO) ++ dev_info(dev, "doesn't support gadget\n"); ++ else ++ goto deinit_host; ++ } + } + + if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) { + dev_err(dev, "no supported roles\n"); + ret = -ENODEV; +- goto deinit_phy; ++ goto deinit_gadget; + } + + if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) { + ret = ci_hdrc_otg_init(ci); + if (ret) { + dev_err(dev, "init otg fails, ret = %d\n", ret); +- goto stop; ++ goto deinit_gadget; + } + } + +@@ -835,7 +843,12 @@ static int ci_hdrc_probe(struct platform_device *pdev) + return 0; + + stop: +- ci_role_destroy(ci); ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) ++ ci_hdrc_otg_destroy(ci); ++deinit_gadget: ++ ci_hdrc_gadget_destroy(ci); ++deinit_host: ++ ci_hdrc_host_destroy(ci); + deinit_phy: + ci_usb_phy_exit(ci); + +diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c +index 358ca8dd784f..a5240b4d7ab9 100644 +--- a/drivers/usb/core/generic.c ++++ b/drivers/usb/core/generic.c +@@ -208,8 +208,13 @@ static int generic_suspend(struct usb_device *udev, pm_message_t msg) + if (!udev->parent) + rc = hcd_bus_suspend(udev, msg); + +- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */ +- else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW) ++ /* ++ * Non-root USB2 devices don't need to do anything for FREEZE ++ * or PRETHAW. USB3 devices don't support global suspend and ++ * needs to be selectively suspended. ++ */ ++ else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW) ++ && (udev->speed < USB_SPEED_SUPER)) + rc = 0; + else + rc = usb_port_suspend(udev, msg); +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index de0843cdeb9f..2a06bd656963 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2288,6 +2288,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd) + + spin_lock_irqsave (&hcd_root_hub_lock, flags); + if (hcd->rh_registered) { ++ pm_wakeup_event(&hcd->self.root_hub->dev, 0); + set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags); + queue_work(pm_wq, &hcd->wakeup_work); + } +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 1ba74441d7bf..a2686b95c3dd 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -633,12 +633,17 @@ void usb_wakeup_notification(struct usb_device *hdev, + unsigned int portnum) + { + struct usb_hub *hub; ++ struct usb_port *port_dev; + + if (!hdev) + return; + + hub = usb_hub_to_struct_hub(hdev); + if (hub) { ++ port_dev = hub->ports[portnum - 1]; ++ if (port_dev && port_dev->child) ++ pm_wakeup_event(&port_dev->child->dev, 0); ++ + set_bit(portnum, hub->wakeup_bits); + kick_hub_wq(hub); + } +@@ -3375,8 +3380,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + + /* Skip the initial Clear-Suspend step for a remote wakeup */ + status = hub_port_status(hub, port1, &portstatus, &portchange); +- if (status == 0 && !port_is_suspended(hub, portstatus)) ++ if (status == 0 && !port_is_suspended(hub, portstatus)) { ++ if (portchange & USB_PORT_STAT_C_SUSPEND) ++ pm_wakeup_event(&udev->dev, 0); + goto SuspendCleared; ++ } + + /* see 7.1.7.7; affects power usage, but not budgeting */ + if (hub_is_superspeed(hub->hdev)) +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 4f1c6f8d4352..40ce175655e6 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x03f0, 0x0701), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, + ++ /* HP v222w 16GB Mini USB Drive */ ++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/dwc3/dwc3-keystone.c b/drivers/usb/dwc3/dwc3-keystone.c +index fe3b9335a74e..88a5b798b1ea 100644 +--- a/drivers/usb/dwc3/dwc3-keystone.c ++++ b/drivers/usb/dwc3/dwc3-keystone.c +@@ -112,6 +112,10 @@ static int kdwc3_probe(struct platform_device *pdev) + dev->dma_mask = &kdwc3_dma_mask; + + kdwc->clk = devm_clk_get(kdwc->dev, "usb"); ++ if (IS_ERR(kdwc->clk)) { ++ dev_err(kdwc->dev, "unable to get usb clock\n"); ++ return PTR_ERR(kdwc->clk); ++ } + + error = clk_prepare_enable(kdwc->clk); + if (error < 0) { +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index c702f5d941d9..01816e8411fc 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -124,7 +124,7 @@ static int dwc3_pci_probe(struct pci_dev *pci, + ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res)); + if (ret) { + dev_err(dev, "couldn't add resources to dwc3 device\n"); +- return ret; ++ goto err; + } + + pci_set_drvdata(pci, dwc3); +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c +index 466640afa7be..4a7861022d20 100644 +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -223,6 +223,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer, + /* pick the first one */ + list = list_first_entry(&hidg->completed_out_req, + struct f_hidg_req_list, list); ++ ++ /* ++ * Remove this from list to protect it from beign free() ++ * while host disables our function ++ */ ++ list_del(&list->list); ++ + req = list->req; + count = min_t(unsigned int, count, req->actual - list->pos); + spin_unlock_irqrestore(&hidg->spinlock, flags); +@@ -238,15 +245,20 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer, + * call, taking into account its current read position. + */ + if (list->pos == req->actual) { +- spin_lock_irqsave(&hidg->spinlock, flags); +- list_del(&list->list); + kfree(list); +- spin_unlock_irqrestore(&hidg->spinlock, flags); + + req->length = hidg->report_length; + ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL); +- if (ret < 0) ++ if (ret < 0) { ++ free_ep_req(hidg->out_ep, req); + return ret; ++ } ++ } else { ++ spin_lock_irqsave(&hidg->spinlock, flags); ++ list_add(&list->list, &hidg->completed_out_req); ++ spin_unlock_irqrestore(&hidg->spinlock, flags); ++ ++ wake_up(&hidg->read_queue); + } + + return count; +@@ -490,6 +502,7 @@ static void hidg_disable(struct usb_function *f) + { + struct f_hidg *hidg = func_to_hidg(f); + struct f_hidg_req_list *list, *next; ++ unsigned long flags; + + usb_ep_disable(hidg->in_ep); + hidg->in_ep->driver_data = NULL; +@@ -497,10 +510,13 @@ static void hidg_disable(struct usb_function *f) + usb_ep_disable(hidg->out_ep); + hidg->out_ep->driver_data = NULL; + ++ spin_lock_irqsave(&hidg->spinlock, flags); + list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) { ++ free_ep_req(hidg->out_ep, list->req); + list_del(&list->list); + kfree(list); + } ++ spin_unlock_irqrestore(&hidg->spinlock, flags); + } + + static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c +index d97f362b3604..a32ed6359b03 100644 +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -201,12 +201,6 @@ static inline struct usb_request *midi_alloc_ep_req(struct usb_ep *ep, + return alloc_ep_req(ep, length, length); + } + +-static void free_ep_req(struct usb_ep *ep, struct usb_request *req) +-{ +- kfree(req->buf); +- usb_ep_free_request(ep, req); +-} +- + static const uint8_t f_midi_cin_length[] = { + 0, 0, 2, 3, 3, 1, 2, 3, 3, 3, 3, 3, 2, 2, 3, 1 + }; +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c +index 3a5ae9900b1e..eedea7f093d1 100644 +--- a/drivers/usb/gadget/function/f_sourcesink.c ++++ b/drivers/usb/gadget/function/f_sourcesink.c +@@ -307,12 +307,6 @@ static inline struct usb_request *ss_alloc_ep_req(struct usb_ep *ep, int len) + return alloc_ep_req(ep, len, buflen); + } + +-void free_ep_req(struct usb_ep *ep, struct usb_request *req) +-{ +- kfree(req->buf); +- usb_ep_free_request(ep, req); +-} +- + static void disable_ep(struct usb_composite_dev *cdev, struct usb_ep *ep) + { + int value; +diff --git a/drivers/usb/gadget/function/g_zero.h b/drivers/usb/gadget/function/g_zero.h +index 15f180904f8a..5ed90b437f18 100644 +--- a/drivers/usb/gadget/function/g_zero.h ++++ b/drivers/usb/gadget/function/g_zero.h +@@ -59,7 +59,6 @@ void lb_modexit(void); + int lb_modinit(void); + + /* common utilities */ +-void free_ep_req(struct usb_ep *ep, struct usb_request *req); + void disable_endpoints(struct usb_composite_dev *cdev, + struct usb_ep *in, struct usb_ep *out, + struct usb_ep *iso_in, struct usb_ep *iso_out); +diff --git a/drivers/usb/gadget/u_f.c b/drivers/usb/gadget/u_f.c +index c6276f0268ae..907f8144813c 100644 +--- a/drivers/usb/gadget/u_f.c ++++ b/drivers/usb/gadget/u_f.c +@@ -11,16 +11,18 @@ + * published by the Free Software Foundation. + */ + +-#include <linux/usb/gadget.h> + #include "u_f.h" ++#include <linux/usb/ch9.h> + +-struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len) ++struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len) + { + struct usb_request *req; + + req = usb_ep_alloc_request(ep, GFP_ATOMIC); + if (req) { + req->length = len ?: default_len; ++ if (usb_endpoint_dir_out(ep->desc)) ++ req->length = usb_ep_align(ep, req->length); + req->buf = kmalloc(req->length, GFP_ATOMIC); + if (!req->buf) { + usb_ep_free_request(ep, req); +diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h +index 1d5f0eb68552..69a1d10df04f 100644 +--- a/drivers/usb/gadget/u_f.h ++++ b/drivers/usb/gadget/u_f.h +@@ -16,6 +16,8 @@ + #ifndef __U_F_H__ + #define __U_F_H__ + ++#include <linux/usb/gadget.h> ++ + /* Variable Length Array Macros **********************************************/ + #define vla_group(groupname) size_t groupname##__next = 0 + #define vla_group_size(groupname) groupname##__next +@@ -45,8 +47,26 @@ + struct usb_ep; + struct usb_request; + +-struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len); +- +-#endif /* __U_F_H__ */ ++/** ++ * alloc_ep_req - returns a usb_request allocated by the gadget driver and ++ * allocates the request's buffer. ++ * ++ * @ep: the endpoint to allocate a usb_request ++ * @len: usb_requests's buffer suggested size ++ * @default_len: used if @len is not provided, ie, is 0 ++ * ++ * In case @ep direction is OUT, the @len will be aligned to ep's ++ * wMaxPacketSize. In order to avoid memory leaks or drops, *always* use ++ * usb_requests's length (req->length) to refer to the allocated buffer size. ++ * Requests allocated via alloc_ep_req() *must* be freed by free_ep_req(). ++ */ ++struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len); + ++/* Frees a usb_request previously allocated by alloc_ep_req() */ ++static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req) ++{ ++ kfree(req->buf); ++ usb_ep_free_request(ep, req); ++} + ++#endif /* __U_F_H__ */ +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index 5c8f4effb62a..caec234822c6 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -476,7 +476,7 @@ static int bdc_probe(struct platform_device *pdev) + bdc->dev = dev; + dev_dbg(bdc->dev, "bdc->regs: %p irq=%d\n", bdc->regs, bdc->irq); + +- temp = bdc_readl(bdc->regs, BDC_BDCSC); ++ temp = bdc_readl(bdc->regs, BDC_BDCCAP1); + if ((temp & BDC_P64) && + !dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64))) { + dev_dbg(bdc->dev, "Using 64-bit address\n"); +diff --git a/drivers/usb/gadget/udc/bdc/bdc_pci.c b/drivers/usb/gadget/udc/bdc/bdc_pci.c +index 02968842b359..708e36f530d8 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_pci.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_pci.c +@@ -82,6 +82,7 @@ static int bdc_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + if (ret) { + dev_err(&pci->dev, + "couldn't add resources to bdc device\n"); ++ platform_device_put(bdc); + return ret; + } + +diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c +index 35f730324b63..a5a260b7ff25 100644 +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -2026,16 +2026,13 @@ static int dummy_hub_control( + } + break; + case USB_PORT_FEAT_POWER: +- if (hcd->speed == HCD_USB3) { +- if (dum_hcd->port_status & USB_PORT_STAT_POWER) +- dev_dbg(dummy_dev(dum_hcd), +- "power-off\n"); +- } else +- if (dum_hcd->port_status & +- USB_SS_PORT_STAT_POWER) +- dev_dbg(dummy_dev(dum_hcd), +- "power-off\n"); +- /* FALLS THROUGH */ ++ dev_dbg(dummy_dev(dum_hcd), "power-off\n"); ++ if (hcd->speed == HCD_USB3) ++ dum_hcd->port_status &= ~USB_SS_PORT_STAT_POWER; ++ else ++ dum_hcd->port_status &= ~USB_PORT_STAT_POWER; ++ set_link_state(dum_hcd); ++ break; + default: + dum_hcd->port_status &= ~(1 << wValue); + set_link_state(dum_hcd); +@@ -2206,14 +2203,13 @@ static int dummy_hub_control( + if ((dum_hcd->port_status & + USB_SS_PORT_STAT_POWER) != 0) { + dum_hcd->port_status |= (1 << wValue); +- set_link_state(dum_hcd); + } + } else + if ((dum_hcd->port_status & + USB_PORT_STAT_POWER) != 0) { + dum_hcd->port_status |= (1 << wValue); +- set_link_state(dum_hcd); + } ++ set_link_state(dum_hcd); + } + break; + case GetPortErrorCount: +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index e92b9903faa4..23c5bdab988d 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -266,7 +266,6 @@ MODULE_DEVICE_TABLE(of, usb_xhci_of_match); + static struct platform_driver usb_xhci_driver = { + .probe = xhci_plat_probe, + .remove = xhci_plat_remove, +- .shutdown = usb_hcd_platform_shutdown, + .driver = { + .name = "xhci-hcd", + .pm = DEV_PM_OPS, +diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c +index 10d30afe4a3c..a0d1417362cd 100644 +--- a/drivers/usb/musb/musb_gadget_ep0.c ++++ b/drivers/usb/musb/musb_gadget_ep0.c +@@ -114,15 +114,19 @@ static int service_tx_status_request( + } + + is_in = epnum & USB_DIR_IN; +- if (is_in) { +- epnum &= 0x0f; ++ epnum &= 0x0f; ++ if (epnum >= MUSB_C_NUM_EPS) { ++ handled = -EINVAL; ++ break; ++ } ++ ++ if (is_in) + ep = &musb->endpoints[epnum].ep_in; +- } else { ++ else + ep = &musb->endpoints[epnum].ep_out; +- } + regs = musb->endpoints[epnum].regs; + +- if (epnum >= MUSB_C_NUM_EPS || !ep->desc) { ++ if (!ep->desc) { + handled = -EINVAL; + break; + } +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index 1d0c096c1b84..4b707d527855 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -1002,7 +1002,9 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep, + /* set tx_reinit and schedule the next qh */ + ep->tx_reinit = 1; + } +- musb_start_urb(musb, is_in, next_qh); ++ ++ if (next_qh) ++ musb_start_urb(musb, is_in, next_qh); + } + } + +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index 941716c1177e..3d09c1037e36 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE + - Fundamental Software dongle. + - Google USB serial devices + - HP4x calculators ++ - Libtransistor USB console + - a number of Motorola phones + - Motorola Tetra devices + - Novatel Wireless GPS receivers +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 142c876e7b19..1011fc41deb7 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -149,6 +149,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ + { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ + { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ ++ { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */ + { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ + { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */ + { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */ +@@ -207,6 +208,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */ + { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */ + { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */ ++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */ + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */ + { } /* Terminating Entry */ + }; +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 252f580cf3e7..00b5cc4c9f38 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -773,6 +773,7 @@ static const struct usb_device_id id_table_combined[] = { + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, + { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, + { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, ++ { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, +@@ -935,6 +936,7 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, + { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +@@ -1904,7 +1906,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial) + return ftdi_jtag_probe(serial); + + if (udev->product && +- (!strcmp(udev->product, "BeagleBone/XDS100V2") || ++ (!strcmp(udev->product, "Arrow USB Blaster") || ++ !strcmp(udev->product, "BeagleBone/XDS100V2") || + !strcmp(udev->product, "SNAP Connect E10"))) + return ftdi_jtag_probe(serial); + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 6d847ecb423f..eaaada41359e 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -903,6 +903,9 @@ + /* + * RT Systems programming cables for various ham radios + */ ++/* This device uses the VID of FTDI */ ++#define RTSYSTEMS_USB_VX8_PID 0x9e50 /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */ ++ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ + #define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */ + #define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */ +@@ -1421,6 +1424,12 @@ + */ + #define FTDI_CINTERION_MC55I_PID 0xA951 + ++/* ++ * Product: FirmwareHubEmulator ++ * Manufacturer: Harman Becker Automotive Systems ++ */ ++#define FTDI_FHE_PID 0xA9A0 ++ + /* + * Product: Comet Caller ID decoder + * Manufacturer: Crucible Technologies +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index 6aa7ff2c1cf7..2674da40d9cd 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS); + 0x01) } + DEVICE(google, GOOGLE_IDS); + ++/* Libtransistor USB console */ ++#define LIBTRANSISTOR_IDS() \ ++ { USB_DEVICE(0x1209, 0x8b00) } ++DEVICE(libtransistor, LIBTRANSISTOR_IDS); ++ + /* ViVOpay USB Serial Driver */ + #define VIVOPAY_IDS() \ + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ +@@ -113,6 +118,7 @@ static struct usb_serial_driver * const serial_drivers[] = { + &funsoft_device, + &flashloader_device, + &google_device, ++ &libtransistor_device, + &vivopay_device, + &moto_modem_device, + &motorola_tetra_device, +@@ -129,6 +135,7 @@ static const struct usb_device_id id_table[] = { + FUNSOFT_IDS(), + FLASHLOADER_IDS(), + GOOGLE_IDS(), ++ LIBTRANSISTOR_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), + MOTOROLA_TETRA_IDS(), +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c +index 337a0be89fcf..dbc3801b43eb 100644 +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_serial *serial, + goto exit; + } + +- if (retval == sizeof(*connection_info)) { +- connection_info = (struct visor_connection_info *) +- transfer_buffer; +- +- num_ports = le16_to_cpu(connection_info->num_ports); +- for (i = 0; i < num_ports; ++i) { +- switch ( +- connection_info->connections[i].port_function_id) { +- case VISOR_FUNCTION_GENERIC: +- string = "Generic"; +- break; +- case VISOR_FUNCTION_DEBUGGER: +- string = "Debugger"; +- break; +- case VISOR_FUNCTION_HOTSYNC: +- string = "HotSync"; +- break; +- case VISOR_FUNCTION_CONSOLE: +- string = "Console"; +- break; +- case VISOR_FUNCTION_REMOTE_FILE_SYS: +- string = "Remote File System"; +- break; +- default: +- string = "unknown"; +- break; +- } +- dev_info(dev, "%s: port %d, is for %s use\n", +- serial->type->description, +- connection_info->connections[i].port, string); +- } ++ if (retval != sizeof(*connection_info)) { ++ dev_err(dev, "Invalid connection information received from device\n"); ++ retval = -ENODEV; ++ goto exit; + } +- /* +- * Handle devices that report invalid stuff here. +- */ ++ ++ connection_info = (struct visor_connection_info *)transfer_buffer; ++ ++ num_ports = le16_to_cpu(connection_info->num_ports); ++ ++ /* Handle devices that report invalid stuff here. */ + if (num_ports == 0 || num_ports > 2) { + dev_warn(dev, "%s: No valid connect info available\n", + serial->type->description); + num_ports = 2; + } + ++ for (i = 0; i < num_ports; ++i) { ++ switch (connection_info->connections[i].port_function_id) { ++ case VISOR_FUNCTION_GENERIC: ++ string = "Generic"; ++ break; ++ case VISOR_FUNCTION_DEBUGGER: ++ string = "Debugger"; ++ break; ++ case VISOR_FUNCTION_HOTSYNC: ++ string = "HotSync"; ++ break; ++ case VISOR_FUNCTION_CONSOLE: ++ string = "Console"; ++ break; ++ case VISOR_FUNCTION_REMOTE_FILE_SYS: ++ string = "Remote File System"; ++ break; ++ default: ++ string = "unknown"; ++ break; ++ } ++ dev_info(dev, "%s: port %d, is for %s use\n", ++ serial->type->description, ++ connection_info->connections[i].port, string); ++ } + dev_info(dev, "%s: Number of ports: %d\n", serial->type->description, + num_ports); + +diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c +index 26c26e3e21d3..e82e179f3558 100644 +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -1950,6 +1950,8 @@ static int ene_load_bincode(struct us_data *us, unsigned char flag) + bcb->CDB[0] = 0xEF; + + result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0); ++ if (us->srb != NULL) ++ scsi_set_resid(us->srb, 0); + info->BIN_FLAG = flag; + kfree(buf); + +@@ -2303,21 +2305,22 @@ static int ms_scsi_irp(struct us_data *us, struct scsi_cmnd *srb) + + static int ene_transport(struct scsi_cmnd *srb, struct us_data *us) + { +- int result = 0; ++ int result = USB_STOR_XFER_GOOD; + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra); + + /*US_DEBUG(usb_stor_show_command(us, srb)); */ + scsi_set_resid(srb, 0); +- if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) { ++ if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) + result = ene_init(us); +- } else { ++ if (result == USB_STOR_XFER_GOOD) { ++ result = USB_STOR_TRANSPORT_ERROR; + if (info->SD_Status.Ready) + result = sd_scsi_irp(us, srb); + + if (info->MS_Status.Ready) + result = ms_scsi_irp(us, srb); + } +- return 0; ++ return result; + } + + +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index 325b4c05acdd..f761e02e75c9 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -201,7 +201,12 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf, + if (!bid) + return -ENODEV; + ++ /* device_attach() callers should hold parent lock for USB */ ++ if (bid->udev->dev.parent) ++ device_lock(bid->udev->dev.parent); + ret = device_attach(&bid->udev->dev); ++ if (bid->udev->dev.parent) ++ device_unlock(bid->udev->dev.parent); + if (ret < 0) { + dev_err(&bid->udev->dev, "rebind failed\n"); + return ret; +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index f875ccaa55f9..0fc5ace57c0e 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -248,7 +248,7 @@ enum usbip_side { + #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) + +-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE) ++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE) + #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index ff75ca31a199..a9fc4a6d010a 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -685,6 +685,62 @@ static int __init init_pci_cap_pcix_perm(struct perm_bits *perm) + return 0; + } + ++static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos, ++ int count, struct perm_bits *perm, ++ int offset, __le32 val) ++{ ++ __le16 *ctrl = (__le16 *)(vdev->vconfig + pos - ++ offset + PCI_EXP_DEVCTL); ++ int readrq = le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ; ++ ++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val); ++ if (count < 0) ++ return count; ++ ++ /* ++ * The FLR bit is virtualized, if set and the device supports PCIe ++ * FLR, issue a reset_function. Regardless, clear the bit, the spec ++ * requires it to be always read as zero. NB, reset_function might ++ * not use a PCIe FLR, we don't have that level of granularity. ++ */ ++ if (*ctrl & cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR)) { ++ u32 cap; ++ int ret; ++ ++ *ctrl &= ~cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR); ++ ++ ret = pci_user_read_config_dword(vdev->pdev, ++ pos - offset + PCI_EXP_DEVCAP, ++ &cap); ++ ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) ++ pci_try_reset_function(vdev->pdev); ++ } ++ ++ /* ++ * MPS is virtualized to the user, writes do not change the physical ++ * register since determining a proper MPS value requires a system wide ++ * device view. The MRRS is largely independent of MPS, but since the ++ * user does not have that system-wide view, they might set a safe, but ++ * inefficiently low value. Here we allow writes through to hardware, ++ * but we set the floor to the physical device MPS setting, so that ++ * we can at least use full TLPs, as defined by the MPS value. ++ * ++ * NB, if any devices actually depend on an artificially low MRRS ++ * setting, this will need to be revisited, perhaps with a quirk ++ * though pcie_set_readrq(). ++ */ ++ if (readrq != (le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ)) { ++ readrq = 128 << ++ ((le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ) >> 12); ++ readrq = max(readrq, pcie_get_mps(vdev->pdev)); ++ ++ pcie_set_readrq(vdev->pdev, readrq); ++ } ++ ++ return count; ++} ++ + /* Permissions for PCI Express capability */ + static int __init init_pci_cap_exp_perm(struct perm_bits *perm) + { +@@ -692,26 +748,67 @@ static int __init init_pci_cap_exp_perm(struct perm_bits *perm) + if (alloc_perm_bits(perm, PCI_CAP_EXP_ENDPOINT_SIZEOF_V2)) + return -ENOMEM; + ++ perm->writefn = vfio_exp_config_write; ++ + p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE); + + /* +- * Allow writes to device control fields (includes FLR!) +- * but not to devctl_phantom which could confuse IOMMU +- * or to the ARI bit in devctl2 which is set at probe time ++ * Allow writes to device control fields, except devctl_phantom, ++ * which could confuse IOMMU, MPS, which can break communication ++ * with other physical devices, and the ARI bit in devctl2, which ++ * is set at probe time. FLR and MRRS get virtualized via our ++ * writefn. + */ +- p_setw(perm, PCI_EXP_DEVCTL, NO_VIRT, ~PCI_EXP_DEVCTL_PHANTOM); ++ p_setw(perm, PCI_EXP_DEVCTL, ++ PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_PAYLOAD | ++ PCI_EXP_DEVCTL_READRQ, ~PCI_EXP_DEVCTL_PHANTOM); + p_setw(perm, PCI_EXP_DEVCTL2, NO_VIRT, ~PCI_EXP_DEVCTL2_ARI); + return 0; + } + ++static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos, ++ int count, struct perm_bits *perm, ++ int offset, __le32 val) ++{ ++ u8 *ctrl = vdev->vconfig + pos - offset + PCI_AF_CTRL; ++ ++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val); ++ if (count < 0) ++ return count; ++ ++ /* ++ * The FLR bit is virtualized, if set and the device supports AF ++ * FLR, issue a reset_function. Regardless, clear the bit, the spec ++ * requires it to be always read as zero. NB, reset_function might ++ * not use an AF FLR, we don't have that level of granularity. ++ */ ++ if (*ctrl & PCI_AF_CTRL_FLR) { ++ u8 cap; ++ int ret; ++ ++ *ctrl &= ~PCI_AF_CTRL_FLR; ++ ++ ret = pci_user_read_config_byte(vdev->pdev, ++ pos - offset + PCI_AF_CAP, ++ &cap); ++ ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) ++ pci_try_reset_function(vdev->pdev); ++ } ++ ++ return count; ++} ++ + /* Permissions for Advanced Function capability */ + static int __init init_pci_cap_af_perm(struct perm_bits *perm) + { + if (alloc_perm_bits(perm, pci_cap_length[PCI_CAP_ID_AF])) + return -ENOMEM; + ++ perm->writefn = vfio_af_config_write; ++ + p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE); +- p_setb(perm, PCI_AF_CTRL, NO_VIRT, PCI_AF_CTRL_FLR); ++ p_setb(perm, PCI_AF_CTRL, PCI_AF_CTRL_FLR, PCI_AF_CTRL_FLR); + return 0; + } + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index fa49d3294cd5..1fd31650e01c 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -96,8 +96,7 @@ int vhost_poll_start(struct vhost_poll *poll, struct file *file) + if (mask) + vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask); + if (mask & POLLERR) { +- if (poll->wqh) +- remove_wait_queue(poll->wqh, &poll->wait); ++ vhost_poll_stop(poll); + ret = -EINVAL; + } + +diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c +index 517f565b65d7..598ec7545e84 100644 +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -409,7 +409,10 @@ static const char *vgacon_startup(void) + vga_video_port_val = VGA_CRT_DM; + if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) { + static struct resource ega_console_resource = +- { .name = "ega", .start = 0x3B0, .end = 0x3BF }; ++ { .name = "ega", ++ .flags = IORESOURCE_IO, ++ .start = 0x3B0, ++ .end = 0x3BF }; + vga_video_type = VIDEO_TYPE_EGAM; + vga_vram_size = 0x8000; + display_desc = "EGA+"; +@@ -417,9 +420,15 @@ static const char *vgacon_startup(void) + &ega_console_resource); + } else { + static struct resource mda1_console_resource = +- { .name = "mda", .start = 0x3B0, .end = 0x3BB }; ++ { .name = "mda", ++ .flags = IORESOURCE_IO, ++ .start = 0x3B0, ++ .end = 0x3BB }; + static struct resource mda2_console_resource = +- { .name = "mda", .start = 0x3BF, .end = 0x3BF }; ++ { .name = "mda", ++ .flags = IORESOURCE_IO, ++ .start = 0x3BF, ++ .end = 0x3BF }; + vga_video_type = VIDEO_TYPE_MDA; + vga_vram_size = 0x2000; + display_desc = "*MDA"; +@@ -441,15 +450,21 @@ static const char *vgacon_startup(void) + vga_vram_size = 0x8000; + + if (!screen_info.orig_video_isVGA) { +- static struct resource ega_console_resource +- = { .name = "ega", .start = 0x3C0, .end = 0x3DF }; ++ static struct resource ega_console_resource = ++ { .name = "ega", ++ .flags = IORESOURCE_IO, ++ .start = 0x3C0, ++ .end = 0x3DF }; + vga_video_type = VIDEO_TYPE_EGAC; + display_desc = "EGA"; + request_resource(&ioport_resource, + &ega_console_resource); + } else { +- static struct resource vga_console_resource +- = { .name = "vga+", .start = 0x3C0, .end = 0x3DF }; ++ static struct resource vga_console_resource = ++ { .name = "vga+", ++ .flags = IORESOURCE_IO, ++ .start = 0x3C0, ++ .end = 0x3DF }; + vga_video_type = VIDEO_TYPE_VGAC; + display_desc = "VGA+"; + request_resource(&ioport_resource, +@@ -493,7 +508,10 @@ static const char *vgacon_startup(void) + } + } else { + static struct resource cga_console_resource = +- { .name = "cga", .start = 0x3D4, .end = 0x3D5 }; ++ { .name = "cga", ++ .flags = IORESOURCE_IO, ++ .start = 0x3D4, ++ .end = 0x3D5 }; + vga_video_type = VIDEO_TYPE_CGA; + vga_vram_size = 0x2000; + display_desc = "*CGA"; +diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c +index 9362424c2340..924b3d6c3e9b 100644 +--- a/drivers/video/fbdev/amba-clcd.c ++++ b/drivers/video/fbdev/amba-clcd.c +@@ -759,8 +759,8 @@ static int clcdfb_of_dma_setup(struct clcd_fb *fb) + if (err) + return err; + +- framesize = fb->panel->mode.xres * fb->panel->mode.yres * +- fb->panel->bpp / 8; ++ framesize = PAGE_ALIGN(fb->panel->mode.xres * fb->panel->mode.yres * ++ fb->panel->bpp / 8); + fb->fb.screen_base = dma_alloc_coherent(&fb->dev->dev, framesize, + &dma, GFP_KERNEL); + if (!fb->fb.screen_base) +diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c +index d0a4e2f79a57..d215faacce04 100644 +--- a/drivers/video/fbdev/sm501fb.c ++++ b/drivers/video/fbdev/sm501fb.c +@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_info *info, + info->fbmem = ioremap(res->start, resource_size(res)); + if (info->fbmem == NULL) { + dev_err(dev, "cannot remap framebuffer\n"); ++ ret = -ENXIO; + goto err_mem_res; + } + +diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c +index d2a985e59fcd..105a269ff66a 100644 +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1487,15 +1487,25 @@ static struct device_attribute fb_device_attrs[] = { + static int dlfb_select_std_channel(struct dlfb_data *dev) + { + int ret; +- u8 set_def_chn[] = { 0x57, 0xCD, 0xDC, 0xA7, ++ void *buf; ++ static const u8 set_def_chn[] = { ++ 0x57, 0xCD, 0xDC, 0xA7, + 0x1C, 0x88, 0x5E, 0x15, + 0x60, 0xFE, 0xC6, 0x97, + 0x16, 0x3D, 0x47, 0xF2 }; + ++ buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL); ++ ++ if (!buf) ++ return -ENOMEM; ++ + ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), + NR_USB_REQUEST_CHANNEL, + (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0, +- set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT); ++ buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT); ++ ++ kfree(buf); ++ + return ret; + } + +diff --git a/drivers/video/fbdev/vfb.c b/drivers/video/fbdev/vfb.c +index 70a897b1e458..146cc3516f61 100644 +--- a/drivers/video/fbdev/vfb.c ++++ b/drivers/video/fbdev/vfb.c +@@ -284,8 +284,23 @@ static int vfb_check_var(struct fb_var_screeninfo *var, + */ + static int vfb_set_par(struct fb_info *info) + { ++ switch (info->var.bits_per_pixel) { ++ case 1: ++ info->fix.visual = FB_VISUAL_MONO01; ++ break; ++ case 8: ++ info->fix.visual = FB_VISUAL_PSEUDOCOLOR; ++ break; ++ case 16: ++ case 24: ++ case 32: ++ info->fix.visual = FB_VISUAL_TRUECOLOR; ++ break; ++ } ++ + info->fix.line_length = get_line_length(info->var.xres_virtual, + info->var.bits_per_pixel); ++ + return 0; + } + +@@ -526,6 +541,8 @@ static int vfb_probe(struct platform_device *dev) + goto err2; + platform_set_drvdata(dev, info); + ++ vfb_set_par(info); ++ + fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n", + videomemorysize >> 10); + return 0; +diff --git a/drivers/video/hdmi.c b/drivers/video/hdmi.c +index 162689227a23..b73520aaf697 100644 +--- a/drivers/video/hdmi.c ++++ b/drivers/video/hdmi.c +@@ -321,6 +321,17 @@ int hdmi_vendor_infoframe_init(struct hdmi_vendor_infoframe *frame) + } + EXPORT_SYMBOL(hdmi_vendor_infoframe_init); + ++static int hdmi_vendor_infoframe_length(const struct hdmi_vendor_infoframe *frame) ++{ ++ /* for side by side (half) we also need to provide 3D_Ext_Data */ ++ if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF) ++ return 6; ++ else if (frame->vic != 0 || frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID) ++ return 5; ++ else ++ return 4; ++} ++ + /** + * hdmi_vendor_infoframe_pack() - write a HDMI vendor infoframe to binary buffer + * @frame: HDMI infoframe +@@ -341,19 +352,11 @@ ssize_t hdmi_vendor_infoframe_pack(struct hdmi_vendor_infoframe *frame, + u8 *ptr = buffer; + size_t length; + +- /* empty info frame */ +- if (frame->vic == 0 && frame->s3d_struct == HDMI_3D_STRUCTURE_INVALID) +- return -EINVAL; +- + /* only one of those can be supplied */ + if (frame->vic != 0 && frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID) + return -EINVAL; + +- /* for side by side (half) we also need to provide 3D_Ext_Data */ +- if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF) +- frame->length = 6; +- else +- frame->length = 5; ++ frame->length = hdmi_vendor_infoframe_length(frame); + + length = HDMI_INFOFRAME_HEADER_SIZE + frame->length; + +@@ -372,14 +375,16 @@ ssize_t hdmi_vendor_infoframe_pack(struct hdmi_vendor_infoframe *frame, + ptr[5] = 0x0c; + ptr[6] = 0x00; + +- if (frame->vic) { +- ptr[7] = 0x1 << 5; /* video format */ +- ptr[8] = frame->vic; +- } else { ++ if (frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID) { + ptr[7] = 0x2 << 5; /* video format */ + ptr[8] = (frame->s3d_struct & 0xf) << 4; + if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF) + ptr[9] = (frame->s3d_ext_data & 0xf) << 4; ++ } else if (frame->vic) { ++ ptr[7] = 0x1 << 5; /* video format */ ++ ptr[8] = frame->vic; ++ } else { ++ ptr[7] = 0x0 << 5; /* video format */ + } + + hdmi_infoframe_set_checksum(buffer, length); +@@ -1161,7 +1166,7 @@ hdmi_vendor_any_infoframe_unpack(union hdmi_vendor_any_infoframe *frame, + + if (ptr[0] != HDMI_INFOFRAME_TYPE_VENDOR || + ptr[1] != 1 || +- (ptr[2] != 5 && ptr[2] != 6)) ++ (ptr[2] != 4 && ptr[2] != 5 && ptr[2] != 6)) + return -EINVAL; + + length = ptr[2]; +@@ -1189,16 +1194,22 @@ hdmi_vendor_any_infoframe_unpack(union hdmi_vendor_any_infoframe *frame, + + hvf->length = length; + +- if (hdmi_video_format == 0x1) { +- hvf->vic = ptr[4]; +- } else if (hdmi_video_format == 0x2) { ++ if (hdmi_video_format == 0x2) { ++ if (length != 5 && length != 6) ++ return -EINVAL; + hvf->s3d_struct = ptr[4] >> 4; + if (hvf->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF) { +- if (length == 6) +- hvf->s3d_ext_data = ptr[5] >> 4; +- else ++ if (length != 6) + return -EINVAL; ++ hvf->s3d_ext_data = ptr[5] >> 4; + } ++ } else if (hdmi_video_format == 0x1) { ++ if (length != 5) ++ return -EINVAL; ++ hvf->vic = ptr[4]; ++ } else { ++ if (length != 4) ++ return -EINVAL; + } + + return 0; +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index 016bd9355190..aa93df5833dc 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -450,7 +450,7 @@ static bool watchdog_is_running(void) + + is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0)) + && (superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF) +- & F71808FG_FLAG_WD_EN); ++ & BIT(F71808FG_FLAG_WD_EN)); + + superio_exit(watchdog.sioaddr); + +diff --git a/fs/aio.c b/fs/aio.c +index 480440f4701f..61ada5047da2 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -68,9 +68,9 @@ struct aio_ring { + #define AIO_RING_PAGES 8 + + struct kioctx_table { +- struct rcu_head rcu; +- unsigned nr; +- struct kioctx *table[]; ++ struct rcu_head rcu; ++ unsigned nr; ++ struct kioctx __rcu *table[]; + }; + + struct kioctx_cpu { +@@ -115,7 +115,8 @@ struct kioctx { + struct page **ring_pages; + long nr_pages; + +- struct work_struct free_work; ++ struct rcu_head free_rcu; ++ struct work_struct free_work; /* see free_ioctx() */ + + /* + * signals when all in-flight requests are done +@@ -327,7 +328,7 @@ static int aio_ring_remap(struct file *file, struct vm_area_struct *vma) + for (i = 0; i < table->nr; i++) { + struct kioctx *ctx; + +- ctx = table->table[i]; ++ ctx = rcu_dereference(table->table[i]); + if (ctx && ctx->aio_ring_file == file) { + if (!atomic_read(&ctx->dead)) { + ctx->user_id = ctx->mmap_base = vma->vm_start; +@@ -559,6 +560,12 @@ static int kiocb_cancel(struct aio_kiocb *kiocb) + return cancel(&kiocb->common); + } + ++/* ++ * free_ioctx() should be RCU delayed to synchronize against the RCU ++ * protected lookup_ioctx() and also needs process context to call ++ * aio_free_ring(), so the double bouncing through kioctx->free_rcu and ++ * ->free_work. ++ */ + static void free_ioctx(struct work_struct *work) + { + struct kioctx *ctx = container_of(work, struct kioctx, free_work); +@@ -572,6 +579,14 @@ static void free_ioctx(struct work_struct *work) + kmem_cache_free(kioctx_cachep, ctx); + } + ++static void free_ioctx_rcufn(struct rcu_head *head) ++{ ++ struct kioctx *ctx = container_of(head, struct kioctx, free_rcu); ++ ++ INIT_WORK(&ctx->free_work, free_ioctx); ++ schedule_work(&ctx->free_work); ++} ++ + static void free_ioctx_reqs(struct percpu_ref *ref) + { + struct kioctx *ctx = container_of(ref, struct kioctx, reqs); +@@ -580,8 +595,8 @@ static void free_ioctx_reqs(struct percpu_ref *ref) + if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count)) + complete(&ctx->rq_wait->comp); + +- INIT_WORK(&ctx->free_work, free_ioctx); +- schedule_work(&ctx->free_work); ++ /* Synchronize against RCU protected table->table[] dereferences */ ++ call_rcu(&ctx->free_rcu, free_ioctx_rcufn); + } + + /* +@@ -622,9 +637,9 @@ static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm) + while (1) { + if (table) + for (i = 0; i < table->nr; i++) +- if (!table->table[i]) { ++ if (!rcu_access_pointer(table->table[i])) { + ctx->id = i; +- table->table[i] = ctx; ++ rcu_assign_pointer(table->table[i], ctx); + spin_unlock(&mm->ioctx_lock); + + /* While kioctx setup is in progress, +@@ -799,11 +814,11 @@ static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx, + } + + table = rcu_dereference_raw(mm->ioctx_table); +- WARN_ON(ctx != table->table[ctx->id]); +- table->table[ctx->id] = NULL; ++ WARN_ON(ctx != rcu_access_pointer(table->table[ctx->id])); ++ RCU_INIT_POINTER(table->table[ctx->id], NULL); + spin_unlock(&mm->ioctx_lock); + +- /* percpu_ref_kill() will do the necessary call_rcu() */ ++ /* free_ioctx_reqs() will do the necessary RCU synchronization */ + wake_up_all(&ctx->wait); + + /* +@@ -845,7 +860,8 @@ void exit_aio(struct mm_struct *mm) + + skipped = 0; + for (i = 0; i < table->nr; ++i) { +- struct kioctx *ctx = table->table[i]; ++ struct kioctx *ctx = ++ rcu_dereference_protected(table->table[i], true); + + if (!ctx) { + skipped++; +@@ -1034,7 +1050,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id) + if (!table || id >= table->nr) + goto out; + +- ctx = table->table[id]; ++ ctx = rcu_dereference(table->table[id]); + if (ctx && ctx->user_id == ctx_id) { + percpu_ref_get(&ctx->users); + ret = ctx; +diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c +index 7a54c6a867c8..500098cdb960 100644 +--- a/fs/autofs4/root.c ++++ b/fs/autofs4/root.c +@@ -746,7 +746,7 @@ static int autofs4_dir_mkdir(struct inode *dir, struct dentry *dentry, umode_t m + + autofs4_del_active(dentry); + +- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555); ++ inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode); + if (!inode) + return -ENOMEM; + d_add(dentry, inode); +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 885f533a34d9..f179946d67ed 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2466,7 +2466,7 @@ int end_extent_writepage(struct page *page, int err, u64 start, u64 end) + if (!uptodate) { + ClearPageUptodate(page); + SetPageError(page); +- ret = ret < 0 ? ret : -EIO; ++ ret = err < 0 ? err : -EIO; + mapping_set_error(page->mapping, ret); + } + return 0; +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 5fe5314270fd..68ca200b714a 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -4759,13 +4759,19 @@ static int is_extent_unchanged(struct send_ctx *sctx, + while (key.offset < ekey->offset + left_len) { + ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item); + right_type = btrfs_file_extent_type(eb, ei); +- if (right_type != BTRFS_FILE_EXTENT_REG) { ++ if (right_type != BTRFS_FILE_EXTENT_REG && ++ right_type != BTRFS_FILE_EXTENT_INLINE) { + ret = 0; + goto out; + } + + right_disknr = btrfs_file_extent_disk_bytenr(eb, ei); +- right_len = btrfs_file_extent_num_bytes(eb, ei); ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) { ++ right_len = btrfs_file_extent_inline_len(eb, slot, ei); ++ right_len = PAGE_ALIGN(right_len); ++ } else { ++ right_len = btrfs_file_extent_num_bytes(eb, ei); ++ } + right_offset = btrfs_file_extent_offset(eb, ei); + right_gen = btrfs_file_extent_generation(eb, ei); + +@@ -4779,6 +4785,19 @@ static int is_extent_unchanged(struct send_ctx *sctx, + goto out; + } + ++ /* ++ * We just wanted to see if when we have an inline extent, what ++ * follows it is a regular extent (wanted to check the above ++ * condition for inline extents too). This should normally not ++ * happen but it's possible for example when we have an inline ++ * compressed extent representing data with a size matching ++ * the page size (currently the same as sector size). ++ */ ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) { ++ ret = 0; ++ goto out; ++ } ++ + left_offset_fixed = left_offset; + if (key.offset < ekey->offset) { + /* Fix the right offset for 2a and 7. */ +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 18a3573e1444..4a0318ee4ed1 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4370,10 +4370,13 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans, + if (devs_max && ndevs > devs_max) + ndevs = devs_max; + /* +- * the primary goal is to maximize the number of stripes, so use as many +- * devices as possible, even if the stripes are not maximum sized. ++ * The primary goal is to maximize the number of stripes, so use as ++ * many devices as possible, even if the stripes are not maximum sized. ++ * ++ * The DUP profile stores more than one stripe per device, the ++ * max_avail is the total size so we have to adjust. + */ +- stripe_size = devices_info[ndevs-1].max_avail; ++ stripe_size = div_u64(devices_info[ndevs - 1].max_avail, dev_stripes); + num_stripes = ndevs * dev_stripes; + + /* +@@ -4413,8 +4416,6 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans, + stripe_size = devices_info[ndevs-1].max_avail; + } + +- stripe_size = div_u64(stripe_size, dev_stripes); +- + /* align to BTRFS_STRIPE_LEN */ + stripe_size = div_u64(stripe_size, raid_stripe_len); + stripe_size *= raid_stripe_len; +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c +index 49a0d6b027c1..76dacd5307b9 100644 +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -673,6 +673,9 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, + goto mknod_out; + } + ++ if (!S_ISCHR(mode) && !S_ISBLK(mode)) ++ goto mknod_out; ++ + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)) + goto mknod_out; + +@@ -681,10 +684,8 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, + + buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL); + if (buf == NULL) { +- kfree(full_path); + rc = -ENOMEM; +- free_xid(xid); +- return rc; ++ goto mknod_out; + } + + if (backup_cred(cifs_sb)) +@@ -731,7 +732,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode, + pdev->minor = cpu_to_le64(MINOR(device_number)); + rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms, + &bytes_written, iov, 1); +- } /* else if (S_ISFIFO) */ ++ } + tcon->ses->server->ops->close(xid, tcon, &fid); + d_drop(direntry); + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 1366d2151389..6f20a8ca5e7c 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -582,7 +582,7 @@ cifs_relock_file(struct cifsFileInfo *cfile) + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + int rc = 0; + +- down_read(&cinode->lock_sem); ++ down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING); + if (cinode->can_cache_brlcks) { + /* can cache locks - no need to relock */ + up_read(&cinode->lock_sem); +diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c +index abae6dd2c6b9..cc88f4f0325e 100644 +--- a/fs/cifs/netmisc.c ++++ b/fs/cifs/netmisc.c +@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le_date, __le16 le_time, int offset) + cifs_dbg(VFS, "illegal hours %d\n", st->Hours); + days = sd->Day; + month = sd->Month; +- if ((days > 31) || (month > 12)) { ++ if (days < 1 || days > 31 || month < 1 || month > 12) { + cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days); +- if (month > 12) +- month = 12; ++ days = clamp(days, 1, 31); ++ month = clamp(month, 1, 12); + } + month -= 1; + days += total_days_of_prev_months[month]; +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index 5f9229ddf335..11b562ac8f31 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, + /* BB is NTLMV2 session security format easier to use here? */ + flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | + NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | +- NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC; +- if (ses->server->sign) { ++ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | ++ NTLMSSP_NEGOTIATE_SEAL; ++ if (ses->server->sign) + flags |= NTLMSSP_NEGOTIATE_SIGN; +- if (!ses->server->session_estab || +- ses->ntlmssp->sesskey_per_smbsess) +- flags |= NTLMSSP_NEGOTIATE_KEY_XCH; +- } ++ if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) ++ flags |= NTLMSSP_NEGOTIATE_KEY_XCH; + + sec_blob->NegotiateFlags = cpu_to_le32(flags); + +@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned char **pbuffer, + flags = NTLMSSP_NEGOTIATE_56 | + NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO | + NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | +- NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC; +- if (ses->server->sign) { ++ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | ++ NTLMSSP_NEGOTIATE_SEAL; ++ if (ses->server->sign) + flags |= NTLMSSP_NEGOTIATE_SIGN; +- if (!ses->server->session_estab || +- ses->ntlmssp->sesskey_per_smbsess) +- flags |= NTLMSSP_NEGOTIATE_KEY_XCH; +- } ++ if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) ++ flags |= NTLMSSP_NEGOTIATE_KEY_XCH; + + tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); + sec_blob->NegotiateFlags = cpu_to_le32(flags); +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 69422157c71b..4b4b1cbc69b2 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -754,10 +754,8 @@ ssetup_exit: + + if (!rc) { + mutex_lock(&server->srv_mutex); +- if (server->sign && server->ops->generate_signingkey) { ++ if (server->ops->generate_signingkey) { + rc = server->ops->generate_signingkey(ses); +- kfree(ses->auth_key.response); +- ses->auth_key.response = NULL; + if (rc) { + cifs_dbg(FYI, + "SMB3 session key generation failed\n"); +@@ -779,10 +777,6 @@ ssetup_exit: + } + + keygen_exit: +- if (!server->sign) { +- kfree(ses->auth_key.response); +- ses->auth_key.response = NULL; +- } + if (spnego_key) { + key_invalidate(spnego_key); + key_put(spnego_key); +@@ -921,15 +915,19 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, + goto tcon_exit; + } + +- if (rsp->ShareType & SMB2_SHARE_TYPE_DISK) ++ switch (rsp->ShareType) { ++ case SMB2_SHARE_TYPE_DISK: + cifs_dbg(FYI, "connection to disk share\n"); +- else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) { ++ break; ++ case SMB2_SHARE_TYPE_PIPE: + tcon->ipc = true; + cifs_dbg(FYI, "connection to pipe share\n"); +- } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) { +- tcon->print = true; ++ break; ++ case SMB2_SHARE_TYPE_PRINT: ++ tcon->ipc = true; + cifs_dbg(FYI, "connection to printer\n"); +- } else { ++ break; ++ default: + cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType); + rc = -EOPNOTSUPP; + goto tcon_error_exit; +@@ -1353,6 +1351,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, + } else + iov[0].iov_len = get_rfc1002_length(req) + 4; + ++ /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ ++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) ++ req->hdr.Flags |= SMB2_FLAGS_SIGNED; + + rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); + rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base; +diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c +index 6b8e2f091f5b..5e6798a3c9b6 100644 +--- a/fs/compat_ioctl.c ++++ b/fs/compat_ioctl.c +@@ -811,7 +811,7 @@ static int compat_ioctl_preallocate(struct file *file, + */ + #define XFORM(i) (((i) ^ ((i) << 27) ^ ((i) << 17)) & 0xffffffff) + +-#define COMPATIBLE_IOCTL(cmd) XFORM(cmd), ++#define COMPATIBLE_IOCTL(cmd) XFORM((u32)cmd), + /* ioctl should not be warned about even if it's not implemented. + Valid reasons to use this: + - It is implemented with ->compat_ioctl on some device, but programs +diff --git a/fs/dcache.c b/fs/dcache.c +index 5ca8f0b2b897..c19576fa779e 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -607,11 +607,16 @@ again: + spin_unlock(&parent->d_lock); + goto again; + } +- rcu_read_unlock(); +- if (parent != dentry) ++ if (parent != dentry) { + spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED); +- else ++ if (unlikely(dentry->d_lockref.count < 0)) { ++ spin_unlock(&parent->d_lock); ++ parent = NULL; ++ } ++ } else { + parent = NULL; ++ } ++ rcu_read_unlock(); + return parent; + } + +diff --git a/fs/ext4/file.c b/fs/ext4/file.c +index f57cf1c42ca3..79f974ba1999 100644 +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -351,7 +351,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, + int i, num; + unsigned long nr_pages; + +- num = min_t(pgoff_t, end - index, PAGEVEC_SIZE); ++ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1; + nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index, + (pgoff_t)num); + if (nr_pages == 0) +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index c1feaf011515..25fcf7b2bdaa 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1476,6 +1476,8 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd, + BUG_ON(!PageLocked(page)); + BUG_ON(PageWriteback(page)); + if (invalidate) { ++ if (page_mapped(page)) ++ clear_page_dirty_for_io(page); + block_invalidatepage(page, 0, PAGE_CACHE_SIZE); + ClearPageUptodate(page); + } +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index c67056a8c901..1f5062222425 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2126,6 +2126,8 @@ static int ext4_check_descriptors(struct super_block *sb, + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u overlaps " + "superblock", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; + } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -2138,6 +2140,8 @@ static int ext4_check_descriptors(struct super_block *sb, + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u overlaps " + "superblock", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; + } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -2150,6 +2154,8 @@ static int ext4_check_descriptors(struct super_block *sb, + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode table for group %u overlaps " + "superblock", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; + } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index e4d224315a1f..0bb394b4f04b 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -275,11 +275,11 @@ loop: + goto loop; + + end_loop: +- write_unlock(&journal->j_state_lock); + del_timer_sync(&journal->j_commit_timer); + journal->j_task = NULL; + wake_up(&journal->j_wait_done_commit); + jbd_debug(1, "Journal thread exiting.\n"); ++ write_unlock(&journal->j_state_lock); + return 0; + } + +@@ -923,7 +923,7 @@ out: + } + + /* +- * This is a variaon of __jbd2_update_log_tail which checks for validity of ++ * This is a variation of __jbd2_update_log_tail which checks for validity of + * provided log tail and locks j_checkpoint_mutex. So it is safe against races + * with other threads updating log tail. + */ +@@ -1399,6 +1399,9 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid, + journal_superblock_t *sb = journal->j_superblock; + int ret; + ++ if (is_journal_aborted(journal)) ++ return -EIO; ++ + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", + tail_block, tail_tid); +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index deff03371626..4ddcaf949a16 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -515,6 +515,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type, + */ + ret = start_this_handle(journal, handle, GFP_NOFS); + if (ret < 0) { ++ handle->h_journal = journal; + jbd2_journal_free_reserved(handle); + return ret; + } +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index d86c5e3176a1..600da1a4df29 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -345,7 +345,7 @@ static void jffs2_put_super (struct super_block *sb) + static void jffs2_kill_sb(struct super_block *sb) + { + struct jffs2_sb_info *c = JFFS2_SB_INFO(sb); +- if (!(sb->s_flags & MS_RDONLY)) ++ if (c && !