diff options
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1036_linux-3.18.37.patch | 11191 |
2 files changed, 11195 insertions, 0 deletions
diff --git a/0000_README b/0000_README index fcefa63b..1863a892 100644 --- a/0000_README +++ b/0000_README @@ -187,6 +187,10 @@ Patch: 1035_linux-3.18.36.patch From: http://www.kernel.org Desc: Linux 3.18.36 +Patch: 1036_linux-3.18.37.patch +From: http://www.kernel.org +Desc: Linux 3.18.37 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1036_linux-3.18.37.patch b/1036_linux-3.18.37.patch new file mode 100644 index 00000000..40419a5f --- /dev/null +++ b/1036_linux-3.18.37.patch @@ -0,0 +1,11191 @@ +diff --git a/Documentation/scsi/scsi_eh.txt b/Documentation/scsi/scsi_eh.txt +index a0c85110a07e..689ab9b9953a 100644 +--- a/Documentation/scsi/scsi_eh.txt ++++ b/Documentation/scsi/scsi_eh.txt +@@ -263,19 +263,23 @@ scmd->allowed. + + 3. scmd recovered + ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd +- - shost->host_failed-- + - clear scmd->eh_eflags + - scsi_setup_cmd_retry() + - move from local eh_work_q to local eh_done_q + LOCKING: none ++ CONCURRENCY: at most one thread per separate eh_work_q to ++ keep queue manipulation lockless + + 4. EH completes + ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper +- layer of failure. ++ layer of failure. May be called concurrently but must have ++ a no more than one thread per separate eh_work_q to ++ manipulate the queue locklessly + - scmd is removed from eh_done_q and scmd->eh_entry is cleared + - if retry is necessary, scmd is requeued using + scsi_queue_insert() + - otherwise, scsi_finish_command() is invoked for scmd ++ - zero shost->host_failed + LOCKING: queue or finish function performs appropriate locking + + +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt +index 88152f214f48..302b5ed616a6 100644 +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: + - nr_open + - overflowuid + - overflowgid ++- pipe-user-pages-hard ++- pipe-user-pages-soft + - protected_hardlinks + - protected_symlinks + - suid_dumpable +@@ -159,6 +161,27 @@ The default is 65534. + + ============================================================== + ++pipe-user-pages-hard: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes. ++Once this limit is reached, no new pipes may be allocated until usage goes ++below the limit again. When set to 0, no limit is applied, which is the default ++setting. ++ ++============================================================== ++ ++pipe-user-pages-soft: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes ++before the pipe size gets limited to a single page. Once this limit is reached, ++new pipes will be limited to a single page in size for this user in order to ++limit total memory usage, and trying to increase them using fcntl() will be ++denied until usage goes below the limit again. The default value allows to ++allocate up to 1024 pipes at their default size. When set to 0, no limit is ++applied. ++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based +diff --git a/Makefile b/Makefile +index 497f437efebf..e6953a43fe64 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 18 +-SUBLEVEL = 36 ++SUBLEVEL = 37 + EXTRAVERSION = + NAME = Diseased Newt + +diff --git a/arch/arc/Makefile b/arch/arc/Makefile +index 10bc3d4e8a44..dada919aba27 100644 +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -34,7 +34,6 @@ cflags-$(atleast_gcc44) += -fsection-anchors + cflags-$(CONFIG_ARC_HAS_LLSC) += -mlock + cflags-$(CONFIG_ARC_HAS_SWAPE) += -mswape + cflags-$(CONFIG_ARC_HAS_RTSC) += -mrtsc +-cflags-$(CONFIG_ARC_DW2_UNWIND) += -fasynchronous-unwind-tables + + # By default gcc 4.8 generates dwarf4 which kernel unwinder can't grok + ifeq ($(atleast_gcc48),y) +diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c +index fb98769b6a98..3e349aefdb9e 100644 +--- a/arch/arc/kernel/stacktrace.c ++++ b/arch/arc/kernel/stacktrace.c +@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs *regs, + * prelogue is setup (callee regs saved and then fp set and not other + * way around + */ +- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n"); ++ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n"); + return 0; + + #endif +diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h +index f0279411847d..67a251a815f1 100644 +--- a/arch/arm/include/asm/pgtable-2level.h ++++ b/arch/arm/include/asm/pgtable-2level.h +@@ -163,6 +163,7 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr) + + #define pmd_large(pmd) (pmd_val(pmd) & 2) + #define pmd_bad(pmd) (pmd_val(pmd) & 2) ++#define pmd_present(pmd) (pmd_val(pmd)) + + #define copy_pmd(pmdpd,pmdps) \ + do { \ +diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h +index a31ecdad4b59..b5ef8c7c6220 100644 +--- a/arch/arm/include/asm/pgtable-3level.h ++++ b/arch/arm/include/asm/pgtable-3level.h +@@ -212,6 +212,7 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr) + : !!(pmd_val(pmd) & (val))) + #define pmd_isclear(pmd, val) (!(pmd_val(pmd) & (val))) + ++#define pmd_present(pmd) (pmd_isset((pmd), L_PMD_SECT_VALID)) + #define pmd_young(pmd) (pmd_isset((pmd), PMD_SECT_AF)) + #define pte_special(pte) (pte_isset((pte), L_PTE_SPECIAL)) + static inline pte_t pte_mkspecial(pte_t pte) +@@ -257,8 +258,11 @@ PMD_BIT_FUNC(mkyoung, |= PMD_SECT_AF); + #define pfn_pmd(pfn,prot) (__pmd(((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot))) + #define mk_pmd(page,prot) pfn_pmd(page_to_pfn(page),prot) + +-/* represent a notpresent pmd by zero, this is used by pmdp_invalidate */ +-#define pmd_mknotpresent(pmd) (__pmd(0)) ++/* represent a notpresent pmd by faulting entry, this is used by pmdp_invalidate */ ++static inline pmd_t pmd_mknotpresent(pmd_t pmd) ++{ ++ return __pmd(pmd_val(pmd) & ~L_PMD_SECT_VALID); ++} + + static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot) + { +diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h +index 3b30062975b2..e42bbd9ec427 100644 +--- a/arch/arm/include/asm/pgtable.h ++++ b/arch/arm/include/asm/pgtable.h +@@ -182,7 +182,6 @@ extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; + #define pgd_offset_k(addr) pgd_offset(&init_mm, addr) + + #define pmd_none(pmd) (!pmd_val(pmd)) +-#define pmd_present(pmd) (pmd_val(pmd)) + + static inline pte_t *pmd_page_vaddr(pmd_t pmd) + { +diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c +index ed5834e8e2ac..e8193b987313 100644 +--- a/arch/arm/kvm/arm.c ++++ b/arch/arm/kvm/arm.c +@@ -251,6 +251,7 @@ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu) + kvm_mmu_free_memory_caches(vcpu); + kvm_timer_vcpu_terminate(vcpu); + kvm_vgic_vcpu_destroy(vcpu); ++ kvm_vcpu_uninit(vcpu); + kmem_cache_free(kvm_vcpu_cache, vcpu); + } + +diff --git a/arch/arm/mach-omap2/cpuidle34xx.c b/arch/arm/mach-omap2/cpuidle34xx.c +index e18709d3b95d..38e1bdcaf015 100644 +--- a/arch/arm/mach-omap2/cpuidle34xx.c ++++ b/arch/arm/mach-omap2/cpuidle34xx.c +@@ -34,6 +34,7 @@ + #include "pm.h" + #include "control.h" + #include "common.h" ++#include "soc.h" + + /* Mach specific information to be recorded in the C-state driver_data */ + struct omap3_idle_statedata { +@@ -322,6 +323,69 @@ static struct cpuidle_driver omap3_idle_driver = { + .safe_state_index = 0, + }; + ++/* ++ * Numbers based on measurements made in October 2009 for PM optimized kernel ++ * with CPU freq enabled on device Nokia N900. Assumes OPP2 (main idle OPP, ++ * and worst case latencies). ++ */ ++static struct cpuidle_driver omap3430_idle_driver = { ++ .name = "omap3430_idle", ++ .owner = THIS_MODULE, ++ .states = { ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 110 + 162, ++ .target_residency = 5, ++ .name = "C1", ++ .desc = "MPU ON + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 106 + 180, ++ .target_residency = 309, ++ .name = "C2", ++ .desc = "MPU ON + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 107 + 410, ++ .target_residency = 46057, ++ .name = "C3", ++ .desc = "MPU RET + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 121 + 3374, ++ .target_residency = 46057, ++ .name = "C4", ++ .desc = "MPU OFF + CORE ON", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 855 + 1146, ++ .target_residency = 46057, ++ .name = "C5", ++ .desc = "MPU RET + CORE RET", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 7580 + 4134, ++ .target_residency = 484329, ++ .name = "C6", ++ .desc = "MPU OFF + CORE RET", ++ }, ++ { ++ .enter = omap3_enter_idle_bm, ++ .exit_latency = 7505 + 15274, ++ .target_residency = 484329, ++ .name = "C7", ++ .desc = "MPU OFF + CORE OFF", ++ }, ++ }, ++ .state_count = ARRAY_SIZE(omap3_idle_data), ++ .safe_state_index = 0, ++}; ++ + /* Public functions */ + + /** +@@ -340,5 +404,8 @@ int __init omap3_idle_init(void) + if (!mpu_pd || !core_pd || !per_pd || !cam_pd) + return -ENODEV; + +- return cpuidle_register(&omap3_idle_driver, NULL); ++ if (cpu_is_omap3430()) ++ return cpuidle_register(&omap3430_idle_driver, NULL); ++ else ++ return cpuidle_register(&omap3_idle_driver, NULL); + } +diff --git a/arch/arm/mach-s3c64xx/dev-audio.c b/arch/arm/mach-s3c64xx/dev-audio.c +index ff780a8d8366..9a42736ef4ac 100644 +--- a/arch/arm/mach-s3c64xx/dev-audio.c ++++ b/arch/arm/mach-s3c64xx/dev-audio.c +@@ -54,12 +54,12 @@ static int s3c64xx_i2s_cfg_gpio(struct platform_device *pdev) + + static struct resource s3c64xx_iis0_resource[] = { + [0] = DEFINE_RES_MEM(S3C64XX_PA_IIS0, SZ_256), +- [1] = DEFINE_RES_DMA(DMACH_I2S0_OUT), +- [2] = DEFINE_RES_DMA(DMACH_I2S0_IN), + }; + +-static struct s3c_audio_pdata i2sv3_pdata = { ++static struct s3c_audio_pdata i2s0_pdata = { + .cfg_gpio = s3c64xx_i2s_cfg_gpio, ++ .dma_playback = DMACH_I2S0_OUT, ++ .dma_capture = DMACH_I2S0_IN, + }; + + struct platform_device s3c64xx_device_iis0 = { +@@ -68,15 +68,19 @@ struct platform_device s3c64xx_device_iis0 = { + .num_resources = ARRAY_SIZE(s3c64xx_iis0_resource), + .resource = s3c64xx_iis0_resource, + .dev = { +- .platform_data = &i2sv3_pdata, ++ .platform_data = &i2s0_pdata, + }, + }; + EXPORT_SYMBOL(s3c64xx_device_iis0); + + static struct resource s3c64xx_iis1_resource[] = { + [0] = DEFINE_RES_MEM(S3C64XX_PA_IIS1, SZ_256), +- [1] = DEFINE_RES_DMA(DMACH_I2S1_OUT), +- [2] = DEFINE_RES_DMA(DMACH_I2S1_IN), ++}; ++ ++static struct s3c_audio_pdata i2s1_pdata = { ++ .cfg_gpio = s3c64xx_i2s_cfg_gpio, ++ .dma_playback = DMACH_I2S1_OUT, ++ .dma_capture = DMACH_I2S1_IN, + }; + + struct platform_device s3c64xx_device_iis1 = { +@@ -85,19 +89,19 @@ struct platform_device s3c64xx_device_iis1 = { + .num_resources = ARRAY_SIZE(s3c64xx_iis1_resource), + .resource = s3c64xx_iis1_resource, + .dev = { +- .platform_data = &i2sv3_pdata, ++ .platform_data = &i2s1_pdata, + }, + }; + EXPORT_SYMBOL(s3c64xx_device_iis1); + + static struct resource s3c64xx_iisv4_resource[] = { + [0] = DEFINE_RES_MEM(S3C64XX_PA_IISV4, SZ_256), +- [1] = DEFINE_RES_DMA(DMACH_HSI_I2SV40_TX), +- [2] = DEFINE_RES_DMA(DMACH_HSI_I2SV40_RX), + }; + + static struct s3c_audio_pdata i2sv4_pdata = { + .cfg_gpio = s3c64xx_i2s_cfg_gpio, ++ .dma_playback = DMACH_HSI_I2SV40_TX, ++ .dma_capture = DMACH_HSI_I2SV40_RX, + .type = { + .i2s = { + .quirks = QUIRK_PRI_6CHAN, +@@ -142,12 +146,12 @@ static int s3c64xx_pcm_cfg_gpio(struct platform_device *pdev) + + static struct resource s3c64xx_pcm0_resource[] = { + [0] = DEFINE_RES_MEM(S3C64XX_PA_PCM0, SZ_256), +- [1] = DEFINE_RES_DMA(DMACH_PCM0_TX), +- [2] = DEFINE_RES_DMA(DMACH_PCM0_RX), + }; + + static struct s3c_audio_pdata s3c_pcm0_pdata = { + .cfg_gpio = s3c64xx_pcm_cfg_gpio, ++ .dma_capture = DMACH_PCM0_RX, ++ .dma_playback = DMACH_PCM0_TX, + }; + + struct platform_device s3c64xx_device_pcm0 = { +@@ -163,12 +167,12 @@ EXPORT_SYMBOL(s3c64xx_device_pcm0); + + static struct resource s3c64xx_pcm1_resource[] = { + [0] = DEFINE_RES_MEM(S3C64XX_PA_PCM1, SZ_256), +- [1] = DEFINE_RES_DMA(DMACH_PCM1_TX), +- [2] = DEFINE_RES_DMA(DMACH_PCM1_RX), + }; + + static struct s3c_audio_pdata s3c_pcm1_pdata = { + .cfg_gpio = s3c64xx_pcm_cfg_gpio, ++ .dma_playback = DMACH_PCM1_TX, ++ .dma_capture = DMACH_PCM1_RX, + }; + + struct platform_device s3c64xx_device_pcm1 = { +@@ -196,13 +200,14 @@ static int s3c64xx_ac97_cfg_gpe(struct platform_device *pdev) + + static struct resource s3c64xx_ac97_resource[] = { + [0] = DEFINE_RES_MEM(S3C64XX_PA_AC97, SZ_256), +- [1] = DEFINE_RES_DMA(DMACH_AC97_PCMOUT), +- [2] = DEFINE_RES_DMA(DMACH_AC97_PCMIN), +- [3] = DEFINE_RES_DMA(DMACH_AC97_MICIN), +- [4] = DEFINE_RES_IRQ(IRQ_AC97), ++ [1] = DEFINE_RES_IRQ(IRQ_AC97), + }; + +-static struct s3c_audio_pdata s3c_ac97_pdata; ++static struct s3c_audio_pdata s3c_ac97_pdata = { ++ .dma_playback = DMACH_AC97_PCMOUT, ++ .dma_capture = DMACH_AC97_PCMIN, ++ .dma_capture_mic = DMACH_AC97_MICIN, ++}; + + static u64 s3c64xx_ac97_dmamask = DMA_BIT_MASK(32); + +diff --git a/arch/arm/mach-s3c64xx/include/mach/dma.h b/arch/arm/mach-s3c64xx/include/mach/dma.h +index 059b1fc85037..41a304803497 100644 +--- a/arch/arm/mach-s3c64xx/include/mach/dma.h ++++ b/arch/arm/mach-s3c64xx/include/mach/dma.h +@@ -14,38 +14,38 @@ + #define S3C64XX_DMA_CHAN(name) ((unsigned long)(name)) + + /* DMA0/SDMA0 */ +-#define DMACH_UART0 S3C64XX_DMA_CHAN("uart0_tx") +-#define DMACH_UART0_SRC2 S3C64XX_DMA_CHAN("uart0_rx") +-#define DMACH_UART1 S3C64XX_DMA_CHAN("uart1_tx") +-#define DMACH_UART1_SRC2 S3C64XX_DMA_CHAN("uart1_rx") +-#define DMACH_UART2 S3C64XX_DMA_CHAN("uart2_tx") +-#define DMACH_UART2_SRC2 S3C64XX_DMA_CHAN("uart2_rx") +-#define DMACH_UART3 S3C64XX_DMA_CHAN("uart3_tx") +-#define DMACH_UART3_SRC2 S3C64XX_DMA_CHAN("uart3_rx") +-#define DMACH_PCM0_TX S3C64XX_DMA_CHAN("pcm0_tx") +-#define DMACH_PCM0_RX S3C64XX_DMA_CHAN("pcm0_rx") +-#define DMACH_I2S0_OUT S3C64XX_DMA_CHAN("i2s0_tx") +-#define DMACH_I2S0_IN S3C64XX_DMA_CHAN("i2s0_rx") ++#define DMACH_UART0 "uart0_tx" ++#define DMACH_UART0_SRC2 "uart0_rx" ++#define DMACH_UART1 "uart1_tx" ++#define DMACH_UART1_SRC2 "uart1_rx" ++#define DMACH_UART2 "uart2_tx" ++#define DMACH_UART2_SRC2 "uart2_rx" ++#define DMACH_UART3 "uart3_tx" ++#define DMACH_UART3_SRC2 "uart3_rx" ++#define DMACH_PCM0_TX "pcm0_tx" ++#define DMACH_PCM0_RX "pcm0_rx" ++#define DMACH_I2S0_OUT "i2s0_tx" ++#define DMACH_I2S0_IN "i2s0_rx" + #define DMACH_SPI0_TX S3C64XX_DMA_CHAN("spi0_tx") + #define DMACH_SPI0_RX S3C64XX_DMA_CHAN("spi0_rx") +-#define DMACH_HSI_I2SV40_TX S3C64XX_DMA_CHAN("i2s2_tx") +-#define DMACH_HSI_I2SV40_RX S3C64XX_DMA_CHAN("i2s2_rx") ++#define DMACH_HSI_I2SV40_TX "i2s2_tx" ++#define DMACH_HSI_I2SV40_RX "i2s2_rx" + + /* DMA1/SDMA1 */ +-#define DMACH_PCM1_TX S3C64XX_DMA_CHAN("pcm1_tx") +-#define DMACH_PCM1_RX S3C64XX_DMA_CHAN("pcm1_rx") +-#define DMACH_I2S1_OUT S3C64XX_DMA_CHAN("i2s1_tx") +-#define DMACH_I2S1_IN S3C64XX_DMA_CHAN("i2s1_rx") ++#define DMACH_PCM1_TX "pcm1_tx" ++#define DMACH_PCM1_RX "pcm1_rx" ++#define DMACH_I2S1_OUT "i2s1_tx" ++#define DMACH_I2S1_IN "i2s1_rx" + #define DMACH_SPI1_TX S3C64XX_DMA_CHAN("spi1_tx") + #define DMACH_SPI1_RX S3C64XX_DMA_CHAN("spi1_rx") +-#define DMACH_AC97_PCMOUT S3C64XX_DMA_CHAN("ac97_out") +-#define DMACH_AC97_PCMIN S3C64XX_DMA_CHAN("ac97_in") +-#define DMACH_AC97_MICIN S3C64XX_DMA_CHAN("ac97_mic") +-#define DMACH_PWM S3C64XX_DMA_CHAN("pwm") +-#define DMACH_IRDA S3C64XX_DMA_CHAN("irda") +-#define DMACH_EXTERNAL S3C64XX_DMA_CHAN("external") +-#define DMACH_SECURITY_RX S3C64XX_DMA_CHAN("sec_rx") +-#define DMACH_SECURITY_TX S3C64XX_DMA_CHAN("sec_tx") ++#define DMACH_AC97_PCMOUT "ac97_out" ++#define DMACH_AC97_PCMIN "ac97_in" ++#define DMACH_AC97_MICIN "ac97_mic" ++#define DMACH_PWM "pwm" ++#define DMACH_IRDA "irda" ++#define DMACH_EXTERNAL "external" ++#define DMACH_SECURITY_RX "sec_rx" ++#define DMACH_SECURITY_TX "sec_tx" + + enum dma_ch { + DMACH_MAX = 32 +diff --git a/arch/arm/plat-samsung/devs.c b/arch/arm/plat-samsung/devs.c +index 83c7d154bde0..8b67db8c1213 100644 +--- a/arch/arm/plat-samsung/devs.c ++++ b/arch/arm/plat-samsung/devs.c +@@ -65,6 +65,7 @@ + #include <linux/platform_data/usb-ohci-s3c2410.h> + #include <plat/usb-phy.h> + #include <plat/regs-spi.h> ++#include <linux/platform_data/asoc-s3c.h> + #include <linux/platform_data/spi-s3c64xx.h> + + static u64 samsung_device_dma_mask = DMA_BIT_MASK(32); +@@ -74,9 +75,12 @@ static u64 samsung_device_dma_mask = DMA_BIT_MASK(32); + static struct resource s3c_ac97_resource[] = { + [0] = DEFINE_RES_MEM(S3C2440_PA_AC97, S3C2440_SZ_AC97), + [1] = DEFINE_RES_IRQ(IRQ_S3C244X_AC97), +- [2] = DEFINE_RES_DMA_NAMED(DMACH_PCM_OUT, "PCM out"), +- [3] = DEFINE_RES_DMA_NAMED(DMACH_PCM_IN, "PCM in"), +- [4] = DEFINE_RES_DMA_NAMED(DMACH_MIC_IN, "Mic in"), ++}; ++ ++static struct s3c_audio_pdata s3c_ac97_pdata = { ++ .dma_playback = (void *)DMACH_PCM_OUT, ++ .dma_capture = (void *)DMACH_PCM_IN, ++ .dma_capture_mic = (void *)DMACH_MIC_IN, + }; + + struct platform_device s3c_device_ac97 = { +@@ -87,6 +91,7 @@ struct platform_device s3c_device_ac97 = { + .dev = { + .dma_mask = &samsung_device_dma_mask, + .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = &s3c_ac97_pdata, + } + }; + #endif /* CONFIG_CPU_S3C2440 */ +diff --git a/arch/arm64/kernel/pci.c b/arch/arm64/kernel/pci.c +index ce5836c14ec1..6f93c24ca801 100644 +--- a/arch/arm64/kernel/pci.c ++++ b/arch/arm64/kernel/pci.c +@@ -46,25 +46,3 @@ int pcibios_add_device(struct pci_dev *dev) + + return 0; + } +- +- +-#ifdef CONFIG_PCI_DOMAINS_GENERIC +-static bool dt_domain_found = false; +- +-void pci_bus_assign_domain_nr(struct pci_bus *bus, struct device *parent) +-{ +- int domain = of_get_pci_domain_nr(parent->of_node); +- +- if (domain >= 0) { +- dt_domain_found = true; +- } else if (dt_domain_found == true) { +- dev_err(parent, "Node %s is missing \"linux,pci-domain\" property in DT\n", +- parent->of_node->full_name); +- return; +- } else { +- domain = pci_get_new_domain_nr(); +- } +- +- bus->domain_nr = domain; +-} +-#endif +diff --git a/arch/arm64/mm/flush.c b/arch/arm64/mm/flush.c +index b6f14e8d2121..bfb8eb168f2d 100644 +--- a/arch/arm64/mm/flush.c ++++ b/arch/arm64/mm/flush.c +@@ -74,10 +74,6 @@ void __sync_icache_dcache(pte_t pte, unsigned long addr) + { + struct page *page = pte_page(pte); + +- /* no flushing needed for anonymous pages */ +- if (!page_mapping(page)) +- return; +- + if (!test_and_set_bit(PG_dcache_clean, &page->flags)) { + __flush_dcache_area(page_address(page), + PAGE_SIZE << compound_order(page)); +diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +index 1616b56eadfe..b369199d9f39 100644 +--- a/arch/mips/include/asm/kvm_host.h ++++ b/arch/mips/include/asm/kvm_host.h +@@ -377,6 +377,7 @@ struct kvm_mips_tlb { + #define KVM_MIPS_GUEST_TLB_SIZE 64 + struct kvm_vcpu_arch { + void *host_ebase, *guest_ebase; ++ int (*vcpu_run)(struct kvm_run *run, struct kvm_vcpu *vcpu); + unsigned long host_stack; + unsigned long host_gp; + +diff --git a/arch/mips/include/asm/processor.h b/arch/mips/include/asm/processor.h +index f1df4cb4a286..578ece1e4a99 100644 +--- a/arch/mips/include/asm/processor.h ++++ b/arch/mips/include/asm/processor.h +@@ -51,7 +51,7 @@ extern unsigned int vced_count, vcei_count; + * User space process size: 2GB. This is hardcoded into a few places, + * so don't change it unless you know what you are doing. + */ +-#define TASK_SIZE 0x7fff8000UL ++#define TASK_SIZE 0x80000000UL + #endif + + #ifdef __KERNEL__ +diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c +index f3b635f86c39..2168355591f5 100644 +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -685,6 +685,9 @@ static void __init arch_mem_init(char **cmdline_p) + for_each_memblock(reserved, reg) + if (reg->size != 0) + reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT); ++ ++ reserve_bootmem_region(__pa_symbol(&__nosave_begin), ++ __pa_symbol(&__nosave_end)); /* Reserve for hibernation */ + } + + static void __init resource_init(void) +diff --git a/arch/mips/kvm/interrupt.h b/arch/mips/kvm/interrupt.h +index 4ab4bdfad703..2143884709e4 100644 +--- a/arch/mips/kvm/interrupt.h ++++ b/arch/mips/kvm/interrupt.h +@@ -28,6 +28,7 @@ + #define MIPS_EXC_MAX 12 + /* XXXSL More to follow */ + ++extern char __kvm_mips_vcpu_run_end[]; + extern char mips32_exception[], mips32_exceptionEnd[]; + extern char mips32_GuestException[], mips32_GuestExceptionEnd[]; + +diff --git a/arch/mips/kvm/locore.S b/arch/mips/kvm/locore.S +index 4a68b176d6e4..21c257579a06 100644 +--- a/arch/mips/kvm/locore.S ++++ b/arch/mips/kvm/locore.S +@@ -231,6 +231,7 @@ FEXPORT(__kvm_mips_load_k0k1) + + /* Jump to guest */ + eret ++EXPORT(__kvm_mips_vcpu_run_end) + + VECTOR(MIPSX(exception), unknown) + /* Find out what mode we came from and jump to the proper handler. */ +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index a53eaf50c224..26059bf34b1a 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -306,6 +306,15 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + memcpy(gebase + offset, mips32_GuestException, + mips32_GuestExceptionEnd - mips32_GuestException); + ++#ifdef MODULE ++ offset += mips32_GuestExceptionEnd - mips32_GuestException; ++ memcpy(gebase + offset, (char *)__kvm_mips_vcpu_run, ++ __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run); ++ vcpu->arch.vcpu_run = gebase + offset; ++#else ++ vcpu->arch.vcpu_run = __kvm_mips_vcpu_run; ++#endif ++ + /* Invalidate the icache for these ranges */ + local_flush_icache_range((unsigned long)gebase, + (unsigned long)gebase + ALIGN(size, PAGE_SIZE)); +@@ -392,7 +401,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run) + /* Disable hardware page table walking while in guest */ + htw_stop(); + +- r = __kvm_mips_vcpu_run(run, vcpu); ++ r = vcpu->arch.vcpu_run(run, vcpu); + + /* Re-enable HTW before enabling interrupts */ + htw_start(); +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 923cd2daba89..5d2ea3f90f72 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1224,6 +1224,16 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp) + current->thread.regs = regs - 1; + } + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* ++ * Clear any transactional state, we're exec()ing. The cause is ++ * not important as there will never be a recheckpoint so it's not ++ * user visible. ++ */ ++ if (MSR_TM_SUSPENDED(mfmsr())) ++ tm_reclaim_current(0); ++#endif ++ + memset(regs->gpr, 0, sizeof(regs->gpr)); + regs->ctr = 0; + regs->link = 0; +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index d2804fd65c4b..7a218ab7e941 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -162,11 +162,12 @@ static struct ibm_pa_feature { + {0, MMU_FTR_CI_LARGE_PAGE, 0, 0, 1, 2, 0}, + {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 0, 5, 0, 0}, + /* +- * If the kernel doesn't support TM (ie. CONFIG_PPC_TRANSACTIONAL_MEM=n), +- * we don't want to turn on CPU_FTR_TM here, so we use CPU_FTR_TM_COMP +- * which is 0 if the kernel doesn't support TM. ++ * If the kernel doesn't support TM (ie CONFIG_PPC_TRANSACTIONAL_MEM=n), ++ * we don't want to turn on TM here, so we use the *_COMP versions ++ * which are 0 if the kernel doesn't support TM. + */ +- {CPU_FTR_TM_COMP, 0, 0, 0, 22, 0, 0}, ++ {CPU_FTR_TM_COMP, 0, 0, ++ PPC_FEATURE2_HTM_COMP|PPC_FEATURE2_HTM_NOSC_COMP, 22, 0, 0}, + }; + + static void __init scan_features(unsigned long node, const unsigned char *ftrs, +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c +index 39badb9ca0b3..f5ec05984364 100644 +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -2102,13 +2102,6 @@ void s390_reset_system(void (*func)(void *), void *data) + S390_lowcore.program_new_psw.addr = + PSW_ADDR_AMODE | (unsigned long) s390_base_pgm_handler; + +- /* +- * Clear subchannel ID and number to signal new kernel that no CCW or +- * SCSI IPL has been done (for kexec and kdump) +- */ +- S390_lowcore.subchannel_id = 0; +- S390_lowcore.subchannel_nr = 0; +- + /* Store status at absolute zero */ + store_status(); + +diff --git a/arch/sparc/include/asm/head_64.h b/arch/sparc/include/asm/head_64.h +index 10e9dabc4c41..f0700cfeedd7 100644 +--- a/arch/sparc/include/asm/head_64.h ++++ b/arch/sparc/include/asm/head_64.h +@@ -15,6 +15,10 @@ + + #define PTREGS_OFF (STACK_BIAS + STACKFRAME_SZ) + ++#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE) ++#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV) ++#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG) ++ + #define __CHEETAH_ID 0x003e0014 + #define __JALAPENO_ID 0x003e0016 + #define __SERRANO_ID 0x003e0022 +diff --git a/arch/sparc/include/asm/ttable.h b/arch/sparc/include/asm/ttable.h +index 71b5a67522ab..781b9f1dbdc2 100644 +--- a/arch/sparc/include/asm/ttable.h ++++ b/arch/sparc/include/asm/ttable.h +@@ -589,8 +589,8 @@ user_rtt_fill_64bit: \ + restored; \ + nop; nop; nop; nop; nop; nop; \ + nop; nop; nop; nop; nop; \ +- ba,a,pt %xcc, user_rtt_fill_fixup; \ +- ba,a,pt %xcc, user_rtt_fill_fixup; \ ++ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \ ++ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \ + ba,a,pt %xcc, user_rtt_fill_fixup; + + +@@ -652,8 +652,8 @@ user_rtt_fill_32bit: \ + restored; \ + nop; nop; nop; nop; nop; \ + nop; nop; nop; \ +- ba,a,pt %xcc, user_rtt_fill_fixup; \ +- ba,a,pt %xcc, user_rtt_fill_fixup; \ ++ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \ ++ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \ + ba,a,pt %xcc, user_rtt_fill_fixup; + + +diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile +index 7cf9c6ea3f1f..fdb13327fded 100644 +--- a/arch/sparc/kernel/Makefile ++++ b/arch/sparc/kernel/Makefile +@@ -21,6 +21,7 @@ CFLAGS_REMOVE_perf_event.o := -pg + CFLAGS_REMOVE_pcr.o := -pg + endif + ++obj-$(CONFIG_SPARC64) += urtt_fill.o + obj-$(CONFIG_SPARC32) += entry.o wof.o wuf.o + obj-$(CONFIG_SPARC32) += etrap_32.o + obj-$(CONFIG_SPARC32) += rtrap_32.o +diff --git a/arch/sparc/kernel/cherrs.S b/arch/sparc/kernel/cherrs.S +index 4ee1ad420862..655628def68e 100644 +--- a/arch/sparc/kernel/cherrs.S ++++ b/arch/sparc/kernel/cherrs.S +@@ -214,8 +214,7 @@ do_dcpe_tl1_nonfatal: /* Ok we may use interrupt globals safely. */ + subcc %g1, %g2, %g1 ! Next cacheline + bge,pt %icc, 1b + nop +- ba,pt %xcc, dcpe_icpe_tl1_common +- nop ++ ba,a,pt %xcc, dcpe_icpe_tl1_common + + do_dcpe_tl1_fatal: + sethi %hi(1f), %g7 +@@ -224,8 +223,7 @@ do_dcpe_tl1_fatal: + mov 0x2, %o0 + call cheetah_plus_parity_error + add %sp, PTREGS_OFF, %o1 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size do_dcpe_tl1,.-do_dcpe_tl1 + + .globl do_icpe_tl1 +@@ -259,8 +257,7 @@ do_icpe_tl1_nonfatal: /* Ok we may use interrupt globals safely. */ + subcc %g1, %g2, %g1 + bge,pt %icc, 1b + nop +- ba,pt %xcc, dcpe_icpe_tl1_common +- nop ++ ba,a,pt %xcc, dcpe_icpe_tl1_common + + do_icpe_tl1_fatal: + sethi %hi(1f), %g7 +@@ -269,8 +266,7 @@ do_icpe_tl1_fatal: + mov 0x3, %o0 + call cheetah_plus_parity_error + add %sp, PTREGS_OFF, %o1 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size do_icpe_tl1,.-do_icpe_tl1 + + .type dcpe_icpe_tl1_common,#function +@@ -456,7 +452,7 @@ __cheetah_log_error: + cmp %g2, 0x63 + be c_cee + nop +- ba,pt %xcc, c_deferred ++ ba,a,pt %xcc, c_deferred + .size __cheetah_log_error,.-__cheetah_log_error + + /* Cheetah FECC trap handling, we get here from tl{0,1}_fecc +diff --git a/arch/sparc/kernel/entry.S b/arch/sparc/kernel/entry.S +index 33c02b15f478..a83707c83be8 100644 +--- a/arch/sparc/kernel/entry.S ++++ b/arch/sparc/kernel/entry.S +@@ -948,7 +948,24 @@ linux_syscall_trace: + cmp %o0, 0 + bne 3f + mov -ENOSYS, %o0 ++ ++ /* Syscall tracing can modify the registers. */ ++ ld [%sp + STACKFRAME_SZ + PT_G1], %g1 ++ sethi %hi(sys_call_table), %l7 ++ ld [%sp + STACKFRAME_SZ + PT_I0], %i0 ++ or %l7, %lo(sys_call_table), %l7 ++ ld [%sp + STACKFRAME_SZ + PT_I1], %i1 ++ ld [%sp + STACKFRAME_SZ + PT_I2], %i2 ++ ld [%sp + STACKFRAME_SZ + PT_I3], %i3 ++ ld [%sp + STACKFRAME_SZ + PT_I4], %i4 ++ ld [%sp + STACKFRAME_SZ + PT_I5], %i5 ++ cmp %g1, NR_syscalls ++ bgeu 3f ++ mov -ENOSYS, %o0 ++ ++ sll %g1, 2, %l4 + mov %i0, %o0 ++ ld [%l7 + %l4], %l7 + mov %i1, %o1 + mov %i2, %o2 + mov %i3, %o3 +diff --git a/arch/sparc/kernel/fpu_traps.S b/arch/sparc/kernel/fpu_traps.S +index a6864826a4bd..336d2750fe78 100644 +--- a/arch/sparc/kernel/fpu_traps.S ++++ b/arch/sparc/kernel/fpu_traps.S +@@ -100,8 +100,8 @@ do_fpdis: + fmuld %f0, %f2, %f26 + faddd %f0, %f2, %f28 + fmuld %f0, %f2, %f30 +- b,pt %xcc, fpdis_exit +- nop ++ ba,a,pt %xcc, fpdis_exit ++ + 2: andcc %g5, FPRS_DU, %g0 + bne,pt %icc, 3f + fzero %f32 +@@ -144,8 +144,8 @@ do_fpdis: + fmuld %f32, %f34, %f58 + faddd %f32, %f34, %f60 + fmuld %f32, %f34, %f62 +- ba,pt %xcc, fpdis_exit +- nop ++ ba,a,pt %xcc, fpdis_exit ++ + 3: mov SECONDARY_CONTEXT, %g3 + add %g6, TI_FPREGS, %g1 + +@@ -197,8 +197,7 @@ fpdis_exit2: + fp_other_bounce: + call do_fpother + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size fp_other_bounce,.-fp_other_bounce + + .align 32 +diff --git a/arch/sparc/kernel/head_64.S b/arch/sparc/kernel/head_64.S +index 3d61fcae7ee3..8ff57630a486 100644 +--- a/arch/sparc/kernel/head_64.S ++++ b/arch/sparc/kernel/head_64.S +@@ -461,9 +461,8 @@ sun4v_chip_type: + subcc %g3, 1, %g3 + bne,pt %xcc, 41b + add %g1, 1, %g1 +- mov SUN4V_CHIP_SPARC64X, %g4 + ba,pt %xcc, 5f +- nop ++ mov SUN4V_CHIP_SPARC64X, %g4 + + 49: + mov SUN4V_CHIP_UNKNOWN, %g4 +@@ -548,8 +547,7 @@ sun4u_init: + stxa %g0, [%g7] ASI_DMMU + membar #Sync + +- ba,pt %xcc, sun4u_continue +- nop ++ ba,a,pt %xcc, sun4u_continue + + sun4v_init: + /* Set ctx 0 */ +@@ -560,14 +558,12 @@ sun4v_init: + mov SECONDARY_CONTEXT, %g7 + stxa %g0, [%g7] ASI_MMU + membar #Sync +- ba,pt %xcc, niagara_tlb_fixup +- nop ++ ba,a,pt %xcc, niagara_tlb_fixup + + sun4u_continue: + BRANCH_IF_ANY_CHEETAH(g1, g7, cheetah_tlb_fixup) + +- ba,pt %xcc, spitfire_tlb_fixup +- nop ++ ba,a,pt %xcc, spitfire_tlb_fixup + + niagara_tlb_fixup: + mov 3, %g2 /* Set TLB type to hypervisor. */ +@@ -639,8 +635,7 @@ niagara_patch: + call hypervisor_patch_cachetlbops + nop + +- ba,pt %xcc, tlb_fixup_done +- nop ++ ba,a,pt %xcc, tlb_fixup_done + + cheetah_tlb_fixup: + mov 2, %g2 /* Set TLB type to cheetah+. */ +@@ -659,8 +654,7 @@ cheetah_tlb_fixup: + call cheetah_patch_cachetlbops + nop + +- ba,pt %xcc, tlb_fixup_done +- nop ++ ba,a,pt %xcc, tlb_fixup_done + + spitfire_tlb_fixup: + /* Set TLB type to spitfire. */ +@@ -782,8 +776,7 @@ setup_trap_table: + call %o1 + add %sp, (2047 + 128), %o0 + +- ba,pt %xcc, 2f +- nop ++ ba,a,pt %xcc, 2f + + 1: sethi %hi(sparc64_ttable_tl0), %o0 + set prom_set_trap_table_name, %g2 +@@ -822,8 +815,7 @@ setup_trap_table: + + BRANCH_IF_ANY_CHEETAH(o2, o3, 1f) + +- ba,pt %xcc, 2f +- nop ++ ba,a,pt %xcc, 2f + + /* Disable STICK_INT interrupts. */ + 1: +diff --git a/arch/sparc/kernel/misctrap.S b/arch/sparc/kernel/misctrap.S +index 753b4f031bfb..34b4933900bf 100644 +--- a/arch/sparc/kernel/misctrap.S ++++ b/arch/sparc/kernel/misctrap.S +@@ -18,8 +18,7 @@ __do_privact: + 109: or %g7, %lo(109b), %g7 + call do_privact + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size __do_privact,.-__do_privact + + .type do_mna,#function +@@ -46,8 +45,7 @@ do_mna: + mov %l5, %o2 + call mem_address_unaligned + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size do_mna,.-do_mna + + .type do_lddfmna,#function +@@ -65,8 +63,7 @@ do_lddfmna: + mov %l5, %o2 + call handle_lddfmna + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size do_lddfmna,.-do_lddfmna + + .type do_stdfmna,#function +@@ -84,8 +81,7 @@ do_stdfmna: + mov %l5, %o2 + call handle_stdfmna + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size do_stdfmna,.-do_stdfmna + + .type breakpoint_trap,#function +diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c +index b36365f49478..f9288bf12fea 100644 +--- a/arch/sparc/kernel/pci.c ++++ b/arch/sparc/kernel/pci.c +@@ -995,6 +995,23 @@ void pcibios_set_master(struct pci_dev *dev) + /* No special bus mastering setup handling */ + } + ++#ifdef CONFIG_PCI_IOV ++int pcibios_add_device(struct pci_dev *dev) ++{ ++ struct pci_dev *pdev; ++ ++ /* Add sriov arch specific initialization here. ++ * Copy dev_archdata from PF to VF ++ */ ++ if (dev->is_virtfn) { ++ pdev = dev->physfn; ++ memcpy(&dev->dev.archdata, &pdev->dev.archdata, ++ sizeof(struct dev_archdata)); ++ } ++ return 0; ++} ++#endif /* CONFIG_PCI_IOV */ ++ + static int __init pcibios_init(void) + { + pci_dfl_cache_line_size = 64 >> 2; +diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S +index 39f0c662f4c8..8de386dc8150 100644 +--- a/arch/sparc/kernel/rtrap_64.S ++++ b/arch/sparc/kernel/rtrap_64.S +@@ -14,10 +14,6 @@ + #include <asm/visasm.h> + #include <asm/processor.h> + +-#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE) +-#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV) +-#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG) +- + #ifdef CONFIG_CONTEXT_TRACKING + # define SCHEDULE_USER schedule_user + #else +@@ -236,52 +232,17 @@ rt_continue: ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1 + wrpr %g1, %cwp + ba,a,pt %xcc, user_rtt_fill_64bit + +-user_rtt_fill_fixup: +- rdpr %cwp, %g1 +- add %g1, 1, %g1 +- wrpr %g1, 0x0, %cwp +- +- rdpr %wstate, %g2 +- sll %g2, 3, %g2 +- wrpr %g2, 0x0, %wstate +- +- /* We know %canrestore and %otherwin are both zero. */ +- +- sethi %hi(sparc64_kern_pri_context), %g2 +- ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2 +- mov PRIMARY_CONTEXT, %g1 +- +-661: stxa %g2, [%g1] ASI_DMMU +- .section .sun4v_1insn_patch, "ax" +- .word 661b +- stxa %g2, [%g1] ASI_MMU +- .previous +- +- sethi %hi(KERNBASE), %g1 +- flush %g1 ++user_rtt_fill_fixup_dax: ++ ba,pt %xcc, user_rtt_fill_fixup_common ++ mov 1, %g3 + +- or %g4, FAULT_CODE_WINFIXUP, %g4 +- stb %g4, [%g6 + TI_FAULT_CODE] +- stx %g5, [%g6 + TI_FAULT_ADDR] ++user_rtt_fill_fixup_mna: ++ ba,pt %xcc, user_rtt_fill_fixup_common ++ mov 2, %g3 + +- mov %g6, %l1 +- wrpr %g0, 0x0, %tl +- +-661: nop +- .section .sun4v_1insn_patch, "ax" +- .word 661b +- SET_GL(0) +- .previous +- +- wrpr %g0, RTRAP_PSTATE, %pstate +- +- mov %l1, %g6 +- ldx [%g6 + TI_TASK], %g4 +- LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3) +- call do_sparc64_fault +- add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++user_rtt_fill_fixup: ++ ba,pt %xcc, user_rtt_fill_fixup_common ++ clr %g3 + + user_rtt_pre_restore: + add %g1, 1, %g1 +diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c +index 62deba7be1a9..94646266f0e4 100644 +--- a/arch/sparc/kernel/signal32.c ++++ b/arch/sparc/kernel/signal32.c +@@ -138,12 +138,24 @@ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) + return 0; + } + ++/* Checks if the fp is valid. We always build signal frames which are ++ * 16-byte aligned, therefore we can always enforce that the restore ++ * frame has that property as well. ++ */ ++static bool invalid_frame_pointer(void __user *fp, int fplen) ++{ ++ if ((((unsigned long) fp) & 15) || ++ ((unsigned long)fp) > 0x100000000ULL - fplen) ++ return true; ++ return false; ++} ++ + void do_sigreturn32(struct pt_regs *regs) + { + struct signal_frame32 __user *sf; + compat_uptr_t fpu_save; + compat_uptr_t rwin_save; +- unsigned int psr; ++ unsigned int psr, ufp; + unsigned pc, npc; + sigset_t set; + compat_sigset_t seta; +@@ -158,11 +170,16 @@ void do_sigreturn32(struct pt_regs *regs) + sf = (struct signal_frame32 __user *) regs->u_regs[UREG_FP]; + + /* 1. Make sure we are not getting garbage from the user */ +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) || +- (((unsigned long) sf) & 3)) ++ if (invalid_frame_pointer(sf, sizeof(*sf))) ++ goto segv; ++ ++ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP])) ++ goto segv; ++ ++ if (ufp & 0x7) + goto segv; + +- if (get_user(pc, &sf->info.si_regs.pc) || ++ if (__get_user(pc, &sf->info.si_regs.pc) || + __get_user(npc, &sf->info.si_regs.npc)) + goto segv; + +@@ -227,7 +244,7 @@ segv: + asmlinkage void do_rt_sigreturn32(struct pt_regs *regs) + { + struct rt_signal_frame32 __user *sf; +- unsigned int psr, pc, npc; ++ unsigned int psr, pc, npc, ufp; + compat_uptr_t fpu_save; + compat_uptr_t rwin_save; + sigset_t set; +@@ -242,11 +259,16 @@ asmlinkage void do_rt_sigreturn32(struct pt_regs *regs) + sf = (struct rt_signal_frame32 __user *) regs->u_regs[UREG_FP]; + + /* 1. Make sure we are not getting garbage from the user */ +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) || +- (((unsigned long) sf) & 3)) ++ if (invalid_frame_pointer(sf, sizeof(*sf))) + goto segv; + +- if (get_user(pc, &sf->regs.pc) || ++ if (get_user(ufp, &sf->regs.u_regs[UREG_FP])) ++ goto segv; ++ ++ if (ufp & 0x7) ++ goto segv; ++ ++ if (__get_user(pc, &sf->regs.pc) || + __get_user(npc, &sf->regs.npc)) + goto segv; + +@@ -307,14 +329,6 @@ segv: + force_sig(SIGSEGV, current); + } + +-/* Checks if the fp is valid */ +-static int invalid_frame_pointer(void __user *fp, int fplen) +-{ +- if ((((unsigned long) fp) & 7) || ((unsigned long)fp) > 0x100000000ULL - fplen) +- return 1; +- return 0; +-} +- + static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize) + { + unsigned long sp; +diff --git a/arch/sparc/kernel/signal_32.c b/arch/sparc/kernel/signal_32.c +index 9ee72fc8e0e4..8492291424ab 100644 +--- a/arch/sparc/kernel/signal_32.c ++++ b/arch/sparc/kernel/signal_32.c +@@ -60,10 +60,22 @@ struct rt_signal_frame { + #define SF_ALIGNEDSZ (((sizeof(struct signal_frame) + 7) & (~7))) + #define RT_ALIGNEDSZ (((sizeof(struct rt_signal_frame) + 7) & (~7))) + ++/* Checks if the fp is valid. We always build signal frames which are ++ * 16-byte aligned, therefore we can always enforce that the restore ++ * frame has that property as well. ++ */ ++static inline bool invalid_frame_pointer(void __user *fp, int fplen) ++{ ++ if ((((unsigned long) fp) & 15) || !__access_ok((unsigned long)fp, fplen)) ++ return true; ++ ++ return false; ++} ++ + asmlinkage void do_sigreturn(struct pt_regs *regs) + { ++ unsigned long up_psr, pc, npc, ufp; + struct signal_frame __user *sf; +- unsigned long up_psr, pc, npc; + sigset_t set; + __siginfo_fpu_t __user *fpu_save; + __siginfo_rwin_t __user *rwin_save; +@@ -77,10 +89,13 @@ asmlinkage void do_sigreturn(struct pt_regs *regs) + sf = (struct signal_frame __user *) regs->u_regs[UREG_FP]; + + /* 1. Make sure we are not getting garbage from the user */ +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf))) ++ if (!invalid_frame_pointer(sf, sizeof(*sf))) ++ goto segv_and_exit; ++ ++ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP])) + goto segv_and_exit; + +- if (((unsigned long) sf) & 3) ++ if (ufp & 0x7) + goto segv_and_exit; + + err = __get_user(pc, &sf->info.si_regs.pc); +@@ -127,7 +142,7 @@ segv_and_exit: + asmlinkage void do_rt_sigreturn(struct pt_regs *regs) + { + struct rt_signal_frame __user *sf; +- unsigned int psr, pc, npc; ++ unsigned int psr, pc, npc, ufp; + __siginfo_fpu_t __user *fpu_save; + __siginfo_rwin_t __user *rwin_save; + sigset_t set; +@@ -135,8 +150,13 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs) + + synchronize_user_stack(); + sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP]; +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) || +- (((unsigned long) sf) & 0x03)) ++ if (!invalid_frame_pointer(sf, sizeof(*sf))) ++ goto segv; ++ ++ if (get_user(ufp, &sf->regs.u_regs[UREG_FP])) ++ goto segv; ++ ++ if (ufp & 0x7) + goto segv; + + err = __get_user(pc, &sf->regs.pc); +@@ -178,15 +198,6 @@ segv: + force_sig(SIGSEGV, current); + } + +-/* Checks if the fp is valid */ +-static inline int invalid_frame_pointer(void __user *fp, int fplen) +-{ +- if ((((unsigned long) fp) & 7) || !