diff --git a/patch/kernel/meson64-legacy/patch-4.9.232-233.patch b/patch/kernel/meson64-legacy/patch-4.9.232-233.patch new file mode 100644 index 000000000..11e0719b5 --- /dev/null +++ b/patch/kernel/meson64-legacy/patch-4.9.232-233.patch @@ -0,0 +1,5978 @@ +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index 0406076e44059..743ffbcc6b5f0 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -1491,7 +1491,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw + KernelVersion: 4.3 + Contact: linux-iio@vger.kernel.org + Description: +- Raw (unscaled no offset etc.) percentage reading of a substance. ++ Raw (unscaled no offset etc.) reading of a substance. Units ++ after application of scale and offset are percents. + + What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw + What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw +diff --git a/Makefile b/Makefile +index 934db3609c16f..af68e8c3fb962 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 232 ++SUBLEVEL = 233 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm/include/asm/percpu.h b/arch/arm/include/asm/percpu.h +index a89b4076cde47..72821b4721add 100644 +--- a/arch/arm/include/asm/percpu.h ++++ b/arch/arm/include/asm/percpu.h +@@ -16,6 +16,8 @@ + #ifndef _ASM_ARM_PERCPU_H_ + #define _ASM_ARM_PERCPU_H_ + ++#include ++ + /* + * Same as asm-generic/percpu.h, except that we store the per cpu offset + * in the TPIDRPRW. TPIDRPRW only exists on V6K and V7 +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index 25538a9358741..283084f6286d9 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -688,6 +688,12 @@ static void disable_single_step(struct perf_event *bp) + arch_install_hw_breakpoint(bp); + } + ++static int watchpoint_fault_on_uaccess(struct pt_regs *regs, ++ struct arch_hw_breakpoint *info) ++{ ++ return !user_mode(regs) && info->ctrl.privilege == ARM_BREAKPOINT_USER; ++} ++ + static void watchpoint_handler(unsigned long addr, unsigned int fsr, + struct pt_regs *regs) + { +@@ -747,16 +753,27 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + } + + pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); ++ ++ /* ++ * If we triggered a user watchpoint from a uaccess routine, ++ * then handle the stepping ourselves since userspace really ++ * can't help us with this. ++ */ ++ if (watchpoint_fault_on_uaccess(regs, info)) ++ goto step; ++ + perf_bp_event(wp, regs); + + /* +- * If no overflow handler is present, insert a temporary +- * mismatch breakpoint so we can single-step over the +- * watchpoint trigger. ++ * Defer stepping to the overflow handler if one is installed. ++ * Otherwise, insert a temporary mismatch breakpoint so that ++ * we can single-step over the watchpoint trigger. + */ +- if (is_default_overflow_handler(wp)) +- enable_single_step(wp, instruction_pointer(regs)); ++ if (!is_default_overflow_handler(wp)) ++ goto unlock; + ++step: ++ enable_single_step(wp, instruction_pointer(regs)); + unlock: + rcu_read_unlock(); + } +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index 92b72375c4c72..6e8a50de40e2b 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -19,6 +19,19 @@ + * A simple function epilogue looks like this: + * ldm sp, {fp, sp, pc} + * ++ * When compiled with clang, pc and sp are not pushed. A simple function ++ * prologue looks like this when built with clang: ++ * ++ * stmdb {..., fp, lr} ++ * add fp, sp, #x ++ * sub sp, sp, #y ++ * ++ * A simple function epilogue looks like this when built with clang: ++ * ++ * sub sp, fp, #x ++ * ldm {..., fp, pc} ++ * ++ * + * Note that with framepointer enabled, even the leaf functions have the same + * prologue and epilogue, therefore we can ignore the LR value in this case. + */ +@@ -31,6 +44,16 @@ int notrace unwind_frame(struct stackframe *frame) + low = frame->sp; + high = ALIGN(low, THREAD_SIZE); + ++#ifdef CONFIG_CC_IS_CLANG ++ /* check current frame pointer is within bounds */ ++ if (fp < low + 4 || fp > high - 4) ++ return -EINVAL; ++ ++ frame->sp = frame->fp; ++ frame->fp = *(unsigned long *)(fp); ++ frame->pc = frame->lr; ++ frame->lr = *(unsigned long *)(fp + 4); ++#else + /* check current frame pointer is within bounds */ + if (fp < low + 12 || fp > high - 4) + return -EINVAL; +@@ -39,6 +62,7 @@ int notrace unwind_frame(struct stackframe *frame) + frame->fp = *(unsigned long *)(fp - 12); + frame->sp = *(unsigned long *)(fp - 8); + frame->pc = *(unsigned long *)(fp - 4); ++#endif + + return 0; + } +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 8ba0e2e5ad97c..0efac1404418e 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -411,13 +411,13 @@ static void __init at91_pm_sram_init(void) + sram_pool = gen_pool_get(&pdev->dev, NULL); + if (!sram_pool) { + pr_warn("%s: sram pool unavailable!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz); + if (!sram_base) { + pr_warn("%s: unable to alloc sram!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base); +@@ -425,12 +425,17 @@ static void __init at91_pm_sram_init(void) + at91_pm_suspend_in_sram_sz, false); + if (!at91_suspend_sram_fn) { + pr_warn("SRAM: Could not map\n"); +- return; ++ goto out_put_device; + } + + /* Copy the pm suspend handler to SRAM */ + at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn, + &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz); ++ return; ++ ++out_put_device: ++ put_device(&pdev->dev); ++ return; + } + + static const struct of_device_id atmel_pmc_ids[] __initconst = { +diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c +index c378ab0c24317..93f2245c97750 100644 +--- a/arch/arm/mach-socfpga/pm.c ++++ b/arch/arm/mach-socfpga/pm.c +@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!suspend_ocram_base) { + pr_warn("%s: __arm_ioremap_exec failed!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + /* Copy the code that puts DDR in self refresh to ocram */ +@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!socfpga_sdram_self_refresh_in_ocram) + ret = -EFAULT; + ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(np); + +diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +index c528dd52ba2d3..2f7d144d556da 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +@@ -131,6 +131,7 @@ + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1150000>; + regulator-enable-ramp-delay = <125>; ++ regulator-always-on; + }; + + ldo8_reg: LDO8 { +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index 10c83e11c272f..fabc0cebe2aa2 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -542,7 +542,7 @@ + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + cdc_pdm_lines_sus: pdm_lines_off { +@@ -571,7 +571,7 @@ + pins = "gpio113", "gpio114", "gpio115", + "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -599,7 +599,7 @@ + pinconf { + pins = "gpio110"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -625,7 +625,7 @@ + pinconf { + pins = "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_mclk_tlmm_lines_sus: mclk_lines_off { +@@ -653,7 +653,7 @@ + pins = "gpio112", "gpio117", "gpio118", + "gpio119"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_sec_tlmm_lines_sus: tlmm_lines_off { +diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h +index 09f65339d66df..e6d66c508d81b 100644 +--- a/arch/arm64/include/asm/checksum.h ++++ b/arch/arm64/include/asm/checksum.h +@@ -30,16 +30,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) + { + __uint128_t tmp; + u64 sum; ++ int n = ihl; /* we want it signed */ + + tmp = *(const __uint128_t *)iph; + iph += 16; +- ihl -= 4; ++ n -= 4; + tmp += ((tmp >> 64) | (tmp << 64)); + sum = tmp >> 64; + do { + sum += *(const u32 *)iph; + iph += 4; +- } while (--ihl); ++ } while (--n > 0); + + sum += ((sum >> 32) | (sum << 32)); + return csum_fold(sum >> 32); +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index 7990b6f50105b..cb516cacc819b 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -173,7 +173,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8 + + static __inline__ void iop_stop(volatile struct mac_iop *iop) + { +- iop->status_ctrl &= ~IOP_RUN; ++ iop->status_ctrl = IOP_AUTOINC; + } + + static __inline__ void iop_start(volatile struct mac_iop *iop) +@@ -181,14 +181,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop) + iop->status_ctrl = IOP_RUN | IOP_AUTOINC; + } + +-static __inline__ void iop_bypass(volatile struct mac_iop *iop) +-{ +- iop->status_ctrl |= IOP_BYPASS; +-} +- + static __inline__ void iop_interrupt(volatile struct mac_iop *iop) + { +- iop->status_ctrl |= IOP_IRQ; ++ iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC; + } + + static int iop_alive(volatile struct mac_iop *iop) +@@ -239,7 +234,6 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_SCC]->status_ctrl = 0x87; + iop_scc_present = 1; + } else { + iop_base[IOP_NUM_SCC] = NULL; +@@ -251,7 +245,7 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_ISM]->status_ctrl = 0; ++ iop_stop(iop_base[IOP_NUM_ISM]); + iop_ism_present = 1; + } else { + iop_base[IOP_NUM_ISM] = NULL; +@@ -416,7 +410,8 @@ static void iop_handle_send(uint iop_num, uint chan) + iop_free_msg(msg2); + + iop_send_queue[iop_num][chan] = msg; +- if (msg) iop_do_send(msg); ++ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) ++ iop_do_send(msg); + } + + /* +@@ -497,16 +492,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata, + + if (!(q = iop_send_queue[iop_num][chan])) { + iop_send_queue[iop_num][chan] = msg; ++ iop_do_send(msg); + } else { + while (q->next) q = q->next; + q->next = msg; + } + +- if (iop_readb(iop_base[iop_num], +- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) { +- iop_do_send(msg); +- } +- + return 0; + } + +diff --git a/arch/mips/include/uapi/asm/Kbuild b/arch/mips/include/uapi/asm/Kbuild +index f2cf414611467..6298280cb2fe0 100644 +--- a/arch/mips/include/uapi/asm/Kbuild ++++ b/arch/mips/include/uapi/asm/Kbuild +@@ -39,3 +39,6 @@ header-y += termbits.h + header-y += termios.h + header-y += types.h + header-y += unistd.h ++header-y += hwcap.h ++header-y += reg.h ++header-y += ucontext.h +diff --git a/arch/mips/kernel/topology.c b/arch/mips/kernel/topology.c +index cf3eb61fad121..68da7613874aa 100644 +--- a/arch/mips/kernel/topology.c ++++ b/arch/mips/kernel/topology.c +@@ -19,7 +19,7 @@ static int __init topology_init(void) + for_each_present_cpu(i) { + struct cpu *c = &per_cpu(cpu_devices, i); + +- c->hotpluggable = 1; ++ c->hotpluggable = !!i; + ret = register_cpu(c, i); + if (ret) + printk(KERN_WARNING "topology_init: register_cpu %d " +diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h +index 90253bdc2ee5e..536690a68917c 100644 +--- a/arch/parisc/include/asm/cmpxchg.h ++++ b/arch/parisc/include/asm/cmpxchg.h +@@ -59,6 +59,7 @@ extern void __cmpxchg_called_with_bad_pointer(void); + extern unsigned long __cmpxchg_u32(volatile unsigned int *m, unsigned int old, + unsigned int new_); + extern u64 __cmpxchg_u64(volatile u64 *ptr, u64 old, u64 new_); ++extern u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new_); + + /* don't worry...optimizer will get rid of most of this */ + static inline unsigned long +@@ -70,6 +71,7 @@ __cmpxchg(volatile void *ptr, unsigned long old, unsigned long new_, int size) + #endif + case 4: return __cmpxchg_u32((unsigned int *)ptr, + (unsigned int)old, (unsigned int)new_); ++ case 1: return __cmpxchg_u8((u8 *)ptr, (u8)old, (u8)new_); + } + __cmpxchg_called_with_bad_pointer(); + return old; +diff --git a/arch/parisc/lib/bitops.c b/arch/parisc/lib/bitops.c +index 8e45b0a97abf6..3284a7adb0a35 100644 +--- a/arch/parisc/lib/bitops.c ++++ b/arch/parisc/lib/bitops.c +@@ -78,3 +78,15 @@ unsigned long __cmpxchg_u32(volatile unsigned int *ptr, unsigned int old, unsign + _atomic_spin_unlock_irqrestore(ptr, flags); + return (unsigned long)prev; + } ++ ++u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new) ++{ ++ unsigned long flags; ++ u8 prev; ++ ++ _atomic_spin_lock_irqsave(ptr, flags); ++ if ((prev = *ptr) == old) ++ *ptr = new; ++ _atomic_spin_unlock_irqrestore(ptr, flags); ++ return prev; ++} +diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h +index 2cedefddba37f..61c78205a1d36 100644 +--- a/arch/powerpc/include/asm/percpu.h ++++ b/arch/powerpc/include/asm/percpu.h +@@ -9,8 +9,6 @@ + + #ifdef CONFIG_SMP + +-#include +- + #define __my_cpu_offset local_paca->data_offset + + #endif /* CONFIG_SMP */ +@@ -18,4 +16,6 @@ + + #include + ++#include ++ + #endif /* _ASM_POWERPC_PERCPU_H_ */ +diff --git a/arch/powerpc/include/uapi/asm/Kbuild b/arch/powerpc/include/uapi/asm/Kbuild +index dab3717e3ea09..95cff47822180 100644 +--- a/arch/powerpc/include/uapi/asm/Kbuild ++++ b/arch/powerpc/include/uapi/asm/Kbuild +@@ -45,3 +45,4 @@ header-y += tm.h + header-y += types.h + header-y += ucontext.h + header-y += unistd.h ++header-y += perf_regs.h +diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c +index 4111d30badfad..d24aea160352b 100644 +--- a/arch/powerpc/kernel/vdso.c ++++ b/arch/powerpc/kernel/vdso.c +@@ -704,7 +704,7 @@ int vdso_getcpu_init(void) + node = cpu_to_node(cpu); + WARN_ON_ONCE(node > 0xffff); + +- val = (cpu & 0xfff) | ((node & 0xffff) << 16); ++ val = (cpu & 0xffff) | ((node & 0xffff) << 16); + mtspr(SPRN_SPRG_VDSO_WRITE, val); + get_paca()->sprg_vdso = val; + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index eee45b9220e04..1fd0b684bf5fc 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -29,7 +29,7 @@ static bool rtas_hp_event; + unsigned long pseries_memory_block_size(void) + { + struct device_node *np; +- unsigned int memblock_size = MIN_MEMORY_BLOCK_SIZE; ++ u64 memblock_size = MIN_MEMORY_BLOCK_SIZE; + struct resource r; + + np = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory"); +diff --git a/arch/sh/boards/mach-landisk/setup.c b/arch/sh/boards/mach-landisk/setup.c +index f1147caebacf0..af69fb7fef7c7 100644 +--- a/arch/sh/boards/mach-landisk/setup.c ++++ b/arch/sh/boards/mach-landisk/setup.c +@@ -85,6 +85,9 @@ device_initcall(landisk_devices_setup); + + static void __init landisk_setup(char **cmdline_p) + { ++ /* I/O port identity mapping */ ++ __set_io_port_base(0); ++ + /* LED ON */ + __raw_writeb(__raw_readb(PA_LED) | 0x03, PA_LED); + +diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S +index 28cc61216b649..ed5b758c650d7 100644 +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -203,7 +203,7 @@ syscall_trace_entry: + mov.l @(OFF_R7,r15), r7 ! arg3 + mov.l @(OFF_R3,r15), r3 ! syscall_nr + ! +- mov.l 2f, r10 ! Number of syscalls ++ mov.l 6f, r10 ! Number of syscalls + cmp/hs r10, r3 + bf syscall_call + mov #-ENOSYS, r0 +@@ -357,7 +357,7 @@ ENTRY(system_call) + tst r9, r8 + bf syscall_trace_entry + ! +- mov.l 2f, r8 ! Number of syscalls ++ mov.l 6f, r8 ! Number of syscalls + cmp/hs r8, r3 + bt syscall_badsys + ! +@@ -396,7 +396,7 @@ syscall_exit: + #if !defined(CONFIG_CPU_SH2) + 1: .long TRA + #endif +-2: .long NR_syscalls ++6: .long NR_syscalls + 3: .long sys_call_table + 7: .long do_syscall_trace_enter + 8: .long do_syscall_trace_leave +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index 26d5451b6b421..32e459ecff7a9 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -205,7 +205,7 @@ spurious_8259A_irq: + * lets ACK and report it. [once per IRQ] + */ + if (!(spurious_irq_mask & irqmask)) { +- printk(KERN_DEBUG ++ printk_deferred(KERN_DEBUG + "spurious 8259A interrupt: IRQ%d.\n", irq); + spurious_irq_mask |= irqmask; + } +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 097268f85e4ee..a1082dc61bb96 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -329,7 +329,8 @@ SECTIONS + .bss : AT(ADDR(.bss) - LOAD_OFFSET) { + __bss_start = .; + *(.bss..page_aligned) +- *(.bss) ++ . = ALIGN(PAGE_SIZE); ++ *(BSS_MAIN) + . = ALIGN(PAGE_SIZE); + __bss_stop = .; + } +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 3988e26af3b58..bfed29a4c2cec 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1756,7 +1756,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data) + { + struct kvm_lapic *apic = vcpu->arch.apic; + +- if (!lapic_in_kernel(vcpu) || apic_lvtt_oneshot(apic) || ++ if (!kvm_apic_present(vcpu) || apic_lvtt_oneshot(apic) || + apic_lvtt_period(apic)) + return; + +diff --git a/arch/xtensa/kernel/perf_event.c b/arch/xtensa/kernel/perf_event.c +index 0fecc8a2c0b58..f6dd8e148be8c 100644 +--- a/arch/xtensa/kernel/perf_event.c ++++ b/arch/xtensa/kernel/perf_event.c +@@ -404,7 +404,7 @@ static struct pmu xtensa_pmu = { + .read = xtensa_pmu_read, + }; + +-static int xtensa_pmu_setup(int cpu) ++static int xtensa_pmu_setup(unsigned int cpu) + { + unsigned i; + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index aed8d34592209..c2c391d5c5a1c 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -507,10 +507,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + (u8)access_byte_width; + } + } +- /* An additional reference for the container */ +- +- acpi_ut_add_reference(obj_desc->field.region_obj); +- + ACPI_DEBUG_PRINT((ACPI_DB_BFIELD, + "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n", + obj_desc->field.start_field_bit_offset, +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 529d6c38ea7ce..03a2282ceb9ca 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -591,11 +591,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + next_object = object->buffer_field.buffer_obj; + break; + +- case ACPI_TYPE_LOCAL_REGION_FIELD: +- +- next_object = object->field.region_obj; +- break; +- + case ACPI_TYPE_LOCAL_BANK_FIELD: + + next_object = object->bank_field.bank_obj; +@@ -636,6 +631,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + } + break; + ++ case ACPI_TYPE_LOCAL_REGION_FIELD: + case ACPI_TYPE_REGION: + default: + +diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c +index 480fa6ffbc090..04fca6db273ef 100644 +--- a/drivers/atm/atmtcp.c ++++ b/drivers/atm/atmtcp.c +@@ -432,9 +432,15 @@ static int atmtcp_remove_persistent(int itf) + return -EMEDIUMTYPE; + } + dev_data = PRIV(dev); +- if (!dev_data->persist) return 0; ++ if (!dev_data->persist) { ++ atm_dev_put(dev); ++ return 0; ++ } + dev_data->persist = 0; +- if (PRIV(dev)->vcc) return 0; ++ if (PRIV(dev)->vcc) { ++ atm_dev_put(dev); ++ return 0; ++ } + kfree(dev_data); + atm_dev_put(dev); + atm_dev_deregister(dev); +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index 871e7f4994e8c..667882e996ecc 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -303,8 +303,10 @@ static int intel_gtt_setup_scratch_page(void) + if (intel_private.needs_dmar) { + dma_addr = pci_map_page(intel_private.pcidev, page, 0, + PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); +- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) ++ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) { ++ __free_page(page); + return -EINVAL; ++ } + + intel_private.scratch_page_dma = dma_addr; + } else +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 4cbc73173701d..c417aa19f9962 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1211,6 +1211,7 @@ void add_interrupt_randomness(int irq, int irq_flags) + + fast_mix(fast_pool); + add_interrupt_bench(cycles); ++ this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]); + + if (unlikely(crng_init == 0)) { + if ((fast_pool->count >= 64) && +diff --git a/drivers/clk/sirf/clk-atlas6.c b/drivers/clk/sirf/clk-atlas6.c +index 665fa681b2e1e..1e6bdf22c3b64 100644 +--- a/drivers/clk/sirf/clk-atlas6.c ++++ b/drivers/clk/sirf/clk-atlas6.c +@@ -136,7 +136,7 @@ static void __init atlas6_clk_init(struct device_node *np) + + for (i = pll1; i < maxclk; i++) { + atlas6_clks[i] = clk_register(NULL, atlas6_clk_hw_array[i]); +- BUG_ON(!atlas6_clks[i]); ++ BUG_ON(IS_ERR(atlas6_clks[i])); + } + clk_register_clkdev(atlas6_clks[cpu], NULL, "cpu"); + clk_register_clkdev(atlas6_clks[io], NULL, "io"); +diff --git a/drivers/crypto/ccp/ccp-dev.h b/drivers/crypto/ccp/ccp-dev.h +index cfe21d0337454..56c8c9ba12bcc 100644 +--- a/drivers/crypto/ccp/ccp-dev.h ++++ b/drivers/crypto/ccp/ccp-dev.h +@@ -444,6 +444,7 @@ struct ccp_sg_workarea { + int nents; + + struct scatterlist *dma_sg; ++ struct scatterlist *dma_sg_head; + struct device *dma_dev; + unsigned int dma_count; + enum dma_data_direction dma_dir; +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index 7d4cd518e6022..c3f13d6505e15 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -52,7 +52,7 @@ static u32 ccp_gen_jobid(struct ccp_device *ccp) + static void ccp_sg_free(struct ccp_sg_workarea *wa) + { + if (wa->dma_count) +- dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir); ++ dma_unmap_sg(wa->dma_dev, wa->dma_sg_head, wa->nents, wa->dma_dir); + + wa->dma_count = 0; + } +@@ -81,6 +81,7 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, + return 0; + + wa->dma_sg = sg; ++ wa->dma_sg_head = sg; + wa->dma_dev = dev; + wa->dma_dir = dma_dir; + wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir); +@@ -93,14 +94,28 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, + static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len) + { + unsigned int nbytes = min_t(u64, len, wa->bytes_left); ++ unsigned int sg_combined_len = 0; + + if (!wa->sg) + return; + + wa->sg_used += nbytes; + wa->bytes_left -= nbytes; +- if (wa->sg_used == wa->sg->length) { +- wa->sg = sg_next(wa->sg); ++ if (wa->sg_used == sg_dma_len(wa->dma_sg)) { ++ /* Advance to the next DMA scatterlist entry */ ++ wa->dma_sg = sg_next(wa->dma_sg); ++ ++ /* In the case that the DMA mapped scatterlist has entries ++ * that have been merged, the non-DMA mapped scatterlist ++ * must be advanced multiple times for each merged entry. ++ * This ensures that the current non-DMA mapped entry ++ * corresponds to the current DMA mapped entry. ++ */ ++ do { ++ sg_combined_len += wa->sg->length; ++ wa->sg = sg_next(wa->sg); ++ } while (wa->sg_used > sg_combined_len); ++ + wa->sg_used = 0; + } + } +@@ -298,7 +313,7 @@ static unsigned int ccp_queue_buf(struct ccp_data *data, unsigned int from) + /* Update the structures and generate the count */ + buf_count = 0; + while (sg_wa->bytes_left && (buf_count < dm_wa->length)) { +- nbytes = min(sg_wa->sg->length - sg_wa->sg_used, ++ nbytes = min(sg_dma_len(sg_wa->dma_sg) - sg_wa->sg_used, + dm_wa->length - buf_count); + nbytes = min_t(u64, sg_wa->bytes_left, nbytes); + +@@ -330,11 +345,11 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, + * and destination. The resulting len values will always be <= UINT_MAX + * because the dma length is an unsigned int. + */ +- sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used; ++ sg_src_len = sg_dma_len(src->sg_wa.dma_sg) - src->sg_wa.sg_used; + sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len); + + if (dst) { +- sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used; ++ sg_dst_len = sg_dma_len(dst->sg_wa.dma_sg) - dst->sg_wa.sg_used; + sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len); + op_len = min(sg_src_len, sg_dst_len); + } else { +@@ -364,7 +379,7 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, + /* Enough data in the sg element, but we need to + * adjust for any previously copied data + */ +- op->src.u.dma.address = sg_dma_address(src->sg_wa.sg); ++ op->src.u.dma.address = sg_dma_address(src->sg_wa.dma_sg); + op->src.u.dma.offset = src->sg_wa.sg_used; + op->src.u.dma.length = op_len & ~(block_size - 1); + +@@ -385,7 +400,7 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, + /* Enough room in the sg element, but we need to + * adjust for any previously used area + */ +- op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg); ++ op->dst.u.dma.address = sg_dma_address(dst->sg_wa.dma_sg); + op->dst.u.dma.offset = dst->sg_wa.sg_used; + op->dst.u.dma.length = op->src.u.dma.length; + } +@@ -1216,8 +1231,9 @@ static int ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + digest_size); + break; + default: ++ kfree(hmac_buf); + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + + memset(&hmac_cmd, 0, sizeof(hmac_cmd)); +@@ -1446,7 +1462,7 @@ static int ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q, + dst.sg_wa.sg_used = 0; + for (i = 1; i <= src.sg_wa.dma_count; i++) { + if (!dst.sg_wa.sg || +- (dst.sg_wa.sg->length < src.sg_wa.sg->length)) { ++ (sg_dma_len(dst.sg_wa.sg) < sg_dma_len(src.sg_wa.sg))) { + ret = -EINVAL; + goto e_dst; + } +@@ -1472,8 +1488,8 @@ static int ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q, + goto e_dst; + } + +- dst.sg_wa.sg_used += src.sg_wa.sg->length; +- if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) { ++ dst.sg_wa.sg_used += sg_dma_len(src.sg_wa.sg); ++ if (dst.sg_wa.sg_used == sg_dma_len(dst.sg_wa.sg)) { + dst.sg_wa.sg = sg_next(dst.sg_wa.sg); + dst.sg_wa.sg_used = 0; + } +diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c +index e2454d90d9498..4f1cd83bf56f9 100644 +--- a/drivers/crypto/qat/qat_common/qat_uclo.c ++++ b/drivers/crypto/qat/qat_common/qat_uclo.c +@@ -332,13 +332,18 @@ static int qat_uclo_create_batch_init_list(struct icp_qat_fw_loader_handle + } + return 0; + out_err: ++ /* Do not free the list head unless we allocated it. */ ++ tail_old = tail_old->next; ++ if (flag) { ++ kfree(*init_tab_base); ++ *init_tab_base = NULL; ++ } ++ + while (tail_old) { + mem_init = tail_old->next; + kfree(tail_old); + tail_old = mem_init; + } +- if (flag) +- kfree(*init_tab_base); + return -ENOMEM; + } + +diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c +index 93da1a45c7161..470b02fc2de96 100644 +--- a/drivers/edac/edac_device_sysfs.c ++++ b/drivers/edac/edac_device_sysfs.c +@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev) + + /* Error exit stack */ + err_kobj_reg: ++ kobject_put(&edac_dev->kobj); + module_put(edac_dev->owner); + + err_out: +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index 6e3428ba400f3..622d117e25335 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void) + + /* Error unwind statck */ + kobject_init_and_add_fail: +- kfree(edac_pci_top_main_kobj); ++ kobject_put(edac_pci_top_main_kobj); + + kzalloc_fail: + module_put(THIS_MODULE); +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index b863386be9113..9e40914c09840 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -80,7 +80,7 @@ struct gpio_desc *of_get_named_gpiod_flags(struct device_node *np, + &gpiospec); + if (ret) { + pr_debug("%s: can't parse '%s' property of node '%s[%d]'\n", +- __func__, propname, np->full_name, index); ++ __func__, propname, np ? np->full_name : NULL, index); + return ERR_PTR(ret); + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index 24941a7b659f4..ab5134d920d96 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -452,8 +452,9 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + return n ? -EFAULT : 0; + } + case AMDGPU_INFO_DEV_INFO: { +- struct drm_amdgpu_info_device dev_info = {}; ++ struct drm_amdgpu_info_device dev_info; + ++ memset(&dev_info, 0, sizeof(dev_info)); + dev_info.device_id = dev->pdev->device; + dev_info.chip_rev = adev->rev_id; + dev_info.external_rev = adev->external_rev_id; +diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c +index 1205790ed960c..5ffe4b664cfbf 100644 +--- a/drivers/gpu/drm/drm_debugfs.c ++++ b/drivers/gpu/drm/drm_debugfs.c +@@ -287,13 +287,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf, + + buf[len] = '\0'; + +- if (!strcmp(buf, "on")) ++ if (sysfs_streq(buf, "on")) + connector->force = DRM_FORCE_ON; +- else if (!strcmp(buf, "digital")) ++ else if (sysfs_streq(buf, "digital")) + connector->force = DRM_FORCE_ON_DIGITAL; +- else if (!strcmp(buf, "off")) ++ else if (sysfs_streq(buf, "off")) + connector->force = DRM_FORCE_OFF; +- else if (!strcmp(buf, "unspecified")) ++ else if (sysfs_streq(buf, "unspecified")) + connector->force = DRM_FORCE_UNSPECIFIED; + else + return -EINVAL; +diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c +index ae5c0952a7a3b..3133aa6e89c18 100644 +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -694,9 +694,6 @@ err: + * @file_priv: drm file-private structure + * + * Open an object using the global name, returning a handle and the size. +- * +- * This handle (of course) holds a reference to the object, so the object +- * will not go away until the handle is deleted. + */ + int + drm_gem_open_ioctl(struct drm_device *dev, void *data, +@@ -721,14 +718,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data, + + /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */ + ret = drm_gem_handle_create_tail(file_priv, obj, &handle); +- drm_gem_object_unreference_unlocked(obj); + if (ret) +- return ret; ++ goto err; + + args->handle = handle; + args->size = obj->size; + +- return 0; ++err: ++ drm_gem_object_unreference_unlocked(obj); ++ return ret; + } + + /** +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index 1160a579e0dc0..99415808e9f91 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1029,11 +1029,11 @@ EXPORT_SYMBOL(mipi_dsi_dcs_set_pixel_format); + */ + int mipi_dsi_dcs_set_tear_scanline(struct mipi_dsi_device *dsi, u16 scanline) + { +- u8 payload[3] = { MIPI_DCS_SET_TEAR_SCANLINE, scanline >> 8, +- scanline & 0xff }; ++ u8 payload[2] = { scanline >> 8, scanline & 0xff }; + ssize_t err; + +- err = mipi_dsi_generic_write(dsi, payload, sizeof(payload)); ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_TEAR_SCANLINE, payload, ++ sizeof(payload)); + if (err < 0) + return err; + +diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c +index 89cf0090feaca..9ae515f3171ec 100644 +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -511,6 +511,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve) + return 0; + } + ++static void imx_tve_disable_regulator(void *data) ++{ ++ struct imx_tve *tve = data; ++ ++ regulator_disable(tve->dac_reg); ++} ++ + static bool imx_tve_readable_reg(struct device *dev, unsigned int reg) + { + return (reg % 4 == 0) && (reg <= 0xdc); +@@ -635,6 +642,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + ret = regulator_enable(tve->dac_reg); + if (ret) + return ret; ++ ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve); ++ if (ret) ++ return ret; + } + + tve->clk = devm_clk_get(dev, "tve"); +@@ -681,18 +691,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + return 0; + } + +-static void imx_tve_unbind(struct device *dev, struct device *master, +- void *data) +-{ +- struct imx_tve *tve = dev_get_drvdata(dev); +- +- if (!IS_ERR(tve->dac_reg)) +- regulator_disable(tve->dac_reg); +-} +- + static const struct component_ops imx_tve_ops = { + .bind = imx_tve_bind, +- .unbind = imx_tve_unbind, + }; + + static int imx_tve_probe(struct platform_device *pdev) +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 42829a942e33c..4e12d3d59651b 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -823,8 +823,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv) + + /* need to bring up power immediately if opening device */ + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + get_task_comm(tmpname, current); + snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); +@@ -912,8 +914,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + long ret; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { + case DRM_NOUVEAU_NVIF: +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 2b79e27dd89c6..275abc424ce25 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -584,6 +584,7 @@ fini: + drm_fb_helper_fini(&fbcon->helper); + free: + kfree(fbcon); ++ drm->fbcon = NULL; + return ret; + } + +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 505dca48b9f80..be6672da33a65 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (WARN_ON(ret < 0 && ret != -EACCES)) ++ if (WARN_ON(ret < 0 && ret != -EACCES)) { ++ pm_runtime_put_autosuspend(dev); + return; ++ } + + if (gem->import_attach) + drm_prime_gem_destroy(gem, nvbo->bo.sg); +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 68a2b25deb50d..57f32d1bb3127 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1041,7 +1041,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = { + static const struct panel_desc lg_lb070wv8 = { + .modes = &lg_lb070wv8_mode, + .num_modes = 1, +- .bpc = 16, ++ .bpc = 8, + .size = { + .width = 151, + .height = 91, +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index be43582811dfc..50bad42527b1c 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -4348,7 +4348,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + if (!pi->mem_gddr5) { +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 432ad7d73cb9b..99e23800cadc7 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -639,8 +639,10 @@ radeon_crtc_set_config(struct drm_mode_set *set) + dev = set->crtc->dev; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_crtc_helper_set_config(set); + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index 30bd4a6a9d466..7648fd0d10751 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -496,8 +496,10 @@ long radeon_drm_ioctl(struct file *filp, + long ret; + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_ioctl(filp, cmd, arg); + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index 4388ddeec8d24..96d2a564d9a3c 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -634,8 +634,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + file_priv->driver_priv = NULL; + + r = pm_runtime_get_sync(dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return r; ++ } + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +index 2134bb20fbe9d..2836154dbb126 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +@@ -159,12 +159,16 @@ static int panel_connector_get_modes(struct drm_connector *connector) + int i; + + for (i = 0; i < timings->num_timings; i++) { +- struct drm_display_mode *mode = drm_mode_create(dev); ++ struct drm_display_mode *mode; + struct videomode vm; + + if (videomode_from_timings(timings, &vm, i)) + break; + ++ mode = drm_mode_create(dev); ++ if (!mode) ++ break; ++ + drm_display_mode_from_videomode(&vm, mode); + + mode->type = DRM_MODE_TYPE_DRIVER; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 33ca24ab983e1..39ac7566b705b 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2109,7 +2109,7 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv, + ++i; + } + +- if (i != unit) { ++ if (&con->head == &dev_priv->dev->mode_config.connector_list) { + DRM_ERROR("Could not find initial display unit.\n"); + return -EINVAL; + } +@@ -2131,13 +2131,13 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv, + break; + } + +- if (mode->type & DRM_MODE_TYPE_PREFERRED) +- *p_mode = mode; +- else { ++ if (&mode->head == &con->modes) { + WARN_ONCE(true, "Could not find initial preferred mode.\n"); + *p_mode = list_first_entry(&con->modes, + struct drm_display_mode, + head); ++ } else { ++ *p_mode = mode; + } + + return 0; +diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c +index 50b73f3876fb7..098b86eb26d74 100644 +--- a/drivers/gpu/ipu-v3/ipu-image-convert.c ++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c +@@ -987,9 +987,10 @@ done: + return IRQ_WAKE_THREAD; + } + +-static irqreturn_t norotate_irq(int irq, void *data) ++static irqreturn_t eof_irq(int irq, void *data) + { + struct ipu_image_convert_chan *chan = data; ++ struct ipu_image_convert_priv *priv = chan->priv; + struct ipu_image_convert_ctx *ctx; + struct ipu_image_convert_run *run; + unsigned long flags; +@@ -1006,45 +1007,26 @@ static irqreturn_t norotate_irq(int irq, void *data) + + ctx = run->ctx; + +- if (ipu_rot_mode_is_irt(ctx->rot_mode)) { +- /* this is a rotation operation, just ignore */ +- spin_unlock_irqrestore(&chan->irqlock, flags); +- return IRQ_HANDLED; +- } +- +- ret = do_irq(run); +-out: +- spin_unlock_irqrestore(&chan->irqlock, flags); +- return ret; +-} +- +-static irqreturn_t rotate_irq(int irq, void *data) +-{ +- struct ipu_image_convert_chan *chan = data; +- struct ipu_image_convert_priv *priv = chan->priv; +- struct ipu_image_convert_ctx *ctx; +- struct ipu_image_convert_run *run; +- unsigned long flags; +- irqreturn_t ret; +- +- spin_lock_irqsave(&chan->irqlock, flags); +- +- /* get current run and its context */ +- run = chan->current_run; +- if (!run) { ++ if (irq == chan->out_eof_irq) { ++ if (ipu_rot_mode_is_irt(ctx->rot_mode)) { ++ /* this is a rotation op, just ignore */ ++ ret = IRQ_HANDLED; ++ goto out; ++ } ++ } else if (irq == chan->rot_out_eof_irq) { ++ if (!ipu_rot_mode_is_irt(ctx->rot_mode)) { ++ /* this was NOT a rotation op, shouldn't happen */ ++ dev_err(priv->ipu->dev, ++ "Unexpected rotation interrupt\n"); ++ ret = IRQ_HANDLED; ++ goto out; ++ } ++ } else { ++ dev_err(priv->ipu->dev, "Received unknown irq %d\n", irq); + ret = IRQ_NONE; + goto out; + } + +- ctx = run->ctx; +- +- if (!ipu_rot_mode_is_irt(ctx->rot_mode)) { +- /* this was NOT a rotation operation, shouldn't happen */ +- dev_err(priv->ipu->dev, "Unexpected rotation interrupt\n"); +- spin_unlock_irqrestore(&chan->irqlock, flags); +- return IRQ_HANDLED; +- } +- + ret = do_irq(run); + out: + spin_unlock_irqrestore(&chan->irqlock, flags); +@@ -1137,7 +1119,7 @@ static int get_ipu_resources(struct ipu_image_convert_chan *chan) + chan->out_chan, + IPU_IRQ_EOF); + +- ret = request_threaded_irq(chan->out_eof_irq, norotate_irq, do_bh, ++ ret = request_threaded_irq(chan->out_eof_irq, eof_irq, do_bh, + 0, "ipu-ic", chan); + if (ret < 0) { + dev_err(priv->ipu->dev, "could not acquire irq %d\n", +@@ -1150,7 +1132,7 @@ static int get_ipu_resources(struct ipu_image_convert_chan *chan) + chan->rotation_out_chan, + IPU_IRQ_EOF); + +- ret = request_threaded_irq(chan->rot_out_eof_irq, rotate_irq, do_bh, ++ ret = request_threaded_irq(chan->rot_out_eof_irq, eof_irq, do_bh, + 0, "ipu-ic", chan); + if (ret < 0) { + dev_err(priv->ipu->dev, "could not acquire irq %d\n", +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index 59c08d5b75d6a..45d6771fac8ce 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -382,10 +382,8 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->recv_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -442,11 +440,8 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->send_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; +- + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index 93b8069041bb1..4231673435e7b 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -527,13 +527,14 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + rcar_i2c_write(priv, ICSIER, SDR | SSR | SAR); + } + +- rcar_i2c_write(priv, ICSSR, ~SAR & 0xff); ++ /* Clear SSR, too, because of old STOPs to other clients than us */ ++ rcar_i2c_write(priv, ICSSR, ~(SAR | SSR) & 0xff); + } + + /* master sent stop */ + if (ssr_filtered & SSR) { + i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value); +- rcar_i2c_write(priv, ICSIER, SAR | SSR); ++ rcar_i2c_write(priv, ICSIER, SAR); + rcar_i2c_write(priv, ICSSR, ~SSR & 0xff); + } + +@@ -762,7 +763,7 @@ static int rcar_reg_slave(struct i2c_client *slave) + priv->slave = slave; + rcar_i2c_write(priv, ICSAR, slave->addr); + rcar_i2c_write(priv, ICSSR, 0); +- rcar_i2c_write(priv, ICSIER, SAR | SSR); ++ rcar_i2c_write(priv, ICSIER, SAR); + rcar_i2c_write(priv, ICSCR, SIE | SDBS); + + return 0; +diff --git a/drivers/iio/dac/ad5592r-base.c b/drivers/iio/dac/ad5592r-base.c +index 69bde59098542..5c998ac8c840b 100644 +--- a/drivers/iio/dac/ad5592r-base.c ++++ b/drivers/iio/dac/ad5592r-base.c +@@ -417,7 +417,7 @@ static int ad5592r_read_raw(struct iio_dev *iio_dev, + s64 tmp = *val * (3767897513LL / 25LL); + *val = div_s64_rem(tmp, 1000000000LL, val2); + +- ret = IIO_VAL_INT_PLUS_MICRO; ++ return IIO_VAL_INT_PLUS_MICRO; + } else { + int mult; + +@@ -448,7 +448,7 @@ static int ad5592r_read_raw(struct iio_dev *iio_dev, + ret = IIO_VAL_INT; + break; + default: +- ret = -EINVAL; ++ return -EINVAL; + } + + unlock: +diff --git a/drivers/input/mouse/sentelic.c b/drivers/input/mouse/sentelic.c +index 11c32ac8234b2..779d0b9341c0d 100644 +--- a/drivers/input/mouse/sentelic.c ++++ b/drivers/input/mouse/sentelic.c +@@ -454,7 +454,7 @@ static ssize_t fsp_attr_set_setreg(struct psmouse *psmouse, void *data, + + fsp_reg_write_enable(psmouse, false); + +- return count; ++ return retval; + } + + PSMOUSE_DEFINE_WO_ATTR(setreg, S_IWUSR, NULL, fsp_attr_set_setreg); +diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c +index 505548aafeff2..cec33e90e3998 100644 +--- a/drivers/iommu/omap-iommu-debug.c ++++ b/drivers/iommu/omap-iommu-debug.c +@@ -101,8 +101,11 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf, + mutex_lock(&iommu_debug_lock); + + bytes = omap_iommu_dump_ctx(obj, p, count); ++ if (bytes < 0) ++ goto err; + bytes = simple_read_from_buffer(userbuf, count, ppos, buf, bytes); + ++err: + mutex_unlock(&iommu_debug_lock); + kfree(buf); + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index aa84e5b375931..7d3f23bad88dd 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -110,6 +110,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev) + { + led_cdev->flags |= LED_SUSPENDED; + led_set_brightness_nopm(led_cdev, 0); ++ flush_work(&led_cdev->set_brightness_work); + } + EXPORT_SYMBOL_GPL(led_classdev_suspend); + +diff --git a/drivers/leds/leds-88pm860x.c b/drivers/leds/leds-88pm860x.c +index 77a104d2b1243..13f414ff6fd00 100644 +--- a/drivers/leds/leds-88pm860x.c ++++ b/drivers/leds/leds-88pm860x.c +@@ -207,21 +207,33 @@ static int pm860x_led_probe(struct platform_device *pdev) + data->cdev.brightness_set_blocking = pm860x_led_set; + mutex_init(&data->lock); + +- ret = devm_led_classdev_register(chip->dev, &data->cdev); ++ ret = led_classdev_register(chip->dev, &data->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + pm860x_led_set(&data->cdev, 0); ++ ++ platform_set_drvdata(pdev, data); ++ + return 0; + } + ++static int pm860x_led_remove(struct platform_device *pdev) ++{ ++ struct pm860x_led *data = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&data->cdev); ++ ++ return 0; ++} + + static struct platform_driver pm860x_led_driver = { + .driver = { + .name = "88pm860x-led", + }, + .probe = pm860x_led_probe, ++ .remove = pm860x_led_remove, + }; + + module_platform_driver(pm860x_led_driver); +diff --git a/drivers/leds/leds-da903x.c b/drivers/leds/leds-da903x.c +index 5ff7d72f73aa4..ecc265bb69a02 100644 +--- a/drivers/leds/leds-da903x.c ++++ b/drivers/leds/leds-da903x.c +@@ -113,12 +113,23 @@ static int da903x_led_probe(struct platform_device *pdev) + led->flags = pdata->flags; + led->master = pdev->dev.parent; + +- ret = devm_led_classdev_register(led->master, &led->cdev); ++ ret = led_classdev_register(led->master, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", id); + return ret; + } + ++ platform_set_drvdata(pdev, led); ++ ++ return 0; ++} ++ ++static int da903x_led_remove(struct platform_device *pdev) ++{ ++ struct da903x_led *led = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&led->cdev); ++ + return 0; + } + +@@ -127,6 +138,7 @@ static struct platform_driver da903x_led_driver = { + .name = "da903x-led", + }, + .probe = da903x_led_probe, ++ .remove = da903x_led_remove, + }; + + module_platform_driver(da903x_led_driver); +diff --git a/drivers/leds/leds-lm3533.c b/drivers/leds/leds-lm3533.c +index 5b529dc013d29..3d147489fc452 100644 +--- a/drivers/leds/leds-lm3533.c ++++ b/drivers/leds/leds-lm3533.c +@@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, led); + +- ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); ++ ret = led_classdev_register(pdev->dev.parent, &led->cdev); + if (ret) { + dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); + return ret; +@@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platform_device *pdev) + + ret = lm3533_led_setup(led, pdata); + if (ret) +- return ret; ++ goto err_deregister; + + ret = lm3533_ctrlbank_enable(&led->cb); + if (ret) +- return ret; ++ goto err_deregister; + + return 0; ++ ++err_deregister: ++ led_classdev_unregister(&led->cdev); ++ ++ return ret; + } + + static int lm3533_led_remove(struct platform_device *pdev) +@@ -724,6 +729,7 @@ static int lm3533_led_remove(struct platform_device *pdev) + dev_dbg(&pdev->dev, "%s\n", __func__); + + lm3533_ctrlbank_disable(&led->cb); ++ led_classdev_unregister(&led->cdev); + + return 0; + } +diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c +index 6cb94f9a2f3f3..b9c60dd2b1327 100644 +--- a/drivers/leds/leds-lm355x.c ++++ b/drivers/leds/leds-lm355x.c +@@ -168,18 +168,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip) + /* input and output pins configuration */ + switch (chip->type) { + case CHIP_LM3554: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin; + ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val); + if (ret < 0) + goto out; +- reg_val = pdata->pass_mode; ++ reg_val = (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val); + if (ret < 0) + goto out; + break; + + case CHIP_LM3556: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin | ++ (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val); + if (ret < 0) + goto out; +diff --git a/drivers/leds/leds-wm831x-status.c b/drivers/leds/leds-wm831x-status.c +index be93b20e792a7..4f0ba19c35773 100644 +--- a/drivers/leds/leds-wm831x-status.c ++++ b/drivers/leds/leds-wm831x-status.c +@@ -283,12 +283,23 @@ static int wm831x_status_probe(struct platform_device *pdev) + drvdata->cdev.blink_set = wm831x_status_blink_set; + drvdata->cdev.groups = wm831x_status_groups; + +- ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev); ++ ret = led_classdev_register(wm831x->dev, &drvdata->cdev); + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); + return ret; + } + ++ platform_set_drvdata(pdev, drvdata); ++ ++ return 0; ++} ++ ++static int wm831x_status_remove(struct platform_device *pdev) ++{ ++ struct wm831x_status *drvdata = platform_get_drvdata(pdev); ++ ++ led_classdev_unregister(&drvdata->cdev); ++ + return 0; + } + +@@ -297,6 +308,7 @@ static struct platform_driver wm831x_status_driver = { + .name = "wm831x-status", + }, + .probe = wm831x_status_probe, ++ .remove = wm831x_status_remove, + }; + + module_platform_driver(wm831x_status_driver); +diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c +index 158eae17031c4..1440436214291 100644 +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -317,7 +317,7 @@ int bch_btree_keys_alloc(struct btree_keys *b, unsigned page_order, gfp_t gfp) + + b->page_order = page_order; + +- t->data = (void *) __get_free_pages(gfp, b->page_order); ++ t->data = (void *) __get_free_pages(__GFP_COMP|gfp, b->page_order); + if (!t->data) + goto err; + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 12849829077dd..764d519a7f1c6 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -790,7 +790,7 @@ int bch_btree_cache_alloc(struct cache_set *c) + mutex_init(&c->verify_lock); + + c->verify_ondisk = (void *) +- __get_free_pages(GFP_KERNEL, ilog2(bucket_pages(c))); ++ __get_free_pages(GFP_KERNEL|__GFP_COMP, ilog2(bucket_pages(c))); + + c->verify_data = mca_bucket_alloc(c, &ZERO_KEY, GFP_KERNEL); + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index 6ee5370eb9169..423cb1a310d62 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -839,8 +839,8 @@ int bch_journal_alloc(struct cache_set *c) + j->w[1].c = c; + + if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) || +- !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) || +- !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS))) ++ !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)) || ++ !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS))) + return -ENOMEM; + + return 0; +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 526e9d5a4fb16..95e9a33de06a2 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1468,7 +1468,7 @@ void bch_cache_set_unregister(struct cache_set *c) + } + + #define alloc_bucket_pages(gfp, c) \ +- ((void *) __get_free_pages(__GFP_ZERO|gfp, ilog2(bucket_pages(c)))) ++ ((void *) __get_free_pages(__GFP_ZERO|__GFP_COMP|gfp, ilog2(bucket_pages(c)))) + + struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + { +@@ -1778,7 +1778,14 @@ found: + sysfs_create_link(&c->kobj, &ca->kobj, buf)) + goto err; + +- if (ca->sb.seq > c->sb.seq) { ++ /* ++ * A special case is both ca->sb.seq and c->sb.seq are 0, ++ * such condition happens on a new created cache device whose ++ * super block is never flushed yet. In this case c->sb.version ++ * and other members should be updated too, otherwise we will ++ * have a mistaken super block version in cache set. ++ */ ++ if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { + c->sb.version = ca->sb.version; + memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); + c->sb.flags = ca->sb.flags; +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index e870b09b2c84d..d08c63aaf10bb 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1234,6 +1234,7 @@ static void unlock_all_bitmaps(struct mddev *mddev) + } + } + kfree(cinfo->other_bitmap_lockres); ++ cinfo->other_bitmap_lockres = NULL; + } + } + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 1143860f00283..30a853b187802 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3364,6 +3364,7 @@ static int need_this_block(struct stripe_head *sh, struct stripe_head_state *s, + * is missing/faulty, then we need to read everything we can. + */ + if (sh->raid_conf->level != 6 && ++ sh->raid_conf->rmw_level != PARITY_DISABLE_RMW && + sh->sector < sh->raid_conf->mddev->recovery_cp) + /* reconstruct-write isn't being forced */ + return 0; +@@ -4498,7 +4499,7 @@ static void handle_stripe(struct stripe_head *sh) + * or to load a block that is being partially written. + */ + if (s.to_read || s.non_overwrite +- || (conf->level == 6 && s.to_write && s.failed) ++ || (s.to_write && s.failed) + || (s.syncing && (s.uptodate + s.compute < disks)) + || s.replacing + || s.expanding) +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 247f0e7cb5f7f..5d634706a7eaa 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); ++ if (name_len < 0) ++ return name_len; + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c +index c1aa888af7054..83864a99d3a66 100644 +--- a/drivers/media/pci/cx23885/cx23888-ir.c ++++ b/drivers/media/pci/cx23885/cx23888-ir.c +@@ -1179,8 +1179,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev) + return -ENOMEM; + + spin_lock_init(&state->rx_kfifo_lock); +- if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL)) ++ if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, ++ GFP_KERNEL)) { ++ kfree(state); + return -ENOMEM; ++ } + + state->dev = dev; + sd = &state->sd; +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index ef6ccb5b89525..cdaf3a8e2555e 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1257,6 +1257,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); ++ if (IS_ERR(pctl->state_idle)) ++ return PTR_ERR(pctl->state_idle); ++ + return 0; + } + +diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c +index e981eb2330f18..ac005ae4d21b4 100644 +--- a/drivers/media/platform/omap3isp/isppreview.c ++++ b/drivers/media/platform/omap3isp/isppreview.c +@@ -2290,7 +2290,7 @@ static int preview_init_entities(struct isp_prev_device *prev) + me->ops = &preview_media_ops; + ret = media_entity_pads_init(me, PREV_PADS_NUM, pads); + if (ret < 0) +- return ret; ++ goto error_handler_free; + + preview_init_formats(sd, NULL); + +@@ -2323,6 +2323,8 @@ error_video_out: + omap3isp_video_cleanup(&prev->video_in); + error_video_in: + media_entity_cleanup(&prev->subdev.entity); ++error_handler_free: ++ v4l2_ctrl_handler_free(&prev->ctrls); + return ret; + } + +diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c +index 1f0c2b594654e..3382845d4b67d 100644 +--- a/drivers/mfd/arizona-core.c ++++ b/drivers/mfd/arizona-core.c +@@ -1537,6 +1537,15 @@ err_irq: + arizona_irq_exit(arizona); + err_pm: + pm_runtime_disable(arizona->dev); ++ ++ switch (arizona->pdata.clk32k_src) { ++ case ARIZONA_32KZ_MCLK1: ++ case ARIZONA_32KZ_MCLK2: ++ arizona_clk32k_disable(arizona); ++ break; ++ default: ++ break; ++ } + err_reset: + arizona_enable_reset(arizona); + regulator_disable(arizona->dcvdd); +@@ -1558,6 +1567,15 @@ int arizona_dev_exit(struct arizona *arizona) + regulator_disable(arizona->dcvdd); + regulator_put(arizona->dcvdd); + ++ switch (arizona->pdata.clk32k_src) { ++ case ARIZONA_32KZ_MCLK1: ++ case ARIZONA_32KZ_MCLK2: ++ arizona_clk32k_disable(arizona); ++ break; ++ default: ++ break; ++ } ++ + mfd_remove_devices(arizona->dev); + arizona_free_irq(arizona, ARIZONA_IRQ_UNDERCLOCKED, arizona); + arizona_free_irq(arizona, ARIZONA_IRQ_OVERCLOCKED, arizona); +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 672831d5ee32e..97a69cd6f1278 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -294,7 +294,11 @@ static void dln2_rx(struct urb *urb) + len = urb->actual_length - sizeof(struct dln2_header); + + if (handle == DLN2_HANDLE_EVENT) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&dln2->event_cb_lock, flags); + dln2_run_event_callbacks(dln2, id, echo, data, len); ++ spin_unlock_irqrestore(&dln2->event_cb_lock, flags); + } else { + /* URB will be re-submitted in _dln2_transfer (free_rx_slot) */ + if (dln2_transfer_complete(dln2, urb, handle, echo)) +diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c +index a8b6d6a635e96..e97b3b26805d1 100644 +--- a/drivers/misc/cxl/sysfs.c ++++ b/drivers/misc/cxl/sysfs.c +@@ -598,7 +598,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c + rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type, + &afu->dev.kobj, "cr%i", cr->cr); + if (rc) +- goto err; ++ goto err1; + + rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr); + if (rc) +diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c +index 95b6a6640bca4..331183548bc58 100644 +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -372,9 +372,6 @@ static int mtdchar_writeoob(struct file *file, struct mtd_info *mtd, + uint32_t retlen; + int ret = 0; + +- if (!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + if (length > 4096) + return -EINVAL; + +@@ -681,6 +678,48 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) + return -EFAULT; + } + ++ /* ++ * Check the file mode to require "dangerous" commands to have write ++ * permissions. ++ */ ++ switch (cmd) { ++ /* "safe" commands */ ++ case MEMGETREGIONCOUNT: ++ case MEMGETREGIONINFO: ++ case MEMGETINFO: ++ case MEMREADOOB: ++ case MEMREADOOB64: ++ case MEMLOCK: ++ case MEMUNLOCK: ++ case MEMISLOCKED: ++ case MEMGETOOBSEL: ++ case MEMGETBADBLOCK: ++ case MEMSETBADBLOCK: ++ case OTPSELECT: ++ case OTPGETREGIONCOUNT: ++ case OTPGETREGIONINFO: ++ case OTPLOCK: ++ case ECCGETLAYOUT: ++ case ECCGETSTATS: ++ case MTDFILEMODE: ++ case BLKPG: ++ case BLKRRPART: ++ break; ++ ++ /* "dangerous" commands */ ++ case MEMERASE: ++ case MEMERASE64: ++ case MEMWRITEOOB: ++ case MEMWRITEOOB64: ++ case MEMWRITE: ++ if (!(file->f_mode & FMODE_WRITE)) ++ return -EPERM; ++ break; ++ ++ default: ++ return -ENOTTY; ++ } ++ + switch (cmd) { + case MEMGETREGIONCOUNT: + if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int))) +@@ -728,9 +767,6 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) + { + struct erase_info *erase; + +- if(!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL); + if (!erase) + ret = -ENOMEM; +@@ -1051,9 +1087,6 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) + ret = 0; + break; + } +- +- default: +- ret = -ENOTTY; + } + + return ret; +@@ -1097,6 +1130,11 @@ static long mtdchar_compat_ioctl(struct file *file, unsigned int cmd, + struct mtd_oob_buf32 buf; + struct mtd_oob_buf32 __user *buf_user = argp; + ++ if (!(file->f_mode & FMODE_WRITE)) { ++ ret = -EPERM; ++ break; ++ } ++ + if (copy_from_user(&buf, argp, sizeof(buf))) + ret = -EFAULT; + else +diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c +index 380c4a2f65161..6a11f9916116c 100644 +--- a/drivers/net/ethernet/freescale/fman/fman.c ++++ b/drivers/net/ethernet/freescale/fman/fman.c +@@ -1446,8 +1446,7 @@ static void enable_time_stamp(struct fman *fman) + { + struct fman_fpm_regs __iomem *fpm_rg = fman->fpm_regs; + u16 fm_clk_freq = fman->state->fm_clk_freq; +- u32 tmp, intgr, ts_freq; +- u64 frac; ++ u32 tmp, intgr, ts_freq, frac; + + ts_freq = (u32)(1 << fman->state->count1_micro_bit); + /* configure timestamp so that bit 8 will count 1 microsecond +diff --git a/drivers/net/ethernet/freescale/fman/fman_dtsec.c b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +index 641b916f122ba..332b60f03d225 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +@@ -1095,7 +1095,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->multicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +@@ -1108,7 +1108,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->unicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_mac.h b/drivers/net/ethernet/freescale/fman/fman_mac.h +index dd6d0526f6c1f..19f327efdaff3 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_mac.h ++++ b/drivers/net/ethernet/freescale/fman/fman_mac.h +@@ -252,7 +252,7 @@ static inline struct eth_hash_t *alloc_hash_table(u16 size) + struct eth_hash_t *hash; + + /* Allocate address hash table */ +- hash = kmalloc_array(size, sizeof(struct eth_hash_t *), GFP_KERNEL); ++ hash = kmalloc(sizeof(*hash), GFP_KERNEL); + if (!hash) + return NULL; + +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index c30994a09a7c2..4b0be0cebd199 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -851,7 +851,6 @@ int memac_set_tx_pause_frames(struct fman_mac *memac, u8 priority, + + tmp = ioread32be(®s->command_config); + tmp &= ~CMD_CFG_PFC_MODE; +- priority = 0; + + iowrite32be(tmp, ®s->command_config); + +@@ -953,7 +952,7 @@ int memac_del_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr) + + list_for_each(pos, &memac->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c +index 9f3bb50a23651..4986f6ba278a3 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_port.c ++++ b/drivers/net/ethernet/freescale/fman/fman_port.c +@@ -1623,6 +1623,7 @@ static int fman_port_probe(struct platform_device *of_dev) + struct fman_port *port; + struct fman *fman; + struct device_node *fm_node, *port_node; ++ struct platform_device *fm_pdev; + struct resource res; + struct resource *dev_res; + u32 val; +@@ -1647,8 +1648,14 @@ static int fman_port_probe(struct platform_device *of_dev) + goto return_err; + } + +- fman = dev_get_drvdata(&of_find_device_by_node(fm_node)->dev); ++ fm_pdev = of_find_device_by_node(fm_node); + of_node_put(fm_node); ++ if (!fm_pdev) { ++ err = -EINVAL; ++ goto return_err; ++ } ++ ++ fman = dev_get_drvdata(&fm_pdev->dev); + if (!fman) { + err = -EINVAL; + goto return_err; +diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c +index e575259d20f40..c8ad9b8a75f8e 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c +@@ -585,7 +585,7 @@ int tgec_del_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr) + + list_for_each(pos, &tgec->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 20f7ab4aa2f15..d25b76440c114 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1515,7 +1515,7 @@ req_rx_irq_failed: + req_tx_irq_failed: + for (j = 0; j < i; j++) { + free_irq(adapter->tx_scrq[j]->irq, adapter->tx_scrq[j]); +- irq_dispose_mapping(adapter->rx_scrq[j]->irq); ++ irq_dispose_mapping(adapter->tx_scrq[j]->irq); + } + release_sub_crqs_no_irqs(adapter); + return rc; +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 90eab0521be12..43fb77c6c51ed 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -5381,9 +5381,18 @@ static void igb_reset_task(struct work_struct *work) + struct igb_adapter *adapter; + adapter = container_of(work, struct igb_adapter, reset_task); + ++ rtnl_lock(); ++ /* If we're already down or resetting, just bail */ ++ if (test_bit(__IGB_DOWN, &adapter->state) || ++ test_bit(__IGB_RESETTING, &adapter->state)) { ++ rtnl_unlock(); ++ return; ++ } ++ + igb_dump(adapter); + netdev_err(adapter->netdev, "Reset adapter\n"); + igb_reinit_locked(adapter); ++ rtnl_unlock(); + } + + /** +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c +index 751aac54f2d55..9b6a96074df80 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -4176,12 +4176,14 @@ end: + static void mlx4_shutdown(struct pci_dev *pdev) + { + struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev); ++ struct mlx4_dev *dev = persist->dev; + + mlx4_info(persist->dev, "mlx4_shutdown was called\n"); + mutex_lock(&persist->interface_state_mutex); + if (persist->interface_state & MLX4_INTERFACE_STATE_UP) + mlx4_unload_one(pdev); + mutex_unlock(&persist->interface_state_mutex); ++ mlx4_pci_disable_device(dev); + } + + static const struct pci_error_handlers mlx4_err_handler = { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index b210c171a3806..f3d3ad25f05e9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -139,7 +139,7 @@ int mlx5e_attr_get(struct net_device *dev, struct switchdev_attr *attr) + struct mlx5_eswitch_rep *rep = priv->ppriv; + struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; + +- if (esw->mode == SRIOV_NONE) ++ if (esw->mode != SRIOV_OFFLOADS) + return -EOPNOTSUPP; + + switch (attr->id) { +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index aa33d58b9f81c..808d924dbe21e 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1370,7 +1370,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans, + bulk_list, cb, cb_priv, tid); + if (err) { +- kfree(trans); ++ kfree_rcu(trans, rcu); + return err; + } + return 0; +@@ -1584,9 +1584,10 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb, + break; + } + } +- rcu_read_unlock(); +- if (!found) ++ if (!found) { ++ rcu_read_unlock(); + goto drop; ++ } + + pcpu_stats = this_cpu_ptr(mlxsw_core->pcpu_stats); + u64_stats_update_begin(&pcpu_stats->syncp); +@@ -1597,6 +1598,7 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb, + u64_stats_update_end(&pcpu_stats->syncp); + + rxl->func(skb, local_port, rxl_item->priv); ++ rcu_read_unlock(); + return; + + drop: +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index fd19372db2f86..6e1d38041d0ac 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -2158,7 +2158,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn) + index, attn_bits, attn_acks, asserted_bits, + deasserted_bits, p_sb_attn_sw->known_attn); + } else if (asserted_bits == 0x100) { +- DP_INFO(p_hwfn, "MFW indication via attention\n"); ++ DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, ++ "MFW indication via attention\n"); + } else { + DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, + "MFW indication [deassertion]\n"); +diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c +index 57b35aeac51a0..adc088033c15d 100644 +--- a/drivers/net/ethernet/qualcomm/emac/emac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac.c +@@ -477,13 +477,24 @@ static int emac_clks_phase1_init(struct platform_device *pdev, + + ret = clk_prepare_enable(adpt->clk[EMAC_CLK_CFG_AHB]); + if (ret) +- return ret; ++ goto disable_clk_axi; + + ret = clk_set_rate(adpt->clk[EMAC_CLK_HIGH_SPEED], 19200000); + if (ret) +- return ret; ++ goto disable_clk_cfg_ahb; ++ ++ ret = clk_prepare_enable(adpt->clk[EMAC_CLK_HIGH_SPEED]); ++ if (ret) ++ goto disable_clk_cfg_ahb; + +- return clk_prepare_enable(adpt->clk[EMAC_CLK_HIGH_SPEED]); ++ return 0; ++ ++disable_clk_cfg_ahb: ++ clk_disable_unprepare(adpt->clk[EMAC_CLK_CFG_AHB]); ++disable_clk_axi: ++ clk_disable_unprepare(adpt->clk[EMAC_CLK_AXI]); ++ ++ return ret; + } + + /* Enable clocks; needs emac_clks_phase1_init to be called before */ +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 545cb6262cffd..93d3152752ff4 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1444,6 +1444,7 @@ static void ravb_tx_timeout_work(struct work_struct *work) + struct ravb_private *priv = container_of(work, struct ravb_private, + work); + struct net_device *ndev = priv->ndev; ++ int error; + + netif_tx_stop_all_queues(ndev); + +@@ -1452,15 +1453,36 @@ static void ravb_tx_timeout_work(struct work_struct *work) + ravb_ptp_stop(ndev); + + /* Wait for DMA stopping */ +- ravb_stop_dma(ndev); ++ if (ravb_stop_dma(ndev)) { ++ /* If ravb_stop_dma() fails, the hardware is still operating ++ * for TX and/or RX. So, this should not call the following ++ * functions because ravb_dmac_init() is possible to fail too. ++ * Also, this should not retry ravb_stop_dma() again and again ++ * here because it's possible to wait forever. So, this just ++ * re-enables the TX and RX and skip the following ++ * re-initialization procedure. ++ */ ++ ravb_rcv_snd_enable(ndev); ++ goto out; ++ } + + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + + /* Device init */ +- ravb_dmac_init(ndev); ++ error = ravb_dmac_init(ndev); ++ if (error) { ++ /* If ravb_dmac_init() fails, descriptors are freed. So, this ++ * should return here to avoid re-enabling the TX and RX in ++ * ravb_emac_init(). ++ */ ++ netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n", ++ __func__, error); ++ return; ++ } + ravb_emac_init(ndev); + ++out: + /* Initialise PTP Clock driver */ + if (priv->chip_id == RCAR_GEN2) + ravb_ptp_init(ndev, priv->pdev); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +index bcc5d1e16ce2c..1924788d28da0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +@@ -362,6 +362,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + plat_dat->has_gmac = true; + plat_dat->bsp_priv = gmac; + plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed; ++ plat_dat->multicast_filter_bins = 0; + + err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); + if (err) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +index 3a2edf9f51e22..bd265eb36e70c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -172,6 +172,9 @@ static void dwmac1000_set_filter(struct mac_device_info *hw, + value = GMAC_FRAME_FILTER_PR; + } else if (dev->flags & IFF_ALLMULTI) { + value = GMAC_FRAME_FILTER_PM; /* pass all multi */ ++ } else if (!netdev_mc_empty(dev) && (mcbitslog2 == 0)) { ++ /* Fall back to all multicast if we've no filter */ ++ value = GMAC_FRAME_FILTER_PM; + } else if (!netdev_mc_empty(dev)) { + struct netdev_hw_addr *ha; + +diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c +index 1085987946212..9507ca2e02acd 100644 +--- a/drivers/net/ethernet/toshiba/spider_net.c ++++ b/drivers/net/ethernet/toshiba/spider_net.c +@@ -296,8 +296,8 @@ spider_net_free_chain(struct spider_net_card *card, + descr = descr->next; + } while (descr != chain->ring); + +- dma_free_coherent(&card->pdev->dev, chain->num_desc, +- chain->hwring, chain->dma_addr); ++ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr), ++ chain->hwring, chain->dma_addr); + } + + /** +diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c +index 8c73b2e771ddd..e6ff731d753d9 100644 +--- a/drivers/net/phy/mdio-bcm-unimac.c ++++ b/drivers/net/phy/mdio-bcm-unimac.c +@@ -177,6 +177,8 @@ static int unimac_mdio_probe(struct platform_device *pdev) + return -ENOMEM; + + r = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!r) ++ return -EINVAL; + + /* Just ioremap, as this MDIO block is usually integrated into an + * Ethernet MAC controller register range +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 27fc699d8be5b..c4b4c2c347647 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1404,8 +1404,9 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old) + unsigned long flags; + + if (old) +- hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", +- tty->termios.c_cflag, old->c_cflag); ++ hso_dbg(0x16, "Termios called with: cflags new[%u] - old[%u]\n", ++ (unsigned int)tty->termios.c_cflag, ++ (unsigned int)old->c_cflag); + + /* the actual setup */ + spin_lock_irqsave(&serial->serial_lock, flags); +@@ -2273,12 +2274,14 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, + + minor = get_free_serial_index(); + if (minor < 0) +- goto exit; ++ goto exit2; + + /* register our minor number */ + serial->parent->dev = tty_port_register_device_attr(&serial->port, + tty_drv, minor, &serial->parent->interface->dev, + serial->parent, hso_serial_dev_groups); ++ if (IS_ERR(serial->parent->dev)) ++ goto exit2; + dev = serial->parent->dev; + + /* fill in specific data for later use */ +@@ -2324,6 +2327,7 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, + return 0; + exit: + hso_serial_tty_unregister(serial); ++exit2: + hso_serial_common_free(serial); + return -1; + } +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 65e94dffaabc9..bca6237597233 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -315,10 +315,6 @@ struct lan78xx_net { + struct tasklet_struct bh; + struct delayed_work wq; + +- struct usb_host_endpoint *ep_blkin; +- struct usb_host_endpoint *ep_blkout; +- struct usb_host_endpoint *ep_intr; +- + int msg_enable; + + struct urb *urb_intr; +@@ -2554,78 +2550,12 @@ lan78xx_start_xmit(struct sk_buff *skb, struct net_device *net) + return NETDEV_TX_OK; + } + +-static int +-lan78xx_get_endpoints(struct lan78xx_net *dev, struct usb_interface *intf) +-{ +- int tmp; +- struct usb_host_interface *alt = NULL; +- struct usb_host_endpoint *in = NULL, *out = NULL; +- struct usb_host_endpoint *status = NULL; +- +- for (tmp = 0; tmp < intf->num_altsetting; tmp++) { +- unsigned ep; +- +- in = NULL; +- out = NULL; +- status = NULL; +- alt = intf->altsetting + tmp; +- +- for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) { +- struct usb_host_endpoint *e; +- int intr = 0; +- +- e = alt->endpoint + ep; +- switch (e->desc.bmAttributes) { +- case USB_ENDPOINT_XFER_INT: +- if (!usb_endpoint_dir_in(&e->desc)) +- continue; +- intr = 1; +- /* FALLTHROUGH */ +- case USB_ENDPOINT_XFER_BULK: +- break; +- default: +- continue; +- } +- if (usb_endpoint_dir_in(&e->desc)) { +- if (!intr && !in) +- in = e; +- else if (intr && !status) +- status = e; +- } else { +- if (!out) +- out = e; +- } +- } +- if (in && out) +- break; +- } +- if (!alt || !in || !out) +- return -EINVAL; +- +- dev->pipe_in = usb_rcvbulkpipe(dev->udev, +- in->desc.bEndpointAddress & +- USB_ENDPOINT_NUMBER_MASK); +- dev->pipe_out = usb_sndbulkpipe(dev->udev, +- out->desc.bEndpointAddress & +- USB_ENDPOINT_NUMBER_MASK); +- dev->ep_intr = status; +- +- return 0; +-} +- + static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf) + { + struct lan78xx_priv *pdata = NULL; + int ret; + int i; + +- ret = lan78xx_get_endpoints(dev, intf); +- if (ret) { +- netdev_warn(dev->net, "lan78xx_get_endpoints failed: %d\n", +- ret); +- return ret; +- } +- + dev->data[0] = (unsigned long)kzalloc(sizeof(*pdata), GFP_KERNEL); + + pdata = (struct lan78xx_priv *)(dev->data[0]); +@@ -3333,6 +3263,7 @@ static void lan78xx_stat_monitor(unsigned long param) + static int lan78xx_probe(struct usb_interface *intf, + const struct usb_device_id *id) + { ++ struct usb_host_endpoint *ep_blkin, *ep_blkout, *ep_intr; + struct lan78xx_net *dev; + struct net_device *netdev; + struct usb_device *udev; +@@ -3383,6 +3314,34 @@ static int lan78xx_probe(struct usb_interface *intf, + + mutex_init(&dev->stats.access_lock); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); ++ ep_blkin = usb_pipe_endpoint(udev, dev->pipe_in); ++ if (!ep_blkin || !usb_endpoint_is_bulk_in(&ep_blkin->desc)) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); ++ ep_blkout = usb_pipe_endpoint(udev, dev->pipe_out); ++ if (!ep_blkout || !usb_endpoint_is_bulk_out(&ep_blkout->desc)) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ ep_intr = &intf->cur_altsetting->endpoint[2]; ++ if (!usb_endpoint_is_int_in(&ep_intr->desc)) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ dev->pipe_intr = usb_rcvintpipe(dev->udev, ++ usb_endpoint_num(&ep_intr->desc)); ++ + ret = lan78xx_bind(dev, intf); + if (ret < 0) + goto out2; +@@ -3392,18 +3351,7 @@ static int lan78xx_probe(struct usb_interface *intf, + netdev->mtu = dev->hard_mtu - netdev->hard_header_len; + netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); + +- dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; +- dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; +- dev->ep_intr = (intf->cur_altsetting)->endpoint + 2; +- +- dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); +- dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); +- +- dev->pipe_intr = usb_rcvintpipe(dev->udev, +- dev->ep_intr->desc.bEndpointAddress & +- USB_ENDPOINT_NUMBER_MASK); +- period = dev->ep_intr->desc.bInterval; +- ++ period = ep_intr->desc.bInterval; + maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); + buf = kmalloc(maxp, GFP_KERNEL); + if (buf) { +@@ -3416,6 +3364,7 @@ static int lan78xx_probe(struct usb_interface *intf, + usb_fill_int_urb(dev->urb_intr, dev->udev, + dev->pipe_intr, buf, maxp, + intr_complete, dev, period); ++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; + } + } + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index b1470d30d079f..088bb5870ac5b 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -889,6 +889,7 @@ static int vxlan_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb, + for (h = 0; h < FDB_HASH_SIZE; ++h) { + struct vxlan_fdb *f; + ++ rcu_read_lock(); + hlist_for_each_entry_rcu(f, &vxlan->fdb_head[h], hlist) { + struct vxlan_rdst *rd; + +@@ -901,12 +902,15 @@ static int vxlan_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb, + cb->nlh->nlmsg_seq, + RTM_NEWNEIGH, + NLM_F_MULTI, rd); +- if (err < 0) ++ if (err < 0) { ++ rcu_read_unlock(); + goto out; ++ } + skip: + *idx += 1; + } + } ++ rcu_read_unlock(); + } + out: + return err; +@@ -2106,7 +2110,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + else if (info->key.tun_flags & TUNNEL_DONT_FRAGMENT) + df = htons(IP_DF); + +- tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); ++ tos = ip_tunnel_ecn_encap(tos, old_iph, skb); + ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); + err = vxlan_build_skb(skb, &rt->dst, sizeof(struct iphdr), + vni, md, flags, udp_sum); +@@ -2165,7 +2169,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + if (!info) + udp_sum = !