From 7e06b1dcff09e0f30a87cef9918af6f352def8bb Mon Sep 17 00:00:00 2001 From: zador-blood-stained Date: Tue, 30 Aug 2016 23:04:38 +0300 Subject: [PATCH] Remove other patches merged by Hardkernel NOTE: C1 packaging patches are still broken --- .../odroidc1-default/1-patch-3.10.96-97.patch | 2341 ------ .../odroidc1-default/1-patch-3.10.97-98.patch | 1792 ----- .../odroidc1-default/1-patch-3.10.98-99.patch | 2573 ------- .../1-patch-3.10.99-100.patch | 1156 --- .../2-patch-3.10.100-101.patch | 1493 ---- .../2-patch-3.10.101-102.patch | 4381 ----------- .../2-patch-3.10.102-103.patch | 6785 ----------------- .../1-patch-3.10.96-97.patch | 2341 ------ .../1-patch-3.10.97-98.patch | 1792 ----- .../1-patch-3.10.98-99.patch | 2573 ------- .../1-patch-3.10.99-100.patch | 1156 --- .../2-patch-3.10.100-101.patch | 1493 ---- .../2-patch-3.10.101-102.patch | 4381 ----------- 13 files changed, 34257 deletions(-) delete mode 100644 patch/kernel/odroidc1-default/1-patch-3.10.96-97.patch delete mode 100644 patch/kernel/odroidc1-default/1-patch-3.10.97-98.patch delete mode 100644 patch/kernel/odroidc1-default/1-patch-3.10.98-99.patch delete mode 100644 patch/kernel/odroidc1-default/1-patch-3.10.99-100.patch delete mode 100644 patch/kernel/odroidc1-default/2-patch-3.10.100-101.patch delete mode 100644 patch/kernel/odroidc1-default/2-patch-3.10.101-102.patch delete mode 100644 patch/kernel/odroidc1-default/2-patch-3.10.102-103.patch delete mode 100644 patch/kernel/odroidxu4-default/1-patch-3.10.96-97.patch delete mode 100644 patch/kernel/odroidxu4-default/1-patch-3.10.97-98.patch delete mode 100644 patch/kernel/odroidxu4-default/1-patch-3.10.98-99.patch delete mode 100644 patch/kernel/odroidxu4-default/1-patch-3.10.99-100.patch delete mode 100644 patch/kernel/odroidxu4-default/2-patch-3.10.100-101.patch delete mode 100644 patch/kernel/odroidxu4-default/2-patch-3.10.101-102.patch diff --git a/patch/kernel/odroidc1-default/1-patch-3.10.96-97.patch b/patch/kernel/odroidc1-default/1-patch-3.10.96-97.patch deleted file mode 100644 index 487d76eb1..000000000 --- a/patch/kernel/odroidc1-default/1-patch-3.10.96-97.patch +++ /dev/null @@ -1,2341 +0,0 @@ -diff --git a/Makefile b/Makefile -index c88ea5d8d19c..f26470169c70 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 96 -+SUBLEVEL = 97 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/parisc/include/uapi/asm/mman.h b/arch/parisc/include/uapi/asm/mman.h -index 294d251ca7b2..2ae13ce592e8 100644 ---- a/arch/parisc/include/uapi/asm/mman.h -+++ b/arch/parisc/include/uapi/asm/mman.h -@@ -46,16 +46,6 @@ - #define MADV_DONTFORK 10 /* don't inherit across fork */ - #define MADV_DOFORK 11 /* do inherit across fork */ - --/* The range 12-64 is reserved for page size specification. */ --#define MADV_4K_PAGES 12 /* Use 4K pages */ --#define MADV_16K_PAGES 14 /* Use 16K pages */ --#define MADV_64K_PAGES 16 /* Use 64K pages */ --#define MADV_256K_PAGES 18 /* Use 256K pages */ --#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */ --#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */ --#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */ --#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */ -- - #define MADV_MERGEABLE 65 /* KSM may merge identical pages */ - #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */ - -diff --git a/arch/parisc/include/uapi/asm/siginfo.h b/arch/parisc/include/uapi/asm/siginfo.h -index d7034728f377..1c75565d984b 100644 ---- a/arch/parisc/include/uapi/asm/siginfo.h -+++ b/arch/parisc/include/uapi/asm/siginfo.h -@@ -1,6 +1,10 @@ - #ifndef _PARISC_SIGINFO_H - #define _PARISC_SIGINFO_H - -+#if defined(__LP64__) -+#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int)) -+#endif -+ - #include - - #undef NSIGTRAP -diff --git a/arch/parisc/kernel/signal.c b/arch/parisc/kernel/signal.c -index 940188d1942c..ae9aa83854c0 100644 ---- a/arch/parisc/kernel/signal.c -+++ b/arch/parisc/kernel/signal.c -@@ -449,6 +449,55 @@ handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka, - regs->gr[28]); - } - -+/* -+ * Check how the syscall number gets loaded into %r20 within -+ * the delay branch in userspace and adjust as needed. -+ */ -+ -+static void check_syscallno_in_delay_branch(struct pt_regs *regs) -+{ -+ u32 opcode, source_reg; -+ u32 __user *uaddr; -+ int err; -+ -+ /* Usually we don't have to restore %r20 (the system call number) -+ * because it gets loaded in the delay slot of the branch external -+ * instruction via the ldi instruction. -+ * In some cases a register-to-register copy instruction might have -+ * been used instead, in which case we need to copy the syscall -+ * number into the source register before returning to userspace. -+ */ -+ -+ /* A syscall is just a branch, so all we have to do is fiddle the -+ * return pointer so that the ble instruction gets executed again. -+ */ -+ regs->gr[31] -= 8; /* delayed branching */ -+ -+ /* Get assembler opcode of code in delay branch */ -+ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4); -+ err = get_user(opcode, uaddr); -+ if (err) -+ return; -+ -+ /* Check if delay branch uses "ldi int,%r20" */ -+ if ((opcode & 0xffff0000) == 0x34140000) -+ return; /* everything ok, just return */ -+ -+ /* Check if delay branch uses "nop" */ -+ if (opcode == INSN_NOP) -+ return; -+ -+ /* Check if delay branch uses "copy %rX,%r20" */ -+ if ((opcode & 0xffe0ffff) == 0x08000254) { -+ source_reg = (opcode >> 16) & 31; -+ regs->gr[source_reg] = regs->gr[20]; -+ return; -+ } -+ -+ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n", -+ current->comm, task_pid_nr(current), opcode); -+} -+ - static inline void - syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) - { -@@ -471,10 +520,7 @@ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) - } - /* fallthrough */ - case -ERESTARTNOINTR: -- /* A syscall is just a branch, so all -- * we have to do is fiddle the return pointer. -- */ -- regs->gr[31] -= 8; /* delayed branching */ -+ check_syscallno_in_delay_branch(regs); - break; - } - } -@@ -523,15 +569,9 @@ insert_restart_trampoline(struct pt_regs *regs) - } - case -ERESTARTNOHAND: - case -ERESTARTSYS: -- case -ERESTARTNOINTR: { -- /* Hooray for delayed branching. We don't -- * have to restore %r20 (the system call -- * number) because it gets loaded in the delay -- * slot of the branch external instruction. -- */ -- regs->gr[31] -= 8; -+ case -ERESTARTNOINTR: -+ check_syscallno_in_delay_branch(regs); - return; -- } - default: - break; - } -diff --git a/arch/sh/include/uapi/asm/unistd_64.h b/arch/sh/include/uapi/asm/unistd_64.h -index e6820c86e8c7..47ebd5b5ed55 100644 ---- a/arch/sh/include/uapi/asm/unistd_64.h -+++ b/arch/sh/include/uapi/asm/unistd_64.h -@@ -278,7 +278,7 @@ - #define __NR_fsetxattr 256 - #define __NR_getxattr 257 - #define __NR_lgetxattr 258 --#define __NR_fgetxattr 269 -+#define __NR_fgetxattr 259 - #define __NR_listxattr 260 - #define __NR_llistxattr 261 - #define __NR_flistxattr 262 -diff --git a/crypto/af_alg.c b/crypto/af_alg.c -index 6ef6e2ad344e..0ca108f3c840 100644 ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -125,6 +125,23 @@ int af_alg_release(struct socket *sock) - } - EXPORT_SYMBOL_GPL(af_alg_release); - -+void af_alg_release_parent(struct sock *sk) -+{ -+ struct alg_sock *ask = alg_sk(sk); -+ bool last; -+ -+ sk = ask->parent; -+ ask = alg_sk(sk); -+ -+ lock_sock(sk); -+ last = !--ask->refcnt; -+ release_sock(sk); -+ -+ if (last) -+ sock_put(sk); -+} -+EXPORT_SYMBOL_GPL(af_alg_release_parent); -+ - static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - { - struct sock *sk = sock->sk; -@@ -132,6 +149,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - struct sockaddr_alg *sa = (void *)uaddr; - const struct af_alg_type *type; - void *private; -+ int err; - - if (sock->state == SS_CONNECTED) - return -EINVAL; -@@ -157,16 +175,22 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - return PTR_ERR(private); - } - -+ err = -EBUSY; - lock_sock(sk); -+ if (ask->refcnt) -+ goto unlock; - - swap(ask->type, type); - swap(ask->private, private); - -+ err = 0; -+ -+unlock: - release_sock(sk); - - alg_do_release(type, private); - -- return 0; -+ return err; - } - - static int alg_setkey(struct sock *sk, char __user *ukey, -@@ -199,11 +223,15 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, - struct sock *sk = sock->sk; - struct alg_sock *ask = alg_sk(sk); - const struct af_alg_type *type; -- int err = -ENOPROTOOPT; -+ int err = -EBUSY; - - lock_sock(sk); -+ if (ask->refcnt) -+ goto unlock; -+ - type = ask->type; - -+ err = -ENOPROTOOPT; - if (level != SOL_ALG || !type) - goto unlock; - -@@ -247,14 +275,13 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) - security_sk_clone(sk, sk2); - - err = type->accept(ask->private, sk2); -- if (err) { -- sk_free(sk2); -+ if (err) - goto unlock; -- } - - sk2->sk_family = PF_ALG; - -- sock_hold(sk); -+ if (!ask->refcnt++) -+ sock_hold(sk); - alg_sk(sk2)->parent = sk; - alg_sk(sk2)->type = type; - -diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c -index 850246206b12..c542c0d88afd 100644 ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -51,7 +51,8 @@ static int hash_sendmsg(struct kiocb *unused, struct socket *sock, - - lock_sock(sk); - if (!ctx->more) { -- err = crypto_ahash_init(&ctx->req); -+ err = af_alg_wait_for_completion(crypto_ahash_init(&ctx->req), -+ &ctx->completion); - if (err) - goto unlock; - } -@@ -131,6 +132,7 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page, - } else { - if (!ctx->more) { - err = crypto_ahash_init(&ctx->req); -+ err = af_alg_wait_for_completion(err, &ctx->completion); - if (err) - goto unlock; - } -@@ -192,9 +194,14 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) - struct sock *sk2; - struct alg_sock *ask2; - struct hash_ctx *ctx2; -+ bool more; - int err; - -- err = crypto_ahash_export(req, state); -+ lock_sock(sk); -+ more = ctx->more; -+ err = more ? crypto_ahash_export(req, state) : 0; -+ release_sock(sk); -+ - if (err) - return err; - -@@ -205,7 +212,10 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) - sk2 = newsock->sk; - ask2 = alg_sk(sk2); - ctx2 = ask2->private; -- ctx2->more = 1; -+ ctx2->more = more; -+ -+ if (!more) -+ return err; - - err = crypto_ahash_import(&ctx2->req, state); - if (err) { -diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c -index c7666f401381..a3dfc0d83107 100644 ---- a/crypto/crypto_user.c -+++ b/crypto/crypto_user.c -@@ -477,6 +477,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - if (link->dump == NULL) - return -EINVAL; - -+ down_read(&crypto_alg_sem); - list_for_each_entry(alg, &crypto_alg_list, cra_list) - dump_alloc += CRYPTO_REPORT_MAXSIZE; - -@@ -486,8 +487,11 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - .done = link->done, - .min_dump_alloc = dump_alloc, - }; -- return netlink_dump_start(crypto_nlsk, skb, nlh, &c); -+ err = netlink_dump_start(crypto_nlsk, skb, nlh, &c); - } -+ up_read(&crypto_alg_sem); -+ -+ return err; - } - - err = nlmsg_parse(nlh, crypto_msg_min[type], attrs, CRYPTOCFGA_MAX, -diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c -index 9064a2f2760c..cb106934bf1c 100644 ---- a/drivers/ata/ahci.c -+++ b/drivers/ata/ahci.c -@@ -247,6 +247,26 @@ static const struct pci_device_id ahci_pci_tbl[] = { - { PCI_VDEVICE(INTEL, 0x3b2b), board_ahci }, /* PCH RAID */ - { PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH RAID */ - { PCI_VDEVICE(INTEL, 0x3b2f), board_ahci }, /* PCH AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b0), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b1), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b2), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b3), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b4), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b5), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b6), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b7), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19bE), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19bF), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c0), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c1), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c2), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c3), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c4), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c5), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c6), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c7), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19cE), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19cF), board_ahci }, /* DNV AHCI */ - { PCI_VDEVICE(INTEL, 0x1c02), board_ahci }, /* CPT AHCI */ - { PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT AHCI */ - { PCI_VDEVICE(INTEL, 0x1c04), board_ahci }, /* CPT RAID */ -diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index cf5f35877559..d04f5c8dbbdc 100644 ---- a/drivers/ata/libahci.c -+++ b/drivers/ata/libahci.c -@@ -486,8 +486,8 @@ void ahci_save_initial_config(struct device *dev, - } - } - -- /* fabricate port_map from cap.nr_ports */ -- if (!port_map) { -+ /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ -+ if (!port_map && vers < 0x10300) { - port_map = (1 << ahci_nr_ports(cap)) - 1; - dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); - -@@ -1244,6 +1244,15 @@ static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp, - ata_tf_to_fis(tf, pmp, is_cmd, fis); - ahci_fill_cmd_slot(pp, 0, cmd_fis_len | flags | (pmp << 12)); - -+ /* set port value for softreset of Port Multiplier */ -+ if (pp->fbs_enabled && pp->fbs_last_dev != pmp) { -+ tmp = readl(port_mmio + PORT_FBS); -+ tmp &= ~(PORT_FBS_DEV_MASK | PORT_FBS_DEC); -+ tmp |= pmp << PORT_FBS_DEV_OFFSET; -+ writel(tmp, port_mmio + PORT_FBS); -+ pp->fbs_last_dev = pmp; -+ } -+ - /* issue & wait */ - writel(1, port_mmio + PORT_CMD_ISSUE); - -diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c -index a6524c3efdf7..ce854bbd33ef 100644 ---- a/drivers/char/tpm/tpm_ibmvtpm.c -+++ b/drivers/char/tpm/tpm_ibmvtpm.c -@@ -529,7 +529,7 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, - } - ibmvtpm->rtce_size = be16_to_cpu(crq->len); - ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size, -- GFP_KERNEL); -+ GFP_ATOMIC); - if (!ibmvtpm->rtce_buf) { - dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n"); - return; -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index de904e6a4ab7..5da58e3899eb 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -490,8 +490,6 @@ static void hid_ctrl(struct urb *urb) - struct usbhid_device *usbhid = hid->driver_data; - int unplug = 0, status = urb->status; - -- spin_lock(&usbhid->lock); -- - switch (status) { - case 0: /* success */ - if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN) -@@ -511,6 +509,8 @@ static void hid_ctrl(struct urb *urb) - hid_warn(urb->dev, "ctrl urb status %d received\n", status); - } - -+ spin_lock(&usbhid->lock); -+ - if (unplug) { - usbhid->ctrltail = usbhid->ctrlhead; - } else { -diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c -index 0ba21b0f3972..eb7ddb20fd48 100644 ---- a/drivers/md/dm-mpath.c -+++ b/drivers/md/dm-mpath.c -@@ -1608,11 +1608,8 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd, - /* - * Only pass ioctls through if the device sizes match exactly. - */ -- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) { -- int err = scsi_verify_blk_ioctl(NULL, cmd); -- if (err) -- r = err; -- } -+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) -+ r = scsi_verify_blk_ioctl(NULL, cmd); - - if (r == -ENOTCONN && !fatal_signal_pending(current)) - queue_work(kmultipathd, &m->process_queued_ios); -diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c -index b53669404cb5..6d7f4d950b8f 100644 ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -455,8 +455,10 @@ static int btree_split_sibling(struct shadow_spine *s, dm_block_t root, - - r = insert_at(sizeof(__le64), pn, parent_index + 1, - le64_to_cpu(rn->keys[0]), &location); -- if (r) -+ if (r) { -+ unlock_block(s->info, right); - return r; -+ } - - if (key < le64_to_cpu(rn->keys[0])) { - unlock_block(s->info, right); -diff --git a/drivers/media/pci/saa7134/saa7134-alsa.c b/drivers/media/pci/saa7134/saa7134-alsa.c -index dbcdfbf8aed0..11b0ef3a2858 100644 ---- a/drivers/media/pci/saa7134/saa7134-alsa.c -+++ b/drivers/media/pci/saa7134/saa7134-alsa.c -@@ -1145,6 +1145,8 @@ static int alsa_device_init(struct saa7134_dev *dev) - - static int alsa_device_exit(struct saa7134_dev *dev) - { -+ if (!snd_saa7134_cards[dev->nr]) -+ return 1; - - snd_card_free(snd_saa7134_cards[dev->nr]); - snd_saa7134_cards[dev->nr] = NULL; -@@ -1194,7 +1196,8 @@ static void saa7134_alsa_exit(void) - int idx; - - for (idx = 0; idx < SNDRV_CARDS; idx++) { -- snd_card_free(snd_saa7134_cards[idx]); -+ if (snd_saa7134_cards[idx]) -+ snd_card_free(snd_saa7134_cards[idx]); - } - - saa7134_dmasound_init = NULL; -diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index e2b0a0969ebb..35fb8f0cb539 100644 ---- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -@@ -264,7 +264,7 @@ static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_ - - struct v4l2_standard32 { - __u32 index; -- __u32 id[2]; /* __u64 would get the alignment wrong */ -+ compat_u64 id; - __u8 name[24]; - struct v4l2_fract frameperiod; /* Frames, not fields */ - __u32 framelines; -@@ -284,7 +284,7 @@ static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 - { - if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || - put_user(kp->index, &up->index) || -- copy_to_user(up->id, &kp->id, sizeof(__u64)) || -+ put_user(kp->id, &up->id) || - copy_to_user(up->name, kp->name, 24) || - copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) || - put_user(kp->framelines, &up->framelines) || -@@ -576,10 +576,10 @@ struct v4l2_input32 { - __u32 type; /* Type of input */ - __u32 audioset; /* Associated audios (bitfield) */ - __u32 tuner; /* Associated tuner */ -- v4l2_std_id std; -+ compat_u64 std; - __u32 status; - __u32 reserved[4]; --} __attribute__ ((packed)); -+}; - - /* The 64-bit v4l2_input struct has extra padding at the end of the struct. - Otherwise it is identical to the 32-bit version. */ -@@ -719,6 +719,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext - struct v4l2_event32 { - __u32 type; - union { -+ compat_s64 value64; - __u8 data[64]; - } u; - __u32 pending; -diff --git a/drivers/media/v4l2-core/videobuf2-dma-contig.c b/drivers/media/v4l2-core/videobuf2-dma-contig.c -index fd56f2563201..297fbc59a800 100644 ---- a/drivers/media/v4l2-core/videobuf2-dma-contig.c -+++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c -@@ -117,7 +117,8 @@ static void vb2_dc_prepare(void *buf_priv) - if (!sgt || buf->db_attach) - return; - -- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); -+ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents, -+ buf->dma_dir); - } - - static void vb2_dc_finish(void *buf_priv) -@@ -129,7 +130,7 @@ static void vb2_dc_finish(void *buf_priv) - if (!sgt || buf->db_attach) - return; - -- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); -+ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir); - } - - /*********************************************/ -diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c -index 301493382cd0..f8013c1d8cd5 100644 ---- a/drivers/mtd/mtdpart.c -+++ b/drivers/mtd/mtdpart.c -@@ -634,8 +634,10 @@ int add_mtd_partitions(struct mtd_info *master, - - for (i = 0; i < nbparts; i++) { - slave = allocate_partition(master, parts + i, i, cur_offset); -- if (IS_ERR(slave)) -+ if (IS_ERR(slave)) { -+ del_mtd_partitions(master); - return PTR_ERR(slave); -+ } - - mutex_lock(&mtd_partitions_mutex); - list_add(&slave->list, &mtd_partitions); -diff --git a/drivers/net/wireless/ti/wlcore/io.h b/drivers/net/wireless/ti/wlcore/io.h -index af7d9f9b3b4d..beed58b0c795 100644 ---- a/drivers/net/wireless/ti/wlcore/io.h -+++ b/drivers/net/wireless/ti/wlcore/io.h -@@ -203,19 +203,23 @@ static inline int __must_check wlcore_write_reg(struct wl1271 *wl, int reg, - - static inline void wl1271_power_off(struct wl1271 *wl) - { -- int ret; -+ int ret = 0; - - if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags)) - return; - -- ret = wl->if_ops->power(wl->dev, false); -+ if (wl->if_ops->power) -+ ret = wl->if_ops->power(wl->dev, false); - if (!ret) - clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); - } - - static inline int wl1271_power_on(struct wl1271 *wl) - { -- int ret = wl->if_ops->power(wl->dev, true); -+ int ret = 0; -+ -+ if (wl->if_ops->power) -+ ret = wl->if_ops->power(wl->dev, true); - if (ret == 0) - set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); - -diff --git a/drivers/net/wireless/ti/wlcore/spi.c b/drivers/net/wireless/ti/wlcore/spi.c -index e26447832683..bfb57e671034 100644 ---- a/drivers/net/wireless/ti/wlcore/spi.c -+++ b/drivers/net/wireless/ti/wlcore/spi.c -@@ -72,7 +72,10 @@ - */ - #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE) - --#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) -+/* Maximum number of SPI write chunks */ -+#define WSPI_MAX_NUM_OF_CHUNKS \ -+ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1) -+ - - struct wl12xx_spi_glue { - struct device *dev; -@@ -270,9 +273,10 @@ static int __must_check wl12xx_spi_raw_write(struct device *child, int addr, - void *buf, size_t len, bool fixed) - { - struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent); -- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)]; -+ /* SPI write buffers - 2 for each chunk */ -+ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS]; - struct spi_message m; -- u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; -+ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */ - u32 *cmd; - u32 chunk_len; - int i; -diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c -index 157a57309601..4ef0dbdcace1 100644 ---- a/drivers/remoteproc/remoteproc_debugfs.c -+++ b/drivers/remoteproc/remoteproc_debugfs.c -@@ -156,7 +156,7 @@ rproc_recovery_write(struct file *filp, const char __user *user_buf, - char buf[10]; - int ret; - -- if (count > sizeof(buf)) -+ if (count < 1 || count > sizeof(buf)) - return count; - - ret = copy_from_user(buf, user_buf, count); -diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c -index 380387a47b1d..462af46ceee7 100644 ---- a/drivers/spi/spi-atmel.c -+++ b/drivers/spi/spi-atmel.c -@@ -594,7 +594,8 @@ static int atmel_spi_next_xfer_dma_submit(struct spi_master *master, - - *plen = len; - -- if (atmel_spi_dma_slave_config(as, &slave_config, 8)) -+ if (atmel_spi_dma_slave_config(as, &slave_config, -+ xfer->bits_per_word)) - goto err_exit; - - /* Send both scatterlists */ -diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c -index 7c159634aaae..cc80ab14aa32 100644 ---- a/drivers/spi/spi.c -+++ b/drivers/spi/spi.c -@@ -1047,7 +1047,7 @@ struct spi_master *spi_alloc_master(struct device *dev, unsigned size) - master->bus_num = -1; - master->num_chipselect = 1; - master->dev.class = &spi_master_class; -- master->dev.parent = get_device(dev); -+ master->dev.parent = dev; - spi_master_set_devdata(master, &master[1]); - - return master; -diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 2967b6eb4c70..8977eaf24d9f 100644 ---- a/drivers/tty/tty_io.c -+++ b/drivers/tty/tty_io.c -@@ -2576,6 +2576,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p) - } - - /** -+ * tiocgetd - get line discipline -+ * @tty: tty device -+ * @p: pointer to user data -+ * -+ * Retrieves the line discipline id directly from the ldisc. -+ * -+ * Locking: waits for ldisc reference (in case the line discipline -+ * is changing or the tty is being hungup) -+ */ -+ -+static int tiocgetd(struct tty_struct *tty, int __user *p) -+{ -+ struct tty_ldisc *ld; -+ int ret; -+ -+ ld = tty_ldisc_ref_wait(tty); -+ ret = put_user(ld->ops->num, p); -+ tty_ldisc_deref(ld); -+ return ret; -+} -+ -+/** - * send_break - performed time break - * @tty: device to break on - * @duration: timeout in mS -@@ -2789,7 +2811,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - case TIOCGSID: - return tiocgsid(tty, real_tty, p); - case TIOCGETD: -- return put_user(tty->ldisc->ops->num, (int __user *)p); -+ return tiocgetd(tty, p); - case TIOCSETD: - return tiocsetd(tty, p); - case TIOCVHANGUP: -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 4dc18615cd0f..9dd6fa3a1260 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -4788,6 +4788,9 @@ static int __init xhci_hcd_init(void) - { - int retval; - -+ if (usb_disabled()) -+ return -ENODEV; -+ - retval = xhci_register_pci(); - if (retval < 0) { - printk(KERN_DEBUG "Problem registering PCI driver."); -@@ -4816,9 +4819,6 @@ static int __init xhci_hcd_init(void) - /* xhci_run_regs has eight fields and embeds 128 xhci_intr_regs */ - BUILD_BUG_ON(sizeof(struct xhci_run_regs) != (8+8*128)*32/8); - -- if (usb_disabled()) -- return -ENODEV; -- - return 0; - unreg_pci: - xhci_unregister_pci(); -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 72c14d7d604f..89ba7cfba5bc 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -98,6 +98,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x81AC) }, /* MSD Dash Hawk */ - { USB_DEVICE(0x10C4, 0x81AD) }, /* INSYS USB Modem */ - { USB_DEVICE(0x10C4, 0x81C8) }, /* Lipowsky Industrie Elektronik GmbH, Baby-JTAG */ -+ { USB_DEVICE(0x10C4, 0x81D7) }, /* IAI Corp. RCB-CV-USB USB to RS485 Adaptor */ - { USB_DEVICE(0x10C4, 0x81E2) }, /* Lipowsky Industrie Elektronik GmbH, Baby-LIN */ - { USB_DEVICE(0x10C4, 0x81E7) }, /* Aerocomm Radio */ - { USB_DEVICE(0x10C4, 0x81E8) }, /* Zephyr Bioharness */ -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c -index 514f3117ee2b..4e865664699b 100644 ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -840,6 +840,7 @@ static struct usb_device_id id_table_combined [] = { - { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID), - .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, - { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, -+ { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) }, - { USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) }, - - /* Papouch devices based on FTDI chip */ -diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h -index bfb0ecd98808..3eff1d6a2b17 100644 ---- a/drivers/usb/serial/ftdi_sio_ids.h -+++ b/drivers/usb/serial/ftdi_sio_ids.h -@@ -615,6 +615,7 @@ - */ - #define RATOC_VENDOR_ID 0x0584 - #define RATOC_PRODUCT_ID_USB60F 0xb020 -+#define RATOC_PRODUCT_ID_SCU18 0xb03a - - /* - * Infineon Technologies -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index bdbe642e6569..81f6a572f016 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -269,6 +269,8 @@ static void option_instat_callback(struct urb *urb); - #define TELIT_PRODUCT_CC864_SINGLE 0x1006 - #define TELIT_PRODUCT_DE910_DUAL 0x1010 - #define TELIT_PRODUCT_UE910_V2 0x1012 -+#define TELIT_PRODUCT_LE922_USBCFG0 0x1042 -+#define TELIT_PRODUCT_LE922_USBCFG3 0x1043 - #define TELIT_PRODUCT_LE920 0x1200 - #define TELIT_PRODUCT_LE910 0x1201 - -@@ -623,6 +625,16 @@ static const struct option_blacklist_info telit_le920_blacklist = { - .reserved = BIT(1) | BIT(5), - }; - -+static const struct option_blacklist_info telit_le922_blacklist_usbcfg0 = { -+ .sendsetup = BIT(2), -+ .reserved = BIT(0) | BIT(1) | BIT(3), -+}; -+ -+static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { -+ .sendsetup = BIT(0), -+ .reserved = BIT(1) | BIT(2) | BIT(3), -+}; -+ - static const struct usb_device_id option_ids[] = { - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, -@@ -1168,6 +1180,10 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, -+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, -+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), - .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), -@@ -1679,7 +1695,7 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX) }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, -diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c -index 4cc84c0c990d..0a7c68fa5e5e 100644 ---- a/drivers/usb/serial/ti_usb_3410_5052.c -+++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -158,7 +158,7 @@ static unsigned int product_5052_count; - /* the array dimension is the number of default entries plus */ - /* TI_EXTRA_VID_PID_COUNT user defined entries plus 1 terminating */ - /* null entry */ --static struct usb_device_id ti_id_table_3410[15+TI_EXTRA_VID_PID_COUNT+1] = { -+static struct usb_device_id ti_id_table_3410[16+TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) }, - { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) }, - { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) }, -@@ -184,7 +184,7 @@ static struct usb_device_id ti_id_table_5052[5+TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_5052_FIRMWARE_PRODUCT_ID) }, - }; - --static struct usb_device_id ti_id_table_combined[19+2*TI_EXTRA_VID_PID_COUNT+1] = { -+static struct usb_device_id ti_id_table_combined[20+2*TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) }, - { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) }, - { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) }, -diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c -index 727905de0ba4..605068e6acf2 100644 ---- a/drivers/usb/serial/visor.c -+++ b/drivers/usb/serial/visor.c -@@ -551,6 +551,11 @@ static int treo_attach(struct usb_serial *serial) - (serial->num_interrupt_in == 0)) - return 0; - -+ if (serial->num_bulk_in < 2 || serial->num_interrupt_in < 2) { -+ dev_err(&serial->interface->dev, "missing endpoints\n"); -+ return -ENODEV; -+ } -+ - /* - * It appears that Treos and Kyoceras want to use the - * 1st bulk in endpoint to communicate with the 2nd bulk out endpoint, -@@ -604,8 +609,10 @@ static int clie_5_attach(struct usb_serial *serial) - */ - - /* some sanity check */ -- if (serial->num_ports < 2) -- return -1; -+ if (serial->num_bulk_out < 2) { -+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); -+ return -ENODEV; -+ } - - /* port 0 now uses the modified endpoint Address */ - port = serial->port[0]; -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 618bcc84a09e..948e6f21b594 100644 ---- a/fs/binfmt_elf.c -+++ b/fs/binfmt_elf.c -@@ -682,16 +682,16 @@ static int load_elf_binary(struct linux_binprm *bprm) - */ - would_dump(bprm, interpreter); - -- retval = kernel_read(interpreter, 0, bprm->buf, -- BINPRM_BUF_SIZE); -- if (retval != BINPRM_BUF_SIZE) { -+ /* Get the exec headers */ -+ retval = kernel_read(interpreter, 0, -+ (void *)&loc->interp_elf_ex, -+ sizeof(loc->interp_elf_ex)); -+ if (retval != sizeof(loc->interp_elf_ex)) { - if (retval >= 0) - retval = -EIO; - goto out_free_dentry; - } - -- /* Get the exec headers */ -- loc->interp_elf_ex = *((struct elfhdr *)bprm->buf); - break; - } - elf_ppnt++; -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 2a71466b0115..6f74b8919237 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -728,19 +729,55 @@ struct move_extent { - <= (EXT4_GOOD_OLD_INODE_SIZE + \ - (einode)->i_extra_isize)) \ - -+/* -+ * We use an encoding that preserves the times for extra epoch "00": -+ * -+ * extra msb of adjust for signed -+ * epoch 32-bit 32-bit tv_sec to -+ * bits time decoded 64-bit tv_sec 64-bit tv_sec valid time range -+ * 0 0 1 -0x80000000..-0x00000001 0x000000000 1901-12-13..1969-12-31 -+ * 0 0 0 0x000000000..0x07fffffff 0x000000000 1970-01-01..2038-01-19 -+ * 0 1 1 0x080000000..0x0ffffffff 0x100000000 2038-01-19..2106-02-07 -+ * 0 1 0 0x100000000..0x17fffffff 0x100000000 2106-02-07..2174-02-25 -+ * 1 0 1 0x180000000..0x1ffffffff 0x200000000 2174-02-25..2242-03-16 -+ * 1 0 0 0x200000000..0x27fffffff 0x200000000 2242-03-16..2310-04-04 -+ * 1 1 1 0x280000000..0x2ffffffff 0x300000000 2310-04-04..2378-04-22 -+ * 1 1 0 0x300000000..0x37fffffff 0x300000000 2378-04-22..2446-05-10 -+ * -+ * Note that previous versions of the kernel on 64-bit systems would -+ * incorrectly use extra epoch bits 1,1 for dates between 1901 and -+ * 1970. e2fsck will correct this, assuming that it is run on the -+ * affected filesystem before 2242. -+ */ -+ - static inline __le32 ext4_encode_extra_time(struct timespec *time) - { -- return cpu_to_le32((sizeof(time->tv_sec) > 4 ? -- (time->tv_sec >> 32) & EXT4_EPOCH_MASK : 0) | -- ((time->tv_nsec << EXT4_EPOCH_BITS) & EXT4_NSEC_MASK)); -+ u32 extra = sizeof(time->tv_sec) > 4 ? -+ ((time->tv_sec - (s32)time->tv_sec) >> 32) & EXT4_EPOCH_MASK : 0; -+ return cpu_to_le32(extra | (time->tv_nsec << EXT4_EPOCH_BITS)); - } - - static inline void ext4_decode_extra_time(struct timespec *time, __le32 extra) - { -- if (sizeof(time->tv_sec) > 4) -- time->tv_sec |= (__u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) -- << 32; -- time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; -+ if (unlikely(sizeof(time->tv_sec) > 4 && -+ (extra & cpu_to_le32(EXT4_EPOCH_MASK)))) { -+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0) -+ /* Handle legacy encoding of pre-1970 dates with epoch -+ * bits 1,1. We assume that by kernel version 4.20, -+ * everyone will have run fsck over the affected -+ * filesystems to correct the problem. (This -+ * backwards compatibility may be removed before this -+ * time, at the discretion of the ext4 developers.) -+ */ -+ u64 extra_bits = le32_to_cpu(extra) & EXT4_EPOCH_MASK; -+ if (extra_bits == 3 && ((time->tv_sec) & 0x80000000) != 0) -+ extra_bits = 0; -+ time->tv_sec += extra_bits << 32; -+#else -+ time->tv_sec += (u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) << 32; -+#endif -+ } -+ time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; - } - - #define EXT4_INODE_SET_XTIME(xtime, inode, raw_inode) \ -diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c -index a69bd74ed390..fa7d2e668c3a 100644 ---- a/fs/ext4/resize.c -+++ b/fs/ext4/resize.c -@@ -1025,7 +1025,7 @@ exit_free: - * do not copy the full number of backups at this time. The resize - * which changed s_groups_count will backup again. - */ --static void update_backups(struct super_block *sb, int blk_off, char *data, -+static void update_backups(struct super_block *sb, sector_t blk_off, char *data, - int size, int meta_bg) - { - struct ext4_sb_info *sbi = EXT4_SB(sb); -@@ -1050,7 +1050,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data, - group = ext4_list_backups(sb, &three, &five, &seven); - last = sbi->s_groups_count; - } else { -- group = ext4_meta_bg_first_group(sb, group) + 1; -+ group = ext4_get_group_number(sb, blk_off) + 1; - last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2); - } - -diff --git a/fs/fscache/netfs.c b/fs/fscache/netfs.c -index e028b8eb1c40..0912b90e05bc 100644 ---- a/fs/fscache/netfs.c -+++ b/fs/fscache/netfs.c -@@ -45,9 +45,6 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) - netfs->primary_index->parent = &fscache_fsdef_index; - netfs->primary_index->netfs_data = netfs; - -- atomic_inc(&netfs->primary_index->parent->usage); -- atomic_inc(&netfs->primary_index->parent->n_children); -- - spin_lock_init(&netfs->primary_index->lock); - INIT_HLIST_HEAD(&netfs->primary_index->backing_objects); - -@@ -60,6 +57,9 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) - goto already_registered; - } - -+ atomic_inc(&netfs->primary_index->parent->usage); -+ atomic_inc(&netfs->primary_index->parent->n_children); -+ - list_add(&netfs->link, &fscache_netfs_list); - ret = 0; - -@@ -70,8 +70,7 @@ already_registered: - up_write(&fscache_addremove_sem); - - if (ret < 0) { -- netfs->primary_index->parent = NULL; -- __fscache_cookie_put(netfs->primary_index); -+ kmem_cache_free(fscache_cookie_jar, netfs->primary_index); - netfs->primary_index = NULL; - } - -diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c -index ec34e11d6854..21b828c713cc 100644 ---- a/fs/jbd2/transaction.c -+++ b/fs/jbd2/transaction.c -@@ -1936,6 +1936,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, - - if (!buffer_dirty(bh)) { - /* bdflush has written it. We can drop it now */ -+ __jbd2_journal_remove_checkpoint(jh); - goto zap_buffer; - } - -@@ -1965,6 +1966,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, - /* The orphan record's transaction has - * committed. We can cleanse this buffer */ - clear_buffer_jbddirty(bh); -+ __jbd2_journal_remove_checkpoint(jh); - goto zap_buffer; - } - } -diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c -index 2c119d5d04c9..d084200dbc4e 100644 ---- a/fs/ocfs2/dlm/dlmmaster.c -+++ b/fs/ocfs2/dlm/dlmmaster.c -@@ -2456,6 +2456,11 @@ static int dlm_migrate_lockres(struct dlm_ctxt *dlm, - spin_lock(&dlm->master_lock); - ret = dlm_add_migration_mle(dlm, res, mle, &oldmle, name, - namelen, target, dlm->node_num); -+ /* get an extra reference on the mle. -+ * otherwise the assert_master from the new -+ * master will destroy this. -+ */ -+ dlm_get_mle_inuse(mle); - spin_unlock(&dlm->master_lock); - spin_unlock(&dlm->spinlock); - -@@ -2491,6 +2496,7 @@ fail: - if (mle_added) { - dlm_mle_detach_hb_events(dlm, mle); - dlm_put_mle(mle); -+ dlm_put_mle_inuse(mle); - } else if (mle) { - kmem_cache_free(dlm_mle_cache, mle); - mle = NULL; -@@ -2508,17 +2514,6 @@ fail: - * ensure that all assert_master work is flushed. */ - flush_workqueue(dlm->dlm_worker); - -- /* get an extra reference on the mle. -- * otherwise the assert_master from the new -- * master will destroy this. -- * also, make sure that all callers of dlm_get_mle -- * take both dlm->spinlock and dlm->master_lock */ -- spin_lock(&dlm->spinlock); -- spin_lock(&dlm->master_lock); -- dlm_get_mle_inuse(mle); -- spin_unlock(&dlm->master_lock); -- spin_unlock(&dlm->spinlock); -- - /* notify new node and send all lock state */ - /* call send_one_lockres with migration flag. - * this serves as notice to the target node that a -@@ -3246,6 +3241,15 @@ top: - mle->new_master != dead_node) - continue; - -+ if (mle->new_master == dead_node && mle->inuse) { -+ mlog(ML_NOTICE, "%s: target %u died during " -+ "migration from %u, the MLE is " -+ "still keep used, ignore it!\n", -+ dlm->name, dead_node, -+ mle->master); -+ continue; -+ } -+ - /* If we have reached this point, this mle needs to be - * removed from the list and freed. */ - dlm_clean_migration_mle(dlm, mle); -diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c -index 9bd981cd3142..01c69f24e416 100644 ---- a/fs/ocfs2/dlm/dlmrecovery.c -+++ b/fs/ocfs2/dlm/dlmrecovery.c -@@ -2326,6 +2326,8 @@ static void dlm_do_local_recovery_cleanup(struct dlm_ctxt *dlm, u8 dead_node) - break; - } - } -+ dlm_lockres_clear_refmap_bit(dlm, res, -+ dead_node); - spin_unlock(&res->spinlock); - continue; - } -diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c -index c327d4ee1235..7b3792e5844a 100644 ---- a/fs/sysv/inode.c -+++ b/fs/sysv/inode.c -@@ -161,14 +161,8 @@ void sysv_set_inode(struct inode *inode, dev_t rdev) - inode->i_fop = &sysv_dir_operations; - inode->i_mapping->a_ops = &sysv_aops; - } else if (S_ISLNK(inode->i_mode)) { -- if (inode->i_blocks) { -- inode->i_op = &sysv_symlink_inode_operations; -- inode->i_mapping->a_ops = &sysv_aops; -- } else { -- inode->i_op = &sysv_fast_symlink_inode_operations; -- nd_terminate_link(SYSV_I(inode)->i_data, inode->i_size, -- sizeof(SYSV_I(inode)->i_data) - 1); -- } -+ inode->i_op = &sysv_symlink_inode_operations; -+ inode->i_mapping->a_ops = &sysv_aops; - } else - init_special_inode(inode, inode->i_mode, rdev); - } -diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h -index d61c11170213..2f38daaab3d7 100644 ---- a/include/crypto/if_alg.h -+++ b/include/crypto/if_alg.h -@@ -30,6 +30,8 @@ struct alg_sock { - - struct sock *parent; - -+ unsigned int refcnt; -+ - const struct af_alg_type *type; - void *private; - }; -@@ -64,6 +66,7 @@ int af_alg_register_type(const struct af_alg_type *type); - int af_alg_unregister_type(const struct af_alg_type *type); - - int af_alg_release(struct socket *sock); -+void af_alg_release_parent(struct sock *sk); - int af_alg_accept(struct sock *sk, struct socket *newsock); - - int af_alg_make_sg(struct af_alg_sgl *sgl, void __user *addr, int len, -@@ -80,11 +83,6 @@ static inline struct alg_sock *alg_sk(struct sock *sk) - return (struct alg_sock *)sk; - } - --static inline void af_alg_release_parent(struct sock *sk) --{ -- sock_put(alg_sk(sk)->parent); --} -- - static inline void af_alg_init_completion(struct af_alg_completion *completion) - { - init_completion(&completion->completion); -diff --git a/include/linux/signal.h b/include/linux/signal.h -index 2ac423bdb676..53944e50e421 100644 ---- a/include/linux/signal.h -+++ b/include/linux/signal.h -@@ -247,7 +247,6 @@ extern int sigprocmask(int, sigset_t *, sigset_t *); - extern void set_current_blocked(sigset_t *); - extern void __set_current_blocked(const sigset_t *); - extern int show_unhandled_signals; --extern int sigsuspend(sigset_t *); - - struct sigaction { - #ifndef __ARCH_HAS_IRIX_SIGACTION -diff --git a/kernel/signal.c b/kernel/signal.c -index 2e51bcbea1e3..4d1f7fa3138d 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -3551,7 +3551,7 @@ SYSCALL_DEFINE0(pause) - - #endif - --int sigsuspend(sigset_t *set) -+static int sigsuspend(sigset_t *set) - { - current->saved_sigmask = current->blocked; - set_current_blocked(set); -diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h -index 49b582a225b0..b9897e2be404 100644 ---- a/scripts/recordmcount.h -+++ b/scripts/recordmcount.h -@@ -377,7 +377,7 @@ static void nop_mcount(Elf_Shdr const *const relhdr, - - if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { - if (make_nop) -- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset); -+ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset)); - if (warn_on_notrace_sect && !once) { - printf("Section %s has mcount callers being ignored\n", - txtname); -diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c -index 3fdf998ad057..572f95175e97 100644 ---- a/sound/core/compress_offload.c -+++ b/sound/core/compress_offload.c -@@ -44,6 +44,13 @@ - #include - #include - -+/* struct snd_compr_codec_caps overflows the ioctl bit size for some -+ * architectures, so we need to disable the relevant ioctls. -+ */ -+#if _IOC_SIZEBITS < 14 -+#define COMPR_CODEC_CAPS_OVERFLOW -+#endif -+ - /* TODO: - * - add substream support for multiple devices in case of - * SND_DYNAMIC_MINORS is not used -@@ -427,6 +434,7 @@ out: - return retval; - } - -+#ifndef COMPR_CODEC_CAPS_OVERFLOW - static int - snd_compr_get_codec_caps(struct snd_compr_stream *stream, unsigned long arg) - { -@@ -450,6 +458,7 @@ out: - kfree(caps); - return retval; - } -+#endif /* !COMPR_CODEC_CAPS_OVERFLOW */ - - /* revisit this with snd_pcm_preallocate_xxx */ - static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, -@@ -791,9 +800,11 @@ static long snd_compr_ioctl(struct file *f, unsigned int cmd, unsigned long arg) - case _IOC_NR(SNDRV_COMPRESS_GET_CAPS): - retval = snd_compr_get_caps(stream, arg); - break; -+#ifndef COMPR_CODEC_CAPS_OVERFLOW - case _IOC_NR(SNDRV_COMPRESS_GET_CODEC_CAPS): - retval = snd_compr_get_codec_caps(stream, arg); - break; -+#endif - case _IOC_NR(SNDRV_COMPRESS_SET_PARAMS): - retval = snd_compr_set_params(stream, arg); - break; -diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c -index 4c1cc51772e6..7417f96cea6e 100644 ---- a/sound/core/oss/pcm_oss.c -+++ b/sound/core/oss/pcm_oss.c -@@ -834,7 +834,8 @@ static int choose_rate(struct snd_pcm_substream *substream, - return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); - } - --static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream) -+static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, -+ bool trylock) - { - struct snd_pcm_runtime *runtime = substream->runtime; - struct snd_pcm_hw_params *params, *sparams; -@@ -848,7 +849,10 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream) - struct snd_mask sformat_mask; - struct snd_mask mask; - -- if (mutex_lock_interruptible(&runtime->oss.params_lock)) -+ if (trylock) { -+ if (!