__access_ok((unsigned long)fp, fplen)) +- return 1; +- +- return 0; +-} +- + static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize) + { + unsigned long sp = regs->u_regs[UREG_FP]; +diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c +index 1a6999868031..9acf9822cbbd 100644 +--- a/arch/sparc/kernel/signal_64.c ++++ b/arch/sparc/kernel/signal_64.c +@@ -52,7 +52,7 @@ asmlinkage void sparc64_set_context(struct pt_regs *regs) + unsigned char fenab; + int err; + +- flush_user_windows(); ++ synchronize_user_stack(); + if (get_thread_wsaved() || + (((unsigned long)ucp) & (sizeof(unsigned long)-1)) || + (!__access_ok(ucp, sizeof(*ucp)))) +@@ -234,6 +234,17 @@ do_sigsegv: + goto out; + } + ++/* Checks if the fp is valid. We always build rt signal frames which ++ * are 16-byte aligned, therefore we can always enforce that the ++ * restore frame has that property as well. ++ */ ++static bool invalid_frame_pointer(void __user *fp) ++{ ++ if (((unsigned long) fp) & 15) ++ return true; ++ return false; ++} ++ + struct rt_signal_frame { + struct sparc_stackf ss; + siginfo_t info; +@@ -246,8 +257,8 @@ struct rt_signal_frame { + + void do_rt_sigreturn(struct pt_regs *regs) + { ++ unsigned long tpc, tnpc, tstate, ufp; + struct rt_signal_frame __user *sf; +- unsigned long tpc, tnpc, tstate; + __siginfo_fpu_t __user *fpu_save; + __siginfo_rwin_t __user *rwin_save; + sigset_t set; +@@ -261,10 +272,16 @@ void do_rt_sigreturn(struct pt_regs *regs) + (regs->u_regs [UREG_FP] + STACK_BIAS); + + /* 1. Make sure we are not getting garbage from the user */ +- if (((unsigned long) sf) & 3) ++ if (invalid_frame_pointer(sf)) ++ goto segv; ++ ++ if (get_user(ufp, &sf->regs.u_regs[UREG_FP])) + goto segv; + +- err = get_user(tpc, &sf->regs.tpc); ++ if ((ufp + STACK_BIAS) & 0x7) ++ goto segv; ++ ++ err = __get_user(tpc, &sf->regs.tpc); + err |= __get_user(tnpc, &sf->regs.tnpc); + if (test_thread_flag(TIF_32BIT)) { + tpc &= 0xffffffff; +@@ -308,14 +325,6 @@ segv: + force_sig(SIGSEGV, current); + } + +-/* Checks if the fp is valid */ +-static int invalid_frame_pointer(void __user *fp) +-{ +- if (((unsigned long) fp) & 15) +- return 1; +- return 0; +-} +- + static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize) + { + unsigned long sp = regs->u_regs[UREG_FP] + STACK_BIAS; +diff --git a/arch/sparc/kernel/sigutil_32.c b/arch/sparc/kernel/sigutil_32.c +index 0f6eebe71e6c..e5fe8cef9a69 100644 +--- a/arch/sparc/kernel/sigutil_32.c ++++ b/arch/sparc/kernel/sigutil_32.c +@@ -48,6 +48,10 @@ int save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) + int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) + { + int err; ++ ++ if (((unsigned long) fpu) & 3) ++ return -EFAULT; ++ + #ifdef CONFIG_SMP + if (test_tsk_thread_flag(current, TIF_USEDFPU)) + regs->psr &= ~PSR_EF; +@@ -97,7 +101,10 @@ int restore_rwin_state(__siginfo_rwin_t __user *rp) + struct thread_info *t = current_thread_info(); + int i, wsaved, err; + +- __get_user(wsaved, &rp->wsaved); ++ if (((unsigned long) rp) & 3) ++ return -EFAULT; ++ ++ get_user(wsaved, &rp->wsaved); + if (wsaved > NSWINS) + return -EFAULT; + +diff --git a/arch/sparc/kernel/sigutil_64.c b/arch/sparc/kernel/sigutil_64.c +index 387834a9c56a..36aadcbeac69 100644 +--- a/arch/sparc/kernel/sigutil_64.c ++++ b/arch/sparc/kernel/sigutil_64.c +@@ -37,7 +37,10 @@ int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) + unsigned long fprs; + int err; + +- err = __get_user(fprs, &fpu->si_fprs); ++ if (((unsigned long) fpu) & 7) ++ return -EFAULT; ++ ++ err = get_user(fprs, &fpu->si_fprs); + fprs_write(0); + regs->tstate &= ~TSTATE_PEF; + if (fprs & FPRS_DL) +@@ -72,7 +75,10 @@ int restore_rwin_state(__siginfo_rwin_t __user *rp) + struct thread_info *t = current_thread_info(); + int i, wsaved, err; + +- __get_user(wsaved, &rp->wsaved); ++ if (((unsigned long) rp) & 7) ++ return -EFAULT; ++ ++ get_user(wsaved, &rp->wsaved); + if (wsaved > NSWINS) + return -EFAULT; + +diff --git a/arch/sparc/kernel/spiterrs.S b/arch/sparc/kernel/spiterrs.S +index c357e40ffd01..4a73009f66a5 100644 +--- a/arch/sparc/kernel/spiterrs.S ++++ b/arch/sparc/kernel/spiterrs.S +@@ -85,8 +85,7 @@ __spitfire_cee_trap_continue: + ba,pt %xcc, etraptl1 + rd %pc, %g7 + +- ba,pt %xcc, 2f +- nop ++ ba,a,pt %xcc, 2f + + 1: ba,pt %xcc, etrap_irq + rd %pc, %g7 +@@ -100,8 +99,7 @@ __spitfire_cee_trap_continue: + mov %l5, %o2 + call spitfire_access_error + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size __spitfire_access_error,.-__spitfire_access_error + + /* This is the trap handler entry point for ECC correctable +@@ -179,8 +177,7 @@ __spitfire_data_access_exception_tl1: + mov %l5, %o2 + call spitfire_data_access_exception_tl1 + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size __spitfire_data_access_exception_tl1,.-__spitfire_data_access_exception_tl1 + + .type __spitfire_data_access_exception,#function +@@ -200,8 +197,7 @@ __spitfire_data_access_exception: + mov %l5, %o2 + call spitfire_data_access_exception + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size __spitfire_data_access_exception,.-__spitfire_data_access_exception + + .type __spitfire_insn_access_exception_tl1,#function +@@ -220,8 +216,7 @@ __spitfire_insn_access_exception_tl1: + mov %l5, %o2 + call spitfire_insn_access_exception_tl1 + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size __spitfire_insn_access_exception_tl1,.-__spitfire_insn_access_exception_tl1 + + .type __spitfire_insn_access_exception,#function +@@ -240,6 +235,5 @@ __spitfire_insn_access_exception: + mov %l5, %o2 + call spitfire_insn_access_exception + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + .size __spitfire_insn_access_exception,.-__spitfire_insn_access_exception +diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S +index 33a17e7b3ccd..6ec7531f27fc 100644 +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -148,7 +148,25 @@ linux_syscall_trace32: + add %sp, PTREGS_OFF, %o0 + brnz,pn %o0, 3f + mov -ENOSYS, %o0 ++ ++ /* Syscall tracing can modify the registers. */ ++ ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1 ++ sethi %hi(sys_call_table32), %l7 ++ ldx [%sp + PTREGS_OFF + PT_V9_I0], %i0 ++ or %l7, %lo(sys_call_table32), %l7 ++ ldx [%sp + PTREGS_OFF + PT_V9_I1], %i1 ++ ldx [%sp + PTREGS_OFF + PT_V9_I2], %i2 ++ ldx [%sp + PTREGS_OFF + PT_V9_I3], %i3 ++ ldx [%sp + PTREGS_OFF + PT_V9_I4], %i4 ++ ldx [%sp + PTREGS_OFF + PT_V9_I5], %i5 ++ ++ cmp %g1, NR_syscalls ++ bgeu,pn %xcc, 3f ++ mov -ENOSYS, %o0 ++ ++ sll %g1, 2, %l4 + srl %i0, 0, %o0 ++ lduw [%l7 + %l4], %l7 + srl %i4, 0, %o4 + srl %i1, 0, %o1 + srl %i2, 0, %o2 +@@ -160,7 +178,25 @@ linux_syscall_trace: + add %sp, PTREGS_OFF, %o0 + brnz,pn %o0, 3f + mov -ENOSYS, %o0 ++ ++ /* Syscall tracing can modify the registers. */ ++ ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1 ++ sethi %hi(sys_call_table64), %l7 ++ ldx [%sp + PTREGS_OFF + PT_V9_I0], %i0 ++ or %l7, %lo(sys_call_table64), %l7 ++ ldx [%sp + PTREGS_OFF + PT_V9_I1], %i1 ++ ldx [%sp + PTREGS_OFF + PT_V9_I2], %i2 ++ ldx [%sp + PTREGS_OFF + PT_V9_I3], %i3 ++ ldx [%sp + PTREGS_OFF + PT_V9_I4], %i4 ++ ldx [%sp + PTREGS_OFF + PT_V9_I5], %i5 ++ ++ cmp %g1, NR_syscalls ++ bgeu,pn %xcc, 3f ++ mov -ENOSYS, %o0 ++ ++ sll %g1, 2, %l4 + mov %i0, %o0 ++ lduw [%l7 + %l4], %l7 + mov %i1, %o1 + mov %i2, %o2 + mov %i3, %o3 +diff --git a/arch/sparc/kernel/urtt_fill.S b/arch/sparc/kernel/urtt_fill.S +new file mode 100644 +index 000000000000..5604a2b051d4 +--- /dev/null ++++ b/arch/sparc/kernel/urtt_fill.S +@@ -0,0 +1,98 @@ ++#include <asm/thread_info.h> ++#include <asm/trap_block.h> ++#include <asm/spitfire.h> ++#include <asm/ptrace.h> ++#include <asm/head.h> ++ ++ .text ++ .align 8 ++ .globl user_rtt_fill_fixup_common ++user_rtt_fill_fixup_common: ++ rdpr %cwp, %g1 ++ add %g1, 1, %g1 ++ wrpr %g1, 0x0, %cwp ++ ++ rdpr %wstate, %g2 ++ sll %g2, 3, %g2 ++ wrpr %g2, 0x0, %wstate ++ ++ /* We know %canrestore and %otherwin are both zero. */ ++ ++ sethi %hi(sparc64_kern_pri_context), %g2 ++ ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2 ++ mov PRIMARY_CONTEXT, %g1 ++ ++661: stxa %g2, [%g1] ASI_DMMU ++ .section .sun4v_1insn_patch, "ax" ++ .word 661b ++ stxa %g2, [%g1] ASI_MMU ++ .previous ++ ++ sethi %hi(KERNBASE), %g1 ++ flush %g1 ++ ++ mov %g4, %l4 ++ mov %g5, %l5 ++ brnz,pn %g3, 1f ++ mov %g3, %l3 ++ ++ or %g4, FAULT_CODE_WINFIXUP, %g4 ++ stb %g4, [%g6 + TI_FAULT_CODE] ++ stx %g5, [%g6 + TI_FAULT_ADDR] ++1: ++ mov %g6, %l1 ++ wrpr %g0, 0x0, %tl ++ ++661: nop ++ .section .sun4v_1insn_patch, "ax" ++ .word 661b ++ SET_GL(0) ++ .previous ++ ++ wrpr %g0, RTRAP_PSTATE, %pstate ++ ++ mov %l1, %g6 ++ ldx [%g6 + TI_TASK], %g4 ++ LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3) ++ ++ brnz,pn %l3, 1f ++ nop ++ ++ call do_sparc64_fault ++ add %sp, PTREGS_OFF, %o0 ++ ba,pt %xcc, rtrap ++ nop ++ ++1: cmp %g3, 2 ++ bne,pn %xcc, 2f ++ nop ++ ++ sethi %hi(tlb_type), %g1 ++ lduw [%g1 + %lo(tlb_type)], %g1 ++ cmp %g1, 3 ++ bne,pt %icc, 1f ++ add %sp, PTREGS_OFF, %o0 ++ mov %l4, %o2 ++ call sun4v_do_mna ++ mov %l5, %o1 ++ ba,a,pt %xcc, rtrap ++1: mov %l4, %o1 ++ mov %l5, %o2 ++ call mem_address_unaligned ++ nop ++ ba,a,pt %xcc, rtrap ++ ++2: sethi %hi(tlb_type), %g1 ++ mov %l4, %o1 ++ lduw [%g1 + %lo(tlb_type)], %g1 ++ mov %l5, %o2 ++ cmp %g1, 3 ++ bne,pt %icc, 1f ++ add %sp, PTREGS_OFF, %o0 ++ call sun4v_data_access_exception ++ nop ++ ba,a,pt %xcc, rtrap ++ ++1: call spitfire_data_access_exception ++ nop ++ ba,a,pt %xcc, rtrap +diff --git a/arch/sparc/kernel/utrap.S b/arch/sparc/kernel/utrap.S +index b7f0f3f3a909..c731e8023d3e 100644 +--- a/arch/sparc/kernel/utrap.S ++++ b/arch/sparc/kernel/utrap.S +@@ -11,8 +11,7 @@ utrap_trap: /* %g3=handler,%g4=level */ + mov %l4, %o1 + call bad_trap + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + + invoke_utrap: + sllx %g3, 3, %g3 +diff --git a/arch/sparc/kernel/vmlinux.lds.S b/arch/sparc/kernel/vmlinux.lds.S +index 09243057cb0b..7028b4dab903 100644 +--- a/arch/sparc/kernel/vmlinux.lds.S ++++ b/arch/sparc/kernel/vmlinux.lds.S +@@ -33,6 +33,10 @@ ENTRY(_start) + jiffies = jiffies_64; + #endif + ++#ifdef CONFIG_SPARC64 ++ASSERT((swapper_tsb == 0x0000000000408000), "Error: sparc64 early assembler too large") ++#endif ++ + SECTIONS + { + #ifdef CONFIG_SPARC64 +diff --git a/arch/sparc/kernel/winfixup.S b/arch/sparc/kernel/winfixup.S +index 1e67ce958369..855019a8590e 100644 +--- a/arch/sparc/kernel/winfixup.S ++++ b/arch/sparc/kernel/winfixup.S +@@ -32,8 +32,7 @@ fill_fixup: + rd %pc, %g7 + call do_sparc64_fault + add %sp, PTREGS_OFF, %o0 +- ba,pt %xcc, rtrap +- nop ++ ba,a,pt %xcc, rtrap + + /* Be very careful about usage of the trap globals here. + * You cannot touch %g5 as that has the fault information. +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c +index 2d91c62f7f5f..7dd57626da19 100644 +--- a/arch/sparc/mm/init_64.c ++++ b/arch/sparc/mm/init_64.c +@@ -1300,10 +1300,18 @@ static int __init numa_parse_sun4u(void) + + static int __init bootmem_init_numa(void) + { ++ int i, j; + int err = -1; + + numadbg("bootmem_init_numa()\n"); + ++ /* Some sane defaults for numa latency values */ ++ for (i = 0; i < MAX_NUMNODES; i++) { ++ for (j = 0; j < MAX_NUMNODES; j++) ++ numa_latency[i][j] = (i == j) ? ++ LOCAL_DISTANCE : REMOTE_DISTANCE; ++ } ++ + if (numa_enabled) { + if (tlb_type == hypervisor) + err = numa_parse_mdesc(); +@@ -2730,9 +2738,10 @@ void hugetlb_setup(struct pt_regs *regs) + * the Data-TLB for huge pages. + */ + if (tlb_type == cheetah_plus) { ++ bool need_context_reload = false; + unsigned long ctx; + +- spin_lock(&ctx_alloc_lock); ++ spin_lock_irq(&ctx_alloc_lock); + ctx = mm->context.sparc64_ctx_val; + ctx &= ~CTX_PGSZ_MASK; + ctx |= CTX_PGSZ_BASE << CTX_PGSZ0_SHIFT; +@@ -2751,9 +2760,12 @@ void hugetlb_setup(struct pt_regs *regs) + * also executing in this address space. + */ + mm->context.sparc64_ctx_val = ctx; +- on_each_cpu(context_reload, mm, 0); ++ need_context_reload = true; + } +- spin_unlock(&ctx_alloc_lock); ++ spin_unlock_irq(&ctx_alloc_lock); ++ ++ if (need_context_reload) ++ on_each_cpu(context_reload, mm, 0); + } + } + #endif +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index f2e281cf8c19..a78aa118afc2 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -931,7 +931,19 @@ int kprobe_fault_handler(struct pt_regs *regs, int trapnr) + * normal page fault. + */ + regs->ip = (unsigned long)cur->addr; ++ /* ++ * Trap flag (TF) has been set here because this fault ++ * happened where the single stepping will be done. ++ * So clear it by resetting the current kprobe: ++ */ ++ regs->flags &= ~X86_EFLAGS_TF; ++ ++ /* ++ * If the TF flag was set before the kprobe hit, ++ * don't touch it: ++ */ + regs->flags |= kcb->kprobe_old_flags; ++ + if (kcb->kprobe_status == KPROBE_REENTER) + restore_previous_kprobe(kcb); + else +diff --git a/arch/x86/mm/kmmio.c b/arch/x86/mm/kmmio.c +index 637ab34ed632..ddb2244b06a1 100644 +--- a/arch/x86/mm/kmmio.c ++++ b/arch/x86/mm/kmmio.c +@@ -33,7 +33,7 @@ + struct kmmio_fault_page { + struct list_head list; + struct kmmio_fault_page *release_next; +- unsigned long page; /* location of the fault page */ ++ unsigned long addr; /* the requested address */ + pteval_t old_presence; /* page presence prior to arming */ + bool armed; + +@@ -70,9 +70,16 @@ unsigned int kmmio_count; + static struct list_head kmmio_page_table[KMMIO_PAGE_TABLE_SIZE]; + static LIST_HEAD(kmmio_probes); + +-static struct list_head *kmmio_page_list(unsigned long page) ++static struct list_head *kmmio_page_list(unsigned long addr) + { +- return &kmmio_page_table[hash_long(page, KMMIO_PAGE_HASH_BITS)]; ++ unsigned int l; ++ pte_t *pte = lookup_address(addr, &l); ++ ++ if (!pte) ++ return NULL; ++ addr &= page_level_mask(l); ++ ++ return &kmmio_page_table[hash_long(addr, KMMIO_PAGE_HASH_BITS)]; + } + + /* Accessed per-cpu */ +@@ -98,15 +105,19 @@ static struct kmmio_probe *get_kmmio_probe(unsigned long addr) + } + + /* You must be holding RCU read lock. */ +-static struct kmmio_fault_page *get_kmmio_fault_page(unsigned long page) ++static struct kmmio_fault_page *get_kmmio_fault_page(unsigned long addr) + { + struct list_head *head; + struct kmmio_fault_page *f; ++ unsigned int l; ++ pte_t *pte = lookup_address(addr, &l); + +- page &= PAGE_MASK; +- head = kmmio_page_list(page); ++ if (!pte) ++ return NULL; ++ addr &= page_level_mask(l); ++ head = kmmio_page_list(addr); + list_for_each_entry_rcu(f, head, list) { +- if (f->page == page) ++ if (f->addr == addr) + return f; + } + return NULL; +@@ -137,10 +148,10 @@ static void clear_pte_presence(pte_t *pte, bool clear, pteval_t *old) + static int clear_page_presence(struct kmmio_fault_page *f, bool clear) + { + unsigned int level; +- pte_t *pte = lookup_address(f->page, &level); ++ pte_t *pte = lookup_address(f->addr, &level); + + if (!pte) { +- pr_err("no pte for page 0x%08lx\n", f->page); ++ pr_err("no pte for addr 0x%08lx\n", f->addr); + return -1; + } + +@@ -156,7 +167,7 @@ static int clear_page_presence(struct kmmio_fault_page *f, bool clear) + return -1; + } + +- __flush_tlb_one(f->page); ++ __flush_tlb_one(f->addr); + return 0; + } + +@@ -176,12 +187,12 @@ static int arm_kmmio_fault_page(struct kmmio_fault_page *f) + int ret; + WARN_ONCE(f->armed, KERN_ERR pr_fmt("kmmio page already armed.\n")); + if (f->armed) { +- pr_warning("double-arm: page 0x%08lx, ref %d, old %d\n", +- f->page, f->count, !!f->old_presence); ++ pr_warning("double-arm: addr 0x%08lx, ref %d, old %d\n", ++ f->addr, f->count, !!f->old_presence); + } + ret = clear_page_presence(f, true); +- WARN_ONCE(ret < 0, KERN_ERR pr_fmt("arming 0x%08lx failed.\n"), +- f->page); ++ WARN_ONCE(ret < 0, KERN_ERR pr_fmt("arming at 0x%08lx failed.\n"), ++ f->addr); + f->armed = true; + return ret; + } +@@ -191,7 +202,7 @@ static void disarm_kmmio_fault_page(struct kmmio_fault_page *f) + { + int ret = clear_page_presence(f, false); + WARN_ONCE(ret < 0, +- KERN_ERR "kmmio disarming 0x%08lx failed.\n", f->page); ++ KERN_ERR "kmmio disarming at 0x%08lx failed.\n", f->addr); + f->armed = false; + } + +@@ -215,6 +226,12 @@ int kmmio_handler(struct pt_regs *regs, unsigned long addr) + struct kmmio_context *ctx; + struct kmmio_fault_page *faultpage; + int ret = 0; /* default to fault not handled */ ++ unsigned long page_base = addr; ++ unsigned int l; ++ pte_t *pte = lookup_address(addr, &l); ++ if (!pte) ++ return -EINVAL; ++ page_base &= page_level_mask(l); + + /* + * Preemption is now disabled to prevent process switch during +@@ -227,7 +244,7 @@ int kmmio_handler(struct pt_regs *regs, unsigned long addr) + preempt_disable(); + rcu_read_lock(); + +- faultpage = get_kmmio_fault_page(addr); ++ faultpage = get_kmmio_fault_page(page_base); + if (!faultpage) { + /* + * Either this page fault is not caused by kmmio, or +@@ -239,7 +256,7 @@ int kmmio_handler(struct pt_regs *regs, unsigned long addr) + + ctx = &get_cpu_var(kmmio_ctx); + if (ctx->active) { +- if (addr == ctx->addr) { ++ if (page_base == ctx->addr) { + /* + * A second fault on the same page means some other + * condition needs handling by do_page_fault(), the +@@ -267,9 +284,9 @@ int kmmio_handler(struct pt_regs *regs, unsigned long addr) + ctx->active++; + + ctx->fpage = faultpage; +- ctx->probe = get_kmmio_probe(addr); ++ ctx->probe = get_kmmio_probe(page_base); + ctx->saved_flags = (regs->flags & (X86_EFLAGS_TF | X86_EFLAGS_IF)); +- ctx->addr = addr; ++ ctx->addr = page_base; + + if (ctx->probe && ctx->probe->pre_handler) + ctx->probe->pre_handler(ctx->probe, regs, addr); +@@ -354,12 +371,11 @@ out: + } + + /* You must be holding kmmio_lock. */ +-static int add_kmmio_fault_page(unsigned long page) ++static int add_kmmio_fault_page(unsigned long addr) + { + struct kmmio_fault_page *f; + +- page &= PAGE_MASK; +- f = get_kmmio_fault_page(page); ++ f = get_kmmio_fault_page(addr); + if (f) { + if (!f->count) + arm_kmmio_fault_page(f); +@@ -372,26 +388,25 @@ static int add_kmmio_fault_page(unsigned long page) + return -1; + + f->count = 1; +- f->page = page; ++ f->addr = addr; + + if (arm_kmmio_fault_page(f)) { + kfree(f); + return -1; + } + +- list_add_rcu(&f->list, kmmio_page_list(f->page)); ++ list_add_rcu(&f->list, kmmio_page_list(f->addr)); + + return 0; + } + + /* You must be holding kmmio_lock. */ +-static void release_kmmio_fault_page(unsigned long page, ++static void release_kmmio_fault_page(unsigned long addr, + struct kmmio_fault_page **release_list) + { + struct kmmio_fault_page *f; + +- page &= PAGE_MASK; +- f = get_kmmio_fault_page(page); ++ f = get_kmmio_fault_page(addr); + if (!f) + return; + +@@ -420,18 +435,27 @@ int register_kmmio_probe(struct kmmio_probe *p) + int ret = 0; + unsigned long size = 0; + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); ++ unsigned int l; ++ pte_t *pte; + + spin_lock_irqsave(&kmmio_lock, flags); + if (get_kmmio_probe(p->addr)) { + ret = -EEXIST; + goto out; + } ++ ++ pte = lookup_address(p->addr, &l); ++ if (!pte) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + kmmio_count++; + list_add_rcu(&p->list, &kmmio_probes); + while (size < size_lim) { + if (add_kmmio_fault_page(p->addr + size)) + pr_err("Unable to set page fault.\n"); +- size += PAGE_SIZE; ++ size += page_level_size(l); + } + out: + spin_unlock_irqrestore(&kmmio_lock, flags); +@@ -506,11 +530,17 @@ void unregister_kmmio_probe(struct kmmio_probe *p) + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); + struct kmmio_fault_page *release_list = NULL; + struct kmmio_delayed_release *drelease; ++ unsigned int l; ++ pte_t *pte; ++ ++ pte = lookup_address(p->addr, &l); ++ if (!pte) ++ return; + + spin_lock_irqsave(&kmmio_lock, flags); + while (size < size_lim) { + release_kmmio_fault_page(p->addr + size, &release_list); +- size += PAGE_SIZE; ++ size += page_level_size(l); + } + list_del_rcu(&p->list); + kmmio_count--; +diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c +index 1d29376072da..841a04c1b258 100644 +--- a/crypto/asymmetric_keys/pkcs7_trust.c ++++ b/crypto/asymmetric_keys/pkcs7_trust.c +@@ -174,6 +174,8 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, + int cached_ret = -ENOKEY; + int ret; + ++ *_trusted = false; ++ + for (p = pkcs7->certs; p; p = p->next) + p->seen = false; + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 4ec95b76f6a1..0550c76f4e6c 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -605,7 +605,7 @@ void ata_scsi_error(struct Scsi_Host *host) + ata_scsi_port_error_handler(host, ap); + + /* finish or retry handled scmd's and clean up */ +- WARN_ON(host->host_failed || !list_empty(&eh_work_q)); ++ WARN_ON(!list_empty(&eh_work_q)); + + DPRINTK("EXIT\n"); + } +diff --git a/drivers/base/module.c b/drivers/base/module.c +index db930d3ee312..2a215780eda2 100644 +--- a/drivers/base/module.c ++++ b/drivers/base/module.c +@@ -24,10 +24,12 @@ static char *make_driver_name(struct device_driver *drv) + + static void module_create_drivers_dir(struct module_kobject *mk) + { +- if (!mk || mk->drivers_dir) +- return; ++ static DEFINE_MUTEX(drivers_dir_mutex); + +- mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); ++ mutex_lock(&drivers_dir_mutex); ++ if (mk && !mk->drivers_dir) ++ mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); ++ mutex_unlock(&drivers_dir_mutex); + } + + void module_add_driver(struct module *mod, struct device_driver *drv) +diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c +index d7e0b9b806e9..93e542cb4911 100644 +--- a/drivers/block/mtip32xx/mtip32xx.c ++++ b/drivers/block/mtip32xx/mtip32xx.c +@@ -2946,9 +2946,15 @@ static int mtip_service_thread(void *data) + * is in progress nor error handling is active + */ + wait_event_interruptible(port->svc_wait, (port->flags) && +- !(port->flags & MTIP_PF_PAUSE_IO)); ++ (port->flags & MTIP_PF_SVC_THD_WORK)); + +- set_bit(MTIP_PF_SVC_THD_ACTIVE_BIT, &port->flags); ++ if (kthread_should_stop() || ++ test_bit(MTIP_PF_SVC_THD_STOP_BIT, &port->flags)) ++ goto st_out; ++ ++ if (unlikely(test_bit(MTIP_DDF_REMOVE_PENDING_BIT, ++ &dd->dd_flag))) ++ goto st_out; + + if (kthread_should_stop() || + test_bit(MTIP_PF_SVC_THD_STOP_BIT, &port->flags)) +@@ -2962,6 +2968,8 @@ static int mtip_service_thread(void *data) + &dd->dd_flag))) + goto st_out; + ++ set_bit(MTIP_PF_SVC_THD_ACTIVE_BIT, &port->flags); ++ + restart_eh: + /* Demux bits: start with error handling */ + if (test_bit(MTIP_PF_EH_ACTIVE_BIT, &port->flags)) { +@@ -3004,10 +3012,8 @@ restart_eh: + } + + if (test_bit(MTIP_PF_REBUILD_BIT, &port->flags)) { +- if (mtip_ftl_rebuild_poll(dd) < 0) +- set_bit(MTIP_DDF_REBUILD_FAILED_BIT, +- &dd->dd_flag); +- clear_bit(MTIP_PF_REBUILD_BIT, &port->flags); ++ if (mtip_ftl_rebuild_poll(dd) == 0) ++ clear_bit(MTIP_PF_REBUILD_BIT, &port->flags); + } + } + +@@ -3886,7 +3892,6 @@ static int mtip_block_initialize(struct driver_data *dd) + + mtip_hw_debugfs_init(dd); + +-skip_create_disk: + memset(&dd->tags, 0, sizeof(dd->tags)); + dd->tags.ops = &mtip_mq_ops; + dd->tags.nr_hw_queues = 1; +@@ -3916,6 +3921,7 @@ skip_create_disk: + dd->disk->queue = dd->queue; + dd->queue->queuedata = dd; + ++skip_create_disk: + /* Initialize the protocol layer. */ + wait_for_rebuild = mtip_hw_get_identify(dd); + if (wait_for_rebuild < 0) { +@@ -4077,7 +4083,8 @@ static int mtip_block_remove(struct driver_data *dd) + dd->bdev = NULL; + } + if (dd->disk) { +- del_gendisk(dd->disk); ++ if (test_bit(MTIP_DDF_INIT_DONE_BIT, &dd->dd_flag)) ++ del_gendisk(dd->disk); + if (dd->disk->queue) { + blk_cleanup_queue(dd->queue); + blk_mq_free_tag_set(&dd->tags); +@@ -4118,7 +4125,8 @@ static int mtip_block_shutdown(struct driver_data *dd) + dev_info(&dd->pdev->dev, + "Shutting down %s ...\n", dd->disk->disk_name); + +- del_gendisk(dd->disk); ++ if (test_bit(MTIP_DDF_INIT_DONE_BIT, &dd->dd_flag)) ++ del_gendisk(dd->disk); + if (dd->disk->queue) { + blk_cleanup_queue(dd->queue); + blk_mq_free_tag_set(&dd->tags); +diff --git a/drivers/block/mtip32xx/mtip32xx.h b/drivers/block/mtip32xx/mtip32xx.h +index 76695265dffb..578ad36c9913 100644 +--- a/drivers/block/mtip32xx/mtip32xx.h ++++ b/drivers/block/mtip32xx/mtip32xx.h +@@ -145,6 +145,11 @@ enum { + MTIP_PF_SR_CLEANUP_BIT = 7, + MTIP_PF_SVC_THD_STOP_BIT = 8, + ++ MTIP_PF_SVC_THD_WORK = ((1 << MTIP_PF_EH_ACTIVE_BIT) | ++ (1 << MTIP_PF_ISSUE_CMDS_BIT) | ++ (1 << MTIP_PF_REBUILD_BIT) | ++ (1 << MTIP_PF_SVC_THD_STOP_BIT)), ++ + /* below are bit numbers in 'dd_flag' defined in driver_data */ + MTIP_DDF_SEC_LOCK_BIT = 0, + MTIP_DDF_REMOVE_PENDING_BIT = 1, +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index a98c41f72c63..101232982c58 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -578,8 +578,8 @@ static void do_nbd_request(struct request_queue *q) + BUG_ON(nbd->magic != NBD_MAGIC); + + if (unlikely(!nbd->sock)) { +- dev_err(disk_to_dev(nbd->disk), +- "Attempted send on closed socket\n"); ++ dev_err_ratelimited(disk_to_dev(nbd->disk), ++ "Attempted send on closed socket\n"); + req->errors++; + nbd_end_request(req); + spin_lock_irq(q->queue_lock); +diff --git a/drivers/block/paride/pd.c b/drivers/block/paride/pd.c +index d48715b287e6..b0414702e61a 100644 +--- a/drivers/block/paride/pd.c ++++ b/drivers/block/paride/pd.c +@@ -126,7 +126,7 @@ + */ + #include <linux/types.h> + +-static bool verbose = 0; ++static int verbose = 0; + static int major = PD_MAJOR; + static char *name = PD_NAME; + static int cluster = 64; +@@ -161,7 +161,7 @@ enum {D_PRT, D_PRO, D_UNI, D_MOD, D_GEO, D_SBY, D_DLY, D_SLV}; + static DEFINE_MUTEX(pd_mutex); + static DEFINE_SPINLOCK(pd_lock); + +-module_param(verbose, bool, 0); ++module_param(verbose, int, 0); + module_param(major, int, 0); + module_param(name, charp, 0); + module_param(cluster, int, 0); +diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c +index 2596042eb987..ada45058e04d 100644 +--- a/drivers/block/paride/pt.c ++++ b/drivers/block/paride/pt.c +@@ -117,7 +117,7 @@ + + */ + +-static bool verbose = 0; ++static int verbose = 0; + static int major = PT_MAJOR; + static char *name = PT_NAME; + static int disable = 0; +@@ -152,7 +152,7 @@ static int (*drives[4])[6] = {&drive0, &drive1, &drive2, &drive3}; + + #include <asm/uaccess.h> + +-module_param(verbose, bool, 0); ++module_param(verbose, int, 0); + module_param(major, int, 0); + module_param(name, charp, 0); + module_param_array(drive0, int, NULL, 0); +diff --git a/drivers/clk/qcom/gcc-msm8960.c b/drivers/clk/qcom/gcc-msm8960.c +index 007534f7a2d7..9004a4e88800 100644 +--- a/drivers/clk/qcom/gcc-msm8960.c ++++ b/drivers/clk/qcom/gcc-msm8960.c +@@ -2740,7 +2740,7 @@ static struct clk_rcg ce3_src = { + }, + .freq_tbl = clk_tbl_ce3, + .clkr = { +- .enable_reg = 0x2c08, ++ .enable_reg = 0x36c0, + .enable_mask = BIT(7), + .hw.init = &(struct clk_init_data){ + .name = "ce3_src", +@@ -2756,7 +2756,7 @@ static struct clk_branch ce3_core_clk = { + .halt_reg = 0x2fdc, + .halt_bit = 5, + .clkr = { +- .enable_reg = 0x36c4, ++ .enable_reg = 0x36cc, + .enable_mask = BIT(4), + .hw.init = &(struct clk_init_data){ + .name = "ce3_core_clk", +diff --git a/drivers/clk/rockchip/clk.c b/drivers/clk/rockchip/clk.c +index 880a266f0143..a25261aaf793 100644 +--- a/drivers/clk/rockchip/clk.c ++++ b/drivers/clk/rockchip/clk.c +@@ -70,7 +70,7 @@ static struct clk *rockchip_clk_register_branch(const char *name, + if (gate_offset >= 0) { + gate = kzalloc(sizeof(*gate), GFP_KERNEL); + if (!gate) +- return ERR_PTR(-ENOMEM); ++ goto err_gate; + + gate->flags = gate_flags; + gate->reg = base + gate_offset; +@@ -82,7 +82,7 @@ static struct clk *rockchip_clk_register_branch(const char *name, + if (div_width > 0) { + div = kzalloc(sizeof(*div), GFP_KERNEL); + if (!div) +- return ERR_PTR(-ENOMEM); ++ goto err_div; + + div->flags = div_flags; + div->reg = base + muxdiv_offset; +@@ -100,6 +100,11 @@ static struct clk *rockchip_clk_register_branch(const char *name, + flags); + + return clk; ++err_div: ++ kfree(gate); ++err_gate: ++ kfree(mux); ++ return ERR_PTR(-ENOMEM); + } + + static struct clk *rockchip_clk_register_frac_branch(const char *name, +diff --git a/drivers/clk/versatile/clk-sp810.c b/drivers/clk/versatile/clk-sp810.c +index 5122ef25f595..e63c3ef9b5ec 100644 +--- a/drivers/clk/versatile/clk-sp810.c ++++ b/drivers/clk/versatile/clk-sp810.c +@@ -141,6 +141,7 @@ void __init clk_sp810_of_setup(struct device_node *node) + const char *parent_names[2]; + char name[12]; + struct clk_init_data init; ++ static int instance; + int i; + + if (!sp810) { +@@ -172,7 +173,7 @@ void __init clk_sp810_of_setup(struct device_node *node) + init.num_parents = ARRAY_SIZE(parent_names); + + for (i = 0; i < ARRAY_SIZE(sp810->timerclken); i++) { +- snprintf(name, ARRAY_SIZE(name), "timerclken%d", i); ++ snprintf(name, sizeof(name), "sp810_%d_%d", instance, i); + + sp810->timerclken[i].sp810 = sp810; + sp810->timerclken[i].channel = i; +@@ -184,5 +185,6 @@ void __init clk_sp810_of_setup(struct device_node *node) + } + + of_clk_add_provider(node, clk_sp810_timerclken_of_get, sp810); ++ instance++; + } + CLK_OF_DECLARE(sp810, "arm,sp810", clk_sp810_of_setup); +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index 8e5e0187506f..3ff21c3e9ab2 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -797,7 +797,7 @@ static int hash_process_data(struct hash_device_data *device_data, + &device_data->state); + memmove(req_ctx->state.buffer, + device_data->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, + "%s: hash_resume_state() failed!\n", +@@ -848,7 +848,7 @@ static int hash_process_data(struct hash_device_data *device_data, + + memmove(device_data->state.buffer, + req_ctx->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, "%s: hash_save_state() failed!\n", + __func__); +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index 8590099ac148..71e090c8c85e 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -154,6 +154,7 @@ static int generic_ops_register(void) + { + generic_ops.get_variable = efi.get_variable; + generic_ops.set_variable = efi.set_variable; ++ generic_ops.set_variable_nonblocking = efi.set_variable_nonblocking; + generic_ops.get_next_variable = efi.get_next_variable; + generic_ops.query_variable_store = efi_query_variable_store; + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index c2d76fed3abf..234e89c013dd 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -6526,12 +6526,14 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + { + struct drm_i915_private *dev_priv = dev->dev_private; + struct intel_encoder *encoder; ++ int i; + u32 val, final; + bool has_lvds = false; + bool has_cpu_edp = false; + bool has_panel = false; + bool has_ck505 = false; + bool can_ssc = false; ++ bool using_ssc_source = false; + + /* We need to take the global config into account */ + for_each_intel_encoder(dev, encoder) { +@@ -6556,8 +6558,22 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + can_ssc = true; + } + +- DRM_DEBUG_KMS("has_panel %d has_lvds %d has_ck505 %d\n", +- has_panel, has_lvds, has_ck505); ++ /* Check if any DPLLs are using the SSC source */ ++ for (i = 0; i < dev_priv->num_shared_dpll; i++) { ++ u32 temp = I915_READ(PCH_DPLL(i)); ++ ++ if (!(temp & DPLL_VCO_ENABLE)) ++ continue; ++ ++ if ((temp & PLL_REF_INPUT_MASK) == ++ PLLB_REF_INPUT_SPREADSPECTRUMIN) { ++ using_ssc_source = true; ++ break; ++ } ++ } ++ ++ DRM_DEBUG_KMS("has_panel %d has_lvds %d has_ck505 %d using_ssc_source %d\n", ++ has_panel, has_lvds, has_ck505, using_ssc_source); + + /* Ironlake: try to setup display ref clock before DPLL + * enabling. This is only under driver's control after +@@ -6594,9 +6610,9 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + final |= DREF_CPU_SOURCE_OUTPUT_NONSPREAD; + } else + final |= DREF_CPU_SOURCE_OUTPUT_DISABLE; +- } else { +- final |= DREF_SSC_SOURCE_DISABLE; +- final |= DREF_CPU_SOURCE_OUTPUT_DISABLE; ++ } else if (using_ssc_source) { ++ final |= DREF_SSC_SOURCE_ENABLE; ++ final |= DREF_SSC1_ENABLE; + } + + if (final == val) +@@ -6642,7 +6658,7 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + POSTING_READ(PCH_DREF_CONTROL); + udelay(200); + } else { +- DRM_DEBUG_KMS("Disabling SSC entirely\n"); ++ DRM_DEBUG_KMS("Disabling CPU source output\n"); + + val &= ~DREF_CPU_SOURCE_OUTPUT_MASK; + +@@ -6653,16 +6669,20 @@ static void ironlake_init_pch_refclk(struct drm_device *dev) + POSTING_READ(PCH_DREF_CONTROL); + udelay(200); + +- /* Turn off the SSC source */ +- val &= ~DREF_SSC_SOURCE_MASK; +- val |= DREF_SSC_SOURCE_DISABLE; ++ if (!using_ssc_source) { ++ DRM_DEBUG_KMS("Disabling SSC source\n"); + +- /* Turn off SSC1 */ +- val &= ~DREF_SSC1_ENABLE; ++ /* Turn off the SSC source */ ++ val &= ~DREF_SSC_SOURCE_MASK; ++ val |= DREF_SSC_SOURCE_DISABLE; + +- I915_WRITE(PCH_DREF_CONTROL, val); +- POSTING_READ(PCH_DREF_CONTROL); +- udelay(200); ++ /* Turn off SSC1 */ ++ val &= ~DREF_SSC1_ENABLE; ++ ++ I915_WRITE(PCH_DREF_CONTROL, val); ++ POSTING_READ(PCH_DREF_CONTROL); ++ udelay(200); ++ } + } + + BUG_ON(val != final); +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index ff6358f8a9c6..993c9a0377da 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -568,7 +568,8 @@ nouveau_fbcon_init(struct drm_device *dev) + if (ret) + goto fini; + +- fbcon->helper.fbdev->pixmap.buf_align = 4; ++ if (fbcon->helper.fbdev) ++ fbcon->helper.fbdev->pixmap.buf_align = 4; + return 0; + + fini: +diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c +index ce8cab52285b..2f2e50a0feb4 100644 +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -1730,6 +1730,7 @@ static u32 radeon_get_pll_use_mask(struct drm_crtc *crtc) + static int radeon_get_shared_dp_ppll(struct drm_crtc *crtc) + { + struct drm_device *dev = crtc->dev; ++ struct radeon_device *rdev = dev->dev_private; + struct drm_crtc *test_crtc; + struct radeon_crtc *test_radeon_crtc; + +@@ -1739,6 +1740,10 @@ static int radeon_get_shared_dp_ppll(struct drm_crtc *crtc) + test_radeon_crtc = to_radeon_crtc(test_crtc); + if (test_radeon_crtc->encoder && + ENCODER_MODE_IS_DP(atombios_get_encoder_mode(test_radeon_crtc->encoder))) { ++ /* PPLL2 is exclusive to UNIPHYA on DCE61 */ ++ if (ASIC_IS_DCE61(rdev) && !ASIC_IS_DCE8(rdev) && ++ test_radeon_crtc->pll_id == ATOM_PPLL2) ++ continue; + /* for DP use the same PLL for all */ + if (test_radeon_crtc->pll_id != ATOM_PPLL_INVALID) + return test_radeon_crtc->pll_id; +@@ -1760,6 +1765,7 @@ static int radeon_get_shared_nondp_ppll(struct drm_crtc *crtc) + { + struct radeon_crtc *radeon_crtc = to_radeon_crtc(crtc); + struct drm_device *dev = crtc->dev; ++ struct radeon_device *rdev = dev->dev_private; + struct drm_crtc *test_crtc; + struct radeon_crtc *test_radeon_crtc; + u32 adjusted_clock, test_adjusted_clock; +@@ -1775,6 +1781,10 @@ static int radeon_get_shared_nondp_ppll(struct drm_crtc *crtc) + test_radeon_crtc = to_radeon_crtc(test_crtc); + if (test_radeon_crtc->encoder && + !ENCODER_MODE_IS_DP(atombios_get_encoder_mode(test_radeon_crtc->encoder))) { ++ /* PPLL2 is exclusive to UNIPHYA on DCE61 */ ++ if (ASIC_IS_DCE61(rdev) && !ASIC_IS_DCE8(rdev) && ++ test_radeon_crtc->pll_id == ATOM_PPLL2) ++ continue; + /* check if we are already driving this connector with another crtc */ + if (test_radeon_crtc->connector == radeon_crtc->connector) { + /* if we are, return that pll */ +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 5d54ab0fbe2b..6b99d3956baa 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -599,6 +599,23 @@ void radeon_gtt_location(struct radeon_device *rdev, struct radeon_mc *mc) + /* + * GPU helpers function. + */ ++ ++/** ++ * radeon_device_is_virtual - check if we are running is a virtual environment ++ * ++ * Check if the asic has been passed through to a VM (all asics). ++ * Used at driver startup. ++ * Returns true if virtual or false if not. ++ */ ++static bool radeon_device_is_virtual(void) ++{ ++#ifdef CONFIG_X86 ++ return boot_cpu_has(X86_FEATURE_HYPERVISOR); ++#else ++ return false; ++#endif ++} ++ + /** + * radeon_card_posted - check if the hw has already been initialized + * +@@ -612,6 +629,10 @@ bool radeon_card_posted(struct radeon_device *rdev) + { + uint32_t reg; + ++ /* for pass through, always force asic_init */ ++ if (radeon_device_is_virtual()) ++ return false; ++ + /* required for EFI mode on macbook2,1 which uses an r5xx asic */ + if (efi_enabled(EFI_BOOT) && + (rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) && +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c +index 481e718086fc..c3530caa7ddd 100644 +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -2922,6 +2922,7 @@ static struct si_dpm_quirk si_dpm_quirk_list[] = { + /* PITCAIRN - https://bugs.freedesktop.org/show_bug.cgi?id=76490 */ + { PCI_VENDOR_ID_ATI, 0x6810, 0x1462, 0x3036, 0, 120000 }, + { PCI_VENDOR_ID_ATI, 0x6811, 0x174b, 0xe271, 0, 120000 }, ++ { PCI_VENDOR_ID_ATI, 0x6811, 0x174b, 0x2015, 0, 120000 }, + { PCI_VENDOR_ID_ATI, 0x6810, 0x174b, 0xe271, 85000, 90000 }, + { PCI_VENDOR_ID_ATI, 0x6811, 0x1762, 0x2015, 0, 120000 }, + { PCI_VENDOR_ID_ATI, 0x6811, 0x1043, 0x2015, 0, 120000 }, +@@ -2956,6 +2957,10 @@ static void si_apply_state_adjust_rules(struct radeon_device *rdev, + } + ++p; + } ++ /* limit mclk on all R7 370 parts for stability */ ++ if (rdev->pdev->device == 0x6811 && ++ rdev->pdev->revision == 0x81) ++ max_mclk = 120000; + + if ((rdev->pm.dpm.new_active_crtc_count > 1) || + ni_dpm_vblank_too_short(rdev)) +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index 5fc16cecd3ba..cd8d183dcfe5 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -546,7 +546,7 @@ static int udlfb_create(struct drm_fb_helper *helper, + + return ret; + out_gfree: +- drm_gem_object_unreference(&ufbdev->ufb.obj->base); ++ drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base); + out: + return ret; + } +diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c +index 8044f5fb7c49..6de963b70eee 100644 +--- a/drivers/gpu/drm/udl/udl_gem.c ++++ b/drivers/gpu/drm/udl/udl_gem.c +@@ -51,7 +51,7 @@ udl_gem_create(struct drm_file *file, + return ret; + } + +- drm_gem_object_unreference(&obj->base); ++ drm_gem_object_unreference_unlocked(&obj->base); + *handle_p = handle; + return 0; + } +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index cb4bc0dadba5..19a3a12f3257 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1834,6 +1834,7 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_ELITE_KBD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_CORDLESS_DESKTOP_LX500) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_EXTREME_3D) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_DUAL_ACTION) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_WHEEL) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD_CORD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD) }, +diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c +index 4e49462870ab..d0c8a1c1e1fe 100644 +--- a/drivers/hid/hid-elo.c ++++ b/drivers/hid/hid-elo.c +@@ -259,7 +259,7 @@ static void elo_remove(struct hid_device *hdev) + struct elo_priv *priv = hid_get_drvdata(hdev); + + hid_hw_stop(hdev); +- flush_workqueue(wq); ++ cancel_delayed_work_sync(&priv->work); + kfree(priv); + } + +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca6f2e0..700145b15088 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; +diff --git a/drivers/hwmon/max1111.c b/drivers/hwmon/max1111.c +index f67d71ee8386..159f50d0ae39 100644 +--- a/drivers/hwmon/max1111.c ++++ b/drivers/hwmon/max1111.c +@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111; + + int max1111_read_channel(int channel) + { ++ if (!the_max1111 || !the_max1111->spi) ++ return -ENODEV; ++ + return max1111_read(&the_max1111->spi->dev, channel); + } + EXPORT_SYMBOL(max1111_read_channel); +@@ -258,6 +261,9 @@ static int max1111_remove(struct spi_device *spi) + { + struct max1111_data *data = spi_get_drvdata(spi); + ++#ifdef CONFIG_SHARPSL_PM ++ the_max1111 = NULL; ++#endif + hwmon_device_unregister(data->hwmon_dev); + sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group); + sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); +diff --git a/drivers/i2c/busses/i2c-exynos5.c b/drivers/i2c/busses/i2c-exynos5.c +index 81e6263cd7da..91a6362bbef6 100644 +--- a/drivers/i2c/busses/i2c-exynos5.c ++++ b/drivers/i2c/busses/i2c-exynos5.c +@@ -671,7 +671,9 @@ static int exynos5_i2c_xfer(struct i2c_adapter *adap, + return -EIO; + } + +- clk_prepare_enable(i2c->clk); ++ ret = clk_enable(i2c->clk); ++ if (ret) ++ return ret; + + for (i = 0; i < num; i++, msgs++) { + stop = (i == num - 1); +@@ -695,7 +697,7 @@ static int exynos5_i2c_xfer(struct i2c_adapter *adap, + } + + out: +- clk_disable_unprepare(i2c->clk); ++ clk_disable(i2c->clk); + return ret; + } + +@@ -747,7 +749,9 @@ static int exynos5_i2c_probe(struct platform_device *pdev) + return -ENOENT; + } + +- clk_prepare_enable(i2c->clk); ++ ret = clk_prepare_enable(i2c->clk); ++ if (ret) ++ return ret; + + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + i2c->regs = devm_ioremap_resource(&pdev->dev, mem); +@@ -799,6 +803,10 @@ static int exynos5_i2c_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, i2c); + ++ clk_disable(i2c->clk); ++ ++ return 0; ++ + err_clk: + clk_disable_unprepare(i2c->clk); + return ret; +@@ -810,6 +818,8 @@ static int exynos5_i2c_remove(struct platform_device *pdev) + + i2c_del_adapter(&i2c->adap); + ++ clk_unprepare(i2c->clk); ++ + return 0; + } + +@@ -821,6 +831,8 @@ static int exynos5_i2c_suspend_noirq(struct device *dev) + + i2c->suspended = 1; + ++ clk_unprepare(i2c->clk); ++ + return 0; + } + +@@ -830,7 +842,9 @@ static int exynos5_i2c_resume_noirq(struct device *dev) + struct exynos5_i2c *i2c = platform_get_drvdata(pdev); + int ret = 0; + +- clk_prepare_enable(i2c->clk); ++ ret = clk_prepare_enable(i2c->clk); ++ if (ret) ++ return ret; + + ret = exynos5_hsi2c_clock_setup(i2c); + if (ret) { +@@ -839,7 +853,7 @@ static int exynos5_i2c_resume_noirq(struct device *dev) + } + + exynos5_i2c_init(i2c); +- clk_disable_unprepare(i2c->clk); ++ clk_disable(i2c->clk); + i2c->suspended = 0; + + return 0; +diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c +index e65ee1947279..b33fa45a13cc 100644 +--- a/drivers/infiniband/hw/mlx4/ah.c ++++ b/drivers/infiniband/hw/mlx4/ah.c +@@ -46,6 +46,7 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr, + + ah->av.ib.port_pd = cpu_to_be32(to_mpd(pd)->pdn | (ah_attr->port_num << 24)); + ah->av.ib.g_slid = ah_attr->src_path_bits; ++ ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28); + if (ah_attr->ah_flags & IB_AH_GRH) { + ah->av.ib.g_slid |= 0x80; + ah->av.ib.gid_index = ah_attr->grh.sgid_index; +@@ -63,7 +64,6 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr, + !