(flags & VXLAN_F_UDP_ZERO_CSUM6_TX); + +- tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); ++ tos = ip_tunnel_ecn_encap(tos, old_iph, skb); + ttl = ttl ? : ip6_dst_hoplimit(ndst); + skb_scrub_packet(skb, xnet); + err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr), +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index f5657783fad4e..6eb0f7a85e531 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -160,6 +160,12 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, + if (!netif_running(dev)) + goto drop; + ++ /* There should be a pseudo header of 1 byte added by upper layers. ++ * Check to make sure it is there before reading it. ++ */ ++ if (skb->len < 1) ++ goto drop; ++ + switch (skb->data[0]) { + case X25_IFACE_DATA: + break; +@@ -308,6 +314,7 @@ static void lapbeth_setup(struct net_device *dev) + dev->netdev_ops = &lapbeth_netdev_ops; + dev->destructor = free_netdev; + dev->type = ARPHRD_X25; ++ dev->hard_header_len = 0; + dev->mtu = 1000; + dev->addr_len = 0; + } +@@ -334,7 +341,8 @@ static int lapbeth_new_device(struct net_device *dev) + * then this driver prepends a length field of 2 bytes, + * then the underlying Ethernet device prepends its own header. + */ +- ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len; ++ ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len ++ + dev->needed_headroom; + + lapbeth = netdev_priv(ndev); + lapbeth->axdev = ndev; +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 257b6ee51e54b..1af216aa5adae 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -175,6 +175,7 @@ static int htc_config_pipe_credits(struct htc_target *target) + time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); + if (!time_left) { + dev_err(target->dev, "HTC credit config timeout\n"); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +@@ -211,6 +212,7 @@ static int htc_setup_complete(struct htc_target *target) + time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); + if (!time_left) { + dev_err(target->dev, "HTC start timeout\n"); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +@@ -284,6 +286,7 @@ int htc_connect_service(struct htc_target *target, + if (!time_left) { + dev_err(target->dev, "Service connection timeout for: %d\n", + service_connreq->service_id); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 8f14897ae5a33..f100533eb7adc 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -340,6 +340,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); + mutex_unlock(&wmi->op_mutex); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +index 59013572fbe3f..d6a4a08fd3c44 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +@@ -30,7 +30,7 @@ + #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008 + + #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */ +-#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002 ++#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 + + #define BRCMF_STA_WME 0x00000002 /* WMM association */ + #define BRCMF_STA_AUTHE 0x00000008 /* Authenticated */ +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index db2373fe8ac32..55573d090503b 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -4302,8 +4302,8 @@ il_apm_init(struct il_priv *il) + * power savings, even without L1. + */ + if (il->cfg->set_l0s) { +- pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { ++ ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); ++ if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) { + /* L1-ASPM enabled; disable(!) L0S */ + il_set_bit(il, CSR_GIO_REG, + CSR_GIO_REG_VAL_L0S_ENABLED); +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index 8548027abf71b..1e26936c0d727 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -586,6 +586,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + { + struct host_cmd_ds_802_11_key_material *key = + &resp->params.key_material; ++ int len; ++ ++ len = le16_to_cpu(key->key_param_set.key_len); ++ if (len > sizeof(key->key_param_set.key)) ++ return -EINVAL; + + if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) { +@@ -599,9 +604,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + + memset(priv->aes_key.key_param_set.key, 0, + sizeof(key->key_param_set.key)); +- priv->aes_key.key_param_set.key_len = key->key_param_set.key_len; +- memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, +- le16_to_cpu(priv->aes_key.key_param_set.key_len)); ++ priv->aes_key.key_param_set.key_len = cpu_to_le16(len); ++ memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len); + + return 0; + } +@@ -616,9 +620,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + struct host_cmd_ds_command *resp) + { + struct host_cmd_ds_802_11_key_material_v2 *key_v2; +- __le16 len; ++ int len; + + key_v2 = &resp->params.key_material_v2; ++ ++ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); ++ if (len > WLAN_KEY_LEN_CCMP) ++ return -EINVAL; ++ + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) { + mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n"); +@@ -634,10 +643,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, + WLAN_KEY_LEN_CCMP); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = +- key_v2->key_param_set.key_params.aes.key_len; +- len = priv->aes_key_v2.key_param_set.key_params.aes.key_len; ++ cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +- key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len)); ++ key_v2->key_param_set.key_params.aes.key, len); + + return 0; + } +diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c +index d0593bc1f1a92..daddeaa66bf4a 100644 +--- a/drivers/net/wireless/ti/wl1251/event.c ++++ b/drivers/net/wireless/ti/wl1251/event.c +@@ -84,7 +84,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl, + break; + } + +- return 0; ++ return ret; + } + + static void wl1251_event_mbox_dump(struct event_mailbox *mbox) +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 6d391a268469f..ceaf6b30d683d 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -62,6 +62,8 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644); + MODULE_PARM_DESC(max_queues, + "Maximum number of queues per virtual interface"); + ++#define XENNET_TIMEOUT (5 * HZ) ++ + static const struct ethtool_ops xennet_ethtool_ops; + + struct netfront_cb { +@@ -1355,12 +1357,15 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev) + + netif_carrier_off(netdev); + +- xenbus_switch_state(dev, XenbusStateInitialising); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateClosed && +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateUnknown); ++ do { ++ xenbus_switch_state(dev, XenbusStateInitialising); ++ err = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateClosed && ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateUnknown, XENNET_TIMEOUT); ++ } while (!err); ++ + return netdev; + + exit: +@@ -2172,28 +2177,43 @@ static const struct attribute_group xennet_dev_group = { + }; + #endif /* CONFIG_SYSFS */ + +-static int xennet_remove(struct xenbus_device *dev) ++static void xennet_bus_close(struct xenbus_device *dev) + { +- struct netfront_info *info = dev_get_drvdata(&dev->dev); +- +- dev_dbg(&dev->dev, "%s\n", dev->nodename); ++ int ret; + +- if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) { ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; ++ do { + xenbus_switch_state(dev, XenbusStateClosing); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosing || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosing || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++ ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; + ++ do { + xenbus_switch_state(dev, XenbusStateClosed); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosed || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); +- } ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++} ++ ++static int xennet_remove(struct xenbus_device *dev) ++{ ++ struct netfront_info *info = dev_get_drvdata(&dev->dev); + ++ xennet_bus_close(dev); + xennet_disconnect_backend(info); + + if (info->netdev->reg_state == NETREG_REGISTERED) +diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c +index 9d9c8d57a042d..64b58455e620b 100644 +--- a/drivers/nfc/s3fwrn5/core.c ++++ b/drivers/nfc/s3fwrn5/core.c +@@ -209,6 +209,7 @@ int s3fwrn5_recv_frame(struct nci_dev *ndev, struct sk_buff *skb, + case S3FWRN5_MODE_FW: + return s3fwrn5_fw_recv_frame(ndev, skb); + default: ++ kfree_skb(skb); + return -ENODEV; + } + } +diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c +index 188fab57d170e..a7f542e784dd0 100644 +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -1283,7 +1283,7 @@ sba_ioc_init_pluto(struct parisc_device *sba, struct ioc *ioc, int ioc_num) + ** (one that doesn't overlap memory or LMMIO space) in the + ** IBASE and IMASK registers. + */ +- ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE); ++ ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE) & ~0x1fffffULL; + iova_space_size = ~(READ_REG(ioc->ioc_hpa + IOC_IMASK) & 0xFFFFFFFFUL) + 1; + + if ((ioc->ibase < 0xfed00000UL) && ((ioc->ibase + iova_space_size) > 0xfee00000UL)) { +diff --git a/drivers/pci/access.c b/drivers/pci/access.c +index 7b5cf6d1181a9..6f2a07567532d 100644 +--- a/drivers/pci/access.c ++++ b/drivers/pci/access.c +@@ -185,17 +185,13 @@ EXPORT_SYMBOL(pci_bus_set_ops); + static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait); + + static noinline void pci_wait_cfg(struct pci_dev *dev) ++ __must_hold(&pci_lock) + { +- DECLARE_WAITQUEUE(wait, current); +- +- __add_wait_queue(&pci_cfg_wait, &wait); + do { +- set_current_state(TASK_UNINTERRUPTIBLE); + raw_spin_unlock_irq(&pci_lock); +- schedule(); ++ wait_event(pci_cfg_wait, !dev->block_cfg_access); + raw_spin_lock_irq(&pci_lock); + } while (dev->block_cfg_access); +- __remove_wait_queue(&pci_cfg_wait, &wait); + } + + /* Returns 0 on success, negative values indicate error. */ +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c +index d44b55879c673..7f2b9ef185e44 100644 +--- a/drivers/pci/hotplug/acpiphp_glue.c ++++ b/drivers/pci/hotplug/acpiphp_glue.c +@@ -136,13 +136,21 @@ static struct acpiphp_context *acpiphp_grab_context(struct acpi_device *adev) + struct acpiphp_context *context; + + acpi_lock_hp_context(); ++ + context = acpiphp_get_context(adev); +- if (!context || context->func.parent->is_going_away) { +- acpi_unlock_hp_context(); +- return NULL; ++ if (!context) ++ goto unlock; ++ ++ if (context->func.parent->is_going_away) { ++ acpiphp_put_context(context); ++ context = NULL; ++ goto unlock; + } ++ + get_bridge(context->func.parent); + acpiphp_put_context(context); ++ ++unlock: + acpi_unlock_hp_context(); + return context; + } +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 75551a781e887..5eae5f35dcc7b 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -832,6 +832,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp) + cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]); + else + cnt += sprintf(buffer + cnt, "%s ", policy_str[i]); ++ cnt += sprintf(buffer + cnt, "\n"); + return cnt; + } + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 496296bc35816..1fdb1ef5eaaeb 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -2046,6 +2046,19 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f1, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f4, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x1508, quirk_disable_aspm_l0s); + ++static void quirk_disable_aspm_l0s_l1(struct pci_dev *dev) ++{ ++ pci_info(dev, "Disabling ASPM L0s/L1\n"); ++ pci_disable_link_state(dev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1); ++} ++ ++/* ++ * ASM1083/1085 PCIe-PCI bridge devices cause AER timeout errors on the ++ * upstream PCIe root port when ASPM is enabled. At least L0s mode is affected; ++ * disable both L0s and L1 for now to be safe. ++ */ ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ASMEDIA, 0x1080, quirk_disable_aspm_l0s_l1); ++ + /* + * Some Pericom PCIe-to-PCI bridges in reverse mode need the PCIe Retrain + * Link bit cleared after starting the link retrain process to allow this +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index bfdf720db270d..8769a579ecb13 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1078,7 +1078,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + + /* If pinconf isn't supported, don't parse properties in below. */ + if (!PCS_HAS_PINCONF) +- return 0; ++ return -ENOTSUPP; + + /* cacluate how much properties are supported in current node */ + for (i = 0; i < ARRAY_SIZE(prop2); i++) { +@@ -1090,7 +1090,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + nconfs++; + } + if (!nconfs) +- return 0; ++ return -ENOTSUPP; + + func->conf = devm_kzalloc(pcs->dev, + sizeof(struct pcs_conf_vals) * nconfs, +@@ -1203,9 +1203,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + + if (PCS_HAS_PINCONF) { + res = pcs_parse_pinconf(pcs, np, function, map); +- if (res) ++ if (res == 0) ++ *num_maps = 2; ++ else if (res == -ENOTSUPP) ++ *num_maps = 1; ++ else + goto free_pingroups; +- *num_maps = 2; + } else { + *num_maps = 1; + } +diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c +index 12dbb50633761..a5c645b9e3f2a 100644 +--- a/drivers/platform/x86/intel-hid.c ++++ b/drivers/platform/x86/intel-hid.c +@@ -264,7 +264,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-hid: created platform device\n"); + +diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c +index a74340dff530e..1cf2a38add5f9 100644 +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -168,7 +168,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-vbtn: created platform device\n"); + +diff --git a/drivers/power/supply/88pm860x_battery.c b/drivers/power/supply/88pm860x_battery.c +index 63c57dc82ac1d..4eda5065b5bbc 100644 +--- a/drivers/power/supply/88pm860x_battery.c ++++ b/drivers/power/supply/88pm860x_battery.c +@@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + int ret; + int data; + int bat_remove; +- int soc; ++ int soc = 0; + + /* measure enable on GPADC1 */ + data = MEAS1_GP1; +@@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + } + mutex_unlock(&info->lock); + +- calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ ret = calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ if (ret < 0) ++ goto out; + + data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG); + bat_remove = data & BAT_WU_LOG; +diff --git a/drivers/pwm/pwm-bcm-iproc.c b/drivers/pwm/pwm-bcm-iproc.c +index 31b01035d0ab3..8cfba3614e601 100644 +--- a/drivers/pwm/pwm-bcm-iproc.c ++++ b/drivers/pwm/pwm-bcm-iproc.c +@@ -85,8 +85,6 @@ static void iproc_pwmc_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + u64 tmp, multi, rate; + u32 value, prescale; + +- rate = clk_get_rate(ip->clk); +- + value = readl(ip->base + IPROC_PWM_CTRL_OFFSET); + + if (value & BIT(IPROC_PWM_CTRL_EN_SHIFT(pwm->hwpwm))) +@@ -99,6 +97,13 @@ static void iproc_pwmc_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + else + state->polarity = PWM_POLARITY_INVERSED; + ++ rate = clk_get_rate(ip->clk); ++ if (rate == 0) { ++ state->period = 0; ++ state->duty_cycle = 0; ++ return; ++ } ++ + value = readl(ip->base + IPROC_PWM_PRESCALE_OFFSET); + prescale = value >> IPROC_PWM_PRESCALE_SHIFT(pwm->hwpwm); + prescale &= IPROC_PWM_PRESCALE_MAX; +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 51152681aba6e..c878c87966163 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1675,6 +1675,10 @@ static void qeth_bridge_state_change(struct qeth_card *card, + int extrasize; + + QETH_CARD_TEXT(card, 2, "brstchng"); ++ if (qports->num_entries == 0) { ++ QETH_CARD_TEXT(card, 2, "BPempty"); ++ return; ++ } + if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) { + QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length); + return; +diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c +index edce5f3cfdba0..93ba83e3148eb 100644 +--- a/drivers/scsi/arm/cumana_2.c ++++ b/drivers/scsi/arm/cumana_2.c +@@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c +index e93e047f43165..65bb34ce93b94 100644 +--- a/drivers/scsi/arm/eesox.c ++++ b/drivers/scsi/arm/eesox.c +@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_remove: + fas216_remove(host); +diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c +index 79aa88911b7f3..b5e4a25ea1ef3 100644 +--- a/drivers/scsi/arm/powertec.c ++++ b/drivers/scsi/arm/powertec.c +@@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c +index 1753e42826dd9..a880abf5abaad 100644 +--- a/drivers/scsi/mesh.c ++++ b/drivers/scsi/mesh.c +@@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms) + while ((in_8(&mr->bus_status1) & BS1_RST) != 0) + udelay(1); + printk("done\n"); ++ if (ms->dma_started) ++ halt_dma(ms); + handle_reset(ms); + /* request_q is empty, no point in mesh_start() */ + return; +@@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms) + ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd), + ms->tgts[ms->conn_tgt].data_goes_out); + } +- scsi_dma_unmap(cmd); ++ if (cmd) ++ scsi_dma_unmap(cmd); + ms->dma_started = 0; + } + +@@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd) + + spin_lock_irqsave(ms->host->host_lock, flags); + ++ if (ms->dma_started) ++ halt_dma(ms); ++ + /* Reset the controller & dbdma channel */ + out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */ + out_8(&mr->exception, 0xff); /* clear all exception bits */ +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index d7118d3767c35..99bfb003be3fc 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -4986,6 +4986,12 @@ static int __init scsi_debug_init(void) + pr_err("submit_queues must be 1 or more\n"); + return -EINVAL; + } ++ ++ if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) { ++ pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE); ++ return -EINVAL; ++ } ++ + sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue), + GFP_KERNEL); + if (sdebug_q_arr == NULL) +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index 6ec3790566504..fa4c47c7d2166 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -2522,7 +2522,7 @@ static int rtl8192_read_eeprom_info(struct net_device *dev) + ret = eprom_read(dev, (EEPROM_TxPwIndex_CCK >> 1)); + if (ret < 0) + return ret; +- priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff) >> 8; ++ priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff00) >> 8; + } else + priv->EEPROMTxPowerLevelCCK = 0x10; + RT_TRACE(COMP_EPROM, "CCK Tx Power Levl: 0x%02x\n", priv->EEPROMTxPowerLevelCCK); +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index 38926495c751d..f985315ebd3bd 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -668,6 +668,7 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (hsotg->gadget_enabled) { + retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); + if (retval) { ++ hsotg->gadget.udc = NULL; + dwc2_hsotg_remove(hsotg); + goto error; + } +@@ -676,7 +677,8 @@ static int dwc2_driver_probe(struct platform_device *dev) + return 0; + + error: +- dwc2_lowlevel_hw_disable(hsotg); ++ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) ++ dwc2_lowlevel_hw_disable(hsotg); + return retval; + } + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index e9bd8d4abca00..f09a74d79c9eb 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -286,6 +286,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + * in that case reinit is passed as 1 + */ + if (reinit) { ++ int i; + /* Enable interrupts */ + temp = bdc_readl(bdc->regs, BDC_BDCSC); + temp |= BDC_GIE; +@@ -295,6 +296,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + /* Initialize SRR to 0 */ + memset(bdc->srr.sr_bds, 0, + NUM_SR_ENTRIES * sizeof(struct bdc_bd)); ++ /* clear ep flags to avoid post disconnect stops/deconfigs */ ++ for (i = 1; i < bdc->num_eps; ++i) ++ bdc->bdc_ep_array[i]->flags = 0; + } else { + /* One time initiaization only */ + /* Enable status report function pointers */ +diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c +index 303735c7990c8..8b1b48fa4ebfc 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c +@@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep) + } + bdc_dbg_bd_list(bdc, ep); + /* only for ep0: config ep is called for ep0 from connect event */ +- ep->flags |= BDC_EP_ENABLED; + if (ep->ep_num == 1) + return ret; + +@@ -765,10 +764,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req) + __func__, ep->name, start_bdi, end_bdi); + dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n", + ep, (void *)ep->usb_ep.desc); +- /* Stop the ep to see where the HW is ? */ +- ret = bdc_stop_ep(bdc, ep->ep_num); +- /* if there is an issue with stopping ep, then no need to go further */ +- if (ret) ++ /* if still connected, stop the ep to see where the HW is ? */ ++ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) { ++ ret = bdc_stop_ep(bdc, ep->ep_num); ++ /* if there is an issue, then no need to go further */ ++ if (ret) ++ return 0; ++ } else + return 0; + + /* +@@ -1917,7 +1919,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep) + __func__, ep->name, ep->flags); + + if (!(ep->flags & BDC_EP_ENABLED)) { +- dev_warn(bdc->dev, "%s is already disabled\n", ep->name); ++ if (bdc->gadget.speed != USB_SPEED_UNKNOWN) ++ dev_warn(bdc->dev, "%s is already disabled\n", ++ ep->name); + return 0; + } + spin_lock_irqsave(&bdc->lock, flags); +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index dfaed8e8cc524..c8c45264e94cc 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -3785,8 +3785,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + done: +- if (dev) ++ if (dev) { + net2280_remove(pdev); ++ kfree(dev); ++ } + return retval; + } + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 613544d25fadc..abf8a3cac2651 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -255,6 +255,8 @@ static struct usb_serial_driver cp210x_device = { + .break_ctl = cp210x_break_ctl, + .set_termios = cp210x_set_termios, + .tx_empty = cp210x_tx_empty, ++ .throttle = usb_serial_generic_throttle, ++ .unthrottle = usb_serial_generic_unthrottle, + .tiocmget = cp210x_tiocmget, + .tiocmset = cp210x_tiocmset, + .port_probe = cp210x_port_probe, +@@ -765,6 +767,7 @@ static void cp210x_get_termios_port(struct usb_serial_port *port, + u32 baud; + u16 bits; + u32 ctl_hs; ++ u32 flow_repl; + + cp210x_read_u32_reg(port, CP210X_GET_BAUDRATE, &baud); + +@@ -865,6 +868,22 @@ static void cp210x_get_termios_port(struct usb_serial_port *port, + ctl_hs = le32_to_cpu(flow_ctl.ulControlHandshake); + if (ctl_hs & CP210X_SERIAL_CTS_HANDSHAKE) { + dev_dbg(dev, "%s - flow control = CRTSCTS\n", __func__); ++ /* ++ * When the port is closed, the CP210x hardware disables ++ * auto-RTS and RTS is deasserted but it leaves auto-CTS when ++ * in hardware flow control mode. When re-opening the port, if ++ * auto-CTS is enabled on the cp210x, then auto-RTS must be ++ * re-enabled in the driver. ++ */ ++ flow_repl = le32_to_cpu(flow_ctl.ulFlowReplace); ++ flow_repl &= ~CP210X_SERIAL_RTS_MASK; ++ flow_repl |= CP210X_SERIAL_RTS_SHIFT(CP210X_SERIAL_RTS_FLOW_CTL); ++ flow_ctl.ulFlowReplace = cpu_to_le32(flow_repl); ++ cp210x_write_reg_block(port, ++ CP210X_SET_FLOW, ++ &flow_ctl, ++ sizeof(flow_ctl)); ++ + cflag |= CRTSCTS; + } else { + dev_dbg(dev, "%s - flow control = NONE\n", __func__); +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index a7cb0968259ee..0c8b24ff44a05 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2051,12 +2051,11 @@ static int ftdi_prepare_write_buffer(struct usb_serial_port *port, + #define FTDI_RS_ERR_MASK (FTDI_RS_BI | FTDI_RS_PE | FTDI_RS_FE | FTDI_RS_OE) + + static int ftdi_process_packet(struct usb_serial_port *port, +- struct ftdi_private *priv, char *packet, int len) ++ struct ftdi_private *priv, unsigned char *buf, int len) + { ++ unsigned char status; + int i; +- char status; + char flag; +- char *ch; + + if (len < 2) { + dev_dbg(&port->dev, "malformed packet\n"); +@@ -2066,7 +2065,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + /* Compare new line status to the old one, signal if different/ + N.B. packet may be processed more than once, but differences + are only processed once. */ +- status = packet[0] & FTDI_STATUS_B0_MASK; ++ status = buf[0] & FTDI_STATUS_B0_MASK; + if (status != priv->prev_status) { + char diff_status = status ^ priv->prev_status; + +@@ -2092,13 +2091,12 @@ static int ftdi_process_packet(struct usb_serial_port *port, + } + + /* save if the transmitter is empty or not */ +- if (packet[1] & FTDI_RS_TEMT) ++ if (buf[1] & FTDI_RS_TEMT) + priv->transmit_empty = 1; + else + priv->transmit_empty = 0; + +- len -= 2; +- if (!len) ++ if (len == 2) + return 0; /* status only */ + + /* +@@ -2106,40 +2104,41 @@ static int ftdi_process_packet(struct usb_serial_port *port, + * data payload to avoid over-reporting. + */ + flag = TTY_NORMAL; +- if (packet[1] & FTDI_RS_ERR_MASK) { ++ if (buf[1] & FTDI_RS_ERR_MASK) { + /* Break takes precedence over parity, which takes precedence + * over framing errors */ +- if (packet[1] & FTDI_RS_BI) { ++ if (buf[1] & FTDI_RS_BI) { + flag = TTY_BREAK; + port->icount.brk++; + usb_serial_handle_break(port); +- } else if (packet[1] & FTDI_RS_PE) { ++ } else if (buf[1] & FTDI_RS_PE) { + flag = TTY_PARITY; + port->icount.parity++; +- } else if (packet[1] & FTDI_RS_FE) { ++ } else if (buf[1] & FTDI_RS_FE) { + flag = TTY_FRAME; + port->icount.frame++; + } + /* Overrun is special, not associated with a char */ +- if (packet[1] & FTDI_RS_OE) { ++ if (buf[1] & FTDI_RS_OE) { + port->icount.overrun++; + tty_insert_flip_char(&port->port, 0, TTY_OVERRUN); + } + } + +- port->icount.rx += len; +- ch = packet + 2; ++ port->icount.rx += len - 2; + + if (port->port.console && port->sysrq) { +- for (i = 0; i < len; i++, ch++) { +- if (!usb_serial_handle_sysrq_char(port, *ch)) +- tty_insert_flip_char(&port->port, *ch, flag); ++ for (i = 2; i < len; i++) { ++ if (usb_serial_handle_sysrq_char(port, buf[i])) ++ continue; ++ tty_insert_flip_char(&port->port, buf[i], flag); + } + } else { +- tty_insert_flip_string_fixed_flag(&port->port, ch, flag, len); ++ tty_insert_flip_string_fixed_flag(&port->port, buf + 2, flag, ++ len - 2); + } + +- return len; ++ return len - 2; + } + + static void ftdi_process_read_urb(struct urb *urb) +diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c +index d6ac1f472b779..bdeb2b2489549 100644 +--- a/drivers/usb/serial/iuu_phoenix.c ++++ b/drivers/usb/serial/iuu_phoenix.c +@@ -369,10 +369,11 @@ static void iuu_led_activity_on(struct urb *urb) + struct usb_serial_port *port = urb->context; + int result; + char *buf_ptr = port->write_urb->transfer_buffer; +- *buf_ptr++ = IUU_SET_LED; ++ + if (xmas) { +- get_random_bytes(buf_ptr, 6); +- *(buf_ptr+7) = 1; ++ buf_ptr[0] = IUU_SET_LED; ++ get_random_bytes(buf_ptr + 1, 6); ++ buf_ptr[7] = 1; + } else { + iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255); + } +@@ -390,13 +391,14 @@ static void iuu_led_activity_off(struct urb *urb) + struct usb_serial_port *port = urb->context; + int result; + char *buf_ptr = port->write_urb->transfer_buffer; ++ + if (xmas) { + iuu_rxcmd(urb); + return; +- } else { +- *buf_ptr++ = IUU_SET_LED; +- iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); + } ++ ++ iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); ++ + usb_fill_bulk_urb(port->write_urb, port->serial->dev, + usb_sndbulkpipe(port->serial->dev, + port->bulk_out_endpointAddress), +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index c59e6d4a8a612..11fb4d78e2dbc 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -159,6 +159,7 @@ static const struct usb_device_id id_table[] = { + {DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */ ++ {DEVICE_SWI(0x1199, 0x9062)}, /* Sierra Wireless EM7305 QDL */ + {DEVICE_SWI(0x1199, 0x9063)}, /* Sierra Wireless EM7305 */ + {DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx */ + {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */ +diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c +index dbfe4eecf12e5..05d1d36a56654 100644 +--- a/drivers/video/console/bitblit.c ++++ b/drivers/video/console/bitblit.c +@@ -216,7 +216,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info, + region.color = 0; + region.rop = ROP_COPY; + +- if (rw && !bottom_only) { ++ if ((int) rw > 0 && !bottom_only) { + region.dx = info->var.xoffset + rs; + region.dy = 0; + region.width = rw; +@@ -224,7 +224,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info, + info->fbops->fb_fillrect(info, ®ion); + } + +- if (bh) { ++ if ((int) bh > 0) { + region.dx = info->var.xoffset; + region.dy = info->var.yoffset + bs; + region.width = rs; +diff --git a/drivers/video/console/fbcon_ccw.c b/drivers/video/console/fbcon_ccw.c +index 5a3cbf6dff4d9..34da8bba9273a 100644 +--- a/drivers/video/console/fbcon_ccw.c ++++ b/drivers/video/console/fbcon_ccw.c +@@ -201,7 +201,7 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info, + region.color = 0; + region.rop = ROP_COPY; + +- if (rw && !bottom_only) { ++ if ((int) rw > 0 && !bottom_only) { + region.dx = 0; + region.dy = info->var.yoffset; + region.height = rw; +@@ -209,7 +209,7 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info, + info->fbops->fb_fillrect(info, ®ion); + } + +- if (bh) { ++ if ((int) bh > 0) { + region.dx = info->var.xoffset + bs; + region.dy = 0; + region.height = info->var.yres_virtual; +diff --git a/drivers/video/console/fbcon_cw.c b/drivers/video/console/fbcon_cw.c +index e7ee44db4e98b..0b552b3fc22ab 100644 +--- a/drivers/video/console/fbcon_cw.c ++++ b/drivers/video/console/fbcon_cw.c +@@ -184,7 +184,7 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info, + region.color = 0; + region.rop = ROP_COPY; + +- if (rw && !bottom_only) { ++ if ((int) rw > 0 && !bottom_only) { + region.dx = 0; + region.dy = info->var.yoffset + rs; + region.height = rw; +@@ -192,7 +192,7 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info, + info->fbops->fb_fillrect(info, ®ion); + } + +- if (bh) { ++ if ((int) bh > 0) { + region.dx = info->var.xoffset; + region.dy = info->var.yoffset; + region.height = info->var.yres; +diff --git a/drivers/video/console/fbcon_ud.c b/drivers/video/console/fbcon_ud.c +index 19e3714abfe8f..7f62efe2da526 100644 +--- a/drivers/video/console/fbcon_ud.c ++++ b/drivers/video/console/fbcon_ud.c +@@ -231,7 +231,7 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info, + region.color = 0; + region.rop = ROP_COPY; + +- if (rw && !bottom_only) { ++ if ((int) rw > 0 && !bottom_only) { + region.dy = 0; + region.dx = info->var.xoffset; + region.width = rw; +@@ -239,7 +239,7 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info, + info->fbops->fb_fillrect(info, ®ion); + } + +- if (bh) { ++ if ((int) bh > 0) { + region.dy = info->var.yoffset; + region.dx = info->var.xoffset; + region.height = bh; +diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c +index e3b9521e4ec3e..33bddf3f30406 100644 +--- a/drivers/video/console/newport_con.c ++++ b/drivers/video/console/newport_con.c +@@ -31,6 +31,8 @@ + #include + #include + ++#define NEWPORT_LEN 0x10000 ++ + #define FONT_DATA ((unsigned char *)font_vga_8x16.data) + + /* borrowed from fbcon.c */ +@@ -42,6 +44,7 @@ + static unsigned char *font_data[MAX_NR_CONSOLES]; + + static struct newport_regs *npregs; ++static unsigned long newport_addr; + + static int logo_active; + static int topscan; +@@ -701,7 +704,6 @@ const struct consw newport_con = { + static int newport_probe(struct gio_device *dev, + const struct gio_device_id *id) + { +- unsigned long newport_addr; + int err; + + if (!dev->resource.start) +@@ -711,7 +713,7 @@ static int newport_probe(struct gio_device *dev, + return -EBUSY; /* we only support one Newport as console */ + + newport_addr = dev->resource.start + 0xF0000; +- if (!request_mem_region(newport_addr, 0x10000, "Newport")) ++ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport")) + return -ENODEV; + + npregs = (struct newport_regs *)/* ioremap cannot fail */ +@@ -719,6 +721,11 @@ static int newport_probe(struct gio_device *dev, + console_lock(); + err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1); + console_unlock(); ++ ++ if (err) { ++ iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); ++ } + return err; + } + +@@ -726,6 +733,7 @@ static void newport_remove(struct gio_device *dev) + { + give_up_console(&newport_con); + iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); + } + + static struct gio_device_id newport_ids[] = { +diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c +index 42c0a26646f66..d45ba7317b225 100644 +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -219,6 +219,10 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) + p = (void *) (c->vc_origin + t * c->vc_size_row); + + while (count--) { ++ if ((vgacon_scrollback_tail + c->vc_size_row) > ++ vgacon_scrollback_size) ++ vgacon_scrollback_tail = 0; ++ + scr_memcpyw(vgacon_scrollback + vgacon_scrollback_tail, + p, c->vc_size_row); + vgacon_scrollback_cnt++; +diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c +index db023a97d1eae..e243254a57214 100644 +--- a/drivers/video/fbdev/neofb.c ++++ b/drivers/video/fbdev/neofb.c +@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info) + #else + printk(KERN_ERR + "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n"); ++ kfree(info->monspecs.modedb); + return -1; + #endif + default: +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss.c b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +index 48c6500c24e1f..4429ad37b64cd 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +@@ -843,7 +843,7 @@ static const struct dss_features omap34xx_dss_feats = { + }; + + static const struct dss_features omap3630_dss_feats = { +- .fck_div_max = 32, ++ .fck_div_max = 31, + .dss_fck_multiplier = 1, + .parent_clk_name = "dpll4_ck", + .dpi_select_source = &dss_dpi_select_source_omap2_omap3, +diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c +index 8503310a38167..7f8b6af29aab4 100644 +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2447,8 +2447,8 @@ static int pxafb_remove(struct platform_device *dev) + + free_pages_exact(fbi->video_mem, fbi->video_mem_size); + +- dma_free_wc(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, +- fbi->dma_buff_phys); ++ dma_free_coherent(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, ++ fbi->dma_buff_phys); + + iounmap(fbi->mmio_base); + +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index 0d92ff366a7b7..17efcdd4dc99b 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1428,6 +1428,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb, + static void smtc_unmap_smem(struct smtcfb_info *sfb) + { + if (sfb && sfb->fb->screen_base) { ++ if (sfb->chip_id == 0x720) ++ sfb->fb->screen_base -= 0x00200000; + iounmap(sfb->fb->screen_base); + sfb->fb->screen_base = NULL; + } +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index 88cd2a52d8d32..ae4974701e5c7 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -688,9 +688,9 @@ static int __init watchdog_init(int sioaddr) + * into the module have been registered yet. + */ + watchdog.sioaddr = sioaddr; +- watchdog.ident.options = WDIOC_SETTIMEOUT +- | WDIOF_MAGICCLOSE +- | WDIOF_KEEPALIVEPING; ++ watchdog.ident.options = WDIOF_MAGICCLOSE ++ | WDIOF_KEEPALIVEPING ++ | WDIOF_CARDRESET; + + snprintf(watchdog.ident.identity, + sizeof(watchdog.ident.identity), "%s watchdog", +@@ -704,6 +704,13 @@ static int __init watchdog_init(int sioaddr) + wdt_conf = superio_inb(sioaddr, F71808FG_REG_WDT_CONF); + watchdog.caused_reboot = wdt_conf & BIT(F71808FG_FLAG_WDTMOUT_STS); + ++ /* ++ * We don't want WDTMOUT_STS to stick around till regular reboot. ++ * Write 1 to the bit to clear it to zero. ++ */ ++ superio_outb(sioaddr, F71808FG_REG_WDT_CONF, ++ wdt_conf | BIT(F71808FG_FLAG_WDTMOUT_STS)); ++ + superio_exit(sioaddr); + + err = watchdog_set_timeout(timeout); +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 05f9f5983ee17..1b76e8a99c40b 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -634,11 +634,13 @@ static int add_ballooned_pages(int nr_pages) + if (xen_hotplug_unpopulated) { + st = reserve_additional_memory(); + if (st != BP_ECANCELED) { ++ int rc; ++ + mutex_unlock(&balloon_mutex); +- wait_event(balloon_wq, ++ rc = wait_event_interruptible(balloon_wq, + !list_empty(&ballooned_pages)); + mutex_lock(&balloon_mutex); +- return 0; ++ return rc ? -ENOMEM : 0; + } + } + +@@ -694,6 +696,12 @@ int alloc_xenballooned_pages(int nr_pages, struct page **pages) + out_undo: + mutex_unlock(&balloon_mutex); + free_xenballooned_pages(pgno, pages); ++ /* ++ * NB: free_xenballooned_pages will only subtract pgno pages, but since ++ * target_unpopulated is incremented with nr_pages at the start we need ++ * to remove the remaining ones also, or accounting will be screwed. ++ */ ++ balloon_stats.target_unpopulated -= nr_pages - pgno; + return ret; + } + EXPORT_SYMBOL(alloc_xenballooned_pages); +diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c +index a8ff430686196..719c737ace262 100644 +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -457,10 +457,9 @@ void v9fs_session_close(struct v9fs_session_info *v9ses) + } + + #ifdef CONFIG_9P_FSCACHE +- if (v9ses->fscache) { ++ if (v9ses->fscache) + v9fs_cache_session_put_cookie(v9ses); +- kfree(v9ses->cachetag); +- } ++ kfree(v9ses->cachetag); + #endif + kfree(v9ses->uname); + kfree(v9ses->aname); +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 1de0170519280..d9909e2fc4c21 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1527,9 +1527,16 @@ int btrfs_init_fs_root(struct btrfs_root *root) + spin_lock_init(&root->ino_cache_lock); + init_waitqueue_head(&root->ino_cache_wait); + +- ret = get_anon_bdev(&root->anon_dev); +- if (ret) +- goto fail; ++ /* ++ * Don't assign anonymous block device to roots that are not exposed to ++ * userspace, the id pool is limited to 1M ++ */ ++ if (is_fstree(root->root_key.objectid) && ++ btrfs_root_refs(&root->root_item) > 0) { ++ ret = get_anon_bdev(&root->anon_dev); ++ if (ret) ++ goto fail; ++ } + + mutex_lock(&root->objectid_mutex); + ret = btrfs_find_highest_objectid(root, +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 8c0ff985c1919..fa22bb29eee6f 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4340,6 +4340,8 @@ int try_release_extent_mapping(struct extent_map_tree *map, + + /* once for us */ + free_extent_map(em); ++ ++ cond_resched(); /* Allow large-extent preemption. */ + } + } + return try_release_extent_state(map, tree, page, mask); +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index a84a1ceb260af..568ff2ee015be 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -2152,7 +2152,7 @@ out: + static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, + struct btrfs_free_space *info, bool update_stat) + { +- struct btrfs_free_space *left_info; ++ struct btrfs_free_space *left_info = NULL; + struct btrfs_free_space *right_info; + bool merged = false; + u64 offset = info->offset; +@@ -2167,7 +2167,7 @@ static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, + if (right_info && rb_prev(&right_info->offset_index)) + left_info = rb_entry(rb_prev(&right_info->offset_index), + struct btrfs_free_space, offset_index); +- else ++ else if (!right_info) + left_info = tree_search_offset(ctl, offset - 1, 0, 0); + + if (right_info && !right_info->bitmap) { +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index f79682937faf4..c28ac9c464251 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3755,11 +3755,8 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, + log->fs_info->csum_root, + ds + cs, ds + cs + cl - 1, + &ordered_sums, 0); +- if (ret) { +- btrfs_release_path(dst_path); +- kfree(ins_data); +- return ret; +- } ++ if (ret) ++ break; + } + } + } +@@ -3772,7 +3769,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, + * we have to do this after the loop above to avoid changing the + * log tree while trying to change the log tree. + */ +- ret = 0; + while (!list_empty(&ordered_sums)) { + struct btrfs_ordered_sum *sums = list_entry(ordered_sums.next, + struct btrfs_ordered_sum, +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 0a23b6002ff12..cf1a3d2f6ad8b 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -776,6 +776,8 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data) + spnego_key = cifs_get_spnego_key(ses); + if (IS_ERR(spnego_key)) { + rc = PTR_ERR(spnego_key); ++ if (rc == -ENOKEY) ++ cifs_dbg(VFS, "Verify user has a krb5 ticket and keyutils is installed\n"); + spnego_key = NULL; + goto out; + } +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index b14bb2c460426..499f54f99891c 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -626,6 +626,9 @@ static int new_lockspace(const char *name, const char *cluster, + wait_event(ls->ls_recover_lock_wait, + test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags)); + ++ /* let kobject handle freeing of ls if there's an error */ ++ do_unreg = 1; ++ + ls->ls_kobj.kset = dlm_kset; + error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL, + "%s", ls->ls_name); +@@ -633,9 +636,6 @@ static int new_lockspace(const char *name, const char *cluster, + goto out_recoverd; + kobject_uevent(&ls->ls_kobj, KOBJ_ADD); + +- /* let kobject handle freeing of ls if there's an error */ +- do_unreg = 1; +- + /* This uevent triggers dlm_controld in userspace to add us to the + group of nodes that are members of this lockspace (managed by the + cluster infrastructure.) Once it's done that, it tells us who the +diff --git a/fs/ext2/ialloc.c b/fs/ext2/ialloc.c +index 395fc074c0db8..6e1907cc1741a 100644 +--- a/fs/ext2/ialloc.c ++++ b/fs/ext2/ialloc.c +@@ -79,6 +79,7 @@ static void ext2_release_inode(struct super_block *sb, int group, int dir) + if (dir) + le16_add_cpu(&desc->bg_used_dirs_count, -1); + spin_unlock(sb_bgl_lock(EXT2_SB(sb), group)); ++ percpu_counter_inc(&EXT2_SB(sb)->s_freeinodes_counter); + if (dir) + percpu_counter_dec(&EXT2_SB(sb)->s_dirs_counter); + mark_buffer_dirty(bh); +@@ -530,7 +531,7 @@ got: + goto fail; + } + +- percpu_counter_add(&sbi->s_freeinodes_counter, -1); ++ percpu_counter_dec(&sbi->s_freeinodes_counter); + if (S_ISDIR(mode)) + percpu_counter_inc(&sbi->s_dirs_counter); + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index d8780e04aaf00..ccce89de6d7e3 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3575,6 +3575,11 @@ static ssize_t ext4_direct_IO_read(struct kiocb *iocb, struct iov_iter *iter) + struct address_space *mapping = iocb->ki_filp->f_mapping; + struct inode *inode = mapping->host; + ssize_t ret; ++ loff_t offset = iocb->ki_pos; ++ loff_t size = i_size_read(inode); ++ ++ if (offset >= size) ++ return 0; + + /* + * Shared inode_lock is enough for us - it protects against concurrent +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index b414892be08b7..9a11b48e55ca2 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -843,6 +843,17 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, + de_name.name = d->filename[bit_pos]; + de_name.len = le16_to_cpu(de->name_len); + ++ /* check memory boundary before moving forward */ ++ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); ++ if (unlikely(bit_pos > d->max || ++ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) { ++ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING, ++ "%s: corrupted namelen=%d, run fsck to fix.", ++ __func__, le16_to_cpu(de->name_len)); ++ set_sbi_flag(F2FS_I_SB(d->inode)->sb->s_fs_info, SBI_NEED_FSCK); ++ return -EINVAL; ++ } ++ + if (f2fs_encrypted_inode(d->inode)) { + int save_len = fstr->len; + int err; +@@ -861,7 +872,6 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, + le32_to_cpu(de->ino), d_type)) + return true; + +- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); + ctx->pos = start_pos + bit_pos; + } + return false; +diff --git a/fs/minix/inode.c b/fs/minix/inode.c +index f975d667c5390..1191f293ef1db 100644 +--- a/fs/minix/inode.c ++++ b/fs/minix/inode.c +@@ -155,6 +155,23 @@ static int minix_remount (struct super_block * sb, int * flags, char * data) + return 0; + } + ++static bool minix_check_superblock(struct minix_sb_info *sbi) ++{ ++ if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) ++ return false; ++ ++ /* ++ * s_max_size must not exceed the block mapping limitation. This check ++ * is only needed for V1 filesystems, since V2/V3 support an extra level ++ * of indirect blocks which places the limit well above U32_MAX. ++ */ ++ if (sbi->s_version == MINIX_V1 && ++ sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) ++ return false; ++ ++ return true; ++} ++ + static int minix_fill_super(struct super_block *s, void *data, int silent) + { + struct buffer_head *bh; +@@ -233,11 +250,12 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) + } else + goto out_no_fs; + ++ if (!minix_check_superblock(sbi)) ++ goto out_illegal_sb; ++ + /* + * Allocate the buffer map to keep the superblock small. + */ +- if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) +- goto out_illegal_sb; + i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh); + map = kzalloc(i, GFP_KERNEL); + if (!map) +@@ -472,6 +490,13 @@ static struct inode *V1_minix_iget(struct inode *inode) + iget_failed(inode); + return ERR_PTR(-EIO); + } ++ if (raw_inode->i_nlinks == 0) { ++ printk("MINIX-fs: deleted inode referenced: %lu\n", ++ inode->i_ino); ++ brelse(bh); ++ iget_failed(inode); ++ return ERR_PTR(-ESTALE); ++ } + inode->i_mode = raw_inode->i_mode; + i_uid_write(inode, raw_inode->i_uid); + i_gid_write(inode, raw_inode->i_gid); +@@ -505,6 +530,13 @@ static struct inode *V2_minix_iget(struct inode *inode) + iget_failed(inode); + return ERR_PTR(-EIO); + } ++ if (raw_inode->i_nlinks == 0) { ++ printk("MINIX-fs: deleted inode referenced: %lu\n", ++ inode->i_ino); ++ brelse(bh); ++ iget_failed(inode); ++ return ERR_PTR(-ESTALE); ++ } + inode->i_mode = raw_inode->i_mode; + i_uid_write(inode, raw_inode->i_uid); + i_gid_write(inode, raw_inode->i_gid); +diff --git a/fs/minix/itree_common.c b/fs/minix/itree_common.c +index 4c57c9af6946f..0417c4c5ebbd8 100644 +--- a/fs/minix/itree_common.c ++++ b/fs/minix/itree_common.c +@@ -74,6 +74,7 @@ static int alloc_branch(struct inode *inode, + int n = 0; + int i; + int parent = minix_new_block(inode); ++ int err = -ENOSPC; + + branch[0].key = cpu_to_block(parent); + if (parent) for (n = 1; n < num; n++) { +@@ -84,6 +85,11 @@ static int alloc_branch(struct inode *inode, + break; + branch[n].key = cpu_to_block(nr); + bh = sb_getblk(inode->i_sb, parent); ++ if (!bh) { ++ minix_free_block(inode, nr); ++ err = -ENOMEM; ++ break; ++ } + lock_buffer(bh); + memset(bh->b_data, 0, bh->b_size); + branch[n].bh = bh; +@@ -102,7 +108,7 @@ static int alloc_branch(struct inode *inode, + bforget(branch[i].bh); + for (i = 0; i < n; i++) + minix_free_block(inode, block_to_cpu(branch[i].key)); +- return -ENOSPC; ++ return err; + } + + static inline int splice_branch(struct inode *inode, +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index c189722bf9c71..714457bb1440a 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -5212,8 +5212,6 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, + return ret; + if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) + return -ENOENT; +- if (buflen < label.len) +- return -ERANGE; + return 0; + } + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index d7f8d5ce30e3e..0a7c4e30a385e 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4163,7 +4163,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, + goto out_overflow; + if (len < NFS4_MAXLABELLEN) { + if (label) { +- memcpy(label->label, p, len); ++ if (label->len) { ++ if (label->len < len) ++ return -ERANGE; ++ memcpy(label->label, p, len); ++ } + label->len = len; + label->pi = pi; + label->lfs = lfs; +diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h +index 594575e380e81..994a8abdd3701 100644 +--- a/fs/ocfs2/ocfs2.h ++++ b/fs/ocfs2/ocfs2.h +@@ -337,8 +337,8 @@ struct ocfs2_super + spinlock_t osb_lock; + u32 s_next_generation; + unsigned long osb_flags; +- s16 s_inode_steal_slot; +- s16 s_meta_steal_slot; ++ u16 s_inode_steal_slot; ++ u16 s_meta_steal_slot; + atomic_t s_num_inodes_stolen; + atomic_t s_num_meta_stolen; + +diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c +index 00558bc59052e..f8d092b80a49f 100644 +--- a/fs/ocfs2/suballoc.c ++++ b/fs/ocfs2/suballoc.c +@@ -895,9 +895,9 @@ static void __ocfs2_set_steal_slot(struct ocfs2_super *osb, int slot, int type) + { + spin_lock(&osb->osb_lock); + if (type == INODE_ALLOC_SYSTEM_INODE) +- osb->s_inode_steal_slot = slot; ++ osb->s_inode_steal_slot = (u16)slot; + else if (type == EXTENT_ALLOC_SYSTEM_INODE) +- osb->s_meta_steal_slot = slot; ++ osb->s_meta_steal_slot = (u16)slot; + spin_unlock(&osb->osb_lock); + } + +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index 64dfbe5755da5..4d6e99ea37b8e 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -91,7 +91,7 @@ struct mount_options + unsigned long commit_interval; + unsigned long mount_opt; + unsigned int atime_quantum; +- signed short slot; ++ unsigned short slot; + int localalloc_opt; + unsigned int resv_level; + int dir_resv_level; +@@ -1369,7 +1369,7 @@ static int ocfs2_parse_options(struct super_block *sb, + goto bail; + } + if (option) +- mopt->slot = (s16)option; ++ mopt->slot = (u16)option; + break; + case Opt_commit: + if (match_int(&args[0], &option)) { +diff --git a/fs/ufs/super.c b/fs/ufs/super.c +index 351162ff1bfd2..e320d824ee4d9 100644 +--- a/fs/ufs/super.c ++++ b/fs/ufs/super.c +@@ -99,7 +99,7 @@ static struct inode *ufs_nfs_get_inode(struct super_block *sb, u64 ino, u32 gene + struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi; + struct inode *inode; + +- if (ino < UFS_ROOTINO || ino > uspi->s_ncg * uspi->s_ipg) ++ if (ino < UFS_ROOTINO || ino > (u64)uspi->s_ncg * uspi->s_ipg) + return ERR_PTR(-ESTALE); + + inode = ufs_iget(sb, ino); +diff --git a/fs/xattr.c b/fs/xattr.c +index 2f64231823013..c0fd99c95aa15 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -203,10 +203,22 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, + return error; + } + +- ++/** ++ * __vfs_setxattr_locked: set an extended attribute while holding the inode ++ * lock ++ * ++ * @dentry - object to perform setxattr on ++ * @name - xattr name to set ++ * @value - value to set @name to ++ * @size - size of @value ++ * @flags - flags to pass into filesystem operations ++ * @delegated_inode - on return, will contain an inode pointer that ++ * a delegation was broken on, NULL if none. ++ */ + int +-vfs_setxattr(struct dentry *dentry, const char *name, const void *value, +- size_t size, int flags) ++__vfs_setxattr_locked(struct dentry *dentry, const char *name, ++ const void *value, size_t size, int flags, ++ struct inode **delegated_inode) + { + struct inode *inode = dentry->d_inode; + int error; +@@ -215,15 +227,40 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, + if (error) + return error; + +- inode_lock(inode); + error = security_inode_setxattr(dentry, name, value, size, flags); + if (error) + goto out; + ++ error = try_break_deleg(inode, delegated_inode); ++ if (error) ++ goto out; ++ + error = __vfs_setxattr_noperm(dentry, name, value, size, flags); + + out: ++ return error; ++} ++EXPORT_SYMBOL_GPL(__vfs_setxattr_locked); ++ ++int ++vfs_setxattr(struct dentry *dentry, const char *name, const void *value, ++ size_t size, int flags) ++{ ++ struct inode *inode = dentry->d_inode; ++ struct inode *delegated_inode = NULL; ++ int error; ++ ++retry_deleg: ++ inode_lock(inode); ++ error = __vfs_setxattr_locked(dentry, name, value, size, flags, ++ &delegated_inode); + inode_unlock(inode); ++ ++ if (delegated_inode) { ++ error = break_deleg_wait(&delegated_inode); ++ if (!error) ++ goto retry_deleg; ++ } + return error; + } + EXPORT_SYMBOL_GPL(vfs_setxattr); +@@ -379,8 +416,18 @@ __vfs_removexattr(struct dentry *dentry, const char *name) + } + EXPORT_SYMBOL(__vfs_removexattr); + ++/** ++ * __vfs_removexattr_locked: set an extended attribute while holding the inode ++ * lock ++ * ++ * @dentry - object to perform setxattr on ++ * @name - name of xattr to remove ++ * @delegated_inode - on return, will contain an inode pointer that ++ * a delegation was broken on, NULL if none. ++ */ + int +-vfs_removexattr(struct dentry *dentry, const char *name) ++__vfs_removexattr_locked(struct dentry *dentry, const char *name, ++ struct inode **delegated_inode) + { + struct inode *inode = dentry->d_inode; + int error; +@@ -389,11 +436,14 @@ vfs_removexattr(struct dentry *dentry, const char *name) + if (error) + return error; + +- inode_lock(inode); + error = security_inode_removexattr(dentry, name); + if (error) + goto out; + ++ error = try_break_deleg(inode, delegated_inode); ++ if (error) ++ goto out; ++ + error = __vfs_removexattr(dentry, name); + + if (!error) { +@@ -402,12 +452,32 @@ vfs_removexattr(struct dentry *dentry, const char *name) + } + + out: ++ return error; ++} ++EXPORT_SYMBOL_GPL(__vfs_removexattr_locked); ++ ++int ++vfs_removexattr(struct dentry *dentry, const char *name) ++{ ++ struct inode *inode = dentry->d_inode; ++ struct inode *delegated_inode = NULL; ++ int error; ++ ++retry_deleg: ++ inode_lock(inode); ++ error = __vfs_removexattr_locked(dentry, name, &delegated_inode); + inode_unlock(inode); ++ ++ if (delegated_inode) { ++ error = break_deleg_wait(&delegated_inode); ++ if (!error) ++ goto retry_deleg; ++ } ++ + return error; + } + EXPORT_SYMBOL_GPL(vfs_removexattr); + +- + /* + * Extended attribute SET operations + */ +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index c6c15e5717e42..70da4113c2baf 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -785,9 +785,8 @@ xfs_attr_shortform_to_leaf(xfs_da_args_t *args) + ASSERT(blkno == 0); + error = xfs_attr3_leaf_create(args, blkno, &bp); + if (error) { +- error = xfs_da_shrink_inode(args, 0, bp); +- bp = NULL; +- if (error) ++ /* xfs_attr3_leaf_create may not have instantiated a block */ ++ if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0)) + goto out; + xfs_idata_realloc(dp, size, XFS_ATTR_FORK); /* try to put */ + memcpy(ifp->if_u1.if_data, tmpbuffer, size); /* it back */ +diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c +index 86a4911520cc5..69c112ddb544d 100644 +--- a/fs/xfs/xfs_icache.c ++++ b/fs/xfs/xfs_icache.c +@@ -307,6 +307,46 @@ xfs_reinit_inode( + return error; + } + ++/* ++ * If we are allocating a new inode, then check what was returned is ++ * actually a free, empty inode. If we are not allocating an inode, ++ * then check we didn't find a free inode. ++ * ++ * Returns: ++ * 0 if the inode free state matches the lookup context ++ * -ENOENT if the inode is free and we are not allocating ++ * -EFSCORRUPTED if there is any state mismatch at all ++ */ ++static int ++xfs_iget_check_free_state( ++ struct xfs_inode *ip, ++ int flags) ++{ ++ if (flags & XFS_IGET_CREATE) { ++ /* should be a free inode */ ++ if (VFS_I(ip)->i_mode != 0) { ++ xfs_warn(ip->i_mount, ++"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)", ++ ip->i_ino, VFS_I(ip)->i_mode); ++ return -EFSCORRUPTED; ++ } ++ ++ if (ip->i_d.di_nblocks != 0) { ++ xfs_warn(ip->i_mount, ++"Corruption detected! Free inode 0x%llx has blocks allocated!", ++ ip->i_ino); ++ return -EFSCORRUPTED; ++ } ++ return 0; ++ } ++ ++ /* should be an allocated inode */ ++ if (VFS_I(ip)->i_mode == 0) ++ return -ENOENT; ++ ++ return 0; ++} ++ + /* + * Check the validity of the inode we just found it the cache + */ +@@ -356,12 +396,12 @@ xfs_iget_cache_hit( + } + + /* +- * If lookup is racing with unlink return an error immediately. ++ * Check the inode free state is valid. This also detects lookup ++ * racing with unlinks. + */ +- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) { +- error = -ENOENT; ++ error = xfs_iget_check_free_state(ip, flags); ++ if (error) + goto out_error; +- } + + /* + * If IRECLAIMABLE is set, we've torn down the VFS inode already. +@@ -471,10 +511,14 @@ xfs_iget_cache_miss( + + trace_xfs_iget_miss(ip); + +- if ((VFS_I(ip)->i_mode == 0) && !(flags & XFS_IGET_CREATE)) { +- error = -ENOENT; ++ ++ /* ++ * Check the inode free state is valid. This also detects lookup ++ * racing with unlinks. ++ */ ++ error = xfs_iget_check_free_state(ip, flags); ++ if (error) + goto out_destroy; +- } + + /* + * Preload the radix tree so we can insert safely under the +diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c +index 7bfcd09d446b7..6bc949c63a75d 100644 +--- a/fs/xfs/xfs_log.c ++++ b/fs/xfs/xfs_log.c +@@ -2634,7 +2634,6 @@ xlog_state_do_callback( + int funcdidcallbacks; /* flag: function did callbacks */ + int repeats; /* for issuing console warnings if + * looping too many times */ +- int wake = 0; + + spin_lock(&log->l_icloglock); + first_iclog = iclog = log->l_iclog; +@@ -2836,11 +2835,9 @@ xlog_state_do_callback( + #endif + + if (log->l_iclog->ic_state & (XLOG_STATE_ACTIVE|XLOG_STATE_IOERROR)) +- wake = 1; +- spin_unlock(&log->l_icloglock); +- +- if (wake) + wake_up_all(&log->l_flush_wait); ++ ++ spin_unlock(&log->l_icloglock); + } + + +@@ -4002,7 +3999,9 @@ xfs_log_force_umount( + * item committed callback functions will do this again under lock to + * avoid races. + */ ++ spin_lock(&log->l_cilp->xc_push_lock); + wake_up_all(&log->l_cilp->xc_commit_wait); ++ spin_unlock(&log->l_cilp->xc_push_lock); + xlog_state_do_callback(log, XFS_LI_ABORTED, NULL); + + #ifdef XFSERRORDEBUG +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index 6b753b969f7b8..aa99711a8ff96 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -1108,6 +1108,7 @@ xfs_reflink_remap_extent( + xfs_filblks_t rlen; + xfs_filblks_t unmap_len; + xfs_off_t newlen; ++ int64_t qres; + int error; + + unmap_len = irec->br_startoff + irec->br_blockcount - destoff; +@@ -1135,13 +1136,19 @@ xfs_reflink_remap_extent( + xfs_ilock(ip, XFS_ILOCK_EXCL); + xfs_trans_ijoin(tp, ip, 0); + +- /* If we're not just clearing space, then do we have enough quota? */ +- if (real_extent) { +- error = xfs_trans_reserve_quota_nblks(tp, ip, +- irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS); +- if (error) +- goto out_cancel; +- } ++ /* ++ * Reserve quota for this operation. We don't know if the first unmap ++ * in the dest file will cause a bmap btree split, so we always reserve ++ * at least enough blocks for that split. If the extent being mapped ++ * in is written, we need to reserve quota for that too. ++ */ ++ qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK); ++ if (real_extent) ++ qres += irec->br_blockcount; ++ error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0, ++ XFS_QMOPT_RES_REGBLKS); ++ if (error) ++ goto out_cancel; + + trace_xfs_reflink_remap(ip, irec->br_startoff, + irec->br_blockcount, irec->br_startblock); +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h +index 1462071a19bf2..4fdb1d9848444 100644 +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -250,7 +250,8 @@ + + #define PAGE_ALIGNED_DATA(page_align) \ + . = ALIGN(page_align); \ +- *(.data..page_aligned) ++ *(.data..page_aligned) \ ++ . = ALIGN(page_align); + + #define READ_MOSTLY_DATA(align) \ + . = ALIGN(align); \ +@@ -625,7 +626,9 @@ + . = ALIGN(bss_align); \ + .