(mutex_trylock(&runtime->oss.params_lock))) -+ return -EAGAIN; -+ } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -EINTR; - sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); - params = kmalloc(sizeof(*params), GFP_KERNEL); -@@ -1091,7 +1095,7 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil - if (asubstream == NULL) - asubstream = substream; - if (substream->runtime->oss.params) { -- err = snd_pcm_oss_change_params(substream); -+ err = snd_pcm_oss_change_params(substream, false); - if (err < 0) - return err; - } -@@ -1130,7 +1134,7 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream) - return 0; - runtime = substream->runtime; - if (runtime->oss.params) { -- err = snd_pcm_oss_change_params(substream); -+ err = snd_pcm_oss_change_params(substream, false); - if (err < 0) - return err; - } -@@ -2168,7 +2172,7 @@ static int snd_pcm_oss_get_space(struct snd_pcm_oss_file *pcm_oss_file, int stre - runtime = substream->runtime; - - if (runtime->oss.params && -- (err = snd_pcm_oss_change_params(substream)) < 0) -+ (err = snd_pcm_oss_change_params(substream, false)) < 0) - return err; - - info.fragsize = runtime->oss.period_bytes; -@@ -2804,7 +2808,12 @@ static int snd_pcm_oss_mmap(struct file *file, struct vm_area_struct *area) - return -EIO; - - if (runtime->oss.params) { -- if ((err = snd_pcm_oss_change_params(substream)) < 0) -+ /* use mutex_trylock() for params_lock for avoiding a deadlock -+ * between mmap_sem and params_lock taken by -+ * copy_from/to_user() in snd_pcm_oss_write/read() -+ */ -+ err = snd_pcm_oss_change_params(substream, true); -+ if (err < 0) - return err; - } - #ifdef CONFIG_SND_PCM_OSS_PLUGINS -diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c -index 7b596b5751db..500765f20843 100644 ---- a/sound/core/rawmidi.c -+++ b/sound/core/rawmidi.c -@@ -934,31 +934,36 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream, - unsigned long flags; - long result = 0, count1; - struct snd_rawmidi_runtime *runtime = substream->runtime; -+ unsigned long appl_ptr; - -+ spin_lock_irqsave(&runtime->lock, flags); - while (count > 0 && runtime->avail) { - count1 = runtime->buffer_size - runtime->appl_ptr; - if (count1 > count) - count1 = count; -- spin_lock_irqsave(&runtime->lock, flags); - if (count1 > (int)runtime->avail) - count1 = runtime->avail; -+ -+ /* update runtime->appl_ptr before unlocking for userbuf */ -+ appl_ptr = runtime->appl_ptr; -+ runtime->appl_ptr += count1; -+ runtime->appl_ptr %= runtime->buffer_size; -+ runtime->avail -= count1; -+ - if (kernelbuf) -- memcpy(kernelbuf + result, runtime->buffer + runtime->appl_ptr, count1); -+ memcpy(kernelbuf + result, runtime->buffer + appl_ptr, count1); - if (userbuf) { - spin_unlock_irqrestore(&runtime->lock, flags); - if (copy_to_user(userbuf + result, -- runtime->buffer + runtime->appl_ptr, count1)) { -+ runtime->buffer + appl_ptr, count1)) { - return result > 0 ? result : -EFAULT; - } - spin_lock_irqsave(&runtime->lock, flags); - } -- runtime->appl_ptr += count1; -- runtime->appl_ptr %= runtime->buffer_size; -- runtime->avail -= count1; -- spin_unlock_irqrestore(&runtime->lock, flags); - result += count1; - count -= count1; - } -+ spin_unlock_irqrestore(&runtime->lock, flags); - return result; - } - -@@ -1161,8 +1166,9 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, - unsigned long flags; - long count1, result; - struct snd_rawmidi_runtime *runtime = substream->runtime; -+ unsigned long appl_ptr; - -- if (snd_BUG_ON(!kernelbuf && !userbuf)) -+ if (!kernelbuf && !userbuf) - return -EINVAL; - if (snd_BUG_ON(!runtime->buffer)) - return -EINVAL; -@@ -1181,12 +1187,19 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, - count1 = count; - if (count1 > (long)runtime->avail) - count1 = runtime->avail; -+ -+ /* update runtime->appl_ptr before unlocking for userbuf */ -+ appl_ptr = runtime->appl_ptr; -+ runtime->appl_ptr += count1; -+ runtime->appl_ptr %= runtime->buffer_size; -+ runtime->avail -= count1; -+ - if (kernelbuf) -- memcpy(runtime->buffer + runtime->appl_ptr, -+ memcpy(runtime->buffer + appl_ptr, - kernelbuf + result, count1); - else if (userbuf) { - spin_unlock_irqrestore(&runtime->lock, flags); -- if (copy_from_user(runtime->buffer + runtime->appl_ptr, -+ if (copy_from_user(runtime->buffer + appl_ptr, - userbuf + result, count1)) { - spin_lock_irqsave(&runtime->lock, flags); - result = result > 0 ? result : -EFAULT; -@@ -1194,9 +1207,6 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, - } - spin_lock_irqsave(&runtime->lock, flags); - } -- runtime->appl_ptr += count1; -- runtime->appl_ptr %= runtime->buffer_size; -- runtime->avail -= count1; - result += count1; - count -= count1; - } -diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c -index c5b773a1eea9..4a09c3085ca4 100644 ---- a/sound/core/seq/oss/seq_oss_synth.c -+++ b/sound/core/seq/oss/seq_oss_synth.c -@@ -310,7 +310,7 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp) - struct seq_oss_synth *rec; - struct seq_oss_synthinfo *info; - -- if (snd_BUG_ON(dp->max_synthdev >= SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)) -+ if (snd_BUG_ON(dp->max_synthdev > SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)) - return; - for (i = 0; i < dp->max_synthdev; i++) { - info = &dp->synths[i]; -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index ecfbf5f39d38..08865dcbf5f1 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -678,6 +678,9 @@ static int deliver_to_subscribers(struct snd_seq_client *client, - else - down_read(&grp->list_mutex); - list_for_each_entry(subs, &grp->list_head, src_list) { -+ /* both ports ready? */ -+ if (atomic_read(&subs->ref_count) != 2) -+ continue; - event->dest = subs->info.dest; - if (subs->info.flags & SNDRV_SEQ_PORT_SUBS_TIMESTAMP) - /* convert time according to flag with subscription */ -diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c -index 9516e5ce3aad..67c91d226552 100644 ---- a/sound/core/seq/seq_ports.c -+++ b/sound/core/seq/seq_ports.c -@@ -175,10 +175,6 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - } - - /* */ --enum group_type { -- SRC_LIST, DEST_LIST --}; -- - static int subscribe_port(struct snd_seq_client *client, - struct snd_seq_client_port *port, - struct snd_seq_port_subs_info *grp, -@@ -205,6 +201,20 @@ static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr, - return NULL; - } - -+static void delete_and_unsubscribe_port(struct snd_seq_client *client, -+ struct snd_seq_client_port *port, -+ struct snd_seq_subscribers *subs, -+ bool is_src, bool ack); -+ -+static inline struct snd_seq_subscribers * -+get_subscriber(struct list_head *p, bool is_src) -+{ -+ if (is_src) -+ return list_entry(p, struct snd_seq_subscribers, src_list); -+ else -+ return list_entry(p, struct snd_seq_subscribers, dest_list); -+} -+ - /* - * remove all subscribers on the list - * this is called from port_delete, for each src and dest list. -@@ -212,7 +222,7 @@ static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr, - static void clear_subscriber_list(struct snd_seq_client *client, - struct snd_seq_client_port *port, - struct snd_seq_port_subs_info *grp, -- int grptype) -+ int is_src) - { - struct list_head *p, *n; - -@@ -221,15 +231,13 @@ static void clear_subscriber_list(struct snd_seq_client *client, - struct snd_seq_client *c; - struct snd_seq_client_port *aport; - -- if (grptype == SRC_LIST) { -- subs = list_entry(p, struct snd_seq_subscribers, src_list); -+ subs = get_subscriber(p, is_src); -+ if (is_src) - aport = get_client_port(&subs->info.dest, &c); -- } else { -- subs = list_entry(p, struct snd_seq_subscribers, dest_list); -+ else - aport = get_client_port(&subs->info.sender, &c); -- } -- list_del(p); -- unsubscribe_port(client, port, grp, &subs->info, 0); -+ delete_and_unsubscribe_port(client, port, subs, is_src, false); -+ - if (!aport) { - /* looks like the connected port is being deleted. - * we decrease the counter, and when both ports are deleted -@@ -237,21 +245,14 @@ static void clear_subscriber_list(struct snd_seq_client *client, - */ - if (atomic_dec_and_test(&subs->ref_count)) - kfree(subs); -- } else { -- /* ok we got the connected port */ -- struct snd_seq_port_subs_info *agrp; -- agrp = (grptype == SRC_LIST) ? &aport->c_dest : &aport->c_src; -- down_write(&agrp->list_mutex); -- if (grptype == SRC_LIST) -- list_del(&subs->dest_list); -- else -- list_del(&subs->src_list); -- up_write(&agrp->list_mutex); -- unsubscribe_port(c, aport, agrp, &subs->info, 1); -- kfree(subs); -- snd_seq_port_unlock(aport); -- snd_seq_client_unlock(c); -+ continue; - } -+ -+ /* ok we got the connected port */ -+ delete_and_unsubscribe_port(c, aport, subs, !is_src, true); -+ kfree(subs); -+ snd_seq_port_unlock(aport); -+ snd_seq_client_unlock(c); - } - } - -@@ -264,8 +265,8 @@ static int port_delete(struct snd_seq_client *client, - snd_use_lock_sync(&port->use_lock); - - /* clear subscribers info */ -- clear_subscriber_list(client, port, &port->c_src, SRC_LIST); -- clear_subscriber_list(client, port, &port->c_dest, DEST_LIST); -+ clear_subscriber_list(client, port, &port->c_src, true); -+ clear_subscriber_list(client, port, &port->c_dest, false); - - if (port->private_free) - port->private_free(port->private_data); -@@ -484,85 +485,120 @@ static int match_subs_info(struct snd_seq_port_subscribe *r, - return 0; - } - -- --/* connect two ports */ --int snd_seq_port_connect(struct snd_seq_client *connector, -- struct snd_seq_client *src_client, -- struct snd_seq_client_port *src_port, -- struct snd_seq_client *dest_client, -- struct snd_seq_client_port *dest_port, -- struct snd_seq_port_subscribe *info) -+static int check_and_subscribe_port(struct snd_seq_client *client, -+ struct snd_seq_client_port *port, -+ struct snd_seq_subscribers *subs, -+ bool is_src, bool exclusive, bool ack) - { -- struct snd_seq_port_subs_info *src = &src_port->c_src; -- struct snd_seq_port_subs_info *dest = &dest_port->c_dest; -- struct snd_seq_subscribers *subs, *s; -- int err, src_called = 0; -- unsigned long flags; -- int exclusive; -+ struct snd_seq_port_subs_info *grp; -+ struct list_head *p; -+ struct snd_seq_subscribers *s; -+ int err; - -- subs = kzalloc(sizeof(*subs), GFP_KERNEL); -- if (! subs) -- return -ENOMEM; -- -- subs->info = *info; -- atomic_set(&subs->ref_count, 2); -- -- down_write(&src->list_mutex); -- down_write_nested(&dest->list_mutex, SINGLE_DEPTH_NESTING); -- -- exclusive = info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE ? 1 : 0; -+ grp = is_src ? &port->c_src : &port->c_dest; - err = -EBUSY; -+ down_write(&grp->list_mutex); - if (exclusive) { -- if (! list_empty(&src->list_head) || ! list_empty(&dest->list_head)) -+ if (!list_empty(&grp->list_head)) - goto __error; - } else { -- if (src->exclusive || dest->exclusive) -+ if (grp->exclusive) - goto __error; - /* check whether already exists */ -- list_for_each_entry(s, &src->list_head, src_list) { -- if (match_subs_info(info, &s->info)) -- goto __error; -- } -- list_for_each_entry(s, &dest->list_head, dest_list) { -- if (match_subs_info(info, &s->info)) -+ list_for_each(p, &grp->list_head) { -+ s = get_subscriber(p, is_src); -+ if (match_subs_info(&subs->info, &s->info)) - goto __error; - } - } - -- if ((err = subscribe_port(src_client, src_port, src, info, -- connector->number != src_client->number)) < 0) -- goto __error; -- src_called = 1; -- -- if ((err = subscribe_port(dest_client, dest_port, dest, info, -- connector->number != dest_client->number)) < 0) -+ err = subscribe_port(client, port, grp, &subs->info, ack); -+ if (err < 0) { -+ grp->exclusive = 0; - goto __error; -+ } - - /* add to list */ -- write_lock_irqsave(&src->list_lock, flags); -- // write_lock(&dest->list_lock); // no other lock yet -- list_add_tail(&subs->src_list, &src->list_head); -- list_add_tail(&subs->dest_list, &dest->list_head); -- // write_unlock(&dest->list_lock); // no other lock yet -- write_unlock_irqrestore(&src->list_lock, flags); -+ write_lock_irq(&grp->list_lock); -+ if (is_src) -+ list_add_tail(&subs->src_list, &grp->list_head); -+ else -+ list_add_tail(&subs->dest_list, &grp->list_head); -+ grp->exclusive = exclusive; -+ atomic_inc(&subs->ref_count); -+ write_unlock_irq(&grp->list_lock); -+ err = 0; -+ -+ __error: -+ up_write(&grp->list_mutex); -+ return err; -+} - -- src->exclusive = dest->exclusive = exclusive; -+static void delete_and_unsubscribe_port(struct snd_seq_client *client, -+ struct snd_seq_client_port *port, -+ struct snd_seq_subscribers *subs, -+ bool is_src, bool ack) -+{ -+ struct snd_seq_port_subs_info *grp; -+ -+ grp = is_src ? &port->c_src : &port->c_dest; -+ down_write(&grp->list_mutex); -+ write_lock_irq(&grp->list_lock); -+ if (is_src) -+ list_del(&subs->src_list); -+ else -+ list_del(&subs->dest_list); -+ grp->exclusive = 0; -+ write_unlock_irq(&grp->list_lock); -+ up_write(&grp->list_mutex); -+ -+ unsubscribe_port(client, port, grp, &subs->info, ack); -+} -+ -+/* connect two ports */ -+int snd_seq_port_connect(struct snd_seq_client *connector, -+ struct snd_seq_client *src_client, -+ struct snd_seq_client_port *src_port, -+ struct snd_seq_client *dest_client, -+ struct snd_seq_client_port *dest_port, -+ struct snd_seq_port_subscribe *info) -+{ -+ struct snd_seq_subscribers *subs; -+ bool exclusive; -+ int err; -+ -+ subs = kzalloc(sizeof(*subs), GFP_KERNEL); -+ if (!subs) -+ return -ENOMEM; -+ -+ subs->info = *info; -+ atomic_set(&subs->ref_count, 0); -+ INIT_LIST_HEAD(&subs->src_list); -+ INIT_LIST_HEAD(&subs->dest_list); -+ -+ exclusive = !!(info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE); -+ -+ err = check_and_subscribe_port(src_client, src_port, subs, true, -+ exclusive, -+ connector->number != src_client->number); -+ if (err < 0) -+ goto error; -+ err = check_and_subscribe_port(dest_client, dest_port, subs, false, -+ exclusive, -+ connector->number != dest_client->number); -+ if (err < 0) -+ goto error_dest; - -- up_write(&dest->list_mutex); -- up_write(&src->list_mutex); - return 0; - -- __error: -- if (src_called) -- unsubscribe_port(src_client, src_port, src, info, -- connector->number != src_client->number); -+ error_dest: -+ delete_and_unsubscribe_port(src_client, src_port, subs, true, -+ connector->number != src_client->number); -+ error: - kfree(subs); -- up_write(&dest->list_mutex); -- up_write(&src->list_mutex); - return err; - } - -- - /* remove the connection */ - int snd_seq_port_disconnect(struct snd_seq_client *connector, - struct snd_seq_client *src_client, -@@ -572,37 +608,28 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector, - struct snd_seq_port_subscribe *info) - { - struct snd_seq_port_subs_info *src = &src_port->c_src; -- struct snd_seq_port_subs_info *dest = &dest_port->c_dest; - struct snd_seq_subscribers *subs; - int err = -ENOENT; -- unsigned long flags; - - down_write(&src->list_mutex); -- down_write_nested(&dest->list_mutex, SINGLE_DEPTH_NESTING); -- - /* look for the connection */ - list_for_each_entry(subs, &src->list_head, src_list) { - if (match_subs_info(info, &subs->info)) { -- write_lock_irqsave(&src->list_lock, flags); -- // write_lock(&dest->list_lock); // no lock yet -- list_del(&subs->src_list); -- list_del(&subs->dest_list); -- // write_unlock(&dest->list_lock); -- write_unlock_irqrestore(&src->list_lock, flags); -- src->exclusive = dest->exclusive = 0; -- unsubscribe_port(src_client, src_port, src, info, -- connector->number != src_client->number); -- unsubscribe_port(dest_client, dest_port, dest, info, -- connector->number != dest_client->number); -- kfree(subs); -+ atomic_dec(&subs->ref_count); /* mark as not ready */ - err = 0; - break; - } - } -- -- up_write(&dest->list_mutex); - up_write(&src->list_mutex); -- return err; -+ if (err < 0) -+ return err; -+ -+ delete_and_unsubscribe_port(src_client, src_port, subs, true, -+ connector->number != src_client->number); -+ delete_and_unsubscribe_port(dest_client, dest_port, subs, false, -+ connector->number != dest_client->number); -+ kfree(subs); -+ return 0; - } - - -diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c -index 24d44b2f61ac..6ec30a98a92a 100644 ---- a/sound/core/seq/seq_timer.c -+++ b/sound/core/seq/seq_timer.c -@@ -92,6 +92,9 @@ void snd_seq_timer_delete(struct snd_seq_timer **tmr) - - void snd_seq_timer_defaults(struct snd_seq_timer * tmr) - { -+ unsigned long flags; -+ -+ spin_lock_irqsave(&tmr->lock, flags); - /* setup defaults */ - tmr->ppq = 96; /* 96 PPQ */ - tmr->tempo = 500000; /* 120 BPM */ -@@ -107,21 +110,25 @@ void snd_seq_timer_defaults(struct snd_seq_timer * tmr) - tmr->preferred_resolution = seq_default_timer_resolution; - - tmr->skew = tmr->skew_base = SKEW_BASE; -+ spin_unlock_irqrestore(&tmr->lock, flags); - } - --void snd_seq_timer_reset(struct snd_seq_timer * tmr) -+static void seq_timer_reset(struct snd_seq_timer *tmr) - { -- unsigned long flags; -- -- spin_lock_irqsave(&tmr->lock, flags); -- - /* reset time & songposition */ - tmr->cur_time.tv_sec = 0; - tmr->cur_time.tv_nsec = 0; - - tmr->tick.cur_tick = 0; - tmr->tick.fraction = 0; -+} -+ -+void snd_seq_timer_reset(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; - -+ spin_lock_irqsave(&tmr->lock, flags); -+ seq_timer_reset(tmr); - spin_unlock_irqrestore(&tmr->lock, flags); - } - -@@ -140,8 +147,11 @@ static void snd_seq_timer_interrupt(struct snd_timer_instance *timeri, - tmr = q->timer; - if (tmr == NULL) - return; -- if (!tmr->running) -+ spin_lock_irqsave(&tmr->lock, flags); -+ if (!tmr->running) { -+ spin_unlock_irqrestore(&tmr->lock, flags); - return; -+ } - - resolution *= ticks; - if (tmr->skew != tmr->skew_base) { -@@ -150,8 +160,6 @@ static void snd_seq_timer_interrupt(struct snd_timer_instance *timeri, - (((resolution & 0xffff) * tmr->skew) >> 16); - } - -- spin_lock_irqsave(&tmr->lock, flags); -- - /* update timer */ - snd_seq_inc_time_nsec(&tmr->cur_time, resolution); - -@@ -298,26 +306,30 @@ int snd_seq_timer_open(struct snd_seq_queue *q) - t->callback = snd_seq_timer_interrupt; - t->callback_data = q; - t->flags |= SNDRV_TIMER_IFLG_AUTO; -+ spin_lock_irq(&tmr->lock); - tmr->timeri = t; -+ spin_unlock_irq(&tmr->lock); - return 0; - } - - int snd_seq_timer_close(struct snd_seq_queue *q) - { - struct snd_seq_timer *tmr; -+ struct snd_timer_instance *t; - - tmr = q->timer; - if (snd_BUG_ON(!tmr)) - return -EINVAL; -- if (tmr->timeri) { -- snd_timer_stop(tmr->timeri); -- snd_timer_close(tmr->timeri); -- tmr->timeri = NULL; -- } -+ spin_lock_irq(&tmr->lock); -+ t = tmr->timeri; -+ tmr->timeri = NULL; -+ spin_unlock_irq(&tmr->lock); -+ if (t) -+ snd_timer_close(t); - return 0; - } - --int snd_seq_timer_stop(struct snd_seq_timer * tmr) -+static int seq_timer_stop(struct snd_seq_timer *tmr) - { - if (! tmr->timeri) - return -EINVAL; -@@ -328,6 +340,17 @@ int snd_seq_timer_stop(struct snd_seq_timer * tmr) - return 0; - } - -+int snd_seq_timer_stop(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; -+ int err; -+ -+ spin_lock_irqsave(&tmr->lock, flags); -+ err = seq_timer_stop(tmr); -+ spin_unlock_irqrestore(&tmr->lock, flags); -+ return err; -+} -+ - static int initialize_timer(struct snd_seq_timer *tmr) - { - struct snd_timer *t; -@@ -360,13 +383,13 @@ static int initialize_timer(struct snd_seq_timer *tmr) - return 0; - } - --int snd_seq_timer_start(struct snd_seq_timer * tmr) -+static int seq_timer_start(struct snd_seq_timer *tmr) - { - if (! tmr->timeri) - return -EINVAL; - if (tmr->running) -- snd_seq_timer_stop(tmr); -- snd_seq_timer_reset(tmr); -+ seq_timer_stop(tmr); -+ seq_timer_reset(tmr); - if (initialize_timer(tmr) < 0) - return -EINVAL; - snd_timer_start(tmr->timeri, tmr->ticks); -@@ -375,14 +398,25 @@ int snd_seq_timer_start(struct snd_seq_timer * tmr) - return 0; - } - --int snd_seq_timer_continue(struct snd_seq_timer * tmr) -+int snd_seq_timer_start(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; -+ int err; -+ -+ spin_lock_irqsave(&tmr->lock, flags); -+ err = seq_timer_start(tmr); -+ spin_unlock_irqrestore(&tmr->lock, flags); -+ return err; -+} -+ -+static int seq_timer_continue(struct snd_seq_timer *tmr) - { - if (! tmr->timeri) - return -EINVAL; - if (tmr->running) - return -EBUSY; - if (! tmr->initialized) { -- snd_seq_timer_reset(tmr); -+ seq_timer_reset(tmr); - if (initialize_timer(tmr) < 0) - return -EINVAL; - } -@@ -392,11 +426,24 @@ int snd_seq_timer_continue(struct snd_seq_timer * tmr) - return 0; - } - -+int snd_seq_timer_continue(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; -+ int err; -+ -+ spin_lock_irqsave(&tmr->lock, flags); -+ err = seq_timer_continue(tmr); -+ spin_unlock_irqrestore(&tmr->lock, flags); -+ return err; -+} -+ - /* return current 'real' time. use timeofday() to get better granularity. */ - snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) - { - snd_seq_real_time_t cur_time; -+ unsigned long flags; - -+ spin_lock_irqsave(&tmr->lock, flags); - cur_time = tmr->cur_time; - if (tmr->running) { - struct timeval tm; -@@ -412,7 +459,7 @@ snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) - } - snd_seq_sanity_real_time(&cur_time); - } -- -+ spin_unlock_irqrestore(&tmr->lock, flags); - return cur_time; - } - -diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c -index 4b50e604276d..0fa691e01384 100644 ---- a/sound/core/seq/seq_virmidi.c -+++ b/sound/core/seq/seq_virmidi.c -@@ -254,9 +254,13 @@ static int snd_virmidi_output_open(struct snd_rawmidi_substream *substream) - */ - static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream) - { -+ struct snd_virmidi_dev *rdev = substream->rmidi->private_data; - struct snd_virmidi *vmidi = substream->runtime->private_data; -- snd_midi_event_free(vmidi->parser); -+ -+ write_lock_irq(&rdev->filelist_lock); - list_del(&vmidi->list); -+ write_unlock_irq(&rdev->filelist_lock); -+ snd_midi_event_free(vmidi->parser); - substream->runtime->private_data = NULL; - kfree(vmidi); - return 0; -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 4e436fe53afa..d90d8f4b85fe 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -300,8 +300,7 @@ int snd_timer_open(struct snd_timer_instance **ti, - return 0; - } - --static int _snd_timer_stop(struct snd_timer_instance *timeri, -- int keep_flag, int event); -+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event); - - /* - * close a timer instance -@@ -343,7 +342,7 @@ int snd_timer_close(struct snd_timer_instance *timeri) - spin_unlock_irq(&timer->lock); - mutex_lock(®ister_mutex); - list_del(&timeri->open_list); -- if (timer && list_empty(&timer->open_list_head) && -+ if (list_empty(&timer->open_list_head) && - timer->hw.close) - timer->hw.close(timer); - /* remove slave links */ -@@ -415,7 +414,7 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) - spin_lock_irqsave(&timer->lock, flags); - list_for_each_entry(ts, &ti->slave_active_head, active_list) - if (ts->ccallback) -- ts->ccallback(ti, event + 100, &tstamp, resolution); -+ ts->ccallback(ts, event + 100, &tstamp, resolution); - spin_unlock_irqrestore(&timer->lock, flags); - } - -@@ -444,6 +443,10 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri) - unsigned long flags; - - spin_lock_irqsave(&slave_active_lock, flags); -+ if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) { -+ spin_unlock_irqrestore(&slave_active_lock, flags); -+ return -EBUSY; -+ } - timeri->flags |= SNDRV_TIMER_IFLG_RUNNING; - if (timeri->master && timeri->timer) { - spin_lock(&timeri->timer->lock); -@@ -468,23 +471,30 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks) - return -EINVAL; - if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { - result = snd_timer_start_slave(timeri); -- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); -+ if (result >= 0) -+ snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); - return result; - } - timer = timeri->timer; - if (timer == NULL) - return -EINVAL; - spin_lock_irqsave(&timer->lock, flags); -+ if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | -+ SNDRV_TIMER_IFLG_START)) { -+ result = -EBUSY; -+ goto unlock; -+ } - timeri->ticks = timeri->cticks = ticks; - timeri->pticks = 0; - result = snd_timer_start1(timer, timeri, ticks); -+ unlock: - spin_unlock_irqrestore(&timer->lock, flags); -- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); -+ if (result >= 0) -+ snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); - return result; - } - --static int _snd_timer_stop(struct snd_timer_instance * timeri, -- int keep_flag, int event) -+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event) - { - struct snd_timer *timer; - unsigned long flags; -@@ -493,19 +503,30 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, - return -ENXIO; - - if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { -- if (!keep_flag) { -- spin_lock_irqsave(&slave_active_lock, flags); -- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -- list_del_init(&timeri->ack_list); -- list_del_init(&timeri->active_list); -+ spin_lock_irqsave(&slave_active_lock, flags); -+ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) { - spin_unlock_irqrestore(&slave_active_lock, flags); -+ return -EBUSY; - } -+ if (timeri->timer) -+ spin_lock(&timeri->timer->lock); -+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -+ list_del_init(&timeri->ack_list); -+ list_del_init(&timeri->active_list); -+ if (timeri->timer) -+ spin_unlock(&timeri->timer->lock); -+ spin_unlock_irqrestore(&slave_active_lock, flags); - goto __end; - } - timer = timeri->timer; - if (!timer) - return -EINVAL; - spin_lock_irqsave(&timer->lock, flags); -+ if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | -+ SNDRV_TIMER_IFLG_START))) { -+ spin_unlock_irqrestore(&timer->lock, flags); -+ return -EBUSY; -+ } - list_del_init(&timeri->ack_list); - list_del_init(&timeri->active_list); - if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) && -@@ -520,9 +541,7 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, - } - } - } -- if (!keep_flag) -- timeri->flags &= -- ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); -+ timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); - spin_unlock_irqrestore(&timer->lock, flags); - __end: - if (event != SNDRV_TIMER_EVENT_RESOLUTION) -@@ -541,7 +560,7 @@ int snd_timer_stop(struct snd_timer_instance *timeri) - unsigned long flags; - int err; - -- err = _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_STOP); -+ err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP); - if (err < 0) - return err; - timer = timeri->timer; -@@ -571,10 +590,15 @@ int snd_timer_continue(struct snd_timer_instance *timeri) - if (! timer) - return -EINVAL; - spin_lock_irqsave(&timer->lock, flags); -+ if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) { -+ result = -EBUSY; -+ goto unlock; -+ } - if (!timeri->cticks) - timeri->cticks = 1; - timeri->pticks = 0; - result = snd_timer_start1(timer, timeri, timer->sticks); -+ unlock: - spin_unlock_irqrestore(&timer->lock, flags); - snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE); - return result; -@@ -585,7 +609,7 @@ int snd_timer_continue(struct snd_timer_instance *timeri) - */ - int snd_timer_pause(struct snd_timer_instance * timeri) - { -- return _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_PAUSE); -+ return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE); - } - - /* -@@ -702,8 +726,8 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) - ti->cticks = ti->ticks; - } else { - ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -- if (--timer->running) -- list_del_init(&ti->active_list); -+ --timer->running; -+ list_del_init(&ti->active_list); - } - if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || - (ti->flags & SNDRV_TIMER_IFLG_FAST)) -diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c -index fd798f753609..982a2c2faf24 100644 ---- a/sound/drivers/dummy.c -+++ b/sound/drivers/dummy.c -@@ -109,6 +109,9 @@ struct dummy_timer_ops { - snd_pcm_uframes_t (*pointer)(struct snd_pcm_substream *); - }; - -+#define get_dummy_ops(substream) \ -+ (*(const struct dummy_timer_ops **)(substream)->runtime->private_data) -+ - struct dummy_model { - const char *name; - int (*playback_constraints)(struct snd_pcm_runtime *runtime); -@@ -137,7 +140,6 @@ struct snd_dummy { - int iobox; - struct snd_kcontrol *cd_volume_ctl; - struct snd_kcontrol *cd_switch_ctl; -- const struct dummy_timer_ops *timer_ops; - }; - - /* -@@ -231,6 +233,8 @@ struct dummy_model *dummy_models[] = { - */ - - struct dummy_systimer_pcm { -+ /* ops must be the first item */ -+ const struct dummy_timer_ops *timer_ops; - spinlock_t lock; - struct timer_list timer; - unsigned long base_time; -@@ -368,6 +372,8 @@ static struct dummy_timer_ops dummy_systimer_ops = { - */ - - struct dummy_hrtimer_pcm { -+ /* ops must be the first item */ -+ const struct dummy_timer_ops *timer_ops; - ktime_t base_time; - ktime_t period_time; - atomic_t running; -@@ -494,31 +500,25 @@ static struct dummy_timer_ops dummy_hrtimer_ops = { - - static int dummy_pcm_trigger(struct snd_pcm_substream *substream, int cmd) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- - switch (cmd) { - case SNDRV_PCM_TRIGGER_START: - case SNDRV_PCM_TRIGGER_RESUME: -- return dummy->timer_ops->start(substream); -+ return get_dummy_ops(substream)->start(substream); - case SNDRV_PCM_TRIGGER_STOP: - case SNDRV_PCM_TRIGGER_SUSPEND: -- return dummy->timer_ops->stop(substream); -+ return get_dummy_ops(substream)->stop(substream); - } - return -EINVAL; - } - - static int dummy_pcm_prepare(struct snd_pcm_substream *substream) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- -- return dummy->timer_ops->prepare(substream); -+ return get_dummy_ops(substream)->prepare(substream); - } - - static snd_pcm_uframes_t dummy_pcm_pointer(struct snd_pcm_substream *substream) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- -- return dummy->timer_ops->pointer(substream); -+ return get_dummy_ops(substream)->pointer(substream); - } - - static struct snd_pcm_hardware dummy_pcm_hardware = { -@@ -564,17 +564,19 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) - struct snd_dummy *dummy = snd_pcm_substream_chip(substream); - struct dummy_model *model = dummy->model; - struct snd_pcm_runtime *runtime = substream->runtime; -+ const struct dummy_timer_ops *ops; - int err; - -- dummy->timer_ops = &dummy_systimer_ops; -+ ops = &dummy_systimer_ops; - #ifdef CONFIG_HIGH_RES_TIMERS - if (hrtimer) -- dummy->timer_ops = &dummy_hrtimer_ops; -+ ops = &dummy_hrtimer_ops; - #endif - -- err = dummy->timer_ops->create(substream); -+ err = ops->create(substream); - if (err < 0) - return err; -+ get_dummy_ops(substream) = ops; - - runtime->hw = dummy->pcm_hw; - if (substream->pcm->device & 1) { -@@ -596,7 +598,7 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) - err = model->capture_constraints(substream->runtime); - } - if (err < 0) { -- dummy->timer_ops->free(substream); -+ get_dummy_ops(substream)->free(substream); - return err; - } - return 0; -@@ -604,8 +606,7 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) - - static int dummy_pcm_close(struct snd_pcm_substream *substream) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- dummy->timer_ops->free(substream); -+ get_dummy_ops(substream)->free(substream); - return 0; - } - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 69a2aafb0b0f..babbf238a648 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2188,6 +2188,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { - SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT), - SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP), - SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP), -+ SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP), - - /* All Apple entries are in codec SSIDs */ - SND_PCI_QUIRK(0x106b, 0x00a0, "MacBookPro 3,1", ALC889_FIXUP_MBP_VREF), -diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c -index 02d26915b61d..c6d408c819b1 100644 ---- a/sound/soc/soc-pcm.c -+++ b/sound/soc/soc-pcm.c -@@ -1248,7 +1248,8 @@ static int dpcm_be_dai_hw_free(struct snd_soc_pcm_runtime *fe, int stream) - (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PREPARE) && - (be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) && - (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED) && -- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP)) -+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP) && -+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND)) - continue; - - dev_dbg(be->dev, "ASoC: hw_free BE %s\n", -diff --git a/sound/usb/midi.c b/sound/usb/midi.c -index dabbe05d17f5..37ecba340876 100644 ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -2291,7 +2291,6 @@ int snd_usbmidi_create(struct snd_card *card, - else - err = snd_usbmidi_create_endpoints(umidi, endpoints); - if (err < 0) { -- snd_usbmidi_free(umidi); - return err; - } - -diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c -index 94cd28c2bd8d..44550a4cf893 100644 ---- a/sound/usb/quirks.c -+++ b/sound/usb/quirks.c -@@ -900,8 +900,12 @@ void snd_usb_set_interface_quirk(struct usb_device *dev) - * "Playback Design" products need a 50ms delay after setting the - * USB interface. - */ -- if (le16_to_cpu(dev->descriptor.idVendor) == 0x23ba) -+ switch (le16_to_cpu(dev->descriptor.idVendor)) { -+ case 0x23ba: /* Playback Design */ -+ case 0x0644: /* TEAC Corp. */ - mdelay(50); -+ break; -+ } - } - - void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, -@@ -916,6 +920,14 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, - (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) - mdelay(20); - -+ /* -+ * "TEAC Corp." products need a 20ms delay after each -+ * class compliant request -+ */ -+ if ((le16_to_cpu(dev->descriptor.idVendor) == 0x0644) && -+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) -+ mdelay(20); -+ - /* Marantz/Denon devices with USB DAC functionality need a delay - * after each class compliant request - */ diff --git a/patch/kernel/odroidc1-default/1-patch-3.10.97-98.patch b/patch/kernel/odroidc1-default/1-patch-3.10.97-98.patch deleted file mode 100644 index 332f8fede..000000000 --- a/patch/kernel/odroidc1-default/1-patch-3.10.97-98.patch +++ /dev/null @@ -1,1792 +0,0 @@ -diff --git a/Makefile b/Makefile -index f26470169c70..dadd1edc6f84 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 97 -+SUBLEVEL = 98 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arm/common/icst.c b/arch/arm/common/icst.c -index 2dc6da70ae59..d7ed252708c5 100644 ---- a/arch/arm/common/icst.c -+++ b/arch/arm/common/icst.c -@@ -16,7 +16,7 @@ - */ - #include - #include -- -+#include - #include - - /* -@@ -29,7 +29,11 @@ EXPORT_SYMBOL(icst525_s2div); - - unsigned long icst_hz(const struct icst_params *p, struct icst_vco vco) - { -- return p->ref * 2 * (vco.v + 8) / ((vco.r + 2) * p->s2div[vco.s]); -+ u64 dividend = p->ref * 2 * (u64)(vco.v + 8); -+ u32 divisor = (vco.r + 2) * p->s2div[vco.s]; -+ -+ do_div(dividend, divisor); -+ return (unsigned long)dividend; - } - - EXPORT_SYMBOL(icst_hz); -@@ -58,6 +62,7 @@ icst_hz_to_vco(const struct icst_params *p, unsigned long freq) - - if (f > p->vco_min && f <= p->vco_max) - break; -+ i++; - } while (i < 8); - - if (i >= 8) -diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c -index 0392112a5d70..a5ecef7188ba 100644 ---- a/arch/m32r/kernel/setup.c -+++ b/arch/m32r/kernel/setup.c -@@ -81,7 +81,10 @@ static struct resource code_resource = { - }; - - unsigned long memory_start; -+EXPORT_SYMBOL(memory_start); -+ - unsigned long memory_end; -+EXPORT_SYMBOL(memory_end); - - void __init setup_arch(char **); - int get_cpuinfo(char *); -diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h -index c48a95035a77..4dde707a6ff7 100644 ---- a/arch/x86/include/asm/segment.h -+++ b/arch/x86/include/asm/segment.h -@@ -212,8 +212,19 @@ - #define TLS_SIZE (GDT_ENTRY_TLS_ENTRIES * 8) - - #ifdef __KERNEL__ -+ -+/* -+ * early_idt_handler_array is an array of entry points referenced in the -+ * early IDT. For simplicity, it's a real array with one entry point -+ * every nine bytes. That leaves room for an optional 'push $0' if the -+ * vector has no error code (two bytes), a 'push $vector_number' (two -+ * bytes), and a jump to the common entry code (up to five bytes). -+ */ -+#define EARLY_IDT_HANDLER_SIZE 9 -+ - #ifndef __ASSEMBLY__ --extern const char early_idt_handlers[NUM_EXCEPTION_VECTORS][2+2+5]; -+ -+extern const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE]; - - /* - * Load a segment. Fall back on loading the zero -diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c -index 55b67614ed94..3b861b7661ee 100644 ---- a/arch/x86/kernel/head64.c -+++ b/arch/x86/kernel/head64.c -@@ -162,7 +162,7 @@ void __init x86_64_start_kernel(char * real_mode_data) - clear_bss(); - - for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) -- set_intr_gate(i, &early_idt_handlers[i]); -+ set_intr_gate(i, &early_idt_handler_array[i]); - load_idt((const struct desc_ptr *)&idt_descr); - - copy_bootdata(__va(real_mode_data)); -diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S -index df63cae573e0..8060c8b95b3a 100644 ---- a/arch/x86/kernel/head_32.S -+++ b/arch/x86/kernel/head_32.S -@@ -499,21 +499,22 @@ check_x87: - __INIT - setup_once: - /* -- * Set up a idt with 256 entries pointing to ignore_int, -- * interrupt gates. It doesn't actually load idt - that needs -- * to be done on each CPU. Interrupts are enabled elsewhere, -- * when we can be relatively sure everything is ok. -+ * Set up a idt with 256 interrupt gates that push zero if there -+ * is no error code and then jump to early_idt_handler_common. -+ * It doesn't actually load the idt - that needs to be done on -+ * each CPU. Interrupts are enabled elsewhere, when we can be -+ * relatively sure everything is ok. - */ - - movl $idt_table,%edi -- movl $early_idt_handlers,%eax -+ movl $early_idt_handler_array,%eax - movl $NUM_EXCEPTION_VECTORS,%ecx - 1: - movl %eax,(%edi) - movl %eax,4(%edi) - /* interrupt gate, dpl=0, present */ - movl $(0x8E000000 + __KERNEL_CS),2(%edi) -- addl $9,%eax -+ addl $EARLY_IDT_HANDLER_SIZE,%eax - addl $8,%edi - loop 1b - -@@ -545,26 +546,28 @@ setup_once: - andl $0,setup_once_ref /* Once is enough, thanks */ - ret - --ENTRY(early_idt_handlers) -+ENTRY(early_idt_handler_array) - # 36(%esp) %eflags - # 32(%esp) %cs - # 28(%esp) %eip - # 24(%rsp) error code - i = 0 - .rept NUM_EXCEPTION_VECTORS -- .if (EXCEPTION_ERRCODE_MASK >> i) & 1 -- ASM_NOP2 -- .else -+ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1 - pushl $0 # Dummy error code, to make stack frame uniform - .endif - pushl $i # 20(%esp) Vector number -- jmp early_idt_handler -+ jmp early_idt_handler_common - i = i + 1 -+ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc - .endr --ENDPROC(early_idt_handlers) -+ENDPROC(early_idt_handler_array) - -- /* This is global to keep gas from relaxing the jumps */ --ENTRY(early_idt_handler) -+early_idt_handler_common: -+ /* -+ * The stack is the hardware frame, an error code or zero, and the -+ * vector number. -+ */ - cld - - cmpl $2,(%esp) # X86_TRAP_NMI -@@ -624,7 +627,7 @@ ex_entry: - is_nmi: - addl $8,%esp /* drop vector number and error code */ - iret --ENDPROC(early_idt_handler) -+ENDPROC(early_idt_handler_common) - - /* This is the default interrupt "handler" :-) */ - ALIGN -diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 3280489905a8..54bf9c2d0d13 100644 ---- a/arch/x86/kernel/head_64.S -+++ b/arch/x86/kernel/head_64.S -@@ -329,26 +329,28 @@ bad_address: - jmp bad_address - - __INIT -- .globl early_idt_handlers --early_idt_handlers: -+ENTRY(early_idt_handler_array) - # 104(%rsp) %rflags - # 96(%rsp) %cs - # 88(%rsp) %rip - # 80(%rsp) error code - i = 0 - .rept NUM_EXCEPTION_VECTORS -- .if (EXCEPTION_ERRCODE_MASK >> i) & 1 -- ASM_NOP2 -- .else -+ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1 - pushq $0 # Dummy error code, to make stack frame uniform - .endif - pushq $i # 72(%rsp) Vector number -- jmp early_idt_handler -+ jmp early_idt_handler_common - i = i + 1 -+ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc - .endr -+ENDPROC(early_idt_handler_array) - --/* This is global to keep gas from relaxing the jumps */ --ENTRY(early_idt_handler) -+early_idt_handler_common: -+ /* -+ * The stack is the hardware frame, an error code or zero, and the -+ * vector number. -+ */ - cld - - cmpl $2,(%rsp) # X86_TRAP_NMI -@@ -420,7 +422,7 @@ ENTRY(early_idt_handler) - is_nmi: - addq $16,%rsp # drop vector number and error code - INTERRUPT_RETURN --ENDPROC(early_idt_handler) -+ENDPROC(early_idt_handler_common) - - __INITDATA - -diff --git a/block/blk-core.c b/block/blk-core.c -index 5a750b18172e..9ae84ae05e6a 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -3097,6 +3097,9 @@ int blk_pre_runtime_suspend(struct request_queue *q) - { - int ret = 0; - -+ if (!q->dev) -+ return ret; -+ - spin_lock_irq(q->queue_lock); - if (q->nr_pending) { - ret = -EBUSY; -@@ -3124,6 +3127,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend); - */ - void blk_post_runtime_suspend(struct request_queue *q, int err) - { -+ if (!q->dev) -+ return; -+ - spin_lock_irq(q->queue_lock); - if (!err) { - q->rpm_status = RPM_SUSPENDED; -@@ -3148,6 +3154,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend); - */ - void blk_pre_runtime_resume(struct request_queue *q) - { -+ if (!q->dev) -+ return; -+ - spin_lock_irq(q->queue_lock); - q->rpm_status = RPM_RESUMING; - spin_unlock_irq(q->queue_lock); -@@ -3170,6 +3179,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume); - */ - void blk_post_runtime_resume(struct request_queue *q, int err) - { -+ if (!q->dev) -+ return; -+ - spin_lock_irq(q->queue_lock); - if (!err) { - q->rpm_status = RPM_ACTIVE; -diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c -index 334e31ff7a4e..6bd0c1ade9f2 100644 ---- a/drivers/iio/adc/ad7793.c -+++ b/drivers/iio/adc/ad7793.c -@@ -101,7 +101,7 @@ - #define AD7795_CH_AIN1M_AIN1M 8 /* AIN1(-) - AIN1(-) */ - - /* ID Register Bit Designations (AD7793_REG_ID) */ --#define AD7785_ID 0xB -+#define AD7785_ID 0x3 - #define AD7792_ID 0xA - #define AD7793_ID 0xB - #define AD7794_ID 0xF -diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c -index aa26d50ab638..4eda4ea037b7 100644 ---- a/drivers/iio/dac/ad5064.c -+++ b/drivers/iio/dac/ad5064.c -@@ -602,10 +602,16 @@ static int ad5064_i2c_write(struct ad5064_state *st, unsigned int cmd, - unsigned int addr, unsigned int val) - { - struct i2c_client *i2c = to_i2c_client(st->dev); -+ int ret; - - st->data.i2c[0] = (cmd << 4) | addr; - put_unaligned_be16(val, &st->data.i2c[1]); -- return i2c_master_send(i2c, st->data.i2c, 3); -+ -+ ret = i2c_master_send(i2c, st->data.i2c, 3); -+ if (ret < 0) -+ return ret; -+ -+ return 0; - } - - static int ad5064_i2c_probe(struct i2c_client *i2c, -diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c -index a612ec766d96..029207bbf03d 100644 ---- a/drivers/iio/dac/mcp4725.c -+++ b/drivers/iio/dac/mcp4725.c -@@ -166,6 +166,7 @@ static int mcp4725_probe(struct i2c_client *client, - data->client = client; - - indio_dev->dev.parent = &client->dev; -+ indio_dev->name = id->name; - indio_dev->info = &mcp4725_info; - indio_dev->channels = &mcp4725_channel; - indio_dev->num_channels = 1; -diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c -index 99d8e0b0dd34..d0538bcdc1b8 100644 ---- a/drivers/iio/imu/adis_buffer.c -+++ b/drivers/iio/imu/adis_buffer.c -@@ -43,7 +43,7 @@ int adis_update_scan_mode(struct iio_dev *indio_dev, - return -ENOMEM; - - rx = adis->buffer; -- tx = rx + indio_dev->scan_bytes; -+ tx = rx + scan_count; - - spi_message_init(&adis->msg); - -diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c -index 02099afb6c79..77f06d001a66 100644 ---- a/drivers/input/mouse/elantech.c -+++ b/drivers/input/mouse/elantech.c -@@ -1081,7 +1081,7 @@ static int elantech_set_input_params(struct psmouse *psmouse) - input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2, - ETP_WMAX_V2, 0, 0); - } -- input_mt_init_slots(dev, 2, 0); -+ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT); - input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0); - input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0); - break; -@@ -1357,6 +1357,13 @@ static const struct dmi_system_id no_hw_res_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "U2442"), - }, - }, -+ { -+ /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), -+ }, -+ }, - #endif - { } - }; -diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h -index 4de2571938b8..5102b4f68f18 100644 ---- a/drivers/input/serio/i8042-x86ia64io.h -+++ b/drivers/input/serio/i8042-x86ia64io.h -@@ -258,6 +258,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { - }, - }, - { -+ /* Fujitsu Lifebook U745 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), -+ }, -+ }, -+ { - /* Fujitsu T70H */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c -index a7967ceb79e6..3d4622cae2cf 100644 ---- a/drivers/iommu/dmar.c -+++ b/drivers/iommu/dmar.c -@@ -968,7 +968,7 @@ void dmar_disable_qi(struct intel_iommu *iommu) - - raw_spin_lock_irqsave(&iommu->register_lock, flags); - -- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); -+ sts = readl(iommu->reg + DMAR_GSTS_REG); - if (!(sts & DMA_GSTS_QIES)) - goto end; - -diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c -index 45011f63ad16..990cc298824a 100644 ---- a/drivers/iommu/intel_irq_remapping.c -+++ b/drivers/iommu/intel_irq_remapping.c -@@ -495,7 +495,7 @@ static void iommu_disable_irq_remapping(struct intel_iommu *iommu) - - raw_spin_lock_irqsave(&iommu->register_lock, flags); - -- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); -+ sts = readl(iommu->reg + DMAR_GSTS_REG); - if (!