(1 << ah->av.ib.stat_rate & dev->caps.stat_rate_support)) + --ah->av.ib.stat_rate; + } +- ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28); + + return &ah->ibah; + } +diff --git a/drivers/input/misc/pmic8xxx-pwrkey.c b/drivers/input/misc/pmic8xxx-pwrkey.c +index c91e3d33aea9..88db9204bac2 100644 +--- a/drivers/input/misc/pmic8xxx-pwrkey.c ++++ b/drivers/input/misc/pmic8xxx-pwrkey.c +@@ -94,7 +94,8 @@ static int pmic8xxx_pwrkey_probe(struct platform_device *pdev) + if (of_property_read_u32(pdev->dev.of_node, "debounce", &kpd_delay)) + kpd_delay = 15625; + +- if (kpd_delay > 62500 || kpd_delay == 0) { ++ /* Valid range of pwr key trigger delay is 1/64 sec to 2 seconds. */ ++ if (kpd_delay > USEC_PER_SEC * 2 || kpd_delay < USEC_PER_SEC / 64) { + dev_err(&pdev->dev, "invalid power key trigger delay\n"); + return -EINVAL; + } +@@ -124,8 +125,8 @@ static int pmic8xxx_pwrkey_probe(struct platform_device *pdev) + pwr->name = "pmic8xxx_pwrkey"; + pwr->phys = "pmic8xxx_pwrkey/input0"; + +- delay = (kpd_delay << 10) / USEC_PER_SEC; +- delay = 1 + ilog2(delay); ++ delay = (kpd_delay << 6) / USEC_PER_SEC; ++ delay = ilog2(delay); + + err = regmap_read(regmap, PON_CNTL_1, &pon_cntl); + if (err < 0) { +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index b3b2a137e55e..8c964907d291 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1550,12 +1550,7 @@ static int elantech_set_properties(struct elantech_data *etd) + case 5: + etd->hw_version = 3; + break; +- case 6: +- case 7: +- case 8: +- case 9: +- case 10: +- case 13: ++ case 6 ... 14: + etd->hw_version = 4; + break; + default: +diff --git a/drivers/input/touchscreen/wacom_w8001.c b/drivers/input/touchscreen/wacom_w8001.c +index 2792ca397dd0..3ed0ce1e4dcb 100644 +--- a/drivers/input/touchscreen/wacom_w8001.c ++++ b/drivers/input/touchscreen/wacom_w8001.c +@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkml@gmail.com>"); + MODULE_DESCRIPTION(DRIVER_DESC); + MODULE_LICENSE("GPL"); + +-#define W8001_MAX_LENGTH 11 ++#define W8001_MAX_LENGTH 13 + #define W8001_LEAD_MASK 0x80 + #define W8001_LEAD_BYTE 0x80 + #define W8001_TAB_MASK 0x40 +diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c +index 8ba48f5eff7b..ce1a855d8b9a 100644 +--- a/drivers/input/touchscreen/zforce_ts.c ++++ b/drivers/input/touchscreen/zforce_ts.c +@@ -359,8 +359,8 @@ static int zforce_touch_event(struct zforce_ts *ts, u8 *payload) + point.coord_x = point.coord_y = 0; + } + +- point.state = payload[9 * i + 5] & 0x03; +- point.id = (payload[9 * i + 5] & 0xfc) >> 2; ++ point.state = payload[9 * i + 5] & 0x0f; ++ point.id = (payload[9 * i + 5] & 0xf0) >> 4; + + /* determine touch major, minor and orientation */ + point.area_major = max(payload[9 * i + 6], +diff --git a/drivers/media/platform/vsp1/vsp1_sru.c b/drivers/media/platform/vsp1/vsp1_sru.c +index b7d3c8b9f189..47f1a4879837 100644 +--- a/drivers/media/platform/vsp1/vsp1_sru.c ++++ b/drivers/media/platform/vsp1/vsp1_sru.c +@@ -154,6 +154,7 @@ static int sru_s_stream(struct v4l2_subdev *subdev, int enable) + mutex_lock(sru->ctrls.lock); + ctrl0 |= vsp1_sru_read(sru, VI6_SRU_CTRL0) + & (VI6_SRU_CTRL0_PARAM0_MASK | VI6_SRU_CTRL0_PARAM1_MASK); ++ vsp1_sru_write(sru, VI6_SRU_CTRL0, ctrl0); + mutex_unlock(sru->ctrls.lock); + + vsp1_sru_write(sru, VI6_SRU_CTRL1, VI6_SRU_CTRL1_PARAM5); +diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig +index bbeb4516facf..878d5430973c 100644 +--- a/drivers/misc/Kconfig ++++ b/drivers/misc/Kconfig +@@ -429,7 +429,7 @@ config ARM_CHARLCD + still useful. + + config BMP085 +- bool ++ tristate + depends on SYSFS + + config BMP085_I2C +diff --git a/drivers/misc/ad525x_dpot.c b/drivers/misc/ad525x_dpot.c +index a43053daad0e..46272b0ae2dd 100644 +--- a/drivers/misc/ad525x_dpot.c ++++ b/drivers/misc/ad525x_dpot.c +@@ -215,7 +215,7 @@ static s32 dpot_read_i2c(struct dpot_data *dpot, u8 reg) + */ + value = swab16(value); + +- if (dpot->uid == DPOT_UID(AD5271_ID)) ++ if (dpot->uid == DPOT_UID(AD5274_ID)) + value = value >> 2; + return value; + default: +diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c +index 0aa7087438fa..e40db2fd2da3 100644 +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -861,7 +861,7 @@ write_error: + int ubi_eba_atomic_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, + int lnum, const void *buf, int len) + { +- int err, pnum, tries = 0, vol_id = vol->vol_id; ++ int err, pnum, old_pnum, tries = 0, vol_id = vol->vol_id; + struct ubi_vid_hdr *vid_hdr; + uint32_t crc; + +@@ -924,16 +924,17 @@ retry: + goto write_error; + } + +- if (vol->eba_tbl[lnum] >= 0) { +- err = ubi_wl_put_peb(ubi, vol_id, lnum, vol->eba_tbl[lnum], 0); +- if (err) +- goto out_leb_unlock; +- } +- + down_read(&ubi->fm_sem); ++ old_pnum = vol->eba_tbl[lnum]; + vol->eba_tbl[lnum] = pnum; + up_read(&ubi->fm_sem); + ++ if (old_pnum >= 0) { ++ err = ubi_wl_put_peb(ubi, vol_id, lnum, old_pnum, 0); ++ if (err) ++ goto out_leb_unlock; ++ } ++ + out_leb_unlock: + leb_write_unlock(ubi, vol_id, lnum); + out_mutex: +diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c +index 05e1aa090add..2c4e54f764c5 100644 +--- a/drivers/net/can/at91_can.c ++++ b/drivers/net/can/at91_can.c +@@ -734,9 +734,10 @@ static int at91_poll_rx(struct net_device *dev, int quota) + + /* upper group completed, look again in lower */ + if (priv->rx_next > get_mb_rx_low_last(priv) && +- quota > 0 && mb > get_mb_rx_last(priv)) { ++ mb > get_mb_rx_last(priv)) { + priv->rx_next = get_mb_rx_first(priv); +- goto again; ++ if (quota > 0) ++ goto again; + } + + return received; +diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c +index 60285820f7b4..055457619c1e 100644 +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -331,9 +331,23 @@ static void c_can_setup_tx_object(struct net_device *dev, int iface, + + priv->write_reg(priv, C_CAN_IFACE(MSGCTRL_REG, iface), ctrl); + +- for (i = 0; i < frame->can_dlc; i += 2) { +- priv->write_reg(priv, C_CAN_IFACE(DATA1_REG, iface) + i / 2, +- frame->data[i] | (frame->data[i + 1] << 8)); ++ if (priv->type == BOSCH_D_CAN) { ++ u32 data = 0, dreg = C_CAN_IFACE(DATA1_REG, iface); ++ ++ for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) { ++ data = (u32)frame->data[i]; ++ data |= (u32)frame->data[i + 1] << 8; ++ data |= (u32)frame->data[i + 2] << 16; ++ data |= (u32)frame->data[i + 3] << 24; ++ priv->write_reg32(priv, dreg, data); ++ } ++ } else { ++ for (i = 0; i < frame->can_dlc; i += 2) { ++ priv->write_reg(priv, ++ C_CAN_IFACE(DATA1_REG, iface) + i / 2, ++ frame->data[i] | ++ (frame->data[i + 1] << 8)); ++ } + } + } + +@@ -401,10 +415,20 @@ static int c_can_read_msg_object(struct net_device *dev, int iface, u32 ctrl) + } else { + int i, dreg = C_CAN_IFACE(DATA1_REG, iface); + +- for (i = 0; i < frame->can_dlc; i += 2, dreg ++) { +- data = priv->read_reg(priv, dreg); +- frame->data[i] = data; +- frame->data[i + 1] = data >> 8; ++ if (priv->type == BOSCH_D_CAN) { ++ for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) { ++ data = priv->read_reg32(priv, dreg); ++ frame->data[i] = data; ++ frame->data[i + 1] = data >> 8; ++ frame->data[i + 2] = data >> 16; ++ frame->data[i + 3] = data >> 24; ++ } ++ } else { ++ for (i = 0; i < frame->can_dlc; i += 2, dreg++) { ++ data = priv->read_reg(priv, dreg); ++ frame->data[i] = data; ++ frame->data[i + 1] = data >> 8; ++ } + } + } + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 80185ebc7a43..bcefb375d232 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -717,6 +717,9 @@ static int can_validate(struct nlattr *tb[], struct nlattr *data[]) + * - control mode with CAN_CTRLMODE_FD set + */ + ++ if (!data) ++ return 0; ++ + if (data[IFLA_CAN_CTRLMODE]) { + struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]); + +@@ -927,6 +930,11 @@ static int can_newlink(struct net *src_net, struct net_device *dev, + return -EOPNOTSUPP; + } + ++static void can_dellink(struct net_device *dev, struct list_head *head) ++{ ++ return; ++} ++ + static struct rtnl_link_ops can_link_ops __read_mostly = { + .kind = "can", + .maxtype = IFLA_CAN_MAX, +@@ -935,6 +943,7 @@ static struct rtnl_link_ops can_link_ops __read_mostly = { + .validate = can_validate, + .newlink = can_newlink, + .changelink = can_changelink, ++ .dellink = can_dellink, + .get_size = can_get_size, + .fill_info = can_fill_info, + .get_xstats_size = can_get_xstats_size, +diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c +index 84a09e8ddd9c..5086ec9214c3 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl2.c ++++ b/drivers/net/ethernet/atheros/atlx/atl2.c +@@ -1412,7 +1412,7 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = -EIO; + +- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; ++ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX; + netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); + + /* Init PHY as early as possible due to power saving issue */ +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index bb27028d392b..1db35f8053a1 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -912,7 +912,7 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev, + dev->stats.tx_bytes += tx_cb_ptr->skb->len; + dma_unmap_single(&dev->dev, + dma_unmap_addr(tx_cb_ptr, dma_addr), +- tx_cb_ptr->skb->len, ++ dma_unmap_len(tx_cb_ptr, dma_len), + DMA_TO_DEVICE); + bcmgenet_free_cb(tx_cb_ptr); + } else if (dma_unmap_addr(tx_cb_ptr, dma_addr)) { +@@ -1019,7 +1019,7 @@ static int bcmgenet_xmit_single(struct net_device *dev, + } + + dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping); +- dma_unmap_len_set(tx_cb_ptr, dma_len, skb->len); ++ dma_unmap_len_set(tx_cb_ptr, dma_len, skb_len); + length_status = (skb_len << DMA_BUFLENGTH_SHIFT) | dma_desc_flags | + (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT) | + DMA_TX_APPEND_CRC; +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 96ba23e90111..2ee3c9537772 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1539,9 +1539,15 @@ fec_enet_rx(struct net_device *ndev, int budget) + struct fec_enet_private *fep = netdev_priv(ndev); + + for_each_set_bit(queue_id, &fep->work_rx, FEC_ENET_MAX_RX_QS) { +- clear_bit(queue_id, &fep->work_rx); +- pkt_received += fec_enet_rx_queue(ndev, ++ int ret; ++ ++ ret = fec_enet_rx_queue(ndev, + budget - pkt_received, queue_id); ++ ++ if (ret < budget - pkt_received) ++ clear_bit(queue_id, &fep->work_rx); ++ ++ pkt_received += ret; + } + return pkt_received; + } +diff --git a/drivers/net/ethernet/jme.c b/drivers/net/ethernet/jme.c +index 4a1be34d7214..70039afd68fa 100644 +--- a/drivers/net/ethernet/jme.c ++++ b/drivers/net/ethernet/jme.c +@@ -270,11 +270,17 @@ jme_reset_mac_processor(struct jme_adapter *jme) + } + + static inline void +-jme_clear_pm(struct jme_adapter *jme) ++jme_clear_pm_enable_wol(struct jme_adapter *jme) + { + jwrite32(jme, JME_PMCS, PMCS_STMASK | jme->reg_pmcs); + } + ++static inline void ++jme_clear_pm_disable_wol(struct jme_adapter *jme) ++{ ++ jwrite32(jme, JME_PMCS, PMCS_STMASK); ++} ++ + static int + jme_reload_eeprom(struct jme_adapter *jme) + { +@@ -1857,7 +1863,7 @@ jme_open(struct net_device *netdev) + struct jme_adapter *jme = netdev_priv(netdev); + int rc; + +- jme_clear_pm(jme); ++ jme_clear_pm_disable_wol(jme); + JME_NAPI_ENABLE(jme); + + tasklet_init(&jme->linkch_task, jme_link_change_tasklet, +@@ -1929,11 +1935,11 @@ jme_wait_link(struct jme_adapter *jme) + static void + jme_powersave_phy(struct jme_adapter *jme) + { +- if (jme->reg_pmcs) { ++ if (jme->reg_pmcs && device_may_wakeup(&jme->pdev->dev)) { + jme_set_100m_half(jme); + if (jme->reg_pmcs & (PMCS_LFEN | PMCS_LREN)) + jme_wait_link(jme); +- jme_clear_pm(jme); ++ jme_clear_pm_enable_wol(jme); + } else { + jme_phy_off(jme); + } +@@ -2650,9 +2656,6 @@ jme_set_wol(struct net_device *netdev, + if (wol->wolopts & WAKE_MAGIC) + jme->reg_pmcs |= PMCS_MFEN; + +- jwrite32(jme, JME_PMCS, jme->reg_pmcs); +- device_set_wakeup_enable(&jme->pdev->dev, !!(jme->reg_pmcs)); +- + return 0; + } + +@@ -3176,8 +3179,8 @@ jme_init_one(struct pci_dev *pdev, + jme->mii_if.mdio_read = jme_mdio_read; + jme->mii_if.mdio_write = jme_mdio_write; + +- jme_clear_pm(jme); +- device_set_wakeup_enable(&pdev->dev, true); ++ jme_clear_pm_disable_wol(jme); ++ device_init_wakeup(&pdev->dev, true); + + jme_set_phyfifo_5level(jme); + jme->pcirev = pdev->revision; +@@ -3308,7 +3311,7 @@ jme_resume(struct device *dev) + if (!netif_running(netdev)) + return 0; + +- jme_clear_pm(jme); ++ jme_clear_pm_disable_wol(jme); + jme_phy_on(jme); + if (test_bit(JME_FLAG_SSET, &jme->flags)) + jme_set_settings(netdev, &jme->old_ecmd); +@@ -3316,13 +3319,14 @@ jme_resume(struct device *dev) + jme_reset_phy_processor(jme); + jme_phy_calibration(jme); + jme_phy_setEA(jme); +- jme_start_irq(jme); + netif_device_attach(netdev); + + atomic_inc(&jme->link_changing); + + jme_reset_link(jme); + ++ jme_start_irq(jme); ++ + return 0; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +index 5980d3fe597c..fdc592ac2529 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -391,7 +391,6 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev, + u32 packets = 0; + u32 bytes = 0; + int factor = priv->cqe_factor; +- u64 timestamp = 0; + int done = 0; + int budget = priv->tx_work_limit; + u32 last_nr_txbb; +@@ -431,9 +430,12 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev, + new_index = be16_to_cpu(cqe->wqe_index) & size_mask; + + do { ++ u64 timestamp = 0; ++ + txbbs_skipped += last_nr_txbb; + ring_index = (ring_index + last_nr_txbb) & size_mask; +- if (ring->tx_info[ring_index].ts_requested) ++ ++ if (unlikely(ring->tx_info[ring_index].ts_requested)) + timestamp = mlx4_en_get_cqe_ts(cqe); + + /* free next descriptor */ +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index cd5cf6d957c7..e57df91bad06 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -2922,7 +2922,7 @@ static int verify_qp_parameters(struct mlx4_dev *dev, + case QP_TRANS_RTS2RTS: + case QP_TRANS_SQD2SQD: + case QP_TRANS_SQD2RTS: +- if (slave != mlx4_master_func_num(dev)) ++ if (slave != mlx4_master_func_num(dev)) { + if (optpar & MLX4_QP_OPTPAR_PRIMARY_ADDR_PATH) { + port = (qp_ctx->pri_path.sched_queue >> 6 & 1) + 1; + if (dev->caps.port_mask[port] != MLX4_PORT_TYPE_IB) +@@ -2941,6 +2941,7 @@ static int verify_qp_parameters(struct mlx4_dev *dev, + if (qp_ctx->alt_path.mgid_index >= num_gids) + return -EINVAL; + } ++ } + break; + default: + break; +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h +index e56c1bb36141..76b2cfe12504 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h +@@ -567,6 +567,7 @@ struct qlcnic_adapter_stats { + u64 tx_dma_map_error; + u64 spurious_intr; + u64 mac_filter_limit_overrun; ++ u64 mbx_spurious_intr; + }; + + /* +@@ -1092,7 +1093,7 @@ struct qlcnic_mailbox { + unsigned long status; + spinlock_t queue_lock; /* Mailbox queue lock */ + spinlock_t aen_lock; /* Mailbox response/AEN lock */ +- atomic_t rsp_status; ++ u32 rsp_status; + u32 num_cmds; + }; + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index 840bf36b5e9d..dd618d7ed257 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -489,7 +489,7 @@ irqreturn_t qlcnic_83xx_clear_legacy_intr(struct qlcnic_adapter *adapter) + + static inline void qlcnic_83xx_notify_mbx_response(struct qlcnic_mailbox *mbx) + { +- atomic_set(&mbx->rsp_status, QLC_83XX_MBX_RESPONSE_ARRIVED); ++ mbx->rsp_status = QLC_83XX_MBX_RESPONSE_ARRIVED; + complete(&mbx->completion); + } + +@@ -508,7 +508,7 @@ static void qlcnic_83xx_poll_process_aen(struct qlcnic_adapter *adapter) + if (event & QLCNIC_MBX_ASYNC_EVENT) { + __qlcnic_83xx_process_aen(adapter); + } else { +- if (atomic_read(&mbx->rsp_status) != rsp_status) ++ if (mbx->rsp_status != rsp_status) + qlcnic_83xx_notify_mbx_response(mbx); + } + out: +@@ -1023,7 +1023,7 @@ static void qlcnic_83xx_process_aen(struct qlcnic_adapter *adapter) + if (event & QLCNIC_MBX_ASYNC_EVENT) { + __qlcnic_83xx_process_aen(adapter); + } else { +- if (atomic_read(&mbx->rsp_status) != rsp_status) ++ if (mbx->rsp_status != rsp_status) + qlcnic_83xx_notify_mbx_response(mbx); + } + } +@@ -2338,9 +2338,9 @@ static void qlcnic_83xx_handle_link_aen(struct qlcnic_adapter *adapter, + + static irqreturn_t qlcnic_83xx_handle_aen(int irq, void *data) + { ++ u32 mask, resp, event, rsp_status = QLC_83XX_MBX_RESPONSE_ARRIVED; + struct qlcnic_adapter *adapter = data; + struct qlcnic_mailbox *mbx; +- u32 mask, resp, event; + unsigned long flags; + + mbx = adapter->ahw->mailbox; +@@ -2350,10 +2350,14 @@ static irqreturn_t qlcnic_83xx_handle_aen(int irq, void *data) + goto out; + + event = readl(QLCNIC_MBX_FW(adapter->ahw, 0)); +- if (event & QLCNIC_MBX_ASYNC_EVENT) ++ if (event & QLCNIC_MBX_ASYNC_EVENT) { + __qlcnic_83xx_process_aen(adapter); +- else +- qlcnic_83xx_notify_mbx_response(mbx); ++ } else { ++ if (mbx->rsp_status != rsp_status) ++ qlcnic_83xx_notify_mbx_response(mbx); ++ else ++ adapter->stats.mbx_spurious_intr++; ++ } + + out: + mask = QLCRDX(adapter->ahw, QLCNIC_DEF_INT_MASK); +@@ -4025,10 +4029,10 @@ static void qlcnic_83xx_mailbox_worker(struct work_struct *work) + struct qlcnic_adapter *adapter = mbx->adapter; + struct qlcnic_mbx_ops *mbx_ops = mbx->ops; + struct device *dev = &adapter->pdev->dev; +- atomic_t *rsp_status = &mbx->rsp_status; + struct list_head *head = &mbx->cmd_q; + struct qlcnic_hardware_context *ahw; + struct qlcnic_cmd_args *cmd = NULL; ++ unsigned long flags; + + ahw = adapter->ahw; + +@@ -4038,7 +4042,9 @@ static void qlcnic_83xx_mailbox_worker(struct work_struct *work) + return; + } + +- atomic_set(rsp_status, QLC_83XX_MBX_RESPONSE_WAIT); ++ spin_lock_irqsave(&mbx->aen_lock, flags); ++ mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT; ++ spin_unlock_irqrestore(&mbx->aen_lock, flags); + + spin_lock(&mbx->queue_lock); + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +index 494e8105adee..0a2318cad34d 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +@@ -59,7 +59,8 @@ static const struct qlcnic_stats qlcnic_gstrings_stats[] = { + QLC_OFF(stats.mac_filter_limit_overrun)}, + {"spurious intr", QLC_SIZEOF(stats.spurious_intr), + QLC_OFF(stats.spurious_intr)}, +- ++ {"mbx spurious intr", QLC_SIZEOF(stats.mbx_spurious_intr), ++ QLC_OFF(stats.mbx_spurious_intr)}, + }; + + static const char qlcnic_device_gstrings_stats[][ETH_GSTRING_LEN] = { +diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_main.c b/drivers/net/ethernet/qlogic/qlge/qlge_main.c +index 6c904a6cad2a..7bbb04124dc1 100644 +--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c +@@ -1648,7 +1648,18 @@ static void ql_process_mac_rx_skb(struct ql_adapter *qdev, + return; + } + skb_reserve(new_skb, NET_IP_ALIGN); ++ ++ pci_dma_sync_single_for_cpu(qdev->pdev, ++ dma_unmap_addr(sbq_desc, mapaddr), ++ dma_unmap_len(sbq_desc, maplen), ++ PCI_DMA_FROMDEVICE); ++ + memcpy(skb_put(new_skb, length), skb->data, length); ++ ++ pci_dma_sync_single_for_device(qdev->pdev, ++ dma_unmap_addr(sbq_desc, mapaddr), ++ dma_unmap_len(sbq_desc, maplen), ++ PCI_DMA_FROMDEVICE); + skb = new_skb; + + /* Frame error, so drop the packet. */ +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index f77b58911558..f55be6ddf3a7 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -812,7 +812,7 @@ qcaspi_netdev_setup(struct net_device *dev) + dev->netdev_ops = &qcaspi_netdev_ops; + qcaspi_set_ethtool_ops(dev); + dev->watchdog_timeo = QCASPI_TX_TIMEOUT; +- dev->flags = IFF_MULTICAST; ++ dev->priv_flags &= ~IFF_TX_SKB_SHARING; + dev->tx_queue_len = 100; + + qca = netdev_priv(dev); +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index b474dbfcdb4f..c44bae495804 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1112,6 +1112,7 @@ static void sh_eth_ring_format(struct net_device *ndev) + int rx_ringsize = sizeof(*rxdesc) * mdp->num_rx_ring; + int tx_ringsize = sizeof(*txdesc) * mdp->num_tx_ring; + int skbuff_size = mdp->rx_buf_sz + SH_ETH_RX_ALIGN - 1; ++ dma_addr_t dma_addr; + + mdp->cur_rx = 0; + mdp->cur_tx = 0; +@@ -1125,18 +1126,23 @@ static void sh_eth_ring_format(struct net_device *ndev) + /* skb */ + mdp->rx_skbuff[i] = NULL; + skb = netdev_alloc_skb(ndev, skbuff_size); +- mdp->rx_skbuff[i] = skb; + if (skb == NULL) + break; + sh_eth_set_receive_align(skb); + + /* RX descriptor */ + rxdesc = &mdp->rx_ring[i]; +- /* The size of the buffer is a multiple of 16 bytes. */ +- rxdesc->buffer_length = ALIGN(mdp->rx_buf_sz, 16); +- dma_map_single(&ndev->dev, skb->data, rxdesc->buffer_length, +- DMA_FROM_DEVICE); +- rxdesc->addr = virt_to_phys(PTR_ALIGN(skb->data, 4)); ++ /* The size of the buffer is a multiple of 32 bytes. */ ++ rxdesc->buffer_length = ALIGN(mdp->rx_buf_sz, 32); ++ dma_addr = dma_map_single(&ndev->dev, skb->data, ++ rxdesc->buffer_length, ++ DMA_FROM_DEVICE); ++ if (dma_mapping_error(&ndev->dev, dma_addr)) { ++ kfree_skb(skb); ++ break; ++ } ++ mdp->rx_skbuff[i] = skb; ++ rxdesc->addr = dma_addr; + rxdesc->status = cpu_to_edmac(mdp, RD_RACT | RD_RFP); + + /* Rx descriptor address set */ +@@ -1151,7 +1157,8 @@ static void sh_eth_ring_format(struct net_device *ndev) + mdp->dirty_rx = (u32) (i - mdp->num_rx_ring); + + /* Mark the last entry as wrapping the ring. */ +- rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); ++ if (rxdesc) ++ rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); + + memset(mdp->tx_ring, 0, tx_ringsize); + +@@ -1391,6 +1398,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + u16 pkt_len = 0; + u32 desc_status; + int skbuff_size = mdp->rx_buf_sz + SH_ETH_RX_ALIGN - 1; ++ dma_addr_t dma_addr; + + rxdesc = &mdp->rx_ring[entry]; + while (!(rxdesc->status & cpu_to_edmac(mdp, RD_RACT))) { +@@ -1441,9 +1449,9 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + mdp->rx_skbuff[entry] = NULL; + if (mdp->cd->rpadir) + skb_reserve(skb, NET_IP_ALIGN); +- dma_sync_single_for_cpu(&ndev->dev, rxdesc->addr, +- ALIGN(mdp->rx_buf_sz, 16), +- DMA_FROM_DEVICE); ++ dma_unmap_single(&ndev->dev, rxdesc->addr, ++ ALIGN(mdp->rx_buf_sz, 32), ++ DMA_FROM_DEVICE); + skb_put(skb, pkt_len); + skb->protocol = eth_type_trans(skb, ndev); + netif_receive_skb(skb); +@@ -1458,20 +1466,25 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + for (; mdp->cur_rx - mdp->dirty_rx > 0; mdp->dirty_rx++) { + entry = mdp->dirty_rx % mdp->num_rx_ring; + rxdesc = &mdp->rx_ring[entry]; +- /* The size of the buffer is 16 byte boundary. */ +- rxdesc->buffer_length = ALIGN(mdp->rx_buf_sz, 16); ++ /* The size of the buffer is 32 byte boundary. */ ++ rxdesc->buffer_length = ALIGN(mdp->rx_buf_sz, 32); + + if (mdp->rx_skbuff[entry] == NULL) { + skb = netdev_alloc_skb(ndev, skbuff_size); +- mdp->rx_skbuff[entry] = skb; + if (skb == NULL) + break; /* Better luck next round. */ + sh_eth_set_receive_align(skb); +- dma_map_single(&ndev->dev, skb->data, +- rxdesc->buffer_length, DMA_FROM_DEVICE); ++ dma_addr = dma_map_single(&ndev->dev, skb->data, ++ rxdesc->buffer_length, ++ DMA_FROM_DEVICE); ++ if (dma_mapping_error(&ndev->dev, dma_addr)) { ++ kfree_skb(skb); ++ break; ++ } ++ mdp->rx_skbuff[entry] = skb; + + skb_checksum_none_assert(skb); +- rxdesc->addr = virt_to_phys(PTR_ALIGN(skb->data, 4)); ++ rxdesc->addr = dma_addr; + } + if (entry >= mdp->num_rx_ring - 1) + rxdesc->status |= +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 63ec209cdfd3..010009d64017 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -452,6 +452,17 @@ fail: + return rc; + } + ++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx) ++{ ++ struct efx_channel *channel; ++ struct efx_tx_queue *tx_queue; ++ ++ /* All our existing PIO buffers went away */ ++ efx_for_each_channel(channel, efx) ++ efx_for_each_channel_tx_queue(tx_queue, channel) ++ tx_queue->piobuf = NULL; ++} ++ + #else /* !EFX_USE_PIO */ + + static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n) +@@ -468,6 +479,10 @@ static void efx_ef10_free_piobufs(struct efx_nic *efx) + { + } + ++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx) ++{ ++} ++ + #endif /* EFX_USE_PIO */ + + static void efx_ef10_remove(struct efx_nic *efx) +@@ -699,6 +714,7 @@ static void efx_ef10_reset_mc_allocations(struct efx_nic *efx) + nic_data->must_realloc_vis = true; + nic_data->must_restore_filters = true; + nic_data->must_restore_piobufs = true; ++ efx_ef10_forget_old_piobufs(efx); + nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID; + } + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index fc7b3d76f08e..e3fbbbbd84e7 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -561,7 +561,7 @@ static int get_filter(void __user *arg, struct sock_filter **p) + + static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { +- struct ppp_file *pf = file->private_data; ++ struct ppp_file *pf; + struct ppp *ppp; + int err = -EFAULT, val, val2, i; + struct ppp_idle idle; +@@ -571,9 +571,14 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + void __user *argp = (void __user *)arg; + int __user *p = argp; + +- if (!pf) +- return ppp_unattached_ioctl(current->nsproxy->net_ns, +- pf, file, cmd, arg); ++ mutex_lock(&ppp_mutex); ++ ++ pf = file->private_data; ++ if (!pf) { ++ err = ppp_unattached_ioctl(current->nsproxy->net_ns, ++ pf, file, cmd, arg); ++ goto out; ++ } + + if (cmd == PPPIOCDETACH) { + /* +@@ -588,7 +593,6 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + * this fd and reopening /dev/ppp. + */ + err = -EINVAL; +- mutex_lock(&ppp_mutex); + if (pf->kind == INTERFACE) { + ppp = PF_TO_PPP(pf); + if (file == ppp->owner) +@@ -600,15 +604,13 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + } else + pr_warn("PPPIOCDETACH file->f_count=%ld\n", + atomic_long_read(&file->f_count)); +- mutex_unlock(&ppp_mutex); +- return err; ++ goto out; + } + + if (pf->kind == CHANNEL) { + struct channel *pch; + struct ppp_channel *chan; + +- mutex_lock(&ppp_mutex); + pch = PF_TO_CHANNEL(pf); + + switch (cmd) { +@@ -630,17 +632,16 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + err = chan->ops->ioctl(chan, cmd, arg); + up_read(&pch->chan_sem); + } +- mutex_unlock(&ppp_mutex); +- return err; ++ goto out; + } + + if (pf->kind != INTERFACE) { + /* can't happen */ + pr_err("PPP: not interface or channel??\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto out; + } + +- mutex_lock(&ppp_mutex); + ppp = PF_TO_PPP(pf); + switch (cmd) { + case PPPIOCSMRU: +@@ -815,7 +816,10 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + default: + err = -ENOTTY; + } ++ ++out: + mutex_unlock(&ppp_mutex); ++ + return err; + } + +@@ -828,7 +832,6 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf, + struct ppp_net *pn; + int __user *p = (int __user *)arg; + +- mutex_lock(&ppp_mutex); + switch (cmd) { + case PPPIOCNEWUNIT: + /* Create a new ppp unit */ +@@ -879,7 +882,7 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf, + default: + err = -ENOTTY; + } +- mutex_unlock(&ppp_mutex); ++ + return err; + } + +@@ -2242,7 +2245,7 @@ int ppp_register_net_channel(struct net *net, struct ppp_channel *chan) + + pch->ppp = NULL; + pch->chan = chan; +- pch->chan_net = net; ++ pch->chan_net = get_net(net); + chan->ppp = pch; + init_ppp_file(&pch->file, CHANNEL); + pch->file.hdrlen = chan->hdrlen; +@@ -2339,6 +2342,8 @@ ppp_unregister_channel(struct ppp_channel *chan) + spin_lock_bh(&pn->all_channels_lock); + list_del(&pch->list); + spin_unlock_bh(&pn->all_channels_lock); ++ put_net(pch->chan_net); ++ pch->chan_net = NULL; + + pch->file.dead = 1; + wake_up_interruptible(&pch->file.rwait); +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 9dd3746994a4..a4685a22f665 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -499,11 +499,13 @@ static void tun_detach_all(struct net_device *dev) + for (i = 0; i < n; i++) { + tfile = rtnl_dereference(tun->tfiles[i]); + BUG_ON(!tfile); ++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN; + tfile->socket.sk->sk_data_ready(tfile->socket.sk); + RCU_INIT_POINTER(tfile->tun, NULL); + --tun->numqueues; + } + list_for_each_entry(tfile, &tun->disabled, next) { ++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN; + tfile->socket.sk->sk_data_ready(tfile->socket.sk); + RCU_INIT_POINTER(tfile->tun, NULL); + } +@@ -558,6 +560,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte + goto out; + } + tfile->queue_index = tun->numqueues; ++ tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN; + rcu_assign_pointer(tfile->tun, tun); + rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile); + tun->numqueues++; +@@ -1356,9 +1359,6 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile, + if (!len) + return ret; + +- if (tun->dev->reg_state != NETREG_REGISTERED) +- return -EIO; +- + /* Read frames from queue */ + skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0, + &peeked, &off, &err); +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 8067b8fbb0ee..614b4ca6420a 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -815,7 +815,11 @@ advance: + + iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber; + +- /* reset data interface */ ++ /* Reset data interface. Some devices will not reset properly ++ * unless they are configured first. Toggle the altsetting to ++ * force a reset ++ */ ++ usb_set_interface(dev->udev, iface_no, data_altsetting); + temp = usb_set_interface(dev->udev, iface_no, 0); + if (temp) { + dev_dbg(&intf->dev, "set interface failed\n"); +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index a5771515d9ab..73f55a98798f 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -748,6 +748,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */ + {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */ + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ ++ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ +@@ -766,8 +767,10 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */ + {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */ +- {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */ +- {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 7a598932f922..bb570916e340 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1755,6 +1755,13 @@ out3: + if (info->unbind) + info->unbind (dev, udev); + out1: ++ /* subdrivers must undo all they did in bind() if they ++ * fail it, but we may fail later and a deferred kevent ++ * may trigger an error resubmitting itself and, worse, ++ * schedule a timer. So we kill it all just in case. ++ */ ++ cancel_work_sync(&dev->kevent); ++ del_timer_sync(&dev->delay); + free_netdev(net); + out: + return status; +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index 44541dbc5c28..69b994f3b8c5 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -2516,7 +2516,7 @@ fst_add_one(struct pci_dev *pdev, const struct pci_device_id *ent) + dev->mem_start = card->phys_mem + + BUF_OFFSET ( txBuffer[i][0][0]); + dev->mem_end = card->phys_mem +- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]); ++ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]); + dev->base_addr = card->pci_conf; + dev->irq = card->irq; + +diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c +index 971d770722cf..2ac05486424b 100644 +--- a/drivers/net/wireless/ath/ath9k/eeprom.c ++++ b/drivers/net/wireless/ath/ath9k/eeprom.c +@@ -408,10 +408,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + + if (match) { + if (AR_SREV_9287(ah)) { +- /* FIXME: array overrun? */ + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_9287[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_9287[idxL].pwrPdg[i], + data_9287[idxL].vpdPdg[i], +@@ -421,7 +420,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + } else if (eeprom_4k) { + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_4k[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_4k[idxL].pwrPdg[i], + data_4k[idxL].vpdPdg[i], +@@ -431,7 +430,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + } else { + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_def[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_def[idxL].pwrPdg[i], + data_def[idxL].vpdPdg[i], +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index ce0aa47222f6..94ff20e9a8a0 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -10,6 +10,8 @@ + #include <linux/kernel.h> + #include <linux/delay.h> + #include <linux/init.h> ++#include <linux/of.h> ++#include <linux/of_pci.h> + #include <linux/pci.h> + #include <linux/pm.h> + #include <linux/slab.h> +@@ -4490,6 +4492,55 @@ int pci_get_new_domain_nr(void) + { + return atomic_inc_return(&__domain_nr); + } ++ ++#ifdef CONFIG_PCI_DOMAINS_GENERIC ++void pci_bus_assign_domain_nr(struct pci_bus *bus, struct device *parent) ++{ ++ static int use_dt_domains = -1; ++ int domain = -1; ++ ++ if (parent) ++ domain = of_get_pci_domain_nr(parent->of_node); ++ /* ++ * Check DT domain and use_dt_domains values. ++ * ++ * If DT domain property is valid (domain >= 0) and ++ * use_dt_domains != 0, the DT assignment is valid since this means ++ * we have not previously allocated a domain number by using ++ * pci_get_new_domain_nr(); we should also update use_dt_domains to ++ * 1, to indicate that we have just assigned a domain number from ++ * DT. ++ * ++ * If DT domain property value is not valid (ie domain < 0), and we ++ * have not previously assigned a domain number from DT ++ * (use_dt_domains != 1) we should assign a domain number by ++ * using the: ++ * ++ * pci_get_new_domain_nr() ++ * ++ * API and update the use_dt_domains value to keep track of method we ++ * are using to assign domain numbers (use_dt_domains = 0). ++ * ++ * All other combinations imply we have a platform that is trying ++ * to mix domain numbers obtained from DT and pci_get_new_domain_nr(), ++ * which is a recipe for domain mishandling and it is prevented by ++ * invalidating the domain value (domain = -1) and printing a ++ * corresponding error. ++ */ ++ if (domain >= 0 && use_dt_domains) { ++ use_dt_domains = 1; ++ } else if (domain < 0 && use_dt_domains != 1) { ++ use_dt_domains = 0; ++ domain = pci_get_new_domain_nr(); ++ } else { ++ dev_err(parent, "Node %s has inconsistent \"linux,pci-domain\" property in DT\n", ++ parent->of_node->full_name); ++ domain = -1; ++ } ++ ++ bus->domain_nr = domain; ++} ++#endif + #endif + + /** +diff --git a/drivers/pinctrl/freescale/pinctrl-imx.c b/drivers/pinctrl/freescale/pinctrl-imx.c +index 6f806f93662a..857f29ba406a 100644 +--- a/drivers/pinctrl/freescale/pinctrl-imx.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx.c +@@ -205,9 +205,9 @@ static int imx_pmx_set(struct pinctrl_dev *pctldev, unsigned selector, + pin_reg = &info->pin_regs[pin_id]; + + if (pin_reg->mux_reg == -1) { +- dev_err(ipctl->dev, "Pin(%s) does not support mux function\n", ++ dev_dbg(ipctl->dev, "Pin(%s) does not support mux function\n", + info->pins[pin_id].name); +- return -EINVAL; ++ continue; + } + + if (info->flags & SHARE_MUX_CONF_REG) { +diff --git a/drivers/pinctrl/nomadik/pinctrl-nomadik.c b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +index 746db6acf648..25d5a21c51e5 100644 +--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c ++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +@@ -1025,7 +1025,7 @@ static void nmk_gpio_dbg_show_one(struct seq_file *s, + int pullidx = 0; + + if (pull) +- pullidx = data_out ? 1 : 2; ++ pullidx = data_out ? 