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \ + BSS_FIRST_SECTIONS \ ++ . = ALIGN(PAGE_SIZE); \ + *(.bss..page_aligned) \ ++ . = ALIGN(PAGE_SIZE); \ + *(.dynbss) \ + *(BSS_MAIN) \ + *(COMMON) \ +diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h +index 27dbab59f034c..d86ac620f0aac 100644 +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -317,8 +317,8 @@ enum { + + #define QI_DEV_EIOTLB_ADDR(a) ((u64)(a) & VTD_PAGE_MASK) + #define QI_DEV_EIOTLB_SIZE (((u64)1) << 11) +-#define QI_DEV_EIOTLB_GLOB(g) ((u64)g) +-#define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32) ++#define QI_DEV_EIOTLB_GLOB(g) ((u64)(g) & 0x1) ++#define QI_DEV_EIOTLB_PASID(p) ((u64)((p) & 0xfffff) << 32) + #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16) + #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4) + #define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \ +diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h +index e3d7754f25f00..5c7645e156a50 100644 +--- a/include/linux/mmzone.h ++++ b/include/linux/mmzone.h +@@ -756,7 +756,8 @@ static inline bool is_dev_zone(const struct zone *zone) + #include + + extern struct mutex zonelists_mutex; +-void build_all_zonelists(pg_data_t *pgdat, struct zone *zone); ++void build_all_zonelists(pg_data_t *pgdat, struct zone *zone, ++ bool hotplug_context); + void wakeup_kswapd(struct zone *zone, int order, enum zone_type classzone_idx); + bool __zone_watermark_ok(struct zone *z, unsigned int order, unsigned long mark, + int classzone_idx, unsigned int alloc_flags, +diff --git a/include/linux/prandom.h b/include/linux/prandom.h +new file mode 100644 +index 0000000000000..aa16e6468f91e +--- /dev/null ++++ b/include/linux/prandom.h +@@ -0,0 +1,78 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * include/linux/prandom.h ++ * ++ * Include file for the fast pseudo-random 32-bit ++ * generation. ++ */ ++#ifndef _LINUX_PRANDOM_H ++#define _LINUX_PRANDOM_H ++ ++#include ++#include ++ ++u32 prandom_u32(void); ++void prandom_bytes(void *buf, size_t nbytes); ++void prandom_seed(u32 seed); ++void prandom_reseed_late(void); ++ ++struct rnd_state { ++ __u32 s1, s2, s3, s4; ++}; ++ ++DECLARE_PER_CPU(struct rnd_state, net_rand_state); ++ ++u32 prandom_u32_state(struct rnd_state *state); ++void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes); ++void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state); ++ ++#define prandom_init_once(pcpu_state) \ ++ DO_ONCE(prandom_seed_full_state, (pcpu_state)) ++ ++/** ++ * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro) ++ * @ep_ro: right open interval endpoint ++ * ++ * Returns a pseudo-random number that is in interval [0, ep_ro). Note ++ * that the result depends on PRNG being well distributed in [0, ~0U] ++ * u32 space. Here we use maximally equidistributed combined Tausworthe ++ * generator, that is, prandom_u32(). This is useful when requesting a ++ * random index of an array containing ep_ro elements, for example. ++ * ++ * Returns: pseudo-random number in interval [0, ep_ro) ++ */ ++static inline u32 prandom_u32_max(u32 ep_ro) ++{ ++ return (u32)(((u64) prandom_u32() * ep_ro) >> 32); ++} ++ ++/* ++ * Handle minimum values for seeds ++ */ ++static inline u32 __seed(u32 x, u32 m) ++{ ++ return (x < m) ? x + m : x; ++} ++ ++/** ++ * prandom_seed_state - set seed for prandom_u32_state(). ++ * @state: pointer to state structure to receive the seed. ++ * @seed: arbitrary 64-bit value to use as a seed. ++ */ ++static inline void prandom_seed_state(struct rnd_state *state, u64 seed) ++{ ++ u32 i = (seed >> 32) ^ (seed << 10) ^ seed; ++ ++ state->s1 = __seed(i, 2U); ++ state->s2 = __seed(i, 8U); ++ state->s3 = __seed(i, 16U); ++ state->s4 = __seed(i, 128U); ++} ++ ++/* Pseudo random number generator from numerical recipes. */ ++static inline u32 next_pseudo_random32(u32 seed) ++{ ++ return seed * 1664525 + 1013904223; ++} ++ ++#endif +diff --git a/include/linux/random.h b/include/linux/random.h +index 16ab429735a78..15cd754544686 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -46,61 +46,12 @@ unsigned int get_random_int(void); + unsigned long get_random_long(void); + unsigned long randomize_page(unsigned long start, unsigned long range); + +-u32 prandom_u32(void); +-void prandom_bytes(void *buf, size_t nbytes); +-void prandom_seed(u32 seed); +-void prandom_reseed_late(void); +- +-struct rnd_state { +- __u32 s1, s2, s3, s4; +-}; +- +-u32 prandom_u32_state(struct rnd_state *state); +-void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes); +-void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state); +- +-#define prandom_init_once(pcpu_state) \ +- DO_ONCE(prandom_seed_full_state, (pcpu_state)) +- +-/** +- * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro) +- * @ep_ro: right open interval endpoint +- * +- * Returns a pseudo-random number that is in interval [0, ep_ro). Note +- * that the result depends on PRNG being well distributed in [0, ~0U] +- * u32 space. Here we use maximally equidistributed combined Tausworthe +- * generator, that is, prandom_u32(). This is useful when requesting a +- * random index of an array containing ep_ro elements, for example. +- * +- * Returns: pseudo-random number in interval [0, ep_ro) +- */ +-static inline u32 prandom_u32_max(u32 ep_ro) +-{ +- return (u32)(((u64) prandom_u32() * ep_ro) >> 32); +-} +- + /* +- * Handle minimum values for seeds ++ * This is designed to be standalone for just prandom ++ * users, but for now we include it from ++ * for legacy reasons. + */ +-static inline u32 __seed(u32 x, u32 m) +-{ +- return (x < m) ? x + m : x; +-} +- +-/** +- * prandom_seed_state - set seed for prandom_u32_state(). +- * @state: pointer to state structure to receive the seed. +- * @seed: arbitrary 64-bit value to use as a seed. +- */ +-static inline void prandom_seed_state(struct rnd_state *state, u64 seed) +-{ +- u32 i = (seed >> 32) ^ (seed << 10) ^ seed; +- +- state->s1 = __seed(i, 2U); +- state->s2 = __seed(i, 8U); +- state->s3 = __seed(i, 16U); +- state->s4 = __seed(i, 128U); +-} ++#include + + #ifdef CONFIG_ARCH_RANDOM + # include +@@ -131,10 +82,4 @@ static inline bool arch_has_random_seed(void) + } + #endif + +-/* Pseudo random number generator from numerical recipes. */ +-static inline u32 next_pseudo_random32(u32 seed) +-{ +- return seed * 1664525 + 1013904223; +-} +- + #endif /* _LINUX_RANDOM_H */ +diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h +index be586c632a0c0..f261114e2758a 100644 +--- a/include/linux/tracepoint.h ++++ b/include/linux/tracepoint.h +@@ -314,7 +314,7 @@ extern void syscall_unregfunc(void); + static const char *___tp_str __tracepoint_string = str; \ + ___tp_str; \ + }) +-#define __tracepoint_string __attribute__((section("__tracepoint_str"))) ++#define __tracepoint_string __attribute__((section("__tracepoint_str"), used)) + #else + /* + * tracepoint_string() is used to save the string address for userspace +diff --git a/include/linux/xattr.h b/include/linux/xattr.h +index e77605a0c8da3..1b1c9bfd24e99 100644 +--- a/include/linux/xattr.h ++++ b/include/linux/xattr.h +@@ -51,8 +51,10 @@ ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); + ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); + int __vfs_setxattr(struct dentry *, struct inode *, const char *, const void *, size_t, int); + int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int); ++int __vfs_setxattr_locked(struct dentry *, const char *, const void *, size_t, int, struct inode **); + int vfs_setxattr(struct dentry *, const char *, const void *, size_t, int); + int __vfs_removexattr(struct dentry *, const char *); ++int __vfs_removexattr_locked(struct dentry *, const char *, struct inode **); + int vfs_removexattr(struct dentry *, const char *); + + ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size); +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index 019b06c035a84..34ea021df0083 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -253,6 +253,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, + const struct in6_addr *addr); + int ipv6_sock_ac_drop(struct sock *sk, int ifindex, + const struct in6_addr *addr); ++void __ipv6_sock_ac_close(struct sock *sk); + void ipv6_sock_ac_close(struct sock *sk); + + int __ipv6_dev_ac_inc(struct inet6_dev *idev, const struct in6_addr *addr); +diff --git a/include/net/sock.h b/include/net/sock.h +index db68c72126d54..d0e18917d8be8 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -784,6 +784,8 @@ static inline int sk_memalloc_socks(void) + { + return static_key_false(&memalloc_socks); + } ++ ++void __receive_sock(struct file *file); + #else + + static inline int sk_memalloc_socks(void) +@@ -791,6 +793,8 @@ static inline int sk_memalloc_socks(void) + return 0; + } + ++static inline void __receive_sock(struct file *file) ++{ } + #endif + + static inline gfp_t sk_gfp_mask(const struct sock *sk, gfp_t gfp_mask) +diff --git a/include/uapi/drm/Kbuild b/include/uapi/drm/Kbuild +index 9355dd8eff3ba..489b093580dd0 100644 +--- a/include/uapi/drm/Kbuild ++++ b/include/uapi/drm/Kbuild +@@ -20,3 +20,6 @@ header-y += vmwgfx_drm.h + header-y += msm_drm.h + header-y += vc4_drm.h + header-y += virtgpu_drm.h ++header-y += armada_drm.h ++header-y += etnaviv_drm.h ++header-y += vgem_drm.h +diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild +index cd2be1c8e9fb6..39bf68b36332e 100644 +--- a/include/uapi/linux/Kbuild ++++ b/include/uapi/linux/Kbuild +@@ -475,3 +475,23 @@ header-y += xilinx-v4l2-controls.h + header-y += zorro.h + header-y += zorro_ids.h + header-y += userfaultfd.h ++header-y += auto_dev-ioctl.h ++header-y += bcache.h ++header-y += btrfs_tree.h ++header-y += coresight-stm.h ++header-y += cryptouser.h ++header-y += hash_info.h ++header-y += kcm.h ++header-y += kcov.h ++header-y += kfd_ioctl.h ++header-y += lightnvm.h ++header-y += module.h ++header-y += nilfs2_api.h ++header-y += nilfs2_ondisk.h ++header-y += nsfs.h ++header-y += pr.h ++header-y += qrtr.h ++header-y += stm.h ++header-y += wil6210_uapi.h ++header-y += cifs/ ++header-y += genwqe/ +diff --git a/include/uapi/linux/bcache.h b/include/uapi/linux/bcache.h +index 8562b1cb776b7..3b92610502ca8 100644 +--- a/include/uapi/linux/bcache.h ++++ b/include/uapi/linux/bcache.h +@@ -5,7 +5,7 @@ + * Bcache on disk data structures + */ + +-#include ++#include + + #define BITMASK(name, type, field, offset, size) \ + static inline __u64 name(const type *k) \ +diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h +index a1ded2a1bf1da..2abf660e9f65c 100644 +--- a/include/uapi/linux/btrfs_tree.h ++++ b/include/uapi/linux/btrfs_tree.h +@@ -1,6 +1,8 @@ + #ifndef _BTRFS_CTREE_H_ + #define _BTRFS_CTREE_H_ + ++#include ++ + /* + * This header contains the structure definitions and constants used + * by file system objects that can be retrieved using +diff --git a/include/uapi/linux/cifs/Kbuild b/include/uapi/linux/cifs/Kbuild +new file mode 100644 +index 0000000000000..829f5d44f5be4 +--- /dev/null ++++ b/include/uapi/linux/cifs/Kbuild +@@ -0,0 +1 @@ ++header-y += cifs_mount.h +diff --git a/include/uapi/linux/cryptouser.h b/include/uapi/linux/cryptouser.h +index 79b5ded2001a3..3d0aa2bc69f32 100644 +--- a/include/uapi/linux/cryptouser.h ++++ b/include/uapi/linux/cryptouser.h +@@ -18,6 +18,8 @@ + * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA. + */ + ++#include ++ + /* Netlink configuration messages. */ + enum { + CRYPTO_MSG_BASE = 0x10, +diff --git a/include/uapi/linux/genwqe/Kbuild b/include/uapi/linux/genwqe/Kbuild +new file mode 100644 +index 0000000000000..027f11d24ca31 +--- /dev/null ++++ b/include/uapi/linux/genwqe/Kbuild +@@ -0,0 +1 @@ ++header-y += genwqe_card.h +diff --git a/include/uapi/linux/pr.h b/include/uapi/linux/pr.h +index 57d7c0f916b6f..645ef3cf3dd08 100644 +--- a/include/uapi/linux/pr.h ++++ b/include/uapi/linux/pr.h +@@ -1,6 +1,8 @@ + #ifndef _UAPI_PR_H + #define _UAPI_PR_H + ++#include ++ + enum pr_type { + PR_WRITE_EXCLUSIVE = 1, + PR_EXCLUSIVE_ACCESS = 2, +diff --git a/include/uapi/linux/qrtr.h b/include/uapi/linux/qrtr.h +index 66c0748d26e2b..9d76c566f66e8 100644 +--- a/include/uapi/linux/qrtr.h ++++ b/include/uapi/linux/qrtr.h +@@ -2,6 +2,7 @@ + #define _LINUX_QRTR_H + + #include ++#include + + struct sockaddr_qrtr { + __kernel_sa_family_t sq_family; +diff --git a/init/main.c b/init/main.c +index d47860dbe8969..7ad08957dd180 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -512,7 +512,7 @@ asmlinkage __visible void __init start_kernel(void) + smp_prepare_boot_cpu(); /* arch-specific boot-cpu hooks */ + boot_cpu_hotplug_init(); + +- build_all_zonelists(NULL, NULL); ++ build_all_zonelists(NULL, NULL, false); + page_alloc_init(); + + pr_notice("Kernel command line: %s\n", boot_command_line); +diff --git a/kernel/cgroup.c b/kernel/cgroup.c +index f047c73189f36..684d02f343b4c 100644 +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -6355,6 +6355,8 @@ void cgroup_sk_clone(struct sock_cgroup_data *skcd) + { + /* Socket clone path */ + if (skcd->val) { ++ if (skcd->no_refcnt) ++ return; + /* + * We might be cloning a socket which is left in an empty + * cgroup and the cgroup might have already been rmdir'd. +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index a864e94ecb6b6..9aa2dbe6a4568 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2029,6 +2029,13 @@ static void kill_kprobe(struct kprobe *p) + * the original probed function (which will be freed soon) any more. + */ + arch_remove_kprobe(p); ++ ++ /* ++ * The module is going away. We should disarm the kprobe which ++ * is using ftrace. ++ */ ++ if (kprobe_ftrace(p)) ++ disarm_kprobe_ftrace(p); + } + + /* Disable one kprobe */ +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index 88c2c597f61c4..d2e4698d43fec 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -42,6 +42,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1635,6 +1636,13 @@ void update_process_times(int user_tick) + #endif + scheduler_tick(); + run_posix_cpu_timers(p); ++ ++ /* The current CPU might make use of net randoms without receiving IRQs ++ * to renew them often enough. Let's update the net_rand_state from a ++ * non-constant value that's not affine to the number of calls to make ++ * sure it's updated when there's some activity (we don't care in idle). ++ */ ++ this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick); + } + + /** +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 2ae98f8bce81b..4d1be82e7011a 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4987,8 +4987,11 @@ static int referenced_filters(struct dyn_ftrace *rec) + int cnt = 0; + + for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) { +- if (ops_references_rec(ops, rec)) +- cnt++; ++ if (ops_references_rec(ops, rec)) { ++ cnt++; ++ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS) ++ rec->flags |= FTRACE_FL_REGS; ++ } + } + + return cnt; +@@ -5084,8 +5087,8 @@ void ftrace_module_enable(struct module *mod) + if (ftrace_start_up) + cnt += referenced_filters(rec); + +- /* This clears FTRACE_FL_DISABLED */ +- rec->flags = cnt; ++ rec->flags &= ~FTRACE_FL_DISABLED; ++ rec->flags += cnt; + + if (ftrace_start_up && cnt) { + int failed = __ftrace_replace_code(rec, 1); +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index c7c96bc7654af..91c451e0f4741 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = { + { _DPRINTK_FLAGS_NONE, '_' }, + }; + ++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; }; ++ + /* format a string into buf[] which describes the _ddebug's flags */ +-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf, +- size_t maxlen) ++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb) + { +- char *p = buf; ++ char *p = fb->buf; + int i; + +- BUG_ON(maxlen < 6); + for (i = 0; i < ARRAY_SIZE(opt_array); ++i) +- if (dp->flags & opt_array[i].flag) ++ if (flags & opt_array[i].flag) + *p++ = opt_array[i].opt_char; +- if (p == buf) ++ if (p == fb->buf) + *p++ = '_'; + *p = '\0'; + +- return buf; ++ return fb->buf; + } + + #define vpr_info(fmt, ...) \ +@@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query, + struct ddebug_table *dt; + unsigned int newflags; + unsigned int nfound = 0; +- char flagbuf[10]; ++ struct flagsbuf fbuf; + + /* search for matching ddebugs */ + mutex_lock(&ddebug_lock); +@@ -199,8 +199,7 @@ static int ddebug_change(const struct ddebug_query *query, + vpr_info("changed %s:%d [%s]%s =%s\n", + trim_prefix(dp->filename), dp->lineno, + dt->mod_name, dp->function, +- ddebug_describe_flags(dp, flagbuf, +- sizeof(flagbuf))); ++ ddebug_describe_flags(dp->flags, &fbuf)); + } + } + mutex_unlock(&ddebug_lock); +@@ -779,7 +778,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + { + struct ddebug_iter *iter = m->private; + struct _ddebug *dp = p; +- char flagsbuf[10]; ++ struct flagsbuf flags; + + vpr_info("called m=%p p=%p\n", m, p); + +@@ -792,7 +791,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + seq_printf(m, "%s:%u [%s]%s =%s \"", + trim_prefix(dp->filename), dp->lineno, + iter->table->mod_name, dp->function, +- ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf))); ++ ddebug_describe_flags(dp->flags, &flags)); + seq_escape(m, dp->format, "\t\r\n\""); + seq_puts(m, "\"\n"); + +diff --git a/lib/random32.c b/lib/random32.c +index fa594b1140e64..889dab44bd747 100644 +--- a/lib/random32.c ++++ b/lib/random32.c +@@ -47,7 +47,7 @@ static inline void prandom_state_selftest(void) + } + #endif + +-static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy; ++DEFINE_PER_CPU(struct rnd_state, net_rand_state); + + /** + * prandom_u32_state - seeded pseudo-random number generator. +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 8217ee5d66ef2..3080c6415493c 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1250,6 +1250,7 @@ static void collect_mm_slot(struct mm_slot *mm_slot) + static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) + { + struct vm_area_struct *vma; ++ struct mm_struct *mm; + unsigned long addr; + pmd_t *pmd, _pmd; + +@@ -1263,7 +1264,8 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) + continue; + if (vma->vm_end < addr + HPAGE_PMD_SIZE) + continue; +- pmd = mm_find_pmd(vma->vm_mm, addr); ++ mm = vma->vm_mm; ++ pmd = mm_find_pmd(mm, addr); + if (!pmd) + continue; + /* +@@ -1272,14 +1274,16 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) + * re-fault. Not ideal, but it's more important to not disturb + * the system too much. + */ +- if (down_write_trylock(&vma->vm_mm->mmap_sem)) { +- spinlock_t *ptl = pmd_lock(vma->vm_mm, pmd); +- /* assume page table is clear */ +- _pmd = pmdp_collapse_flush(vma, addr, pmd); +- spin_unlock(ptl); +- up_write(&vma->vm_mm->mmap_sem); +- atomic_long_dec(&vma->vm_mm->nr_ptes); +- pte_free(vma->vm_mm, pmd_pgtable(_pmd)); ++ if (down_write_trylock(&mm->mmap_sem)) { ++ if (!khugepaged_test_exit(mm)) { ++ spinlock_t *ptl = pmd_lock(mm, pmd); ++ /* assume page table is clear */ ++ _pmd = pmdp_collapse_flush(vma, addr, pmd); ++ spin_unlock(ptl); ++ atomic_long_dec(&mm->nr_ptes); ++ pte_free(mm, pmd_pgtable(_pmd)); ++ } ++ up_write(&mm->mmap_sem); + } + } + i_mmap_unlock_write(mapping); +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 449999657c0bb..a4ffe59963176 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1125,7 +1125,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ + mutex_lock(&zonelists_mutex); + if (!populated_zone(zone)) { + need_zonelists_rebuild = 1; +- build_all_zonelists(NULL, zone); ++ build_all_zonelists(NULL, zone, true); + } + + ret = walk_system_ram_range(pfn, nr_pages, &onlined_pages, +@@ -1146,7 +1146,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ + if (onlined_pages) { + node_states_set_node(nid, &arg); + if (need_zonelists_rebuild) +- build_all_zonelists(NULL, NULL); ++ build_all_zonelists(NULL, NULL, true); + else + zone_pcp_update(zone); + } +@@ -1220,7 +1220,7 @@ static pg_data_t __ref *hotadd_new_pgdat(int nid, u64 start) + * to access not-initialized zonelist, build here. + */ + mutex_lock(&zonelists_mutex); +- build_all_zonelists(pgdat, NULL); ++ build_all_zonelists(pgdat, NULL, true); + mutex_unlock(&zonelists_mutex); + + /* +@@ -1276,7 +1276,7 @@ int try_online_node(int nid) + + if (pgdat->node_zonelists->_zonerefs->zone == NULL) { + mutex_lock(&zonelists_mutex); +- build_all_zonelists(NULL, NULL); ++ build_all_zonelists(NULL, NULL, true); + mutex_unlock(&zonelists_mutex); + } + +@@ -2016,7 +2016,7 @@ repeat: + if (!populated_zone(zone)) { + zone_pcp_reset(zone); + mutex_lock(&zonelists_mutex); +- build_all_zonelists(NULL, NULL); ++ build_all_zonelists(NULL, NULL, true); + mutex_unlock(&zonelists_mutex); + } else + zone_pcp_update(zone); +diff --git a/mm/mmap.c b/mm/mmap.c +index d221266d100f4..7109f886e739e 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -3018,6 +3018,7 @@ void exit_mmap(struct mm_struct *mm) + if (vma->vm_flags & VM_ACCOUNT) + nr_accounted += vma_pages(vma); + vma = remove_vma(vma); ++ cond_resched(); + } + vm_unacct_memory(nr_accounted); + } +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index de00e0fec4845..f394dd87fa033 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -4608,7 +4608,7 @@ int numa_zonelist_order_handler(struct ctl_table *table, int write, + user_zonelist_order = oldval; + } else if (oldval != user_zonelist_order) { + mutex_lock(&zonelists_mutex); +- build_all_zonelists(NULL, NULL); ++ build_all_zonelists(NULL, NULL, false); + mutex_unlock(&zonelists_mutex); + } + } +@@ -4988,11 +4988,12 @@ build_all_zonelists_init(void) + * (2) call of __init annotated helper build_all_zonelists_init + * [protected by SYSTEM_BOOTING]. + */ +-void __ref build_all_zonelists(pg_data_t *pgdat, struct zone *zone) ++void __ref build_all_zonelists(pg_data_t *pgdat, struct zone *zone, ++ bool hotplug_context) + { + set_zonelist_order(); + +- if (system_state == SYSTEM_BOOTING) { ++ if (system_state == SYSTEM_BOOTING && !hotplug_context) { + build_all_zonelists_init(); + } else { + #ifdef CONFIG_MEMORY_HOTPLUG +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index aa4586672cee9..bad27b0ec65d6 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -295,7 +295,6 @@ static void p9_read_work(struct work_struct *work) + { + int n, err; + struct p9_conn *m; +- int status = REQ_STATUS_ERROR; + + m = container_of(work, struct p9_conn, rq); + +@@ -375,11 +374,21 @@ static void p9_read_work(struct work_struct *work) + if ((m->req) && (m->rc.offset == m->rc.capacity)) { + p9_debug(P9_DEBUG_TRANS, "got new packet\n"); + spin_lock(&m->client->lock); +- if (m->req->status != REQ_STATUS_ERROR) +- status = REQ_STATUS_RCVD; +- list_del(&m->req->req_list); +- /* update req->status while holding client->lock */ +- p9_client_cb(m->client, m->req, status); ++ if (m->req->status == REQ_STATUS_SENT) { ++ list_del(&m->req->req_list); ++ p9_client_cb(m->client, m->req, REQ_STATUS_RCVD); ++ } else if (m->req->status == REQ_STATUS_FLSHD) { ++ /* Ignore replies associated with a cancelled request. */ ++ p9_debug(P9_DEBUG_TRANS, ++ "Ignore replies associated with a cancelled request\n"); ++ } else { ++ spin_unlock(&m->client->lock); ++ p9_debug(P9_DEBUG_ERROR, ++ "Request tag %d errored out while we were reading the reply\n", ++ m->rc.tag); ++ err = -EIO; ++ goto error; ++ } + spin_unlock(&m->client->lock); + m->rc.sdata = NULL; + m->rc.offset = 0; +@@ -712,11 +721,20 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req) + { + p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req); + ++ spin_lock(&client->lock); ++ /* Ignore cancelled request if message has been received ++ * before lock. ++ */ ++ if (req->status == REQ_STATUS_RCVD) { ++ spin_unlock(&client->lock); ++ return 0; ++ } ++ + /* we haven't received a response for oldreq, + * remove it from the list. + */ +- spin_lock(&client->lock); + list_del(&req->req_list); ++ req->status = REQ_STATUS_FLSHD; + spin_unlock(&client->lock); + + return 0; +@@ -797,20 +815,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) + return -ENOMEM; + + ts->rd = fget(rfd); ++ if (!ts->rd) ++ goto out_free_ts; ++ if (!(ts->rd->f_mode & FMODE_READ)) ++ goto out_put_rd; + ts->wr = fget(wfd); +- if (!ts->rd || !ts->wr) { +- if (ts->rd) +- fput(ts->rd); +- if (ts->wr) +- fput(ts->wr); +- kfree(ts); +- return -EIO; +- } ++ if (!ts->wr) ++ goto out_put_rd; ++ if (!(ts->wr->f_mode & FMODE_WRITE)) ++ goto out_put_wr; + + client->trans = ts; + client->status = Connected; + + return 0; ++ ++out_put_wr: ++ fput(ts->wr); ++out_put_rd: ++ fput(ts->rd); ++out_free_ts: ++ kfree(ts); ++ return -EIO; + } + + static int p9_socket_open(struct p9_client *client, struct socket *csocket) +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 21096c8822231..3bfd747aa515b 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -57,6 +57,7 @@ static bool enable_6lowpan; + /* We are listening incoming connections via this channel + */ + static struct l2cap_chan *listen_chan; ++static DEFINE_MUTEX(set_lock); + + struct lowpan_peer { + struct list_head list; +@@ -1187,12 +1188,14 @@ static void do_enable_set(struct work_struct *work) + + enable_6lowpan = set_enable->flag; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + } + + listen_chan = bt_6lowpan_listen(); ++ mutex_unlock(&set_lock); + + kfree(set_enable); + } +@@ -1244,11 +1247,13 @@ static ssize_t lowpan_control_write(struct file *fp, + if (ret == -EINVAL) + return ret; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + listen_chan = NULL; + } ++ mutex_unlock(&set_lock); + + if (conn) { + struct lowpan_peer *peer; +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index a8aa3f29f2d61..757977c54d9ef 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2094,7 +2094,7 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) +@@ -3623,6 +3623,9 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, + struct inquiry_info_with_rssi_and_pscan_mode *info; + info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3644,6 +3647,9 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, + } else { + struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3664,6 +3670,7 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, + } + } + ++unlock: + hci_dev_unlock(hdev); + } + +@@ -3826,7 +3833,7 @@ static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) +diff --git a/net/compat.c b/net/compat.c +index 633fcf6ee3697..ce851cf4d0f9d 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -284,6 +284,7 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) + break; + } + /* Bump the usage count and install the file. */ ++ __receive_sock(fp[i]); + fd_install(new_fd, get_file(fp[i])); + } + +diff --git a/net/core/sock.c b/net/core/sock.c +index 3be209f749654..d468ffb5a31c6 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2323,6 +2323,27 @@ int sock_no_mmap(struct file *file, struct socket *sock, struct vm_area_struct * + } + EXPORT_SYMBOL(sock_no_mmap); + ++/* ++ * When a file is received (via SCM_RIGHTS, etc), we must bump the ++ * various sock-based usage counts. ++ */ ++void __receive_sock(struct file *file) ++{ ++ struct socket *sock; ++ int error; ++ ++ /* ++ * The resulting value of "error" is ignored here since we only ++ * need to take action when the file is a socket and testing ++ * "sock" for NULL is sufficient. ++ */ ++ sock = sock_from_file(file, &error); ++ if (sock) { ++ sock_update_netprioidx(&sock->sk->sk_cgrp_data); ++ sock_update_classid(&sock->sk->sk_cgrp_data); ++ } ++} ++ + ssize_t sock_no_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags) + { + ssize_t res; +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index a1a7ed6fc8dda..88e357b5fc0f8 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1719,7 +1719,7 @@ struct fib_table *fib_trie_unmerge(struct fib_table *oldtb) + while ((l = leaf_walk_rcu(&tp, key)) != NULL) { + struct key_vector *local_l = NULL, *local_tp; + +- hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) { ++ hlist_for_each_entry(fa, &l->leaf, fa_list) { + struct fib_alias *new_fa; + + if (local_tb->tb_id != fa->tb_id) +diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c +index 514ac259f5433..b831e9b2e9063 100644 +--- a/net/ipv6/anycast.c ++++ b/net/ipv6/anycast.c +@@ -170,7 +170,7 @@ int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr) + return 0; + } + +-void ipv6_sock_ac_close(struct sock *sk) ++void __ipv6_sock_ac_close(struct sock *sk) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct net_device *dev = NULL; +@@ -178,10 +178,7 @@ void ipv6_sock_ac_close(struct sock *sk) + struct net *net = sock_net(sk); + int prev_index; + +- if (!np->ipv6_ac_list) +- return; +- +- rtnl_lock(); ++ ASSERT_RTNL(); + pac = np->ipv6_ac_list; + np->ipv6_ac_list = NULL; + +@@ -198,6 +195,16 @@ void ipv6_sock_ac_close(struct sock *sk) + sock_kfree_s(sk, pac, sizeof(*pac)); + pac = next; + } ++} ++ ++void ipv6_sock_ac_close(struct sock *sk) ++{ ++ struct ipv6_pinfo *np = inet6_sk(sk); ++ ++ if (!np->ipv6_ac_list) ++ return; ++ rtnl_lock(); ++ __ipv6_sock_ac_close(sk); + rtnl_unlock(); + } + +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 2c770bba212cf..622063438953b 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -206,6 +206,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + + fl6_free_socklist(sk); + __ipv6_sock_mc_close(sk); ++ __ipv6_sock_ac_close(sk); + + /* + * Sock is moving from IPv6 to IPv4 (sk_prot), so +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 88dd5d218fe30..1a13715b9a591 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1964,6 +1964,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev) + ieee80211_stop_mesh(sdata); + mutex_lock(&sdata->local->mtx); + ieee80211_vif_release_channel(sdata); ++ kfree(sdata->u.mesh.ie); + mutex_unlock(&sdata->local->mtx); + + return 0; +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index 8c17d498df301..7c409ba1ddc74 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -555,6 +555,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, + del_timer_sync(&mpath->timer); + atomic_dec(&sdata->u.mesh.mpaths); + atomic_dec(&tbl->entries); ++ mesh_path_flush_pending(mpath); + kfree_rcu(mpath, rcu); + } + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 4f7061c3b7706..fef8d7758dae9 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -946,7 +946,7 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + +- while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ++ if (sta->sta_state == IEEE80211_STA_AUTHORIZED) { + ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); + WARN_ON_ONCE(ret); + } +diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c +index e386e6c90b179..574af981806fa 100644 +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -344,10 +344,13 @@ static int rawsock_create(struct net *net, struct socket *sock, + if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &rawsock_raw_ops; +- else ++ } else { + sock->ops = &rawsock_ops; ++ } + + sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); + if (!sk) +diff --git a/net/rds/recv.c b/net/rds/recv.c +index f16ee1b13b8d6..488a198be3e1f 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -405,12 +405,13 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc, + int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr) + { + struct rds_notifier *notifier; +- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */ ++ struct rds_rdma_notify cmsg; + unsigned int count = 0, max_messages = ~0U; + unsigned long flags; + LIST_HEAD(copy); + int err = 0; + ++ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */ + + /* put_cmsg copies to user space and thus may sleep. We can't do this + * with rs_lock held, so first grab as many notifications as we can stuff +diff --git a/net/socket.c b/net/socket.c +index 88abc72df2a69..ab64ae80ca2cd 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -498,7 +498,7 @@ static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed) + if (f.file) { + sock = sock_from_file(f.file, err); + if (likely(sock)) { +- *fput_needed = f.flags; ++ *fput_needed = f.flags & FDPUT_FPUT; + return sock; + } + fdput(f); +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 0048f90944ddf..e107754e29a77 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11317,13 +11317,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) + if (!wdev->netdev && !wdev->p2p_started) + return -ENETDOWN; + } +- +- if (!vcmd->doit) +- return -EOPNOTSUPP; + } else { + wdev = NULL; + } + ++ if (!vcmd->doit) ++ return -EOPNOTSUPP; ++ + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { + data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); + len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); +diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c +index 6b5af65f491fb..a3163645b5bd3 100644 +--- a/net/x25/x25_subr.c ++++ b/net/x25/x25_subr.c +@@ -368,6 +368,12 @@ void x25_disconnect(struct sock *sk, int reason, unsigned char cause, + sk->sk_state_change(sk); + sock_set_flag(sk, SOCK_DEAD); + } ++ if (x25->neighbour) { ++ read_lock_bh(&x25_list_lock); ++ x25_neigh_put(x25->neighbour); ++ x25->neighbour = NULL; ++ read_unlock_bh(&x25_list_lock); ++ } + } + + /* +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 3397b216bc6ca..4aecdc8f74b2a 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -907,7 +907,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &maplevel); +- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) ++ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) + goto out; + + rule += SMK_DIGITLEN; +@@ -928,6 +928,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + for (i = 0; i < catlen; i++) { + rule += SMK_DIGITLEN; ++ if (rule > data + count) { ++ rc = -EOVERFLOW; ++ goto out; ++ } + ret = sscanf(rule, "%u", &cat); + if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) + goto out; +@@ -2741,7 +2745,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) + static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) + { +- struct task_smack *tsp = current_security(); + char *data; + int rc; + LIST_HEAD(list_tmp); +@@ -2766,11 +2769,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, + kfree(data); + + if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { ++ struct cred *new; ++ struct task_smack *tsp; ++ ++ new = prepare_creds(); ++ if (!new) { ++ rc = -ENOMEM; ++ goto out; ++ } ++ tsp = new->security; + smk_destroy_label_list(&tsp->smk_relabel); + list_splice(&list_tmp, &tsp->smk_relabel); ++ commit_creds(new); + return count; + } +- ++out: + smk_destroy_label_list(&list_tmp); + return rc; + } +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c +index 8cdf489df80e0..4b78979599131 100644 +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -181,10 +181,16 @@ static long + odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct seq_oss_devinfo *dp; ++ long rc; ++ + dp = file->private_data; + if (snd_BUG_ON(!dp)) + return -ENXIO; +- return snd_seq_oss_ioctl(dp, cmd, arg); ++ ++ mutex_lock(®ister_mutex); ++ rc = snd_seq_oss_ioctl(dp, cmd, arg); ++ mutex_unlock(®ister_mutex); ++ return rc; + } + + #ifdef CONFIG_COMPAT +diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c +index d73ee11a32bd0..db14ee43e461a 100644 +--- a/sound/pci/echoaudio/echoaudio.c ++++ b/sound/pci/echoaudio/echoaudio.c +@@ -2215,7 +2215,6 @@ static int snd_echo_resume(struct device *dev) + if (err < 0) { + kfree(commpage_bak); + dev_err(dev, "resume init_hw err=%d\n", err); +- snd_echo_free(chip); + return err; + } + +@@ -2242,7 +2241,6 @@ static int snd_echo_resume(struct device *dev) + if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED, + KBUILD_MODNAME, chip)) { + dev_err(chip->card->dev, "cannot grab irq\n"); +- snd_echo_free(chip); + return -EBUSY; + } + chip->irq = pci->irq; +diff --git a/sound/usb/card.h b/sound/usb/card.h +index 111b0f009afa4..f1a517ac49b28 100644 +--- a/sound/usb/card.h ++++ b/sound/usb/card.h +@@ -125,6 +125,7 @@ struct snd_usb_substream { + unsigned int tx_length_quirk:1; /* add length specifier to transfers */ + unsigned int fmt_type; /* USB audio format type (1-3) */ + unsigned int pkt_offset_adj; /* Bytes to drop from beginning of packets (for non-compliant devices) */ ++ unsigned int stream_offset_adj; /* Bytes to drop from beginning of stream (for non-compliant devices) */ + + unsigned int running: 1; /* running status */ + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index 198515f86fcc2..1f2c69e599d9c 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -195,6 +195,7 @@ static const struct rc_config { + { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */ + { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ ++ { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */ + }; + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 9bc995f9b4e17..ec7bea45c852c 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1312,6 +1312,12 @@ static void retire_capture_urb(struct snd_usb_substream *subs, + // continue; + } + bytes = urb->iso_frame_desc[i].actual_length; ++ if (subs->stream_offset_adj > 0) { ++ unsigned int adj = min(subs->stream_offset_adj, bytes); ++ cp += adj; ++ bytes -= adj; ++ subs->stream_offset_adj -= adj; ++ } + frames = bytes / stride; + if (!subs->txfr_quirk) + bytes = frames * stride; +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index ec56ce3820619..689fd3103e5b6 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3335,7 +3335,13 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + * with. + */ + { +- USB_DEVICE(0x534d, 0x2109), ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | ++ USB_DEVICE_ID_MATCH_INT_CLASS | ++ USB_DEVICE_ID_MATCH_INT_SUBCLASS, ++ .idVendor = 0x534d, ++ .idProduct = 0x2109, ++ .bInterfaceClass = USB_CLASS_AUDIO, ++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { + .vendor_name = "MacroSilicon", + .product_name = "MS2109", +@@ -3374,5 +3380,61 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + } + } + }, ++{ ++ /* ++ * PIONEER DJ DDJ-RB ++ * PCM is 4 channels out, 2 dummy channels in @ 44.1 fixed ++ * The feedback for the output is the dummy input. ++ */ ++ USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 4, ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x01, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC, ++ .rates = SNDRV_PCM_RATE_44100, ++ .rate_min = 44100, ++ .rate_max = 44100, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 44100 } ++ } ++ }, ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 2, ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x82, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC| ++ USB_ENDPOINT_USAGE_IMPLICIT_FB, ++ .rates = SNDRV_PCM_RATE_44100, ++ .rate_min = 44100, ++ .rate_max = 44100, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 44100 } ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + + #undef USB_DEVICE_VENDOR_SPEC +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 486d27129ac39..08e1af85af384 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1121,6 +1121,9 @@ void snd_usb_set_format_quirk(struct snd_usb_substream *subs, + case USB_ID(0x041e, 0x3f19): /* E-Mu 0204 USB */ + set_format_emu_quirk(subs, fmt); + break; ++ case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */ ++ subs->stream_offset_adj = 2; ++ break; + } + } + +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 8e9548bc1f1a9..499f8def98de8 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -95,6 +95,7 @@ static void snd_usb_init_substream(struct snd_usb_stream *as, + subs->tx_length_quirk = as->chip->tx_length_quirk; + subs->speed = snd_usb_get_speed(subs->dev); + subs->pkt_offset_adj = 0; ++ subs->stream_offset_adj = 0; + + snd_usb_set_pcm_ops(as->pcm, stream); + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 62f4cacf253ab..b9db8739487dc 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2764,6 +2764,7 @@ process_dynamic_array_len(struct event_format *event, struct print_arg *arg, + if (read_expected(EVENT_DELIM, ")") < 0) + goto out_err; + ++ free_token(token); + type = read_token(&token); + *tok = token; + +diff --git a/tools/testing/selftests/powerpc/benchmarks/context_switch.c b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +index a36883ad48a45..4b4d2ce912566 100644 +--- a/tools/testing/selftests/powerpc/benchmarks/context_switch.c ++++ b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -97,8 +98,9 @@ static void start_thread_on(void *(*fn)(void *), void *arg, unsigned long cpu) + + static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + { +- int pid; +- cpu_set_t cpuset; ++ int pid, ncpus; ++ cpu_set_t *cpuset; ++ size_t size; + + pid = fork(); + if (pid == -1) { +@@ -109,14 +111,23 @@ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + if (pid) + return; + +- CPU_ZERO(&cpuset); +- CPU_SET(cpu, &cpuset); ++ ncpus = get_nprocs(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ cpuset = CPU_ALLOC(ncpus); ++ if (!cpuset) { ++ perror("malloc"); ++ exit(1); ++ } ++ CPU_ZERO_S(size, cpuset); ++ CPU_SET_S(cpu, size, cpuset); + +- if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) { ++ if (sched_setaffinity(0, size, cpuset)) { + perror("sched_setaffinity"); ++ CPU_FREE(cpuset); + exit(1); + } + ++ CPU_FREE(cpuset); + fn(arg); + + exit(0); +diff --git a/tools/testing/selftests/powerpc/utils.c b/tools/testing/selftests/powerpc/utils.c +index dcf74184bfd0a..bafb70d0ee264 100644 +--- a/tools/testing/selftests/powerpc/utils.c ++++ b/tools/testing/selftests/powerpc/utils.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -62,26 +63,38 @@ out: + + int pick_online_cpu(void) + { +- cpu_set_t mask; +- int cpu; ++ int ncpus, cpu = -1; ++ cpu_set_t *mask; ++ size_t size; ++ ++ ncpus = get_nprocs_conf(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ mask = CPU_ALLOC(ncpus); ++ if (!mask) { ++ perror("malloc"); ++ return -1; ++ } + +- CPU_ZERO(&mask); ++ CPU_ZERO_S(size, mask); + +- if (sched_getaffinity(0, sizeof(mask), &mask)) { ++ if (sched_getaffinity(0, size, mask)) { + perror("sched_getaffinity"); +- return -1; ++ goto done; + } + + /* We prefer a primary thread, but skip 0 */ +- for (cpu = 8; cpu < CPU_SETSIZE; cpu += 8) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = 8; cpu < ncpus; cpu += 8) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + /* Search for anything, but in reverse */ +- for (cpu = CPU_SETSIZE - 1; cpu >= 0; cpu--) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = ncpus - 1; cpu >= 0; cpu--) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + printf("No cpus in affinity mask?!\n"); +- return -1; ++ ++done: ++ CPU_FREE(mask); ++ return cpu; + } diff --git a/patch/kernel/meson64-legacy/patch-4.9.233-234-modified.patch b/patch/kernel/meson64-legacy/patch-4.9.233-234-modified.patch new file mode 100644 index 000000000..6d0c3b342 --- /dev/null +++ b/patch/kernel/meson64-legacy/patch-4.9.233-234-modified.patch @@ -0,0 +1,1074 @@ +diff --git a/Makefile b/Makefile +index af68e8c3fb962..e5a6f33e95de6 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 233 ++SUBLEVEL = 234 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h +index ff4049155c840..355aec0867f4d 100644 +--- a/arch/alpha/include/asm/io.h ++++ b/arch/alpha/include/asm/io.h +@@ -491,10 +491,10 @@ extern inline void writeq(u64 b, volatile void __iomem *addr) + } + #endif + +-#define ioread16be(p) be16_to_cpu(ioread16(p)) +-#define ioread32be(p) be32_to_cpu(ioread32(p)) +-#define iowrite16be(v,p) iowrite16(cpu_to_be16(v), (p)) +-#define iowrite32be(v,p) iowrite32(cpu_to_be32(v), (p)) ++#define ioread16be(p) swab16(ioread16(p)) ++#define ioread32be(p) swab32(ioread32(p)) ++#define iowrite16be(v,p) iowrite16(swab16(v), (p)) ++#define iowrite32be(v,p) iowrite32(swab32(v), (p)) + + #define inb_p inb + #define inw_p inw +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c +index bb0d5e21d60bd..b5ce1e81f945a 100644 +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -298,12 +298,6 @@ static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size) + next = stage2_pgd_addr_end(addr, end); + if (!stage2_pgd_none(*pgd)) + unmap_stage2_puds(kvm, pgd, addr, next); +- /* +- * If the range is too large, release the kvm->mmu_lock +- * to prevent starvation and lockup detector warnings. +- */ +- if (next != end) +- cond_resched_lock(&kvm->mmu_lock); + } while (pgd++, addr = next, addr != end); + } + +diff --git a/arch/m68k/include/asm/m53xxacr.h b/arch/m68k/include/asm/m53xxacr.h +index 3177ce8331d69..baee0c77b9818 100644 +--- a/arch/m68k/include/asm/m53xxacr.h ++++ b/arch/m68k/include/asm/m53xxacr.h +@@ -88,9 +88,9 @@ + * coherency though in all cases. And for copyback caches we will need + * to push cached data as well. + */ +-#define CACHE_INIT CACR_CINVA +-#define CACHE_INVALIDATE CACR_CINVA +-#define CACHE_INVALIDATED CACR_CINVA ++#define CACHE_INIT (CACHE_MODE + CACR_CINVA - CACR_EC) ++#define CACHE_INVALIDATE (CACHE_MODE + CACR_CINVA) ++#define CACHE_INVALIDATED (CACHE_MODE + CACR_CINVA) + + #define ACR0_MODE ((CONFIG_RAMBASE & 0xff000000) + \ + (0x000f0000) + \ +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c +index 2791f568bdb25..3e4fb430ae457 100644 +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -192,6 +192,9 @@ static int mm_fault_error(struct pt_regs *regs, unsigned long addr, int fault) + return MM_FAULT_CONTINUE; + } + ++// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE ++#define SIGFRAME_MAX_SIZE (4096 + 128) ++ + /* + * For 600- and 800-family processors, the error_code parameter is DSISR + * for a data fault, SRR1 for an instruction fault. For 400-family processors +@@ -341,7 +344,7 @@ retry: + /* + * N.B. The POWER/Open ABI allows programs to access up to + * 288 bytes below the stack pointer. +- * The kernel signal delivery code writes up to about 1.5kB ++ * The kernel signal delivery code writes up to about 4kB + * below the stack pointer (r1) before decrementing it. + * The exec code can write slightly over 640kB to the stack + * before setting the user r1. Thus we allow the stack to +@@ -365,7 +368,7 @@ retry: + * between the last mapped region and the stack will + * expand the stack rather than segfaulting. + */ +- if (address + 2048 < uregs->gpr[1] && !store_update_sp) ++ if (address + SIGFRAME_MAX_SIZE < uregs->gpr[1] && !store_update_sp) + goto bad_area; + } + if (expand_stack(vma, address)) +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index 0af19aa1df57d..3d6b372fab3f6 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -101,7 +101,6 @@ static void handle_system_shutdown(char event_modifier) + case EPOW_SHUTDOWN_ON_UPS: + pr_emerg("Loss of system power detected. System is running on" + " UPS/battery. Check RTAS error log for details\n"); +- orderly_poweroff(true); + break; + + case EPOW_SHUTDOWN_LOSS_OF_CRITICAL_FUNCTIONS: +diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h +index 5b0579abb3982..3ac991d81e74d 100644 +--- a/arch/x86/include/asm/archrandom.h ++++ b/arch/x86/include/asm/archrandom.h +@@ -45,7 +45,7 @@ static inline bool rdrand_long(unsigned long *v) + bool ok; + unsigned int retry = RDRAND_RETRY_LOOPS; + do { +- asm volatile(RDRAND_LONG "\n\t" ++ asm volatile(RDRAND_LONG + CC_SET(c) + : CC_OUT(c) (ok), "=a" (*v)); + if (ok) +@@ -59,7 +59,7 @@ static inline bool rdrand_int(unsigned int *v) + bool ok; + unsigned int retry = RDRAND_RETRY_LOOPS; + do { +- asm volatile(RDRAND_INT "\n\t" ++ asm volatile(RDRAND_INT + CC_SET(c) + : CC_OUT(c) (ok), "=a" (*v)); + if (ok) +@@ -71,7 +71,7 @@ static inline bool rdrand_int(unsigned int *v) + static inline bool rdseed_long(unsigned long *v) + { + bool ok; +- asm volatile(RDSEED_LONG "\n\t" ++ asm volatile(RDSEED_LONG + CC_SET(c) + : CC_OUT(c) (ok), "=a" (*v)); + return ok; +@@ -80,7 +80,7 @@ static inline bool rdseed_long(unsigned long *v) + static inline bool rdseed_int(unsigned int *v) + { + bool ok; +- asm volatile(RDSEED_INT "\n\t" ++ asm volatile(RDSEED_INT + CC_SET(c) + : CC_OUT(c) (ok), "=a" (*v)); + return ok; +diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h +index 68557f52b9619..fb402d4c45082 100644 +--- a/arch/x86/include/asm/bitops.h ++++ b/arch/x86/include/asm/bitops.h +@@ -77,7 +77,7 @@ set_bit(long nr, volatile unsigned long *addr) + : "iq" ((u8)CONST_MASK(nr)) + : "memory"); + } else { +- asm volatile(LOCK_PREFIX "bts %1,%0" ++ asm volatile(LOCK_PREFIX __ASM_SIZE(bts) " %1,%0" + : BITOP_ADDR(addr) : "Ir" (nr) : "memory"); + } + } +@@ -93,7 +93,7 @@ set_bit(long nr, volatile unsigned long *addr) + */ + static __always_inline void __set_bit(long nr, volatile unsigned long *addr) + { +- asm volatile("bts %1,%0" : ADDR : "Ir" (nr) : "memory"); ++ asm volatile(__ASM_SIZE(bts) " %1,%0" : ADDR : "Ir" (nr) : "memory"); + } + + /** +@@ -114,7 +114,7 @@ clear_bit(long nr, volatile unsigned long *addr) + : CONST_MASK_ADDR(nr, addr) + : "iq" ((u8)~CONST_MASK(nr))); + } else { +- asm volatile(LOCK_PREFIX "btr %1,%0" ++ asm volatile(LOCK_PREFIX __ASM_SIZE(btr) " %1,%0" + : BITOP_ADDR(addr) + : "Ir" (nr)); + } +@@ -136,7 +136,7 @@ static __always_inline void clear_bit_unlock(long nr, volatile unsigned long *ad + + static __always_inline void __clear_bit(long nr, volatile unsigned long *addr) + { +- asm volatile("btr %1,%0" : ADDR : "Ir" (nr)); ++ asm volatile(__ASM_SIZE(btr) " %1,%0" : ADDR : "Ir" (nr)); + } + + /* +@@ -168,7 +168,7 @@ static __always_inline void __clear_bit_unlock(long nr, volatile unsigned long * + */ + static __always_inline void __change_bit(long nr, volatile unsigned long *addr) + { +- asm volatile("btc %1,%0" : ADDR : "Ir" (nr)); ++ asm volatile(__ASM_SIZE(btc) " %1,%0" : ADDR : "Ir" (nr)); + } + + /** +@@ -187,7 +187,7 @@ static __always_inline void change_bit(long nr, volatile unsigned long *addr) + : CONST_MASK_ADDR(nr, addr) + : "iq" ((u8)CONST_MASK(nr))); + } else { +- asm volatile(LOCK_PREFIX "btc %1,%0" ++ asm volatile(LOCK_PREFIX __ASM_SIZE(btc) " %1,%0" + : BITOP_ADDR(addr) + : "Ir" (nr)); + } +@@ -203,7 +203,8 @@ static __always_inline void change_bit(long nr, volatile unsigned long *addr) + */ + static __always_inline bool test_and_set_bit(long nr, volatile unsigned long *addr) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", c); ++ GEN_BINARY_RMWcc(LOCK_PREFIX __ASM_SIZE(bts), ++ *addr, "Ir", nr, "%0", c); + } + + /** +@@ -232,7 +233,7 @@ static __always_inline bool __test_and_set_bit(long nr, volatile unsigned long * + { + bool oldbit; + +- asm("bts %2,%1\n\t" ++ asm(__ASM_SIZE(bts) " %2,%1" + CC_SET(c) + : CC_OUT(c) (oldbit), ADDR + : "Ir" (nr)); +@@ -249,7 +250,8 @@ static __always_inline bool __test_and_set_bit(long nr, volatile unsigned long * + */ + static __always_inline bool test_and_clear_bit(long nr, volatile unsigned long *addr) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", c); ++ GEN_BINARY_RMWcc(LOCK_PREFIX __ASM_SIZE(btr), ++ *addr, "Ir", nr, "%0", c); + } + + /** +@@ -272,7 +274,7 @@ static __always_inline bool __test_and_clear_bit(long nr, volatile unsigned long + { + bool oldbit; + +- asm volatile("btr %2,%1\n\t" ++ asm volatile(__ASM_SIZE(btr) " %2,%1" + CC_SET(c) + : CC_OUT(c) (oldbit), ADDR + : "Ir" (nr)); +@@ -284,7 +286,7 @@ static __always_inline bool __test_and_change_bit(long nr, volatile unsigned lon + { + bool oldbit; + +- asm volatile("btc %2,%1\n\t" ++ asm volatile(__ASM_SIZE(btc) " %2,%1" + CC_SET(c) + : CC_OUT(c) (oldbit), ADDR + : "Ir" (nr) : "memory"); +@@ -302,7 +304,8 @@ static __always_inline bool __test_and_change_bit(long nr, volatile unsigned lon + */ + static __always_inline bool test_and_change_bit(long nr, volatile unsigned long *addr) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", c); ++ GEN_BINARY_RMWcc(LOCK_PREFIX __ASM_SIZE(btc), ++ *addr, "Ir", nr, "%0", c); + } + + static __always_inline bool constant_test_bit(long nr, const volatile unsigned long *addr) +@@ -315,7 +318,7 @@ static __always_inline bool variable_test_bit(long nr, volatile const unsigned l + { + bool oldbit; + +- asm volatile("bt %2,%1\n\t" ++ asm volatile(__ASM_SIZE(bt) " %2,%1" + CC_SET(c) + : CC_OUT(c) (oldbit) + : "m" (*(unsigned long *)addr), "Ir" (nr)); +diff --git a/arch/x86/include/asm/percpu.h b/arch/x86/include/asm/percpu.h +index 2cb5d0f13641a..f7745ef149c08 100644 +--- a/arch/x86/include/asm/percpu.h ++++ b/arch/x86/include/asm/percpu.h +@@ -536,7 +536,7 @@ static inline bool x86_this_cpu_variable_test_bit(int nr, + { + bool oldbit; + +- asm volatile("bt "__percpu_arg(2)",%1\n\t" ++ asm volatile("btl "__percpu_arg(2)",%1" + CC_SET(c) + : CC_OUT(c) (oldbit) + : "m" (*(unsigned long __percpu *)addr), "Ir" (nr)); +diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c +index 67881e5517fbf..2df407b2b0da7 100644 +--- a/drivers/gpu/drm/imx/imx-ldb.c ++++ b/drivers/gpu/drm/imx/imx-ldb.c +@@ -317,6 +317,7 @@ static void imx_ldb_encoder_disable(struct drm_encoder *encoder) + { + struct imx_ldb_channel *imx_ldb_ch = enc_to_imx_ldb_ch(encoder); + struct imx_ldb *ldb = imx_ldb_ch->ldb; ++ int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN; + int mux, ret; + + /* +@@ -333,14 +334,14 @@ static void imx_ldb_encoder_disable(struct drm_encoder *encoder) + + drm_panel_disable(imx_ldb_ch->panel); + +- if (imx_ldb_ch == &ldb->channel[0]) ++ if (imx_ldb_ch == &ldb->channel[0] || dual) + ldb->ldb_ctrl &= ~LDB_CH0_MODE_EN_MASK; +- else if (imx_ldb_ch == &ldb->channel[1]) ++ if (imx_ldb_ch == &ldb->channel[1] || dual) + ldb->ldb_ctrl &= ~LDB_CH1_MODE_EN_MASK; + + regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl); + +- if (ldb->ldb_ctrl & LDB_SPLIT_MODE_EN) { ++ if (dual) { + clk_disable_unprepare(ldb->clk[0]); + clk_disable_unprepare(ldb->clk[1]); + } +diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c +index 5cbf17aa84439..597ecae02c405 100644 +--- a/drivers/input/mouse/psmouse-base.c ++++ b/drivers/input/mouse/psmouse-base.c +@@ -1909,7 +1909,7 @@ static int psmouse_get_maxproto(char *buffer, const struct kernel_param *kp) + { + int type = *((unsigned int *)kp->arg); + +- return sprintf(buffer, "%s", psmouse_protocol_by_type(type)->name); ++ return sprintf(buffer, "%s\n", psmouse_protocol_by_type(type)->name); + } + + static int __init psmouse_init(void) +diff --git a/drivers/media/pci/ttpci/budget-core.c b/drivers/media/pci/ttpci/budget-core.c +index 6d42dcfd4825b..e7bdfc4e4aa83 100644 +--- a/drivers/media/pci/ttpci/budget-core.c ++++ b/drivers/media/pci/ttpci/budget-core.c +@@ -386,20 +386,25 @@ static int budget_register(struct budget *budget) + ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->hw_frontend); + + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + budget->mem_frontend.source = DMX_MEMORY_FE; + ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->mem_frontend); + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + ret = dvbdemux->dmx.connect_frontend(&dvbdemux->dmx, &budget->hw_frontend); + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + dvb_net_init(&budget->dvb_adapter, &budget->dvb_net, &dvbdemux->dmx); + + return 0; ++ ++err_release_dmx: ++ dvb_dmxdev_release(&budget->dmxdev); ++ dvb_dmx_release(&budget->demux); ++ return ret; + } + + static void budget_unregister(struct budget *budget) +diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c +index c2c68988e38ac..9884b34d6f406 100644 +--- a/drivers/media/platform/davinci/vpss.c ++++ b/drivers/media/platform/davinci/vpss.c +@@ -519,19 +519,31 @@ static void vpss_exit(void) + + static int __init vpss_init(void) + { ++ int ret; ++ + if (!request_mem_region(VPSS_CLK_CTRL, 4, "vpss_clock_control")) + return -EBUSY; + + oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4); + if (unlikely(!oper_cfg.vpss_regs_base2)) { +- release_mem_region(VPSS_CLK_CTRL, 4); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto err_ioremap; + } + + writel(VPSS_CLK_CTRL_VENCCLKEN | +- VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2); ++ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2); ++ ++ ret = platform_driver_register(&vpss_driver); ++ if (ret) ++ goto err_pd_register; ++ ++ return 0; + +- return platform_driver_register(&vpss_driver); ++err_pd_register: ++ iounmap(oper_cfg.vpss_regs_base2); ++err_ioremap: ++ release_mem_region(VPSS_CLK_CTRL, 4); ++ return ret; + } + subsys_initcall(vpss_init); + module_exit(vpss_exit); +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 060f9b1769298..c387be5c926b7 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1175,6 +1175,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port, + return ret; + + switch (ret) { ++ case -ETIMEDOUT: ++ return ret; + case -ENOSPC: + dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n", + addr, vid); +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 8df32398d3435..9b3ea0406e0d5 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3505,11 +3505,11 @@ failed_mii_init: + failed_irq: + failed_init: + fec_ptp_stop(pdev); +- if (fep->reg_phy) +- regulator_disable(fep->reg_phy); + failed_reset: + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++ if (fep->reg_phy) ++ regulator_disable(fep->reg_phy); + failed_regulator: + failed_clk_ipg: + fec_enet_clk_enable(ndev, false); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +index 67e396b2b3472..0e75c3a34fe7c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +@@ -1107,7 +1107,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes { + #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04 + #define I40E_AQC_SET_VSI_DEFAULT 0x08 + #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10 +-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000 ++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000 + __le16 seid; + #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF + __le16 vlan_tag; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index 2154a34c1dd80..09b47088dcc2b 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1922,6 +1922,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags, + return status; + } + ++/** ++ * i40e_is_aq_api_ver_ge ++ * @aq: pointer to AdminQ info containing HW API version to compare ++ * @maj: API major value ++ * @min: API minor value ++ * ++ * Assert whether current HW API version is greater/equal than provided. ++ **/ ++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj, ++ u16 min) ++{ ++ return (aq->api_maj_ver > maj || ++ (aq->api_maj_ver == maj && aq->api_min_ver >= min)); ++} ++ + /** + * i40e_aq_add_vsi + * @hw: pointer to the hw struct +@@ -2047,18 +2062,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw, + + if (set) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; +- if (rx_only_promisc && +- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1))) +- flags |= I40E_AQC_SET_VSI_PROMISC_TX; ++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; + } + + cmd->promiscuous_flags = cpu_to_le16(flags); + + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); +- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1)) +- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + + cmd->seid = cpu_to_le16(seid); + status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details); +@@ -2155,11 +2168,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw, + i40e_fill_default_direct_cmd_desc(&desc, + i40e_aqc_opc_set_vsi_promiscuous_modes); + +- if (enable) ++ if (enable) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; ++ } + + cmd->promiscuous_flags = cpu_to_le16(flags); + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + cmd->seid = cpu_to_le16(seid); + cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID); + +diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c +index 880a9068ca126..ef06af4e3611d 100644 +--- a/drivers/scsi/libfc/fc_disc.c ++++ b/drivers/scsi/libfc/fc_disc.c +@@ -595,8 +595,12 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp, + mutex_lock(&disc->disc_mutex); + if (PTR_ERR(fp) == -FC_EX_CLOSED) + goto out; +- if (IS_ERR(fp)) +- goto redisc; ++ if (IS_ERR(fp)) { ++ mutex_lock(&disc->disc_mutex); ++ fc_disc_restart(disc); ++ mutex_unlock(&disc->disc_mutex); ++ goto out; ++ } + + cp = fc_frame_payload_get(fp, sizeof(*cp)); + if (!cp) +@@ -621,7 +625,7 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp, + new_rdata->disc_id = disc->disc_id; + lport->tt.rport_login(new_rdata); + } +- goto out; ++ goto free_fp; + } + rdata->disc_id = disc->disc_id; + lport->tt.rport_login(rdata); +@@ -635,6 +639,8 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp, + redisc: + fc_disc_restart(disc); + } ++free_fp: ++ fc_frame_free(fp); + out: + mutex_unlock(&disc->disc_mutex); + kref_put(&rdata->kref, lport->tt.rport_destroy); +diff --git a/drivers/scsi/ufs/ufs_quirks.h b/drivers/scsi/ufs/ufs_quirks.h +index 71f73d1d1ad1f..6c944fbefd40a 100644 +--- a/drivers/scsi/ufs/ufs_quirks.h ++++ b/drivers/scsi/ufs/ufs_quirks.h +@@ -21,6 +21,7 @@ + #define UFS_ANY_VENDOR 0xFFFF + #define UFS_ANY_MODEL "ANY_MODEL" + ++#define UFS_VENDOR_MICRON 0x12C + #define UFS_VENDOR_TOSHIBA 0x198 + #define UFS_VENDOR_SAMSUNG 0x1CE + #define UFS_VENDOR_SKHYNIX 0x1AD +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index af4b0a2021d6c..a7f520581cb0f 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -178,6 +178,8 @@ ufs_get_pm_lvl_to_link_pwr_state(enum ufs_pm_level lvl) + + static struct ufs_dev_fix ufs_fixups[] = { + /* UFS cards deviations table */ ++ UFS_FIX(UFS_VENDOR_MICRON, UFS_ANY_MODEL, ++ UFS_DEVICE_QUIRK_DELAY_BEFORE_LPM), + UFS_FIX(UFS_VENDOR_SAMSUNG, UFS_ANY_MODEL, + UFS_DEVICE_QUIRK_DELAY_BEFORE_LPM), + UFS_FIX(UFS_VENDOR_SAMSUNG, UFS_ANY_MODEL, UFS_DEVICE_NO_VCCQ), +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index e459cd7302e27..5cad9f41c238b 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -785,6 +785,9 @@ bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx) + { + struct vring_virtqueue *vq = to_vvq(_vq); + ++ if (unlikely(vq->broken)) ++ return false; ++ + virtio_mb(vq->weak_barriers); + return (u16)last_used_idx != virtio16_to_cpu(_vq->vdev, vq->vring.used->idx); + } +diff --git a/drivers/xen/preempt.c b/drivers/xen/preempt.c +index 5f6b77ea34fb5..128375ff80b8c 100644 +--- a/drivers/xen/preempt.c ++++ b/drivers/xen/preempt.c +@@ -31,7 +31,7 @@ EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall); + asmlinkage __visible void xen_maybe_preempt_hcall(void) + { + if (unlikely(__this_cpu_read(xen_in_preemptible_hcall) +- && need_resched())) { ++ && need_resched() && !preempt_count())) { + /* + * Clear flag as we may be rescheduled on a different + * cpu. +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 2bc37d03d4075..abfc090510480 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3261,6 +3261,8 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size); + int btrfs_parse_options(struct btrfs_root *root, char *options, + unsigned long new_flags); + int btrfs_sync_fs(struct super_block *sb, int wait); ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid); + + static inline __printf(2, 3) + void btrfs_no_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...) +diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c +index 2513a7f533342..92f80ed642194 100644 +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -55,9 +55,9 @@ static int btrfs_encode_fh(struct inode *inode, u32 *fh, int *max_len, + return type; + } + +-static struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, +- u64 root_objectid, u32 generation, +- int check_generation) ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation) + { + struct btrfs_fs_info *fs_info = btrfs_sb(sb); + struct btrfs_root *root; +@@ -150,7 +150,7 @@ static struct dentry *btrfs_fh_to_dentry(struct super_block *sb, struct fid *fh, + return btrfs_get_dentry(sb, objectid, root_objectid, generation, 1); + } + +-static struct dentry *btrfs_get_parent(struct dentry *child) ++struct dentry *btrfs_get_parent(struct dentry *child) + { + struct inode *dir = d_inode(child); + struct btrfs_root *root = BTRFS_I(dir)->root; +diff --git a/fs/btrfs/export.h b/fs/btrfs/export.h +index 074348a95841f..7a305e5549991 100644 +--- a/fs/btrfs/export.h ++++ b/fs/btrfs/export.h +@@ -16,4 +16,9 @@ struct btrfs_fid { + u64 parent_root_objectid; + } __attribute__ ((packed)); + ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation); ++struct dentry *btrfs_get_parent(struct dentry *child); ++ + #endif +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 9286603a6a98b..3a0cb745164f8 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -948,8 +948,8 @@ out: + return error; + } + +-static char *get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, +- u64 subvol_objectid) ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid) + { + struct btrfs_root *root = fs_info->tree_root; + struct btrfs_root *fs_root; +@@ -1225,6 +1225,7 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + struct btrfs_fs_info *info = btrfs_sb(dentry->d_sb); + struct btrfs_root *root = info->tree_root; + char *compress_type; ++ const char *subvol_name; + + if (btrfs_test_opt(info, DEGRADED)) + seq_puts(seq, ",degraded"); +@@ -1311,8 +1312,13 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + #endif + seq_printf(seq, ",subvolid=%llu", + BTRFS_I(d_inode(dentry))->root->root_key.objectid); +- seq_puts(seq, ",subvol="); +- seq_dentry(seq, dentry, " \t\n\\"); ++ subvol_name = btrfs_get_subvol_name_from_objectid(info, ++ BTRFS_I(d_inode(dentry))->root->root_key.objectid); ++ if (!IS_ERR(subvol_name)) { ++ seq_puts(seq, ",subvol="); ++ seq_escape(seq, subvol_name, " \t\n\\"); ++ kfree(subvol_name); ++ } + return 0; + } + +@@ -1430,8 +1436,8 @@ static struct dentry *mount_subvol(const char *subvol_name, u64 subvol_objectid, + goto out; + } + } +- subvol_name = get_subvol_name_from_objectid(btrfs_sb(mnt->mnt_sb), +- subvol_objectid); ++ subvol_name = btrfs_get_subvol_name_from_objectid( ++ btrfs_sb(mnt->mnt_sb), subvol_objectid); + if (IS_ERR(subvol_name)) { + root = ERR_CAST(subvol_name); + subvol_name = NULL; +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index a9c0bf8782f53..aad52e1858363 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1747,9 +1747,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + * not already there, and calling reverse_path_check() + * during ep_insert(). + */ +- if (list_empty(&epi->ffd.file->f_tfile_llink)) ++ if (list_empty(&epi->ffd.file->f_tfile_llink)) { ++ get_file(epi->ffd.file); + list_add(&epi->ffd.file->f_tfile_llink, + &tfile_check_list); ++ } + } + } + mutex_unlock(&ep->mtx); +@@ -1793,6 +1795,7 @@ static void clear_tfile_check_list(void) + file = list_first_entry(&tfile_check_list, struct file, + f_tfile_llink); + list_del_init(&file->f_tfile_llink); ++ fput(file); + } + INIT_LIST_HEAD(&tfile_check_list); + } +@@ -1943,13 +1946,13 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + mutex_lock(&epmutex); + if (is_file_epoll(tf.file)) { + error = -ELOOP; +- if (ep_loop_check(ep, tf.file) != 0) { +- clear_tfile_check_list(); ++ if (ep_loop_check(ep, tf.file) != 0) + goto error_tgt_fput; +- } +- } else ++ } else { ++ get_file(tf.file); + list_add(&tf.file->f_tfile_llink, + &tfile_check_list); ++ } + mutex_lock_nested(&ep->mtx, 0); + if (is_file_epoll(tf.file)) { + tep = tf.file->private_data; +@@ -1973,8 +1976,6 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + error = ep_insert(ep, &epds, tf.file, fd, full_check); + } else + error = -EEXIST; +- if (full_check) +- clear_tfile_check_list(); + break; + case EPOLL_CTL_DEL: + if (epi) +@@ -1997,8 +1998,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + mutex_unlock(&ep->mtx); + + error_tgt_fput: +- if (full_check) ++ if (full_check) { ++ clear_tfile_check_list(); + mutex_unlock(&epmutex); ++ } + + fdput(tf); + error_fput: +diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c +index e5a6deb38e1e1..f4a5ec92f5dc7 100644 +--- a/fs/jffs2/dir.c ++++ b/fs/jffs2/dir.c +@@ -590,10 +590,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry) + int ret; + uint32_t now = get_seconds(); + ++ mutex_lock(&f->sem); + for (fd = f->dents ; fd; fd = fd->next) { +- if (fd->ino) ++ if (fd->ino) { ++ mutex_unlock(&f->sem); + return -ENOTEMPTY; ++ } + } ++ mutex_unlock(&f->sem); + + ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name, + dentry->d_name.len, f, now); +diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c +index f86f51f99aceb..1dcadd22b440d 100644 +--- a/fs/romfs/storage.c ++++ b/fs/romfs/storage.c +@@ -221,10 +221,8 @@ int romfs_dev_read(struct super_block *sb, unsigned long pos, + size_t limit; + + limit = romfs_maxsize(sb); +- if (pos >= limit) ++ if (pos >= limit || buflen > limit - pos) + return -EIO; +- if (buflen > limit - pos) +- buflen = limit - pos; + + #ifdef CONFIG_ROMFS_ON_MTD + if (sb->s_mtd) +diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h +index d04637181ef21..980c9429abec5 100644 +--- a/fs/xfs/xfs_sysfs.h ++++ b/fs/xfs/xfs_sysfs.h +@@ -44,9 +44,11 @@ xfs_sysfs_init( + struct xfs_kobj *parent_kobj, + const char *name) + { ++ struct kobject *parent; ++ ++ parent = parent_kobj ? &parent_kobj->kobject : NULL; + init_completion(&kobj->complete); +- return kobject_init_and_add(&kobj->kobject, ktype, +- &parent_kobj->kobject, "%s", name); ++ return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name); + } + + static inline void +diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c +index c3d547211d160..9c42e50a5cb7e 100644 +--- a/fs/xfs/xfs_trans_dquot.c ++++ b/fs/xfs/xfs_trans_dquot.c +@@ -669,7 +669,7 @@ xfs_trans_dqresv( + } + } + if (ninos > 0) { +- total_count = be64_to_cpu(dqp->q_core.d_icount) + ninos; ++ total_count = dqp->q_res_icount + ninos; + timer = be32_to_cpu(dqp->q_core.d_itimer); + warns = be16_to_cpu(dqp->q_core.d_iwarns); + warnlimit = dqp->q_mount->m_quotainfo->qi_iwarnlimit; +diff --git a/kernel/relay.c b/kernel/relay.c +index 5034cb3a339fb..3623ad9b529c2 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -196,6 +196,7 @@ free_buf: + static void relay_destroy_channel(struct kref *kref) + { + struct rchan *chan = container_of(kref, struct rchan, kref); ++ free_percpu(chan->buf); + kfree(chan); + } + +diff --git a/kernel/trace/trace_hwlat.c b/kernel/trace/trace_hwlat.c +index 5fe23f0ee7db6..d1e007c729235 100644 +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -268,24 +268,14 @@ out: + static struct cpumask save_cpumask; + static bool disable_migrate; + +-static void move_to_next_cpu(bool initmask) ++static void move_to_next_cpu(void) + { +- static struct cpumask *current_mask; ++ struct cpumask *current_mask = &save_cpumask; ++ struct trace_array *tr = hwlat_trace; + int next_cpu; + + if (disable_migrate) + return; +- +- /* Just pick the first CPU on first iteration */ +- if (initmask) { +- current_mask = &save_cpumask; +- get_online_cpus(); +- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask); +- put_online_cpus(); +- next_cpu = cpumask_first(current_mask); +- goto set_affinity; +- } +- + /* + * If for some reason the user modifies the CPU affinity + * of this thread, than stop migrating for the duration +@@ -295,14 +285,13 @@ static void move_to_next_cpu(bool initmask) + goto disable; + + get_online_cpus(); +- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask); ++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); + next_cpu = cpumask_next(smp_processor_id(), current_mask); + put_online_cpus(); + + if (next_cpu >= nr_cpu_ids) + next_cpu = cpumask_first(current_mask); + +- set_affinity: + if (next_cpu >= nr_cpu_ids) /* Shouldn't happen! */ + goto disable; + +@@ -332,12 +321,10 @@ static void move_to_next_cpu(bool initmask) + static int kthread_fn(void *data) + { + u64 interval; +- bool initmask = true; + + while (!kthread_should_stop()) { + +- move_to_next_cpu(initmask); +- initmask = false; ++ move_to_next_cpu(); + + local_irq_disable(); + get_sample(); +@@ -368,13 +355,27 @@ static int kthread_fn(void *data) + */ + static int start_kthread(struct trace_array *tr) + { ++ struct cpumask *current_mask = &save_cpumask; + struct task_struct *kthread; ++ int next_cpu; ++ ++ /* Just pick the first CPU on first iteration */ ++ current_mask = &save_cpumask; ++ get_online_cpus(); ++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); ++ put_online_cpus(); ++ next_cpu = cpumask_first(current_mask); + + kthread = kthread_create(kthread_fn, NULL, "hwlatd"); + if (IS_ERR(kthread)) { + pr_err(BANNER "could not start sampling thread\n"); + return -ENOMEM; + } ++ ++ cpumask_clear(current_mask); ++ cpumask_set_cpu(next_cpu, current_mask); ++ sched_setaffinity(kthread->pid, current_mask); ++ + hwlat_kthread = kthread; + wake_up_process(kthread); + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 9914da93069e8..2c22ea7a20131 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -4380,25 +4380,21 @@ static bool vma_shareable(struct vm_area_struct *vma, unsigned long addr) + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, + unsigned long *start, unsigned long *end) + { +- unsigned long check_addr = *start; ++ unsigned long a_start, a_end; + + if (!