(sb->s_flags & MS_RDONLY)) + jffs2_stop_garbage_collect_thread(c); + kill_mtd_super(sb); + kfree(c); +diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c +index 55505cbe11af..375efc1ced83 100644 +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -129,6 +129,8 @@ lockd(void *vrqstp) + { + int err = 0; + struct svc_rqst *rqstp = vrqstp; ++ struct net *net = &init_net; ++ struct lockd_net *ln = net_generic(net, lockd_net_id); + + /* try_to_freeze() is called from svc_recv() */ + set_freezable(); +@@ -173,6 +175,8 @@ lockd(void *vrqstp) + if (nlmsvc_ops) + nlmsvc_invalidate_all(); + nlm_shutdown_hosts(); ++ cancel_delayed_work_sync(&ln->grace_period_end); ++ locks_end_grace(&ln->lockd_manager); + return 0; + } + +@@ -267,8 +271,6 @@ static void lockd_down_net(struct svc_serv *serv, struct net *net) + if (ln->nlmsvc_users) { + if (--ln->nlmsvc_users == 0) { + nlm_shutdown_hosts_net(net); +- cancel_delayed_work_sync(&ln->grace_period_end); +- locks_end_grace(&ln->lockd_manager); + svc_shutdown_net(serv, net); + dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net); + } +diff --git a/fs/namei.c b/fs/namei.c +index 0d97235019a9..4d333d26a028 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -219,9 +219,10 @@ getname_kernel(const char * filename) + if (len <= EMBEDDED_NAME_MAX) { + result->name = (char *)result->iname; + } else if (len <= PATH_MAX) { ++ const size_t size = offsetof(struct filename, iname[1]); + struct filename *tmp; + +- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL); ++ tmp = kmalloc(size, GFP_KERNEL); + if (unlikely(!tmp)) { + __putname(result); + return ERR_PTR(-ENOMEM); +diff --git a/fs/namespace.c b/fs/namespace.c +index 58b281ad30d5..45fc042b84ce 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1007,7 +1007,8 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root, + goto out_free; + } + +- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED); ++ mnt->mnt.mnt_flags = old->mnt.mnt_flags; ++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL); + /* Don't allow unprivileged users to change mount flags */ + if (flag & CL_UNPRIVILEGED) { + mnt->mnt.mnt_flags |= MNT_LOCK_ATIME; +diff --git a/fs/ncpfs/ncplib_kernel.c b/fs/ncpfs/ncplib_kernel.c +index 88dbbc9fcf4d..f571570a2e72 100644 +--- a/fs/ncpfs/ncplib_kernel.c ++++ b/fs/ncpfs/ncplib_kernel.c +@@ -980,6 +980,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, + goto out; + } + *bytes_read = ncp_reply_be16(server, 0); ++ if (*bytes_read > to_read) { ++ result = -EINVAL; ++ goto out; ++ } + source = ncp_reply_data(server, 2 + (offset & 1)); + + memcpy(target, source, *bytes_read); +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index cb050d1e8146..10b055105b36 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -86,9 +86,9 @@ struct nfs_direct_req { + struct nfs_direct_mirror mirrors[NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX]; + int mirror_count; + ++ loff_t io_start; /* Start offset for I/O */ + ssize_t count, /* bytes actually processed */ + bytes_left, /* bytes left to be sent */ +- io_start, /* start of IO */ + error; /* any reported error */ + struct completion completion; /* wait for i/o completion */ + +diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c +index c2abdc7db6c3..4af8e428e4c9 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -307,6 +307,7 @@ ff_layout_alloc_lseg(struct pnfs_layout_hdr *lh, + goto out_err_free; + + /* fh */ ++ rc = -EIO; + p = xdr_inline_decode(&stream, 4); + if (!p) + goto out_err_free; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 0fb0dc739fb2..9b6950a5fcc6 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7531,6 +7531,12 @@ static int nfs41_reclaim_complete_handle_errors(struct rpc_task *task, struct nf + /* fall through */ + case -NFS4ERR_RETRY_UNCACHED_REP: + return -EAGAIN; ++ case -NFS4ERR_BADSESSION: ++ case -NFS4ERR_DEADSESSION: ++ case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION: ++ nfs4_schedule_session_recovery(clp->cl_session, ++ task->tk_status); ++ break; + default: + nfs4_schedule_lease_recovery(clp); + } +@@ -7609,7 +7615,6 @@ static int nfs41_proc_reclaim_complete(struct nfs_client *clp, + if (status == 0) + status = task->tk_status; + rpc_put_task(task); +- return 0; + out: + dprintk("<-- %s status=%d\n", __func__, status); + return status; +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index f8d2902ec118..0b50bdfbc32f 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1591,13 +1591,14 @@ static void nfs4_state_start_reclaim_reboot(struct nfs_client *clp) + nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot); + } + +-static void nfs4_reclaim_complete(struct nfs_client *clp, ++static int nfs4_reclaim_complete(struct nfs_client *clp, + const struct nfs4_state_recovery_ops *ops, + struct rpc_cred *cred) + { + /* Notify the server we're done reclaiming our state */ + if (ops->reclaim_complete) +- (void)ops->reclaim_complete(clp, cred); ++ return ops->reclaim_complete(clp, cred); ++ return 0; + } + + static void nfs4_clear_reclaim_server(struct nfs_server *server) +@@ -1644,13 +1645,16 @@ static void nfs4_state_end_reclaim_reboot(struct nfs_client *clp) + { + const struct nfs4_state_recovery_ops *ops; + struct rpc_cred *cred; ++ int err; + + if (!nfs4_state_clear_reclaim_reboot(clp)) + return; + ops = clp->cl_mvops->reboot_recovery_ops; + cred = nfs4_get_clid_cred(clp); +- nfs4_reclaim_complete(clp, ops, cred); ++ err = nfs4_reclaim_complete(clp, ops, cred); + put_rpccred(cred); ++ if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION) ++ set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state); + } + + static void nfs_delegation_clear_all(struct nfs_client *clp) +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 93d355c8b467..50d40b129737 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -1277,8 +1277,10 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index) + mirror = &desc->pg_mirrors[midx]; + if (!list_empty(&mirror->pg_list)) { + prev = nfs_list_entry(mirror->pg_list.prev); +- if (index != prev->wb_index + 1) +- nfs_pageio_complete_mirror(desc, midx); ++ if (index != prev->wb_index + 1) { ++ nfs_pageio_complete(desc); ++ break; ++ } + } + } + } +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 1e58fa0a28a3..73c93f2d6353 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1256,14 +1256,14 @@ nfsd4_layoutget(struct svc_rqst *rqstp, + const struct nfsd4_layout_ops *ops; + struct nfs4_layout_stateid *ls; + __be32 nfserr; +- int accmode; ++ int accmode = NFSD_MAY_READ_IF_EXEC; + + switch (lgp->lg_seg.iomode) { + case IOMODE_READ: +- accmode = NFSD_MAY_READ; ++ accmode |= NFSD_MAY_READ; + break; + case IOMODE_RW: +- accmode = NFSD_MAY_READ | NFSD_MAY_WRITE; ++ accmode |= NFSD_MAY_READ | NFSD_MAY_WRITE; + break; + default: + dprintk("%s: invalid iomode %d\n", +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index 5eaee287be23..9bfcd93448dc 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -92,6 +92,12 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp, + err = follow_down(&path); + if (err < 0) + goto out; ++ if (path.mnt == exp->ex_path.mnt && path.dentry == dentry && ++ nfsd_mountpoint(dentry, exp) == 2) { ++ /* This is only a mountpoint in some other namespace */ ++ path_put(&path); ++ goto out; ++ } + + exp2 = rqst_exp_get_by_name(rqstp, &path); + if (IS_ERR(exp2)) { +@@ -165,16 +171,26 @@ static int nfsd_lookup_parent(struct svc_rqst *rqstp, struct dentry *dparent, st + /* + * For nfsd purposes, we treat V4ROOT exports as though there was an + * export at *every* directory. ++ * We return: ++ * '1' if this dentry *must* be an export point, ++ * '2' if it might be, if there is really a mount here, and ++ * '0' if there is no chance of an export point here. + */ + int nfsd_mountpoint(struct dentry *dentry, struct svc_export *exp) + { +- if (d_mountpoint(dentry)) ++ if (!d_inode(dentry)) ++ return 0; ++ if (exp->ex_flags & NFSEXP_V4ROOT) + return 1; + if (nfsd4_is_junction(dentry)) + return 1; +- if (!(exp->ex_flags & NFSEXP_V4ROOT)) +- return 0; +- return d_inode(dentry) != NULL; ++ if (d_mountpoint(dentry)) ++ /* ++ * Might only be a mountpoint in a different namespace, ++ * but we need to check. ++ */ ++ return 2; ++ return 0; + } + + __be32 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c +index e0e5f7c3c99f..8a459b179183 100644 +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -92,7 +92,7 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark, + u32 event_mask, + void *data, int data_type) + { +- __u32 marks_mask, marks_ignored_mask; ++ __u32 marks_mask = 0, marks_ignored_mask = 0; + struct path *path = data; + + pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p" +@@ -108,24 +108,20 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark, + !d_can_lookup(path->dentry)) + return false; + +- if (inode_mark && vfsmnt_mark) { +- marks_mask = (vfsmnt_mark->mask | inode_mark->mask); +- marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask); +- } else if (inode_mark) { +- /* +- * if the event is for a child and this inode doesn't care about +- * events on the child, don't send it! +- */ +- if ((event_mask & FS_EVENT_ON_CHILD) && +- !(inode_mark->mask & FS_EVENT_ON_CHILD)) +- return false; +- marks_mask = inode_mark->mask; +- marks_ignored_mask = inode_mark->ignored_mask; +- } else if (vfsmnt_mark) { +- marks_mask = vfsmnt_mark->mask; +- marks_ignored_mask = vfsmnt_mark->ignored_mask; +- } else { +- BUG(); ++ /* ++ * if the event is for a child and this inode doesn't care about ++ * events on the child, don't send it! ++ */ ++ if (inode_mark && ++ (!(event_mask & FS_EVENT_ON_CHILD) || ++ (inode_mark->mask & FS_EVENT_ON_CHILD))) { ++ marks_mask |= inode_mark->mask; ++ marks_ignored_mask |= inode_mark->ignored_mask; ++ } ++ ++ if (vfsmnt_mark) { ++ marks_mask |= vfsmnt_mark->mask; ++ marks_ignored_mask |= vfsmnt_mark->ignored_mask; + } + + if (d_is_dir(path->dentry) && +diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c +index d293034ae2cb..e73f0070a0fc 100644 +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -274,6 +274,16 @@ ssize_t ovl_getxattr(struct dentry *dentry, const char *name, + return vfs_getxattr(realpath.dentry, name, value, size); + } + ++static bool ovl_can_list(const char *s) ++{ ++ /* List all non-trusted xatts */ ++ if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0) ++ return true; ++ ++ /* Never list trusted.overlay, list other trusted for superuser only */ ++ return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); ++} ++ + ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) + { + struct path realpath; +@@ -298,7 +308,7 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) + return -EIO; + + len -= slen; +- if (ovl_is_private_xattr(s)) { ++ if (!ovl_can_list(s)) { + res -= slen; + memmove(s, s + slen, len); + } else { +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c +index 9d6486d416a3..00985f9db9f7 100644 +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -1961,7 +1961,7 @@ static int do_journal_release(struct reiserfs_transaction_handle *th, + * will be requeued because superblock is being shutdown and doesn't + * have MS_ACTIVE set. + */ +- cancel_delayed_work_sync(&REISERFS_SB(sb)->old_work); ++ reiserfs_cancel_old_flush(sb); + /* wait for all commits to finish */ + cancel_delayed_work_sync(&SB_JOURNAL(sb)->j_work); + +@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super_block *super, + if (IS_ERR(journal->j_dev_bd)) { + result = PTR_ERR(journal->j_dev_bd); + journal->j_dev_bd = NULL; +- reiserfs_warning(super, ++ reiserfs_warning(super, "sh-457", + "journal_init_dev: Cannot open '%s': %i", + jdev_name, result); + return result; +diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h +index 5dcf3ab83886..6ca00471afbf 100644 +--- a/fs/reiserfs/reiserfs.h ++++ b/fs/reiserfs/reiserfs.h +@@ -2948,6 +2948,7 @@ int reiserfs_allocate_list_bitmaps(struct super_block *s, + struct reiserfs_list_bitmap *, unsigned int); + + void reiserfs_schedule_old_flush(struct super_block *s); ++void reiserfs_cancel_old_flush(struct super_block *s); + void add_save_link(struct reiserfs_transaction_handle *th, + struct inode *inode, int truncate); + int remove_save_link(struct inode *inode, int truncate); +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index cf6fa25f884b..45ec0e91010a 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -89,7 +89,9 @@ static void flush_old_commits(struct work_struct *work) + s = sbi->s_journal->j_work_sb; + + spin_lock(&sbi->old_work_lock); +- sbi->work_queued = 0; ++ /* Avoid clobbering the cancel state... */ ++ if (sbi->work_queued == 1) ++ sbi->work_queued = 0; + spin_unlock(&sbi->old_work_lock); + + reiserfs_sync_fs(s, 1); +@@ -116,21 +118,22 @@ void reiserfs_schedule_old_flush(struct super_block *s) + spin_unlock(&sbi->old_work_lock); + } + +-static void cancel_old_flush(struct super_block *s) ++void reiserfs_cancel_old_flush(struct super_block *s) + { + struct reiserfs_sb_info *sbi = REISERFS_SB(s); + +- cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); + spin_lock(&sbi->old_work_lock); +- sbi->work_queued = 0; ++ /* Make sure no new flushes will be queued */ ++ sbi->work_queued = 2; + spin_unlock(&sbi->old_work_lock); ++ cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); + } + + static int reiserfs_freeze(struct super_block *s) + { + struct reiserfs_transaction_handle th; + +- cancel_old_flush(s); ++ reiserfs_cancel_old_flush(s); + + reiserfs_write_lock(s); + if (!(s->s_flags & MS_RDONLY)) { +@@ -151,7 +154,13 @@ static int reiserfs_freeze(struct super_block *s) + + static int reiserfs_unfreeze(struct super_block *s) + { ++ struct reiserfs_sb_info *sbi = REISERFS_SB(s); ++ + reiserfs_allow_writes(s); ++ spin_lock(&sbi->old_work_lock); ++ /* Allow old_work to run again */ ++ sbi->work_queued = 0; ++ spin_unlock(&sbi->old_work_lock); + return 0; + } + +@@ -2177,7 +2186,7 @@ error_unlocked: + if (sbi->commit_wq) + destroy_workqueue(sbi->commit_wq); + +- cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); ++ reiserfs_cancel_old_flush(s); + + reiserfs_free_bitmap_cache(s); + if (SB_BUFFER_WITH_SB(s)) +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c +index 75e6f04bb795..48ab0c462f21 100644 +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1724,8 +1724,11 @@ static void ubifs_remount_ro(struct ubifs_info *c) + + dbg_save_space_info(c); + +- for (i = 0; i < c->jhead_cnt; i++) +- ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ for (i = 0; i < c->jhead_cnt; i++) { ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ if (err) ++ ubifs_ro_mode(c, err); ++ } + + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY); + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS); +@@ -1791,8 +1794,11 @@ static void ubifs_put_super(struct super_block *sb) + int err; + + /* Synchronize write-buffers */ +- for (i = 0; i < c->jhead_cnt; i++) +- ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ for (i = 0; i < c->jhead_cnt; i++) { ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ if (err) ++ ubifs_ro_mode(c, err); ++ } + + /* + * We are being cleanly unmounted which means the +diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h +index d1e49d52b640..de179993e039 100644 +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -10,3 +10,8 @@ + #undef uninitialized_var + #define uninitialized_var(x) x = *(&(x)) + #endif ++ ++/* same as gcc, this was present in clang-2.6 so we can assume it works ++ * with any version that can compile the kernel ++ */ ++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) +diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h +index a91b3b75da0f..bb3a4bb35183 100644 +--- a/include/linux/cpumask.h ++++ b/include/linux/cpumask.h +@@ -661,6 +661,11 @@ void alloc_bootmem_cpumask_var(cpumask_var_t *mask); + void free_cpumask_var(cpumask_var_t mask); + void free_bootmem_cpumask_var(cpumask_var_t mask); + ++static inline bool cpumask_available(cpumask_var_t mask) ++{ ++ return mask != NULL; ++} ++ + #else + typedef struct cpumask cpumask_var_t[1]; + +@@ -701,6 +706,11 @@ static inline void free_cpumask_var(cpumask_var_t mask) + static inline void free_bootmem_cpumask_var(cpumask_var_t mask) + { + } ++ ++static inline bool cpumask_available(cpumask_var_t mask) ++{ ++ return true; ++} + #endif /* CONFIG_CPUMASK_OFFSTACK */ + + /* It's common to want to use cpu_all_mask in struct member initializers, +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 176b43670e5d..123852d873fa 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -793,7 +793,7 @@ extern int hidinput_connect(struct hid_device *hid, unsigned int force); + extern void hidinput_disconnect(struct hid_device *); + + int hid_set_field(struct hid_field *, unsigned, __s32); +-int hid_input_report(struct hid_device *, int type, u8 *, int, int); ++int hid_input_report(struct hid_device *, int type, u8 *, u32, int); + int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field); + struct hid_field *hidinput_get_led_field(struct hid_device *hid); + unsigned int hidinput_count_leds(struct hid_device *hid); +@@ -1096,13 +1096,13 @@ static inline void hid_hw_wait(struct hid_device *hdev) + * + * @report: the report we want to know the length + */ +-static inline int hid_report_len(struct hid_report *report) ++static inline u32 hid_report_len(struct hid_report *report) + { + /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ + return ((report->size - 1) >> 3) + 1 + (report->id > 0); + } + +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + int interrupt); + + /* HID quirks API */ +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 99de81a5a4c6..adbf5b313ff8 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -585,7 +585,7 @@ static inline bool skb_vlan_tagged(const struct sk_buff *skb) + * Returns true if the skb is tagged with multiple vlan headers, regardless + * of whether it is hardware accelerated or not. + */ +-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb) ++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb) + { + __be16 protocol = skb->protocol; + +@@ -596,6 +596,9 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb) + protocol != htons(ETH_P_8021AD))) + return false; + ++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN))) ++ return false; ++ + veh = (struct vlan_ethhdr *)skb->data; + protocol = veh->h_vlan_encapsulated_proto; + } +@@ -613,7 +616,7 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb) + * + * Returns features without unsafe ones if the skb has multiple tags. + */ +-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb, ++static inline netdev_features_t vlan_features_check(struct sk_buff *skb, + netdev_features_t features) + { + if (skb_vlan_tagged_multi(skb)) { +diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h +index c367cbdf73ab..443dd702537f 100644 +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -1,6 +1,7 @@ + #ifndef _LINUX_JIFFIES_H + #define _LINUX_JIFFIES_H + ++#include <linux/cache.h> + #include <linux/math64.h> + #include <linux/kernel.h> + #include <linux/types.h> +@@ -62,19 +63,17 @@ extern int register_refined_jiffies(long clock_tick_rate); + /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */ + #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ) + +-/* some arch's have a small-data section that can be accessed register-relative +- * but that can only take up to, say, 4-byte variables. jiffies being part of +- * an 8-byte variable may not be correctly accessed unless we force the issue +- */ +-#define __jiffy_data __attribute__((section(".data"))) ++#ifndef __jiffy_arch_data ++#define __jiffy_arch_data ++#endif + + /* + * The 64-bit value is not atomic - you MUST NOT read it + * without sampling the sequence number in jiffies_lock. + * get_jiffies_64() will do this for you as appropriate. + */ +-extern u64 __jiffy_data jiffies_64; +-extern unsigned long volatile __jiffy_data jiffies; ++extern u64 __cacheline_aligned_in_smp jiffies_64; ++extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies; + + #if (BITS_PER_LONG < 64) + u64 get_jiffies_64(void); +diff --git a/include/linux/llist.h b/include/linux/llist.h +index fbf10a0bc095..4d86a9d273b3 100644 +--- a/include/linux/llist.h ++++ b/include/linux/llist.h +@@ -87,6 +87,23 @@ static inline void init_llist_head(struct llist_head *list) + #define llist_entry(ptr, type, member) \ + container_of(ptr, type, member) + ++/** ++ * member_address_is_nonnull - check whether the member address is not NULL ++ * @ptr: the object pointer (struct type * that contains the llist_node) ++ * @member: the name of the llist_node within the struct. ++ * ++ * This macro is conceptually the same as ++ * &ptr->member != NULL ++ * but it works around the fact that compilers can decide that taking a member ++ * address is never a NULL pointer. ++ * ++ * Real objects that start at a high address and have a member at NULL are ++ * unlikely to exist, but such pointers may be returned e.g. by the ++ * container_of() macro. ++ */ ++#define member_address_is_nonnull(ptr, member) \ ++ ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0) ++ + /** + * llist_for_each - iterate over some deleted entries of a lock-less list + * @pos: the &struct llist_node to use as a loop cursor +@@ -121,7 +138,7 @@ static inline void init_llist_head(struct llist_head *list) + */ + #define llist_for_each_entry(pos, node, member) \ + for ((pos) = llist_entry((node), typeof(*(pos)), member); \ +- &(pos)->member != NULL; \ ++ member_address_is_nonnull(pos, member); \ + (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member)) + + /** +@@ -143,7 +160,7 @@ static inline void init_llist_head(struct llist_head *list) + */ + #define llist_for_each_entry_safe(pos, n, node, member) \ + for (pos = llist_entry((node), typeof(*pos), member); \ +- &pos->member != NULL && \ ++ member_address_is_nonnull(pos, member) && \ + (n = llist_entry(pos->member.next, typeof(*n), member), true); \ + pos = n) + +diff --git a/include/linux/mlx4/qp.h b/include/linux/mlx4/qp.h +index 6fed539e5456..066818f0a0ac 100644 +--- a/include/linux/mlx4/qp.h ++++ b/include/linux/mlx4/qp.h +@@ -450,6 +450,7 @@ struct mlx4_update_qp_params { + u16 rate_val; + }; + ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn); + int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn, + enum mlx4_update_qp_attr attr, + struct mlx4_update_qp_params *params); +diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h +index b63fa457febd..3529683f691e 100644 +--- a/include/linux/mtd/flashchip.h ++++ b/include/linux/mtd/flashchip.h +@@ -85,6 +85,7 @@ struct flchip { + unsigned int write_suspended:1; + unsigned int erase_suspended:1; + unsigned long in_progress_block_addr; ++ unsigned long in_progress_block_mask; + + struct mutex mutex; + wait_queue_head_t wq; /* Wait on here when we're waiting for the chip +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index cc615e273f80..b95f00cb6219 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -247,6 +247,8 @@ unsigned int *xt_alloc_entry_offsets(unsigned int size); + bool xt_find_jump_offset(const unsigned int *offsets, + unsigned int target, unsigned int size); + ++int xt_check_proc_name(const char *name, unsigned int size); ++ + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h +index 30a8f531236c..2629fc3e24e0 100644 +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -146,7 +146,7 @@ static inline int page_cache_get_speculative(struct page *page) + + #ifdef CONFIG_TINY_RCU + # ifdef CONFIG_PREEMPT_COUNT +- VM_BUG_ON(!in_atomic()); ++ VM_BUG_ON(!in_atomic() && !irqs_disabled()); + # endif + /* + * Preempt must be disabled here - we rely on rcu_read_lock doing +@@ -184,7 +184,7 @@ static inline int page_cache_add_speculative(struct page *page, int count) + + #if !defined(CONFIG_SMP) && defined(CONFIG_TREE_RCU) + # ifdef CONFIG_PREEMPT_COUNT +- VM_BUG_ON(!in_atomic()); ++ VM_BUG_ON(!in_atomic() && !irqs_disabled()); + # endif + VM_BUG_ON_PAGE(page_count(page) == 0, page); + atomic_add(count, &page->_count); +diff --git a/include/linux/platform_data/isl9305.h b/include/linux/platform_data/isl9305.h +index 1419133fa69e..4ac1a070af0a 100644 +--- a/include/linux/platform_data/isl9305.h ++++ b/include/linux/platform_data/isl9305.h +@@ -24,7 +24,7 @@ + struct regulator_init_data; + + struct isl9305_pdata { +- struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR]; ++ struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR + 1]; + }; + + #endif +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 495ad8fbe240..30fb6495315b 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -847,10 +847,10 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, + unsigned int headroom); + struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom, + int newtailroom, gfp_t priority); +-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, +- int offset, int len); +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, +- int len); ++int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, ++ int offset, int len); ++int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, ++ int offset, int len); + int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer); + int skb_pad(struct sk_buff *skb, int pad); + #define dev_kfree_skb(a) consume_skb(a) +diff --git a/include/linux/tty.h b/include/linux/tty.h +index 52baf4089bd2..0d56f919bda3 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -343,6 +343,7 @@ struct tty_file_private { + #define TTY_PTY_LOCK 16 /* pty private */ + #define TTY_NO_WRITE_SPLIT 17 /* Preserve write boundaries to driver */ + #define TTY_HUPPED 18 /* Post driver->hangup() */ ++#define TTY_HUPPING 19 /* Hangup in progress */ + #define TTY_LDISC_HALTED 22 /* Line discipline is halted */ + + #define TTY_WRITE_FLUSH(tty) tty_write_flush((tty)) +@@ -581,7 +582,7 @@ extern int tty_unregister_ldisc(int disc); + extern int tty_set_ldisc(struct tty_struct *tty, int ldisc); + extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty); + extern void tty_ldisc_release(struct tty_struct *tty); +-extern void tty_ldisc_init(struct tty_struct *tty); ++extern int __must_check tty_ldisc_init(struct tty_struct *tty); + extern void tty_ldisc_deinit(struct tty_struct *tty); + extern void tty_ldisc_begin(void); + +diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h +index 4f3dfb7d0654..96a8870e38fe 100644 +--- a/include/linux/usb/gadget.h ++++ b/include/linux/usb/gadget.h +@@ -585,9 +585,21 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev) + list_for_each_entry(tmp, &(gadget)->ep_list, ep_list) + + ++/** ++ * usb_ep_align - returns @len aligned to ep's maxpacketsize. ++ * @ep: the endpoint whose maxpacketsize is used to align @len ++ * @len: buffer size's length to align to @ep's maxpacketsize ++ * ++ * This helper is used to align buffer's size to an ep's maxpacketsize. ++ */ ++static inline size_t usb_ep_align(struct usb_ep *ep, size_t len) ++{ ++ return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize)); ++} ++ + /** + * usb_ep_align_maybe - returns @len aligned to ep's maxpacketsize if gadget +- * requires quirk_ep_out_aligned_size, otherwise reguens len. ++ * requires quirk_ep_out_aligned_size, otherwise returns len. + * @g: controller to check for quirk + * @ep: the endpoint whose maxpacketsize is used to align @len + * @len: buffer size's length to align to @ep's maxpacketsize +@@ -598,8 +610,7 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev) + static inline size_t + usb_ep_align_maybe(struct usb_gadget *g, struct usb_ep *ep, size_t len) + { +- return !g->quirk_ep_out_aligned_size ? len : +- round_up(len, (size_t)ep->desc->wMaxPacketSize); ++ return g->quirk_ep_out_aligned_size ? usb_ep_align(ep, len) : len; + } + + /** +diff --git a/include/linux/virtio.h b/include/linux/virtio.h +index 8f4d4bfa6d46..d7844d215381 100644 +--- a/include/linux/virtio.h ++++ b/include/linux/virtio.h +@@ -124,6 +124,9 @@ int virtio_device_freeze(struct virtio_device *dev); + int virtio_device_restore(struct virtio_device *dev); + #endif + ++#define virtio_device_for_each_vq(vdev, vq) \ ++ list_for_each_entry(vq, &vdev->vqs, list) ++ + /** + * virtio_driver - operations for a virtio I/O driver + * @driver: underlying device driver (populate name and owner). +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index f8d6813cd5b2..0cd8002cdddd 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -929,9 +929,9 @@ enum rate_info_flags { + * @RATE_INFO_BW_160: 160 MHz bandwidth + */ + enum rate_info_bw { ++ RATE_INFO_BW_20 = 0, + RATE_INFO_BW_5, + RATE_INFO_BW_10, +- RATE_INFO_BW_20, + RATE_INFO_BW_40, + RATE_INFO_BW_80, + RATE_INFO_BW_160, +diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h +index 7682cb2ae237..378238f50208 100644 +--- a/include/net/inet_timewait_sock.h ++++ b/include/net/inet_timewait_sock.h +@@ -55,6 +55,7 @@ struct inet_timewait_sock { + #define tw_family __tw_common.skc_family + #define tw_state __tw_common.skc_state + #define tw_reuse __tw_common.skc_reuse ++#define tw_reuseport __tw_common.skc_reuseport + #define tw_ipv6only __tw_common.skc_ipv6only + #define tw_bound_dev_if __tw_common.skc_bound_dev_if + #define tw_node __tw_common.skc_nulls_node +diff --git a/include/net/nexthop.h b/include/net/nexthop.h +index 3334dbfa5aa4..7fc78663ec9d 100644 +--- a/include/net/nexthop.h ++++ b/include/net/nexthop.h +@@ -6,7 +6,7 @@ + + static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) + { +- return remaining >= sizeof(*rtnh) && ++ return remaining >= (int)sizeof(*rtnh) && + rtnh->rtnh_len >= sizeof(*rtnh) && + rtnh->rtnh_len <= remaining; + } +diff --git a/include/net/slhc_vj.h b/include/net/slhc_vj.h +index 8716d5942b65..8fcf8908a694 100644 +--- a/include/net/slhc_vj.h ++++ b/include/net/slhc_vj.h +@@ -127,6 +127,7 @@ typedef __u32 int32; + */ + struct cstate { + byte_t cs_this; /* connection id number (xmit) */ ++ bool initialized; /* true if initialized */ + struct cstate *next; /* next in ring (xmit) */ + struct iphdr cs_ip; /* ip/tcp hdr from most recent packet */ + struct tcphdr cs_tcp; +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 966d229d4482..dc542603d0f1 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1123,9 +1123,11 @@ void tcp_select_initial_window(int __space, __u32 mss, __u32 *rcv_wnd, + + static inline int tcp_win_from_space(int space) + { +- return sysctl_tcp_adv_win_scale<=0 ? +- (space>>(-sysctl_tcp_adv_win_scale)) : +- space - (space>>sysctl_tcp_adv_win_scale); ++ int tcp_adv_win_scale = sysctl_tcp_adv_win_scale; ++ ++ return tcp_adv_win_scale <= 0 ? ++ (space>>(-tcp_adv_win_scale)) : ++ space - (space>>tcp_adv_win_scale); + } + + /* Note: caller must be prepared to deal with negative returns */ +diff --git a/include/net/x25.h b/include/net/x25.h +index c383aa4edbf0..6d30a01d281d 100644 +--- a/include/net/x25.h ++++ b/include/net/x25.h +@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *); + + /* sysctl_net_x25.c */ + #ifdef CONFIG_SYSCTL +-void x25_register_sysctl(void); ++int x25_register_sysctl(void); + void x25_unregister_sysctl(void); + #else +-static inline void x25_register_sysctl(void) {}; ++static inline int x25_register_sysctl(void) { return 0; }; + static inline void x25_unregister_sysctl(void) {}; + #endif /* CONFIG_SYSCTL */ + +diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h +index e6796dc8c764..561b0ca8cb19 100644 +--- a/include/rdma/ib_addr.h ++++ b/include/rdma/ib_addr.h +@@ -109,6 +109,8 @@ int rdma_copy_addr(struct rdma_dev_addr *dev_addr, struct net_device *dev, + const unsigned char *dst_dev_addr); + + int rdma_addr_size(struct sockaddr *addr); ++int rdma_addr_size_in6(struct sockaddr_in6 *addr); ++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr); + + int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id); + int rdma_addr_find_dmac_by_grh(union ib_gid *sgid, union ib_gid *dgid, u8 *smac, +diff --git a/include/sound/control.h b/include/sound/control.h +index 95aad6d3fd1a..8e752793b94a 100644 +--- a/include/sound/control.h ++++ b/include/sound/control.h +@@ -22,6 +22,7 @@ + * + */ + ++#include <linux/nospec.h> + #include <sound/asound.h> + + #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data) +@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type); + + static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) + { +- return id->numid - kctl->id.numid; ++ unsigned int ioff = id->numid - kctl->id.numid; ++ return array_index_nospec(ioff, kctl->count); + } + + static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) + { +- return id->index - kctl->id.index; ++ unsigned int ioff = id->index - kctl->id.index; ++ return array_index_nospec(ioff, kctl->count); + } + + static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) +diff --git a/include/sound/pcm_oss.h b/include/sound/pcm_oss.h +index 760c969d885d..12bbf8c81112 100644 +--- a/include/sound/pcm_oss.h ++++ b/include/sound/pcm_oss.h +@@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime { + char *buffer; /* vmallocated period */ + size_t buffer_used; /* used length from period buffer */ + struct mutex params_lock; ++ atomic_t rw_ref; /* concurrent read/write accesses */ + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + struct snd_pcm_plugin *plugin_first; + struct snd_pcm_plugin *plugin_last; +diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h +index 413417f3707b..7aa8cbc23b28 100644 +--- a/include/uapi/linux/pci_regs.h ++++ b/include/uapi/linux/pci_regs.h +@@ -106,7 +106,7 @@ + #define PCI_SUBSYSTEM_ID 0x2e + #define PCI_ROM_ADDRESS 0x30 /* Bits 31..11 are address, 10..1 reserved */ + #define PCI_ROM_ADDRESS_ENABLE 0x01 +-#define PCI_ROM_ADDRESS_MASK (~0x7ffUL) ++#define PCI_ROM_ADDRESS_MASK (~0x7ffU) + + #define PCI_CAPABILITY_LIST 0x34 /* Offset of first capability list entry */ + +diff --git a/include/uapi/linux/usb/audio.h b/include/uapi/linux/usb/audio.h +index d2314be4f0c0..19f9dc2c06f6 100644 +--- a/include/uapi/linux/usb/audio.h ++++ b/include/uapi/linux/usb/audio.h +@@ -369,7 +369,7 @@ static inline __u8 uac_processing_unit_bControlSize(struct uac_processing_unit_d + { + return (protocol == UAC_VERSION_1) ? + desc->baSourceID[desc->bNrInPins + 4] : +- desc->baSourceID[desc->bNrInPins + 6]; ++ 2; /* in UAC2, this value is constant */ + } + + static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_descriptor *desc, +@@ -377,7 +377,7 @@ static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_de + { + return (protocol == UAC_VERSION_1) ? + &desc->baSourceID[desc->bNrInPins + 5] : +- &desc->baSourceID[desc->bNrInPins + 7]; ++ &desc->baSourceID[desc->bNrInPins + 6]; + } + + static inline __u8 uac_processing_unit_iProcessing(struct uac_processing_unit_descriptor *desc, +diff --git a/ipc/shm.c b/ipc/shm.c +index c2384d0e4fa6..aa3090ddc9eb 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -198,6 +198,12 @@ static int __shm_open(struct vm_area_struct *vma) + if (IS_ERR(shp)) + return PTR_ERR(shp); + ++ if (shp->shm_file != sfd->file) { ++ /* ID was reused */ ++ shm_unlock(shp); ++ return -EINVAL; ++ } ++ + shp->shm_atim = get_seconds(); + shp->shm_lprid = task_tgid_vnr(current); + shp->shm_nattch++; +@@ -414,8 +420,9 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma) + int ret; + + /* +- * In case of remap_file_pages() emulation, the file can represent +- * removed IPC ID: propogate shm_lock() error to caller. ++ * In case of remap_file_pages() emulation, the file can represent an ++ * IPC ID that was removed, and possibly even reused by another shm ++ * segment already. Propagate this case as an error to caller. + */ + ret =__shm_open(vma); + if (ret) +@@ -439,6 +446,7 @@ static int shm_release(struct inode *ino, struct file *file) + struct shm_file_data *sfd = shm_file_data(file); + + put_ipc_ns(sfd->ns); ++ fput(sfd->file); + shm_file_data(file) = NULL; + kfree(sfd); + return 0; +@@ -1198,7 +1206,16 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, + file->f_mapping = shp->shm_file->f_mapping; + sfd->id = shp->shm_perm.id; + sfd->ns = get_ipc_ns(ns); +- sfd->file = shp->shm_file; ++ /* ++ * We need to take a reference to the real shm file to prevent the ++ * pointer from becoming stale in cases where the lifetime of the outer ++ * file extends beyond that of the shm segment. It's not usually ++ * possible, but it can happen during remap_file_pages() emulation as ++ * that unmaps the memory, then does ->mmap() via file reference only. ++ * We'll deny the ->mmap() if the shm segment was since removed, but to ++ * detect shm ID reuse we need to compare the file pointers. ++ */ ++ sfd->file = get_file(shp->shm_file); + sfd->vm_ops = NULL; + + err = security_mmap_file(file, prot, flags); +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index 1c1b8ab34037..6c1783bff424 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -75,7 +75,7 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key) + static int array_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + { + struct bpf_array *array = container_of(map, struct bpf_array, map); +- u32 index = *(u32 *)key; ++ u32 index = key ? *(u32 *)key : U32_MAX; + u32 *next = (u32 *)next_key; + + if (index >= array->map.max_entries) { +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 83c209d9b17a..ef7173e82179 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -149,12 +149,15 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + struct hlist_head *head; + struct htab_elem *l, *next_l; + u32 hash, key_size; +- int i; ++ int i = 0; + + WARN_ON_ONCE(!rcu_read_lock_held()); + + key_size = map->key_size; + ++ if (!key) ++ goto find_first_elem; ++ + hash = htab_map_hash(key, key_size); + + head = select_bucket(htab, hash); +@@ -162,10 +165,8 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + /* lookup the key */ + l = lookup_elem_raw(head, hash, key, key_size); + +- if (!l) { +- i = 0; ++ if (!l) + goto find_first_elem; +- } + + /* key was found, get next key in the same bucket */ + next_l = hlist_entry_safe(rcu_dereference_raw(hlist_next_rcu(&l->hash_node)), +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 3bae6c591914..0fcb43cb2006 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -311,14 +311,18 @@ static int map_get_next_key(union bpf_attr *attr) + if (IS_ERR(map)) + return PTR_ERR(map); + +- err = -ENOMEM; +- key = kmalloc(map->key_size, GFP_USER); +- if (!key) +- goto err_put; +- +- err = -EFAULT; +- if (copy_from_user(key, ukey, map->key_size) != 0) +- goto free_key; ++ if (ukey) { ++ err = -ENOMEM; ++ key = kmalloc(map->key_size, GFP_USER); ++ if (!key) ++ goto err_put; ++ ++ err = -EFAULT; ++ if (copy_from_user(key, ukey, map->key_size) != 0) ++ goto free_key; ++ } else { ++ key = NULL; ++ } + + err = -ENOMEM; + next_key = kmalloc(map->key_size, GFP_USER); +diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c +index d659487254d5..d37acf86037a 100644 +--- a/kernel/events/callchain.c ++++ b/kernel/events/callchain.c +@@ -107,14 +107,8 @@ int get_callchain_buffers(void) + goto exit; + } + +- if (count > 1) { +- /* If the allocation failed, give up */ +- if (!callchain_cpus_entries) +- err = -ENOMEM; +- goto exit; +- } +- +- err = alloc_callchain_buffers(); ++ if (count == 1) ++ err = alloc_callchain_buffers(); + exit: + if (err) + atomic_dec(&nr_callchain_events); +diff --git a/kernel/events/core.c b/kernel/events/core.c +index e5553bdaf6c2..c6e653201737 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5107,9 +5107,6 @@ static void perf_output_read_one(struct perf_output_handle *handle, + __output_copy(handle, values, n * sizeof(u64)); + } + +-/* +- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult. +- */ + static void perf_output_read_group(struct perf_output_handle *handle, + struct perf_event *event, + u64 enabled, u64 running) +@@ -5154,6 +5151,13 @@ static void perf_output_read_group(struct perf_output_handle *handle, + #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\ + PERF_FORMAT_TOTAL_TIME_RUNNING) + ++/* ++ * XXX PERF_SAMPLE_READ vs inherited events seems difficult. ++ * ++ * The problem is that its both hard and excessively expensive to iterate the ++ * child list, not to mention that its impossible to IPI the children running ++ * on another CPU, from interrupt/NMI context. ++ */ + static void perf_output_read(struct perf_output_handle *handle, + struct perf_event *event) + { +@@ -7630,9 +7634,10 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, + local64_set(&hwc->period_left, hwc->sample_period); + + /* +- * we currently do not support PERF_FORMAT_GROUP on inherited events ++ * We currently do not support PERF_SAMPLE_READ on inherited events. ++ * See perf_output_read(). + */ +- if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP)) ++ if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ)) + goto err_ns; + + if (!has_branch_stack(event)) +@@ -7800,9 +7805,9 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr, + * __u16 sample size limit. + */ + if (attr->sample_stack_user >= USHRT_MAX) +- ret = -EINVAL; ++ return -EINVAL; + else if (!IS_ALIGNED(attr->sample_stack_user, sizeof(u64))) +- ret = -EINVAL; ++ return -EINVAL; + } + + if (attr->sample_type & PERF_SAMPLE_REGS_INTR) +diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c +index 92ce5f4ccc26..a27245fdcd81 100644 +--- a/kernel/events/hw_breakpoint.c ++++ b/kernel/events/hw_breakpoint.c +@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_breakpoint); + * modify_user_hw_breakpoint - modify a user-space hardware breakpoint + * @bp: the breakpoint structure to modify + * @attr: new breakpoint attributes +- * @triggered: callback to trigger when we hit the breakpoint +- * @tsk: pointer to 'task_struct' of the process to which the address belongs + */ + int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr) + { +- u64 old_addr = bp->attr.bp_addr; +- u64 old_len = bp->attr.bp_len; +- int old_type = bp->attr.bp_type; +- int err = 0; +- + /* + * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it + * will not be possible to raise IPIs that invoke __perf_event_disable. +@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *att + bp->attr.bp_addr = attr->bp_addr; + bp->attr.bp_type = attr->bp_type; + bp->attr.bp_len = attr->bp_len; ++ bp->attr.disabled = 1; + +- if (attr->disabled) +- goto end; +- +- err = validate_hw_breakpoint(bp); +- if (!err) +- perf_event_enable(bp); ++ if (!attr->disabled) { ++ int err = validate_hw_breakpoint(bp); + +- if (err) { +- bp->attr.bp_addr = old_addr; +- bp->attr.bp_type = old_type; +- bp->attr.bp_len = old_len; +- if (!bp->attr.disabled) +- perf_event_enable(bp); ++ if (err) ++ return err; + +- return err; ++ perf_event_enable(bp); ++ bp->attr.disabled = 0; + } + +-end: +- bp->attr.disabled = attr->disabled; +- + return 0; + } + EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint); +diff --git a/kernel/futex.c b/kernel/futex.c +index 4195616b27d9..8944e397cd47 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -400,6 +400,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) + unsigned long address = (unsigned long)uaddr; + struct mm_struct *mm = current->mm; + struct page *page, *page_head; ++ struct address_space *mapping; + int err, ro = 0; + + /* +@@ -478,7 +479,19 @@ again: + } + #endif + +- lock_page(page_head); ++ /* ++ * The treatment of mapping from this point on is critical. The page ++ * lock protects many things but in this context the page lock ++ * stabilizes mapping, prevents inode freeing in the shared ++ * file-backed region case and guards against movement to swap cache. ++ * ++ * Strictly speaking the page lock is not needed in all cases being ++ * considered here and page lock forces unnecessarily serialization ++ * From this point on, mapping will be re-verified if necessary and ++ * page lock will be acquired only if it is unavoidable ++ */ ++ ++ mapping = READ_ONCE(page_head->mapping); + + /* + * If page_head->mapping is NULL, then it cannot be a PageAnon +@@ -495,18 +508,31 @@ again: + * shmem_writepage move it from filecache to swapcache beneath us: + * an unlikely race, but we do need to retry for page_head->mapping. + */ +- if (!page_head->mapping) { +- int shmem_swizzled = PageSwapCache(page_head); ++ if (unlikely(!mapping)) { ++ int shmem_swizzled; ++ ++ /* ++ * Page lock is required to identify which special case above ++ * applies. If this is really a shmem page then the page lock ++ * will prevent unexpected transitions. ++ */ ++ lock_page(page); ++ shmem_swizzled = PageSwapCache(page) || page->mapping; + unlock_page(page_head); + put_page(page_head); ++ + if (shmem_swizzled) + goto again; ++ + return -EFAULT; + } + + /* + * Private mappings are handled in a simple way. + * ++ * If the futex key is stored on an anonymous page, then the associated ++ * object is the mm which is implicitly pinned by the calling process. ++ * + * NOTE: When userspace waits on a MAP_SHARED mapping, even if + * it's a read-only handle, it's expected that futexes attach to + * the object not the particular process. +@@ -524,16 +550,74 @@ again: + key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */ + key->private.mm = mm; + key->private.address = address; ++ ++ get_futex_key_refs(key); /* implies smp_mb(); (B) */ ++ + } else { ++ struct inode *inode; ++ ++ /* ++ * The associated futex object in this case is the inode and ++ * the page->mapping must be traversed. Ordinarily this should ++ * be stabilised under page lock but it's not strictly ++ * necessary in this case as we just want to pin the inode, not ++ * update the radix tree or anything like that. ++ * ++ * The RCU read lock is taken as the inode is finally freed ++ * under RCU. If the mapping still matches expectations then the ++ * mapping->host can be safely accessed as being a valid inode. ++ */ ++ rcu_read_lock(); ++ ++ if (READ_ONCE(page_head->mapping) != mapping) { ++ rcu_read_unlock(); ++ put_page(page_head); ++ ++ goto again; ++ } ++ ++ inode = READ_ONCE(mapping->host); ++ if (!inode) { ++ rcu_read_unlock(); ++ put_page(page_head); ++ ++ goto again; ++ } ++ ++ /* ++ * Take a reference unless it is about to be freed. Previously ++ * this reference was taken by ihold under the page lock ++ * pinning the inode in place so i_lock was unnecessary. The ++ * only way for this check to fail is if the inode was ++ * truncated in parallel so warn for now if this happens. ++ * ++ * We are not calling into get_futex_key_refs() in file-backed ++ * cases, therefore a successful atomic_inc return below will ++ * guarantee that get_futex_key() will still imply smp_mb(); (B). ++ */ ++ if (WARN_ON_ONCE(!atomic_inc_not_zero(&inode->i_count))) { ++ rcu_read_unlock(); ++ put_page(page_head); ++ ++ goto again; ++ } ++ ++ /* Should be impossible but lets be paranoid for now */ ++ if (WARN_ON_ONCE(inode->i_mapping != mapping)) { ++ err = -EFAULT; ++ rcu_read_unlock(); ++ iput(inode); ++ ++ goto out; ++ } ++ + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ +- key->shared.inode = page_head->mapping->host; ++ key->shared.inode = inode; + key->shared.pgoff = basepage_index(page); ++ rcu_read_unlock(); + } + +- get_futex_key_refs(key); /* implies MB (B) */ +- + out: +- unlock_page(page_head); + put_page(page_head); + return err; + } +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index f4b1f0a1dba5..76c9d6f62458 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -1095,8 +1095,10 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new) + * set the trigger type must match. Also all must + * agree on ONESHOT. + */ ++ unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data); ++ + if (!((old->flags & new->flags) & IRQF_SHARED) || +- ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) || ++ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) || + ((old->flags ^ new->flags) & IRQF_ONESHOT)) + goto mismatch; + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 7dd73a3059b8..04486d8e5809 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -125,7 +125,7 @@ static void *alloc_insn_page(void) + return module_alloc(PAGE_SIZE); + } + +-static void free_insn_page(void *page) ++void __weak free_insn_page(void *page) + { + module_memfree(page); + } +diff --git a/kernel/pid.c b/kernel/pid.c +index 4fd07d5b7baf..365281244acc 100644 +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -322,8 +322,10 @@ struct pid *alloc_pid(struct pid_namespace *ns) + } + + if (unlikely(is_child_reaper(pid))) { +- if (pid_ns_prepare_proc(ns)) ++ if (pid_ns_prepare_proc(ns)) { ++ disable_pid_allocation(ns); + goto out_free; ++ } + } + + get_pid_ns(ns); +diff --git a/kernel/printk/braille.c b/kernel/printk/braille.c +index 276762f3a460..e035876af5e2 100644 +--- a/kernel/printk/braille.c ++++ b/kernel/printk/braille.c +@@ -2,12 +2,13 @@ + + #include <linux/kernel.h> + #include <linux/console.h> ++#include <linux/errno.h> + #include <linux/string.h> + + #include "console_cmdline.h" + #include "braille.h" + +-char *_braille_console_setup(char **str, char **brl_options) ++int _braille_console_setup(char **str, char **brl_options) + { + if (!memcmp(*str, "brl,", 4)) { + *brl_options = ""; +@@ -15,14 +16,14 @@ char *_braille_console_setup(char **str, char **brl_options) + } else if (!memcmp(str, "brl=", 4)) { + *brl_options = *str + 4; + *str = strchr(*brl_options, ','); +- if (!*str) ++ if (!*str) { + pr_err("need port name after brl=\n"); +- else +- *((*str)++) = 0; +- } else +- return NULL; ++ return -EINVAL; ++ } ++ *((*str)++) = 0; ++ } + +- return *str; ++ return 0; + } + + int +diff --git a/kernel/printk/braille.h b/kernel/printk/braille.h +index 769d771145c8..749a6756843a 100644 +--- a/kernel/printk/braille.h ++++ b/kernel/printk/braille.h +@@ -9,7 +9,14 @@ braille_set_options(struct console_cmdline *c, char *brl_options) + c->brl_options = brl_options; + } + +-char * ++/* ++ * Setup console according to braille options. ++ * Return -EINVAL on syntax error, 0 on success (or no braille option was ++ * actually given). ++ * Modifies str to point to the serial options ++ * Sets brl_options to the parsed braille options. ++ */ ++int + _braille_console_setup(char **str, char **brl_options); + + int +@@ -25,10 +32,10 @@ braille_set_options(struct console_cmdline *c, char *brl_options) + { + } + +-static inline char * ++static inline int + _braille_console_setup(char **str, char **brl_options) + { +- return NULL; ++ return 0; + } + + static inline int +diff --git a/kernel/resource.c b/kernel/resource.c +index cbf725c24c3b..39ee5aeaf1e3 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -600,7 +600,8 @@ static int __find_resource(struct resource *root, struct resource *old, + alloc.start = constraint->alignf(constraint->alignf_data, &avail, + size, constraint->align); + alloc.end = alloc.start + size - 1; +- if (resource_contains(&avail, &alloc)) { ++ if (alloc.start <= alloc.end && ++ resource_contains(&avail, &alloc)) { + new->start = alloc.start; + new->end = alloc.end; + return 0; +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 9c905bd94ff0..5e7608c5b9ec 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -578,7 +578,8 @@ void resched_cpu(int cpu) + unsigned long flags; + + raw_spin_lock_irqsave(&rq->lock, flags); +- resched_curr(rq); ++ if (cpu_online(cpu) || cpu == smp_processor_id()) ++ resched_curr(rq); + raw_spin_unlock_irqrestore(&rq->lock, flags); + } + +diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c +index a26036d37a38..382b159d8592 100644 +--- a/kernel/time/sched_clock.c ++++ b/kernel/time/sched_clock.c +@@ -205,6 +205,11 @@ sched_clock_register(u64 (*read)(void), int bits, unsigned long rate) + + update_clock_read_data(&rd); + ++ if (sched_clock_timer.function != NULL) { ++ /* update timeout for clock wrap */ ++ hrtimer_start(&sched_clock_timer, cd.wrap_kt, HRTIMER_MODE_REL); ++ } ++ + r = rate; + if (r >= 4000000) { + r /= 1000000; +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c +index e878c2e0ba45..e81d45097d05 100644 +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -16,6 +16,7 @@ + #include <linux/sched.h> + #include <linux/seq_file.h> + #include <linux/kallsyms.h> ++#include <linux/nmi.h> + + #include <asm/uaccess.h> + +@@ -91,6 +92,9 @@ print_active_timers(struct seq_file *m, struct hrtimer_clock_base *base, + + next_one: + i = 0; ++ ++ touch_nmi_watchdog(); ++ + raw_spin_lock_irqsave(&base->cpu_base->lock, flags); + + curr = timerqueue_getnext(&base->active); +@@ -202,6 +206,8 @@ print_tickdevice(struct seq_file *m, struct tick_device *td, int cpu) + { + struct clock_event_device *dev = td->evtdev; + ++ touch_nmi_watchdog(); ++ + SEQ_printf(m, "Tick Device: mode: %d\n", td->mode); + if (cpu < 0) + SEQ_printf(m, "Broadcast device\n"); +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 9a4aee1d3345..2bdb78ab3bd2 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -611,7 +611,7 @@ static int create_trace_kprobe(int argc, char **argv) + bool is_return = false, is_delete = false; + char *symbol = NULL, *event = NULL, *group = NULL; + char *arg; +- unsigned long offset = 0; ++ long offset = 0; + void *addr = NULL; + char buf[MAX_EVENT_NAME_LEN]; + +@@ -679,7 +679,7 @@ static int create_trace_kprobe(int argc, char **argv) + symbol = argv[1]; + /* TODO: support .init module functions */ + ret = traceprobe_split_symbol_offset(symbol, &offset); +- if (ret) { ++ if (ret || offset < 0 || offset > UINT_MAX) { + pr_info("Failed to parse either an address or a symbol.\n"); + return ret; + } +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 1769a81da8a7..741c00b90fdc 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -293,7 +293,7 @@ static fetch_func_t get_fetch_size_function(const struct fetch_type *type, + } + + /* Split symbol and offset. */ +-int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset) ++int traceprobe_split_symbol_offset(char *symbol, long *offset) + { + char *tmp; + int ret; +@@ -301,13 +301,11 @@ int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset) + if (!offset) + return -EINVAL; + +- tmp = strchr(symbol, '+'); ++ tmp = strpbrk(symbol, "+-"); + if (tmp) { +- /* skip sign because kstrtoul doesn't accept '+' */ +- ret = kstrtoul(tmp + 1, 0, offset); ++ ret = kstrtol(tmp, 0, offset); + if (ret) + return ret; +- + *tmp = '\0'; + } else + *offset = 0; +diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h +index ab283e146b70..80c4ff36896c 100644 +--- a/kernel/trace/trace_probe.h ++++ b/kernel/trace/trace_probe.h +@@ -335,7 +335,7 @@ extern int traceprobe_conflict_field_name(const char *name, + extern void traceprobe_update_arg(struct probe_arg *arg); + extern void traceprobe_free_probe_arg(struct probe_arg *arg); + +-extern int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset); ++extern int traceprobe_split_symbol_offset(char *symbol, long *offset); + + extern ssize_t traceprobe_probes_write(struct file *file, + const char __user *buffer, size_t count, loff_t *ppos, +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index 6dd022c7b5bc..1b11c3c21a29 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, + return; + + ret = strncpy_from_user(dst, src, maxlen); ++ if (ret == maxlen) ++ dst[--ret] = '\0'; + + if (ret < 0) { /* Failed to fetch string */ + ((u8 *)get_rloc_data(dest))[0] = '\0'; +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index 3490407dc7b7..4b12034e15b0 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -185,7 +185,7 @@ static int tracepoint_add_func(struct tracepoint *tp, + lockdep_is_held(&tracepoints_mutex)); + old = func_add(&tp_funcs, func); + if (IS_ERR(old)) { +- WARN_ON_ONCE(1); ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); + return PTR_ERR(old); + } + +@@ -218,7 +218,7 @@ static int tracepoint_remove_func(struct tracepoint *tp, + lockdep_is_held(&tracepoints_mutex)); + old = func_remove(&tp_funcs, func); + if (IS_ERR(old)) { +- WARN_ON_ONCE(1); ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); + return PTR_ERR(old); + } + +diff --git a/lib/kobject.c b/lib/kobject.c +index 3b841b97fccd..bb89e879d3a4 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj) + + /* be noisy on error issues */ + if (error == -EEXIST) +- WARN(1, "%s failed for %s with " +- "-EEXIST, don't try to register things with " +- "the same name in the same directory.\n", +- __func__, kobject_name(kobj)); ++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n", ++ __func__, kobject_name(kobj)); + else +- WARN(1, "%s failed for %s (error: %d parent: %s)\n", +- __func__, kobject_name(kobj), error, +- parent ? kobject_name(parent) : "'none'"); ++ pr_err("%s failed for %s (error: %d parent: %s)\n", ++ __func__, kobject_name(kobj), error, ++ parent ? kobject_name(parent) : "'none'"); + } else + kobj->state_in_sysfs = 1; + +diff --git a/mm/percpu.c b/mm/percpu.c +index a40d5e04a3d1..1b95b9fdd616 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -68,6 +68,7 @@ + #include <linux/vmalloc.h> + #include <linux/workqueue.h> + #include <linux/kmemleak.h> ++#include <linux/sched.h> + + #include <asm/cacheflush.h> + #include <asm/sections.h> +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 93010f34c200..00fabb3424df 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -29,6 +29,7 @@ + #include <linux/net_tstamp.h> + #include <linux/etherdevice.h> + #include <linux/ethtool.h> ++#include <linux/phy.h> + #include <net/arp.h> + + #include "vlan.h" +@@ -559,8 +560,7 @@ static int vlan_dev_init(struct net_device *dev) + NETIF_F_HIGHDMA | NETIF_F_SCTP_CSUM | + NETIF_F_ALL_FCOE; + +- dev->features |= real_dev->vlan_features | NETIF_F_LLTX | +- NETIF_F_GSO_SOFTWARE; ++ dev->features |= dev->hw_features | NETIF_F_LLTX; + dev->gso_max_size = real_dev->gso_max_size; + if (dev->features & NETIF_F_VLAN_FEATURES) + netdev_warn(real_dev, "VLAN features are set incorrectly. Q-in-Q configurations may not work correctly.\n"); +@@ -655,8 +655,11 @@ static int vlan_ethtool_get_ts_info(struct net_device *dev, + { + const struct vlan_dev_priv *vlan = vlan_dev_priv(dev); + const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops; ++ struct phy_device *phydev = vlan->real_dev->phydev; + +- if (ops->get_ts_info) { ++ if (phydev && phydev->drv && phydev->drv->ts_info) { ++ return phydev->drv->ts_info(phydev, info); ++ } else if (ops->get_ts_info) { + return ops->get_ts_info(vlan->real_dev, info); + } else { + info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE | +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index bd3357e69c5c..1732fe952089 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1589,10 +1589,22 @@ int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, + /* if yes, the client has roamed and we have + * to unclaim it. + */ +- batadv_handle_unclaim(bat_priv, primary_if, +- primary_if->net_dev->dev_addr, +- ethhdr->h_source, vid); +- goto allow; ++ if (batadv_has_timed_out(claim->lasttime, 100)) { ++ /* only unclaim if the last claim entry is ++ * older than 100 ms to make sure we really ++ * have a roaming client here. ++ */ ++ batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Roaming client %pM detected. Unclaim it.\n", ++ ethhdr->h_source); ++ batadv_handle_unclaim(bat_priv, primary_if, ++ primary_if->net_dev->dev_addr, ++ ethhdr->h_source, vid); ++ goto allow; ++ } else { ++ batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Race for claim %pM detected. Drop packet.