(sts & DMA_GSTS_IRES)) - goto end; - -diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c -index 5895f1978691..e98de425f8e0 100644 ---- a/drivers/net/wan/x25_asy.c -+++ b/drivers/net/wan/x25_asy.c -@@ -545,16 +545,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty, - - static int x25_asy_open_tty(struct tty_struct *tty) - { -- struct x25_asy *sl = tty->disc_data; -+ struct x25_asy *sl; - int err; - - if (tty->ops->write == NULL) - return -EOPNOTSUPP; - -- /* First make sure we're not already connected. */ -- if (sl && sl->magic == X25_ASY_MAGIC) -- return -EEXIST; -- - /* OK. Find a free X.25 channel to use. */ - sl = x25_asy_alloc(); - if (sl == NULL) -diff --git a/drivers/platform/x86/intel_scu_ipcutil.c b/drivers/platform/x86/intel_scu_ipcutil.c -index 02bc5a6343c3..aa454241489c 100644 ---- a/drivers/platform/x86/intel_scu_ipcutil.c -+++ b/drivers/platform/x86/intel_scu_ipcutil.c -@@ -49,7 +49,7 @@ struct scu_ipc_data { - - static int scu_reg_access(u32 cmd, struct scu_ipc_data *data) - { -- int count = data->count; -+ unsigned int count = data->count; - - if (count == 0 || count == 3 || count > 4) - return -EINVAL; -diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c -index 69c915aa77c2..d661fcda1932 100644 ---- a/drivers/scsi/device_handler/scsi_dh_rdac.c -+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c -@@ -569,7 +569,7 @@ static int mode_select_handle_sense(struct scsi_device *sdev, - /* - * Command Lock contention - */ -- err = SCSI_DH_RETRY; -+ err = SCSI_DH_IMM_RETRY; - break; - default: - break; -@@ -619,6 +619,8 @@ retry: - err = mode_select_handle_sense(sdev, h->sense); - if (err == SCSI_DH_RETRY && retry_cnt--) - goto retry; -+ if (err == SCSI_DH_IMM_RETRY) -+ goto retry; - } - if (err == SCSI_DH_OK) { - h->state = RDAC_STATE_ACTIVE; -diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c -index 3cafe0d784b8..3020f1ff4abb 100644 ---- a/drivers/scsi/hosts.c -+++ b/drivers/scsi/hosts.c -@@ -305,6 +305,17 @@ static void scsi_host_dev_release(struct device *dev) - kfree(queuedata); - } - -+ if (shost->shost_state == SHOST_CREATED) { -+ /* -+ * Free the shost_dev device name here if scsi_host_alloc() -+ * and scsi_host_put() have been called but neither -+ * scsi_host_add() nor scsi_host_remove() has been called. -+ * This avoids that the memory allocated for the shost_dev -+ * name is leaked. -+ */ -+ kfree(dev_name(&shost->shost_dev)); -+ } -+ - scsi_destroy_command_freelist(shost); - if (shost->bqt) - blk_free_tags(shost->bqt); -diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c -index 9e2dd478dd15..135d7b56fbe6 100644 ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -789,7 +789,7 @@ sdev_store_queue_ramp_up_period(struct device *dev, - return -EINVAL; - - sdev->queue_ramp_up_period = msecs_to_jiffies(period); -- return period; -+ return count; - } - - static struct device_attribute sdev_attr_queue_ramp_up_period = -@@ -1030,31 +1030,25 @@ static void __scsi_remove_target(struct scsi_target *starget) - void scsi_remove_target(struct device *dev) - { - struct Scsi_Host *shost = dev_to_shost(dev->parent); -- struct scsi_target *starget, *last = NULL; -+ struct scsi_target *starget, *last_target = NULL; - unsigned long flags; - -- /* remove targets being careful to lookup next entry before -- * deleting the last -- */ -+restart: - spin_lock_irqsave(shost->host_lock, flags); - list_for_each_entry(starget, &shost->__targets, siblings) { -- if (starget->state == STARGET_DEL) -+ if (starget->state == STARGET_DEL || -+ starget == last_target) - continue; - if (starget->dev.parent == dev || &starget->dev == dev) { -- /* assuming new targets arrive at the end */ - kref_get(&starget->reap_ref); -+ last_target = starget; - spin_unlock_irqrestore(shost->host_lock, flags); -- if (last) -- scsi_target_reap(last); -- last = starget; - __scsi_remove_target(starget); -- spin_lock_irqsave(shost->host_lock, flags); -+ scsi_target_reap(starget); -+ goto restart; - } - } - spin_unlock_irqrestore(shost->host_lock, flags); -- -- if (last) -- scsi_target_reap(last); - } - EXPORT_SYMBOL(scsi_remove_target); - -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 26b543bc4f53..4afce0e838a2 100644 ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -3090,8 +3090,8 @@ static int sd_suspend(struct device *dev) - struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); - int ret = 0; - -- if (!sdkp) -- return 0; /* this can happen */ -+ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ -+ return 0; - - if (sdkp->WCE) { - sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); -@@ -3115,6 +3115,9 @@ static int sd_resume(struct device *dev) - struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); - int ret = 0; - -+ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */ -+ return 0; -+ - if (!sdkp->device->manage_start_stop) - goto done; - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 721d839d6c54..0be16bf5f0cd 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1258,7 +1258,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma) - } - - sfp->mmap_called = 1; -- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; -+ vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP; - vma->vm_private_data = sfp; - vma->vm_ops = &sg_mmap_vm_ops; - return 0; -diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c -index 119d67f9c47e..1ac9943cbb93 100644 ---- a/drivers/scsi/sr.c -+++ b/drivers/scsi/sr.c -@@ -142,6 +142,9 @@ static int sr_runtime_suspend(struct device *dev) - { - struct scsi_cd *cd = dev_get_drvdata(dev); - -+ if (!cd) /* E.g.: runtime suspend following sr_remove() */ -+ return 0; -+ - if (cd->media_present) - return -EBUSY; - else -@@ -1006,6 +1009,7 @@ static int sr_remove(struct device *dev) - - blk_queue_prep_rq(cd->device->request_queue, scsi_prep_fn); - del_gendisk(cd->disk); -+ dev_set_drvdata(dev, NULL); - - mutex_lock(&sr_ref_mutex); - kref_put(&cd->kref, sr_kref_release); -diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c -index 2f2f7fdd0691..9cbe2dd70499 100644 ---- a/drivers/staging/iio/adc/lpc32xx_adc.c -+++ b/drivers/staging/iio/adc/lpc32xx_adc.c -@@ -76,7 +76,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, - - if (mask == IIO_CHAN_INFO_RAW) { - mutex_lock(&indio_dev->mlock); -- clk_enable(info->clk); -+ clk_prepare_enable(info->clk); - /* Measurement setup */ - __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm, - LPC32XX_ADC_SELECT(info->adc_base)); -@@ -84,7 +84,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, - __raw_writel(AD_PDN_CTRL | AD_STROBE, - LPC32XX_ADC_CTRL(info->adc_base)); - wait_for_completion(&info->completion); /* set by ISR */ -- clk_disable(info->clk); -+ clk_disable_unprepare(info->clk); - *val = info->value; - mutex_unlock(&indio_dev->mlock); - -diff --git a/drivers/staging/speakup/selection.c b/drivers/staging/speakup/selection.c -index b9359753784e..364978e63d8d 100644 ---- a/drivers/staging/speakup/selection.c -+++ b/drivers/staging/speakup/selection.c -@@ -139,7 +139,9 @@ static void __speakup_paste_selection(struct work_struct *work) - struct tty_ldisc *ld; - DECLARE_WAITQUEUE(wait, current); - -- ld = tty_ldisc_ref_wait(tty); -+ ld = tty_ldisc_ref(tty); -+ if (!ld) -+ goto tty_unref; - - /* FIXME: this is completely unsafe */ - add_wait_queue(&vc->paste_wait, &wait); -@@ -158,6 +160,7 @@ static void __speakup_paste_selection(struct work_struct *work) - current->state = TASK_RUNNING; - - tty_ldisc_deref(ld); -+tty_unref: - tty_kref_put(tty); - } - -diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index 06cd916f91fe..d74da9598d58 100644 ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -3960,6 +3960,17 @@ reject: - return iscsit_add_reject(conn, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); - } - -+static bool iscsi_target_check_conn_state(struct iscsi_conn *conn) -+{ -+ bool ret; -+ -+ spin_lock_bh(&conn->state_lock); -+ ret = (conn->conn_state != TARG_CONN_STATE_LOGGED_IN); -+ spin_unlock_bh(&conn->state_lock); -+ -+ return ret; -+} -+ - int iscsi_target_rx_thread(void *arg) - { - int ret, rc; -@@ -3977,7 +3988,7 @@ int iscsi_target_rx_thread(void *arg) - * incoming iscsi/tcp socket I/O, and/or failing the connection. - */ - rc = wait_for_completion_interruptible(&conn->rx_login_comp); -- if (rc < 0) -+ if (rc < 0 || iscsi_target_check_conn_state(conn)) - return 0; - - if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { -diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c -index c45b3365d63d..200d779d0c03 100644 ---- a/drivers/target/iscsi/iscsi_target_configfs.c -+++ b/drivers/target/iscsi/iscsi_target_configfs.c -@@ -1730,7 +1730,8 @@ static void lio_tpg_release_fabric_acl( - } - - /* -- * Called with spin_lock_bh(struct se_portal_group->session_lock) held.. -+ * Called with spin_lock_irq(struct se_portal_group->session_lock) held -+ * or not held. - * - * Also, this function calls iscsit_inc_session_usage_count() on the - * struct iscsi_session in question. -@@ -1738,19 +1739,32 @@ static void lio_tpg_release_fabric_acl( - static int lio_tpg_shutdown_session(struct se_session *se_sess) - { - struct iscsi_session *sess = se_sess->fabric_sess_ptr; -+ struct se_portal_group *se_tpg = se_sess->se_tpg; -+ bool local_lock = false; -+ -+ if (!spin_is_locked(&se_tpg->session_lock)) { -+ spin_lock_irq(&se_tpg->session_lock); -+ local_lock = true; -+ } - - spin_lock(&sess->conn_lock); - if (atomic_read(&sess->session_fall_back_to_erl0) || - atomic_read(&sess->session_logout) || - (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) { - spin_unlock(&sess->conn_lock); -+ if (local_lock) -+ spin_unlock_irq(&sess->conn_lock); - return 0; - } - atomic_set(&sess->session_reinstatement, 1); - spin_unlock(&sess->conn_lock); - - iscsit_stop_time2retain_timer(sess); -+ spin_unlock_irq(&se_tpg->session_lock); -+ - iscsit_stop_session(sess, 1, 1); -+ if (!local_lock) -+ spin_lock_irq(&se_tpg->session_lock); - - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c -index 77c276acccb6..2a61a01142e9 100644 ---- a/drivers/target/iscsi/iscsi_target_nego.c -+++ b/drivers/target/iscsi/iscsi_target_nego.c -@@ -384,6 +384,7 @@ err: - if (login->login_complete) { - if (conn->rx_thread && conn->rx_thread_active) { - send_sig(SIGINT, conn->rx_thread, 1); -+ complete(&conn->rx_login_comp); - kthread_stop(conn->rx_thread); - } - if (conn->tx_thread && conn->tx_thread_active) { -diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 7cb36813aac2..deee2b81afff 100644 ---- a/drivers/tty/pty.c -+++ b/drivers/tty/pty.c -@@ -623,7 +623,14 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty) - /* this is called once with whichever end is closed last */ - static void pty_unix98_shutdown(struct tty_struct *tty) - { -- devpts_kill_index(tty->driver_data, tty->index); -+ struct inode *ptmx_inode; -+ -+ if (tty->driver->subtype == PTY_TYPE_MASTER) -+ ptmx_inode = tty->driver_data; -+ else -+ ptmx_inode = tty->link->driver_data; -+ devpts_kill_index(ptmx_inode, tty->index); -+ devpts_del_ref(ptmx_inode); - } - - static const struct tty_operations ptm_unix98_ops = { -@@ -714,6 +721,18 @@ static int ptmx_open(struct inode *inode, struct file *filp) - set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */ - tty->driver_data = inode; - -+ /* -+ * In the case where all references to ptmx inode are dropped and we -+ * still have /dev/tty opened pointing to the master/slave pair (ptmx -+ * is closed/released before /dev/tty), we must make sure that the inode -+ * is still valid when we call the final pty_unix98_shutdown, thus we -+ * hold an additional reference to the ptmx inode. For the same /dev/tty -+ * last close case, we also need to make sure the super_block isn't -+ * destroyed (devpts instance unmounted), before /dev/tty is closed and -+ * on its release devpts_kill_index is called. -+ */ -+ devpts_add_ref(inode); -+ - tty_add_file(tty, filp); - - slave_inode = devpts_pty_new(inode, -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 9dd6fa3a1260..507677b9bdc7 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1502,7 +1502,9 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) - if (temp == 0xffffffff || (xhci->xhc_state & XHCI_STATE_HALTED)) { - xhci_dbg(xhci, "HW died, freeing TD.\n"); - urb_priv = urb->hcpriv; -- for (i = urb_priv->td_cnt; i < urb_priv->length; i++) { -+ for (i = urb_priv->td_cnt; -+ i < urb_priv->length && xhci->devs[urb->dev->slot_id]; -+ i++) { - td = urb_priv->td[i]; - if (!list_empty(&td->td_list)) - list_del_init(&td->td_list); -diff --git a/fs/aio.c b/fs/aio.c -index ded94c4fa30d..9798d4edfd8f 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat) - - static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb) - { -- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes))) -- return -EFAULT; -+ size_t len = kiocb->ki_nbytes; -+ -+ if (len > MAX_RW_COUNT) -+ len = MAX_RW_COUNT; -+ -+ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len))) -+ return -EFAULT; - - kiocb->ki_iovec = &kiocb->ki_inline_vec; - kiocb->ki_iovec->iov_base = kiocb->ki_buf; -- kiocb->ki_iovec->iov_len = kiocb->ki_nbytes; -+ kiocb->ki_iovec->iov_len = len; - kiocb->ki_nr_segs = 1; - return 0; - } -diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c -index d85f90c92bb4..bca854b44056 100644 ---- a/fs/btrfs/backref.c -+++ b/fs/btrfs/backref.c -@@ -1228,7 +1228,8 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, - read_extent_buffer(eb, dest + bytes_left, - name_off, name_len); - if (eb != eb_in) { -- btrfs_tree_read_unlock_blocking(eb); -+ if (!path->skip_locking) -+ btrfs_tree_read_unlock_blocking(eb); - free_extent_buffer(eb); - } - ret = inode_ref_info(parent, 0, fs_root, path, &found_key); -@@ -1247,9 +1248,10 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, - eb = path->nodes[0]; - /* make sure we can use eb after releasing the path */ - if (eb != eb_in) { -- atomic_inc(&eb->refs); -- btrfs_tree_read_lock(eb); -- btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); -+ if (!path->skip_locking) -+ btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); -+ path->nodes[0] = NULL; -+ path->locks[0] = 0; - } - btrfs_release_path(path); - iref = btrfs_item_ptr(eb, slot, struct btrfs_inode_ref); -diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c -index 5c807b23ca67..182e82f22b3a 100644 ---- a/fs/cifs/cifsencrypt.c -+++ b/fs/cifs/cifsencrypt.c -@@ -591,7 +591,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) - - ses->auth_key.response = kmalloc(baselen + tilen, GFP_KERNEL); - if (!ses->auth_key.response) { -- rc = ENOMEM; -+ rc = -ENOMEM; - ses->auth_key.len = 0; - goto setup_ntlmv2_rsp_ret; - } -diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c -index a726b9f29cb7..61af24e379ad 100644 ---- a/fs/devpts/inode.c -+++ b/fs/devpts/inode.c -@@ -564,6 +564,26 @@ void devpts_kill_index(struct inode *ptmx_inode, int idx) - mutex_unlock(&allocated_ptys_lock); - } - -+/* -+ * pty code needs to hold extra references in case of last /dev/tty close -+ */ -+ -+void devpts_add_ref(struct inode *ptmx_inode) -+{ -+ struct super_block *sb = pts_sb_from_inode(ptmx_inode); -+ -+ atomic_inc(&sb->s_active); -+ ihold(ptmx_inode); -+} -+ -+void devpts_del_ref(struct inode *ptmx_inode) -+{ -+ struct super_block *sb = pts_sb_from_inode(ptmx_inode); -+ -+ iput(ptmx_inode); -+ deactivate_super(sb); -+} -+ - /** - * devpts_pty_new -- create a new inode in /dev/pts/ - * @ptmx_inode: inode of the master -diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c -index fa7d2e668c3a..cf0a70486618 100644 ---- a/fs/ext4/resize.c -+++ b/fs/ext4/resize.c -@@ -181,7 +181,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) - if (flex_gd == NULL) - goto out3; - -- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data)) -+ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data)) - goto out2; - flex_gd->count = flexbg_size; - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 4fafb8484bbc..35f604b5f408 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -993,6 +993,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, - - mark_page_accessed(page); - -+ iov_iter_advance(ii, tmp); - if (!tmp) { - unlock_page(page); - page_cache_release(page); -@@ -1005,7 +1006,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, - req->page_descs[req->num_pages].length = tmp; - req->num_pages++; - -- iov_iter_advance(ii, tmp); - count += tmp; - pos += tmp; - offset += tmp; -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 78679b489484..d8ac734a1e44 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -1005,6 +1005,7 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s - * Protect the call to nfs4_state_set_mode_locked and - * serialise the stateid update - */ -+ spin_lock(&state->owner->so_lock); - write_seqlock(&state->seqlock); - if (deleg_stateid != NULL) { - nfs4_stateid_copy(&state->stateid, deleg_stateid); -@@ -1013,7 +1014,6 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s - if (open_stateid != NULL) - nfs_set_open_stateid_locked(state, open_stateid, fmode); - write_sequnlock(&state->seqlock); -- spin_lock(&state->owner->so_lock); - update_open_stateflags(state, fmode); - spin_unlock(&state->owner->so_lock); - } -diff --git a/fs/proc/array.c b/fs/proc/array.c -index 09f0d9c374a3..5c45eb5e4e0d 100644 ---- a/fs/proc/array.c -+++ b/fs/proc/array.c -@@ -398,7 +398,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, - - state = *get_task_state(task); - vsize = eip = esp = 0; -- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); -+ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); - mm = get_task_mm(task); - if (mm) { - vsize = task_vsize(mm); -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 8fc784aef0b8..7b5d453ebf53 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -239,7 +239,7 @@ out: - - static int proc_pid_auxv(struct task_struct *task, char *buffer) - { -- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ); -+ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); - int res = PTR_ERR(mm); - if (mm && !IS_ERR(mm)) { - unsigned int nwords = 0; -@@ -269,7 +269,7 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) - wchan = get_wchan(task); - - if (lookup_symbol_name(wchan, symname) < 0) -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - return 0; - else - return sprintf(buffer, "%lu", wchan); -@@ -283,7 +283,7 @@ static int lock_trace(struct task_struct *task) - int err = mutex_lock_killable(&task->signal->cred_guard_mutex); - if (err) - return err; -- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) { -+ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) { - mutex_unlock(&task->signal->cred_guard_mutex); - return -EPERM; - } -@@ -557,7 +557,7 @@ static int proc_fd_access_allowed(struct inode *inode) - */ - task = get_proc_task(inode); - if (task) { -- allowed = ptrace_may_access(task, PTRACE_MODE_READ); -+ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); - put_task_struct(task); - } - return allowed; -@@ -592,7 +592,7 @@ static bool has_pid_permissions(struct pid_namespace *pid, - return true; - if (in_group_p(pid->pid_gid)) - return true; -- return ptrace_may_access(task, PTRACE_MODE_READ); -+ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); - } - - -@@ -707,7 +707,7 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) - if (!task) - return -ESRCH; - -- mm = mm_access(task, mode); -+ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS); - put_task_struct(task); - - if (IS_ERR(mm)) -@@ -1761,7 +1761,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags) - if (!task) - goto out_notask; - -- mm = mm_access(task, PTRACE_MODE_READ); -+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); - if (IS_ERR_OR_NULL(mm)) - goto out; - -@@ -1896,7 +1896,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, - goto out; - - result = ERR_PTR(-EACCES); -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - result = ERR_PTR(-ENOENT); -@@ -1952,7 +1952,7 @@ proc_map_files_readdir(struct file *filp, void *dirent, filldir_t filldir) - goto out; - - ret = -EACCES; -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - ret = 0; -@@ -2488,7 +2488,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) - if (result) - return result; - -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) { -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { - result = -EACCES; - goto out_unlock; - } -diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c -index 54bdc6701e9f..ac49a8d4aaf8 100644 ---- a/fs/proc/namespaces.c -+++ b/fs/proc/namespaces.c -@@ -125,7 +125,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd) - if (!task) - goto out; - -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns.ns_ops); -@@ -158,7 +158,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl - if (!task) - goto out; - -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - len = -ENOENT; -diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index 789814f27438..5c1120a5fa42 100644 ---- a/fs/udf/inode.c -+++ b/fs/udf/inode.c -@@ -2055,14 +2055,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos, - epos->offset += adsize; - } - -+/* -+ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case -+ * someone does some weird stuff. -+ */ -+#define UDF_MAX_INDIR_EXTS 16 -+ - int8_t udf_next_aext(struct inode *inode, struct extent_position *epos, - struct kernel_lb_addr *eloc, uint32_t *elen, int inc) - { - int8_t etype; -+ unsigned int indirections = 0; - - while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) == - (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) { - int block; -+ -+ if (++indirections > UDF_MAX_INDIR_EXTS) { -+ udf_err(inode->i_sb, -+ "too many indirect extents in inode %lu\n", -+ inode->i_ino); -+ return -1; -+ } -+ - epos->block = *eloc; - epos->offset = sizeof(struct allocExtDesc); - brelse(epos->bh); -diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c -index 44b815e57f94..685fbd8a2937 100644 ---- a/fs/udf/unicode.c -+++ b/fs/udf/unicode.c -@@ -132,11 +132,15 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) - if (c < 0x80U) - utf_o->u_name[utf_o->u_len++] = (uint8_t)c; - else if (c < 0x800U) { -+ if (utf_o->u_len > (UDF_NAME_LEN - 4)) -+ break; - utf_o->u_name[utf_o->u_len++] = - (uint8_t)(0xc0 | (c >> 6)); - utf_o->u_name[utf_o->u_len++] = - (uint8_t)(0x80 | (c & 0x3f)); - } else { -+ if (utf_o->u_len > (UDF_NAME_LEN - 5)) -+ break; - utf_o->u_name[utf_o->u_len++] = - (uint8_t)(0xe0 | (c >> 12)); - utf_o->u_name[utf_o->u_len++] = -@@ -177,17 +181,22 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) - static int udf_UTF8toCS0(dstring *ocu, struct ustr *utf, int length) - { - unsigned c, i, max_val, utf_char; -- int utf_cnt, u_len; -+ int utf_cnt, u_len, u_ch; - - memset(ocu, 0, sizeof(dstring) * length); - ocu[0] = 8; - max_val = 0xffU; -+ u_ch = 1; - - try_again: - u_len = 0U; - utf_char = 0U; - utf_cnt = 0U; - for (i = 0U; i < utf->u_len; i++) { -+ /* Name didn't fit? */ -+ if (u_len + 1 + u_ch >= length) -+ return 0; -+ - c = (uint8_t)utf->u_name[i]; - - /* Complete a multi-byte UTF-8 character */ -@@ -229,6 +238,7 @@ try_again: - if (max_val == 0xffU) { - max_val = 0xffffU; - ocu[0] = (uint8_t)0x10U; -+ u_ch = 2; - goto try_again; - } - goto error_out; -@@ -281,7 +291,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, - c = (c << 8) | ocu[i++]; - - len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len], -- UDF_NAME_LEN - utf_o->u_len); -+ UDF_NAME_LEN - 2 - utf_o->u_len); - /* Valid character? */ - if (len >= 0) - utf_o->u_len += len; -@@ -299,15 +309,19 @@ static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni, - int len; - unsigned i, max_val; - uint16_t uni_char; -- int u_len; -+ int u_len, u_ch; - - memset(ocu, 0, sizeof(dstring) * length); - ocu[0] = 8; - max_val = 0xffU; -+ u_ch = 1; - - try_again: - u_len = 0U; - for (i = 0U; i < uni->u_len; i++) { -+ /* Name didn't fit? */ -+ if (u_len + 1 + u_ch >= length) -+ return 0; - len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char); - if (!len) - continue; -@@ -320,6 +334,7 @@ try_again: - if (uni_char > max_val) { - max_val = 0xffffU; - ocu[0] = (uint8_t)0x10U; -+ u_ch = 2; - goto try_again; - } - -diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index a2329c5e6206..a2ce6f8871c4 100644 ---- a/include/linux/compiler.h -+++ b/include/linux/compiler.h -@@ -131,7 +131,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); - */ - #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) ) - #define __trace_if(cond) \ -- if (__builtin_constant_p((cond)) ? !!(cond) : \ -+ if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ - ({ \ - int ______r; \ - static struct ftrace_branch_data \ -diff --git a/include/linux/devpts_fs.h b/include/linux/devpts_fs.h -index 251a2090a554..e0ee0b3000b2 100644 ---- a/include/linux/devpts_fs.h -+++ b/include/linux/devpts_fs.h -@@ -19,6 +19,8 @@ - - int devpts_new_index(struct inode *ptmx_inode); - void devpts_kill_index(struct inode *ptmx_inode, int idx); -+void devpts_add_ref(struct inode *ptmx_inode); -+void devpts_del_ref(struct inode *ptmx_inode); - /* mknod in devpts */ - struct inode *devpts_pty_new(struct inode *ptmx_inode, dev_t device, int index, - void *priv); -@@ -32,6 +34,8 @@ void devpts_pty_kill(struct inode *inode); - /* Dummy stubs in the no-pty case */ - static inline int devpts_new_index(struct inode *ptmx_inode) { return -EINVAL; } - static inline void devpts_kill_index(struct inode *ptmx_inode, int idx) { } -+static inline void devpts_add_ref(struct inode *ptmx_inode) { } -+static inline void devpts_del_ref(struct inode *ptmx_inode) { } - static inline struct inode *devpts_pty_new(struct inode *ptmx_inode, - dev_t device, int index, void *priv) - { -diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h -index bb980ae6d9d3..6af8988f5ddd 100644 ---- a/include/linux/ptrace.h -+++ b/include/linux/ptrace.h -@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer); - #define PTRACE_MODE_READ 0x01 - #define PTRACE_MODE_ATTACH 0x02 - #define PTRACE_MODE_NOAUDIT 0x04 --/* Returns true on success, false on denial. */ -+#define PTRACE_MODE_FSCREDS 0x08 -+#define PTRACE_MODE_REALCREDS 0x10 -+ -+/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ -+#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) -+#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) -+#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) -+#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) -+ -+/** -+ * ptrace_may_access - check whether the caller is permitted to access -+ * a target task. -+ * @task: target task -+ * @mode: selects type of access and caller credentials -+ * -+ * Returns true on success, false on denial. -+ * -+ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must -+ * be set in @mode to specify whether the access was requested through -+ * a filesystem syscall (should use effective capabilities and fsuid -+ * of the caller) or through an explicit syscall such as -+ * process_vm_writev or ptrace (and should use the real credentials). -+ */ - extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); - - static inline int ptrace_reparented(struct task_struct *child) -diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h -index ffc444c38b0a..e02e09f85fad 100644 ---- a/include/linux/radix-tree.h -+++ b/include/linux/radix-tree.h -@@ -322,12 +322,28 @@ void **radix_tree_next_chunk(struct radix_tree_root *root, - struct radix_tree_iter *iter, unsigned flags); - - /** -+ * radix_tree_iter_retry - retry this chunk of the iteration -+ * @iter: iterator state -+ * -+ * If we iterate over a tree protected only by the RCU lock, a race -+ * against deletion or creation may result in seeing a slot for which -+ * radix_tree_deref_retry() returns true. If so, call this function -+ * and continue the iteration. -+ */ -+static inline __must_check -+void **radix_tree_iter_retry(struct radix_tree_iter *iter) -+{ -+ iter->next_index = iter->index; -+ return NULL; -+} -+ -+/** - * radix_tree_chunk_size - get current chunk size - * - * @iter: pointer to radix tree iterator - * Returns: current chunk size - */ --static __always_inline unsigned -+static __always_inline long - radix_tree_chunk_size(struct radix_tree_iter *iter) - { - return iter->next_index - iter->index; -@@ -361,9 +377,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags) - return slot + offset + 1; - } - } else { -- unsigned size = radix_tree_chunk_size(iter) - 1; -+ long size = radix_tree_chunk_size(iter); - -- while (size--) { -+ while (--size > 0) { - slot++; - iter->index++; - if (likely(*slot)) -diff --git a/kernel/events/core.c b/kernel/events/core.c -index d9b0aad17dbf..0f5207839673 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -2938,7 +2938,7 @@ find_lively_task_by_vpid(pid_t vpid) - - /* Reuse ptrace permission checks for now. */ - err = -EACCES; -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) - goto errout; - - return task; -@@ -5639,6 +5639,10 @@ static int perf_tp_filter_match(struct perf_event *event, - { - void *record = data->raw->data; - -+ /* only top level events have filters set */ -+ if (event->parent) -+ event = event->parent; -+ - if (likely(!event->filter) || filter_match_preds(event->filter, record)) - return 1; - return 0; -diff --git a/kernel/futex.c b/kernel/futex.c -index 625a4e659e7a..edc4beae4df1 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -2494,6 +2494,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - if (q.pi_state && (q.pi_state->owner != current)) { - spin_lock(q.lock_ptr); - ret = fixup_pi_state_owner(uaddr2, &q, current); -+ /* -+ * Drop the reference to the pi state which -+ * the requeue_pi() code acquired for us. -+ */ -+ free_pi_state(q.pi_state); - spin_unlock(q.lock_ptr); - } - } else { -@@ -2620,7 +2625,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, - } - - ret = -EPERM; -- if (!ptrace_may_access(p, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) - goto err_unlock; - - head = p->robust_list; -diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c -index f9f44fd4d34d..3888617a1f9e 100644 ---- a/kernel/futex_compat.c -+++ b/kernel/futex_compat.c -@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, - } - - ret = -EPERM; -- if (!ptrace_may_access(p, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) - goto err_unlock; - - head = p->compat_robust_list; -diff --git a/kernel/kcmp.c b/kernel/kcmp.c -index 0aa69ea1d8fd..3a47fa998fe0 100644 ---- a/kernel/kcmp.c -+++ b/kernel/kcmp.c -@@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, - &task2->signal->cred_guard_mutex); - if (ret) - goto err; -- if (!ptrace_may_access(task1, PTRACE_MODE_READ) || -- !ptrace_may_access(task2, PTRACE_MODE_READ)) { -+ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) || -+ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) { - ret = -EPERM; - goto err_unlock; - } -diff --git a/kernel/module.c b/kernel/module.c -index fd2afdf48a89..70a4754c001f 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3398,6 +3398,11 @@ static inline int is_arm_mapping_symbol(const char *str) - && (str[2] == '\0' || str[2] == '.'); - } - -+static const char *symname(struct module *mod, unsigned int symnum) -+{ -+ return mod->strtab + mod->symtab[symnum].st_name; -+} -+ - static const char *get_ksymbol(struct module *mod, - unsigned long addr, - unsigned long *size, -@@ -3420,15 +3425,15 @@ static const char *get_ksymbol(struct module *mod, - - /* We ignore unnamed symbols: they're uninformative - * and inserted at a whim. */ -+ if (*symname(mod, i) == '\0' -+ || is_arm_mapping_symbol(symname(mod, i))) -+ continue; -+ - if (mod->symtab[i].st_value <= addr -- && mod->symtab[i].st_value > mod->symtab[best].st_value -- && *(mod->strtab + mod->symtab[i].st_name) != '\0' -- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) -+ && mod->symtab[i].st_value > mod->symtab[best].st_value) - best = i; - if (mod->symtab[i].st_value > addr -- && mod->symtab[i].st_value < nextval -- && *(mod->strtab + mod->symtab[i].st_name) != '\0' -- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) -+ && mod->symtab[i].st_value < nextval) - nextval = mod->symtab[i].st_value; - } - -@@ -3439,7 +3444,7 @@ static const char *get_ksymbol(struct module *mod, - *size = nextval - mod->symtab[best].st_value; - if (offset) - *offset = addr - mod->symtab[best].st_value; -- return mod->strtab + mod->symtab[best].st_name; -+ return symname(mod, best); - } - - /* For kallsyms to ask for address resolution. NULL means not found. Careful -@@ -3540,8 +3545,7 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, - if (symnum < mod->num_symtab) { - *value = mod->symtab[symnum].st_value; - *type = mod->symtab[symnum].st_info; -- strlcpy(name, mod->strtab + mod->symtab[symnum].st_name, -- KSYM_NAME_LEN); -+ strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); - strlcpy(module_name, mod->name, MODULE_NAME_LEN); - *exported = is_exported(name, *value, mod); - preempt_enable(); -@@ -3558,7 +3562,7 @@ static unsigned long mod_find_symname(struct module *mod, const char *name) - unsigned int i; - - for (i = 0; i < mod->num_symtab; i++) -- if (strcmp(name, mod->strtab+mod->symtab[i].st_name) == 0 && -+ if (strcmp(name, symname(mod, i)) == 0 && - mod->symtab[i].st_info != 'U') - return mod->symtab[i].st_value; - return 0; -@@ -3602,7 +3606,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, - if (mod->state == MODULE_STATE_UNFORMED) - continue; - for (i = 0; i < mod->num_symtab; i++) { -- ret = fn(data, mod->strtab + mod->symtab[i].st_name, -+ ret = fn(data, symname(mod, i), - mod, mod->symtab[i].st_value); - if (ret != 0) - return ret; -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 30ab20623bca..72b0b3e0e065 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -+ int dumpable = 0; -+ kuid_t caller_uid; -+ kgid_t caller_gid; -+ -+ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { -+ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); -+ return -EPERM; -+ } - - /* May we inspect the given task? - * This check is used both for attaching with ptrace -@@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - * because setting up the necessary parent/child relationship - * or halting the specified task is impossible. - */ -- int dumpable = 0; -+ - /* Don't let security modules deny introspection */ - if (same_thread_group(task, current)) - return 0; - rcu_read_lock(); -+ if (mode & PTRACE_MODE_FSCREDS) { -+ caller_uid = cred->fsuid; -+ caller_gid = cred->fsgid; -+ } else { -+ /* -+ * Using the euid would make more sense here, but something -+ * in userland might rely on the old behavior, and this -+ * shouldn't be a security problem since -+ * PTRACE_MODE_REALCREDS implies that the caller explicitly -+ * used a syscall that requests access to another process -+ * (and not a filesystem syscall to procfs). -+ */ -+ caller_uid = cred->uid; -+ caller_gid = cred->gid; -+ } - tcred = __task_cred(task); -- if (uid_eq(cred->uid, tcred->euid) && -- uid_eq(cred->uid, tcred->suid) && -- uid_eq(cred->uid, tcred->uid) && -- gid_eq(cred->gid, tcred->egid) && -- gid_eq(cred->gid, tcred->sgid) && -- gid_eq(cred->gid, tcred->gid)) -+ if (uid_eq(caller_uid, tcred->euid) && -+ uid_eq(caller_uid, tcred->suid) && -+ uid_eq(caller_uid, tcred->uid) && -+ gid_eq(caller_gid, tcred->egid) && -+ gid_eq(caller_gid, tcred->sgid) && -+ gid_eq(caller_gid, tcred->gid)) - goto ok; - if (ptrace_has_cap(tcred->user_ns, mode)) - goto ok; -@@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request, - goto out; - - task_lock(task); -- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH); -+ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); - task_unlock(task); - if (retval) - goto unlock_creds; -diff --git a/lib/dma-debug.c b/lib/dma-debug.c -index d87a17a819d0..eb43517bf261 100644 ---- a/lib/dma-debug.c -+++ b/lib/dma-debug.c -@@ -962,7 +962,7 @@ static inline bool overlap(void *addr, unsigned long len, void *start, void *end - - static void check_for_illegal_area(struct device *dev, void *addr, unsigned long len) - { -- if (overlap(addr, len, _text, _etext) || -+ if (overlap(addr, len, _stext, _etext) || - overlap(addr, len, __start_rodata, __end_rodata)) - err_printk(dev, NULL, "DMA-API: device driver maps memory from kernel text or rodata [addr=%p] [len=%lu]\n", addr, len); - } -diff --git a/lib/klist.c b/lib/klist.c -index 358a368a2947..2e59aecbec0d 100644 ---- a/lib/klist.c -+++ b/lib/klist.c -@@ -282,9 +282,9 @@ void klist_iter_init_node(struct klist *k, struct klist_iter *i, - struct klist_node *n) - { - i->i_klist = k; -- i->i_cur = n; -- if (n) -- kref_get(&n->n_ref); -+ i->i_cur = NULL; -+ if (n && kref_get_unless_zero(&n->n_ref)) -+ i->i_cur = n; - } - EXPORT_SYMBOL_GPL(klist_iter_init_node); - -diff --git a/lib/radix-tree.c b/lib/radix-tree.c -index e7964296fd50..936a02c1c77b 100644 ---- a/lib/radix-tree.c -+++ b/lib/radix-tree.c -@@ -1015,9 +1015,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results, - return 0; - - radix_tree_for_each_slot(slot, root, &iter, first_index) { -- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); -+ results[ret] = rcu_dereference_raw(*slot); - if (!results[ret]) - continue; -+ if (radix_tree_is_indirect_ptr(results[ret])) { -+ slot = radix_tree_iter_retry(&iter); -+ continue; -+ } - if (++ret == max_items) - break; - } -@@ -1094,9 +1098,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results, - return 0; - - radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) { -- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); -+ results[ret] = rcu_dereference_raw(*slot); - if (!results[ret]) - continue; -+ if (radix_tree_is_indirect_ptr(results[ret])) { -+ slot = radix_tree_iter_retry(&iter); -+ continue; -+ } - if (++ret == max_items) - break; - } -diff --git a/mm/memcontrol.c b/mm/memcontrol.c -index eaa3accb01e7..437ae2cbe102 100644 ---- a/mm/memcontrol.c -+++ b/mm/memcontrol.c -@@ -5790,16 +5790,17 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp, - swap_buffers: - /* Swap primary and spare array */ - thresholds->spare = thresholds->primary; -- /* If all events are unregistered, free the spare array */ -- if (!new) { -- kfree(thresholds->spare); -- thresholds->spare = NULL; -- } - - rcu_assign_pointer(thresholds->primary, new); - - /* To be sure that nobody uses thresholds */ - synchronize_rcu(); -+ -+ /* If all events are unregistered, free the spare array */ -+ if (!new) { -+ kfree(thresholds->spare); -+ thresholds->spare = NULL; -+ } - unlock: - mutex_unlock(&memcg->thresholds_lock); - } -diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index f97d709594e6..37df20faddd5 100644 ---- a/mm/memory-failure.c -+++ b/mm/memory-failure.c -@@ -1472,7 +1472,7 @@ static int get_any_page(struct page *page, unsigned long pfn, int flags) - * Did it turn free? - */ - ret = __get_any_page(page, pfn, 0); -- if (!PageLRU(page)) { -+ if (ret == 1 && !PageLRU(page)) { - /* Drop page reference which is from __get_any_page() */ - put_page(page); - pr_info("soft_offline: %#lx: unknown non LRU page type %lx\n", -diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c -index d85d3a0e06ce..7f1bf93fa87f 100644 ---- a/mm/memory_hotplug.c -+++ b/mm/memory_hotplug.c -@@ -1209,23 +1209,30 @@ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) - */ - static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn) - { -- unsigned long pfn; -+ unsigned long pfn, sec_end_pfn; - struct zone *zone = NULL; - struct page *page; - int i; -- for (pfn = start_pfn; -+ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn); - pfn < end_pfn; -- pfn += MAX_ORDER_NR_PAGES) { -- i = 0; -- /* This is just a CONFIG_HOLES_IN_ZONE check.*/ -- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i)) -- i++; -- if (i == MAX_ORDER_NR_PAGES) -+ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) { -+ /* Make sure the memory section is present first */ -+ if (!present_section_nr(pfn_to_section_nr(pfn))) - continue; -- page = pfn_to_page(pfn + i); -- if (zone && page_zone(page) != zone) -- return 0; -- zone = page_zone(page); -+ for (; pfn < sec_end_pfn && pfn < end_pfn; -+ pfn += MAX_ORDER_NR_PAGES) { -+ i = 0; -+ /* This is just a CONFIG_HOLES_IN_ZONE check.*/ -+ while ((i < MAX_ORDER_NR_PAGES) && -+ !pfn_valid_within(pfn + i)) -+ i++; -+ if (i == MAX_ORDER_NR_PAGES) -+ continue; -+ page = pfn_to_page(pfn + i); -+ if (zone && page_zone(page) != zone) -+ return 0; -+ zone = page_zone(page); -+ } - } - return 1; - } -diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c -index fd26d0433509..e739825be8b3 100644 ---- a/mm/process_vm_access.c -+++ b/mm/process_vm_access.c -@@ -298,7 +298,7 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec, - goto free_proc_pages; - } - -- mm = mm_access(task, PTRACE_MODE_ATTACH); -+ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS); - if (!mm || IS_ERR(mm)) { - rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; - /* -diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c -index 9ec416552cc5..8d69df16f6a8 100644 ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -336,7 +336,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id) - - static void ip6mr_free_table(struct mr6_table *mrt) - { -- del_timer(&mrt->ipmr_expire_timer); -+ del_timer_sync(&mrt->ipmr_expire_timer); - mroute_clean_tables(mrt, true); - kfree(mrt); - } -diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter -index 6129020c41a9..81228a443122 100755 ---- a/scripts/bloat-o-meter -+++ b/scripts/bloat-o-meter -@@ -55,8 +55,8 @@ for name in common: - delta.sort() - delta.reverse() - --print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ -- (add, remove, grow, shrink, up, -down, up-down) --print "%-40s %7s %7s %+7s" % ("function", "old", "new", "delta") -+print("add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ -+ (add, remove, grow, shrink, up, -down, up-down)) -+print("%-40s %7s %7s %+7s" % ("function", "old", "new", "delta")) - for d, n in delta: -- if d: print "%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d) -+ if d: print("%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d)) -diff --git a/security/commoncap.c b/security/commoncap.c -index c9219a66b7c6..4fd7bf2b19e1 100644 ---- a/security/commoncap.c -+++ b/security/commoncap.c -@@ -142,12 +142,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) - { - int ret = 0; - const struct cred *cred, *child_cred; -+ const kernel_cap_t *caller_caps; - - rcu_read_lock(); - cred = current_cred(); - child_cred = __task_cred(child); -+ if (mode & PTRACE_MODE_FSCREDS) -+ caller_caps = &cred->cap_effective; -+ else -+ caller_caps = &cred->cap_permitted; - if (cred->user_ns == child_cred->user_ns && -- cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) -+ cap_issubset(child_cred->cap_permitted, *caller_caps)) - goto out; - if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) - goto out; -diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c -index 67c91d226552..ee0522a8f730 100644 ---- a/sound/core/seq/seq_ports.c -+++ b/sound/core/seq/seq_ports.c -@@ -540,19 +540,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client, - bool is_src, bool ack) - { - struct snd_seq_port_subs_info *grp; -+ struct list_head *list; -+ bool empty; - - grp = is_src ? &port->c_src : &port->c_dest; -+ list = is_src ? &subs->src_list : &subs->dest_list; - down_write(&grp->list_mutex); - write_lock_irq(&grp->list_lock); -- if (is_src) -- list_del(&subs->src_list); -- else -- list_del(&subs->dest_list); -+ empty = list_empty(list); -+ if (!empty) -+ list_del_init(list); - grp->exclusive = 0; - write_unlock_irq(&grp->list_lock); - up_write(&grp->list_mutex); - -- unsubscribe_port(client, port, grp, &subs->info, ack); -+ if (!empty) -+ unsubscribe_port(client, port, grp, &subs->info, ack); - } - - /* connect two ports */ -diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c -index 82b0606dcb8a..c3efcf2f816b 100644 ---- a/tools/lib/traceevent/event-parse.c -+++ b/tools/lib/traceevent/event-parse.c -@@ -4190,13 +4190,12 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event - sizeof(long) != 8) { - char *p; - -- ls = 2; - /* make %l into %ll */ -- p = strchr(format, 'l'); -- if (p) -+ if (ls == 1 && (p = strchr(format, 'l'))) - memmove(p+1, p, strlen(p)+1); - else if (strcmp(format, "%p") == 0) - strcpy(format, "0x%llx"); -+ ls = 2; - } - switch (ls) { - case -2: diff --git a/patch/kernel/odroidc1-default/1-patch-3.10.98-99.patch b/patch/kernel/odroidc1-default/1-patch-3.10.98-99.patch deleted file mode 100644 index e405e5ac5..000000000 --- a/patch/kernel/odroidc1-default/1-patch-3.10.98-99.patch +++ /dev/null @@ -1,2573 +0,0 @@ -diff --git a/Makefile b/Makefile -index dadd1edc6f84..f1e6491fd7d8 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 98 -+SUBLEVEL = 99 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c -index a8d02223da44..14558a9fa3b3 100644 ---- a/arch/arc/kernel/unwind.c -+++ b/arch/arc/kernel/unwind.c -@@ -984,42 +984,13 @@ int arc_unwind(struct unwind_frame_info *frame) - (const u8 *)(fde + - 1) + - *fde, ptrType); -- if (pc >= endLoc) -+ if (pc >= endLoc) { - fde = NULL; -- } else -- fde = NULL; -- } -- if (fde == NULL) { -- for (fde = table->address, tableSize = table->size; -- cie = NULL, tableSize > sizeof(*fde) -- && tableSize - sizeof(*fde) >= *fde; -- tableSize -= sizeof(*fde) + *fde, -- fde += 1 + *fde / sizeof(*fde)) { -- cie = cie_for_fde(fde, table); -- if (cie == &bad_cie) { - cie = NULL; -- break; - } -- if (cie == NULL -- || cie == ¬_fde -- || (ptrType = fde_pointer_type(cie)) < 0) -- continue; -- ptr = (const u8 *)(fde + 2); -- startLoc = read_pointer(&ptr, -- (const u8 *)(fde + 1) + -- *fde, ptrType); -- if (!startLoc) -- continue; -- if (!