(vma->vm_flags & VM_MAYSHARE)) + return; + +- for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) { +- unsigned long a_start = check_addr & PUD_MASK; +- unsigned long a_end = a_start + PUD_SIZE; ++ /* Extend the range to be PUD aligned for a worst case scenario */ ++ a_start = ALIGN_DOWN(*start, PUD_SIZE); ++ a_end = ALIGN(*end, PUD_SIZE); + +- /* +- * If sharing is possible, adjust start/end if necessary. +- */ +- if (range_in_vma(vma, a_start, a_end)) { +- if (a_start < *start) +- *start = a_start; +- if (a_end > *end) +- *end = a_end; +- } +- } ++ /* ++ * Intersect the range with the vma range, since pmd sharing won't be ++ * across vma after all ++ */ ++ *start = max(vma->vm_start, a_start); ++ *end = min(vma->vm_end, a_end); + } + + /* +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 3080c6415493c..1538e5e5c628a 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -391,7 +391,7 @@ static void insert_to_mm_slots_hash(struct mm_struct *mm, + + static inline int khugepaged_test_exit(struct mm_struct *mm) + { +- return atomic_read(&mm->mm_users) == 0; ++ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm); + } + + int __khugepaged_enter(struct mm_struct *mm) +@@ -404,7 +404,7 @@ int __khugepaged_enter(struct mm_struct *mm) + return -ENOMEM; + + /* __khugepaged_exit() must not run from under us */ +- VM_BUG_ON_MM(khugepaged_test_exit(mm), mm); ++ VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm); + if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) { + free_mm_slot(mm_slot); + return 0; +@@ -1004,9 +1004,6 @@ static void collapse_huge_page(struct mm_struct *mm, + * handled by the anon_vma lock + PG_lock. + */ + down_write(&mm->mmap_sem); +- result = SCAN_ANY_PROCESS; +- if (!mmget_still_valid(mm)) +- goto out; + result = hugepage_vma_revalidate(mm, address, &vma); + if (result) + goto out; +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index f394dd87fa033..458523bc73916 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1116,6 +1116,11 @@ static void free_pcppages_bulk(struct zone *zone, int count, + if (nr_scanned) + __mod_node_page_state(zone->zone_pgdat, NR_PAGES_SCANNED, -nr_scanned); + ++ /* ++ * Ensure proper count is passed which otherwise would stuck in the ++ * below while (list_empty(list)) loop. ++ */ ++ count = min(pcp->count, count); + while (count) { + struct page *page; + struct list_head *list; +@@ -6782,7 +6787,7 @@ int __meminit init_per_zone_wmark_min(void) + + return 0; + } +-core_initcall(init_per_zone_wmark_min) ++postcore_initcall(init_per_zone_wmark_min) + + /* + * min_free_kbytes_sysctl_handler - just a wrapper around proc_dointvec() so +diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +index e83e314a76a53..dc1b9a32c0575 100644 +--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c ++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +@@ -339,7 +339,7 @@ static int sst_media_open(struct snd_pcm_substream *substream, + + ret_val = power_up_sst(stream); + if (ret_val < 0) +- return ret_val; ++ goto out_power_up; + + /* Make sure, that the period size is always even */ + snd_pcm_hw_constraint_step(substream->runtime, 0, +@@ -348,8 +348,9 @@ static int sst_media_open(struct snd_pcm_substream *substream, + return snd_pcm_hw_constraint_integer(runtime, + SNDRV_PCM_HW_PARAM_PERIODS); + out_ops: +- kfree(stream); + mutex_unlock(&sst_lock); ++out_power_up: ++ kfree(stream); + return ret_val; + } + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index 7d0d44b4f3d5c..863f668a07355 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1351,7 +1351,7 @@ int debuginfo__find_trace_events(struct debuginfo *dbg, + tf.ntevs = 0; + + ret = debuginfo__find_probes(dbg, &tf.pf); +- if (ret < 0) { ++ if (ret < 0 || tf.ntevs == 0) { + for (i = 0; i < tf.ntevs; i++) + clear_probe_trace_event(&tf.tevs[i]); + zfree(tevs); diff --git a/patch/kernel/meson64-legacy/patch-4.9.234-235.patch b/patch/kernel/meson64-legacy/patch-4.9.234-235.patch new file mode 100644 index 000000000..b00210d24 --- /dev/null +++ b/patch/kernel/meson64-legacy/patch-4.9.234-235.patch @@ -0,0 +1,2855 @@ +diff --git a/Makefile b/Makefile +index e5a6f33e95de6..d21084a36bd4d 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 234 ++SUBLEVEL = 235 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index fabc0cebe2aa2..1f9ff2cea2151 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -555,7 +555,7 @@ + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <2>; +- bias-disable; ++ bias-pull-down; + }; + }; + }; +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c +index 115b0955715f3..ed7e3a288b4e5 100644 +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -412,7 +412,7 @@ static void __hyp_text __hyp_call_panic_nvhe(u64 spsr, u64 elr, u64 par, + * making sure it is a kernel address and not a PC-relative + * reference. + */ +- asm volatile("ldr %0, =__hyp_panic_string" : "=r" (str_va)); ++ asm volatile("ldr %0, =%1" : "=r" (str_va) : "S" (__hyp_panic_string)); + + __hyp_do_panic(str_va, + spsr, elr, +diff --git a/arch/mips/vdso/genvdso.c b/arch/mips/vdso/genvdso.c +index 530a36f465ced..afcc86726448e 100644 +--- a/arch/mips/vdso/genvdso.c ++++ b/arch/mips/vdso/genvdso.c +@@ -126,6 +126,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (fstat(fd, &stat) != 0) { + fprintf(stderr, "%s: Failed to stat '%s': %s\n", program_name, + path, strerror(errno)); ++ close(fd); + return NULL; + } + +@@ -134,6 +135,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (addr == MAP_FAILED) { + fprintf(stderr, "%s: Failed to map '%s': %s\n", program_name, + path, strerror(errno)); ++ close(fd); + return NULL; + } + +@@ -143,6 +145,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) { + fprintf(stderr, "%s: '%s' is not an ELF file\n", program_name, + path); ++ close(fd); + return NULL; + } + +@@ -154,6 +157,7 @@ static void *map_vdso(const char *path, size_t *_size) + default: + fprintf(stderr, "%s: '%s' has invalid ELF class\n", + program_name, path); ++ close(fd); + return NULL; + } + +@@ -165,6 +169,7 @@ static void *map_vdso(const char *path, size_t *_size) + default: + fprintf(stderr, "%s: '%s' has invalid ELF data order\n", + program_name, path); ++ close(fd); + return NULL; + } + +@@ -172,15 +177,18 @@ static void *map_vdso(const char *path, size_t *_size) + fprintf(stderr, + "%s: '%s' has invalid ELF machine (expected EM_MIPS)\n", + program_name, path); ++ close(fd); + return NULL; + } else if (swap_uint16(ehdr->e_type) != ET_DYN) { + fprintf(stderr, + "%s: '%s' has invalid ELF type (expected ET_DYN)\n", + program_name, path); ++ close(fd); + return NULL; + } + + *_size = stat.st_size; ++ close(fd); + return addr; + } + +@@ -284,10 +292,12 @@ int main(int argc, char **argv) + /* Calculate and write symbol offsets to */ + if (!get_symbols(dbg_vdso_path, dbg_vdso)) { + unlink(out_path); ++ fclose(out_file); + return EXIT_FAILURE; + } + + fprintf(out_file, "};\n"); ++ fclose(out_file); + + return EXIT_SUCCESS; + } +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index ba49ae6625f1b..a10b67df83bae 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -2042,6 +2042,10 @@ static void record_and_restart(struct perf_event *event, unsigned long val, + + if (perf_event_overflow(event, &data, regs)) + power_pmu_stop(event, 0); ++ } else if (period) { ++ /* Account for interrupt in case of invalid SIAR */ ++ if (perf_event_account_interrupt(event)) ++ power_pmu_stop(event, 0); + } + } + +diff --git a/arch/powerpc/platforms/cell/Kconfig b/arch/powerpc/platforms/cell/Kconfig +index d9088f0b8fcc5..621be43433303 100644 +--- a/arch/powerpc/platforms/cell/Kconfig ++++ b/arch/powerpc/platforms/cell/Kconfig +@@ -45,6 +45,7 @@ config SPU_FS + tristate "SPU file system" + default m + depends on PPC_CELL ++ depends on COREDUMP + select SPU_BASE + select MEMORY_HOTPLUG + help +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 69a71074dc65b..fe9f2aea84bd4 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -2348,9 +2348,9 @@ static inline bool fwnode_is_primary(struct fwnode_handle *fwnode) + */ + void set_primary_fwnode(struct device *dev, struct fwnode_handle *fwnode) + { +- if (fwnode) { +- struct fwnode_handle *fn = dev->fwnode; ++ struct fwnode_handle *fn = dev->fwnode; + ++ if (fwnode) { + if (fwnode_is_primary(fn)) + fn = fn->secondary; + +@@ -2360,8 +2360,12 @@ void set_primary_fwnode(struct device *dev, struct fwnode_handle *fwnode) + } + dev->fwnode = fwnode; + } else { +- dev->fwnode = fwnode_is_primary(dev->fwnode) ? +- dev->fwnode->secondary : NULL; ++ if (fwnode_is_primary(fn)) { ++ dev->fwnode = fn->secondary; ++ fn->secondary = NULL; ++ } else { ++ dev->fwnode = NULL; ++ } + } + } + EXPORT_SYMBOL_GPL(set_primary_fwnode); +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index a2714890fe431..d707cd16ed014 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1366,13 +1366,17 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async) + } + + /* +- * If a device configured to wake up the system from sleep states +- * has been suspended at run time and there's a resume request pending +- * for it, this is equivalent to the device signaling wakeup, so the +- * system suspend operation should be aborted. ++ * Wait for possible runtime PM transitions of the device in progress ++ * to complete and if there's a runtime resume request pending for it, ++ * resume it before proceeding with invoking the system-wide suspend ++ * callbacks for it. ++ * ++ * If the system-wide suspend callbacks below change the configuration ++ * of the device, they must disable runtime PM for it or otherwise ++ * ensure that its runtime-resume callbacks will not be confused by that ++ * change in case they are invoked going forward. + */ +- if (pm_runtime_barrier(dev) && device_may_wakeup(dev)) +- pm_wakeup_event(dev, 0); ++ pm_runtime_barrier(dev); + + if (pm_wakeup_pending()) { + dev->power.direct_complete = false; +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 1c88d97074951..3438b98e60948 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -145,6 +145,8 @@ + (n << (28 + (2 * skl) - PAGE_SHIFT)) + + static int nr_channels; ++static struct pci_dev *mci_pdev; ++static int ie31200_registered = 1; + + struct ie31200_priv { + void __iomem *window; +@@ -512,12 +514,16 @@ fail_free: + static int ie31200_init_one(struct pci_dev *pdev, + const struct pci_device_id *ent) + { +- edac_dbg(0, "MC:\n"); ++ int rc; + ++ edac_dbg(0, "MC:\n"); + if (pci_enable_device(pdev) < 0) + return -EIO; ++ rc = ie31200_probe1(pdev, ent->driver_data); ++ if (rc == 0 && !mci_pdev) ++ mci_pdev = pci_dev_get(pdev); + +- return ie31200_probe1(pdev, ent->driver_data); ++ return rc; + } + + static void ie31200_remove_one(struct pci_dev *pdev) +@@ -526,6 +532,8 @@ static void ie31200_remove_one(struct pci_dev *pdev) + struct ie31200_priv *priv; + + edac_dbg(0, "\n"); ++ pci_dev_put(mci_pdev); ++ mci_pdev = NULL; + mci = edac_mc_del_mc(&pdev->dev); + if (!mci) + return; +@@ -574,17 +582,53 @@ static struct pci_driver ie31200_driver = { + + static int __init ie31200_init(void) + { ++ int pci_rc, i; ++ + edac_dbg(3, "MC:\n"); + /* Ensure that the OPSTATE is set correctly for POLL or NMI */ + opstate_init(); + +- return pci_register_driver(&ie31200_driver); ++ pci_rc = pci_register_driver(&ie31200_driver); ++ if (pci_rc < 0) ++ goto fail0; ++ ++ if (!mci_pdev) { ++ ie31200_registered = 0; ++ for (i = 0; ie31200_pci_tbl[i].vendor != 0; i++) { ++ mci_pdev = pci_get_device(ie31200_pci_tbl[i].vendor, ++ ie31200_pci_tbl[i].device, ++ NULL); ++ if (mci_pdev) ++ break; ++ } ++ if (!mci_pdev) { ++ edac_dbg(0, "ie31200 pci_get_device fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); ++ if (pci_rc < 0) { ++ edac_dbg(0, "ie31200 init fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ } ++ return 0; ++ ++fail1: ++ pci_unregister_driver(&ie31200_driver); ++fail0: ++ pci_dev_put(mci_pdev); ++ ++ return pci_rc; + } + + static void __exit ie31200_exit(void) + { + edac_dbg(3, "MC:\n"); + pci_unregister_driver(&ie31200_driver); ++ if (!ie31200_registered) ++ ie31200_remove_one(mci_pdev); + } + + module_init(ie31200_init); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index e9311eb7b8d9f..694f631d9c90d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -734,8 +734,10 @@ amdgpu_connector_lvds_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (encoder) { +@@ -872,8 +874,10 @@ amdgpu_connector_vga_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = amdgpu_connector_best_single_encoder(connector); +@@ -996,8 +1000,10 @@ amdgpu_connector_dvi_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { +@@ -1371,8 +1377,10 @@ amdgpu_connector_dp_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +index 15a2d8f3725d5..fdf7a18058881 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -268,7 +268,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set) + + ret = pm_runtime_get_sync(dev->dev); + if (ret < 0) +- return ret; ++ goto out; + + ret = drm_crtc_helper_set_config(set); + +@@ -283,7 +283,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set) + take the current one */ + if (active && !adev->have_disp_power_ref) { + adev->have_disp_power_ref = true; +- return ret; ++ goto out; + } + /* if we have no active crtcs, then drop the power ref + we got before */ +@@ -292,6 +292,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set) + adev->have_disp_power_ref = false; + } + ++out: + /* drop the power reference we got coming in here */ + pm_runtime_put_autosuspend(dev->dev); + return ret; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index e0890deccb2fe..7cae10fec78de 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -633,11 +633,12 @@ long amdgpu_drm_ioctl(struct file *filp, + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); + if (ret < 0) +- return ret; ++ goto out; + + ret = drm_ioctl(filp, cmd, arg); + + pm_runtime_mark_last_busy(dev->dev); ++out: + pm_runtime_put_autosuspend(dev->dev); + return ret; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index ab5134d920d96..96fc1566f28e5 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -543,7 +543,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + r = pm_runtime_get_sync(dev->dev); + if (r < 0) +- return r; ++ goto pm_put; + + fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL); + if (unlikely(!fpriv)) { +@@ -566,6 +566,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + out_suspend: + pm_runtime_mark_last_busy(dev->dev); ++pm_put: + pm_runtime_put_autosuspend(dev->dev); + + return r; +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +index 8c6e47c5507fb..74221e096855d 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -841,8 +841,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + + ret = kobject_init_and_add(dev->kobj_node, &node_type, + sys_props.kobj_nodes, "%d", id); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(dev->kobj_node); + return ret; ++ } + + dev->kobj_mem = kobject_create_and_add("mem_banks", dev->kobj_node); + if (!dev->kobj_mem) +@@ -885,8 +887,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(mem->kobj, &mem_type, + dev->kobj_mem, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(mem->kobj); + return ret; ++ } + + mem->attr.name = "properties"; + mem->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -904,8 +908,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(cache->kobj, &cache_type, + dev->kobj_cache, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(cache->kobj); + return ret; ++ } + + cache->attr.name = "properties"; + cache->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -923,8 +929,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(iolink->kobj, &iolink_type, + dev->kobj_iolink, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(iolink->kobj); + return ret; ++ } + + iolink->attr.name = "properties"; + iolink->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -976,8 +984,10 @@ static int kfd_topology_update_sysfs(void) + ret = kobject_init_and_add(sys_props.kobj_topology, + &sysprops_type, &kfd_device->kobj, + "topology"); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(sys_props.kobj_topology); + return ret; ++ } + + sys_props.kobj_nodes = kobject_create_and_add("nodes", + sys_props.kobj_topology); +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 5bfae1f972c74..0061deca290a4 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -281,8 +281,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force) + pm_runtime_get_noresume(dev->dev); + } else { + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return conn_status; ++ } + } + + nv_encoder = nouveau_connector_ddc_detect(connector); +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 275abc424ce25..40da9143f7220 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -183,8 +183,10 @@ nouveau_fbcon_open(struct fb_info *info, int user) + struct nouveau_fbdev *fbcon = info->par; + struct nouveau_drm *drm = nouveau_drm(fbcon->dev); + int ret = pm_runtime_get_sync(drm->dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put(drm->dev->dev); + return ret; ++ } + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index efa875120071a..9e6c2be0cc7d4 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -892,8 +892,10 @@ radeon_lvds_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (encoder) { +@@ -1038,8 +1040,10 @@ radeon_vga_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = radeon_best_single_encoder(connector); +@@ -1176,8 +1180,10 @@ radeon_tv_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = radeon_best_single_encoder(connector); +@@ -1260,8 +1266,10 @@ radeon_dvi_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (radeon_connector->detected_hpd_without_ddc) { +@@ -1701,8 +1709,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && radeon_check_hpd_status_unchanged(connector)) { +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 850527d5fab1b..606fd875740c0 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -407,6 +407,19 @@ static int i2c_hid_set_power(struct i2c_client *client, int power_state) + dev_err(&client->dev, "failed to change power setting.\n"); + + set_pwr_exit: ++ ++ /* ++ * The HID over I2C specification states that if a DEVICE needs time ++ * after the PWR_ON request, it should utilise CLOCK stretching. ++ * However, it has been observered that the Windows driver provides a ++ * 1ms sleep between the PWR_ON and RESET requests. ++ * According to Goodix Windows even waits 60 ms after (other?) ++ * PWR_ON requests. Testing has confirmed that several devices ++ * will not work properly without a delay after a PWR_ON request. ++ */ ++ if (!ret && power_state == I2C_HID_PWR_ON) ++ msleep(60); ++ + return ret; + } + +@@ -428,15 +441,6 @@ static int i2c_hid_hwreset(struct i2c_client *client) + if (ret) + goto out_unlock; + +- /* +- * The HID over I2C specification states that if a DEVICE needs time +- * after the PWR_ON request, it should utilise CLOCK stretching. +- * However, it has been observered that the Windows driver provides a +- * 1ms sleep between the PWR_ON and RESET requests and that some devices +- * rely on this. +- */ +- usleep_range(1000, 5000); +- + i2c_hid_dbg(ihid, "resetting...\n"); + + ret = i2c_hid_command(client, &hid_reset_cmd, NULL, 0); +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index dbdd265075daf..7bce23a43907e 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -554,12 +554,16 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + switch (cmd) { + case HIDIOCGUSAGE: ++ if (uref->usage_index >= field->report_count) ++ goto inval; + uref->value = field->value[uref->usage_index]; + if (copy_to_user(user_arg, uref, sizeof(*uref))) + goto fault; + goto goodreturn; + + case HIDIOCSUSAGE: ++ if (uref->usage_index >= field->report_count) ++ goto inval; + field->value[uref->usage_index] = uref->value; + goto goodreturn; + +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index 4231673435e7b..6be02da2ccc46 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -534,6 +534,7 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + /* master sent stop */ + if (ssr_filtered & SSR) { + i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value); ++ rcar_i2c_write(priv, ICSCR, SIE | SDBS); /* clear our NACK */ + rcar_i2c_write(priv, ICSIER, SAR); + rcar_i2c_write(priv, ICSSR, ~SSR & 0xff); + } +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c +index f106fd9782bfb..99c36a5438a75 100644 +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -676,7 +676,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag, struct iova_domain *iovad) + for (i = 0 ; i < mag->size; ++i) { + struct iova *iova = private_find_iova(iovad, mag->pfns[i]); + +- BUG_ON(!iova); ++ if (WARN_ON(!iova)) ++ continue; ++ + private_free_iova(iovad, iova); + } + +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 29deda7aed040..2d3ff028f50c9 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -510,14 +510,14 @@ static int adjoin(struct dm_table *table, struct dm_target *ti) + * On the other hand, dm-switch needs to process bulk data using messages and + * excessive use of GFP_NOIO could cause trouble. + */ +-static char **realloc_argv(unsigned *array_size, char **old_argv) ++static char **realloc_argv(unsigned *size, char **old_argv) + { + char **argv; + unsigned new_size; + gfp_t gfp; + +- if (*array_size) { +- new_size = *array_size * 2; ++ if (*size) { ++ new_size = *size * 2; + gfp = GFP_KERNEL; + } else { + new_size = 8; +@@ -525,8 +525,8 @@ static char **realloc_argv(unsigned *array_size, char **old_argv) + } + argv = kmalloc(new_size * sizeof(*argv), gfp); + if (argv) { +- memcpy(argv, old_argv, *array_size * sizeof(*argv)); +- *array_size = new_size; ++ memcpy(argv, old_argv, *size * sizeof(*argv)); ++ *size = new_size; + } + + kfree(old_argv); +diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c +index 382caf200ba16..c313f51688f44 100644 +--- a/drivers/media/pci/ttpci/av7110.c ++++ b/drivers/media/pci/ttpci/av7110.c +@@ -426,14 +426,15 @@ static void debiirq(unsigned long cookie) + case DATA_CI_GET: + { + u8 *data = av7110->debi_virt; ++ u8 data_0 = data[0]; + +- if ((data[0] < 2) && data[2] == 0xff) { ++ if (data_0 < 2 && data[2] == 0xff) { + int flags = 0; + if (data[5] > 0) + flags |= CA_CI_MODULE_PRESENT; + if (data[5] > 5) + flags |= CA_CI_MODULE_READY; +- av7110->ci_slot[data[0]].flags = flags; ++ av7110->ci_slot[data_0].flags = flags; + } else + ci_get_data(&av7110->ci_rbuffer, + av7110->debi_virt, +diff --git a/drivers/media/platform/davinci/vpif_capture.c b/drivers/media/platform/davinci/vpif_capture.c +index 5104cc0ee40e3..a3c4cc025ed6f 100644 +--- a/drivers/media/platform/davinci/vpif_capture.c ++++ b/drivers/media/platform/davinci/vpif_capture.c +@@ -1408,8 +1408,6 @@ probe_out: + /* Unregister video device */ + video_unregister_device(&ch->video_dev); + } +- kfree(vpif_obj.sd); +- v4l2_device_unregister(&vpif_obj.v4l2_dev); + + return err; + } +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index d52fd842ef1fe..8322129c3f987 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1985,7 +1985,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev, + int ret; + + ret = bond_release(bond_dev, slave_dev); +- if (ret == 0 && !bond_has_slaves(bond)) { ++ if (ret == 0 && !bond_has_slaves(bond) && ++ bond_dev->reg_state != NETREG_UNREGISTERING) { + bond_dev->priv_flags |= IFF_DISABLE_NETPOLL; + netdev_info(bond_dev, "Destroying bond %s\n", + bond_dev->name); +@@ -4131,13 +4132,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev) + return ret; + } + ++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed) ++{ ++ if (speed == 0 || speed == SPEED_UNKNOWN) ++ speed = slave->speed; ++ else ++ speed = min(speed, slave->speed); ++ ++ return speed; ++} ++ + static int bond_ethtool_get_settings(struct net_device *bond_dev, + struct ethtool_cmd *ecmd) + { + struct bonding *bond = netdev_priv(bond_dev); +- unsigned long speed = 0; + struct list_head *iter; + struct slave *slave; ++ u32 speed = 0; + + ecmd->duplex = DUPLEX_UNKNOWN; + ecmd->port = PORT_OTHER; +@@ -4149,8 +4160,13 @@ static int bond_ethtool_get_settings(struct net_device *bond_dev, + */ + bond_for_each_slave(bond, slave, iter) { + if (bond_slave_can_tx(slave)) { +- if (slave->speed != SPEED_UNKNOWN) +- speed += slave->speed; ++ if (slave->speed != SPEED_UNKNOWN) { ++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) ++ speed = bond_mode_bcast_speed(slave, ++ speed); ++ else ++ speed += slave->speed; ++ } + if (ecmd->duplex == DUPLEX_UNKNOWN && + slave->duplex != DUPLEX_UNKNOWN) + ecmd->duplex = slave->duplex; +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index b665d27f8e299..95ab44aa0eeab 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -844,8 +844,10 @@ static int gfar_of_init(struct platform_device *ofdev, struct net_device **pdev) + continue; + + err = gfar_parse_group(child, priv, model); +- if (err) ++ if (err) { ++ of_node_put(child); + goto err_grp_init; ++ } + } + } else { /* SQ_SG_MODE */ + err = gfar_parse_group(np, priv, model); +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index 72f37e546ed24..ac757819cadb5 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -168,12 +168,21 @@ static void ipvlan_port_destroy(struct net_device *dev) + kfree_rcu(port, rcu); + } + ++#define IPVLAN_ALWAYS_ON_OFLOADS \ ++ (NETIF_F_SG | NETIF_F_HW_CSUM | \ ++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL) ++ ++#define IPVLAN_ALWAYS_ON \ ++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED) ++ + #define IPVLAN_FEATURES \ + (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \ + NETIF_F_GSO | NETIF_F_TSO | NETIF_F_UFO | NETIF_F_GSO_ROBUST | \ + NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \ + NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER) + ++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */ ++ + #define IPVLAN_STATE_MASK \ + ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT)) + +@@ -186,7 +195,9 @@ static int ipvlan_init(struct net_device *dev) + dev->state = (dev->state & ~IPVLAN_STATE_MASK) | + (phy_dev->state & IPVLAN_STATE_MASK); + dev->features = phy_dev->features & IPVLAN_FEATURES; +- dev->features |= NETIF_F_LLTX; ++ dev->features |= IPVLAN_ALWAYS_ON; ++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES; ++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS; + dev->gso_max_size = phy_dev->gso_max_size; + dev->gso_max_segs = phy_dev->gso_max_segs; + dev->hard_header_len = phy_dev->hard_header_len; +@@ -274,7 +285,14 @@ static netdev_features_t ipvlan_fix_features(struct net_device *dev, + { + struct ipvl_dev *ipvlan = netdev_priv(dev); + +- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES); ++ features |= NETIF_F_ALL_FOR_ALL; ++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES); ++ features = netdev_increment_features(ipvlan->phy_dev->features, ++ features, features); ++ features |= IPVLAN_ALWAYS_ON; ++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON); ++ ++ return features; + } + + static void ipvlan_change_rx_flags(struct net_device *dev, int change) +@@ -675,10 +693,9 @@ static int ipvlan_device_event(struct notifier_block *unused, + + case NETDEV_FEAT_CHANGE: + list_for_each_entry(ipvlan, &port->ipvlans, pnode) { +- ipvlan->dev->features = dev->features & IPVLAN_FEATURES; + ipvlan->dev->gso_max_size = dev->gso_max_size; + ipvlan->dev->gso_max_segs = dev->gso_max_segs; +- netdev_features_change(ipvlan->dev); ++ netdev_update_features(ipvlan->dev); + } + break; + +diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h +index 6038b7486f1db..e04e0260035ad 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.h ++++ b/drivers/net/wireless/ath/ath10k/hw.h +@@ -558,7 +558,7 @@ ath10k_rx_desc_get_l3_pad_bytes(struct ath10k_hw_params *hw, + + #define TARGET_10_4_TX_DBG_LOG_SIZE 1024 + #define TARGET_10_4_NUM_WDS_ENTRIES 32 +-#define TARGET_10_4_DMA_BURST_SIZE 0 ++#define TARGET_10_4_DMA_BURST_SIZE 1 + #define TARGET_10_4_MAC_AGGR_DELIM 0 + #define TARGET_10_4_RX_SKIP_DEFRAG_TIMEOUT_DUP_DETECTION_CHECK 1 + #define TARGET_10_4_VOW_CONFIG 0 +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 93b22a5b6878e..e524573aa8a09 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -752,8 +752,11 @@ static int _rtl_usb_receive(struct ieee80211_hw *hw) + + usb_anchor_urb(urb, &rtlusb->rx_submitted); + err = usb_submit_urb(urb, GFP_KERNEL); +- if (err) ++ if (err) { ++ usb_unanchor_urb(urb); ++ usb_free_urb(urb); + goto err_out; ++ } + usb_free_urb(urb); + } + return 0; +diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c +index 429d34c348b9f..01a343ad7155c 100644 +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -303,13 +303,16 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ kfree(slot); + goto err; + } + + err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL, + "%s", slot_name); +- if (err) ++ if (err) { ++ kobject_put(&slot->kobj); + goto err; ++ } + + INIT_LIST_HEAD(&slot->list); + list_add(&slot->list, &parent->slots); +@@ -328,7 +331,6 @@ out: + mutex_unlock(&pci_slot_mutex); + return slot; + err: +- kfree(slot); + slot = ERR_PTR(err); + goto out; + } +diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c +index 39a2b0cde9e42..d81fdcd6a1fe0 100644 +--- a/drivers/s390/cio/css.c ++++ b/drivers/s390/cio/css.c +@@ -529,6 +529,11 @@ static int slow_eval_known_fn(struct subchannel *sch, void *data) + rc = css_evaluate_known_subchannel(sch, 1); + if (rc == -EAGAIN) + css_schedule_eval(sch->schid); ++ /* ++ * The loop might take long time for platforms with lots of ++ * known devices. Allow scheduling here. ++ */ ++ cond_resched(); + } + return 0; + } +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index 3c2f34db937b6..f5f3a8113bc55 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -267,9 +267,9 @@ static void fcoe_sysfs_fcf_del(struct fcoe_fcf *new) + WARN_ON(!fcf_dev); + new->fcf_dev = NULL; + fcoe_fcf_device_delete(fcf_dev); +- kfree(new); + mutex_unlock(&cdev->lock); + } ++ kfree(new); + } + + /** +diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c +index e18bbc66e83b1..77cb16d8dfd35 100644 +--- a/drivers/scsi/lpfc/lpfc_vport.c ++++ b/drivers/scsi/lpfc/lpfc_vport.c +@@ -624,27 +624,16 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + vport->port_state < LPFC_VPORT_READY) + return -EAGAIN; + } ++ + /* +- * This is a bit of a mess. We want to ensure the shost doesn't get +- * torn down until we're done with the embedded lpfc_vport structure. +- * +- * Beyond holding a reference for this function, we also need a +- * reference for outstanding I/O requests we schedule during delete +- * processing. But once we scsi_remove_host() we can no longer obtain +- * a reference through scsi_host_get(). +- * +- * So we take two references here. We release one reference at the +- * bottom of the function -- after delinking the vport. And we +- * release the other at the completion of the unreg_vpi that get's +- * initiated after we've disposed of all other resources associated +- * with the port. ++ * Take early refcount for outstanding I/O requests we schedule during ++ * delete processing for unreg_vpi. Always keep this before ++ * scsi_remove_host() as we can no longer obtain a reference through ++ * scsi_host_get() after scsi_host_remove as shost is set to SHOST_DEL. + */ + if (!scsi_host_get(shost)) + return VPORT_INVAL; +- if (!scsi_host_get(shost)) { +- scsi_host_put(shost); +- return VPORT_INVAL; +- } ++ + lpfc_free_sysfs_attr(vport); + + lpfc_debugfs_terminate(vport); +@@ -792,8 +781,9 @@ skip_logo: + if (!(vport->vpi_state & LPFC_VPI_REGISTERED) || + lpfc_mbx_unreg_vpi(vport)) + scsi_host_put(shost); +- } else ++ } else { + scsi_host_put(shost); ++ } + + lpfc_free_vpi(phba, vport->vpi); + vport->work_port_events = 0; +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 42b97f1196232..c2bce3f6eaace 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -3191,7 +3191,7 @@ static int iscsi_set_flashnode_param(struct iscsi_transport *transport, + pr_err("%s could not find host no %u\n", + __func__, ev->u.set_flashnode.host_no); + err = -ENODEV; +- goto put_host; ++ goto exit_set_fnode; + } + + idx = ev->u.set_flashnode.flashnode_idx; +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index a7f520581cb0f..ad5f2e2b4cbaf 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -659,6 +659,7 @@ unblock_reqs: + int ufshcd_hold(struct ufs_hba *hba, bool async) + { + int rc = 0; ++ bool flush_result; + unsigned long flags; + + if (!ufshcd_is_clkgating_allowed(hba)) +@@ -690,7 +691,9 @@ start: + break; + } + spin_unlock_irqrestore(hba->host->host_lock, flags); +- flush_work(&hba->clk_gating.ungate_work); ++ flush_result = flush_work(&hba->clk_gating.ungate_work); ++ if (hba->clk_gating.is_suspended && !flush_result) ++ goto out; + spin_lock_irqsave(hba->host->host_lock, flags); + goto start; + } +@@ -4397,7 +4400,7 @@ static void ufshcd_sl_intr(struct ufs_hba *hba, u32 intr_status) + */ + static irqreturn_t ufshcd_intr(int irq, void *__hba) + { +- u32 intr_status, enabled_intr_status; ++ u32 intr_status, enabled_intr_status = 0; + irqreturn_t retval = IRQ_NONE; + struct ufs_hba *hba = __hba; + int retries = hba->nutrs; +@@ -4411,7 +4414,7 @@ static irqreturn_t ufshcd_intr(int irq, void *__hba) + * read, make sure we handle them by checking the interrupt status + * again in a loop until we process all of the reqs before returning. + */ +- do { ++ while (intr_status && retries--) { + enabled_intr_status = + intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + if (intr_status) +@@ -4422,7 +4425,7 @@ static irqreturn_t ufshcd_intr(int irq, void *__hba) + } + + intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS); +- } while (intr_status && --retries); ++ } + + spin_unlock(hba->host->host_lock); + return retval; +diff --git a/drivers/staging/media/cec/cec-api.c b/drivers/staging/media/cec/cec-api.c +index e274e2f223986..264bb7d1efcb8 100644 +--- a/drivers/staging/media/cec/cec-api.c ++++ b/drivers/staging/media/cec/cec-api.c +@@ -141,7 +141,13 @@ static long cec_adap_g_log_addrs(struct cec_adapter *adap, + struct cec_log_addrs log_addrs; + + mutex_lock(&adap->lock); +- log_addrs = adap->log_addrs; ++ /* ++ * We use memcpy here instead of assignment since there is a ++ * hole at the end of struct cec_log_addrs that an assignment ++ * might ignore. So when we do copy_to_user() we could leak ++ * one byte of memory. ++ */ ++ memcpy(&log_addrs, &adap->log_addrs, sizeof(log_addrs)); + if (!adap->is_configured) + memset(log_addrs.log_addr, CEC_LOG_ADDR_INVALID, + sizeof(log_addrs.log_addr)); +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 1a83456a65a00..693fbb2858404 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -666,7 +666,14 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev) + struct tcmu_cmd_entry *entry = (void *) mb + CMDR_OFF + udev->cmdr_last_cleaned; + struct tcmu_cmd *cmd; + +- tcmu_flush_dcache_range(entry, sizeof(*entry)); ++ /* ++ * Flush max. up to end of cmd ring since current entry might ++ * be a padding that is shorter than sizeof(*entry) ++ */ ++ size_t ring_left = head_to_end(udev->cmdr_last_cleaned, ++ udev->cmdr_size); ++ tcmu_flush_dcache_range(entry, ring_left < sizeof(*entry) ? ++ ring_left : sizeof(*entry)); + + if (tcmu_hdr_get_op(entry->hdr.len_op) == TCMU_OP_PAD) { + UPDATE_HEAD(udev->cmdr_last_cleaned, +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index c7a7574172fae..5641b877dca53 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2205,6 +2205,10 @@ int serial8250_do_startup(struct uart_port *port) + + if (port->irq) { + unsigned char iir1; ++ ++ if (port->irqflags & IRQF_SHARED) ++ disable_irq_nosync(port->irq); ++ + /* + * Test for UARTs that do not reassert THRE when the + * transmitter is idle and the interrupt has already +@@ -2214,8 +2218,6 @@ int serial8250_do_startup(struct uart_port *port) + * allow register changes to become visible. + */ + spin_lock_irqsave(&port->lock, flags); +- if (up->port.irqflags & IRQF_SHARED) +- disable_irq_nosync(port->irq); + + wait_for_xmitr(up, UART_LSR_THRE); + serial_port_out_sync(port, UART_IER, UART_IER_THRI); +@@ -2227,9 +2229,10 @@ int serial8250_do_startup(struct uart_port *port) + iir = serial_port_in(port, UART_IIR); + serial_port_out(port, UART_IER, 0); + ++ spin_unlock_irqrestore(&port->lock, flags); ++ + if (port->irqflags & IRQF_SHARED) + enable_irq(port->irq); +- spin_unlock_irqrestore(&port->lock, flags); + + /* + * If the interrupt is not reasserted, or we otherwise +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index b3b9b3d2cddf9..6e27dee3876a4 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2249,9 +2249,8 @@ pl011_console_write(struct console *co, const char *s, unsigned int count) + clk_disable(uap->clk); + } + +-static void __init +-pl011_console_get_options(struct uart_amba_port *uap, int *baud, +- int *parity, int *bits) ++static void pl011_console_get_options(struct uart_amba_port *uap, int *baud, ++ int *parity, int *bits) + { + if (pl011_read(uap, REG_CR) & UART01x_CR_UARTEN) { + unsigned int lcr_h, ibrd, fbrd; +@@ -2284,7 +2283,7 @@ pl011_console_get_options(struct uart_amba_port *uap, int *baud, + } + } + +-static int __init pl011_console_setup(struct console *co, char *options) ++static int pl011_console_setup(struct console *co, char *options) + { + struct uart_amba_port *uap; + int baud = 38400; +@@ -2352,8 +2351,8 @@ static int __init pl011_console_setup(struct console *co, char *options) + * + * Returns 0 if console matches; otherwise non-zero to use default matching + */ +-static int __init pl011_console_match(struct console *co, char *name, int idx, +- char *options) ++static int pl011_console_match(struct console *co, char *name, int idx, ++ char *options) + { + unsigned char iotype; + resource_size_t addr; +@@ -2533,7 +2532,7 @@ static int pl011_setup_port(struct device *dev, struct uart_amba_port *uap, + + static int pl011_register_port(struct uart_amba_port *uap) + { +- int ret; ++ int ret, i; + + /* Ensure interrupts from this UART are masked and cleared */ + pl011_write(0, uap, REG_IMSC); +@@ -2544,6 +2543,9 @@ static int pl011_register_port(struct uart_amba_port *uap) + if (ret < 0) { + dev_err(uap->port.dev, + "Failed to register AMBA-PL011 driver\n"); ++ for (i = 0; i < ARRAY_SIZE(amba_ports); i++) ++ if (amba_ports[i] == uap) ++ amba_ports[i] = NULL; + return ret; + } + } +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 01ff8ec780237..4dfdb59061bea 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1725,9 +1725,11 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, + ourport->tx_irq = ret + 1; + } + +- ret = platform_get_irq(platdev, 1); +- if (ret > 0) +- ourport->tx_irq = ret; ++ if (!s3c24xx_serial_has_interrupt_mask(port)) { ++ ret = platform_get_irq(platdev, 1); ++ if (ret > 0) ++ ourport->tx_irq = ret; ++ } + /* + * DMA is currently supported only on DT platforms, if DMA properties + * are specified. +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 3e5a3614fad03..1f00f42213c27 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -868,7 +868,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, + unsigned int old_rows, old_row_size; + unsigned int new_cols, new_rows, new_row_size, new_screen_size; + unsigned int user; +- unsigned short *newscreen; ++ unsigned short *oldscreen, *newscreen; + + WARN_CONSOLE_UNLOCKED(); + +@@ -950,10 +950,11 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, + if (new_scr_end > new_origin) + scr_memsetw((void *)new_origin, vc->vc_video_erase_char, + new_scr_end - new_origin); +- kfree(vc->vc_screenbuf); ++ oldscreen = vc->vc_screenbuf; + vc->vc_screenbuf = newscreen; + vc->vc_screenbuf_size = new_screen_size; + set_origin(vc); ++ kfree(oldscreen); + + /* do part of a reset_terminal() */ + vc->vc_top = 0; +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index 4ed0d77e59181..78a3b969cae71 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -896,12 +896,22 @@ int vt_ioctl(struct tty_struct *tty, + console_lock(); + vcp = vc_cons[i].d; + if (vcp) { ++ int ret; ++ int save_scan_lines = vcp->vc_scan_lines; ++ int save_font_height = vcp->vc_font.height; ++ + if (v.v_vlin) + vcp->vc_scan_lines = v.v_vlin; + if (v.v_clin) + vcp->vc_font.height = v.v_clin; + vcp->vc_resize_user = 1; +- vc_resize(vcp, v.v_cols, v.v_rows); ++ ret = vc_resize(vcp, v.v_cols, v.v_rows); ++ if (ret) { ++ vcp->vc_scan_lines = save_scan_lines; ++ vcp->vc_font.height = save_font_height; ++ console_unlock(); ++ return ret; ++ } + } + console_unlock(); + } +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index e6e0f786547bf..eed7c8d8e3d4f 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -299,6 +299,8 @@ static const struct usb_device_id usb_quirk_list[] = { + + { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM }, + ++ { USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + +diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c +index 6399923239e78..b69747367bd75 100644 +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1209,12 +1209,15 @@ static int ncm_unwrap_ntb(struct gether *port, + int ndp_index; + unsigned dg_len, dg_len2; + unsigned ndp_len; ++ unsigned block_len; + struct sk_buff *skb2; + int ret = -EINVAL; +- unsigned max_size = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize); ++ unsigned ntb_max = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize); ++ unsigned frame_max = le16_to_cpu(ecm_desc.wMaxSegmentSize); + const struct ndp_parser_opts *opts = ncm->parser_opts; + unsigned crc_len = ncm->is_crc ? sizeof(uint32_t) : 0; + int dgram_counter; ++ bool ndp_after_header; + + /* dwSignature */ + if (get_unaligned_le32(tmp) != opts->nth_sign) { +@@ -1233,25 +1236,37 @@ static int ncm_unwrap_ntb(struct gether *port, + } + tmp++; /* skip wSequence */ + ++ block_len = get_ncm(&tmp, opts->block_length); + /* (d)wBlockLength */ +- if (get_ncm(&tmp, opts->block_length) > max_size) { ++ if (block_len > ntb_max) { + INFO(port->func.config->cdev, "OUT size exceeded\n"); + goto err; + } + + ndp_index = get_ncm(&tmp, opts->ndp_index); ++ ndp_after_header = false; + + /* Run through all the NDP's in the NTB */ + do { +- /* NCM 3.2 */ +- if (((ndp_index % 4) != 0) && +- (ndp_index < opts->nth_size)) { ++ /* ++ * NCM 3.2 ++ * dwNdpIndex ++ */ ++ if (((ndp_index % 4) != 0) || ++ (ndp_index < opts->nth_size) || ++ (ndp_index > (block_len - ++ opts->ndp_size))) { + INFO(port->func.config->cdev, "Bad index: %#X\n", + ndp_index); + goto err; + } ++ if (ndp_index == opts->nth_size) ++ ndp_after_header = true; + +- /* walk through NDP */ ++ /* ++ * walk through NDP ++ * dwSignature ++ */ + tmp = (void *)(skb->data + ndp_index); + if (get_unaligned_le32(tmp) != ncm->ndp_sign) { + INFO(port->func.config->cdev, "Wrong NDP SIGN\n"); +@@ -1262,14 +1277,15 @@ static int ncm_unwrap_ntb(struct gether *port, + ndp_len = get_unaligned_le16(tmp++); + /* + * NCM 3.3.1 ++ * wLength + * entry is 2 items + * item size is 16/32 bits, opts->dgram_item_len * 2 bytes + * minimal: struct usb_cdc_ncm_ndpX + normal entry + zero entry + * Each entry is a dgram index and a dgram length. + */ + if ((ndp_len < opts->ndp_size +- + 2 * 2 * (opts->dgram_item_len * 2)) +- || (ndp_len % opts->ndplen_align != 0)) { ++ + 2 * 2 * (opts->dgram_item_len * 2)) || ++ (ndp_len % opts->ndplen_align != 0)) { + INFO(port->func.config->cdev, "Bad NDP length: %#X\n", + ndp_len); + goto err; +@@ -1286,8 +1302,21 @@ static int ncm_unwrap_ntb(struct gether *port, + + do { + index = index2; ++ /* wDatagramIndex[0] */ ++ if ((index < opts->nth_size) || ++ (index > block_len - opts->dpe_size)) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index); ++ goto err; ++ } ++ + dg_len = dg_len2; +- if (dg_len < 14 + crc_len) { /* ethernet hdr + crc */ ++ /* ++ * wDatagramLength[0] ++ * ethernet hdr + crc or larger than max frame size ++ */ ++ if ((dg_len < 14 + crc_len) || ++ (dg_len > frame_max)) { + INFO(port->func.config->cdev, + "Bad dgram length: %#X\n", dg_len); + goto err; +@@ -1311,6 +1340,37 @@ static int ncm_unwrap_ntb(struct gether *port, + index2 = get_ncm(&tmp, opts->dgram_item_len); + dg_len2 = get_ncm(&tmp, opts->dgram_item_len); + ++ if (index2 == 0 || dg_len2 == 0) ++ break; ++ ++ /* wDatagramIndex[1] */ ++ if (ndp_after_header) { ++ if (index2 < opts->nth_size + opts->ndp_size) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index2); ++ goto err; ++ } ++ } else { ++ if (index2 < opts->nth_size + opts->dpe_size) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index2); ++ goto err; ++ } ++ } ++ if (index2 > block_len - opts->dpe_size) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index2); ++ goto err; ++ } ++ ++ /* wDatagramLength[1] */ ++ if ((dg_len2 < 14 + crc_len) || ++ (dg_len2 > frame_max)) { ++ INFO(port->func.config->cdev, ++ "Bad dgram length: %#X\n", dg_len); ++ goto err; ++ } ++ + /* + * Copy the data into a new skb. + * This ensures the truesize is correct +@@ -1327,9 +1387,6 @@ static int ncm_unwrap_ntb(struct gether *port, + ndp_len -= 2 * (opts->dgram_item_len * 2); + + dgram_counter++; +- +- if (index2 == 0 || dg_len2 == 0) +- break; + } while (ndp_len > 2 * (opts->dgram_item_len * 2)); + } while (ndp_index); + +diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c +index d2351139342f6..7e8e262b36297 100644 +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -751,12 +751,13 @@ static int uasp_alloc_stream_res(struct f_uas *fu, struct uas_stream *stream) + goto err_sts; + + return 0; ++ + err_sts: +- usb_ep_free_request(fu->ep_status, stream->req_status); +- stream->req_status = NULL; +-err_out: + usb_ep_free_request(fu->ep_out, stream->req_out); + stream->req_out = NULL; ++err_out: ++ usb_ep_free_request(fu->ep_in, stream->req_in); ++ stream->req_in = NULL; + out: + return -ENOMEM; + } +diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h +index 2f03334c68741..d150a6795f481 100644 +--- a/drivers/usb/gadget/u_f.h ++++ b/drivers/usb/gadget/u_f.h +@@ -17,6 +17,7 @@ + #define __U_F_H__ + + #include ++#include + + /* Variable Length Array Macros **********************************************/ + #define vla_group(groupname) size_t groupname##__next = 0 +@@ -24,21 +25,36 @@ + + #define vla_item(groupname, type, name, n) \ + size_t groupname##_##name##__offset = ({ \ +- size_t align_mask = __alignof__(type) - 1; \ +- size_t offset = (groupname##__next + align_mask) & ~align_mask;\ +- size_t size = (n) * sizeof(type); \ +- groupname##__next = offset + size; \ ++ size_t offset = 0; \ ++ if (groupname##__next != SIZE_MAX) { \ ++ size_t align_mask = __alignof__(type) - 1; \ ++ size_t size = array_size(n, sizeof(type)); \ ++ offset = (groupname##__next + align_mask) & \ ++ ~align_mask; \ ++ if (check_add_overflow(offset, size, \ ++ &groupname##__next)) { \ ++ groupname##__next = SIZE_MAX; \ ++ offset = 0; \ ++ } \ ++ } \ + offset; \ + }) + + #define vla_item_with_sz(groupname, type, name, n) \ +- size_t groupname##_##name##__sz = (n) * sizeof(type); \ +- size_t groupname##_##name##__offset = ({ \ +- size_t align_mask = __alignof__(type) - 1; \ +- size_t offset = (groupname##__next + align_mask) & ~align_mask;\ +- size_t size = groupname##_##name##__sz; \ +- groupname##__next = offset + size; \ +- offset; \ ++ size_t groupname##_##name##__sz = array_size(n, sizeof(type)); \ ++ size_t groupname##_##name##__offset = ({ \ ++ size_t offset = 0; \ ++ if (groupname##__next != SIZE_MAX) { \ ++ size_t align_mask = __alignof__(type) - 1; \ ++ offset = (groupname##__next + align_mask) & \ ++ ~align_mask; \ ++ if (check_add_overflow(offset, groupname##_##name##__sz,\ ++ &groupname##__next)) { \ ++ groupname##__next = SIZE_MAX; \ ++ offset = 0; \ ++ } \ ++ } \ ++ offset; \ + }) + + #define vla_ptr(ptr, groupname, name) \ +diff --git a/drivers/usb/host/ohci-exynos.c b/drivers/usb/host/ohci-exynos.c +index 6865b919403f7..2ed062a2e93b4 100644 +--- a/drivers/usb/host/ohci-exynos.c ++++ b/drivers/usb/host/ohci-exynos.c +@@ -166,9 +166,8 @@ skip_phy: + hcd->rsrc_len = resource_size(res); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "Failed to get IRQ\n"); +- err = -ENODEV; ++ if (irq < 0) { ++ err = irq; + goto fail_io; + } + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 04d36fa607342..194ea29d7a57e 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -623,15 +623,6 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci, + { + u32 pls = status_reg & PORT_PLS_MASK; + +- /* resume state is a xHCI internal state. +- * Do not report it to usb core, instead, pretend to be U3, +- * thus usb core knows it's not ready for transfer +- */ +- if (pls == XDEV_RESUME) { +- *status |= USB_SS_PORT_LS_U3; +- return; +- } +- + /* When the CAS bit is set then warm reset + * should be performed on port + */ +@@ -653,6 +644,16 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci, + */ + pls |= USB_PORT_STAT_CONNECTION; + } else { ++ /* ++ * Resume state is an xHCI internal state. Do not report it to ++ * usb core, instead, pretend to be U3, thus usb core knows ++ * it's not ready for transfer. ++ */ ++ if (pls == XDEV_RESUME) { ++ *status |= USB_SS_PORT_LS_U3; ++ return; ++ } ++ + /* + * If CAS bit isn't set but the Port is already at + * Compliance Mode, fake a connection so the USB core +diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c +index bd6e06ef88acd..5dfc58ac97f30 100644 +--- a/drivers/usb/misc/lvstest.c ++++ b/drivers/usb/misc/lvstest.c +@@ -392,7 +392,7 @@ static int lvs_rh_probe(struct usb_interface *intf, + USB_DT_SS_HUB_SIZE, USB_CTRL_GET_TIMEOUT); + if (ret < (USB_DT_HUB_NONVAR_SIZE + 2)) { + dev_err(&hdev->dev, "wrong root hub descriptor read %d\n", ret); +- return ret; ++ return ret < 0 ? ret : -EINVAL; + } + + /* submit urb to poll interrupt endpoint */ +diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c +index 895e8c0288cf9..30b3bdc4e6761 100644 +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -762,7 +762,7 @@ static int sisusb_write_mem_bulk(struct sisusb_usb_data *sisusb, u32 addr, + u8 swap8, fromkern = kernbuffer ? 1 : 0; + u16 swap16; + u32 swap32, flag = (length >> 28) & 1; +- char buf[4]; ++ u8 buf[4]; + + /* if neither kernbuffer not userbuffer are given, assume + * data in obuf +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index 2350502f90540..1be1fa1b73770 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -502,7 +502,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, + prepare_to_wait(&dev->waitq, &wait, TASK_INTERRUPTIBLE); + dev_dbg(&dev->interface->dev, "%s - submit %c\n", __func__, + dev->cntl_buffer[0]); +- retval = usb_submit_urb(dev->cntl_urb, GFP_KERNEL); ++ retval = usb_submit_urb(dev->cntl_urb, GFP_ATOMIC); + if (retval >= 0) + timeout = schedule_timeout(YUREX_WRITE_TIMEOUT); + finish_wait(&dev->waitq, &wait); +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 46079468df426..4a94effb64f77 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2347,7 +2347,7 @@ UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x0114, + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_BROKEN_FUA ), ++ US_FL_BROKEN_FUA | US_FL_IGNORE_UAS ), + + /* Reported by Andrey Rahmatullin */ + UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100, +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h +index 4df15faa66d71..018b0663d6109 100644 +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -41,6 +41,13 @@ + * and don't forget to CC: the USB development list + */ + ++/* Reported-by: Till Dörges */ ++UNUSUAL_DEV(0x054c, 0x087d, 0x0000, 0x9999, ++ "Sony", ++ "PSZ-HA*", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_REPORT_OPCODES), ++ + /* Reported-by: Julian Groß */ + UNUSUAL_DEV(0x059f, 0x105f, 0x0000, 0x9999, + "LaCie", +@@ -156,6 +163,13 @@ UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA), + ++/* Reported-by: Thinh Nguyen */ ++UNUSUAL_DEV(0x154b, 0xf00d, 0x0000, 0x9999, ++ "PNY", ++ "Pro Elite SSD", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_ATA_1X), ++ + /* Reported-by: Hans de Goede */ + UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, + "VIA", +diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c +index 178b507a6fe0c..dd6797e54e8ab 100644 +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -2116,6 +2116,9 @@ static void updatescrollmode(struct display *p, + } + } + ++#define PITCH(w) (((w) + 7) >> 3) ++#define CALC_FONTSZ(h, p, c) ((h) * (p) * (c)) /* size = height * pitch * charcount */ ++ + static int fbcon_resize(struct vc_data *vc, unsigned int width, + unsigned int height, unsigned int user) + { +@@ -2125,6 +2128,24 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width, + struct fb_var_screeninfo var = info->var; + int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh; + ++ if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) { ++ int size; ++ int pitch = PITCH(vc->vc_font.width); ++ ++ /* ++ * If user font, ensure that a possible change to user font ++ * height or width will not allow a font data out-of-bounds access. ++ * NOTE: must use original charcount in calculation as font ++ * charcount can change and cannot be used to determine the ++ * font data allocated size. ++ */ ++ if (pitch <= 0) ++ return -EINVAL; ++ size = CALC_FONTSZ(vc->vc_font.height, pitch, FNTCHARCNT(vc->vc_font.data)); ++ if (size > FNTSIZE(vc->vc_font.data)) ++ return -EINVAL; ++ } ++ + virt_w = FBCON_SWAP(ops->rotate, width, height); + virt_h = FBCON_SWAP(ops->rotate, height, width); + virt_fw = FBCON_SWAP(ops->rotate, vc->vc_font.width, +@@ -2586,7 +2607,7 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, unsigne + int size; + int i, csum; + u8 *new_data, *data = font->data; +- int pitch = (font->width+7) >> 3; ++ int pitch = PITCH(font->width); + + /* Is there a reason why fbconsole couldn't handle any charcount >256? + * If not this check should be changed to charcount < 256 */ +@@ -2602,7 +2623,7 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, unsigne + if (fbcon_invalid_charcount(info, charcount)) + return -EINVAL; + +- size = h * pitch * charcount; ++ size = CALC_FONTSZ(h, pitch, charcount); + + new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER); + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +index 7a75dfda98457..00f5a54aaf9b7 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +@@ -531,8 +531,11 @@ int dispc_runtime_get(void) + DSSDBG("dispc_runtime_get\n"); + + r = pm_runtime_get_sync(&dispc.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dispc.pdev->dev); ++ return r; ++ } ++ return 0; + } + EXPORT_SYMBOL(dispc_runtime_get); + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +index 30d49f3800b33..2bfd9063cdfc3 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +@@ -1148,8 +1148,11 @@ static int dsi_runtime_get(struct platform_device *dsidev) + DSSDBG("dsi_runtime_get\n"); + + r = pm_runtime_get_sync(&dsi->pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dsi->pdev->dev); ++ return r; ++ } ++ return 0; + } + + static void dsi_runtime_put(struct platform_device *dsidev) +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss.c b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +index 4429ad37b64cd..acecee5b1c102 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +@@ -778,8 +778,11 @@ int dss_runtime_get(void) + DSSDBG("dss_runtime_get\n"); + + r = pm_runtime_get_sync(&dss.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dss.pdev->dev); ++ return r; ++ } ++ return 0; + } + + void dss_runtime_put(void) +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c +index 156a254705ea5..ab64bf0215e82 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c +@@ -50,9 +50,10 @@ static int hdmi_runtime_get(void) + DSSDBG("hdmi_runtime_get\n"); + + r = pm_runtime_get_sync(&hdmi.pdev->dev); +- WARN_ON(r < 0); +- if (r < 0) ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&hdmi.pdev->dev); + return r; ++ } + + return 0; + } +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c +index 4da36bcab9779..c6efaca3235a8 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c +@@ -54,9 +54,10 @@ static int hdmi_runtime_get(void) + DSSDBG("hdmi_runtime_get\n"); + + r = pm_runtime_get_sync(&hdmi.pdev->dev); +- WARN_ON(r < 0); +- if (r < 0) ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&hdmi.pdev->dev); + return r; ++ } + + return 0; + } +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/venc.c b/drivers/video/fbdev/omap2/omapfb/dss/venc.c +index 392464da12e41..96714b4596d2d 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/venc.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/venc.c +@@ -402,8 +402,11 @@ static int venc_runtime_get(void) + DSSDBG("venc_runtime_get\n"); + + r = pm_runtime_get_sync(&venc.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&venc.pdev->dev); ++ return r; ++ } ++ return 0; + } + + static void venc_runtime_put(void) +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 4b0cc9d0ca537..0dadfabcfd80b 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -155,7 +155,7 @@ int get_evtchn_to_irq(unsigned evtchn) + /* Get info for IRQ */ + struct irq_info *info_for_irq(unsigned irq) + { +- return irq_get_handler_data(irq); ++ return irq_get_chip_data(irq); + } + + /* Constructors for packed IRQ information. */ +@@ -384,7 +384,7 @@ static void xen_irq_init(unsigned irq) + info->type = IRQT_UNBOUND; + info->refcnt = -1; + +- irq_set_handler_data(irq, info); ++ irq_set_chip_data(irq, info); + + list_add_tail(&info->list, &xen_irq_list_head); + } +@@ -433,14 +433,14 @@ static int __must_check xen_allocate_irq_gsi(unsigned gsi) + + static void xen_free_irq(unsigned irq) + { +- struct irq_info *info = irq_get_handler_data(irq); ++ struct irq_info *info = irq_get_chip_data(irq); + + if (WARN_ON(!info)) + return; + + list_del(&info->list); + +- irq_set_handler_data(irq, NULL); ++ irq_set_chip_data(irq, NULL); + + WARN_ON(info->refcnt > 0); + +@@ -610,7 +610,7 @@ EXPORT_SYMBOL_GPL(xen_irq_from_gsi); + static void __unbind_from_irq(unsigned int irq) + { + int evtchn = evtchn_from_irq(irq); +- struct irq_info *info = irq_get_handler_data(irq); ++ struct irq_info *info = irq_get_chip_data(irq); + + if (info->refcnt > 0) { + info->refcnt--; +@@ -1114,7 +1114,7 @@ int bind_ipi_to_irqhandler(enum ipi_vector ipi, + + void unbind_from_irqhandler(unsigned int irq, void *dev_id) + { +- struct irq_info *info = irq_get_handler_data(irq); ++ struct irq_info *info = irq_get_chip_data(irq); + + if (WARN_ON(!info)) + return; +@@ -1148,7 +1148,7 @@ int evtchn_make_refcounted(unsigned int evtchn) + if (irq == -1) + return -ENOENT; + +- info = irq_get_handler_data(irq); ++ info = irq_get_chip_data(irq); + + if (!info) + return -ENOENT; +@@ -1176,7 +1176,7 @@ int evtchn_get(unsigned int evtchn) + if (irq == -1) + goto done; + +- info = irq_get_handler_data(irq); ++ info = irq_get_chip_data(irq); + + if (!info) + goto done; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index d9909e2fc4c21..b100b8dae5884 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4432,6 +4432,7 @@ static void btrfs_cleanup_bg_io(struct btrfs_block_group_cache *cache) + cache->io_ctl.inode = NULL; + iput(inode); + } ++ ASSERT(cache->io_ctl.pages == NULL); + btrfs_put_block_group(cache); + } + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 568ff2ee015be..8e93bd391b352 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -1165,7 +1165,6 @@ int btrfs_wait_cache_io(struct btrfs_root *root, + ret = update_cache_item(trans, root, inode, path, offset, + io_ctl->entries, io_ctl->bitmaps); + out: +- io_ctl_free(io_ctl); + if (ret) { + invalidate_inode_pages2(inode->i_mapping); + BTRFS_I(inode)->generation = 0; +@@ -1314,6 +1313,7 @@ static int __btrfs_write_out_cache(struct btrfs_root *root, struct inode *inode, + * them out later + */ + io_ctl_drop_pages(io_ctl); ++ io_ctl_free(io_ctl); + + unlock_extent_cached(&BTRFS_I(inode)->io_tree, 0, + i_size_read(inode) - 1, &cached_state, GFP_NOFS); +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index c28ac9c464251..5bd1758f57b64 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3191,11 +3191,13 @@ fail: + btrfs_free_path(path); + out_unlock: + mutex_unlock(&BTRFS_I(dir)->log_mutex); +- if (ret == -ENOSPC) { ++ if (err == -ENOSPC) { + btrfs_set_log_full_commit(root->fs_info, trans); +- ret = 0; +- } else if (ret < 0) +- btrfs_abort_transaction(trans, ret); ++ err = 0; ++ } else if (err < 0 && err != -ENOENT) { ++ /* ENOENT can be returned if the entry hasn't been fsynced yet */ ++ btrfs_abort_transaction(trans, err); ++ } + + btrfs_end_log_trans(root); + +diff --git a/fs/buffer.c b/fs/buffer.c +index a89be9741d125..52f1a60417d1d 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -3203,6 +3203,15 @@ int __sync_dirty_buffer(struct buffer_head *bh, int op_flags) + WARN_ON(atomic_read(&bh->b_count) < 1); + lock_buffer(bh); + if (test_clear_buffer_dirty(bh)) { ++ /* ++ * The bh should be mapped, but it might not be if the ++ * device was hot-removed. Not much we can do but fail the I/O. ++ */ ++ if (!buffer_mapped(bh)) { ++ unlock_buffer(bh); ++ return -EIO; ++ } ++ + get_bh(bh); + bh->b_end_io = end_buffer_write_sync; + ret = submit_bh(REQ_OP_WRITE, op_flags, bh); +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 3139fbd4c34e3..4ec5a109df82b 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3386,6 +3386,9 @@ static void delayed_work(struct work_struct *work) + dout("mdsc delayed_work\n"); + ceph_check_delayed_caps(mdsc); + ++ if (mdsc->stopping) ++ return; ++ + mutex_lock(&mdsc->mutex); + renew_interval = mdsc->mdsmap->m_session_timeout >> 2; + renew_caps = time_after_eq(jiffies, HZ*renew_interval + +@@ -3717,7 +3720,16 @@ void ceph_mdsc_force_umount(struct ceph_mds_client *mdsc) + static void ceph_mdsc_stop(struct ceph_mds_client *mdsc) + { + dout("stop\n"); +- cancel_delayed_work_sync(&mdsc->delayed_work); /* cancel timer */ ++ /* ++ * Make sure the delayed work stopped before releasing ++ * the resources. ++ * ++ * Because the cancel_delayed_work_sync() will only ++ * guarantee that the work finishes executing. But the ++ * delayed work will re-arm itself again after that. ++ */ ++ flush_delayed_work(&mdsc->delayed_work); ++ + if (mdsc->mdsmap) + ceph_mdsmap_destroy(mdsc->mdsmap); + kfree(mdsc->sessions); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 370e4273042c5..472fa29c6f604 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4680,13 +4680,6 @@ static int ext4_commit_super(struct super_block *sb, int sync) + if (!sbh || block_device_ejected(sb)) + return error; + +- /* +- * The superblock bh should be mapped, but it might not be if the +- * device was hot-removed. Not much we can do but fail the I/O. +- */ +- if (!buffer_mapped(sbh)) +- return error; +- + /* + * If the file system is mounted read-only, don't update the + * superblock write time. This avoids updating the superblock +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 5a1a6dbbc55fb..f978ae2bb846f 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -45,7 +45,6 @@ struct wb_completion { + struct wb_writeback_work { + long nr_pages; + struct super_block *sb; +- unsigned long *older_than_this; + enum writeback_sync_modes sync_mode; + unsigned int tagged_writepages:1; + unsigned int for_kupdate:1; +@@ -160,7 +159,9 @@ static void inode_io_list_del_locked(struct inode *inode, + struct bdi_writeback *wb) + { + assert_spin_locked(&wb->list_lock); ++ assert_spin_locked(&inode->i_lock); + ++ inode->i_state &= ~I_SYNC_QUEUED; + list_del_init(&inode->i_io_list); + wb_io_lists_depopulated(wb); + } +@@ -1039,7 +1040,9 @@ void inode_io_list_del(struct inode *inode) + struct bdi_writeback *wb; + + wb = inode_to_wb_and_lock_list(inode); ++ spin_lock(&inode->i_lock); + inode_io_list_del_locked(inode, wb); ++ spin_unlock(&inode->i_lock); + spin_unlock(&wb->list_lock); + } + +@@ -1088,8 +1091,10 @@ void sb_clear_inode_writeback(struct inode *inode) + * the case then the inode must have been redirtied while it was being written + * out and we don't reset its dirtied_when. + */ +-static void redirty_tail(struct inode *inode, struct bdi_writeback *wb) ++static void redirty_tail_locked(struct inode *inode, struct bdi_writeback *wb) + { ++ assert_spin_locked(&inode->i_lock); ++ + if (!list_empty(&wb->b_dirty)) { + struct inode *tail; + +@@ -1098,6 +1103,14 @@ static void redirty_tail(struct inode *inode, struct bdi_writeback *wb) + inode->dirtied_when = jiffies; + } + inode_io_list_move_locked(inode, wb, &wb->b_dirty); ++ inode->i_state &= ~I_SYNC_QUEUED; ++} ++ ++static void redirty_tail(struct inode *inode, struct bdi_writeback *wb) ++{ ++ spin_lock(&inode->i_lock); ++ redirty_tail_locked(inode, wb); ++ spin_unlock(&inode->i_lock); + } + + /* +@@ -1136,16 +1149,13 @@ static bool inode_dirtied_after(struct inode *inode, unsigned long t) + #define EXPIRE_DIRTY_ATIME 0x0001 + + /* +- * Move expired (dirtied before work->older_than_this) dirty inodes from ++ * Move expired (dirtied before dirtied_before) dirty inodes from + * @delaying_queue to @dispatch_queue. + */ + static int move_expired_inodes(struct list_head *delaying_queue, + struct list_head *dispatch_queue, +- int flags, +- struct wb_writeback_work *work) ++ int flags, unsigned long dirtied_before) + { +- unsigned long *older_than_this = NULL; +- unsigned long expire_time; + LIST_HEAD(tmp); + struct list_head *pos, *node; + struct super_block *sb = NULL; +@@ -1153,21 +1163,17 @@ static int move_expired_inodes(struct list_head *delaying_queue, + int do_sb_sort = 0; + int moved = 0; + +- if ((flags & EXPIRE_DIRTY_ATIME) == 0) +- older_than_this = work->older_than_this; +- else if (!work->for_sync) { +- expire_time = jiffies - (dirtytime_expire_interval * HZ); +- older_than_this = &expire_time; +- } + while (!list_empty(delaying_queue)) { + inode = wb_inode(delaying_queue->prev); +- if (older_than_this && +- inode_dirtied_after(inode, *older_than_this)) ++ if (inode_dirtied_after(inode, dirtied_before)) + break; + list_move(&inode->i_io_list, &tmp); + moved++; ++ spin_lock(&inode->i_lock); + if (flags & EXPIRE_DIRTY_ATIME) +- set_bit(__I_DIRTY_TIME_EXPIRED, &inode->i_state); ++ inode->i_state |= I_DIRTY_TIME_EXPIRED; ++ inode->i_state |= I_SYNC_QUEUED; ++ spin_unlock(&inode->i_lock); + if (sb_is_blkdev_sb(inode->i_sb)) + continue; + if (sb && sb != inode->i_sb) +@@ -1205,18 +1211,22 @@ out: + * | + * +--> dequeue for IO + */ +-static void queue_io(struct bdi_writeback *wb, struct wb_writeback_work *work) ++static void queue_io(struct bdi_writeback *wb, struct wb_writeback_work *work, ++ unsigned long dirtied_before) + { + int moved; ++ unsigned long time_expire_jif = dirtied_before; + + assert_spin_locked(&wb->list_lock); + list_splice_init(&wb->b_more_io, &wb->b_io); +- moved = move_expired_inodes(&wb->b_dirty, &wb->b_io, 0, work); ++ moved = move_expired_inodes(&wb->b_dirty, &wb->b_io, 0, dirtied_before); ++ if (!work->for_sync) ++ time_expire_jif = jiffies - dirtytime_expire_interval * HZ; + moved += move_expired_inodes(&wb->b_dirty_time, &wb->b_io, +- EXPIRE_DIRTY_ATIME, work); ++ EXPIRE_DIRTY_ATIME, time_expire_jif); + if (moved) + wb_io_lists_populated(wb); +- trace_writeback_queue_io(wb, work, moved); ++ trace_writeback_queue_io(wb, work, dirtied_before, moved); + } + + static int write_inode(struct inode *inode, struct writeback_control *wbc) +@@ -1310,7 +1320,7 @@ static void requeue_inode(struct inode *inode, struct bdi_writeback *wb, + * writeback is not making progress due to locked + * buffers. Skip this inode for now. + */ +- redirty_tail(inode, wb); ++ redirty_tail_locked(inode, wb); + return; + } + +@@ -1330,7 +1340,7 @@ static void requeue_inode(struct inode *inode, struct bdi_writeback *wb, + * retrying writeback of the dirty page/inode + * that cannot be performed immediately. + */ +- redirty_tail(inode, wb); ++ redirty_tail_locked(inode, wb); + } + } else if (inode->i_state & I_DIRTY) { + /* +@@ -1338,10 +1348,11 @@ static void requeue_inode(struct inode *inode, struct bdi_writeback *wb, + * such as delayed allocation during submission or metadata + * updates after data IO completion. + */ +- redirty_tail(inode, wb); ++ redirty_tail_locked(inode, wb); + } else if (inode->i_state & I_DIRTY_TIME) { + inode->dirtied_when = jiffies; + inode_io_list_move_locked(inode, wb, &wb->b_dirty_time); ++ inode->i_state &= ~I_SYNC_QUEUED; + } else { + /* The inode is clean. Remove from writeback lists. */ + inode_io_list_del_locked(inode, wb); +@@ -1585,8 +1596,8 @@ static long writeback_sb_inodes(struct super_block *sb, + */ + spin_lock(&inode->i_lock); + if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) { ++ redirty_tail_locked(inode, wb); + spin_unlock(&inode->i_lock); +- redirty_tail(inode, wb); + continue; + } + if ((inode->i_state & I_SYNC) && wbc.sync_mode != WB_SYNC_ALL) { +@@ -1727,7 +1738,7 @@ static long writeback_inodes_wb(struct bdi_writeback *wb, long nr_pages, + blk_start_plug(&plug); + spin_lock(&wb->list_lock); + if (list_empty(&wb->b_io)) +- queue_io(wb, &work); ++ queue_io(wb, &work, jiffies); + __writeback_inodes_wb(wb, &work); + spin_unlock(&wb->list_lock); + blk_finish_plug(&plug); +@@ -1747,7 +1758,7 @@ static long writeback_inodes_wb(struct bdi_writeback *wb, long nr_pages, + * takes longer than a dirty_writeback_interval interval, then leave a + * one-second gap. + * +- * older_than_this takes precedence over nr_to_write. So we'll only write back ++ * dirtied_before takes precedence over nr_to_write. So we'll only write back + * all dirty pages if they are all attached to "old" mappings. + */ + static long wb_writeback(struct bdi_writeback *wb, +@@ -1755,14 +1766,11 @@ static long wb_writeback(struct bdi_writeback *wb, + { + unsigned long wb_start = jiffies; + long nr_pages = work->nr_pages; +- unsigned long oldest_jif; ++ unsigned long dirtied_before = jiffies; + struct inode *inode; + long progress; + struct blk_plug plug; + +- oldest_jif = jiffies; +- work->older_than_this = &oldest_jif; +- + blk_start_plug(&plug); + spin_lock(&wb->list_lock); + for (;;) { +@@ -1796,14 +1804,14 @@ static long wb_writeback(struct bdi_writeback *wb, + * safe. + */ + if (work->for_kupdate) { +- oldest_jif = jiffies - ++ dirtied_before = jiffies - + msecs_to_jiffies(dirty_expire_interval * 10); + } else if (work->for_background) +- oldest_jif = jiffies; ++ dirtied_before = jiffies; + + trace_writeback_start(wb, work); + if (list_empty(&wb->b_io)) +- queue_io(wb, work); ++ queue_io(wb, work, dirtied_before); + if (work->sb) + progress = writeback_sb_inodes(work->sb, wb, work); + else +@@ -2176,11 +2184,12 @@ void __mark_inode_dirty(struct inode *inode, int flags) + inode->i_state |= flags; + + /* +- * If the inode is being synced, just update its dirty state. +- * The unlocker will place the inode on the appropriate +- * superblock list, based upon its state. ++ * If the inode is queued for writeback by flush worker, just ++ * update its dirty state. Once the flush worker is done with ++ * the inode it will place it on the appropriate superblock ++ * list, based upon its state. + */ +- if (inode->i_state & I_SYNC) ++ if (inode->i_state & I_SYNC_QUEUED) + goto out_unlock_inode; + + /* +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 8de458d64134a..cfbf5474bccab 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1896,6 +1896,9 @@ static void __jbd2_journal_temp_unlink_buffer(struct journal_head *jh) + */ + static void __jbd2_journal_unfile_buffer(struct journal_head *jh) + { ++ J_ASSERT_JH(jh, jh->b_transaction != NULL); ++ J_ASSERT_JH(jh, jh->b_next_transaction == NULL); ++ + __jbd2_journal_temp_unlink_buffer(jh); + jh->b_transaction = NULL; + jbd2_journal_put_journal_head(jh); +@@ -1987,6 +1990,7 @@ int jbd2_journal_try_to_free_buffers(journal_t *journal, + { + struct buffer_head *head; + struct buffer_head *bh; ++ bool has_write_io_error = false; + int ret = 0; + + J_ASSERT(PageLocked(page)); +@@ -2011,11 +2015,26 @@ int jbd2_journal_try_to_free_buffers(journal_t *journal, + jbd_unlock_bh_state(bh); + if (buffer_jbd(bh)) + goto busy; ++ ++ /* ++ * If we free a metadata buffer which has been failed to ++ * write out, the jbd2 checkpoint procedure will not detect ++ * this failure and may lead to filesystem inconsistency ++ * after cleanup journal tail. ++ */ ++ if (buffer_write_io_error(bh)) { ++ pr_err("JBD2: Error while async write back metadata bh %llu.", ++ (unsigned long long)bh->b_blocknr); ++ has_write_io_error = true; ++ } + } while ((bh = bh->b_this_page) != head); + + ret = try_to_free_buffers(page); + + busy: ++ if (has_write_io_error) ++ jbd2_journal_abort(journal, -EIO); ++ + return ret; + } + +@@ -2443,6 +2462,13 @@ void __jbd2_journal_refile_buffer(struct journal_head *jh) + + was_dirty = test_clear_buffer_jbddirty(bh); + __jbd2_journal_temp_unlink_buffer(jh); ++ ++ /* ++ * b_transaction must be set, otherwise the new b_transaction won't ++ * be holding jh reference ++ */ ++ J_ASSERT_JH(jh, jh->b_transaction != NULL); ++ + /* + * We set b_transaction here because b_next_transaction will inherit + * our jh reference and thus __jbd2_journal_file_buffer() must not +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 02c4f16685b69..69605956beb85 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -910,7 +910,11 @@ extern void *efi_get_pal_addr (void); + extern void efi_map_pal_code (void); + extern void efi_memmap_walk (efi_freemem_callback_t callback, void *arg); + extern void efi_gettimeofday (struct timespec64 *ts); ++#ifdef CONFIG_EFI + extern void efi_enter_virtual_mode (void); /* switch EFI to virtual mode, if possible */ ++#else ++static inline void efi_enter_virtual_mode (void) {} ++#endif + #ifdef CONFIG_X86 + extern void efi_late_init(void); + extern void efi_free_boot_services(void); +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 2d569738eb320..b8d65e0ab9341 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1954,6 +1954,10 @@ static inline bool HAS_UNMAPPED_ID(struct inode *inode) + * wb stat updates to grab mapping->tree_lock. See + * inode_switch_wb_work_fn() for details. + * ++ * I_SYNC_QUEUED Inode is queued in b_io or b_more_io writeback lists. ++ * Used to detect that mark_inode_dirty() should not move ++ * inode between dirty lists. ++ * + * Q: What is the difference between I_WILL_FREE and I_FREEING? + */ + #define I_DIRTY_SYNC (1 << 0) +@@ -1971,9 +1975,9 @@ static inline bool HAS_UNMAPPED_ID(struct inode *inode) + #define I_DIO_WAKEUP (1 << __I_DIO_WAKEUP) + #define I_LINKABLE (1 << 10) + #define I_DIRTY_TIME (1 << 11) +-#define __I_DIRTY_TIME_EXPIRED 12 +-#define I_DIRTY_TIME_EXPIRED (1 << __I_DIRTY_TIME_EXPIRED) ++#define I_DIRTY_TIME_EXPIRED (1 << 12) + #define I_WB_SWITCH (1 << 13) ++#define I_SYNC_QUEUED (1 << 17) + + #define I_DIRTY (I_DIRTY_SYNC | I_DIRTY_DATASYNC | I_DIRTY_PAGES) + #define I_DIRTY_ALL (I_DIRTY | I_DIRTY_TIME) +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index d309788f4cd24..40b48e2133cb8 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -233,4 +233,77 @@ + (*_d >> _to_shift) != _a); \ + }) + ++/** ++ * array_size() - Calculate size of 2-dimensional array. ++ * ++ * @a: dimension one ++ * @b: dimension two ++ * ++ * Calculates size of 2-dimensional array: @a * @b. ++ * ++ * Returns: number of bytes needed to represent the array or SIZE_MAX on ++ * overflow. ++ */ ++static inline __must_check size_t array_size(size_t a, size_t b) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(a, b, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++/** ++ * array3_size() - Calculate size of 3-dimensional array. ++ * ++ * @a: dimension one ++ * @b: dimension two ++ * @c: dimension three ++ * ++ * Calculates size of 3-dimensional array: @a * @b * @c. ++ * ++ * Returns: number of bytes needed to represent the array or SIZE_MAX on ++ * overflow. ++ */ ++static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(a, b, &bytes)) ++ return SIZE_MAX; ++ if (check_mul_overflow(bytes, c, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(n, size, &bytes)) ++ return SIZE_MAX; ++ if (check_add_overflow(bytes, c, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++/** ++ * struct_size() - Calculate size of structure with trailing array. ++ * @p: Pointer to the structure. ++ * @member: Name of the array member. ++ * @n: Number of elements in the array. ++ * ++ * Calculates size of memory needed for structure @p followed by an ++ * array of @n @member elements. ++ * ++ * Return: number of bytes needed or SIZE_MAX on overflow. ++ */ ++#define struct_size(p, member, n) \ ++ __ab_c_size(n, \ ++ sizeof(*(p)->member) + __must_be_array((p)->member),\ ++ sizeof(*(p))) ++ + #endif /* __LINUX_OVERFLOW_H */ +diff --git a/include/trace/events/writeback.h b/include/trace/events/writeback.h +index 2ccd9ccbf9efe..ec964a924cd2f 100644 +--- a/include/trace/events/writeback.h ++++ b/include/trace/events/writeback.h +@@ -360,8 +360,9 @@ DEFINE_WBC_EVENT(wbc_writepage); + TRACE_EVENT(writeback_queue_io, + TP_PROTO(struct bdi_writeback *wb, + struct wb_writeback_work *work, ++ unsigned long dirtied_before, + int moved), +- TP_ARGS(wb, work, moved), ++ TP_ARGS(wb, work, dirtied_before, moved), + TP_STRUCT__entry( + __array(char, name, 32) + __field(unsigned long, older) +@@ -371,19 +372,17 @@ TRACE_EVENT(writeback_queue_io, + __field(unsigned int, cgroup_ino) + ), + TP_fast_assign( +- unsigned long *older_than_this = work->older_than_this; + strncpy(__entry->name, dev_name(wb->bdi->dev), 32); +- __entry->older = older_than_this ? *older_than_this : 0; +- __entry->age = older_than_this ? +- (jiffies - *older_than_this) * 1000 / HZ : -1; ++ __entry->older = dirtied_before; ++ __entry->age = (jiffies - dirtied_before) * 1000 / HZ; + __entry->moved = moved; + __entry->reason = work->reason; + __entry->cgroup_ino = __trace_wb_assign_cgroup(wb); + ), + TP_printk("bdi %s: older=%lu age=%ld enqueue=%d reason=%s cgroup_ino=%u", + __entry->name, +- __entry->older, /* older_than_this in jiffies */ +- __entry->age, /* older_than_this in relative milliseconds */ ++ __entry->older, /* dirtied_before in jiffies */ ++ __entry->age, /* dirtied_before in relative milliseconds */ + __entry->moved, + __print_symbolic(__entry->reason, WB_WORK_REASON), + __entry->cgroup_ino +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index 75d80809c48c9..09bad6cbb95cf 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -425,7 +425,7 @@ static void seq_lock_time(struct seq_file *m, struct lock_time *lt) + seq_time(m, lt->min); + seq_time(m, lt->max); + seq_time(m, lt->total); +- seq_time(m, lt->nr ? div_s64(lt->total, lt->nr) : 0); ++ seq_time(m, lt->nr ? div64_u64(lt->total, lt->nr) : 0); + } + + static void seq_stats(struct seq_file *m, struct lock_stat_data *data) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 7164569c1ec80..e72775024c6af 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4591,8 +4591,8 @@ struct sk_buff *skb_vlan_untag(struct sk_buff *skb) + skb = skb_share_check(skb, GFP_ATOMIC); + if (unlikely(!skb)) + goto err_free; +- +- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) ++ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */ ++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short)))) + goto err_free; + + vhdr = (struct vlan_hdr *)skb->data; +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index ed795d50a8d2b..d9e60aa2ea1b2 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -871,7 +871,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struct sk_buff *skb, + struct metadata_dst *tun_dst, + bool log_ecn_err) + { +- return __ip6_tnl_rcv(t, skb, tpi, NULL, ip6ip6_dscp_ecn_decapsulate, ++ int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t, ++ const struct ipv6hdr *ipv6h, ++ struct sk_buff *skb); ++ ++ dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate; ++ if (tpi->proto == htons(ETH_P_IP)) ++ dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate; ++ ++ return __ip6_tnl_rcv(t, skb, tpi, NULL, dscp_ecn_decapsulate, + log_ecn_err); + } + EXPORT_SYMBOL(ip6_tnl_rcv); +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index cdc49e680be4b..403be9bfd8d16 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -250,8 +250,9 @@ err_out: + static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, + struct tipc_nl_compat_msg *msg) + { +- int err; ++ struct nlmsghdr *nlh; + struct sk_buff *arg; ++ int err; + + if (msg->req_type && (!msg->req_size || + !TLV_CHECK_TYPE(msg->req, msg->req_type))) +@@ -280,6 +281,15 