2 : 1; + + seq_printf(s, " gpio-%-3d (%-20.20s) in %s %s", + gpio, +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index fb94b772ad62..f94d46c57dc5 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1273,9 +1273,9 @@ static int pcs_parse_bits_in_pinctrl_entry(struct pcs_device *pcs, + + /* Parse pins in each row from LSB */ + while (mask) { +- bit_pos = ffs(mask); ++ bit_pos = __ffs(mask); + pin_num_from_lsb = bit_pos / pcs->bits_per_pin; +- mask_pos = ((pcs->fmask) << (bit_pos - 1)); ++ mask_pos = ((pcs->fmask) << bit_pos); + val_pos = val & mask_pos; + submask = mask & mask_pos; + +@@ -1576,6 +1576,9 @@ static inline void pcs_irq_set(struct pcs_soc_data *pcs_soc, + else + mask &= ~soc_mask; + pcs->write(mask, pcswi->reg); ++ ++ /* flush posted write */ ++ mask = pcs->read(pcswi->reg); + raw_spin_unlock(&pcs->lock); + } + +@@ -1851,7 +1854,7 @@ static int pcs_probe(struct platform_device *pdev) + ret = of_property_read_u32(np, "pinctrl-single,function-mask", + &pcs->fmask); + if (!ret) { +- pcs->fshift = ffs(pcs->fmask) - 1; ++ pcs->fshift = __ffs(pcs->fmask); + pcs->fmax = pcs->fmask >> pcs->fshift; + } else { + /* If mask property doesn't exist, function mux is invalid. */ +diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c +index 0ab5cbeeb797..c53fe2645548 100644 +--- a/drivers/regulator/s5m8767.c ++++ b/drivers/regulator/s5m8767.c +@@ -202,9 +202,10 @@ static int s5m8767_get_register(struct s5m8767_info *s5m8767, int reg_id, + } + } + +- if (i < s5m8767->num_regulators) +- *enable_ctrl = +- s5m8767_opmode_reg[reg_id][mode] << S5M8767_ENCTRL_SHIFT; ++ if (i >= s5m8767->num_regulators) ++ return -EINVAL; ++ ++ *enable_ctrl = s5m8767_opmode_reg[reg_id][mode] << S5M8767_ENCTRL_SHIFT; + + return 0; + } +@@ -936,8 +937,12 @@ static int s5m8767_pmic_probe(struct platform_device *pdev) + else + regulators[id].vsel_mask = 0xff; + +- s5m8767_get_register(s5m8767, id, &enable_reg, ++ ret = s5m8767_get_register(s5m8767, id, &enable_reg, + &enable_val); ++ if (ret) { ++ dev_err(s5m8767->dev, "error reading registers\n"); ++ return ret; ++ } + regulators[id].enable_reg = enable_reg; + regulators[id].enable_mask = S5M8767_ENCTRL_MASK; + regulators[id].enable_val = enable_val; +diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c +index b936bb4096b5..280584b2813b 100644 +--- a/drivers/rtc/rtc-hym8563.c ++++ b/drivers/rtc/rtc-hym8563.c +@@ -144,7 +144,7 @@ static int hym8563_rtc_set_time(struct device *dev, struct rtc_time *tm) + * it does not seem to carry it over a subsequent write/read. + * So we'll limit ourself to 100 years, starting at 2000 for now. + */ +- buf[6] = tm->tm_year - 100; ++ buf[6] = bin2bcd(tm->tm_year - 100); + + /* + * CTL1 only contains TEST-mode bits apart from stop, +diff --git a/drivers/rtc/rtc-max77686.c b/drivers/rtc/rtc-max77686.c +index cf73e969c8cc..b69d409c9d9c 100644 +--- a/drivers/rtc/rtc-max77686.c ++++ b/drivers/rtc/rtc-max77686.c +@@ -463,7 +463,7 @@ static int max77686_rtc_probe(struct platform_device *pdev) + + info->virq = regmap_irq_get_virq(max77686->rtc_irq_data, + MAX77686_RTCIRQ_RTCA1); +- if (!info->virq) { ++ if (info->virq <= 0) { + ret = -ENXIO; + goto err_rtc; + } +diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c +index 88c9c92e89fd..4b0966ed5394 100644 +--- a/drivers/rtc/rtc-vr41xx.c ++++ b/drivers/rtc/rtc-vr41xx.c +@@ -272,12 +272,13 @@ static irqreturn_t rtclong1_interrupt(int irq, void *dev_id) + } + + static const struct rtc_class_ops vr41xx_rtc_ops = { +- .release = vr41xx_rtc_release, +- .ioctl = vr41xx_rtc_ioctl, +- .read_time = vr41xx_rtc_read_time, +- .set_time = vr41xx_rtc_set_time, +- .read_alarm = vr41xx_rtc_read_alarm, +- .set_alarm = vr41xx_rtc_set_alarm, ++ .release = vr41xx_rtc_release, ++ .ioctl = vr41xx_rtc_ioctl, ++ .read_time = vr41xx_rtc_read_time, ++ .set_time = vr41xx_rtc_set_time, ++ .read_alarm = vr41xx_rtc_read_alarm, ++ .set_alarm = vr41xx_rtc_set_alarm, ++ .alarm_irq_enable = vr41xx_rtc_alarm_irq_enable, + }; + + static int rtc_probe(struct platform_device *pdev) +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 0b2c53af85c7..6a6b3db5780d 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -2822,7 +2822,7 @@ lpfc_online(struct lpfc_hba *phba) + } + + vports = lpfc_create_vport_work_array(phba); +- if (vports != NULL) ++ if (vports != NULL) { + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) { + struct Scsi_Host *shost; + shost = lpfc_shost_from_vport(vports[i]); +@@ -2839,7 +2839,8 @@ lpfc_online(struct lpfc_hba *phba) + } + spin_unlock_irq(shost->host_lock); + } +- lpfc_destroy_vport_work_array(phba, vports); ++ } ++ lpfc_destroy_vport_work_array(phba, vports); + + lpfc_unblock_mgmt_io(phba); + return 0; +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 6e503802947a..b1af2987b0c8 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -6096,12 +6096,13 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance, + } + + for (i = 0; i < ioc->sge_count; i++) { +- if (kbuff_arr[i]) ++ if (kbuff_arr[i]) { + dma_free_coherent(&instance->pdev->dev, + le32_to_cpu(kern_sge32[i].length), + kbuff_arr[i], + le32_to_cpu(kern_sge32[i].phys_addr)); + kbuff_arr[i] = NULL; ++ } + } + + if (instance->ctrl_context && cmd->mpt_pthr_cmd_blocked) +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 3d12c52c3f81..29a67a85ee71 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1115,7 +1115,6 @@ static int scsi_eh_action(struct scsi_cmnd *scmd, int rtn) + */ + void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q) + { +- scmd->device->host->host_failed--; + scmd->eh_eflags = 0; + list_move_tail(&scmd->eh_entry, done_q); + } +@@ -2213,6 +2212,9 @@ int scsi_error_handler(void *data) + else + scsi_unjam_host(shost); + ++ /* All scmds have been handled */ ++ shost->host_failed = 0; ++ + /* + * Note - if the above fails completely, the action is to take + * individual devices offline and flush the queue of any +diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c +index 87bc16f491f0..4703aeb7c25d 100644 +--- a/drivers/spi/spi-rockchip.c ++++ b/drivers/spi/spi-rockchip.c +@@ -264,7 +264,10 @@ static inline u32 rx_max(struct rockchip_spi *rs) + static void rockchip_spi_set_cs(struct spi_device *spi, bool enable) + { + u32 ser; +- struct rockchip_spi *rs = spi_master_get_devdata(spi->master); ++ struct spi_master *master = spi->master; ++ struct rockchip_spi *rs = spi_master_get_devdata(master); ++ ++ pm_runtime_get_sync(rs->dev); + + ser = readl_relaxed(rs->regs + ROCKCHIP_SPI_SER) & SER_MASK; + +@@ -289,6 +292,8 @@ static void rockchip_spi_set_cs(struct spi_device *spi, bool enable) + ser &= ~(1 << spi->chip_select); + + writel_relaxed(ser, rs->regs + ROCKCHIP_SPI_SER); ++ ++ pm_runtime_put_sync(rs->dev); + } + + static int rockchip_spi_prepare_message(struct spi_master *master, +diff --git a/drivers/spi/spi-sun4i.c b/drivers/spi/spi-sun4i.c +index 85204c93f3d3..19169bf9bf4d 100644 +--- a/drivers/spi/spi-sun4i.c ++++ b/drivers/spi/spi-sun4i.c +@@ -170,13 +170,17 @@ static int sun4i_spi_transfer_one(struct spi_master *master, + { + struct sun4i_spi *sspi = spi_master_get_devdata(master); + unsigned int mclk_rate, div, timeout; ++ unsigned int start, end, tx_time; + unsigned int tx_len = 0; + int ret = 0; + u32 reg; + + /* We don't support transfer larger than the FIFO */ + if (tfr->len > SUN4I_FIFO_DEPTH) +- return -EINVAL; ++ return -EMSGSIZE; ++ ++ if (tfr->tx_buf && tfr->len >= SUN4I_FIFO_DEPTH) ++ return -EMSGSIZE; + + reinit_completion(&sspi->done); + sspi->tx_buf = tfr->tx_buf; +@@ -229,8 +233,8 @@ static int sun4i_spi_transfer_one(struct spi_master *master, + + /* Ensure that we have a parent clock fast enough */ + mclk_rate = clk_get_rate(sspi->mclk); +- if (mclk_rate < (2 * spi->max_speed_hz)) { +- clk_set_rate(sspi->mclk, 2 * spi->max_speed_hz); ++ if (mclk_rate < (2 * tfr->speed_hz)) { ++ clk_set_rate(sspi->mclk, 2 * tfr->speed_hz); + mclk_rate = clk_get_rate(sspi->mclk); + } + +@@ -248,14 +252,14 @@ static int sun4i_spi_transfer_one(struct spi_master *master, + * First try CDR2, and if we can't reach the expected + * frequency, fall back to CDR1. + */ +- div = mclk_rate / (2 * spi->max_speed_hz); ++ div = mclk_rate / (2 * tfr->speed_hz); + if (div <= (SUN4I_CLK_CTL_CDR2_MASK + 1)) { + if (div > 0) + div--; + + reg = SUN4I_CLK_CTL_CDR2(div) | SUN4I_CLK_CTL_DRS; + } else { +- div = ilog2(mclk_rate) - ilog2(spi->max_speed_hz); ++ div = ilog2(mclk_rate) - ilog2(tfr->speed_hz); + reg = SUN4I_CLK_CTL_CDR1(div); + } + +@@ -269,8 +273,12 @@ static int sun4i_spi_transfer_one(struct spi_master *master, + sun4i_spi_write(sspi, SUN4I_BURST_CNT_REG, SUN4I_BURST_CNT(tfr->len)); + sun4i_spi_write(sspi, SUN4I_XMIT_CNT_REG, SUN4I_XMIT_CNT(tx_len)); + +- /* Fill the TX FIFO */ +- sun4i_spi_fill_fifo(sspi, SUN4I_FIFO_DEPTH); ++ /* ++ * Fill the TX FIFO ++ * Filling the FIFO fully causes timeout for some reason ++ * at least on spi2 on A10s ++ */ ++ sun4i_spi_fill_fifo(sspi, SUN4I_FIFO_DEPTH - 1); + + /* Enable the interrupts */ + sun4i_spi_write(sspi, SUN4I_INT_CTL_REG, SUN4I_INT_CTL_TC); +@@ -279,9 +287,16 @@ static int sun4i_spi_transfer_one(struct spi_master *master, + reg = sun4i_spi_read(sspi, SUN4I_CTL_REG); + sun4i_spi_write(sspi, SUN4I_CTL_REG, reg | SUN4I_CTL_XCH); + ++ tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U); ++ start = jiffies; + timeout = wait_for_completion_timeout(&sspi->done, +- msecs_to_jiffies(1000)); ++ msecs_to_jiffies(tx_time)); ++ end = jiffies; + if (!timeout) { ++ dev_warn(&master->dev, ++ "%s: timeout transferring %u bytes@%iHz for %i(%i)ms", ++ dev_name(&spi->dev), tfr->len, tfr->speed_hz, ++ jiffies_to_msecs(end - start), tx_time); + ret = -ETIMEDOUT; + goto out; + } +diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c +index bd24093f4038..04e90851504c 100644 +--- a/drivers/spi/spi-sun6i.c ++++ b/drivers/spi/spi-sun6i.c +@@ -160,6 +160,7 @@ static int sun6i_spi_transfer_one(struct spi_master *master, + { + struct sun6i_spi *sspi = spi_master_get_devdata(master); + unsigned int mclk_rate, div, timeout; ++ unsigned int start, end, tx_time; + unsigned int tx_len = 0; + int ret = 0; + u32 reg; +@@ -217,8 +218,8 @@ static int sun6i_spi_transfer_one(struct spi_master *master, + + /* Ensure that we have a parent clock fast enough */ + mclk_rate = clk_get_rate(sspi->mclk); +- if (mclk_rate < (2 * spi->max_speed_hz)) { +- clk_set_rate(sspi->mclk, 2 * spi->max_speed_hz); ++ if (mclk_rate < (2 * tfr->speed_hz)) { ++ clk_set_rate(sspi->mclk, 2 * tfr->speed_hz); + mclk_rate = clk_get_rate(sspi->mclk); + } + +@@ -236,14 +237,14 @@ static int sun6i_spi_transfer_one(struct spi_master *master, + * First try CDR2, and if we can't reach the expected + * frequency, fall back to CDR1. + */ +- div = mclk_rate / (2 * spi->max_speed_hz); ++ div = mclk_rate / (2 * tfr->speed_hz); + if (div <= (SUN6I_CLK_CTL_CDR2_MASK + 1)) { + if (div > 0) + div--; + + reg = SUN6I_CLK_CTL_CDR2(div) | SUN6I_CLK_CTL_DRS; + } else { +- div = ilog2(mclk_rate) - ilog2(spi->max_speed_hz); ++ div = ilog2(mclk_rate) - ilog2(tfr->speed_hz); + reg = SUN6I_CLK_CTL_CDR1(div); + } + +@@ -269,9 +270,16 @@ static int sun6i_spi_transfer_one(struct spi_master *master, + reg = sun6i_spi_read(sspi, SUN6I_TFR_CTL_REG); + sun6i_spi_write(sspi, SUN6I_TFR_CTL_REG, reg | SUN6I_TFR_CTL_XCH); + ++ tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U); ++ start = jiffies; + timeout = wait_for_completion_timeout(&sspi->done, +- msecs_to_jiffies(1000)); ++ msecs_to_jiffies(tx_time)); ++ end = jiffies; + if (!timeout) { ++ dev_warn(&master->dev, ++ "%s: timeout transferring %u bytes@%iHz for %i(%i)ms", ++ dev_name(&spi->dev), tfr->len, tfr->speed_hz, ++ jiffies_to_msecs(end - start), tx_time); + ret = -ETIMEDOUT; + goto out; + } +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index e5c31eadb0ac..04da6f0e3326 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -738,22 +738,16 @@ static int size_fifo(struct uart_8250_port *up) + */ + static unsigned int autoconfig_read_divisor_id(struct uart_8250_port *p) + { +- unsigned char old_dll, old_dlm, old_lcr; +- unsigned int id; ++ unsigned char old_lcr; ++ unsigned int id, old_dl; + + old_lcr = serial_in(p, UART_LCR); + serial_out(p, UART_LCR, UART_LCR_CONF_MODE_A); ++ old_dl = serial_dl_read(p); ++ serial_dl_write(p, 0); ++ id = serial_dl_read(p); ++ serial_dl_write(p, old_dl); + +- old_dll = serial_in(p, UART_DLL); +- old_dlm = serial_in(p, UART_DLM); +- +- serial_out(p, UART_DLL, 0); +- serial_out(p, UART_DLM, 0); +- +- id = serial_in(p, UART_DLL) | serial_in(p, UART_DLM) << 8; +- +- serial_out(p, UART_DLL, old_dll); +- serial_out(p, UART_DLM, old_dlm); + serial_out(p, UART_LCR, old_lcr); + + return id; +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 587d63bcbd0e..b7213637f498 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -749,6 +749,8 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + /* check to see if we need to change clock source */ + + if (ourport->baudclk != clk) { ++ clk_prepare_enable(clk); ++ + s3c24xx_serial_setsource(port, clk_sel); + + if (!IS_ERR(ourport->baudclk)) { +@@ -756,8 +758,6 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + ourport->baudclk = ERR_PTR(-EINVAL); + } + +- clk_prepare_enable(clk); +- + ourport->baudclk = clk; + ourport->baudclk_rate = clk ? clk_get_rate(clk) : 0; + } +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 53c25bca7d05..9062636d3154 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -3591,9 +3591,10 @@ static int do_register_con_driver(const struct consw *csw, int first, int last) + goto err; + + desc = csw->con_startup(); +- +- if (!desc) ++ if (!desc) { ++ retval = -ENODEV; + goto err; ++ } + + retval = -EINVAL; + +diff --git a/drivers/usb/common/usb-otg-fsm.c b/drivers/usb/common/usb-otg-fsm.c +index c812fefe0e50..27baa36cca00 100644 +--- a/drivers/usb/common/usb-otg-fsm.c ++++ b/drivers/usb/common/usb-otg-fsm.c +@@ -21,6 +21,7 @@ + * 675 Mass Ave, Cambridge, MA 02139, USA. + */ + ++#include <linux/module.h> + #include <linux/kernel.h> + #include <linux/types.h> + #include <linux/mutex.h> +@@ -365,3 +366,4 @@ int otg_statemachine(struct otg_fsm *fsm) + return state_changed; + } + EXPORT_SYMBOL_GPL(otg_statemachine); ++MODULE_LICENSE("GPL"); +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 87cc0654b49e..096bb82c69c4 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2523,26 +2523,23 @@ EXPORT_SYMBOL_GPL(usb_create_hcd); + * Don't deallocate the bandwidth_mutex until the last shared usb_hcd is + * deallocated. + * +- * Make sure to only deallocate the bandwidth_mutex when the primary HCD is +- * freed. When hcd_release() is called for either hcd in a peer set +- * invalidate the peer's ->shared_hcd and ->primary_hcd pointers to +- * block new peering attempts ++ * Make sure to deallocate the bandwidth_mutex only when the last HCD is ++ * freed. When hcd_release() is called for either hcd in a peer set, ++ * invalidate the peer's ->shared_hcd and ->primary_hcd pointers. + */ + static void hcd_release(struct kref *kref) + { + struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref); + + mutex_lock(&usb_port_peer_mutex); +- if (usb_hcd_is_primary_hcd(hcd)) { +- kfree(hcd->address0_mutex); +- kfree(hcd->bandwidth_mutex); +- } + if (hcd->shared_hcd) { + struct usb_hcd *peer = hcd->shared_hcd; + + peer->shared_hcd = NULL; +- if (peer->primary_hcd == hcd) +- peer->primary_hcd = NULL; ++ peer->primary_hcd = NULL; ++ } else { ++ kfree(hcd->address0_mutex); ++ kfree(hcd->bandwidth_mutex); + } + mutex_unlock(&usb_port_peer_mutex); + kfree(hcd); +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 6b53fc3ec636..0673a5abc21d 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -44,6 +44,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* USB3503 */ ++ { USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Microsoft Wireless Laser Mouse 6000 Receiver */ + { USB_DEVICE(0x045e, 0x00e1), .driver_info = USB_QUIRK_RESET_RESUME }, + +@@ -167,6 +170,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* MAYA44USB sound device */ + { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* ASUS Base Station(T100) */ ++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info = ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP }, ++ + /* Action Semiconductor flash disk */ + { USB_DEVICE(0x10d6, 0x2200), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, +@@ -182,26 +189,22 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1908, 0x1315), .driver_info = + USB_QUIRK_HONOR_BNUMINTERFACES }, + +- /* INTEL VALUE SSD */ +- { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, +- +- /* USB3503 */ +- { USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME }, +- +- /* ASUS Base Station(T100) */ +- { USB_DEVICE(0x0b05, 0x17e0), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + /* Protocol and OTG Electrical Test Device */ + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Acer C120 LED Projector */ ++ { USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Blackmagic Design Intensity Shuttle */ + { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM }, + + /* Blackmagic Design UltraStudio SDI */ + { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* INTEL VALUE SSD */ ++ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + { } /* terminating entry must be last */ + }; + +diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c +index 3951a65fea04..e184d17588ab 100644 +--- a/drivers/usb/dwc3/dwc3-exynos.c ++++ b/drivers/usb/dwc3/dwc3-exynos.c +@@ -106,7 +106,6 @@ static int dwc3_exynos_remove_child(struct device *dev, void *unused) + static int dwc3_exynos_probe(struct platform_device *pdev) + { + struct dwc3_exynos *exynos; +- struct clk *clk; + struct device *dev = &pdev->dev; + struct device_node *node = dev->of_node; + +@@ -127,21 +126,13 @@ static int dwc3_exynos_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, exynos); + +- ret = dwc3_exynos_register_phys(exynos); +- if (ret) { +- dev_err(dev, "couldn't register PHYs\n"); +- return ret; +- } ++ exynos->dev = dev; + +- clk = devm_clk_get(dev, "usbdrd30"); +- if (IS_ERR(clk)) { ++ exynos->clk = devm_clk_get(dev, "usbdrd30"); ++ if (IS_ERR(exynos->clk)) { + dev_err(dev, "couldn't get clock\n"); + return -EINVAL; + } +- +- exynos->dev = dev; +- exynos->clk = clk; +- + clk_prepare_enable(exynos->clk); + + exynos->vdd33 = devm_regulator_get(dev, "vdd33"); +@@ -166,26 +157,35 @@ static int dwc3_exynos_probe(struct platform_device *pdev) + goto err3; + } + ++ ret = dwc3_exynos_register_phys(exynos); ++ if (ret) { ++ dev_err(dev, "couldn't register PHYs\n"); ++ goto err4; ++ } ++ + if (node) { + ret = of_platform_populate(node, NULL, NULL, dev); + if (ret) { + dev_err(dev, "failed to add dwc3 core\n"); +- goto err4; ++ goto err5; + } + } else { + dev_err(dev, "no device node, failed to add dwc3 core\n"); + ret = -ENODEV; +- goto err4; ++ goto err5; + } + + return 0; + ++err5: ++ platform_device_unregister(exynos->usb2_phy); ++ platform_device_unregister(exynos->usb3_phy); + err4: + regulator_disable(exynos->vdd10); + err3: + regulator_disable(exynos->vdd33); + err2: +- clk_disable_unprepare(clk); ++ clk_disable_unprepare(exynos->clk); + return ret; + } + +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index db2becd31a51..54f964bbc79a 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -1018,8 +1018,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr) + struct usb_ep *ep = dev->gadget->ep0; + struct usb_request *req = dev->req; + +- if ((retval = setup_req (ep, req, 0)) == 0) +- retval = usb_ep_queue (ep, req, GFP_ATOMIC); ++ if ((retval = setup_req (ep, req, 0)) == 0) { ++ spin_unlock_irq (&dev->lock); ++ retval = usb_ep_queue (ep, req, GFP_KERNEL); ++ spin_lock_irq (&dev->lock); ++ } + dev->state = STATE_DEV_CONNECTED; + + /* assume that was SET_CONFIGURATION */ +@@ -1550,8 +1553,11 @@ delegate: + w_length); + if (value < 0) + break; ++ ++ spin_unlock (&dev->lock); + value = usb_ep_queue (gadget->ep0, dev->req, +- GFP_ATOMIC); ++ GFP_KERNEL); ++ spin_lock (&dev->lock); + if (value < 0) { + clean_req (gadget->ep0, dev->req); + break; +@@ -1574,11 +1580,14 @@ delegate: + if (value >= 0 && dev->state != STATE_DEV_SETUP) { + req->length = value; + req->zero = value < w_length; +- value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC); ++ ++ spin_unlock (&dev->lock); ++ value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL); + if (value < 0) { + DBG (dev, "ep_queue --> %d\n", value); + req->status = 0; + } ++ return value; + } + + /* device stalls when value < 0 */ +diff --git a/drivers/usb/host/ehci-tegra.c b/drivers/usb/host/ehci-tegra.c +index aaa01971efe9..aad253559bcd 100644 +--- a/drivers/usb/host/ehci-tegra.c ++++ b/drivers/usb/host/ehci-tegra.c +@@ -89,7 +89,7 @@ static int tegra_reset_usb_controller(struct platform_device *pdev) + if (!usb1_reset_attempted) { + struct reset_control *usb1_reset; + +- usb1_reset = of_reset_control_get(phy_np, "usb"); ++ usb1_reset = of_reset_control_get(phy_np, "utmi-pads"); + if (IS_ERR(usb1_reset)) { + dev_warn(&pdev->dev, + "can't get utmi-pads reset from the PHY\n"); +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index c6027acb6263..54caaf87c567 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -37,6 +37,7 @@ + /* Device for a quirk */ + #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 + #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000 ++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009 + #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400 + + #define PCI_VENDOR_ID_ETRON 0x1b6f +@@ -108,6 +109,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + } + ++ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC && ++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009) ++ xhci->quirks |= XHCI_BROKEN_STREAMS; ++ + if (pdev->vendor == PCI_VENDOR_ID_NEC) + xhci->quirks |= XHCI_NEC_HOST; + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 22516f41c6f4..3dd487872bf1 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -118,6 +118,9 @@ static int xhci_plat_probe(struct platform_device *pdev) + ret = clk_prepare_enable(clk); + if (ret) + goto put_hcd; ++ } else if (PTR_ERR(clk) == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto put_hcd; + } + + if (of_device_is_compatible(pdev->dev.of_node, +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 04e75258fb46..69464630be54 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -289,6 +289,14 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci) + + temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); + xhci->cmd_ring_state = CMD_RING_STATE_ABORTED; ++ ++ /* ++ * Writing the CMD_RING_ABORT bit should cause a cmd completion event, ++ * however on some host hw the CMD_RING_RUNNING bit is correctly cleared ++ * but the completion event in never sent. Use the cmd timeout timer to ++ * handle those cases. Use twice the time to cover the bit polling retry ++ */ ++ mod_timer(&xhci->cmd_timer, jiffies + (2 * XHCI_CMD_DEFAULT_TIMEOUT)); + xhci_write_64(xhci, temp_64 | CMD_RING_ABORT, + &xhci->op_regs->cmd_ring); + +@@ -304,6 +312,7 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci) + if (ret < 0) { + xhci_err(xhci, "Stopped the command ring failed, " + "maybe the host is dead\n"); ++ del_timer(&xhci->cmd_timer); + xhci->xhc_state |= XHCI_STATE_DYING; + xhci_quiesce(xhci); + xhci_halt(xhci); +@@ -1245,22 +1254,21 @@ void xhci_handle_command_timeout(unsigned long data) + int ret; + unsigned long flags; + u64 hw_ring_state; +- struct xhci_command *cur_cmd = NULL; ++ bool second_timeout = false; + xhci = (struct xhci_hcd *) data; + + /* mark this command to be cancelled */ + spin_lock_irqsave(&xhci->lock, flags); + if (xhci->current_cmd) { +- cur_cmd = xhci->current_cmd; +- cur_cmd->status = COMP_CMD_ABORT; ++ if (xhci->current_cmd->status == COMP_CMD_ABORT) ++ second_timeout = true; ++ xhci->current_cmd->status = COMP_CMD_ABORT; + } + +- + /* Make sure command ring is running before aborting it */ + hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); + if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) && + (hw_ring_state & CMD_RING_RUNNING)) { +- + spin_unlock_irqrestore(&xhci->lock, flags); + xhci_dbg(xhci, "Command timeout\n"); + ret = xhci_abort_cmd_ring(xhci); +@@ -1272,6 +1280,15 @@ void xhci_handle_command_timeout(unsigned long data) + } + return; + } ++ ++ /* command ring failed to restart, or host removed. Bail out */ ++ if (second_timeout || xhci->xhc_state & XHCI_STATE_REMOVING) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ xhci_dbg(xhci, "command timed out twice, ring start fail?\n"); ++ xhci_cleanup_command_queue(xhci); ++ return; ++ } ++ + /* command timeout on stopped ring, ring can't be aborted */ + xhci_dbg(xhci, "Command timeout on stopped ring\n"); + xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd); +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index 4500610356f2..7da914bc2094 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -583,14 +583,13 @@ musb_rx_reinit(struct musb *musb, struct musb_qh *qh, struct musb_hw_ep *ep) + musb_writew(ep->regs, MUSB_TXCSR, 0); + + /* scrub all previous state, clearing toggle */ +- } else { +- csr = musb_readw(ep->regs, MUSB_RXCSR); +- if (csr & MUSB_RXCSR_RXPKTRDY) +- WARNING("rx%d, packet/%d ready?\n", ep->epnum, +- musb_readw(ep->regs, MUSB_RXCOUNT)); +- +- musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); + } ++ csr = musb_readw(ep->regs, MUSB_RXCSR); ++ if (csr & MUSB_RXCSR_RXPKTRDY) ++ WARNING("rx%d, packet/%d ready?\n", ep->epnum, ++ musb_readw(ep->regs, MUSB_RXCOUNT)); ++ ++ musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); + + /* target addr and (for multipoint) hub addr/port */ + if (musb->is_multipoint) { +@@ -950,9 +949,15 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep, + if (is_in) { + dma = is_dma_capable() ? ep->rx_channel : NULL; + +- /* clear nak timeout bit */ ++ /* ++ * Need to stop the transaction by clearing REQPKT first ++ * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED ++ * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2 ++ */ + rx_csr = musb_readw(epio, MUSB_RXCSR); + rx_csr |= MUSB_RXCSR_H_WZC_BITS; ++ rx_csr &= ~MUSB_RXCSR_H_REQPKT; ++ musb_writew(epio, MUSB_RXCSR, rx_csr); + rx_csr &= ~MUSB_RXCSR_DATAERROR; + musb_writew(epio, MUSB_RXCSR, rx_csr); + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf003f19..e40da7759a0e 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index a5f88377cec5..cdd965fae22c 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -2266,7 +2266,6 @@ config XEN_FBDEV_FRONTEND + select FB_SYS_IMAGEBLIT + select FB_SYS_FOPS + select FB_DEFERRED_IO +- select INPUT_XEN_KBDDEV_FRONTEND if INPUT_MISC + select XEN_XENBUS_FRONTEND + default y + help +diff --git a/drivers/video/fbdev/da8xx-fb.c b/drivers/video/fbdev/da8xx-fb.c +index 10c876c95772..4515e4cddbca 100644 +--- a/drivers/video/fbdev/da8xx-fb.c ++++ b/drivers/video/fbdev/da8xx-fb.c +@@ -209,8 +209,7 @@ static struct fb_videomode known_lcd_panels[] = { + .lower_margin = 2, + .hsync_len = 0, + .vsync_len = 0, +- .sync = FB_SYNC_CLK_INVERT | +- FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ .sync = FB_SYNC_CLK_INVERT, + }, + /* Sharp LK043T1DG01 */ + [1] = { +@@ -224,7 +223,7 @@ static struct fb_videomode known_lcd_panels[] = { + .lower_margin = 2, + .hsync_len = 41, + .vsync_len = 10, +- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ .sync = 0, + .flag = 0, + }, + [2] = { +@@ -239,7 +238,7 @@ static struct fb_videomode known_lcd_panels[] = { + .lower_margin = 10, + .hsync_len = 10, + .vsync_len = 10, +- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ .sync = 0, + .flag = 0, + }, + [3] = { +diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c +index 9c234209d8b5..47a4177b16d2 100644 +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev *dev, int offset, int size, + field_start = OFFSET(cfg_entry); + field_end = OFFSET(cfg_entry) + field->size; + +- if ((req_start >= field_start && req_start < field_end) +- || (req_end > field_start && req_end <= field_end)) { ++ if (req_end > field_start && field_end > req_start) { + err = conf_space_read(dev, cfg_entry, field_start, + &tmp_val); + if (err) +@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_dev *dev, int offset, int size, u32 value) + field_start = OFFSET(cfg_entry); + field_end = OFFSET(cfg_entry) + field->size; + +- if ((req_start >= field_start && req_start < field_end) +- || (req_end > field_start && req_end <= field_end)) { ++ if (req_end > field_start && field_end > req_start) { + tmp_val = 0; + + err = xen_pcibk_config_read(dev, field_start, +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index f54511dd287e..39c68ef10808 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -1542,6 +1542,7 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans, + trans->transid, root->fs_info->generation); + + if (!should_cow_block(trans, root, buf)) { ++ trans->dirty = true; + *cow_ret = buf; + return 0; + } +@@ -2762,8 +2763,10 @@ again: + * then we don't want to set the path blocking, + * so we test it here + */ +- if (!should_cow_block(trans, root, b)) ++ if (!should_cow_block(trans, root, b)) { ++ trans->dirty = true; + goto cow_done; ++ } + + /* + * must have write locks on this node and the +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 950479f2d337..a067065efa6b 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -7237,7 +7237,7 @@ btrfs_init_new_buffer(struct btrfs_trans_handle *trans, struct btrfs_root *root, + set_extent_dirty(&trans->transaction->dirty_pages, buf->start, + buf->start + buf->len - 1, GFP_NOFS); + } +- trans->blocks_used++; ++ trans->dirty = true; + /* this returns a buffer locked for blocking */ + return buf; + } +@@ -9196,9 +9196,8 @@ void btrfs_create_pending_block_groups(struct btrfs_trans_handle *trans, + int ret = 0; + + list_for_each_entry_safe(block_group, tmp, &trans->new_bgs, bg_list) { +- list_del_init(&block_group->bg_list); + if (ret) +- continue; ++ goto next; + + spin_lock(&block_group->lock); + memcpy(&item, &block_group->item, sizeof(item)); +@@ -9213,6 +9212,8 @@ void btrfs_create_pending_block_groups(struct btrfs_trans_handle *trans, + key.objectid, key.offset); + if (ret) + btrfs_abort_transaction(trans, extent_root, ret); ++next: ++ list_del_init(&block_group->bg_list); + } + } + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 1c1ee12ab0cf..d96b2bc444c8 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1656,7 +1656,7 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file, + + src_inode = file_inode(src.file); + if (src_inode->i_sb != file_inode(file)->i_sb) { +- btrfs_info(BTRFS_I(src_inode)->root->fs_info, ++ btrfs_info(BTRFS_I(file_inode(file))->root->fs_info, + "Snapshot src from another FS"); + ret = -EXDEV; + } else if (!inode_owner_or_capable(src_inode)) { +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 7ceaaf2010f9..cf6d11bb8dcb 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -262,7 +262,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans, + trans->aborted = errno; + /* Nothing used. The other threads that have joined this + * transaction may be able to continue. */ +- if (!trans->blocks_used) { ++ if (!trans->dirty && list_empty(&trans->new_bgs)) { + const char *errstr; + + errstr = btrfs_decode_error(errno); +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 240019f36b2a..30dbf315c2d6 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -472,7 +472,6 @@ again: + + h->transid = cur_trans->transid; + h->transaction = cur_trans; +- h->blocks_used = 0; + h->bytes_reserved = 0; + h->root = root; + h->delayed_ref_updates = 0; +diff --git a/fs/btrfs/transaction.h b/fs/btrfs/transaction.h +index 1ba9c3e04191..1cf5de30368a 100644 +--- a/fs/btrfs/transaction.h ++++ b/fs/btrfs/transaction.h +@@ -88,7 +88,6 @@ struct btrfs_trans_handle { + u64 qgroup_reserved; + unsigned long use_count; + unsigned long blocks_reserved; +- unsigned long blocks_used; + unsigned long delayed_ref_updates; + struct btrfs_transaction *transaction; + struct btrfs_block_rsv *block_rsv; +@@ -98,6 +97,7 @@ struct btrfs_trans_handle { + bool allocating_chunk; + bool reloc_reserved; + bool sync; ++ bool dirty; + unsigned int type; + /* + * this root is only needed to validate that the root passed to +diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c +index 0303c6793d90..f7fb4b8658ba 100644 +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -136,6 +136,12 @@ convert_sfm_char(const __u16 src_char, char *target) + case SFM_SLASH: + *target = '\\'; + break; ++ case SFM_SPACE: ++ *target = ' '; ++ break; ++ case SFM_PERIOD: ++ *target = '.'; ++ break; + default: + return false; + } +@@ -364,7 +370,7 @@ static __le16 convert_to_sfu_char(char src_char) + return dest_char; + } + +-static __le16 convert_to_sfm_char(char src_char) ++static __le16 convert_to_sfm_char(char src_char, bool end_of_string) + { + __le16 dest_char; + +@@ -387,6 +393,18 @@ static __le16 convert_to_sfm_char(char src_char) + case '|': + dest_char = cpu_to_le16(SFM_PIPE); + break; ++ case '.': ++ if (end_of_string) ++ dest_char = cpu_to_le16(SFM_PERIOD); ++ else ++ dest_char = 0; ++ break; ++ case ' ': ++ if (end_of_string) ++ dest_char = cpu_to_le16(SFM_SPACE); ++ else ++ dest_char = 0; ++ break; + default: + dest_char = 0; + } +@@ -424,9 +442,16 @@ cifsConvertToUTF16(__le16 *target, const char *source, int srclen, + /* see if we must remap this char */ + if (map_chars == SFU_MAP_UNI_RSVD) + dst_char = convert_to_sfu_char(src_char); +- else if (map_chars == SFM_MAP_UNI_RSVD) +- dst_char = convert_to_sfm_char(src_char); +- else ++ else if (map_chars == SFM_MAP_UNI_RSVD) { ++ bool end_of_string; ++ ++ if (i == srclen - 1) ++ end_of_string = true; ++ else ++ end_of_string = false; ++ ++ dst_char = convert_to_sfm_char(src_char, end_of_string); ++ } else + dst_char = 0; + /* + * FIXME: We can not handle remapping backslash (UNI_SLASH) +diff --git a/fs/cifs/cifs_unicode.h b/fs/cifs/cifs_unicode.h +index bdc52cb9a676..479bc0a941f3 100644 +--- a/fs/cifs/cifs_unicode.h ++++ b/fs/cifs/cifs_unicode.h +@@ -64,6 +64,8 @@ + #define SFM_LESSTHAN ((__u16) 0xF023) + #define SFM_PIPE ((__u16) 0xF027) + #define SFM_SLASH ((__u16) 0xF026) ++#define SFM_PERIOD ((__u16) 0xF028) ++#define SFM_SPACE ((__u16) 0xF029) + + /* + * Mapping mechanism to use when one of the seven reserved characters is +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 82ebe7dbd834..db97215a23b2 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -413,7 +413,9 @@ cifs_echo_request(struct work_struct *work) + * server->ops->need_neg() == true. Also, no need to ping if + * we got a response recently. + */ +- if (!server->ops->need_neg || server->ops->need_neg(server) || ++ ++ if (server->tcpStatus == CifsNeedReconnect || ++ server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew || + (server->ops->can_echo && !server->ops->can_echo(server)) || + time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ)) + goto requeue_echo; +diff --git a/fs/cifs/ntlmssp.h b/fs/cifs/ntlmssp.h +index 848249fa120f..3079b38f0afb 100644 +--- a/fs/cifs/ntlmssp.h ++++ b/fs/cifs/ntlmssp.h +@@ -133,6 +133,6 @@ typedef struct _AUTHENTICATE_MESSAGE { + + int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, struct cifs_ses *ses); + void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, struct cifs_ses *ses); +-int build_ntlmssp_auth_blob(unsigned char *pbuffer, u16 *buflen, ++int build_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen, + struct cifs_ses *ses, + const struct nls_table *nls_cp); +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index fe423e18450f..693da83a65f0 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -364,19 +364,43 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, + sec_blob->DomainName.MaximumLength = 0; + } + +-/* We do not malloc the blob, it is passed in pbuffer, because its +- maximum possible size is fixed and small, making this approach cleaner. +- This function returns the length of the data in the blob */ +-int build_ntlmssp_auth_blob(unsigned char *pbuffer, ++static int size_of_ntlmssp_blob(struct cifs_ses *ses) ++{ ++ int sz = sizeof(AUTHENTICATE_MESSAGE) + ses->auth_key.len ++ - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; ++ ++ if (ses->domainName) ++ sz += 2 * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); ++ else ++ sz += 2; ++ ++ if (ses->user_name) ++ sz += 2 * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); ++ else ++ sz += 2; ++ ++ return sz; ++} ++ ++int build_ntlmssp_auth_blob(unsigned char **pbuffer, + u16 *buflen, + struct cifs_ses *ses, + const struct nls_table *nls_cp) + { + int rc; +- AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer; ++ AUTHENTICATE_MESSAGE *sec_blob; + __u32 flags; + unsigned char *tmp; + ++ rc = setup_ntlmv2_rsp(ses, nls_cp); ++ if (rc) { ++ cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); ++ *buflen = 0; ++ goto setup_ntlmv2_ret; ++ } ++ *pbuffer = kmalloc(size_of_ntlmssp_blob(ses), GFP_KERNEL); ++ sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; ++ + memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); + sec_blob->MessageType = NtLmAuthenticate; + +@@ -391,7 +415,7 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + flags |= NTLMSSP_NEGOTIATE_KEY_XCH; + } + +- tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE); ++ tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); + sec_blob->NegotiateFlags = cpu_to_le32(flags); + + sec_blob->LmChallengeResponse.BufferOffset = +@@ -399,13 +423,9 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + sec_blob->LmChallengeResponse.Length = 0; + sec_blob->LmChallengeResponse.MaximumLength = 0; + +- sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->NtChallengeResponse.BufferOffset = ++ cpu_to_le32(tmp - *pbuffer); + if (ses->user_name != NULL) { +- rc = setup_ntlmv2_rsp(ses, nls_cp); +- if (rc) { +- cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); +- goto setup_ntlmv2_ret; +- } + memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, + ses->auth_key.len - CIFS_SESS_KEY_SIZE); + tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; +@@ -423,7 +443,7 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + } + + if (ses->domainName == NULL) { +- sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->DomainName.Length = 0; + sec_blob->DomainName.MaximumLength = 0; + tmp += 2; +@@ -432,14 +452,14 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName, + CIFS_MAX_USERNAME_LEN, nls_cp); + len *= 2; /* unicode is 2 bytes each */ +- sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->DomainName.Length = cpu_to_le16(len); + sec_blob->DomainName.MaximumLength = cpu_to_le16(len); + tmp += len; + } + + if (ses->user_name == NULL) { +- sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->UserName.Length = 0; + sec_blob->UserName.MaximumLength = 0; + tmp += 2; +@@ -448,13 +468,13 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name, + CIFS_MAX_USERNAME_LEN, nls_cp); + len *= 2; /* unicode is 2 bytes each */ +- sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->UserName.Length = cpu_to_le16(len); + sec_blob->UserName.MaximumLength = cpu_to_le16(len); + tmp += len; + } + +- sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->WorkstationName.Length = 0; + sec_blob->WorkstationName.MaximumLength = 0; + tmp += 2; +@@ -463,19 +483,19 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, + (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) + && !calc_seckey(ses)) { + memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); +- sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); + sec_blob->SessionKey.MaximumLength = + cpu_to_le16(CIFS_CPHTXT_SIZE); + tmp += CIFS_CPHTXT_SIZE; + } else { +- sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer); ++ sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); + sec_blob->SessionKey.Length = 0; + sec_blob->SessionKey.MaximumLength = 0; + } + ++ *buflen = tmp - *pbuffer; + setup_ntlmv2_ret: +- *buflen = tmp - pbuffer; + return rc; + } + +@@ -1266,7 +1286,7 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) + struct cifs_ses *ses = sess_data->ses; + __u16 bytes_remaining; + char *bcc_ptr; +- char *ntlmsspblob = NULL; ++ unsigned char *ntlmsspblob = NULL; + u16 blob_len; + + cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); +@@ -1279,19 +1299,7 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) + /* Build security blob before we assemble the request */ + pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; + smb_buf = (struct smb_hdr *)pSMB; +- /* +- * 5 is an empirical value, large enough to hold +- * authenticate message plus max 10 of av paris, +- * domain, user, workstation names, flags, etc. +- */ +- ntlmsspblob = kzalloc(5*sizeof(struct _AUTHENTICATE_MESSAGE), +- GFP_KERNEL); +- if (!ntlmsspblob) { +- rc = -ENOMEM; +- goto out; +- } +- +- rc = build_ntlmssp_auth_blob(ntlmsspblob, ++ rc = build_ntlmssp_auth_blob(&ntlmsspblob, + &blob_len, ses, sess_data->nls_cp); + if (rc) + goto out_free_ntlmsspblob; +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index e8d1f8c59b56..d759ecdfa9d6 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -46,6 +46,7 @@ + #include "smb2status.h" + #include "smb2glob.h" + #include "cifspdu.h" ++#include "cifs_spnego.h" + + /* + * The following table defines the expected "StructureSize" of SMB2 requests +@@ -427,20 +428,15 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) + cifs_dbg(FYI, "missing security blob on negprot\n"); + + rc = cifs_enable_signing(server, ses->sign); +-#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */ + if (rc) + goto neg_exit; +- if (blob_length) +- rc = decode_neg_token_init(security_blob, blob_length, +- &server->sec_type); +- if (rc == 1) +- rc = 0; +- else if (rc == 0) { +- rc = -EIO; +- goto neg_exit; ++ if (blob_length) { ++ rc = decode_negTokenInit(security_blob, blob_length, server); ++ if (rc == 1) ++ rc = 0; ++ else if (rc == 0) ++ rc = -EIO; + } +-#endif +- + neg_exit: + free_rsp_buf(resp_buftype, rsp); + return rc; +@@ -534,8 +530,9 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, + __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ + struct TCP_Server_Info *server = ses->server; + u16 blob_length = 0; +- char *security_blob; +- char *ntlmssp_blob = NULL; ++ struct key *spnego_key = NULL; ++ char *security_blob = NULL; ++ unsigned char *ntlmssp_blob = NULL; + bool use_spnego = false; /* else use raw ntlmssp */ + + cifs_dbg(FYI, "Session Setup\n"); +@@ -562,7 +559,8 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, + ses->ntlmssp->sesskey_per_smbsess = true; + + /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */ +- ses->sectype = RawNTLMSSP; ++ if (ses->sectype != Kerberos && ses->sectype != RawNTLMSSP) ++ ses->sectype = RawNTLMSSP; + + ssetup_ntlmssp_authenticate: + if (phase == NtLmChallenge) +@@ -591,7 +589,48 @@ ssetup_ntlmssp_authenticate: + iov[0].iov_base = (char *)req; + /* 4 for rfc1002 length field and 1 for pad */ + iov[0].iov_len = get_rfc1002_length(req) + 4 - 1; +- if (phase == NtLmNegotiate) { ++ ++ if (ses->sectype == Kerberos) { ++#ifdef CONFIG_CIFS_UPCALL ++ struct cifs_spnego_msg *msg; ++ ++ spnego_key = cifs_get_spnego_key(ses); ++ if (IS_ERR(spnego_key)) { ++ rc = PTR_ERR(spnego_key); ++ spnego_key = NULL; ++ goto ssetup_exit; ++ } ++ ++ msg = spnego_key->payload.data; ++ /* ++ * check version field to make sure that cifs.upcall is ++ * sending us a response in an expected form ++ */ ++ if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { ++ cifs_dbg(VFS, ++ "bad cifs.upcall version. Expected %d got %d", ++ CIFS_SPNEGO_UPCALL_VERSION, msg->version); ++ rc = -EKEYREJECTED; ++ goto ssetup_exit; ++ } ++ ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, ++ GFP_KERNEL); ++ if (!ses->auth_key.response) { ++ cifs_dbg(VFS, ++ "Kerberos can't allocate (%u bytes) memory", ++ msg->sesskey_len); ++ rc = -ENOMEM; ++ goto ssetup_exit; ++ } ++ ses->auth_key.len = msg->sesskey_len; ++ blob_length = msg->secblob_len; ++ iov[1].iov_base = msg->data + msg->sesskey_len; ++ iov[1].iov_len = blob_length; ++#else ++ rc = -EOPNOTSUPP; ++ goto ssetup_exit; ++#endif /* CONFIG_CIFS_UPCALL */ ++ } else if (phase == NtLmNegotiate) { /* if not krb5 must be ntlmssp */ + ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE), + GFP_KERNEL); + if (ntlmssp_blob == NULL) { +@@ -614,15 +653,11 @@ ssetup_ntlmssp_authenticate: + /* with raw NTLMSSP we don't encapsulate in SPNEGO */ + security_blob = ntlmssp_blob; + } ++ iov[1].iov_base = security_blob; ++ iov[1].iov_len = blob_length; + } else if (phase == NtLmAuthenticate) { + req->hdr.SessionId = ses->Suid; +- ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500, +- GFP_KERNEL); +- if (ntlmssp_blob == NULL) { +- rc = -ENOMEM; +- goto ssetup_exit; +- } +- rc = build_ntlmssp_auth_blob(ntlmssp_blob, &blob_length, ses, ++ rc = build_ntlmssp_auth_blob(&ntlmssp_blob, &blob_length, ses, + nls_cp); + if (rc) { + cifs_dbg(FYI, "build_ntlmssp_auth_blob failed %d\n", +@@ -641,6 +676,8 @@ ssetup_ntlmssp_authenticate: + } else { + security_blob = ntlmssp_blob; + } ++ iov[1].iov_base = security_blob; ++ iov[1].iov_len = blob_length; + } else { + cifs_dbg(VFS, "illegal ntlmssp phase\n"); + rc = -EIO; +@@ -652,8 +689,6 @@ ssetup_ntlmssp_authenticate: + cpu_to_le16(sizeof(struct smb2_sess_setup_req) - + 1 /* pad */ - 4 /* rfc1001 len */); + req->SecurityBufferLength = cpu_to_le16(blob_length); +- iov[1].iov_base = security_blob; +- iov[1].iov_len = blob_length; + + inc_rfc1001_len(req, blob_length - 1 /* pad */); + +@@ -664,6 +699,7 @@ ssetup_ntlmssp_authenticate: + + kfree(security_blob); + rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base; ++ ses->Suid = rsp->hdr.SessionId; + if (resp_buftype != CIFS_NO_BUFFER && + rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { + if (phase != NtLmNegotiate) { +@@ -681,7 +717,6 @@ ssetup_ntlmssp_authenticate: + /* NTLMSSP Negotiate sent now processing challenge (response) */ + phase = NtLmChallenge; /* process ntlmssp challenge */ + rc = 0; /* MORE_PROCESSING is not an error here but expected */ +- ses->Suid = rsp->hdr.SessionId; + rc = decode_ntlmssp_challenge(rsp->Buffer, + le16_to_cpu(rsp->SecurityBufferLength), ses); + } +@@ -738,6 +773,10 @@ keygen_exit: + kfree(ses->auth_key.response); + ses->auth_key.response = NULL; + } ++ if (spnego_key) { ++ key_invalidate(spnego_key); ++ key_put(spnego_key); ++ } + kfree(ses->ntlmssp); + + return rc; +@@ -1584,6 +1623,33 @@ SMB2_echo(struct TCP_Server_Info *server) + + cifs_dbg(FYI, "In echo request\n"); + ++ if (server->tcpStatus == CifsNeedNegotiate) { ++ struct list_head *tmp, *tmp2; ++ struct cifs_ses *ses; ++ struct cifs_tcon *tcon; ++ ++ cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n"); ++ spin_lock(&cifs_tcp_ses_lock); ++ list_for_each(tmp, &server->smb_ses_list) { ++ ses = list_entry(tmp, struct cifs_ses, smb_ses_list); ++ list_for_each(tmp2, &ses->tcon_list) { ++ tcon = list_entry(tmp2, struct cifs_tcon, ++ tcon_list); ++ /* add check for persistent handle reconnect */ ++ if (tcon && tcon->need_reconnect) { ++ spin_unlock(&cifs_tcp_ses_lock); ++ rc = smb2_reconnect(SMB2_ECHO, tcon); ++ spin_lock(&cifs_tcp_ses_lock); ++ } ++ } ++ } ++ spin_unlock(&cifs_tcp_ses_lock); ++ } ++ ++ /* if no session, renegotiate failed above */ ++ if (server->tcpStatus == CifsNeedNegotiate) ++ return -EIO; ++ + rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req); + if (rc) + return rc; +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 2ea75cbeb697..6d7293082086 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4841,6 +4841,8 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) + might_sleep(); + trace_ext4_mark_inode_dirty(inode, _RET_IP_); + err = ext4_reserve_inode_write(handle, inode, &iloc); ++ if (err) ++ return err; + if (ext4_handle_valid(handle) && + EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize && + !ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) { +@@ -4871,9 +4873,7 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) + } + } + } +- if (!err) +- err = ext4_mark_iloc_dirty(handle, inode, &iloc); +- return err; ++ return ext4_mark_iloc_dirty(handle, inode, &iloc); + } + + /* +diff --git a/fs/locks.c b/fs/locks.c +index 298d1f5c66f0..253ca5c2b9c7 100644 +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -1580,7 +1580,7 @@ generic_add_lease(struct file *filp, long arg, struct file_lock **flp, void **pr + { + struct file_lock *fl, **before, **my_before = NULL, *lease; + struct dentry *dentry = filp->f_path.dentry; +- struct inode *inode = dentry->d_inode; ++ struct inode *inode = file_inode(filp); + bool is_deleg = (*flp)->fl_flags & FL_DELEG; + int error; + LIST_HEAD(dispose); +diff --git a/fs/namespace.c b/fs/namespace.c +index db31a49e01fd..d0cd3f4012ec 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1494,6 +1494,7 @@ void __detach_mounts(struct dentry *dentry) + goto out_unlock; + + lock_mount_hash(); ++ event++; + while (!hlist_empty(&mp->m_list)) { + mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list); + umount_tree(mnt, 0); +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 7a8d67cd823d..29b7a75064af 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1529,9 +1529,9 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + err = PTR_ERR(inode); + trace_nfs_atomic_open_exit(dir, ctx, open_flags, err); + put_nfs_open_context(ctx); ++ d_drop(dentry); + switch (err) { + case -ENOENT: +- d_drop(dentry); + d_add(dentry, NULL); + nfs_set_verifier(dentry, nfs_save_change_attribute(dir)); + break; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 575fb0ebf980..43fb57831567 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2635,12 +2635,11 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data) + call_close |= is_wronly; + else if (is_wronly) + calldata->arg.fmode |= FMODE_WRITE; ++ if (calldata->arg.fmode != (FMODE_READ|FMODE_WRITE)) ++ call_close |= is_rdwr; + } else if (is_rdwr) + calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; + +- if (calldata->arg.fmode == 0) +- call_close |= is_rdwr; +- + if (!nfs4_valid_open_stateid(state)) + call_close = 0; + spin_unlock(&state->owner->so_lock); +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 7cbdf1b2e4ab..9701a76f562e 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -630,22 +630,6 @@ static struct rpc_cred *get_backchannel_cred(struct nfs4_client *clp, struct rpc + } + } + +-static struct rpc_clnt *create_backchannel_client(struct rpc_create_args *args) +-{ +- struct rpc_xprt *xprt; +- +- if (args->protocol != XPRT_TRANSPORT_BC_TCP) +- return rpc_create(args); +- +- xprt = args->bc_xprt->xpt_bc_xprt; +- if (xprt) { +- xprt_get(xprt); +- return rpc_create_xprt(args, xprt); +- } +- +- return rpc_create(args); +-} +- + static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *conn, struct nfsd4_session *ses) + { + int maxtime = max_cb_time(clp->net); +@@ -688,7 +672,7 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c + args.authflavor = ses->se_cb_sec.flavor; + } + /* Create RPC client */ +- client = create_backchannel_client(&args); ++ client = rpc_create(&args); + if (IS_ERR(client)) { + dprintk("NFSD: couldn't create callback client: %ld\n", + PTR_ERR(client)); +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c +index 9da25fe9ea61..ed3a2d9ec5f7 100644 +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -443,7 +443,7 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp) + if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC) + return 0; + bytes = le16_to_cpu(sbp->s_bytes); +- if (bytes > BLOCK_SIZE) ++ if (bytes < sumoff + 4 || bytes > BLOCK_SIZE) + return 0; + crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp, + sumoff); +diff --git a/fs/pipe.c b/fs/pipe.c +index 21981e58e2a6..e3ba6c3a1743 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -39,6 +39,12 @@ unsigned int pipe_max_size = 1048576; + */ + unsigned int pipe_min_size = PAGE_SIZE; + ++/* Maximum allocatable pages per user. Hard limit is unset by default, soft ++ * matches default values. ++ */ ++unsigned long pipe_user_pages_hard; ++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; ++ + /* + * We use a start+len construction, which provides full use of the + * allocated memory. +@@ -585,20 +591,49 @@ pipe_fasync(int fd, struct file *filp, int on) + return retval; + } + ++static void account_pipe_buffers(struct pipe_inode_info *pipe, ++ unsigned long old, unsigned long new) ++{ ++ atomic_long_add(new - old, &pipe->user->pipe_bufs); ++} ++ ++static bool too_many_pipe_buffers_soft(struct user_struct *user) ++{ ++ return pipe_user_pages_soft && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; ++} ++ ++static bool too_many_pipe_buffers_hard(struct user_struct *user) ++{ ++ return pipe_user_pages_hard && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; ++} ++ + struct pipe_inode_info *alloc_pipe_info(void) + { + struct pipe_inode_info *pipe; + + pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); + if (pipe) { +- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); ++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; ++ struct user_struct *user = get_current_user(); ++ ++ if (!too_many_pipe_buffers_hard(user)) { ++ if (too_many_pipe_buffers_soft(user)) ++ pipe_bufs = 1; ++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); ++ } ++ + if (pipe->bufs) { + init_waitqueue_head(&pipe->wait); + pipe->r_counter = pipe->w_counter = 1; +- pipe->buffers = PIPE_DEF_BUFFERS; ++ pipe->buffers = pipe_bufs; ++ pipe->user = user; ++ account_pipe_buffers(pipe, 0, pipe_bufs); + mutex_init(&pipe->mutex); + return pipe; + } ++ free_uid(user); + kfree(pipe); + } + +@@ -609,6 +644,8 @@ void free_pipe_info(struct pipe_inode_info *pipe) + { + int i; + ++ account_pipe_buffers(pipe, pipe->buffers, 0); ++ free_uid(pipe->user); + for (i = 0; i < pipe->buffers; i++) { + struct pipe_buffer *buf = pipe->bufs + i; + if (buf->ops) +@@ -999,6 +1036,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) + memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); + } + ++ account_pipe_buffers(pipe, pipe->buffers, nr_pages); + pipe->curbuf = 0; + kfree(pipe->bufs); + pipe->bufs = bufs; +@@ -1070,6 +1108,11 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { + ret = -EPERM; + goto out; ++ } else if ((too_many_pipe_buffers_hard(pipe->user) || ++ too_many_pipe_buffers_soft(pipe->user)) && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { ++ ret = -EPERM; ++ goto out; + } + ret = pipe_set_size(pipe, nr_pages); + break; +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 76b296fe93c9..dc98620634a3 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -752,7 +752,8 @@ static ssize_t environ_read(struct file *file, char __user *buf, + int ret = 0; + struct mm_struct *mm = file->private_data; + +- if (!mm) ++ /* Ensure the process spawned far enough to have an environment. */ ++ if (!mm || !mm->env_end) + return 0; + + page = (char *)__get_free_page(GFP_TEMPORARY); +diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c +index b5b593c45270..d37140e5b722 100644 +--- a/fs/ubifs/file.c ++++ b/fs/ubifs/file.c +@@ -54,6 +54,7 @@ + #include <linux/mount.h> + #include <linux/namei.h> + #include <linux/slab.h> ++#include <linux/migrate.h> + + static int read_block(struct inode *inode, void *addr, unsigned int block, + struct ubifs_data_node *dn) +@@ -1419,6 +1420,26 @@ static int ubifs_set_page_dirty(struct page *page) + return ret; + } + ++#ifdef CONFIG_MIGRATION ++static int ubifs_migrate_page(struct address_space *mapping, ++ struct page *newpage, struct page *page, enum migrate_mode mode) ++{ ++ int rc; ++ ++ rc = migrate_page_move_mapping(mapping, newpage, page, NULL, mode, 0); ++ if (rc != MIGRATEPAGE_SUCCESS) ++ return rc; ++ ++ if (PagePrivate(page)) { ++ ClearPagePrivate(page); ++ SetPagePrivate(newpage); ++ } ++ ++ migrate_page_copy(newpage, page); ++ return MIGRATEPAGE_SUCCESS; ++} ++#endif ++ + static int ubifs_releasepage(struct page *page, gfp_t unused_gfp_flags) + { + /* +@@ -1556,6 +1577,9 @@ const struct address_space_operations ubifs_file_address_operations = { + .write_end = ubifs_write_end, + .invalidatepage = ubifs_invalidatepage, + .set_page_dirty = ubifs_set_page_dirty, ++#ifdef CONFIG_MIGRATION ++ .migratepage = ubifs_migrate_page, ++#endif + .releasepage = ubifs_releasepage, + }; + +diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c +index eff34218f405..2300743e701e 100644 +--- a/fs/xfs/libxfs/xfs_alloc.c ++++ b/fs/xfs/libxfs/xfs_alloc.c +@@ -515,6 +515,7 @@ xfs_agfl_write_verify( + } + + const struct xfs_buf_ops xfs_agfl_buf_ops = { ++ .name = "xfs_agfl", + .verify_read = xfs_agfl_read_verify, + .verify_write = xfs_agfl_write_verify, + }; +@@ -2271,6 +2272,7 @@ xfs_agf_write_verify( + } + + const struct xfs_buf_ops xfs_agf_buf_ops = { ++ .name = "xfs_agf", + .verify_read = xfs_agf_read_verify, + .verify_write = xfs_agf_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_alloc_btree.c b/fs/xfs/libxfs/xfs_alloc_btree.c +index e0e83e24d3ef..3bd94d5a5068 100644 +--- a/fs/xfs/libxfs/xfs_alloc_btree.c ++++ b/fs/xfs/libxfs/xfs_alloc_btree.c +@@ -380,6 +380,7 @@ xfs_allocbt_write_verify( + } + + const struct xfs_buf_ops xfs_allocbt_buf_ops = { ++ .name = "xfs_allocbt", + .verify_read = xfs_allocbt_read_verify, + .verify_write = xfs_allocbt_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index b7cd0a0541af..905b0cdb0107 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -251,6 +251,7 @@ xfs_attr3_leaf_read_verify( + } + + const struct xfs_buf_ops xfs_attr3_leaf_buf_ops = { ++ .name = "xfs_attr3_leaf", + .verify_read = xfs_attr3_leaf_read_verify, + .verify_write = xfs_attr3_leaf_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_attr_remote.c b/fs/xfs/libxfs/xfs_attr_remote.c +index 7510ab8058a4..fda9c2aad37c 100644 +--- a/fs/xfs/libxfs/xfs_attr_remote.c ++++ b/fs/xfs/libxfs/xfs_attr_remote.c +@@ -198,6 +198,7 @@ xfs_attr3_rmt_write_verify( + } + + const struct xfs_buf_ops xfs_attr3_rmt_buf_ops = { ++ .name = "xfs_attr3_rmt", + .verify_read = xfs_attr3_rmt_read_verify, + .verify_write = xfs_attr3_rmt_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_bmap_btree.c b/fs/xfs/libxfs/xfs_bmap_btree.c +index fba753308f31..e6bde91a7d0c 100644 +--- a/fs/xfs/libxfs/xfs_bmap_btree.c ++++ b/fs/xfs/libxfs/xfs_bmap_btree.c +@@ -722,6 +722,7 @@ xfs_bmbt_write_verify( + } + + const struct xfs_buf_ops xfs_bmbt_buf_ops = { ++ .name = "xfs_bmbt", + .verify_read = xfs_bmbt_read_verify, + .verify_write = xfs_bmbt_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_da_btree.c b/fs/xfs/libxfs/xfs_da_btree.c +index fd827530afec..837b366c3fcf 100644 +--- a/fs/xfs/libxfs/xfs_da_btree.c ++++ b/fs/xfs/libxfs/xfs_da_btree.c +@@ -243,6 +243,7 @@ xfs_da3_node_read_verify( + } + + const struct xfs_buf_ops xfs_da3_node_buf_ops = { ++ .name = "xfs_da3_node", + .verify_read = xfs_da3_node_read_verify, + .verify_write = xfs_da3_node_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_dir2_block.c b/fs/xfs/libxfs/xfs_dir2_block.c +index 9628ceccfa02..11a3beed2e57 100644 +--- a/fs/xfs/libxfs/xfs_dir2_block.c ++++ b/fs/xfs/libxfs/xfs_dir2_block.c +@@ -123,6 +123,7 @@ xfs_dir3_block_write_verify( + } + + const struct xfs_buf_ops xfs_dir3_block_buf_ops = { ++ .name = "xfs_dir3_block", + .verify_read = xfs_dir3_block_read_verify, + .verify_write = xfs_dir3_block_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_dir2_data.c b/fs/xfs/libxfs/xfs_dir2_data.c +index fdd803fecb8e..47504a191bb3 100644 +--- a/fs/xfs/libxfs/xfs_dir2_data.c ++++ b/fs/xfs/libxfs/xfs_dir2_data.c +@@ -302,11 +302,13 @@ xfs_dir3_data_write_verify( + } + + const struct xfs_buf_ops xfs_dir3_data_buf_ops = { ++ .name = "xfs_dir3_data", + .verify_read = xfs_dir3_data_read_verify, + .verify_write = xfs_dir3_data_write_verify, + }; + + static const struct xfs_buf_ops xfs_dir3_data_reada_buf_ops = { ++ .name = "xfs_dir3_data_reada", + .verify_read = xfs_dir3_data_reada_verify, + .verify_write = xfs_dir3_data_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_dir2_leaf.c b/fs/xfs/libxfs/xfs_dir2_leaf.c +index a19174eb3cb2..a03f595674bf 100644 +--- a/fs/xfs/libxfs/xfs_dir2_leaf.c ++++ b/fs/xfs/libxfs/xfs_dir2_leaf.c +@@ -244,11 +244,13 @@ xfs_dir3_leafn_write_verify( + } + + const struct xfs_buf_ops xfs_dir3_leaf1_buf_ops = { ++ .name = "xfs_dir3_leaf1", + .verify_read = xfs_dir3_leaf1_read_verify, + .verify_write = xfs_dir3_leaf1_write_verify, + }; + + const struct xfs_buf_ops xfs_dir3_leafn_buf_ops = { ++ .name = "xfs_dir3_leafn", + .verify_read = xfs_dir3_leafn_read_verify, + .verify_write = xfs_dir3_leafn_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c +index 2ae6ac2c11ae..75431b220174 100644 +--- a/fs/xfs/libxfs/xfs_dir2_node.c ++++ b/fs/xfs/libxfs/xfs_dir2_node.c +@@ -149,6 +149,7 @@ xfs_dir3_free_write_verify( + } + + const struct xfs_buf_ops xfs_dir3_free_buf_ops = { ++ .name = "xfs_dir3_free", + .verify_read = xfs_dir3_free_read_verify, + .verify_write = xfs_dir3_free_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_dquot_buf.c b/fs/xfs/libxfs/xfs_dquot_buf.c +index 89b7ddfe5377..c6fba7314e8f 100644 +--- a/fs/xfs/libxfs/xfs_dquot_buf.c ++++ b/fs/xfs/libxfs/xfs_dquot_buf.c +@@ -303,6 +303,7 @@ xfs_dquot_buf_write_verify( + } + + const struct xfs_buf_ops xfs_dquot_buf_ops = { ++ .name = "xfs_dquot", + .verify_read = xfs_dquot_buf_read_verify, + .verify_write = xfs_dquot_buf_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c +index 23dcb72fc5e6..196f29690484 100644 +--- a/fs/xfs/libxfs/xfs_ialloc.c ++++ b/fs/xfs/libxfs/xfs_ialloc.c +@@ -2105,6 +2105,7 @@ xfs_agi_write_verify( + } + + const struct xfs_buf_ops xfs_agi_buf_ops = { ++ .name = "xfs_agi", + .verify_read = xfs_agi_read_verify, + .verify_write = xfs_agi_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_ialloc_btree.c b/fs/xfs/libxfs/xfs_ialloc_btree.c +index c9b06f30fe86..14ae3e295e7c 100644 +--- a/fs/xfs/libxfs/xfs_ialloc_btree.c ++++ b/fs/xfs/libxfs/xfs_ialloc_btree.c +@@ -297,6 +297,7 @@ xfs_inobt_write_verify( + } + + const struct xfs_buf_ops xfs_inobt_buf_ops = { ++ .name = "xfs_inobt", + .verify_read = xfs_inobt_read_verify, + .verify_write = xfs_inobt_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c +index 8249599238c3..1bf2f1ccd957 100644 +--- a/fs/xfs/libxfs/xfs_inode_buf.c ++++ b/fs/xfs/libxfs/xfs_inode_buf.c +@@ -141,11 +141,13 @@ xfs_inode_buf_write_verify( + } + + const struct xfs_buf_ops xfs_inode_buf_ops = { ++ .name = "xfs_inode", + .verify_read = xfs_inode_buf_read_verify, + .verify_write = xfs_inode_buf_write_verify, + }; + + const struct xfs_buf_ops xfs_inode_buf_ra_ops = { ++ .name = "xxfs_inode_ra", + .verify_read = xfs_inode_buf_readahead_verify, + .verify_write = xfs_inode_buf_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c +index 5f902fa7913f..acfcdc625aca 100644 +--- a/fs/xfs/libxfs/xfs_sb.c ++++ b/fs/xfs/libxfs/xfs_sb.c +@@ -704,11 +704,13 @@ xfs_sb_write_verify( + } + + const struct xfs_buf_ops xfs_sb_buf_ops = { ++ .name = "xfs_sb", + .verify_read = xfs_sb_read_verify, + .verify_write = xfs_sb_write_verify, + }; + + const struct xfs_buf_ops xfs_sb_quiet_buf_ops = { ++ .name = "xfs_sb_quiet", + .verify_read = xfs_sb_quiet_read_verify, + .verify_write = xfs_sb_write_verify, + }; +diff --git a/fs/xfs/libxfs/xfs_symlink_remote.c b/fs/xfs/libxfs/xfs_symlink_remote.c +index a7dce9aea5b5..ccbbbbc7f25a 100644 +--- a/fs/xfs/libxfs/xfs_symlink_remote.c ++++ b/fs/xfs/libxfs/xfs_symlink_remote.c +@@ -166,6 +166,7 @@ xfs_symlink_write_verify( + } + + const struct xfs_buf_ops xfs_symlink_buf_ops = { ++ .name = "xfs_symlink", + .verify_read = xfs_symlink_read_verify, + .verify_write = xfs_symlink_write_verify, + }; +diff --git a/fs/xfs/xfs_buf.h b/fs/xfs/xfs_buf.h +index 82002c00af90..136319ccabf5 100644 +--- a/fs/xfs/xfs_buf.h ++++ b/fs/xfs/xfs_buf.h +@@ -131,6 +131,7 @@ struct xfs_buf_map { + struct xfs_buf_map (map) = { .bm_bn = (blkno), .bm_len = (numblk) }; + + struct xfs_buf_ops { ++ char *name; + void (*verify_read)(struct xfs_buf *); + void (*verify_write)(struct xfs_buf *); + }; +diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c +index b92fd7bc49e3..d55a1ce6d880 100644 +--- a/fs/xfs/xfs_error.c ++++ b/fs/xfs/xfs_error.c +@@ -166,9 +166,9 @@ xfs_verifier_error( + { + struct xfs_mount *mp = bp->b_target->bt_mount; + +- xfs_alert(mp, "Metadata %s detected at %pF, block 0x%llx", ++ xfs_alert(mp, "Metadata %s detected at %pF, %s block 0x%llx", + bp->b_error == -EFSBADCRC ? "CRC error" : "corruption", +- __return_address, bp->b_bn); ++ __return_address, bp->b_ops->name, bp->b_bn); + + xfs_alert(mp, "Unmount and run xfs_repair"); + +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index a3e215bb0241..7741efa43b35 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -239,11 +239,18 @@ void xt_unregister_match(struct xt_match *target); + int xt_register_matches(struct xt_match *match, unsigned int n); + void xt_unregister_matches(struct xt_match *match, unsigned int n); + ++int xt_check_entry_offsets(const void *base, const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset); ++ + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len, ++ struct xt_counters_info *info, bool compat); ++ + struct xt_table *xt_register_table(struct net *net, + const struct xt_table *table, + struct xt_table_info *bootstrap, +@@ -421,7 +428,7 @@ void xt_compat_init_offsets(u_int8_t af, unsigned int number); + int xt_compat_calc_jump(u_int8_t af, unsigned int offset); + + int xt_compat_match_offset(const struct xt_match *match); +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + unsigned int *size); + int xt_compat_match_to_user(const struct xt_entry_match *m, + void __user **dstptr, unsigned int *size); +@@ -431,6 +438,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + unsigned int *size); + int xt_compat_target_to_user(const struct xt_entry_target *t, + void __user **dstptr, unsigned int *size); ++int xt_compat_check_entry_offsets(const void *base, const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset); + + #endif /* CONFIG_COMPAT */ + #endif /* _X_TABLES_H */ +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h +index eb8b8ac6df3c..24f5470d3944 100644 +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -42,6 +42,7 @@ struct pipe_buffer { + * @fasync_readers: reader side fasync + * @fasync_writers: writer side fasync + * @bufs: the circular array of pipe buffers ++ * @user: the user who created this pipe + **/ + struct pipe_inode_info { + struct mutex mutex; +@@ -57,6 +58,7 @@ struct pipe_inode_info { + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; + struct pipe_buffer *bufs; ++ struct user_struct *user; + }; + + /* +@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info *); + void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); + + extern unsigned int pipe_max_size, pipe_min_size; ++extern unsigned long pipe_user_pages_hard; ++extern unsigned long pipe_user_pages_soft; + int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); + + +diff --git a/include/linux/platform_data/asoc-s3c.h b/include/linux/platform_data/asoc-s3c.h +index a6591c693ebb..e8d9f84ec931 100644 +--- a/include/linux/platform_data/asoc-s3c.h ++++ b/include/linux/platform_data/asoc-s3c.h +@@ -38,6 +38,10 @@ struct samsung_i2s { + */ + struct s3c_audio_pdata { + int (*cfg_gpio)(struct platform_device *); ++ void *dma_playback; ++ void *dma_capture; ++ void *dma_play_sec; ++ void *dma_capture_mic; + union { + struct samsung_i2s i2s; + } type; +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 2a0bcc8411dc..ebfd7a5ea6d4 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -759,6 +759,7 @@ struct user_struct { + #endif + unsigned long locked_shm; /* How many pages of mlocked shm ? */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h +index b363a0f6dfe1..3fbae6853df3 100644 +--- a/include/linux/sunrpc/clnt.h ++++ b/include/linux/sunrpc/clnt.h +@@ -131,8 +131,6 @@ struct rpc_create_args { + #define RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT (1UL << 9) + + struct rpc_clnt *rpc_create(struct rpc_create_args *args); +-struct rpc_clnt *rpc_create_xprt(struct rpc_create_args *args, +- struct rpc_xprt *xprt); + struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *, + const struct rpc_program *, u32); + void rpc_task_reset_client(struct rpc_task *task, struct rpc_clnt *clnt); +diff --git a/include/linux/swap.h b/include/linux/swap.h +index 37a585beef5c..1dc0e886227d 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -315,7 +315,7 @@ extern void lru_add_drain(void); + extern void lru_add_drain_cpu(int cpu); + extern void lru_add_drain_all(void); + extern void rotate_reclaimable_page(struct page *page); +-extern void deactivate_page(struct page *page); ++extern void deactivate_file_page(struct page *page); + extern void swap_setup(void); + + extern void add_page_to_unevictable_list(struct page *page); +diff --git a/include/linux/usb/ehci_def.h b/include/linux/usb/ehci_def.h +index daec99af5d54..1c88b177cb9c 100644 +--- a/include/linux/usb/ehci_def.h ++++ b/include/linux/usb/ehci_def.h +@@ -178,11 +178,11 @@ struct ehci_regs { + * PORTSCx + */ + /* HOSTPC: offset 0x84 */ +- u32 hostpc[1]; /* HOSTPC extension */ ++ u32 hostpc[0]; /* HOSTPC extension */ + #define HOSTPC_PHCD (1<<22) /* Phy clock disable */ + #define HOSTPC_PSPD (3<<25) /* Port speed detection */ + +- u32 reserved5[16]; ++ u32 reserved5[17]; + + /* USBMODE_EX: offset 0xc8 */ + u32 usbmode_ex; /* USB Device mode extension */ +diff --git a/include/net/codel.h b/include/net/codel.h +index aeee28081245..7302a4df618c 100644 +--- a/include/net/codel.h ++++ b/include/net/codel.h +@@ -158,11 +158,13 @@ struct codel_vars { + * struct codel_stats - contains codel shared variables and stats + * @maxpacket: largest packet we've seen so far + * @drop_count: temp count of dropped packets in dequeue() ++ * @drop_len: bytes of dropped packets in dequeue() + * ecn_mark: number of packets we ECN marked instead of dropping + */ + struct codel_stats { + u32 maxpacket; + u32 drop_count; ++ u32 drop_len; + u32 ecn_mark; + }; + +@@ -297,6 +299,7 @@ static struct sk_buff *codel_dequeue(struct Qdisc *sch, + vars->rec_inv_sqrt); + goto end; + } ++ stats->drop_len += qdisc_pkt_len(skb); + qdisc_drop(skb, sch); + stats->drop_count++; + skb = dequeue_func(vars, sch); +@@ -319,6 +322,7 @@ static struct sk_buff *codel_dequeue(struct Qdisc *sch, + if (params->ecn && INET_ECN_set_ce(skb)) { + stats->ecn_mark++; + } else { ++ stats->drop_len += qdisc_pkt_len(skb); + qdisc_drop(skb, sch); + stats->drop_count++; + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 5ccfe161f359..f10b01467f07 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -393,7 +393,8 @@ struct Qdisc *dev_graft_qdisc(struct netdev_queue *dev_queue, + struct Qdisc *qdisc); + void qdisc_reset(struct Qdisc *qdisc); + void qdisc_destroy(struct Qdisc *qdisc); +-void qdisc_tree_decrease_qlen(struct Qdisc *qdisc, unsigned int n); ++void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, unsigned int n, ++ unsigned int len); + struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue, + const struct Qdisc_ops *ops); + struct Qdisc *qdisc_create_dflt(struct netdev_queue *dev_queue, +@@ -689,6 +690,23 @@ static inline void qdisc_reset_queue(struct Qdisc *sch) + sch->qstats.backlog = 0; + } + ++static inline struct Qdisc *qdisc_replace(struct Qdisc *sch, struct Qdisc *new, ++ struct Qdisc **pold) ++{ ++ struct Qdisc *old; ++ ++ sch_tree_lock(sch); ++ old = *pold; ++ *pold = new; ++ if (old != NULL) { ++ qdisc_tree_reduce_backlog(old, old->q.qlen, old->qstats.backlog); ++ qdisc_reset(old); ++ } ++ sch_tree_unlock(sch); ++ ++ return old; ++} ++ + static inline unsigned int __qdisc_queue_drop(struct Qdisc *sch, + struct sk_buff_head *list) + { +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 67f5f177c071..eac45b688c08 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1737,7 +1737,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) + if (IS_ERR(map)) { + verbose("fd %d is not pointing to valid bpf_map\n", + insn->imm); +- fdput(f); + return PTR_ERR(map); + } + +diff --git a/kernel/cgroup.c b/kernel/cgroup.c +index 136eceadeed1..f033fbd94ac3 100644 +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -4489,7 +4489,7 @@ static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss, + + err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_NOWAIT); + if (err < 0) +- goto err_free_percpu_ref; ++ goto err_free_css; + css->id = err; + + if (visible) { +@@ -4521,9 +4521,6 @@ err_list_del: + list_del_rcu(&css->sibling); + cgroup_clear_dir(css->cgroup, 1 << css->ss->id); + err_free_id: +- cgroup_idr_remove(&ss->css_idr, css->id); +-err_free_percpu_ref: +- percpu_ref_exit(&css->refcnt); + err_free_css: + call_rcu(&css->rcu_head, css_free_rcu_fn); + return err; +diff --git a/kernel/futex.c b/kernel/futex.c +index d58859d62b8b..8874a7b431e4 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1381,8 +1381,8 @@ void requeue_futex(struct futex_q *q, struct futex_hash_bucket *hb1, + if (likely(&hb1->chain != &hb2->chain)) { + plist_del(&q->list, &hb1->chain); + hb_waiters_dec(hb1); +- plist_add(&q->list, &hb2->chain); + hb_waiters_inc(hb2); ++ plist_add(&q->list, &hb2->chain); + q->lock_ptr = &hb2->lock; + } + get_futex_key_refs(key2); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 4317f0156092..2f774edcc4e8 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -4595,14 +4595,16 @@ void show_state_filter(unsigned long state_filter) + /* + * reset the NMI-timeout, listing all files on a slow + * console might take a lot of time: ++ * Also, reset softlockup watchdogs on all CPUs, because ++ * another CPU might be blocked waiting for us to process ++ * an IPI. + */ + touch_nmi_watchdog(); ++ touch_all_softlockup_watchdogs(); + if (!state_filter || (p->state & state_filter)) + sched_show_task(p); + } + +- touch_all_softlockup_watchdogs(); +- + #ifdef CONFIG_SCHED_DEBUG + sysrq_sched_debug_show(); + #endif +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index cd0e835ecb85..07da431802e4 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1656,6 +1656,20 @@ static struct ctl_table fs_table[] = { + .proc_handler = &pipe_proc_fn, + .extra1 = &pipe_min_size, + }, ++ { ++ .procname = "pipe-user-pages-hard", ++ .data = &pipe_user_pages_hard, ++ .maxlen = sizeof(pipe_user_pages_hard), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, ++ { ++ .procname = "pipe-user-pages-soft", ++ .data = &pipe_user_pages_soft, ++ .maxlen = sizeof(pipe_user_pages_soft), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, + { } + }; + +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index 14ffaa59a9e9..9008103db583 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -38,6 +38,10 @@ struct trace_bprintk_fmt { + static inline struct trace_bprintk_fmt *lookup_format(const char *fmt) + { + struct trace_bprintk_fmt *pos; ++ ++ if (!fmt) ++ return ERR_PTR(-EINVAL); ++ + list_for_each_entry(pos, &trace_bprintk_fmt_list, list) { + if (!strcmp(pos->fmt, fmt)) + return pos; +@@ -59,7 +63,8 @@ void hold_module_trace_bprintk_format(const char **start, const char **end) + for (iter = start; iter < end; iter++) { + struct trace_bprintk_fmt *tb_fmt = lookup_format(*iter); + if (tb_fmt) { +- *iter = tb_fmt->fmt; ++ if (!IS_ERR(tb_fmt)) ++ *iter = tb_fmt->fmt; + continue; + } + +diff --git a/mm/compaction.c b/mm/compaction.c +index 8d010df763dc..9f8b1dd5303c 100644 +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -371,6 +371,24 @@ static unsigned long isolate_freepages_block(struct compact_control *cc, + + if (!valid_page) + valid_page = page; ++ ++ /* ++ * For compound pages such as THP and hugetlbfs, we can save ++ * potentially a lot of iterations if we skip them at once. ++ * The check is racy, but we can consider only valid values ++ * and the only danger is skipping too much. ++ */ ++ if (PageCompound(page)) { ++ unsigned int comp_order = compound_order(page); ++ ++ if (likely(comp_order < MAX_ORDER)) { ++ blockpfn += (1UL << comp_order) - 1; ++ cursor += (1UL << comp_order) - 1; ++ } ++ ++ goto isolate_fail; ++ } ++ + if (!PageBuddy(page)) + goto isolate_fail; + +@@ -402,18 +420,23 @@ static unsigned long isolate_freepages_block(struct compact_control *cc, + + /* Found a free page, break it into order-0 pages */ + isolated = split_free_page(page); ++ if (!isolated) ++ break; ++ + total_isolated += isolated; ++ cc->nr_freepages += isolated; + for (i = 0; i < isolated; i++) { + list_add(&page->lru, freelist); + page++; + } +- +- /* If a page was split, advance to the end of it */ +- if (isolated) { +- blockpfn += isolated - 1; +- cursor += isolated - 1; +- continue; ++ if (!strict && cc->nr_migratepages <= cc->nr_freepages) { ++ blockpfn += isolated; ++ break; + } ++ /* Advance to the end of split page */ ++ blockpfn += isolated - 1; ++ cursor += isolated - 1; ++ continue; + + isolate_fail: + if (strict) +@@ -423,6 +446,16 @@ isolate_fail: + + } + ++ if (locked) ++ spin_unlock_irqrestore(&cc->zone->lock, flags); ++ ++ /* ++ * There is a tiny chance that we have read bogus compound_order(), ++ * so be careful to not go outside of the pageblock. ++ */ ++ if (unlikely(blockpfn > end_pfn)) ++ blockpfn = end_pfn; ++ + /* Record how far we have got within the block */ + *start_pfn = blockpfn; + +@@ -436,9 +469,6 @@ isolate_fail: + if (strict && blockpfn < end_pfn) + total_isolated = 0; + +- if (locked) +- spin_unlock_irqrestore(&cc->zone->lock, flags); +- + /* Update the pageblock-skip if the whole pageblock was scanned */ + if (blockpfn == end_pfn) + update_pageblock_skip(cc, valid_page, total_isolated, false); +@@ -864,7 +894,12 @@ static void isolate_freepages(struct compact_control *cc) + + /* Found a block suitable for isolating free pages from. */ + isolated = isolate_freepages_block(cc, &isolate_start_pfn, +- block_end_pfn, freelist, false); ++ block_end_pfn, freelist, false); ++ /* If isolation failed early, do not continue needlessly */ ++ if (!isolated && isolate_start_pfn < block_end_pfn && ++ cc->nr_migratepages > cc->nr_freepages) ++ break; ++ + nr_freepages += isolated; + + /* +diff --git a/mm/migrate.c b/mm/migrate.c +index cd4fd10c4ec3..3594defceff9 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -421,6 +421,7 @@ int migrate_page_move_mapping(struct address_space *mapping, + + return MIGRATEPAGE_SUCCESS; + } ++EXPORT_SYMBOL(migrate_page_move_mapping); + + /* + * The expected number of remaining references is the same as that +@@ -580,6 +581,7 @@ void migrate_page_copy(struct page *newpage, struct page *page) + if (PageWriteback(newpage)) + end_page_writeback(newpage); + } ++EXPORT_SYMBOL(migrate_page_copy); + + /************************************************************ + * Migration functions +diff --git a/mm/page_isolation.c b/mm/page_isolation.c +index ec66134fb2a5..03648ced21c2 100644 +--- a/mm/page_isolation.c ++++ b/mm/page_isolation.c +@@ -299,11 +299,11 @@ struct page *alloc_migrate_target(struct page *page, unsigned long private, + * now as a simple work-around, we use the next node for destination. + */ + if (PageHuge(page)) { +- nodemask_t src = nodemask_of_node(page_to_nid(page)); +- nodemask_t dst; +- nodes_complement(dst, src); ++ int node = next_online_node(page_to_nid(page)); ++ if (node == MAX_NUMNODES) ++ node = first_online_node; + return alloc_huge_page_node(page_hstate(compound_head(page)), +- next_node(page_to_nid(page), dst)); ++ node); + } + + if (PageHighMem(page)) +diff --git a/mm/percpu.c b/mm/percpu.c +index 88bb6c92d83a..5ae6e0284967 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -110,7 +110,7 @@ struct pcpu_chunk { + int map_used; /* # of map entries used before the sentry */ + int map_alloc; /* # of map entries allocated */ + int *map; /* allocation map */ +- struct work_struct map_extend_work;/* async ->map[] extension */ ++ struct list_head map_extend_list;/* on pcpu_map_extend_chunks */ + + void *data; /* chunk data */ + int first_free; /* no free below this */ +@@ -160,10 +160,13 @@ static struct pcpu_chunk *pcpu_reserved_chunk; + static int pcpu_reserved_chunk_limit; + + static DEFINE_SPINLOCK(pcpu_lock); /* all