(ptrType & DW_EH_PE_indirect)) -- ptrType &= -- DW_EH_PE_FORM | DW_EH_PE_signed; -- endLoc = -- startLoc + read_pointer(&ptr, -- (const u8 *)(fde + -- 1) + -- *fde, ptrType); -- if (pc >= startLoc && pc < endLoc) -- break; -+ } else { -+ fde = NULL; -+ cie = NULL; - } - } - } -diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S -index 920b63210806..34c35f0e3290 100644 ---- a/arch/mips/kvm/kvm_locore.S -+++ b/arch/mips/kvm/kvm_locore.S -@@ -156,9 +156,11 @@ FEXPORT(__kvm_mips_vcpu_run) - - FEXPORT(__kvm_mips_load_asid) - /* Set the ASID for the Guest Kernel */ -- sll t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ -- /* addresses shift to 0x80000000 */ -- bltz t0, 1f /* If kernel */ -+ PTR_L t0, VCPU_COP0(k1) -+ LONG_L t0, COP0_STATUS(t0) -+ andi t0, KSU_USER | ST0_ERL | ST0_EXL -+ xori t0, KSU_USER -+ bnez t0, 1f /* If kernel */ - addiu t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ - addiu t1, k1, VCPU_GUEST_USER_ASID /* else user */ - 1: -@@ -442,9 +444,11 @@ __kvm_mips_return_to_guest: - mtc0 t0, CP0_EPC - - /* Set the ASID for the Guest Kernel */ -- sll t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ -- /* addresses shift to 0x80000000 */ -- bltz t0, 1f /* If kernel */ -+ PTR_L t0, VCPU_COP0(k1) -+ LONG_L t0, COP0_STATUS(t0) -+ andi t0, KSU_USER | ST0_ERL | ST0_EXL -+ xori t0, KSU_USER -+ bnez t0, 1f /* If kernel */ - addiu t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ - addiu t1, k1, VCPU_GUEST_USER_ASID /* else user */ - 1: -diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c -index 843ec38fec7b..8aa5f30d8579 100644 ---- a/arch/mips/kvm/kvm_mips.c -+++ b/arch/mips/kvm/kvm_mips.c -@@ -308,7 +308,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) - - if (!gebase) { - err = -ENOMEM; -- goto out_free_cpu; -+ goto out_uninit_cpu; - } - kvm_info("Allocated %d bytes for KVM Exception Handlers @ %p\n", - ALIGN(size, PAGE_SIZE), gebase); -@@ -368,6 +368,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) - out_free_gebase: - kfree(gebase); - -+out_uninit_cpu: -+ kvm_vcpu_uninit(vcpu); -+ - out_free_cpu: - kfree(vcpu); - -diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c -index c76f297b7149..33085819cd89 100644 ---- a/arch/mips/kvm/kvm_mips_emul.c -+++ b/arch/mips/kvm/kvm_mips_emul.c -@@ -935,7 +935,7 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, - - base = (inst >> 21) & 0x1f; - op_inst = (inst >> 16) & 0x1f; -- offset = inst & 0xffff; -+ offset = (int16_t)inst; - cache = (inst >> 16) & 0x3; - op = (inst >> 18) & 0x7; - -diff --git a/arch/s390/mm/extable.c b/arch/s390/mm/extable.c -index 4d1ee88864e8..18c8b819b0aa 100644 ---- a/arch/s390/mm/extable.c -+++ b/arch/s390/mm/extable.c -@@ -52,12 +52,16 @@ void sort_extable(struct exception_table_entry *start, - int i; - - /* Normalize entries to being relative to the start of the section */ -- for (p = start, i = 0; p < finish; p++, i += 8) -+ for (p = start, i = 0; p < finish; p++, i += 8) { - p->insn += i; -+ p->fixup += i + 4; -+ } - sort(start, finish - start, sizeof(*start), cmp_ex, NULL); - /* Denormalize all entries */ -- for (p = start, i = 0; p < finish; p++, i += 8) -+ for (p = start, i = 0; p < finish; p++, i += 8) { - p->insn -= i; -+ p->fixup -= i + 4; -+ } - } - - #ifdef CONFIG_MODULES -diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index be8db9bb7878..666510b39870 100644 ---- a/arch/sparc/kernel/sys_sparc_64.c -+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -416,7 +416,7 @@ out: - - SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality) - { -- int ret; -+ long ret; - - if (personality(current->personality) == PER_LINUX32 && - personality(personality) == PER_LINUX) -diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c -index 337518c5042a..b412c62486f0 100644 ---- a/arch/um/os-Linux/start_up.c -+++ b/arch/um/os-Linux/start_up.c -@@ -95,6 +95,8 @@ static int start_ptraced_child(void) - { - int pid, n, status; - -+ fflush(stdout); -+ - pid = fork(); - if (pid == 0) - ptrace_child(); -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 6033be9ff81a..3c8bffdc71c8 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -250,12 +250,19 @@ static efi_status_t __init phys_efi_set_virtual_address_map( - efi_memory_desc_t *virtual_map) - { - efi_status_t status; -+ unsigned long flags; - - efi_call_phys_prelog(); -+ -+ /* Disable interrupts around EFI calls: */ -+ local_irq_save(flags); - status = efi_call_phys4(efi_phys.set_virtual_address_map, - memory_map_size, descriptor_size, - descriptor_version, virtual_map); -+ local_irq_restore(flags); -+ - efi_call_phys_epilog(); -+ - return status; - } - -diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c -index 40e446941dd7..bebbee05e331 100644 ---- a/arch/x86/platform/efi/efi_32.c -+++ b/arch/x86/platform/efi/efi_32.c -@@ -33,19 +33,16 @@ - - /* - * To make EFI call EFI runtime service in physical addressing mode we need -- * prelog/epilog before/after the invocation to disable interrupt, to -- * claim EFI runtime service handler exclusively and to duplicate a memory in -- * low memory space say 0 - 3G. -+ * prolog/epilog before/after the invocation to claim the EFI runtime service -+ * handler exclusively and to duplicate a memory mapping in low memory space, -+ * say 0 - 3G. - */ - --static unsigned long efi_rt_eflags; - - void efi_call_phys_prelog(void) - { - struct desc_ptr gdt_descr; - -- local_irq_save(efi_rt_eflags); -- - load_cr3(initial_page_table); - __flush_tlb_all(); - -@@ -64,6 +61,4 @@ void efi_call_phys_epilog(void) - - load_cr3(swapper_pg_dir); - __flush_tlb_all(); -- -- local_irq_restore(efi_rt_eflags); - } -diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c -index 39a0e7f1f0a3..2f6c1a9734c8 100644 ---- a/arch/x86/platform/efi/efi_64.c -+++ b/arch/x86/platform/efi/efi_64.c -@@ -40,7 +40,6 @@ - #include - - static pgd_t *save_pgd __initdata; --static unsigned long efi_flags __initdata; - - static void __init early_code_mapping_set_exec(int executable) - { -@@ -66,7 +65,6 @@ void __init efi_call_phys_prelog(void) - int n_pgds; - - early_code_mapping_set_exec(1); -- local_irq_save(efi_flags); - - n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE); - save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL); -@@ -90,7 +88,6 @@ void __init efi_call_phys_epilog(void) - set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); - kfree(save_pgd); - __flush_tlb_all(); -- local_irq_restore(efi_flags); - early_code_mapping_set_exec(0); - } - -diff --git a/block/partitions/mac.c b/block/partitions/mac.c -index 76d8ba6379a9..bd5b91465230 100644 ---- a/block/partitions/mac.c -+++ b/block/partitions/mac.c -@@ -32,7 +32,7 @@ int mac_partition(struct parsed_partitions *state) - Sector sect; - unsigned char *data; - int slot, blocks_in_map; -- unsigned secsize; -+ unsigned secsize, datasize, partoffset; - #ifdef CONFIG_PPC_PMAC - int found_root = 0; - int found_root_goodness = 0; -@@ -50,10 +50,14 @@ int mac_partition(struct parsed_partitions *state) - } - secsize = be16_to_cpu(md->block_size); - put_dev_sector(sect); -- data = read_part_sector(state, secsize/512, §); -+ datasize = round_down(secsize, 512); -+ data = read_part_sector(state, datasize / 512, §); - if (!data) - return -1; -- part = (struct mac_partition *) (data + secsize%512); -+ partoffset = secsize % 512; -+ if (partoffset + sizeof(*part) > datasize) -+ return -1; -+ part = (struct mac_partition *) (data + partoffset); - if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { - put_dev_sector(sect); - return 0; /* not a MacOS disk */ -diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c -index 136803c47cdb..96e5ed188636 100644 ---- a/drivers/ata/libata-sff.c -+++ b/drivers/ata/libata-sff.c -@@ -997,12 +997,9 @@ static inline int ata_hsm_ok_in_wq(struct ata_port *ap, - static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) - { - struct ata_port *ap = qc->ap; -- unsigned long flags; - - if (ap->ops->error_handler) { - if (in_wq) { -- spin_lock_irqsave(ap->lock, flags); -- - /* EH might have kicked in while host lock is - * released. - */ -@@ -1014,8 +1011,6 @@ static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) - } else - ata_port_freeze(ap); - } -- -- spin_unlock_irqrestore(ap->lock, flags); - } else { - if (likely(!(qc->err_mask & AC_ERR_HSM))) - ata_qc_complete(qc); -@@ -1024,10 +1019,8 @@ static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) - } - } else { - if (in_wq) { -- spin_lock_irqsave(ap->lock, flags); - ata_sff_irq_on(ap); - ata_qc_complete(qc); -- spin_unlock_irqrestore(ap->lock, flags); - } else - ata_qc_complete(qc); - } -@@ -1048,9 +1041,10 @@ int ata_sff_hsm_move(struct ata_port *ap, struct ata_queued_cmd *qc, - { - struct ata_link *link = qc->dev->link; - struct ata_eh_info *ehi = &link->eh_info; -- unsigned long flags = 0; - int poll_next; - -+ lockdep_assert_held(ap->lock); -+ - WARN_ON_ONCE((qc->flags & ATA_QCFLAG_ACTIVE) == 0); - - /* Make sure ata_sff_qc_issue() does not throw things -@@ -1112,14 +1106,6 @@ fsm_start: - } - } - -- /* Send the CDB (atapi) or the first data block (ata pio out). -- * During the state transition, interrupt handler shouldn't -- * be invoked before the data transfer is complete and -- * hsm_task_state is changed. Hence, the following locking. -- */ -- if (in_wq) -- spin_lock_irqsave(ap->lock, flags); -- - if (qc->tf.protocol == ATA_PROT_PIO) { - /* PIO data out protocol. - * send first data block. -@@ -1135,9 +1121,6 @@ fsm_start: - /* send CDB */ - atapi_send_cdb(ap, qc); - -- if (in_wq) -- spin_unlock_irqrestore(ap->lock, flags); -- - /* if polling, ata_sff_pio_task() handles the rest. - * otherwise, interrupt handler takes over from here. - */ -@@ -1361,12 +1344,14 @@ static void ata_sff_pio_task(struct work_struct *work) - u8 status; - int poll_next; - -+ spin_lock_irq(ap->lock); -+ - BUG_ON(ap->sff_pio_task_link == NULL); - /* qc can be NULL if timeout occurred */ - qc = ata_qc_from_tag(ap, link->active_tag); - if (!qc) { - ap->sff_pio_task_link = NULL; -- return; -+ goto out_unlock; - } - - fsm_start: -@@ -1381,11 +1366,14 @@ fsm_start: - */ - status = ata_sff_busy_wait(ap, ATA_BUSY, 5); - if (status & ATA_BUSY) { -+ spin_unlock_irq(ap->lock); - ata_msleep(ap, 2); -+ spin_lock_irq(ap->lock); -+ - status = ata_sff_busy_wait(ap, ATA_BUSY, 10); - if (status & ATA_BUSY) { - ata_sff_queue_pio_task(link, ATA_SHORT_PAUSE); -- return; -+ goto out_unlock; - } - } - -@@ -1402,6 +1390,8 @@ fsm_start: - */ - if (poll_next) - goto fsm_start; -+out_unlock: -+ spin_unlock_irq(ap->lock); - } - - /** -diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c -index dd1faa564eb2..cdfb98e70cfd 100644 ---- a/drivers/ata/sata_sil.c -+++ b/drivers/ata/sata_sil.c -@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_device *dev) - unsigned int n, quirks = 0; - unsigned char model_num[ATA_ID_PROD_LEN + 1]; - -+ /* This controller doesn't support trim */ -+ dev->horkage |= ATA_HORKAGE_NOTRIM; -+ - ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); - - for (n = 0; sil_blacklist[n].product; n++) -diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/vt8500_timer.c -index 64f553f04fa4..5874ebf9dced 100644 ---- a/drivers/clocksource/vt8500_timer.c -+++ b/drivers/clocksource/vt8500_timer.c -@@ -50,6 +50,8 @@ - - #define msecs_to_loops(t) (loops_per_jiffy / 1000 * HZ * t) - -+#define MIN_OSCR_DELTA 16 -+ - static void __iomem *regbase; - - static cycle_t vt8500_timer_read(struct clocksource *cs) -@@ -80,7 +82,7 @@ static int vt8500_timer_set_next_event(unsigned long cycles, - cpu_relax(); - writel((unsigned long)alarm, regbase + TIMER_MATCH_VAL); - -- if ((signed)(alarm - clocksource.read(&clocksource)) <= 16) -+ if ((signed)(alarm - clocksource.read(&clocksource)) <= MIN_OSCR_DELTA) - return -ETIME; - - writel(1, regbase + TIMER_IER_VAL); -@@ -162,7 +164,7 @@ static void __init vt8500_timer_init(struct device_node *np) - pr_err("%s: setup_irq failed for %s\n", __func__, - clockevent.name); - clockevents_config_and_register(&clockevent, VT8500_TIMER_HZ, -- 4, 0xf0000000); -+ MIN_OSCR_DELTA * 2, 0xf0000000); - } - - CLOCKSOURCE_OF_DECLARE(vt8500, "via,vt8500-timer", vt8500_timer_init); -diff --git a/drivers/gpu/drm/ast/ast_drv.h b/drivers/gpu/drm/ast/ast_drv.h -index b6b7d70f2832..5cfc1765af74 100644 ---- a/drivers/gpu/drm/ast/ast_drv.h -+++ b/drivers/gpu/drm/ast/ast_drv.h -@@ -296,6 +296,7 @@ int ast_framebuffer_init(struct drm_device *dev, - int ast_fbdev_init(struct drm_device *dev); - void ast_fbdev_fini(struct drm_device *dev); - void ast_fbdev_set_suspend(struct drm_device *dev, int state); -+void ast_fbdev_set_base(struct ast_private *ast, unsigned long gpu_addr); - - struct ast_bo { - struct ttm_buffer_object bo; -diff --git a/drivers/gpu/drm/ast/ast_fb.c b/drivers/gpu/drm/ast/ast_fb.c -index fbc0823cfa18..a298d8f72225 100644 ---- a/drivers/gpu/drm/ast/ast_fb.c -+++ b/drivers/gpu/drm/ast/ast_fb.c -@@ -366,3 +366,10 @@ void ast_fbdev_set_suspend(struct drm_device *dev, int state) - - fb_set_suspend(ast->fbdev->helper.fbdev, state); - } -+ -+void ast_fbdev_set_base(struct ast_private *ast, unsigned long gpu_addr) -+{ -+ ast->fbdev->helper.fbdev->fix.smem_start = -+ ast->fbdev->helper.fbdev->apertures->ranges[0].base + gpu_addr; -+ ast->fbdev->helper.fbdev->fix.smem_len = ast->vram_size - gpu_addr; -+} -diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c -index 96f874a508e2..313ccaf25f49 100644 ---- a/drivers/gpu/drm/ast/ast_main.c -+++ b/drivers/gpu/drm/ast/ast_main.c -@@ -359,6 +359,7 @@ int ast_driver_load(struct drm_device *dev, unsigned long flags) - dev->mode_config.min_height = 0; - dev->mode_config.preferred_depth = 24; - dev->mode_config.prefer_shadow = 1; -+ dev->mode_config.fb_base = pci_resource_start(ast->dev->pdev, 0); - - if (ast->chip == AST2100 || - ast->chip == AST2200 || -diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c -index e8f6418b6dec..f3a54ad77e3f 100644 ---- a/drivers/gpu/drm/ast/ast_mode.c -+++ b/drivers/gpu/drm/ast/ast_mode.c -@@ -509,6 +509,8 @@ static int ast_crtc_do_set_base(struct drm_crtc *crtc, - ret = ttm_bo_kmap(&bo->bo, 0, bo->bo.num_pages, &bo->kmap); - if (ret) - DRM_ERROR("failed to kmap fbcon\n"); -+ else -+ ast_fbdev_set_base(ast, gpu_addr); - } - ast_bo_unreserve(bo); - -diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c -index ba2ab9a9b988..f3cce23f4a62 100644 ---- a/drivers/gpu/drm/radeon/radeon_atombios.c -+++ b/drivers/gpu/drm/radeon/radeon_atombios.c -@@ -452,7 +452,9 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, - } - - /* Fujitsu D3003-S2 board lists DVI-I as DVI-D and VGA */ -- if (((dev->pdev->device == 0x9802) || (dev->pdev->device == 0x9806)) && -+ if (((dev->pdev->device == 0x9802) || -+ (dev->pdev->device == 0x9805) || -+ (dev->pdev->device == 0x9806)) && - (dev->pdev->subsystem_vendor == 0x1734) && - (dev->pdev->subsystem_device == 0x11bd)) { - if (*connector_type == DRM_MODE_CONNECTOR_VGA) { -@@ -463,14 +465,6 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, - } - } - -- /* Fujitsu D3003-S2 board lists DVI-I as DVI-I and VGA */ -- if ((dev->pdev->device == 0x9805) && -- (dev->pdev->subsystem_vendor == 0x1734) && -- (dev->pdev->subsystem_device == 0x11bd)) { -- if (*connector_type == DRM_MODE_CONNECTOR_VGA) -- return false; -- } -- - return true; - } - -diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c -index db83d075606e..6acd3646ac08 100644 ---- a/drivers/gpu/drm/radeon/radeon_irq_kms.c -+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c -@@ -73,6 +73,11 @@ static void radeon_hotplug_work_func(struct work_struct *work) - struct drm_mode_config *mode_config = &dev->mode_config; - struct drm_connector *connector; - -+ /* we can race here at startup, some boards seem to trigger -+ * hotplug irqs when they shouldn't. */ -+ if (!rdev->mode_info.mode_config_initialized) -+ return; -+ - mutex_lock(&mode_config->mutex); - if (mode_config->num_connector) { - list_for_each_entry(connector, &mode_config->connector_list, head) -diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c -index f0bac68254b7..bb166849aa6e 100644 ---- a/drivers/gpu/drm/radeon/radeon_sa.c -+++ b/drivers/gpu/drm/radeon/radeon_sa.c -@@ -349,8 +349,13 @@ int radeon_sa_bo_new(struct radeon_device *rdev, - /* see if we can skip over some allocations */ - } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); - -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) -+ radeon_fence_ref(fences[i]); -+ - spin_unlock(&sa_manager->wq.lock); - r = radeon_fence_wait_any(rdev, fences, false); -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) -+ radeon_fence_unref(&fences[i]); - spin_lock(&sa_manager->wq.lock); - /* if we have nothing to wait for block */ - if (r == -ENOENT && block) { -diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c -index 4a14e113369d..f7015592544f 100644 ---- a/drivers/gpu/drm/radeon/radeon_ttm.c -+++ b/drivers/gpu/drm/radeon/radeon_ttm.c -@@ -619,7 +619,7 @@ static int radeon_ttm_tt_populate(struct ttm_tt *ttm) - 0, PAGE_SIZE, - PCI_DMA_BIDIRECTIONAL); - if (pci_dma_mapping_error(rdev->pdev, gtt->ttm.dma_address[i])) { -- while (--i) { -+ while (i--) { - pci_unmap_page(rdev->pdev, gtt->ttm.dma_address[i], - PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); - gtt->ttm.dma_address[i] = 0; -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -index 6c44c69a5ba4..94a0baac93dd 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -@@ -25,6 +25,7 @@ - * - **************************************************************************/ - #include -+#include - - #include - #include "vmwgfx_drv.h" -@@ -1192,6 +1193,12 @@ static int vmw_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - static int __init vmwgfx_init(void) - { - int ret; -+ -+#ifdef CONFIG_VGA_CONSOLE -+ if (vgacon_text_force()) -+ return -EINVAL; -+#endif -+ - ret = drm_pci_init(&driver, &vmw_pci_driver); - if (ret) - DRM_ERROR("Failed initializing DRM.\n"); -diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c -index e893f6e1937d..3c84e96a485a 100644 ---- a/drivers/gpu/vga/vgaarb.c -+++ b/drivers/gpu/vga/vgaarb.c -@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsigned int rsrc, int interruptible) - set_current_state(interruptible ? - TASK_INTERRUPTIBLE : - TASK_UNINTERRUPTIBLE); -- if (signal_pending(current)) { -- rc = -EINTR; -+ if (interruptible && signal_pending(current)) { -+ __set_current_state(TASK_RUNNING); -+ remove_wait_queue(&vga_wait_queue, &wait); -+ rc = -ERESTARTSYS; - break; - } - schedule(); -diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c -index 3e094cd6a0e3..a9194ef626cd 100644 ---- a/drivers/infiniband/hw/cxgb3/iwch_cm.c -+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c -@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en - error = l2t_send(tdev, skb, l2e); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) -@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) - error = cxgb3_ofld_send(tdev, skb); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb) -diff --git a/drivers/infiniband/hw/qib/qib_verbs_mcast.c b/drivers/infiniband/hw/qib/qib_verbs_mcast.c -index dabb697b1c2a..48ba1c3e945a 100644 ---- a/drivers/infiniband/hw/qib/qib_verbs_mcast.c -+++ b/drivers/infiniband/hw/qib/qib_verbs_mcast.c -@@ -286,15 +286,13 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - struct qib_ibdev *dev = to_idev(ibqp->device); - struct qib_ibport *ibp = to_iport(ibqp->device, qp->port_num); - struct qib_mcast *mcast = NULL; -- struct qib_mcast_qp *p, *tmp; -+ struct qib_mcast_qp *p, *tmp, *delp = NULL; - struct rb_node *n; - int last = 0; - int ret; - -- if (ibqp->qp_num <= 1 || qp->state == IB_QPS_RESET) { -- ret = -EINVAL; -- goto bail; -- } -+ if (ibqp->qp_num <= 1 || qp->state == IB_QPS_RESET) -+ return -EINVAL; - - spin_lock_irq(&ibp->lock); - -@@ -303,8 +301,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - while (1) { - if (n == NULL) { - spin_unlock_irq(&ibp->lock); -- ret = -EINVAL; -- goto bail; -+ return -EINVAL; - } - - mcast = rb_entry(n, struct qib_mcast, rb_node); -@@ -328,6 +325,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - */ - list_del_rcu(&p->list); - mcast->n_attached--; -+ delp = p; - - /* If this was the last attached QP, remove the GID too. */ - if (list_empty(&mcast->qp_list)) { -@@ -338,15 +336,16 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - } - - spin_unlock_irq(&ibp->lock); -+ /* QP not attached */ -+ if (!delp) -+ return -EINVAL; -+ /* -+ * Wait for any list walkers to finish before freeing the -+ * list element. -+ */ -+ wait_event(mcast->wait, atomic_read(&mcast->refcount) <= 1); -+ qib_mcast_qp_free(delp); - -- if (p) { -- /* -- * Wait for any list walkers to finish before freeing the -- * list element. -- */ -- wait_event(mcast->wait, atomic_read(&mcast->refcount) <= 1); -- qib_mcast_qp_free(p); -- } - if (last) { - atomic_dec(&mcast->refcount); - wait_event(mcast->wait, !atomic_read(&mcast->refcount)); -@@ -355,11 +354,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - dev->n_mcast_grps_allocated--; - spin_unlock_irq(&dev->n_mcast_grps_lock); - } -- -- ret = 0; -- --bail: -- return ret; -+ return 0; - } - - int qib_mcast_tree_empty(struct qib_ibport *ibp) -diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c -index b4713cea1913..2d2915fdbf02 100644 ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1959,8 +1959,10 @@ static int __init bcache_init(void) - closure_debug_init(); - - bcache_major = register_blkdev(0, "bcache"); -- if (bcache_major < 0) -+ if (bcache_major < 0) { -+ unregister_reboot_notifier(&reboot); - return bcache_major; -+ } - - if (!(bcache_wq = create_workqueue("bcache")) || - !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) || -diff --git a/drivers/md/dm-exception-store.h b/drivers/md/dm-exception-store.h -index 0b2536247cf5..84e27708ad97 100644 ---- a/drivers/md/dm-exception-store.h -+++ b/drivers/md/dm-exception-store.h -@@ -70,7 +70,7 @@ struct dm_exception_store_type { - * Update the metadata with this exception. - */ - void (*commit_exception) (struct dm_exception_store *store, -- struct dm_exception *e, -+ struct dm_exception *e, int valid, - void (*callback) (void *, int success), - void *callback_context); - -diff --git a/drivers/md/dm-snap-persistent.c b/drivers/md/dm-snap-persistent.c -index 2d2b1b7588d7..8f6d3ea55401 100644 ---- a/drivers/md/dm-snap-persistent.c -+++ b/drivers/md/dm-snap-persistent.c -@@ -646,7 +646,7 @@ static int persistent_prepare_exception(struct dm_exception_store *store, - } - - static void persistent_commit_exception(struct dm_exception_store *store, -- struct dm_exception *e, -+ struct dm_exception *e, int valid, - void (*callback) (void *, int success), - void *callback_context) - { -@@ -655,6 +655,9 @@ static void persistent_commit_exception(struct dm_exception_store *store, - struct core_exception ce; - struct commit_callback *cb; - -+ if (!valid) -+ ps->valid = 0; -+ - ce.old_chunk = e->old_chunk; - ce.new_chunk = e->new_chunk; - write_exception(ps, ps->current_committed++, &ce); -diff --git a/drivers/md/dm-snap-transient.c b/drivers/md/dm-snap-transient.c -index 1ce9a2586e41..31439d53cf7e 100644 ---- a/drivers/md/dm-snap-transient.c -+++ b/drivers/md/dm-snap-transient.c -@@ -52,12 +52,12 @@ static int transient_prepare_exception(struct dm_exception_store *store, - } - - static void transient_commit_exception(struct dm_exception_store *store, -- struct dm_exception *e, -+ struct dm_exception *e, int valid, - void (*callback) (void *, int success), - void *callback_context) - { - /* Just succeed */ -- callback(callback_context, 1); -+ callback(callback_context, valid); - } - - static void transient_usage(struct dm_exception_store *store, -diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c -index d892a05c84f4..dbd0f00f7395 100644 ---- a/drivers/md/dm-snap.c -+++ b/drivers/md/dm-snap.c -@@ -1388,8 +1388,9 @@ static void __invalidate_snapshot(struct dm_snapshot *s, int err) - dm_table_event(s->ti->table); - } - --static void pending_complete(struct dm_snap_pending_exception *pe, int success) -+static void pending_complete(void *context, int success) - { -+ struct dm_snap_pending_exception *pe = context; - struct dm_exception *e; - struct dm_snapshot *s = pe->snap; - struct bio *origin_bios = NULL; -@@ -1459,24 +1460,13 @@ out: - free_pending_exception(pe); - } - --static void commit_callback(void *context, int success) --{ -- struct dm_snap_pending_exception *pe = context; -- -- pending_complete(pe, success); --} -- - static void complete_exception(struct dm_snap_pending_exception *pe) - { - struct dm_snapshot *s = pe->snap; - -- if (unlikely(pe->copy_error)) -- pending_complete(pe, 0); -- -- else -- /* Update the metadata if we are persistent */ -- s->store->type->commit_exception(s->store, &pe->e, -- commit_callback, pe); -+ /* Update the metadata if we are persistent */ -+ s->store->type->commit_exception(s->store, &pe->e, !pe->copy_error, -+ pending_complete, pe); - } - - /* -diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c -index 43f6250baadd..4bf9211b2740 100644 ---- a/drivers/md/dm-thin-metadata.c -+++ b/drivers/md/dm-thin-metadata.c -@@ -1191,6 +1191,12 @@ static int __reserve_metadata_snap(struct dm_pool_metadata *pmd) - dm_block_t held_root; - - /* -+ * We commit to ensure the btree roots which we increment in a -+ * moment are up to date. -+ */ -+ __commit_transaction(pmd); -+ -+ /* - * Copy the superblock. - */ - dm_sm_inc_block(pmd->metadata_sm, THIN_SUPERBLOCK_LOCATION); -diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c -index ec56072c6326..295f74d4f0ab 100644 ---- a/drivers/md/dm-thin.c -+++ b/drivers/md/dm-thin.c -@@ -2281,7 +2281,7 @@ static void pool_postsuspend(struct dm_target *ti) - struct pool_c *pt = ti->private; - struct pool *pool = pt->pool; - -- cancel_delayed_work(&pool->waker); -+ cancel_delayed_work_sync(&pool->waker); - flush_workqueue(pool->wq); - (void) commit_or_fallback(pool); - } -diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c -index 6d7f4d950b8f..b07fcda9ca71 100644 ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -235,6 +235,16 @@ static bool is_internal_level(struct dm_btree_info *info, struct frame *f) - return f->level < (info->levels - 1); - } - -+static void unlock_all_frames(struct del_stack *s) -+{ -+ struct frame *f; -+ -+ while (unprocessed_frames(s)) { -+ f = s->spine + s->top--; -+ dm_tm_unlock(s->tm, f->b); -+ } -+} -+ - int dm_btree_del(struct dm_btree_info *info, dm_block_t root) - { - int r; -@@ -290,9 +300,13 @@ int dm_btree_del(struct dm_btree_info *info, dm_block_t root) - f->current_child = f->nr_children; - } - } -- - out: -+ if (r) { -+ /* cleanup all frames of del_stack */ -+ unlock_all_frames(s); -+ } - kfree(s); -+ - return r; - } - EXPORT_SYMBOL_GPL(dm_btree_del); -diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c -index 1f925e856974..46a984291b7d 100644 ---- a/drivers/media/dvb-core/dvb_frontend.c -+++ b/drivers/media/dvb-core/dvb_frontend.c -@@ -2195,9 +2195,9 @@ static int dvb_frontend_ioctl_legacy(struct file *file, - dev_dbg(fe->dvb->device, "%s: current delivery system on cache: %d, V3 type: %d\n", - __func__, c->delivery_system, fe->ops.info.type); - -- /* Force the CAN_INVERSION_AUTO bit on. If the frontend doesn't -- * do it, it is done for it. */ -- info->caps |= FE_CAN_INVERSION_AUTO; -+ /* Set CAN_INVERSION_AUTO bit on in other than oneshot mode */ -+ if (!(fepriv->tune_mode_flags & FE_TUNE_MODE_ONESHOT)) -+ info->caps |= FE_CAN_INVERSION_AUTO; - err = 0; - break; - } -diff --git a/drivers/media/dvb-frontends/tda1004x.c b/drivers/media/dvb-frontends/tda1004x.c -index a2631be7ffac..08e0f0dd8728 100644 ---- a/drivers/media/dvb-frontends/tda1004x.c -+++ b/drivers/media/dvb-frontends/tda1004x.c -@@ -903,9 +903,18 @@ static int tda1004x_get_fe(struct dvb_frontend *fe) - { - struct dtv_frontend_properties *fe_params = &fe->dtv_property_cache; - struct tda1004x_state* state = fe->demodulator_priv; -+ int status; - - dprintk("%s\n", __func__); - -+ status = tda1004x_read_byte(state, TDA1004X_STATUS_CD); -+ if (status == -1) -+ return -EIO; -+ -+ /* Only update the properties cache if device is locked */ -+ if (!(status & 8)) -+ return 0; -+ - // inversion status - fe_params->inversion = INVERSION_OFF; - if (tda1004x_read_byte(state, TDA1004X_CONFC1) & 0x20) -diff --git a/drivers/media/usb/gspca/ov534.c b/drivers/media/usb/gspca/ov534.c -index 2e28c81a03ab..a5bee0d0d686 100644 ---- a/drivers/media/usb/gspca/ov534.c -+++ b/drivers/media/usb/gspca/ov534.c -@@ -1490,8 +1490,13 @@ static void sd_set_streamparm(struct gspca_dev *gspca_dev, - struct v4l2_fract *tpf = &cp->timeperframe; - struct sd *sd = (struct sd *) gspca_dev; - -- /* Set requested framerate */ -- sd->frame_rate = tpf->denominator / tpf->numerator; -+ if (tpf->numerator == 0 || tpf->denominator == 0) -+ /* Set default framerate */ -+ sd->frame_rate = 30; -+ else -+ /* Set requested framerate */ -+ sd->frame_rate = tpf->denominator / tpf->numerator; -+ - if (gspca_dev->streaming) - set_frame_rate(gspca_dev); - -diff --git a/drivers/media/usb/gspca/topro.c b/drivers/media/usb/gspca/topro.c -index 4cb511ccc5f6..22ea6aefd22f 100644 ---- a/drivers/media/usb/gspca/topro.c -+++ b/drivers/media/usb/gspca/topro.c -@@ -4791,7 +4791,11 @@ static void sd_set_streamparm(struct gspca_dev *gspca_dev, - struct v4l2_fract *tpf = &cp->timeperframe; - int fr, i; - -- sd->framerate = tpf->denominator / tpf->numerator; -+ if (tpf->numerator == 0 || tpf->denominator == 0) -+ sd->framerate = 30; -+ else -+ sd->framerate = tpf->denominator / tpf->numerator; -+ - if (gspca_dev->streaming) - setframerate(gspca_dev, v4l2_ctrl_g_ctrl(gspca_dev->exposure)); - -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index 885ba4a19a6c..ebb40a292d67 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -59,8 +59,7 @@ MODULE_ALIAS("mmc:block"); - #define INAND_CMD38_ARG_SECTRIM2 0x88 - #define MMC_BLK_TIMEOUT_MS (10 * 60 * 1000) /* 10 minute timeout */ - --#define mmc_req_rel_wr(req) (((req->cmd_flags & REQ_FUA) || \ -- (req->cmd_flags & REQ_META)) && \ -+#define mmc_req_rel_wr(req) ((req->cmd_flags & REQ_FUA) && \ - (rq_data_dir(req) == WRITE)) - #define PACKED_CMD_VER 0x01 - #define PACKED_CMD_WR 0x02 -@@ -1300,13 +1299,9 @@ static void mmc_blk_rw_rq_prep(struct mmc_queue_req *mqrq, - - /* - * Reliable writes are used to implement Forced Unit Access and -- * REQ_META accesses, and are supported only on MMCs. -- * -- * XXX: this really needs a good explanation of why REQ_META -- * is treated special. -+ * are supported only on MMCs. - */ -- bool do_rel_wr = ((req->cmd_flags & REQ_FUA) || -- (req->cmd_flags & REQ_META)) && -+ bool do_rel_wr = (req->cmd_flags & REQ_FUA) && - (rq_data_dir(req) == WRITE) && - (md->flags & MMC_BLK_REL_WR); - -diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c -index f4f3038c1df0..faeda85e78fa 100644 ---- a/drivers/mmc/host/mmci.c -+++ b/drivers/mmc/host/mmci.c -@@ -1740,7 +1740,7 @@ static struct amba_id mmci_ids[] = { - { - .id = 0x00280180, - .mask = 0x00ffffff, -- .data = &variant_u300, -+ .data = &variant_nomadik, - }, - { - .id = 0x00480180, -diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c -index c2d0559115d3..732a8ed571c2 100644 ---- a/drivers/net/can/sja1000/sja1000.c -+++ b/drivers/net/can/sja1000/sja1000.c -@@ -187,6 +187,9 @@ static void sja1000_start(struct net_device *dev) - /* clear interrupt flags */ - priv->read_reg(priv, SJA1000_IR); - -+ /* clear interrupt flags */ -+ priv->read_reg(priv, SJA1000_IR); -+ - /* leave reset mode */ - set_normal_mode(dev); - } -diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c -index 5f9a7ad9b964..d921416295ce 100644 ---- a/drivers/net/can/usb/ems_usb.c -+++ b/drivers/net/can/usb/ems_usb.c -@@ -118,6 +118,9 @@ MODULE_LICENSE("GPL v2"); - */ - #define EMS_USB_ARM7_CLOCK 8000000 - -+#define CPC_TX_QUEUE_TRIGGER_LOW 25 -+#define CPC_TX_QUEUE_TRIGGER_HIGH 35 -+ - /* - * CAN-Message representation in a CPC_MSG. Message object type is - * CPC_MSG_TYPE_CAN_FRAME or CPC_MSG_TYPE_RTR_FRAME or -@@ -279,6 +282,11 @@ static void ems_usb_read_interrupt_callback(struct urb *urb) - switch (urb->status) { - case 0: - dev->free_slots = dev->intr_in_buffer[1]; -+ if(dev->free_slots > CPC_TX_QUEUE_TRIGGER_HIGH){ -+ if (netif_queue_stopped(netdev)){ -+ netif_wake_queue(netdev); -+ } -+ } - break; - - case -ECONNRESET: /* unlink */ -@@ -530,8 +538,6 @@ static void ems_usb_write_bulk_callback(struct urb *urb) - /* Release context */ - context->echo_index = MAX_TX_URBS; - -- if (netif_queue_stopped(netdev)) -- netif_wake_queue(netdev); - } - - /* -@@ -591,7 +597,7 @@ static int ems_usb_start(struct ems_usb *dev) - int err, i; - - dev->intr_in_buffer[0] = 0; -- dev->free_slots = 15; /* initial size */ -+ dev->free_slots = 50; /* initial size */ - - for (i = 0; i < MAX_RX_URBS; i++) { - struct urb *urb = NULL; -@@ -841,7 +847,7 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne - - /* Slow down tx path */ - if (atomic_read(&dev->active_tx_urbs) >= MAX_TX_URBS || -- dev->free_slots < 5) { -+ dev->free_slots < CPC_TX_QUEUE_TRIGGER_LOW) { - netif_stop_queue(netdev); - } - } -diff --git a/drivers/pci/pcie/aer/aerdrv.c b/drivers/pci/pcie/aer/aerdrv.c -index 76ef634caf6f..b84e713445d0 100644 ---- a/drivers/pci/pcie/aer/aerdrv.c -+++ b/drivers/pci/pcie/aer/aerdrv.c -@@ -262,7 +262,6 @@ static struct aer_rpc *aer_alloc_rpc(struct pcie_device *dev) - rpc->rpd = dev; - INIT_WORK(&rpc->dpc_handler, aer_isr); - mutex_init(&rpc->rpc_mutex); -- init_waitqueue_head(&rpc->wait_release); - - /* Use PCIe bus function to store rpc into PCIe device */ - set_service_data(dev, rpc); -@@ -285,8 +284,7 @@ static void aer_remove(struct pcie_device *dev) - if (rpc->isr) - free_irq(dev->irq, dev); - -- wait_event(rpc->wait_release, rpc->prod_idx == rpc->cons_idx); -- -+ flush_work(&rpc->dpc_handler); - aer_disable_rootport(rpc); - kfree(rpc); - set_service_data(dev, NULL); -diff --git a/drivers/pci/pcie/aer/aerdrv.h b/drivers/pci/pcie/aer/aerdrv.h -index d12c77cd6991..3b8766e1e51b 100644 ---- a/drivers/pci/pcie/aer/aerdrv.h -+++ b/drivers/pci/pcie/aer/aerdrv.h -@@ -76,7 +76,6 @@ struct aer_rpc { - * recovery on the same - * root port hierarchy - */ -- wait_queue_head_t wait_release; - }; - - struct aer_broadcast_data { -diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c -index 0f4554e48cc5..a017aac0d7ed 100644 ---- a/drivers/pci/pcie/aer/aerdrv_core.c -+++ b/drivers/pci/pcie/aer/aerdrv_core.c -@@ -817,8 +817,6 @@ void aer_isr(struct work_struct *work) - while (get_e_source(rpc, &e_src)) - aer_isr_one_error(p_device, &e_src); - mutex_unlock(&rpc->rpc_mutex); -- -- wake_up(&rpc->wait_release); - } - - /** -diff --git a/drivers/pci/xen-pcifront.c b/drivers/pci/xen-pcifront.c -index f7197a790341..eb402f4f0e2f 100644 ---- a/drivers/pci/xen-pcifront.c -+++ b/drivers/pci/xen-pcifront.c -@@ -51,7 +51,7 @@ struct pcifront_device { - }; - - struct pcifront_sd { -- int domain; -+ struct pci_sysdata sd; - struct pcifront_device *pdev; - }; - -@@ -65,7 +65,9 @@ static inline void pcifront_init_sd(struct pcifront_sd *sd, - unsigned int domain, unsigned int bus, - struct pcifront_device *pdev) - { -- sd->domain = domain; -+ /* Because we do not expose that information via XenBus. */ -+ sd->sd.node = first_online_node; -+ sd->sd.domain = domain; - sd->pdev = pdev; - } - -@@ -463,8 +465,8 @@ static int pcifront_scan_root(struct pcifront_device *pdev, - dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n", - domain, bus); - -- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL); -- sd = kmalloc(sizeof(*sd), GFP_KERNEL); -+ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL); -+ sd = kzalloc(sizeof(*sd), GFP_KERNEL); - if (!bus_entry || !sd) { - err = -ENOMEM; - goto err_out; -diff --git a/drivers/power/wm831x_power.c b/drivers/power/wm831x_power.c -index 3bed2f55cf7d..3ccadf631d45 100644 ---- a/drivers/power/wm831x_power.c -+++ b/drivers/power/wm831x_power.c -@@ -567,7 +567,7 @@ static int wm831x_power_probe(struct platform_device *pdev) - - irq = wm831x_irq(wm831x, platform_get_irq_byname(pdev, "SYSLO")); - ret = request_threaded_irq(irq, NULL, wm831x_syslo_irq, -- IRQF_TRIGGER_RISING, "System power low", -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "System power low", - power); - if (ret != 0) { - dev_err(&pdev->dev, "Failed to request SYSLO IRQ %d: %d\n", -@@ -577,7 +577,7 @@ static int wm831x_power_probe(struct platform_device *pdev) - - irq = wm831x_irq(wm831x, platform_get_irq_byname(pdev, "PWR SRC")); - ret = request_threaded_irq(irq, NULL, wm831x_pwr_src_irq, -- IRQF_TRIGGER_RISING, "Power source", -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "Power source", - power); - if (ret != 0) { - dev_err(&pdev->dev, "Failed to request PWR SRC IRQ %d: %d\n", -@@ -590,7 +590,7 @@ static int wm831x_power_probe(struct platform_device *pdev) - platform_get_irq_byname(pdev, - wm831x_bat_irqs[i])); - ret = request_threaded_irq(irq, NULL, wm831x_bat_irq, -- IRQF_TRIGGER_RISING, -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, - wm831x_bat_irqs[i], - power); - if (ret != 0) { -diff --git a/drivers/s390/block/dasd_alias.c b/drivers/s390/block/dasd_alias.c -index a2597e683e79..6a64e86e8ccd 100644 ---- a/drivers/s390/block/dasd_alias.c -+++ b/drivers/s390/block/dasd_alias.c -@@ -264,8 +264,10 @@ void dasd_alias_disconnect_device_from_lcu(struct dasd_device *device) - spin_unlock_irqrestore(&lcu->lock, flags); - cancel_work_sync(&lcu->suc_data.worker); - spin_lock_irqsave(&lcu->lock, flags); -- if (device == lcu->suc_data.device) -+ if (device == lcu->suc_data.device) { -+ dasd_put_device(device); - lcu->suc_data.device = NULL; -+ } - } - was_pending = 0; - if (device == lcu->ruac_data.device) { -@@ -273,8 +275,10 @@ void dasd_alias_disconnect_device_from_lcu(struct dasd_device *device) - was_pending = 1; - cancel_delayed_work_sync(&lcu->ruac_data.dwork); - spin_lock_irqsave(&lcu->lock, flags); -- if (device == lcu->ruac_data.device) -+ if (device == lcu->ruac_data.device) { -+ dasd_put_device(device); - lcu->ruac_data.device = NULL; -+ } - } - private->lcu = NULL; - spin_unlock_irqrestore(&lcu->lock, flags); -@@ -549,8 +553,10 @@ static void lcu_update_work(struct work_struct *work) - if ((rc && (rc != -EOPNOTSUPP)) || (lcu->flags & NEED_UAC_UPDATE)) { - DBF_DEV_EVENT(DBF_WARNING, device, "could not update" - " alias data in lcu (rc = %d), retry later", rc); -- schedule_delayed_work(&lcu->ruac_data.dwork, 30*HZ); -+ if (!schedule_delayed_work(&lcu->ruac_data.dwork, 30*HZ)) -+ dasd_put_device(device); - } else { -+ dasd_put_device(device); - lcu->ruac_data.device = NULL; - lcu->flags &= ~UPDATE_PENDING; - } -@@ -593,8 +599,10 @@ static int _schedule_lcu_update(struct alias_lcu *lcu, - */ - if (!usedev) - return -EINVAL; -+ dasd_get_device(usedev); - lcu->ruac_data.device = usedev; -- schedule_delayed_work(&lcu->ruac_data.dwork, 0); -+ if (!schedule_delayed_work(&lcu->ruac_data.dwork, 0)) -+ dasd_put_device(usedev); - return 0; - } - -@@ -722,7 +730,7 @@ static int reset_summary_unit_check(struct alias_lcu *lcu, - ASCEBC((char *) &cqr->magic, 4); - ccw = cqr->cpaddr; - ccw->cmd_code = DASD_ECKD_CCW_RSCK; -- ccw->flags = 0 ; -+ ccw->flags = CCW_FLAG_SLI; - ccw->count = 16; - ccw->cda = (__u32)(addr_t) cqr->data; - ((char *)cqr->data)[0] = reason; -@@ -926,6 +934,7 @@ static void summary_unit_check_handling_work(struct work_struct *work) - /* 3. read new alias configuration */ - _schedule_lcu_update(lcu, device); - lcu->suc_data.device = NULL; -+ dasd_put_device(device); - spin_unlock_irqrestore(&lcu->lock, flags); - } - -@@ -985,6 +994,8 @@ void dasd_alias_handle_summary_unit_check(struct dasd_device *device, - } - lcu->suc_data.reason = reason; - lcu->suc_data.device = device; -+ dasd_get_device(device); - spin_unlock(&lcu->lock); -- schedule_work(&lcu->suc_data.worker); -+ if (!schedule_work(&lcu->suc_data.worker)) -+ dasd_put_device(device); - }; -diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h -index b52121358385..280e769a1686 100644 ---- a/drivers/scsi/megaraid/megaraid_sas.h -+++ b/drivers/scsi/megaraid/megaraid_sas.h -@@ -300,6 +300,8 @@ enum MR_EVT_ARGS { - MR_EVT_ARGS_GENERIC, - }; - -+ -+#define SGE_BUFFER_SIZE 4096 - /* - * define constants for device list query options - */ -diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c -index 78b4fe845245..e6dfa8108301 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -3602,7 +3602,7 @@ static int megasas_init_fw(struct megasas_instance *instance) - } - - instance->max_sectors_per_req = instance->max_num_sge * -- PAGE_SIZE / 512; -+ SGE_BUFFER_SIZE / 512; - if (tmp_sectors && (instance->max_sectors_per_req > tmp_sectors)) - instance->max_sectors_per_req = tmp_sectors; - -@@ -5051,6 +5051,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) - int i; - int error = 0; - compat_uptr_t ptr; -+ unsigned long local_raw_ptr; -+ u32 local_sense_off; -+ u32 local_sense_len; - - if (clear_user(ioc, sizeof(*ioc))) - return -EFAULT; -@@ -5068,9 +5071,15 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) - * sense_len is not null, so prepare the 64bit value under - * the same condition. - */ -- if (ioc->sense_len) { -+ if (get_user(local_raw_ptr, ioc->frame.raw) || -+ get_user(local_sense_off, &ioc->sense_off) || -+ get_user(local_sense_len, &ioc->sense_len)) -+ return -EFAULT; -+ -+ -+ if (local_sense_len) { - void __user **sense_ioc_ptr = -- (void __user **)(ioc->frame.raw + ioc->sense_off); -+ (void __user **)((u8*)local_raw_ptr + local_sense_off); - compat_uptr_t *sense_cioc_ptr = - (compat_uptr_t *)(cioc->frame.raw + cioc->sense_off); - if (get_user(ptr, sense_cioc_ptr) || -diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c -index eba183c428cf..3643bbf5456d 100644 ---- a/drivers/scsi/ses.c -+++ b/drivers/scsi/ses.c -@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev) - static int ses_recv_diag(struct scsi_device *sdev, int page_code, - void *buf, int bufflen) - { -+ int ret; - unsigned char cmd[] = { - RECEIVE_DIAGNOSTIC, - 1, /* Set PCV bit */ -@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code, - bufflen & 0xff, - 0 - }; -+ unsigned char recv_page_code; - -- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, -+ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, - NULL, SES_TIMEOUT, SES_RETRIES, NULL); -+ if (unlikely(!ret)) -+ return ret; -+ -+ recv_page_code = ((unsigned char *)buf)[0]; -+ -+ if (likely(recv_page_code == page_code)) -+ return ret; -+ -+ /* successful diagnostic but wrong page code. This happens to some -+ * USB devices, just print a message and pretend there was an error */ -+ -+ sdev_printk(KERN_ERR, sdev, -+ "Wrong diagnostic page; asked for %d got %u\n", -+ page_code, recv_page_code); -+ -+ return -EINVAL; - } - - static int ses_send_diag(struct scsi_device *sdev, int page_code, -@@ -436,7 +454,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, - if (desc_ptr) - desc_ptr += len; - -- if (addl_desc_ptr) -+ if (addl_desc_ptr && -+ /* only find additional descriptions for specific devices */ -+ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || -+ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE || -+ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER || -+ /* these elements are optional */ -+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || -+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || -+ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) - addl_desc_ptr += addl_desc_ptr[1] + 2; - - } -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index d2ea64de92df..d6dab8adf60e 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1726,6 +1726,11 @@ static const struct usb_device_id acm_ids[] = { - }, - #endif - -+ /*Samsung phone in firmware update mode */ -+ { USB_DEVICE(0x04e8, 0x685d), -+ .driver_info = IGNORE_DEVICE, -+ }, -+ - /* Exclude Infineon Flash Loader utility */ - { USB_DEVICE(0x058b, 0x0041), - .driver_info = IGNORE_DEVICE, -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 89ba7cfba5bc..303f3b3fb65f 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -162,6 +162,8 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ - { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ - { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ -+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ -+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ - { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 81f6a572f016..9bab34cf01d4 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -315,6 +315,7 @@ static void option_instat_callback(struct urb *urb); - #define TOSHIBA_PRODUCT_G450 0x0d45 - - #define ALINK_VENDOR_ID 0x1e0e -+#define SIMCOM_PRODUCT_SIM7100E 0x9001 /* Yes, ALINK_VENDOR_ID */ - #define ALINK_PRODUCT_PH300 0x9100 - #define ALINK_PRODUCT_3GU 0x9200 - -@@ -615,6 +616,10 @@ static const struct option_blacklist_info zte_1255_blacklist = { - .reserved = BIT(3) | BIT(4), - }; - -+static const struct option_blacklist_info simcom_sim7100e_blacklist = { -+ .reserved = BIT(5) | BIT(6), -+}; -+ - static const struct option_blacklist_info telit_le910_blacklist = { - .sendsetup = BIT(0), - .reserved = BIT(1) | BIT(2), -@@ -1130,6 +1135,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC650) }, - { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) }, - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6000)}, /* ZTE AC8700 */ -+ { USB_DEVICE_AND_INTERFACE_INFO(QUALCOMM_VENDOR_ID, 0x6001, 0xff, 0xff, 0xff), /* 4G LTE usb-modem U901 */ -+ .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ -@@ -1645,6 +1652,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) }, - { USB_DEVICE(ALINK_VENDOR_ID, ALINK_PRODUCT_PH300) }, - { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E), -+ .driver_info = (kernel_ulong_t)&simcom_sim7100e_blacklist }, - { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), - .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist - }, -diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c -index ee59b74768d9..beaa7cc4e857 100644 ---- a/drivers/virtio/virtio.c -+++ b/drivers/virtio/virtio.c -@@ -238,6 +238,7 @@ static int virtio_init(void) - static void __exit virtio_exit(void) - { - bus_unregister(&virtio_bus); -+ ida_destroy(&virtio_index_ida); - } - core_initcall(virtio_init); - module_exit(virtio_exit); -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 7360f03ddbe1..9612a01198df 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -2437,6 +2437,7 @@ int open_ctree(struct super_block *sb, - "unsupported option features (%Lx).