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, + return -ENOMEM; + } + ++ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI); ++ if (!nlh) { ++ kfree_skb(arg); ++ kfree_skb(msg->rep); ++ msg->rep = NULL; ++ return -EMSGSIZE; ++ } ++ nlmsg_end(arg, nlh); ++ + err = __tipc_nl_compat_dumpit(cmd, msg, arg); + if (err) { + kfree_skb(msg->rep); +diff --git a/sound/pci/cs46xx/cs46xx_lib.c b/sound/pci/cs46xx/cs46xx_lib.c +index 528102cc2d5d0..d824ff4ae3e3b 100644 +--- a/sound/pci/cs46xx/cs46xx_lib.c ++++ b/sound/pci/cs46xx/cs46xx_lib.c +@@ -780,7 +780,7 @@ static void snd_cs46xx_set_capture_sample_rate(struct snd_cs46xx *chip, unsigned + rate = 48000 / 9; + + /* +- * We can not capture at at rate greater than the Input Rate (48000). ++ * We can not capture at a rate greater than the Input Rate (48000). + * Return an error if an attempt is made to stray outside that limit. + */ + if (rate > 48000) +diff --git a/sound/pci/cs46xx/dsp_spos_scb_lib.c b/sound/pci/cs46xx/dsp_spos_scb_lib.c +index 7488e1b7a7707..4e726d39b05d1 100644 +--- a/sound/pci/cs46xx/dsp_spos_scb_lib.c ++++ b/sound/pci/cs46xx/dsp_spos_scb_lib.c +@@ -1742,7 +1742,7 @@ int cs46xx_iec958_pre_open (struct snd_cs46xx *chip) + struct dsp_spos_instance * ins = chip->dsp_spos_instance; + + if ( ins->spdif_status_out & DSP_SPDIF_STATUS_OUTPUT_ENABLED ) { +- /* remove AsynchFGTxSCB and and PCMSerialInput_II */ ++ /* remove AsynchFGTxSCB and PCMSerialInput_II */ + cs46xx_dsp_disable_spdif_out (chip); + + /* save state */ +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index cbe0248225c1c..4e67614f15f8e 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3496,7 +3496,7 @@ EXPORT_SYMBOL_GPL(snd_hda_set_power_save); + * @nid: NID to check / update + * + * Check whether the given NID is in the amp list. If it's in the list, +- * check the current AMP status, and update the the power-status according ++ * check the current AMP status, and update the power-status according + * to the mute status. + * + * This function is supposed to be set or called from the check_power_status +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 949c90a859fab..184089c5e8cbc 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -820,7 +820,7 @@ static void activate_amp_in(struct hda_codec *codec, struct nid_path *path, + } + } + +-/* sync power of each widget in the the given path */ ++/* sync power of each widget in the given path */ + static hda_nid_t path_power_update(struct hda_codec *codec, + struct nid_path *path, + bool allow_powerdown) +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index d1a6d20ace0da..80b72d0702c5e 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -862,7 +862,7 @@ static int stac_auto_create_beep_ctls(struct hda_codec *codec, + static struct snd_kcontrol_new beep_vol_ctl = + HDA_CODEC_VOLUME(NULL, 0, 0, 0); + +- /* check for mute support for the the amp */ ++ /* check for mute support for the amp */ + if ((caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT) { + const struct snd_kcontrol_new *temp; + if (spec->anabeep_nid == nid) +diff --git a/sound/pci/ice1712/prodigy192.c b/sound/pci/ice1712/prodigy192.c +index 3919aed39ca03..5e52086d7b986 100644 +--- a/sound/pci/ice1712/prodigy192.c ++++ b/sound/pci/ice1712/prodigy192.c +@@ -31,7 +31,7 @@ + * Experimentally I found out that only a combination of + * OCKS0=1, OCKS1=1 (128fs, 64fs output) and ice1724 - + * VT1724_MT_I2S_MCLK_128X=0 (256fs input) yields correct +- * sampling rate. That means the the FPGA doubles the ++ * sampling rate. That means that the FPGA doubles the + * MCK01 rate. + * + * Copyright (c) 2003 Takashi Iwai +diff --git a/sound/pci/oxygen/xonar_dg.c b/sound/pci/oxygen/xonar_dg.c +index 4cf3200e988b0..df44135e1b0c9 100644 +--- a/sound/pci/oxygen/xonar_dg.c ++++ b/sound/pci/oxygen/xonar_dg.c +@@ -39,7 +39,7 @@ + * GPIO 4 <- headphone detect + * GPIO 5 -> enable ADC analog circuit for the left channel + * GPIO 6 -> enable ADC analog circuit for the right channel +- * GPIO 7 -> switch green rear output jack between CS4245 and and the first ++ * GPIO 7 -> switch green rear output jack between CS4245 and the first + * channel of CS4361 (mechanical relay) + * GPIO 8 -> enable output to speakers + * +diff --git a/sound/soc/tegra/tegra30_ahub.c b/sound/soc/tegra/tegra30_ahub.c +index fef3b9a21a667..e441e23a37e4f 100644 +--- a/sound/soc/tegra/tegra30_ahub.c ++++ b/sound/soc/tegra/tegra30_ahub.c +@@ -656,8 +656,10 @@ static int tegra30_ahub_resume(struct device *dev) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(dev); + return ret; ++ } + ret = regcache_sync(ahub->regmap_ahub); + ret |= regcache_sync(ahub->regmap_apbif); + pm_runtime_put(dev); +diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c +index 8e55583aa104e..516f37896092c 100644 +--- a/sound/soc/tegra/tegra30_i2s.c ++++ b/sound/soc/tegra/tegra30_i2s.c +@@ -552,8 +552,10 @@ static int tegra30_i2s_resume(struct device *dev) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(dev); + return ret; ++ } + ret = regcache_sync(i2s->regmap); + pm_runtime_put(dev); + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 689fd3103e5b6..a917b7e02d312 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3331,8 +3331,8 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + * they pretend to be 96kHz mono as a workaround for stereo being broken + * by that... + * +- * They also have swapped L-R channels, but that's for userspace to deal +- * with. ++ * They also have an issue with initial stream alignment that causes the ++ * channels to be swapped and out of phase, which is dealt with in quirks.c. + */ + { + .match_flags = USB_DEVICE_ID_MATCH_DEVICE | +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c +index 94110b1dcd3d8..031baa43646fb 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c +@@ -91,8 +91,6 @@ int back_to_back_ebbs(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c +index 7c57a8d79535d..361e0be9df9ae 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c +@@ -42,8 +42,6 @@ int cycles(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c +index ecf5ee3283a3e..fe7d0dc2a1a26 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c +@@ -99,8 +99,6 @@ int cycles_with_freeze(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + printf("EBBs while frozen %d\n", ebbs_while_frozen); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c +index c0faba520b35c..b9b30f974b5ea 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c +@@ -71,8 +71,6 @@ int cycles_with_mmcr2(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c +index 46681fec549b8..2694ae161a84a 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c +@@ -396,8 +396,6 @@ int ebb_child(union pipe read_pipe, union pipe write_pipe) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c +index a991d2ea8d0a1..174e4f4dae6c0 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c +@@ -38,8 +38,6 @@ static int victim_child(union pipe read_pipe, union pipe write_pipe) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + FAIL_IF(ebb_state.stats.ebb_count == 0); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c +index eb8acb78bc6c1..531083accfcad 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c +@@ -75,7 +75,6 @@ static int test_body(void) + ebb_freeze_pmcs(); + ebb_global_disable(); + +- count_pmc(4, sample_period); + mtspr(SPRN_PMC4, 0xdead); + + dump_summary_ebb_state(); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c +index 6ff8c8ff27d66..035c02273cd49 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c +@@ -70,13 +70,6 @@ int multi_counter(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- count_pmc(2, sample_period); +- count_pmc(3, sample_period); +- count_pmc(4, sample_period); +- count_pmc(5, sample_period); +- count_pmc(6, sample_period); +- + dump_ebb_state(); + + for (i = 0; i < 6; i++) +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c +index 037cb6154f360..3e9d4ac965c85 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c +@@ -61,8 +61,6 @@ static int cycles_child(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_summary_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c +index c5fa64790c22e..d90891fe96a32 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c +@@ -82,8 +82,6 @@ static int test_body(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + if (mmcr0_mismatch) +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c +index 30e1ac62e8cb4..8ca92b9ee5b01 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c +@@ -76,8 +76,6 @@ int pmc56_overflow(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(2, sample_period); +- + dump_ebb_state(); + + printf("PMC5/6 overflow %d\n", pmc56_overflowed); diff --git a/patch/kernel/meson64-legacy/patch-4.9.235-236.patch b/patch/kernel/meson64-legacy/patch-4.9.235-236.patch new file mode 100644 index 000000000..43e9051e1 --- /dev/null +++ b/patch/kernel/meson64-legacy/patch-4.9.235-236.patch @@ -0,0 +1,3781 @@ +diff --git a/Documentation/filesystems/affs.txt b/Documentation/filesystems/affs.txt +index 71b63c2b98410..a8f1a58e36922 100644 +--- a/Documentation/filesystems/affs.txt ++++ b/Documentation/filesystems/affs.txt +@@ -93,13 +93,15 @@ The Amiga protection flags RWEDRWEDHSPARWED are handled as follows: + + - R maps to r for user, group and others. On directories, R implies x. + +- - If both W and D are allowed, w will be set. ++ - W maps to w. + + - E maps to x. + +- - H and P are always retained and ignored under Linux. ++ - D is ignored. + +- - A is always reset when a file is written to. ++ - H, S and P are always retained and ignored under Linux. ++ ++ - A is cleared when a file is written to. + + User id and group id will be used unless set[gu]id are given as mount + options. Since most of the Amiga file systems are single user systems +@@ -111,11 +113,13 @@ Linux -> Amiga: + + The Linux rwxrwxrwx file mode is handled as follows: + +- - r permission will set R for user, group and others. ++ - r permission will allow R for user, group and others. ++ ++ - w permission will allow W for user, group and others. + +- - w permission will set W and D for user, group and others. ++ - x permission of the user will allow E for plain files. + +- - x permission of the user will set E for plain files. ++ - D will be allowed for user, group and others. + + - All other flags (suid, sgid, ...) are ignored and will + not be retained. +diff --git a/Makefile b/Makefile +index d21084a36bd4d..a454c9cd126e0 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 235 ++SUBLEVEL = 236 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h +index a11c8c2915c93..e8cb69b0cf4fb 100644 +--- a/arch/arm64/include/asm/kvm_arm.h ++++ b/arch/arm64/include/asm/kvm_arm.h +@@ -78,10 +78,11 @@ + * IMO: Override CPSR.I and enable signaling with VI + * FMO: Override CPSR.F and enable signaling with VF + * SWIO: Turn set/way invalidates into set/way clean+invalidate ++ * PTW: Take a stage2 fault if a stage1 walk steps in device memory + */ + #define HCR_GUEST_FLAGS (HCR_TSC | HCR_TSW | HCR_TWE | HCR_TWI | HCR_VM | \ + HCR_TVM | HCR_BSU_IS | HCR_FB | HCR_TAC | \ +- HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW) ++ HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW | HCR_PTW) + #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF) + #define HCR_INT_OVERRIDE (HCR_FMO | HCR_IMO) + #define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK) +diff --git a/arch/arm64/include/asm/kvm_asm.h b/arch/arm64/include/asm/kvm_asm.h +index 8f5cf83b23396..3d2fddac25b91 100644 +--- a/arch/arm64/include/asm/kvm_asm.h ++++ b/arch/arm64/include/asm/kvm_asm.h +@@ -82,6 +82,34 @@ extern u32 __init_stage2_translation(void); + *__hyp_this_cpu_ptr(sym); \ + }) + ++#define __KVM_EXTABLE(from, to) \ ++ " .pushsection __kvm_ex_table, \"a\"\n" \ ++ " .align 3\n" \ ++ " .long (" #from " - .), (" #to " - .)\n" \ ++ " .popsection\n" ++ ++ ++#define __kvm_at(at_op, addr) \ ++( { \ ++ int __kvm_at_err = 0; \ ++ u64 spsr, elr; \ ++ asm volatile( \ ++ " mrs %1, spsr_el2\n" \ ++ " mrs %2, elr_el2\n" \ ++ "1: at "at_op", %3\n" \ ++ " isb\n" \ ++ " b 9f\n" \ ++ "2: msr spsr_el2, %1\n" \ ++ " msr elr_el2, %2\n" \ ++ " mov %w0, %4\n" \ ++ "9:\n" \ ++ __KVM_EXTABLE(1b, 2b) \ ++ : "+r" (__kvm_at_err), "=&r" (spsr), "=&r" (elr) \ ++ : "r" (addr), "i" (-EFAULT)); \ ++ __kvm_at_err; \ ++} ) ++ ++ + #else /* __ASSEMBLY__ */ + + .macro hyp_adr_this_cpu reg, sym, tmp +@@ -106,6 +134,21 @@ extern u32 __init_stage2_translation(void); + kern_hyp_va \vcpu + .endm + ++/* ++ * KVM extable for unexpected exceptions. ++ * In the same format _asm_extable, but output to a different section so that ++ * it can be mapped to EL2. The KVM version is not sorted. The caller must ++ * ensure: ++ * x18 has the hypervisor value to allow any Shadow-Call-Stack instrumented ++ * code to write to it, and that SPSR_EL2 and ELR_EL2 are restored by the fixup. ++ */ ++.macro _kvm_extable, from, to ++ .pushsection __kvm_ex_table, "a" ++ .align 3 ++ .long (\from - .), (\to - .) ++ .popsection ++.endm ++ + #endif + + #endif /* __ARM_KVM_ASM_H__ */ +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S +index 6a584558b29d2..fa3ffad50a61c 100644 +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -23,6 +23,13 @@ ENTRY(_text) + + jiffies = jiffies_64; + ++ ++#define HYPERVISOR_EXTABLE \ ++ . = ALIGN(SZ_8); \ ++ VMLINUX_SYMBOL(__start___kvm_ex_table) = .; \ ++ *(__kvm_ex_table) \ ++ VMLINUX_SYMBOL(__stop___kvm_ex_table) = .; ++ + #define HYPERVISOR_TEXT \ + /* \ + * Align to 4 KB so that \ +@@ -38,6 +45,7 @@ jiffies = jiffies_64; + VMLINUX_SYMBOL(__hyp_idmap_text_end) = .; \ + VMLINUX_SYMBOL(__hyp_text_start) = .; \ + *(.hyp.text) \ ++ HYPERVISOR_EXTABLE \ + VMLINUX_SYMBOL(__hyp_text_end) = .; + + #define IDMAP_TEXT \ +diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S +index a360ac6e89e9d..4e0eac361f87c 100644 +--- a/arch/arm64/kvm/hyp/entry.S ++++ b/arch/arm64/kvm/hyp/entry.S +@@ -17,6 +17,7 @@ + + #include + ++#include + #include + #include + #include +@@ -62,6 +63,15 @@ ENTRY(__guest_enter) + // Store the host regs + save_callee_saved_regs x1 + ++ // Now the host state is stored if we have a pending RAS SError it must ++ // affect the host. If any asynchronous exception is pending we defer ++ // the guest entry. ++ mrs x1, isr_el1 ++ cbz x1, 1f ++ mov x0, #ARM_EXCEPTION_IRQ ++ ret ++ ++1: + add x18, x0, #VCPU_CONTEXT + + // Restore guest regs x0-x17 +@@ -135,18 +145,22 @@ ENTRY(__guest_exit) + // This is our single instruction exception window. A pending + // SError is guaranteed to occur at the earliest when we unmask + // it, and at the latest just after the ISB. +- .global abort_guest_exit_start + abort_guest_exit_start: + + isb + +- .global abort_guest_exit_end + abort_guest_exit_end: ++ msr daifset, #4 // Mask aborts ++ ret ++ ++ _kvm_extable abort_guest_exit_start, 9997f ++ _kvm_extable abort_guest_exit_end, 9997f ++9997: ++ msr daifset, #4 // Mask aborts ++ mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) + +- // If the exception took place, restore the EL1 exception +- // context so that we can report some information. +- // Merge the exception code with the SError pending bit. +- tbz x0, #ARM_EXIT_WITH_SERROR_BIT, 1f ++ // restore the EL1 exception context so that we can report some ++ // information. Merge the exception code with the SError pending bit. + msr elr_el2, x2 + msr esr_el2, x3 + msr spsr_el2, x4 +diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S +index bf4988f9dae8f..7ced1fb93d077 100644 +--- a/arch/arm64/kvm/hyp/hyp-entry.S ++++ b/arch/arm64/kvm/hyp/hyp-entry.S +@@ -25,6 +25,30 @@ + #include + #include + ++.macro save_caller_saved_regs_vect ++ stp x0, x1, [sp, #-16]! ++ stp x2, x3, [sp, #-16]! ++ stp x4, x5, [sp, #-16]! ++ stp x6, x7, [sp, #-16]! ++ stp x8, x9, [sp, #-16]! ++ stp x10, x11, [sp, #-16]! ++ stp x12, x13, [sp, #-16]! ++ stp x14, x15, [sp, #-16]! ++ stp x16, x17, [sp, #-16]! ++.endm ++ ++.macro restore_caller_saved_regs_vect ++ ldp x16, x17, [sp], #16 ++ ldp x14, x15, [sp], #16 ++ ldp x12, x13, [sp], #16 ++ ldp x10, x11, [sp], #16 ++ ldp x8, x9, [sp], #16 ++ ldp x6, x7, [sp], #16 ++ ldp x4, x5, [sp], #16 ++ ldp x2, x3, [sp], #16 ++ ldp x0, x1, [sp], #16 ++.endm ++ + .text + .pushsection .hyp.text, "ax" + +@@ -177,26 +201,24 @@ el1_error: + mov x0, #ARM_EXCEPTION_EL1_SERROR + b __guest_exit + ++el2_sync: ++ save_caller_saved_regs_vect ++ stp x29, x30, [sp, #-16]! ++ bl kvm_unexpected_el2_exception ++ ldp x29, x30, [sp], #16 ++ restore_caller_saved_regs_vect ++ ++ eret ++ + el2_error: +- /* +- * Only two possibilities: +- * 1) Either we come from the exit path, having just unmasked +- * PSTATE.A: change the return code to an EL2 fault, and +- * carry on, as we're already in a sane state to handle it. +- * 2) Or we come from anywhere else, and that's a bug: we panic. +- * +- * For (1), x0 contains the original return code and x1 doesn't +- * contain anything meaningful at that stage. We can reuse them +- * as temp registers. +- * For (2), who cares? +- */ +- mrs x0, elr_el2 +- adr x1, abort_guest_exit_start +- cmp x0, x1 +- adr x1, abort_guest_exit_end +- ccmp x0, x1, #4, ne +- b.ne __hyp_panic +- mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) ++ save_caller_saved_regs_vect ++ stp x29, x30, [sp, #-16]! ++ ++ bl kvm_unexpected_el2_exception ++ ++ ldp x29, x30, [sp], #16 ++ restore_caller_saved_regs_vect ++ + eret + + ENTRY(__hyp_do_panic) +@@ -225,7 +247,6 @@ ENDPROC(\label) + invalid_vector el2t_irq_invalid + invalid_vector el2t_fiq_invalid + invalid_vector el2t_error_invalid +- invalid_vector el2h_sync_invalid + invalid_vector el2h_irq_invalid + invalid_vector el2h_fiq_invalid + invalid_vector el1_sync_invalid +@@ -242,7 +263,7 @@ ENTRY(__kvm_hyp_vector) + ventry el2t_fiq_invalid // FIQ EL2t + ventry el2t_error_invalid // Error EL2t + +- ventry el2h_sync_invalid // Synchronous EL2h ++ ventry el2_sync // Synchronous EL2h + ventry el2h_irq_invalid // IRQ EL2h + ventry el2h_fiq_invalid // FIQ EL2h + ventry el2_error // Error EL2h +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c +index ed7e3a288b4e5..0a2f37bceab0a 100644 +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -25,6 +25,10 @@ + #include + #include + #include ++#include ++ ++extern struct exception_table_entry __start___kvm_ex_table; ++extern struct exception_table_entry __stop___kvm_ex_table; + + static bool __hyp_text __fpsimd_enabled_nvhe(void) + { +@@ -202,10 +206,10 @@ static bool __hyp_text __translate_far_to_hpfar(u64 far, u64 *hpfar) + * saved the guest context yet, and we may return early... + */ + par = read_sysreg(par_el1); +- asm volatile("at s1e1r, %0" : : "r" (far)); +- isb(); +- +- tmp = read_sysreg(par_el1); ++ if (!__kvm_at("s1e1r", far)) ++ tmp = read_sysreg(par_el1); ++ else ++ tmp = 1; /* back to the guest */ + write_sysreg(par, par_el1); + + if (unlikely(tmp & 1)) +@@ -454,3 +458,30 @@ void __hyp_text __noreturn hyp_panic(struct kvm_cpu_context *host_ctxt) + + unreachable(); + } ++ ++asmlinkage void __hyp_text kvm_unexpected_el2_exception(void) ++{ ++ unsigned long addr, fixup; ++ struct kvm_cpu_context *host_ctxt; ++ struct exception_table_entry *entry, *end; ++ unsigned long elr_el2 = read_sysreg(elr_el2); ++ ++ entry = hyp_symbol_addr(__start___kvm_ex_table); ++ end = hyp_symbol_addr(__stop___kvm_ex_table); ++ host_ctxt = __hyp_this_cpu_ptr(kvm_host_cpu_state); ++ ++ while (entry < end) { ++ addr = (unsigned long)&entry->insn + entry->insn; ++ fixup = (unsigned long)&entry->fixup + entry->fixup; ++ ++ if (addr != elr_el2) { ++ entry++; ++ continue; ++ } ++ ++ write_sysreg(fixup, elr_el2); ++ return; ++ } ++ ++ hyp_panic(host_ctxt); ++} +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c +index 416d53f587e7c..6e36717527754 100644 +--- a/arch/mips/kernel/smp-bmips.c ++++ b/arch/mips/kernel/smp-bmips.c +@@ -236,6 +236,8 @@ static void bmips_boot_secondary(int cpu, struct task_struct *idle) + */ + static void bmips_init_secondary(void) + { ++ bmips_cpu_setup(); ++ + switch (current_cpu_type()) { + case CPU_BMIPS4350: + case CPU_BMIPS4380: +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index 0ff379f0cc4a7..cb877f86f5fc9 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1746,7 +1746,11 @@ static void setup_scache(void) + printk("MIPS secondary cache %ldkB, %s, linesize %d bytes.\n", + scache_size >> 10, + way_string[c->scache.ways], c->scache.linesz); ++ ++ if (current_cpu_type() == CPU_BMIPS5000) ++ c->options |= MIPS_CPU_INCLUSIVE_CACHES; + } ++ + #else + if (!(c->scache.flags & MIPS_CACHE_NOT_PRESENT)) + panic("Dunno how to handle MIPS32 / MIPS64 second level cache"); +diff --git a/arch/s390/include/asm/percpu.h b/arch/s390/include/asm/percpu.h +index 90240dfef76a1..5889c1ed84c46 100644 +--- a/arch/s390/include/asm/percpu.h ++++ b/arch/s390/include/asm/percpu.h +@@ -28,7 +28,7 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ old__, new__, prev__; \ + pcp_op_T__ *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + prev__ = *ptr__; \ + do { \ +@@ -36,7 +36,7 @@ + new__ = old__ op (val); \ + prev__ = cmpxchg(ptr__, old__, new__); \ + } while (prev__ != old__); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + new__; \ + }) + +@@ -67,7 +67,7 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ val__ = (val); \ + pcp_op_T__ old__, *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + if (__builtin_constant_p(val__) && \ + ((szcast)val__ > -129) && ((szcast)val__ < 128)) { \ +@@ -83,7 +83,7 @@ + : [val__] "d" (val__) \ + : "cc"); \ + } \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + } + + #define this_cpu_add_4(pcp, val) arch_this_cpu_add(pcp, val, "laa", "asi", int) +@@ -94,14 +94,14 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ val__ = (val); \ + pcp_op_T__ old__, *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + asm volatile( \ + op " %[old__],%[val__],%[ptr__]\n" \ + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \ + : [val__] "d" (val__) \ + : "cc"); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + old__ + val__; \ + }) + +@@ -113,14 +113,14 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ val__ = (val); \ + pcp_op_T__ old__, *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + asm volatile( \ + op " %[old__],%[val__],%[ptr__]\n" \ + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \ + : [val__] "d" (val__) \ + : "cc"); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + } + + #define this_cpu_and_4(pcp, val) arch_this_cpu_to_op(pcp, val, "lan") +@@ -135,10 +135,10 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ ret__; \ + pcp_op_T__ *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + ret__ = cmpxchg(ptr__, oval, nval); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + ret__; \ + }) + +@@ -151,10 +151,10 @@ + ({ \ + typeof(pcp) *ptr__; \ + typeof(pcp) ret__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + ret__ = xchg(ptr__, nval); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + ret__; \ + }) + +@@ -170,11 +170,11 @@ + typeof(pcp1) *p1__; \ + typeof(pcp2) *p2__; \ + int ret__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + p1__ = raw_cpu_ptr(&(pcp1)); \ + p2__ = raw_cpu_ptr(&(pcp2)); \ + ret__ = __cmpxchg_double(p1__, p2__, o1__, o2__, n1__, n2__); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + ret__; \ + }) + +diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c +index ede04cca30dde..82fb5102d8244 100644 +--- a/arch/xtensa/platforms/iss/simdisk.c ++++ b/arch/xtensa/platforms/iss/simdisk.c +@@ -21,7 +21,6 @@ + #include + + #define SIMDISK_MAJOR 240 +-#define SECTOR_SHIFT 9 + #define SIMDISK_MINORS 1 + #define MAX_SIMDISK_COUNT 10 + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 46bf7e9d00aba..2aa10cd4c5b75 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4371,9 +4371,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, }, + +- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on +- SD7SN6S256G and SD8SN8U256G */ +- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, ++ /* Sandisk SD7/8/9s lock up hard on large trims */ ++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, }, + + /* devices which puke on READ_NATIVE_MAX */ + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index f4b38adb9d8a7..76ba83e245c23 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2314,6 +2314,7 @@ static unsigned int ata_scsiop_inq_89(struct ata_scsi_args *args, u8 *rbuf) + + static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf) + { ++ struct ata_device *dev = args->dev; + u16 min_io_sectors; + + rbuf[1] = 0xb0; +@@ -2339,7 +2340,12 @@ static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf) + * with the unmap bit set. + */ + if (ata_id_has_trim(args->id)) { +- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]); ++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM; ++ ++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M) ++ max_blocks = 128 << (20 - SECTOR_SHIFT); ++ ++ put_unaligned_be64(max_blocks, &rbuf[36]); + put_unaligned_be32(1, &rbuf[28]); + } + +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 7e35574a17dfc..9d81ac8b4512a 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -25,7 +25,6 @@ + + #include + +-#define SECTOR_SHIFT 9 + #define PAGE_SECTORS_SHIFT (PAGE_SHIFT - SECTOR_SHIFT) + #define PAGE_SECTORS (1 << PAGE_SECTORS_SHIFT) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 8a93ca4d6840c..19f336752ad75 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -50,15 +50,6 @@ + + #define RBD_DEBUG /* Activate rbd_assert() calls */ + +-/* +- * The basic unit of block I/O is a sector. It is interpreted in a +- * number of contexts in Linux (blk, bio, genhd), but the default is +- * universally 512 bytes. These symbols are just slightly more +- * meaningful than the bare numbers they represent. +- */ +-#define SECTOR_SHIFT 9 +-#define SECTOR_SIZE (1ULL << SECTOR_SHIFT) +- + /* + * Increment the given counter and return its updated value. + * If the counter is already 0 it will not be incremented. +diff --git a/drivers/block/zram/zram_drv.h b/drivers/block/zram/zram_drv.h +index 74fcf10da3749..6d2475a39e84b 100644 +--- a/drivers/block/zram/zram_drv.h ++++ b/drivers/block/zram/zram_drv.h +@@ -37,7 +37,6 @@ static const size_t max_zpage_size = PAGE_SIZE / 4 * 3; + + /*-- End of configurable params */ + +-#define SECTOR_SHIFT 9 + #define SECTORS_PER_PAGE_SHIFT (PAGE_SHIFT - SECTOR_SHIFT) + #define SECTORS_PER_PAGE (1 << SECTORS_PER_PAGE_SHIFT) + #define ZRAM_LOGICAL_BLOCK_SHIFT 12 +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c +index a32cd71f94bbe..cb72b8c915c73 100644 +--- a/drivers/dma/at_hdmac.c ++++ b/drivers/dma/at_hdmac.c +@@ -1810,6 +1810,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec, + return NULL; + + dmac_pdev = of_find_device_by_node(dma_spec->np); ++ if (!dmac_pdev) ++ return NULL; + + dma_cap_zero(mask); + dma_cap_set(DMA_SLAVE, mask); +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c +index faae0bfe1109e..757cf48c1c5ed 100644 +--- a/drivers/dma/of-dma.c ++++ b/drivers/dma/of-dma.c +@@ -72,12 +72,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + return NULL; + + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target); +- if (chan) { +- chan->router = ofdma->dma_router; +- chan->route_data = route_data; +- } else { ++ if (IS_ERR_OR_NULL(chan)) { + ofdma->dma_router->route_free(ofdma->dma_router->dev, + route_data); ++ } else { ++ chan->router = ofdma->dma_router; ++ chan->route_data = route_data; + } + + /* +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 57b375d0de292..16c08846ea0e1 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2677,6 +2677,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + while (burst != (1 << desc->rqcfg.brst_size)) + desc->rqcfg.brst_size++; + ++ desc->rqcfg.brst_len = get_burst_len(desc, len); + /* + * If burst size is smaller than bus width then make sure we only + * transfer one at a time to avoid a burst stradling an MFIFO entry. +@@ -2684,7 +2685,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width) + desc->rqcfg.brst_len = 1; + +- desc->rqcfg.brst_len = get_burst_len(desc, len); + desc->bytes_requested = len; + + desc->txd.flags = flags; +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index b4b9d81525369..d99c9ed5dfe39 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1406,6 +1406,17 @@ static void hid_output_field(const struct hid_device *hid, + } + } + ++/* ++ * Compute the size of a report. ++ */ ++static size_t hid_compute_report_size(struct hid_report *report) ++{ ++ if (report->size) ++ return ((report->size - 1) >> 3) + 1; ++ ++ return 0; ++} ++ + /* + * Create a report. 'data' has to be allocated using + * hid_alloc_report_buf() so that it has proper size. +@@ -1418,7 +1429,7 @@ void hid_output_report(struct hid_report *report, __u8 *data) + if (report->id > 0) + *data++ = report->id; + +- memset(data, 0, ((report->size - 1) >> 3) + 1); ++ memset(data, 0, hid_compute_report_size(report)); + for (n = 0; n < report->maxfield; n++) + hid_output_field(report->device, report->field[n], data); + } +@@ -1545,7 +1556,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + csize--; + } + +- rsize = ((report->size - 1) >> 3) + 1; ++ rsize = hid_compute_report_size(report); + + if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE - 1; +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 26e9677309972..5e1a51ba6500f 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1026,6 +1026,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + } + + mapped: ++ /* Mapping failed, bail out */ ++ if (!bit) ++ return; ++ + if (device->driver->input_mapped && + device->driver->input_mapped(device, hidinput, field, usage, + &bit, &max) < 0) { +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 1207102823de3..258a50ec15727 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -567,6 +567,8 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi, + case HID_UP_BUTTON: + code = BTN_MOUSE + ((usage->hid - 1) & HID_USAGE); + hid_map_usage(hi, usage, bit, max, EV_KEY, code); ++ if (!*bit) ++ return -1; + input_set_capability(hi->input, EV_KEY, code); + return 1; + +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c +index 0af7fd311979d..587fc5c686b3c 100644 +--- a/drivers/hwmon/applesmc.c ++++ b/drivers/hwmon/applesmc.c +@@ -758,15 +758,18 @@ static ssize_t applesmc_light_show(struct device *dev, + } + + ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, buffer, data_length); ++ if (ret) ++ goto out; + /* newer macbooks report a single 10-bit bigendian value */ + if (data_length == 10) { + left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2; + goto out; + } + left = buffer[2]; ++ ++ ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length); + if (ret) + goto out; +- ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length); + right = buffer[2]; + + out: +@@ -814,12 +817,11 @@ static ssize_t applesmc_show_fan_speed(struct device *dev, + sprintf(newkey, fan_speed_fmt[to_option(attr)], to_index(attr)); + + ret = applesmc_read_key(newkey, buffer, 2); +- speed = ((buffer[0] << 8 | buffer[1]) >> 2); +- + if (ret) + return ret; +- else +- return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed); ++ ++ speed = ((buffer[0] << 8 | buffer[1]) >> 2); ++ return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed); + } + + static ssize_t applesmc_store_fan_speed(struct device *dev, +@@ -854,12 +856,11 @@ static ssize_t applesmc_show_fan_manual(struct device *dev, + u8 buffer[2]; + + ret = applesmc_read_key(FANS_MANUAL, buffer, 2); +- manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01; +- + if (ret) + return ret; +- else +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual); ++ ++ manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01; ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual); + } + + static ssize_t applesmc_store_fan_manual(struct device *dev, +@@ -875,10 +876,11 @@ static ssize_t applesmc_store_fan_manual(struct device *dev, + return -EINVAL; + + ret = applesmc_read_key(FANS_MANUAL, buffer, 2); +- val = (buffer[0] << 8 | buffer[1]); + if (ret) + goto out; + ++ val = (buffer[0] << 8 | buffer[1]); ++ + if (input) + val = val | (0x01 << to_index(attr)); + else +@@ -954,13 +956,12 @@ static ssize_t applesmc_key_count_show(struct device *dev, + u32 count; + + ret = applesmc_read_key(KEY_COUNT_KEY, buffer, 4); +- count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) + +- ((u32)buffer[2]<<8) + buffer[3]; +- + if (ret) + return ret; +- else +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count); ++ ++ count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) + ++ ((u32)buffer[2]<<8) + buffer[3]; ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count); + } + + static ssize_t applesmc_key_at_index_read_show(struct device *dev, +diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c +index 883fe2cdd42cc..6e3b3a5a3c36f 100644 +--- a/drivers/ide/ide-cd.c ++++ b/drivers/ide/ide-cd.c +@@ -704,7 +704,7 @@ static ide_startstop_t cdrom_start_rw(ide_drive_t *drive, struct request *rq) + struct request_queue *q = drive->queue; + int write = rq_data_dir(rq) == WRITE; + unsigned short sectors_per_frame = +- queue_logical_block_size(q) >> SECTOR_BITS; ++ queue_logical_block_size(q) >> SECTOR_SHIFT; + + ide_debug_log(IDE_DBG_RQ, "rq->cmd[0]: 0x%x, rq->cmd_flags: 0x%x, " + "secs_per_frame: %u", +@@ -900,7 +900,7 @@ static int cdrom_read_capacity(ide_drive_t *drive, unsigned long *capacity, + * end up being bogus. + */ + blocklen = be32_to_cpu(capbuf.blocklen); +- blocklen = (blocklen >> SECTOR_BITS) << SECTOR_BITS; ++ blocklen = (blocklen >> SECTOR_SHIFT) << SECTOR_SHIFT; + switch (blocklen) { + case 512: + case 1024: +@@ -916,7 +916,7 @@ static int cdrom_read_capacity(ide_drive_t *drive, unsigned long *capacity, + } + + *capacity = 1 + be32_to_cpu(capbuf.lba); +- *sectors_per_frame = blocklen >> SECTOR_BITS; ++ *sectors_per_frame = blocklen >> SECTOR_SHIFT; + + ide_debug_log(IDE_DBG_PROBE, "cap: %lu, sectors_per_frame: %lu", + *capacity, *sectors_per_frame); +@@ -993,7 +993,7 @@ int ide_cd_read_toc(ide_drive_t *drive, struct request_sense *sense) + drive->probed_capacity = toc->capacity * sectors_per_frame; + + blk_queue_logical_block_size(drive->queue, +- sectors_per_frame << SECTOR_BITS); ++ sectors_per_frame << SECTOR_SHIFT); + + /* first read just the header, so we know how long the TOC is */ + stat = cdrom_read_tocentry(drive, 0, 1, 0, (char *) &toc->hdr, +diff --git a/drivers/ide/ide-cd.h b/drivers/ide/ide-cd.h +index 1efc936f5b667..7c6d017e84e9e 100644 +--- a/drivers/ide/ide-cd.h ++++ b/drivers/ide/ide-cd.h +@@ -20,11 +20,7 @@ + + /************************************************************************/ + +-#define SECTOR_BITS 9 +-#ifndef SECTOR_SIZE +-#define SECTOR_SIZE (1 << SECTOR_BITS) +-#endif +-#define SECTORS_PER_FRAME (CD_FRAMESIZE >> SECTOR_BITS) ++#define SECTORS_PER_FRAME (CD_FRAMESIZE >> SECTOR_SHIFT) + #define SECTOR_BUFFER_SIZE (CD_FRAMESIZE * 32) + + /* Capabilities Page size including 8 bytes of Mode Page Header */ +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index ac596928f6b40..ce125ec23d2a5 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -486,12 +486,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu) + + /* Enable interrupt-remapping */ + iommu->gcmd |= DMA_GCMD_IRE; +- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */ + writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); +- + IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, + readl, (sts & DMA_GSTS_IRES), sts); + ++ /* Block compatibility-format MSIs */ ++ if (sts & DMA_GSTS_CFIS) { ++ iommu->gcmd &= ~DMA_GCMD_CFI; ++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); ++ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, ++ readl, !(sts & DMA_GSTS_CFIS), sts); ++ } ++ + /* + * With CFI clear in the Global Command register, we should be + * protected from dangerous (i.e. compatibility) interrupts +diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c +index 62eb4b7caff33..a9208ab127080 100644 +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -508,12 +508,16 @@ static int __create_persistent_data_objects(struct dm_cache_metadata *cmd, + CACHE_MAX_CONCURRENT_LOCKS); + if (IS_ERR(cmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(cmd->bm); ++ r = PTR_ERR(cmd->bm); ++ cmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(cmd, may_format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(cmd->bm); ++ cmd->bm = NULL; ++ } + + return r; + } +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c +index d20f4023f6c12..b5bf2ecfaf913 100644 +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -700,12 +700,16 @@ static int __create_persistent_data_objects(struct dm_pool_metadata *pmd, bool f + THIN_MAX_CONCURRENT_LOCKS); + if (IS_ERR(pmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(pmd->bm); ++ r = PTR_ERR(pmd->bm); ++ pmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(pmd, format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(pmd->bm); ++ pmd->bm = NULL; ++ } + + return r; + } +diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c +index a22403c688c95..337cfce78aef2 100644 +--- a/drivers/net/ethernet/arc/emac_mdio.c ++++ b/drivers/net/ethernet/arc/emac_mdio.c +@@ -152,6 +152,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) + if (IS_ERR(data->reset_gpio)) { + error = PTR_ERR(data->reset_gpio); + dev_err(priv->dev, "Failed to request gpio: %d\n", error); ++ mdiobus_free(bus); + return error; + } + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 421cbba9a3bc8..dc34cfa2a58fc 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5589,14 +5589,14 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + } + } + +- bnxt_enable_napi(bp); +- + rc = bnxt_init_nic(bp, irq_re_init); + if (rc) { + netdev_err(bp->dev, "bnxt_init_nic err: %x\n", rc); +- goto open_err; ++ goto open_err_irq; + } + ++ bnxt_enable_napi(bp); ++ + if (link_re_init) { + mutex_lock(&bp->link_lock); + rc = bnxt_update_phy_setting(bp); +@@ -5618,9 +5618,6 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + + return 0; + +-open_err: +- bnxt_disable_napi(bp); +- + open_err_irq: + bnxt_del_napi(bp); + +@@ -7085,6 +7082,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + bnxt_parse_log_pcie_link(bp); + ++ pci_save_state(pdev); + return 0; + + init_err: +@@ -7158,6 +7156,8 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev) + "Cannot re-enable PCI device after reset.\n"); + } else { + pci_set_master(pdev); ++ pci_restore_state(pdev); ++ pci_save_state(pdev); + + if (netif_running(netdev)) + err = bnxt_open(netdev); +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 427d4dbc97354..ac03bba10e4fd 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1457,6 +1457,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data) + if (rc != 0) + return rc; + ++ if (!dir_entries || !entry_length) ++ return -EIO; ++ + /* Insert 2 bytes of directory info (count and size of entries) */ + if (len < 2) + return -EINVAL; +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 5790b35064a8d..2db6102ed5848 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7201,8 +7201,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp) + + static inline void tg3_reset_task_cancel(struct tg3 *tp) + { +- cancel_work_sync(&tp->reset_task); +- tg3_flag_clear(tp, RESET_TASK_PENDING); ++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags)) ++ cancel_work_sync(&tp->reset_task); + tg3_flag_clear(tp, TX_RECOVERY_PENDING); + } + +@@ -11174,18 +11174,27 @@ static void tg3_reset_task(struct work_struct *work) + + tg3_halt(tp, RESET_KIND_SHUTDOWN, 0); + err = tg3_init_hw(tp, true); +- if (err) ++ if (err) { ++ tg3_full_unlock(tp); ++ tp->irq_sync = 0; ++ tg3_napi_enable(tp); ++ /* Clear this flag so that tg3_reset_task_cancel() will not ++ * call cancel_work_sync() and wait forever. ++ */ ++ tg3_flag_clear(tp, RESET_TASK_PENDING); ++ dev_close(tp->dev); + goto out; ++ } + + tg3_netif_start(tp); + +-out: + tg3_full_unlock(tp); + + if (!err) + tg3_phy_start(tp); + + tg3_flag_clear(tp, RESET_TASK_PENDING); ++out: + rtnl_unlock(); + } + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index 24a815997ec57..796f81106b432 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -1990,8 +1990,10 @@ static int hns_nic_dev_probe(struct platform_device *pdev) + priv->enet_ver = AE_VERSION_1; + else if (acpi_dev_found(hns_enet_acpi_match[1].id)) + priv->enet_ver = AE_VERSION_2; +- else +- return -ENXIO; ++ else { ++ ret = -ENXIO; ++ goto out_read_prop_fail; ++ } + + /* try to find port-idx-in-ae first */ + ret = acpi_node_get_property_reference(dev->fwnode, +@@ -2003,7 +2005,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev) + priv->fwnode = acpi_fwnode_handle(args.adev); + } else { + dev_err(dev, "cannot read cfg data from OF or acpi\n"); +- return -ENXIO; ++ ret = -ENXIO; ++ goto out_read_prop_fail; + } + + ret = device_property_read_u32(dev, "port-idx-in-ae", &port_id); +diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c +index 3637474cab8a0..50683693d9fc3 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mr.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c +@@ -114,7 +114,7 @@ static int mlx4_buddy_init(struct mlx4_buddy *buddy, int max_order) + goto err_out; + + for (i = 0; i <= buddy->max_order; ++i) { +- s = BITS_TO_LONGS(1 << (buddy->max_order - i)); ++ s = BITS_TO_LONGS(1UL << (buddy->max_order - i)); + buddy->bits[i] = kcalloc(s, sizeof (long), GFP_KERNEL | __GFP_NOWARN); + if (!buddy->bits[i]) { + buddy->bits[i] = vzalloc(s * sizeof(long)); +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 93d3152752ff4..a5de56bcbac08 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1336,6 +1336,51 @@ static inline int ravb_hook_irq(unsigned int irq, irq_handler_t handler, + return error; + } + ++/* MDIO bus init function */ ++static int ravb_mdio_init(struct ravb_private *priv) ++{ ++ struct platform_device *pdev = priv->pdev; ++ struct device *dev = &pdev->dev; ++ int error; ++ ++ /* Bitbang init */ ++ priv->mdiobb.ops = &bb_ops; ++ ++ /* MII controller setting */ ++ priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb); ++ if (!priv->mii_bus) ++ return -ENOMEM; ++ ++ /* Hook up MII support for ethtool */ ++ priv->mii_bus->name = "ravb_mii"; ++ priv->mii_bus->parent = dev; ++ snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", ++ pdev->name, pdev->id); ++ ++ /* Register MDIO bus */ ++ error = of_mdiobus_register(priv->mii_bus, dev->of_node); ++ if (error) ++ goto out_free_bus; ++ ++ return 0; ++ ++out_free_bus: ++ free_mdio_bitbang(priv->mii_bus); ++ return error; ++} ++ ++/* MDIO bus release function */ ++static int ravb_mdio_release(struct ravb_private *priv) ++{ ++ /* Unregister mdio bus */ ++ mdiobus_unregister(priv->mii_bus); ++ ++ /* Free bitbang info */ ++ free_mdio_bitbang(priv->mii_bus); ++ ++ return 0; ++} ++ + /* Network device open function for Ethernet AVB */ + static int ravb_open(struct net_device *ndev) + { +@@ -1344,6 +1389,13 @@ static int ravb_open(struct net_device *ndev) + struct device *dev = &pdev->dev; + int error; + ++ /* MDIO bus init */ ++ error = ravb_mdio_init(priv); ++ if (error) { ++ netdev_err(ndev, "failed to initialize MDIO\n"); ++ return error; ++ } ++ + napi_enable(&priv->napi[RAVB_BE]); + napi_enable(&priv->napi[RAVB_NC]); + +@@ -1421,6 +1473,7 @@ out_free_irq: + out_napi_off: + napi_disable(&priv->napi[RAVB_NC]); + napi_disable(&priv->napi[RAVB_BE]); ++ ravb_mdio_release(priv); + return error; + } + +@@ -1718,6 +1771,8 @@ static int ravb_close(struct net_device *ndev) + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + ++ ravb_mdio_release(priv); ++ + return 0; + } + +@@ -1820,51 +1875,6 @@ static const struct net_device_ops ravb_netdev_ops = { + .ndo_change_mtu = eth_change_mtu, + }; + +-/* MDIO bus init function */ +-static int ravb_mdio_init(struct ravb_private *priv) +-{ +- struct platform_device *pdev = priv->pdev; +- struct device *dev = &pdev->dev; +- int error; +- +- /* Bitbang init */ +- priv->mdiobb.ops = &bb_ops; +- +- /* MII controller setting */ +- priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb); +- if (!priv->mii_bus) +- return -ENOMEM; +- +- /* Hook up MII support for ethtool */ +- priv->mii_bus->name = "ravb_mii"; +- priv->mii_bus->parent = dev; +- snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", +- pdev->name, pdev->id); +- +- /* Register MDIO bus */ +- error = of_mdiobus_register(priv->mii_bus, dev->of_node); +- if (error) +- goto out_free_bus; +- +- return 0; +- +-out_free_bus: +- free_mdio_bitbang(priv->mii_bus); +- return error; +-} +- +-/* MDIO bus release function */ +-static int ravb_mdio_release(struct ravb_private *priv) +-{ +- /* Unregister mdio bus */ +- mdiobus_unregister(priv->mii_bus); +- +- /* Free bitbang info */ +- free_mdio_bitbang(priv->mii_bus); +- +- return 0; +-} +- + static const struct of_device_id ravb_match_table[] = { + { .compatible = "renesas,etheravb-r8a7790", .data = (void *)RCAR_GEN2 }, + { .compatible = "renesas,etheravb-r8a7794", .data = (void *)RCAR_GEN2 }, +@@ -2069,13 +2079,6 @@ static int ravb_probe(struct platform_device *pdev) + eth_hw_addr_random(ndev); + } + +- /* MDIO bus init */ +- error = ravb_mdio_init(priv); +- if (error) { +- dev_err(&pdev->dev, "failed to initialize MDIO\n"); +- goto out_dma_free; +- } +- + netif_napi_add(ndev, &priv->napi[RAVB_BE], ravb_poll, 64); + netif_napi_add(ndev, &priv->napi[RAVB_NC], ravb_poll, 64); + +@@ -2095,8 +2098,6 @@ static int ravb_probe(struct platform_device *pdev) + out_napi_del: + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); +- ravb_mdio_release(priv); +-out_dma_free: + dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, + priv->desc_bat_dma); + +@@ -2129,7 +2130,6 @@ static int ravb_remove(struct platform_device *pdev) + unregister_netdev(ndev); + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); +- ravb_mdio_release(priv); + pm_runtime_disable(&pdev->dev); + free_netdev(ndev); + platform_set_drvdata(pdev, NULL); +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 3dbb0646b0245..541c06c884e55 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -277,7 +277,7 @@ int asix_read_phy_addr(struct usbnet *dev, int internal) + + netdev_dbg(dev->net, "asix_get_phy_addr()\n"); + +- if (ret < 0) { ++ if (ret < 2) { + netdev_err(dev->net, "Error reading PHYID register: %02x\n", ret); + goto out; + } +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 0b4bdd39106b0..fb18801d0fe7b 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -624,6 +624,10 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0a46, 0x1269), /* DM9621A USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, ++ { ++ USB_DEVICE(0x0586, 0x3427), /* ZyXEL Keenetic Plus DSL xDSL modem */ ++ .driver_info = (unsigned long)&dm9601_info, ++ }, + {}, // END + }; + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 254a27295f41d..74c925cd19a93 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -890,6 +890,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2001, 0x7e3d, 4)}, /* D-Link DWM-222 A2 */ + {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */ + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */ +@@ -910,6 +911,8 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9057, 8)}, + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ ++ {QMI_FIXED_INTF(0x1199, 0x9063, 8)}, /* Sierra Wireless EM7305 */ ++ {QMI_FIXED_INTF(0x1199, 0x9063, 10)}, /* Sierra Wireless EM7305 */ + {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */ + {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx */ + {QMI_FIXED_INTF(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */ +@@ -923,10 +926,13 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +- {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */ ++ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */ ++ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */ + {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ + {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */ + {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */ +diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h +index bd29e598bac18..2a820c1fdfcde 100644 +--- a/drivers/nvdimm/nd.h ++++ b/drivers/nvdimm/nd.h +@@ -29,7 +29,6 @@ enum { + * BTT instance + */ + ND_MAX_LANES = 256, +- SECTOR_SHIFT = 9, + INT_LBASIZE_ALIGNMENT = 64, + }; + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 96ea6c76be6e5..63b87a8472762 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -205,6 +205,9 @@ static void nvmet_keep_alive_timer(struct work_struct *work) + + static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl) + { ++ if (unlikely(ctrl->kato == 0)) ++ return; ++ + pr_debug("ctrl %d start keep-alive timer for %d secs\n", + ctrl->cntlid, ctrl->kato); + +@@ -214,6 +217,9 @@ static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl) + + static void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctrl) + { ++ if (unlikely(ctrl->kato == 0)) ++ return; ++ + pr_debug("ctrl %d stop keep-alive\n", ctrl->cntlid); + + cancel_delayed_work_sync(&ctrl->ka_work); +diff --git a/drivers/scsi/gdth.h b/drivers/scsi/gdth.h +index 3fd8b83ffbf9f..8039c809cef27 100644 +--- a/drivers/scsi/gdth.h ++++ b/drivers/scsi/gdth.h +@@ -177,9 +177,6 @@ + #define MSG_SIZE 34 /* size of message structure */ + #define MSG_REQUEST 0 /* async. event: message */ + +-/* cacheservice defines */ +-#define SECTOR_SIZE 0x200 /* always 512 bytes per sec. */ +- + /* DPMEM constants */ + #define DPMEM_MAGIC 0xC0FFEE11 + #define IC_HEADER_BYTES 48 +diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +index d255d33da9eb3..02e71d461d5c5 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c ++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +@@ -49,20 +49,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = { + + /* + * Temperature values in milli degree celsius +- * ADC code values from 530 to 923 ++ * ADC code values from 13 to 107, see TRM ++ * "18.4.10.2.3 ADC Codes Versus Temperature". + */ + static const int + omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = { +- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000, +- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000, +- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000, +- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000, +- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000, +- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000, +- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000, +- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000, +- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000, +- 117000, 118000, 120000, 122000, 123000, ++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, ++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000, ++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000, ++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500, ++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000, ++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000, ++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000, ++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000, ++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000, ++ 115000, 117000, 118500, 120000, 122000, 123500, 125000, + }; + + /* OMAP4430 data */ +diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +index 6f2de3a3356d4..86850082b24b9 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h ++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +@@ -67,9 +67,13 @@ + * and thresholds for OMAP4430. + */ + +-/* ADC conversion table limits */ +-#define OMAP4430_ADC_START_VALUE 0 +-#define OMAP4430_ADC_END_VALUE 127 ++/* ++ * ADC conversion table limits. Ignore values outside the TRM listed ++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter ++ * "18.4.10.2.3 ADC Codes Versus Temperature". ++ */ ++#define OMAP4430_ADC_START_VALUE 13 ++#define OMAP4430_ADC_END_VALUE 107 + /* bandgap clock limits (no control on 4430) */ + #define OMAP4430_MAX_FREQ 32768 + #define OMAP4430_MIN_FREQ 32768 +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index c94167d871789..2254c281cc766 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + #include "vfio_pci_private.h" + +@@ -181,6 +182,7 @@ no_mmap: + + static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev); + static void vfio_pci_disable(struct vfio_pci_device *vdev); ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data); + + /* + * INTx masking requires the ability to disable INTx signaling via PCI_COMMAND +@@ -656,6 +658,12 @@ int vfio_pci_register_dev_region(struct vfio_pci_device *vdev, + return 0; + } + ++struct vfio_devices { ++ struct vfio_device **devices; ++ int cur_index; ++ int max_index; ++}; ++ + static long vfio_pci_ioctl(void *device_data, + unsigned int cmd, unsigned long arg) + { +@@ -729,7 +737,7 @@ static long vfio_pci_ioctl(void *device_data, + { + void __iomem *io; + size_t size; +- u16 orig_cmd; ++ u16 cmd; + + info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index); + info.flags = 0; +@@ -749,10 +757,7 @@ static long vfio_pci_ioctl(void *device_data, + * Is it really there? Enable memory decode for + * implicit access in pci_map_rom(). + */ +- pci_read_config_word(pdev, PCI_COMMAND, &orig_cmd); +- pci_write_config_word(pdev, PCI_COMMAND, +- orig_cmd | PCI_COMMAND_MEMORY); +- ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + io = pci_map_rom(pdev, &size); + if (io) { + info.flags = VFIO_REGION_INFO_FLAG_READ; +@@ -760,8 +765,8 @@ static long vfio_pci_ioctl(void *device_data, + } else { + info.size = 0; + } ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + +- pci_write_config_word(pdev, PCI_COMMAND, orig_cmd); + break; + } + case VFIO_PCI_VGA_REGION_INDEX: +@@ -909,8 +914,16 @@ static long vfio_pci_ioctl(void *device_data, + return ret; + + } else if (cmd == VFIO_DEVICE_RESET) { +- return vdev->reset_works ? +- pci_try_reset_function(vdev->pdev) : -EINVAL; ++ int ret; ++ ++ if (!vdev->reset_works) ++ return -EINVAL; ++ ++ vfio_pci_zap_and_down_write_memory_lock(vdev); ++ ret = pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ ++ return ret; + + } else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) { + struct vfio_pci_hot_reset_info hdr; +@@ -990,8 +1003,9 @@ reset_info_exit: + int32_t *group_fds; + struct vfio_pci_group_entry *groups; + struct vfio_pci_group_info info; ++ struct vfio_devices devs = { .cur_index = 0 }; + bool slot = false; +- int i, count = 0, ret = 0; ++ int i, group_idx, mem_idx = 0, count = 0, ret = 0; + + minsz = offsetofend(struct vfio_pci_hot_reset, count); + +@@ -1043,9 +1057,9 @@ reset_info_exit: + * user interface and store the group and iommu ID. This + * ensures the group is held across the reset. + */ +- for (i = 0; i < hdr.count; i++) { ++ for (group_idx = 0; group_idx < hdr.count; group_idx++) { + struct vfio_group *group; +- struct fd f = fdget(group_fds[i]); ++ struct fd f = fdget(group_fds[group_idx]); + if (!f.file) { + ret = -EBADF; + break; +@@ -1058,8 +1072,9 @@ reset_info_exit: + break; + } + +- groups[i].group = group; +- groups[i].id = vfio_external_user_iommu_id(group); ++ groups[group_idx].group = group; ++ groups[group_idx].id = ++ vfio_external_user_iommu_id(group); + } + + kfree(group_fds); +@@ -1078,14 +1093,65 @@ reset_info_exit: + ret = vfio_pci_for_each_slot_or_bus(vdev->pdev, + vfio_pci_validate_devs, + &info, slot); +- if (!ret) +- /* User has access, do the reset */ +- ret = slot ? pci_try_reset_slot(vdev->pdev->slot) : +- pci_try_reset_bus(vdev->pdev->bus); ++ ++ if (ret) ++ goto hot_reset_release; ++ ++ devs.max_index = count; ++ devs.devices = kcalloc(count, sizeof(struct vfio_device *), ++ GFP_KERNEL); ++ if (!devs.devices) { ++ ret = -ENOMEM; ++ goto hot_reset_release; ++ } ++ ++ /* ++ * We need to get memory_lock for each device, but devices ++ * can share mmap_sem, therefore we need to zap and hold ++ * the vma_lock for each device, and only then get each ++ * memory_lock. ++ */ ++ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev, ++ vfio_pci_try_zap_and_vma_lock_cb, ++ &devs, slot); ++ if (ret) ++ goto hot_reset_release; ++ ++ for (; mem_idx < devs.cur_index; mem_idx++) { ++ struct vfio_pci_device *tmp; ++ ++ tmp = vfio_device_data(devs.devices[mem_idx]); ++ ++ ret = down_write_trylock(&tmp->memory_lock); ++ if (!ret) { ++ ret = -EBUSY; ++ goto hot_reset_release; ++ } ++ mutex_unlock(&tmp->vma_lock); ++ } ++ ++ /* User has access, do the reset */ ++ ret = slot ? pci_try_reset_slot(vdev->pdev->slot) : ++ pci_try_reset_bus(vdev->pdev->bus); + + hot_reset_release: +- for (i--; i >= 0; i--) +- vfio_group_put_external_user(groups[i].group); ++ for (i = 0; i < devs.cur_index; i++) { ++ struct vfio_device *device; ++ struct vfio_pci_device *tmp; ++ ++ device = devs.devices[i]; ++ tmp = vfio_device_data(device); ++ ++ if (i < mem_idx) ++ up_write(&tmp->memory_lock); ++ else ++ mutex_unlock(&tmp->vma_lock); ++ vfio_device_put(device); ++ } ++ kfree(devs.devices); ++ ++ for (group_idx--; group_idx >= 0; group_idx--) ++ vfio_group_put_external_user(groups[group_idx].group); + + kfree(groups); + return ret; +@@ -1144,6 +1210,201 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf, + return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true); + } + ++/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */ ++static int vfio_pci_zap_and_vma_lock(struct vfio_pci_device *vdev, bool try) ++{ ++ struct vfio_pci_mmap_vma *mmap_vma, *tmp; ++ ++ /* ++ * Lock ordering: ++ * vma_lock is nested under mmap_sem for vm_ops callback paths. ++ * The memory_lock semaphore is used by both code paths calling ++ * into this function to zap vmas and the vm_ops.fault callback ++ * to protect the memory enable state of the device. ++ * ++ * When zapping vmas we need to maintain the mmap_sem => vma_lock ++ * ordering, which requires using vma_lock to walk vma_list to ++ * acquire an mm, then dropping vma_lock to get the mmap_sem and ++ * reacquiring vma_lock. This logic is derived from similar ++ * requirements in uverbs_user_mmap_disassociate(). ++ * ++ * mmap_sem must always be the top-level lock when it is taken. ++ * Therefore we can only hold the memory_lock write lock when ++ * vma_list is empty, as we'd need to take mmap_sem to clear ++ * entries. vma_list can only be guaranteed empty when holding ++ * vma_lock, thus memory_lock is nested under vma_lock. ++ * ++ * This enables the vm_ops.fault callback to acquire vma_lock, ++ * followed by memory_lock read lock, while already holding ++ * mmap_sem without risk of deadlock. ++ */ ++ while (1) { ++ struct mm_struct *mm = NULL; ++ ++ if (try) { ++ if (!mutex_trylock(&vdev->vma_lock)) ++ return 0; ++ } else { ++ mutex_lock(&vdev->vma_lock); ++ } ++ while (!list_empty(&vdev->vma_list)) { ++ mmap_vma = list_first_entry(&vdev->vma_list, ++ struct vfio_pci_mmap_vma, ++ vma_next); ++ mm = mmap_vma->vma->vm_mm; ++ if (mmget_not_zero(mm)) ++ break; ++ ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ mm = NULL; ++ } ++ if (!mm) ++ return 1; ++ mutex_unlock(&vdev->vma_lock); ++ ++ if (try) { ++ if (!down_read_trylock(&mm->mmap_sem)) { ++ mmput(mm); ++ return 0; ++ } ++ } else { ++ down_read(&mm->mmap_sem); ++ } ++ if (mmget_still_valid(mm)) { ++ if (try) { ++ if (!mutex_trylock(&vdev->vma_lock)) { ++ up_read(&mm->mmap_sem); ++ mmput(mm); ++ return 0; ++ } ++ } else { ++ mutex_lock(&vdev->vma_lock); ++ } ++ list_for_each_entry_safe(mmap_vma, tmp, ++ &vdev->vma_list, vma_next) { ++ struct vm_area_struct *vma = mmap_vma->vma; ++ ++ if (vma->vm_mm != mm) ++ continue; ++ ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ ++ zap_vma_ptes(vma, vma->vm_start, ++ vma->vm_end - vma->vm_start); ++ } ++ mutex_unlock(&vdev->vma_lock); ++ } ++ up_read(&mm->mmap_sem); ++ mmput(mm); ++ } ++} ++ ++void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device *vdev) ++{ ++ vfio_pci_zap_and_vma_lock(vdev, false); ++ down_write(&vdev->memory_lock); ++ mutex_unlock(&vdev->vma_lock); ++} ++ ++u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev) ++{ ++ u16 cmd; ++ ++ down_write(&vdev->memory_lock); ++ pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd); ++ if (!(cmd & PCI_COMMAND_MEMORY)) ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, ++ cmd | PCI_COMMAND_MEMORY); ++ ++ return cmd; ++} ++ ++void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, u16 cmd) ++{ ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd); ++ up_write(&vdev->memory_lock); ++} ++ ++/* Caller holds vma_lock */ ++static int __vfio_pci_add_vma(struct vfio_pci_device *vdev, ++ struct vm_area_struct *vma) ++{ ++ struct vfio_pci_mmap_vma *mmap_vma; ++ ++ mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL); ++ if (!mmap_vma) ++ return -ENOMEM; ++ ++ mmap_vma->vma = vma; ++ list_add(&mmap_vma->vma_next, &vdev->vma_list); ++ ++ return 0; ++} ++ ++/* ++ * Zap mmaps on open so that we can fault them in on access and therefore ++ * our vma_list only tracks mappings accessed since last zap. ++ */ ++static void vfio_pci_mmap_open(struct vm_area_struct *vma) ++{ ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++} ++ ++static void vfio_pci_mmap_close(struct vm_area_struct *vma) ++{ ++ struct vfio_pci_device *vdev = vma->vm_private_data; ++ struct vfio_pci_mmap_vma *mmap_vma; ++ ++ mutex_lock(&vdev->vma_lock); ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) { ++ if (mmap_vma->vma == vma) { ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ break; ++ } ++ } ++ mutex_unlock(&vdev->vma_lock); ++} ++ ++static int vfio_pci_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) ++{ ++ struct vfio_pci_device *vdev = vma->vm_private_data; ++ int ret = VM_FAULT_NOPAGE; ++ ++ mutex_lock(&vdev->vma_lock); ++ down_read(&vdev->memory_lock); ++ ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ ret = VM_FAULT_SIGBUS; ++ mutex_unlock(&vdev->vma_lock); ++ goto up_out; ++ } ++ ++ if (__vfio_pci_add_vma(vdev, vma)) { ++ ret = VM_FAULT_OOM; ++ mutex_unlock(&vdev->vma_lock); ++ goto up_out; ++ } ++ ++ mutex_unlock(&vdev->vma_lock); ++ ++ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, ++ vma->vm_end - vma->vm_start, vma->vm_page_prot)) ++ ret = VM_FAULT_SIGBUS; ++ ++up_out: ++ up_read(&vdev->memory_lock); ++ return ret; ++} ++ ++static const struct vm_operations_struct vfio_pci_mmap_ops = { ++ .open = vfio_pci_mmap_open, ++ .close = vfio_pci_mmap_close, ++ .fault = vfio_pci_mmap_fault, ++}; ++ + static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) + { + struct vfio_pci_device *vdev = device_data; +@@ -1209,8 +1470,14 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff; + +- return remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- req_len, vma->vm_page_prot); ++ /* ++ * See remap_pfn_range(), called from vfio_pci_fault() but we can't ++ * change vm_flags within the fault handler. Set them now. ++ */ ++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; ++ vma->vm_ops = &vfio_pci_mmap_ops; ++ ++ return 0; + } + + static void vfio_pci_request(void *device_data, unsigned int count) +@@ -1268,6 +1535,9 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + mutex_init(&vdev->igate); + spin_lock_init(&vdev->irqlock); + ++ mutex_init(&vdev->vma_lock); ++ INIT_LIST_HEAD(&vdev->vma_list); ++ init_rwsem(&vdev->memory_lock); + ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev); + if (ret) { + vfio_iommu_group_put(group, &pdev->dev); +@@ -1361,12 +1631,6 @@ static struct pci_driver vfio_pci_driver = { + .err_handler = &vfio_err_handlers, + }; + +-struct vfio_devices { +- struct vfio_device **devices; +- int cur_index; +- int max_index; +-}; +- + static int vfio_pci_get_devs(struct pci_dev *pdev, void *data) + { + struct vfio_devices *devs = data; +@@ -1388,6 +1652,39 @@ static int vfio_pci_get_devs(struct pci_dev *pdev, void *data) + return 0; + } + ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data) ++{ ++ struct vfio_devices *devs = data; ++ struct vfio_device *device; ++ struct vfio_pci_device *vdev; ++ ++ if (devs->cur_index == devs->max_index) ++ return -ENOSPC; ++ ++ device = vfio_device_get_from_dev(&pdev->dev); ++ if (!device) ++ return -EINVAL; ++ ++ if (pci_dev_driver(pdev) != &vfio_pci_driver) { ++ vfio_device_put(device); ++ return -EBUSY; ++ } ++ ++ vdev = vfio_device_data(device); ++ ++ /* ++ * Locking multiple devices is prone to deadlock, runaway and ++ * unwind if we hit contention. ++ */ ++ if (!vfio_pci_zap_and_vma_lock(vdev, true)) { ++ vfio_device_put(device); ++ return -EBUSY; ++ } ++ ++ devs->devices[devs->cur_index++] = device; ++ return 0; ++} ++ + /* + * Attempt to do a bus/slot reset if there are devices affected by a reset for + * this device that are needs_reset and all of the affected devices are unused +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index ef45b8f5bf510..f3c2de04b20d3 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -400,6 +400,20 @@ static inline void p_setd(struct perm_bits *p, int off, u32 virt, u32 write) + *(__le32 *)(&p->write[off]) = cpu_to_le32(write); + } + ++/* Caller should hold memory_lock semaphore */ ++bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev) ++{ ++ struct pci_dev *pdev = vdev->pdev; ++ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]); ++ ++ /* ++ * SR-IOV VF memory enable is handled by the MSE bit in the ++ * PF SR-IOV capability, there's therefore no need to trigger ++ * faults based on the virtual value. ++ */ ++ return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY); ++} ++ + /* + * Restore the *real* BARs after we detect a FLR or backdoor reset. + * (backdoor = some device specific technique that we didn't catch) +@@ -560,13 +574,18 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + + new_cmd = le32_to_cpu(val); + ++ phys_io = !!(phys_cmd & PCI_COMMAND_IO); ++ virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO); ++ new_io = !!(new_cmd & PCI_COMMAND_IO); ++ + phys_mem = !!(phys_cmd & PCI_COMMAND_MEMORY); + virt_mem = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_MEMORY); + new_mem = !!(new_cmd & PCI_COMMAND_MEMORY); + +- phys_io = !!(phys_cmd & PCI_COMMAND_IO); +- virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO); +- new_io = !!(new_cmd & PCI_COMMAND_IO); ++ if (!new_mem) ++ vfio_pci_zap_and_down_write_memory_lock(vdev); ++ else ++ down_write(&vdev->memory_lock); + + /* + * If the user is writing mem/io enable (new_mem/io) and we +@@ -583,8 +602,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + } + + count = vfio_default_config_write(vdev, pos, count, perm, offset, val); +- if (count < 0) ++ if (count < 0) { ++ if (offset == PCI_COMMAND) ++ up_write(&vdev->memory_lock); + return count; ++ } + + /* + * Save current memory/io enable bits in vconfig to allow for +@@ -595,6 +617,8 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + + *virt_cmd &= cpu_to_le16(~mask); + *virt_cmd |= cpu_to_le16(new_cmd & mask); ++ ++ up_write(&vdev->memory_lock); + } + + /* Emulate INTx disable */ +@@ -832,8 +856,11 @@ static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos, + pos - offset + PCI_EXP_DEVCAP, + &cap); + +- if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) { ++ vfio_pci_zap_and_down_write_memory_lock(vdev); + pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ } + } + + /* +@@ -911,8 +938,11 @@ static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos, + pos - offset + PCI_AF_CAP, + &cap); + +- if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) { ++ vfio_pci_zap_and_down_write_memory_lock(vdev); + pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ } + } + + return count; +@@ -1705,6 +1735,15 @@ int vfio_config_init(struct vfio_pci_device *vdev) + vconfig[PCI_INTERRUPT_PIN]); + + vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */ ++ ++ /* ++ * VFs do no implement the memory enable bit of the COMMAND ++ * register therefore we'll not have it set in our initial ++ * copy of config space after pci_enable_device(). For ++ * consistency with PFs, set the virtual enable bit here. ++ */ ++ *(__le16 *)&vconfig[PCI_COMMAND] |= ++ cpu_to_le16(PCI_COMMAND_MEMORY); + } + + if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx) +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index 94594dc63c417..bdfdd506bc588 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -252,6 +252,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + struct pci_dev *pdev = vdev->pdev; + unsigned int flag = msix ? PCI_IRQ_MSIX : PCI_IRQ_MSI; + int ret; ++ u16 cmd; + + if (!is_irq_none(vdev)) + return -EINVAL; +@@ -261,13 +262,16 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + return -ENOMEM; + + /* return the number of supported vectors if we can't get all: */ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + ret = pci_alloc_irq_vectors(pdev, 1, nvec, flag); + if (ret < nvec) { + if (ret > 0) + pci_free_irq_vectors(pdev); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + kfree(vdev->ctx); + return ret; + } ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + + vdev->num_ctx = nvec; + vdev->irq_type = msix ? VFIO_PCI_MSIX_IRQ_INDEX : +@@ -290,6 +294,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + struct pci_dev *pdev = vdev->pdev; + struct eventfd_ctx *trigger; + int irq, ret; ++ u16 cmd; + + if (vector < 0 || vector >= vdev->num_ctx) + return -EINVAL; +@@ -298,7 +303,11 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + + if (vdev->ctx[vector].trigger) { + irq_bypass_unregister_producer(&vdev->ctx[vector].producer); ++ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + free_irq(irq, vdev->ctx[vector].trigger); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); ++ + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(vdev->ctx[vector].trigger); + vdev->ctx[vector].trigger = NULL; +@@ -326,6 +335,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + * such a reset it would be unsuccessful. To avoid this, restore the + * cached value of the message prior to enabling. + */ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + if (msix) { + struct msi_msg msg; + +@@ -335,6 +345,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + + ret = request_irq(irq, vfio_msihandler, 0, + vdev->ctx[vector].name, trigger); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + if (ret) { + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(trigger); +@@ -379,6 +390,7 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix) + { + struct pci_dev *pdev = vdev->pdev; + int i; ++ u16 cmd; + + for (i = 0; i < vdev->num_ctx; i++) { + vfio_virqfd_disable(&vdev->ctx[i].unmask); +@@ -387,7 +399,9 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix) + + vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix); + ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + pci_free_irq_vectors(pdev); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + + /* + * Both disable paths above use pci_intx_for_msi() to clear DisINTx +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h +index f561ac1c78a0d..f896cebb5c2c2 100644 +--- a/drivers/vfio/pci/vfio_pci_private.h ++++ b/drivers/vfio/pci/vfio_pci_private.h +@@ -63,6 +63,11 @@ struct vfio_pci_dummy_resource { + struct list_head res_next; + }; + ++struct vfio_pci_mmap_vma { ++ struct vm_area_struct *vma; ++ struct list_head vma_next; ++}; ++ + struct vfio_pci_device { + struct pci_dev *pdev; + void __iomem *barmap[PCI_STD_RESOURCE_END + 1]; +@@ -95,6 +100,9 @@ struct vfio_pci_device { + struct eventfd_ctx *err_trigger; + struct eventfd_ctx *req_trigger; + struct list_head dummy_resources_list; ++ struct mutex vma_lock; ++ struct list_head vma_list; ++ struct rw_semaphore memory_lock; + }; + + #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX) +@@ -130,6 +138,14 @@ extern int vfio_pci_register_dev_region(struct vfio_pci_device *vdev, + unsigned int type, unsigned int subtype, + const struct vfio_pci_regops *ops, + size_t size, u32 flags, void *data); ++ ++extern bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev); ++extern void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device ++ *vdev); ++extern u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev); ++extern void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, ++ u16 cmd); ++ + #ifdef CONFIG_VFIO_PCI_IGD + extern int vfio_pci_igd_init(struct vfio_pci_device *vdev); + #else +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 357243d76f108..6445461a56013 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -122,6 +122,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + size_t x_start = 0, x_end = 0; + resource_size_t end; + void __iomem *io; ++ struct resource *res = &vdev->pdev->resource[bar]; + ssize_t done; + + if (pci_resource_start(pdev, bar)) +@@ -137,6 +138,14 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + count = min(count, (size_t)(end - pos)); + ++ if (res->flags & IORESOURCE_MEM) { ++ down_read(&vdev->memory_lock); ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ up_read(&vdev->memory_lock); ++ return -EIO; ++ } ++ } ++ + if (bar == PCI_ROM_RESOURCE) { + /* + * The ROM can fill less space than the BAR, so we start the +@@ -144,20 +153,21 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + * filling large ROM BARs much faster. + */ + io = pci_map_rom(pdev, &x_start); +- if (!io) +- return -ENOMEM; ++ if (!io) { ++ done = -ENOMEM; ++ goto out; ++ } + x_end = end; + } else if (!vdev->barmap[bar]) { +- int ret; +- +- ret = pci_request_selected_regions(pdev, 1 << bar, "vfio"); +- if (ret) +- return ret; ++ done = pci_request_selected_regions(pdev, 1 << bar, "vfio"); ++ if (done) ++ goto out; + + io = pci_iomap(pdev, bar, 0); + if (!io) { + pci_release_selected_regions(pdev, 1 << bar); +- return -ENOMEM; ++ done = -ENOMEM; ++ goto out; + } + + vdev->barmap[bar] = io; +@@ -176,6 +186,9 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + if (bar == PCI_ROM_RESOURCE) + pci_unmap_rom(pdev, io); ++out: ++ if (res->flags & IORESOURCE_MEM) ++ up_read(&vdev->memory_lock); + + return done; + } +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index a9f58f3867f02..ccef02ceaad93 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -213,6 +213,32 @@ static int put_pfn(unsigned long pfn, int prot) + return 0; + } + ++static int follow_fault_pfn(struct vm_area_struct *vma, struct mm_struct *mm, ++ unsigned long vaddr, unsigned long *pfn, ++ bool write_fault) ++{ ++ int ret; ++ ++ ret = follow_pfn(vma, vaddr, pfn); ++ if (ret) { ++ bool unlocked = false; ++ ++ ret = fixup_user_fault(NULL, mm, vaddr, ++ FAULT_FLAG_REMOTE | ++ (write_fault ? FAULT_FLAG_WRITE : 0), ++ &unlocked); ++ if (unlocked) ++ return -EAGAIN; ++ ++ if (ret) ++ return ret; ++ ++ ret = follow_pfn(vma, vaddr, pfn); ++ } ++ ++ return ret; ++} ++ + static int vaddr_get_pfn(unsigned long vaddr, int prot, unsigned long *pfn) + { + struct page *page[1]; +@@ -226,12 +252,16 @@ static int vaddr_get_pfn(unsigned long vaddr, int prot, unsigned long *pfn) + + down_read(¤t->mm->mmap_sem); + ++retry: + vma = find_vma_intersection(current->mm, vaddr, vaddr + 1); + + if (vma && vma->vm_flags & VM_PFNMAP) { +- if (!follow_pfn(vma, vaddr, pfn) && +- is_invalid_reserved_pfn(*pfn)) +- ret = 0; ++ ret = follow_fault_pfn(vma, current->mm, vaddr, pfn, prot & IOMMU_WRITE); ++ if (ret == -EAGAIN) ++ goto retry; ++ ++ if (!ret && !is_invalid_reserved_pfn(*pfn)) ++ ret = -EFAULT; + } + + up_read(¤t->mm->mmap_sem); +diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c +index df27cefb2fa35..266f446ba331c 100644 +--- a/drivers/xen/xenbus/xenbus_client.c ++++ b/drivers/xen/xenbus/xenbus_client.c +@@ -384,8 +384,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr, + int i, j; + + for (i = 0; i < nr_pages; i++) { +- err = gnttab_grant_foreign_access(dev->otherend_id, +- virt_to_gfn(vaddr), 0); ++ unsigned long gfn; ++ ++ if (is_vmalloc_addr(vaddr)) ++ gfn = pfn_to_gfn(vmalloc_to_pfn(vaddr)); ++ else ++ gfn = virt_to_gfn(vaddr); ++ ++ err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0); + if (err < 0) { + xenbus_dev_fatal(dev, err, + "granting access to ring page"); +diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c +index 0ec65c133b934..e57f12317ab62 100644 +--- a/fs/affs/amigaffs.c ++++ b/fs/affs/amigaffs.c +@@ -391,23 +391,23 @@ prot_to_mode(u32 prot) + umode_t mode = 0; + + if (!