\n", ++ ethhdr->h_source); ++ goto handled; ++ } + } + + /* check if it is a multicast/broadcast frame */ +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index c4802f3bd4c5..e0d20501df76 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -663,6 +663,7 @@ static void hci_set_event_mask_page_2(struct hci_request *req) + { + struct hci_dev *hdev = req->hdev; + u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; ++ bool changed = false; + + /* If Connectionless Slave Broadcast master role is supported + * enable all necessary events for it. +@@ -672,6 +673,7 @@ static void hci_set_event_mask_page_2(struct hci_request *req) + events[1] |= 0x80; /* Synchronization Train Complete */ + events[2] |= 0x10; /* Slave Page Response Timeout */ + events[2] |= 0x20; /* CSB Channel Map Change */ ++ changed = true; + } + + /* If Connectionless Slave Broadcast slave role is supported +@@ -682,13 +684,24 @@ static void hci_set_event_mask_page_2(struct hci_request *req) + events[2] |= 0x02; /* CSB Receive */ + events[2] |= 0x04; /* CSB Timeout */ + events[2] |= 0x08; /* Truncated Page Complete */ ++ changed = true; + } + + /* Enable Authenticated Payload Timeout Expired event if supported */ +- if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) ++ if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) { + events[2] |= 0x80; ++ changed = true; ++ } + +- hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events); ++ /* Some Broadcom based controllers indicate support for Set Event ++ * Mask Page 2 command, but then actually do not support it. Since ++ * the default value is all bits set to zero, the command is only ++ * required if the event mask has to be changed. In case no change ++ * to the event mask is needed, skip this command. ++ */ ++ if (changed) ++ hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, ++ sizeof(events), events); + } + + static void hci_init3_req(struct hci_request *req, unsigned long opt) +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index e4b56fcb5d4e..e259b9da05f1 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2250,8 +2250,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) + else + sec_level = authreq_to_seclevel(auth); + +- if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) ++ if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) { ++ /* If link is already encrypted with sufficient security we ++ * still need refresh encryption as per Core Spec 5.0 Vol 3, ++ * Part H 2.4.6 ++ */ ++ smp_ltk_encrypt(conn, hcon->sec_level); + return 0; ++ } + + if (sec_level > hcon->pending_sec_level) + hcon->pending_sec_level = sec_level; +diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c +index 9637a681bdda..9adf16258cab 100644 +--- a/net/bridge/netfilter/ebt_among.c ++++ b/net/bridge/netfilter/ebt_among.c +@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struct ebt_mac_wormhash *w) + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); + } + ++static bool wormhash_offset_invalid(int off, unsigned int len) ++{ ++ if (off == 0) /* not present */ ++ return false; ++ ++ if (off < (int)sizeof(struct ebt_among_info) || ++ off % __alignof__(struct ebt_mac_wormhash)) ++ return true; ++ ++ off += sizeof(struct ebt_mac_wormhash); ++ ++ return off > len; ++} ++ ++static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b) ++{ ++ if (a == 0) ++ a = sizeof(struct ebt_among_info); ++ ++ return ebt_mac_wormhash_size(wh) + a == b; ++} ++ + static int ebt_among_mt_check(const struct xt_mtchk_param *par) + { + const struct ebt_among_info *info = par->matchinfo; +@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par) + if (expected_length > em->match_size) + return -EINVAL; + ++ if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) || ++ wormhash_offset_invalid(info->wh_src_ofs, em->match_size)) ++ return -EINVAL; ++ + wh_dst = ebt_among_wh_dst(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; +@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par) + if (poolsize_invalid(wh_src)) + return -EINVAL; + ++ if (info->wh_src_ofs < info->wh_dst_ofs) { ++ if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs)) ++ return -EINVAL; ++ } else { ++ if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs)) ++ return -EINVAL; ++ } ++ + expected_length += ebt_mac_wormhash_size(wh_src); + + if (em->match_size != EBT_ALIGN(expected_length)) { +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index d30864a8ed57..1e08c25c43f3 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2518,6 +2518,11 @@ static int try_write(struct ceph_connection *con) + int ret = 1; + + dout("try_write start %p state %lu\n", con, con->state); ++ if (con->state != CON_STATE_PREOPEN && ++ con->state != CON_STATE_CONNECTING && ++ con->state != CON_STATE_NEGOTIATING && ++ con->state != CON_STATE_OPEN) ++ return 0; + + more: + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes); +@@ -2543,6 +2548,8 @@ more: + } + + more_kvec: ++ BUG_ON(!con->sock); ++ + /* kvec data queued? */ + if (con->out_kvec_left) { + ret = write_partial_kvec(con); +diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c +index bc95e48d5cfb..378c9ed00d40 100644 +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -295,6 +295,7 @@ static struct crush_map *crush_decode(void *pbyval, void *end) + u32 yes; + struct crush_rule *r; + ++ err = -EINVAL; + ceph_decode_32_safe(p, end, yes, bad); + if (!yes) { + dout("crush_decode NO rule %d off %x %p to %p\n", +diff --git a/net/core/dev.c b/net/core/dev.c +index c2d927f91a30..1cbbc79b4509 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -957,7 +957,7 @@ bool dev_valid_name(const char *name) + { + if (*name == '\0') + return false; +- if (strlen(name) >= IFNAMSIZ) ++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ) + return false; + if (!strcmp(name, ".") || !strcmp(name, "..")) + return false; +@@ -2430,7 +2430,7 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth) + if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr)))) + return 0; + +- eth = (struct ethhdr *)skb_mac_header(skb); ++ eth = (struct ethhdr *)skb->data; + type = eth->h_proto; + } + +@@ -2621,7 +2621,7 @@ netdev_features_t passthru_features_check(struct sk_buff *skb, + } + EXPORT_SYMBOL(passthru_features_check); + +-static netdev_features_t dflt_features_check(const struct sk_buff *skb, ++static netdev_features_t dflt_features_check(struct sk_buff *skb, + struct net_device *dev, + netdev_features_t features) + { +diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c +index c0548d268e1a..e3e6a3e2ca22 100644 +--- a/net/core/dev_addr_lists.c ++++ b/net/core/dev_addr_lists.c +@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, + return -EINVAL; + + list_for_each_entry(ha, &list->list, list) { +- if (!memcmp(ha->addr, addr, addr_len) && +- ha->type == addr_type) { ++ if (ha->type == addr_type && ++ !memcmp(ha->addr, addr, addr_len)) { + if (global) { + /* check if addr is already used as global */ + if (ha->global_use) +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 5fd6c6e699aa..c305645b22bc 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -54,7 +54,8 @@ do { \ + static void neigh_timer_handler(unsigned long arg); + static void __neigh_notify(struct neighbour *n, int type, int flags); + static void neigh_update_notify(struct neighbour *neigh); +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev); ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, ++ struct net_device *dev); + + #ifdef CONFIG_PROC_FS + static const struct file_operations neigh_stat_seq_fops; +@@ -254,8 +255,7 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev) + { + write_lock_bh(&tbl->lock); + neigh_flush_dev(tbl, dev); +- pneigh_ifdown(tbl, dev); +- write_unlock_bh(&tbl->lock); ++ pneigh_ifdown_and_unlock(tbl, dev); + + del_timer_sync(&tbl->proxy_timer); + pneigh_queue_purge(&tbl->proxy_queue); +@@ -641,9 +641,10 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey, + return -ENOENT; + } + +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev) ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, ++ struct net_device *dev) + { +- struct pneigh_entry *n, **np; ++ struct pneigh_entry *n, **np, *freelist = NULL; + u32 h; + + for (h = 0; h <= PNEIGH_HASHMASK; h++) { +@@ -651,16 +652,23 @@ static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev) + while ((n = *np) != NULL) { + if (!dev || n->dev == dev) { + *np = n->next; +- if (tbl->pdestructor) +- tbl->pdestructor(n); +- if (n->dev) +- dev_put(n->dev); +- kfree(n); ++ n->next = freelist; ++ freelist = n; + continue; + } + np = &n->next; + } + } ++ write_unlock_bh(&tbl->lock); ++ while ((n = freelist)) { ++ freelist = n->next; ++ n->next = NULL; ++ if (tbl->pdestructor) ++ tbl->pdestructor(n); ++ if (n->dev) ++ dev_put(n->dev); ++ kfree(n); ++ } + return -ENOENT; + } + +@@ -1127,10 +1135,6 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, + lladdr = neigh->ha; + } + +- if (new & NUD_CONNECTED) +- neigh->confirmed = jiffies; +- neigh->updated = jiffies; +- + /* If entry was valid and address is not changed, + do not change entry state, if new one is STALE. + */ +@@ -1154,6 +1158,16 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, + } + } + ++ /* Update timestamps only once we know we will make a change to the ++ * neighbour entry. Otherwise we risk to move the locktime window with ++ * noop updates and ignore relevant ARP updates. ++ */ ++ if (new != old || lladdr != neigh->ha) { ++ if (new & NUD_CONNECTED) ++ neigh->confirmed = jiffies; ++ neigh->updated = jiffies; ++ } ++ + if (new != old) { + neigh_del_timer(neigh); + if (new & NUD_IN_TIMER) +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 572af0011997..9195a109ea79 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -268,6 +268,25 @@ out_undo: + goto out; + } + ++static int __net_init net_defaults_init_net(struct net *net) ++{ ++ net->core.sysctl_somaxconn = SOMAXCONN; ++ return 0; ++} ++ ++static struct pernet_operations net_defaults_ops = { ++ .init = net_defaults_init_net, ++}; ++ ++static __init int net_defaults_init(void) ++{ ++ if (register_pernet_subsys(&net_defaults_ops)) ++ panic("Cannot initialize net default settings"); ++ ++ return 0; ++} ++ ++core_initcall(net_defaults_init); + + #ifdef CONFIG_NET_NS + static struct kmem_cache *net_cachep; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 853e82075ebd..ac1436be3cf7 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -875,6 +875,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) + n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len; + n->cloned = 1; + n->nohdr = 0; ++ n->peeked = 0; + n->destructor = NULL; + C(tail); + C(end); +@@ -2587,7 +2588,8 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len) + { + int pos = skb_headlen(skb); + +- skb_shinfo(skb1)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG; ++ skb_shinfo(skb1)->tx_flags |= skb_shinfo(skb)->tx_flags & ++ SKBTX_SHARED_FRAG; + if (len < pos) /* Split line is inside header. */ + skb_split_inside_header(skb, skb1, len, pos); + else /* Second chunk has no header, nothing to copy. */ +@@ -3133,8 +3135,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, + skb_copy_from_linear_data_offset(head_skb, offset, + skb_put(nskb, hsize), hsize); + +- skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags & +- SKBTX_SHARED_FRAG; ++ skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags & ++ SKBTX_SHARED_FRAG; + + while (pos < offset + len) { + if (i >= nfrags) { +@@ -3347,24 +3349,18 @@ void __init skb_init(void) + NULL); + } + +-/** +- * skb_to_sgvec - Fill a scatter-gather list from a socket buffer +- * @skb: Socket buffer containing the buffers to be mapped +- * @sg: The scatter-gather list to map into +- * @offset: The offset into the buffer's contents to start mapping +- * @len: Length of buffer space to be mapped +- * +- * Fill the specified scatter-gather list with mappings/pointers into a +- * region of the buffer space attached to a socket buffer. +- */ + static int +-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) ++__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len, ++ unsigned int recursion_level) + { + int start = skb_headlen(skb); + int i, copy = start - offset; + struct sk_buff *frag_iter; + int elt = 0; + ++ if (unlikely(recursion_level >= 24)) ++ return -EMSGSIZE; ++ + if (copy > 0) { + if (copy > len) + copy = len; +@@ -3383,6 +3379,8 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) + end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]); + if ((copy = end - offset) > 0) { + skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; ++ if (unlikely(elt && sg_is_last(&sg[elt - 1]))) ++ return -EMSGSIZE; + + if (copy > len) + copy = len; +@@ -3397,16 +3395,22 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) + } + + skb_walk_frags(skb, frag_iter) { +- int end; ++ int end, ret; + + WARN_ON(start > offset + len); + + end = start + frag_iter->len; + if ((copy = end - offset) > 0) { ++ if (unlikely(elt && sg_is_last(&sg[elt - 1]))) ++ return -EMSGSIZE; ++ + if (copy > len) + copy = len; +- elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start, +- copy); ++ ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start, ++ copy, recursion_level + 1); ++ if (unlikely(ret < 0)) ++ return ret; ++ elt += ret; + if ((len -= copy) == 0) + return elt; + offset += copy; +@@ -3417,6 +3421,31 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) + return elt; + } + ++/** ++ * skb_to_sgvec - Fill a scatter-gather list from a socket buffer ++ * @skb: Socket buffer containing the buffers to be mapped ++ * @sg: The scatter-gather list to map into ++ * @offset: The offset into the buffer's contents to start mapping ++ * @len: Length of buffer space to be mapped ++ * ++ * Fill the specified scatter-gather list with mappings/pointers into a ++ * region of the buffer space attached to a socket buffer. Returns either ++ * the number of scatterlist items used, or -EMSGSIZE if the contents ++ * could not fit. ++ */ ++int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) ++{ ++ int nsg = __skb_to_sgvec(skb, sg, offset, len, 0); ++ ++ if (nsg <= 0) ++ return nsg; ++ ++ sg_mark_end(&sg[nsg - 1]); ++ ++ return nsg; ++} ++EXPORT_SYMBOL_GPL(skb_to_sgvec); ++ + /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given + * sglist without mark the sg which contain last skb data as the end. + * So the caller can mannipulate sg list as will when padding new data after +@@ -3439,19 +3468,11 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) + int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, + int offset, int len) + { +- return __skb_to_sgvec(skb, sg, offset, len); ++ return __skb_to_sgvec(skb, sg, offset, len, 0); + } + EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark); + +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) +-{ +- int nsg = __skb_to_sgvec(skb, sg, offset, len); + +- sg_mark_end(&sg[nsg - 1]); +- +- return nsg; +-} +-EXPORT_SYMBOL_GPL(skb_to_sgvec); + + /** + * skb_cow_data - Check that a socket buffer's data buffers are writable +@@ -3589,7 +3610,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) + + skb_queue_tail(&sk->sk_error_queue, skb); + if (!sock_flag(sk, SOCK_DEAD)) +- sk->sk_data_ready(sk); ++ sk->sk_error_report(sk); + return 0; + } + EXPORT_SYMBOL(sock_queue_err_skb); +@@ -3733,7 +3754,8 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, + return; + + if (tsonly) { +- skb_shinfo(skb)->tx_flags = skb_shinfo(orig_skb)->tx_flags; ++ skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags & ++ SKBTX_ANY_TSTAMP; + skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey; + } + +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index f5ef2115871f..a9a4276609ef 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -423,8 +423,6 @@ static __net_init int sysctl_core_net_init(struct net *net) + { + struct ctl_table *tbl; + +- net->core.sysctl_somaxconn = SOMAXCONN; +- + tbl = netns_core_table; + if (!net_eq(net, &init_net)) { + tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL); +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index bafb2223b879..2fa37d32ae3b 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -642,6 +642,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + ireq = inet_rsk(req); + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); ++ ireq->ir_mark = inet_request_mark(sk, skb); + ireq->ireq_family = AF_INET; + ireq->ir_iif = sk->sk_bound_dev_if; + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index d61027e78e25..a56919d47403 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -375,6 +375,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; + ireq->ireq_family = AF_INET6; ++ ireq->ir_mark = inet_request_mark(sk, skb); + + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || +diff --git a/net/dccp/proto.c b/net/dccp/proto.c +index a20dc23360f9..be71e07ba6f1 100644 +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -790,6 +790,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + if (skb == NULL) + goto out_release; + ++ if (sk->sk_state == DCCP_CLOSED) { ++ rc = -ENOTCONN; ++ goto out_discard; ++ } ++ + skb_reserve(skb, sk->sk_prot->max_header); + rc = memcpy_from_msg(skb_put(skb, len), msg, len); + if (rc != 0) +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c +index 31cd4fd75486..4b437445c2ea 100644 +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -25,6 +25,7 @@ + #include <linux/moduleparam.h> + #include <linux/slab.h> + #include <linux/string.h> ++#include <linux/ratelimit.h> + #include <linux/kernel.h> + #include <linux/keyctl.h> + #include <linux/err.h> +@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) + + next_opt = memchr(opt, '#', end - opt) ?: end; + opt_len = next_opt - opt; +- if (!opt_len) { +- printk(KERN_WARNING +- "Empty option to dns_resolver key\n"); ++ if (opt_len <= 0 || opt_len > 128) { ++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", ++ opt_len); + return -EINVAL; + } + +@@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) + } + + bad_option_value: +- printk(KERN_WARNING +- "Option '%*.*s' to dns_resolver key:" +- " bad/missing value\n", +- opt_nlen, opt_nlen, opt); ++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", ++ opt_nlen, opt_nlen, opt); + return -EINVAL; + } while (opt = next_opt + 1, opt < end); + } +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index 627a2537634e..7c5040c4fa90 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -310,12 +310,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + skb->sk = sk; + skb->protocol = htons(ETH_P_IEEE802154); + +- dev_put(dev); +- + err = dev_queue_xmit(skb); + if (err > 0) + err = net_xmit_errno(err); + ++ dev_put(dev); ++ + return err ?: size; + + out_skb: +@@ -697,12 +697,12 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + skb->sk = sk; + skb->protocol = htons(ETH_P_IEEE802154); + +- dev_put(dev); +- + err = dev_queue_xmit(skb); + if (err > 0) + err = net_xmit_errno(err); + ++ dev_put(dev); ++ + return err ?: size; + + out_skb: +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index bb96c1c4edd6..35ea352a9cef 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -212,6 +212,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, + tw->tw_dport = inet->inet_dport; + tw->tw_family = sk->sk_family; + tw->tw_reuse = sk->sk_reuse; ++ tw->tw_reuseport = sk->sk_reuseport; + tw->tw_hash = sk->sk_hash; + tw->tw_ipv6only = 0; + tw->tw_transparent = inet->transparent; +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 67c1333422a4..d4bdeed4e0a4 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -239,7 +239,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc, + src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg); + if (!ipv6_addr_v4mapped(&src_info->ipi6_addr)) + return -EINVAL; +- ipc->oif = src_info->ipi6_ifindex; ++ if (src_info->ipi6_ifindex) ++ ipc->oif = src_info->ipi6_ifindex; + ipc->addr = src_info->ipi6_addr.s6_addr32[3]; + continue; + } +@@ -262,7 +263,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc, + if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo))) + return -EINVAL; + info = (struct in_pktinfo *)CMSG_DATA(cmsg); +- ipc->oif = info->ipi_ifindex; ++ if (info->ipi_ifindex) ++ ipc->oif = info->ipi_ifindex; + ipc->addr = info->ipi_spec_dst.s_addr; + break; + } +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 169bf7d1d8ca..2385ec7083c6 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -301,13 +301,14 @@ static struct net_device *__ip_tunnel_create(struct net *net, + struct net_device *dev; + char name[IFNAMSIZ]; + +- if (parms->name[0]) ++ err = -E2BIG; ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else { +- if (strlen(ops->kind) > (IFNAMSIZ - 3)) { +- err = -E2BIG; ++ } else { ++ if (strlen(ops->kind) > (IFNAMSIZ - 3)) + goto failed; +- } + strlcpy(name, ops->kind, IFNAMSIZ); + strncat(name, "%d", 2); + } +diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c +index 574f7ebba0b6..ac8342dcb55e 100644 +--- a/net/ipv4/netfilter/nf_nat_h323.c ++++ b/net/ipv4/netfilter/nf_nat_h323.c +@@ -252,16 +252,16 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct, + if (set_h245_addr(skb, protoff, data, dataoff, taddr, + &ct->tuplehash[!dir].tuple.dst.u3, + htons((port & htons(1)) ? nated_port + 1 : +- nated_port)) == 0) { +- /* Save ports */ +- info->rtp_port[i][dir] = rtp_port; +- info->rtp_port[i][!dir] = htons(nated_port); +- } else { ++ nated_port))) { + nf_ct_unexpect_related(rtp_exp); + nf_ct_unexpect_related(rtcp_exp); + return -1; + } + ++ /* Save ports */ ++ info->rtp_port[i][dir] = rtp_port; ++ info->rtp_port[i][!dir] = htons(nated_port); ++ + /* Success */ + pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n", + &rtp_exp->tuple.src.u3.ip, +@@ -370,15 +370,15 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct, + /* Modify signal */ + if (set_h225_addr(skb, protoff, data, dataoff, taddr, + &ct->tuplehash[!dir].tuple.dst.u3, +- htons(nated_port)) == 0) { +- /* Save ports */ +- info->sig_port[dir] = port; +- info->sig_port[!dir] = htons(nated_port); +- } else { ++ htons(nated_port))) { + nf_ct_unexpect_related(exp); + return -1; + } + ++ /* Save ports */ ++ info->sig_port[dir] = port; ++ info->sig_port[!dir] = htons(nated_port); ++ + pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n", + &exp->tuple.src.u3.ip, + ntohs(exp->tuple.src.u.tcp.port), +@@ -462,24 +462,27 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct, + /* Modify signal */ + if (set_h225_addr(skb, protoff, data, 0, &taddr[idx], + &ct->tuplehash[!dir].tuple.dst.u3, +- htons(nated_port)) == 0) { +- /* Save ports */ +- info->sig_port[dir] = port; +- info->sig_port[!dir] = htons(nated_port); +- +- /* Fix for Gnomemeeting */ +- if (idx > 0 && +- get_h225_addr(ct, *data, &taddr[0], &addr, &port) && +- (ntohl(addr.ip) & 0xff000000) == 0x7f000000) { +- set_h225_addr(skb, protoff, data, 0, &taddr[0], +- &ct->tuplehash[!dir].tuple.dst.u3, +- info->sig_port[!dir]); +- } +- } else { ++ htons(nated_port))) { + nf_ct_unexpect_related(exp); + return -1; + } + ++ /* Save ports */ ++ info->sig_port[dir] = port; ++ info->sig_port[!dir] = htons(nated_port); ++ ++ /* Fix for Gnomemeeting */ ++ if (idx > 0 && ++ get_h225_addr(ct, *data, &taddr[0], &addr, &port) && ++ (ntohl(addr.ip) & 0xff000000) == 0x7f000000) { ++ if (set_h225_addr(skb, protoff, data, 0, &taddr[0], ++ &ct->tuplehash[!dir].tuple.dst.u3, ++ info->sig_port[!dir])) { ++ nf_ct_unexpect_related(exp); ++ return -1; ++ } ++ } ++ + /* Success */ + pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n", + &exp->tuple.src.u3.ip, +@@ -550,9 +553,9 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct, + } + + /* Modify signal */ +- if (!set_h225_addr(skb, protoff, data, dataoff, taddr, +- &ct->tuplehash[!dir].tuple.dst.u3, +- htons(nated_port)) == 0) { ++ if (set_h225_addr(skb, protoff, data, dataoff, taddr, ++ &ct->tuplehash[!dir].tuple.dst.u3, ++ htons(nated_port))) { + nf_ct_unexpect_related(exp); + return -1; + } +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 9a2294d01b9d..acf09ab17a62 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -496,11 +496,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + int err; + struct ip_options_data opt_copy; + struct raw_frag_vec rfv; ++ int hdrincl; + + err = -EMSGSIZE; + if (len > 0xFFFF) + goto out; + ++ /* hdrincl should be READ_ONCE(inet->hdrincl) ++ * but READ_ONCE() doesn't work with bit fields ++ */ ++ hdrincl = inet->hdrincl; + /* + * Check the flags. + */ +@@ -575,7 +580,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + /* Linux does not mangle headers on raw sockets, + * so that IP options + IP_HDRINCL is non-sense. + */ +- if (inet->hdrincl) ++ if (hdrincl) + goto done; + if (ipc.opt->opt.srr) { + if (!daddr) +@@ -597,12 +602,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + + flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, + RT_SCOPE_UNIVERSE, +- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, ++ hdrincl ? IPPROTO_RAW : sk->sk_protocol, + inet_sk_flowi_flags(sk) | +- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), ++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0); + +- if (!inet->hdrincl) { ++ if (!hdrincl) { + rfv.msg = msg; + rfv.hlen = 0; + +@@ -627,7 +632,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + goto do_confirm; + back_from_confirm: + +- if (inet->hdrincl) ++ if (hdrincl) + err = raw_send_hdrinc(sk, &fl4, msg, len, + &rt, msg->msg_flags); + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 94a4b28e5da6..07d65ae018ee 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2416,7 +2416,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + case TCP_REPAIR_QUEUE: + if (!tp->repair) + err = -EPERM; +- else if (val < TCP_QUEUES_NR) ++ else if ((unsigned int)val < TCP_QUEUES_NR) + tp->repair_queue = val; + else + err = -EINVAL; +@@ -2548,8 +2548,10 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + #ifdef CONFIG_TCP_MD5SIG + case TCP_MD5SIG: +- /* Read the IP->Key mappings from userspace */ +- err = tp->af_specific->md5_parse(sk, optval, optlen); ++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ++ err = tp->af_specific->md5_parse(sk, optval, optlen); ++ else ++ err = -EINVAL; + break; + #endif + case TCP_USER_TIMEOUT: +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 4763c431f7d8..d61371cefaf0 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3819,11 +3819,8 @@ const u8 *tcp_parse_md5sig_option(const struct tcphdr *th) + int length = (th->doff << 2) - sizeof(*th); + const u8 *ptr = (const u8 *)(th + 1); + +- /* If the TCP option is too short, we can short cut */ +- if (length < TCPOLEN_MD5SIG) +- return NULL; +- +- while (length > 0) { ++ /* If not enough data remaining, we can short cut */ ++ while (length >= TCPOLEN_MD5SIG) { + int opcode = *ptr++; + int opsize; + +@@ -5417,10 +5414,6 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb) + else + tp->pred_flags = 0; + +- if (!sock_flag(sk, SOCK_DEAD)) { +- sk->sk_state_change(sk); +- sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); +- } + } + + static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack, +@@ -5484,6 +5477,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_cookie foc = { .len = -1 }; + int saved_clamp = tp->rx_opt.mss_clamp; ++ bool fastopen_fail; + + tcp_parse_options(skb, &tp->rx_opt, 0, &foc); + if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) +@@ -5586,10 +5580,15 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, + + tcp_finish_connect(sk, skb); + +- if ((tp->syn_fastopen || tp->syn_data) && +- tcp_rcv_fastopen_synack(sk, skb, &foc)) +- return -1; ++ fastopen_fail = (tp->syn_fastopen || tp->syn_data) && ++ tcp_rcv_fastopen_synack(sk, skb, &foc); + ++ if (!sock_flag(sk, SOCK_DEAD)) { ++ sk->sk_state_change(sk); ++ sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); ++ } ++ if (fastopen_fail) ++ return -1; + if (sk->sk_write_pending || + icsk->icsk_accept_queue.rskq_defer_accept || + icsk->icsk_ack.pingpong) { +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 8441f9939d49..185ccfd781ed 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -886,7 +886,10 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, + INIT_HLIST_NODE(&ifa->addr_lst); + ifa->scope = scope; + ifa->prefix_len = pfxlen; +- ifa->flags = flags | IFA_F_TENTATIVE; ++ ifa->flags = flags; ++ /* No need to add the TENTATIVE flag for addresses with NODAD */ ++ if (!