internal data structures */ +-static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */ ++static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop, map ext */ + + static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */ + ++/* chunks which need their map areas extended, protected by pcpu_lock */ ++static LIST_HEAD(pcpu_map_extend_chunks); ++ + /* + * The number of empty populated pages, protected by pcpu_lock. The + * reserved chunk doesn't contribute to the count. +@@ -397,13 +400,19 @@ static int pcpu_need_to_extend(struct pcpu_chunk *chunk, bool is_atomic) + { + int margin, new_alloc; + ++ lockdep_assert_held(&pcpu_lock); ++ + if (is_atomic) { + margin = 3; + + if (chunk->map_alloc < +- chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW && +- pcpu_async_enabled) +- schedule_work(&chunk->map_extend_work); ++ chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW) { ++ if (list_empty(&chunk->map_extend_list)) { ++ list_add_tail(&chunk->map_extend_list, ++ &pcpu_map_extend_chunks); ++ pcpu_schedule_balance_work(); ++ } ++ } + } else { + margin = PCPU_ATOMIC_MAP_MARGIN_HIGH; + } +@@ -437,6 +446,8 @@ static int pcpu_extend_area_map(struct pcpu_chunk *chunk, int new_alloc) + size_t old_size = 0, new_size = new_alloc * sizeof(new[0]); + unsigned long flags; + ++ lockdep_assert_held(&pcpu_alloc_mutex); ++ + new = pcpu_mem_zalloc(new_size); + if (!new) + return -ENOMEM; +@@ -469,20 +480,6 @@ out_unlock: + return 0; + } + +-static void pcpu_map_extend_workfn(struct work_struct *work) +-{ +- struct pcpu_chunk *chunk = container_of(work, struct pcpu_chunk, +- map_extend_work); +- int new_alloc; +- +- spin_lock_irq(&pcpu_lock); +- new_alloc = pcpu_need_to_extend(chunk, false); +- spin_unlock_irq(&pcpu_lock); +- +- if (new_alloc) +- pcpu_extend_area_map(chunk, new_alloc); +-} +- + /** + * pcpu_fit_in_area - try to fit the requested allocation in a candidate area + * @chunk: chunk the candidate area belongs to +@@ -742,7 +739,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void) + chunk->map_used = 1; + + INIT_LIST_HEAD(&chunk->list); +- INIT_WORK(&chunk->map_extend_work, pcpu_map_extend_workfn); ++ INIT_LIST_HEAD(&chunk->map_extend_list); + chunk->free_size = pcpu_unit_size; + chunk->contig_hint = pcpu_unit_size; + +@@ -897,6 +894,9 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved, + return NULL; + } + ++ if (!is_atomic) ++ mutex_lock(&pcpu_alloc_mutex); ++ + spin_lock_irqsave(&pcpu_lock, flags); + + /* serve reserved allocations from the reserved chunk if available */ +@@ -969,12 +969,9 @@ restart: + if (is_atomic) + goto fail; + +- mutex_lock(&pcpu_alloc_mutex); +- + if (list_empty(&pcpu_slot[pcpu_nr_slots - 1])) { + chunk = pcpu_create_chunk(); + if (!chunk) { +- mutex_unlock(&pcpu_alloc_mutex); + err = "failed to allocate new chunk"; + goto fail; + } +@@ -985,7 +982,6 @@ restart: + spin_lock_irqsave(&pcpu_lock, flags); + } + +- mutex_unlock(&pcpu_alloc_mutex); + goto restart; + + area_found: +@@ -995,8 +991,6 @@ area_found: + if (!is_atomic) { + int page_start, page_end, rs, re; + +- mutex_lock(&pcpu_alloc_mutex); +- + page_start = PFN_DOWN(off); + page_end = PFN_UP(off + size); + +@@ -1007,7 +1001,6 @@ area_found: + + spin_lock_irqsave(&pcpu_lock, flags); + if (ret) { +- mutex_unlock(&pcpu_alloc_mutex); + pcpu_free_area(chunk, off, &occ_pages); + err = "failed to populate"; + goto fail_unlock; +@@ -1047,6 +1040,8 @@ fail: + /* see the flag handling in pcpu_blance_workfn() */ + pcpu_atomic_alloc_failed = true; + pcpu_schedule_balance_work(); ++ } else { ++ mutex_unlock(&pcpu_alloc_mutex); + } + return NULL; + } +@@ -1131,6 +1126,7 @@ static void pcpu_balance_workfn(struct work_struct *work) + if (chunk == list_first_entry(free_head, struct pcpu_chunk, list)) + continue; + ++ list_del_init(&chunk->map_extend_list); + list_move(&chunk->list, &to_free); + } + +@@ -1148,6 +1144,25 @@ static void pcpu_balance_workfn(struct work_struct *work) + pcpu_destroy_chunk(chunk); + } + ++ /* service chunks which requested async area map extension */ ++ do { ++ int new_alloc = 0; ++ ++ spin_lock_irq(&pcpu_lock); ++ ++ chunk = list_first_entry_or_null(&pcpu_map_extend_chunks, ++ struct pcpu_chunk, map_extend_list); ++ if (chunk) { ++ list_del_init(&chunk->map_extend_list); ++ new_alloc = pcpu_need_to_extend(chunk, false); ++ } ++ ++ spin_unlock_irq(&pcpu_lock); ++ ++ if (new_alloc) ++ pcpu_extend_area_map(chunk, new_alloc); ++ } while (chunk); ++ + /* + * Ensure there are certain number of free populated pages for + * atomic allocs. Fill up from the most packed so that atomic +@@ -1648,7 +1663,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai, + */ + schunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0); + INIT_LIST_HEAD(&schunk->list); +- INIT_WORK(&schunk->map_extend_work, pcpu_map_extend_workfn); ++ INIT_LIST_HEAD(&schunk->map_extend_list); + schunk->base_addr = base_addr; + schunk->map = smap; + schunk->map_alloc = ARRAY_SIZE(smap); +@@ -1678,7 +1693,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai, + if (dyn_size) { + dchunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0); + INIT_LIST_HEAD(&dchunk->list); +- INIT_WORK(&dchunk->map_extend_work, pcpu_map_extend_workfn); ++ INIT_LIST_HEAD(&dchunk->map_extend_list); + dchunk->base_addr = base_addr; + dchunk->map = dmap; + dchunk->map_alloc = ARRAY_SIZE(dmap); +diff --git a/mm/shmem.c b/mm/shmem.c +index 0b4ba556703a..fac22b578eb9 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2140,9 +2140,11 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, + NULL); + if (error) { + /* Remove the !PageUptodate pages we added */ +- shmem_undo_range(inode, +- (loff_t)start << PAGE_CACHE_SHIFT, +- (loff_t)index << PAGE_CACHE_SHIFT, true); ++ if (index > start) { ++ shmem_undo_range(inode, ++ (loff_t)start << PAGE_CACHE_SHIFT, ++ ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true); ++ } + goto undone; + } + +diff --git a/mm/swap.c b/mm/swap.c +index 8a12b33936b4..9ccec11ed3fb 100644 +--- a/mm/swap.c ++++ b/mm/swap.c +@@ -42,7 +42,7 @@ int page_cluster; + + static DEFINE_PER_CPU(struct pagevec, lru_add_pvec); + static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs); +-static DEFINE_PER_CPU(struct pagevec, lru_deactivate_pvecs); ++static DEFINE_PER_CPU(struct pagevec, lru_deactivate_file_pvecs); + + /* + * This path almost never happens for VM activity - pages are normally +@@ -475,7 +475,7 @@ void rotate_reclaimable_page(struct page *page) + page_cache_get(page); + local_irq_save(flags); + pvec = this_cpu_ptr(&lru_rotate_pvecs); +- if (!pagevec_add(pvec, page)) ++ if (!pagevec_add(pvec, page) || PageCompound(page)) + pagevec_move_tail(pvec); + local_irq_restore(flags); + } +@@ -531,7 +531,7 @@ void activate_page(struct page *page) + struct pagevec *pvec = &get_cpu_var(activate_page_pvecs); + + page_cache_get(page); +- if (!pagevec_add(pvec, page)) ++ if (!pagevec_add(pvec, page) || PageCompound(page)) + pagevec_lru_move_fn(pvec, __activate_page, NULL); + put_cpu_var(activate_page_pvecs); + } +@@ -623,9 +623,8 @@ static void __lru_cache_add(struct page *page) + struct pagevec *pvec = &get_cpu_var(lru_add_pvec); + + page_cache_get(page); +- if (!pagevec_space(pvec)) ++ if (!pagevec_space(pvec) || PageCompound(page)) + __pagevec_lru_add(pvec); +- pagevec_add(pvec, page); + put_cpu_var(lru_add_pvec); + } + +@@ -743,7 +742,7 @@ void lru_cache_add_active_or_unevictable(struct page *page, + * be write it out by flusher threads as this is much more effective + * than the single-page writeout from reclaim. + */ +-static void lru_deactivate_fn(struct page *page, struct lruvec *lruvec, ++static void lru_deactivate_file_fn(struct page *page, struct lruvec *lruvec, + void *arg) + { + int lru, file; +@@ -811,36 +810,36 @@ void lru_add_drain_cpu(int cpu) + local_irq_restore(flags); + } + +- pvec = &per_cpu(lru_deactivate_pvecs, cpu); ++ pvec = &per_cpu(lru_deactivate_file_pvecs, cpu); + if (pagevec_count(pvec)) +- pagevec_lru_move_fn(pvec, lru_deactivate_fn, NULL); ++ pagevec_lru_move_fn(pvec, lru_deactivate_file_fn, NULL); + + activate_page_drain(cpu); + } + + /** +- * deactivate_page - forcefully deactivate a page ++ * deactivate_file_page - forcefully deactivate a file page + * @page: page to deactivate + * + * This function hints the VM that @page is a good reclaim candidate, + * for example if its invalidation fails due to the page being dirty + * or under writeback. + */ +-void deactivate_page(struct page *page) ++void deactivate_file_page(struct page *page) + { + /* +- * In a workload with many unevictable page such as mprotect, unevictable +- * page deactivation for accelerating reclaim is pointless. ++ * In a workload with many unevictable page such as mprotect, ++ * unevictable page deactivation for accelerating reclaim is pointless. + */ + if (PageUnevictable(page)) + return; + + if (likely(get_page_unless_zero(page))) { +- struct pagevec *pvec = &get_cpu_var(lru_deactivate_pvecs); ++ struct pagevec *pvec = &get_cpu_var(lru_deactivate_file_pvecs); + +- if (!pagevec_add(pvec, page)) +- pagevec_lru_move_fn(pvec, lru_deactivate_fn, NULL); +- put_cpu_var(lru_deactivate_pvecs); ++ if (!pagevec_add(pvec, page) || PageCompound(page)) ++ pagevec_lru_move_fn(pvec, lru_deactivate_file_fn, NULL); ++ put_cpu_var(lru_deactivate_file_pvecs); + } + } + +@@ -872,7 +871,7 @@ void lru_add_drain_all(void) + + if (pagevec_count(&per_cpu(lru_add_pvec, cpu)) || + pagevec_count(&per_cpu(lru_rotate_pvecs, cpu)) || +- pagevec_count(&per_cpu(lru_deactivate_pvecs, cpu)) || ++ pagevec_count(&per_cpu(lru_deactivate_file_pvecs, cpu)) || + need_activate_page_drain(cpu)) { + INIT_WORK(work, lru_add_drain_per_cpu); + schedule_work_on(cpu, work); +diff --git a/mm/truncate.c b/mm/truncate.c +index f1e4d6052369..dff252c03f3b 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -513,7 +513,7 @@ unsigned long invalidate_mapping_pages(struct address_space *mapping, + * of interest and try to speed up its reclaim. + */ + if (!ret) +- deactivate_page(page); ++ deactivate_file_page(page); + count += ret; + } + pagevec_remove_exceptionals(&pvec); +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index 35f76f2f7824..bbb1d04e7f8f 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -88,6 +88,15 @@ static void _batadv_update_route(struct batadv_priv *bat_priv, + neigh_node = NULL; + + spin_lock_bh(&orig_node->neigh_list_lock); ++ /* curr_router used earlier may not be the current orig_ifinfo->router ++ * anymore because it was dereferenced outside of the neigh_list_lock ++ * protected region. After the new best neighbor has replace the current ++ * best neighbor the reference counter needs to decrease. Consequently, ++ * the code needs to ensure the curr_router variable contains a pointer ++ * to the replaced best neighbor. ++ */ ++ curr_router = rcu_dereference_protected(orig_ifinfo->router, true); ++ + rcu_assign_pointer(orig_ifinfo->router, neigh_node); + spin_unlock_bh(&orig_node->neigh_list_lock); + batadv_orig_ifinfo_free_ref(orig_ifinfo); +diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c +index 3d64ed20c393..6004c2de7b2a 100644 +--- a/net/batman-adv/send.c ++++ b/net/batman-adv/send.c +@@ -611,6 +611,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, + + if (pending) { + hlist_del(&forw_packet->list); ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->bcast_queue_left); ++ + batadv_forw_packet_free(forw_packet); + } + } +@@ -638,6 +641,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, + + if (pending) { + hlist_del(&forw_packet->list); ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->batman_queue_left); ++ + batadv_forw_packet_free(forw_packet); + } + } +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 492b0593dc2f..0bb7cae486b3 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -378,11 +378,17 @@ void batadv_interface_rx(struct net_device *soft_iface, + */ + nf_reset(skb); + ++ if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) ++ goto dropped; ++ + vid = batadv_get_vid(skb, 0); + ethhdr = eth_hdr(skb); + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, VLAN_ETH_HLEN)) ++ goto dropped; ++ + vhdr = (struct vlan_ethhdr *)skb->data; + + if (vhdr->h_vlan_encapsulated_proto != ethertype) +@@ -394,8 +400,6 @@ void batadv_interface_rx(struct net_device *soft_iface, + } + + /* skb->dev & skb->pkt_type are set here */ +- if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) +- goto dropped; + skb->protocol = eth_type_trans(skb, soft_iface); + + /* should not be necessary anymore as we use skb_pull_rcsum() +diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c +index 8d423bc649b9..f876f707fd9e 100644 +--- a/net/bridge/br_ioctl.c ++++ b/net/bridge/br_ioctl.c +@@ -21,18 +21,19 @@ + #include <asm/uaccess.h> + #include "br_private.h" + +-/* called with RTNL */ + static int get_bridge_ifindices(struct net *net, int *indices, int num) + { + struct net_device *dev; + int i = 0; + +- for_each_netdev(net, dev) { ++ rcu_read_lock(); ++ for_each_netdev_rcu(net, dev) { + if (i >= num) + break; + if (dev->priv_flags & IFF_EBRIDGE) + indices[i++] = dev->ifindex; + } ++ rcu_read_unlock(); + + return i; + } +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index c412db774603..e1574edf4e43 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1019,14 +1019,16 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, + goto nla_put_failure; + + if (1) { +- struct rtnl_link_ifmap map = { +- .mem_start = dev->mem_start, +- .mem_end = dev->mem_end, +- .base_addr = dev->base_addr, +- .irq = dev->irq, +- .dma = dev->dma, +- .port = dev->if_port, +- }; ++ struct rtnl_link_ifmap map; ++ ++ memset(&map, 0, sizeof(map)); ++ map.mem_start = dev->mem_start; ++ map.mem_end = dev->mem_end; ++ map.base_addr = dev->base_addr; ++ map.irq = dev->irq; ++ map.dma = dev->dma; ++ map.port = dev->if_port; ++ + if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) + goto nla_put_failure; + } +diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c +index daccc4a36d80..4047341f6c07 100644 +--- a/net/decnet/dn_route.c ++++ b/net/decnet/dn_route.c +@@ -1042,10 +1042,13 @@ source_ok: + if (!fld.daddr) { + fld.daddr = fld.saddr; + +- err = -EADDRNOTAVAIL; + if (dev_out) + dev_put(dev_out); ++ err = -EINVAL; + dev_out = init_net.loopback_dev; ++ if (!dev_out->dn_ptr) ++ goto out; ++ err = -EADDRNOTAVAIL; + dev_hold(dev_out); + if (!fld.daddr) { + fld.daddr = +@@ -1118,6 +1121,8 @@ source_ok: + if (dev_out == NULL) + goto out; + dn_db = rcu_dereference_raw(dev_out->dn_ptr); ++ if (!dn_db) ++ goto e_inval; + /* Possible improvement - check all devices for local addr */ + if (dn_dev_islocal(dev_out, fld.daddr)) { + dev_put(dev_out); +@@ -1159,6 +1164,8 @@ select_source: + dev_put(dev_out); + dev_out = init_net.loopback_dev; + dev_hold(dev_out); ++ if (!dev_out->dn_ptr) ++ goto e_inval; + fld.flowidn_oif = dev_out->ifindex; + if (res.fi) + dn_fib_info_put(res.fi); +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 214882e7d6de..464293c34b7a 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, + + ASSERT_RTNL(); + ++ if (in_dev->dead) ++ goto no_promotions; ++ + /* 1. Deleting primary ifaddr forces deletion all secondaries + * unless alias promotion is set + **/ +@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, + fib_del_ifaddr(ifa, ifa1); + } + ++no_promotions: + /* 2. Unlink it */ + + *ifap = ifa1->ifa_next; +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 23104a3f2924..d4c698ce0838 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -814,6 +814,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) + subnet = 1; + } + ++ if (in_dev->dead) ++ goto no_promotions; ++ + /* Deletion is more complicated than add. + * We should take care of not to delete too much :-) + * +@@ -889,6 +892,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) + } + } + ++no_promotions: + if (!(ok & BRD_OK)) + fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim); + if (subnet && ifa->ifa_prefixlen < 31) { +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index f95b6f93814b..655e1b05ff74 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -355,11 +355,24 @@ unsigned int arpt_do_table(struct sk_buff *skb, + } + + /* All zeroes == unconditional rule. */ +-static inline bool unconditional(const struct arpt_arp *arp) ++static inline bool unconditional(const struct arpt_entry *e) + { + static const struct arpt_arp uncond; + +- return memcmp(arp, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct arpt_entry) && ++ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; ++} ++ ++static bool find_jump_target(const struct xt_table_info *t, ++ const struct arpt_entry *target) ++{ ++ struct arpt_entry *iter; ++ ++ xt_entry_foreach(iter, t->entries, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; + } + + /* Figures out from what hook each rule can be called: returns 0 if +@@ -398,11 +411,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct arpt_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && unconditional(&e->arp)) || +- visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -435,6 +447,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + size = e->next_offset; + e = (struct arpt_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -454,9 +468,15 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct arpt_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct arpt_entry *) + (entry0 + newpos); +@@ -470,25 +490,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + return 1; + } + +-static inline int check_entry(const struct arpt_entry *e, const char *name) +-{ +- const struct xt_entry_target *t; +- +- if (!arp_checkentry(&e->arp)) { +- duprintf("arp_tables: arp check failed %p %s.\n", e, name); +- return -EINVAL; +- } +- +- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset) +- return -EINVAL; +- +- t = arpt_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; +-} +- + static inline int check_target(struct arpt_entry *e, const char *name) + { + struct xt_entry_target *t = arpt_get_target(e); +@@ -518,10 +519,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) + struct xt_target *target; + int ret; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + t = arpt_get_target(e); + target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, + t->u.user.revision); +@@ -547,7 +544,7 @@ static bool check_underflow(const struct arpt_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->arp)) ++ if (!unconditional(e)) + return false; + t = arpt_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -566,9 +563,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 || +- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct arpt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p\n", e); + return -EINVAL; + } +@@ -580,6 +579,14 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + return -EINVAL; + } + ++ if (!arp_checkentry(&e->arp)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_ARP_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -588,9 +595,9 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +@@ -680,10 +687,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, + } + } + +- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) { +- duprintf("Looping hook\n"); ++ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) + return -ELOOP; +- } + + /* Finally, each sanity check must pass */ + i = 0; +@@ -1116,56 +1121,18 @@ static int do_add_counters(struct net *net, const void __user *user, + unsigned int i, curcpu; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- const char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + void *loc_cpu_entry; + struct arpt_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; + +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); + +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } +- +- t = xt_find_table_lock(net, NFPROTO_ARP, name); ++ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1173,7 +1140,7 @@ static int do_add_counters(struct net *net, const void __user *user, + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +@@ -1199,6 +1166,18 @@ static int do_add_counters(struct net *net, const void __user *user, + } + + #ifdef CONFIG_COMPAT ++struct compat_arpt_replace { ++ char name[XT_TABLE_MAXNAMELEN]; ++ u32 valid_hooks; ++ u32 num_entries; ++ u32 size; ++ u32 hook_entry[NF_ARP_NUMHOOKS]; ++ u32 underflow[NF_ARP_NUMHOOKS]; ++ u32 num_counters; ++ compat_uptr_t counters; ++ struct compat_arpt_entry entries[0]; ++}; ++ + static inline void compat_release_entry(struct compat_arpt_entry *e) + { + struct xt_entry_target *t; +@@ -1207,24 +1186,22 @@ static inline void compat_release_entry(struct compat_arpt_entry *e) + module_put(t->u.kernel.target->me); + } + +-static inline int ++static int + check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned char *limit) + { + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || +- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p, limit = %p\n", e, limit); + return -EINVAL; + } +@@ -1236,8 +1213,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct arpt_entry *)e, name); ++ if (!arp_checkentry(&e->arp)) ++ return -EINVAL; ++ ++ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); + if (ret) + return ret; + +@@ -1261,17 +1241,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + if (ret) + goto release_target; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_ARP_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + release_target: +@@ -1280,18 +1249,17 @@ out: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; + struct xt_target *target; + struct arpt_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + +- ret = 0; + origsize = *size; + de = (struct arpt_entry *)*dstptr; + memcpy(de, e, sizeof(struct arpt_entry)); +@@ -1312,144 +1280,81 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; + } + +-static int translate_compat_table(const char *name, +- unsigned int valid_hooks, +- struct xt_table_info **pinfo, ++static int translate_compat_table(struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_arpt_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_arpt_entry *iter0; +- struct arpt_entry *iter1; ++ struct arpt_replace repl; + unsigned int size; + int ret = 0; + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; +- +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } ++ size = compatr->size; ++ info->number = compatr->num_entries; + + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(NFPROTO_ARP); +- xt_compat_init_offsets(NFPROTO_ARP, number); ++ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = info->hook_entry[i]; + newinfo->underflow[i] = info->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); +- if (ret != 0) +- break; +- } ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ ++ /* all module references in entry0 are now gone */ ++ + xt_compat_flush_offsets(NFPROTO_ARP); + xt_compat_unlock(NFPROTO_ARP); +- if (ret) +- goto free_newinfo; + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = check_target(iter1, name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(arpt_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_ARP_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + +- /* And one copy for every other CPU */ +- for_each_possible_cpu(i) +- if (newinfo->entries[i] && newinfo->entries[i] != entry1) +- memcpy(newinfo->entries[i], entry1, newinfo->size); ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; + + *pinfo = newinfo; + *pentry0 = entry1; +@@ -1458,31 +1363,18 @@ static int translate_compat_table(const char *name, + + free_newinfo: + xt_free_table_info(newinfo); +-out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(NFPROTO_ARP); ++ xt_compat_unlock(NFPROTO_ARP); ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(NFPROTO_ARP); +- xt_compat_unlock(NFPROTO_ARP); +- goto out; + } + +-struct compat_arpt_replace { +- char name[XT_TABLE_MAXNAMELEN]; +- u32 valid_hooks; +- u32 num_entries; +- u32 size; +- u32 hook_entry[NF_ARP_NUMHOOKS]; +- u32 underflow[NF_ARP_NUMHOOKS]; +- u32 num_counters; +- compat_uptr_t counters; +- struct compat_arpt_entry entries[0]; +-}; +- + static int compat_do_replace(struct net *net, void __user *user, + unsigned int len) + { +@@ -1513,10 +1405,7 @@ static int compat_do_replace(struct net *net, void __user *user, + goto free_newinfo; + } + +- ret = translate_compat_table(tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 99e810f84671..865e738d3804 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int offset) + + /* All zeroes == unconditional rule. */ + /* Mildly perf critical (only if packet tracing is on) */ +-static inline bool unconditional(const struct ipt_ip *ip) ++static inline bool unconditional(const struct ipt_entry *e) + { + static const struct ipt_ip uncond; + +- return memcmp(ip, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct ipt_entry) && ++ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; + #undef FWINV + } + +@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, + } else if (s == e) { + (*rulenum)++; + +- if (s->target_offset == sizeof(struct ipt_entry) && ++ if (unconditional(s) && + strcmp(t->target.u.kernel.target->name, + XT_STANDARD_TARGET) == 0 && +- t->verdict < 0 && +- unconditional(&s->ip)) { ++ t->verdict < 0) { + /* Tail of chains: STANDARD target (return/policy) */ + *comment = *chainname == hookname + ? comments[NF_IP_TRACE_COMMENT_POLICY] +@@ -439,6 +439,18 @@ ipt_do_table(struct sk_buff *skb, + #endif + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const struct ipt_entry *target) ++{ ++ struct ipt_entry *iter; ++ ++ xt_entry_foreach(iter, t->entries, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + there are loops. Puts hook bitmask in comefrom. */ + static int +@@ -472,11 +484,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct ipt_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && unconditional(&e->ip)) || +- visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -517,6 +528,8 @@ mark_source_chains(const struct xt_table_info *newinfo, + size = e->next_offset; + e = (struct ipt_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -535,9 +548,15 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct ipt_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct ipt_entry *) + (entry0 + newpos); +@@ -565,27 +584,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) + } + + static int +-check_entry(const struct ipt_entry *e, const char *name) +-{ +- const struct xt_entry_target *t; +- +- if (!ip_checkentry(&e->ip)) { +- duprintf("ip check failed %p %s.\n", e, name); +- return -EINVAL; +- } +- +- if (e->target_offset + sizeof(struct xt_entry_target) > +- e->next_offset) +- return -EINVAL; +- +- t = ipt_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; +-} +- +-static int + check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) + { + const struct ipt_ip *ip = par->entryinfo; +@@ -662,10 +660,6 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, + struct xt_mtchk_param mtpar; + struct xt_entry_match *ematch; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + j = 0; + mtpar.net = net; + mtpar.table = name; +@@ -709,7 +703,7 @@ static bool check_underflow(const struct ipt_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->ip)) ++ if (!unconditional(e)) + return false; + t = ipt_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -729,9 +723,11 @@ check_entry_size_and_hooks(struct ipt_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 || +- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct ipt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p\n", e); + return -EINVAL; + } +@@ -743,6 +739,14 @@ check_entry_size_and_hooks(struct ipt_entry *e, + return -EINVAL; + } + ++ if (!ip_checkentry(&e->ip)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -751,9 +755,9 @@ check_entry_size_and_hooks(struct ipt_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +@@ -1304,56 +1308,18 @@ do_add_counters(struct net *net, const void __user *user, + unsigned int i, curcpu; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- const char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + void *loc_cpu_entry; + struct ipt_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; +- +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } + +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); + +- t = xt_find_table_lock(net, AF_INET, name); ++ t = xt_find_table_lock(net, AF_INET, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1361,7 +1327,7 @@ do_add_counters(struct net *net, const void __user *user, + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +@@ -1440,7 +1406,6 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr, + + static int + compat_find_calc_match(struct xt_entry_match *m, +- const char *name, + const struct ipt_ip *ip, + unsigned int hookmask, + int *size) +@@ -1476,21 +1441,19 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned char *limit) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; + unsigned int j; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || +- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p, limit = %p\n", e, limit); + return -EINVAL; + } +@@ -1502,8 +1465,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ipt_entry *)e, name); ++ if (!ip_checkentry(&e->ip)) ++ return -EINVAL; ++ ++ ret = xt_compat_check_entry_offsets(e, e->elems, ++ e->target_offset, e->next_offset); + if (ret) + return ret; + +@@ -1511,8 +1477,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + entry_offset = (void *)e - (void *)base; + j = 0; + xt_ematch_foreach(ematch, e) { +- ret = compat_find_calc_match(ematch, name, +- &e->ip, e->comefrom, &off); ++ ret = compat_find_calc_match(ematch, &e->ip, e->comefrom, ++ &off); + if (ret != 0) + goto release_matches; + ++j; +@@ -1535,17 +1501,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + if (ret) + goto out; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_INET_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + out: +@@ -1559,19 +1514,18 @@ release_matches: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; + struct xt_target *target; + struct ipt_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + struct xt_entry_match *ematch; + +- ret = 0; + origsize = *size; + de = (struct ipt_entry *)*dstptr; + memcpy(de, e, sizeof(struct ipt_entry)); +@@ -1580,198 +1534,104 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, + *dstptr += sizeof(struct ipt_entry); + *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); + +- xt_ematch_foreach(ematch, e) { +- ret = xt_compat_match_from_user(ematch, dstptr, size); +- if (ret != 0) +- return ret; +- } ++ xt_ematch_foreach(ematch, e) ++ xt_compat_match_from_user(ematch, dstptr, size); ++ + de->target_offset = e->target_offset - (origsize - *size); + t = compat_ipt_get_target(e); + target = t->u.kernel.target; + xt_compat_target_from_user(t, dstptr, size); + + de->next_offset = e->next_offset - (origsize - *size); ++ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if ((unsigned char *)de - base < newinfo->hook_entry[h]) + newinfo->hook_entry[h] -= origsize - *size; + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; +-} +- +-static int +-compat_check_entry(struct ipt_entry *e, struct net *net, const char *name) +-{ +- struct xt_entry_match *ematch; +- struct xt_mtchk_param mtpar; +- unsigned int j; +- int ret = 0; +- +- j = 0; +- mtpar.net = net; +- mtpar.table = name; +- mtpar.entryinfo = &e->ip; +- mtpar.hook_mask = e->comefrom; +- mtpar.family = NFPROTO_IPV4; +- xt_ematch_foreach(ematch, e) { +- ret = check_match(ematch, &mtpar); +- if (ret != 0) +- goto cleanup_matches; +- ++j; +- } +- +- ret = check_target(e, net, name); +- if (ret) +- goto cleanup_matches; +- return 0; +- +- cleanup_matches: +- xt_ematch_foreach(ematch, e) { +- if (j-- == 0) +- break; +- cleanup_match(ematch, net); +- } +- return ret; + } + + static int + translate_compat_table(struct net *net, +- const char *name, +- unsigned int valid_hooks, + struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_ipt_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_ipt_entry *iter0; +- struct ipt_entry *iter1; ++ struct ipt_replace repl; + unsigned int size; + int ret; + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; +- +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } ++ size = compatr->size; ++ info->number = compatr->num_entries; + + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET); +- xt_compat_init_offsets(AF_INET, number); ++ xt_compat_init_offsets(AF_INET, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); +- if (ret != 0) +- break; +- } ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ ++ /* all module references in entry0 are now gone. ++ * entry1/newinfo contains a 64bit ruleset that looks exactly as ++ * generated by 64bit userspace. ++ * ++ * Call standard translate_table() to validate all hook_entrys, ++ * underflows, check for loops, etc. ++ */ + xt_compat_flush_offsets(AF_INET); + xt_compat_unlock(AF_INET); +- if (ret) +- goto free_newinfo; + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(ipt_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1, net); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + +- /* And one copy for every other CPU */ +- for_each_possible_cpu(i) +- if (newinfo->entries[i] && newinfo->entries[i] != entry1) +- memcpy(newinfo->entries[i], entry1, newinfo->size); ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(net, newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; + + *pinfo = newinfo; + *pentry0 = entry1; +@@ -1780,17 +1640,16 @@ translate_compat_table(struct net *net, + + free_newinfo: + xt_free_table_info(newinfo); +-out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(AF_INET); ++ xt_compat_unlock(AF_INET); ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(AF_INET); +- xt_compat_unlock(AF_INET); +- goto out; + } + + static int +@@ -1824,10 +1683,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) + goto free_newinfo; + } + +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +index c6eb42100e9a..ea91058b5f6f 100644 +--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c ++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this, + unsigned long event, + void *ptr) + { +- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev; ++ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev; + struct netdev_notifier_info info; + +- netdev_notifier_info_init(&info, dev); ++ /* The masq_dev_notifier will catch the case of the device going ++ * down. So if the inetdev is dead and being destroyed we have ++ * no work to do. Otherwise this is an individual address removal ++ * and we have to perform the flush. ++ */ ++ if (idev->dead) ++ return NOTIFY_DONE; ++ ++ netdev_notifier_info_init(&info, idev->dev); + return masq_device_event(this, event, &info); + } + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index b7ac498fed5f..12c5df33c0b7 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1924,6 +1924,18 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + */ + if (fi && res->prefixlen < 4) + fi = NULL; ++ } else if ((type == RTN_LOCAL) && (orig_oif != 0) && ++ (orig_oif != dev_out->ifindex)) { ++ /* For local routes that require a particular output interface ++ * we do not want to cache the result. Caching the result ++ * causes incorrect behaviour when there are multiple source ++ * addresses on the interface, the end result being that if the ++ * intended recipient is waiting on that interface for the ++ * packet he won't receive it because it will be delivered on ++ * the loopback interface and the IP_PKTINFO ipi_ifindex will ++ * be set to the loopback interface as well. ++ */ ++ fi = NULL; + } + + fnhe = NULL; +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index ed9c9a91851c..c90e76c2eca0 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -550,7 +550,7 @@ reset: + */ + if (crtt > tp->srtt_us) { + /* Set RTO like tcp_rtt_estimator(), but from cached RTT. */ +- crtt /= 8 * USEC_PER_MSEC; ++ crtt /= 8 * USEC_PER_SEC / HZ; + inet_csk(sk)->icsk_rto = crtt + max(2 * crtt, tcp_rto_min(sk)); + } else if (tp->srtt_us == 0) { + /* RFC6298: 5.7 We've failed to get a valid RTT sample from +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 9c7d88870e2b..af2f64eeb98f 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2532,8 +2532,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb) + */ + if (unlikely((NET_IP_ALIGN && ((unsigned long)skb->data & 3)) || + skb_headroom(skb) >= 0xFFFF)) { +- struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER, +- GFP_ATOMIC); ++ struct sk_buff *nskb; ++ ++ skb_mstamp_get(&skb->skb_mstamp); ++ nskb = __pskb_copy(skb, MAX_TCP_HEADER, GFP_ATOMIC); + err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) : + -ENOBUFS; + } else { +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 4ea975324888..2a5d388d76a4 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1965,10 +1965,14 @@ void udp_v4_early_demux(struct sk_buff *skb) + if (!in_dev) + return; + +- ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr, +- iph->protocol); +- if (!ours) +- return; ++ /* we are supposed to accept bcast packets */ ++ if (skb->pkt_type == PACKET_MULTICAST) { ++ ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr, ++ iph->protocol); ++ if (!ours) ++ return; ++ } ++ + sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr, + uh->source, iph->saddr, dif); + } else if (skb->pkt_type == PACKET_HOST) { +diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c +index 8af3eb57f438..c7c8f71d0d48 100644 +--- a/net/ipv6/exthdrs_core.c ++++ b/net/ipv6/exthdrs_core.c +@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, + *fragoff = _frag_off; + return hp->nexthdr; + } +- return -ENOENT; ++ if (!found) ++ return -ENOENT; ++ if (fragoff) ++ *fragoff = _frag_off; ++ break; + } + hdrlen = 8; + } else if (nexthdr == NEXTHDR_AUTH) { +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 9cb94cfa0ae7..6987d3cb4163 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -273,12 +273,12 @@ static int ip6_tnl_create2(struct net_device *dev) + + t = netdev_priv(dev); + ++ dev->rtnl_link_ops = &ip6_link_ops; + err = register_netdevice(dev); + if (err < 0) + goto out; + + strcpy(t->parms.name, dev->name); +- dev->rtnl_link_ops = &ip6_link_ops; + + dev_hold(dev); + ip6_tnl_link(ip6n, t); +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index e080fbbbc0e5..1b6ed70bab37 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -195,11 +195,12 @@ get_entry(const void *base, unsigned int offset) + + /* All zeroes == unconditional rule. */ + /* Mildly perf critical (only if packet tracing is on) */ +-static inline bool unconditional(const struct ip6t_ip6 *ipv6) ++static inline bool unconditional(const struct ip6t_entry *e) + { + static const struct ip6t_ip6 uncond; + +- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct ip6t_entry) && ++ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0; + } + + static inline const struct xt_entry_target * +@@ -255,11 +256,10 @@ get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, + } else if (s == e) { + (*rulenum)++; + +- if (s->target_offset == sizeof(struct ip6t_entry) && ++ if (unconditional(s) && + strcmp(t->target.u.kernel.target->name, + XT_STANDARD_TARGET) == 0 && +- t->verdict < 0 && +- unconditional(&s->ipv6)) { ++ t->verdict < 0) { + /* Tail of chains: STANDARD target (return/policy) */ + *comment = *chainname == hookname + ? comments[NF_IP6_TRACE_COMMENT_POLICY] +@@ -449,6 +449,18 @@ ip6t_do_table(struct sk_buff *skb, + #endif + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const struct ip6t_entry *target) ++{ ++ struct ip6t_entry *iter; ++ ++ xt_entry_foreach(iter, t->entries, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + there are loops. Puts hook bitmask in comefrom. */ + static int +@@ -482,11 +494,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct ip6t_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && +- unconditional(&e->ipv6)) || visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -527,6 +538,8 @@ mark_source_chains(const struct xt_table_info *newinfo, + size = e->next_offset; + e = (struct ip6t_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -545,9 +558,15 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct ip6t_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct ip6t_entry *) + (entry0 + newpos); +@@ -574,27 +593,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) + module_put(par.match->me); + } + +-static int +-check_entry(const struct ip6t_entry *e, const char *name) +-{ +- const struct xt_entry_target *t; +- +- if (!ip6_checkentry(&e->ipv6)) { +- duprintf("ip_tables: ip check failed %p %s.