(prot & FIBF_NOWRITE)) +- mode |= S_IWUSR; ++ mode |= 0200; + if (!(prot & FIBF_NOREAD)) +- mode |= S_IRUSR; ++ mode |= 0400; + if (!(prot & FIBF_NOEXECUTE)) +- mode |= S_IXUSR; ++ mode |= 0100; + if (prot & FIBF_GRP_WRITE) +- mode |= S_IWGRP; ++ mode |= 0020; + if (prot & FIBF_GRP_READ) +- mode |= S_IRGRP; ++ mode |= 0040; + if (prot & FIBF_GRP_EXECUTE) +- mode |= S_IXGRP; ++ mode |= 0010; + if (prot & FIBF_OTR_WRITE) +- mode |= S_IWOTH; ++ mode |= 0002; + if (prot & FIBF_OTR_READ) +- mode |= S_IROTH; ++ mode |= 0004; + if (prot & FIBF_OTR_EXECUTE) +- mode |= S_IXOTH; ++ mode |= 0001; + + return mode; + } +@@ -418,24 +418,51 @@ mode_to_prot(struct inode *inode) + u32 prot = AFFS_I(inode)->i_protect; + umode_t mode = inode->i_mode; + +- if (!(mode & S_IXUSR)) ++ /* ++ * First, clear all RWED bits for owner, group, other. ++ * Then, recalculate them afresh. ++ * ++ * We'll always clear the delete-inhibit bit for the owner, as that is ++ * the classic single-user mode AmigaOS protection bit and we need to ++ * stay compatible with all scenarios. ++ * ++ * Since multi-user AmigaOS is an extension, we'll only set the ++ * delete-allow bit if any of the other bits in the same user class ++ * (group/other) are used. ++ */ ++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD ++ | FIBF_NOWRITE | FIBF_NODELETE ++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ ++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE ++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ ++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE); ++ ++ /* Classic single-user AmigaOS flags. These are inverted. */ ++ if (!(mode & 0100)) + prot |= FIBF_NOEXECUTE; +- if (!(mode & S_IRUSR)) ++ if (!(mode & 0400)) + prot |= FIBF_NOREAD; +- if (!(mode & S_IWUSR)) ++ if (!(mode & 0200)) + prot |= FIBF_NOWRITE; +- if (mode & S_IXGRP) ++ ++ /* Multi-user extended flags. Not inverted. */ ++ if (mode & 0010) + prot |= FIBF_GRP_EXECUTE; +- if (mode & S_IRGRP) ++ if (mode & 0040) + prot |= FIBF_GRP_READ; +- if (mode & S_IWGRP) ++ if (mode & 0020) + prot |= FIBF_GRP_WRITE; +- if (mode & S_IXOTH) ++ if (mode & 0070) ++ prot |= FIBF_GRP_DELETE; ++ ++ if (mode & 0001) + prot |= FIBF_OTR_EXECUTE; +- if (mode & S_IROTH) ++ if (mode & 0004) + prot |= FIBF_OTR_READ; +- if (mode & S_IWOTH) ++ if (mode & 0002) + prot |= FIBF_OTR_WRITE; ++ if (mode & 0007) ++ prot |= FIBF_OTR_DELETE; + + AFFS_I(inode)->i_protect = prot; + } +diff --git a/fs/affs/file.c b/fs/affs/file.c +index 0deec9cc2362c..0daca9d00cd8b 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -427,6 +427,24 @@ static int affs_write_begin(struct file *file, struct address_space *mapping, + return ret; + } + ++static int affs_write_end(struct file *file, struct address_space *mapping, ++ loff_t pos, unsigned int len, unsigned int copied, ++ struct page *page, void *fsdata) ++{ ++ struct inode *inode = mapping->host; ++ int ret; ++ ++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata); ++ ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ ++ return ret; ++} ++ + static sector_t _affs_bmap(struct address_space *mapping, sector_t block) + { + return generic_block_bmap(mapping,block,affs_get_block); +@@ -436,7 +454,7 @@ const struct address_space_operations affs_aops = { + .readpage = affs_readpage, + .writepage = affs_writepage, + .write_begin = affs_write_begin, +- .write_end = generic_write_end, ++ .write_end = affs_write_end, + .direct_IO = affs_direct_IO, + .bmap = _affs_bmap + }; +@@ -793,6 +811,12 @@ done: + if (tmp > inode->i_size) + inode->i_size = AFFS_I(inode)->mmu_private = tmp; + ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ + err_first_bh: + unlock_page(page); + put_page(page); +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index b5ebb43b1824f..65689cbc362db 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -1360,7 +1360,8 @@ tree_mod_log_rewind(struct btrfs_fs_info *fs_info, struct btrfs_path *path, + btrfs_tree_read_unlock_blocking(eb); + free_extent_buffer(eb); + +- extent_buffer_get(eb_rewin); ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb_rewin), ++ eb_rewin, btrfs_header_level(eb_rewin)); + btrfs_tree_read_lock(eb_rewin); + __tree_mod_log_rewind(fs_info, eb_rewin, time_seq, tm); + WARN_ON(btrfs_header_nritems(eb_rewin) > +@@ -1430,8 +1431,6 @@ get_old_root(struct btrfs_root *root, u64 time_seq) + + if (!eb) + return NULL; +- extent_buffer_get(eb); +- btrfs_tree_read_lock(eb); + if (old_root) { + btrfs_set_header_bytenr(eb, eb->start); + btrfs_set_header_backref_rev(eb, BTRFS_MIXED_BACKREF_REV); +@@ -1439,6 +1438,9 @@ get_old_root(struct btrfs_root *root, u64 time_seq) + btrfs_set_header_level(eb, old_root->level); + btrfs_set_header_generation(eb, old_generation); + } ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb), eb, ++ btrfs_header_level(eb)); ++ btrfs_tree_read_lock(eb); + if (tm) + __tree_mod_log_rewind(root->fs_info, eb, time_seq, tm); + else +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index fa22bb29eee6f..d6c827a9ebc56 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -5488,9 +5488,9 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv, + } + } + +-int read_extent_buffer_to_user(const struct extent_buffer *eb, +- void __user *dstv, +- unsigned long start, unsigned long len) ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb, ++ void __user *dstv, ++ unsigned long start, unsigned long len) + { + size_t cur; + size_t offset; +@@ -5511,7 +5511,7 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb, + + cur = min(len, (PAGE_SIZE - offset)); + kaddr = page_address(page); +- if (copy_to_user(dst, kaddr + offset, cur)) { ++ if (probe_user_write(dst, kaddr + offset, cur)) { + ret = -EFAULT; + break; + } +diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h +index 9ecdc9584df77..75c03aa1800fe 100644 +--- a/fs/btrfs/extent_io.h ++++ b/fs/btrfs/extent_io.h +@@ -401,9 +401,9 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv, + void read_extent_buffer(const struct extent_buffer *eb, void *dst, + unsigned long start, + unsigned long len); +-int read_extent_buffer_to_user(const struct extent_buffer *eb, +- void __user *dst, unsigned long start, +- unsigned long len); ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb, ++ void __user *dst, unsigned long start, ++ unsigned long len); + void write_extent_buffer(struct extent_buffer *eb, const void *src, + unsigned long start, unsigned long len); + void copy_extent_buffer(struct extent_buffer *dst, struct extent_buffer *src, +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index eefe103c65daa..6db46daeed16b 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2041,9 +2041,14 @@ static noinline int copy_to_sk(struct btrfs_path *path, + sh.len = item_len; + sh.transid = found_transid; + +- /* copy search result header */ +- if (copy_to_user(ubuf + *sk_offset, &sh, sizeof(sh))) { +- ret = -EFAULT; ++ /* ++ * Copy search result header. If we fault then loop again so we ++ * can fault in the pages and -EFAULT there if there's a ++ * problem. Otherwise we'll fault and then copy the buffer in ++ * properly this next time through ++ */ ++ if (probe_user_write(ubuf + *sk_offset, &sh, sizeof(sh))) { ++ ret = 0; + goto out; + } + +@@ -2051,10 +2056,14 @@ static noinline int copy_to_sk(struct btrfs_path *path, + + if (item_len) { + char __user *up = ubuf + *sk_offset; +- /* copy the item */ +- if (read_extent_buffer_to_user(leaf, up, +- item_off, item_len)) { +- ret = -EFAULT; ++ /* ++ * Copy the item, same behavior as above, but reset the ++ * * sk_offset so we copy the full thing again. ++ */ ++ if (read_extent_buffer_to_user_nofault(leaf, up, ++ item_off, item_len)) { ++ ret = 0; ++ *sk_offset -= sizeof(sh); + goto out; + } + +@@ -2142,6 +2151,10 @@ static noinline int search_ioctl(struct inode *inode, + key.offset = sk->min_offset; + + while (1) { ++ ret = fault_in_pages_writeable(ubuf, *buf_size - sk_offset); ++ if (ret) ++ break; ++ + ret = btrfs_search_forward(root, &key, path, sk->min_transid); + if (ret != 0) { + if (ret > 0) +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index bace03a546b2d..c31b02692f706 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4181,6 +4181,7 @@ static int btrfs_uuid_scan_kthread(void *data) + goto skip; + } + update_tree: ++ btrfs_release_path(path); + if (!btrfs_is_empty_uuid(root_item.uuid)) { + ret = btrfs_uuid_tree_add(trans, fs_info->uuid_root, + root_item.uuid, +@@ -4206,6 +4207,7 @@ update_tree: + } + + skip: ++ btrfs_release_path(path); + if (trans) { + ret = btrfs_end_transaction(trans, fs_info->uuid_root); + trans = NULL; +@@ -4213,7 +4215,6 @@ skip: + break; + } + +- btrfs_release_path(path); + if (key.offset < (u64)-1) { + key.offset++; + } else if (key.type < BTRFS_ROOT_ITEM_KEY) { +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index e7ddb23d9bb73..e818344a052cb 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1773,6 +1773,7 @@ const struct file_operations ceph_file_fops = { + .mmap = ceph_mmap, + .fsync = ceph_fsync, + .lock = ceph_lock, ++ .setlease = simple_nosetlease, + .flock = ceph_flock, + .splice_write = iter_file_splice_write, + .unlocked_ioctl = ceph_ioctl, +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index aad52e1858363..8c40d6652a9a9 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1748,9 +1748,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + * during ep_insert(). + */ + if (list_empty(&epi->ffd.file->f_tfile_llink)) { +- get_file(epi->ffd.file); +- list_add(&epi->ffd.file->f_tfile_llink, +- &tfile_check_list); ++ if (get_file_rcu(epi->ffd.file)) ++ list_add(&epi->ffd.file->f_tfile_llink, ++ &tfile_check_list); + } + } + } +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 060881478e59e..848aab6c69823 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -850,6 +850,19 @@ static inline struct request_queue *bdev_get_queue(struct block_device *bdev) + return bdev->bd_disk->queue; /* this is never NULL */ + } + ++/* ++ * The basic unit of block I/O is a sector. It is used in a number of contexts ++ * in Linux (blk, bio, genhd). The size of one sector is 512 = 2**9 ++ * bytes. Variables of type sector_t represent an offset or size that is a ++ * multiple of 512 bytes. Hence these two constants. ++ */ ++#ifndef SECTOR_SHIFT ++#define SECTOR_SHIFT 9 ++#endif ++#ifndef SECTOR_SIZE ++#define SECTOR_SIZE (1 << SECTOR_SHIFT) ++#endif ++ + /* + * blk_rq_pos() : the current sector + * blk_rq_bytes() : bytes left in the entire request +@@ -877,19 +890,20 @@ extern unsigned int blk_rq_err_bytes(const struct request *rq); + + static inline unsigned int blk_rq_sectors(const struct request *rq) + { +- return blk_rq_bytes(rq) >> 9; ++ return blk_rq_bytes(rq) >> SECTOR_SHIFT; + } + + static inline unsigned int blk_rq_cur_sectors(const struct request *rq) + { +- return blk_rq_cur_bytes(rq) >> 9; ++ return blk_rq_cur_bytes(rq) >> SECTOR_SHIFT; + } + + static inline unsigned int blk_queue_get_max_sectors(struct request_queue *q, + int op) + { + if (unlikely(op == REQ_OP_DISCARD || op == REQ_OP_SECURE_ERASE)) +- return min(q->limits.max_discard_sectors, UINT_MAX >> 9); ++ return min(q->limits.max_discard_sectors, ++ UINT_MAX >> SECTOR_SHIFT); + + if (unlikely(op == REQ_OP_WRITE_SAME)) + return q->limits.max_write_same_sectors; +@@ -1162,16 +1176,21 @@ extern int blkdev_issue_zeroout(struct block_device *bdev, sector_t sector, + static inline int sb_issue_discard(struct super_block *sb, sector_t block, + sector_t nr_blocks, gfp_t gfp_mask, unsigned long flags) + { +- return blkdev_issue_discard(sb->s_bdev, block << (sb->s_blocksize_bits - 9), +- nr_blocks << (sb->s_blocksize_bits - 9), ++ return blkdev_issue_discard(sb->s_bdev, ++ block << (sb->s_blocksize_bits - ++ SECTOR_SHIFT), ++ nr_blocks << (sb->s_blocksize_bits - ++ SECTOR_SHIFT), + gfp_mask, flags); + } + static inline int sb_issue_zeroout(struct super_block *sb, sector_t block, + sector_t nr_blocks, gfp_t gfp_mask) + { + return blkdev_issue_zeroout(sb->s_bdev, +- block << (sb->s_blocksize_bits - 9), +- nr_blocks << (sb->s_blocksize_bits - 9), ++ block << (sb->s_blocksize_bits - ++ SECTOR_SHIFT), ++ nr_blocks << (sb->s_blocksize_bits - ++ SECTOR_SHIFT), + gfp_mask, true); + } + +@@ -1278,7 +1297,8 @@ static inline int queue_alignment_offset(struct request_queue *q) + static inline int queue_limit_alignment_offset(struct queue_limits *lim, sector_t sector) + { + unsigned int granularity = max(lim->physical_block_size, lim->io_min); +- unsigned int alignment = sector_div(sector, granularity >> 9) << 9; ++ unsigned int alignment = sector_div(sector, granularity >> SECTOR_SHIFT) ++ << SECTOR_SHIFT; + + return (granularity + lim->alignment_offset - alignment) % granularity; + } +@@ -1312,8 +1332,8 @@ static inline int queue_limit_discard_alignment(struct queue_limits *lim, sector + return 0; + + /* Why are these in bytes, not sectors? */ +- alignment = lim->discard_alignment >> 9; +- granularity = lim->discard_granularity >> 9; ++ alignment = lim->discard_alignment >> SECTOR_SHIFT; ++ granularity = lim->discard_granularity >> SECTOR_SHIFT; + if (!granularity) + return 0; + +@@ -1324,7 +1344,7 @@ static inline int queue_limit_discard_alignment(struct queue_limits *lim, sector + offset = (granularity + alignment - offset) % granularity; + + /* Turn it back into bytes, gaah */ +- return offset << 9; ++ return offset << SECTOR_SHIFT; + } + + static inline int bdev_discard_alignment(struct block_device *bdev) +diff --git a/include/linux/bvec.h b/include/linux/bvec.h +index 89b65b82d98f5..8047c3ad77a64 100644 +--- a/include/linux/bvec.h ++++ b/include/linux/bvec.h +@@ -88,10 +88,17 @@ static inline void bvec_iter_advance(const struct bio_vec *bv, + } + } + ++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter) ++{ ++ iter->bi_bvec_done = 0; ++ iter->bi_idx++; ++} ++ + #define for_each_bvec(bvl, bio_vec, iter, start) \ + for (iter = (start); \ + (iter).bi_size && \ + ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \ +- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len)) ++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \ ++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter))) + + #endif /* __LINUX_BVEC_ITER_H */ +diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h +index 9661bb2fbe221..165ddd482f0d7 100644 +--- a/include/linux/device-mapper.h ++++ b/include/linux/device-mapper.h +@@ -576,8 +576,6 @@ extern struct ratelimit_state dm_ratelimit_state; + #define DMEMIT(x...) sz += ((sz >= maxlen) ? \ + 0 : scnprintf(result + sz, maxlen - sz, x)) + +-#define SECTOR_SHIFT 9 +- + /* + * Definitions of return values from target end_io function. + */ +diff --git a/include/linux/hid.h b/include/linux/hid.h +index eda06f7ee84af..981657075f051 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -874,34 +874,49 @@ static inline void hid_device_io_stop(struct hid_device *hid) { + * @max: maximal valid usage->code to consider later (out parameter) + * @type: input event type (EV_KEY, EV_REL, ...) + * @c: code which corresponds to this usage and type ++ * ++ * The value pointed to by @bit will be set to NULL if either @type is ++ * an unhandled event type, or if @c is out of range for @type. This ++ * can be used as an error condition. + */ + static inline void hid_map_usage(struct hid_input *hidinput, + struct hid_usage *usage, unsigned long **bit, int *max, +- __u8 type, __u16 c) ++ __u8 type, unsigned int c) + { + struct input_dev *input = hidinput->input; +- +- usage->type = type; +- usage->code = c; ++ unsigned long *bmap = NULL; ++ unsigned int limit = 0; + + switch (type) { + case EV_ABS: +- *bit = input->absbit; +- *max = ABS_MAX; ++ bmap = input->absbit; ++ limit = ABS_MAX; + break; + case EV_REL: +- *bit = input->relbit; +- *max = REL_MAX; ++ bmap = input->relbit; ++ limit = REL_MAX; + break; + case EV_KEY: +- *bit = input->keybit; +- *max = KEY_MAX; ++ bmap = input->keybit; ++ limit = KEY_MAX; + break; + case EV_LED: +- *bit = input->ledbit; +- *max = LED_MAX; ++ bmap = input->ledbit; ++ limit = LED_MAX; + break; + } ++ ++ if (unlikely(c > limit || !bmap)) { ++ pr_warn_ratelimited("%s: Invalid code %d type %d\n", ++ input->name, c, type); ++ *bit = NULL; ++ return; ++ } ++ ++ usage->type = type; ++ usage->code = c; ++ *max = limit; ++ *bit = bmap; + } + + /** +@@ -915,7 +930,8 @@ static inline void hid_map_usage_clear(struct hid_input *hidinput, + __u8 type, __u16 c) + { + hid_map_usage(hidinput, usage, bit, max, type, c); +- clear_bit(c, *bit); ++ if (*bit) ++ clear_bit(usage->code, *bit); + } + + /** +diff --git a/include/linux/ide.h b/include/linux/ide.h +index a633898f36ac8..eb2ac48c99db3 100644 +--- a/include/linux/ide.h ++++ b/include/linux/ide.h +@@ -128,7 +128,6 @@ struct ide_io_ports { + */ + #define PARTN_BITS 6 /* number of minor dev bits for partitions */ + #define MAX_DRIVES 2 /* per interface; 2 assumed by lots of code */ +-#define SECTOR_SIZE 512 + + /* + * Timeouts for various operations: +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 780ccde2c3127..e2dac33eae964 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -435,6 +435,7 @@ enum { + ATA_HORKAGE_NO_NCQ_LOG = (1 << 23), /* don't use NCQ for log read */ + ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */ + ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */ ++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */ + + /* DMA mask for user DMA control: User visible values; DO NOT + renumber */ +diff --git a/include/linux/log2.h b/include/linux/log2.h +index c373295f359fa..cca606609e1bc 100644 +--- a/include/linux/log2.h ++++ b/include/linux/log2.h +@@ -159,7 +159,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n) + #define roundup_pow_of_two(n) \ + ( \ + __builtin_constant_p(n) ? ( \ +- (n == 1) ? 1 : \ ++ ((n) == 1) ? 1 : \ + (1UL << (ilog2((n) - 1) + 1)) \ + ) : \ + __roundup_pow_of_two(n) \ +diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h +index 9442423979c1c..cc5ba47062e87 100644 +--- a/include/linux/uaccess.h ++++ b/include/linux/uaccess.h +@@ -90,6 +90,17 @@ static inline unsigned long __copy_from_user_nocache(void *to, + extern long probe_kernel_read(void *dst, const void *src, size_t size); + extern long __probe_kernel_read(void *dst, const void *src, size_t size); + ++/* ++ * probe_user_read(): safely attempt to read from a location in user space ++ * @dst: pointer to the buffer that shall take the data ++ * @src: address to read from ++ * @size: size of the data chunk ++ * ++ * Safely read from address @src to the buffer at @dst. If a kernel fault ++ * happens, handle that and return -EFAULT. ++ */ ++extern long probe_user_read(void *dst, const void __user *src, size_t size); ++ + /* + * probe_kernel_write(): safely attempt to write to a location + * @dst: address to write to +@@ -102,7 +113,22 @@ extern long __probe_kernel_read(void *dst, const void *src, size_t size); + extern long notrace probe_kernel_write(void *dst, const void *src, size_t size); + extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size); + ++/* ++ * probe_user_write(): safely attempt to write to a location in user space ++ * @dst: address to write to ++ * @src: pointer to the data that shall be written ++ * @size: size of the data chunk ++ * ++ * Safely write to address @dst from the buffer at @src. If a kernel fault ++ * happens, handle that and return -EFAULT. ++ */ ++extern long notrace probe_user_write(void __user *dst, const void *src, size_t size); ++extern long notrace __probe_user_write(void __user *dst, const void *src, size_t size); ++ + extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count); ++extern long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr, ++ long count); ++extern long strnlen_unsafe_user(const void __user *unsafe_addr, long count); + + /** + * probe_kernel_address(): safely attempt to read from a location +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 146054ceea8e0..5bb56ebf3c9f9 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -319,5 +319,9 @@ int inet_csk_compat_getsockopt(struct sock *sk, int level, int optname, + int inet_csk_compat_setsockopt(struct sock *sk, int level, int optname, + char __user *optval, unsigned int optlen); + ++/* update the fast reuse flag when adding a socket */ ++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, ++ struct sock *sk); ++ + struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu); + #endif /* _INET_CONNECTION_SOCK_H */ +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 7ba9a624090fb..91e395fd0a65c 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -119,6 +119,8 @@ static inline u8 nft_reg_load8(u32 *sreg) + static inline void nft_data_copy(u32 *dst, const struct nft_data *src, + unsigned int len) + { ++ if (len % NFT_REG32_SIZE) ++ dst[len / NFT_REG32_SIZE] = 0; + memcpy(dst, src, len); + } + +diff --git a/include/uapi/linux/msdos_fs.h b/include/uapi/linux/msdos_fs.h +index e956704f5fb1b..95b8a9395ec10 100644 +--- a/include/uapi/linux/msdos_fs.h ++++ b/include/uapi/linux/msdos_fs.h +@@ -9,7 +9,9 @@ + * The MS-DOS filesystem constants/structures + */ + ++#ifndef SECTOR_SIZE + #define SECTOR_SIZE 512 /* sector size (bytes) */ ++#endif + #define SECTOR_BITS 9 /* log2(SECTOR_SIZE) */ + #define MSDOS_DPB (MSDOS_DPS) /* dir entries per block */ + #define MSDOS_DPB_BITS 4 /* log2(MSDOS_DPB) */ +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index c6c4477c136b9..d121c22bf9284 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -114,7 +114,7 @@ enum nf_tables_msg_types { + * @NFTA_LIST_ELEM: list element (NLA_NESTED) + */ + enum nft_list_attributes { +- NFTA_LIST_UNPEC, ++ NFTA_LIST_UNSPEC, + NFTA_LIST_ELEM, + __NFTA_LIST_MAX + }; +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 2c22ea7a20131..b469d099dc5f6 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2921,6 +2921,22 @@ static unsigned int cpuset_mems_nr(unsigned int *array) + } + + #ifdef CONFIG_SYSCTL ++static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int write, ++ void *buffer, size_t *length, ++ loff_t *ppos, unsigned long *out) ++{ ++ struct ctl_table dup_table; ++ ++ /* ++ * In order to avoid races with __do_proc_doulongvec_minmax(), we ++ * can duplicate the @table and alter the duplicate of it. ++ */ ++ dup_table = *table; ++ dup_table.data = out; ++ ++ return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos); ++} ++ + static int hugetlb_sysctl_handler_common(bool obey_mempolicy, + struct ctl_table *table, int write, + void __user *buffer, size_t *length, loff_t *ppos) +@@ -2932,9 +2948,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, + if (!hugepages_supported()) + return -EOPNOTSUPP; + +- table->data = &tmp; +- table->maxlen = sizeof(unsigned long); +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos, ++ &tmp); + if (ret) + goto out; + +@@ -2978,9 +2993,8 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, + if (write && hstate_is_gigantic(h)) + return -EINVAL; + +- table->data = &tmp; +- table->maxlen = sizeof(unsigned long); +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos, ++ &tmp); + if (ret) + goto out; + +diff --git a/mm/maccess.c b/mm/maccess.c +index 78f9274dd49d0..03ea550f5a743 100644 +--- a/mm/maccess.c ++++ b/mm/maccess.c +@@ -5,8 +5,32 @@ + #include + #include + ++static __always_inline long ++probe_read_common(void *dst, const void __user *src, size_t size) ++{ ++ long ret; ++ ++ pagefault_disable(); ++ ret = __copy_from_user_inatomic(dst, src, size); ++ pagefault_enable(); ++ ++ return ret ? -EFAULT : 0; ++} ++ ++static __always_inline long ++probe_write_common(void __user *dst, const void *src, size_t size) ++{ ++ long ret; ++ ++ pagefault_disable(); ++ ret = __copy_to_user_inatomic(dst, src, size); ++ pagefault_enable(); ++ ++ return ret ? -EFAULT : 0; ++} ++ + /** +- * probe_kernel_read(): safely attempt to read from a location ++ * probe_kernel_read(): safely attempt to read from a kernel-space location + * @dst: pointer to the buffer that shall take the data + * @src: address to read from + * @size: size of the data chunk +@@ -29,16 +53,40 @@ long __probe_kernel_read(void *dst, const void *src, size_t size) + mm_segment_t old_fs = get_fs(); + + set_fs(KERNEL_DS); +- pagefault_disable(); +- ret = __copy_from_user_inatomic(dst, +- (__force const void __user *)src, size); +- pagefault_enable(); ++ ret = probe_read_common(dst, (__force const void __user *)src, size); + set_fs(old_fs); + +- return ret ? -EFAULT : 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(probe_kernel_read); + ++/** ++ * probe_user_read(): safely attempt to read from a user-space location ++ * @dst: pointer to the buffer that shall take the data ++ * @src: address to read from. This must be a user address. ++ * @size: size of the data chunk ++ * ++ * Safely read from user address @src to the buffer at @dst. If a kernel fault ++ * happens, handle that and return -EFAULT. ++ */ ++ ++long __weak probe_user_read(void *dst, const void __user *src, size_t size) ++ __attribute__((alias("__probe_user_read"))); ++ ++long __probe_user_read(void *dst, const void __user *src, size_t size) ++{ ++ long ret = -EFAULT; ++ mm_segment_t old_fs = get_fs(); ++ ++ set_fs(USER_DS); ++ if (access_ok(VERIFY_READ, src, size)) ++ ret = probe_read_common(dst, src, size); ++ set_fs(old_fs); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(probe_user_read); ++ + /** + * probe_kernel_write(): safely attempt to write to a location + * @dst: address to write to +@@ -48,6 +96,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read); + * Safely write to address @dst from the buffer at @src. If a kernel fault + * happens, handle that and return -EFAULT. + */ ++ + long __weak probe_kernel_write(void *dst, const void *src, size_t size) + __attribute__((alias("__probe_kernel_write"))); + +@@ -57,15 +106,40 @@ long __probe_kernel_write(void *dst, const void *src, size_t size) + mm_segment_t old_fs = get_fs(); + + set_fs(KERNEL_DS); +- pagefault_disable(); +- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size); +- pagefault_enable(); ++ ret = probe_write_common((__force void __user *)dst, src, size); + set_fs(old_fs); + +- return ret ? -EFAULT : 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(probe_kernel_write); + ++/** ++ * probe_user_write(): safely attempt to write to a user-space location ++ * @dst: address to write to ++ * @src: pointer to the data that shall be written ++ * @size: size of the data chunk ++ * ++ * Safely write to address @dst from the buffer at @src. If a kernel fault ++ * happens, handle that and return -EFAULT. ++ */ ++ ++long __weak probe_user_write(void __user *dst, const void *src, size_t size) ++ __attribute__((alias("__probe_user_write"))); ++ ++long __probe_user_write(void __user *dst, const void *src, size_t size) ++{ ++ long ret = -EFAULT; ++ mm_segment_t old_fs = get_fs(); ++ ++ set_fs(USER_DS); ++ if (access_ok(VERIFY_WRITE, dst, size)) ++ ret = probe_write_common(dst, src, size); ++ set_fs(old_fs); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(probe_user_write); ++ + /** + * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address. + * @dst: Destination address, in kernel space. This buffer must be at +@@ -105,3 +179,76 @@ long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count) + + return ret ? -EFAULT : src - unsafe_addr; + } ++ ++/** ++ * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user ++ * address. ++ * @dst: Destination address, in kernel space. This buffer must be at ++ * least @count bytes long. ++ * @unsafe_addr: Unsafe user address. ++ * @count: Maximum number of bytes to copy, including the trailing NUL. ++ * ++ * Copies a NUL-terminated string from unsafe user address to kernel buffer. ++ * ++ * On success, returns the length of the string INCLUDING the trailing NUL. ++ * ++ * If access fails, returns -EFAULT (some data may have been copied ++ * and the trailing NUL added). ++ * ++ * If @count is smaller than the length of the string, copies @count-1 bytes, ++ * sets the last byte of @dst buffer to NUL and returns @count. ++ */ ++long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr, ++ long count) ++{ ++ mm_segment_t old_fs = get_fs(); ++ long ret; ++ ++ if (unlikely(count <= 0)) ++ return 0; ++ ++ set_fs(USER_DS); ++ pagefault_disable(); ++ ret = strncpy_from_user(dst, unsafe_addr, count); ++ pagefault_enable(); ++ set_fs(old_fs); ++ ++ if (ret >= count) { ++ ret = count; ++ dst[ret - 1] = '\0'; ++ } else if (ret > 0) { ++ ret++; ++ } ++ ++ return ret; ++} ++ ++/** ++ * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL. ++ * @unsafe_addr: The string to measure. ++ * @count: Maximum count (including NUL) ++ * ++ * Get the size of a NUL-terminated string in user space without pagefault. ++ * ++ * Returns the size of the string INCLUDING the terminating NUL. ++ * ++ * If the string is too long, returns a number larger than @count. User ++ * has to check the return value against "> count". ++ * On exception (or invalid count), returns 0. ++ * ++ * Unlike strnlen_user, this can be used from IRQ handler etc. because ++ * it disables pagefaults. ++ */ ++long strnlen_unsafe_user(const void __user *unsafe_addr, long count) ++{ ++ mm_segment_t old_fs = get_fs(); ++ int ret; ++ ++ set_fs(USER_DS); ++ pagefault_disable(); ++ ret = strnlen_user(unsafe_addr, count); ++ pagefault_enable(); ++ set_fs(old_fs); ++ ++ return ret; ++} +diff --git a/mm/slub.c b/mm/slub.c +index 454c1d550ad22..51a73d2d1082e 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -625,12 +625,12 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...) + } + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + if ((s->flags & SLAB_CONSISTENCY_CHECKS) && +- !check_valid_pointer(s, page, nextfree)) { +- object_err(s, page, freelist, "Freechain corrupt"); +- freelist = NULL; ++ !check_valid_pointer(s, page, nextfree) && freelist) { ++ object_err(s, page, *freelist, "Freechain corrupt"); ++ *freelist = NULL; + slab_fix(s, "Isolate corrupted freechain"); + return true; + } +@@ -1320,7 +1320,7 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node, + int objects) {} + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + return false; + } +@@ -2040,7 +2040,7 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page, + * 'freelist' is already corrupted. So isolate all objects + * starting at 'freelist'. + */ +- if (freelist_corrupted(s, page, freelist, nextfree)) ++ if (freelist_corrupted(s, page, &freelist, nextfree)) + break; + + do { +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 00123064eb26d..e545b42ab0b98 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -451,7 +451,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac, + skb->len + ETH_HLEN); + soft_iface->last_rx = jiffies; + +- netif_rx(skb); ++ if (in_interrupt()) ++ netif_rx(skb); ++ else ++ netif_rx_ni(skb); + out: + if (primary_if) + batadv_hardif_put(primary_if); +diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c +index 3bd7ed6b6b3e1..9727afc030d8c 100644 +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -673,8 +673,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len, + + chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET; + /* store the client address if the message is going to a client */ +- if (ret == BATADV_DHCP_TO_CLIENT && +- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) { ++ if (ret == BATADV_DHCP_TO_CLIENT) { ++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) ++ return BATADV_DHCP_NO; ++ + /* check if the DHCP packet carries an Ethernet DHCP */ + p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET; + if (*p != BATADV_DHCP_HTYPE_ETHERNET) +diff --git a/net/core/dev.c b/net/core/dev.c +index dd8d36feb69f4..9ac591dd16d50 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5188,13 +5188,14 @@ void netif_napi_add(struct net_device *dev, struct napi_struct *napi, + pr_err_once("netif_napi_add() called with weight %d on device %s\n", + weight, dev->name); + napi->weight = weight; +- list_add(&napi->dev_list, &dev->napi_list); + napi->dev = dev; + #ifdef CONFIG_NETPOLL + spin_lock_init(&napi->poll_lock); + napi->poll_owner = -1; + #endif + set_bit(NAPI_STATE_SCHED, &napi->state); ++ set_bit(NAPI_STATE_NPSVC, &napi->state); ++ list_add_rcu(&napi->dev_list, &dev->napi_list); + napi_hash_add(napi); + } + EXPORT_SYMBOL(netif_napi_add); +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 5de180a9b7f5a..9c1bad3909bd7 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -178,7 +178,7 @@ static void poll_napi(struct net_device *dev) + { + struct napi_struct *napi; + +- list_for_each_entry(napi, &dev->napi_list, dev_list) { ++ list_for_each_entry_rcu(napi, &dev->napi_list, dev_list) { + if (napi->poll_owner != smp_processor_id() && + spin_trylock(&napi->poll_lock)) { + poll_one_napi(napi); +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 1bcbb7399fe69..5a0352ccadd3d 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -89,6 +89,28 @@ int inet_csk_bind_conflict(const struct sock *sk, + } + EXPORT_SYMBOL_GPL(inet_csk_bind_conflict); + ++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, ++ struct sock *sk) ++{ ++ kuid_t uid = sock_i_uid(sk); ++ bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; ++ ++ if (!hlist_empty(&tb->owners)) { ++ if (!reuse) ++ tb->fastreuse = 0; ++ if (!sk->sk_reuseport || !uid_eq(tb->fastuid, uid)) ++ tb->fastreuseport = 0; ++ } else { ++ tb->fastreuse = reuse; ++ if (sk->sk_reuseport) { ++ tb->fastreuseport = 1; ++ tb->fastuid = uid; ++ } else { ++ tb->fastreuseport = 0; ++ } ++ } ++} ++ + /* Obtain a reference to a local port for the given sock, + * if snum is zero it means select any available local port. + * We try to allocate an odd port (and leave even ports for connect()) +@@ -218,19 +240,10 @@ tb_found: + } + goto fail_unlock; + } +- if (!reuse) +- tb->fastreuse = 0; +- if (!sk->sk_reuseport || !uid_eq(tb->fastuid, uid)) +- tb->fastreuseport = 0; +- } else { +- tb->fastreuse = reuse; +- if (sk->sk_reuseport) { +- tb->fastreuseport = 1; +- tb->fastuid = uid; +- } else { +- tb->fastreuseport = 0; +- } + } ++ ++ inet_csk_update_fastreuse(tb, sk); ++ + success: + if (!inet_csk(sk)->icsk_bind_hash) + inet_bind_hash(sk, tb, port); +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 4bf542f4d9809..8876338707636 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -163,6 +163,7 @@ int __inet_inherit_port(const struct sock *sk, struct sock *child) + return -ENOMEM; + } + } ++ inet_csk_update_fastreuse(tb, child); + } + inet_bind_hash(child, tb, port); + spin_unlock(&head->lock); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2fa1c4f2e94e0..ec460aedfc617 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2592,7 +2592,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, + goto nla_put_failure; + } + +- if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) ++ if (set->udata && ++ nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) + goto nla_put_failure; + + desc = nla_nest_start(skb, NFTA_SET_DESC); +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index b2f88617611aa..f73d47b3ffb72 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -74,7 +74,9 @@ static void nft_payload_eval(const struct nft_expr *expr, + u32 *dest = ®s->data[priv->dreg]; + int offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; ++ if (priv->len % NFT_REG32_SIZE) ++ dest[priv->len / NFT_REG32_SIZE] = 0; ++ + switch (priv->base) { + case NFT_PAYLOAD_LL_HEADER: + if (!skb_mac_header_was_set(skb)) +diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c +index 41d0e95d171e1..b1a1718495f34 100644 +--- a/net/netlabel/netlabel_domainhash.c ++++ b/net/netlabel/netlabel_domainhash.c +@@ -99,6 +99,7 @@ static void netlbl_domhsh_free_entry(struct rcu_head *entry) + kfree(netlbl_domhsh_addr6_entry(iter6)); + } + #endif /* IPv6 */ ++ kfree(ptr->def.addrsel); + } + kfree(ptr->domain); + kfree(ptr); +@@ -550,6 +551,8 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, + goto add_return; + } + #endif /* IPv6 */ ++ /* cleanup the new entry since we've moved everything over */ ++ netlbl_domhsh_free_entry(&entry->rcu); + } else + ret_val = -EINVAL; + +@@ -593,6 +596,12 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, + { + int ret_val = 0; + struct audit_buffer *audit_buf; ++ struct netlbl_af4list *iter4; ++ struct netlbl_domaddr4_map *map4; ++#if IS_ENABLED(CONFIG_IPV6) ++ struct netlbl_af6list *iter6; ++ struct netlbl_domaddr6_map *map6; ++#endif /* IPv6 */ + + if (entry == NULL) + return -ENOENT; +@@ -610,6 +619,9 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, + ret_val = -ENOENT; + spin_unlock(&netlbl_domhsh_lock); + ++ if (ret_val) ++ return ret_val; ++ + audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); + if (audit_buf != NULL) { + audit_log_format(audit_buf, +@@ -619,40 +631,29 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, + audit_log_end(audit_buf); + } + +- if (ret_val == 0) { +- struct netlbl_af4list *iter4; +- struct netlbl_domaddr4_map *map4; +-#if IS_ENABLED(CONFIG_IPV6) +- struct netlbl_af6list *iter6; +- struct netlbl_domaddr6_map *map6; +-#endif /* IPv6 */ +- +- switch (entry->def.type) { +- case NETLBL_NLTYPE_ADDRSELECT: +- netlbl_af4list_foreach_rcu(iter4, +- &entry->def.addrsel->list4) { +- map4 = netlbl_domhsh_addr4_entry(iter4); +- cipso_v4_doi_putdef(map4->def.cipso); +- } ++ switch (entry->def.type) { ++ case NETLBL_NLTYPE_ADDRSELECT: ++ netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) { ++ map4 = netlbl_domhsh_addr4_entry(iter4); ++ cipso_v4_doi_putdef(map4->def.cipso); ++ } + #if IS_ENABLED(CONFIG_IPV6) +- netlbl_af6list_foreach_rcu(iter6, +- &entry->def.addrsel->list6) { +- map6 = netlbl_domhsh_addr6_entry(iter6); +- calipso_doi_putdef(map6->def.calipso); +- } ++ netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) { ++ map6 = netlbl_domhsh_addr6_entry(iter6); ++ calipso_doi_putdef(map6->def.calipso); ++ } + #endif /* IPv6 */ +- break; +- case NETLBL_NLTYPE_CIPSOV4: +- cipso_v4_doi_putdef(entry->def.cipso); +- break; ++ break; ++ case NETLBL_NLTYPE_CIPSOV4: ++ cipso_v4_doi_putdef(entry->def.cipso); ++ break; + #if IS_ENABLED(CONFIG_IPV6) +- case NETLBL_NLTYPE_CALIPSO: +- calipso_doi_putdef(entry->def.calipso); +- break; ++ case NETLBL_NLTYPE_CALIPSO: ++ calipso_doi_putdef(entry->def.calipso); ++ break; + #endif /* IPv6 */ +- } +- call_rcu(&entry->rcu, netlbl_domhsh_free_entry); + } ++ call_rcu(&entry->rcu, netlbl_domhsh_free_entry); + + return ret_val; + } +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 95f39dde1e08e..c0fe647dd4acb 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -6687,8 +6687,6 @@ static long sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + + pr_debug("%s: begins, snum:%d\n", __func__, snum); + +- local_bh_disable(); +- + if (snum == 0) { + /* Search for an available port. */ + int low, high, remaining, index; +@@ -6707,20 +6705,21 @@ static long sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + continue; + index = sctp_phashfn(sock_net(sk), rover); + head = &sctp_port_hashtable[index]; +- spin_lock(&head->lock); ++ spin_lock_bh(&head->lock); + sctp_for_each_hentry(pp, &head->chain) + if ((pp->port == rover) && + net_eq(sock_net(sk), pp->net)) + goto next; + break; + next: +- spin_unlock(&head->lock); ++ spin_unlock_bh(&head->lock); ++ cond_resched(); + } while (--remaining > 0); + + /* Exhausted local port range during search? */ + ret = 1; + if (remaining <= 0) +- goto fail; ++ return ret; + + /* OK, here is the one we will use. HEAD (the port + * hash table list entry) is non-NULL and we hold it's +@@ -6735,7 +6734,7 @@ static long sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + * port iterator, pp being NULL. + */ + head = &sctp_port_hashtable[sctp_phashfn(sock_net(sk), snum)]; +- spin_lock(&head->lock); ++ spin_lock_bh(&head->lock); + sctp_for_each_hentry(pp, &head->chain) { + if ((pp->port == snum) && net_eq(pp->net, sock_net(sk))) + goto pp_found; +@@ -6819,10 +6818,7 @@ success: + ret = 0; + + fail_unlock: +- spin_unlock(&head->lock); +- +-fail: +- local_bh_enable(); ++ spin_unlock_bh(&head->lock); + return ret; + } + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 6d5f3f737207d..a649763b854d5 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2321,6 +2321,9 @@ int regulatory_hint_user(const char *alpha2, + if (WARN_ON(!alpha2)) + return -EINVAL; + ++ if (!is_world_regdom(alpha2) && !is_an_alpha2(alpha2)) ++ return -EINVAL; ++ + request = kzalloc(sizeof(struct regulatory_request), GFP_KERNEL); + if (!request) + return -ENOMEM; +diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl +index 55171647f5167..9432387dc1789 100755 +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -2375,8 +2375,8 @@ sub process { + + # Check if the commit log has what seems like a diff which can confuse patch + if ($in_commit_log && !$commit_log_has_diff && +- (($line =~ m@^\s+diff\b.*a/[\w/]+@ && +- $line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/$1\b@) || ++ (($line =~ m@^\s+diff\b.*a/([\w/]+)@ && ++ $line =~ m@^\s+diff\b.*a/[\w/]+\s+b/$1\b@) || + $line =~ m@^\s*(?:\-\-\-\s+a/|\+\+\+\s+b/)@ || + $line =~ m/^\s*\@\@ \-\d+,\d+ \+\d+,\d+ \@\@/)) { + ERROR("DIFF_IN_COMMIT_MSG", +diff --git a/sound/core/oss/mulaw.c b/sound/core/oss/mulaw.c +index 3788906421a73..fe27034f28460 100644 +--- a/sound/core/oss/mulaw.c ++++ b/sound/core/oss/mulaw.c +@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct snd_pcm_substream *plug, + snd_BUG(); + return -EINVAL; + } +- if (snd_BUG_ON(!snd_pcm_format_linear(format->format))) +- return -ENXIO; ++ if (!snd_pcm_format_linear(format->format)) ++ return -EINVAL; + + err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion", + src_format, dst_format, +diff --git a/sound/firewire/digi00x/digi00x.c b/sound/firewire/digi00x/digi00x.c +index ef689997d6a5b..bf53e342788e2 100644 +--- a/sound/firewire/digi00x/digi00x.c ++++ b/sound/firewire/digi00x/digi00x.c +@@ -15,6 +15,7 @@ MODULE_LICENSE("GPL v2"); + #define VENDOR_DIGIDESIGN 0x00a07e + #define MODEL_CONSOLE 0x000001 + #define MODEL_RACK 0x000002 ++#define SPEC_VERSION 0x000001 + + static int name_card(struct snd_dg00x *dg00x) + { +@@ -185,14 +186,18 @@ static const struct ieee1394_device_id snd_dg00x_id_table[] = { + /* Both of 002/003 use the same ID. */ + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_CONSOLE, + }, + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_RACK, + }, + {} +diff --git a/sound/firewire/tascam/tascam.c b/sound/firewire/tascam/tascam.c +index 4c967ac1c0e83..40ed4c92e48bd 100644 +--- a/sound/firewire/tascam/tascam.c ++++ b/sound/firewire/tascam/tascam.c +@@ -225,11 +225,39 @@ static void snd_tscm_remove(struct fw_unit *unit) + } + + static const struct ieee1394_device_id snd_tscm_id_table[] = { ++ // Tascam, FW-1884. + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | +- IEEE1394_MATCH_SPECIFIER_ID, ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, + .vendor_id = 0x00022e, + .specifier_id = 0x00022e, ++ .version = 0x800000, ++ }, ++ // Tascam, FE-8 (.version = 0x800001) ++ // This kernel module doesn't support FE-8 because the most of features ++ // can be implemented in userspace without any specific support of this ++ // module. ++ // ++ // .version = 0x800002 is unknown. ++ // ++ // Tascam, FW-1082. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = 0x00022e, ++ .specifier_id = 0x00022e, ++ .version = 0x800003, ++ }, ++ // Tascam, FW-1804. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = 0x00022e, ++ .specifier_id = 0x00022e, ++ .version = 0x800004, + }, + /* FE-08 requires reverse-engineering because it just has faders. */ + {} +diff --git a/sound/pci/ca0106/ca0106_main.c b/sound/pci/ca0106/ca0106_main.c +index 6165a57a94aea..2c30a0672c17f 100644 +--- a/sound/pci/ca0106/ca0106_main.c ++++ b/sound/pci/ca0106/ca0106_main.c +@@ -551,7 +551,8 @@ static int snd_ca0106_pcm_power_dac(struct snd_ca0106 *chip, int channel_id, + else + /* Power down */ + chip->spi_dac_reg[reg] |= bit; +- return snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]); ++ if (snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]) != 0) ++ return -ENXIO; + } + return 0; + } +diff --git a/tools/perf/Documentation/perf-record.txt b/tools/perf/Documentation/perf-record.txt +index 92335193dc338..d443ca3abf27d 100644 +--- a/tools/perf/Documentation/perf-record.txt ++++ b/tools/perf/Documentation/perf-record.txt +@@ -33,6 +33,10 @@ OPTIONS + - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a + hexadecimal event descriptor. + ++ - a symbolic or raw PMU event followed by an optional colon ++ and a list of event modifiers, e.g., cpu-cycles:p. See the ++ linkperf:perf-list[1] man page for details on event modifiers. ++ + - a symbolically formed PMU event like 'pmu/param1=0x3,param2/' where + 'param1', 'param2', etc are defined as formats for the PMU in + /sys/bus/event_source/devices//format/*. +diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt +index d96ccd4844df9..b099ac1de8546 100644 +--- a/tools/perf/Documentation/perf-stat.txt ++++ b/tools/perf/Documentation/perf-stat.txt +@@ -39,6 +39,10 @@ report:: + - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a + hexadecimal event descriptor. + ++ - a symbolic or raw PMU event followed by an optional colon ++ and a list of event modifiers, e.g., cpu-cycles:p. See the ++ linkperf:perf-list[1] man page for details on event modifiers. ++ + - a symbolically formed event like 'pmu/param1=0x3,param2/' where + param1 and param2 are defined as formats for the PMU in + /sys/bus/event_sources/devices//format/* diff --git a/patch/kernel/odroidxu4-current/patch-5.4.63-64.patch b/patch/kernel/odroidxu4-current/patch-5.4.63-64.patch new file mode 100644 index 000000000..92e487b99 --- /dev/null +++ b/patch/kernel/odroidxu4-current/patch-5.4.63-64.patch @@ -0,0 +1,4987 @@ +diff --git a/Documentation/devicetree/bindings/mmc/mtk-sd.txt b/Documentation/devicetree/bindings/mmc/mtk-sd.txt +index 8a532f4453f26..09aecec47003a 100644 +--- a/Documentation/devicetree/bindings/mmc/mtk-sd.txt ++++ b/Documentation/devicetree/bindings/mmc/mtk-sd.txt +@@ -49,6 +49,8 @@ Optional properties: + error caused by stop clock(fifo full) + Valid range = [0:0x7]. if not present, default value is 0. + applied to compatible "mediatek,mt2701-mmc". ++- resets: Phandle and reset specifier pair to softreset line of MSDC IP. ++- reset-names: Should be "hrst". + + Examples: + mmc0: mmc@11230000 { +diff --git a/Documentation/filesystems/affs.txt b/Documentation/filesystems/affs.txt +index 71b63c2b98410..a8f1a58e36922 100644 +--- a/Documentation/filesystems/affs.txt ++++ b/Documentation/filesystems/affs.txt +@@ -93,13 +93,15 @@ The Amiga protection flags RWEDRWEDHSPARWED are handled as follows: + + - R maps to r for user, group and others. On directories, R implies x. + +- - If both W and D are allowed, w will be set. ++ - W maps to w. + + - E maps to x. + +- - H and P are always retained and ignored under Linux. ++ - D is ignored. + +- - A is always reset when a file is written to. ++ - H, S and P are always retained and ignored under Linux. ++ ++ - A is cleared when a file is written to. + + User id and group id will be used unless set[gu]id are given as mount + options. Since most of the Amiga file systems are single user systems +@@ -111,11 +113,13 @@ Linux -> Amiga: + + The Linux rwxrwxrwx file mode is handled as follows: + +- - r permission will set R for user, group and others. ++ - r permission will allow R for user, group and others. ++ ++ - w permission will allow W for user, group and others. + +- - w permission will set W and D for user, group and others. ++ - x permission of the user will allow E for plain files. + +- - x permission of the user will set E for plain files. ++ - D will be allowed for user, group and others. + + - All other flags (suid, sgid, ...) are ignored and will + not be retained. +diff --git a/Makefile b/Makefile +index 418814b108ae6..7bdfb21bb9269 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 4 +-SUBLEVEL = 63 ++SUBLEVEL = 64 + EXTRAVERSION = + NAME = Kleptomaniac Octopus + +diff --git a/arch/arc/kernel/perf_event.c b/arch/arc/kernel/perf_event.c +index 661fd842ea97d..79849f37e782c 100644 +--- a/arch/arc/kernel/perf_event.c ++++ b/arch/arc/kernel/perf_event.c +@@ -562,7 +562,7 @@ static int arc_pmu_device_probe(struct platform_device *pdev) + { + struct arc_reg_pct_build pct_bcr; + struct arc_reg_cc_build cc_bcr; +- int i, has_interrupts; ++ int i, has_interrupts, irq; + int counter_size; /* in bits */ + + union cc_name { +@@ -637,13 +637,7 @@ static int arc_pmu_device_probe(struct platform_device *pdev) + .attr_groups = arc_pmu->attr_groups, + }; + +- if (has_interrupts) { +- int irq = platform_get_irq(pdev, 0); +- +- if (irq < 0) { +- pr_err("Cannot get IRQ number for the platform\n"); +- return -ENODEV; +- } ++ if (has_interrupts && (irq = platform_get_irq(pdev, 0) >= 0)) { + + arc_pmu->irq = irq; + +@@ -652,9 +646,9 @@ static int arc_pmu_device_probe(struct platform_device *pdev) + this_cpu_ptr(&arc_pmu_cpu)); + + on_each_cpu(arc_cpu_pmu_irq_init, &irq, 1); +- +- } else ++ } else { + arc_pmu->pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT; ++ } + + /* + * perf parser doesn't really like '-' symbol in events name, so let's +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index dac51e98204c0..7cd8c3f52b471 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -686,6 +686,8 @@ + clocks = <&pericfg CLK_PERI_MSDC30_0_PD>, + <&topckgen CLK_TOP_MSDC50_0_SEL>; + clock-names = "source", "hclk"; ++ resets = <&pericfg MT7622_PERI_MSDC0_SW_RST>; ++ reset-names = "hrst"; + status = "disabled"; + }; + +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c +index 712c15de6ab9f..6b304acf506fe 100644 +--- a/arch/mips/kernel/smp-bmips.c ++++ b/arch/mips/kernel/smp-bmips.c +@@ -241,6 +241,8 @@ static int bmips_boot_secondary(int cpu, struct task_struct *idle) + */ + static void bmips_init_secondary(void) + { ++ bmips_cpu_setup(); ++ + switch (current_cpu_type()) { + case CPU_BMIPS4350: + case CPU_BMIPS4380: +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index 6a25364600266..8282d0feb0b21 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -1240,6 +1240,18 @@ static int enable_restore_fp_context(int msa) + err = own_fpu_inatomic(1); + if (msa && !err) { + enable_msa(); ++ /* ++ * with MSA enabled, userspace can see MSACSR ++ * and MSA regs, but the values in them are from ++ * other task before current task, restore them ++ * from saved fp/msa context ++ */ ++ write_msa_csr(current->thread.fpu.msacsr); ++ /* ++ * own_fpu_inatomic(1) just restore low 64bit, ++ * fix the high 64bit ++ */ ++ init_msa_upper(); + set_thread_flag(TIF_USEDMSA); + set_thread_flag(TIF_MSA_CTX_LIVE); + } +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index 89b9c851d8227..c4785a456dedc 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1676,7 +1676,11 @@ static void setup_scache(void) + printk("MIPS secondary cache %ldkB, %s, linesize %d bytes.\n", + scache_size >> 10, + way_string[c->scache.ways], c->scache.linesz); ++ ++ if (current_cpu_type() == CPU_BMIPS5000) ++ c->options |= MIPS_CPU_INCLUSIVE_CACHES; + } ++ + #else + if (!(c->scache.flags & MIPS_CACHE_NOT_PRESENT)) + panic("Dunno how to handle MIPS32 / MIPS64 second level cache"); +diff --git a/arch/s390/include/asm/percpu.h b/arch/s390/include/asm/percpu.h +index 50b4ce8cddfdc..918f0ba4f4d20 100644 +--- a/arch/s390/include/asm/percpu.h ++++ b/arch/s390/include/asm/percpu.h +@@ -29,7 +29,7 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ old__, new__, prev__; \ + pcp_op_T__ *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + prev__ = *ptr__; \ + do { \ +@@ -37,7 +37,7 @@ + new__ = old__ op (val); \ + prev__ = cmpxchg(ptr__, old__, new__); \ + } while (prev__ != old__); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + new__; \ + }) + +@@ -68,7 +68,7 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ val__ = (val); \ + pcp_op_T__ old__, *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + if (__builtin_constant_p(val__) && \ + ((szcast)val__ > -129) && ((szcast)val__ < 128)) { \ +@@ -84,7 +84,7 @@ + : [val__] "d" (val__) \ + : "cc"); \ + } \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + } + + #define this_cpu_add_4(pcp, val) arch_this_cpu_add(pcp, val, "laa", "asi", int) +@@ -95,14 +95,14 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ val__ = (val); \ + pcp_op_T__ old__, *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + asm volatile( \ + op " %[old__],%[val__],%[ptr__]\n" \ + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \ + : [val__] "d" (val__) \ + : "cc"); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + old__ + val__; \ + }) + +@@ -114,14 +114,14 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ val__ = (val); \ + pcp_op_T__ old__, *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + asm volatile( \ + op " %[old__],%[val__],%[ptr__]\n" \ + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \ + : [val__] "d" (val__) \ + : "cc"); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + } + + #define this_cpu_and_4(pcp, val) arch_this_cpu_to_op(pcp, val, "lan") +@@ -136,10 +136,10 @@ + typedef typeof(pcp) pcp_op_T__; \ + pcp_op_T__ ret__; \ + pcp_op_T__ *ptr__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + ret__ = cmpxchg(ptr__, oval, nval); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + ret__; \ + }) + +@@ -152,10 +152,10 @@ + ({ \ + typeof(pcp) *ptr__; \ + typeof(pcp) ret__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ + ret__ = xchg(ptr__, nval); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + ret__; \ + }) + +@@ -171,11 +171,11 @@ + typeof(pcp1) *p1__; \ + typeof(pcp2) *p2__; \ + int ret__; \ +- preempt_disable(); \ ++ preempt_disable_notrace(); \ + p1__ = raw_cpu_ptr(&(pcp1)); \ + p2__ = raw_cpu_ptr(&(pcp2)); \ + ret__ = __cmpxchg_double(p1__, p2__, o1__, o2__, n1__, n2__); \ +- preempt_enable(); \ ++ preempt_enable_notrace(); \ + ret__; \ + }) + +diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h +index 332eb35258676..902be2e6e96cf 100644 +--- a/arch/x86/include/asm/ptrace.h ++++ b/arch/x86/include/asm/ptrace.h +@@ -309,8 +309,8 @@ static inline unsigned long regs_get_kernel_argument(struct pt_regs *regs, + static const unsigned int argument_offs[] = { + #ifdef __i386__ + offsetof(struct pt_regs, ax), +- offsetof(struct pt_regs, cx), + offsetof(struct pt_regs, dx), ++ offsetof(struct pt_regs, cx), + #define NR_REG_ARGUMENTS 3 + #else + offsetof(struct pt_regs, di), +diff --git a/arch/x86/mm/numa_emulation.c b/arch/x86/mm/numa_emulation.c +index abffa0be80da1..87282258d5bea 100644 +--- a/arch/x86/mm/numa_emulation.c ++++ b/arch/x86/mm/numa_emulation.c +@@ -321,7 +321,7 @@ static int __init split_nodes_size_interleave(struct numa_meminfo *ei, + u64 addr, u64 max_addr, u64 size) + { + return split_nodes_size_interleave_uniform(ei, pi, addr, max_addr, size, +- 0, NULL, NUMA_NO_NODE); ++ 0, NULL, 0); + } + + int __init setup_emu2phys_nid(int *dfl_phys_nid) +diff --git a/block/blk-core.c b/block/blk-core.c +index d5e668ec751b5..ca6b677356864 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -502,6 +502,7 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id) + goto fail_stats; + + q->backing_dev_info->ra_pages = VM_READAHEAD_PAGES; ++ q->backing_dev_info->io_pages = VM_READAHEAD_PAGES; + q->backing_dev_info->capabilities = BDI_CAP_CGROUP_WRITEBACK; + q->backing_dev_info->name = "block"; + q->node = node_id; +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index dcc6685d5becc..ef287c33d6d97 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -2074,14 +2074,15 @@ static void ioc_pd_free(struct blkg_policy_data *pd) + { + struct ioc_gq *iocg = pd_to_iocg(pd); + struct ioc *ioc = iocg->ioc; ++ unsigned long flags; + + if (ioc) { +- spin_lock(&ioc->lock); ++ spin_lock_irqsave(&ioc->lock, flags); + if (!list_empty(&iocg->active_list)) { + propagate_active_weight(iocg, 0, 0); + list_del_init(&iocg->active_list); + } +- spin_unlock(&ioc->lock); ++ spin_unlock_irqrestore(&ioc->lock, flags); + + hrtimer_cancel(&iocg->waitq_timer); + hrtimer_cancel(&iocg->delay_timer); +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 35f75c691d7cf..066b37963ad5f 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4474,9 +4474,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, }, + +- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on +- SD7SN6S256G and SD8SN8U256G */ +- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, ++ /* Sandisk SD7/8/9s lock up hard on large trims */ ++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, }, + + /* devices which puke on READ_NATIVE_MAX */ + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 5596c9b6ebf23..464efedc778b0 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2374,6 +2374,7 @@ static unsigned int ata_scsiop_inq_89(struct ata_scsi_args *args, u8 *rbuf) + + static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf) + { ++ struct ata_device *dev = args->dev; + u16 min_io_sectors; + + rbuf[1] = 0xb0; +@@ -2399,7 +2400,12 @@ static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf) + * with the unmap bit set. + */ + if (ata_id_has_trim(args->id)) { +- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]); ++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM; ++ ++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M) ++ max_blocks = 128 << (20 - SECTOR_SHIFT); ++ ++ put_unaligned_be64(max_blocks, &rbuf[36]); + put_unaligned_be32(1, &rbuf[28]); + } + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 7b61d53ba050e..7c577cabb9c3b 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1349,6 +1349,8 @@ static void nbd_set_cmd_timeout(struct nbd_device *nbd, u64 timeout) + nbd->tag_set.timeout = timeout * HZ; + if (timeout) + blk_queue_rq_timeout(nbd->disk->queue, timeout * HZ); ++ else ++ blk_queue_rq_timeout(nbd->disk->queue, 30 * HZ); + } + + /* Must be called with config_lock held */ +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 29d2d7a21bd7b..73f08cda21e0e 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -148,7 +148,8 @@ static void enter_s2idle_proper(struct cpuidle_driver *drv, + */ + stop_critical_timings(); + drv->states[index].enter_s2idle(dev, drv, index); +- WARN_ON(!irqs_disabled()); ++ if (WARN_ON_ONCE(!irqs_disabled())) ++ local_irq_disable(); + /* + * timekeeping_resume() that will be called by tick_unfreeze() for the + * first CPU executing it calls functions containing RCU read-side +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c +index 672c73b4a2d4f..ff366c2f58c18 100644 +--- a/drivers/dma/at_hdmac.c ++++ b/drivers/dma/at_hdmac.c +@@ -1667,6 +1667,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec, + return NULL; + + dmac_pdev = of_find_device_by_node(dma_spec->np); ++ if (!dmac_pdev) ++ return NULL; + + dma_cap_zero(mask); + dma_cap_set(DMA_SLAVE, mask); +diff --git a/drivers/dma/dw-edma/dw-edma-core.c b/drivers/dma/dw-edma/dw-edma-core.c +index ff392c01bad1f..7f9a86c3c58ff 100644 +--- a/drivers/dma/dw-edma/dw-edma-core.c ++++ b/drivers/dma/dw-edma/dw-edma-core.c +@@ -391,7 +391,7 @@ dw_edma_device_transfer(struct dw_edma_transfer *xfer) + if (xfer->cyclic) { + burst->dar = xfer->xfer.cyclic.paddr; + } else { +- burst->dar = sg_dma_address(sg); ++ burst->dar = dst_addr; + /* Unlike the typical assumption by other + * drivers/IPs the peripheral memory isn't + * a FIFO memory, in this case, it's a +@@ -399,14 +399,13 @@ dw_edma_device_transfer(struct dw_edma_transfer *xfer) + * and destination addresses are increased + * by the same portion (data length) + */ +- src_addr += sg_dma_len(sg); + } + } else { + burst->dar = dst_addr; + if (xfer->cyclic) { + burst->sar = xfer->xfer.cyclic.paddr; + } else { +- burst->sar = sg_dma_address(sg); ++ burst->sar = src_addr; + /* Unlike the typical assumption by other + * drivers/IPs the peripheral memory isn't + * a FIFO memory, in this case, it's a +@@ -414,12 +413,14 @@ dw_edma_device_transfer(struct dw_edma_transfer *xfer) + * and destination addresses are increased + * by the same portion (data length) + */ +- dst_addr += sg_dma_len(sg); + } + } + +- if (!xfer->cyclic) ++ if (!xfer->cyclic) { ++ src_addr += sg_dma_len(sg); ++ dst_addr += sg_dma_len(sg); + sg = sg_next(sg); ++ } + } + + return vchan_tx_prep(&chan->vc, &desc->vd, xfer->flags); +diff --git a/drivers/dma/fsldma.h b/drivers/dma/fsldma.h +index 56f18ae992332..308bed0a560ac 100644 +--- a/drivers/dma/fsldma.h ++++ b/drivers/dma/fsldma.h +@@ -205,10 +205,10 @@ struct fsldma_chan { + #else + static u64 fsl_ioread64(const u64 __iomem *addr) + { +- u32 fsl_addr = lower_32_bits(addr); +- u64 fsl_addr_hi = (u64)in_le32((u32 *)(fsl_addr + 1)) << 32; ++ u32 val_lo = in_le32((u32 __iomem *)addr); ++ u32 val_hi = in_le32((u32 __iomem *)addr + 1); + +- return fsl_addr_hi | in_le32((u32 *)fsl_addr); ++ return ((u64)val_hi << 32) + val_lo; + } + + static void fsl_iowrite64(u64 val, u64 __iomem *addr) +@@ -219,10 +219,10 @@ static void fsl_iowrite64(u64 val, u64 __iomem *addr) + + static u64 fsl_ioread64be(const u64 __iomem *addr) + { +- u32 fsl_addr = lower_32_bits(addr); +- u64 fsl_addr_hi = (u64)in_be32((u32 *)fsl_addr) << 32; ++ u32 val_hi = in_be32((u32 __iomem *)addr); ++ u32 val_lo = in_be32((u32 __iomem *)addr + 1); + +- return fsl_addr_hi | in_be32((u32 *)(fsl_addr + 1)); ++ return ((u64)val_hi << 32) + val_lo; + } + + static void fsl_iowrite64be(u64 val, u64 __iomem *addr) +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c +index c2d779daa4b51..4bbf4172b9bf9 100644 +--- a/drivers/dma/of-dma.c ++++ b/drivers/dma/of-dma.c +@@ -69,12 +69,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec, + return NULL; + + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target); +- if (chan) { +- chan->router = ofdma->dma_router; +- chan->route_data = route_data; +- } else { ++ if (IS_ERR_OR_NULL(chan)) { + ofdma->dma_router->route_free(ofdma->dma_router->dev, + route_data); ++ } else { ++ chan->router = ofdma->dma_router; ++ chan->route_data = route_data; + } + + /* +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 6cce9ef61b294..cd81d10974a29 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2788,6 +2788,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + while (burst != (1 << desc->rqcfg.brst_size)) + desc->rqcfg.brst_size++; + ++ desc->rqcfg.brst_len = get_burst_len(desc, len); + /* + * If burst size is smaller than bus width then make sure we only + * transfer one at a time to avoid a burst stradling an MFIFO entry. +@@ -2795,7 +2796,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst, + if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width) + desc->rqcfg.brst_len = 1; + +- desc->rqcfg.brst_len = get_burst_len(desc, len); + desc->bytes_requested = len; + + desc->txd.flags = flags; +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 247f53d41993d..60e50181f6d39 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2043,12 +2043,18 @@ static int amdgpu_dm_mode_config_init(struct amdgpu_device *adev) + &dm_atomic_state_funcs); + + r = amdgpu_display_modeset_create_props(adev); +- if (r) ++ if (r) { ++ dc_release_state(state->context); ++ kfree(state); + return r; ++ } + + r = amdgpu_dm_audio_init(adev); +- if (r) ++ if (r) { ++ dc_release_state(state->context); ++ kfree(state); + return r; ++ } + + return 0; + } +@@ -2064,6 +2070,8 @@ static void amdgpu_dm_update_backlight_caps(struct amdgpu_display_manager *dm) + #if defined(CONFIG_ACPI) + struct amdgpu_dm_backlight_caps caps; + ++ memset(&caps, 0, sizeof(caps)); ++ + if (dm->backlight_caps.caps_valid) + return; + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +index 28a6c7b2ef4bb..2f858507ca702 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -101,7 +101,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, + result = dc_link_aux_transfer_raw(TO_DM_AUX(aux)->ddc_service, &payload, + &operation_result); + +- if (payload.write) ++ if (payload.write && result >= 0) + result = msg->size; + + if (result < 0) +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c +index 1599bb9711111..e860ae05feda1 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c +@@ -1151,6 +1151,7 @@ static enum dc_status dcn10_validate_global(struct dc *dc, struct dc_state *cont + bool video_large = false; + bool desktop_large = false; + bool dcc_disabled = false; ++ bool mpo_enabled = false; + + for (i = 0; i < context->stream_count; i++) { + if (context->stream_status[i].plane_count == 0) +@@ -1159,6 +1160,9 @@ static enum dc_status dcn10_validate_global(struct dc *dc, struct dc_state *cont + if (context->stream_status[i].plane_count > 2) + return DC_FAIL_UNSUPPORTED_1; + ++ if (context->stream_status[i].plane_count > 1) ++ mpo_enabled = true; ++ + for (j = 0; j < context->stream_status[i].plane_count; j++) { + struct dc_plane_state *plane = + context->stream_status[i].plane_states[j]; +@@ -1182,6 +1186,10 @@ static enum dc_status dcn10_validate_global(struct dc *dc, struct dc_state *cont + } + } + ++ /* Disable MPO in multi-display configurations. */ ++ if (context->stream_count > 1 && mpo_enabled) ++ return DC_FAIL_UNSUPPORTED_1; ++ + /* + * Workaround: On DCN10 there is UMC issue that causes underflow when + * playing 4k video on 4k desktop with video downscaled and single channel +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c +index 36a17caa3761d..e8d01abf27fa8 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c +@@ -375,8 +375,18 @@ static int vega10_thermal_set_temperature_range(struct pp_hwmgr *hwmgr, + /* compare them in unit celsius degree */ + if (low < range->min / PP_TEMPERATURE_UNITS_PER_CENTIGRADES) + low = range->min / PP_TEMPERATURE_UNITS_PER_CENTIGRADES; +- if (high > tdp_table->usSoftwareShutdownTemp) +- high = tdp_table->usSoftwareShutdownTemp; ++ ++ /* ++ * As a common sense, usSoftwareShutdownTemp should be bigger ++ * than ThotspotLimit. For any invalid usSoftwareShutdownTemp, ++ * we will just use the max possible setting VEGA10_THERMAL_MAXIMUM_ALERT_TEMP ++ * to avoid false alarms. ++ */ ++ if ((tdp_table->usSoftwareShutdownTemp > ++ range->hotspot_crit_max / PP_TEMPERATURE_UNITS_PER_CENTIGRADES)) { ++ if (high > tdp_table->usSoftwareShutdownTemp) ++ high = tdp_table->usSoftwareShutdownTemp; ++ } + + if (low > high) + return -EINVAL; +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +index 9ea748667fab0..40431a09dc97c 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +@@ -199,12 +199,22 @@ static int a6xx_gmu_start(struct a6xx_gmu *gmu) + { + int ret; + u32 val; ++ u32 mask, reset_val; ++ ++ val = gmu_read(gmu, REG_A6XX_GMU_CM3_DTCM_START + 0xff8); ++ if (val <= 0x20010004) { ++ mask = 0xffffffff; ++ reset_val = 0xbabeface; ++ } else { ++ mask = 0x1ff; ++ reset_val = 0x100; ++ } + + gmu_write(gmu, REG_A6XX_GMU_CM3_SYSRESET, 1); + gmu_write(gmu, REG_A6XX_GMU_CM3_SYSRESET, 0); + + ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_CM3_FW_INIT_RESULT, val, +- val == 0xbabeface, 100, 10000); ++ (val & mask) == reset_val, 100, 10000); + + if (ret) + DRM_DEV_ERROR(gmu->dev, "GMU firmware initialization timed out\n"); +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +index 58d5acbcfc5c2..b984bafd27e25 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +@@ -853,9 +853,9 @@ static int dpu_plane_atomic_check(struct drm_plane *plane, + crtc_state = drm_atomic_get_new_crtc_state(state->state, + state->crtc); + +- min_scale = FRAC_16_16(1, pdpu->pipe_sblk->maxdwnscale); ++ min_scale = FRAC_16_16(1, pdpu->pipe_sblk->maxupscale); + ret = drm_atomic_helper_check_plane_state(state, crtc_state, min_scale, +- pdpu->pipe_sblk->maxupscale << 16, ++ pdpu->pipe_sblk->maxdwnscale << 16, + true, true); + if (ret) { + DPU_ERROR_PLANE(pdpu, "Check plane state failed (%d)\n", ret); +diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c +index 5ccfad794c6a5..561bfa48841c3 100644 +--- a/drivers/gpu/drm/msm/msm_atomic.c ++++ b/drivers/gpu/drm/msm/msm_atomic.c +@@ -27,6 +27,34 @@ int msm_atomic_prepare_fb(struct drm_plane *plane, + return msm_framebuffer_prepare(new_state->fb, kms->aspace); + } + ++/* ++ * Helpers to control vblanks while we flush.. basically just to ensure ++ * that vblank accounting is switched on, so we get valid seqn/timestamp ++ * on pageflip events (if requested) ++ */ ++ ++static void vblank_get(struct msm_kms *kms, unsigned crtc_mask) ++{ ++ struct drm_crtc *crtc; ++ ++ for_each_crtc_mask(kms->dev, crtc, crtc_mask) { ++ if (!crtc->state->active) ++ continue; ++ drm_crtc_vblank_get(crtc); ++ } ++} ++ ++static void vblank_put(struct msm_kms *kms, unsigned crtc_mask) ++{ ++ struct drm_crtc *crtc; ++ ++ for_each_crtc_mask(kms->dev, crtc, crtc_mask) { ++ if (!crtc->state->active) ++ continue; ++ drm_crtc_vblank_put(crtc); ++ } ++} ++ + static void msm_atomic_async_commit(struct msm_kms *kms, int crtc_idx) + { + unsigned crtc_mask = BIT(crtc_idx); +@@ -44,6 +72,8 @@ static void msm_atomic_async_commit(struct msm_kms *kms, int crtc_idx) + + kms->funcs->enable_commit(kms); + ++ vblank_get(kms, crtc_mask); ++ + /* + * Flush hardware updates: + */ +@@ -58,6 +88,8 @@ static void msm_atomic_async_commit(struct msm_kms *kms, int crtc_idx) + kms->funcs->wait_flush(kms, crtc_mask); + trace_msm_atomic_wait_flush_finish(crtc_mask); + ++ vblank_put(kms, crtc_mask); ++ + mutex_lock(&kms->commit_lock); + kms->funcs->complete_commit(kms, crtc_mask); + mutex_unlock(&kms->commit_lock); +@@ -221,6 +253,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state) + */ + kms->pending_crtc_mask &= ~crtc_mask; + ++ vblank_get(kms, crtc_mask); ++ + /* + * Flush hardware updates: + */ +@@ -235,6 +269,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state) + kms->funcs->wait_flush(kms, crtc_mask); + trace_msm_atomic_wait_flush_finish(crtc_mask); + ++ vblank_put(kms, crtc_mask); ++ + mutex_lock(&kms->commit_lock); + kms->funcs->complete_commit(kms, crtc_mask); + mutex_unlock(&kms->commit_lock); +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index b73fbb65e14b2..4558d66761b3c 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1321,6 +1321,13 @@ static int msm_pdev_remove(struct platform_device *pdev) + return 0; + } + ++static void msm_pdev_shutdown(struct platform_device *pdev) ++{ ++ struct drm_device *drm = platform_get_drvdata(pdev); ++ ++ drm_atomic_helper_shutdown(drm); ++} ++ + static const struct of_device_id dt_match[] = { + { .compatible = "qcom,mdp4", .data = (void *)KMS_MDP4 }, + { .compatible = "qcom,mdss", .data = (void *)KMS_MDP5 }, +@@ -1332,6 +1339,7 @@ MODULE_DEVICE_TABLE(of, dt_match); + static struct platform_driver msm_platform_driver = { + .probe = msm_pdev_probe, + .remove = msm_pdev_remove, ++ .shutdown = msm_pdev_shutdown, + .driver = { + .name = "msm", + .of_match_table = dt_match, +diff --git a/drivers/gpu/drm/omapdrm/omap_crtc.c b/drivers/gpu/drm/omapdrm/omap_crtc.c +index 3c5ddbf30e974..f5e18802e7bc6 100644 +--- a/drivers/gpu/drm/omapdrm/omap_crtc.c ++++ b/drivers/gpu/drm/omapdrm/omap_crtc.c +@@ -451,11 +451,12 @@ static void omap_crtc_atomic_enable(struct drm_crtc *crtc, + if (omap_state->manually_updated) + return; + +- spin_lock_irq(&crtc->dev->event_lock); + drm_crtc_vblank_on(crtc); ++ + ret = drm_crtc_vblank_get(crtc); + WARN_ON(ret != 0); + ++ spin_lock_irq(&crtc->dev->event_lock); + omap_crtc_arm_event(crtc); + spin_unlock_irq(&crtc->dev->event_lock); + } +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 09df5ecc2c79b..fbc93d8dda5ed 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -730,6 +730,9 @@ + #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3 + #define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5 + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D 0x608d ++#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019 0x6019 ++#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_602E 0x602e ++#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6093 0x6093 + + #define USB_VENDOR_ID_LG 0x1fd2 + #define USB_DEVICE_ID_LG_MULTITOUCH 0x0064 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index b3dd60897ffda..8a739ec50cc00 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -105,6 +105,9 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M406XE), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE_ID2), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_602E), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6093), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C007), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_KEYBOARD_G710_PLUS), HID_QUIRK_NOGET }, +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c +index 183ff3d251299..006bc07bcd301 100644 +--- a/drivers/hwmon/applesmc.c ++++ b/drivers/hwmon/applesmc.c +@@ -748,15 +748,18 @@ static ssize_t applesmc_light_show(struct device *dev, + } + + ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, buffer, data_length); ++ if (ret) ++ goto out; + /* newer macbooks report a single 10-bit bigendian value */ + if (data_length == 10) { + left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2; + goto out; + } + left = buffer[2]; ++ ++ ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length); + if (ret) + goto out; +- ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length); + right = buffer[2]; + + out: +@@ -805,12 +808,11 @@ static ssize_t applesmc_show_fan_speed(struct device *dev, + to_index(attr)); + + ret = applesmc_read_key(newkey, buffer, 2); +- speed = ((buffer[0] << 8 | buffer[1]) >> 2); +- + if (ret) + return ret; +- else +- return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed); ++ ++ speed = ((buffer[0] << 8 | buffer[1]) >> 2); ++ return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed); + } + + static ssize_t applesmc_store_fan_speed(struct device *dev, +@@ -846,12 +848,11 @@ static ssize_t applesmc_show_fan_manual(struct device *dev, + u8 buffer[2]; + + ret = applesmc_read_key(FANS_MANUAL, buffer, 2); +- manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01; +- + if (ret) + return ret; +- else +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual); ++ ++ manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01; ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual); + } + + static ssize_t applesmc_store_fan_manual(struct device *dev, +@@ -867,10 +868,11 @@ static ssize_t applesmc_store_fan_manual(struct device *dev, + return -EINVAL; + + ret = applesmc_read_key(FANS_MANUAL, buffer, 2); +- val = (buffer[0] << 8 | buffer[1]); + if (ret) + goto out; + ++ val = (buffer[0] << 8 | buffer[1]); ++ + if (input) + val = val | (0x01 << to_index(attr)); + else +@@ -946,13 +948,12 @@ static ssize_t applesmc_key_count_show(struct device *dev, + u32 count; + + ret = applesmc_read_key(KEY_COUNT_KEY, buffer, 4); +- count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) + +- ((u32)buffer[2]<<8) + buffer[3]; +- + if (ret) + return ret; +- else +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count); ++ ++ count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) + ++ ((u32)buffer[2]<<8) + buffer[3]; ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count); + } + + static ssize_t applesmc_key_at_index_read_show(struct device *dev, +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 3a7094f4813f2..cdafc652d9d1a 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -4431,6 +4431,7 @@ int amd_iommu_deactivate_guest_mode(void *data) + struct amd_ir_data *ir_data = (struct amd_ir_data *)data; + struct irte_ga *entry = (struct irte_ga *) ir_data->entry; + struct irq_cfg *cfg = ir_data->cfg; ++ u64 valid = entry->lo.fields_remap.valid; + + if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) || + !entry || !entry->lo.fields_vapic.guest_mode) +@@ -4439,6 +4440,7 @@ int amd_iommu_deactivate_guest_mode(void *data) + entry->lo.val = 0; + entry->hi.val = 0; + ++ entry->lo.fields_remap.valid = valid; + entry->lo.fields_remap.dm = apic->irq_dest_mode; + entry->lo.fields_remap.int_type = apic->irq_delivery_mode; + entry->hi.fields.vector = cfg->vector; +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index cdc1f4736a116..2ffec65df3889 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -123,29 +123,29 @@ static inline unsigned int level_to_offset_bits(int level) + return (level - 1) * LEVEL_STRIDE; + } + +-static inline int pfn_level_offset(unsigned long pfn, int level) ++static inline int pfn_level_offset(u64 pfn, int level) + { + return (pfn >> level_to_offset_bits(level)) & LEVEL_MASK; + } + +-static inline unsigned long level_mask(int level) ++static inline u64 level_mask(int level) + { +- return -1UL << level_to_offset_bits(level); ++ return -1ULL << level_to_offset_bits(level); + } + +-static inline unsigned long level_size(int level) ++static inline u64 level_size(int level) + { +- return 1UL << level_to_offset_bits(level); ++ return 1ULL << level_to_offset_bits(level); + } + +-static inline unsigned long align_to_level(unsigned long pfn, int level) ++static inline u64 align_to_level(u64 pfn, int level) + { + return (pfn + level_size(level) - 1) & level_mask(level); + } + + static inline unsigned long lvl_to_nr_pages(unsigned int lvl) + { +- return 1 << min_t(int, (lvl - 1) * LEVEL_STRIDE, MAX_AGAW_PFN_WIDTH); ++ return 1UL << min_t(int, (lvl - 1) * LEVEL_STRIDE, MAX_AGAW_PFN_WIDTH); + } + + /* VT-d pages must always be _smaller_ than MM pages. Otherwise things +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index 6bfb283e6f287..f697f3a1d46bc 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -507,12 +507,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu) + + /* Enable interrupt-remapping */ + iommu->gcmd |= DMA_GCMD_IRE; +- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */ + writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); +- + IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, + readl, (sts & DMA_GSTS_IRES), sts); + ++ /* Block compatibility-format MSIs */ ++ if (sts & DMA_GSTS_CFIS) { ++ iommu->gcmd &= ~DMA_GCMD_CFI; ++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG); ++ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG, ++ readl, !(sts & DMA_GSTS_CFIS), sts); ++ } ++ + /* + * With CFI clear in the Global Command register, we should be + * protected from dangerous (i.e. compatibility) interrupts +diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c +index 151aa95775be2..af6d4f898e4c1 100644 +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -537,12 +537,16 @@ static int __create_persistent_data_objects(struct dm_cache_metadata *cmd, + CACHE_MAX_CONCURRENT_LOCKS); + if (IS_ERR(cmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(cmd->bm); ++ r = PTR_ERR(cmd->bm); ++ cmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(cmd, may_format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(cmd->bm); ++ cmd->bm = NULL; ++ } + + return r; + } +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index ffbda729e26e9..1af82fbbac0c4 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -720,7 +720,7 @@ static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv, + u8 buf[MAX_CIPHER_BLOCKSIZE] __aligned(__alignof__(__le64)); + struct skcipher_request *req; + struct scatterlist src, dst; +- struct crypto_wait wait; ++ DECLARE_CRYPTO_WAIT(wait); + int err; + + req = skcipher_request_alloc(any_tfm(cc), GFP_NOIO); +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c +index 1f63084ef3291..d6edfe84e7490 100644 +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -2365,6 +2365,7 @@ next_chunk: + range.logical_sector = le64_to_cpu(ic->sb->recalc_sector); + if (unlikely(range.logical_sector >= ic->provided_data_sectors)) { + if (ic->mode == 'B') { ++ block_bitmap_op(ic, ic->recalc_bitmap, 0, ic->provided_data_sectors, BITMAP_OP_CLEAR); + DEBUG_print("queue_delayed_work: bitmap_flush_work\n"); + queue_delayed_work(ic->commit_wq, &ic->bitmap_flush_work, 0); + } +@@ -2442,6 +2443,17 @@ next_chunk: + goto err; + } + ++ if (ic->mode == 'B') { ++ sector_t start, end; ++ start = (range.logical_sector >> ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit)) << ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit); ++ end = ((range.logical_sector + range.n_sectors) >> ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit)) << ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit); ++ block_bitmap_op(ic, ic->recalc_bitmap, start, end - start, BITMAP_OP_CLEAR); ++ } ++ + advance_and_next: + cond_resched(); + +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c +index f2de4c73cc8fa..54ecfea2cf47b 100644 +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1190,17 +1190,25 @@ static void multipath_wait_for_pg_init_completion(struct multipath *m) + static void flush_multipath_work(struct multipath *m) + { + if (m->hw_handler_name) { +- set_bit(MPATHF_PG_INIT_DISABLED, &m->flags); +- smp_mb__after_atomic(); ++ unsigned long flags; ++ ++ if (!atomic_read(&m->pg_init_in_progress)) ++ goto skip; ++ ++ spin_lock_irqsave(&m->lock, flags); ++ if (atomic_read(&m->pg_init_in_progress) && ++ !test_and_set_bit(MPATHF_PG_INIT_DISABLED, &m->flags)) { ++ spin_unlock_irqrestore(&m->lock, flags); + +- if (atomic_read(&m->pg_init_in_progress)) + flush_workqueue(kmpath_handlerd); +- multipath_wait_for_pg_init_completion(m); ++ multipath_wait_for_pg_init_completion(m); + +- clear_bit(MPATHF_PG_INIT_DISABLED, &m->flags); +- smp_mb__after_atomic(); ++ spin_lock_irqsave(&m->lock, flags); ++ clear_bit(MPATHF_PG_INIT_DISABLED, &m->flags); ++ } ++ spin_unlock_irqrestore(&m->lock, flags); + } +- ++skip: + if (m->queue_mode == DM_TYPE_BIO_BASED) + flush_work(&m->process_queued_bios); + flush_work(&m->trigger_event); +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c +index 4cd8868f80040..a5ed59eafdc51 100644 +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -739,12 +739,16 @@ static int __create_persistent_data_objects(struct dm_pool_metadata *pmd, bool f + THIN_MAX_CONCURRENT_LOCKS); + if (IS_ERR(pmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(pmd->bm); ++ r = PTR_ERR(pmd->bm); ++ pmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(pmd, format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(pmd->bm); ++ pmd->bm = NULL; ++ } + + return r; + } +@@ -954,7 +958,7 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd) + } + + pmd_write_lock_in_core(pmd); +- if (!dm_bm_is_read_only(pmd->bm) && !pmd->fail_io) { ++ if (!pmd->fail_io && !dm_bm_is_read_only(pmd->bm)) { + r = __commit_transaction(pmd); + if (r < 0) + DMWARN("%s: __commit_transaction() failed, error = %d", +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index ed2f711c24c48..4e414b06192eb 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -224,6 +224,7 @@ static int persistent_memory_claim(struct dm_writecache *wc) + pfn_t pfn; + int id; + struct page **pages; ++ sector_t offset; + + wc->memory_vmapped = false; + +@@ -242,9 +243,16 @@ static int persistent_memory_claim(struct dm_writecache *wc) + goto err1; + } + ++ offset = get_start_sect(wc->ssd_dev->bdev); ++ if (offset & (PAGE_SIZE / 512 - 1)) { ++ r = -EINVAL; ++ goto err1; ++ } ++ offset >>= PAGE_SHIFT - 9; ++ + id = dax_read_lock(); + +- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn); ++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn); + if (da < 0) { + wc->memory_map = NULL; + r = da; +@@ -266,7 +274,7 @@ static int persistent_memory_claim(struct dm_writecache *wc) + i = 0; + do { + long daa; +- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i, ++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i, + NULL, &pfn); + if (daa <= 0) { + r = daa ? daa : -EINVAL; +diff --git a/drivers/md/persistent-data/dm-block-manager.c b/drivers/md/persistent-data/dm-block-manager.c +index 749ec268d957d..54c089a50b152 100644 +--- a/drivers/md/persistent-data/dm-block-manager.c ++++ b/drivers/md/persistent-data/dm-block-manager.c +@@ -493,7 +493,7 @@ int dm_bm_write_lock(struct dm_block_manager *bm, + void *p; + int r; + +- if (bm->read_only) ++ if (dm_bm_is_read_only(bm)) + return -EPERM; + + p = dm_bufio_read(bm->bufio, b, (struct dm_buffer **) result); +@@ -562,7 +562,7 @@ int dm_bm_write_lock_zero(struct dm_block_manager *bm, + struct buffer_aux *aux; + void *p; + +- if (bm->read_only) ++ if (dm_bm_is_read_only(bm)) + return -EPERM; + + p = dm_bufio_new(bm->bufio, b, (struct dm_buffer **) result); +@@ -602,7 +602,7 @@ EXPORT_SYMBOL_GPL(dm_bm_unlock); + + int dm_bm_flush(struct dm_block_manager *bm) + { +- if (bm->read_only) ++ if (dm_bm_is_read_only(bm)) + return -EPERM; + + return dm_bufio_write_dirty_buffers(bm->bufio); +@@ -616,19 +616,21 @@ void dm_bm_prefetch(struct dm_block_manager *bm, dm_block_t b) + + bool dm_bm_is_read_only(struct dm_block_manager *bm) + { +- return bm->read_only; ++ return (bm ? bm->read_only : true); + } + EXPORT_SYMBOL_GPL(dm_bm_is_read_only); + + void dm_bm_set_read_only(struct dm_block_manager *bm) + { +- bm->read_only = true; ++ if (bm) ++ bm->read_only = true; + } + EXPORT_SYMBOL_GPL(dm_bm_set_read_only); + + void dm_bm_set_read_write(struct dm_block_manager *bm) + { +- bm->read_only = false; ++ if (bm) ++ bm->read_only = false; + } + EXPORT_SYMBOL_GPL(dm_bm_set_read_write); + +diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c +index 84ec36156f73f..c77281d43f892 100644 +--- a/drivers/media/platform/vicodec/vicodec-core.c ++++ b/drivers/media/platform/vicodec/vicodec-core.c +@@ -2052,6 +2052,7 @@ static int vicodec_request_validate(struct media_request *req) + } + ctrl = v4l2_ctrl_request_hdl_ctrl_find(hdl, + vicodec_ctrl_stateless_state.id); ++ v4l2_ctrl_request_hdl_put(hdl); + if (!ctrl) { + v4l2_info(&ctx->dev->v4l2_dev, + "Missing required codec control\n"); +diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c +index 6f80c251f6413..e84f9dccf448a 100644 +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1256,6 +1256,10 @@ static ssize_t store_protocols(struct device *device, + } + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + old_protocols = *current_protocols; + new_protocols = old_protocols; +@@ -1394,6 +1398,10 @@ static ssize_t store_filter(struct device *device, + return -EINVAL; + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + new_filter = *filter; + if (fattr->mask) +@@ -1508,6 +1516,10 @@ static ssize_t store_wakeup_protocols(struct device *device, + int i; + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + allowed = dev->allowed_wakeup_protocols; + +@@ -1565,25 +1577,25 @@ static void rc_dev_release(struct device *device) + kfree(dev); + } + +-#define ADD_HOTPLUG_VAR(fmt, val...) \ +- do { \ +- int err = add_uevent_var(env, fmt, val); \ +- if (err) \ +- return err; \ +- } while (0) +- + static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env) + { + struct rc_dev *dev = to_rc_dev(device); ++ int ret = 0; + +- if (dev->rc_map.name) +- ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name); +- if (dev->driver_name) +- ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name); +- if (dev->device_name) +- ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name); ++ mutex_lock(&dev->lock); + +- return 0; ++ if (!dev->registered) ++ ret = -ENODEV; ++ if (ret == 0 && dev->rc_map.name) ++ ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name); ++ if (ret == 0 && dev->driver_name) ++ ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name); ++ if (ret == 0 && dev->device_name) ++ ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name); ++ ++ mutex_unlock(&dev->lock); ++ ++ return ret; + } + + /* +@@ -1975,14 +1987,14 @@ void rc_unregister_device(struct rc_dev *dev) + del_timer_sync(&dev->timer_keyup); + del_timer_sync(&dev->timer_repeat); + +- rc_free_rx_device(dev); +- + mutex_lock(&dev->lock); + if (dev->users && dev->close) + dev->close(dev); + dev->registered = false; + mutex_unlock(&dev->lock); + ++ rc_free_rx_device(dev); ++ + /* + * lirc device should be freed with dev->registered = false, so + * that userspace polling will get notified. +diff --git a/drivers/misc/habanalabs/firmware_if.c b/drivers/misc/habanalabs/firmware_if.c +index ea2ca67fbfbfa..153858475abc1 100644 +--- a/drivers/misc/habanalabs/firmware_if.c ++++ b/drivers/misc/habanalabs/firmware_if.c +@@ -11,6 +11,7 @@ + #include + #include + ++#define FW_FILE_MAX_SIZE 0x1400000 /* maximum size of 20MB */ + /** + * hl_fw_push_fw_to_device() - Push FW code to device. + * @hdev: pointer to hl_device structure. +@@ -43,6 +44,14 @@ int hl_fw_push_fw_to_device(struct hl_device *hdev, const char *fw_name, + + dev_dbg(hdev->dev, "%s firmware size == %zu\n", fw_name, fw_size); + ++ if (fw_size > FW_FILE_MAX_SIZE) { ++ dev_err(hdev->dev, ++ "FW file size %zu exceeds maximum of %u bytes\n", ++ fw_size, FW_FILE_MAX_SIZE); ++ rc = -EINVAL; ++ goto out; ++ } ++ + fw_data = (const u64 *) fw->data; + + memcpy_toio(dst, fw_data, fw_size); +diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c +index 22566b75ca50c..acfccf32be6b9 100644 +--- a/drivers/misc/habanalabs/memory.c ++++ b/drivers/misc/habanalabs/memory.c +@@ -67,6 +67,11 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args, + num_pgs = (args->alloc.mem_size + (page_size - 1)) >> page_shift; + total_size = num_pgs << page_shift; + ++ if (!total_size) { ++ dev_err(hdev->dev, "Cannot allocate 0 bytes\n"); ++ return -EINVAL; ++ } ++ + contiguous = args->flags & HL_MEM_CONTIGUOUS; + + if (contiguous) { +@@ -94,7 +99,7 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args, + phys_pg_pack->contiguous = contiguous; + + phys_pg_pack->pages = kvmalloc_array(num_pgs, sizeof(u64), GFP_KERNEL); +- if (!phys_pg_pack->pages) { ++ if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) { + rc = -ENOMEM; + goto pages_arr_err; + } +@@ -689,7 +694,7 @@ static int init_phys_pg_pack_from_userptr(struct hl_ctx *ctx, + + phys_pg_pack->pages = kvmalloc_array(total_npages, sizeof(u64), + GFP_KERNEL); +- if (!phys_pg_pack->pages) { ++ if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) { + rc = -ENOMEM; + goto page_pack_arr_mem_err; + } +diff --git a/drivers/misc/habanalabs/mmu.c b/drivers/misc/habanalabs/mmu.c +index 176c315836f12..d66e16de4cda3 100644 +--- a/drivers/misc/habanalabs/mmu.c ++++ b/drivers/misc/habanalabs/mmu.c +@@ -422,7 +422,7 @@ int hl_mmu_init(struct hl_device *hdev) + hdev->mmu_shadow_hop0 = kvmalloc_array(prop->max_asid, + prop->mmu_hop_table_size, + GFP_KERNEL | __GFP_ZERO); +- if (!hdev->mmu_shadow_hop0) { ++ if (ZERO_OR_NULL_PTR(hdev->mmu_shadow_hop0)) { + rc = -ENOMEM; + goto err_pool_add; + } +diff --git a/drivers/mmc/host/cqhci.c b/drivers/mmc/host/cqhci.c +index c19f4c3f115a4..2d65b32d205a5 100644 +--- a/drivers/mmc/host/cqhci.c ++++ b/drivers/mmc/host/cqhci.c +@@ -299,16 +299,16 @@ static void __cqhci_disable(struct cqhci_host *cq_host) + cq_host->activated = false; + } + +-int cqhci_suspend(struct mmc_host *mmc) ++int cqhci_deactivate(struct mmc_host *mmc) + { + struct cqhci_host *cq_host = mmc->cqe_private; + +- if (cq_host->enabled) ++ if (cq_host->enabled && cq_host->activated) + __cqhci_disable(cq_host); + + return 0; + } +-EXPORT_SYMBOL(cqhci_suspend); ++EXPORT_SYMBOL(cqhci_deactivate); + + int cqhci_resume(struct mmc_host *mmc) + { +diff --git a/drivers/mmc/host/cqhci.h b/drivers/mmc/host/cqhci.h +index def76e9b5cacf..437700179de4d 100644 +--- a/drivers/mmc/host/cqhci.h ++++ b/drivers/mmc/host/cqhci.h +@@ -230,7 +230,11 @@ irqreturn_t cqhci_irq(struct mmc_host *mmc, u32 intmask, int cmd_error, + int data_error); + int cqhci_init(struct cqhci_host *cq_host, struct mmc_host *mmc, bool dma64); + struct cqhci_host *cqhci_pltfm_init(struct platform_device *pdev); +-int cqhci_suspend(struct mmc_host *mmc); ++int cqhci_deactivate(struct mmc_host *mmc); ++static inline int cqhci_suspend(struct mmc_host *mmc) ++{ ++ return cqhci_deactivate(mmc); ++} + int cqhci_resume(struct mmc_host *mmc); + + #endif +diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c +index 010fe29a48883..9d47a2bd2546b 100644 +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -412,6 +413,7 @@ struct msdc_host { + struct pinctrl_state *pins_uhs; + struct delayed_work req_timeout; + int irq; /* host interrupt */ ++ struct reset_control *reset; + + struct clk *src_clk; /* msdc source clock */ + struct clk *h_clk; /* msdc h_clk */ +@@ -1474,6 +1476,12 @@ static void msdc_init_hw(struct msdc_host *host) + u32 val; + u32 tune_reg = host->dev_comp->pad_tune_reg; + ++ if (host->reset) { ++ reset_control_assert(host->reset); ++ usleep_range(10, 50); ++ reset_control_deassert(host->reset); ++ } ++ + /* Configure to MMC/SD mode, clock free running */ + sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_MODE | MSDC_CFG_CKPDN); + +@@ -2232,6 +2240,11 @@ static int msdc_drv_probe(struct platform_device *pdev) + if (IS_ERR(host->src_clk_cg)) + host->src_clk_cg = NULL; + ++ host->reset = devm_reset_control_get_optional_exclusive(&pdev->dev, ++ "hrst"); ++ if (IS_ERR(host->reset)) ++ return PTR_ERR(host->reset); ++ + host->irq = platform_get_irq(pdev, 0); + if (host->irq < 0) { + ret = -EINVAL; +diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c +index 01fc437ed9659..5581a5c86fce3 100644 +--- a/drivers/mmc/host/sdhci-acpi.c ++++ b/drivers/mmc/host/sdhci-acpi.c +@@ -532,6 +532,11 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_qcom_sd = { + .caps = MMC_CAP_NONREMOVABLE, + }; + ++struct amd_sdhci_host { ++ bool tuned_clock; ++ bool dll_enabled; ++}; ++ + /* AMD sdhci reset dll register. */ + #define SDHCI_AMD_RESET_DLL_REGISTER 0x908 + +@@ -551,26 +556,66 @@ static void sdhci_acpi_amd_hs400_dll(struct sdhci_host *host) + } + + /* +- * For AMD Platform it is required to disable the tuning +- * bit first controller to bring to HS Mode from HS200 +- * mode, later enable to tune to HS400 mode. ++ * The initialization sequence for HS400 is: ++ * HS->HS200->Perform Tuning->HS->HS400 ++ * ++ * The re-tuning sequence is: ++ * HS400->DDR52->HS->HS200->Perform Tuning->HS->HS400 ++ * ++ * The AMD eMMC Controller can only use the tuned clock while in HS200 and HS400 ++ * mode. If we switch to a different mode, we need to disable the tuned clock. ++ * If we have previously performed tuning and switch back to HS200 or ++ * HS400, we can re-enable the tuned clock. ++ * + */ + static void amd_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) + { + struct sdhci_host *host = mmc_priv(mmc); ++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host); ++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host); + unsigned int old_timing = host->timing; ++ u16 val; + + sdhci_set_ios(mmc, ios); +- if (old_timing == MMC_TIMING_MMC_HS200 && +- ios->timing == MMC_TIMING_MMC_HS) +- sdhci_writew(host, 0x9, SDHCI_HOST_CONTROL2); +- if (old_timing != MMC_TIMING_MMC_HS400 && +- ios->timing == MMC_TIMING_MMC_HS400) { +- sdhci_writew(host, 0x80, SDHCI_HOST_CONTROL2); +- sdhci_acpi_amd_hs400_dll(host); ++ ++ if (old_timing != host->timing && amd_host->tuned_clock) { ++ if (host->timing == MMC_TIMING_MMC_HS400 || ++ host->timing == MMC_TIMING_MMC_HS200) { ++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2); ++ val |= SDHCI_CTRL_TUNED_CLK; ++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2); ++ } else { ++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2); ++ val &= ~SDHCI_CTRL_TUNED_CLK; ++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2); ++ } ++ ++ /* DLL is only required for HS400 */ ++ if (host->timing == MMC_TIMING_MMC_HS400 && ++ !amd_host->dll_enabled) { ++ sdhci_acpi_amd_hs400_dll(host); ++ amd_host->dll_enabled = true; ++ } + } + } + ++static int amd_sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode) ++{ ++ int err; ++ struct sdhci_host *host = mmc_priv(mmc); ++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host); ++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host); ++ ++ amd_host->tuned_clock = false; ++ ++ err = sdhci_execute_tuning(mmc, opcode); ++ ++ if (!err && !host->tuning_err) ++ amd_host->tuned_clock = true; ++ ++ return err; ++} ++ + static const struct sdhci_ops sdhci_acpi_ops_amd = { + .set_clock = sdhci_set_clock, + .set_bus_width = sdhci_set_bus_width, +@@ -598,6 +643,7 @@ static int sdhci_acpi_emmc_amd_probe_slot(struct platform_device *pdev, + + host->mmc_host_ops.select_drive_strength = amd_select_drive_strength; + host->mmc_host_ops.set_ios = amd_set_ios; ++ host->mmc_host_ops.execute_tuning = amd_sdhci_execute_tuning; + return 0; + } + +@@ -609,6 +655,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_amd_emmc = { + SDHCI_QUIRK_32BIT_ADMA_SIZE, + .quirks2 = SDHCI_QUIRK2_BROKEN_64_BIT_DMA, + .probe_slot = sdhci_acpi_emmc_amd_probe_slot, ++ .priv_size = sizeof(struct amd_sdhci_host), + }; + + struct sdhci_acpi_uid_slot { +diff --git a/drivers/mmc/host/sdhci-pci-core.c b/drivers/mmc/host/sdhci-pci-core.c +index 9b66e8b374ed7..425aa898e797a 100644 +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -232,6 +232,14 @@ static void sdhci_pci_dumpregs(struct mmc_host *mmc) + sdhci_dumpregs(mmc_priv(mmc)); + } + ++static void sdhci_cqhci_reset(struct sdhci_host *host, u8 mask) ++{ ++ if ((host->mmc->caps2 & MMC_CAP2_CQE) && (mask & SDHCI_RESET_ALL) && ++ host->mmc->cqe_private) ++ cqhci_deactivate(host->mmc); ++ sdhci_reset(host, mask); ++} ++ + /*****************************************************************************\ + * * + * Hardware specific quirk handling * +@@ -722,7 +730,7 @@ static const struct sdhci_ops sdhci_intel_glk_ops = { + .set_power = sdhci_intel_set_power, + .enable_dma = sdhci_pci_enable_dma, + .set_bus_width = sdhci_set_bus_width, +- .reset = sdhci_reset, ++ .reset = sdhci_cqhci_reset, + .set_uhs_signaling = sdhci_set_uhs_signaling, + .hw_reset = sdhci_pci_hw_reset, + .irq = sdhci_cqhci_irq, +diff --git a/drivers/mmc/host/sdhci-tegra.c b/drivers/mmc/host/sdhci-tegra.c +index e37d271ca9636..c105356ad4cb7 100644 +--- a/drivers/mmc/host/sdhci-tegra.c ++++ b/drivers/mmc/host/sdhci-tegra.c +@@ -100,6 +100,12 @@ + #define NVQUIRK_DIS_CARD_CLK_CONFIG_TAP BIT(8) + #define NVQUIRK_CQHCI_DCMD_R1B_CMD_TIMING BIT(9) + ++/* ++ * NVQUIRK_HAS_TMCLK is for SoC's having separate timeout clock for Tegra ++ * SDMMC hardware data timeout. ++ */ ++#define NVQUIRK_HAS_TMCLK BIT(10) ++ + /* SDMMC CQE Base Address for Tegra Host Ver 4.1 and Higher */ + #define SDHCI_TEGRA_CQE_BASE_ADDR 0xF000 + +@@ -130,6 +136,7 @@ struct sdhci_tegra_autocal_offsets { + struct sdhci_tegra { + const struct sdhci_tegra_soc_data *soc_data; + struct gpio_desc *power_gpio; ++ struct clk *tmclk; + bool ddr_signaling; + bool pad_calib_required; + bool pad_control_available; +@@ -1385,7 +1392,8 @@ static const struct sdhci_tegra_soc_data soc_data_tegra210 = { + NVQUIRK_HAS_PADCALIB | + NVQUIRK_DIS_CARD_CLK_CONFIG_TAP | + NVQUIRK_ENABLE_SDR50 | +- NVQUIRK_ENABLE_SDR104, ++ NVQUIRK_ENABLE_SDR104 | ++ NVQUIRK_HAS_TMCLK, + .min_tap_delay = 106, + .max_tap_delay = 185, + }; +@@ -1422,6 +1430,7 @@ static const struct sdhci_tegra_soc_data soc_data_tegra186 = { + NVQUIRK_DIS_CARD_CLK_CONFIG_TAP | + NVQUIRK_ENABLE_SDR50 | + NVQUIRK_ENABLE_SDR104 | ++ NVQUIRK_HAS_TMCLK | + NVQUIRK_CQHCI_DCMD_R1B_CMD_TIMING, + .min_tap_delay = 84, + .max_tap_delay = 136, +@@ -1434,7 +1443,8 @@ static const struct sdhci_tegra_soc_data soc_data_tegra194 = { + NVQUIRK_HAS_PADCALIB | + NVQUIRK_DIS_CARD_CLK_CONFIG_TAP | + NVQUIRK_ENABLE_SDR50 | +- NVQUIRK_ENABLE_SDR104, ++ NVQUIRK_ENABLE_SDR104 | ++ NVQUIRK_HAS_TMCLK, + .min_tap_delay = 96, + .max_tap_delay = 139, + }; +@@ -1562,6 +1572,43 @@ static int sdhci_tegra_probe(struct platform_device *pdev) + goto err_power_req; + } + ++ /* ++ * Tegra210 has a separate SDMMC_LEGACY_TM clock used for host ++ * timeout clock and SW can choose TMCLK or SDCLK for hardware ++ * data timeout through the bit USE_TMCLK_FOR_DATA_TIMEOUT of ++ * the register SDHCI_TEGRA_VENDOR_SYS_SW_CTRL. ++ * ++ * USE_TMCLK_FOR_DATA_TIMEOUT bit default is set to 1 and SDMMC uses ++ * 12Mhz TMCLK which is advertised in host capability register. ++ * With TMCLK of 12Mhz provides maximum data timeout period that can ++ * be achieved is 11s better than using SDCLK for data timeout. ++ * ++ * So, TMCLK is set to 12Mhz and kept enabled all the time on SoC's ++ * supporting separate TMCLK. ++ */ ++ ++ if (soc_data->nvquirks & NVQUIRK_HAS_TMCLK) { ++ clk = devm_clk_get(&pdev->dev, "tmclk"); ++ if (IS_ERR(clk)) { ++ rc = PTR_ERR(clk); ++ if (rc == -EPROBE_DEFER) ++ goto err_power_req; ++ ++ dev_warn(&pdev->dev, "failed to get tmclk: %d\n", rc); ++ clk = NULL; ++ } ++ ++ clk_set_rate(clk, 12000000); ++ rc = clk_prepare_enable(clk); ++ if (rc) { ++ dev_err(&pdev->dev, ++ "failed to enable tmclk: %d\n", rc); ++ goto err_power_req; ++ } ++ ++ tegra_host->tmclk = clk; ++ } ++ + clk = devm_clk_get(mmc_dev(host->mmc), NULL); + if (IS_ERR(clk)) { + rc = PTR_ERR(clk); +@@ -1605,6 +1652,7 @@ err_add_host: + err_rst_get: + clk_disable_unprepare(pltfm_host->clk); + err_clk_get: ++ clk_disable_unprepare(tegra_host->tmclk); + err_power_req: + err_parse_dt: + sdhci_pltfm_free(pdev); +@@ -1622,6 +1670,7 @@ static int sdhci_tegra_remove(struct platform_device *pdev) + reset_control_assert(tegra_host->rst); + usleep_range(2000, 4000); + clk_disable_unprepare(pltfm_host->clk); ++ clk_disable_unprepare(tegra_host->tmclk); + + sdhci_pltfm_free(pdev); + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index 8d50aacd19e51..84c4319e3b31f 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -1270,9 +1270,6 @@ static int ksz8795_switch_init(struct ksz_device *dev) + /* set the real number of ports */ + dev->ds->num_ports = dev->port_cnt; + +- /* set the real number of ports */ +- dev->ds->num_ports = dev->port_cnt; +- + return 0; + } + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index b15da9a8e3bb9..49ab1346dc3f7 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -515,9 +515,6 @@ static int ksz9477_port_vlan_filtering(struct dsa_switch *ds, int port, + PORT_VLAN_LOOKUP_VID_0, false); + } + +- /* set the real number of ports */ +- dev->ds->num_ports = dev->port_cnt; +- + return 0; + } + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index dc9a3bb241149..00d680cb44418 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -1456,7 +1456,7 @@ unsupported: + phylink_set(mask, 100baseT_Full); + + if (state->interface != PHY_INTERFACE_MODE_MII) { +- phylink_set(mask, 1000baseT_Half); ++ /* This switch only supports 1G full-duplex. */ + phylink_set(mask, 1000baseT_Full); + if (port == 5) + phylink_set(mask, 1000baseX_Full); +diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c +index 0187dbf3b87df..54cdafdd067db 100644 +--- a/drivers/net/ethernet/arc/emac_mdio.c ++++ b/drivers/net/ethernet/arc/emac_mdio.c +@@ -153,6 +153,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) + if (IS_ERR(data->reset_gpio)) { + error = PTR_ERR(data->reset_gpio); + dev_err(priv->dev, "Failed to request gpio: %d\n", error); ++ mdiobus_free(bus); + return error; + } + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 4dfdb5a58025b..71eb8914e620b 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2453,8 +2453,10 @@ static int bcm_sysport_probe(struct platform_device *pdev) + priv->tx_rings = devm_kcalloc(&pdev->dev, txq, + sizeof(struct bcm_sysport_tx_ring), + GFP_KERNEL); +- if (!priv->tx_rings) +- return -ENOMEM; ++ if (!priv->tx_rings) { ++ ret = -ENOMEM; ++ goto err_free_netdev; ++ } + + priv->is_lite = params->is_lite; + priv->num_rx_desc_words = params->num_rx_desc_words; +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 2cbfe0cd7eefa..4030020f92be5 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1143,6 +1143,9 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + + static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay) + { ++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))) ++ return; ++ + if (BNXT_PF(bp)) + queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay); + else +@@ -1159,10 +1162,12 @@ static void bnxt_queue_sp_work(struct bnxt *bp) + + static void bnxt_cancel_sp_work(struct bnxt *bp) + { +- if (BNXT_PF(bp)) ++ if (BNXT_PF(bp)) { + flush_workqueue(bnxt_pf_wq); +- else ++ } else { + cancel_work_sync(&bp->sp_task); ++ cancel_delayed_work_sync(&bp->fw_reset_task); ++ } + } + + static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr) +@@ -8933,16 +8938,19 @@ static ssize_t bnxt_show_temp(struct device *dev, + struct hwrm_temp_monitor_query_input req = {0}; + struct hwrm_temp_monitor_query_output *resp; + struct bnxt *bp = dev_get_drvdata(dev); +- u32 temp = 0; ++ u32 len = 0; + + resp = bp->hwrm_cmd_resp_addr; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1); + mutex_lock(&bp->hwrm_cmd_lock); +- if (!_hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT)) +- temp = resp->temp * 1000; /* display millidegree */ ++ if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT)) ++ len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */ + mutex_unlock(&bp->hwrm_cmd_lock); + +- return sprintf(buf, "%u\n", temp); ++ if (len) ++ return len; ++ ++ return sprintf(buf, "unknown\n"); + } + static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0); + +@@ -9124,15 +9132,15 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + } + } + +- bnxt_enable_napi(bp); +- bnxt_debug_dev_init(bp); +- + rc = bnxt_init_nic(bp, irq_re_init); + if (rc) { + netdev_err(bp->dev, "bnxt_init_nic err: %x\n", rc); +- goto open_err; ++ goto open_err_irq; + } + ++ bnxt_enable_napi(bp); ++ bnxt_debug_dev_init(bp); ++ + if (link_re_init) { + mutex_lock(&bp->link_lock); + rc = bnxt_update_phy_setting(bp); +@@ -9163,10 +9171,6 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + bnxt_vf_reps_open(bp); + return 0; + +-open_err: +- bnxt_debug_dev_exit(bp); +- bnxt_disable_napi(bp); +- + open_err_irq: + bnxt_del_napi(bp); + +@@ -11386,6 +11390,7 @@ static void bnxt_remove_one(struct pci_dev *pdev) + unregister_netdev(dev); + bnxt_dl_unregister(bp); + bnxt_shutdown_tc(bp); ++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state); + bnxt_cancel_sp_work(bp); + bp->sp_event = 0; + +@@ -11900,6 +11905,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + (long)pci_resource_start(pdev, 0), dev->dev_addr); + pcie_print_link_status(pdev); + ++ pci_save_state(pdev); + return 0; + + init_err_cleanup: +@@ -12066,6 +12072,8 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev) + "Cannot re-enable PCI device after reset.\n"); + } else { + pci_set_master(pdev); ++ pci_restore_state(pdev); ++ pci_save_state(pdev); + + err = bnxt_hwrm_func_reset(bp); + if (!err && netif_running(netdev)) +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 1f512e7c3d434..fd01bcc8e28d4 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -769,7 +769,7 @@ static void bnxt_get_channels(struct net_device *dev, + int max_tx_sch_inputs; + + /* Get the most up-to-date max_tx_sch_inputs. */ +- if (BNXT_NEW_RM(bp)) ++ if (netif_running(dev) && BNXT_NEW_RM(bp)) + bnxt_hwrm_func_resc_qcaps(bp, false); + max_tx_sch_inputs = hw_resc->max_tx_sch_inputs; + +@@ -2161,6 +2161,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data) + if (rc != 0) + return rc; + ++ if (!dir_entries || !entry_length) ++ return -EIO; ++ + /* Insert 2 bytes of directory info (count and size of entries) */ + if (len < 2) + return -EINVAL; +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index e12ba81288e64..70bd79dc43f2e 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7227,8 +7227,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp) + + static inline void tg3_reset_task_cancel(struct tg3 *tp) + { +- cancel_work_sync(&tp->reset_task); +- tg3_flag_clear(tp, RESET_TASK_PENDING); ++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags)) ++ cancel_work_sync(&tp->reset_task); + tg3_flag_clear(tp, TX_RECOVERY_PENDING); + } + +@@ -11219,18 +11219,27 @@ static void tg3_reset_task(struct work_struct *work) + + tg3_halt(tp, RESET_KIND_SHUTDOWN, 0); + err = tg3_init_hw(tp, true); +- if (err) ++ if (err) { ++ tg3_full_unlock(tp); ++ tp->irq_sync = 0; ++ tg3_napi_enable(tp); ++ /* Clear this flag so that tg3_reset_task_cancel() will not ++ * call cancel_work_sync() and wait forever. ++ */ ++ tg3_flag_clear(tp, RESET_TASK_PENDING); ++ dev_close(tp->dev); + goto out; ++ } + + tg3_netif_start(tp); + +-out: + tg3_full_unlock(tp); + + if (!err) + tg3_phy_start(tp); + + tg3_flag_clear(tp, RESET_TASK_PENDING); ++out: + rtnl_unlock(); + } + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c +index 3de8a5e83b6c7..d7fefdbf3e575 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c +@@ -62,6 +62,7 @@ static struct thermal_zone_device_ops cxgb4_thermal_ops = { + int cxgb4_thermal_init(struct adapter *adap) + { + struct ch_thermal *ch_thermal = &adap->ch_thermal; ++ char ch_tz_name[THERMAL_NAME_LENGTH]; + int num_trip = CXGB4_NUM_TRIPS; + u32 param, val; + int ret; +@@ -82,7 +83,8 @@ int cxgb4_thermal_init(struct adapter *adap) + ch_thermal->trip_type = THERMAL_TRIP_CRITICAL; + } + +- ch_thermal->tzdev = thermal_zone_device_register("cxgb4", num_trip, ++ snprintf(ch_tz_name, sizeof(ch_tz_name), "cxgb4_%s", adap->name); ++ ch_thermal->tzdev = thermal_zone_device_register(ch_tz_name, num_trip, + 0, adap, + &cxgb4_thermal_ops, + NULL, 0, 0); +@@ -97,7 +99,9 @@ int cxgb4_thermal_init(struct adapter *adap) + + int cxgb4_thermal_remove(struct adapter *adap) + { +- if (adap->ch_thermal.tzdev) ++ if (adap->ch_thermal.tzdev) { + thermal_zone_device_unregister(adap->ch_thermal.tzdev); ++ adap->ch_thermal.tzdev = NULL; ++ } + return 0; + } +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 28d4c54505f9a..c9fb1ec625d8b 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2445,8 +2445,8 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + port->reset = devm_reset_control_get_exclusive(dev, NULL); + if (IS_ERR(port->reset)) { + dev_err(dev, "no reset\n"); +- clk_disable_unprepare(port->pclk); +- return PTR_ERR(port->reset); ++ ret = PTR_ERR(port->reset); ++ goto unprepare; + } + reset_control_reset(port->reset); + usleep_range(100, 500); +@@ -2501,25 +2501,25 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + IRQF_SHARED, + port_names[port->id], + port); +- if (ret) { +- clk_disable_unprepare(port->pclk); +- return ret; +- } ++ if (ret) ++ goto unprepare; + + ret = register_netdev(netdev); +- if (!ret) { ++ if (ret) ++ goto unprepare; ++ ++ netdev_info(netdev, ++ "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n", ++ port->irq, &dmares->start, ++ &gmacres->start); ++ ret = gmac_setup_phy(netdev); ++ if (ret) + netdev_info(netdev, +- "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n", +- port->irq, &dmares->start, +- &gmacres->start); +- ret = gmac_setup_phy(netdev); +- if (ret) +- netdev_info(netdev, +- "PHY init failed, deferring to ifup time\n"); +- return 0; +- } ++ "PHY init failed, deferring to ifup time\n"); ++ return 0; + +- port->netdev = NULL; ++unprepare: ++ clk_disable_unprepare(port->pclk); + return ret; + } + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index eb69e5c81a4d0..6d5d53cfc7ab4 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -2296,8 +2296,10 @@ static int hns_nic_dev_probe(struct platform_device *pdev) + priv->enet_ver = AE_VERSION_1; + else if (acpi_dev_found(hns_enet_acpi_match[1].id)) + priv->enet_ver = AE_VERSION_2; +- else +- return -ENXIO; ++ else { ++ ret = -ENXIO; ++ goto out_read_prop_fail; ++ } + + /* try to find port-idx-in-ae first */ + ret = acpi_node_get_property_reference(dev->fwnode, +@@ -2313,7 +2315,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev) + priv->fwnode = args.fwnode; + } else { + dev_err(dev, "cannot read cfg data from OF or acpi\n"); +- return -ENXIO; ++ ret = -ENXIO; ++ goto out_read_prop_fail; + } + + ret = device_property_read_u32(dev, "port-idx-in-ae", &port_id); +diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c +index 1a11bc0e16123..cfa0bba3940fb 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mr.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c +@@ -114,7 +114,7 @@ static int mlx4_buddy_init(struct mlx4_buddy *buddy, int max_order) + goto err_out; + + for (i = 0; i <= buddy->max_order; ++i) { +- s = BITS_TO_LONGS(1 << (buddy->max_order - i)); ++ s = BITS_TO_LONGS(1UL << (buddy->max_order - i)); + buddy->bits[i] = kvmalloc_array(s, sizeof(long), GFP_KERNEL | __GFP_ZERO); + if (!buddy->bits[i]) + goto err_out_free; +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 30cdabf64ccc1..907ae1359a7c1 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1336,6 +1336,51 @@ static inline int ravb_hook_irq(unsigned int irq, irq_handler_t handler, + return error; + } + ++/* MDIO bus init function */ ++static int ravb_mdio_init(struct ravb_private *priv) ++{ ++ struct platform_device *pdev = priv->pdev; ++ struct device *dev = &pdev->dev; ++ int error; ++ ++ /* Bitbang init */ ++ priv->mdiobb.ops = &bb_ops; ++ ++ /* MII controller setting */ ++ priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb); ++ if (!priv->mii_bus) ++ return -ENOMEM; ++ ++ /* Hook up MII support for ethtool */ ++ priv->mii_bus->name = "ravb_mii"; ++ priv->mii_bus->parent = dev; ++ snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", ++ pdev->name, pdev->id); ++ ++ /* Register MDIO bus */ ++ error = of_mdiobus_register(priv->mii_bus, dev->of_node); ++ if (error) ++ goto out_free_bus; ++ ++ return 0; ++ ++out_free_bus: ++ free_mdio_bitbang(priv->mii_bus); ++ return error; ++} ++ ++/* MDIO bus release function */ ++static int ravb_mdio_release(struct ravb_private *priv) ++{ ++ /* Unregister mdio bus */ ++ mdiobus_unregister(priv->mii_bus); ++ ++ /* Free bitbang info */ ++ free_mdio_bitbang(priv->mii_bus); ++ ++ return 0; ++} ++ + /* Network device open function for Ethernet AVB */ + static int ravb_open(struct net_device *ndev) + { +@@ -1344,6 +1389,13 @@ static int ravb_open(struct net_device *ndev) + struct device *dev = &pdev->dev; + int error; + ++ /* MDIO bus init */ ++ error = ravb_mdio_init(priv); ++ if (error) { ++ netdev_err(ndev, "failed to initialize MDIO\n"); ++ return error; ++ } ++ + napi_enable(&priv->napi[RAVB_BE]); + napi_enable(&priv->napi[RAVB_NC]); + +@@ -1421,6 +1473,7 @@ out_free_irq: + out_napi_off: + napi_disable(&priv->napi[RAVB_NC]); + napi_disable(&priv->napi[RAVB_BE]); ++ ravb_mdio_release(priv); + return error; + } + +@@ -1730,6 +1783,8 @@ static int ravb_close(struct net_device *ndev) + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + ++ ravb_mdio_release(priv); ++ + return 0; + } + +@@ -1881,51 +1936,6 @@ static const struct net_device_ops ravb_netdev_ops = { + .ndo_set_features = ravb_set_features, + }; + +-/* MDIO bus init function */ +-static int ravb_mdio_init(struct ravb_private *priv) +-{ +- struct platform_device *pdev = priv->pdev; +- struct device *dev = &pdev->dev; +- int error; +- +- /* Bitbang init */ +- priv->mdiobb.ops = &bb_ops; +- +- /* MII controller setting */ +- priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb); +- if (!priv->mii_bus) +- return -ENOMEM; +- +- /* Hook up MII support for ethtool */ +- priv->mii_bus->name = "ravb_mii"; +- priv->mii_bus->parent = dev; +- snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x", +- pdev->name, pdev->id); +- +- /* Register MDIO bus */ +- error = of_mdiobus_register(priv->mii_bus, dev->of_node); +- if (error) +- goto out_free_bus; +- +- return 0; +- +-out_free_bus: +- free_mdio_bitbang(priv->mii_bus); +- return error; +-} +- +-/* MDIO bus release function */ +-static int ravb_mdio_release(struct ravb_private *priv) +-{ +- /* Unregister mdio bus */ +- mdiobus_unregister(priv->mii_bus); +- +- /* Free bitbang info */ +- free_mdio_bitbang(priv->mii_bus); +- +- return 0; +-} +- + static const struct of_device_id ravb_match_table[] = { + { .compatible = "renesas,etheravb-r8a7790", .data = (void *)RCAR_GEN2 }, + { .compatible = "renesas,etheravb-r8a7794", .data = (void *)RCAR_GEN2 }, +@@ -2166,13 +2176,6 @@ static int ravb_probe(struct platform_device *pdev) + eth_hw_addr_random(ndev); + } + +- /* MDIO bus init */ +- error = ravb_mdio_init(priv); +- if (error) { +- dev_err(&pdev->dev, "failed to initialize MDIO\n"); +- goto out_dma_free; +- } +- + netif_napi_add(ndev, &priv->napi[RAVB_BE], ravb_poll, 64); + netif_napi_add(ndev, &priv->napi[RAVB_NC], ravb_poll, 64); + +@@ -2194,8 +2197,6 @@ static int ravb_probe(struct platform_device *pdev) + out_napi_del: + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); +- ravb_mdio_release(priv); +-out_dma_free: + dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, + priv->desc_bat_dma); + +@@ -2227,7 +2228,6 @@ static int ravb_remove(struct platform_device *pdev) + unregister_netdev(ndev); + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); +- ravb_mdio_release(priv); + pm_runtime_disable(&pdev->dev); + free_netdev(ndev); + platform_set_drvdata(pdev, NULL); +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c +index 39df8c8feb6ce..e7b4d93e3f288 100644 +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -2209,7 +2209,7 @@ static int cpsw_ndo_vlan_rx_kill_vid(struct net_device *ndev, + HOST_PORT_NUM, ALE_VLAN, vid); + ret |= cpsw_ale_del_mcast(cpsw->ale, priv->ndev->broadcast, + 0, ALE_VLAN, vid); +- ret |= cpsw_ale_flush_multicast(cpsw->ale, 0, vid); ++ ret |= cpsw_ale_flush_multicast(cpsw->ale, ALE_PORT_HOST, vid); + err: + pm_runtime_put(cpsw->dev); + return ret; +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index d89ec99abcd63..634bdea38ecb3 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1182,6 +1182,7 @@ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq, + goto nlmsg_failure; + + if (nla_put_u32(skb, GTPA_VERSION, pctx->gtp_version) || ++ nla_put_u32(skb, GTPA_LINK, pctx->dev->ifindex) || + nla_put_be32(skb, GTPA_PEER_ADDRESS, pctx->peer_addr_ip4.s_addr) || + nla_put_be32(skb, GTPA_MS_ADDRESS, pctx->ms_addr_ip4.s_addr)) + goto nla_put_failure; +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index e39f41efda3ec..7bc6e8f856fe0 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -296,7 +296,7 @@ int asix_read_phy_addr(struct usbnet *dev, int internal) + + netdev_dbg(dev->net, "asix_get_phy_addr()\n"); + +- if (ret < 0) { ++ if (ret < 2) { + netdev_err(dev->net, "Error reading PHYID register: %02x\n", ret); + goto out; + } +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index ff5681da8780d..3cb017fa3a790 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4012,7 +4012,7 @@ static void nvme_free_ctrl(struct device *dev) + container_of(dev, struct nvme_ctrl, ctrl_device); + struct nvme_subsystem *subsys = ctrl->subsys; + +- if (subsys && ctrl->instance != subsys->instance) ++ if (!subsys || ctrl->instance != subsys->instance) + ida_simple_remove(&nvme_instance_ida, ctrl->instance); + + kfree(ctrl->effects); +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 57a4062cbb59e..7d7176369edf7 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -369,6 +369,9 @@ static void nvmet_keep_alive_timer(struct work_struct *work) + + static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl) + { ++ if (unlikely(ctrl->kato == 0)) ++ return; ++ + pr_debug("ctrl %d start keep-alive timer for %d secs\n", + ctrl->cntlid, ctrl->kato); + +@@ -378,6 +381,9 @@ static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl) + + static void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctrl) + { ++ if (unlikely(ctrl->kato == 0)) ++ return; ++ + pr_debug("ctrl %d stop keep-alive\n", ctrl->cntlid); + + cancel_delayed_work_sync(&ctrl->ka_work); +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index ce8d819f86ccc..fc35f7ae67b0a 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1994,9 +1994,9 @@ nvmet_fc_fod_op_done(struct nvmet_fc_fcp_iod *fod) + return; + if (fcpreq->fcp_error || + fcpreq->transferred_length != fcpreq->transfer_length) { +- spin_lock(&fod->flock); ++ spin_lock_irqsave(&fod->flock, flags); + fod->abort = true; +- spin_unlock(&fod->flock); ++ spin_unlock_irqrestore(&fod->flock, flags); + + nvmet_req_complete(&fod->req, NVME_SC_INTERNAL); + return; +diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c +index 3439f6ad63380..e80e82a276e93 100644 +--- a/drivers/staging/media/sunxi/cedrus/cedrus.c ++++ b/drivers/staging/media/sunxi/cedrus/cedrus.c +@@ -159,6 +159,7 @@ static int cedrus_request_validate(struct media_request *req) + struct v4l2_ctrl *ctrl_test; + unsigned int count; + unsigned int i; ++ int ret = 0; + + list_for_each_entry(obj, &req->objects, list) { + struct vb2_buffer *vb; +@@ -203,12 +204,16 @@ static int cedrus_request_validate(struct media_request *req) + if (!ctrl_test) { + v4l2_info(&ctx->dev->v4l2_dev, + "Missing required codec control\n"); +- return -ENOENT; ++ ret = -ENOENT; ++ break; + } + } + + v4l2_ctrl_request_hdl_put(hdl); + ++ if (ret) ++ return ret; ++ + return vb2_request_validate(req); + } + +diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c +index bf7bae42c141c..6dc879fea9c8a 100644 +--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c ++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2011-2015, 2017, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved. + */ + + #include +@@ -191,7 +191,7 @@ static int qpnp_tm_get_temp(void *data, int *temp) + chip->temp = mili_celsius; + } + +- *temp = chip->temp < 0 ? 0 : chip->temp; ++ *temp = chip->temp; + + return 0; + } +diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +index 63b02bfb2adf6..fdb8a495ab69a 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c ++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c +@@ -37,20 +37,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = { + + /* + * Temperature values in milli degree celsius +- * ADC code values from 530 to 923 ++ * ADC code values from 13 to 107, see TRM ++ * "18.4.10.2.3 ADC Codes Versus Temperature". + */ + static const int + omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = { +- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000, +- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000, +- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000, +- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000, +- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000, +- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000, +- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000, +- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000, +- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000, +- 117000, 118000, 120000, 122000, 123000, ++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, ++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000, ++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000, ++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500, ++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000, ++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000, ++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000, ++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000, ++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000, ++ 115000, 117000, 118500, 120000, 122000, 123500, 125000, + }; + + /* OMAP4430 data */ +diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +index a453ff8eb313e..9a3955c3853ba 100644 +--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h ++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h +@@ -53,9 +53,13 @@ + * and thresholds for OMAP4430. + */ + +-/* ADC conversion table limits */ +-#define OMAP4430_ADC_START_VALUE 0 +-#define OMAP4430_ADC_END_VALUE 127 ++/* ++ * ADC conversion table limits. Ignore values outside the TRM listed ++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter ++ * "18.4.10.2.3 ADC Codes Versus Temperature". ++ */ ++#define OMAP4430_ADC_START_VALUE 13 ++#define OMAP4430_ADC_END_VALUE 107 + /* bandgap clock limits (no control on 4430) */ + #define OMAP4430_MAX_FREQ 32768 + #define OMAP4430_MIN_FREQ 32768 +diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c +index f98a79172ad23..0b184256034fb 100644 +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -1063,7 +1063,7 @@ static unsigned int qcom_geni_serial_tx_empty(struct uart_port *uport) + } + + #ifdef CONFIG_SERIAL_QCOM_GENI_CONSOLE +-static int __init qcom_geni_console_setup(struct console *co, char *options) ++static int qcom_geni_console_setup(struct console *co, char *options) + { + struct uart_port *uport; + struct qcom_geni_serial_port *port; +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 02206162eaa9e..0d16f9806655f 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include "vfio_pci_private.h" + +@@ -177,6 +178,7 @@ no_mmap: + + static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev); + static void vfio_pci_disable(struct vfio_pci_device *vdev); ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data); + + /* + * INTx masking requires the ability to disable INTx signaling via PCI_COMMAND +@@ -688,6 +690,12 @@ int vfio_pci_register_dev_region(struct vfio_pci_device *vdev, + return 0; + } + ++struct vfio_devices { ++ struct vfio_device **devices; ++ int cur_index; ++ int max_index; ++}; ++ + static long vfio_pci_ioctl(void *device_data, + unsigned int cmd, unsigned long arg) + { +@@ -761,7 +769,7 @@ static long vfio_pci_ioctl(void *device_data, + { + void __iomem *io; + size_t size; +- u16 orig_cmd; ++ u16 cmd; + + info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index); + info.flags = 0; +@@ -781,10 +789,7 @@ static long vfio_pci_ioctl(void *device_data, + * Is it really there? Enable memory decode for + * implicit access in pci_map_rom(). + */ +- pci_read_config_word(pdev, PCI_COMMAND, &orig_cmd); +- pci_write_config_word(pdev, PCI_COMMAND, +- orig_cmd | PCI_COMMAND_MEMORY); +- ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + io = pci_map_rom(pdev, &size); + if (io) { + info.flags = VFIO_REGION_INFO_FLAG_READ; +@@ -792,8 +797,8 @@ static long vfio_pci_ioctl(void *device_data, + } else { + info.size = 0; + } ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + +- pci_write_config_word(pdev, PCI_COMMAND, orig_cmd); + break; + } + case VFIO_PCI_VGA_REGION_INDEX: +@@ -936,8 +941,16 @@ static long vfio_pci_ioctl(void *device_data, + return ret; + + } else if (cmd == VFIO_DEVICE_RESET) { +- return vdev->reset_works ? +- pci_try_reset_function(vdev->pdev) : -EINVAL; ++ int ret; ++ ++ if (!vdev->reset_works) ++ return -EINVAL; ++ ++ vfio_pci_zap_and_down_write_memory_lock(vdev); ++ ret = pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ ++ return ret; + + } else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) { + struct vfio_pci_hot_reset_info hdr; +@@ -1017,8 +1030,9 @@ reset_info_exit: + int32_t *group_fds; + struct vfio_pci_group_entry *groups; + struct vfio_pci_group_info info; ++ struct vfio_devices devs = { .cur_index = 0 }; + bool slot = false; +- int i, count = 0, ret = 0; ++ int i, group_idx, mem_idx = 0, count = 0, ret = 0; + + minsz = offsetofend(struct vfio_pci_hot_reset, count); + +@@ -1070,9 +1084,9 @@ reset_info_exit: + * user interface and store the group and iommu ID. This + * ensures the group is held across the reset. + */ +- for (i = 0; i < hdr.count; i++) { ++ for (group_idx = 0; group_idx < hdr.count; group_idx++) { + struct vfio_group *group; +- struct fd f = fdget(group_fds[i]); ++ struct fd f = fdget(group_fds[group_idx]); + if (!f.file) { + ret = -EBADF; + break; +@@ -1085,8 +1099,9 @@ reset_info_exit: + break; + } + +- groups[i].group = group; +- groups[i].id = vfio_external_user_iommu_id(group); ++ groups[group_idx].group = group; ++ groups[group_idx].id = ++ vfio_external_user_iommu_id(group); + } + + kfree(group_fds); +@@ -1105,13 +1120,63 @@ reset_info_exit: + ret = vfio_pci_for_each_slot_or_bus(vdev->pdev, + vfio_pci_validate_devs, + &info, slot); +- if (!ret) +- /* User has access, do the reset */ +- ret = pci_reset_bus(vdev->pdev); ++ if (ret) ++ goto hot_reset_release; ++ ++ devs.max_index = count; ++ devs.devices = kcalloc(count, sizeof(struct vfio_device *), ++ GFP_KERNEL); ++ if (!devs.devices) { ++ ret = -ENOMEM; ++ goto hot_reset_release; ++ } ++ ++ /* ++ * We need to get memory_lock for each device, but devices ++ * can share mmap_sem, therefore we need to zap and hold ++ * the vma_lock for each device, and only then get each ++ * memory_lock. ++ */ ++ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev, ++ vfio_pci_try_zap_and_vma_lock_cb, ++ &devs, slot); ++ if (ret) ++ goto hot_reset_release; ++ ++ for (; mem_idx < devs.cur_index; mem_idx++) { ++ struct vfio_pci_device *tmp; ++ ++ tmp = vfio_device_data(devs.devices[mem_idx]); ++ ++ ret = down_write_trylock(&tmp->memory_lock); ++ if (!ret) { ++ ret = -EBUSY; ++ goto hot_reset_release; ++ } ++ mutex_unlock(&tmp->vma_lock); ++ } ++ ++ /* User has access, do the reset */ ++ ret = pci_reset_bus(vdev->pdev); + + hot_reset_release: +- for (i--; i >= 0; i--) +- vfio_group_put_external_user(groups[i].group); ++ for (i = 0; i < devs.cur_index; i++) { ++ struct vfio_device *device; ++ struct vfio_pci_device *tmp; ++ ++ device = devs.devices[i]; ++ tmp = vfio_device_data(device); ++ ++ if (i < mem_idx) ++ up_write(&tmp->memory_lock); ++ else ++ mutex_unlock(&tmp->vma_lock); ++ vfio_device_put(device); ++ } ++ kfree(devs.devices); ++ ++ for (group_idx--; group_idx >= 0; group_idx--) ++ vfio_group_put_external_user(groups[group_idx].group); + + kfree(groups); + return ret; +@@ -1192,6 +1257,202 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf, + return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true); + } + ++/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */ ++static int vfio_pci_zap_and_vma_lock(struct vfio_pci_device *vdev, bool try) ++{ ++ struct vfio_pci_mmap_vma *mmap_vma, *tmp; ++ ++ /* ++ * Lock ordering: ++ * vma_lock is nested under mmap_sem for vm_ops callback paths. ++ * The memory_lock semaphore is used by both code paths calling ++ * into this function to zap vmas and the vm_ops.fault callback ++ * to protect the memory enable state of the device. ++ * ++ * When zapping vmas we need to maintain the mmap_sem => vma_lock ++ * ordering, which requires using vma_lock to walk vma_list to ++ * acquire an mm, then dropping vma_lock to get the mmap_sem and ++ * reacquiring vma_lock. This logic is derived from similar ++ * requirements in uverbs_user_mmap_disassociate(). ++ * ++ * mmap_sem must always be the top-level lock when it is taken. ++ * Therefore we can only hold the memory_lock write lock when ++ * vma_list is empty, as we'd need to take mmap_sem to clear ++ * entries. vma_list can only be guaranteed empty when holding ++ * vma_lock, thus memory_lock is nested under vma_lock. ++ * ++ * This enables the vm_ops.fault callback to acquire vma_lock, ++ * followed by memory_lock read lock, while already holding ++ * mmap_sem without risk of deadlock. ++ */ ++ while (1) { ++ struct mm_struct *mm = NULL; ++ ++ if (try) { ++ if (!mutex_trylock(&vdev->vma_lock)) ++ return 0; ++ } else { ++ mutex_lock(&vdev->vma_lock); ++ } ++ while (!list_empty(&vdev->vma_list)) { ++ mmap_vma = list_first_entry(&vdev->vma_list, ++ struct vfio_pci_mmap_vma, ++ vma_next); ++ mm = mmap_vma->vma->vm_mm; ++ if (mmget_not_zero(mm)) ++ break; ++ ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ mm = NULL; ++ } ++ if (!mm) ++ return 1; ++ mutex_unlock(&vdev->vma_lock); ++ ++ if (try) { ++ if (!down_read_trylock(&mm->mmap_sem)) { ++ mmput(mm); ++ return 0; ++ } ++ } else { ++ down_read(&mm->mmap_sem); ++ } ++ if (mmget_still_valid(mm)) { ++ if (try) { ++ if (!mutex_trylock(&vdev->vma_lock)) { ++ up_read(&mm->mmap_sem); ++ mmput(mm); ++ return 0; ++ } ++ } else { ++ mutex_lock(&vdev->vma_lock); ++ } ++ list_for_each_entry_safe(mmap_vma, tmp, ++ &vdev->vma_list, vma_next) { ++ struct vm_area_struct *vma = mmap_vma->vma; ++ ++ if (vma->vm_mm != mm) ++ continue; ++ ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ ++ zap_vma_ptes(vma, vma->vm_start, ++ vma->vm_end - vma->vm_start); ++ } ++ mutex_unlock(&vdev->vma_lock); ++ } ++ up_read(&mm->mmap_sem); ++ mmput(mm); ++ } ++} ++ ++void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device *vdev) ++{ ++ vfio_pci_zap_and_vma_lock(vdev, false); ++ down_write(&vdev->memory_lock); ++ mutex_unlock(&vdev->vma_lock); ++} ++ ++u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev) ++{ ++ u16 cmd; ++ ++ down_write(&vdev->memory_lock); ++ pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd); ++ if (!(cmd & PCI_COMMAND_MEMORY)) ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, ++ cmd | PCI_COMMAND_MEMORY); ++ ++ return cmd; ++} ++ ++void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, u16 cmd) ++{ ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd); ++ up_write(&vdev->memory_lock); ++} ++ ++/* Caller holds vma_lock */ ++static int __vfio_pci_add_vma(struct vfio_pci_device *vdev, ++ struct vm_area_struct *vma) ++{ ++ struct vfio_pci_mmap_vma *mmap_vma; ++ ++ mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL); ++ if (!mmap_vma) ++ return -ENOMEM; ++ ++ mmap_vma->vma = vma; ++ list_add(&mmap_vma->vma_next, &vdev->vma_list); ++ ++ return 0; ++} ++ ++/* ++ * Zap mmaps on open so that we can fault them in on access and therefore ++ * our vma_list only tracks mappings accessed since last zap. ++ */ ++static void vfio_pci_mmap_open(struct vm_area_struct *vma) ++{ ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++} ++ ++static void vfio_pci_mmap_close(struct vm_area_struct *vma) ++{ ++ struct vfio_pci_device *vdev = vma->vm_private_data; ++ struct vfio_pci_mmap_vma *mmap_vma; ++ ++ mutex_lock(&vdev->vma_lock); ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) { ++ if (mmap_vma->vma == vma) { ++ list_del(&mmap_vma->vma_next); ++ kfree(mmap_vma); ++ break; ++ } ++ } ++ mutex_unlock(&vdev->vma_lock); ++} ++ ++static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) ++{ ++ struct vm_area_struct *vma = vmf->vma; ++ struct vfio_pci_device *vdev = vma->vm_private_data; ++ vm_fault_t ret = VM_FAULT_NOPAGE; ++ ++ mutex_lock(&vdev->vma_lock); ++ down_read(&vdev->memory_lock); ++ ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ ret = VM_FAULT_SIGBUS; ++ mutex_unlock(&vdev->vma_lock); ++ goto up_out; ++ } ++ ++ if (__vfio_pci_add_vma(vdev, vma)) { ++ ret = VM_FAULT_OOM; ++ mutex_unlock(&vdev->vma_lock); ++ goto up_out; ++ } ++ ++ mutex_unlock(&vdev->vma_lock); ++ ++ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, ++ vma->vm_end - vma->vm_start, vma->vm_page_prot)) ++ ret = VM_FAULT_SIGBUS; ++ ++up_out: ++ up_read(&vdev->memory_lock); ++ return ret; ++} ++ ++static const struct vm_operations_struct vfio_pci_mmap_ops = { ++ .open = vfio_pci_mmap_open, ++ .close = vfio_pci_mmap_close, ++ .fault = vfio_pci_mmap_fault, ++}; ++ + static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) + { + struct vfio_pci_device *vdev = device_data; +@@ -1250,8 +1511,14 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff; + +- return remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- req_len, vma->vm_page_prot); ++ /* ++ * See remap_pfn_range(), called from vfio_pci_fault() but we can't ++ * change vm_flags within the fault handler. Set them now. ++ */ ++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; ++ vma->vm_ops = &vfio_pci_mmap_ops; ++ ++ return 0; + } + + static void vfio_pci_request(void *device_data, unsigned int count) +@@ -1327,6 +1594,9 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + spin_lock_init(&vdev->irqlock); + mutex_init(&vdev->ioeventfds_lock); + INIT_LIST_HEAD(&vdev->ioeventfds_list); ++ mutex_init(&vdev->vma_lock); ++ INIT_LIST_HEAD(&vdev->vma_list); ++ init_rwsem(&vdev->memory_lock); + + ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev); + if (ret) { +@@ -1516,12 +1786,6 @@ static void vfio_pci_reflck_put(struct vfio_pci_reflck *reflck) + kref_put_mutex(&reflck->kref, vfio_pci_reflck_release, &reflck_lock); + } + +-struct vfio_devices { +- struct vfio_device **devices; +- int cur_index; +- int max_index; +-}; +- + static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data) + { + struct vfio_devices *devs = data; +@@ -1552,6 +1816,39 @@ static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data) + return 0; + } + ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data) ++{ ++ struct vfio_devices *devs = data; ++ struct vfio_device *device; ++ struct vfio_pci_device *vdev; ++ ++ if (devs->cur_index == devs->max_index) ++ return -ENOSPC; ++ ++ device = vfio_device_get_from_dev(&pdev->dev); ++ if (!device) ++ return -EINVAL; ++ ++ if (pci_dev_driver(pdev) != &vfio_pci_driver) { ++ vfio_device_put(device); ++ return -EBUSY; ++ } ++ ++ vdev = vfio_device_data(device); ++ ++ /* ++ * Locking multiple devices is prone to deadlock, runaway and ++ * unwind if we hit contention. ++ */ ++ if (!vfio_pci_zap_and_vma_lock(vdev, true)) { ++ vfio_device_put(device); ++ return -EBUSY; ++ } ++ ++ devs->devices[devs->cur_index++] = device; ++ return 0; ++} ++ + /* + * If a bus or slot reset is available for the provided device and: + * - All of the devices affected by that bus or slot reset are unused +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index d6359c37c9e55..927b608461c82 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -395,6 +395,20 @@ static inline void p_setd(struct perm_bits *p, int off, u32 virt, u32 write) + *(__le32 *)(&p->write[off]) = cpu_to_le32(write); + } + ++/* Caller should hold memory_lock semaphore */ ++bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev) ++{ ++ struct pci_dev *pdev = vdev->pdev; ++ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]); ++ ++ /* ++ * SR-IOV VF memory enable is handled by the MSE bit in the ++ * PF SR-IOV capability, there's therefore no need to trigger ++ * faults based on the virtual value. ++ */ ++ return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY); ++} ++ + /* + * Restore the *real* BARs after we detect a FLR or backdoor reset. + * (backdoor = some device specific technique that we didn't catch) +@@ -554,13 +568,18 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + + new_cmd = le32_to_cpu(val); + ++ phys_io = !!(phys_cmd & PCI_COMMAND_IO); ++ virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO); ++ new_io = !!(new_cmd & PCI_COMMAND_IO); ++ + phys_mem = !!(phys_cmd & PCI_COMMAND_MEMORY); + virt_mem = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_MEMORY); + new_mem = !!