(flags & IFA_F_NODAD)) ++ ifa->flags |= IFA_F_TENTATIVE; + ifa->valid_lft = valid_lft; + ifa->prefered_lft = prefered_lft; + ifa->cstamp = ifa->tstamp = jiffies; +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index b1311da5d7b8..cda3cc6c3535 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -319,11 +319,13 @@ static struct ip6_tnl *ip6gre_tunnel_locate(struct net *net, + if (t || !create) + return t; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ return NULL; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "ip6gre%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6gre_tunnel_setup); + if (!dev) +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index c7c2c33aa4af..2219f454c0db 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -316,13 +316,16 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p) + struct net_device *dev; + struct ip6_tnl *t; + char name[IFNAMSIZ]; +- int err = -ENOMEM; ++ int err = -E2BIG; + +- if (p->name[0]) ++ if (p->name[0]) { ++ if (!dev_valid_name(p->name)) ++ goto failed; + strlcpy(name, p->name, IFNAMSIZ); +- else ++ } else { + sprintf(name, "ip6tnl%%d"); +- ++ } ++ err = -ENOMEM; + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6_tnl_dev_setup); + if (!dev) +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index c460e653b6a5..9b1c466fd0fd 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(struct net *net, struct __ip6_tnl_parm *p + char name[IFNAMSIZ]; + int err; + +- if (p->name[0]) ++ if (p->name[0]) { ++ if (!dev_valid_name(p->name)) ++ goto failed; + strlcpy(name, p->name, IFNAMSIZ); +- else ++ } else { + sprintf(name, "ip6_vti%%d"); ++ } + + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup); + if (!dev) +@@ -614,6 +617,7 @@ static void vti6_link_config(struct ip6_tnl *t) + { + struct net_device *dev = t->dev; + struct __ip6_tnl_parm *p = &t->parms; ++ struct net_device *tdev = NULL; + + memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr)); + memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr)); +@@ -626,6 +630,25 @@ static void vti6_link_config(struct ip6_tnl *t) + dev->flags |= IFF_POINTOPOINT; + else + dev->flags &= ~IFF_POINTOPOINT; ++ ++ if (p->flags & IP6_TNL_F_CAP_XMIT) { ++ int strict = (ipv6_addr_type(&p->raddr) & ++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)); ++ struct rt6_info *rt = rt6_lookup(t->net, ++ &p->raddr, &p->laddr, ++ p->link, strict); ++ ++ if (rt) ++ tdev = rt->dst.dev; ++ ip6_rt_put(rt); ++ } ++ ++ if (!tdev && p->link) ++ tdev = __dev_get_by_index(t->net, p->link); ++ ++ if (tdev) ++ dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len, ++ IPV6_MIN_MTU); + } + + /** +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index abb0bdda759a..460f63619552 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1452,7 +1452,8 @@ static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb, + *(opt++) = (rd_len >> 3); + opt += 6; + +- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8); ++ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt, ++ rd_len - 8); + } + + void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target) +@@ -1655,6 +1656,8 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, + case NETDEV_CHANGEADDR: + neigh_changeaddr(&nd_tbl, dev); + fib6_run_gc(0, net, false); ++ /* fallthrough */ ++ case NETDEV_UP: + idev = in6_dev_get(dev); + if (!idev) + break; +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index f4034c4eadf7..400548d53a43 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_locate(struct net *net, + if (!create) + goto failed; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "sit%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ipip6_tunnel_setup); + if (!dev) +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index 123f6f9f854c..8f9493b1bb1f 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -2382,9 +2382,11 @@ static int afiucv_iucv_init(void) + af_iucv_dev->driver = &af_iucv_driver; + err = device_register(af_iucv_dev); + if (err) +- goto out_driver; ++ goto out_iucv_dev; + return 0; + ++out_iucv_dev: ++ put_device(af_iucv_dev); + out_driver: + driver_unregister(&af_iucv_driver); + out_iucv: +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 354c43a1c43d..fd4b5a0cb7ee 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -3301,7 +3301,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, + p += pol->sadb_x_policy_len*8; + sec_ctx = (struct sadb_x_sec_ctx *)p; + if (len < pol->sadb_x_policy_len*8 + +- sec_ctx->sadb_x_sec_len) { ++ sec_ctx->sadb_x_sec_len*8) { + *dir = -EINVAL; + goto out; + } +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 0c4de8dd58bf..0b92ff822534 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1521,9 +1521,14 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + encap = cfg->encap; + + /* Quick sanity checks */ ++ err = -EPROTONOSUPPORT; ++ if (sk->sk_type != SOCK_DGRAM) { ++ pr_debug("tunl %hu: fd %d wrong socket type\n", ++ tunnel_id, fd); ++ goto err; ++ } + switch (encap) { + case L2TP_ENCAPTYPE_UDP: +- err = -EPROTONOSUPPORT; + if (sk->sk_protocol != IPPROTO_UDP) { + pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", + tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP); +@@ -1531,7 +1536,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + } + break; + case L2TP_ENCAPTYPE_IP: +- err = -EPROTONOSUPPORT; + if (sk->sk_protocol != IPPROTO_L2TP) { + pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", + tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP); +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index 1e412ad6ced5..ad2b93aafcd5 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -725,6 +725,8 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl + + if ((session->ifname[0] && + nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) || ++ (session->offset && ++ nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) || + (session->cookie_len && + nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len, + &session->cookie[0])) || +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 2d4d2230f976..ac518cc76c3e 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -606,6 +606,13 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, + lock_sock(sk); + + error = -EINVAL; ++ ++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6)) ++ goto end; ++ + if (sp->sa_protocol != PX_PROTO_OL2TP) + goto end; + +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index c58f242c00f1..f5d8cf1b96f3 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -197,9 +197,19 @@ static int llc_ui_release(struct socket *sock) + llc->laddr.lsap, llc->daddr.lsap); + if (!llc_send_disc(sk)) + llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); +- if (!sock_flag(sk, SOCK_ZAPPED)) ++ if (!sock_flag(sk, SOCK_ZAPPED)) { ++ struct llc_sap *sap = llc->sap; ++ ++ /* Hold this for release_sock(), so that llc_backlog_rcv() ++ * could still use it. ++ */ ++ llc_sap_hold(sap); + llc_sap_remove_socket(llc->sap, sk); +- release_sock(sk); ++ release_sock(sk); ++ llc_sap_put(sap); ++ } else { ++ release_sock(sk); ++ } + if (llc->dev) + dev_put(llc->dev); + sock_put(sk); +@@ -309,6 +319,8 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen) + int rc = -EINVAL; + + dprintk("%s: binding %02X\n", __func__, addr->sllc_sap); ++ ++ lock_sock(sk); + if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr))) + goto out; + rc = -EAFNOSUPPORT; +@@ -380,6 +392,7 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen) + out_put: + llc_sap_put(sap); + out: ++ release_sock(sk); + return rc; + } + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 6e89ab8eac44..83aade477855 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1418,7 +1418,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata, + break; + case NL80211_IFTYPE_UNSPECIFIED: + case NUM_NL80211_IFTYPES: +- BUG(); ++ WARN_ON(1); + break; + } + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 844825829992..41d059ec04b4 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4321,6 +4321,10 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata, + if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) + return -EINVAL; + ++ /* If a reconfig is happening, bail out */ ++ if (local->in_reconfig) ++ return -EBUSY; ++ + if (assoc) { + rcu_read_lock(); + have_sta = sta_info_get(sdata, cbss->bssid); +diff --git a/net/mac80211/status.c b/net/mac80211/status.c +index 005fdbe39a8b..363c82b08d28 100644 +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -193,6 +193,7 @@ static void ieee80211_frame_acked(struct sta_info *sta, struct sk_buff *skb) + } + + if (ieee80211_is_action(mgmt->frame_control) && ++ !ieee80211_has_protected(mgmt->frame_control) && + mgmt->u.action.category == WLAN_CATEGORY_HT && + mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS && + ieee80211_sdata_running(sdata)) { +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index c0e64d15cf34..ee4dfecdc596 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -855,8 +855,13 @@ restart: + } + out: + local_bh_enable(); +- if (last) ++ if (last) { ++ /* nf ct hash resize happened, now clear the leftover. */ ++ if ((struct nf_conn *)cb->args[1] == last) ++ cb->args[1] = 0; ++ + nf_ct_put(last); ++ } + + return skb->len; + } +diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c +index 32d0437abdd8..86f7555a98d1 100644 +--- a/net/netfilter/nfnetlink_queue_core.c ++++ b/net/netfilter/nfnetlink_queue_core.c +@@ -993,10 +993,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, + struct net *net = sock_net(ctnl); + struct nfnl_queue_net *q = nfnl_queue_pernet(net); + +- queue = instance_lookup(q, queue_num); +- if (!queue) +- queue = verdict_instance_lookup(q, queue_num, +- NETLINK_CB(skb).portid); ++ queue = verdict_instance_lookup(q, queue_num, ++ NETLINK_CB(skb).portid); + if (IS_ERR(queue)) + return PTR_ERR(queue); + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index f4fcd9441561..48e36611a869 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -367,6 +367,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto) + return buf; + } + ++/** ++ * xt_check_proc_name - check that name is suitable for /proc file creation ++ * ++ * @name: file name candidate ++ * @size: length of buffer ++ * ++ * some x_tables modules wish to create a file in /proc. ++ * This function makes sure that the name is suitable for this ++ * purpose, it checks that name is NUL terminated and isn't a 'special' ++ * name, like "..". ++ * ++ * returns negative number on error or 0 if name is useable. ++ */ ++int xt_check_proc_name(const char *name, unsigned int size) ++{ ++ if (name[0] == '\0') ++ return -EINVAL; ++ ++ if (strnlen(name, size) == size) ++ return -ENAMETOOLONG; ++ ++ if (strcmp(name, ".") == 0 || ++ strcmp(name, "..") == 0 || ++ strchr(name, '/')) ++ return -EINVAL; ++ ++ return 0; ++} ++EXPORT_SYMBOL(xt_check_proc_name); ++ + int xt_check_match(struct xt_mtchk_param *par, + unsigned int size, u_int8_t proto, bool inv_proto) + { +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 178696852bde..7381be0cdcdf 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -668,8 +668,9 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par) + + if (info->cfg.gc_interval == 0 || info->cfg.expire == 0) + return -EINVAL; +- if (info->name[sizeof(info->name)-1] != '\0') +- return -EINVAL; ++ ret = xt_check_proc_name(info->name, sizeof(info->name)); ++ if (ret) ++ return ret; + if (par->family == NFPROTO_IPV4) { + if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32) + return -EINVAL; +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index 45e1b30e4fb2..f2780ee57163 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -364,9 +364,9 @@ static int recent_mt_check(const struct xt_mtchk_param *par, + info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); + return -EINVAL; + } +- if (info->name[0] == '\0' || +- strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) +- return -EINVAL; ++ ret = xt_check_proc_name(info->name, sizeof(info->name)); ++ if (ret) ++ return ret; + + if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot) + nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1; +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 66c340bc0553..45ecf1f433ad 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1635,6 +1635,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + if (addr->sa_family != AF_NETLINK) + return -EINVAL; + ++ if (alen < sizeof(struct sockaddr_nl)) ++ return -EINVAL; ++ + if ((nladdr->nl_groups || nladdr->nl_pid) && + !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND)) + return -EPERM; +@@ -2385,6 +2388,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + + if (msg->msg_namelen) { + err = -EINVAL; ++ if (msg->msg_namelen < sizeof(struct sockaddr_nl)) ++ goto out; + if (addr->nl_family != AF_NETLINK) + goto out; + dst_portid = addr->nl_pid; +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index 97c22c818134..1c58b0326c54 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1143,7 +1143,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group, + if (!err) + delivered = true; + else if (err != -ESRCH) +- goto error; ++ return err; + return delivered ? 0 : -ESRCH; + error: + kfree_skb(skb); +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7f5d147aff63..b778a3460842 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2652,6 +2652,7 @@ static int packet_release(struct socket *sock) + + packet_flush_mclist(sk); + ++ lock_sock(sk); + if (po->rx_ring.pg_vec) { + memset(&req_u, 0, sizeof(req_u)); + packet_set_ring(sk, &req_u, 1, 0); +@@ -2661,6 +2662,7 @@ static int packet_release(struct socket *sock) + memset(&req_u, 0, sizeof(req_u)); + packet_set_ring(sk, &req_u, 1, 1); + } ++ release_sock(sk); + + fanout_release(sk); + +@@ -3320,6 +3322,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + union tpacket_req_u req_u; + int len; + ++ lock_sock(sk); + switch (po->tp_version) { + case TPACKET_V1: + case TPACKET_V2: +@@ -3330,14 +3333,21 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + len = sizeof(req_u.req3); + break; + } +- if (optlen < len) +- return -EINVAL; +- if (pkt_sk(sk)->has_vnet_hdr) +- return -EINVAL; +- if (copy_from_user(&req_u.req, optval, len)) +- return -EFAULT; +- return packet_set_ring(sk, &req_u, 0, +- optname == PACKET_TX_RING); ++ if (optlen < len) { ++ ret = -EINVAL; ++ } else { ++ if (pkt_sk(sk)->has_vnet_hdr) { ++ ret = -EINVAL; ++ } else { ++ if (copy_from_user(&req_u.req, optval, len)) ++ ret = -EFAULT; ++ else ++ ret = packet_set_ring(sk, &req_u, 0, ++ optname == PACKET_TX_RING); ++ } ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_COPY_THRESH: + { +@@ -3847,7 +3857,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + /* Added to avoid minimal code churn */ + struct tpacket_req *req = &req_u->req; + +- lock_sock(sk); + /* Opening a Tx-ring is NOT supported in TPACKET_V3 */ + if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) { + WARN(1, "Tx-ring is not supported.\n"); +@@ -3983,7 +3992,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + if (pg_vec) + free_pg_vec(pg_vec, order, req->tp_block_nr); + out: +- release_sock(sk); + return err; + } + +diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c +index f226709ebd8f..ca5f3662a485 100644 +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -209,7 +209,7 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, + struct sk_buff *trailer; + unsigned int len; + u16 check; +- int nsg; ++ int nsg, err; + + sp = rxrpc_skb(skb); + +@@ -240,7 +240,9 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, + len &= ~(call->conn->size_align - 1); + + sg_init_table(sg, nsg); +- skb_to_sgvec(skb, sg, 0, len); ++ err = skb_to_sgvec(skb, sg, 0, len); ++ if (unlikely(err < 0)) ++ return err; + crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); + + _leave(" = 0"); +@@ -336,7 +338,7 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call, + struct sk_buff *trailer; + u32 data_size, buf; + u16 check; +- int nsg; ++ int nsg, ret; + + _enter(""); + +@@ -348,7 +350,9 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call, + goto nomem; + + sg_init_table(sg, nsg); +- skb_to_sgvec(skb, sg, 0, 8); ++ ret = skb_to_sgvec(skb, sg, 0, 8); ++ if (unlikely(ret < 0)) ++ return ret; + + /* start the decryption afresh */ + memset(&iv, 0, sizeof(iv)); +@@ -411,7 +415,7 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, + struct sk_buff *trailer; + u32 data_size, buf; + u16 check; +- int nsg; ++ int nsg, ret; + + _enter(",{%d}", skb->len); + +@@ -430,7 +434,12 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, + } + + sg_init_table(sg, nsg); +- skb_to_sgvec(skb, sg, 0, skb->len); ++ ret = skb_to_sgvec(skb, sg, 0, skb->len); ++ if (unlikely(ret < 0)) { ++ if (sg != _sg) ++ kfree(sg); ++ return ret; ++ } + + /* decrypt from the session key */ + token = call->conn->key->payload.data; +diff --git a/net/sched/act_api.c b/net/sched/act_api.c +index c9387f62f634..97dbf5775c47 100644 +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -93,8 +93,10 @@ static int tcf_dump_walker(struct sk_buff *skb, struct netlink_callback *cb, + a->order = n_i; + + nest = nla_nest_start(skb, a->order); +- if (nest == NULL) ++ if (nest == NULL) { ++ index--; + goto nla_put_failure; ++ } + err = tcf_action_dump_1(skb, a, 0, 0); + if (err < 0) { + index--; +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 4cd5cf1aedf8..a40ed3d29988 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -176,6 +176,9 @@ static int tcf_csum_ipv4_tcp(struct sk_buff *skb, + struct tcphdr *tcph; + const struct iphdr *iph; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) ++ return 1; ++ + tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph)); + if (tcph == NULL) + return 0; +@@ -197,6 +200,9 @@ static int tcf_csum_ipv6_tcp(struct sk_buff *skb, + struct tcphdr *tcph; + const struct ipv6hdr *ip6h; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) ++ return 1; ++ + tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph)); + if (tcph == NULL) + return 0; +@@ -220,6 +226,9 @@ static int tcf_csum_ipv4_udp(struct sk_buff *skb, + const struct iphdr *iph; + u16 ul; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP) ++ return 1; ++ + /* + * Support both UDP and UDPLITE checksum algorithms, Don't use + * udph->len to get the real length without any protocol check, +@@ -273,6 +282,9 @@ static int tcf_csum_ipv6_udp(struct sk_buff *skb, + const struct ipv6hdr *ip6h; + u16 ul; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP) ++ return 1; ++ + /* + * Support both UDP and UDPLITE checksum algorithms, Don't use + * udph->len to get the real length without any protocol check, +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 00db4424faf1..7fee02981619 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -496,46 +496,49 @@ static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr, + addr->v6.sin6_scope_id = 0; + } + +-/* Compare addresses exactly. +- * v4-mapped-v6 is also in consideration. +- */ +-static int sctp_v6_cmp_addr(const union sctp_addr *addr1, +- const union sctp_addr *addr2) ++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) + { + if (addr1->sa.sa_family != addr2->sa.sa_family) { + if (addr1->sa.sa_family == AF_INET && + addr2->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) { +- if (addr2->v6.sin6_port == addr1->v4.sin_port && +- addr2->v6.sin6_addr.s6_addr32[3] == +- addr1->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) && ++ addr2->v6.sin6_addr.s6_addr32[3] == ++ addr1->v4.sin_addr.s_addr) ++ return 1; ++ + if (addr2->sa.sa_family == AF_INET && + addr1->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) { +- if (addr1->v6.sin6_port == addr2->v4.sin_port && +- addr1->v6.sin6_addr.s6_addr32[3] == +- addr2->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) && ++ addr1->v6.sin6_addr.s6_addr32[3] == ++ addr2->v4.sin_addr.s_addr) ++ return 1; ++ + return 0; + } +- if (addr1->v6.sin6_port != addr2->v6.sin6_port) +- return 0; ++ + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) + return 0; ++ + /* If this is a linklocal address, compare the scope_id. */ +- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { +- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && +- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) { +- return 0; +- } +- } ++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) && ++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && ++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id) ++ return 0; + + return 1; + } + ++/* Compare addresses exactly. ++ * v4-mapped-v6 is also in consideration. ++ */ ++static int sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) ++{ ++ return __sctp_v6_cmp_addr(addr1, addr2) && ++ addr1->v6.sin6_port == addr2->v6.sin6_port; ++} ++ + /* Initialize addr struct to INADDR_ANY. */ + static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port) + { +@@ -700,8 +703,10 @@ static int sctp_v6_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) + sctp_v6_map_v4(addr); + } + +- if (addr->sa.sa_family == AF_INET) ++ if (addr->sa.sa_family == AF_INET) { ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + return sizeof(struct sockaddr_in); ++ } + return sizeof(struct sockaddr_in6); + } + +@@ -818,8 +823,8 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1, + const union sctp_addr *addr2, + struct sctp_sock *opt) + { +- struct sctp_af *af1, *af2; + struct sock *sk = sctp_opt2sk(opt); ++ struct sctp_af *af1, *af2; + + af1 = sctp_get_af_specific(addr1->sa.sa_family); + af2 = sctp_get_af_specific(addr2->sa.sa_family); +@@ -835,10 +840,7 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1, + if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2)) + return 1; + +- if (addr1->sa.sa_family != addr2->sa.sa_family) +- return 0; +- +- return af1->cmp_addr(addr1, addr2); ++ return __sctp_v6_cmp_addr(addr1, addr2); + } + + /* Verify that the provided sockaddr looks bindable. Common verification, +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 195b54a19f1e..25127a0aeb3c 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -335,11 +335,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt, + if (!opt->pf->af_supported(addr->sa.sa_family, opt)) + return NULL; + +- /* V4 mapped address are really of AF_INET family */ +- if (addr->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr->v6.sin6_addr) && +- !opt->pf->af_supported(AF_INET, opt)) +- return NULL; ++ if (addr->sa.sa_family == AF_INET6) { ++ if (len < SIN6_LEN_RFC2133) ++ return NULL; ++ /* V4 mapped address are really of AF_INET family */ ++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) && ++ !opt->pf->af_supported(AF_INET, opt)) ++ return NULL; ++ } + + /* If we get this far, af is valid. */ + af = sctp_get_af_specific(addr->sa.sa_family); +@@ -1512,7 +1515,7 @@ static void sctp_close(struct sock *sk, long timeout) + + pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout); + +- lock_sock(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + sk->sk_shutdown = SHUTDOWN_MASK; + sk->sk_state = SCTP_SS_CLOSING; + +@@ -1563,7 +1566,7 @@ static void sctp_close(struct sock *sk, long timeout) + * held and that should be grabbed before socket lock. + */ + spin_lock_bh(&net->sctp.addr_wq_lock); +- bh_lock_sock(sk); ++ bh_lock_sock_nested(sk); + + /* Hold the sock, since sk_common_release() will put sock_put() + * and we have just a little more cleanup. +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index d81186d34558..9103dd15511c 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry *pipe_dentry) + struct dentry *clnt_dir = pipe_dentry->d_parent; + struct dentry *gssd_dir = clnt_dir->d_parent; + ++ dget(pipe_dentry); + __rpc_rmpipe(d_inode(clnt_dir), pipe_dentry); + __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1); + __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1); +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 14972988d29d..3721a6422610 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2192,7 +2192,12 @@ static void xs_tcp_setup_socket(struct work_struct *work) + case -EHOSTUNREACH: + case -EADDRINUSE: + case -ENOBUFS: +- /* retry with existing socket, after a delay */ ++ /* ++ * xs_tcp_force_close() wakes tasks with -EIO. ++ * We need to wake them first to ensure the ++ * correct error code. ++ */ ++ xprt_wake_pending_tasks(xprt, status); + xs_tcp_force_close(xprt); + goto out; + } +diff --git a/net/tipc/net.c b/net/tipc/net.c +index a54f3cbe2246..64ead4f47b70 100644 +--- a/net/tipc/net.c ++++ b/net/tipc/net.c +@@ -43,7 +43,8 @@ + + static const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_NET_ID] = { .type = NLA_U32 } ++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 }, ++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 }, + }; + + /* +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index c3ab230e4493..a9072fb5c767 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1794,32 +1794,40 @@ void x25_kill_by_neigh(struct x25_neigh *nb) + + static int __init x25_init(void) + { +- int rc = proto_register(&x25_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&x25_proto, 0); ++ if (rc) + goto out; + + rc = sock_register(&x25_family_ops); +- if (rc != 0) ++ if (rc) + goto out_proto; + + dev_add_pack(&x25_packet_type); + + rc = register_netdevice_notifier(&x25_dev_notifier); +- if (rc != 0) ++ if (rc) + goto out_sock; + +- pr_info("Linux Version 0.2\n"); ++ rc = x25_register_sysctl(); ++ if (rc) ++ goto out_dev; + +- x25_register_sysctl(); + rc = x25_proc_init(); +- if (rc != 0) +- goto out_dev; ++ if (rc) ++ goto out_sysctl; ++ ++ pr_info("Linux Version 0.2\n"); ++ + out: + return rc; ++out_sysctl: ++ x25_unregister_sysctl(); + out_dev: + unregister_netdevice_notifier(&x25_dev_notifier); + out_sock: ++ dev_remove_pack(&x25_packet_type); + sock_unregister(AF_X25); + out_proto: + proto_unregister(&x25_proto); +diff --git a/net/x25/sysctl_net_x25.c b/net/x25/sysctl_net_x25.c +index 43239527a205..703d46aae7a2 100644 +--- a/net/x25/sysctl_net_x25.c ++++ b/net/x25/sysctl_net_x25.c +@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = { + { 0, }, + }; + +-void __init x25_register_sysctl(void) ++int __init x25_register_sysctl(void) + { + x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table); ++ if (!x25_table_header) ++ return -ENOMEM; ++ return 0; + } + + void x25_unregister_sysctl(void) +diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c +index ccfdc7115a83..a00ec715aa46 100644 +--- a/net/xfrm/xfrm_ipcomp.c ++++ b/net/xfrm/xfrm_ipcomp.c +@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name) + struct crypto_comp *tfm; + + /* This can be any valid CPU ID so we don't need locking. */ +- tfm = __this_cpu_read(*pos->tfms); ++ tfm = this_cpu_read(*pos->tfms); + + if (!strcmp(crypto_comp_name(tfm), alg_name)) { + pos->users++; +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 7306683a7207..94b522fc231e 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1299,7 +1299,7 @@ EXPORT_SYMBOL(xfrm_policy_delete); + + int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) + { +- struct net *net = xp_net(pol); ++ struct net *net = sock_net(sk); + struct xfrm_policy *old_pol; + + #ifdef CONFIG_XFRM_SUB_POLICY +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 96688cd0f6f1..733e8028f54f 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1208,6 +1208,8 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig) + x->curlft.add_time = orig->curlft.add_time; + x->km.state = orig->km.state; + x->km.seq = orig->km.seq; ++ x->replay = orig->replay; ++ x->preplay = orig->preplay; + + return x; + +@@ -1845,6 +1847,18 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen + struct xfrm_mgr *km; + struct xfrm_policy *pol = NULL; + ++#ifdef CONFIG_COMPAT ++ if (is_compat_task()) ++ return -EOPNOTSUPP; ++#endif ++ ++ if (!optval && !optlen) { ++ xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); ++ xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); ++ __sk_dst_reset(sk); ++ return 0; ++ } ++ + if (optlen <= 0 || optlen > PAGE_SIZE) + return -EMSGSIZE; + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 84541b35629a..0f6285f9674e 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -120,22 +120,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p, + struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; + struct xfrm_replay_state_esn *rs; + +- if (p->flags & XFRM_STATE_ESN) { +- if (!rt) +- return -EINVAL; ++ if (!rt) ++ return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; + +- rs = nla_data(rt); ++ rs = nla_data(rt); + +- if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) +- return -EINVAL; +- +- if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && +- nla_len(rt) != sizeof(*rs)) +- return -EINVAL; +- } ++ if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) ++ return -EINVAL; + +- if (!rt) +- return 0; ++ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && ++ nla_len(rt) != sizeof(*rs)) ++ return -EINVAL; + + /* As only ESP and AH support ESN feature. */ + if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) +@@ -2460,7 +2455,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + #ifdef CONFIG_COMPAT + if (is_compat_task()) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + #endif + + type = nlh->nlmsg_type; +diff --git a/scripts/tags.sh b/scripts/tags.sh +index cdb491d84503..7056322b53f0 100755 +--- a/scripts/tags.sh ++++ b/scripts/tags.sh +@@ -106,6 +106,7 @@ all_compiled_sources() + case "$i" in + *.