\n", - (unsigned long long)features); - err = -EINVAL; -+ brelse(bh); - goto fail_alloc; - } - -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c -index ae29b403a7e2..b5d13c4eea00 100644 ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -7477,15 +7477,28 @@ int btrfs_readpage(struct file *file, struct page *page) - static int btrfs_writepage(struct page *page, struct writeback_control *wbc) - { - struct extent_io_tree *tree; -- -+ struct inode *inode = page->mapping->host; -+ int ret; - - if (current->flags & PF_MEMALLOC) { - redirty_page_for_writepage(wbc, page); - unlock_page(page); - return 0; - } -+ -+ /* -+ * If we are under memory pressure we will call this directly from the -+ * VM, we need to make sure we have the inode referenced for the ordered -+ * extent. If not just return like we didn't do anything. -+ */ -+ if (!igrab(inode)) { -+ redirty_page_for_writepage(wbc, page); -+ return AOP_WRITEPAGE_ACTIVATE; -+ } - tree = &BTRFS_I(page->mapping->host)->io_tree; -- return extent_write_full_page(tree, page, btrfs_get_extent, wbc); -+ ret = extent_write_full_page(tree, page, btrfs_get_extent, wbc); -+ btrfs_add_delayed_iput(inode); -+ return ret; - } - - static int btrfs_writepages(struct address_space *mapping, -@@ -8474,9 +8487,11 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry, - /* - * 2 items for inode item and ref - * 2 items for dir items -+ * 1 item for updating parent inode item -+ * 1 item for the inline extent item - * 1 item for xattr if selinux is on - */ -- trans = btrfs_start_transaction(root, 5); -+ trans = btrfs_start_transaction(root, 7); - if (IS_ERR(trans)) - return PTR_ERR(trans); - -diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c -index 414c1b9eb896..3104e0eec816 100644 ---- a/fs/btrfs/send.c -+++ b/fs/btrfs/send.c -@@ -1338,7 +1338,21 @@ static int read_symlink(struct send_ctx *sctx, - ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); - if (ret < 0) - goto out; -- BUG_ON(ret); -+ if (ret) { -+ /* -+ * An empty symlink inode. Can happen in rare error paths when -+ * creating a symlink (transaction committed before the inode -+ * eviction handler removed the symlink inode items and a crash -+ * happened in between or the subvol was snapshoted in between). -+ * Print an informative message to dmesg/syslog so that the user -+ * can delete the symlink. -+ */ -+ btrfs_err(root->fs_info, -+ "Found empty symlink inode %llu at root %llu", -+ ino, root->root_key.objectid); -+ ret = -EIO; -+ goto out; -+ } - - ei = btrfs_item_ptr(path->nodes[0], path->slots[0], - struct btrfs_file_extent_item); -diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c -index 32f35f187989..b58a9cbb9695 100644 ---- a/fs/hostfs/hostfs_kern.c -+++ b/fs/hostfs/hostfs_kern.c -@@ -720,15 +720,13 @@ static int hostfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, - - init_special_inode(inode, mode, dev); - err = do_mknod(name, mode, MAJOR(dev), MINOR(dev)); -- if (!err) -+ if (err) - goto out_free; - - err = read_name(inode, name); - __putname(name); - if (err) - goto out_put; -- if (err) -- goto out_put; - - d_instantiate(dentry, inode); - return 0; -diff --git a/fs/lockd/host.c b/fs/lockd/host.c -index 969d589c848d..b5f3c3ab0d5f 100644 ---- a/fs/lockd/host.c -+++ b/fs/lockd/host.c -@@ -116,7 +116,7 @@ static struct nlm_host *nlm_alloc_host(struct nlm_lookup_host_info *ni, - atomic_inc(&nsm->sm_count); - else { - host = NULL; -- nsm = nsm_get_handle(ni->sap, ni->salen, -+ nsm = nsm_get_handle(ni->net, ni->sap, ni->salen, - ni->hostname, ni->hostname_len); - if (unlikely(nsm == NULL)) { - dprintk("lockd: %s failed; no nsm handle\n", -@@ -534,17 +534,18 @@ static struct nlm_host *next_host_state(struct hlist_head *cache, - - /** - * nlm_host_rebooted - Release all resources held by rebooted host -+ * @net: network namespace - * @info: pointer to decoded results of NLM_SM_NOTIFY call - * - * We were notified that the specified host has rebooted. Release - * all resources held by that peer. - */ --void nlm_host_rebooted(const struct nlm_reboot *info) -+void nlm_host_rebooted(const struct net *net, const struct nlm_reboot *info) - { - struct nsm_handle *nsm; - struct nlm_host *host; - -- nsm = nsm_reboot_lookup(info); -+ nsm = nsm_reboot_lookup(net, info); - if (unlikely(nsm == NULL)) - return; - -diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c -index 6ae664b489af..13fac49aff7f 100644 ---- a/fs/lockd/mon.c -+++ b/fs/lockd/mon.c -@@ -51,7 +51,6 @@ struct nsm_res { - }; - - static const struct rpc_program nsm_program; --static LIST_HEAD(nsm_handles); - static DEFINE_SPINLOCK(nsm_lock); - - /* -@@ -259,33 +258,35 @@ void nsm_unmonitor(const struct nlm_host *host) - } - } - --static struct nsm_handle *nsm_lookup_hostname(const char *hostname, -- const size_t len) -+static struct nsm_handle *nsm_lookup_hostname(const struct list_head *nsm_handles, -+ const char *hostname, const size_t len) - { - struct nsm_handle *nsm; - -- list_for_each_entry(nsm, &nsm_handles, sm_link) -+ list_for_each_entry(nsm, nsm_handles, sm_link) - if (strlen(nsm->sm_name) == len && - memcmp(nsm->sm_name, hostname, len) == 0) - return nsm; - return NULL; - } - --static struct nsm_handle *nsm_lookup_addr(const struct sockaddr *sap) -+static struct nsm_handle *nsm_lookup_addr(const struct list_head *nsm_handles, -+ const struct sockaddr *sap) - { - struct nsm_handle *nsm; - -- list_for_each_entry(nsm, &nsm_handles, sm_link) -+ list_for_each_entry(nsm, nsm_handles, sm_link) - if (rpc_cmp_addr(nsm_addr(nsm), sap)) - return nsm; - return NULL; - } - --static struct nsm_handle *nsm_lookup_priv(const struct nsm_private *priv) -+static struct nsm_handle *nsm_lookup_priv(const struct list_head *nsm_handles, -+ const struct nsm_private *priv) - { - struct nsm_handle *nsm; - -- list_for_each_entry(nsm, &nsm_handles, sm_link) -+ list_for_each_entry(nsm, nsm_handles, sm_link) - if (memcmp(nsm->sm_priv.data, priv->data, - sizeof(priv->data)) == 0) - return nsm; -@@ -350,6 +351,7 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, - - /** - * nsm_get_handle - Find or create a cached nsm_handle -+ * @net: network namespace - * @sap: pointer to socket address of handle to find - * @salen: length of socket address - * @hostname: pointer to C string containing hostname to find -@@ -362,11 +364,13 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, - * @hostname cannot be found in the handle cache. Returns NULL if - * an error occurs. - */ --struct nsm_handle *nsm_get_handle(const struct sockaddr *sap, -+struct nsm_handle *nsm_get_handle(const struct net *net, -+ const struct sockaddr *sap, - const size_t salen, const char *hostname, - const size_t hostname_len) - { - struct nsm_handle *cached, *new = NULL; -+ struct lockd_net *ln = net_generic(net, lockd_net_id); - - if (hostname && memchr(hostname, '/', hostname_len) != NULL) { - if (printk_ratelimit()) { -@@ -381,9 +385,10 @@ retry: - spin_lock(&nsm_lock); - - if (nsm_use_hostnames && hostname != NULL) -- cached = nsm_lookup_hostname(hostname, hostname_len); -+ cached = nsm_lookup_hostname(&ln->nsm_handles, -+ hostname, hostname_len); - else -- cached = nsm_lookup_addr(sap); -+ cached = nsm_lookup_addr(&ln->nsm_handles, sap); - - if (cached != NULL) { - atomic_inc(&cached->sm_count); -@@ -397,7 +402,7 @@ retry: - } - - if (new != NULL) { -- list_add(&new->sm_link, &nsm_handles); -+ list_add(&new->sm_link, &ln->nsm_handles); - spin_unlock(&nsm_lock); - dprintk("lockd: created nsm_handle for %s (%s)\n", - new->sm_name, new->sm_addrbuf); -@@ -414,19 +419,22 @@ retry: - - /** - * nsm_reboot_lookup - match NLMPROC_SM_NOTIFY arguments to an nsm_handle -+ * @net: network namespace - * @info: pointer to NLMPROC_SM_NOTIFY arguments - * - * Returns a matching nsm_handle if found in the nsm cache. The returned - * nsm_handle's reference count is bumped. Otherwise returns NULL if some - * error occurred. - */ --struct nsm_handle *nsm_reboot_lookup(const struct nlm_reboot *info) -+struct nsm_handle *nsm_reboot_lookup(const struct net *net, -+ const struct nlm_reboot *info) - { - struct nsm_handle *cached; -+ struct lockd_net *ln = net_generic(net, lockd_net_id); - - spin_lock(&nsm_lock); - -- cached = nsm_lookup_priv(&info->priv); -+ cached = nsm_lookup_priv(&ln->nsm_handles, &info->priv); - if (unlikely(cached == NULL)) { - spin_unlock(&nsm_lock); - dprintk("lockd: never saw rebooted peer '%.*s' before\n", -diff --git a/fs/lockd/netns.h b/fs/lockd/netns.h -index 5010b55628b4..414da99744e9 100644 ---- a/fs/lockd/netns.h -+++ b/fs/lockd/netns.h -@@ -16,6 +16,7 @@ struct lockd_net { - spinlock_t nsm_clnt_lock; - unsigned int nsm_users; - struct rpc_clnt *nsm_clnt; -+ struct list_head nsm_handles; - }; - - extern int lockd_net_id; -diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c -index 7a318480ab7a..ce05c60ff06d 100644 ---- a/fs/lockd/svc.c -+++ b/fs/lockd/svc.c -@@ -583,6 +583,7 @@ static int lockd_init_net(struct net *net) - INIT_DELAYED_WORK(&ln->grace_period_end, grace_ender); - INIT_LIST_HEAD(&ln->grace_list); - spin_lock_init(&ln->nsm_clnt_lock); -+ INIT_LIST_HEAD(&ln->nsm_handles); - return 0; - } - -diff --git a/fs/lockd/svc4proc.c b/fs/lockd/svc4proc.c -index b147d1ae71fd..09c576f26c7b 100644 ---- a/fs/lockd/svc4proc.c -+++ b/fs/lockd/svc4proc.c -@@ -421,7 +421,7 @@ nlm4svc_proc_sm_notify(struct svc_rqst *rqstp, struct nlm_reboot *argp, - return rpc_system_err; - } - -- nlm_host_rebooted(argp); -+ nlm_host_rebooted(SVC_NET(rqstp), argp); - return rpc_success; - } - -diff --git a/fs/lockd/svcproc.c b/fs/lockd/svcproc.c -index 21171f0c6477..fb26b9f522e7 100644 ---- a/fs/lockd/svcproc.c -+++ b/fs/lockd/svcproc.c -@@ -464,7 +464,7 @@ nlmsvc_proc_sm_notify(struct svc_rqst *rqstp, struct nlm_reboot *argp, - return rpc_system_err; - } - -- nlm_host_rebooted(argp); -+ nlm_host_rebooted(SVC_NET(rqstp), argp); - return rpc_success; - } - -diff --git a/fs/namei.c b/fs/namei.c -index 157c3dbacf6c..c87e15ee9255 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -2917,6 +2917,10 @@ opened: - goto exit_fput; - } - out: -+ if (unlikely(error > 0)) { -+ WARN_ON(1); -+ error = -EINVAL; -+ } - if (got_write) - mnt_drop_write(nd->path.mnt); - path_put(&save_parent); -diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c -index cfa9163b3bb7..2bdaf57c82d0 100644 ---- a/fs/nfs/nfs4state.c -+++ b/fs/nfs/nfs4state.c -@@ -1452,7 +1452,7 @@ restart: - } - spin_unlock(&state->state_lock); - nfs4_put_open_state(state); -- clear_bit(NFS4CLNT_RECLAIM_NOGRACE, -+ clear_bit(NFS_STATE_RECLAIM_NOGRACE, - &state->flags); - spin_lock(&sp->so_lock); - goto restart; -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 9f285fb9bab3..b86db1236c7c 100644 ---- a/fs/proc/task_mmu.c -+++ b/fs/proc/task_mmu.c -@@ -170,7 +170,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) - if (!priv->task) - return ERR_PTR(-ESRCH); - -- mm = mm_access(priv->task, PTRACE_MODE_READ); -+ mm = mm_access(priv->task, PTRACE_MODE_READ_FSCREDS); - if (!mm || IS_ERR(mm)) - return mm; - down_read(&mm->mmap_sem); -@@ -1044,7 +1044,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, - if (!pm.buffer) - goto out_task; - -- mm = mm_access(task, PTRACE_MODE_READ); -+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); - ret = PTR_ERR(mm); - if (!mm || IS_ERR(mm)) - goto out_free; -diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c -index 56123a6f462e..123c19890b14 100644 ---- a/fs/proc/task_nommu.c -+++ b/fs/proc/task_nommu.c -@@ -223,7 +223,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) - if (!priv->task) - return ERR_PTR(-ESRCH); - -- mm = mm_access(priv->task, PTRACE_MODE_READ); -+ mm = mm_access(priv->task, PTRACE_MODE_READ_FSCREDS); - if (!mm || IS_ERR(mm)) { - put_task_struct(priv->task); - priv->task = NULL; -diff --git a/fs/splice.c b/fs/splice.c -index f183f1342c01..3b94a6bba29f 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -949,6 +949,7 @@ ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd, - - splice_from_pipe_begin(sd); - do { -+ cond_resched(); - ret = splice_from_pipe_next(pipe, sd); - if (ret > 0) - ret = splice_from_pipe_feed(pipe, sd, actor); -@@ -1189,7 +1190,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - long ret, bytes; - umode_t i_mode; - size_t len; -- int i, flags; -+ int i, flags, more; - - /* - * We require the input being a regular file, as we don't want to -@@ -1232,6 +1233,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - * Don't block on output, we have to drain the direct pipe. - */ - sd->flags &= ~SPLICE_F_NONBLOCK; -+ more = sd->flags & SPLICE_F_MORE; - - while (len) { - size_t read_len; -@@ -1245,6 +1247,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - sd->total_len = read_len; - - /* -+ * If more data is pending, set SPLICE_F_MORE -+ * If this is the last data and SPLICE_F_MORE was not set -+ * initially, clears it. -+ */ -+ if (read_len < len) -+ sd->flags |= SPLICE_F_MORE; -+ else if (!more) -+ sd->flags &= ~SPLICE_F_MORE; -+ /* - * NOTE: nonblocking mode only applies to the input. We - * must not do the output in nonblocking mode as then we - * could get stuck data in the internal pipe: -diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h -index 9a33c5f7e126..f6c229e2bffa 100644 ---- a/include/linux/enclosure.h -+++ b/include/linux/enclosure.h -@@ -29,7 +29,11 @@ - /* A few generic types ... taken from ses-2 */ - enum enclosure_component_type { - ENCLOSURE_COMPONENT_DEVICE = 0x01, -+ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07, -+ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14, -+ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15, - ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17, -+ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18, - }; - - /* ses-2 common element status */ -diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/lockd.h -index dcaad79f54ed..0adf073f13b3 100644 ---- a/include/linux/lockd/lockd.h -+++ b/include/linux/lockd/lockd.h -@@ -236,7 +236,8 @@ void nlm_rebind_host(struct nlm_host *); - struct nlm_host * nlm_get_host(struct nlm_host *); - void nlm_shutdown_hosts(void); - void nlm_shutdown_hosts_net(struct net *net); --void nlm_host_rebooted(const struct nlm_reboot *); -+void nlm_host_rebooted(const struct net *net, -+ const struct nlm_reboot *); - - /* - * Host monitoring -@@ -244,11 +245,13 @@ void nlm_host_rebooted(const struct nlm_reboot *); - int nsm_monitor(const struct nlm_host *host); - void nsm_unmonitor(const struct nlm_host *host); - --struct nsm_handle *nsm_get_handle(const struct sockaddr *sap, -+struct nsm_handle *nsm_get_handle(const struct net *net, -+ const struct sockaddr *sap, - const size_t salen, - const char *hostname, - const size_t hostname_len); --struct nsm_handle *nsm_reboot_lookup(const struct nlm_reboot *info); -+struct nsm_handle *nsm_reboot_lookup(const struct net *net, -+ const struct nlm_reboot *info); - void nsm_release(struct nsm_handle *nsm); - - /* -diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h -index fc01d5cb4cf1..7d2021d3ee08 100644 ---- a/include/linux/nfs_fs.h -+++ b/include/linux/nfs_fs.h -@@ -578,9 +578,7 @@ static inline void nfs3_forget_cached_acls(struct inode *inode) - - static inline loff_t nfs_size_to_loff_t(__u64 size) - { -- if (size > (__u64) OFFSET_MAX - 1) -- return OFFSET_MAX - 1; -- return (loff_t) size; -+ return min_t(u64, size, OFFSET_MAX); - } - - static inline ino_t -diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h -index ba605015c4d8..0b2d0cbe0bab 100644 ---- a/include/linux/tracepoint.h -+++ b/include/linux/tracepoint.h -@@ -14,8 +14,11 @@ - * See the file COPYING for more details. - */ - -+#include - #include - #include -+#include -+#include - #include - #include - -@@ -126,6 +129,9 @@ static inline void tracepoint_synchronize_unregister(void) - void *it_func; \ - void *__data; \ - \ -+ if (!cpu_online(raw_smp_processor_id())) \ -+ return; \ -+ \ - if (!(cond)) \ - return; \ - prercu; \ -diff --git a/include/net/af_unix.h b/include/net/af_unix.h -index 686760024572..6278e4d32612 100644 ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -6,8 +6,8 @@ - #include - #include - --extern void unix_inflight(struct file *fp); --extern void unix_notinflight(struct file *fp); -+extern void unix_inflight(struct user_struct *user, struct file *fp); -+extern void unix_notinflight(struct user_struct *user, struct file *fp); - extern void unix_gc(void); - extern void wait_for_unix_gc(void); - extern struct sock *unix_get_socket(struct file *filp); -diff --git a/include/net/scm.h b/include/net/scm.h -index 8de2d37d2077..d00cd43a990c 100644 ---- a/include/net/scm.h -+++ b/include/net/scm.h -@@ -21,6 +21,7 @@ struct scm_creds { - struct scm_fp_list { - short count; - short max; -+ struct user_struct *user; - struct file *fp[SCM_MAX_FD]; - }; - -diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c -index a79d267b64ec..7b0d31b67f6a 100644 ---- a/kernel/irq/manage.c -+++ b/kernel/irq/manage.c -@@ -1229,6 +1229,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) - if (!desc) - return NULL; - -+ chip_bus_lock(desc); - raw_spin_lock_irqsave(&desc->lock, flags); - - /* -@@ -1242,7 +1243,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) - if (!action) { - WARN(1, "Trying to free already-free IRQ %d\n", irq); - raw_spin_unlock_irqrestore(&desc->lock, flags); -- -+ chip_bus_sync_unlock(desc); - return NULL; - } - -@@ -1265,6 +1266,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) - #endif - - raw_spin_unlock_irqrestore(&desc->lock, flags); -+ chip_bus_sync_unlock(desc); - - unregister_handler_proc(irq, action); - -@@ -1338,9 +1340,7 @@ void free_irq(unsigned int irq, void *dev_id) - desc->affinity_notify = NULL; - #endif - -- chip_bus_lock(desc); - kfree(__free_irq(irq, dev_id)); -- chip_bus_sync_unlock(desc); - } - EXPORT_SYMBOL(free_irq); - -diff --git a/kernel/resource.c b/kernel/resource.c -index d7386986e10e..b8422b135b68 100644 ---- a/kernel/resource.c -+++ b/kernel/resource.c -@@ -961,9 +961,10 @@ struct resource * __request_region(struct resource *parent, - if (!conflict) - break; - if (conflict != parent) { -- parent = conflict; -- if (!(conflict->flags & IORESOURCE_BUSY)) -+ if (!(conflict->flags & IORESOURCE_BUSY)) { -+ parent = conflict; - continue; -+ } - } - if (conflict->flags & flags & IORESOURCE_MUXED) { - add_wait_queue(&muxed_resource_wait, &wait); -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index c771f2547bef..f234c84d36c8 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -1587,7 +1587,6 @@ out: - */ - int wake_up_process(struct task_struct *p) - { -- WARN_ON(task_is_stopped_or_traced(p)); - return try_to_wake_up(p, TASK_NORMAL, 0); - } - EXPORT_SYMBOL(wake_up_process); -diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c -index ce033c7aa2e8..9cff0ab82b63 100644 ---- a/kernel/time/posix-clock.c -+++ b/kernel/time/posix-clock.c -@@ -69,10 +69,10 @@ static ssize_t posix_clock_read(struct file *fp, char __user *buf, - static unsigned int posix_clock_poll(struct file *fp, poll_table *wait) - { - struct posix_clock *clk = get_posix_clock(fp); -- int result = 0; -+ unsigned int result = 0; - - if (!clk) -- return -ENODEV; -+ return POLLERR; - - if (clk->ops.poll) - result = clk->ops.poll(clk, fp, wait); -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index ab21b8c66535..cb73c4e0741e 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -1948,12 +1948,6 @@ rb_set_commit_to_write(struct ring_buffer_per_cpu *cpu_buffer) - goto again; - } - --static void rb_reset_reader_page(struct ring_buffer_per_cpu *cpu_buffer) --{ -- cpu_buffer->read_stamp = cpu_buffer->reader_page->page->time_stamp; -- cpu_buffer->reader_page->read = 0; --} -- - static void rb_inc_iter(struct ring_buffer_iter *iter) - { - struct ring_buffer_per_cpu *cpu_buffer = iter->cpu_buffer; -@@ -3591,7 +3585,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) - - /* Finally update the reader page to the new head */ - cpu_buffer->reader_page = reader; -- rb_reset_reader_page(cpu_buffer); -+ cpu_buffer->reader_page->read = 0; - - if (overwrite != cpu_buffer->last_overrun) { - cpu_buffer->lost_events = overwrite - cpu_buffer->last_overrun; -@@ -3601,6 +3595,10 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) - goto again; - - out: -+ /* Update the read_stamp on the first event */ -+ if (reader && reader->read == 0) -+ cpu_buffer->read_stamp = reader->page->time_stamp; -+ - arch_spin_unlock(&cpu_buffer->lock); - local_irq_restore(flags); - -diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c -index 5a898f15bfc6..7d054b7671ec 100644 ---- a/kernel/trace/trace_events.c -+++ b/kernel/trace/trace_events.c -@@ -602,7 +602,8 @@ t_next(struct seq_file *m, void *v, loff_t *pos) - * The ftrace subsystem is for showing formats only. - * They can not be enabled or disabled via the event files. - */ -- if (call->class && call->class->reg) -+ if (call->class && call->class->reg && -+ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) - return file; - } - -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index fa927fd5778d..fe7c4b91d2e7 100644 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -1450,13 +1450,13 @@ static void __queue_delayed_work(int cpu, struct workqueue_struct *wq, - timer_stats_timer_set_start_info(&dwork->timer); - - dwork->wq = wq; -- /* timer isn't guaranteed to run in this cpu, record earlier */ -- if (cpu == WORK_CPU_UNBOUND) -- cpu = raw_smp_processor_id(); - dwork->cpu = cpu; - timer->expires = jiffies + delay; - -- add_timer_on(timer, cpu); -+ if (unlikely(cpu != WORK_CPU_UNBOUND)) -+ add_timer_on(timer, cpu); -+ else -+ add_timer(timer); - } - - /** -diff --git a/lib/devres.c b/lib/devres.c -index 823533138fa0..20afaf181b27 100644 ---- a/lib/devres.c -+++ b/lib/devres.c -@@ -423,7 +423,7 @@ void pcim_iounmap_regions(struct pci_dev *pdev, int mask) - if (!iomap) - return; - -- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) { -+ for (i = 0; i < PCIM_IOMAP_MAX; i++) { - if (!(mask & (1 << i))) - continue; - -diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index e3bea2e0821a..025ced8fbb57 100644 ---- a/net/ceph/messenger.c -+++ b/net/ceph/messenger.c -@@ -2277,7 +2277,7 @@ static int read_partial_message(struct ceph_connection *con) - con->in_base_pos = -front_len - middle_len - data_len - - sizeof(m->footer); - con->in_tag = CEPH_MSGR_TAG_READY; -- return 0; -+ return 1; - } else if ((s64)seq - (s64)con->in_seq > 1) { - pr_err("read_partial_message bad seq %lld expected %lld\n", - seq, con->in_seq + 1); -@@ -2310,7 +2310,7 @@ static int read_partial_message(struct ceph_connection *con) - sizeof(m->footer); - con->in_tag = CEPH_MSGR_TAG_READY; - con->in_seq++; -- return 0; -+ return 1; - } - - BUG_ON(!con->in_msg); -diff --git a/net/core/scm.c b/net/core/scm.c -index dbc6bfcdf446..7a6cf8351cde 100644 ---- a/net/core/scm.c -+++ b/net/core/scm.c -@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fplp = fpl; - fpl->count = 0; - fpl->max = SCM_MAX_FD; -+ fpl->user = NULL; - } - fpp = &fpl->fp[fpl->count]; - -@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fpp++ = file; - fpl->count++; - } -+ -+ if (!fpl->user) -+ fpl->user = get_uid(current_user()); -+ - return num; - } - -@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm) - scm->fp = NULL; - for (i=fpl->count-1; i>=0; i--) - fput(fpl->fp[i]); -+ free_uid(fpl->user); - kfree(fpl); - } - } -@@ -337,6 +343,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) - for (i = 0; i < fpl->count; i++) - get_file(fpl->fp[i]); - new_fpl->max = new_fpl->count; -+ new_fpl->user = get_uid(fpl->user); - } - return new_fpl; - } -diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c -index 89aacfd2756d..9ba6d8c7c793 100644 ---- a/net/mac80211/mesh_pathtbl.c -+++ b/net/mac80211/mesh_pathtbl.c -@@ -747,10 +747,8 @@ void mesh_plink_broken(struct sta_info *sta) - static void mesh_path_node_reclaim(struct rcu_head *rp) - { - struct mpath_node *node = container_of(rp, struct mpath_node, rcu); -- struct ieee80211_sub_if_data *sdata = node->mpath->sdata; - - del_timer_sync(&node->mpath->timer); -- atomic_dec(&sdata->u.mesh.mpaths); - kfree(node->mpath); - kfree(node); - } -@@ -758,8 +756,9 @@ static void mesh_path_node_reclaim(struct rcu_head *rp) - /* needs to be called with the corresponding hashwlock taken */ - static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) - { -- struct mesh_path *mpath; -- mpath = node->mpath; -+ struct mesh_path *mpath = node->mpath; -+ struct ieee80211_sub_if_data *sdata = node->mpath->sdata; -+ - spin_lock(&mpath->state_lock); - mpath->flags |= MESH_PATH_RESOLVING; - if (mpath->is_gate) -@@ -767,6 +766,7 @@ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) - hlist_del_rcu(&node->list); - call_rcu(&node->rcu, mesh_path_node_reclaim); - spin_unlock(&mpath->state_lock); -+ atomic_dec(&sdata->u.mesh.mpaths); - atomic_dec(&tbl->entries); - } - -diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 0283baedcdfb..9dc979abb461 100644 ---- a/net/netfilter/nf_conntrack_core.c -+++ b/net/netfilter/nf_conntrack_core.c -@@ -311,6 +311,21 @@ static void death_by_timeout(unsigned long ul_conntrack) - nf_ct_put(ct); - } - -+static inline bool -+nf_ct_key_equal(struct nf_conntrack_tuple_hash *h, -+ const struct nf_conntrack_tuple *tuple, -+ u16 zone) -+{ -+ struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); -+ -+ /* A conntrack can be recreated with the equal tuple, -+ * so we need to check that the conntrack is confirmed -+ */ -+ return nf_ct_tuple_equal(tuple, &h->tuple) && -+ nf_ct_zone(ct) == zone && -+ nf_ct_is_confirmed(ct); -+} -+ - /* - * Warning : - * - Caller must take a reference on returned object -@@ -332,8 +347,7 @@ ____nf_conntrack_find(struct net *net, u16 zone, - local_bh_disable(); - begin: - hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[bucket], hnnode) { -- if (nf_ct_tuple_equal(tuple, &h->tuple) && -- nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) { -+ if (nf_ct_key_equal(h, tuple, zone)) { - NF_CT_STAT_INC(net, found); - local_bh_enable(); - return h; -@@ -380,8 +394,7 @@ begin: - !atomic_inc_not_zero(&ct->ct_general.use))) - h = NULL; - else { -- if (unlikely(!nf_ct_tuple_equal(tuple, &h->tuple) || -- nf_ct_zone(ct) != zone)) { -+ if (unlikely(!nf_ct_key_equal(h, tuple, zone))) { - nf_ct_put(ct); - goto begin; - } -diff --git a/net/rds/connection.c b/net/rds/connection.c -index e88bf3976e54..642ad42c416b 100644 ---- a/net/rds/connection.c -+++ b/net/rds/connection.c -@@ -177,12 +177,6 @@ static struct rds_connection *__rds_conn_create(__be32 laddr, __be32 faddr, - } - } - -- if (trans == NULL) { -- kmem_cache_free(rds_conn_slab, conn); -- conn = ERR_PTR(-ENODEV); -- goto out; -- } -- - conn->c_trans = trans; - - ret = trans->conn_alloc(conn, gfp); -diff --git a/net/rds/send.c b/net/rds/send.c -index 88eace57dd6b..31c9fa464b11 100644 ---- a/net/rds/send.c -+++ b/net/rds/send.c -@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - release_sock(sk); - } - -- /* racing with another thread binding seems ok here */ -+ lock_sock(sk); - if (daddr == 0 || rs->rs_bound_addr == 0) { -+ release_sock(sk); - ret = -ENOTCONN; /* XXX not a great errno */ - goto out; - } -+ release_sock(sk); - - /* size of rm including all sgs */ - ret = rds_rm_size(msg, payload_len); -diff --git a/net/rfkill/core.c b/net/rfkill/core.c -index 1cec5e4f3a5e..6563cc04c578 100644 ---- a/net/rfkill/core.c -+++ b/net/rfkill/core.c -@@ -51,7 +51,6 @@ - struct rfkill { - spinlock_t lock; - -- const char *name; - enum rfkill_type type; - - unsigned long state; -@@ -75,6 +74,7 @@ struct rfkill { - struct delayed_work poll_work; - struct work_struct uevent_work; - struct work_struct sync_work; -+ char name[]; - }; - #define to_rfkill(d) container_of(d, struct rfkill, dev) - -@@ -871,14 +871,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name, - if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES)) - return NULL; - -- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL); -+ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL); - if (!rfkill) - return NULL; - - spin_lock_init(&rfkill->lock); - INIT_LIST_HEAD(&rfkill->node); - rfkill->type = type; -- rfkill->name = name; -+ strcpy(rfkill->name, name); - rfkill->ops = ops; - rfkill->data = ops_data; - -@@ -1088,17 +1088,6 @@ static unsigned int rfkill_fop_poll(struct file *file, poll_table *wait) - return res; - } - --static bool rfkill_readable(struct rfkill_data *data) --{ -- bool r; -- -- mutex_lock(&data->mtx); -- r = !list_empty(&data->events); -- mutex_unlock(&data->mtx); -- -- return r; --} -- - static ssize_t rfkill_fop_read(struct file *file, char __user *buf, - size_t count, loff_t *pos) - { -@@ -1115,8 +1104,11 @@ static ssize_t rfkill_fop_read(struct file *file, char __user *buf, - goto out; - } - mutex_unlock(&data->mtx); -+ /* since we re-check and it just compares pointers, -+ * using !list_empty() without locking isn't a problem -+ */ - ret = wait_event_interruptible(data->read_wait, -- rfkill_readable(data)); -+ !list_empty(&data->events)); - mutex_lock(&data->mtx); - - if (ret) -diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c -index 231b71944c52..a4266b9b2429 100644 ---- a/net/sunrpc/cache.c -+++ b/net/sunrpc/cache.c -@@ -1221,7 +1221,7 @@ int qword_get(char **bpp, char *dest, int bufsize) - if (bp[0] == '\\' && bp[1] == 'x') { - /* HEX STRING */ - bp += 2; -- while (len < bufsize) { -+ while (len < bufsize - 1) { - int h, l; - - h = hex_to_bin(bp[0]); -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index a673c1f4f638..8f118c7c19e1 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1466,7 +1466,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) - UNIXCB(skb).fp = NULL; - - for (i = scm->fp->count-1; i >= 0; i--) -- unix_notinflight(scm->fp->fp[i]); -+ unix_notinflight(scm->fp->user, scm->fp->fp[i]); - } - - static void unix_destruct_scm(struct sk_buff *skb) -@@ -1531,7 +1531,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - return -ENOMEM; - - for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -+ unix_inflight(scm->fp->user, scm->fp->fp[i]); - return max_level; - } - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index 06730fe6ad9d..a72182d6750f 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -122,7 +122,7 @@ struct sock *unix_get_socket(struct file *filp) - * descriptor if it is for an AF_UNIX socket. - */ - --void unix_inflight(struct file *fp) -+void unix_inflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -139,11 +139,11 @@ void unix_inflight(struct file *fp) - } - unix_tot_inflight++; - } -- fp->f_cred->user->unix_inflight++; -+ user->unix_inflight++; - spin_unlock(&unix_gc_lock); - } - --void unix_notinflight(struct file *fp) -+void unix_notinflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -157,7 +157,7 @@ void unix_notinflight(struct file *fp) - list_del_init(&u->link); - unix_tot_inflight--; - } -- fp->f_cred->user->unix_inflight--; -+ user->unix_inflight--; - spin_unlock(&unix_gc_lock); - } - -diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c -index 9c22317778eb..ee625e3a56ba 100644 ---- a/scripts/recordmcount.c -+++ b/scripts/recordmcount.c -@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname) - addr = umalloc(sb.st_size); - uread(fd_map, addr, sb.st_size); - } -+ if (sb.st_nlink != 1) { -+ /* file is hard-linked, break the hard link */ -+ close(fd_map); -+ if (unlink(fname) < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode); -+ if (fd_map < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ uwrite(fd_map, addr, sb.st_size); -+ } - return addr; - } - -diff --git a/tools/Makefile b/tools/Makefile -index 41067f304215..b82a15b92b1c 100644 ---- a/tools/Makefile -+++ b/tools/Makefile -@@ -22,6 +22,10 @@ help: - @echo ' from the kernel command line to build and install one of' - @echo ' the tools above' - @echo '' -+ @echo ' $$ make tools/all' -+ @echo '' -+ @echo ' builds all tools.' -+ @echo '' - @echo ' $$ make tools/install' - @echo '' - @echo ' installs all tools.' -@@ -50,6 +54,10 @@ selftests: FORCE - turbostat x86_energy_perf_policy: FORCE - $(call descend,power/x86/$@) - -+all: cgroup cpupower firewire lguest \ -+ perf selftests turbostat usb \ -+ virtio vm net x86_energy_perf_policy -+ - cpupower_install: - $(call descend,power/$(@:_install=),install) - -diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c -index ea475cd03511..ca2d05a07b57 100644 ---- a/virt/kvm/async_pf.c -+++ b/virt/kvm/async_pf.c -@@ -158,7 +158,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn, - * do alloc nowait since if we are going to sleep anyway we - * may as well sleep faulting in page - */ -- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT); -+ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN); - if (!work) - return 0; - diff --git a/patch/kernel/odroidc1-default/1-patch-3.10.99-100.patch b/patch/kernel/odroidc1-default/1-patch-3.10.99-100.patch deleted file mode 100644 index da39546c5..000000000 --- a/patch/kernel/odroidc1-default/1-patch-3.10.99-100.patch +++ /dev/null @@ -1,1156 +0,0 @@ -diff --git a/Makefile b/Makefile -index f1e6491fd7d8..40d4d3bf52c3 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 99 -+SUBLEVEL = 100 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index c9305ef1d411..e73982b93537 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -422,6 +422,7 @@ ENTRY(ia32_syscall) - /*CFI_REL_OFFSET cs,CS-RIP*/ - CFI_REL_OFFSET rip,RIP-RIP - PARAVIRT_ADJUST_EXCEPTION_FRAME -+ ASM_CLAC /* Do this early to minimize exposure */ - SWAPGS - /* - * No need to follow this irqs on/off section: the syscall -diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c -index ec94e11807dc..ca0805633f26 100644 ---- a/arch/x86/kernel/acpi/sleep.c -+++ b/arch/x86/kernel/acpi/sleep.c -@@ -16,6 +16,7 @@ - #include - #include - -+#include - #include "../../realmode/rm/wakeup.h" - #include "sleep.h" - -@@ -96,7 +97,13 @@ int acpi_suspend_lowlevel(void) - saved_magic = 0x123456789abcdef0L; - #endif /* CONFIG_64BIT */ - -+ /* -+ * Pause/unpause graph tracing around do_suspend_lowlevel as it has -+ * inconsistent call/return info after it jumps to the wakeup vector. -+ */ -+ pause_graph_tracing(); - do_suspend_lowlevel(); -+ unpause_graph_tracing(); - return 0; - } - -diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c -index 04e7db668362..f3f0801a0e81 100644 ---- a/drivers/ata/libata-scsi.c -+++ b/drivers/ata/libata-scsi.c -@@ -673,19 +673,18 @@ static int ata_ioc32(struct ata_port *ap) - int ata_sas_scsi_ioctl(struct ata_port *ap, struct scsi_device *scsidev, - int cmd, void __user *arg) - { -- int val = -EINVAL, rc = -EINVAL; -+ unsigned long val; -+ int rc = -EINVAL; - unsigned long flags; - - switch (cmd) { -- case ATA_IOC_GET_IO32: -+ case HDIO_GET_32BIT: - spin_lock_irqsave(ap->lock, flags); - val = ata_ioc32(ap); - spin_unlock_irqrestore(ap->lock, flags); -- if (copy_to_user(arg, &val, 1)) -- return -EFAULT; -- return 0; -+ return put_user(val, (unsigned long __user *)arg); - -- case ATA_IOC_SET_IO32: -+ case HDIO_SET_32BIT: - val = (unsigned long) arg; - rc = 0; - spin_lock_irqsave(ap->lock, flags); -diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c -index 88cd940ece63..453c816b4537 100644 ---- a/drivers/edac/edac_mc_sysfs.c -+++ b/drivers/edac/edac_mc_sysfs.c -@@ -973,21 +973,26 @@ nomem: - */ - int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) - { -+ char *name; - int i, err; - - /* - * The memory controller needs its own bus, in order to avoid - * namespace conflicts at /sys/bus/edac. - */ -- mci->bus->name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); -- if (!mci->bus->name) -+ name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); -+ if (!name) - return -ENOMEM; - -+ mci->bus->name = name; -+ - edac_dbg(0, "creating bus %s\n", mci->bus->name); - - err = bus_register(mci->bus); -- if (err < 0) -+ if (err < 0) { -+ kfree(name); - return err; -+ } - - /* get the /sys/devices/system/edac subsys reference */ - mci->dev.type = &mci_attr_type; -@@ -1071,7 +1076,8 @@ fail: - fail2: - device_unregister(&mci->dev); - bus_unregister(mci->bus); -- kfree(mci->bus->name); -+ kfree(name); -+ - return err; - } - -@@ -1102,10 +1108,12 @@ void edac_remove_sysfs_mci_device(struct mem_ctl_info *mci) - - void edac_unregister_sysfs(struct mem_ctl_info *mci) - { -+ const char *name = mci->bus->name; -+ - edac_dbg(1, "Unregistering device %s\n", dev_name(&mci->dev)); - device_unregister(&mci->dev); - bus_unregister(mci->bus); -- kfree(mci->bus->name); -+ kfree(name); - } - - static void mc_attr_release(struct device *dev) -diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c -index 313ccaf25f49..62834322b337 100644 ---- a/drivers/gpu/drm/ast/ast_main.c -+++ b/drivers/gpu/drm/ast/ast_main.c -@@ -124,7 +124,7 @@ static int ast_get_dram_info(struct drm_device *dev) - } while (ast_read32(ast, 0x10000) != 0x01); - data = ast_read32(ast, 0x10004); - -- if (data & 0x400) -+ if (data & 0x40) - ast->dram_bus_width = 16; - else - ast->dram_bus_width = 32; -diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c -index bb166849aa6e..f0bac68254b7 100644 ---- a/drivers/gpu/drm/radeon/radeon_sa.c -+++ b/drivers/gpu/drm/radeon/radeon_sa.c -@@ -349,13 +349,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev, - /* see if we can skip over some allocations */ - } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); - -- for (i = 0; i < RADEON_NUM_RINGS; ++i) -- radeon_fence_ref(fences[i]); -- - spin_unlock(&sa_manager->wq.lock); - r = radeon_fence_wait_any(rdev, fences, false); -- for (i = 0; i < RADEON_NUM_RINGS; ++i) -- radeon_fence_unref(&fences[i]); - spin_lock(&sa_manager->wq.lock); - /* if we have nothing to wait for block */ - if (r == -ENOENT && block) { -diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c -index 2a1b6e037e1a..0134ba32a057 100644 ---- a/drivers/mtd/ubi/upd.c -+++ b/drivers/mtd/ubi/upd.c -@@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, - vol->changing_leb = 1; - vol->ch_lnum = req->lnum; - -- vol->upd_buf = vmalloc(req->bytes); -+ vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); - if (!vol->upd_buf) - return -ENOMEM; - -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 303f3b3fb65f..84b770461655 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -164,6 +164,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ - { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ - { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ -+ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ - { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 9bab34cf01d4..24366a2afea6 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -271,6 +271,7 @@ static void option_instat_callback(struct urb *urb); - #define TELIT_PRODUCT_UE910_V2 0x1012 - #define TELIT_PRODUCT_LE922_USBCFG0 0x1042 - #define TELIT_PRODUCT_LE922_USBCFG3 0x1043 -+#define TELIT_PRODUCT_LE922_USBCFG5 0x1045 - #define TELIT_PRODUCT_LE920 0x1200 - #define TELIT_PRODUCT_LE910 0x1201 - -@@ -1140,6 +1141,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ -+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */ -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), -@@ -1191,6 +1194,8 @@ static const struct usb_device_id option_ids[] = { - .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), - .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, -+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), - .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), -diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c -index d17c5d72cd29..4c86850bd627 100644 ---- a/fs/cifs/cifssmb.c -+++ b/fs/cifs/cifssmb.c -@@ -1389,11 +1389,10 @@ openRetry: - * current bigbuf. - */ - static int --cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) -+discard_remaining_data(struct TCP_Server_Info *server) - { - unsigned int rfclen = get_rfc1002_length(server->smallbuf); - int remaining = rfclen + 4 - server->total_read; -- struct cifs_readdata *rdata = mid->callback_data; - - while (remaining > 0) { - int length; -@@ -1407,10 +1406,20 @@ cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) - remaining -= length; - } - -- dequeue_mid(mid, rdata->result); - return 0; - } - -+static int -+cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) -+{ -+ int length; -+ struct cifs_readdata *rdata = mid->callback_data; -+ -+ length = discard_remaining_data(server); -+ dequeue_mid(mid, rdata->result); -+ return length; -+} -+ - int - cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) - { -@@ -1439,6 +1448,12 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) - return length; - server->total_read += length; - -+ if (server->ops->is_status_pending && -+ server->ops->is_status_pending(buf, server, 0)) { -+ discard_remaining_data(server); -+ return -1; -+ } -+ - /* Was the SMB read successful? */ - rdata->result = server->ops->map_error(buf, false); - if (rdata->result != 0) { -diff --git a/fs/jffs2/README.Locking b/fs/jffs2/README.Locking -index 3ea36554107f..8918ac905a3b 100644 ---- a/fs/jffs2/README.Locking -+++ b/fs/jffs2/README.Locking -@@ -2,10 +2,6 @@ - JFFS2 LOCKING DOCUMENTATION - --------------------------- - --At least theoretically, JFFS2 does not require the Big Kernel Lock --(BKL), which was always helpfully obtained for it by Linux 2.4 VFS --code. It has its own locking, as described below. -- - This document attempts to describe the existing locking rules for - JFFS2. It is not expected to remain perfectly up to date, but ought to - be fairly close. -@@ -69,6 +65,7 @@ Ordering constraints: - any f->sem held. - 2. Never attempt to lock two file mutexes in one thread. - No ordering rules have been made for doing so. -+ 3. Never lock a page cache page with f->sem held. - - - erase_completion_lock spinlock -diff --git a/fs/jffs2/build.c b/fs/jffs2/build.c -index a3750f902adc..c1f04947d7dc 100644 ---- a/fs/jffs2/build.c -+++ b/fs/jffs2/build.c -@@ -49,7 +49,8 @@ next_inode(int *i, struct jffs2_inode_cache *ic, struct jffs2_sb_info *c) - - - static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, -- struct jffs2_inode_cache *ic) -+ struct jffs2_inode_cache *ic, -+ int *dir_hardlinks) - { - struct jffs2_full_dirent *fd; - -@@ -68,19 +69,21 @@ static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, - dbg_fsbuild("child \"%s\" (ino #%u) of dir ino #%u doesn't exist!\n", - fd->name, fd->ino, ic->ino); - jffs2_mark_node_obsolete(c, fd->raw); -+ /* Clear the ic/raw union so it doesn't cause problems later. */ -+ fd->ic = NULL; - continue; - } - -+ /* From this point, fd->raw is no longer used so we can set fd->ic */ -+ fd->ic = child_ic; -+ child_ic->pino_nlink++; -+ /* If we appear (at this stage) to have hard-linked directories, -+ * set a flag to trigger a scan later */ - if (fd->type == DT_DIR) { -- if (child_ic->pino_nlink) { -- JFFS2_ERROR("child dir \"%s\" (ino #%u) of dir ino #%u appears to be a hard link\n", -- fd->name, fd->ino, ic->ino); -- /* TODO: What do we do about it? */ -- } else { -- child_ic->pino_nlink = ic->ino; -- } -- } else -- child_ic->pino_nlink++; -+ child_ic->flags |= INO_FLAGS_IS_DIR; -+ if (child_ic->pino_nlink > 1) -+ *dir_hardlinks = 1; -+ } - - dbg_fsbuild("increased nlink for child \"%s\" (ino #%u)\n", fd->name, fd->ino); - /* Can't free scan_dents so far. We might need them in pass 2 */ -@@ -94,8 +97,7 @@ static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, - */ - static int jffs2_build_filesystem(struct jffs2_sb_info *c) - { -- int ret; -- int i; -+ int ret, i, dir_hardlinks = 0; - struct jffs2_inode_cache *ic; - struct jffs2_full_dirent *fd; - struct jffs2_full_dirent *dead_fds = NULL; -@@ -119,7 +121,7 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) - /* Now scan the directory tree, increasing nlink according to every dirent found. */ - for_each_inode(i, c, ic) { - if (ic->scan_dents) { -- jffs2_build_inode_pass1(c, ic); -+ jffs2_build_inode_pass1(c, ic, &dir_hardlinks); - cond_resched(); - } - } -@@ -155,6 +157,20 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) - } - - dbg_fsbuild("pass 2a complete\n"); -+ -+ if (dir_hardlinks) { -+ /* If we detected directory hardlinks earlier, *hopefully* -+ * they are gone now because some of the links were from -+ * dead directories which still had some old dirents lying -+ * around and not yet garbage-collected, but which have -+ * been discarded above. So clear the pino_nlink field -+ * in each directory, so that the final scan below can -+ * print appropriate warnings. */ -+ for_each_inode(i, c, ic) { -+ if (ic->flags & INO_FLAGS_IS_DIR) -+ ic->pino_nlink = 0; -+ } -+ } - dbg_fsbuild("freeing temporary data structures\n"); - - /* Finally, we can scan again and free the dirent structs */ -@@ -162,6 +178,33 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) - while(ic->scan_dents) { - fd = ic->scan_dents; - ic->scan_dents = fd->next; -+ /* We do use the pino_nlink field to count nlink of -+ * directories during fs build, so set it to the -+ * parent ino# now. Now that there's hopefully only -+ * one. */ -+ if (fd->type == DT_DIR) { -+ if (!fd->ic) { -+ /* We'll have complained about it and marked the coresponding -+ raw node obsolete already. Just skip it. */ -+ continue; -+ } -+ -+ /* We *have* to have set this in jffs2_build_inode_pass1() */ -+ BUG_ON(!(fd->ic->flags & INO_FLAGS_IS_DIR)); -+ -+ /* We clear ic->pino_nlink ∀ directories' ic *only* if dir_hardlinks -+ * is set. Otherwise, we know this should never trigger anyway, so -+ * we don't do the check. And ic->pino_nlink still contains the nlink -+ * value (which is 1). */ -+ if (dir_hardlinks && fd->ic->pino_nlink) { -+ JFFS2_ERROR("child dir \"%s\" (ino #%u) of dir ino #%u is also hard linked from dir ino #%u\n", -+ fd->name, fd->ino, ic->ino, fd->ic->pino_nlink); -+ /* Should we unlink it from its previous parent? */ -+ } -+ -+ /* For directories, ic->pino_nlink holds that parent inode # */ -+ fd->ic->pino_nlink = ic->ino; -+ } - jffs2_free_full_dirent(fd); - } - ic->scan_dents = NULL; -@@ -240,11 +283,7 @@ static void jffs2_build_remove_unlinked_inode(struct jffs2_sb_info *c, - - /* Reduce nlink of the child. If it's now zero, stick it on the - dead_fds list to be cleaned up later. Else just free the fd */ -- -- if (fd->type == DT_DIR) -- child_ic->pino_nlink = 0; -- else -- child_ic->pino_nlink--; -+ child_ic->pino_nlink--; - - if (!child_ic->pino_nlink) { - dbg_fsbuild("inode #%u (\"%s\") now has no links; adding to dead_fds list.