\n", e, name); +- return -EINVAL; +- } +- +- if (e->target_offset + sizeof(struct xt_entry_target) > +- e->next_offset) +- return -EINVAL; +- +- t = ip6t_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; +-} +- + static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) + { + const struct ip6t_ip6 *ipv6 = par->entryinfo; +@@ -673,10 +671,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, + struct xt_mtchk_param mtpar; + struct xt_entry_match *ematch; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + j = 0; + mtpar.net = net; + mtpar.table = name; +@@ -720,7 +714,7 @@ static bool check_underflow(const struct ip6t_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->ipv6)) ++ if (!unconditional(e)) + return false; + t = ip6t_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -740,9 +734,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 || +- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p\n", e); + return -EINVAL; + } +@@ -754,6 +750,14 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + return -EINVAL; + } + ++ if (!ip6_checkentry(&e->ipv6)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -762,9 +766,9 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +@@ -1314,56 +1318,17 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len, + unsigned int i, curcpu; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + const void *loc_cpu_entry; + struct ip6t_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; +- +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; + +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } +- +- t = xt_find_table_lock(net, AF_INET6, name); ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); ++ t = xt_find_table_lock(net, AF_INET6, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1372,7 +1337,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len, + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +@@ -1452,7 +1417,6 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr, + + static int + compat_find_calc_match(struct xt_entry_match *m, +- const char *name, + const struct ip6t_ip6 *ipv6, + unsigned int hookmask, + int *size) +@@ -1488,21 +1452,19 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned char *limit) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; + unsigned int j; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 || +- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) { ++ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit || ++ (unsigned char *)e + e->next_offset > limit) { + duprintf("Bad offset %p, limit = %p\n", e, limit); + return -EINVAL; + } +@@ -1514,8 +1476,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ip6t_entry *)e, name); ++ if (!ip6_checkentry(&e->ipv6)) ++ return -EINVAL; ++ ++ ret = xt_compat_check_entry_offsets(e, e->elems, ++ e->target_offset, e->next_offset); + if (ret) + return ret; + +@@ -1523,8 +1488,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + entry_offset = (void *)e - (void *)base; + j = 0; + xt_ematch_foreach(ematch, e) { +- ret = compat_find_calc_match(ematch, name, +- &e->ipv6, e->comefrom, &off); ++ ret = compat_find_calc_match(ematch, &e->ipv6, e->comefrom, ++ &off); + if (ret != 0) + goto release_matches; + ++j; +@@ -1547,17 +1512,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + if (ret) + goto out; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_INET_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + out: +@@ -1571,18 +1525,17 @@ release_matches: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; + struct ip6t_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + struct xt_entry_match *ematch; + +- ret = 0; + origsize = *size; + de = (struct ip6t_entry *)*dstptr; + memcpy(de, e, sizeof(struct ip6t_entry)); +@@ -1591,11 +1544,9 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, + *dstptr += sizeof(struct ip6t_entry); + *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); + +- xt_ematch_foreach(ematch, e) { +- ret = xt_compat_match_from_user(ematch, dstptr, size); +- if (ret != 0) +- return ret; +- } ++ xt_ematch_foreach(ematch, e) ++ xt_compat_match_from_user(ematch, dstptr, size); ++ + de->target_offset = e->target_offset - (origsize - *size); + t = compat_ip6t_get_target(e); + xt_compat_target_from_user(t, dstptr, size); +@@ -1607,181 +1558,82 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; +-} +- +-static int compat_check_entry(struct ip6t_entry *e, struct net *net, +- const char *name) +-{ +- unsigned int j; +- int ret = 0; +- struct xt_mtchk_param mtpar; +- struct xt_entry_match *ematch; +- +- j = 0; +- mtpar.net = net; +- mtpar.table = name; +- mtpar.entryinfo = &e->ipv6; +- mtpar.hook_mask = e->comefrom; +- mtpar.family = NFPROTO_IPV6; +- xt_ematch_foreach(ematch, e) { +- ret = check_match(ematch, &mtpar); +- if (ret != 0) +- goto cleanup_matches; +- ++j; +- } +- +- ret = check_target(e, net, name); +- if (ret) +- goto cleanup_matches; +- return 0; +- +- cleanup_matches: +- xt_ematch_foreach(ematch, e) { +- if (j-- == 0) +- break; +- cleanup_match(ematch, net); +- } +- return ret; + } + + static int + translate_compat_table(struct net *net, +- const char *name, +- unsigned int valid_hooks, + struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_ip6t_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_ip6t_entry *iter0; +- struct ip6t_entry *iter1; ++ struct ip6t_replace repl; + unsigned int size; + int ret = 0; + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; +- +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } ++ size = compatr->size; ++ info->number = compatr->num_entries; + + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET6); +- xt_compat_init_offsets(AF_INET6, number); ++ xt_compat_init_offsets(AF_INET6, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries[raw_smp_processor_id()]; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); +- if (ret != 0) +- break; +- } ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ ++ /* all module references in entry0 are now gone. */ + xt_compat_flush_offsets(AF_INET6); + xt_compat_unlock(AF_INET6); +- if (ret) +- goto free_newinfo; + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(ip6t_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1, net); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + +- /* And one copy for every other CPU */ +- for_each_possible_cpu(i) +- if (newinfo->entries[i] && newinfo->entries[i] != entry1) +- memcpy(newinfo->entries[i], entry1, newinfo->size); ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(net, newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; + + *pinfo = newinfo; + *pentry0 = entry1; +@@ -1790,17 +1642,16 @@ translate_compat_table(struct net *net, + + free_newinfo: + xt_free_table_info(newinfo); +-out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(AF_INET6); ++ xt_compat_unlock(AF_INET6); ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(AF_INET6); +- xt_compat_unlock(AF_INET6); +- goto out; + } + + static int +@@ -1834,10 +1685,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) + goto free_newinfo; + } + +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 78d180615495..b8e14a5ae0b1 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1749,7 +1749,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) + destp = ntohs(inet->inet_dport); + srcp = ntohs(inet->inet_sport); + +- if (icsk->icsk_pending == ICSK_TIME_RETRANS) { ++ if (icsk->icsk_pending == ICSK_TIME_RETRANS || ++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS || ++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) { + timer_active = 1; + timer_expires = icsk->icsk_timeout; + } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) { +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index a5ce70502699..7d0111696190 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -898,11 +898,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + ret = udpv6_queue_rcv_skb(sk, skb); + sock_put(sk); + +- /* a return value > 0 means to resubmit the input, but +- * it wants the return to be -protocol, or 0 +- */ ++ /* a return value > 0 means to resubmit the input */ + if (ret > 0) +- return -ret; ++ return ret; + + return 0; + } +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 369a9822488c..e45d2b77bb42 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *skb) + struct l2tp_tunnel *tunnel = NULL; + int length; + +- /* Point to L2TP header */ +- optr = ptr = skb->data; +- + if (!pskb_may_pull(skb, 4)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; + session_id = ntohl(*((__be32 *) ptr)); + ptr += 4; + +@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *skb) + if (!pskb_may_pull(skb, length)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; ++ ptr += 4; + pr_debug("%s: ip recv\n", tunnel->name); + print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); + } +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 38658826175c..b8e469b832df 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff *skb) + struct l2tp_tunnel *tunnel = NULL; + int length; + +- /* Point to L2TP header */ +- optr = ptr = skb->data; +- + if (!pskb_may_pull(skb, 4)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; + session_id = ntohl(*((__be32 *) ptr)); + ptr += 4; + +@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff *skb) + if (!pskb_may_pull(skb, length)) + goto discard; + ++ /* Point to L2TP header */ ++ optr = ptr = skb->data; ++ ptr += 4; + pr_debug("%s: ip recv\n", tunnel->name); + print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); + } +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index bb9cbc17d926..3e8691895385 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) + if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { + struct llc_pktinfo info; + ++ memset(&info, 0, sizeof(info)); + info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; + llc_pdu_decode_dsap(skb, &info.lpi_sap); + llc_pdu_decode_da(skb, info.lpi_mac); +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 074cdfa04cc4..c848d0b38c86 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2090,7 +2090,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + struct ieee80211_sub_if_data *sdata = rx->sdata; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; +- u16 q, hdrlen; ++ u16 ac, q, hdrlen; + + hdr = (struct ieee80211_hdr *) skb->data; + hdrlen = ieee80211_hdrlen(hdr->frame_control); +@@ -2160,7 +2160,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + ether_addr_equal(sdata->vif.addr, hdr->addr3)) + return RX_CONTINUE; + +- q = ieee80211_select_queue_80211(sdata, skb, hdr); ++ ac = ieee80211_select_queue_80211(sdata, skb, hdr); ++ q = sdata->vif.hw_queue[ac]; + if (ieee80211_queue_stopped(&local->hw, q)) { + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion); + return RX_DROP_MONITOR; +diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c +index bed5f7042529..bb318e4623a3 100644 +--- a/net/netfilter/ipvs/ip_vs_pe_sip.c ++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c +@@ -88,7 +88,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) + dptr = skb->data + dataoff; + datalen = skb->len - dataoff; + +- if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen)) ++ if (get_callid(dptr, 0, datalen, &matchoff, &matchlen)) + return -EINVAL; + + /* N.B: pe_data is only set on success, +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 133eb4772f12..0c01ad4e078f 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -418,6 +418,47 @@ int xt_check_match(struct xt_mtchk_param *par, + } + EXPORT_SYMBOL_GPL(xt_check_match); + ++/** xt_check_entry_match - check that matches end before start of target ++ * ++ * @match: beginning of xt_entry_match ++ * @target: beginning of this rules target (alleged end of matches) ++ * @alignment: alignment requirement of match structures ++ * ++ * Validates that all matches add up to the beginning of the target, ++ * and that each match covers at least the base structure size. ++ * ++ * Return: 0 on success, negative errno on failure. ++ */ ++static int xt_check_entry_match(const char *match, const char *target, ++ const size_t alignment) ++{ ++ const struct xt_entry_match *pos; ++ int length = target - match; ++ ++ if (length == 0) /* no matches */ ++ return 0; ++ ++ pos = (struct xt_entry_match *)match; ++ do { ++ if ((unsigned long)pos % alignment) ++ return -EINVAL; ++ ++ if (length < (int)sizeof(struct xt_entry_match)) ++ return -EINVAL; ++ ++ if (pos->u.match_size < sizeof(struct xt_entry_match)) ++ return -EINVAL; ++ ++ if (pos->u.match_size > length) ++ return -EINVAL; ++ ++ length -= pos->u.match_size; ++ pos = ((void *)((char *)(pos) + (pos)->u.match_size)); ++ } while (length > 0); ++ ++ return 0; ++} ++ + #ifdef CONFIG_COMPAT + int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) + { +@@ -487,13 +528,14 @@ int xt_compat_match_offset(const struct xt_match *match) + } + EXPORT_SYMBOL_GPL(xt_compat_match_offset); + +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, +- unsigned int *size) ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, ++ unsigned int *size) + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; + int pad, off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; ++ char name[sizeof(m->u.user.name)]; + + m = *dstptr; + memcpy(m, cm, sizeof(*cm)); +@@ -507,10 +549,12 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + + msize += off; + m->u.user.match_size = msize; ++ strlcpy(name, match->name, sizeof(name)); ++ module_put(match->me); ++ strncpy(m->u.user.name, name, sizeof(m->u.user.name)); + + *size += off; + *dstptr += msize; +- return 0; + } + EXPORT_SYMBOL_GPL(xt_compat_match_from_user); + +@@ -541,8 +585,125 @@ int xt_compat_match_to_user(const struct xt_entry_match *m, + return 0; + } + EXPORT_SYMBOL_GPL(xt_compat_match_to_user); ++ ++/* non-compat version may have padding after verdict */ ++struct compat_xt_standard_target { ++ struct compat_xt_entry_target t; ++ compat_uint_t verdict; ++}; ++ ++int xt_compat_check_entry_offsets(const void *base, const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset) ++{ ++ long size_of_base_struct = elems - (const char *)base; ++ const struct compat_xt_entry_target *t; ++ const char *e = base; ++ ++ if (target_offset < size_of_base_struct) ++ return -EINVAL; ++ ++ if (target_offset + sizeof(*t) > next_offset) ++ return -EINVAL; ++ ++ t = (void *)(e + target_offset); ++ if (t->u.target_size < sizeof(*t)) ++ return -EINVAL; ++ ++ if (target_offset + t->u.target_size > next_offset) ++ return -EINVAL; ++ ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && ++ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset) ++ return -EINVAL; ++ ++ /* compat_xt_entry match has less strict aligment requirements, ++ * otherwise they are identical. In case of padding differences ++ * we need to add compat version of xt_check_entry_match. ++ */ ++ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match)); ++ ++ return xt_check_entry_match(elems, base + target_offset, ++ __alignof__(struct compat_xt_entry_match)); ++} ++EXPORT_SYMBOL(xt_compat_check_entry_offsets); + #endif /* CONFIG_COMPAT */ + ++/** ++ * xt_check_entry_offsets - validate arp/ip/ip6t_entry ++ * ++ * @base: pointer to arp/ip/ip6t_entry ++ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems ++ * @target_offset: the arp/ip/ip6_t->target_offset ++ * @next_offset: the arp/ip/ip6_t->next_offset ++ * ++ * validates that target_offset and next_offset are sane and that all ++ * match sizes (if any) align with the target offset. ++ * ++ * This function does not validate the targets or matches themselves, it ++ * only tests that all the offsets and sizes are correct, that all ++ * match structures are aligned, and that the last structure ends where ++ * the target structure begins. ++ * ++ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. ++ * ++ * The arp/ip/ip6t_entry structure @base must have passed following tests: ++ * - it must point to a valid memory location ++ * - base to base + next_offset must be accessible, i.e. not exceed allocated ++ * length. ++ * ++ * A well-formed entry looks like this: ++ * ++ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry ++ * e->elems[]-----' | | ++ * matchsize | | ++ * matchsize | | ++ * | | ++ * target_offset---------------------------------' | ++ * next_offset---------------------------------------------------' ++ * ++ * elems[]: flexible array member at end of ip(6)/arpt_entry struct. ++ * This is where matches (if any) and the target reside. ++ * target_offset: beginning of target. ++ * next_offset: start of the next rule; also: size of this rule. ++ * Since targets have a minimum size, target_offset + minlen <= next_offset. ++ * ++ * Every match stores its size, sum of sizes must not exceed target_offset. ++ * ++ * Return: 0 on success, negative errno on failure. ++ */ ++int xt_check_entry_offsets(const void *base, ++ const char *elems, ++ unsigned int target_offset, ++ unsigned int next_offset) ++{ ++ long size_of_base_struct = elems - (const char *)base; ++ const struct xt_entry_target *t; ++ const char *e = base; ++ ++ /* target start is within the ip/ip6/arpt_entry struct */ ++ if (target_offset < size_of_base_struct) ++ return -EINVAL; ++ ++ if (target_offset + sizeof(*t) > next_offset) ++ return -EINVAL; ++ ++ t = (void *)(e + target_offset); ++ if (t->u.target_size < sizeof(*t)) ++ return -EINVAL; ++ ++ if (target_offset + t->u.target_size > next_offset) ++ return -EINVAL; ++ ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && ++ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset) ++ return -EINVAL; ++ ++ return xt_check_entry_match(elems, base + target_offset, ++ __alignof__(struct xt_entry_match)); ++} ++EXPORT_SYMBOL(xt_check_entry_offsets); ++ + int xt_check_target(struct xt_tgchk_param *par, + unsigned int size, u_int8_t proto, bool inv_proto) + { +@@ -593,6 +754,80 @@ int xt_check_target(struct xt_tgchk_param *par, + } + EXPORT_SYMBOL_GPL(xt_check_target); + ++/** ++ * xt_copy_counters_from_user - copy counters and metadata from userspace ++ * ++ * @user: src pointer to userspace memory ++ * @len: alleged size of userspace memory ++ * @info: where to store the xt_counters_info metadata ++ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel ++ * ++ * Copies counter meta data from @user and stores it in @info. ++ * ++ * vmallocs memory to hold the counters, then copies the counter data ++ * from @user to the new memory and returns a pointer to it. ++ * ++ * If @compat is true, @info gets converted automatically to the 64bit ++ * representation. ++ * ++ * The metadata associated with the counters is stored in @info. ++ * ++ * Return: returns pointer that caller has to test via IS_ERR(). ++ * If IS_ERR is false, caller has to vfree the pointer. ++ */ ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len, ++ struct xt_counters_info *info, bool compat) ++{ ++ void *mem; ++ u64 size; ++ ++#ifdef CONFIG_COMPAT ++ if (compat) { ++ /* structures only differ in size due to alignment */ ++ struct compat_xt_counters_info compat_tmp; ++ ++ if (len <= sizeof(compat_tmp)) ++ return ERR_PTR(-EINVAL); ++ ++ len -= sizeof(compat_tmp); ++ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) ++ return ERR_PTR(-EFAULT); ++ ++ strlcpy(info->name, compat_tmp.name, sizeof(info->name)); ++ info->num_counters = compat_tmp.num_counters; ++ user += sizeof(compat_tmp); ++ } else ++#endif ++ { ++ if (len <= sizeof(*info)) ++ return ERR_PTR(-EINVAL); ++ ++ len -= sizeof(*info); ++ if (copy_from_user(info, user, sizeof(*info)) != 0) ++ return ERR_PTR(-EFAULT); ++ ++ info->name[sizeof(info->name) - 1] = '\0'; ++ user += sizeof(*info); ++ } ++ ++ size = sizeof(struct xt_counters); ++ size *= info->num_counters; ++ ++ if (size != (u64)len) ++ return ERR_PTR(-EINVAL); ++ ++ mem = vmalloc(len); ++ if (!mem) ++ return ERR_PTR(-ENOMEM); ++ ++ if (copy_from_user(mem, user, len) == 0) ++ return mem; ++ ++ vfree(mem); ++ return ERR_PTR(-EFAULT); ++} ++EXPORT_SYMBOL_GPL(xt_copy_counters_from_user); ++ + #ifdef CONFIG_COMPAT + int xt_compat_target_offset(const struct xt_target *target) + { +@@ -608,6 +843,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; + int pad, off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; ++ char name[sizeof(t->u.user.name)]; + + t = *dstptr; + memcpy(t, ct, sizeof(*ct)); +@@ -621,6 +857,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + + tsize += off; + t->u.user.target_size = tsize; ++ strlcpy(name, target->name, sizeof(name)); ++ module_put(target->me); ++ strncpy(t->u.user.name, name, sizeof(t->u.user.name)); + + *size += off; + *dstptr += tsize; +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index fe106b50053e..15fc0938e1c4 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2630,6 +2630,7 @@ static int netlink_dump(struct sock *sk) + struct netlink_callback *cb; + struct sk_buff *skb = NULL; + struct nlmsghdr *nlh; ++ struct module *module; + int len, err = -ENOBUFS; + int alloc_size; + +@@ -2699,9 +2700,11 @@ static int netlink_dump(struct sock *sk) + cb->done(cb); + + nlk->cb_running = false; ++ module = cb->module; ++ skb = cb->skb; + mutex_unlock(nlk->cb_mutex); +- module_put(cb->module); +- consume_skb(cb->skb); ++ module_put(module); ++ consume_skb(skb); + return 0; + + errout_skb: +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 22853af1b6b7..e73b3fb1a144 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3143,6 +3143,7 @@ static int packet_mc_add(struct sock *sk, struct packet_mreq_max *mreq) + i->ifindex = mreq->mr_ifindex; + i->alen = mreq->mr_alen; + memcpy(i->addr, mreq->mr_address, i->alen); ++ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen); + i->count = 1; + i->next = po->mclist; + po->mclist = i; +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index a25fae3c8ad6..a2a7a81b2b0b 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -740,14 +740,15 @@ static u32 qdisc_alloc_handle(struct net_device *dev) + return 0; + } + +-void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) ++void qdisc_tree_reduce_backlog(struct Qdisc *sch, unsigned int n, ++ unsigned int len) + { + const struct Qdisc_class_ops *cops; + unsigned long cl; + u32 parentid; + int drops; + +- if (n == 0) ++ if (n == 0 && len == 0) + return; + drops = max_t(int, n, 0); + while ((parentid = sch->parent)) { +@@ -766,10 +767,11 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) + cops->put(sch, cl); + } + sch->q.qlen -= n; ++ sch->qstats.backlog -= len; + __qdisc_qstats_drop(sch, drops); + } + } +-EXPORT_SYMBOL(qdisc_tree_decrease_qlen); ++EXPORT_SYMBOL(qdisc_tree_reduce_backlog); + + static void notify_and_destroy(struct net *net, struct sk_buff *skb, + struct nlmsghdr *n, u32 clid, +diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c +index beeb75f80fdb..f6e7a60012b1 100644 +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -1624,13 +1624,8 @@ static int cbq_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + new->reshape_fail = cbq_reshape_fail; + #endif + } +- sch_tree_lock(sch); +- *old = cl->q; +- cl->q = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); + ++ *old = qdisc_replace(sch, new, &cl->q); + return 0; + } + +@@ -1914,7 +1909,7 @@ static int cbq_delete(struct Qdisc *sch, unsigned long arg) + { + struct cbq_sched_data *q = qdisc_priv(sch); + struct cbq_class *cl = (struct cbq_class *)arg; +- unsigned int qlen; ++ unsigned int qlen, backlog; + + if (cl->filters || cl->children || cl == &q->link) + return -EBUSY; +@@ -1922,8 +1917,9 @@ static int cbq_delete(struct Qdisc *sch, unsigned long arg) + sch_tree_lock(sch); + + qlen = cl->q->q.qlen; ++ backlog = cl->q->qstats.backlog; + qdisc_reset(cl->q); +- qdisc_tree_decrease_qlen(cl->q, qlen); ++ qdisc_tree_reduce_backlog(cl->q, qlen, backlog); + + if (cl->next_alive) + cbq_deactivate_class(cl); +diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c +index c009eb9045ce..3f6437db9b0f 100644 +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -128,8 +128,8 @@ static void choke_drop_by_idx(struct Qdisc *sch, unsigned int idx) + choke_zap_tail_holes(q); + + qdisc_qstats_backlog_dec(sch, skb); ++ qdisc_tree_reduce_backlog(sch, 1, qdisc_pkt_len(skb)); + qdisc_drop(skb, sch); +- qdisc_tree_decrease_qlen(sch, 1); + --sch->q.qlen; + } + +@@ -449,6 +449,7 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt) + old = q->tab; + if (old) { + unsigned int oqlen = sch->q.qlen, tail = 0; ++ unsigned dropped = 0; + + while (q->head != q->tail) { + struct sk_buff *skb = q->tab[q->head]; +@@ -460,11 +461,12 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt) + ntab[tail++] = skb; + continue; + } ++ dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); + --sch->q.qlen; + qdisc_drop(skb, sch); + } +- qdisc_tree_decrease_qlen(sch, oqlen - sch->q.qlen); ++ qdisc_tree_reduce_backlog(sch, oqlen - sch->q.qlen, dropped); + q->head = 0; + q->tail = tail; + } +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index de28f8e968e8..0d60ea5a5bb6 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -79,12 +79,13 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch) + + skb = codel_dequeue(sch, &q->params, &q->vars, &q->stats, dequeue); + +- /* We cant call qdisc_tree_decrease_qlen() if our qlen is 0, ++ /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0, + * or HTB crashes. Defer it for next round. + */ + if (q->stats.drop_count && sch->q.qlen) { +- qdisc_tree_decrease_qlen(sch, q->stats.drop_count); ++ qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len); + q->stats.drop_count = 0; ++ q->stats.drop_len = 0; + } + if (skb) + qdisc_bstats_update(sch, skb); +@@ -115,7 +116,7 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt) + { + struct codel_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_CODEL_MAX + 1]; +- unsigned int qlen; ++ unsigned int qlen, dropped = 0; + int err; + + if (!opt) +@@ -149,10 +150,11 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt) + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = __skb_dequeue(&sch->q); + ++ dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); + qdisc_drop(skb, sch); + } +- qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen); ++ qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c +index 338706092c27..e599803caa1e 100644 +--- a/net/sched/sch_drr.c ++++ b/net/sched/sch_drr.c +@@ -53,9 +53,10 @@ static struct drr_class *drr_find_class(struct Qdisc *sch, u32 classid) + static void drr_purge_queue(struct drr_class *cl) + { + unsigned int len = cl->qdisc->q.qlen; ++ unsigned int backlog = cl->qdisc->qstats.backlog; + + qdisc_reset(cl->qdisc); +- qdisc_tree_decrease_qlen(cl->qdisc, len); ++ qdisc_tree_reduce_backlog(cl->qdisc, len, backlog); + } + + static const struct nla_policy drr_policy[TCA_DRR_MAX + 1] = { +@@ -226,11 +227,7 @@ static int drr_graft_class(struct Qdisc *sch, unsigned long arg, + new = &noop_qdisc; + } + +- sch_tree_lock(sch); +- drr_purge_queue(cl); +- *old = cl->qdisc; +- cl->qdisc = new; +- sch_tree_unlock(sch); ++ *old = qdisc_replace(sch, new, &cl->qdisc); + return 0; + } + +diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c +index 227114f27f94..eb87a2a94d19 100644 +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -67,13 +67,7 @@ static int dsmark_graft(struct Qdisc *sch, unsigned long arg, + new = &noop_qdisc; + } + +- sch_tree_lock(sch); +- *old = p->q; +- p->q = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); +- ++ *old = qdisc_replace(sch, new, &p->q); + return 0; + } + +@@ -262,6 +256,7 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch) + return err; + } + ++ qdisc_qstats_backlog_inc(sch, skb); + sch->q.qlen++; + + return NET_XMIT_SUCCESS; +@@ -284,6 +279,7 @@ static struct sk_buff *dsmark_dequeue(struct Qdisc *sch) + return NULL; + + qdisc_bstats_update(sch, skb); ++ qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; + + index = skb->tc_index & (p->indices - 1); +@@ -399,6 +395,7 @@ static void dsmark_reset(struct Qdisc *sch) + + pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p); + qdisc_reset(p->q); ++ sch->qstats.backlog = 0; + sch->q.qlen = 0; + } + +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index cbd7e1fd23b4..01fe9d532075 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -644,6 +644,7 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt) + struct fq_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_MAX + 1]; + int err, drop_count = 0; ++ unsigned drop_len = 0; + u32 fq_log; + + if (!opt) +@@ -709,10 +710,11 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt) + + if (!skb) + break; ++ drop_len += qdisc_pkt_len(skb); + kfree_skb(skb); + drop_count++; + } +- qdisc_tree_decrease_qlen(sch, drop_count); ++ qdisc_tree_reduce_backlog(sch, drop_count, drop_len); + + sch_tree_unlock(sch); + return err; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 1e52decb7b59..8d21f1b5d5b9 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -173,7 +173,7 @@ static unsigned int fq_codel_drop(struct Qdisc *sch) + static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch) + { + struct fq_codel_sched_data *q = qdisc_priv(sch); +- unsigned int idx; ++ unsigned int idx, prev_backlog; + struct fq_codel_flow *flow; + int uninitialized_var(ret); + +@@ -201,6 +201,7 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch) + if (++sch->q.qlen <= sch->limit) + return NET_XMIT_SUCCESS; + ++ prev_backlog = sch->qstats.backlog; + q->drop_overlimit++; + /* Return Congestion Notification only if we dropped a packet + * from this flow. +@@ -209,7 +210,7 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch) + return NET_XMIT_CN; + + /* As we dropped a packet, better let upper stack know this */ +- qdisc_tree_decrease_qlen(sch, 1); ++ qdisc_tree_reduce_backlog(sch, 1, prev_backlog - sch->qstats.backlog); + return NET_XMIT_SUCCESS; + } + +@@ -239,6 +240,7 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch) + struct fq_codel_flow *flow; + struct list_head *head; + u32 prev_drop_count, prev_ecn_mark; ++ unsigned int prev_backlog; + + begin: + head = &q->new_flows; +@@ -257,6 +259,7 @@ begin: + + prev_drop_count = q->cstats.drop_count; + prev_ecn_mark = q->cstats.ecn_mark; ++ prev_backlog = sch->qstats.backlog; + + skb = codel_dequeue(sch, &q->cparams, &flow->cvars, &q->cstats, + dequeue); +@@ -274,12 +277,14 @@ begin: + } + qdisc_bstats_update(sch, skb); + flow->deficit -= qdisc_pkt_len(skb); +- /* We cant call qdisc_tree_decrease_qlen() if our qlen is 0, ++ /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0, + * or HTB crashes. Defer it for next round. + */ + if (q->cstats.drop_count && sch->q.qlen) { +- qdisc_tree_decrease_qlen(sch, q->cstats.drop_count); ++ qdisc_tree_reduce_backlog(sch, q->cstats.drop_count, ++ q->cstats.drop_len); + q->cstats.drop_count = 0; ++ q->cstats.drop_len = 0; + } + return skb; + } +@@ -347,11 +352,13 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt) + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = fq_codel_dequeue(sch); + ++ q->cstats.drop_len += qdisc_pkt_len(skb); + kfree_skb(skb); + q->cstats.drop_count++; + } +- qdisc_tree_decrease_qlen(sch, q->cstats.drop_count); ++ qdisc_tree_reduce_backlog(sch, q->cstats.drop_count, q->cstats.drop_len); + q->cstats.drop_count = 0; ++ q->cstats.drop_len = 0; + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 507edcf64088..49003540186c 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -159,12 +159,15 @@ int sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, + if (validate) + skb = validate_xmit_skb_list(skb, dev); + +- if (skb) { ++ if (likely(skb)) { + HARD_TX_LOCK(dev, txq, smp_processor_id()); + if (!netif_xmit_frozen_or_stopped(txq)) + skb = dev_hard_start_xmit(skb, dev, txq, &ret); + + HARD_TX_UNLOCK(dev, txq); ++ } else { ++ spin_lock(root_lock); ++ return qdisc_qlen(q); + } + spin_lock(root_lock); + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index e6c7416d0332..d3e21dac8b40 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -895,9 +895,10 @@ static void + hfsc_purge_queue(struct Qdisc *sch, struct hfsc_class *cl) + { + unsigned int len = cl->qdisc->q.qlen; ++ unsigned int backlog = cl->qdisc->qstats.backlog; + + qdisc_reset(cl->qdisc); +- qdisc_tree_decrease_qlen(cl->qdisc, len); ++ qdisc_tree_reduce_backlog(cl->qdisc, len, backlog); + } + + static void +@@ -1215,11 +1216,7 @@ hfsc_graft_class(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + new = &noop_qdisc; + } + +- sch_tree_lock(sch); +- hfsc_purge_queue(sch, cl); +- *old = cl->qdisc; +- cl->qdisc = new; +- sch_tree_unlock(sch); ++ *old = qdisc_replace(sch, new, &cl->qdisc); + return 0; + } + +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index 15d3aabfe250..792c6f330f77 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -390,6 +390,7 @@ static int hhf_enqueue(struct sk_buff *skb, struct Qdisc *sch) + struct hhf_sched_data *q = qdisc_priv(sch); + enum wdrr_bucket_idx idx; + struct wdrr_bucket *bucket; ++ unsigned int prev_backlog; + + idx = hhf_classify(skb, sch); + +@@ -417,6 +418,7 @@ static int hhf_enqueue(struct sk_buff *skb, struct Qdisc *sch) + if (++sch->q.qlen <= sch->limit) + return NET_XMIT_SUCCESS; + ++ prev_backlog = sch->qstats.backlog; + q->drop_overlimit++; + /* Return Congestion Notification only if we dropped a packet from this + * bucket. +@@ -425,7 +427,7 @@ static int hhf_enqueue(struct sk_buff *skb, struct Qdisc *sch) + return NET_XMIT_CN; + + /* As we dropped a packet, better let upper stack know this. */ +- qdisc_tree_decrease_qlen(sch, 1); ++ qdisc_tree_reduce_backlog(sch, 1, prev_backlog - sch->qstats.backlog); + return NET_XMIT_SUCCESS; + } + +@@ -535,7 +537,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt) + { + struct hhf_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_HHF_MAX + 1]; +- unsigned int qlen; ++ unsigned int qlen, prev_backlog; + int err; + u64 non_hh_quantum; + u32 new_quantum = q->quantum; +@@ -585,12 +587,14 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt) + } + + qlen = sch->q.qlen; ++ prev_backlog = sch->qstats.backlog; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = hhf_dequeue(sch); + + kfree_skb(skb); + } +- qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen); ++ qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, ++ prev_backlog - sch->qstats.backlog); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c +index f1acb0f60dc3..ccff00640713 100644 +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -600,6 +600,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch) + htb_activate(q, cl); + } + ++ qdisc_qstats_backlog_inc(sch, skb); + sch->q.qlen++; + return NET_XMIT_SUCCESS; + } +@@ -889,6 +890,7 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch) + ok: + qdisc_bstats_update(sch, skb); + qdisc_unthrottled(sch); ++ qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; + return skb; + } +@@ -955,6 +957,7 @@ static unsigned int htb_drop(struct Qdisc *sch) + unsigned int len; + if (cl->un.leaf.q->ops->drop && + (len = cl->un.leaf.q->ops->drop(cl->un.leaf.q))) { ++ sch->qstats.backlog -= len; + sch->q.qlen--; + if (!cl->un.leaf.q->q.qlen) + htb_deactivate(q, cl); +@@ -984,12 +987,12 @@ static void htb_reset(struct Qdisc *sch) + } + cl->prio_activity = 0; + cl->cmode = HTB_CAN_SEND; +- + } + } + qdisc_watchdog_cancel(&q->watchdog); + __skb_queue_purge(&q->direct_queue); + sch->q.qlen = 0; ++ sch->qstats.backlog = 0; + memset(q->hlevel, 0, sizeof(q->hlevel)); + memset(q->row_mask, 0, sizeof(q->row_mask)); + for (i = 0; i < TC_HTB_NUMPRIO; i++) +@@ -1165,14 +1168,7 @@ static int htb_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + cl->common.classid)) == NULL) + return -ENOBUFS; + +- sch_tree_lock(sch); +- *old = cl->un.leaf.q; +- cl->un.leaf.q = new; +- if (*old != NULL) { +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- } +- sch_tree_unlock(sch); ++ *old = qdisc_replace(sch, new, &cl->un.leaf.q); + return 0; + } + +@@ -1274,7 +1270,6 @@ static int htb_delete(struct Qdisc *sch, unsigned long arg) + { + struct htb_sched *q = qdisc_priv(sch); + struct htb_class *cl = (struct htb_class *)arg; +- unsigned int qlen; + struct Qdisc *new_q = NULL; + int last_child = 0; + +@@ -1294,9 +1289,11 @@ static int htb_delete(struct Qdisc *sch, unsigned long arg) + sch_tree_lock(sch); + + if (!cl->level) { +- qlen = cl->un.leaf.q->q.qlen; ++ unsigned int qlen = cl->un.leaf.q->q.qlen; ++ unsigned int backlog = cl->un.leaf.q->qstats.backlog; ++ + qdisc_reset(cl->un.leaf.q); +- qdisc_tree_decrease_qlen(cl->un.leaf.q, qlen); ++ qdisc_tree_reduce_backlog(cl->un.leaf.q, qlen, backlog); + } + + /* delete from hash and active; remainder in destroy_class */ +@@ -1430,10 +1427,11 @@ static int htb_change_class(struct Qdisc *sch, u32 classid, + sch_tree_lock(sch); + if (parent && !parent->level) { + unsigned int qlen = parent->un.leaf.q->q.qlen; ++ unsigned int backlog = parent->un.leaf.q->qstats.backlog; + + /* turn parent into inner node */ + qdisc_reset(parent->un.leaf.q); +- qdisc_tree_decrease_qlen(parent->un.leaf.q, qlen); ++ qdisc_tree_reduce_backlog(parent->un.leaf.q, qlen, backlog); + qdisc_destroy(parent->un.leaf.q); + if (parent->prio_activity) + htb_deactivate(q, parent); +diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c +index 42dd218871e0..23437d62a8db 100644 +--- a/net/sched/sch_multiq.c ++++ b/net/sched/sch_multiq.c +@@ -218,7 +218,8 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt) + if (q->queues[i] != &noop_qdisc) { + struct Qdisc *child = q->queues[i]; + q->queues[i] = &noop_qdisc; +- qdisc_tree_decrease_qlen(child, child->q.qlen); ++ qdisc_tree_reduce_backlog(child, child->q.qlen, ++ child->qstats.backlog); + qdisc_destroy(child); + } + } +@@ -238,8 +239,9 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt) + q->queues[i] = child; + + if (old != &noop_qdisc) { +- qdisc_tree_decrease_qlen(old, +- old->q.qlen); ++ qdisc_tree_reduce_backlog(old, ++ old->q.qlen, ++ old->qstats.backlog); + qdisc_destroy(old); + } + sch_tree_unlock(sch); +@@ -303,13 +305,7 @@ static int multiq_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + if (new == NULL) + new = &noop_qdisc; + +- sch_tree_lock(sch); +- *old = q->queues[band]; +- q->queues[band] = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); +- ++ *old = qdisc_replace(sch, new, &q->queues[band]); + return 0; + } + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index b34331967e02..f60db2b3e5ef 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -408,6 +408,25 @@ static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) + sch->q.qlen++; + } + ++/* netem can't properly corrupt a megapacket (like we get from GSO), so instead ++ * when we statistically choose to corrupt one, we instead segment it, returning ++ * the first packet to be corrupted, and re-enqueue the remaining frames ++ */ ++static struct sk_buff *netem_segment(struct sk_buff *skb, struct Qdisc *sch) ++{ ++ struct sk_buff *segs; ++ netdev_features_t features = netif_skb_features(skb); ++ ++ segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK); ++ ++ if (IS_ERR_OR_NULL(segs)) { ++ qdisc_reshape_fail(skb, sch); ++ return NULL; ++ } ++ consume_skb(skb); ++ return segs; ++} ++ + /* + * Insert one skb into qdisc. + * Note: parent depends on return value to account for queue length. +@@ -420,7 +439,11 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) + /* We don't fill cb now as skb_unshare() may invalidate it */ + struct netem_skb_cb *cb; + struct sk_buff *skb2; ++ struct sk_buff *segs = NULL; ++ unsigned int len = 0, last_len, prev_len = qdisc_pkt_len(skb); ++ int nb = 0; + int count = 1; ++ int rc = NET_XMIT_SUCCESS; + + /* Random duplication */ + if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor)) +@@ -466,10 +489,23 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) + * do it now in software before we mangle it. + */ + if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) { ++ if (skb_is_gso(skb)) { ++ segs = netem_segment(skb, sch); ++ if (!segs) ++ return NET_XMIT_DROP; ++ } else { ++ segs = skb; ++ } ++ ++ skb = segs; ++ segs = segs->next; ++ + if (!