[cS]) + j=${i/\.[cS]/\.o} ++ j="${j#$tree}" + if [ -e $j ]; then + echo $i + fi +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index e5f1561439db..b7e269317e0c 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -735,7 +735,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); + + /* Maximum pathname length before accesses will start getting rejected */ + unsigned int aa_g_path_max = 2 * PATH_MAX; +-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); ++module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); + + /* Determines how paranoid loading of policy is and how much verification + * on the loaded policy is done. +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 9ee9139b0b07..7f8c0322548c 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -206,7 +206,8 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, + if (opened & FILE_CREATED) + iint->flags |= IMA_NEW_FILE; + if ((iint->flags & IMA_NEW_FILE) && +- !(iint->flags & IMA_DIGSIG_REQUIRED)) ++ (!(iint->flags & IMA_DIGSIG_REQUIRED) || ++ (inode->i_size == 0))) + status = INTEGRITY_PASS; + goto out; + } +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 0034eb420b0e..de1e43f6adf1 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -321,18 +321,6 @@ static void superblock_free_security(struct super_block *sb) + kfree(sbsec); + } + +-/* The file system's label must be initialized prior to use. */ +- +-static const char *labeling_behaviors[7] = { +- "uses xattr", +- "uses transition SIDs", +- "uses task SIDs", +- "uses genfs_contexts", +- "not configured for labeling", +- "uses mountpoint labeling", +- "uses native labeling", +-}; +- + static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); + + static inline int inode_doinit(struct inode *inode) +@@ -444,10 +432,6 @@ static int sb_finish_set_opts(struct super_block *sb) + } + } + +- if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) +- printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", +- sb->s_id, sb->s_type->name); +- + sbsec->flags |= SE_SBINITIALIZED; + if (selinux_is_sblabel_mnt(sb)) + sbsec->flags |= SBLABEL_MNT; +@@ -4106,10 +4090,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in + u32 sid, node_perm; + + if (family == PF_INET) { ++ if (addrlen < sizeof(struct sockaddr_in)) { ++ err = -EINVAL; ++ goto out; ++ } + addr4 = (struct sockaddr_in *)address; + snum = ntohs(addr4->sin_port); + addrp = (char *)&addr4->sin_addr.s_addr; + } else { ++ if (addrlen < SIN6_LEN_RFC2133) { ++ err = -EINVAL; ++ goto out; ++ } + addr6 = (struct sockaddr_in6 *)address; + snum = ntohs(addr6->sin6_port); + addrp = (char *)&addr6->sin6_addr.s6_addr; +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 31d1d2ebd6f2..f20b2b0a2a54 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -154,7 +154,7 @@ static int selinux_set_mapping(struct policydb *pol, + } + + k = 0; +- while (p_in->perms && p_in->perms[k]) { ++ while (p_in->perms[k]) { + /* An empty permission string skips ahead */ + if (!*p_in->perms[k]) { + k++; +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 494b7b533366..7b2719acbeba 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -833,8 +833,25 @@ static int choose_rate(struct snd_pcm_substream *substream, + return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); + } + +-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, +- bool trylock) ++/* parameter locking: returns immediately if tried during streaming */ ++static int lock_params(struct snd_pcm_runtime *runtime) ++{ ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; ++ if (atomic_read(&runtime->oss.rw_ref)) { ++ mutex_unlock(&runtime->oss.params_lock); ++ return -EBUSY; ++ } ++ return 0; ++} ++ ++static void unlock_params(struct snd_pcm_runtime *runtime) ++{ ++ mutex_unlock(&runtime->oss.params_lock); ++} ++ ++/* call with params_lock held */ ++static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) + { + struct snd_pcm_runtime *runtime = substream->runtime; + struct snd_pcm_hw_params *params, *sparams; +@@ -848,12 +865,9 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, + struct snd_mask sformat_mask; + struct snd_mask mask; + +- if (trylock) { +- if (!(mutex_trylock(&runtime->oss.params_lock))) +- return -EAGAIN; +- } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) +- return -EINTR; +- sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); ++ if (!runtime->oss.params) ++ return 0; ++ sw_params = kzalloc(sizeof(*sw_params), GFP_KERNEL); + params = kmalloc(sizeof(*params), GFP_KERNEL); + sparams = kmalloc(sizeof(*sparams), GFP_KERNEL); + if (!sw_params || !params || !sparams) { +@@ -991,7 +1005,6 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, + goto failure; + } + +- memset(sw_params, 0, sizeof(*sw_params)); + if (runtime->oss.trigger) { + sw_params->start_threshold = 1; + } else { +@@ -1079,6 +1092,23 @@ failure: + kfree(sw_params); + kfree(params); + kfree(sparams); ++ return err; ++} ++ ++/* this one takes the lock by itself */ ++static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, ++ bool trylock) ++{ ++ struct snd_pcm_runtime *runtime = substream->runtime; ++ int err; ++ ++ if (trylock) { ++ if (!(mutex_trylock(&runtime->oss.params_lock))) ++ return -EAGAIN; ++ } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; ++ ++ err = snd_pcm_oss_change_params_locked(substream); + mutex_unlock(&runtime->oss.params_lock); + return err; + } +@@ -1107,6 +1137,10 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil + return 0; + } + ++/* call with params_lock held */ ++/* NOTE: this always call PREPARE unconditionally no matter whether ++ * runtime->oss.prepare is set or not ++ */ + static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) + { + int err; +@@ -1131,14 +1165,35 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream) + struct snd_pcm_runtime *runtime; + int err; + +- if (substream == NULL) +- return 0; + runtime = substream->runtime; + if (runtime->oss.params) { + err = snd_pcm_oss_change_params(substream, false); + if (err < 0) + return err; + } ++ if (runtime->oss.prepare) { ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; ++ err = snd_pcm_oss_prepare(substream); ++ mutex_unlock(&runtime->oss.params_lock); ++ if (err < 0) ++ return err; ++ } ++ return 0; ++} ++ ++/* call with params_lock held */ ++static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream) ++{ ++ struct snd_pcm_runtime *runtime; ++ int err; ++ ++ runtime = substream->runtime; ++ if (runtime->oss.params) { ++ err = snd_pcm_oss_change_params_locked(substream); ++ if (err < 0) ++ return err; ++ } + if (runtime->oss.prepare) { + err = snd_pcm_oss_prepare(substream); + if (err < 0) +@@ -1367,13 +1422,15 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha + if (atomic_read(&substream->mmap_count)) + return -ENXIO; + +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) +- return tmp; ++ atomic_inc(&runtime->oss.rw_ref); + while (bytes > 0) { + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + tmp = -ERESTARTSYS; + break; + } ++ tmp = snd_pcm_oss_make_ready_locked(substream); ++ if (tmp < 0) ++ goto err; + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { + tmp = bytes; + if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes) +@@ -1429,6 +1486,7 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha + } + tmp = 0; + } ++ atomic_dec(&runtime->oss.rw_ref); + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; + } + +@@ -1474,13 +1532,15 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use + if (atomic_read(&substream->mmap_count)) + return -ENXIO; + +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) +- return tmp; ++ atomic_inc(&runtime->oss.rw_ref); + while (bytes > 0) { + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + tmp = -ERESTARTSYS; + break; + } ++ tmp = snd_pcm_oss_make_ready_locked(substream); ++ if (tmp < 0) ++ goto err; + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { + if (runtime->oss.buffer_used == 0) { + tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1); +@@ -1521,6 +1581,7 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use + } + tmp = 0; + } ++ atomic_dec(&runtime->oss.rw_ref); + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; + } + +@@ -1536,10 +1597,12 @@ static int snd_pcm_oss_reset(struct snd_pcm_oss_file *pcm_oss_file) + continue; + runtime = substream->runtime; + snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); ++ mutex_lock(&runtime->oss.params_lock); + runtime->oss.prepare = 1; + runtime->oss.buffer_used = 0; + runtime->oss.prev_hw_ptr_period = 0; + runtime->oss.period_ptr = 0; ++ mutex_unlock(&runtime->oss.params_lock); + } + return 0; + } +@@ -1625,9 +1688,13 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + goto __direct; + if ((err = snd_pcm_oss_make_ready(substream)) < 0) + return err; ++ atomic_inc(&runtime->oss.rw_ref); ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) { ++ atomic_dec(&runtime->oss.rw_ref); ++ return -ERESTARTSYS; ++ } + format = snd_pcm_oss_format_from(runtime->oss.format); + width = snd_pcm_format_physical_width(format); +- mutex_lock(&runtime->oss.params_lock); + if (runtime->oss.buffer_used > 0) { + #ifdef OSS_DEBUG + pcm_dbg(substream->pcm, "sync: buffer_used\n"); +@@ -1637,10 +1704,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + runtime->oss.buffer + runtime->oss.buffer_used, + size); + err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes); +- if (err < 0) { +- mutex_unlock(&runtime->oss.params_lock); +- return err; +- } ++ if (err < 0) ++ goto unlock; + } else if (runtime->oss.period_ptr > 0) { + #ifdef OSS_DEBUG + pcm_dbg(substream->pcm, "sync: period_ptr\n"); +@@ -1650,10 +1715,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + runtime->oss.buffer, + size * 8 / width); + err = snd_pcm_oss_sync1(substream, size); +- if (err < 0) { +- mutex_unlock(&runtime->oss.params_lock); +- return err; +- } ++ if (err < 0) ++ goto unlock; + } + /* + * The ALSA's period might be a bit large than OSS one. +@@ -1684,7 +1747,11 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + snd_pcm_lib_writev(substream, buffers, size); + } + } ++unlock: + mutex_unlock(&runtime->oss.params_lock); ++ atomic_dec(&runtime->oss.rw_ref); ++ if (err < 0) ++ return err; + /* + * finish sync: drain the buffer + */ +@@ -1695,7 +1762,9 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + substream->f_flags = saved_f_flags; + if (err < 0) + return err; ++ mutex_lock(&runtime->oss.params_lock); + runtime->oss.prepare = 1; ++ mutex_unlock(&runtime->oss.params_lock); + } + + substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE]; +@@ -1706,8 +1775,10 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); + if (err < 0) + return err; ++ mutex_lock(&runtime->oss.params_lock); + runtime->oss.buffer_used = 0; + runtime->oss.prepare = 1; ++ mutex_unlock(&runtime->oss.params_lock); + } + return 0; + } +@@ -1719,6 +1790,8 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate) + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; ++ int err; ++ + if (substream == NULL) + continue; + runtime = substream->runtime; +@@ -1726,10 +1799,14 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate) + rate = 1000; + else if (rate > 192000) + rate = 192000; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; + if (runtime->oss.rate != rate) { + runtime->oss.params = 1; + runtime->oss.rate = rate; + } ++ unlock_params(runtime); + } + return snd_pcm_oss_get_rate(pcm_oss_file); + } +@@ -1754,13 +1831,19 @@ static int snd_pcm_oss_set_channels(struct snd_pcm_oss_file *pcm_oss_file, unsig + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; ++ int err; ++ + if (substream == NULL) + continue; + runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; + if (runtime->oss.channels != channels) { + runtime->oss.params = 1; + runtime->oss.channels = channels; + } ++ unlock_params(runtime); + } + return snd_pcm_oss_get_channels(pcm_oss_file); + } +@@ -1814,10 +1897,9 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file) + return -ENOMEM; + _snd_pcm_hw_params_any(params); + err = snd_pcm_hw_refine(substream, params); +- format_mask = *hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); +- kfree(params); + if (err < 0) +- return err; ++ goto error; ++ format_mask = *hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); + for (fmt = 0; fmt < 32; ++fmt) { + if (snd_mask_test(&format_mask, fmt)) { + int f = snd_pcm_oss_format_to(fmt); +@@ -1825,12 +1907,16 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file) + formats |= f; + } + } +- return formats; ++ ++ error: ++ kfree(params); ++ return err < 0 ? err : formats; + } + + static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int format) + { + int formats, idx; ++ int err; + + if (format != AFMT_QUERY) { + formats = snd_pcm_oss_get_formats(pcm_oss_file); +@@ -1844,10 +1930,14 @@ static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int for + if (substream == NULL) + continue; + runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; + if (runtime->oss.format != format) { + runtime->oss.params = 1; + runtime->oss.format = format; + } ++ unlock_params(runtime); + } + } + return snd_pcm_oss_get_format(pcm_oss_file); +@@ -1867,8 +1957,6 @@ static int snd_pcm_oss_set_subdivide1(struct snd_pcm_substream *substream, int s + { + struct snd_pcm_runtime *runtime; + +- if (substream == NULL) +- return 0; + runtime = substream->runtime; + if (subdivide == 0) { + subdivide = runtime->oss.subdivision; +@@ -1892,9 +1980,17 @@ static int snd_pcm_oss_set_subdivide(struct snd_pcm_oss_file *pcm_oss_file, int + + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; ++ struct snd_pcm_runtime *runtime; ++ + if (substream == NULL) + continue; +- if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0) ++ runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; ++ err = snd_pcm_oss_set_subdivide1(substream, subdivide); ++ unlock_params(runtime); ++ if (err < 0) + return err; + } + return err; +@@ -1904,8 +2000,6 @@ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsign + { + struct snd_pcm_runtime *runtime; + +- if (substream == NULL) +- return 0; + runtime = substream->runtime; + if (runtime->oss.subdivision || runtime->oss.fragshift) + return -EINVAL; +@@ -1925,9 +2019,17 @@ static int snd_pcm_oss_set_fragment(struct snd_pcm_oss_file *pcm_oss_file, unsig + + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; ++ struct snd_pcm_runtime *runtime; ++ + if (substream == NULL) + continue; +- if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0) ++ runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; ++ err = snd_pcm_oss_set_fragment1(substream, val); ++ unlock_params(runtime); ++ if (err < 0) + return err; + } + return err; +@@ -2011,6 +2113,9 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + } + if (psubstream) { + runtime = psubstream->runtime; ++ cmd = 0; ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; + if (trigger & PCM_ENABLE_OUTPUT) { + if (runtime->oss.trigger) + goto _skip1; +@@ -2028,13 +2133,19 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + cmd = SNDRV_PCM_IOCTL_DROP; + runtime->oss.prepare = 1; + } +- err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); +- if (err < 0) +- return err; +- } + _skip1: ++ mutex_unlock(&runtime->oss.params_lock); ++ if (cmd) { ++ err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); ++ if (err < 0) ++ return err; ++ } ++ } + if (csubstream) { + runtime = csubstream->runtime; ++ cmd = 0; ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; + if (trigger & PCM_ENABLE_INPUT) { + if (runtime->oss.trigger) + goto _skip2; +@@ -2049,11 +2160,14 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + cmd = SNDRV_PCM_IOCTL_DROP; + runtime->oss.prepare = 1; + } +- err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); +- if (err < 0) +- return err; +- } + _skip2: ++ mutex_unlock(&runtime->oss.params_lock); ++ if (cmd) { ++ err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); ++ if (err < 0) ++ return err; ++ } ++ } + return 0; + } + +@@ -2305,6 +2419,7 @@ static void snd_pcm_oss_init_substream(struct snd_pcm_substream *substream, + runtime->oss.maxfrags = 0; + runtime->oss.subdivision = 0; + substream->pcm_release = snd_pcm_oss_release_substream; ++ atomic_set(&runtime->oss.rw_ref, 0); + } + + static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file) +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index 1f64ab0c2a95..7ae080bae15c 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(struct snd_pcm_substream *substream, + return -ENOTTY; + if (substream->stream != dir) + return -EINVAL; ++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN) ++ return -EBADFD; + + if ((ch = substream->runtime->channels) > 128) + return -EINVAL; +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index aa999e747c94..889087808ebe 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2729,6 +2729,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream, + sync_ptr.s.status.hw_ptr = status->hw_ptr; + sync_ptr.s.status.tstamp = status->tstamp; + sync_ptr.s.status.suspended_state = status->suspended_state; ++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp; + snd_pcm_stream_unlock_irq(substream); + if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr))) + return -EFAULT; +@@ -3410,7 +3411,7 @@ int snd_pcm_lib_default_mmap(struct snd_pcm_substream *substream, + area, + substream->runtime->dma_area, + substream->runtime->dma_addr, +- area->vm_end - area->vm_start); ++ substream->runtime->dma_bytes); + #endif /* CONFIG_X86 */ + /* mmap with fault handler */ + area->vm_ops = &snd_pcm_vm_ops_data_fault; +diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c +index 09a89094dcf7..4e304a24924a 100644 +--- a/sound/core/rawmidi_compat.c ++++ b/sound/core/rawmidi_compat.c +@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile, + struct snd_rawmidi_params params; + unsigned int val; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(params.stream, &src->stream) || + get_user(params.buffer_size, &src->buffer_size) || + get_user(params.avail_min, &src->avail_min) || +@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile, + params.no_active_sensing = val; + switch (params.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + return snd_rawmidi_output_params(rfile->output, ¶ms); + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + return snd_rawmidi_input_params(rfile->input, ¶ms); + } + return -EINVAL; +@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile, + int err; + struct snd_rawmidi_status status; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(status.stream, &src->stream)) + return -EFAULT; + + switch (status.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + err = snd_rawmidi_output_status(rfile->output, &status); + break; + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + err = snd_rawmidi_input_status(rfile->input, &status); + break; + default: +@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile, + int err; + struct snd_rawmidi_status status; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(status.stream, &src->stream)) + return -EFAULT; + + switch (status.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + err = snd_rawmidi_output_status(rfile->output, &status); + break; + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + err = snd_rawmidi_input_status(rfile->input, &status); + break; + default: +diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c +index c3908862bc8b..86ca584c27b2 100644 +--- a/sound/core/seq/oss/seq_oss_event.c ++++ b/sound/core/seq/oss/seq_oss_event.c +@@ -26,6 +26,7 @@ + #include <sound/seq_oss_legacy.h> + #include "seq_oss_readq.h" + #include "seq_oss_writeq.h" ++#include <linux/nospec.h> + + + /* +@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st + { + struct seq_oss_synthinfo *info; + +- if (!snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- info = &dp->synths[dev]; + switch (info->arg.event_passing) { + case SNDRV_SEQ_OSS_PROCESS_EVENTS: + if (! info->ch || ch < 0 || ch >= info->nr_voices) { +@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev); + } + ++ ch = array_index_nospec(ch, info->nr_voices); + if (note == 255 && info->ch[ch].note >= 0) { + /* volume control */ + int type; +@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + { + struct seq_oss_synthinfo *info; + +- if (!snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- info = &dp->synths[dev]; + switch (info->arg.event_passing) { + case SNDRV_SEQ_OSS_PROCESS_EVENTS: + if (! info->ch || ch < 0 || ch >= info->nr_voices) { +@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev); + } + ++ ch = array_index_nospec(ch, info->nr_voices); + if (info->ch[ch].note >= 0) { + note = info->ch[ch].note; + info->ch[ch].vel = 0; +@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + static int + set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ if (!snd_seq_oss_synth_info(dp, dev)) + return -ENXIO; + + ev->type = type; +@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, + static int + set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ if (!snd_seq_oss_synth_info(dp, dev)) + return -ENXIO; + + ev->type = type; +diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c +index 74c68a0f8abe..28c8e6720a08 100644 +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -29,6 +29,7 @@ + #include "../seq_lock.h" + #include <linux/init.h> + #include <linux/slab.h> ++#include <linux/nospec.h> + + + /* +@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev) + { + if (dev < 0 || dev >= dp->max_mididev) + return NULL; ++ dev = array_index_nospec(dev, dp->max_mididev); + return get_mdev(dev); + } + +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c +index f38cf91b4faf..ff3fe10555eb 100644 +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -26,6 +26,7 @@ + #include <linux/init.h> + #include <linux/module.h> + #include <linux/slab.h> ++#include <linux/nospec.h> + + /* + * constants +@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp) + dp->max_synthdev = 0; + } + +-/* +- * check if the specified device is MIDI mapped device +- */ +-static int +-is_midi_dev(struct seq_oss_devinfo *dp, int dev) ++static struct seq_oss_synthinfo * ++get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev) + { + if (dev < 0 || dev >= dp->max_synthdev) +- return 0; +- if (dp->synths[dev].is_midi) +- return 1; +- return 0; ++ return NULL; ++ dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS); ++ return &dp->synths[dev]; + } + + /* +@@ -359,14 +356,20 @@ static struct seq_oss_synth * + get_synthdev(struct seq_oss_devinfo *dp, int dev) + { + struct seq_oss_synth *rec; +- if (dev < 0 || dev >= dp->max_synthdev) +- return NULL; +- if (! dp->synths[dev].opened) ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); ++ ++ if (!info) + return NULL; +- if (dp->synths[dev].is_midi) +- return &midi_synth_dev; +- if ((rec = get_sdev(dev)) == NULL) ++ if (!info->opened) + return NULL; ++ if (info->is_midi) { ++ rec = &midi_synth_dev; ++ snd_use_lock_use(&rec->use_lock); ++ } else { ++ rec = get_sdev(dev); ++ if (!rec) ++ return NULL; ++ } + if (! rec->opened) { + snd_use_lock_free(&rec->use_lock); + return NULL; +@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev) + struct seq_oss_synth *rec; + struct seq_oss_synthinfo *info; + +- if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev)) +- return; +- info = &dp->synths[dev]; +- if (! info->opened) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info || !info->opened) + return; + if (info->sysex) + info->sysex->len = 0; /* reset sysex */ +@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + const char __user *buf, int p, int c) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info; + int rc; + +- if (dev < 0 || dev >= dp->max_synthdev) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info) + return -ENXIO; + +- if (is_midi_dev(dp, dev)) ++ if (info->is_midi) + return 0; + if ((rec = get_synthdev(dp, dev)) == NULL) + return -ENXIO; +@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + if (rec->oper.load_patch == NULL) + rc = -ENXIO; + else +- rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c); ++ rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c); + snd_use_lock_free(&rec->use_lock); + return rc; + } + + /* +- * check if the device is valid synth device ++ * check if the device is valid synth device and return the synth info + */ +-int +-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev) ++struct seq_oss_synthinfo * ++snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev) + { + struct seq_oss_synth *rec; ++ + rec = get_synthdev(dp, dev); + if (rec) { + snd_use_lock_free(&rec->use_lock); +- return 1; ++ return get_synthinfo_nospec(dp, dev); + } +- return 0; ++ return NULL; + } + + +@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + int i, send; + unsigned char *dest; + struct seq_oss_synth_sysex *sysex; ++ struct seq_oss_synthinfo *info; + +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- sysex = dp->synths[dev].sysex; ++ sysex = info->sysex; + if (sysex == NULL) { + sysex = kzalloc(sizeof(*sysex), GFP_KERNEL); + if (sysex == NULL) + return -ENOMEM; +- dp->synths[dev].sysex = sysex; ++ info->sysex = sysex; + } + + send = 0; +@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + int + snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev); ++ ++ if (!info) + return -EINVAL; +- snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client, +- dp->synths[dev].arg.addr.port); ++ snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client, ++ info->arg.addr.port); + return 0; + } + +@@ -568,16 +576,18 @@ int + snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info; + int rc; + +- if (is_midi_dev(dp, dev)) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info || info->is_midi) + return -ENXIO; + if ((rec = get_synthdev(dp, dev)) == NULL) + return -ENXIO; + if (rec->oper.ioctl == NULL) + rc = -ENXIO; + else +- rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr); ++ rc = rec->oper.ioctl(&info->arg, cmd, addr); + snd_use_lock_free(&rec->use_lock); + return rc; + } +@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, u + int + snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev)) ++ struct seq_oss_synthinfo *info; ++ ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info || info->is_midi) + return -ENXIO; + ev->type = SNDRV_SEQ_EVENT_OSS; + memcpy(ev->data.raw8.d, data, 8); +diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h +index 74ac55f166b6..a63f9e22974d 100644 +--- a/sound/core/seq/oss/seq_oss_synth.h ++++ b/sound/core/seq/oss/seq_oss_synth.h +@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp); + void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev); + int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + const char __user *buf, int p, int c); +-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev); ++struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, ++ int dev); + int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + struct snd_seq_event *ev); + int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev); +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index dac0a54e39de..64a1ae720e49 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -270,12 +270,12 @@ static int seq_free_client1(struct snd_seq_client *client) + + if (!client) + return 0; +- snd_seq_delete_all_ports(client); +- snd_seq_queue_client_leave(client->number); + spin_lock_irqsave(&clients_lock, flags); + clienttablock[client->number] = 1; + clienttab[client->number] = NULL; + spin_unlock_irqrestore(&clients_lock, flags); ++ snd_seq_delete_all_ports(client); ++ snd_seq_queue_client_leave(client->number); + snd_use_lock_sync(&client->use_lock); + snd_seq_queue_client_termination(client->number); + if (client->pool) +diff --git a/sound/core/seq/seq_prioq.c b/sound/core/seq/seq_prioq.c +index bc1c8488fc2a..2bc6759e4adc 100644 +--- a/sound/core/seq/seq_prioq.c ++++ b/sound/core/seq/seq_prioq.c +@@ -87,7 +87,7 @@ void snd_seq_prioq_delete(struct snd_seq_prioq **fifo) + if (f->cells > 0) { + /* drain prioQ */ + while (f->cells > 0) +- snd_seq_cell_free(snd_seq_prioq_cell_out(f)); ++ snd_seq_cell_free(snd_seq_prioq_cell_out(f, NULL)); + } + + kfree(f); +@@ -214,8 +214,18 @@ int snd_seq_prioq_cell_in(struct snd_seq_prioq * f, + return 0; + } + ++/* return 1 if the current time >= event timestamp */ ++static int event_is_ready(struct snd_seq_event *ev, void *current_time) ++{ ++ if ((ev->flags & SNDRV_SEQ_TIME_STAMP_MASK) == SNDRV_SEQ_TIME_STAMP_TICK) ++ return snd_seq_compare_tick_time(current_time, &ev->time.tick); ++ else ++ return snd_seq_compare_real_time(current_time, &ev->time.time); ++} ++ + /* dequeue cell from prioq */ +-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f) ++struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f, ++ void *current_time) + { + struct snd_seq_event_cell *cell; + unsigned long flags; +@@ -227,6 +237,8 @@ struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f) + spin_lock_irqsave(&f->lock, flags); + + cell = f->head; ++ if (cell && current_time && !event_is_ready(&cell->event, current_time)) ++ cell = NULL; + if (cell) { + f->head = cell->next; + +@@ -252,18 +264,6 @@ int snd_seq_prioq_avail(struct snd_seq_prioq * f) + return f->cells; + } + +- +-/* peek at cell at the head of the prioq */ +-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq * f) +-{ +- if (f == NULL) { +- pr_debug("ALSA: seq: snd_seq_prioq_cell_in() called with NULL prioq\n"); +- return NULL; +- } +- return f->head; +-} +- +- + static inline int prioq_match(struct snd_seq_event_cell *cell, + int client, int timestamp) + { +diff --git a/sound/core/seq/seq_prioq.h b/sound/core/seq/seq_prioq.h +index d38bb78d9345..2c315ca10fc4 100644 +--- a/sound/core/seq/seq_prioq.h ++++ b/sound/core/seq/seq_prioq.h +@@ -44,14 +44,12 @@ void snd_seq_prioq_delete(struct snd_seq_prioq **fifo); + int snd_seq_prioq_cell_in(struct snd_seq_prioq *f, struct snd_seq_event_cell *cell); + + /* dequeue cell from prioq */ +-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f); ++struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f, ++ void *current_time); + + /* return number of events available in prioq */ + int snd_seq_prioq_avail(struct snd_seq_prioq *f); + +-/* peek at cell at the head of the prioq */ +-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq *f); +- + /* client left queue */ + void snd_seq_prioq_leave(struct snd_seq_prioq *f, int client, int timestamp); + +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index a7bd074f6c0e..b83fdc72011e 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -277,30 +277,20 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + + __again: + /* Process tick queue... */ +- while ((cell = snd_seq_prioq_cell_peek(q->tickq)) != NULL) { +- if (snd_seq_compare_tick_time(&q->timer->tick.cur_tick, +- &cell->event.time.tick)) { +- cell = snd_seq_prioq_cell_out(q->tickq); +- if (cell) +- snd_seq_dispatch_event(cell, atomic, hop); +- } else { +- /* event remains in the queue */ ++ for (;;) { ++ cell = snd_seq_prioq_cell_out(q->tickq, ++ &q->timer->tick.cur_tick); ++ if (!cell) + break; +- } ++ snd_seq_dispatch_event(cell, atomic, hop); + } + +- + /* Process time queue... */ +- while ((cell = snd_seq_prioq_cell_peek(q->timeq)) != NULL) { +- if (snd_seq_compare_real_time(&q->timer->cur_time, +- &cell->event.time.time)) { +- cell = snd_seq_prioq_cell_out(q->timeq); +- if (cell) +- snd_seq_dispatch_event(cell, atomic, hop); +- } else { +- /* event remains in the queue */ ++ for (;;) { ++ cell = snd_seq_prioq_cell_out(q->timeq, &q->timer->cur_time); ++ if (!cell) + break; +- } ++ snd_seq_dispatch_event(cell, atomic, hop); + } + + /* free lock */ +diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c +index 3b126af4a026..ef494ffc1369 100644 +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream, + } + return; + } ++ spin_lock_irqsave(&substream->runtime->lock, flags); + if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) { + if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0) +- return; ++ goto out; + vmidi->event.type = SNDRV_SEQ_EVENT_NONE; + } +- spin_lock_irqsave(&substream->runtime->lock, flags); + while (1) { + count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf)); + if (count <= 0) +diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c +index 83ae083b192f..23df6a501648 100644 +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -192,6 +192,11 @@ static inline void loopback_timer_stop(struct loopback_pcm *dpcm) + dpcm->timer.expires = 0; + } + ++static inline void loopback_timer_stop_sync(struct loopback_pcm *dpcm) ++{ ++ del_timer_sync(&dpcm->timer); ++} ++ + #define CABLE_VALID_PLAYBACK (1 << SNDRV_PCM_STREAM_PLAYBACK) + #define CABLE_VALID_CAPTURE (1 << SNDRV_PCM_STREAM_CAPTURE) + #define CABLE_VALID_BOTH (CABLE_VALID_PLAYBACK|CABLE_VALID_CAPTURE) +@@ -291,6 +296,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd) + cable->pause |= stream; + loopback_timer_stop(dpcm); + spin_unlock(&cable->lock); ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ loopback_active_notify(dpcm); + break; + case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: + case SNDRV_PCM_TRIGGER_RESUME: +@@ -299,6 +306,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd) + cable->pause &= ~stream; + loopback_timer_start(dpcm); + spin_unlock(&cable->lock); ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ loopback_active_notify(dpcm); + break; + default: + return -EINVAL; +@@ -326,6 +335,8 @@ static int loopback_prepare(struct snd_pcm_substream *substream) + struct loopback_cable *cable = dpcm->cable; + int bps, salign; + ++ loopback_timer_stop_sync(dpcm); ++ + salign = (snd_pcm_format_width(runtime->format) * + runtime->channels) / 8; + bps = salign * runtime->rate; +@@ -659,7 +670,9 @@ static void free_cable(struct snd_pcm_substream *substream) + return; + if (cable->streams[!substream->stream]) { + /* other stream is still alive */ ++ spin_lock_irq(&cable->lock); + cable->streams[substream->stream] = NULL; ++ spin_unlock_irq(&cable->lock); + } else { + /* free the cable */ + loopback->cables[substream->number][dev] = NULL; +@@ -699,7 +712,6 @@ static int loopback_open(struct snd_pcm_substream *substream) + loopback->cables[substream->number][dev] = cable; + } + dpcm->cable = cable; +- cable->streams[substream->stream] = dpcm; + + snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS); + +@@ -731,6 +743,11 @@ static int loopback_open(struct snd_pcm_substream *substream) + runtime->hw = loopback_pcm_hardware; + else + runtime->hw = cable->hw; ++ ++ spin_lock_irq(&cable->lock); ++ cable->streams[substream->stream] = dpcm; ++ spin_unlock_irq(&cable->lock); ++ + unlock: + if (err < 0) { + free_cable(substream); +@@ -745,7 +762,7 @@ static int loopback_close(struct snd_pcm_substream *substream) + struct loopback *loopback = substream->private_data; + struct loopback_pcm *dpcm = substream->runtime->private_data; + +- loopback_timer_stop(dpcm); ++ loopback_timer_stop_sync(dpcm); + mutex_lock(&loopback->cable_lock); + free_cable(substream); + mutex_unlock(&loopback->cable_lock); +@@ -815,9 +832,11 @@ static int loopback_rate_shift_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].rate_shift; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -849,9 +868,11 @@ static int loopback_notify_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -863,12 +884,14 @@ static int loopback_notify_put(struct snd_kcontrol *kcontrol, + int change = 0; + + val = ucontrol->value.integer.value[0] ? 1 : 0; ++ mutex_lock(&loopback->cable_lock); + if (val != loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify) { + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify = val; + change = 1; + } ++ mutex_unlock(&loopback->cable_lock); + return change; + } + +@@ -876,13 +899,18 @@ static int loopback_active_get(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); +- struct loopback_cable *cable = loopback->cables +- [kcontrol->id.subdevice][kcontrol->id.device ^ 1]; ++ struct loopback_cable *cable; ++ + unsigned int val = 0; + +- if (cable != NULL) +- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? +- 1 : 0; ++ mutex_lock(&loopback->cable_lock); ++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1]; ++ if (cable != NULL) { ++ unsigned int running = cable->running ^ cable->pause; ++ ++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0; ++ } ++ mutex_unlock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = val; + return 0; + } +@@ -925,9 +953,11 @@ static int loopback_rate_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].rate; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -947,9 +977,11 @@ static int loopback_channels_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].channels; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c +index ddcc1a325a61..42920a243328 100644 +--- a/sound/drivers/opl3/opl3_synth.c ++++ b/sound/drivers/opl3/opl3_synth.c +@@ -21,6 +21,7 @@ + + #include <linux/slab.h> + #include <linux/export.h> ++#include <linux/nospec.h> + #include <sound/opl3.h> + #include <sound/asound_fm.h> + +@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v + { + unsigned short reg_side; + unsigned char op_offset; +- unsigned char voice_offset; ++ unsigned char voice_offset, voice_op; + + unsigned short opl3_reg; + unsigned char reg_val; +@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v + voice_offset = voice->voice - MAX_OPL2_VOICES; + } + /* Get register offset of operator */ +- op_offset = snd_opl3_regmap[voice_offset][voice->op]; ++ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES); ++ voice_op = array_index_nospec(voice->op, 4); ++ op_offset = snd_opl3_regmap[voice_offset][voice_op]; + + reg_val = 0x00; + /* Set amplitude modulation (tremolo) effect */ +diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c +index 57df06e76968..cc009a4a3d1d 100644 +--- a/sound/pci/hda/hda_hwdep.c ++++ b/sound/pci/hda/hda_hwdep.c +@@ -21,6 +21,7 @@ + #include <linux/init.h> + #include <linux/slab.h> + #include <linux/compat.h> ++#include <linux/nospec.h> + #include <sound/core.h> + #include "hda_codec.h" + #include "hda_local.h" +@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec, + + if (get_user(verb, &arg->verb)) + return -EFAULT; +- res = get_wcaps(codec, verb >> 24); ++ /* open-code get_wcaps(verb>>24) with nospec */ ++ verb >>= 24; ++ if (verb < codec->core.start_nid || ++ verb >= codec->core.start_nid + codec->core.num_nodes) { ++ res = 0; ++ } else { ++ verb -= codec->core.start_nid; ++ verb = array_index_nospec(verb, codec->core.num_nodes); ++ res = codec->wcaps[verb]; ++ } + if (put_user(res, &arg->res)) + return -EFAULT; + return 0; +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index b8886d493083..8c9345949794 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1393,7 +1393,8 @@ static void azx_check_snoop_available(struct azx *chip) + */ + u8 val; + pci_read_config_byte(chip->pci, 0x42, &val); +- if (!(val & 0x80) && chip->pci->revision == 0x30) ++ if (!(val & 0x80) && (chip->pci->revision == 0x30 || ++ chip->pci->revision == 0x20)) + snoop = false; + } + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 0fd1402e427b..64214c72a71b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3250,8 +3250,12 @@ static void alc269_fixup_mic_mute_hook(void *private_data, int enabled) + pinval = snd_hda_codec_get_pin_target(codec, spec->mute_led_nid); + pinval &= ~AC_PINCTL_VREFEN; + pinval |= enabled ? AC_PINCTL_VREF_HIZ : AC_PINCTL_VREF_80; +- if (spec->mute_led_nid) ++ if (spec->mute_led_nid) { ++ /* temporarily power up/down for setting VREF */ ++ snd_hda_power_up_pm(codec); + snd_hda_set_pin_ctl_cache(codec, spec->mute_led_nid, pinval); ++ snd_hda_power_down_pm(codec); ++ } + } + + /* Make sure the led works even in runtime suspend */ +@@ -6723,6 +6727,7 @@ enum { + ALC668_FIXUP_DELL_DISABLE_AAMIX, + ALC668_FIXUP_DELL_XPS13, + ALC662_FIXUP_ASUS_Nx50, ++ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE, + ALC668_FIXUP_ASUS_Nx51, + }; + +@@ -6970,14 +6975,21 @@ static const struct hda_fixup alc662_fixups[] = { + .chained = true, + .chain_id = ALC662_FIXUP_BASS_1A + }, ++ [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_mode_alc668, ++ .chain_id = ALC662_FIXUP_BASS_CHMAP ++ }, + [ALC668_FIXUP_ASUS_Nx51] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +- {0x1a, 0x90170151}, /* bass speaker */ ++ { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */ ++ { 0x1a, 0x90170151 }, /* bass speaker */ ++ { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */ + {} + }, + .chained = true, +- .chain_id = ALC662_FIXUP_BASS_CHMAP, ++ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE, + }, + }; + +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index 7f6190606f5e..61a8eafc575c 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -137,6 +137,7 @@ + #include <linux/pci.h> + #include <linux/math64.h> + #include <linux/io.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/control.h> +@@ -5692,40 +5693,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream, + struct snd_pcm_channel_info *info) + { + struct hdspm *hdspm = snd_pcm_substream_chip(substream); ++ unsigned int channel = info->channel; + + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) { ++ if (snd_BUG_ON(channel >= hdspm->max_channels_out)) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: output channel out of range (%d)\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- if (hdspm->channel_map_out[info->channel] < 0) { ++ channel = array_index_nospec(channel, hdspm->max_channels_out); ++ if (hdspm->channel_map_out[channel] < 0) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: output channel %d mapped out\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- info->offset = hdspm->channel_map_out[info->channel] * ++ info->offset = hdspm->channel_map_out[channel] * + HDSPM_CHANNEL_BUFFER_BYTES; + } else { +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) { ++ if (snd_BUG_ON(channel >= hdspm->max_channels_in)) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: input channel out of range (%d)\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- if (hdspm->channel_map_in[info->channel] < 0) { ++ channel = array_index_nospec(channel, hdspm->max_channels_in); ++ if (hdspm->channel_map_in[channel] < 0) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: input channel %d mapped out\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- info->offset = hdspm->channel_map_in[info->channel] * ++ info->offset = hdspm->channel_map_in[channel] * + HDSPM_CHANNEL_BUFFER_BYTES; + } + +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c +index fdbc0aa2776a..c253bdf92e36 100644 +--- a/sound/pci/rme9652/rme9652.c ++++ b/sound/pci/rme9652/rme9652.c +@@ -26,6 +26,7 @@ + #include <linux/pci.h> + #include <linux/module.h> + #include <linux/io.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/control.h> +@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream, + if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS)) + return -EINVAL; + +- if ((chn = rme9652->channel_map[info->channel]) < 0) { ++ chn = rme9652->channel_map[array_index_nospec(info->channel, ++ RME9652_NCHANNELS)]; ++ if (chn < 0) + return -EINVAL; +- } + + info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES; + info->first = 0; +diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c +index 314eaece1b7d..ddf67da394de 100644 +--- a/sound/soc/codecs/ssm2602.c ++++ b/sound/soc/codecs/ssm2602.c +@@ -54,10 +54,17 @@ struct ssm2602_priv { + * using 2 wire for device control, so we cache them instead. + * There is no point in caching the reset register + */ +-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = { +- 0x0097, 0x0097, 0x0079, 0x0079, +- 0x000a, 0x0008, 0x009f, 0x000a, +- 0x0000, 0x0000 ++static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { ++ { .reg = 0x00, .def = 0x0097 }, ++ { .reg = 0x01, .def = 0x0097 }, ++ { .reg = 0x02, .def = 0x0079 }, ++ { .reg = 0x03, .def = 0x0079 }, ++ { .reg = 0x04, .def = 0x000a }, ++ { .reg = 0x05, .def = 0x0008 }, ++ { .reg = 0x06, .def = 0x009f }, ++ { .reg = 0x07, .def = 0x000a }, ++ { .reg = 0x08, .def = 0x0000 }, ++ { .reg = 0x09, .def = 0x0000 } + }; + + +@@ -620,8 +627,8 @@ const struct regmap_config ssm2602_regmap_config = { + .volatile_reg = ssm2602_register_volatile, + + .cache_type = REGCACHE_RBTREE, +- .reg_defaults_raw = ssm2602_reg, +- .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg), ++ .reg_defaults = ssm2602_reg, ++ .num_reg_defaults = ARRAY_SIZE(ssm2602_reg), + }; + EXPORT_SYMBOL_GPL(ssm2602_regmap_config); + +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c +index 5c7597191e3f..80e3ca115f15 100644 +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio, + + psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8; + ++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */ ++ if (ratio <= 256) { ++ pm = ratio; ++ fp = 1; ++ goto out; ++ } ++ + /* Set the max fluctuation -- 0.1% of the max devisor */ + savesub = (psr ? 1 : 8) * 256 * maxfp / 1000; + +diff --git a/sound/soc/intel/atom/sst/sst_stream.c b/sound/soc/intel/atom/sst/sst_stream.c +index a74c64c7053c..e83da42a8c03 100644 +--- a/sound/soc/intel/atom/sst/sst_stream.c ++++ b/sound/soc/intel/atom/sst/sst_stream.c +@@ -221,7 +221,7 @@ int sst_send_byte_stream_mrfld(struct intel_sst_drv *sst_drv_ctx, + sst_free_block(sst_drv_ctx, block); + out: + test_and_clear_bit(pvt_id, &sst_drv_ctx->pvt_id); +- return 0; ++ return ret; + } + + /* +diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c +index 20a28b22e30f..5c3a38612c01 100644 +--- a/sound/soc/intel/boards/cht_bsw_rt5645.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c +@@ -89,6 +89,7 @@ static const struct snd_soc_dapm_widget cht_dapm_widgets[] = { + SND_SOC_DAPM_HP("Headphone", NULL), + SND_SOC_DAPM_MIC("Headset Mic", NULL), + SND_SOC_DAPM_MIC("Int Mic", NULL), ++ SND_SOC_DAPM_MIC("Int Analog Mic", NULL), + SND_SOC_DAPM_SPK("Ext Spk", NULL), + SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0, + platform_clock_control, SND_SOC_DAPM_POST_PMD), +@@ -99,6 +100,8 @@ static const struct snd_soc_dapm_route cht_audio_map[] = { + {"IN1N", NULL, "Headset Mic"}, + {"DMIC L1", NULL, "Int Mic"}, + {"DMIC R1", NULL, "Int Mic"}, ++ {"IN2P", NULL, "Int Analog Mic"}, ++ {"IN2N", NULL, "Int Analog Mic"}, + {"Headphone", NULL, "HPOL"}, + {"Headphone", NULL, "HPOR"}, + {"Ext Spk", NULL, "SPOL"}, +@@ -112,6 +115,9 @@ static const struct snd_soc_dapm_route cht_audio_map[] = { + {"Headphone", NULL, "Platform Clock"}, + {"Headset Mic", NULL, "Platform Clock"}, + {"Int Mic", NULL, "Platform Clock"}, ++ {"Int Analog Mic", NULL, "Platform Clock"}, ++ {"Int Analog Mic", NULL, "micbias1"}, ++ {"Int Analog Mic", NULL, "micbias2"}, + {"Ext Spk", NULL, "Platform Clock"}, + }; + +@@ -119,6 +125,7 @@ static const struct snd_kcontrol_new cht_mc_controls[] = { + SOC_DAPM_PIN_SWITCH("Headphone"), + SOC_DAPM_PIN_SWITCH("Headset Mic"), + SOC_DAPM_PIN_SWITCH("Int Mic"), ++ SOC_DAPM_PIN_SWITCH("Int Analog Mic"), + SOC_DAPM_PIN_SWITCH("Ext Spk"), + }; + +diff --git a/sound/soc/nuc900/nuc900-ac97.c b/sound/soc/nuc900/nuc900-ac97.c +index b6615affe571..fde974d52bb2 100644 +--- a/sound/soc/nuc900/nuc900-ac97.c ++++ b/sound/soc/nuc900/nuc900-ac97.c +@@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(struct snd_ac97 *ac97, + + /* polling the AC_R_FINISH */ + while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH) +- && timeout--) ++ && --timeout) + mdelay(1); + + if (!timeout) { +@@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd_ac97 *ac97, unsigned short reg, + + /* polling the AC_W_FINISH */ + while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH) +- && timeout--) ++ && --timeout) + mdelay(1); + + if (!timeout) +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index 4599983cfc8a..c3b9d01d4e91 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -396,6 +396,13 @@ static irqreturn_t rsnd_ssi_interrupt(int irq, void *data) + struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io); + u32 *buf = (u32 *)(runtime->dma_area + + rsnd_dai_pointer_offset(io, 0)); ++ int shift = 0; ++ ++ switch (runtime->sample_bits) { ++ case 32: ++ shift = 8; ++ break; ++ } + + /* + * 8/16/32 data can be assesse to TDR/RDR register +@@ -403,9 +410,9 @@ static irqreturn_t rsnd_ssi_interrupt(int irq, void *data) + * see rsnd_ssi_init() + */ + if (rsnd_io_is_play(io)) +- rsnd_mod_write(mod, SSITDR, *buf); ++ rsnd_mod_write(mod, SSITDR, (*buf) << shift); + else +- *buf = rsnd_mod_read(mod, SSIRDR); ++ *buf = (rsnd_mod_read(mod, SSIRDR) >> shift); + + rsnd_dai_pointer_update(io, sizeof(*buf)); + } +diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c +index cebea9b7f769..6a9be1df7851 100644 +--- a/sound/usb/line6/midi.c ++++ b/sound/usb/line6/midi.c +@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_line6 *line6, unsigned char *data, + } + + usb_fill_int_urb(urb, line6->usbdev, +- usb_sndbulkpipe(line6->usbdev, ++ usb_sndintpipe(line6->usbdev, + line6->properties->ep_ctrl_w), + transfer_buffer, length, midi_sent, line6, + line6->interval); +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c +index 1f8fb0d904e0..f5cf23ffb35b 100644 +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -351,8 +351,11 @@ static struct usbmix_name_map bose_companion5_map[] = { + /* + * Dell usb dock with ALC4020 codec had a firmware problem where it got + * screwed up when zero volume is passed; just skip it as a workaround ++ * ++ * Also the extension unit gives an access error, so skip it as well. + */ + static const struct usbmix_name_map dell_alc4020_map[] = { ++ { 4, NULL }, /* extension unit */ + { 16, NULL }, + { 19, NULL }, + { 0 } +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 09b9b74e4c1b..6b169043db1f 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1023,6 +1023,10 @@ static struct syscall_fmt { + { .name = "mlockall", .errmsg = true, + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, }, + { .name = "mmap", .hexret = true, ++/* The standard mmap maps to old_mmap on s390x */ ++#if defined(__s390x__) ++ .alias = "old_mmap", ++#endif + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ + [2] = SCA_MMAP_PROT, /* prot */ + [3] = SCA_MMAP_FLAGS, /* flags */ +diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c +index f671ec37a7c4..0a9362680aa4 100644 +--- a/tools/perf/tests/code-reading.c ++++ b/tools/perf/tests/code-reading.c +@@ -140,6 +140,8 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode, + unsigned char buf2[BUFSZ]; + size_t ret_len; + u64 objdump_addr; ++ const char *objdump_name; ++ char decomp_name[KMOD_DECOMP_LEN]; + int ret; + + pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr); +@@ -200,9 +202,25 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode, + state->done[state->done_cnt++] = al.map->start; + } + ++ objdump_name = al.map->dso->long_name; ++ if (dso__needs_decompress(al.map->dso)) { ++ if (dso__decompress_kmodule_path(al.map->dso, objdump_name, ++ decomp_name, ++ sizeof(decomp_name)) < 0) { ++ pr_debug("decompression failed\n"); ++ return -1; ++ } ++ ++ objdump_name = decomp_name; ++ } ++ + /* Read the object code using objdump */ + objdump_addr = map__rip_2objdump(al.map, al.addr); +- ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len); ++ ret = read_via_objdump(objdump_name, objdump_addr, buf2, len); ++ ++ if (dso__needs_decompress(al.map->dso)) ++ unlink(objdump_name); ++ + if (ret > 0) { + /* + * The kernel maps are inaccurate - assume objdump is right in +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c +index 12ad79717d94..36822be05b07 100644 +--- a/tools/perf/util/event.c ++++ b/tools/perf/util/event.c +@@ -221,8 +221,8 @@ int perf_event__synthesize_mmap_events(struct perf_tool *tool, + if (machine__is_default_guest(machine)) + return 0; + +- snprintf(filename, sizeof(filename), "%s/proc/%d/maps", +- machine->root_dir, pid); ++ snprintf(filename, sizeof(filename), "%s/proc/%d/task/%d/maps", ++ machine->root_dir, pid, pid); + + fp = fopen(filename, "r"); + if (fp == NULL) { +diff --git a/tools/perf/util/ordered-events.c b/tools/perf/util/ordered-events.c +index 52be201b9b25..90a986740684 100644 +--- a/tools/perf/util/ordered-events.c ++++ b/tools/perf/util/ordered-events.c +@@ -79,7 +79,7 @@ static union perf_event *dup_event(struct ordered_events *oe, + + static void free_dup_event(struct ordered_events *oe, union perf_event *event) + { +- if (oe->copy_on_queue) { ++ if (event && oe->copy_on_queue) { + oe->cur_alloc_size -= event->header.size; + free(event); + } +@@ -150,6 +150,7 @@ void ordered_events__delete(struct ordered_events *oe, struct ordered_event *eve + list_move(&event->list, &oe->cache); + oe->nr_events--; + free_dup_event(oe, event->event); ++ event->event = NULL; + } + + int ordered_events__queue(struct ordered_events *oe, union perf_event *event, +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index 83054ef6c1a1..f947f069449c 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -132,8 +132,14 @@ struct perf_session *perf_session__new(struct perf_data_file *file, + if (perf_session__open(session) < 0) + goto out_close; + +- perf_session__set_id_hdr_size(session); +- perf_session__set_comm_exec(session); ++ /* ++ * set session attributes that are present in perf.data ++ * but not in pipe-mode. ++ */ ++ if (!file->is_pipe) { ++ perf_session__set_id_hdr_size(session); ++ perf_session__set_comm_exec(session); ++ } + } + } + +@@ -146,7 +152,11 @@ struct perf_session *perf_session__new(struct perf_data_file *file, + pr_warning("Cannot read kernel map\n"); + } + +- if (tool && tool->ordering_requires_timestamps && ++ /* ++ * In pipe-mode, evlist is empty until PERF_RECORD_HEADER_ATTR is ++ * processed, so perf_evlist__sample_id_all is not meaningful here. ++ */ ++ if ((!file || !file->is_pipe) && tool && tool->ordering_requires_timestamps && + tool->ordered_events && !perf_evlist__sample_id_all(session->evlist)) { + dump_printf("WARNING: No sample_id_all support, falling back to unordered processing\n"); + tool->ordered_events = false; +@@ -1193,6 +1203,7 @@ static int __perf_session__process_pipe_events(struct perf_session *session) + buf = malloc(cur_size); + if (!buf) + return -errno; ++ ordered_events__set_copy_on_queue(oe, true); + more: + event = buf; + err = readn(fd, event, sizeof(struct perf_event_header)); +diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c +index 2dcfe9a7c8d0..60edec383281 100644 +--- a/tools/perf/util/unwind-libdw.c ++++ b/tools/perf/util/unwind-libdw.c +@@ -37,6 +37,14 @@ static int __report_module(struct addr_location *al, u64 ip, + return 0; + + mod = dwfl_addrmodule(ui->dwfl, ip); ++ if (mod) { ++ Dwarf_Addr s; ++ ++ dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL); ++ if (s != al->map->start) ++ mod = 0; ++ } ++ + if (!mod) + mod = dwfl_report_elf(ui->dwfl, dso->short_name, + dso->long_name, -1, al->map->start, +diff --git a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c +index 42d4c8caad81..de8dc82e2567 100644 +--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c ++++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c +@@ -45,12 +45,12 @@ int test_body(void) + printf("Check DSCR TM context switch: "); + fflush(stdout); + for (;;) { +- rv = 1; + asm __volatile__ ( + /* set a known value into the DSCR */ + "ld 3, %[dscr1];" + "mtspr %[sprn_dscr], 3;" + ++ "li %[rv], 1;" + /* start and suspend a transaction */ + TBEGIN + "beq 1f;" +diff --git a/tools/testing/selftests/rcutorture/bin/configinit.sh b/tools/testing/selftests/rcutorture/bin/configinit.sh +index 15f1a17ca96e..0b679d8382c7 100755 +--- a/tools/testing/selftests/rcutorture/bin/configinit.sh ++++ b/tools/testing/selftests/rcutorture/bin/configinit.sh +@@ -51,7 +51,7 @@ then + mkdir $builddir + fi + else +- echo Bad build directory: \"$builddir\" ++ echo Bad build directory: \"$buildloc\" + exit 2 + fi + fi +diff --git a/tools/usb/usbip/src/usbipd.c b/tools/usb/usbip/src/usbipd.c +index 2a7cd2b8d966..8c5b0faba229 100644 +--- a/tools/usb/usbip/src/usbipd.c ++++ b/tools/usb/usbip/src/usbipd.c +@@ -451,7 +451,7 @@ static void set_signal(void) + sigaction(SIGTERM, &act, NULL); + sigaction(SIGINT, &act, NULL); + act.sa_handler = SIG_IGN; +- sigaction(SIGCLD, &act, NULL); ++ sigaction(SIGCHLD, &act, NULL); + } + + static const char *pid_file; |