(new_cmd & PCI_COMMAND_MEMORY); + +- phys_io = !!(phys_cmd & PCI_COMMAND_IO); +- virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO); +- new_io = !!(new_cmd & PCI_COMMAND_IO); ++ if (!new_mem) ++ vfio_pci_zap_and_down_write_memory_lock(vdev); ++ else ++ down_write(&vdev->memory_lock); + + /* + * If the user is writing mem/io enable (new_mem/io) and we +@@ -577,8 +596,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + } + + count = vfio_default_config_write(vdev, pos, count, perm, offset, val); +- if (count < 0) ++ if (count < 0) { ++ if (offset == PCI_COMMAND) ++ up_write(&vdev->memory_lock); + return count; ++ } + + /* + * Save current memory/io enable bits in vconfig to allow for +@@ -589,6 +611,8 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + + *virt_cmd &= cpu_to_le16(~mask); + *virt_cmd |= cpu_to_le16(new_cmd & mask); ++ ++ up_write(&vdev->memory_lock); + } + + /* Emulate INTx disable */ +@@ -826,8 +850,11 @@ static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos, + pos - offset + PCI_EXP_DEVCAP, + &cap); + +- if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) { ++ vfio_pci_zap_and_down_write_memory_lock(vdev); + pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ } + } + + /* +@@ -905,8 +932,11 @@ static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos, + pos - offset + PCI_AF_CAP, + &cap); + +- if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) { ++ vfio_pci_zap_and_down_write_memory_lock(vdev); + pci_try_reset_function(vdev->pdev); ++ up_write(&vdev->memory_lock); ++ } + } + + return count; +@@ -1702,6 +1732,15 @@ int vfio_config_init(struct vfio_pci_device *vdev) + vconfig[PCI_INTERRUPT_PIN]); + + vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */ ++ ++ /* ++ * VFs do no implement the memory enable bit of the COMMAND ++ * register therefore we'll not have it set in our initial ++ * copy of config space after pci_enable_device(). For ++ * consistency with PFs, set the virtual enable bit here. ++ */ ++ *(__le16 *)&vconfig[PCI_COMMAND] |= ++ cpu_to_le16(PCI_COMMAND_MEMORY); + } + + if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx) +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index 2056f3f85f59b..1d9fb25929459 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -249,6 +249,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + struct pci_dev *pdev = vdev->pdev; + unsigned int flag = msix ? PCI_IRQ_MSIX : PCI_IRQ_MSI; + int ret; ++ u16 cmd; + + if (!is_irq_none(vdev)) + return -EINVAL; +@@ -258,13 +259,16 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + return -ENOMEM; + + /* return the number of supported vectors if we can't get all: */ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + ret = pci_alloc_irq_vectors(pdev, 1, nvec, flag); + if (ret < nvec) { + if (ret > 0) + pci_free_irq_vectors(pdev); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + kfree(vdev->ctx); + return ret; + } ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + + vdev->num_ctx = nvec; + vdev->irq_type = msix ? VFIO_PCI_MSIX_IRQ_INDEX : +@@ -287,6 +291,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + struct pci_dev *pdev = vdev->pdev; + struct eventfd_ctx *trigger; + int irq, ret; ++ u16 cmd; + + if (vector < 0 || vector >= vdev->num_ctx) + return -EINVAL; +@@ -295,7 +300,11 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + + if (vdev->ctx[vector].trigger) { + irq_bypass_unregister_producer(&vdev->ctx[vector].producer); ++ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + free_irq(irq, vdev->ctx[vector].trigger); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); ++ + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(vdev->ctx[vector].trigger); + vdev->ctx[vector].trigger = NULL; +@@ -323,6 +332,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + * such a reset it would be unsuccessful. To avoid this, restore the + * cached value of the message prior to enabling. + */ ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + if (msix) { + struct msi_msg msg; + +@@ -332,6 +342,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + + ret = request_irq(irq, vfio_msihandler, 0, + vdev->ctx[vector].name, trigger); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + if (ret) { + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(trigger); +@@ -376,6 +387,7 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix) + { + struct pci_dev *pdev = vdev->pdev; + int i; ++ u16 cmd; + + for (i = 0; i < vdev->num_ctx; i++) { + vfio_virqfd_disable(&vdev->ctx[i].unmask); +@@ -384,7 +396,9 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix) + + vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix); + ++ cmd = vfio_pci_memory_lock_and_enable(vdev); + pci_free_irq_vectors(pdev); ++ vfio_pci_memory_unlock_and_restore(vdev, cmd); + + /* + * Both disable paths above use pci_intx_for_msi() to clear DisINTx +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h +index ee6ee91718a4d..987b4d311fde9 100644 +--- a/drivers/vfio/pci/vfio_pci_private.h ++++ b/drivers/vfio/pci/vfio_pci_private.h +@@ -84,6 +84,11 @@ struct vfio_pci_reflck { + struct mutex lock; + }; + ++struct vfio_pci_mmap_vma { ++ struct vm_area_struct *vma; ++ struct list_head vma_next; ++}; ++ + struct vfio_pci_device { + struct pci_dev *pdev; + void __iomem *barmap[PCI_STD_RESOURCE_END + 1]; +@@ -122,6 +127,9 @@ struct vfio_pci_device { + struct list_head dummy_resources_list; + struct mutex ioeventfds_lock; + struct list_head ioeventfds_list; ++ struct mutex vma_lock; ++ struct list_head vma_list; ++ struct rw_semaphore memory_lock; + }; + + #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX) +@@ -164,6 +172,13 @@ extern int vfio_pci_register_dev_region(struct vfio_pci_device *vdev, + extern int vfio_pci_set_power_state(struct vfio_pci_device *vdev, + pci_power_t state); + ++extern bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev); ++extern void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device ++ *vdev); ++extern u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev); ++extern void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, ++ u16 cmd); ++ + #ifdef CONFIG_VFIO_PCI_IGD + extern int vfio_pci_igd_init(struct vfio_pci_device *vdev); + #else +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 0120d8324a402..83f81d24df78e 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -162,6 +162,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + size_t x_start = 0, x_end = 0; + resource_size_t end; + void __iomem *io; ++ struct resource *res = &vdev->pdev->resource[bar]; + ssize_t done; + + if (pci_resource_start(pdev, bar)) +@@ -177,6 +178,14 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + count = min(count, (size_t)(end - pos)); + ++ if (res->flags & IORESOURCE_MEM) { ++ down_read(&vdev->memory_lock); ++ if (!__vfio_pci_memory_enabled(vdev)) { ++ up_read(&vdev->memory_lock); ++ return -EIO; ++ } ++ } ++ + if (bar == PCI_ROM_RESOURCE) { + /* + * The ROM can fill less space than the BAR, so we start the +@@ -184,13 +193,17 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + * filling large ROM BARs much faster. + */ + io = pci_map_rom(pdev, &x_start); +- if (!io) +- return -ENOMEM; ++ if (!io) { ++ done = -ENOMEM; ++ goto out; ++ } + x_end = end; + } else { + int ret = vfio_pci_setup_barmap(vdev, bar); +- if (ret) +- return ret; ++ if (ret) { ++ done = ret; ++ goto out; ++ } + + io = vdev->barmap[bar]; + } +@@ -207,6 +220,9 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf, + + if (bar == PCI_ROM_RESOURCE) + pci_unmap_rom(pdev, io); ++out: ++ if (res->flags & IORESOURCE_MEM) ++ up_read(&vdev->memory_lock); + + return done; + } +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index ca8c10aa4a4bc..c6220f57fdf3e 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -335,6 +335,32 @@ static int put_pfn(unsigned long pfn, int prot) + return 0; + } + ++static int follow_fault_pfn(struct vm_area_struct *vma, struct mm_struct *mm, ++ unsigned long vaddr, unsigned long *pfn, ++ bool write_fault) ++{ ++ int ret; ++ ++ ret = follow_pfn(vma, vaddr, pfn); ++ if (ret) { ++ bool unlocked = false; ++ ++ ret = fixup_user_fault(NULL, mm, vaddr, ++ FAULT_FLAG_REMOTE | ++ (write_fault ? FAULT_FLAG_WRITE : 0), ++ &unlocked); ++ if (unlocked) ++ return -EAGAIN; ++ ++ if (ret) ++ return ret; ++ ++ ret = follow_pfn(vma, vaddr, pfn); ++ } ++ ++ return ret; ++} ++ + static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, + int prot, unsigned long *pfn) + { +@@ -377,12 +403,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, + + vaddr = untagged_addr(vaddr); + ++retry: + vma = find_vma_intersection(mm, vaddr, vaddr + 1); + + if (vma && vma->vm_flags & VM_PFNMAP) { +- if (!follow_pfn(vma, vaddr, pfn) && +- is_invalid_reserved_pfn(*pfn)) +- ret = 0; ++ ret = follow_fault_pfn(vma, mm, vaddr, pfn, prot & IOMMU_WRITE); ++ if (ret == -EAGAIN) ++ goto retry; ++ ++ if (!ret && !is_invalid_reserved_pfn(*pfn)) ++ ret = -EFAULT; + } + + up_read(&mm->mmap_sem); +diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c +index a38292ef79f6d..f38bdaea0ef11 100644 +--- a/drivers/xen/xenbus/xenbus_client.c ++++ b/drivers/xen/xenbus/xenbus_client.c +@@ -363,8 +363,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr, + int i, j; + + for (i = 0; i < nr_pages; i++) { +- err = gnttab_grant_foreign_access(dev->otherend_id, +- virt_to_gfn(vaddr), 0); ++ unsigned long gfn; ++ ++ if (is_vmalloc_addr(vaddr)) ++ gfn = pfn_to_gfn(vmalloc_to_pfn(vaddr)); ++ else ++ gfn = virt_to_gfn(vaddr); ++ ++ err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0); + if (err < 0) { + xenbus_dev_fatal(dev, err, + "granting access to ring page"); +diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c +index f708c45d5f664..29f11e10a7c7d 100644 +--- a/fs/affs/amigaffs.c ++++ b/fs/affs/amigaffs.c +@@ -420,24 +420,51 @@ affs_mode_to_prot(struct inode *inode) + u32 prot = AFFS_I(inode)->i_protect; + umode_t mode = inode->i_mode; + ++ /* ++ * First, clear all RWED bits for owner, group, other. ++ * Then, recalculate them afresh. ++ * ++ * We'll always clear the delete-inhibit bit for the owner, as that is ++ * the classic single-user mode AmigaOS protection bit and we need to ++ * stay compatible with all scenarios. ++ * ++ * Since multi-user AmigaOS is an extension, we'll only set the ++ * delete-allow bit if any of the other bits in the same user class ++ * (group/other) are used. ++ */ ++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD ++ | FIBF_NOWRITE | FIBF_NODELETE ++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ ++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE ++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ ++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE); ++ ++ /* Classic single-user AmigaOS flags. These are inverted. */ + if (!(mode & 0100)) + prot |= FIBF_NOEXECUTE; + if (!(mode & 0400)) + prot |= FIBF_NOREAD; + if (!(mode & 0200)) + prot |= FIBF_NOWRITE; ++ ++ /* Multi-user extended flags. Not inverted. */ + if (mode & 0010) + prot |= FIBF_GRP_EXECUTE; + if (mode & 0040) + prot |= FIBF_GRP_READ; + if (mode & 0020) + prot |= FIBF_GRP_WRITE; ++ if (mode & 0070) ++ prot |= FIBF_GRP_DELETE; ++ + if (mode & 0001) + prot |= FIBF_OTR_EXECUTE; + if (mode & 0004) + prot |= FIBF_OTR_READ; + if (mode & 0002) + prot |= FIBF_OTR_WRITE; ++ if (mode & 0007) ++ prot |= FIBF_OTR_DELETE; + + AFFS_I(inode)->i_protect = prot; + } +diff --git a/fs/affs/file.c b/fs/affs/file.c +index a85817f54483f..ba084b0b214b9 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -428,6 +428,24 @@ static int affs_write_begin(struct file *file, struct address_space *mapping, + return ret; + } + ++static int affs_write_end(struct file *file, struct address_space *mapping, ++ loff_t pos, unsigned int len, unsigned int copied, ++ struct page *page, void *fsdata) ++{ ++ struct inode *inode = mapping->host; ++ int ret; ++ ++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata); ++ ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ ++ return ret; ++} ++ + static sector_t _affs_bmap(struct address_space *mapping, sector_t block) + { + return generic_block_bmap(mapping,block,affs_get_block); +@@ -437,7 +455,7 @@ const struct address_space_operations affs_aops = { + .readpage = affs_readpage, + .writepage = affs_writepage, + .write_begin = affs_write_begin, +- .write_end = generic_write_end, ++ .write_end = affs_write_end, + .direct_IO = affs_direct_IO, + .bmap = _affs_bmap + }; +@@ -794,6 +812,12 @@ done: + if (tmp > inode->i_size) + inode->i_size = AFFS_I(inode)->mmu_private = tmp; + ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ + err_first_bh: + unlock_page(page); + put_page(page); +diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c +index 02e976ca5732f..51ee3dd79700f 100644 +--- a/fs/afs/fs_probe.c ++++ b/fs/afs/fs_probe.c +@@ -92,8 +92,8 @@ responded: + } + } + +- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall); +- if (rtt_us < server->probe.rtt) { ++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && ++ rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + alist->preferred = index; + have_result = true; +diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c +index e3aa013c21779..081b7e5b13f58 100644 +--- a/fs/afs/vl_probe.c ++++ b/fs/afs/vl_probe.c +@@ -92,8 +92,8 @@ responded: + } + } + +- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall); +- if (rtt_us < server->probe.rtt) { ++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && ++ rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + alist->preferred = index; + have_result = true; +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index a989105d39c86..c05127f506373 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -1339,6 +1339,8 @@ tree_mod_log_rewind(struct btrfs_fs_info *fs_info, struct btrfs_path *path, + btrfs_tree_read_unlock_blocking(eb); + free_extent_buffer(eb); + ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb_rewin), ++ eb_rewin, btrfs_header_level(eb_rewin)); + btrfs_tree_read_lock(eb_rewin); + __tree_mod_log_rewind(fs_info, eb_rewin, time_seq, tm); + WARN_ON(btrfs_header_nritems(eb_rewin) > +@@ -1412,7 +1414,6 @@ get_old_root(struct btrfs_root *root, u64 time_seq) + + if (!eb) + return NULL; +- btrfs_tree_read_lock(eb); + if (old_root) { + btrfs_set_header_bytenr(eb, eb->start); + btrfs_set_header_backref_rev(eb, BTRFS_MIXED_BACKREF_REV); +@@ -1420,6 +1421,9 @@ get_old_root(struct btrfs_root *root, u64 time_seq) + btrfs_set_header_level(eb, old_root->level); + btrfs_set_header_generation(eb, old_generation); + } ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb), eb, ++ btrfs_header_level(eb)); ++ btrfs_tree_read_lock(eb); + if (tm) + __tree_mod_log_rewind(fs_info, eb, time_seq, tm); + else +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index ef05cbacef73f..541497036cc24 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4446,7 +4446,7 @@ btrfs_init_new_buffer(struct btrfs_trans_handle *trans, struct btrfs_root *root, + return ERR_PTR(-EUCLEAN); + } + +- btrfs_set_buffer_lockdep_class(root->root_key.objectid, buf, level); ++ btrfs_set_buffer_lockdep_class(owner, buf, level); + btrfs_tree_lock(buf); + btrfs_clean_tree_block(buf); + clear_bit(EXTENT_BUFFER_STALE, &buf->bflags); +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 5707bf0575d43..60c21cfb19480 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -5607,9 +5607,9 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv, + } + } + +-int read_extent_buffer_to_user(const struct extent_buffer *eb, +- void __user *dstv, +- unsigned long start, unsigned long len) ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb, ++ void __user *dstv, ++ unsigned long start, unsigned long len) + { + size_t cur; + size_t offset; +@@ -5630,7 +5630,7 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb, + + cur = min(len, (PAGE_SIZE - offset)); + kaddr = page_address(page); +- if (copy_to_user(dst, kaddr + offset, cur)) { ++ if (probe_user_write(dst, kaddr + offset, cur)) { + ret = -EFAULT; + break; + } +diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h +index cf3424d58fec7..bc858c8cef0a6 100644 +--- a/fs/btrfs/extent_io.h ++++ b/fs/btrfs/extent_io.h +@@ -457,9 +457,9 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv, + void read_extent_buffer(const struct extent_buffer *eb, void *dst, + unsigned long start, + unsigned long len); +-int read_extent_buffer_to_user(const struct extent_buffer *eb, +- void __user *dst, unsigned long start, +- unsigned long len); ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb, ++ void __user *dst, unsigned long start, ++ unsigned long len); + void write_extent_buffer_fsid(struct extent_buffer *eb, const void *src); + void write_extent_buffer_chunk_tree_uuid(struct extent_buffer *eb, + const void *src); +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 88745b5182126..775fd5975191b 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2105,9 +2105,14 @@ static noinline int copy_to_sk(struct btrfs_path *path, + sh.len = item_len; + sh.transid = found_transid; + +- /* copy search result header */ +- if (copy_to_user(ubuf + *sk_offset, &sh, sizeof(sh))) { +- ret = -EFAULT; ++ /* ++ * Copy search result header. If we fault then loop again so we ++ * can fault in the pages and -EFAULT there if there's a ++ * problem. Otherwise we'll fault and then copy the buffer in ++ * properly this next time through ++ */ ++ if (probe_user_write(ubuf + *sk_offset, &sh, sizeof(sh))) { ++ ret = 0; + goto out; + } + +@@ -2115,10 +2120,14 @@ static noinline int copy_to_sk(struct btrfs_path *path, + + if (item_len) { + char __user *up = ubuf + *sk_offset; +- /* copy the item */ +- if (read_extent_buffer_to_user(leaf, up, +- item_off, item_len)) { +- ret = -EFAULT; ++ /* ++ * Copy the item, same behavior as above, but reset the ++ * * sk_offset so we copy the full thing again. ++ */ ++ if (read_extent_buffer_to_user_nofault(leaf, up, ++ item_off, item_len)) { ++ ret = 0; ++ *sk_offset -= sizeof(sh); + goto out; + } + +@@ -2206,6 +2215,10 @@ static noinline int search_ioctl(struct inode *inode, + key.offset = sk->min_offset; + + while (1) { ++ ret = fault_in_pages_writeable(ubuf, *buf_size - sk_offset); ++ if (ret) ++ break; ++ + ret = btrfs_search_forward(root, &key, path, sk->min_transid); + if (ret != 0) { + if (ret > 0) +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 498b824148187..93d7cb56e44b2 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -3742,50 +3742,84 @@ static noinline_for_stack int scrub_supers(struct scrub_ctx *sctx, + return 0; + } + ++static void scrub_workers_put(struct btrfs_fs_info *fs_info) ++{ ++ if (refcount_dec_and_mutex_lock(&fs_info->scrub_workers_refcnt, ++ &fs_info->scrub_lock)) { ++ struct btrfs_workqueue *scrub_workers = NULL; ++ struct btrfs_workqueue *scrub_wr_comp = NULL; ++ struct btrfs_workqueue *scrub_parity = NULL; ++ ++ scrub_workers = fs_info->scrub_workers; ++ scrub_wr_comp = fs_info->scrub_wr_completion_workers; ++ scrub_parity = fs_info->scrub_parity_workers; ++ ++ fs_info->scrub_workers = NULL; ++ fs_info->scrub_wr_completion_workers = NULL; ++ fs_info->scrub_parity_workers = NULL; ++ mutex_unlock(&fs_info->scrub_lock); ++ ++ btrfs_destroy_workqueue(scrub_workers); ++ btrfs_destroy_workqueue(scrub_wr_comp); ++ btrfs_destroy_workqueue(scrub_parity); ++ } ++} ++ + /* + * get a reference count on fs_info->scrub_workers. start worker if necessary + */ + static noinline_for_stack int scrub_workers_get(struct btrfs_fs_info *fs_info, + int is_dev_replace) + { ++ struct btrfs_workqueue *scrub_workers = NULL; ++ struct btrfs_workqueue *scrub_wr_comp = NULL; ++ struct btrfs_workqueue *scrub_parity = NULL; + unsigned int flags = WQ_FREEZABLE | WQ_UNBOUND; + int max_active = fs_info->thread_pool_size; ++ int ret = -ENOMEM; + +- lockdep_assert_held(&fs_info->scrub_lock); ++ if (refcount_inc_not_zero(&fs_info->scrub_workers_refcnt)) ++ return 0; + +- if (refcount_read(&fs_info->scrub_workers_refcnt) == 0) { +- ASSERT(fs_info->scrub_workers == NULL); +- fs_info->scrub_workers = btrfs_alloc_workqueue(fs_info, "scrub", +- flags, is_dev_replace ? 1 : max_active, 4); +- if (!fs_info->scrub_workers) +- goto fail_scrub_workers; +- +- ASSERT(fs_info->scrub_wr_completion_workers == NULL); +- fs_info->scrub_wr_completion_workers = +- btrfs_alloc_workqueue(fs_info, "scrubwrc", flags, +- max_active, 2); +- if (!fs_info->scrub_wr_completion_workers) +- goto fail_scrub_wr_completion_workers; ++ scrub_workers = btrfs_alloc_workqueue(fs_info, "scrub", flags, ++ is_dev_replace ? 1 : max_active, 4); ++ if (!scrub_workers) ++ goto fail_scrub_workers; + +- ASSERT(fs_info->scrub_parity_workers == NULL); +- fs_info->scrub_parity_workers = +- btrfs_alloc_workqueue(fs_info, "scrubparity", flags, ++ scrub_wr_comp = btrfs_alloc_workqueue(fs_info, "scrubwrc", flags, + max_active, 2); +- if (!fs_info->scrub_parity_workers) +- goto fail_scrub_parity_workers; ++ if (!scrub_wr_comp) ++ goto fail_scrub_wr_completion_workers; + ++ scrub_parity = btrfs_alloc_workqueue(fs_info, "scrubparity", flags, ++ max_active, 2); ++ if (!scrub_parity) ++ goto fail_scrub_parity_workers; ++ ++ mutex_lock(&fs_info->scrub_lock); ++ if (refcount_read(&fs_info->scrub_workers_refcnt) == 0) { ++ ASSERT(fs_info->scrub_workers == NULL && ++ fs_info->scrub_wr_completion_workers == NULL && ++ fs_info->scrub_parity_workers == NULL); ++ fs_info->scrub_workers = scrub_workers; ++ fs_info->scrub_wr_completion_workers = scrub_wr_comp; ++ fs_info->scrub_parity_workers = scrub_parity; + refcount_set(&fs_info->scrub_workers_refcnt, 1); +- } else { +- refcount_inc(&fs_info->scrub_workers_refcnt); ++ mutex_unlock(&fs_info->scrub_lock); ++ return 0; + } +- return 0; ++ /* Other thread raced in and created the workers for us */ ++ refcount_inc(&fs_info->scrub_workers_refcnt); ++ mutex_unlock(&fs_info->scrub_lock); + ++ ret = 0; ++ btrfs_destroy_workqueue(scrub_parity); + fail_scrub_parity_workers: +- btrfs_destroy_workqueue(fs_info->scrub_wr_completion_workers); ++ btrfs_destroy_workqueue(scrub_wr_comp); + fail_scrub_wr_completion_workers: +- btrfs_destroy_workqueue(fs_info->scrub_workers); ++ btrfs_destroy_workqueue(scrub_workers); + fail_scrub_workers: +- return -ENOMEM; ++ return ret; + } + + int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, +@@ -3796,9 +3830,6 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + int ret; + struct btrfs_device *dev; + unsigned int nofs_flag; +- struct btrfs_workqueue *scrub_workers = NULL; +- struct btrfs_workqueue *scrub_wr_comp = NULL; +- struct btrfs_workqueue *scrub_parity = NULL; + + if (btrfs_fs_closing(fs_info)) + return -EAGAIN; +@@ -3845,13 +3876,17 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + if (IS_ERR(sctx)) + return PTR_ERR(sctx); + ++ ret = scrub_workers_get(fs_info, is_dev_replace); ++ if (ret) ++ goto out_free_ctx; ++ + mutex_lock(&fs_info->fs_devices->device_list_mutex); + dev = btrfs_find_device(fs_info->fs_devices, devid, NULL, NULL, true); + if (!dev || (test_bit(BTRFS_DEV_STATE_MISSING, &dev->dev_state) && + !is_dev_replace)) { + mutex_unlock(&fs_info->fs_devices->device_list_mutex); + ret = -ENODEV; +- goto out_free_ctx; ++ goto out; + } + + if (!is_dev_replace && !readonly && +@@ -3860,7 +3895,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + btrfs_err_in_rcu(fs_info, "scrub: device %s is not writable", + rcu_str_deref(dev->name)); + ret = -EROFS; +- goto out_free_ctx; ++ goto out; + } + + mutex_lock(&fs_info->scrub_lock); +@@ -3869,7 +3904,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + mutex_unlock(&fs_info->scrub_lock); + mutex_unlock(&fs_info->fs_devices->device_list_mutex); + ret = -EIO; +- goto out_free_ctx; ++ goto out; + } + + down_read(&fs_info->dev_replace.rwsem); +@@ -3880,17 +3915,10 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + mutex_unlock(&fs_info->scrub_lock); + mutex_unlock(&fs_info->fs_devices->device_list_mutex); + ret = -EINPROGRESS; +- goto out_free_ctx; ++ goto out; + } + up_read(&fs_info->dev_replace.rwsem); + +- ret = scrub_workers_get(fs_info, is_dev_replace); +- if (ret) { +- mutex_unlock(&fs_info->scrub_lock); +- mutex_unlock(&fs_info->fs_devices->device_list_mutex); +- goto out_free_ctx; +- } +- + sctx->readonly = readonly; + dev->scrub_ctx = sctx; + mutex_unlock(&fs_info->fs_devices->device_list_mutex); +@@ -3943,24 +3971,14 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + + mutex_lock(&fs_info->scrub_lock); + dev->scrub_ctx = NULL; +- if (refcount_dec_and_test(&fs_info->scrub_workers_refcnt)) { +- scrub_workers = fs_info->scrub_workers; +- scrub_wr_comp = fs_info->scrub_wr_completion_workers; +- scrub_parity = fs_info->scrub_parity_workers; +- +- fs_info->scrub_workers = NULL; +- fs_info->scrub_wr_completion_workers = NULL; +- fs_info->scrub_parity_workers = NULL; +- } + mutex_unlock(&fs_info->scrub_lock); + +- btrfs_destroy_workqueue(scrub_workers); +- btrfs_destroy_workqueue(scrub_wr_comp); +- btrfs_destroy_workqueue(scrub_parity); ++ scrub_workers_put(fs_info); + scrub_put_ctx(sctx); + + return ret; +- ++out: ++ scrub_workers_put(fs_info); + out_free_ctx: + scrub_free_ctx(sctx); + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 0e44db066641e..91ea38506fbb7 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -772,7 +772,7 @@ static int check_inode_item(struct extent_buffer *leaf, + /* Here we use super block generation + 1 to handle log tree */ + if (btrfs_inode_generation(leaf, iitem) > super_gen + 1) { + inode_item_err(fs_info, leaf, slot, +- "invalid inode generation: has %llu expect (0, %llu]", ++ "invalid inode transid: has %llu expect [0, %llu]", + btrfs_inode_generation(leaf, iitem), + super_gen + 1); + return -EUCLEAN; +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 196ddbcd29360..81be71fb569e1 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4568,6 +4568,7 @@ static int btrfs_uuid_scan_kthread(void *data) + goto skip; + } + update_tree: ++ btrfs_release_path(path); + if (!btrfs_is_empty_uuid(root_item.uuid)) { + ret = btrfs_uuid_tree_add(trans, root_item.uuid, + BTRFS_UUID_KEY_SUBVOL, +@@ -4592,6 +4593,7 @@ update_tree: + } + + skip: ++ btrfs_release_path(path); + if (trans) { + ret = btrfs_end_transaction(trans); + trans = NULL; +@@ -4599,7 +4601,6 @@ skip: + break; + } + +- btrfs_release_path(path); + if (key.offset < (u64)-1) { + key.offset++; + } else if (key.type < BTRFS_ROOT_ITEM_KEY) { +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index 4a6b14a2bd7f9..a10711a6337af 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -2198,6 +2198,7 @@ const struct file_operations ceph_file_fops = { + .mmap = ceph_mmap, + .fsync = ceph_fsync, + .lock = ceph_lock, ++ .setlease = simple_nosetlease, + .flock = ceph_flock, + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 0d9b1e2b9da72..ae1d32344f7ac 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1992,9 +1992,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + * during ep_insert(). + */ + if (list_empty(&epi->ffd.file->f_tfile_llink)) { +- get_file(epi->ffd.file); +- list_add(&epi->ffd.file->f_tfile_llink, +- &tfile_check_list); ++ if (get_file_rcu(epi->ffd.file)) ++ list_add(&epi->ffd.file->f_tfile_llink, ++ &tfile_check_list); + } + } + } +diff --git a/fs/ext2/file.c b/fs/ext2/file.c +index 39c4772e96c9d..d73103cdda210 100644 +--- a/fs/ext2/file.c ++++ b/fs/ext2/file.c +@@ -93,8 +93,10 @@ static vm_fault_t ext2_dax_fault(struct vm_fault *vmf) + struct inode *inode = file_inode(vmf->vma->vm_file); + struct ext2_inode_info *ei = EXT2_I(inode); + vm_fault_t ret; ++ bool write = (vmf->flags & FAULT_FLAG_WRITE) && ++ (vmf->vma->vm_flags & VM_SHARED); + +- if (vmf->flags & FAULT_FLAG_WRITE) { ++ if (write) { + sb_start_pagefault(inode->i_sb); + file_update_time(vmf->vma->vm_file); + } +@@ -103,7 +105,7 @@ static vm_fault_t ext2_dax_fault(struct vm_fault *vmf) + ret = dax_iomap_fault(vmf, PE_SIZE_PTE, NULL, NULL, &ext2_iomap_ops); + + up_read(&ei->dax_sem); +- if (vmf->flags & FAULT_FLAG_WRITE) ++ if (write) + sb_end_pagefault(inode->i_sb); + return ret; + } +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index f0089e862216c..fe277ee5ec7c4 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -946,8 +946,10 @@ xfs_attr_shortform_verify( + * struct xfs_attr_sf_entry has a variable length. + * Check the fixed-offset parts of the structure are + * within the data buffer. ++ * xfs_attr_sf_entry is defined with a 1-byte variable ++ * array at the end, so we must subtract that off. + */ +- if (((char *)sfep + sizeof(*sfep)) >= endp) ++ if (((char *)sfep + sizeof(*sfep) - 1) >= endp) + return __this_address; + + /* Don't allow names with known bad length. */ +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c +index 3f76da11197c4..19a600443b9ee 100644 +--- a/fs/xfs/libxfs/xfs_bmap.c ++++ b/fs/xfs/libxfs/xfs_bmap.c +@@ -6179,7 +6179,7 @@ xfs_bmap_validate_extent( + + isrt = XFS_IS_REALTIME_INODE(ip); + endfsb = irec->br_startblock + irec->br_blockcount - 1; +- if (isrt) { ++ if (isrt && whichfork == XFS_DATA_FORK) { + if (!xfs_verify_rtbno(mp, irec->br_startblock)) + return __this_address; + if (!xfs_verify_rtbno(mp, endfsb)) +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index 1ffb179f35d23..1e2176190c86f 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -1172,6 +1172,14 @@ __xfs_filemap_fault( + return ret; + } + ++static inline bool ++xfs_is_write_fault( ++ struct vm_fault *vmf) ++{ ++ return (vmf->flags & FAULT_FLAG_WRITE) && ++ (vmf->vma->vm_flags & VM_SHARED); ++} ++ + static vm_fault_t + xfs_filemap_fault( + struct vm_fault *vmf) +@@ -1179,7 +1187,7 @@ xfs_filemap_fault( + /* DAX can shortcut the normal fault path on write faults! */ + return __xfs_filemap_fault(vmf, PE_SIZE_PTE, + IS_DAX(file_inode(vmf->vma->vm_file)) && +- (vmf->flags & FAULT_FLAG_WRITE)); ++ xfs_is_write_fault(vmf)); + } + + static vm_fault_t +@@ -1192,7 +1200,7 @@ xfs_filemap_huge_fault( + + /* DAX can shortcut the normal fault path on write faults! */ + return __xfs_filemap_fault(vmf, pe_size, +- (vmf->flags & FAULT_FLAG_WRITE)); ++ xfs_is_write_fault(vmf)); + } + + static vm_fault_t +diff --git a/include/linux/bvec.h b/include/linux/bvec.h +index a032f01e928c5..d7a628e066ee8 100644 +--- a/include/linux/bvec.h ++++ b/include/linux/bvec.h +@@ -110,11 +110,18 @@ static inline bool bvec_iter_advance(const struct bio_vec *bv, + return true; + } + ++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter) ++{ ++ iter->bi_bvec_done = 0; ++ iter->bi_idx++; ++} ++ + #define for_each_bvec(bvl, bio_vec, iter, start) \ + for (iter = (start); \ + (iter).bi_size && \ + ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \ +- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len)) ++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \ ++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter))) + + /* for iterating one bio from start to end */ + #define BVEC_ITER_ALL_INIT (struct bvec_iter) \ +diff --git a/include/linux/libata.h b/include/linux/libata.h +index b9970f5bab67c..e752368ea3516 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -422,6 +422,7 @@ enum { + ATA_HORKAGE_NO_DMA_LOG = (1 << 23), /* don't use DMA for log read */ + ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */ + ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */ ++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */ + + /* DMA mask for user DMA control: User visible values; DO NOT + renumber */ +diff --git a/include/linux/log2.h b/include/linux/log2.h +index 83a4a3ca3e8a7..c619ec6eff4ae 100644 +--- a/include/linux/log2.h ++++ b/include/linux/log2.h +@@ -173,7 +173,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n) + #define roundup_pow_of_two(n) \ + ( \ + __builtin_constant_p(n) ? ( \ +- (n == 1) ? 1 : \ ++ ((n) == 1) ? 1 : \ + (1UL << (ilog2((n) - 1) + 1)) \ + ) : \ + __roundup_pow_of_two(n) \ +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h +index 851425c3178f1..89016d08f6a27 100644 +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group); + int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid, + unsigned int group, int echo, gfp_t flags); + int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error); +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid, +- int flags); ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid); + + static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type) + { +diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h +index ab988940bf045..55b980b21f4b4 100644 +--- a/include/net/af_rxrpc.h ++++ b/include/net/af_rxrpc.h +@@ -59,7 +59,7 @@ bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *, + void rxrpc_kernel_end_call(struct socket *, struct rxrpc_call *); + void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *, + struct sockaddr_rxrpc *); +-u32 rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *); ++bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *); + int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t, + rxrpc_user_attach_call_t, unsigned long, gfp_t, + unsigned int); +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 2d0275f13bbfd..bc2c73f549622 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(u32 *sreg) + static inline void nft_data_copy(u32 *dst, const struct nft_data *src, + unsigned int len) + { ++ if (len % NFT_REG32_SIZE) ++ dst[len / NFT_REG32_SIZE] = 0; + memcpy(dst, src, len); + } + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index ed8881ad18edd..0a995403172cc 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -132,7 +132,7 @@ enum nf_tables_msg_types { + * @NFTA_LIST_ELEM: list element (NLA_NESTED) + */ + enum nft_list_attributes { +- NFTA_LIST_UNPEC, ++ NFTA_LIST_UNSPEC, + NFTA_LIST_ELEM, + __NFTA_LIST_MAX + }; +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 2a83b03c54a69..62ec514dae658 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3082,6 +3082,22 @@ static unsigned int cpuset_mems_nr(unsigned int *array) + } + + #ifdef CONFIG_SYSCTL ++static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int write, ++ void *buffer, size_t *length, ++ loff_t *ppos, unsigned long *out) ++{ ++ struct ctl_table dup_table; ++ ++ /* ++ * In order to avoid races with __do_proc_doulongvec_minmax(), we ++ * can duplicate the @table and alter the duplicate of it. ++ */ ++ dup_table = *table; ++ dup_table.data = out; ++ ++ return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos); ++} ++ + static int hugetlb_sysctl_handler_common(bool obey_mempolicy, + struct ctl_table *table, int write, + void __user *buffer, size_t *length, loff_t *ppos) +@@ -3093,9 +3109,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, + if (!hugepages_supported()) + return -EOPNOTSUPP; + +- table->data = &tmp; +- table->maxlen = sizeof(unsigned long); +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos, ++ &tmp); + if (ret) + goto out; + +@@ -3139,9 +3154,8 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, + if (write && hstate_is_gigantic(h)) + return -EINVAL; + +- table->data = &tmp; +- table->maxlen = sizeof(unsigned long); +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos, ++ &tmp); + if (ret) + goto out; + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 3623d1c5343f2..9ec618d5ea557 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1592,7 +1592,7 @@ static void collapse_file(struct mm_struct *mm, + xas_unlock_irq(&xas); + page_cache_sync_readahead(mapping, &file->f_ra, + file, index, +- PAGE_SIZE); ++ end - index); + /* drain pagevecs to help isolate_lru_page() */ + lru_add_drain(); + page = find_lock_page(mapping, index); +diff --git a/mm/madvise.c b/mm/madvise.c +index d8cfc3a0c1534..26f7954865ed9 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -288,9 +288,9 @@ static long madvise_willneed(struct vm_area_struct *vma, + */ + *prev = NULL; /* tell sys_madvise we drop mmap_sem */ + get_file(file); +- up_read(¤t->mm->mmap_sem); + offset = (loff_t)(start - vma->vm_start) + + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); ++ up_read(¤t->mm->mmap_sem); + vfs_fadvise(file, offset, end - start, POSIX_FADV_WILLNEED); + fput(file); + down_read(¤t->mm->mmap_sem); +diff --git a/mm/slub.c b/mm/slub.c +index 709e31002504c..822ba07245291 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -645,12 +645,12 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...) + } + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + if ((s->flags & SLAB_CONSISTENCY_CHECKS) && +- !check_valid_pointer(s, page, nextfree)) { +- object_err(s, page, freelist, "Freechain corrupt"); +- freelist = NULL; ++ !check_valid_pointer(s, page, nextfree) && freelist) { ++ object_err(s, page, *freelist, "Freechain corrupt"); ++ *freelist = NULL; + slab_fix(s, "Isolate corrupted freechain"); + return true; + } +@@ -1394,7 +1394,7 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node, + int objects) {} + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + return false; + } +@@ -2086,7 +2086,7 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page, + * 'freelist' is already corrupted. So isolate all objects + * starting at 'freelist'. + */ +- if (freelist_corrupted(s, page, freelist, nextfree)) ++ if (freelist_corrupted(s, page, &freelist, nextfree)) + break; + + do { +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c +index a9e7540c56918..3165f6ff8ee71 100644 +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -878,6 +878,12 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset, + ntohl(ogm_packet->seqno), ogm_throughput, ogm_packet->ttl, + ogm_packet->version, ntohs(ogm_packet->tvlv_len)); + ++ if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) { ++ batadv_dbg(BATADV_DBG_BATMAN, bat_priv, ++ "Drop packet: originator packet from ourself\n"); ++ return; ++ } ++ + /* If the throughput metric is 0, immediately drop the packet. No need + * to create orig_node / neigh_node for an unusable route. + */ +@@ -1005,11 +1011,6 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, + if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) + goto free_skb; + +- ogm_packet = (struct batadv_ogm2_packet *)skb->data; +- +- if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) +- goto free_skb; +- + batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_RX); + batadv_add_counter(bat_priv, BATADV_CNT_MGMT_RX_BYTES, + skb->len + ETH_HLEN); +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 663a53b6d36e6..5f6309ade1ea1 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -437,7 +437,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac, + batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES, + skb->len + ETH_HLEN); + +- netif_rx(skb); ++ if (in_interrupt()) ++ netif_rx(skb); ++ else ++ netif_rx_ni(skb); + out: + if (primary_if) + batadv_hardif_put(primary_if); +diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c +index 47df4c6789886..89c9097007c3a 100644 +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -703,8 +703,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len, + + chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET; + /* store the client address if the message is going to a client */ +- if (ret == BATADV_DHCP_TO_CLIENT && +- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) { ++ if (ret == BATADV_DHCP_TO_CLIENT) { ++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) ++ return BATADV_DHCP_NO; ++ + /* check if the DHCP packet carries an Ethernet DHCP */ + p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET; + if (*p != BATADV_DHCP_HTYPE_ETHERNET) +diff --git a/net/core/dev.c b/net/core/dev.c +index 25858f1f67cf7..56cd7b83a3829 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5602,12 +5602,13 @@ static void napi_skb_free_stolen_head(struct sk_buff *skb) + kmem_cache_free(skbuff_head_cache, skb); + } + +-static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb) ++static gro_result_t napi_skb_finish(struct napi_struct *napi, ++ struct sk_buff *skb, ++ gro_result_t ret) + { + switch (ret) { + case GRO_NORMAL: +- if (netif_receive_skb_internal(skb)) +- ret = GRO_DROP; ++ gro_normal_one(napi, skb); + break; + + case GRO_DROP: +@@ -5639,7 +5640,7 @@ gro_result_t napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb) + + skb_gro_reset_offset(skb); + +- ret = napi_skb_finish(dev_gro_receive(napi, skb), skb); ++ ret = napi_skb_finish(napi, skb, dev_gro_receive(napi, skb)); + trace_napi_gro_receive_exit(ret); + + return ret; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f7129232c8250..2023650c27249 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -744,11 +744,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, + family, table); + if (err < 0) +- goto err; ++ goto err_fill_table_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_table_info: + kfree_skb(skb2); + return err; + } +@@ -1443,11 +1443,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, + family, table, chain); + if (err < 0) +- goto err; ++ goto err_fill_chain_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_chain_info: + kfree_skb(skb2); + return err; + } +@@ -2622,11 +2622,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, + family, table, chain, rule, NULL); + if (err < 0) +- goto err; ++ goto err_fill_rule_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_rule_info: + kfree_skb(skb2); + return err; + } +@@ -3353,7 +3353,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, + goto nla_put_failure; + } + +- if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) ++ if (set->udata && ++ nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) + goto nla_put_failure; + + desc = nla_nest_start_noflag(skb, NFTA_SET_DESC); +@@ -3525,11 +3526,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk, + + err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); + if (err < 0) +- goto err; ++ goto err_fill_set_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); + +-err: ++err_fill_set_info: + kfree_skb(skb2); + return err; + } +@@ -4304,24 +4305,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, + err = -ENOMEM; + skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); + if (skb == NULL) +- goto err1; ++ return err; + + err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, + NFT_MSG_NEWSETELEM, 0, set, &elem); + if (err < 0) +- goto err2; ++ goto err_fill_setelem; + +- err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT); +- /* This avoids a loop in nfnetlink. */ +- if (err < 0) +- goto err1; ++ return nfnetlink_unicast(skb, ctx->net, ctx->portid); + +- return 0; +-err2: ++err_fill_setelem: + kfree_skb(skb); +-err1: +- /* this avoids a loop in nfnetlink. */ +- return err == -EAGAIN ? -ENOBUFS : err; ++ return err; + } + + /* called with rcu_read_lock held */ +@@ -5498,10 +5493,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk, + nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, + family, table, obj, reset); + if (err < 0) +- goto err; ++ goto err_fill_obj_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); +-err: ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); ++ ++err_fill_obj_info: + kfree_skb(skb2); + return err; + } +@@ -6173,10 +6169,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, + NFT_MSG_NEWFLOWTABLE, 0, family, + flowtable); + if (err < 0) +- goto err; ++ goto err_fill_flowtable_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); +-err: ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); ++ ++err_fill_flowtable_info: + kfree_skb(skb2); + return err; + } +@@ -6337,10 +6334,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk, + err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, + nlh->nlmsg_seq); + if (err < 0) +- goto err; ++ goto err_fill_gen_info; + +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); +-err: ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); ++ ++err_fill_gen_info: + kfree_skb(skb2); + return err; + } +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 99127e2d95a84..6d03b09096210 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -148,10 +148,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error) + } + EXPORT_SYMBOL_GPL(nfnetlink_set_err); + +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid, +- int flags) ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid) + { +- return netlink_unicast(net->nfnl, skb, portid, flags); ++ int err; ++ ++ err = nlmsg_unicast(net->nfnl, skb, portid); ++ if (err == -EAGAIN) ++ err = -ENOBUFS; ++ ++ return err; + } + EXPORT_SYMBOL_GPL(nfnetlink_unicast); + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 0ba020ca38e68..7ca2ca4bba055 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -356,8 +356,7 @@ __nfulnl_send(struct nfulnl_instance *inst) + goto out; + } + } +- nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, +- MSG_DONTWAIT); ++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid); + out: + inst->qlen = 0; + inst->skb = NULL; +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index feabdfb22920b..6f0a2bad8ad5e 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -681,7 +681,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue, + *packet_id_ptr = htonl(entry->id); + + /* nfnetlink_unicast will either free the nskb or add it to a socket */ +- err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT); ++ err = nfnetlink_unicast(nskb, net, queue->peer_portid); + if (err < 0) { + if (queue->flags & NFQA_CFG_F_FAIL_OPEN) { + failopen = 1; +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 0e3bfbc26e790..62dc728bf93c9 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -79,7 +79,9 @@ void nft_payload_eval(const struct nft_expr *expr, + u32 *dest = ®s->data[priv->dreg]; + int offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; ++ if (priv->len % NFT_REG32_SIZE) ++ dest[priv->len / NFT_REG32_SIZE] = 0; ++ + switch (priv->base) { + case NFT_PAYLOAD_LL_HEADER: + if (!skb_mac_header_was_set(skb)) +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7735340c892eb..fbc2d4dfddf0e 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2169,7 +2169,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + int skb_len = skb->len; + unsigned int snaplen, res; + unsigned long status = TP_STATUS_USER; +- unsigned short macoff, netoff, hdrlen; ++ unsigned short macoff, hdrlen; ++ unsigned int netoff; + struct sk_buff *copy_skb = NULL; + struct timespec ts; + __u32 ts_status; +@@ -2238,6 +2239,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + } + macoff = netoff - maclen; + } ++ if (netoff > USHRT_MAX) { ++ atomic_inc(&po->tp_drops); ++ goto drop_n_restore; ++ } + if (po->tp_version <= TPACKET_V2) { + if (macoff + snaplen > po->rx_ring.frame_size) { + if (po->copy_thresh && +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index 22dec6049e1bb..6cace43b217ee 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -844,7 +844,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + struct rxrpc_ackinfo info; + u8 acks[RXRPC_MAXACKS]; + } buf; +- rxrpc_serial_t acked_serial; ++ rxrpc_serial_t ack_serial, acked_serial; + rxrpc_seq_t first_soft_ack, hard_ack, prev_pkt; + int nr_acks, offset, ioffset; + +@@ -857,6 +857,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + } + offset += sizeof(buf.ack); + ++ ack_serial = sp->hdr.serial; + acked_serial = ntohl(buf.ack.serial); + first_soft_ack = ntohl(buf.ack.firstPacket); + prev_pkt = ntohl(buf.ack.previousPacket); +@@ -865,31 +866,31 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + summary.ack_reason = (buf.ack.reason < RXRPC_ACK__INVALID ? + buf.ack.reason : RXRPC_ACK__INVALID); + +- trace_rxrpc_rx_ack(call, sp->hdr.serial, acked_serial, ++ trace_rxrpc_rx_ack(call, ack_serial, acked_serial, + first_soft_ack, prev_pkt, + summary.ack_reason, nr_acks); + + if (buf.ack.reason == RXRPC_ACK_PING_RESPONSE) + rxrpc_input_ping_response(call, skb->tstamp, acked_serial, +- sp->hdr.serial); ++ ack_serial); + if (buf.ack.reason == RXRPC_ACK_REQUESTED) + rxrpc_input_requested_ack(call, skb->tstamp, acked_serial, +- sp->hdr.serial); ++ ack_serial); + + if (buf.ack.reason == RXRPC_ACK_PING) { +- _proto("Rx ACK %%%u PING Request", sp->hdr.serial); ++ _proto("Rx ACK %%%u PING Request", ack_serial); + rxrpc_propose_ACK(call, RXRPC_ACK_PING_RESPONSE, +- sp->hdr.serial, true, true, ++ ack_serial, true, true, + rxrpc_propose_ack_respond_to_ping); + } else if (sp->hdr.flags & RXRPC_REQUEST_ACK) { + rxrpc_propose_ACK(call, RXRPC_ACK_REQUESTED, +- sp->hdr.serial, true, true, ++ ack_serial, true, true, + rxrpc_propose_ack_respond_to_ack); + } + + /* Discard any out-of-order or duplicate ACKs (outside lock). */ + if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) { +- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial, ++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial, + first_soft_ack, call->ackr_first_seq, + prev_pkt, call->ackr_prev_seq); + return; +@@ -905,7 +906,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + + /* Discard any out-of-order or duplicate ACKs (inside lock). */ + if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) { +- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial, ++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial, + first_soft_ack, call->ackr_first_seq, + prev_pkt, call->ackr_prev_seq); + goto out; +@@ -965,7 +966,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb) + RXRPC_TX_ANNO_LAST && + summary.nr_acks == call->tx_top - hard_ack && + rxrpc_is_client_call(call)) +- rxrpc_propose_ACK(call, RXRPC_ACK_PING, sp->hdr.serial, ++ rxrpc_propose_ACK(call, RXRPC_ACK_PING, ack_serial, + false, true, + rxrpc_propose_ack_ping_for_lost_reply); + +diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c +index efce27802a74f..e011594adcd13 100644 +--- a/net/rxrpc/peer_object.c ++++ b/net/rxrpc/peer_object.c +@@ -500,11 +500,21 @@ EXPORT_SYMBOL(rxrpc_kernel_get_peer); + * rxrpc_kernel_get_srtt - Get a call's peer smoothed RTT + * @sock: The socket on which the call is in progress. + * @call: The call to query ++ * @_srtt: Where to store the SRTT value. + * +- * Get the call's peer smoothed RTT. ++ * Get the call's peer smoothed RTT in uS. + */ +-u32 rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call) ++bool rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call, ++ u32 *_srtt) + { +- return call->peer->srtt_us >> 3; ++ struct rxrpc_peer *peer = call->peer; ++ ++ if (peer->rtt_count == 0) { ++ *_srtt = 1000000; /* 1S */ ++ return false; ++ } ++ ++ *_srtt = call->peer->srtt_us >> 3; ++ return true; + } + EXPORT_SYMBOL(rxrpc_kernel_get_srtt); +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 1a8218f1bbe07..20a8e6af88c45 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2941,6 +2941,9 @@ int regulatory_hint_user(const char *alpha2, + if (WARN_ON(!alpha2)) + return -EINVAL; + ++ if (!is_world_regdom(alpha2) && !is_an_alpha2(alpha2)) ++ return -EINVAL; ++ + request = kzalloc(sizeof(struct regulatory_request), GFP_KERNEL); + if (!request) + return -ENOMEM; +diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl +index 6fcc66afb0880..0c9b114202796 100755 +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -2576,8 +2576,8 @@ sub process { + + # Check if the commit log has what seems like a diff which can confuse patch + if ($in_commit_log && !$commit_log_has_diff && +- (($line =~ m@^\s+diff\b.*a/[\w/]+@ && +- $line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/$1\b@) || ++ (($line =~ m@^\s+diff\b.*a/([\w/]+)@ && ++ $line =~ m@^\s+diff\b.*a/[\w/]+\s+b/$1\b@) || + $line =~ m@^\s*(?:\-\-\-\s+a/|\+\+\+\s+b/)@ || + $line =~ m/^\s*\@\@ \-\d+,\d+ \+\d+,\d+ \@\@/)) { + ERROR("DIFF_IN_COMMIT_MSG", +diff --git a/sound/core/oss/mulaw.c b/sound/core/oss/mulaw.c +index 3788906421a73..fe27034f28460 100644 +--- a/sound/core/oss/mulaw.c ++++ b/sound/core/oss/mulaw.c +@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct snd_pcm_substream *plug, + snd_BUG(); + return -EINVAL; + } +- if (snd_BUG_ON(!snd_pcm_format_linear(format->format))) +- return -ENXIO; ++ if (!snd_pcm_format_linear(format->format)) ++ return -EINVAL; + + err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion", + src_format, dst_format, +diff --git a/sound/firewire/digi00x/digi00x.c b/sound/firewire/digi00x/digi00x.c +index 1f5fc0e7c0243..0e4b0eac30159 100644 +--- a/sound/firewire/digi00x/digi00x.c ++++ b/sound/firewire/digi00x/digi00x.c +@@ -14,6 +14,7 @@ MODULE_LICENSE("GPL v2"); + #define VENDOR_DIGIDESIGN 0x00a07e + #define MODEL_CONSOLE 0x000001 + #define MODEL_RACK 0x000002 ++#define SPEC_VERSION 0x000001 + + static int name_card(struct snd_dg00x *dg00x) + { +@@ -175,14 +176,18 @@ static const struct ieee1394_device_id snd_dg00x_id_table[] = { + /* Both of 002/003 use the same ID. */ + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_CONSOLE, + }, + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_RACK, + }, + {} +diff --git a/sound/firewire/tascam/tascam.c b/sound/firewire/tascam/tascam.c +index addc464503bcf..0175e3e835ead 100644 +--- a/sound/firewire/tascam/tascam.c ++++ b/sound/firewire/tascam/tascam.c +@@ -39,9 +39,6 @@ static const struct snd_tscm_spec model_specs[] = { + .midi_capture_ports = 2, + .midi_playback_ports = 4, + }, +- // This kernel module doesn't support FE-8 because the most of features +- // can be implemented in userspace without any specific support of this +- // module. + }; + + static int identify_model(struct snd_tscm *tscm) +@@ -211,11 +208,39 @@ static void snd_tscm_remove(struct fw_unit *unit) + } + + static const struct ieee1394_device_id snd_tscm_id_table[] = { ++ // Tascam, FW-1884. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = 0x00022e, ++ .specifier_id = 0x00022e, ++ .version = 0x800000, ++ }, ++ // Tascam, FE-8 (.version = 0x800001) ++ // This kernel module doesn't support FE-8 because the most of features ++ // can be implemented in userspace without any specific support of this ++ // module. ++ // ++ // .version = 0x800002 is unknown. ++ // ++ // Tascam, FW-1082. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = 0x00022e, ++ .specifier_id = 0x00022e, ++ .version = 0x800003, ++ }, ++ // Tascam, FW-1804. + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | +- IEEE1394_MATCH_SPECIFIER_ID, ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, + .vendor_id = 0x00022e, + .specifier_id = 0x00022e, ++ .version = 0x800004, + }, + {} + }; +diff --git a/sound/pci/ca0106/ca0106_main.c b/sound/pci/ca0106/ca0106_main.c +index 478412e0aa3c7..7aedaeb7a1968 100644 +--- a/sound/pci/ca0106/ca0106_main.c ++++ b/sound/pci/ca0106/ca0106_main.c +@@ -537,7 +537,8 @@ static int snd_ca0106_pcm_power_dac(struct snd_ca0106 *chip, int channel_id, + else + /* Power down */ + chip->spi_dac_reg[reg] |= bit; +- return snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]); ++ if (snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]) != 0) ++ return -ENXIO; + } + return 0; + } +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 3a456410937b5..7353d2ec359ae 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2671,8 +2671,6 @@ static const struct pci_device_id azx_ids[] = { + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_HDMI }, + /* Zhaoxin */ + { PCI_DEVICE(0x1d17, 0x3288), .driver_data = AZX_DRIVER_ZHAOXIN }, +- /* Loongson */ +- { PCI_DEVICE(0x0014, 0x7a07), .driver_data = AZX_DRIVER_GENERIC }, + { 0, } + }; + MODULE_DEVICE_TABLE(pci, azx_ids); +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index ec9460f3a288e..a13bad262598d 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2798,6 +2798,7 @@ static void i915_pin_cvt_fixup(struct hda_codec *codec, + hda_nid_t cvt_nid) + { + if (per_pin) { ++ haswell_verify_D0(codec, per_pin->cvt_nid, per_pin->pin_nid); + snd_hda_set_dev_select(codec, per_pin->pin_nid, + per_pin->dev_id); + intel_verify_pin_cvt_connect(codec, per_pin); +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index d1b74c7cacd76..d614090dae49d 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2466,6 +2466,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), ++ SND_PCI_QUIRK(0x1462, 0x9c37, "MSI X570-A PRO", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3), + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX), +@@ -5849,6 +5850,39 @@ static void alc275_fixup_gpio4_off(struct hda_codec *codec, + } + } + ++/* Quirk for Thinkpad X1 7th and 8th Gen ++ * The following fixed routing needed ++ * DAC1 (NID 0x02) -> Speaker (NID 0x14); some eq applied secretly ++ * DAC2 (NID 0x03) -> Bass (NID 0x17) & Headphone (NID 0x21); sharing a DAC ++ * DAC3 (NID 0x06) -> Unused, due to the lack of volume amp ++ */ ++static void alc285_fixup_thinkpad_x1_gen7(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ static const hda_nid_t conn[] = { 0x02, 0x03 }; /* exclude 0x06 */ ++ static const hda_nid_t preferred_pairs[] = { ++ 0x14, 0x02, 0x17, 0x03, 0x21, 0x03, 0 ++ }; ++ struct alc_spec *spec = codec->spec; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn); ++ spec->gen.preferred_dacs = preferred_pairs; ++ break; ++ case HDA_FIXUP_ACT_BUILD: ++ /* The generic parser creates somewhat unintuitive volume ctls ++ * with the fixed routing above, and the shared DAC2 may be ++ * confusing for PA. ++ * Rename those to unique names so that PA doesn't touch them ++ * and use only Master volume. ++ */ ++ rename_ctl(codec, "Front Playback Volume", "DAC1 Playback Volume"); ++ rename_ctl(codec, "Bass Speaker Playback Volume", "DAC2 Playback Volume"); ++ break; ++ } ++} ++ + static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec, + const struct hda_fixup *fix, + int action) +@@ -6117,6 +6151,7 @@ enum { + ALC289_FIXUP_DUAL_SPK, + ALC294_FIXUP_SPK2_TO_DAC1, + ALC294_FIXUP_ASUS_DUAL_SPK, ++ ALC285_FIXUP_THINKPAD_X1_GEN7, + ALC285_FIXUP_THINKPAD_HEADSET_JACK, + ALC294_FIXUP_ASUS_HPE, + ALC294_FIXUP_ASUS_COEF_1B, +@@ -7262,11 +7297,17 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 + }, ++ [ALC285_FIXUP_THINKPAD_X1_GEN7] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_thinkpad_x1_gen7, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI ++ }, + [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_headset_jack, + .chained = true, +- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1 ++ .chain_id = ALC285_FIXUP_THINKPAD_X1_GEN7 + }, + [ALC294_FIXUP_ASUS_HPE] = { + .type = HDA_FIXUP_VERBS, +@@ -7677,7 +7718,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 7b41f97489788..878f1201aad6e 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -356,6 +356,7 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs, + case USB_ID(0x07fd, 0x0008): /* MOTU M Series */ + case USB_ID(0x31e9, 0x0001): /* Solid State Logic SSL2 */ + case USB_ID(0x31e9, 0x0002): /* Solid State Logic SSL2+ */ ++ case USB_ID(0x0499, 0x172f): /* Steinberg UR22C */ + case USB_ID(0x0d9a, 0x00df): /* RTX6001 */ + ep = 0x81; + ifnum = 2; +diff --git a/tools/include/uapi/linux/perf_event.h b/tools/include/uapi/linux/perf_event.h +index bb7b271397a66..fabe5aeaa351a 100644 +--- a/tools/include/uapi/linux/perf_event.h ++++ b/tools/include/uapi/linux/perf_event.h +@@ -1131,7 +1131,7 @@ union perf_mem_data_src { + + #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */ + /* 1 free */ +-#define PERF_MEM_SNOOPX_SHIFT 37 ++#define PERF_MEM_SNOOPX_SHIFT 38 + + /* locked instruction */ + #define PERF_MEM_LOCK_NA 0x01 /* not available */ +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c +index 23332861de6e4..454e275cd5dff 100644 +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -2137,7 +2137,7 @@ static struct option __record_options[] = { + OPT_BOOLEAN(0, "tail-synthesize", &record.opts.tail_synthesize, + "synthesize non-sample events at the end of output"), + OPT_BOOLEAN(0, "overwrite", &record.opts.overwrite, "use overwrite mode"), +- OPT_BOOLEAN(0, "no-bpf-event", &record.opts.no_bpf_event, "record bpf events"), ++ OPT_BOOLEAN(0, "no-bpf-event", &record.opts.no_bpf_event, "do not record bpf events"), + OPT_BOOLEAN(0, "strict-freq", &record.opts.strict_freq, + "Fail if the specified frequency can't be used"), + OPT_CALLBACK('F', "freq", &record.opts, "freq or 'max'", +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c +index 99e3fd04a5cb3..d36ae65ae3330 100644 +--- a/tools/perf/pmu-events/jevents.c ++++ b/tools/perf/pmu-events/jevents.c +@@ -137,7 +137,7 @@ static char *fixregex(char *s) + return s; + + /* allocate space for a new string */ +- fixed = (char *) malloc(len + 1); ++ fixed = (char *) malloc(len + esc_count + 1); + if (!fixed) + return NULL; + +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c +index c812f0178b643..1c4219ceced2f 100644 +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -1282,6 +1282,8 @@ static void __run_parallel(unsigned int tasks, + pid_t pid[tasks]; + int i; + ++ fflush(stdout); ++ + for (i = 0; i < tasks; i++) { + pid[i] = fork(); + if (pid[i] == 0) { diff --git a/patch/kernel/odroidxu4-current/patch-5.4.64-65.patch b/patch/kernel/odroidxu4-current/patch-5.4.64-65.patch new file mode 100644 index 000000000..720873a93 --- /dev/null +++ b/patch/kernel/odroidxu4-current/patch-5.4.64-65.patch @@ -0,0 +1,356 @@ +diff --git a/Makefile b/Makefile +index 7bdfb21bb9269..4cb68164b79ee 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 4 +-SUBLEVEL = 64 ++SUBLEVEL = 65 + EXTRAVERSION = + NAME = Kleptomaniac Octopus + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index b91f92e4e5f22..915ac75b55fc7 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -625,6 +625,10 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0a46, 0x1269), /* DM9621A USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, ++ { ++ USB_DEVICE(0x0586, 0x3427), /* ZyXEL Keenetic Plus DSL xDSL modem */ ++ .driver_info = (unsigned long)&dm9601_info, ++ }, + {}, // END + }; + +diff --git a/net/core/dev.c b/net/core/dev.c +index 56cd7b83a3829..cdc1c3a144e1f 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6231,12 +6231,13 @@ void netif_napi_add(struct net_device *dev, struct napi_struct *napi, + netdev_err_once(dev, "%s() called with weight %d\n", __func__, + weight); + napi->weight = weight; +- list_add(&napi->dev_list, &dev->napi_list); + napi->dev = dev; + #ifdef CONFIG_NETPOLL + napi->poll_owner = -1; + #endif + set_bit(NAPI_STATE_SCHED, &napi->state); ++ set_bit(NAPI_STATE_NPSVC, &napi->state); ++ list_add_rcu(&napi->dev_list, &dev->napi_list); + napi_hash_add(napi); + } + EXPORT_SYMBOL(netif_napi_add); +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 849380a622ef9..cb67d36f3adb0 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -161,7 +161,7 @@ static void poll_napi(struct net_device *dev) + struct napi_struct *napi; + int cpu = smp_processor_id(); + +- list_for_each_entry(napi, &dev->napi_list, dev_list) { ++ list_for_each_entry_rcu(napi, &dev->napi_list, dev_list) { + if (cmpxchg(&napi->poll_owner, -1, cpu) == -1) { + poll_one_napi(napi); + smp_store_release(&napi->poll_owner, -1); +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 47b6d73d30e55..51673d00bbeac 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2010,7 +2010,8 @@ void fib_info_notify_update(struct net *net, struct nl_info *info) + struct hlist_head *head = &net->ipv4.fib_table_hash[h]; + struct fib_table *tb; + +- hlist_for_each_entry_rcu(tb, head, tb_hlist) ++ hlist_for_each_entry_rcu(tb, head, tb_hlist, ++ lockdep_rtnl_is_held()) + __fib_info_notify_update(net, tb, info); + } + } +diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c +index ec8fcfc60a27b..73842054bfe68 100644 +--- a/net/ipv6/sysctl_net_ipv6.c ++++ b/net/ipv6/sysctl_net_ipv6.c +@@ -21,6 +21,7 @@ + #include + #endif + ++static int two = 2; + static int flowlabel_reflect_max = 0x7; + static int auto_flowlabels_min; + static int auto_flowlabels_max = IP6_AUTO_FLOW_LABEL_MAX; +@@ -151,7 +152,7 @@ static struct ctl_table ipv6_table_template[] = { + .mode = 0644, + .proc_handler = proc_rt6_multipath_hash_policy, + .extra1 = SYSCTL_ZERO, +- .extra2 = SYSCTL_ONE, ++ .extra2 = &two, + }, + { + .procname = "seg6_flowlabel", +diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c +index f5d34da0646ed..12aa803b2f689 100644 +--- a/net/netlabel/netlabel_domainhash.c ++++ b/net/netlabel/netlabel_domainhash.c +@@ -85,6 +85,7 @@ static void netlbl_domhsh_free_entry(struct rcu_head *entry) + kfree(netlbl_domhsh_addr6_entry(iter6)); + } + #endif /* IPv6 */ ++ kfree(ptr->def.addrsel); + } + kfree(ptr->domain); + kfree(ptr); +@@ -536,6 +537,8 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, + goto add_return; + } + #endif /* IPv6 */ ++ /* cleanup the new entry since we've moved everything over */ ++ netlbl_domhsh_free_entry(&entry->rcu); + } else + ret_val = -EINVAL; + +@@ -579,6 +582,12 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, + { + int ret_val = 0; + struct audit_buffer *audit_buf; ++ struct netlbl_af4list *iter4; ++ struct netlbl_domaddr4_map *map4; ++#if IS_ENABLED(CONFIG_IPV6) ++ struct netlbl_af6list *iter6; ++ struct netlbl_domaddr6_map *map6; ++#endif /* IPv6 */ + + if (entry == NULL) + return -ENOENT; +@@ -596,6 +605,9 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, + ret_val = -ENOENT; + spin_unlock(&netlbl_domhsh_lock); + ++ if (ret_val) ++ return ret_val; ++ + audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); + if (audit_buf != NULL) { + audit_log_format(audit_buf, +@@ -605,40 +617,29 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, + audit_log_end(audit_buf); + } + +- if (ret_val == 0) { +- struct netlbl_af4list *iter4; +- struct netlbl_domaddr4_map *map4; +-#if IS_ENABLED(CONFIG_IPV6) +- struct netlbl_af6list *iter6; +- struct netlbl_domaddr6_map *map6; +-#endif /* IPv6 */ +- +- switch (entry->def.type) { +- case NETLBL_NLTYPE_ADDRSELECT: +- netlbl_af4list_foreach_rcu(iter4, +- &entry->def.addrsel->list4) { +- map4 = netlbl_domhsh_addr4_entry(iter4); +- cipso_v4_doi_putdef(map4->def.cipso); +- } ++ switch (entry->def.type) { ++ case NETLBL_NLTYPE_ADDRSELECT: ++ netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) { ++ map4 = netlbl_domhsh_addr4_entry(iter4); ++ cipso_v4_doi_putdef(map4->def.cipso); ++ } + #if IS_ENABLED(CONFIG_IPV6) +- netlbl_af6list_foreach_rcu(iter6, +- &entry->def.addrsel->list6) { +- map6 = netlbl_domhsh_addr6_entry(iter6); +- calipso_doi_putdef(map6->def.calipso); +- } ++ netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) { ++ map6 = netlbl_domhsh_addr6_entry(iter6); ++ calipso_doi_putdef(map6->def.calipso); ++ } + #endif /* IPv6 */ +- break; +- case NETLBL_NLTYPE_CIPSOV4: +- cipso_v4_doi_putdef(entry->def.cipso); +- break; ++ break; ++ case NETLBL_NLTYPE_CIPSOV4: ++ cipso_v4_doi_putdef(entry->def.cipso); ++ break; + #if IS_ENABLED(CONFIG_IPV6) +- case NETLBL_NLTYPE_CALIPSO: +- calipso_doi_putdef(entry->def.calipso); +- break; ++ case NETLBL_NLTYPE_CALIPSO: ++ calipso_doi_putdef(entry->def.calipso); ++ break; + #endif /* IPv6 */ +- } +- call_rcu(&entry->rcu, netlbl_domhsh_free_entry); + } ++ call_rcu(&entry->rcu, netlbl_domhsh_free_entry); + + return ret_val; + } +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index b1eb12d33b9a6..6a5086e586efb 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1177,9 +1177,27 @@ static void taprio_offload_config_changed(struct taprio_sched *q) + spin_unlock(&q->current_entry_lock); + } + +-static void taprio_sched_to_offload(struct taprio_sched *q, ++static u32 tc_map_to_queue_mask(struct net_device *dev, u32 tc_mask) ++{ ++ u32 i, queue_mask = 0; ++ ++ for (i = 0; i < dev->num_tc; i++) { ++ u32 offset, count; ++ ++ if (!(tc_mask & BIT(i))) ++ continue; ++ ++ offset = dev->tc_to_txq[i].offset; ++ count = dev->tc_to_txq[i].count; ++ ++ queue_mask |= GENMASK(offset + count - 1, offset); ++ } ++ ++ return queue_mask; ++} ++ ++static void taprio_sched_to_offload(struct net_device *dev, + struct sched_gate_list *sched, +- const struct tc_mqprio_qopt *mqprio, + struct tc_taprio_qopt_offload *offload) + { + struct sched_entry *entry; +@@ -1194,7 +1212,8 @@ static void taprio_sched_to_offload(struct taprio_sched *q, + + e->command = entry->command; + e->interval = entry->interval; +- e->gate_mask = entry->gate_mask; ++ e->gate_mask = tc_map_to_queue_mask(dev, entry->gate_mask); ++ + i++; + } + +@@ -1202,7 +1221,6 @@ static void taprio_sched_to_offload(struct taprio_sched *q, + } + + static int taprio_enable_offload(struct net_device *dev, +- struct tc_mqprio_qopt *mqprio, + struct taprio_sched *q, + struct sched_gate_list *sched, + struct netlink_ext_ack *extack) +@@ -1224,7 +1242,7 @@ static int taprio_enable_offload(struct net_device *dev, + return -ENOMEM; + } + offload->enable = 1; +- taprio_sched_to_offload(q, sched, mqprio, offload); ++ taprio_sched_to_offload(dev, sched, offload); + + err = ops->ndo_setup_tc(dev, TC_SETUP_QDISC_TAPRIO, offload); + if (err < 0) { +@@ -1486,7 +1504,7 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, + } + + if (FULL_OFFLOAD_IS_ENABLED(q->flags)) +- err = taprio_enable_offload(dev, mqprio, q, new_admin, extack); ++ err = taprio_enable_offload(dev, q, new_admin, extack); + else + err = taprio_disable_offload(dev, q, extack); + if (err) +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 58fe6556cdf5b..3a11212bb4c0e 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8176,8 +8176,6 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + + pr_debug("%s: begins, snum:%d\n", __func__, snum); + +- local_bh_disable(); +- + if (snum == 0) { + /* Search for an available port. */ + int low, high, remaining, index; +@@ -8196,20 +8194,21 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + continue; + index = sctp_phashfn(sock_net(sk), rover); + head = &sctp_port_hashtable[index]; +- spin_lock(&head->lock); ++ spin_lock_bh(&head->lock); + sctp_for_each_hentry(pp, &head->chain) + if ((pp->port == rover) && + net_eq(sock_net(sk), pp->net)) + goto next; + break; + next: +- spin_unlock(&head->lock); ++ spin_unlock_bh(&head->lock); ++ cond_resched(); + } while (--remaining > 0); + + /* Exhausted local port range during search? */ + ret = 1; + if (remaining <= 0) +- goto fail; ++ return ret; + + /* OK, here is the one we will use. HEAD (the port + * hash table list entry) is non-NULL and we hold it's +@@ -8224,7 +8223,7 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + * port iterator, pp being NULL. + */ + head = &sctp_port_hashtable[sctp_phashfn(sock_net(sk), snum)]; +- spin_lock(&head->lock); ++ spin_lock_bh(&head->lock); + sctp_for_each_hentry(pp, &head->chain) { + if ((pp->port == snum) && net_eq(pp->net, sock_net(sk))) + goto pp_found; +@@ -8324,10 +8323,7 @@ success: + ret = 0; + + fail_unlock: +- spin_unlock(&head->lock); +- +-fail: +- local_bh_enable(); ++ spin_unlock_bh(&head->lock); + return ret; + } + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index aea951a1f805b..5318bb6611abc 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2616,18 +2616,21 @@ static int tipc_shutdown(struct socket *sock, int how) + + trace_tipc_sk_shutdown(sk, NULL, TIPC_DUMP_ALL, " "); + __tipc_shutdown(sock, TIPC_CONN_SHUTDOWN); +- sk->sk_shutdown = SEND_SHUTDOWN; ++ if (tipc_sk_type_connectionless(sk)) ++ sk->sk_shutdown = SHUTDOWN_MASK; ++ else ++ sk->sk_shutdown = SEND_SHUTDOWN; + + if (sk->sk_state == TIPC_DISCONNECTING) { + /* Discard any unreceived messages */ + __skb_queue_purge(&sk->sk_receive_queue); + +- /* Wake up anyone sleeping in poll */ +- sk->sk_state_change(sk); + res = 0; + } else { + res = -ENOTCONN; + } ++ /* Wake up anyone sleeping in poll. */ ++ sk->sk_state_change(sk); + + release_sock(sk); + return res;