(skb = skb_unshare(skb, GFP_ATOMIC)) || + (skb->ip_summed == CHECKSUM_PARTIAL && +- skb_checksum_help(skb))) +- return qdisc_drop(skb, sch); ++ skb_checksum_help(skb))) { ++ rc = qdisc_drop(skb, sch); ++ goto finish_segs; ++ } + + skb->data[prandom_u32() % skb_headlen(skb)] ^= + 1<<(prandom_u32() % 8); +@@ -529,6 +565,27 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) + sch->qstats.requeues++; + } + ++finish_segs: ++ if (segs) { ++ while (segs) { ++ skb2 = segs->next; ++ segs->next = NULL; ++ qdisc_skb_cb(segs)->pkt_len = segs->len; ++ last_len = segs->len; ++ rc = qdisc_enqueue(segs, sch); ++ if (rc != NET_XMIT_SUCCESS) { ++ if (net_xmit_drop_count(rc)) ++ qdisc_qstats_drop(sch); ++ } else { ++ nb++; ++ len += last_len; ++ } ++ segs = skb2; ++ } ++ sch->q.qlen += nb; ++ if (nb > 1) ++ qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len); ++ } + return NET_XMIT_SUCCESS; + } + +@@ -610,7 +667,8 @@ deliver: + if (unlikely(err != NET_XMIT_SUCCESS)) { + if (net_xmit_drop_count(err)) { + qdisc_qstats_drop(sch); +- qdisc_tree_decrease_qlen(sch, 1); ++ qdisc_tree_reduce_backlog(sch, 1, ++ qdisc_pkt_len(skb)); + } + } + goto tfifo_dequeue; +@@ -1049,15 +1107,7 @@ static int netem_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + { + struct netem_sched_data *q = qdisc_priv(sch); + +- sch_tree_lock(sch); +- *old = q->qdisc; +- q->qdisc = new; +- if (*old) { +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- } +- sch_tree_unlock(sch); +- ++ *old = qdisc_replace(sch, new, &q->qdisc); + return 0; + } + +diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c +index b783a446d884..71ae3b9629f9 100644 +--- a/net/sched/sch_pie.c ++++ b/net/sched/sch_pie.c +@@ -183,7 +183,7 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt) + { + struct pie_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_PIE_MAX + 1]; +- unsigned int qlen; ++ unsigned int qlen, dropped = 0; + int err; + + if (!opt) +@@ -232,10 +232,11 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt) + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = __skb_dequeue(&sch->q); + ++ dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); + qdisc_drop(skb, sch); + } +- qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen); ++ qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c +index 8e5cd34aaa74..e671b1a4e815 100644 +--- a/net/sched/sch_prio.c ++++ b/net/sched/sch_prio.c +@@ -191,7 +191,7 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt) + struct Qdisc *child = q->queues[i]; + q->queues[i] = &noop_qdisc; + if (child != &noop_qdisc) { +- qdisc_tree_decrease_qlen(child, child->q.qlen); ++ qdisc_tree_reduce_backlog(child, child->q.qlen, child->qstats.backlog); + qdisc_destroy(child); + } + } +@@ -210,8 +210,9 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt) + q->queues[i] = child; + + if (old != &noop_qdisc) { +- qdisc_tree_decrease_qlen(old, +- old->q.qlen); ++ qdisc_tree_reduce_backlog(old, ++ old->q.qlen, ++ old->qstats.backlog); + qdisc_destroy(old); + } + sch_tree_unlock(sch); +@@ -268,13 +269,7 @@ static int prio_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + if (new == NULL) + new = &noop_qdisc; + +- sch_tree_lock(sch); +- *old = q->queues[band]; +- q->queues[band] = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); +- ++ *old = qdisc_replace(sch, new, &q->queues[band]); + return 0; + } + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 3ec7e88a43ca..e2b8fd47008b 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -221,9 +221,10 @@ static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid) + static void qfq_purge_queue(struct qfq_class *cl) + { + unsigned int len = cl->qdisc->q.qlen; ++ unsigned int backlog = cl->qdisc->qstats.backlog; + + qdisc_reset(cl->qdisc); +- qdisc_tree_decrease_qlen(cl->qdisc, len); ++ qdisc_tree_reduce_backlog(cl->qdisc, len, backlog); + } + + static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = { +@@ -619,11 +620,7 @@ static int qfq_graft_class(struct Qdisc *sch, unsigned long arg, + new = &noop_qdisc; + } + +- sch_tree_lock(sch); +- qfq_purge_queue(cl); +- *old = cl->qdisc; +- cl->qdisc = new; +- sch_tree_unlock(sch); ++ *old = qdisc_replace(sch, new, &cl->qdisc); + return 0; + } + +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c +index 6c0534cc7758..8c0508c0e287 100644 +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -210,7 +210,8 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt) + q->flags = ctl->flags; + q->limit = ctl->limit; + if (child) { +- qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen); ++ qdisc_tree_reduce_backlog(q->qdisc, q->qdisc->q.qlen, ++ q->qdisc->qstats.backlog); + qdisc_destroy(q->qdisc); + q->qdisc = child; + } +@@ -313,12 +314,7 @@ static int red_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + if (new == NULL) + new = &noop_qdisc; + +- sch_tree_lock(sch); +- *old = q->qdisc; +- q->qdisc = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); ++ *old = qdisc_replace(sch, new, &q->qdisc); + return 0; + } + +diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c +index 5819dd82630d..e1d634e3c255 100644 +--- a/net/sched/sch_sfb.c ++++ b/net/sched/sch_sfb.c +@@ -518,7 +518,8 @@ static int sfb_change(struct Qdisc *sch, struct nlattr *opt) + + sch_tree_lock(sch); + +- qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen); ++ qdisc_tree_reduce_backlog(q->qdisc, q->qdisc->q.qlen, ++ q->qdisc->qstats.backlog); + qdisc_destroy(q->qdisc); + q->qdisc = child; + +@@ -614,12 +615,7 @@ static int sfb_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + if (new == NULL) + new = &noop_qdisc; + +- sch_tree_lock(sch); +- *old = q->qdisc; +- q->qdisc = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); ++ *old = qdisc_replace(sch, new, &q->qdisc); + return 0; + } + +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c +index b877140beda5..4417fb25166f 100644 +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -369,7 +369,7 @@ static int + sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch) + { + struct sfq_sched_data *q = qdisc_priv(sch); +- unsigned int hash; ++ unsigned int hash, dropped; + sfq_index x, qlen; + struct sfq_slot *slot; + int uninitialized_var(ret); +@@ -484,7 +484,7 @@ enqueue: + return NET_XMIT_SUCCESS; + + qlen = slot->qlen; +- sfq_drop(sch); ++ dropped = sfq_drop(sch); + /* Return Congestion Notification only if we dropped a packet + * from this flow. + */ +@@ -492,7 +492,7 @@ enqueue: + return NET_XMIT_CN; + + /* As we dropped a packet, better let upper stack know this */ +- qdisc_tree_decrease_qlen(sch, 1); ++ qdisc_tree_reduce_backlog(sch, 1, dropped); + return NET_XMIT_SUCCESS; + } + +@@ -560,6 +560,7 @@ static void sfq_rehash(struct Qdisc *sch) + struct sfq_slot *slot; + struct sk_buff_head list; + int dropped = 0; ++ unsigned int drop_len = 0; + + __skb_queue_head_init(&list); + +@@ -588,6 +589,7 @@ static void sfq_rehash(struct Qdisc *sch) + if (x >= SFQ_MAX_FLOWS) { + drop: + qdisc_qstats_backlog_dec(sch, skb); ++ drop_len += qdisc_pkt_len(skb); + kfree_skb(skb); + dropped++; + continue; +@@ -617,7 +619,7 @@ drop: + } + } + sch->q.qlen -= dropped; +- qdisc_tree_decrease_qlen(sch, dropped); ++ qdisc_tree_reduce_backlog(sch, dropped, drop_len); + } + + static void sfq_perturbation(unsigned long arg) +@@ -641,7 +643,7 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) + struct sfq_sched_data *q = qdisc_priv(sch); + struct tc_sfq_qopt *ctl = nla_data(opt); + struct tc_sfq_qopt_v1 *ctl_v1 = NULL; +- unsigned int qlen; ++ unsigned int qlen, dropped = 0; + struct red_parms *p = NULL; + + if (opt->nla_len < nla_attr_size(sizeof(*ctl))) +@@ -690,8 +692,8 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) + + qlen = sch->q.qlen; + while (sch->q.qlen > q->limit) +- sfq_drop(sch); +- qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen); ++ dropped += sfq_drop(sch); ++ qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); + + del_timer(&q->perturb_timer); + if (q->perturb_period) { +diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c +index a4afde14e865..c2fbde742f37 100644 +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -160,6 +160,7 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch) + struct tbf_sched_data *q = qdisc_priv(sch); + struct sk_buff *segs, *nskb; + netdev_features_t features = netif_skb_features(skb); ++ unsigned int len = 0, prev_len = qdisc_pkt_len(skb); + int ret, nb; + + segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK); +@@ -172,6 +173,7 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch) + nskb = segs->next; + segs->next = NULL; + qdisc_skb_cb(segs)->pkt_len = segs->len; ++ len += segs->len; + ret = qdisc_enqueue(segs, q->qdisc); + if (ret != NET_XMIT_SUCCESS) { + if (net_xmit_drop_count(ret)) +@@ -183,7 +185,7 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch) + } + sch->q.qlen += nb; + if (nb > 1) +- qdisc_tree_decrease_qlen(sch, 1 - nb); ++ qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len); + consume_skb(skb); + return nb > 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP; + } +@@ -399,7 +401,8 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt) + + sch_tree_lock(sch); + if (child) { +- qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen); ++ qdisc_tree_reduce_backlog(q->qdisc, q->qdisc->q.qlen, ++ q->qdisc->qstats.backlog); + qdisc_destroy(q->qdisc); + q->qdisc = child; + } +@@ -502,13 +505,7 @@ static int tbf_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new, + if (new == NULL) + new = &noop_qdisc; + +- sch_tree_lock(sch); +- *old = q->qdisc; +- q->qdisc = new; +- qdisc_tree_decrease_qlen(*old, (*old)->q.qlen); +- qdisc_reset(*old); +- sch_tree_unlock(sch); +- ++ *old = qdisc_replace(sch, new, &q->qdisc); + return 0; + } + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 3267a5cbb3e8..18361cbfc882 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -519,6 +519,8 @@ static int sctp_v6_cmp_addr(const union sctp_addr *addr1, + } + return 0; + } ++ if (addr1->v6.sin6_port != addr2->v6.sin6_port) ++ return 0; + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) + return 0; + /* If this is a linklocal address, compare the scope_id. */ +diff --git a/net/socket.c b/net/socket.c +index 02fc7c8ea9ed..7f61789c78ff 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -2410,31 +2410,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + break; + } + +-out_put: +- fput_light(sock->file, fput_needed); +- + if (err == 0) +- return datagrams; ++ goto out_put; + +- if (datagrams != 0) { ++ if (datagrams == 0) { ++ datagrams = err; ++ goto out_put; ++ } ++ ++ /* ++ * We may return less entries than requested (vlen) if the ++ * sock is non block and there aren't enough datagrams... ++ */ ++ if (err != -EAGAIN) { + /* +- * We may return less entries than requested (vlen) if the +- * sock is non block and there aren't enough datagrams... ++ * ... or if recvmsg returns an error after we ++ * received some datagrams, where we record the ++ * error to return on the next call or if the ++ * app asks about it using getsockopt(SO_ERROR). + */ +- if (err != -EAGAIN) { +- /* +- * ... or if recvmsg returns an error after we +- * received some datagrams, where we record the +- * error to return on the next call or if the +- * app asks about it using getsockopt(SO_ERROR). +- */ +- sock->sk->sk_err = -err; +- } +- +- return datagrams; ++ sock->sk->sk_err = -err; + } ++out_put: ++ fput_light(sock->file, fput_needed); + +- return err; ++ return datagrams; + } + + SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 14d38ec5e53d..11e7b55f04e2 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1187,14 +1187,14 @@ int sunrpc_cache_pipe_upcall(struct cache_detail *detail, struct cache_head *h) + } + + crq->q.reader = 0; +- crq->item = cache_get(h); + crq->buf = buf; + crq->len = 0; + crq->readers = 0; + spin_lock(&queue_lock); +- if (test_bit(CACHE_PENDING, &h->flags)) ++ if (test_bit(CACHE_PENDING, &h->flags)) { ++ crq->item = cache_get(h); + list_add_tail(&crq->q.list, &detail->queue); +- else ++ } else + /* Lost a race, no longer PENDING, so don't enqueue */ + ret = -EAGAIN; + spin_unlock(&queue_lock); +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index ae46f0198608..7b738b53f061 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -439,7 +439,7 @@ out_no_rpciod: + return ERR_PTR(err); + } + +-struct rpc_clnt *rpc_create_xprt(struct rpc_create_args *args, ++static struct rpc_clnt *rpc_create_xprt(struct rpc_create_args *args, + struct rpc_xprt *xprt) + { + struct rpc_clnt *clnt = NULL; +@@ -471,7 +471,6 @@ struct rpc_clnt *rpc_create_xprt(struct rpc_create_args *args, + + return clnt; + } +-EXPORT_SYMBOL_GPL(rpc_create_xprt); + + /** + * rpc_create - create an RPC client and transport with one call +@@ -497,6 +496,15 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args) + }; + char servername[48]; + ++ if (args->bc_xprt) { ++ WARN_ON(args->protocol != XPRT_TRANSPORT_BC_TCP); ++ xprt = args->bc_xprt->xpt_bc_xprt; ++ if (xprt) { ++ xprt_get(xprt); ++ return rpc_create_xprt(args, xprt); ++ } ++ } ++ + if (args->flags & RPC_CLNT_CREATE_INFINITE_SLOTS) + xprtargs.flags |= XPRT_CREATE_INFINITE_SLOTS; + if (args->flags & RPC_CLNT_CREATE_NO_IDLE_TIMEOUT) +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 20d752634efb..287087b10a7e 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -305,7 +305,7 @@ static struct sock *unix_find_socket_byinode(struct inode *i) + &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) { + struct dentry *dentry = unix_sk(s)->path.dentry; + +- if (dentry && dentry->d_inode == i) { ++ if (dentry && d_backing_inode(dentry) == i) { + sock_hold(s); + goto found; + } +@@ -898,7 +898,7 @@ static struct sock *unix_find_other(struct net *net, + err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path); + if (err) + goto fail; +- inode = path.dentry->d_inode; ++ inode = d_backing_inode(path.dentry); + err = inode_permission(inode, MAY_WRITE); + if (err) + goto put_fail; +@@ -940,32 +940,20 @@ fail: + return NULL; + } + +-static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) ++static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode, ++ struct path *res) + { +- struct dentry *dentry; +- struct path path; +- int err = 0; +- /* +- * Get the parent directory, calculate the hash for last +- * component. +- */ +- dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); +- err = PTR_ERR(dentry); +- if (IS_ERR(dentry)) +- return err; ++ int err; + +- /* +- * All right, let's create it. +- */ +- err = security_path_mknod(&path, dentry, mode, 0); ++ err = security_path_mknod(path, dentry, mode, 0); + if (!err) { +- err = vfs_mknod(path.dentry->d_inode, dentry, mode, 0); ++ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0); + if (!err) { +- res->mnt = mntget(path.mnt); ++ res->mnt = mntget(path->mnt); + res->dentry = dget(dentry); + } + } +- done_path_create(&path, dentry); ++ + return err; + } + +@@ -976,10 +964,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct unix_sock *u = unix_sk(sk); + struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; + char *sun_path = sunaddr->sun_path; +- int err; ++ int err, name_err; + unsigned int hash; + struct unix_address *addr; + struct hlist_head *list; ++ struct path path; ++ struct dentry *dentry; + + err = -EINVAL; + if (sunaddr->sun_family != AF_UNIX) +@@ -995,14 +985,34 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + goto out; + addr_len = err; + ++ name_err = 0; ++ dentry = NULL; ++ if (sun_path[0]) { ++ /* Get the parent directory, calculate the hash for last ++ * component. ++ */ ++ dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); ++ ++ if (IS_ERR(dentry)) { ++ /* delay report until after 'already bound' check */ ++ name_err = PTR_ERR(dentry); ++ dentry = NULL; ++ } ++ } ++ + err = mutex_lock_interruptible(&u->readlock); + if (err) +- goto out; ++ goto out_path; + + err = -EINVAL; + if (u->addr) + goto out_up; + ++ if (name_err) { ++ err = name_err == -EEXIST ? -EADDRINUSE : name_err; ++ goto out_up; ++ } ++ + err = -ENOMEM; + addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL); + if (!addr) +@@ -1013,11 +1023,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + addr->hash = hash ^ sk->sk_type; + atomic_set(&addr->refcnt, 1); + +- if (sun_path[0]) { +- struct path path; ++ if (dentry) { ++ struct path u_path; + umode_t mode = S_IFSOCK | + (SOCK_INODE(sock)->i_mode & ~current_umask()); +- err = unix_mknod(sun_path, mode, &path); ++ err = unix_mknod(dentry, &path, mode, &u_path); + if (err) { + if (err == -EEXIST) + err = -EADDRINUSE; +@@ -1025,9 +1035,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + goto out_up; + } + addr->hash = UNIX_HASH_SIZE; +- hash = path.dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1); ++ hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1); + spin_lock(&unix_table_lock); +- u->path = path; ++ u->path = u_path; + list = &unix_socket_table[hash]; + } else { + spin_lock(&unix_table_lock); +@@ -1050,6 +1060,10 @@ out_unlock: + spin_unlock(&unix_table_lock); + out_up: + mutex_unlock(&u->readlock); ++out_path: ++ if (dentry) ++ done_path_create(&path, dentry); ++ + out: + return err; + } +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 86fa0f3b2caf..9d4218fc0a61 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -25,7 +25,7 @@ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + + if (dentry) { + struct unix_diag_vfs uv = { +- .udiag_vfs_ino = dentry->d_inode->i_ino, ++ .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, + .udiag_vfs_dev = dentry->d_sb->s_dev, + }; + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 85d232bed87d..e8d3313ea2c9 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1796,27 +1796,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb, + else if (sk->sk_shutdown & RCV_SHUTDOWN) + err = 0; + +- if (copied > 0) { +- /* We only do these additional bookkeeping/notification steps +- * if we actually copied something out of the queue pair +- * instead of just peeking ahead. +- */ +- +- if (!(flags & MSG_PEEK)) { +- /* If the other side has shutdown for sending and there +- * is nothing more to read, then modify the socket +- * state. +- */ +- if (vsk->peer_shutdown & SEND_SHUTDOWN) { +- if (vsock_stream_has_data(vsk) <= 0) { +- sk->sk_state = SS_UNCONNECTED; +- sock_set_flag(sk, SOCK_DONE); +- sk->sk_state_change(sk); +- } +- } +- } ++ if (copied > 0) + err = copied; +- } + + out_wait: + finish_wait(sk_sleep(sk), &wait); +diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c +index 7ecd04c21360..997ff7b2509b 100644 +--- a/net/x25/x25_facilities.c ++++ b/net/x25/x25_facilities.c +@@ -277,6 +277,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, + + memset(&theirs, 0, sizeof(theirs)); + memcpy(new, ours, sizeof(*new)); ++ memset(dte, 0, sizeof(*dte)); + + len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); + if (len < 0) +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c +index 00977873300c..d0e6d351aba8 100644 +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -292,12 +292,15 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) + XFRM_SKB_CB(skb)->seq.input.hi = seq_hi; + + skb_dst_force(skb); ++ dev_hold(skb->dev); + + nexthdr = x->type->input(x, skb); + + if (nexthdr == -EINPROGRESS) + return 0; + resume: ++ dev_put(skb->dev); ++ + spin_lock(&x->lock); + if (nexthdr <= 0) { + if (nexthdr == -EBADMSG) { +diff --git a/security/keys/key.c b/security/keys/key.c +index e17ba6aefdc0..f8bde20bed5d 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -580,7 +580,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(&key_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, &key->index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 4927a3c88340..2fd0dccf8505 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1053,8 +1053,8 @@ static int snd_timer_s_start(struct snd_timer * timer) + njiff += timer->sticks - priv->correction; + priv->correction = 0; + } +- priv->last_expires = priv->tlist.expires = njiff; +- add_timer(&priv->tlist); ++ priv->last_expires = njiff; ++ mod_timer(&priv->tlist, njiff); + return 0; + } + +diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c +index 387bb8f603ac..35cc884bca6b 100644 +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd_pcm_substream *substream) + + static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) + { ++ hrtimer_cancel(&dpcm->timer); + tasklet_kill(&dpcm->tasklet); + } + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5b2c7fe0ac85..77bd16739dbd 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5544,8 +5544,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {0x15, 0x0221401f}, \ + {0x1a, 0x411111f0}, \ + {0x1b, 0x411111f0}, \ +- {0x1d, 0x40700001}, \ +- {0x1e, 0x411111f0} ++ {0x1d, 0x40700001} + + #define ALC298_STANDARD_PINS \ + {0x18, 0x411111f0}, \ +@@ -5813,35 +5812,48 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x13, 0x411111f0}, + {0x16, 0x01014020}, + {0x18, 0x411111f0}, +- {0x19, 0x01a19030}), ++ {0x19, 0x01a19030}, ++ {0x1e, 0x411111f0}), + SND_HDA_PIN_QUIRK(0x10ec0292, 0x1028, "Dell", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, + ALC292_STANDARD_PINS, + {0x12, 0x90a60140}, + {0x13, 0x411111f0}, + {0x16, 0x01014020}, + {0x18, 0x02a19031}, +- {0x19, 0x01a1903e}), ++ {0x19, 0x01a1903e}, ++ {0x1e, 0x411111f0}), + SND_HDA_PIN_QUIRK(0x10ec0292, 0x1028, "Dell", ALC269_FIXUP_DELL3_MIC_NO_PRESENCE, + ALC292_STANDARD_PINS, + {0x12, 0x90a60140}, + {0x13, 0x411111f0}, + {0x16, 0x411111f0}, + {0x18, 0x411111f0}, +- {0x19, 0x411111f0}), ++ {0x19, 0x411111f0}, ++ {0x1e, 0x411111f0}), + SND_HDA_PIN_QUIRK(0x10ec0293, 0x1028, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC292_STANDARD_PINS, + {0x12, 0x40000000}, + {0x13, 0x90a60140}, + {0x16, 0x21014020}, + {0x18, 0x411111f0}, +- {0x19, 0x21a19030}), ++ {0x19, 0x21a19030}, ++ {0x1e, 0x411111f0}), + SND_HDA_PIN_QUIRK(0x10ec0293, 0x1028, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC292_STANDARD_PINS, + {0x12, 0x40000000}, + {0x13, 0x90a60140}, + {0x16, 0x411111f0}, + {0x18, 0x411111f0}, +- {0x19, 0x411111f0}), ++ {0x19, 0x411111f0}, ++ {0x1e, 0x411111f0}), ++ SND_HDA_PIN_QUIRK(0x10ec0293, 0x1028, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC292_STANDARD_PINS, ++ {0x12, 0x40000000}, ++ {0x13, 0x90a60140}, ++ {0x16, 0x21014020}, ++ {0x18, 0x411111f0}, ++ {0x19, 0x21a19030}, ++ {0x1e, 0x411111ff}), + SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC298_STANDARD_PINS, + {0x12, 0x90a60130}, +diff --git a/sound/soc/codecs/ssm4567.c b/sound/soc/codecs/ssm4567.c +index 4b5c17f8507e..9bb976e7d609 100644 +--- a/sound/soc/codecs/ssm4567.c ++++ b/sound/soc/codecs/ssm4567.c +@@ -206,6 +206,11 @@ static int ssm4567_set_power(struct ssm4567 *ssm4567, bool enable) + regcache_cache_only(ssm4567->regmap, !enable); + + if (enable) { ++ ret = regmap_write(ssm4567->regmap, SSM4567_REG_SOFT_RESET, ++ 0x00); ++ if (ret) ++ return ret; ++ + ret = regmap_update_bits(ssm4567->regmap, + SSM4567_REG_POWER_CTRL, + SSM4567_POWER_SPWDN, 0x00); +diff --git a/sound/soc/samsung/ac97.c b/sound/soc/samsung/ac97.c +index e1615113fd84..98e3b9313d55 100644 +--- a/sound/soc/samsung/ac97.c ++++ b/sound/soc/samsung/ac97.c +@@ -324,7 +324,7 @@ static const struct snd_soc_component_driver s3c_ac97_component = { + + static int s3c_ac97_probe(struct platform_device *pdev) + { +- struct resource *mem_res, *dmatx_res, *dmarx_res, *dmamic_res, *irq_res; ++ struct resource *mem_res, *irq_res; + struct s3c_audio_pdata *ac97_pdata; + int ret; + +@@ -335,24 +335,6 @@ static int s3c_ac97_probe(struct platform_device *pdev) + } + + /* Check for availability of necessary resource */ +- dmatx_res = platform_get_resource(pdev, IORESOURCE_DMA, 0); +- if (!dmatx_res) { +- dev_err(&pdev->dev, "Unable to get AC97-TX dma resource\n"); +- return -ENXIO; +- } +- +- dmarx_res = platform_get_resource(pdev, IORESOURCE_DMA, 1); +- if (!dmarx_res) { +- dev_err(&pdev->dev, "Unable to get AC97-RX dma resource\n"); +- return -ENXIO; +- } +- +- dmamic_res = platform_get_resource(pdev, IORESOURCE_DMA, 2); +- if (!dmamic_res) { +- dev_err(&pdev->dev, "Unable to get AC97-MIC dma resource\n"); +- return -ENXIO; +- } +- + irq_res = platform_get_resource(pdev, IORESOURCE_IRQ, 0); + if (!irq_res) { + dev_err(&pdev->dev, "AC97 IRQ not provided!\n"); +@@ -364,11 +346,11 @@ static int s3c_ac97_probe(struct platform_device *pdev) + if (IS_ERR(s3c_ac97.regs)) + return PTR_ERR(s3c_ac97.regs); + +- s3c_ac97_pcm_out.channel = dmatx_res->start; ++ s3c_ac97_pcm_out.slave = ac97_pdata->dma_playback; + s3c_ac97_pcm_out.dma_addr = mem_res->start + S3C_AC97_PCM_DATA; +- s3c_ac97_pcm_in.channel = dmarx_res->start; ++ s3c_ac97_pcm_in.slave = ac97_pdata->dma_capture; + s3c_ac97_pcm_in.dma_addr = mem_res->start + S3C_AC97_PCM_DATA; +- s3c_ac97_mic_in.channel = dmamic_res->start; ++ s3c_ac97_mic_in.slave = ac97_pdata->dma_capture_mic; + s3c_ac97_mic_in.dma_addr = mem_res->start + S3C_AC97_MIC_DATA; + + init_completion(&s3c_ac97.done); +diff --git a/sound/soc/samsung/dma.h b/sound/soc/samsung/dma.h +index 0e85dcfec023..085ef30f5ca2 100644 +--- a/sound/soc/samsung/dma.h ++++ b/sound/soc/samsung/dma.h +@@ -15,7 +15,7 @@ + #include <sound/dmaengine_pcm.h> + + struct s3c_dma_params { +- int channel; /* Channel ID */ ++ void *slave; /* Channel ID */ + dma_addr_t dma_addr; + int dma_size; /* Size of the DMA transfer */ + char *ch_name; +diff --git a/sound/soc/samsung/dmaengine.c b/sound/soc/samsung/dmaengine.c +index 506f5bf6d082..727008d57d14 100644 +--- a/sound/soc/samsung/dmaengine.c ++++ b/sound/soc/samsung/dmaengine.c +@@ -50,14 +50,14 @@ void samsung_asoc_init_dma_data(struct snd_soc_dai *dai, + + if (playback) { + playback_data = &playback->dma_data; +- playback_data->filter_data = (void *)playback->channel; ++ playback_data->filter_data = playback->slave; + playback_data->chan_name = playback->ch_name; + playback_data->addr = playback->dma_addr; + playback_data->addr_width = playback->dma_size; + } + if (capture) { + capture_data = &capture->dma_data; +- capture_data->filter_data = (void *)capture->channel; ++ capture_data->filter_data = capture->slave; + capture_data->chan_name = capture->ch_name; + capture_data->addr = capture->dma_addr; + capture_data->addr_width = capture->dma_size; +diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c +index 9d513473b300..f2ce03dbf02f 100644 +--- a/sound/soc/samsung/i2s.c ++++ b/sound/soc/samsung/i2s.c +@@ -1167,27 +1167,14 @@ static int samsung_i2s_probe(struct platform_device *pdev) + } + + if (!np) { +- res = platform_get_resource(pdev, IORESOURCE_DMA, 0); +- if (!res) { +- dev_err(&pdev->dev, +- "Unable to get I2S-TX dma resource\n"); +- return -ENXIO; +- } +- pri_dai->dma_playback.channel = res->start; +- +- res = platform_get_resource(pdev, IORESOURCE_DMA, 1); +- if (!res) { +- dev_err(&pdev->dev, +- "Unable to get I2S-RX dma resource\n"); +- return -ENXIO; +- } +- pri_dai->dma_capture.channel = res->start; +- + if (i2s_pdata == NULL) { + dev_err(&pdev->dev, "Can't work without s3c_audio_pdata\n"); + return -EINVAL; + } + ++ pri_dai->dma_playback.slave = i2s_pdata->dma_playback; ++ pri_dai->dma_capture.slave = i2s_pdata->dma_capture; ++ + if (&i2s_pdata->type) + i2s_cfg = &i2s_pdata->type.i2s; + +@@ -1242,11 +1229,8 @@ static int samsung_i2s_probe(struct platform_device *pdev) + sec_dai->dma_playback.dma_addr = regs_base + I2STXDS; + sec_dai->dma_playback.ch_name = "tx-sec"; + +- if (!np) { +- res = platform_get_resource(pdev, IORESOURCE_DMA, 2); +- if (res) +- sec_dai->dma_playback.channel = res->start; +- } ++ if (!np) ++ sec_dai->dma_playback.slave = i2s_pdata->dma_play_sec; + + sec_dai->dma_playback.dma_size = 4; + sec_dai->base = regs_base; +diff --git a/sound/soc/samsung/pcm.c b/sound/soc/samsung/pcm.c +index bac034b15a27..9e6e33b17213 100644 +--- a/sound/soc/samsung/pcm.c ++++ b/sound/soc/samsung/pcm.c +@@ -486,7 +486,7 @@ static const struct snd_soc_component_driver s3c_pcm_component = { + static int s3c_pcm_dev_probe(struct platform_device *pdev) + { + struct s3c_pcm_info *pcm; +- struct resource *mem_res, *dmatx_res, *dmarx_res; ++ struct resource *mem_res; + struct s3c_audio_pdata *pcm_pdata; + int ret; + +@@ -499,18 +499,6 @@ static int s3c_pcm_dev_probe(struct platform_device *pdev) + pcm_pdata = pdev->dev.platform_data; + + /* Check for availability of necessary resource */ +- dmatx_res = platform_get_resource(pdev, IORESOURCE_DMA, 0); +- if (!dmatx_res) { +- dev_err(&pdev->dev, "Unable to get PCM-TX dma resource\n"); +- return -ENXIO; +- } +- +- dmarx_res = platform_get_resource(pdev, IORESOURCE_DMA, 1); +- if (!dmarx_res) { +- dev_err(&pdev->dev, "Unable to get PCM-RX dma resource\n"); +- return -ENXIO; +- } +- + mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!mem_res) { + dev_err(&pdev->dev, "Unable to get register resource\n"); +@@ -568,8 +556,10 @@ static int s3c_pcm_dev_probe(struct platform_device *pdev) + s3c_pcm_stereo_out[pdev->id].dma_addr = mem_res->start + + S3C_PCM_TXFIFO; + +- s3c_pcm_stereo_in[pdev->id].channel = dmarx_res->start; +- s3c_pcm_stereo_out[pdev->id].channel = dmatx_res->start; ++ if (pcm_pdata) { ++ s3c_pcm_stereo_in[pdev->id].slave = pcm_pdata->dma_capture; ++ s3c_pcm_stereo_out[pdev->id].slave = pcm_pdata->dma_playback; ++ } + + pcm->dma_capture = &s3c_pcm_stereo_in[pdev->id]; + pcm->dma_playback = &s3c_pcm_stereo_out[pdev->id]; +diff --git a/sound/soc/samsung/s3c-i2s-v2.c b/sound/soc/samsung/s3c-i2s-v2.c +index df65c5b494b1..b6ab3fc5789e 100644 +--- a/sound/soc/samsung/s3c-i2s-v2.c ++++ b/sound/soc/samsung/s3c-i2s-v2.c +@@ -709,7 +709,7 @@ static int s3c2412_i2s_resume(struct snd_soc_dai *dai) + #endif + + int s3c_i2sv2_register_component(struct device *dev, int id, +- struct snd_soc_component_driver *cmp_drv, ++ const struct snd_soc_component_driver *cmp_drv, + struct snd_soc_dai_driver *dai_drv) + { + struct snd_soc_dai_ops *ops = (struct snd_soc_dai_ops *)dai_drv->ops; +diff --git a/sound/soc/samsung/s3c-i2s-v2.h b/sound/soc/samsung/s3c-i2s-v2.h +index 90abab364b49..d0684145ed1f 100644 +--- a/sound/soc/samsung/s3c-i2s-v2.h ++++ b/sound/soc/samsung/s3c-i2s-v2.h +@@ -101,7 +101,7 @@ extern int s3c_i2sv2_probe(struct snd_soc_dai *dai, + * soc core. + */ + extern int s3c_i2sv2_register_component(struct device *dev, int id, +- struct snd_soc_component_driver *cmp_drv, ++ const struct snd_soc_component_driver *cmp_drv, + struct snd_soc_dai_driver *dai_drv); + + #endif /* __SND_SOC_S3C24XX_S3C_I2SV2_I2S_H */ +diff --git a/sound/soc/samsung/s3c2412-i2s.c b/sound/soc/samsung/s3c2412-i2s.c +index 27b339c6580e..e3650d1497ec 100644 +--- a/sound/soc/samsung/s3c2412-i2s.c ++++ b/sound/soc/samsung/s3c2412-i2s.c +@@ -34,13 +34,13 @@ + #include "s3c2412-i2s.h" + + static struct s3c_dma_params s3c2412_i2s_pcm_stereo_out = { +- .channel = DMACH_I2S_OUT, ++ .slave = (void *)(uintptr_t)DMACH_I2S_OUT, + .ch_name = "tx", + .dma_size = 4, + }; + + static struct s3c_dma_params s3c2412_i2s_pcm_stereo_in = { +- .channel = DMACH_I2S_IN, ++ .slave = (void *)(uintptr_t)DMACH_I2S_IN, + .ch_name = "rx", + .dma_size = 4, + }; +diff --git a/sound/soc/samsung/s3c24xx-i2s.c b/sound/soc/samsung/s3c24xx-i2s.c +index fb1d39324a65..60be3985a4ce 100644 +--- a/sound/soc/samsung/s3c24xx-i2s.c ++++ b/sound/soc/samsung/s3c24xx-i2s.c +@@ -32,13 +32,13 @@ + #include "s3c24xx-i2s.h" + + static struct s3c_dma_params s3c24xx_i2s_pcm_stereo_out = { +- .channel = DMACH_I2S_OUT, ++ .slave = (void *)(uintptr_t)DMACH_I2S_OUT, + .ch_name = "tx", + .dma_size = 2, + }; + + static struct s3c_dma_params s3c24xx_i2s_pcm_stereo_in = { +- .channel = DMACH_I2S_IN, ++ .slave = (void *)(uintptr_t)DMACH_I2S_IN, + .ch_name = "rx", + .dma_size = 2, + }; +diff --git a/sound/soc/samsung/spdif.c b/sound/soc/samsung/spdif.c +index d7d2e208f486..1de2686819cb 100644 +--- a/sound/soc/samsung/spdif.c ++++ b/sound/soc/samsung/spdif.c +@@ -359,7 +359,7 @@ static const struct snd_soc_component_driver samsung_spdif_component = { + static int spdif_probe(struct platform_device *pdev) + { + struct s3c_audio_pdata *spdif_pdata; +- struct resource *mem_res, *dma_res; ++ struct resource *mem_res; + struct samsung_spdif_info *spdif; + int ret; + +@@ -367,12 +367,6 @@ static int spdif_probe(struct platform_device *pdev) + + dev_dbg(&pdev->dev, "Entered %s\n", __func__); + +- dma_res = platform_get_resource(pdev, IORESOURCE_DMA, 0); +- if (!dma_res) { +- dev_err(&pdev->dev, "Unable to get dma resource.\n"); +- return -ENXIO; +- } +- + mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!mem_res) { + dev_err(&pdev->dev, "Unable to get register resource.\n"); +@@ -432,7 +426,7 @@ static int spdif_probe(struct platform_device *pdev) + + spdif_stereo_out.dma_size = 2; + spdif_stereo_out.dma_addr = mem_res->start + DATA_OUTBUF; +- spdif_stereo_out.channel = dma_res->start; ++ spdif_stereo_out.slave = spdif_pdata ? spdif_pdata->dma_playback : NULL; + + spdif->dma_playback = &spdif_stereo_out; + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 982c2df6d0b5..7a44d07c797d 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -138,6 +138,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + usb_audio_err(chip, "cannot memdup\n"); + return -ENOMEM; + } ++ INIT_LIST_HEAD(&fp->list); + if (fp->nr_rates > MAX_NR_RATES) { + kfree(fp); + return -EINVAL; +@@ -155,23 +156,18 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + stream = (fp->endpoint & USB_DIR_IN) + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); +- if (err < 0) { +- kfree(fp); +- kfree(rate_table); +- return err; +- } ++ if (err < 0) ++ goto error; + if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber || + fp->altset_idx >= iface->num_altsetting) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); + if (altsd->bNumEndpoints < 1) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + + fp->protocol = altsd->bInterfaceProtocol; +@@ -184,6 +180,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + snd_usb_init_pitch(chip, fp->iface, alts, fp); + snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max); + return 0; ++ ++ error: ++ list_del(&fp->list); /* unlink for avoiding double-free */ ++ kfree(fp); ++ kfree(rate_table); ++ return err; + } + + static int create_auto_pcm_quirk(struct snd_usb_audio *chip, +@@ -456,6 +458,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip, + fp->ep_attr = get_endpoint(alts, 0)->bmAttributes; + fp->datainterval = 0; + fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize); ++ INIT_LIST_HEAD(&fp->list); + + switch (fp->maxpacksize) { + case 0x120: +@@ -479,6 +482,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip, + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp); + return err; + } +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 310a3822d2b7..25e8075f9ea3 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -315,7 +315,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, + /* + * add this endpoint to the chip instance. + * if a stream with the same endpoint already exists, append to it. +- * if not, create a new pcm stream. ++ * if not, create a new pcm stream. note, fp is added to the substream ++ * fmt_list and will be freed on the chip instance release. do not free ++ * fp or do remove it from the substream fmt_list to avoid double-free. + */ + int snd_usb_add_audio_stream(struct snd_usb_audio *chip, + int stream, +@@ -668,6 +670,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) + * (fp->maxpacksize & 0x7ff); + fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no); + fp->clock = clock; ++ INIT_LIST_HEAD(&fp->list); + + /* some quirks for attributes here */ + +@@ -716,6 +719,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) + dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint); + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp->rate_table); + kfree(fp->chmap); + kfree(fp); +diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt +index 29ee857c09c6..6f9fbb44cd19 100644 +--- a/tools/perf/Documentation/perf-stat.txt ++++ b/tools/perf/Documentation/perf-stat.txt +@@ -50,6 +50,14 @@ OPTIONS + --scale:: + scale/normalize counter values + ++-d:: ++--detailed:: ++ print more detailed statistics, can be specified up to 3 times ++ ++ -d: detailed events, L1 and LLC data cache ++ -d -d: more detailed events, dTLB and iTLB events ++ -d -d -d: very detailed events, adding prefetch events ++ + -r:: + --repeat=<n>:: + repeat command and print average + stddev (max: 100). 0 means forever. +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c +index 4af6b279e34a..da4c17cccb71 100644 +--- a/tools/perf/util/event.c ++++ b/tools/perf/util/event.c +@@ -197,7 +197,7 @@ int perf_event__synthesize_mmap_events(struct perf_tool *tool, + strcpy(execname, ""); + + /* 00400000-0040c000 r-xp 00000000 fd:01 41038 /bin/cat */ +- n = sscanf(bf, "%"PRIx64"-%"PRIx64" %s %"PRIx64" %x:%x %u %s\n", ++ n = sscanf(bf, "%"PRIx64"-%"PRIx64" %s %"PRIx64" %x:%x %u %[^\n]\n", + &event->mmap2.start, &event->mmap2.len, prot, + &event->mmap2.pgoff, &event->mmap2.maj, + &event->mmap2.min, +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 2c9d47fbc498..7d32b4e82e86 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2559,7 +2559,7 @@ static long kvm_vm_ioctl(struct file *filp, + if (copy_from_user(&routing, argp, sizeof(routing))) + goto out; + r = -EINVAL; +- if (routing.nr >= KVM_MAX_IRQ_ROUTES) ++ if (routing.nr > KVM_MAX_IRQ_ROUTES) + goto out; + if (routing.flags) + goto out; |