\n", -diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c -index 1506673c087e..60ef3fb707ff 100644 ---- a/fs/jffs2/file.c -+++ b/fs/jffs2/file.c -@@ -138,39 +138,33 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - struct page *pg; - struct inode *inode = mapping->host; - struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); -- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); -- struct jffs2_raw_inode ri; -- uint32_t alloc_len = 0; - pgoff_t index = pos >> PAGE_CACHE_SHIFT; - uint32_t pageofs = index << PAGE_CACHE_SHIFT; - int ret = 0; - -- jffs2_dbg(1, "%s()\n", __func__); -- -- if (pageofs > inode->i_size) { -- ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, -- ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); -- if (ret) -- return ret; -- } -- -- mutex_lock(&f->sem); - pg = grab_cache_page_write_begin(mapping, index, flags); -- if (!pg) { -- if (alloc_len) -- jffs2_complete_reservation(c); -- mutex_unlock(&f->sem); -+ if (!pg) - return -ENOMEM; -- } - *pagep = pg; - -- if (alloc_len) { -+ jffs2_dbg(1, "%s()\n", __func__); -+ -+ if (pageofs > inode->i_size) { - /* Make new hole frag from old EOF to new page */ -+ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); -+ struct jffs2_raw_inode ri; - struct jffs2_full_dnode *fn; -+ uint32_t alloc_len; - - jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n", - (unsigned int)inode->i_size, pageofs); - -+ ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, -+ ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); -+ if (ret) -+ goto out_page; -+ -+ mutex_lock(&f->sem); - memset(&ri, 0, sizeof(ri)); - - ri.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK); -@@ -197,6 +191,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - if (IS_ERR(fn)) { - ret = PTR_ERR(fn); - jffs2_complete_reservation(c); -+ mutex_unlock(&f->sem); - goto out_page; - } - ret = jffs2_add_full_dnode_to_inode(c, f, fn); -@@ -211,10 +206,12 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - jffs2_mark_node_obsolete(c, fn->raw); - jffs2_free_full_dnode(fn); - jffs2_complete_reservation(c); -+ mutex_unlock(&f->sem); - goto out_page; - } - jffs2_complete_reservation(c); - inode->i_size = pageofs; -+ mutex_unlock(&f->sem); - } - - /* -@@ -223,18 +220,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - * case of a short-copy. - */ - if (!PageUptodate(pg)) { -+ mutex_lock(&f->sem); - ret = jffs2_do_readpage_nolock(inode, pg); -+ mutex_unlock(&f->sem); - if (ret) - goto out_page; - } -- mutex_unlock(&f->sem); - jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags); - return ret; - - out_page: - unlock_page(pg); - page_cache_release(pg); -- mutex_unlock(&f->sem); - return ret; - } - -diff --git a/fs/jffs2/gc.c b/fs/jffs2/gc.c -index 5a2dec2b064c..95d5880a63ee 100644 ---- a/fs/jffs2/gc.c -+++ b/fs/jffs2/gc.c -@@ -1296,14 +1296,17 @@ static int jffs2_garbage_collect_dnode(struct jffs2_sb_info *c, struct jffs2_era - BUG_ON(start > orig_start); - } - -- /* First, use readpage() to read the appropriate page into the page cache */ -- /* Q: What happens if we actually try to GC the _same_ page for which commit_write() -- * triggered garbage collection in the first place? -- * A: I _think_ it's OK. read_cache_page shouldn't deadlock, we'll write out the -- * page OK. We'll actually write it out again in commit_write, which is a little -- * suboptimal, but at least we're correct. -- */ -+ /* The rules state that we must obtain the page lock *before* f->sem, so -+ * drop f->sem temporarily. Since we also hold c->alloc_sem, nothing's -+ * actually going to *change* so we're safe; we only allow reading. -+ * -+ * It is important to note that jffs2_write_begin() will ensure that its -+ * page is marked Uptodate before allocating space. That means that if we -+ * end up here trying to GC the *same* page that jffs2_write_begin() is -+ * trying to write out, read_cache_page() will not deadlock. */ -+ mutex_unlock(&f->sem); - pg_ptr = jffs2_gc_fetch_page(c, f, start, &pg); -+ mutex_lock(&f->sem); - - if (IS_ERR(pg_ptr)) { - pr_warn("read_cache_page() returned error: %ld\n", -diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h -index fa35ff79ab35..0637271f3770 100644 ---- a/fs/jffs2/nodelist.h -+++ b/fs/jffs2/nodelist.h -@@ -194,6 +194,7 @@ struct jffs2_inode_cache { - #define INO_STATE_CLEARING 6 /* In clear_inode() */ - - #define INO_FLAGS_XATTR_CHECKED 0x01 /* has no duplicate xattr_ref */ -+#define INO_FLAGS_IS_DIR 0x02 /* is a directory */ - - #define RAWNODE_CLASS_INODE_CACHE 0 - #define RAWNODE_CLASS_XATTR_DATUM 1 -@@ -249,7 +250,10 @@ struct jffs2_readinode_info - - struct jffs2_full_dirent - { -- struct jffs2_raw_node_ref *raw; -+ union { -+ struct jffs2_raw_node_ref *raw; -+ struct jffs2_inode_cache *ic; /* Just during part of build */ -+ }; - struct jffs2_full_dirent *next; - uint32_t version; - uint32_t ino; /* == zero for unlink */ -diff --git a/fs/locks.c b/fs/locks.c -index 0274c953b07d..f7b1de7e6735 100644 ---- a/fs/locks.c -+++ b/fs/locks.c -@@ -1852,7 +1852,6 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, - goto out; - } - --again: - error = flock_to_posix_lock(filp, file_lock, &flock); - if (error) - goto out; -@@ -1883,19 +1882,22 @@ again: - * Attempt to detect a close/fcntl race and recover by - * releasing the lock that was just acquired. - */ -- /* -- * we need that spin_lock here - it prevents reordering between -- * update of inode->i_flock and check for it done in close(). -- * rcu_read_lock() wouldn't do. -- */ -- spin_lock(¤t->files->file_lock); -- f = fcheck(fd); -- spin_unlock(¤t->files->file_lock); -- if (!error && f != filp && flock.l_type != F_UNLCK) { -- flock.l_type = F_UNLCK; -- goto again; -+ if (!error && file_lock->fl_type != F_UNLCK) { -+ /* -+ * We need that spin_lock here - it prevents reordering between -+ * update of inode->i_flock and check for it done in -+ * close(). rcu_read_lock() wouldn't do. -+ */ -+ spin_lock(¤t->files->file_lock); -+ f = fcheck(fd); -+ spin_unlock(¤t->files->file_lock); -+ if (f != filp) { -+ file_lock->fl_type = F_UNLCK; -+ error = do_lock_file_wait(filp, cmd, file_lock); -+ WARN_ON_ONCE(error); -+ error = -EBADF; -+ } - } -- - out: - locks_free_lock(file_lock); - return error; -@@ -1970,7 +1972,6 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, - goto out; - } - --again: - error = flock64_to_posix_lock(filp, file_lock, &flock); - if (error) - goto out; -@@ -2001,14 +2002,22 @@ again: - * Attempt to detect a close/fcntl race and recover by - * releasing the lock that was just acquired. - */ -- spin_lock(¤t->files->file_lock); -- f = fcheck(fd); -- spin_unlock(¤t->files->file_lock); -- if (!error && f != filp && flock.l_type != F_UNLCK) { -- flock.l_type = F_UNLCK; -- goto again; -+ if (!error && file_lock->fl_type != F_UNLCK) { -+ /* -+ * We need that spin_lock here - it prevents reordering between -+ * update of inode->i_flock and check for it done in -+ * close(). rcu_read_lock() wouldn't do. -+ */ -+ spin_lock(¤t->files->file_lock); -+ f = fcheck(fd); -+ spin_unlock(¤t->files->file_lock); -+ if (f != filp) { -+ file_lock->fl_type = F_UNLCK; -+ error = do_lock_file_wait(filp, cmd, file_lock); -+ WARN_ON_ONCE(error); -+ error = -EBADF; -+ } - } -- - out: - locks_free_lock(file_lock); - return error; -diff --git a/include/linux/ata.h b/include/linux/ata.h -index ee0bd9524055..f60ffe29b3a1 100644 ---- a/include/linux/ata.h -+++ b/include/linux/ata.h -@@ -477,8 +477,8 @@ enum ata_tf_protocols { - }; - - enum ata_ioctls { -- ATA_IOC_GET_IO32 = 0x309, -- ATA_IOC_SET_IO32 = 0x324, -+ ATA_IOC_GET_IO32 = 0x309, /* HDIO_GET_32BIT */ -+ ATA_IOC_SET_IO32 = 0x324, /* HDIO_SET_32BIT */ - }; - - /* core structures */ -diff --git a/include/linux/libata.h b/include/linux/libata.h -index 8ad0771b88ab..8017e5c459cf 100644 ---- a/include/linux/libata.h -+++ b/include/linux/libata.h -@@ -666,7 +666,7 @@ struct ata_device { - union { - u16 id[ATA_ID_WORDS]; /* IDENTIFY xxx DEVICE data */ - u32 gscr[SATA_PMP_GSCR_DWORDS]; /* PMP GSCR block */ -- }; -+ } ____cacheline_aligned; - - /* DEVSLP Timing Variables from Identify Device Data Log */ - u8 devslp_timing[ATA_LOG_DEVSLP_SIZE]; -diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c -index 2bb95a7a8809..c14565bde887 100644 ---- a/sound/core/control_compat.c -+++ b/sound/core/control_compat.c -@@ -170,6 +170,19 @@ struct snd_ctl_elem_value32 { - unsigned char reserved[128]; - }; - -+#ifdef CONFIG_X86_X32 -+/* x32 has a different alignment for 64bit values from ia32 */ -+struct snd_ctl_elem_value_x32 { -+ struct snd_ctl_elem_id id; -+ unsigned int indirect; /* bit-field causes misalignment */ -+ union { -+ s32 integer[128]; -+ unsigned char data[512]; -+ s64 integer64[64]; -+ } value; -+ unsigned char reserved[128]; -+}; -+#endif /* CONFIG_X86_X32 */ - - /* get the value type and count of the control */ - static int get_ctl_type(struct snd_card *card, struct snd_ctl_elem_id *id, -@@ -219,9 +232,11 @@ static int get_elem_size(int type, int count) - - static int copy_ctl_value_from_user(struct snd_card *card, - struct snd_ctl_elem_value *data, -- struct snd_ctl_elem_value32 __user *data32, -+ void __user *userdata, -+ void __user *valuep, - int *typep, int *countp) - { -+ struct snd_ctl_elem_value32 __user *data32 = userdata; - int i, type, size; - int uninitialized_var(count); - unsigned int indirect; -@@ -239,8 +254,9 @@ static int copy_ctl_value_from_user(struct snd_card *card, - if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || - type == SNDRV_CTL_ELEM_TYPE_INTEGER) { - for (i = 0; i < count; i++) { -+ s32 __user *intp = valuep; - int val; -- if (get_user(val, &data32->value.integer[i])) -+ if (get_user(val, &intp[i])) - return -EFAULT; - data->value.integer.value[i] = val; - } -@@ -250,8 +266,7 @@ static int copy_ctl_value_from_user(struct snd_card *card, - printk(KERN_ERR "snd_ioctl32_ctl_elem_value: unknown type %d\n", type); - return -EINVAL; - } -- if (copy_from_user(data->value.bytes.data, -- data32->value.data, size)) -+ if (copy_from_user(data->value.bytes.data, valuep, size)) - return -EFAULT; - } - -@@ -261,7 +276,8 @@ static int copy_ctl_value_from_user(struct snd_card *card, - } - - /* restore the value to 32bit */ --static int copy_ctl_value_to_user(struct snd_ctl_elem_value32 __user *data32, -+static int copy_ctl_value_to_user(void __user *userdata, -+ void __user *valuep, - struct snd_ctl_elem_value *data, - int type, int count) - { -@@ -270,22 +286,22 @@ static int copy_ctl_value_to_user(struct snd_ctl_elem_value32 __user *data32, - if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || - type == SNDRV_CTL_ELEM_TYPE_INTEGER) { - for (i = 0; i < count; i++) { -+ s32 __user *intp = valuep; - int val; - val = data->value.integer.value[i]; -- if (put_user(val, &data32->value.integer[i])) -+ if (put_user(val, &intp[i])) - return -EFAULT; - } - } else { - size = get_elem_size(type, count); -- if (copy_to_user(data32->value.data, -- data->value.bytes.data, size)) -+ if (copy_to_user(valuep, data->value.bytes.data, size)) - return -EFAULT; - } - return 0; - } - --static int snd_ctl_elem_read_user_compat(struct snd_card *card, -- struct snd_ctl_elem_value32 __user *data32) -+static int ctl_elem_read_user(struct snd_card *card, -+ void __user *userdata, void __user *valuep) - { - struct snd_ctl_elem_value *data; - int err, type, count; -@@ -294,7 +310,9 @@ static int snd_ctl_elem_read_user_compat(struct snd_card *card, - if (data == NULL) - return -ENOMEM; - -- if ((err = copy_ctl_value_from_user(card, data, data32, &type, &count)) < 0) -+ err = copy_ctl_value_from_user(card, data, userdata, valuep, -+ &type, &count); -+ if (err < 0) - goto error; - - snd_power_lock(card); -@@ -303,14 +321,15 @@ static int snd_ctl_elem_read_user_compat(struct snd_card *card, - err = snd_ctl_elem_read(card, data); - snd_power_unlock(card); - if (err >= 0) -- err = copy_ctl_value_to_user(data32, data, type, count); -+ err = copy_ctl_value_to_user(userdata, valuep, data, -+ type, count); - error: - kfree(data); - return err; - } - --static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, -- struct snd_ctl_elem_value32 __user *data32) -+static int ctl_elem_write_user(struct snd_ctl_file *file, -+ void __user *userdata, void __user *valuep) - { - struct snd_ctl_elem_value *data; - struct snd_card *card = file->card; -@@ -320,7 +339,9 @@ static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, - if (data == NULL) - return -ENOMEM; - -- if ((err = copy_ctl_value_from_user(card, data, data32, &type, &count)) < 0) -+ err = copy_ctl_value_from_user(card, data, userdata, valuep, -+ &type, &count); -+ if (err < 0) - goto error; - - snd_power_lock(card); -@@ -329,12 +350,39 @@ static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, - err = snd_ctl_elem_write(card, file, data); - snd_power_unlock(card); - if (err >= 0) -- err = copy_ctl_value_to_user(data32, data, type, count); -+ err = copy_ctl_value_to_user(userdata, valuep, data, -+ type, count); - error: - kfree(data); - return err; - } - -+static int snd_ctl_elem_read_user_compat(struct snd_card *card, -+ struct snd_ctl_elem_value32 __user *data32) -+{ -+ return ctl_elem_read_user(card, data32, &data32->value); -+} -+ -+static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, -+ struct snd_ctl_elem_value32 __user *data32) -+{ -+ return ctl_elem_write_user(file, data32, &data32->value); -+} -+ -+#ifdef CONFIG_X86_X32 -+static int snd_ctl_elem_read_user_x32(struct snd_card *card, -+ struct snd_ctl_elem_value_x32 __user *data32) -+{ -+ return ctl_elem_read_user(card, data32, &data32->value); -+} -+ -+static int snd_ctl_elem_write_user_x32(struct snd_ctl_file *file, -+ struct snd_ctl_elem_value_x32 __user *data32) -+{ -+ return ctl_elem_write_user(file, data32, &data32->value); -+} -+#endif /* CONFIG_X86_X32 */ -+ - /* add or replace a user control */ - static int snd_ctl_elem_add_compat(struct snd_ctl_file *file, - struct snd_ctl_elem_info32 __user *data32, -@@ -393,6 +441,10 @@ enum { - SNDRV_CTL_IOCTL_ELEM_WRITE32 = _IOWR('U', 0x13, struct snd_ctl_elem_value32), - SNDRV_CTL_IOCTL_ELEM_ADD32 = _IOWR('U', 0x17, struct snd_ctl_elem_info32), - SNDRV_CTL_IOCTL_ELEM_REPLACE32 = _IOWR('U', 0x18, struct snd_ctl_elem_info32), -+#ifdef CONFIG_X86_X32 -+ SNDRV_CTL_IOCTL_ELEM_READ_X32 = _IOWR('U', 0x12, struct snd_ctl_elem_value_x32), -+ SNDRV_CTL_IOCTL_ELEM_WRITE_X32 = _IOWR('U', 0x13, struct snd_ctl_elem_value_x32), -+#endif /* CONFIG_X86_X32 */ - }; - - static inline long snd_ctl_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) -@@ -431,6 +483,12 @@ static inline long snd_ctl_ioctl_compat(struct file *file, unsigned int cmd, uns - return snd_ctl_elem_add_compat(ctl, argp, 0); - case SNDRV_CTL_IOCTL_ELEM_REPLACE32: - return snd_ctl_elem_add_compat(ctl, argp, 1); -+#ifdef CONFIG_X86_X32 -+ case SNDRV_CTL_IOCTL_ELEM_READ_X32: -+ return snd_ctl_elem_read_user_x32(ctl->card, argp); -+ case SNDRV_CTL_IOCTL_ELEM_WRITE_X32: -+ return snd_ctl_elem_write_user_x32(ctl, argp); -+#endif /* CONFIG_X86_X32 */ - } - - down_read(&snd_ioctl_rwsem); -diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c -index 5268c1f58c25..09a89094dcf7 100644 ---- a/sound/core/rawmidi_compat.c -+++ b/sound/core/rawmidi_compat.c -@@ -94,9 +94,58 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile, - return 0; - } - -+#ifdef CONFIG_X86_X32 -+/* X32 ABI has 64bit timespec and 64bit alignment */ -+struct snd_rawmidi_status_x32 { -+ s32 stream; -+ u32 rsvd; /* alignment */ -+ struct timespec tstamp; -+ u32 avail; -+ u32 xruns; -+ unsigned char reserved[16]; -+} __attribute__((packed)); -+ -+#define put_timespec(src, dst) copy_to_user(dst, src, sizeof(*dst)) -+ -+static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile, -+ struct snd_rawmidi_status_x32 __user *src) -+{ -+ int err; -+ struct snd_rawmidi_status status; -+ -+ if (rfile->output == NULL) -+ return -EINVAL; -+ if (get_user(status.stream, &src->stream)) -+ return -EFAULT; -+ -+ switch (status.stream) { -+ case SNDRV_RAWMIDI_STREAM_OUTPUT: -+ err = snd_rawmidi_output_status(rfile->output, &status); -+ break; -+ case SNDRV_RAWMIDI_STREAM_INPUT: -+ err = snd_rawmidi_input_status(rfile->input, &status); -+ break; -+ default: -+ return -EINVAL; -+ } -+ if (err < 0) -+ return err; -+ -+ if (put_timespec(&status.tstamp, &src->tstamp) || -+ put_user(status.avail, &src->avail) || -+ put_user(status.xruns, &src->xruns)) -+ return -EFAULT; -+ -+ return 0; -+} -+#endif /* CONFIG_X86_X32 */ -+ - enum { - SNDRV_RAWMIDI_IOCTL_PARAMS32 = _IOWR('W', 0x10, struct snd_rawmidi_params32), - SNDRV_RAWMIDI_IOCTL_STATUS32 = _IOWR('W', 0x20, struct snd_rawmidi_status32), -+#ifdef CONFIG_X86_X32 -+ SNDRV_RAWMIDI_IOCTL_STATUS_X32 = _IOWR('W', 0x20, struct snd_rawmidi_status_x32), -+#endif /* CONFIG_X86_X32 */ - }; - - static long snd_rawmidi_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) -@@ -115,6 +164,10 @@ static long snd_rawmidi_ioctl_compat(struct file *file, unsigned int cmd, unsign - return snd_rawmidi_ioctl_params_compat(rfile, argp); - case SNDRV_RAWMIDI_IOCTL_STATUS32: - return snd_rawmidi_ioctl_status_compat(rfile, argp); -+#ifdef CONFIG_X86_X32 -+ case SNDRV_RAWMIDI_IOCTL_STATUS_X32: -+ return snd_rawmidi_ioctl_status_x32(rfile, argp); -+#endif /* CONFIG_X86_X32 */ - } - return -ENOIOCTLCMD; - } -diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c -index 8d4d5e853efe..ab774954c985 100644 ---- a/sound/core/seq/oss/seq_oss.c -+++ b/sound/core/seq/oss/seq_oss.c -@@ -150,8 +150,6 @@ odev_release(struct inode *inode, struct file *file) - if ((dp = file->private_data) == NULL) - return 0; - -- snd_seq_oss_drain_write(dp); -- - mutex_lock(®ister_mutex); - snd_seq_oss_release(dp); - mutex_unlock(®ister_mutex); -diff --git a/sound/core/seq/oss/seq_oss_device.h b/sound/core/seq/oss/seq_oss_device.h -index c0154a959d55..2464112b08ad 100644 ---- a/sound/core/seq/oss/seq_oss_device.h -+++ b/sound/core/seq/oss/seq_oss_device.h -@@ -131,7 +131,6 @@ int snd_seq_oss_write(struct seq_oss_devinfo *dp, const char __user *buf, int co - unsigned int snd_seq_oss_poll(struct seq_oss_devinfo *dp, struct file *file, poll_table * wait); - - void snd_seq_oss_reset(struct seq_oss_devinfo *dp); --void snd_seq_oss_drain_write(struct seq_oss_devinfo *dp); - - /* */ - void snd_seq_oss_process_queue(struct seq_oss_devinfo *dp, abstime_t time); -diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c -index b3f39b5ed742..f9e09e458227 100644 ---- a/sound/core/seq/oss/seq_oss_init.c -+++ b/sound/core/seq/oss/seq_oss_init.c -@@ -457,23 +457,6 @@ snd_seq_oss_release(struct seq_oss_devinfo *dp) - - - /* -- * Wait until the queue is empty (if we don't have nonblock) -- */ --void --snd_seq_oss_drain_write(struct seq_oss_devinfo *dp) --{ -- if (! dp->timer->running) -- return; -- if (is_write_mode(dp->file_mode) && !is_nonblock_mode(dp->file_mode) && -- dp->writeq) { -- debug_printk(("syncing..\n")); -- while (snd_seq_oss_writeq_sync(dp->writeq)) -- ; -- } --} -- -- --/* - * reset sequencer devices - */ - void -diff --git a/sound/core/timer_compat.c b/sound/core/timer_compat.c -index e05802ae6e1b..2e908225d754 100644 ---- a/sound/core/timer_compat.c -+++ b/sound/core/timer_compat.c -@@ -70,13 +70,14 @@ static int snd_timer_user_status_compat(struct file *file, - struct snd_timer_status32 __user *_status) - { - struct snd_timer_user *tu; -- struct snd_timer_status status; -+ struct snd_timer_status32 status; - - tu = file->private_data; - if (snd_BUG_ON(!tu->timeri)) - return -ENXIO; - memset(&status, 0, sizeof(status)); -- status.tstamp = tu->tstamp; -+ status.tstamp.tv_sec = tu->tstamp.tv_sec; -+ status.tstamp.tv_nsec = tu->tstamp.tv_nsec; - status.resolution = snd_timer_resolution(tu->timeri); - status.lost = tu->timeri->lost; - status.overrun = tu->overrun; -@@ -88,12 +89,21 @@ static int snd_timer_user_status_compat(struct file *file, - return 0; - } - -+#ifdef CONFIG_X86_X32 -+/* X32 ABI has the same struct as x86-64 */ -+#define snd_timer_user_status_x32(file, s) \ -+ snd_timer_user_status(file, s) -+#endif /* CONFIG_X86_X32 */ -+ - /* - */ - - enum { - SNDRV_TIMER_IOCTL_INFO32 = _IOR('T', 0x11, struct snd_timer_info32), - SNDRV_TIMER_IOCTL_STATUS32 = _IOW('T', 0x14, struct snd_timer_status32), -+#ifdef CONFIG_X86_X32 -+ SNDRV_TIMER_IOCTL_STATUS_X32 = _IOW('T', 0x14, struct snd_timer_status), -+#endif /* CONFIG_X86_X32 */ - }; - - static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) -@@ -122,6 +132,10 @@ static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, uns - return snd_timer_user_info_compat(file, argp); - case SNDRV_TIMER_IOCTL_STATUS32: - return snd_timer_user_status_compat(file, argp); -+#ifdef CONFIG_X86_X32 -+ case SNDRV_TIMER_IOCTL_STATUS_X32: -+ return snd_timer_user_status_x32(file, argp); -+#endif /* CONFIG_X86_X32 */ - } - return -ENOIOCTLCMD; - } -diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c -index 94084cdb130c..9a281f45eb9c 100644 ---- a/sound/pci/rme9652/hdsp.c -+++ b/sound/pci/rme9652/hdsp.c -@@ -2923,7 +2923,7 @@ static int snd_hdsp_get_dds_offset(struct snd_kcontrol *kcontrol, struct snd_ctl - { - struct hdsp *hdsp = snd_kcontrol_chip(kcontrol); - -- ucontrol->value.enumerated.item[0] = hdsp_dds_offset(hdsp); -+ ucontrol->value.integer.value[0] = hdsp_dds_offset(hdsp); - return 0; - } - -@@ -2935,7 +2935,7 @@ static int snd_hdsp_put_dds_offset(struct snd_kcontrol *kcontrol, struct snd_ctl - - if (!snd_hdsp_use_is_exclusive(hdsp)) - return -EBUSY; -- val = ucontrol->value.enumerated.item[0]; -+ val = ucontrol->value.integer.value[0]; - spin_lock_irq(&hdsp->lock); - if (val != hdsp_dds_offset(hdsp)) - change = (hdsp_set_dds_offset(hdsp, val) == 0) ? 1 : 0; -diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c -index dd910d249987..8444098d2a8e 100644 ---- a/sound/pci/rme9652/hdspm.c -+++ b/sound/pci/rme9652/hdspm.c -@@ -1423,6 +1423,9 @@ static void hdspm_set_dds_value(struct hdspm *hdspm, int rate) - { - u64 n; - -+ if (snd_BUG_ON(rate <= 0)) -+ return; -+ - if (rate >= 112000) - rate /= 4; - else if (rate >= 56000) -@@ -2045,6 +2048,8 @@ static int hdspm_get_system_sample_rate(struct hdspm *hdspm) - } else { - /* slave mode, return external sample rate */ - rate = hdspm_external_sample_rate(hdspm); -+ if (!rate) -+ rate = hdspm->system_sample_rate; - } - } - -@@ -2090,8 +2095,11 @@ static int snd_hdspm_put_system_sample_rate(struct snd_kcontrol *kcontrol, - ucontrol) - { - struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); -+ int rate = ucontrol->value.integer.value[0]; - -- hdspm_set_dds_value(hdspm, ucontrol->value.enumerated.item[0]); -+ if (rate < 27000 || rate > 207000) -+ return -EINVAL; -+ hdspm_set_dds_value(hdspm, ucontrol->value.integer.value[0]); - return 0; - } - -@@ -4199,7 +4207,7 @@ static int snd_hdspm_get_tco_word_term(struct snd_kcontrol *kcontrol, - { - struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); - -- ucontrol->value.enumerated.item[0] = hdspm->tco->term; -+ ucontrol->value.integer.value[0] = hdspm->tco->term; - - return 0; - } -@@ -4210,8 +4218,8 @@ static int snd_hdspm_put_tco_word_term(struct snd_kcontrol *kcontrol, - { - struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); - -- if (hdspm->tco->term != ucontrol->value.enumerated.item[0]) { -- hdspm->tco->term = ucontrol->value.enumerated.item[0]; -+ if (hdspm->tco->term != ucontrol->value.integer.value[0]) { -+ hdspm->tco->term = ucontrol->value.integer.value[0]; - - hdspm_tco_write(hdspm); - diff --git a/patch/kernel/odroidc1-default/2-patch-3.10.100-101.patch b/patch/kernel/odroidc1-default/2-patch-3.10.100-101.patch deleted file mode 100644 index d9647df43..000000000 --- a/patch/kernel/odroidc1-default/2-patch-3.10.100-101.patch +++ /dev/null @@ -1,1493 +0,0 @@ -diff --git a/Documentation/filesystems/efivarfs.txt b/Documentation/filesystems/efivarfs.txt -index c477af086e65..686a64bba775 100644 ---- a/Documentation/filesystems/efivarfs.txt -+++ b/Documentation/filesystems/efivarfs.txt -@@ -14,3 +14,10 @@ filesystem. - efivarfs is typically mounted like this, - - mount -t efivarfs none /sys/firmware/efi/efivars -+ -+Due to the presence of numerous firmware bugs where removing non-standard -+UEFI variables causes the system firmware to fail to POST, efivarfs -+files that are not well-known standardized variables are created -+as immutable files. This doesn't prevent removal - "chattr -i" will work - -+but it does prevent this kind of failure from being accomplished -+accidentally. -diff --git a/Makefile b/Makefile -index 40d4d3bf52c3..4be9e643cef0 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 100 -+SUBLEVEL = 101 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c -index 6ee59a0eb268..48b4cf6b2a24 100644 ---- a/arch/powerpc/kernel/module_64.c -+++ b/arch/powerpc/kernel/module_64.c -@@ -192,7 +192,7 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab) - if (syms[i].st_shndx == SHN_UNDEF) { - char *name = strtab + syms[i].st_name; - if (name[0] == '.') -- memmove(name, name+1, strlen(name)); -+ syms[i].st_name++; - } - } - } -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 04cc2fa7744f..335fe70967a8 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -1487,6 +1487,13 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr, - return; - } - break; -+ case MSR_IA32_PEBS_ENABLE: -+ /* PEBS needs a quiescent period after being disabled (to write -+ * a record). Disabling PEBS through VMX MSR swapping doesn't -+ * provide that period, so a CPU could write host's record into -+ * guest's memory. -+ */ -+ wrmsrl(MSR_IA32_PEBS_ENABLE, 0); - } - - for (i = 0; i < m->nr; ++i) -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 41ba726c1ce2..7f2b6dec4b2b 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1941,6 +1941,8 @@ static void accumulate_steal_time(struct kvm_vcpu *vcpu) - - static void record_steal_time(struct kvm_vcpu *vcpu) - { -+ accumulate_steal_time(vcpu); -+ - if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) - return; - -@@ -2074,12 +2076,6 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - if (!(data & KVM_MSR_ENABLED)) - break; - -- vcpu->arch.st.last_steal = current->sched_info.run_delay; -- -- preempt_disable(); -- accumulate_steal_time(vcpu); -- preempt_enable(); -- - kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); - - break; -@@ -2758,7 +2754,6 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu) - vcpu->cpu = cpu; - } - -- accumulate_steal_time(vcpu); - kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); - } - -diff --git a/crypto/af_alg.c b/crypto/af_alg.c -index 0ca108f3c840..1aaa555fab56 100644 ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -125,23 +125,6 @@ int af_alg_release(struct socket *sock) - } - EXPORT_SYMBOL_GPL(af_alg_release); - --void af_alg_release_parent(struct sock *sk) --{ -- struct alg_sock *ask = alg_sk(sk); -- bool last; -- -- sk = ask->parent; -- ask = alg_sk(sk); -- -- lock_sock(sk); -- last = !--ask->refcnt; -- release_sock(sk); -- -- if (last) -- sock_put(sk); --} --EXPORT_SYMBOL_GPL(af_alg_release_parent); -- - static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - { - struct sock *sk = sock->sk; -@@ -149,7 +132,6 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - struct sockaddr_alg *sa = (void *)uaddr; - const struct af_alg_type *type; - void *private; -- int err; - - if (sock->state == SS_CONNECTED) - return -EINVAL; -@@ -175,22 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - return PTR_ERR(private); - } - -- err = -EBUSY; - lock_sock(sk); -- if (ask->refcnt) -- goto unlock; - - swap(ask->type, type); - swap(ask->private, private); - -- err = 0; -- --unlock: - release_sock(sk); - - alg_do_release(type, private); - -- return err; -+ return 0; - } - - static int alg_setkey(struct sock *sk, char __user *ukey, -@@ -223,15 +199,11 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, - struct sock *sk = sock->sk; - struct alg_sock *ask = alg_sk(sk); - const struct af_alg_type *type; -- int err = -EBUSY; -+ int err = -ENOPROTOOPT; - - lock_sock(sk); -- if (ask->refcnt) -- goto unlock; -- - type = ask->type; - -- err = -ENOPROTOOPT; - if (level != SOL_ALG || !type) - goto unlock; - -@@ -280,8 +252,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) - - sk2->sk_family = PF_ALG; - -- if (!ask->refcnt++) -- sock_hold(sk); -+ sock_hold(sk); - alg_sk(sk2)->parent = sk; - alg_sk(sk2)->type = type; - -diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c -index 8bd1bb6dbe47..24ae2a694e9b 100644 ---- a/drivers/firmware/efi/efivars.c -+++ b/drivers/firmware/efi/efivars.c -@@ -219,7 +219,8 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) - } - - if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || -- efivar_validate(new_var, new_var->Data, new_var->DataSize) == false) { -+ efivar_validate(new_var->VendorGuid, new_var->VariableName, -+ new_var->Data, new_var->DataSize) == false) { - printk(KERN_ERR "efivars: Malformed variable content\n"); - return -EINVAL; - } -@@ -334,7 +335,8 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - return -EACCES; - - if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || -- efivar_validate(new_var, new_var->Data, new_var->DataSize) == false) { -+ efivar_validate(new_var->VendorGuid, new_var->VariableName, -+ new_var->Data, new_var->DataSize) == false) { - printk(KERN_ERR "efivars: Malformed variable content\n"); - return -EINVAL; - } -@@ -405,35 +407,27 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) - { - int i, short_name_size; - char *short_name; -- unsigned long variable_name_size; -- efi_char16_t *variable_name; -- -- variable_name = new_var->var.VariableName; -- variable_name_size = ucs2_strlen(variable_name) * sizeof(efi_char16_t); -+ unsigned long utf8_name_size; -+ efi_char16_t *variable_name = new_var->var.VariableName; - - /* -- * Length of the variable bytes in ASCII, plus the '-' separator, -+ * Length of the variable bytes in UTF8, plus the '-' separator, - * plus the GUID, plus trailing NUL - */ -- short_name_size = variable_name_size / sizeof(efi_char16_t) -- + 1 + EFI_VARIABLE_GUID_LEN + 1; -- -- short_name = kzalloc(short_name_size, GFP_KERNEL); -+ utf8_name_size = ucs2_utf8size(variable_name); -+ short_name_size = utf8_name_size + 1 + EFI_VARIABLE_GUID_LEN + 1; - -+ short_name = kmalloc(short_name_size, GFP_KERNEL); - if (!short_name) - return 1; - -- /* Convert Unicode to normal chars (assume top bits are 0), -- ala UTF-8 */ -- for (i=0; i < (int)(variable_name_size / sizeof(efi_char16_t)); i++) { -- short_name[i] = variable_name[i] & 0xFF; -- } -+ ucs2_as_utf8(short_name, variable_name, short_name_size); -+ - /* This is ugly, but necessary to separate one vendor's - private variables from another's. */ -- -- *(short_name + strlen(short_name)) = '-'; -+ short_name[utf8_name_size] = '-'; - efi_guid_unparse(&new_var->var.VendorGuid, -- short_name + strlen(short_name)); -+ short_name + utf8_name_size + 1); - - new_var->kobj.kset = efivars_kset; - -diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c -index 7dbc319e1cf5..9f82b5545edd 100644 ---- a/drivers/firmware/efi/vars.c -+++ b/drivers/firmware/efi/vars.c -@@ -42,7 +42,7 @@ DECLARE_WORK(efivar_work, NULL); - EXPORT_SYMBOL_GPL(efivar_work); - - static bool --validate_device_path(struct efi_variable *var, int match, u8 *buffer, -+validate_device_path(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - struct efi_generic_dev_path *node; -@@ -75,7 +75,7 @@ validate_device_path(struct efi_variable *var, int match, u8 *buffer, - } - - static bool --validate_boot_order(struct efi_variable *var, int match, u8 *buffer, -+validate_boot_order(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - /* An array of 16-bit integers */ -@@ -86,18 +86,18 @@ validate_boot_order(struct efi_variable *var, int match, u8 *buffer, - } - - static bool --validate_load_option(struct efi_variable *var, int match, u8 *buffer, -+validate_load_option(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - u16 filepathlength; - int i, desclength = 0, namelen; - -- namelen = ucs2_strnlen(var->VariableName, sizeof(var->VariableName)); -+ namelen = ucs2_strnlen(var_name, EFI_VAR_NAME_LEN); - - /* Either "Boot" or "Driver" followed by four digits of hex */ - for (i = match; i < match+4; i++) { -- if (var->VariableName[i] > 127 || -- hex_to_bin(var->VariableName[i] & 0xff) < 0) -+ if (var_name[i] > 127 || -+ hex_to_bin(var_name[i] & 0xff) < 0) - return true; - } - -@@ -132,12 +132,12 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, - /* - * And, finally, check the filepath - */ -- return validate_device_path(var, match, buffer + desclength + 6, -+ return validate_device_path(var_name, match, buffer + desclength + 6, - filepathlength); - } - - static bool --validate_uint16(struct efi_variable *var, int match, u8 *buffer, -+validate_uint16(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - /* A single 16-bit integer */ -@@ -148,7 +148,7 @@ validate_uint16(struct efi_variable *var, int match, u8 *buffer, - } - - static bool --validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, -+validate_ascii_string(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - int i; -@@ -165,67 +165,133 @@ validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, - } - - struct variable_validate { -+ efi_guid_t vendor; - char *name; -- bool (*validate)(struct efi_variable *var, int match, u8 *data, -+ bool (*validate)(efi_char16_t *var_name, int match, u8 *data, - unsigned long len); - }; - -+/* -+ * This is the list of variables we need to validate, as well as the -+ * whitelist for what we think is safe not to default to immutable. -+ * -+ * If it has a validate() method that's not NULL, it'll go into the -+ * validation routine. If not, it is assumed valid, but still used for -+ * whitelisting. -+ * -+ * Note that it's sorted by {vendor,name}, but globbed names must come after -+ * any other name with the same prefix. -+ */ - static const struct variable_validate variable_validate[] = { -- { "BootNext", validate_uint16 }, -- { "BootOrder", validate_boot_order }, -- { "DriverOrder", validate_boot_order }, -- { "Boot*", validate_load_option }, -- { "Driver*", validate_load_option }, -- { "ConIn", validate_device_path }, -- { "ConInDev", validate_device_path }, -- { "ConOut", validate_device_path }, -- { "ConOutDev", validate_device_path }, -- { "ErrOut", validate_device_path }, -- { "ErrOutDev", validate_device_path }, -- { "Timeout", validate_uint16 }, -- { "Lang", validate_ascii_string }, -- { "PlatformLang", validate_ascii_string }, -- { "", NULL }, -+ { EFI_GLOBAL_VARIABLE_GUID, "BootNext", validate_uint16 }, -+ { EFI_GLOBAL_VARIABLE_GUID, "BootOrder", validate_boot_order }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Boot*", validate_load_option }, -+ { EFI_GLOBAL_VARIABLE_GUID, "DriverOrder", validate_boot_order }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Driver*", validate_load_option }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConIn", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConInDev", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConOut", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConOutDev", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ErrOut", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ErrOutDev", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Lang", validate_ascii_string }, -+ { EFI_GLOBAL_VARIABLE_GUID, "OsIndications", NULL }, -+ { EFI_GLOBAL_VARIABLE_GUID, "PlatformLang", validate_ascii_string }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Timeout", validate_uint16 }, -+ { LINUX_EFI_CRASH_GUID, "*", NULL }, -+ { NULL_GUID, "", NULL }, - }; - -+static bool -+variable_matches(const char *var_name, size_t len, const char *match_name, -+ int *match) -+{ -+ for (*match = 0; ; (*match)++) { -+ char c = match_name[*match]; -+ char u = var_name[*match]; -+ -+ /* Wildcard in the matching name means we've matched */ -+ if (c == '*') -+ return true; -+ -+ /* Case sensitive match */ -+ if (!c && *match == len) -+ return true; -+ -+ if (c != u) -+ return false; -+ -+ if (!c) -+ return true; -+ } -+ return true; -+} -+ - bool --efivar_validate(struct efi_variable *var, u8 *data, unsigned long len) -+efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data, -+ unsigned long data_size) - { - int i; -- u16 *unicode_name = var->VariableName; -+ unsigned long utf8_size; -+ u8 *utf8_name; - -- for (i = 0; variable_validate[i].validate != NULL; i++) { -- const char *name = variable_validate[i].name; -- int match; -+ utf8_size = ucs2_utf8size(var_name); -+ utf8_name = kmalloc(utf8_size + 1, GFP_KERNEL); -+ if (!utf8_name) -+ return false; - -- for (match = 0; ; match++) { -- char c = name[match]; -- u16 u = unicode_name[match]; -+ ucs2_as_utf8(utf8_name, var_name, utf8_size); -+ utf8_name[utf8_size] = '\0'; - -- /* All special variables are plain ascii */ -- if (u > 127) -- return true; -+ for (i = 0; variable_validate[i].name[0] != '\0'; i++) { -+ const char *name = variable_validate[i].name; -+ int match = 0; - -- /* Wildcard in the matching name means we've matched */ -- if (c == '*') -- return variable_validate[i].validate(var, -- match, data, len); -+ if (efi_guidcmp(vendor, variable_validate[i].vendor)) -+ continue; - -- /* Case sensitive match */ -- if (c != u) -+ if (variable_matches(utf8_name, utf8_size+1, name, &match)) { -+ if (variable_validate[i].validate == NULL) - break; -- -- /* Reached the end of the string while matching */ -- if (!c) -- return variable_validate[i].validate(var, -- match, data, len); -+ kfree(utf8_name); -+ return variable_validate[i].validate(var_name, match, -+ data, data_size); - } - } -- -+ kfree(utf8_name); - return true; - } - EXPORT_SYMBOL_GPL(efivar_validate); - -+bool -+efivar_variable_is_removable(efi_guid_t vendor, const char *var_name, -+ size_t len) -+{ -+ int i; -+ bool found = false; -+ int match = 0; -+ -+ /* -+ * Check if our variable is in the validated variables list -+ */ -+ for (i = 0; variable_validate[i].name[0] != '\0'; i++) { -+ if (efi_guidcmp(variable_validate[i].vendor, vendor)) -+ continue; -+ -+ if (variable_matches(var_name, len, -+ variable_validate[i].name, &match)) { -+ found = true; -+ break; -+ } -+ } -+ -+ /* -+ * If it's in our list, it is removable. -+ */ -+ return found; -+} -+EXPORT_SYMBOL_GPL(efivar_variable_is_removable); -+ - static efi_status_t - check_var_size(u32 attributes, unsigned long size) - { -@@ -797,7 +863,7 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes, - - *set = false; - -- if (efivar_validate(&entry->var, data, *size) == false) -+ if (efivar_validate(*vendor, name, data, *size) == false) - return -EINVAL; - - /* -diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c -index 8dd524f32284..08f105a06fbf 100644 ---- a/fs/efivarfs/file.c -+++ b/fs/efivarfs/file.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - - #include "internal.h" - -@@ -108,9 +109,79 @@ out_free: - return size; - } - -+static int -+efivarfs_ioc_getxflags(struct file *file, void __user *arg) -+{ -+ struct inode *inode = file->f_mapping->host; -+ unsigned int i_flags; -+ unsigned int flags = 0; -+ -+ i_flags = inode->i_flags; -+ if (i_flags & S_IMMUTABLE) -+ flags |= FS_IMMUTABLE_FL; -+ -+ if (copy_to_user(arg, &flags, sizeof(flags))) -+ return -EFAULT; -+ return 0; -+} -+ -+static int -+efivarfs_ioc_setxflags(struct file *file, void __user *arg) -+{ -+ struct inode *inode = file->f_mapping->host; -+ unsigned int flags; -+ unsigned int i_flags = 0; -+ int error; -+ -+ if (!inode_owner_or_capable(inode)) -+ return -EACCES; -+ -+ if (copy_from_user(&flags, arg, sizeof(flags))) -+ return -EFAULT; -+ -+ if (flags & ~FS_IMMUTABLE_FL) -+ return -EOPNOTSUPP; -+ -+ if (!capable(CAP_LINUX_IMMUTABLE)) -+ return -EPERM; -+ -+ if (flags & FS_IMMUTABLE_FL) -+ i_flags |= S_IMMUTABLE; -+ -+ -+ error = mnt_want_write_file(file); -+ if (error) -+ return error; -+ -+ mutex_lock(&inode->i_mutex); -+ inode->i_flags &= ~S_IMMUTABLE; -+ inode->i_flags |= i_flags; -+ mutex_unlock(&inode->i_mutex); -+ -+ mnt_drop_write_file(file); -+ -+ return 0; -+} -+ -+long -+efivarfs_file_ioctl(struct file *file, unsigned int cmd, unsigned long p) -+{ -+ void __user *arg = (void __user *)p; -+ -+ switch (cmd) { -+ case FS_IOC_GETFLAGS: -+ return efivarfs_ioc_getxflags(file, arg); -+ case FS_IOC_SETFLAGS: -+ return efivarfs_ioc_setxflags(file, arg); -+ } -+ -+ return -ENOTTY; -+} -+ - const struct file_operations efivarfs_file_operations = { - .open = simple_open, - .read = efivarfs_file_read, - .write = efivarfs_file_write, - .llseek = no_llseek, -+ .unlocked_ioctl = efivarfs_file_ioctl, - }; -diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c -index 7e787fb90293..d0351bc7b533 100644 ---- a/fs/efivarfs/inode.c -+++ b/fs/efivarfs/inode.c -@@ -15,7 +15,8 @@ - #include "internal.h" - - struct inode *efivarfs_get_inode(struct super_block *sb, -- const struct inode *dir, int mode, dev_t dev) -+ const struct inode *dir, int mode, -+ dev_t dev, bool is_removable) - { - struct inode *inode = new_inode(sb); - -@@ -23,6 +24,7 @@ struct inode *efivarfs_get_inode(struct super_block *sb, - inode->i_ino = get_next_ino(); - inode->i_mode = mode; - inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; -+ inode->i_flags = is_removable ? 0 : S_IMMUTABLE; - switch (mode & S_IFMT) { - case S_IFREG: - inode->i_fop = &efivarfs_file_operations; -@@ -102,22 +104,17 @@ static void efivarfs_hex_to_guid(const char *str, efi_guid_t *guid) - static int efivarfs_create(struct inode *dir, struct dentry *dentry, - umode_t mode, bool excl) - { -- struct inode *inode; -+ struct inode *inode = NULL; - struct efivar_entry *var; - int namelen, i = 0, err = 0; -+ bool is_removable = false; - - if (!efivarfs_valid_name(dentry->d_name.name, dentry->d_name.len)) - return -EINVAL; - -- inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0); -- if (!inode) -- return -ENOMEM; -- - var = kzalloc(sizeof(struct efivar_entry), GFP_KERNEL); -- if (!var) { -- err = -ENOMEM; -- goto out; -- } -+ if (!var) -+ return -ENOMEM; - - /* length of the variable name itself: remove GUID and separator */ - namelen = dentry->d_name.len - EFI_VARIABLE_GUID_LEN - 1; -@@ -125,6 +122,16 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, - efivarfs_hex_to_guid(dentry->d_name.name + namelen + 1, - &var->var.VendorGuid); - -+ if (efivar_variable_is_removable(var->var.VendorGuid, -+ dentry->d_name.name, namelen)) -+ is_removable = true; -+ -+ inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0, is_removable); -+ if (!inode) { -+ err = -ENOMEM; -+ goto out; -+ } -+ - for (i = 0; i < namelen; i++) - var->var.VariableName[i] = dentry->d_name.name[i]; - -@@ -138,7 +145,8 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, - out: - if (err) { - kfree(var); -- iput(inode); -+ if (inode) -+ iput(inode); - } - return err; - } -diff --git a/fs/efivarfs/internal.h b/fs/efivarfs/internal.h -index b5ff16addb7c..b4505188e799 100644 ---- a/fs/efivarfs/internal.h -+++ b/fs/efivarfs/internal.h -@@ -15,7 +15,8 @@ extern const struct file_operations efivarfs_file_operations; - extern const struct inode_operations efivarfs_dir_inode_operations; - extern bool efivarfs_valid_name(const char *str, int len); - extern struct inode *efivarfs_get_inode(struct super_block *sb, -- const struct inode *dir, int mode, dev_t dev); -+ const struct inode *dir, int mode, dev_t dev, -+ bool is_removable); - - extern struct list_head efivarfs_list; - -diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c -index 141aee31884f..5a3655f690d9 100644 ---- a/fs/efivarfs/super.c -+++ b/fs/efivarfs/super.c -@@ -128,8 +128,9 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - struct dentry *dentry, *root = sb->s_root; - unsigned long size = 0; - char *name; -- int len, i; -+ int len; - int err = -ENOMEM; -+ bool is_removable = false; - - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - if (!entry) -@@ -138,15 +139,17 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - memcpy(entry->var.VariableName, name16, name_size); - memcpy(&(entry->var.VendorGuid), &vendor, sizeof(efi_guid_t)); - -- len = ucs2_strlen(entry->var.VariableName); -+ len = ucs2_utf8size(entry->var.VariableName); - - /* name, plus '-', plus GUID, plus NUL*/ - name = kmalloc(len + 1 + EFI_VARIABLE_GUID_LEN + 1, GFP_KERNEL); - if (!name) - goto fail; - -- for (i = 0; i < len; i++) -- name[i] = entry->var.VariableName[i] & 0xFF; -+ ucs2_as_utf8(name, entry->var.VariableName, len); -+ -+ if (efivar_variable_is_removable(entry->var.VendorGuid, name, len)) -+ is_removable = true; - - name[len] = '-'; - -@@ -154,7 +157,8 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - - name[len + EFI_VARIABLE_GUID_LEN+1] = '\0'; - -- inode = efivarfs_get_inode(sb, root->d_inode, S_IFREG | 0644, 0); -+ inode = efivarfs_get_inode(sb, root->d_inode, S_IFREG | 0644, 0, -+ is_removable); - if (!inode) - goto fail_name; - -@@ -210,7 +214,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) - sb->s_d_op = &efivarfs_d_ops; - sb->s_time_gran = 1; - -- inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0); -+ inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0, true); - if (!inode) - return -ENOMEM; - inode->i_op = &efivarfs_dir_inode_operations; -diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h -index 2f38daaab3d7..d61c11170213 100644 ---- a/include/crypto/if_alg.h -+++ b/include/crypto/if_alg.h -@@ -30,8 +30,6 @@ struct alg_sock { - - struct sock *parent; - -- unsigned int refcnt; -- - const struct af_alg_type *type; - void *private; - }; -@@ -66,7 +64,6 @@ int af_alg_register_type(const struct af_alg_type *type); - int af_alg_unregister_type(const struct af_alg_type *type); - - int af_alg_release(struct socket *sock); --void af_alg_release_parent(struct sock *sk); - int af_alg_accept(struct sock *sk, struct socket *newsock); - - int af_alg_make_sg(struct af_alg_sgl *sgl, void __user *addr, int len, -@@ -83,6 +80,11 @@ static inline struct alg_sock *alg_sk(struct sock *sk) - return (struct alg_sock *)sk; - } - -+static inline void af_alg_release_parent(struct sock *sk) -+{ -+ sock_put(alg_sk(sk)->parent); -+} -+ - static inline void af_alg_init_completion(struct af_alg_completion *completion) - { - init_completion(&completion->completion); -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 2bc0ad78d058..63fa51c864ec 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -769,8 +769,10 @@ struct efivars { - * and we use a page for reading/writing. - */ - -+#define EFI_VAR_NAME_LEN 1024 -+ - struct efi_variable { -- efi_char16_t VariableName[1024/sizeof(efi_char16_t)]; -+ efi_char16_t VariableName[EFI_VAR_NAME_LEN/sizeof(efi_char16_t)]; - efi_guid_t VendorGuid; - unsigned long DataSize; - __u8 Data[1024]; -@@ -832,7 +834,10 @@ int efivar_entry_iter(int (*func)(struct efivar_entry *, void *), - struct efivar_entry *efivar_entry_find(efi_char16_t *name, efi_guid_t guid, - struct list_head *head, bool remove); - --bool efivar_validate(struct efi_variable *var, u8 *data, unsigned long len); -+bool efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data, -+ unsigned long data_size); -+bool efivar_variable_is_removable(efi_guid_t vendor, const char *name, -+ size_t len); - - extern struct work_struct efivar_work; - void efivar_run_worker(void); -diff --git a/include/linux/module.h b/include/linux/module.h -index 46f1ea01e6f6..761dc2848ffa 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -220,6 +220,12 @@ struct module_ref { - unsigned long decs; - } __attribute((aligned(2 * sizeof(unsigned long)))); - -+struct mod_kallsyms { -+ Elf_Sym *symtab; -+ unsigned int num_symtab; -+ char *strtab; -+}; -+ - struct module - { - enum module_state state; -@@ -308,14 +314,9 @@ struct module - #endif - - #ifdef CONFIG_KALLSYMS -- /* -- * We keep the symbol and string tables for kallsyms. -- * The core_* fields below are temporary, loader-only (they -- * could really be discarded after module init). -- */ -- Elf_Sym *symtab, *core_symtab; -- unsigned int num_symtab, core_num_syms; -- char *strtab, *core_strtab; -+ /* Protected by RCU and/or module_mutex: use rcu_dereference() */ -+ struct mod_kallsyms *kallsyms; -+ struct mod_kallsyms core_kallsyms; - - /* Section attributes */ - struct module_sect_attrs *sect_attrs; -diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h -index 0b2d0cbe0bab..36e5e9998865 100644 ---- a/include/linux/tracepoint.h -+++ b/include/linux/tracepoint.h -@@ -129,9 +129,6 @@ static inline void tracepoint_synchronize_unregister(void) - void *it_func; \ - void *__data; \ - \ -- if (!cpu_online(raw_smp_processor_id())) \ -- return; \ -- \ - if (!(cond)) \ - return; \ - prercu; \ -@@ -265,15 +262,19 @@ static inline void tracepoint_synchronize_unregister(void) - * "void *__data, proto" as the callback prototype. - */ - #define DECLARE_TRACE_NOARGS(name) \ -- __DECLARE_TRACE(name, void, , 1, void *__data, __data) -+ __DECLARE_TRACE(name, void, , \ -+ cpu_online(raw_smp_processor_id()), \ -+ void *__data, __data) - - #define DECLARE_TRACE(name, proto, args) \ -- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), 1, \ -- PARAMS(void *__data, proto), \ -- PARAMS(__data, args)) -+ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \ -+ cpu_online(raw_smp_processor_id()), \ -+ PARAMS(void *__data, proto), \ -+ PARAMS(__data, args)) - - #define DECLARE_TRACE_CONDITION(name, proto, args, cond) \ -- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), PARAMS(cond), \ -+ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \ -+ cpu_online(raw_smp_processor_id()) && (PARAMS(cond)), \ - PARAMS(void *__data, proto), \ - PARAMS(__data, args)) - -diff --git a/include/linux/ucs2_string.h b/include/linux/ucs2_string.h -index cbb20afdbc01..bb679b48f408 100644 ---- a/include/linux/ucs2_string.h -+++ b/include/linux/ucs2_string.h -@@ -11,4 +11,8 @@ unsigned long ucs2_strlen(const ucs2_char_t *s); - unsigned long ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength); - int ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len); - -+unsigned long ucs2_utf8size(const ucs2_char_t *src); -+unsigned long ucs2_as_utf8(u8 *dest, const ucs2_char_t *src, -+ unsigned long maxlength); -+ - #endif /* _LINUX_UCS2_STRING_H_ */ -diff --git a/kernel/module.c b/kernel/module.c -index 70a4754c001f..f8a4f48b48a9 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -179,6 +179,9 @@ struct load_info { - struct _ddebug *debug; - unsigned int num_debug; - bool sig_ok; -+#ifdef CONFIG_KALLSYMS -+ unsigned long mod_kallsyms_init_off; -+#endif - struct { - unsigned int sym, str, mod, vers, info, pcpu; - } index; -@@ -2346,8 +2349,20 @@ static void layout_symtab(struct module *mod, struct load_info *info) - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect, - info->index.str) | INIT_OFFSET_MASK; - pr_debug("\t%s\n", info->secstrings + strsect->sh_name); -+ -+ /* We'll tack temporary mod_kallsyms on the end. */ -+ mod->init_size = ALIGN(mod->init_size, -+ __alignof__(struct mod_kallsyms)); -+ info->mod_kallsyms_init_off = mod->init_size; -+ mod->init_size += sizeof(struct mod_kallsyms); -+ mod->init_size = debug_align(mod->init_size); - } - -+/* -+ * We use the full symtab and strtab which layout_symtab arranged to -+ * be appended to the init section. Later we switch to the cut-down -+ * core-only ones. -+ */ - static void add_kallsyms(struct module *mod, const struct load_info *info) - { - unsigned int i, ndst; -@@ -2356,28 +2371,33 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) - char *s; - Elf_Shdr *symsec = &info->sechdrs[info->index.sym]; - -- mod->symtab = (void *)symsec->sh_addr; -- mod->num_symtab = symsec->sh_size / sizeof(Elf_Sym); -+ /* Set up to point into init section. */ -+ mod->kallsyms = mod->module_init + info->mod_kallsyms_init_off; -+ -+ mod->kallsyms->symtab = (void *)symsec->sh_addr; -+ mod->kallsyms->num_symtab = symsec->sh_size / sizeof(Elf_Sym); - /* Make sure we get permanent strtab: don't use info->strtab. */ -- mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr; -+ mod->kallsyms->strtab = (void *)info->sechdrs[info->index.str].sh_addr; - - /* Set types up while we still have access to sections. */ -- for (i = 0; i < mod->num_symtab; i++) -- mod->symtab[i].st_info = elf_type(&mod->symtab[i], info); -- -- mod->core_symtab = dst = mod->module_core + info->symoffs; -- mod->core_strtab = s = mod->module_core + info->stroffs; -- src = mod->symtab; -- for (ndst = i = 0; i < mod->num_symtab; i++) { -+ for (i = 0; i < mod->kallsyms->num_symtab; i++) -+ mod->kallsyms->symtab[i].st_info -+ = elf_type(&mod->kallsyms->symtab[i], info); -+ -+ /* Now populate the cut down core kallsyms for after init. */ -+ mod->core_kallsyms.symtab = dst = mod->module_core + info->symoffs; -+ mod->core_kallsyms.strtab = s = mod->module_core + info->stroffs; -+ src = mod->kallsyms->symtab; -+ for (ndst = i = 0; i < mod->kallsyms->num_symtab; i++) { - if (i == 0 || - is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { - dst[ndst] = src[i]; -- dst[ndst++].st_name = s - mod->core_strtab; -- s += strlcpy(s, &mod->strtab[src[i].st_name], -+ dst[ndst++].st_name = s - mod->core_kallsyms.strtab; -+ s += strlcpy(s, &mod->kallsyms->strtab[src[i].st_name], - KSYM_NAME_LEN) + 1; - } - } -- mod->core_num_syms = ndst; -+ mod->core_kallsyms.num_symtab = ndst; - } - #else - static inline void layout_symtab(struct module *mod, struct load_info *info) -@@ -3117,9 +3137,8 @@ static int do_init_module(struct module *mod) - module_put(mod); - trim_init_extable(mod); - #ifdef CONFIG_KALLSYMS -- mod->num_symtab = mod->core_num_syms; -- mod->symtab = mod->core_symtab; -- mod->strtab = mod->core_strtab; -+ /* Switch to core kallsyms now init is done: kallsyms may be walking! */ -+ rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); - #endif - unset_module_init_ro_nx(mod); - module_free(mod, mod->module_init); -@@ -3398,9 +3417,9 @@ static inline int is_arm_mapping_symbol(const char *str) - && (str[2] == '\0' || str[2] == '.'); - } - --static const char *symname(struct module *mod, unsigned int symnum) -+static const char *symname(struct mod_kallsyms *kallsyms, unsigned int symnum) - { -- return mod->strtab + mod->symtab[symnum].st_name; -+ return kallsyms->strtab + kallsyms->symtab[symnum].st_name; - } - - static const char *get_ksymbol(struct module *mod, -@@ -3410,6 +3429,7 @@ static const char *get_ksymbol(struct module *mod, - { - unsigned int i, best = 0; - unsigned long nextval; -+ struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms); - - /* At worse, next value is at end of module */ - if (within_module_init(addr, mod)) -@@ -3419,32 +3439,32 @@ static const char *get_ksymbol(struct module *mod, - - /* Scan for closest preceding symbol, and next symbol. (ELF - starts real symbols at 1). */ -- for (i = 1; i < mod->num_symtab; i++) { -- if (mod->symtab[i].st_shndx == SHN_UNDEF) -+ for (i = 1; i < kallsyms->num_symtab; i++) { -+ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF) - continue; - - /* We ignore unnamed symbols: they're uninformative - * and inserted at a whim. */ -- if (*symname(mod, i) == '\0' -- || is_arm_mapping_symbol(symname(mod, i))) -+ if (*symname(kallsyms, i) == '\0' -+ || is_arm_mapping_symbol(symname(kallsyms, i))) - continue; - -- if (mod->symtab[i].st_value <= addr -- && mod->symtab[i].st_value > mod->symtab[best].st_value) -+ if (kallsyms->symtab[i].st_value <= addr -+ && kallsyms->symtab[i].st_value > kallsyms->symtab[best].st_value) - best = i; -- if (mod->symtab[i].st_value > addr -- && mod->symtab[i].st_value < nextval) -- nextval = mod->symtab[i].st_value; -+ if (kallsyms->symtab[i].st_value > addr -+ && kallsyms->symtab[i].st_value < nextval) -+ nextval = kallsyms->symtab[i].st_value; - } - - if (!best) - return NULL; - - if (size) -- *size = nextval - mod->symtab[best].st_value; -+ *size = nextval - kallsyms->symtab[best].st_value; - if (offset) -- *offset = addr - mod->symtab[best].st_value; -- return symname(mod, best); -+ *offset = addr - kallsyms->symtab[best].st_value; -+ return symname(kallsyms, best); - } - - /* For kallsyms to ask for address resolution. NULL means not found. Careful -@@ -3540,18 +3560,21 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, - - preempt_disable(); - list_for_each_entry_rcu(mod, &modules, list) { -+ struct mod_kallsyms *kallsyms; -+ - if (mod->state == MODULE_STATE_UNFORMED) - continue; -- if (symnum < mod->num_symtab) { -- *value = mod->symtab[symnum].st_value; -- *type = mod->symtab[symnum].st_info; -- strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); -+ kallsyms = rcu_dereference_sched(mod->kallsyms); -+ if (symnum < kallsyms->num_symtab) { -+ *value = kallsyms->symtab[symnum].st_value; -+ *type = kallsyms->symtab[symnum].st_info; -+ strlcpy(name, symname(kallsyms, symnum), KSYM_NAME_LEN); - strlcpy(module_name, mod->name, MODULE_NAME_LEN); - *exported = is_exported(name, *value, mod); - preempt_enable(); - return 0; - } -- symnum -= mod->num_symtab; -+ symnum -= kallsyms->num_symtab; - } - preempt_enable(); - return -ERANGE; -@@ -3560,11 +3583,12 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, - static unsigned long mod_find_symname(struct module *mod, const char *name) - { - unsigned int i; -+ struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms); - -- for (i = 0; i < mod->num_symtab; i++) -- if (strcmp(name, symname(mod, i)) == 0 && -- mod->symtab[i].st_info != 'U') -- return mod->symtab[i].st_value; -+ for (i = 0; i < kallsyms->num_symtab; i++) -+ if (strcmp(name, symname(kallsyms, i)) == 0 && -+ kallsyms->symtab[i].st_info != 'U') -+ return kallsyms->symtab[i].st_value; - return 0; - } - -@@ -3603,11 +3627,14 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, - int ret; - - list_for_each_entry(mod, &modules, list) { -+ /* We hold module_mutex: no need for rcu_dereference_sched */ -+ struct mod_kallsyms *kallsyms = mod->kallsyms; -+ - if (mod->state == MODULE_STATE_UNFORMED) - continue; -- for (i = 0; i < mod->num_symtab; i++) { -- ret = fn(data, symname(mod, i), -- mod, mod->symtab[i].st_value); -+ for (i = 0; i < kallsyms->num_symtab; i++) { -+ ret = fn(data, symname(kallsyms, i), -+ mod, kallsyms->symtab[i].st_value); - if (ret != 0) - return ret; - } -diff --git a/lib/ucs2_string.c b/lib/ucs2_string.c -index 6f500ef2301d..f0b323abb4c6 100644 ---- a/lib/ucs2_string.c -+++ b/lib/ucs2_string.c -@@ -49,3 +49,65 @@ ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len) - } - } - EXPORT_SYMBOL(ucs2_strncmp); -+ -+unsigned long -+ucs2_utf8size(const ucs2_char_t *src) -+{ -+ unsigned long i; -+ unsigned long j = 0; -+ -+ for (i = 0; i < ucs2_strlen(src); i++) { -+ u16 c = src[i]; -+ -+ if (c >= 0x800) -+ j += 3; -+ else if (c >= 0x80) -+ j += 2; -+ else -+ j += 1; -+ } -+ -+ return j; -+} -+EXPORT_SYMBOL(ucs2_utf8size); -+ -+/* -+ * copy at most maxlength bytes of whole utf8 characters to dest from the -+ * ucs2 string src. -+ * -+ * The return value is the number of characters copied, not including the -+ * final NUL character. -+ */ -+unsigned long -+ucs2_as_utf8(u8 *dest, const ucs2_char_t *src, unsigned long maxlength) -+{ -+ unsigned int i; -+ unsigned long j = 0; -+ unsigned long limit = ucs2_strnlen(src, maxlength); -+ -+ for (i = 0; maxlength && i < limit; i++) { -+ u16 c = src[i]; -+ -+ if (c >= 0x800) { -+ if (maxlength < 3) -+ break; -+ maxlength -= 3; -+ dest[j++] = 0xe0 | (c & 0xf000) >> 12; -+ dest[j++] = 0x80 | (c & 0x0fc0) >> 6; -+ dest[j++] = 0x80 | (c & 0x003f); -+ } else if (c >= 0x80) { -+ if (maxlength < 2) -+ break; -+ maxlength -= 2; -+ dest[j++] = 0xc0 | (c & 0x7c0) >> 6; -+ dest[j++] = 0x80 | (c & 0x03f); -+ } else { -+ maxlength -= 1; -+ dest[j++] = c & 0x7f; -+ } -+ } -+ if (maxlength) -+ dest[j] = '\0'; -+ return j; -+} -+EXPORT_SYMBOL(ucs2_as_utf8); -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c -index 31bf2586fb84..864408026202 100644 ---- a/net/mac80211/agg-rx.c -+++ b/net/mac80211/agg-rx.c -@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local, - } - - /* prepare A-MPDU MLME for Rx aggregation */ -- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL); -+ tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL); - if (!tid_agg_rx) - goto end; - -diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c -index f3bbea1eb9e7..13f10aab9213 100644 ---- a/net/mac80211/rc80211_minstrel_ht.c -+++ b/net/mac80211/rc80211_minstrel_ht.c -@@ -454,7 +454,7 @@ minstrel_aggr_check(struct ieee80211_sta *pubsta, struct sk_buff *skb) - if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO) - return; - -- ieee80211_start_tx_ba_session(pubsta, tid, 5000); -+ ieee80211_start_tx_ba_session(pubsta, tid, 0); - } - - static void -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index c8717c1d082e..87dd619fb2e9 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = { - - /* IW event code */ - -+static void wireless_nlevent_flush(void) -+{ -+ struct sk_buff *skb; -+ struct net *net; -+ -+ ASSERT_RTNL(); -+ -+ for_each_net(net) { -+ while ((skb = skb_dequeue(&net->wext_nlevents))) -+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -+ GFP_KERNEL); -+ } -+} -+ -+static int wext_netdev_notifier_call(struct notifier_block *nb, -+ unsigned long state, void *ptr) -+{ -+ /* -+ * When a netdev changes state in any way, flush all pending messages -+ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after -+ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() -+ * or similar - all of which could otherwise happen due to delays from -+ * schedule_work(). -+ */ -+ wireless_nlevent_flush(); -+ -+ return NOTIFY_OK; -+} -+ -+static struct notifier_block wext_netdev_notifier = { -+ .notifier_call = wext_netdev_notifier_call, -+}; -+ - static int __net_init wext_pernet_init(struct net *net) - { - skb_queue_head_init(&net->wext_nlevents); -@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = { - - static int __init wireless_nlevent_init(void) - { -- return register_pernet_subsys(&wext_pernet_ops); -+ int err = register_pernet_subsys(&wext_pernet_ops); -+ -+ if (err) -+ return err; -+ -+ return register_netdevice_notifier(&wext_netdev_notifier); - } - - subsys_initcall(wireless_nlevent_init); -@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init); - /* Process events generated by the wireless layer or the driver. */ - static void wireless_nlevent_process(struct work_struct *work) - { -- struct sk_buff *skb; -- struct net *net; -- - rtnl_lock(); -- -- for_each_net(net) { -- while ((skb = skb_dequeue(&net->wext_nlevents))) -- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -- GFP_KERNEL); -- } -- -+ wireless_nlevent_flush(); - rtnl_unlock(); - } - -diff --git a/sound/soc/codecs/wm8958-dsp2.c b/sound/soc/codecs/wm8958-dsp2.c -index 754f88e1fdab..4892966fc1b8 100644 ---- a/sound/soc/codecs/wm8958-dsp2.c -+++ b/sound/soc/codecs/wm8958-dsp2.c -@@ -459,7 +459,7 @@ static int wm8958_put_mbc_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -@@ -549,7 +549,7 @@ static int wm8958_put_vss_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -@@ -582,7 +582,7 @@ static int wm8958_put_vss_hpf_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -@@ -749,7 +749,7 @@ static int wm8958_put_enh_eq_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c -index 6e746c7474bf..cda3cf23474b 100644 ---- a/sound/soc/codecs/wm8994.c -+++ b/sound/soc/codecs/wm8994.c -@@ -361,7 +361,7 @@ static int wm8994_put_drc_enum(struct snd_kcontrol *kcontrol, - struct wm8994 *control = wm8994->wm8994; - struct wm8994_pdata *pdata = &control->pdata; - int drc = wm8994_get_drc(kcontrol->id.name); -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - - if (drc < 0) - return drc; -@@ -468,7 +468,7 @@ static int wm8994_put_retune_mobile_enum(struct snd_kcontrol *kcontrol, - struct wm8994 *control = wm8994->wm8994; - struct wm8994_pdata *pdata = &control->pdata; - int block = wm8994_get_retune_mobile_block(kcontrol->id.name); -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - - if (block < 0) - return block; -diff --git a/tools/testing/selftests/efivarfs/efivarfs.sh b/tools/testing/selftests/efivarfs/efivarfs.sh -index 77edcdcc016b..057278448515 100644 ---- a/tools/testing/selftests/efivarfs/efivarfs.sh -+++ b/tools/testing/selftests/efivarfs/efivarfs.sh -@@ -88,7 +88,11 @@ test_delete() - exit 1 - fi - -- rm $file -+ rm $file 2>/dev/null -+ if [ $? -ne 0 ]; then -+ chattr -i $file -+ rm $file -+ fi - - if [ -e $file ]; then - echo "$file couldn't be deleted" >&2 -@@ -111,6 +115,7 @@ test_zero_size_delete() - exit 1 - fi - -+ chattr -i $file - printf "$attrs" > $file - - if [ -e $file ]; then -@@ -141,7 +146,11 @@ test_valid_filenames() - echo "$file could not be created" >&2 - ret=1 - else -- rm $file -+ rm $file 2>/dev/null -+ if [ $? -ne 0 ]; then -+ chattr -i $file -+ rm $file -+ fi - fi - done - -@@ -174,7 +183,11 @@ test_invalid_filenames() - - if [ -e $file ]; then - echo "Creating $file should have failed" >&2 -- rm $file -+ rm $file 2>/dev/null -+ if [ $? -ne 0 ]; then -+ chattr -i $file -+ rm $file -+ fi - ret=1 - fi - done -diff --git a/tools/testing/selftests/efivarfs/open-unlink.c b/tools/testing/selftests/efivarfs/open-unlink.c -index 8c0764407b3c..4af74f733036 100644 ---- a/tools/testing/selftests/efivarfs/open-unlink.c -+++ b/tools/testing/selftests/efivarfs/open-unlink.c -@@ -1,10 +1,68 @@ -+#include - #include - #include - #include - #include -+#include - #include - #include - #include -+#include -+ -+static int set_immutable(const char *path, int immutable) -+{ -+ unsigned int flags; -+ int fd; -+ int rc; -+ int error; -+ -+ fd = open(path, O_RDONLY); -+ if (fd < 0) -+ return fd; -+ -+ rc = ioctl(fd, FS_IOC_GETFLAGS, &flags); -+ if (rc < 0) { -+ error = errno; -+ close(fd); -+ errno = error; -+ return rc; -+ } -+ -+ if (immutable) -+ flags |= FS_IMMUTABLE_FL; -+ else -+ flags &= ~FS_IMMUTABLE_FL; -+ -+ rc = ioctl(fd, FS_IOC_SETFLAGS, &flags); -+ error = errno; -+ close(fd); -+ errno = error; -+ return rc; -+} -+ -+static int get_immutable(const char *path) -+{ -+ unsigned int flags; -+ int fd; -+ int rc; -+ int error; -+ -+ fd = open(path, O_RDONLY); -+ if (fd < 0) -+ return fd; -+ -+ rc = ioctl(fd, FS_IOC_GETFLAGS, &flags); -+ if (rc < 0) { -+ error = errno; -+ close(fd); -+ errno = error; -+ return rc; -+ } -+ close(fd); -+ if (flags & FS_IMMUTABLE_FL) -+ return 1; -+ return 0; -+} - - int main(int argc, char **argv) - { -@@ -27,7 +85,7 @@ int main(int argc, char **argv) - buf[4] = 0; - - /* create a test variable */ -- fd = open(path, O_WRONLY | O_CREAT); -+ fd = open(path, O_WRONLY | O_CREAT, 0600); - if (fd < 0) { - perror("open(O_WRONLY)"); - return EXIT_FAILURE; -@@ -41,6 +99,18 @@ int main(int argc, char **argv) - - close(fd); - -+ rc = get_immutable(path); -+ if (rc < 0) { -+ perror("ioctl(FS_IOC_GETFLAGS)"); -+ return EXIT_FAILURE; -+ } else if (rc) { -+ rc = set_immutable(path, 0); -+ if (rc < 0) { -+ perror("ioctl(FS_IOC_SETFLAGS)"); -+ return EXIT_FAILURE; -+ } -+ } -+ - fd = open(path, O_RDONLY); - if (fd < 0) { - perror("open"); diff --git a/patch/kernel/odroidc1-default/2-patch-3.10.101-102.patch b/patch/kernel/odroidc1-default/2-patch-3.10.101-102.patch deleted file mode 100644 index af1472cd2..000000000 --- a/patch/kernel/odroidc1-default/2-patch-3.10.101-102.patch +++ /dev/null @@ -1,4381 +0,0 @@ -diff --git a/MAINTAINERS b/MAINTAINERS -index 48c748080c96..29d7d74a8d04 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -3032,8 +3032,8 @@ F: Documentation/x86/efi-stub.txt - F: arch/ia64/kernel/efi.c - F: arch/x86/boot/compressed/eboot.[ch] - F: arch/x86/include/asm/efi.h --F: arch/x86/platform/efi/* --F: drivers/firmware/efi/* -+F: arch/x86/platform/efi/ -+F: drivers/firmware/efi/ - F: include/linux/efi*.h - - EFI VARIABLE FILESYSTEM -diff --git a/Makefile b/Makefile -index 4be9e643cef0..868093c16ae0 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 101 -+SUBLEVEL = 102 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arm/mach-omap2/cpuidle34xx.c b/arch/arm/mach-omap2/cpuidle34xx.c -index e18709d3b95d..38e1bdcaf015 100644 ---- a/arch/arm/mach-omap2/cpuidle34xx.c -+++ b/arch/arm/mach-omap2/cpuidle34xx.c -@@ -34,6 +34,7 @@ - #include "pm.h" - #include "control.h" - #include "common.h" -+#include "soc.h" - - /* Mach specific information to be recorded in the C-state driver_data */ - struct omap3_idle_statedata { -@@ -322,6 +323,69 @@ static struct cpuidle_driver omap3_idle_driver = { - .safe_state_index = 0, - }; - -+/* -+ * Numbers based on measurements made in October 2009 for PM optimized kernel -+ * with CPU freq enabled on device Nokia N900. Assumes OPP2 (main idle OPP, -+ * and worst case latencies). -+ */ -+static struct cpuidle_driver omap3430_idle_driver = { -+ .name = "omap3430_idle", -+ .owner = THIS_MODULE, -+ .states = { -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 110 + 162, -+ .target_residency = 5, -+ .name = "C1", -+ .desc = "MPU ON + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 106 + 180, -+ .target_residency = 309, -+ .name = "C2", -+ .desc = "MPU ON + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 107 + 410, -+ .target_residency = 46057, -+ .name = "C3", -+ .desc = "MPU RET + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 121 + 3374, -+ .target_residency = 46057, -+ .name = "C4", -+ .desc = "MPU OFF + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 855 + 1146, -+ .target_residency = 46057, -+ .name = "C5", -+ .desc = "MPU RET + CORE RET", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 7580 + 4134, -+ .target_residency = 484329, -+ .name = "C6", -+ .desc = "MPU OFF + CORE RET", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 7505 + 15274, -+ .target_residency = 484329, -+ .name = "C7", -+ .desc = "MPU OFF + CORE OFF", -+ }, -+ }, -+ .state_count = ARRAY_SIZE(omap3_idle_data), -+ .safe_state_index = 0, -+}; -+ - /* Public functions */ - - /** -@@ -340,5 +404,8 @@ int __init omap3_idle_init(void) - if (!mpu_pd || !core_pd || !per_pd || !cam_pd) - return -ENODEV; - -- return cpuidle_register(&omap3_idle_driver, NULL); -+ if (cpu_is_omap3430()) -+ return cpuidle_register(&omap3430_idle_driver, NULL); -+ else -+ return cpuidle_register(&omap3_idle_driver, NULL); - } -diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S -index d1dedc8195ed..eafd120b53f1 100644 ---- a/arch/arm/mach-omap2/sleep34xx.S -+++ b/arch/arm/mach-omap2/sleep34xx.S -@@ -203,23 +203,8 @@ save_context_wfi: - */ - ldr r1, kernel_flush - blx r1 -- /* -- * The kernel doesn't interwork: v7_flush_dcache_all in particluar will -- * always return in Thumb state when CONFIG_THUMB2_KERNEL is enabled. -- * This sequence switches back to ARM. Note that .align may insert a -- * nop: bx pc needs to be word-aligned in order to work. -- */ -- THUMB( .thumb ) -- THUMB( .align ) -- THUMB( bx pc ) -- THUMB( nop ) -- .arm -- - b omap3_do_wfi -- --/* -- * Local variables -- */ -+ENDPROC(omap34xx_cpu_suspend) - omap3_do_wfi_sram_addr: - .word omap3_do_wfi_sram - kernel_flush: -@@ -364,10 +349,7 @@ exit_nonoff_modes: - * =================================== - */ - ldmfd sp!, {r4 - r11, pc} @ restore regs and return -- --/* -- * Local variables -- */ -+ENDPROC(omap3_do_wfi) - sdrc_power: - .word SDRC_POWER_V - cm_idlest1_core: -diff --git a/arch/arm/mach-socfpga/headsmp.S b/arch/arm/mach-socfpga/headsmp.S -index 9004bfb1756e..a6f5519072cc 100644 ---- a/arch/arm/mach-socfpga/headsmp.S -+++ b/arch/arm/mach-socfpga/headsmp.S -@@ -12,6 +12,7 @@ - - __CPUINIT - .arch armv7-a -+ .arm - - ENTRY(secondary_trampoline) - movw r2, #:lower16:cpu1start_addr -diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c -index 568b2c61ea02..3cad8aadc69e 100644 ---- a/arch/parisc/kernel/parisc_ksyms.c -+++ b/arch/parisc/kernel/parisc_ksyms.c -@@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64); - EXPORT_SYMBOL(lclear_user); - EXPORT_SYMBOL(lstrnlen_user); - --/* Global fixups */ --extern void fixup_get_user_skip_1(void); --extern void fixup_get_user_skip_2(void); --extern void fixup_put_user_skip_1(void); --extern void fixup_put_user_skip_2(void); -+/* Global fixups - defined as int to avoid creation of function pointers */ -+extern int fixup_get_user_skip_1; -+extern int fixup_get_user_skip_2; -+extern int fixup_put_user_skip_1; -+extern int fixup_put_user_skip_2; - EXPORT_SYMBOL(fixup_get_user_skip_1); - EXPORT_SYMBOL(fixup_get_user_skip_2); - EXPORT_SYMBOL(fixup_put_user_skip_1); -diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index b3f87a3b4bce..0c329b2c5df4 100644 ---- a/arch/parisc/kernel/traps.c -+++ b/arch/parisc/kernel/traps.c -@@ -811,6 +811,9 @@ void notrace handle_interruption(int code, struct pt_regs *regs) - - if (fault_space == 0 && !in_atomic()) - { -+ /* Clean up and return if in exception table. */ -+ if (fixup_exception(regs)) -+ return; - pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC); - parisc_terminate("Kernel Fault", regs, code, fault_address); - } -diff --git a/arch/powerpc/include/uapi/asm/cputable.h b/arch/powerpc/include/uapi/asm/cputable.h -index de2c0e4ee1aa..67de80a8e178 100644 ---- a/arch/powerpc/include/uapi/asm/cputable.h -+++ b/arch/powerpc/include/uapi/asm/cputable.h -@@ -31,6 +31,7 @@ - #define PPC_FEATURE_PSERIES_PERFMON_COMPAT \ - 0x00000040 - -+/* Reserved - do not use 0x00000004 */ - #define PPC_FEATURE_TRUE_LE 0x00000002 - #define PPC_FEATURE_PPC_LE 0x00000001 - -diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c -index 8b6f7a99cce2..e8c45b7438e7 100644 ---- a/arch/powerpc/kernel/prom.c -+++ b/arch/powerpc/kernel/prom.c -@@ -159,7 +159,7 @@ static struct ibm_pa_feature { - {CPU_FTR_NOEXECUTE, 0, 0, 0, 6, 0}, - {CPU_FTR_NODSISRALIGN, 0, 0, 1, 1, 1}, - {0, MMU_FTR_CI_LARGE_PAGE, 0, 1, 2, 0}, -- {CPU_FTR_REAL_LE, PPC_FEATURE_TRUE_LE, 5, 0, 0}, -+ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 5, 0, 0}, - }; - - static void __init scan_features(unsigned long node, unsigned char *ftrs, -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 98b68c2f1a1c..b76c1bf6125d 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -59,7 +59,7 @@ - (~(unsigned long)(X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE\ - | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE \ - | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_PCIDE \ -- | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_RDWRGSFS \ -+ | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \ - | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE)) - - #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR) -diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h -index 125f344f06a9..8ac93f05a8ea 100644 ---- a/arch/x86/include/asm/xen/hypervisor.h -+++ b/arch/x86/include/asm/xen/hypervisor.h -@@ -71,4 +71,6 @@ static inline bool xen_x2apic_para_available(void) - } - #endif - -+extern void xen_set_iopl_mask(unsigned mask); -+ - #endif /* _ASM_X86_XEN_HYPERVISOR_H */ -diff --git a/arch/x86/include/uapi/asm/processor-flags.h b/arch/x86/include/uapi/asm/processor-flags.h -index b16e6d28f149..180a0c3c224d 100644 ---- a/arch/x86/include/uapi/asm/processor-flags.h -+++ b/arch/x86/include/uapi/asm/processor-flags.h -@@ -2,75 +2,129 @@ - #define _UAPI_ASM_X86_PROCESSOR_FLAGS_H - /* Various flags defined: can be included from assembler. */ - -+#include -+ - /* - * EFLAGS bits - */ --#define X86_EFLAGS_CF 0x00000001 /* Carry Flag */ --#define X86_EFLAGS_FIXED 0x00000002 /* Bit 1 - always on */ --#define X86_EFLAGS_PF 0x00000004 /* Parity Flag */ --#define X86_EFLAGS_AF 0x00000010 /* Auxiliary carry Flag */ --#define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */ --#define X86_EFLAGS_SF 0x00000080 /* Sign Flag */ --#define X86_EFLAGS_TF 0x00000100 /* Trap Flag */ --#define X86_EFLAGS_IF 0x00000200 /* Interrupt Flag */ --#define X86_EFLAGS_DF 0x00000400 /* Direction Flag */ --#define X86_EFLAGS_OF 0x00000800 /* Overflow Flag */ --#define X86_EFLAGS_IOPL 0x00003000 /* IOPL mask */ --#define X86_EFLAGS_NT 0x00004000 /* Nested Task */ --#define X86_EFLAGS_RF 0x00010000 /* Resume Flag */ --#define X86_EFLAGS_VM 0x00020000 /* Virtual Mode */ --#define X86_EFLAGS_AC 0x00040000 /* Alignment Check */ --#define X86_EFLAGS_VIF 0x00080000 /* Virtual Interrupt Flag */ --#define X86_EFLAGS_VIP 0x00100000 /* Virtual Interrupt Pending */ --#define X86_EFLAGS_ID 0x00200000 /* CPUID detection flag */ -+#define X86_EFLAGS_CF_BIT 0 /* Carry Flag */ -+#define X86_EFLAGS_CF _BITUL(X86_EFLAGS_CF_BIT) -+#define X86_EFLAGS_FIXED_BIT 1 /* Bit 1 - always on */ -+#define X86_EFLAGS_FIXED _BITUL(X86_EFLAGS_FIXED_BIT) -+#define X86_EFLAGS_PF_BIT 2 /* Parity Flag */ -+#define X86_EFLAGS_PF _BITUL(X86_EFLAGS_PF_BIT) -+#define X86_EFLAGS_AF_BIT 4 /* Auxiliary carry Flag */ -+#define X86_EFLAGS_AF _BITUL(X86_EFLAGS_AF_BIT) -+#define X86_EFLAGS_ZF_BIT 6 /* Zero Flag */ -+#define X86_EFLAGS_ZF _BITUL(X86_EFLAGS_ZF_BIT) -+#define X86_EFLAGS_SF_BIT 7 /* Sign Flag */ -+#define X86_EFLAGS_SF _BITUL(X86_EFLAGS_SF_BIT) -+#define X86_EFLAGS_TF_BIT 8 /* Trap Flag */ -+#define X86_EFLAGS_TF _BITUL(X86_EFLAGS_TF_BIT) -+#define X86_EFLAGS_IF_BIT 9 /* Interrupt Flag */ -+#define X86_EFLAGS_IF _BITUL(X86_EFLAGS_IF_BIT) -+#define X86_EFLAGS_DF_BIT 10 /* Direction Flag */ -+#define X86_EFLAGS_DF _BITUL(X86_EFLAGS_DF_BIT) -+#define X86_EFLAGS_OF_BIT 11 /* Overflow Flag */ -+#define X86_EFLAGS_OF _BITUL(X86_EFLAGS_OF_BIT) -+#define X86_EFLAGS_IOPL_BIT 12 /* I/O Privilege Level (2 bits) */ -+#define X86_EFLAGS_IOPL (_AC(3,UL) << X86_EFLAGS_IOPL_BIT) -+#define X86_EFLAGS_NT_BIT 14 /* Nested Task */ -+#define X86_EFLAGS_NT _BITUL(X86_EFLAGS_NT_BIT) -+#define X86_EFLAGS_RF_BIT 16 /* Resume Flag */ -+#define X86_EFLAGS_RF _BITUL(X86_EFLAGS_RF_BIT) -+#define X86_EFLAGS_VM_BIT 17 /* Virtual Mode */ -+#define X86_EFLAGS_VM _BITUL(X86_EFLAGS_VM_BIT) -+#define X86_EFLAGS_AC_BIT 18 /* Alignment Check/Access Control */ -+#define X86_EFLAGS_AC _BITUL(X86_EFLAGS_AC_BIT) -+#define X86_EFLAGS_AC_BIT 18 /* Alignment Check/Access Control */ -+#define X86_EFLAGS_AC _BITUL(X86_EFLAGS_AC_BIT) -+#define X86_EFLAGS_VIF_BIT 19 /* Virtual Interrupt Flag */ -+#define X86_EFLAGS_VIF _BITUL(X86_EFLAGS_VIF_BIT) -+#define X86_EFLAGS_VIP_BIT 20 /* Virtual Interrupt Pending */ -+#define X86_EFLAGS_VIP _BITUL(X86_EFLAGS_VIP_BIT) -+#define X86_EFLAGS_ID_BIT 21 /* CPUID detection */ -+#define X86_EFLAGS_ID _BITUL(X86_EFLAGS_ID_BIT) - - /* - * Basic CPU control in CR0 - */ --#define X86_CR0_PE 0x00000001 /* Protection Enable */ --#define X86_CR0_MP 0x00000002 /* Monitor Coprocessor */ --#define X86_CR0_EM 0x00000004 /* Emulation */ --#define X86_CR0_TS 0x00000008 /* Task Switched */ --#define X86_CR0_ET 0x00000010 /* Extension Type */ --#define X86_CR0_NE 0x00000020 /* Numeric Error */ --#define X86_CR0_WP 0x00010000 /* Write Protect */ --#define X86_CR0_AM 0x00040000 /* Alignment Mask */ --#define X86_CR0_NW 0x20000000 /* Not Write-through */ --#define X86_CR0_CD 0x40000000 /* Cache Disable */ --#define X86_CR0_PG 0x80000000 /* Paging */ -+#define X86_CR0_PE_BIT 0 /* Protection Enable */ -+#define X86_CR0_PE _BITUL(X86_CR0_PE_BIT) -+#define X86_CR0_MP_BIT 1 /* Monitor Coprocessor */ -+#define X86_CR0_MP _BITUL(X86_CR0_MP_BIT) -+#define X86_CR0_EM_BIT 2 /* Emulation */ -+#define X86_CR0_EM _BITUL(X86_CR0_EM_BIT) -+#define X86_CR0_TS_BIT 3 /* Task Switched */ -+#define X86_CR0_TS _BITUL(X86_CR0_TS_BIT) -+#define X86_CR0_ET_BIT 4 /* Extension Type */ -+#define X86_CR0_ET _BITUL(X86_CR0_ET_BIT) -+#define X86_CR0_NE_BIT 5 /* Numeric Error */ -+#define X86_CR0_NE _BITUL(X86_CR0_NE_BIT) -+#define X86_CR0_WP_BIT 16 /* Write Protect */ -+#define X86_CR0_WP _BITUL(X86_CR0_WP_BIT) -+#define X86_CR0_AM_BIT 18 /* Alignment Mask */ -+#define X86_CR0_AM _BITUL(X86_CR0_AM_BIT) -+#define X86_CR0_NW_BIT 29 /* Not Write-through */ -+#define X86_CR0_NW _BITUL(X86_CR0_NW_BIT) -+#define X86_CR0_CD_BIT 30 /* Cache Disable */ -+#define X86_CR0_CD _BITUL(X86_CR0_CD_BIT) -+#define X86_CR0_PG_BIT 31 /* Paging */ -+#define X86_CR0_PG _BITUL(X86_CR0_PG_BIT) - - /* - * Paging options in CR3 - */ --#define X86_CR3_PWT 0x00000008 /* Page Write Through */ --#define X86_CR3_PCD 0x00000010 /* Page Cache Disable */ --#define X86_CR3_PCID_MASK 0x00000fff /* PCID Mask */ -+#define X86_CR3_PWT_BIT 3 /* Page Write Through */ -+#define X86_CR3_PWT _BITUL(X86_CR3_PWT_BIT) -+#define X86_CR3_PCD_BIT 4 /* Page Cache Disable */ -+#define X86_CR3_PCD _BITUL(X86_CR3_PCD_BIT) -+#define X86_CR3_PCID_MASK _AC(0x00000fff,UL) /* PCID Mask */ - - /* - * Intel CPU features in CR4 - */ --#define X86_CR4_VME 0x00000001 /* enable vm86 extensions */ --#define X86_CR4_PVI 0x00000002 /* virtual interrupts flag enable */ --#define X86_CR4_TSD 0x00000004 /* disable time stamp at ipl 3 */ --#define X86_CR4_DE 0x00000008 /* enable debugging extensions */ --#define X86_CR4_PSE 0x00000010 /* enable page size extensions */ --#define X86_CR4_PAE 0x00000020 /* enable physical address extensions */ --#define X86_CR4_MCE 0x00000040 /* Machine check enable */ --#define X86_CR4_PGE 0x00000080 /* enable global pages */ --#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */ --#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */ --#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */ --#define X86_CR4_VMXE 0x00002000 /* enable VMX virtualization */ --#define X86_CR4_RDWRGSFS 0x00010000 /* enable RDWRGSFS support */ --#define X86_CR4_PCIDE 0x00020000 /* enable PCID support */ --#define X86_CR4_OSXSAVE 0x00040000 /* enable xsave and xrestore */ --#define X86_CR4_SMEP 0x00100000 /* enable SMEP support */ --#define X86_CR4_SMAP 0x00200000 /* enable SMAP support */ -+#define X86_CR4_VME_BIT 0 /* enable vm86 extensions */ -+#define X86_CR4_VME _BITUL(X86_CR4_VME_BIT) -+#define X86_CR4_PVI_BIT 1 /* virtual interrupts flag enable */ -+#define X86_CR4_PVI _BITUL(X86_CR4_PVI_BIT) -+#define X86_CR4_TSD_BIT 2 /* disable time stamp at ipl 3 */ -+#define X86_CR4_TSD _BITUL(X86_CR4_TSD_BIT) -+#define X86_CR4_DE_BIT 3 /* enable debugging extensions */ -+#define X86_CR4_DE _BITUL(X86_CR4_DE_BIT) -+#define X86_CR4_PSE_BIT 4 /* enable page size extensions */ -+#define X86_CR4_PSE _BITUL(X86_CR4_PSE_BIT) -+#define X86_CR4_PAE_BIT 5 /* enable physical address extensions */ -+#define X86_CR4_PAE _BITUL(X86_CR4_PAE_BIT) -+#define X86_CR4_MCE_BIT 6 /* Machine check enable */ -+#define X86_CR4_MCE _BITUL(X86_CR4_MCE_BIT) -+#define X86_CR4_PGE_BIT 7 /* enable global pages */ -+#define X86_CR4_PGE _BITUL(X86_CR4_PGE_BIT) -+#define X86_CR4_PCE_BIT 8 /* enable performance counters at ipl 3 */ -+#define X86_CR4_PCE _BITUL(X86_CR4_PCE_BIT) -+#define X86_CR4_OSFXSR_BIT 9 /* enable fast FPU save and restore */ -+#define X86_CR4_OSFXSR _BITUL(X86_CR4_OSFXSR_BIT) -+#define X86_CR4_OSXMMEXCPT_BIT 10 /* enable unmasked SSE exceptions */ -+#define X86_CR4_OSXMMEXCPT _BITUL(X86_CR4_OSXMMEXCPT_BIT) -+#define X86_CR4_VMXE_BIT 13 /* enable VMX virtualization */ -+#define X86_CR4_VMXE _BITUL(X86_CR4_VMXE_BIT) -+#define X86_CR4_SMXE_BIT 14 /* enable safer mode (TXT) */ -+#define X86_CR4_SMXE _BITUL(X86_CR4_SMXE_BIT) -+#define X86_CR4_FSGSBASE_BIT 16 /* enable RDWRFSGS support */ -+#define X86_CR4_FSGSBASE _BITUL(X86_CR4_FSGSBASE_BIT) -+#define X86_CR4_PCIDE_BIT 17 /* enable PCID support */ -+#define X86_CR4_PCIDE _BITUL(X86_CR4_PCIDE_BIT) -+#define X86_CR4_OSXSAVE_BIT 18 /* enable xsave and xrestore */ -+#define X86_CR4_OSXSAVE _BITUL(X86_CR4_OSXSAVE_BIT) -+#define X86_CR4_SMEP_BIT 20 /* enable SMEP support */ -+#define X86_CR4_SMEP _BITUL(X86_CR4_SMEP_BIT) -+#define X86_CR4_SMAP_BIT 21 /* enable SMAP support */ -+#define X86_CR4_SMAP _BITUL(X86_CR4_SMAP_BIT) - - /* - * x86-64 Task Priority Register, CR8 - */ --#define X86_CR8_TPR 0x0000000F /* task priority register */ -+#define X86_CR8_TPR _AC(0x0000000f,UL) /* task priority register */ - - /* - * AMD and Transmeta use MSRs for configuration; see -diff --git a/arch/x86/kernel/cpu/perf_event.h b/arch/x86/kernel/cpu/perf_event.h -index ba9aadfa683b..5fd0bbe1aeb0 100644 ---- a/arch/x86/kernel/cpu/perf_event.h -+++ b/arch/x86/kernel/cpu/perf_event.h -@@ -665,6 +665,8 @@ void intel_pmu_lbr_init_atom(void); - - void intel_pmu_lbr_init_snb(void); - -+void intel_pmu_pebs_data_source_nhm(void); -+ - int intel_pmu_setup_lbr_filter(struct perf_event *event); - - int p4_pmu_init(void); -diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c -index 6d6bb6f4fd43..ac057583282a 100644 ---- a/arch/x86/kernel/cpu/perf_event_intel.c -+++ b/arch/x86/kernel/cpu/perf_event_intel.c -@@ -2088,6 +2088,7 @@ __init int intel_pmu_init(void) - intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = - X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1); - -+ intel_pmu_pebs_data_source_nhm(); - x86_add_quirk(intel_nehalem_quirk); - - pr_cont("Nehalem events, "); -@@ -2133,6 +2134,7 @@ __init int intel_pmu_init(void) - intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = - X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1); - -+ intel_pmu_pebs_data_source_nhm(); - pr_cont("Westmere events, "); - break; - -diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c -index 60250f687052..17b090a298b4 100644 ---- a/arch/x86/kernel/cpu/perf_event_intel_ds.c -+++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c -@@ -50,7 +50,8 @@ union intel_x86_pebs_dse { - #define OP_LH (P(OP, LOAD) | P(LVL, HIT)) - #define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS)) - --static const u64 pebs_data_source[] = { -+/* Version for Sandy Bridge and later */ -+static u64 pebs_data_source[] = { - P(OP, LOAD) | P(LVL, MISS) | P(LVL, L3) | P(SNOOP, NA),/* 0x00:ukn L3 */ - OP_LH | P(LVL, L1) | P(SNOOP, NONE), /* 0x01: L1 local */ - OP_LH | P(LVL, LFB) | P(SNOOP, NONE), /* 0x02: LFB hit */ -@@ -69,6 +70,14 @@ static const u64 pebs_data_source[] = { - OP_LH | P(LVL, UNC) | P(SNOOP, NONE), /* 0x0f: uncached */ - }; - -+/* Patch up minor differences in the bits */ -+void __init intel_pmu_pebs_data_source_nhm(void) -+{ -+ pebs_data_source[0x05] = OP_LH | P(LVL, L3) | P(SNOOP, HIT); -+ pebs_data_source[0x06] = OP_LH | P(LVL, L3) | P(SNOOP, HITM); -+ pebs_data_source[0x07] = OP_LH | P(LVL, L3) | P(SNOOP, HITM); -+} -+ - static u64 precise_store_data(u64 status) - { - union intel_x86_pebs_dse dse; -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 4ddaf66ea35f..792621a32457 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -96,9 +96,14 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - SYSCALL_DEFINE1(iopl, unsigned int, level) - { - struct pt_regs *regs = current_pt_regs(); -- unsigned int old = (regs->flags >> 12) & 3; - struct thread_struct *t = ¤t->thread; - -+ /* -+ * Careful: the IOPL bits in regs->flags are undefined under Xen PV -+ * and changing them has no effect. -+ */ -+ unsigned int old = t->iopl >> X86_EFLAGS_IOPL_BIT; -+ - if (level > 3) - return -EINVAL; - /* Trying to gain more privileges? */ -@@ -106,8 +111,9 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - } -- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); -- t->iopl = level << 12; -+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | -+ (level << X86_EFLAGS_IOPL_BIT); -+ t->iopl = level << X86_EFLAGS_IOPL_BIT; - set_iopl_mask(t->iopl); - - return 0; -diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c -index 7099ab1e075b..580001c2b69a 100644 ---- a/arch/x86/kernel/process_64.c -+++ b/arch/x86/kernel/process_64.c -@@ -49,6 +49,7 @@ - #include - #include - #include -+#include - - asmlinkage extern void ret_from_fork(void); - -@@ -412,6 +413,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) - task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV)) - __switch_to_xtra(prev_p, next_p, tss); - -+#ifdef CONFIG_XEN -+ /* -+ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and -+ * current_pt_regs()->flags may not match the current task's -+ * intended IOPL. We need to switch it manually. -+ */ -+ if (unlikely(xen_pv_domain() && -+ prev->iopl != next->iopl)) -+ xen_set_iopl_mask(next->iopl); -+#endif -+ - return prev_p; - } - -diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c -index 1406ffde3e35..b0a706d063cb 100644 ---- a/arch/x86/kvm/i8254.c -+++ b/arch/x86/kvm/i8254.c -@@ -244,7 +244,7 @@ static void kvm_pit_ack_irq(struct kvm_irq_ack_notifier *kian) - * PIC is being reset. Handle it gracefully here - */ - atomic_inc(&ps->pending); -- else if (value > 0) -+ else if (value > 0 && ps->reinject) - /* in this case, we had multiple outstanding pit interrupts - * that we needed to inject. Reinject - */ -@@ -287,7 +287,9 @@ static void pit_do_work(struct kthread_work *work) - * last one has been acked. - */ - spin_lock(&ps->inject_lock); -- if (ps->irq_ack) { -+ if (!ps->reinject) -+ inject = 1; -+ else if (ps->irq_ack) { - ps->irq_ack = 0; - inject = 1; - } -@@ -316,10 +318,10 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer *data) - struct kvm_kpit_state *ps = container_of(data, struct kvm_kpit_state, timer); - struct kvm_pit *pt = ps->kvm->arch.vpit; - -- if (ps->reinject || !atomic_read(&ps->pending)) { -+ if (ps->reinject) - atomic_inc(&ps->pending); -- queue_kthread_work(&pt->worker, &pt->expired); -- } -+ -+ queue_kthread_work(&pt->worker, &pt->expired); - - if (ps->is_periodic) { - hrtimer_add_expires_ns(&ps->timer, ps->period); -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 7f2b6dec4b2b..3c0b085b4336 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -626,7 +626,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) - if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP)) - return 1; - -- if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_RDWRGSFS)) -+ if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE)) - return 1; - - if (is_long_mode(vcpu)) { -diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 91cbe75a91d5..34511cf6baad 100644 ---- a/arch/x86/xen/enlighten.c -+++ b/arch/x86/xen/enlighten.c -@@ -952,7 +952,7 @@ static void xen_load_sp0(struct tss_struct *tss, - xen_mc_issue(PARAVIRT_LAZY_CPU); - } - --static void xen_set_iopl_mask(unsigned mask) -+void xen_set_iopl_mask(unsigned mask) - { - struct physdev_set_iopl set_iopl; - -diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S -index 7d740ebbe198..bb12d778f64f 100644 ---- a/arch/xtensa/kernel/head.S -+++ b/arch/xtensa/kernel/head.S -@@ -118,7 +118,7 @@ ENTRY(_startup) - wsr a0, icountlevel - - .set _index, 0 -- .rept XCHAL_NUM_DBREAK - 1 -+ .rept XCHAL_NUM_DBREAK - wsr a0, SREG_DBREAKC + _index - .set _index, _index + 1 - .endr -diff --git a/arch/xtensa/platforms/iss/console.c b/arch/xtensa/platforms/iss/console.c -index 70cb408bc20d..92d785fefb6d 100644 ---- a/arch/xtensa/platforms/iss/console.c -+++ b/arch/xtensa/platforms/iss/console.c -@@ -100,21 +100,23 @@ static void rs_poll(unsigned long priv) - { - struct tty_port *port = (struct tty_port *)priv; - int i = 0; -+ int rd = 1; - unsigned char c; - - spin_lock(&timer_lock); - - while (simc_poll(0)) { -- simc_read(0, &c, 1); -+ rd = simc_read(0, &c, 1); -+ if (rd <= 0) -+ break; - tty_insert_flip_char(port, c, TTY_NORMAL); - i++; - } - - if (i) - tty_flip_buffer_push(port); -- -- -- mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); -+ if (rd) -+ mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); - spin_unlock(&timer_lock); - } - -diff --git a/crypto/ahash.c b/crypto/ahash.c -index 857ae2b2a2a2..bcd5efc7eb4c 100644 ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -64,8 +64,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk) - struct scatterlist *sg; - - sg = walk->sg; -- walk->pg = sg_page(sg); - walk->offset = sg->offset; -+ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT); -+ walk->offset = offset_in_page(walk->offset); - walk->entrylen = sg->length; - - if (walk->entrylen > walk->total) -diff --git a/crypto/gcm.c b/crypto/gcm.c -index b4c252066f7b..cd97cdd8cabe 100644 ---- a/crypto/gcm.c -+++ b/crypto/gcm.c -@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req, - aead_request_set_tfm(subreq, ctx->child); - aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done, - req); -+ if (!enc) -+ aead_request_set_callback(subreq, req->base.flags, -+ req->base.complete, req->base.data); - aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv); - aead_request_set_assoc(subreq, assoc, assoclen); - -diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c -index a9ffd44c18fe..2184259c386b 100644 ---- a/drivers/acpi/acpica/dsmethod.c -+++ b/drivers/acpi/acpica/dsmethod.c -@@ -267,6 +267,9 @@ acpi_ds_begin_method_execution(struct acpi_namespace_node *method_node, - obj_desc->method.mutex->mutex. - original_sync_level = - obj_desc->method.mutex->mutex.sync_level; -+ -+ obj_desc->method.mutex->mutex.thread_id = -+ acpi_os_get_thread_id(); - } - } - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index a5c987ae665d..d593fa5247f5 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -581,8 +581,8 @@ static void do_nbd_request(struct request_queue *q) - BUG_ON(nbd->magic != NBD_MAGIC); - - if (unlikely(!nbd->sock)) { -- dev_err(disk_to_dev(nbd->disk), -- "Attempted send on closed socket\n"); -+ dev_err_ratelimited(disk_to_dev(nbd->disk), -+ "Attempted send on closed socket\n"); - req->errors++; - nbd_end_request(req); - spin_lock_irq(q->queue_lock); -diff --git a/drivers/block/paride/pd.c b/drivers/block/paride/pd.c -index 19ad8f0c83ef..897b6b9e53b1 100644 ---- a/drivers/block/paride/pd.c -+++ b/drivers/block/paride/pd.c -@@ -126,7 +126,7 @@ - */ - #include - --static bool verbose = 0; -+static int verbose = 0; - static int major = PD_MAJOR; - static char *name = PD_NAME; - static int cluster = 64; -@@ -161,7 +161,7 @@ enum {D_PRT, D_PRO, D_UNI, D_MOD, D_GEO, D_SBY, D_DLY, D_SLV}; - static DEFINE_MUTEX(pd_mutex); - static DEFINE_SPINLOCK(pd_lock); - --module_param(verbose, bool, 0); -+module_param(verbose, int, 0); - module_param(major, int, 0); - module_param(name, charp, 0); - module_param(cluster, int, 0); -diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c -index 2596042eb987..ada45058e04d 100644 ---- a/drivers/block/paride/pt.c -+++ b/drivers/block/paride/pt.c -@@ -117,7 +117,7 @@ - - */ - --static bool verbose = 0; -+static int verbose = 0; - static int major = PT_MAJOR; - static char *name = PT_NAME; - static int disable = 0; -@@ -152,7 +152,7 @@ static int (*drives[4])[6] = {&drive0, &drive1, &drive2, &drive3}; - - #include - --module_param(verbose, bool, 0); -+module_param(verbose, int, 0); - module_param(major, int, 0); - module_param(name, charp, 0); - module_param_array(drive0, int, NULL, 0); -diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c -index d8b7aed6e4a9..f3ce1c4f83e0 100644 ---- a/drivers/bluetooth/hci_vhci.c -+++ b/drivers/bluetooth/hci_vhci.c -@@ -265,6 +265,7 @@ static int vhci_release(struct inode *inode, struct file *file) - hci_unregister_dev(hdev); - hci_free_dev(hdev); - -+ skb_queue_purge(&data->readq); - file->private_data = NULL; - kfree(data); - -diff --git a/drivers/clk/versatile/clk-sp810.c b/drivers/clk/versatile/clk-sp810.c -index b9e05bde0c06..a21e2fa66a2a 100644 ---- a/drivers/clk/versatile/clk-sp810.c -+++ b/drivers/clk/versatile/clk-sp810.c -@@ -141,6 +141,7 @@ void __init clk_sp810_of_setup(struct device_node *node) - const char *parent_names[2]; - char name[12]; - struct clk_init_data init; -+ static int instance; - int i; - - if (!sp810) { -@@ -172,7 +173,7 @@ void __init clk_sp810_of_setup(struct device_node *node) - init.num_parents = ARRAY_SIZE(parent_names); - - for (i = 0; i < ARRAY_SIZE(sp810->timerclken); i++) { -- snprintf(name, ARRAY_SIZE(name), "timerclken%d", i); -+ snprintf(name, sizeof(name), "sp810_%d_%d", instance, i); - - sp810->timerclken[i].sp810 = sp810; - sp810->timerclken[i].channel = i; -@@ -184,5 +185,6 @@ void __init clk_sp810_of_setup(struct device_node *node) - } - - of_clk_add_provider(node, clk_sp810_timerclken_of_get, sp810); -+ instance++; - } - CLK_OF_DECLARE(sp810, "arm,sp810", clk_sp810_of_setup); -diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c -index 8b3d90143514..19353112cf10 100644 ---- a/drivers/edac/amd64_edac.c -+++ b/drivers/edac/amd64_edac.c -@@ -1266,7 +1266,7 @@ static u64 f1x_get_norm_dct_addr(struct amd64_pvt *pvt, u8 range, - u64 chan_off; - u64 dram_base = get_dram_base(pvt, range); - u64 hole_off = f10_dhar_offset(pvt); -- u64 dct_sel_base_off = (pvt->dct_sel_hi & 0xFFFFFC00) << 16; -+ u64 dct_sel_base_off = (u64)(pvt->dct_sel_hi & 0xFFFFFC00) << 16; - - if (hi_rng) { - /* -diff --git a/drivers/edac/i7core_edac.c b/drivers/edac/i7core_edac.c -index 271818a5a33a..c4131a7a2b46 100644 ---- a/drivers/edac/i7core_edac.c -+++ b/drivers/edac/i7core_edac.c -@@ -1878,7 +1878,7 @@ static int i7core_mce_check_error(struct notifier_block *nb, unsigned long val, - - i7_dev = get_i7core_dev(mce->socketid); - if (!i7_dev) -- return NOTIFY_BAD; -+ return NOTIFY_DONE; - - mci = i7_dev->mci; - pvt = mci->pvt_info; -diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c -index 3bdefbfb4377..0d40f7f0c379 100644 ---- a/drivers/edac/sb_edac.c -+++ b/drivers/edac/sb_edac.c -@@ -1538,7 +1538,7 @@ static int sbridge_mce_check_error(struct notifier_block *nb, unsigned long val, - - mci = get_mci_for_node_id(mce->socketid); - if (!mci) -- return NOTIFY_BAD; -+ return NOTIFY_DONE; - pvt = mci->pvt_info; - - /* -diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c -index 9f82b5545edd..61e7ec5a742c 100644 ---- a/drivers/firmware/efi/vars.c -+++ b/drivers/firmware/efi/vars.c -@@ -202,29 +202,44 @@ static const struct variable_validate variable_validate[] = { - { NULL_GUID, "", NULL }, - }; - -+/* -+ * Check if @var_name matches the pattern given in @match_name. -+ * -+ * @var_name: an array of @len non-NUL characters. -+ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A -+ * final "*" character matches any trailing characters @var_name, -+ * including the case when there are none left in @var_name. -+ * @match: on output, the number of non-wildcard characters in @match_name -+ * that @var_name matches, regardless of the return value. -+ * @return: whether @var_name fully matches @match_name. -+ */ - static bool - variable_matches(const char *var_name, size_t len, const char *match_name, - int *match) - { - for (*match = 0; ; (*match)++) { - char c = match_name[*match]; -- char u = var_name[*match]; - -- /* Wildcard in the matching name means we've matched */ -- if (c == '*') -+ switch (c) { -+ case '*': -+ /* Wildcard in @match_name means we've matched. */ - return true; - -- /* Case sensitive match */ -- if (!c && *match == len) -- return true; -+ case '\0': -+ /* @match_name has ended. Has @var_name too? */ -+ return (*match == len); - -- if (c != u) -+ default: -+ /* -+ * We've reached a non-wildcard char in @match_name. -+ * Continue only if there's an identical character in -+ * @var_name. -+ */ -+ if (*match < len && c == var_name[*match]) -+ continue; - return false; -- -- if (!c) -- return true; -+ } - } -- return true; - } - - bool -diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c -index 1b564d7e4191..5b8d868d8691 100644 ---- a/drivers/gpu/drm/radeon/atombios_encoders.c -+++ b/drivers/gpu/drm/radeon/atombios_encoders.c -@@ -870,8 +870,6 @@ atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mo - else - args.v1.ucLaneNum = 4; - -- if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) -- args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; - switch (radeon_encoder->encoder_id) { - case ENCODER_OBJECT_ID_INTERNAL_UNIPHY: - args.v1.ucConfig = ATOM_ENCODER_CONFIG_V2_TRANSMITTER1; -@@ -888,6 +886,10 @@ atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mo - args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKB; - else - args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKA; -+ -+ if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) -+ args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; -+ - break; - case 2: - case 3: -diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c -index f0bac68254b7..8962411b5f2b 100644 ---- a/drivers/gpu/drm/radeon/radeon_sa.c -+++ b/drivers/gpu/drm/radeon/radeon_sa.c -@@ -349,8 +349,15 @@ int radeon_sa_bo_new(struct radeon_device *rdev, - /* see if we can skip over some allocations */ - } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); - -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) { -+ if (fences[i]) -+ radeon_fence_ref(fences[i]); -+ } -+ - spin_unlock(&sa_manager->wq.lock); - r = radeon_fence_wait_any(rdev, fences, false); -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) -+ radeon_fence_unref(&fences[i]); - spin_lock(&sa_manager->wq.lock); - /* if we have nothing to wait for block */ - if (r == -ENOENT && block) { -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index 5da58e3899eb..92aef9824d6f 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -988,14 +988,6 @@ static int usbhid_output_raw_report(struct hid_device *hid, __u8 *buf, size_t co - return ret; - } - --static void usbhid_restart_queues(struct usbhid_device *usbhid) --{ -- if (usbhid->urbout && !test_bit(HID_OUT_RUNNING, &usbhid->iofl)) -- usbhid_restart_out_queue(usbhid); -- if (!test_bit(HID_CTRL_RUNNING, &usbhid->iofl)) -- usbhid_restart_ctrl_queue(usbhid); --} -- - static void hid_free_buffers(struct usb_device *dev, struct hid_device *hid) - { - struct usbhid_device *usbhid = hid->driver_data; -@@ -1412,6 +1404,37 @@ static void hid_cease_io(struct usbhid_device *usbhid) - usb_kill_urb(usbhid->urbout); - } - -+static void hid_restart_io(struct hid_device *hid) -+{ -+ struct usbhid_device *usbhid = hid->driver_data; -+ int clear_halt = test_bit(HID_CLEAR_HALT, &usbhid->iofl); -+ int reset_pending = test_bit(HID_RESET_PENDING, &usbhid->iofl); -+ -+ spin_lock_irq(&usbhid->lock); -+ clear_bit(HID_SUSPENDED, &usbhid->iofl); -+ usbhid_mark_busy(usbhid); -+ -+ if (clear_halt || reset_pending) -+ schedule_work(&usbhid->reset_work); -+ usbhid->retry_delay = 0; -+ spin_unlock_irq(&usbhid->lock); -+ -+ if (reset_pending || !test_bit(HID_STARTED, &usbhid->iofl)) -+ return; -+ -+ if (!clear_halt) { -+ if (hid_start_in(hid) < 0) -+ hid_io_error(hid); -+ } -+ -+ spin_lock_irq(&usbhid->lock); -+ if (usbhid->urbout && !test_bit(HID_OUT_RUNNING, &usbhid->iofl)) -+ usbhid_restart_out_queue(usbhid); -+ if (!test_bit(HID_CTRL_RUNNING, &usbhid->iofl)) -+ usbhid_restart_ctrl_queue(usbhid); -+ spin_unlock_irq(&usbhid->lock); -+} -+ - /* Treat USB reset pretty much the same as suspend/resume */ - static int hid_pre_reset(struct usb_interface *intf) - { -@@ -1461,14 +1484,14 @@ static int hid_post_reset(struct usb_interface *intf) - return 1; - } - -+ /* No need to do another reset or clear a halted endpoint */ - spin_lock_irq(&usbhid->lock); - clear_bit(HID_RESET_PENDING, &usbhid->iofl); -+ clear_bit(HID_CLEAR_HALT, &usbhid->iofl); - spin_unlock_irq(&usbhid->lock); - hid_set_idle(dev, intf->cur_altsetting->desc.bInterfaceNumber, 0, 0); -- status = hid_start_in(hid); -- if (status < 0) -- hid_io_error(hid); -- usbhid_restart_queues(usbhid); -+ -+ hid_restart_io(hid); - - return 0; - } -@@ -1491,25 +1514,9 @@ void usbhid_put_power(struct hid_device *hid) - #ifdef CONFIG_PM - static int hid_resume_common(struct hid_device *hid, bool driver_suspended) - { -- struct usbhid_device *usbhid = hid->driver_data; -- int status; -- -- spin_lock_irq(&usbhid->lock); -- clear_bit(HID_SUSPENDED, &usbhid->iofl); -- usbhid_mark_busy(usbhid); -- -- if (test_bit(HID_CLEAR_HALT, &usbhid->iofl) || -- test_bit(HID_RESET_PENDING, &usbhid->iofl)) -- schedule_work(&usbhid->reset_work); -- usbhid->retry_delay = 0; -- -- usbhid_restart_queues(usbhid); -- spin_unlock_irq(&usbhid->lock); -- -- status = hid_start_in(hid); -- if (status < 0) -- hid_io_error(hid); -+ int status = 0; - -+ hid_restart_io(hid); - if (driver_suspended && hid->driver && hid->driver->resume) - status = hid->driver->resume(hid); - return status; -@@ -1576,12 +1583,8 @@ static int hid_suspend(struct usb_interface *intf, pm_message_t message) - static int hid_resume(struct usb_interface *intf) - { - struct hid_device *hid = usb_get_intfdata (intf); -- struct usbhid_device *usbhid = hid->driver_data; - int status; - -- if (!test_bit(HID_STARTED, &usbhid->iofl)) -- return 0; -- - status = hid_resume_common(hid, true); - dev_dbg(&intf->dev, "resume status %d\n", status); - return 0; -@@ -1590,10 +1593,8 @@ static int hid_resume(struct usb_interface *intf) - static int hid_reset_resume(struct usb_interface *intf) - { - struct hid_device *hid = usb_get_intfdata(intf); -- struct usbhid_device *usbhid = hid->driver_data; - int status; - -- clear_bit(HID_SUSPENDED, &usbhid->iofl); - status = hid_post_reset(intf); - if (status >= 0 && hid->driver && hid->driver->reset_resume) { - int ret = hid->driver->reset_resume(hid); -diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c -index f445b0840d33..80754e2d8086 100644 ---- a/drivers/hv/vmbus_drv.c -+++ b/drivers/hv/vmbus_drv.c -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -517,6 +518,39 @@ static void vmbus_flow_handler(unsigned int irq, struct irq_desc *desc) - desc->action->handler(irq, desc->action->dev_id); - } - -+#ifdef CONFIG_HOTPLUG_CPU -+static int hyperv_cpu_disable(void) -+{ -+ return -ENOSYS; -+} -+ -+static void hv_cpu_hotplug_quirk(bool vmbus_loaded) -+{ -+ static void *previous_cpu_disable; -+ -+ /* -+ * Offlining a CPU when running on newer hypervisors (WS2012R2, Win8, -+ * ...) is not supported at this moment as channel interrupts are -+ * distributed across all of them. -+ */ -+ -+ if ((vmbus_proto_version == VERSION_WS2008) || -+ (vmbus_proto_version == VERSION_WIN7)) -+ return; -+ -+ if (vmbus_loaded) { -+ previous_cpu_disable = smp_ops.cpu_disable; -+ smp_ops.cpu_disable = hyperv_cpu_disable; -+ pr_notice("CPU offlining is not supported by hypervisor\n"); -+ } else if (previous_cpu_disable) -+ smp_ops.cpu_disable = previous_cpu_disable; -+} -+#else -+static void hv_cpu_hotplug_quirk(bool vmbus_loaded) -+{ -+} -+#endif -+ - /* - * vmbus_bus_init -Main vmbus driver initialization routine. - * -@@ -572,6 +606,7 @@ static int vmbus_bus_init(int irq) - if (ret) - goto err_irq; - -+ hv_cpu_hotplug_quirk(true); - vmbus_request_offers(); - - return 0; -@@ -808,6 +843,7 @@ static void __exit vmbus_exit(void) - bus_unregister(&hv_bus); - hv_cleanup(); - acpi_bus_unregister_driver(&vmbus_acpi_driver); -+ hv_cpu_hotplug_quirk(false); - } - - -diff --git a/drivers/hwmon/max1111.c b/drivers/hwmon/max1111.c -index eda077de8a9f..f787f04a0d1a 100644 ---- a/drivers/hwmon/max1111.c -+++ b/drivers/hwmon/max1111.c -@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111; - - int max1111_read_channel(int channel) - { -+ if (!the_max1111 || !the_max1111->spi) -+ return -ENODEV; -+ - return max1111_read(&the_max1111->spi->dev, channel); - } - EXPORT_SYMBOL(max1111_read_channel); -@@ -260,6 +263,9 @@ static int max1111_remove(struct spi_device *spi) - { - struct max1111_data *data = spi_get_drvdata(spi); - -+#ifdef CONFIG_SHARPSL_PM -+ the_max1111 = NULL; -+#endif - hwmon_device_unregister(data->hwmon_dev); - sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group); - sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); -diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c -index 3823623baa48..693e4ceb85ce 100644 ---- a/drivers/i2c/busses/i2c-cpm.c -+++ b/drivers/i2c/busses/i2c-cpm.c -@@ -120,8 +120,8 @@ struct cpm_i2c { - cbd_t __iomem *rbase; - u_char *txbuf[CPM_MAXBD]; - u_char *rxbuf[CPM_MAXBD]; -- u32 txdma[CPM_MAXBD]; -- u32 rxdma[CPM_MAXBD]; -+ dma_addr_t txdma[CPM_MAXBD]; -+ dma_addr_t rxdma[CPM_MAXBD]; - }; - - static irqreturn_t cpm_i2c_interrupt(int irq, void *dev_id) -diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c -index f63341f20b91..e8c6a4842e91 100644 ---- a/drivers/input/misc/ati_remote2.c -+++ b/drivers/input/misc/ati_remote2.c -@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - ar2->udev = udev; - -+ /* Sanity check, first interface must have an endpoint */ -+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { -+ dev_err(&interface->dev, -+ "%s(): interface 0 must have an endpoint\n", __func__); -+ r = -ENODEV; -+ goto fail1; -+ } - ar2->intf[0] = interface; - ar2->ep[0] = &alt->endpoint[0].desc; - -+ /* Sanity check, the device must have two interfaces */ - ar2->intf[1] = usb_ifnum_to_if(udev, 1); -+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { -+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", -+ __func__, udev->actconfig->desc.bNumInterfaces); -+ r = -ENODEV; -+ goto fail1; -+ } -+ - r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); - if (r) - goto fail1; -+ -+ /* Sanity check, second interface must have an endpoint */ - alt = ar2->intf[1]->cur_altsetting; -+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { -+ dev_err(&interface->dev, -+ "%s(): interface 1 must have an endpoint\n", __func__); -+ r = -ENODEV; -+ goto fail2; -+ } - ar2->ep[1] = &alt->endpoint[0].desc; - - r = ati_remote2_urb_init(ar2); - if (r) -- goto fail2; -+ goto fail3; - - ar2->channel_mask = channel_mask; - ar2->mode_mask = mode_mask; - - r = ati_remote2_setup(ar2, ar2->channel_mask); - if (r) -- goto fail2; -+ goto fail3; - - usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); - strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); -@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); - if (r) -- goto fail2; -+ goto fail3; - - r = ati_remote2_input_init(ar2); - if (r) -- goto fail3; -+ goto fail4; - - usb_set_intfdata(interface, ar2); - -@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - return 0; - -- fail3: -+ fail4: - sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); -- fail2: -+ fail3: - ati_remote2_urb_cleanup(ar2); -+ fail2: - usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); - fail1: - kfree(ar2); -diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c -index e204f26b0011..77164dc1bedd 100644 ---- a/drivers/input/misc/ims-pcu.c -+++ b/drivers/input/misc/ims-pcu.c -@@ -1433,6 +1433,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bMasterInterface0); -+ if (!pcu->ctrl_intf) -+ return -EINVAL; - - alt = pcu->ctrl_intf->cur_altsetting; - pcu->ep_ctrl = &alt->endpoint[0].desc; -@@ -1440,6 +1442,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->data_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bSlaveInterface0); -+ if (!pcu->data_intf) -+ return -EINVAL; - - alt = pcu->data_intf->cur_altsetting; - if (alt->desc.bNumEndpoints != 2) { -diff --git a/drivers/input/misc/max8997_haptic.c b/drivers/input/misc/max8997_haptic.c -index e973133212a5..a8c91226cd22 100644 ---- a/drivers/input/misc/max8997_haptic.c -+++ b/drivers/input/misc/max8997_haptic.c -@@ -246,12 +246,14 @@ static int max8997_haptic_probe(struct platform_device *pdev) - struct max8997_dev *iodev = dev_get_drvdata(pdev->dev.parent); - const struct max8997_platform_data *pdata = - dev_get_platdata(iodev->dev); -- const struct max8997_haptic_platform_data *haptic_pdata = -- pdata->haptic_pdata; -+ const struct max8997_haptic_platform_data *haptic_pdata = NULL; - struct max8997_haptic *chip; - struct input_dev *input_dev; - int error; - -+ if (pdata) -+ haptic_pdata = pdata->haptic_pdata; -+ - if (!haptic_pdata) { - dev_err(&pdev->dev, "no haptic platform data\n"); - return -EINVAL; -diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c -index 49c0c3ebd321..21ce1cf757bb 100644 ---- a/drivers/input/misc/powermate.c -+++ b/drivers/input/misc/powermate.c -@@ -308,6 +308,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i - int error = -ENOMEM; - - interface = intf->cur_altsetting; -+ if (interface->desc.bNumEndpoints < 1) -+ return -EINVAL; -+ - endpoint = &interface->endpoint[0].desc; - if (!usb_endpoint_is_int_in(endpoint)) - return -EIO; -diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c -index 29e01ab6859f..a9f8f925ba2b 100644 ---- a/drivers/input/tablet/gtco.c -+++ b/drivers/input/tablet/gtco.c -@@ -869,6 +869,14 @@ static int gtco_probe(struct usb_interface *usbinterface, - goto err_free_buf; - } - -+ /* Sanity check that a device has an endpoint */ -+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { -+ dev_err(&usbinterface->dev, -+ "Invalid number of endpoints\n"); -+ error = -EINVAL; -+ goto err_free_urb; -+ } -+ - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint -@@ -890,7 +898,7 @@ static int gtco_probe(struct usb_interface *usbinterface, - * HID report descriptor - */ - if (usb_get_extra_descriptor(usbinterface->cur_altsetting, -- HID_DEVICE_TYPE, &hid_desc) != 0){ -+ HID_DEVICE_TYPE, &hid_desc) != 0) { - dev_err(&usbinterface->dev, - "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); - error = -EIO; -diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c -index 84ccf140c1bb..9332e46b53ed 100644 ---- a/drivers/input/touchscreen/ads7846.c -+++ b/drivers/input/touchscreen/ads7846.c -@@ -697,18 +697,22 @@ static int ads7846_no_filter(void *ads, int data_idx, int *val) - - static int ads7846_get_value(struct ads7846 *ts, struct spi_message *m) - { -+ int value; - struct spi_transfer *t = - list_entry(m->transfers.prev, struct spi_transfer, transfer_list); - - if (ts->model == 7845) { -- return be16_to_cpup((__be16 *)&(((char*)t->rx_buf)[1])) >> 3; -+ value = be16_to_cpup((__be16 *)&(((char *)t->rx_buf)[1])); - } else { - /* - * adjust: on-wire is a must-ignore bit, a BE12 value, then - * padding; built from two 8 bit values written msb-first. - */ -- return be16_to_cpup((__be16 *)t->rx_buf) >> 3; -+ value = be16_to_cpup((__be16 *)t->rx_buf); - } -+ -+ /* enforce ADC output is 12 bits width */ -+ return (value >> 3) & 0xfff; - } - - static void ads7846_update_value(struct spi_message *m, int val) -diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c -index 2d2915fdbf02..2a4c13af482a 100644 ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1295,6 +1295,9 @@ static void cache_set_flush(struct closure *cl) - set_bit(CACHE_SET_STOPPING_2, &c->flags); - wake_up(&c->alloc_wait); - -+ if (!c) -+ closure_return(cl); -+ - bch_cache_accounting_destroy(&c->accounting); - - kobject_put(&c->internal); -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index ef18ca745b1e..9ee3c460fa37 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -5658,8 +5658,8 @@ static int run(struct mddev *mddev) - } - - if (discard_supported && -- mddev->queue->limits.max_discard_sectors >= stripe && -- mddev->queue->limits.discard_granularity >= stripe) -+ mddev->queue->limits.max_discard_sectors >= (stripe >> 9) && -+ mddev->queue->limits.discard_granularity >= stripe) - queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, - mddev->queue); - else -diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c -index e2633d9270b7..aa4519e5cafa 100644 ---- a/drivers/media/pci/bt8xx/bttv-driver.c -+++ b/drivers/media/pci/bt8xx/bttv-driver.c -@@ -2376,6 +2376,19 @@ static int bttv_g_fmt_vid_overlay(struct file *file, void *priv, - return 0; - } - -+static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt, -+ unsigned int *width_mask, -+ unsigned int *width_bias) -+{ -+ if (fmt->flags & FORMAT_FLAGS_PLANAR) { -+ *width_mask = ~15; /* width must be a multiple of 16 pixels */ -+ *width_bias = 8; /* nearest */ -+ } else { -+ *width_mask = ~3; /* width must be a multiple of 4 pixels */ -+ *width_bias = 2; /* nearest */ -+ } -+} -+ - static int bttv_try_fmt_vid_cap(struct file *file, void *priv, - struct v4l2_format *f) - { -@@ -2385,6 +2398,7 @@ static int bttv_try_fmt_vid_cap(struct file *file, void *priv, - enum v4l2_field field; - __s32 width, height; - __s32 height2; -+ unsigned int width_mask, width_bias; - int rc; - - fmt = format_by_fourcc(f->fmt.pix.pixelformat); -@@ -2417,9 +2431,9 @@ static int bttv_try_fmt_vid_cap(struct file *file, void *priv, - width = f->fmt.pix.width; - height = f->fmt.pix.height; - -+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias); - rc = limit_scaled_size_lock(fh, &width, &height, field, -- /* width_mask: 4 pixels */ ~3, -- /* width_bias: nearest */ 2, -+ width_mask, width_bias, - /* adjust_size */ 1, - /* adjust_crop */ 0); - if (0 != rc) -@@ -2452,6 +2466,7 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, - struct bttv_fh *fh = priv; - struct bttv *btv = fh->btv; - __s32 width, height; -+ unsigned int width_mask, width_bias; - enum v4l2_field field; - - retval = bttv_switch_type(fh, f->type); -@@ -2466,9 +2481,10 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, - height = f->fmt.pix.height; - field = f->fmt.pix.field; - -+ fmt = format_by_fourcc(f->fmt.pix.pixelformat); -+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias); - retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field, -- /* width_mask: 4 pixels */ ~3, -- /* width_bias: nearest */ 2, -+ width_mask, width_bias, - /* adjust_size */ 1, - /* adjust_crop */ 1); - if (0 != retval) -@@ -2476,8 +2492,6 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, - - f->fmt.pix.field = field; - -- fmt = format_by_fourcc(f->fmt.pix.pixelformat); -- - /* update our state informations */ - fh->fmt = fmt; - fh->cap.field = f->fmt.pix.field; -diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c -index 77bbf7889659..db1e8ee13ded 100644 ---- a/drivers/media/usb/pwc/pwc-if.c -+++ b/drivers/media/usb/pwc/pwc-if.c -@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_device_table [] = { - { USB_DEVICE(0x0471, 0x0312) }, - { USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */ - { USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */ -+ { USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */ - { USB_DEVICE(0x069A, 0x0001) }, /* Askey */ - { USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */ - { USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */ -@@ -799,6 +800,11 @@ static int usb_pwc_probe(struct usb_interface *intf, const struct usb_device_id - name = "Philips SPC 900NC webcam"; - type_id = 740; - break; -+ case 0x032C: -+ PWC_INFO("Philips SPC 880NC USB webcam detected.\n"); -+ name = "Philips SPC 880NC webcam"; -+ type_id = 740; -+ break; - default: - return -ENODEV; - break; -diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c -index d34c2afe2c24..bcfefe61a592 100644 ---- a/drivers/media/usb/usbvision/usbvision-video.c -+++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1459,6 +1459,7 @@ static void usbvision_release(struct usb_usbvision *usbvision) - - usbvision_remove_sysfs(usbvision->vdev); - usbvision_unregister_video(usbvision); -+ kfree(usbvision->alt_max_pkt_size); - - usb_free_urb(usbvision->ctrl_urb); - -@@ -1520,7 +1521,7 @@ static int usbvision_probe(struct usb_interface *intf, - const struct usb_host_interface *interface; - struct usb_usbvision *usbvision = NULL; - const struct usb_endpoint_descriptor *endpoint; -- int model, i; -+ int model, i, ret; - - PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u", - dev->descriptor.idVendor, -@@ -1529,33 +1530,51 @@ static int usbvision_probe(struct usb_interface *intf, - model = devid->driver_info; - if (model < 0 || model >= usbvision_device_data_size) { - PDEBUG(DBG_PROBE, "model out of bounds %d", model); -- return -ENODEV; -+ ret = -ENODEV; -+ goto err_usb; - } - printk(KERN_INFO "%s: %s found\n", __func__, - usbvision_device_data[model].model_string); - - if (usbvision_device_data[model].interface >= 0) - interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; -- else -+ else if (ifnum < dev->actconfig->desc.bNumInterfaces) - interface = &dev->actconfig->interface[ifnum]->altsetting[0]; -+ else { -+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n", -+ ifnum, dev->actconfig->desc.bNumInterfaces - 1); -+ ret = -ENODEV; -+ goto err_usb; -+ } -+ -+ if (interface->desc.bNumEndpoints < 2) { -+ dev_err(&intf->dev, "interface %d has %d endpoints, but must" -+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints); -+ ret = -ENODEV; -+ goto err_usb; -+ } - endpoint = &interface->endpoint[1].desc; -+ - if (!usb_endpoint_xfer_isoc(endpoint)) { - dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n", - __func__, ifnum); - dev_err(&intf->dev, "%s: Endpoint attributes %d", - __func__, endpoint->bmAttributes); -- return -ENODEV; -+ ret = -ENODEV; -+ goto err_usb; - } - if (usb_endpoint_dir_out(endpoint)) { - dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n", - __func__, ifnum); -- return -ENODEV; -+ ret = -ENODEV; -+ goto err_usb; - } - - usbvision = usbvision_alloc(dev, intf); - if (usbvision == NULL) { - dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto err_usb; - } - - if (dev->descriptor.bNumConfigurations > 1) -@@ -1574,7 +1593,8 @@ static int usbvision_probe(struct usb_interface *intf, - usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL); - if (usbvision->alt_max_pkt_size == NULL) { - dev_err(&intf->dev, "usbvision: out of memory!\n"); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto err_pkt; - } - - for (i = 0; i < usbvision->num_alt; i++) { -@@ -1609,6 +1629,12 @@ static int usbvision_probe(struct usb_interface *intf, - - PDEBUG(DBG_PROBE, "success"); - return 0; -+ -+err_pkt: -+ usbvision_release(usbvision); -+err_usb: -+ usb_put_dev(dev); -+ return ret; - } - - -diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index 35fb8f0cb539..07d6ce4c9c6f 100644 ---- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -@@ -392,7 +392,8 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - get_user(kp->index, &up->index) || - get_user(kp->type, &up->type) || - get_user(kp->flags, &up->flags) || -- get_user(kp->memory, &up->memory)) -+ get_user(kp->memory, &up->memory) || -+ get_user(kp->length, &up->length)) - return -EFAULT; - - if (V4L2_TYPE_IS_OUTPUT(kp->type)) -@@ -404,9 +405,6 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - return -EFAULT; - - if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { -- if (get_user(kp->length, &up->length)) -- return -EFAULT; -- - num_planes = kp->length; - if (num_planes == 0) { - kp->m.planes = NULL; -@@ -439,16 +437,14 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - } else { - switch (kp->memory) { - case V4L2_MEMORY_MMAP: -- if (get_user(kp->length, &up->length) || -- get_user(kp->m.offset, &up->m.offset)) -+ if (get_user(kp->m.offset, &up->m.offset)) - return -EFAULT; - break; - case V4L2_MEMORY_USERPTR: - { - compat_long_t tmp; - -- if (get_user(kp->length, &up->length) || -- get_user(tmp, &up->m.userptr)) -+ if (get_user(tmp, &up->m.userptr)) - return -EFAULT; - - kp->m.userptr = (unsigned long)compat_ptr(tmp); -@@ -490,7 +486,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || - put_user(kp->sequence, &up->sequence) || - put_user(kp->reserved2, &up->reserved2) || -- put_user(kp->reserved, &up->reserved)) -+ put_user(kp->reserved, &up->reserved) || -+ put_user(kp->length, &up->length)) - return -EFAULT; - - if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { -@@ -513,13 +510,11 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - } else { - switch (kp->memory) { - case V4L2_MEMORY_MMAP: -- if (put_user(kp->length, &up->length) || -- put_user(kp->m.offset, &up->m.offset)) -+ if (put_user(kp->m.offset, &up->m.offset)) - return -EFAULT; - break; - case V4L2_MEMORY_USERPTR: -- if (put_user(kp->length, &up->length) || -- put_user(kp->m.userptr, &up->m.userptr)) -+ if (put_user(kp->m.userptr, &up->m.userptr)) - return -EFAULT; - break; - case V4L2_MEMORY_OVERLAY: -diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c -index e59ac4cbac96..c7576a503e5b 100644 ---- a/drivers/mfd/omap-usb-tll.c -+++ b/drivers/mfd/omap-usb-tll.c -@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct platform_device *pdev) - - if (IS_ERR(tll->ch_clk[i])) - dev_dbg(dev, "can't get clock : %s\n", clkname); -+ else -+ clk_prepare(tll->ch_clk[i]); - } - - pm_runtime_put_sync(dev); -@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct platform_device *pdev) - tll_dev = NULL; - spin_unlock(&tll_lock); - -- for (i = 0; i < tll->nch; i++) -- if (!IS_ERR(tll->ch_clk[i])) -+ for (i = 0; i < tll->nch; i++) { -+ if (!IS_ERR(tll->ch_clk[i])) { -+ clk_unprepare(tll->ch_clk[i]); - clk_put(tll->ch_clk[i]); -+ } -+ } - - pm_runtime_disable(&pdev->dev); - return 0; -diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig -index c002d8660e30..7a6818407836 100644 ---- a/drivers/misc/Kconfig -+++ b/drivers/misc/Kconfig -@@ -451,7 +451,7 @@ config ARM_CHARLCD - still useful. - - config BMP085 -- bool -+ tristate - depends on SYSFS - - config BMP085_I2C -diff --git a/drivers/misc/ad525x_dpot.c b/drivers/misc/ad525x_dpot.c -index 8f99e8e3f0ac..beb7422c3cc7 100644 ---- a/drivers/misc/ad525x_dpot.c -+++ b/drivers/misc/ad525x_dpot.c -@@ -216,7 +216,7 @@ static s32 dpot_read_i2c(struct dpot_data *dpot, u8 reg) - */ - value = swab16(value); - -- if (dpot->uid == DPOT_UID(AD5271_ID)) -+ if (dpot->uid == DPOT_UID(AD5274_ID)) - value = value >> 2; - return value; - default: -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index ebb40a292d67..c6bf23599eb9 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -2322,11 +2322,12 @@ static const struct mmc_fixup blk_fixups[] = - MMC_QUIRK_BLK_NO_CMD23), - - /* -- * Some Micron MMC cards needs longer data read timeout than -- * indicated in CSD. -+ * Some MMC cards need longer data read timeout than indicated in CSD. - */ - MMC_FIXUP(CID_NAME_ANY, CID_MANFID_MICRON, 0x200, add_quirk_mmc, - MMC_QUIRK_LONG_READ_TIME), -+ MMC_FIXUP("008GE0", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc, -+ MMC_QUIRK_LONG_READ_TIME), - - /* - * On these Samsung MoviNAND parts, performing secure erase or -diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c -index 68ab26385d06..3ae6f1325773 100644 ---- a/drivers/mmc/core/core.c -+++ b/drivers/mmc/core/core.c -@@ -801,11 +801,11 @@ void mmc_set_data_timeout(struct mmc_data *data, const struct mmc_card *card) - /* - * Some cards require longer data read timeout than indicated in CSD. - * Address this by setting the read timeout to a "reasonably high" -- * value. For the cards tested, 300ms has proven enough. If necessary, -+ * value. For the cards tested, 600ms has proven enough. If necessary, - * this value can be increased if other problematic cards require this. - */ - if (mmc_card_long_read_time(card) && data->flags & MMC_DATA_READ) { -- data->timeout_ns = 300000000; -+ data->timeout_ns = 600000000; - data->timeout_clks = 0; - } - -diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c -index 0cbd1effe960..dda1a42ae822 100644 ---- a/drivers/mmc/core/mmc.c -+++ b/drivers/mmc/core/mmc.c -@@ -266,6 +266,9 @@ static void mmc_select_card_type(struct mmc_card *card) - card->ext_csd.card_type = card_type; - } - -+/* Minimum partition switch timeout in milliseconds */ -+#define MMC_MIN_PART_SWITCH_TIME 300 -+ - /* - * Decode extended CSD. - */ -@@ -330,6 +333,10 @@ static int mmc_read_ext_csd(struct mmc_card *card, u8 *ext_csd) - - /* EXT_CSD value is in units of 10ms, but we store in ms */ - card->ext_csd.part_time = 10 * ext_csd[EXT_CSD_PART_SWITCH_TIME]; -+ /* Some eMMC set the value too low so set a minimum */ -+ if (card->ext_csd.part_time && -+ card->ext_csd.part_time < MMC_MIN_PART_SWITCH_TIME) -+ card->ext_csd.part_time = MMC_MIN_PART_SWITCH_TIME; - - /* Sleep / awake timeout in 100ns units */ - if (sa_shift > 0 && sa_shift <= 0x17) -diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c -index b3f41f200622..0f13fd4748ec 100644 ---- a/drivers/mtd/onenand/onenand_base.c -+++ b/drivers/mtd/onenand/onenand_base.c -@@ -2610,6 +2610,7 @@ static int onenand_default_block_markbad(struct mtd_info *mtd, loff_t ofs) - */ - static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs) - { -+ struct onenand_chip *this = mtd->priv; - int ret; - - ret = onenand_block_isbad(mtd, ofs); -@@ -2621,7 +2622,7 @@ static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs) - } - - onenand_get_device(mtd, FL_WRITING); -- ret = mtd_block_markbad(mtd, ofs); -+ ret = this->block_markbad(mtd, ofs); - onenand_release_device(mtd); - return ret; - } -diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c -index 265ce1b752ed..96fe542b4acb 100644 ---- a/drivers/net/ethernet/atheros/atlx/atl2.c -+++ b/drivers/net/ethernet/atheros/atlx/atl2.c -@@ -1413,7 +1413,7 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - err = -EIO; - -- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; -+ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX; - netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); - - /* Init PHY as early as possible due to power saving issue */ -diff --git a/drivers/net/ethernet/jme.c b/drivers/net/ethernet/jme.c -index 070a6f1a0577..2f4cbcae9c7c 100644 ---- a/drivers/net/ethernet/jme.c -+++ b/drivers/net/ethernet/jme.c -@@ -3290,13 +3290,14 @@ jme_resume(struct device *dev) - jme_reset_phy_processor(jme); - jme_phy_calibration(jme); - jme_phy_setEA(jme); -- jme_start_irq(jme); - netif_device_attach(netdev); - - atomic_inc(&jme->link_changing); - - jme_reset_link(jme); - -+ jme_start_irq(jme); -+ - return 0; - } - -diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_main.c b/drivers/net/ethernet/qlogic/qlge/qlge_main.c -index f87cc216045b..a978cc2eafe0 100644 ---- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c -+++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c -@@ -1620,7 +1620,18 @@ static void ql_process_mac_rx_skb(struct ql_adapter *qdev, - return; - } - skb_reserve(new_skb, NET_IP_ALIGN); -+ -+ pci_dma_sync_single_for_cpu(qdev->pdev, -+ dma_unmap_addr(sbq_desc, mapaddr), -+ dma_unmap_len(sbq_desc, maplen), -+ PCI_DMA_FROMDEVICE); -+ - memcpy(skb_put(new_skb, length), skb->data, length); -+ -+ pci_dma_sync_single_for_device(qdev->pdev, -+ dma_unmap_addr(sbq_desc, mapaddr), -+ dma_unmap_len(sbq_desc, maplen), -+ PCI_DMA_FROMDEVICE); - skb = new_skb; - - /* Frame error, so drop the packet. */ -diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c -index b93a0fb17236..93b652516a94 100644 ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -1161,7 +1161,8 @@ static void sh_eth_ring_format(struct net_device *ndev) - mdp->dirty_rx = (u32) (i - mdp->num_rx_ring); - - /* Mark the last entry as wrapping the ring. */ -- rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); -+ if (rxdesc) -+ rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); - - memset(mdp->tx_ring, 0, tx_ringsize); - -diff --git a/drivers/net/irda/irtty-sir.c b/drivers/net/irda/irtty-sir.c -index a41267197839..0d71fa9f0c68 100644 ---- a/drivers/net/irda/irtty-sir.c -+++ b/drivers/net/irda/irtty-sir.c -@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct *tty) - - /* Module stuff handled via irda_ldisc.owner - Jean II */ - -- /* First make sure we're not already connected. */ -- if (tty->disc_data != NULL) { -- priv = tty->disc_data; -- if (priv && priv->magic == IRTTY_MAGIC) { -- ret = -EEXIST; -- goto out; -- } -- tty->disc_data = NULL; /* ### */ -- } -- - /* stop the underlying driver */ - irtty_stop_receiver(tty, TRUE); - if (tty->ops->stop) -diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c -index a2d7d5f066f1..14a8d2958698 100644 ---- a/drivers/net/ppp/ppp_generic.c -+++ b/drivers/net/ppp/ppp_generic.c -@@ -2220,7 +2220,7 @@ int ppp_register_net_channel(struct net *net, struct ppp_channel *chan) - - pch->ppp = NULL; - pch->chan = chan; -- pch->chan_net = net; -+ pch->chan_net = get_net(net); - chan->ppp = pch; - init_ppp_file(&pch->file, CHANNEL); - pch->file.hdrlen = chan->hdrlen; -@@ -2317,6 +2317,8 @@ ppp_unregister_channel(struct ppp_channel *chan) - spin_lock_bh(&pn->all_channels_lock); - list_del(&pch->list); - spin_unlock_bh(&pn->all_channels_lock); -+ put_net(pch->chan_net); -+ pch->chan_net = NULL; - - pch->file.dead = 1; - wake_up_interruptible(&pch->file.rwait); -diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c -index f433b594388e..00a8128cf927 100644 ---- a/drivers/net/rionet.c -+++ b/drivers/net/rionet.c -@@ -269,7 +269,7 @@ static void rionet_outb_msg_event(struct rio_mport *mport, void *dev_id, int mbo - struct net_device *ndev = dev_id; - struct rionet_private *rnet = netdev_priv(ndev); - -- spin_lock(&rnet->lock); -+ spin_lock(&rnet->tx_lock); - - if (netif_msg_intr(rnet)) - printk(KERN_INFO -@@ -288,7 +288,7 @@ static void rionet_outb_msg_event(struct rio_mport *mport, void *dev_id, int mbo - if (rnet->tx_cnt < RIONET_TX_RING_SIZE) - netif_wake_queue(ndev); - -- spin_unlock(&rnet->lock); -+ spin_unlock(&rnet->tx_lock); - } - - static int rionet_open(struct net_device *ndev) -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index 43afde8f48d2..74581cbcafa7 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -464,7 +464,11 @@ advance: - - iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber; - -- /* reset data interface */ -+ /* Reset data interface. Some devices will not reset properly -+ * unless they are configured first. Toggle the altsetting to -+ * force a reset -+ */ -+ usb_set_interface(dev->udev, iface_no, data_altsetting); - temp = usb_set_interface(dev->udev, iface_no, 0); - if (temp) - goto error2; -diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c -index 0244a1fb38f9..12aaf1f4f890 100644 ---- a/drivers/net/usb/qmi_wwan.c -+++ b/drivers/net/usb/qmi_wwan.c -@@ -724,6 +724,7 @@ static const struct usb_device_id products[] = { - {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */ - {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */ - {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ -+ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ - {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ - {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ - {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ -diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c -index fb068ada0c5a..2255d8965037 100644 ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -1622,6 +1622,13 @@ out3: - if (info->unbind) - info->unbind (dev, udev); - out1: -+ /* subdrivers must undo all they did in bind() if they -+ * fail it, but we may fail later and a deferred kevent -+ * may trigger an error resubmitting itself and, worse, -+ * schedule a timer. So we kill it all just in case. -+ */ -+ cancel_work_sync(&dev->kevent); -+ del_timer_sync(&dev->delay); - free_netdev(net); - out: - return status; -diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c -index bcfff0d62de4..2dfa1478d7d1 100644 ---- a/drivers/net/wan/farsync.c -+++ b/drivers/net/wan/farsync.c -@@ -2545,7 +2545,7 @@ fst_add_one(struct pci_dev *pdev, const struct pci_device_id *ent) - dev->mem_start = card->phys_mem - + BUF_OFFSET ( txBuffer[i][0][0]); - dev->mem_end = card->phys_mem -- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]); -+ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]); - dev->base_addr = card->pci_conf; - dev->irq = card->irq; - -diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c -index 971d770722cf..2ac05486424b 100644 ---- a/drivers/net/wireless/ath/ath9k/eeprom.c -+++ b/drivers/net/wireless/ath/ath9k/eeprom.c -@@ -408,10 +408,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, - - if (match) { - if (AR_SREV_9287(ah)) { -- /* FIXME: array overrun? */ - for (i = 0; i < numXpdGains; i++) { - minPwrT4[i] = data_9287[idxL].pwrPdg[i][0]; -- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; -+ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1]; - ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], - data_9287[idxL].pwrPdg[i], - data_9287[idxL].vpdPdg[i], -@@ -421,7 +420,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, - } else if (eeprom_4k) { - for (i = 0; i < numXpdGains; i++) { - minPwrT4[i] = data_4k[idxL].pwrPdg[i][0]; -- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4]; -+ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1]; - ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], - data_4k[idxL].pwrPdg[i], - data_4k[idxL].vpdPdg[i], -@@ -431,7 +430,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, - } else { - for (i = 0; i < numXpdGains; i++) { - minPwrT4[i] = data_def[idxL].pwrPdg[i][0]; -- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4]; -+ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1]; - ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], - data_def[idxL].pwrPdg[i], - data_def[idxL].vpdPdg[i], -diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index 034a4d2964d6..d332d55885f8 100644 ---- a/drivers/pci/probe.c -+++ b/drivers/pci/probe.c -@@ -173,6 +173,9 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, - struct pci_bus_region region; - bool bar_too_big = false, bar_disabled = false; - -+ if (dev->non_compliant_bars) -+ return 0; -+ - mask = type ? PCI_ROM_ADDRESS_MASK : ~0; - - /* No printks while decoding is disabled! */ -@@ -981,6 +984,7 @@ void set_pcie_hotplug_bridge(struct pci_dev *pdev) - int pci_setup_device(struct pci_dev *dev) - { - u32 class; -+ u16 cmd; - u8 hdr_type; - struct pci_slot *slot; - int pos = 0; -@@ -1028,6 +1032,16 @@ int pci_setup_device(struct pci_dev *dev) - /* device class may be changed after fixup */ - class = dev->class >> 8; - -+ if (dev->non_compliant_bars) { -+ pci_read_config_word(dev, PCI_COMMAND, &cmd); -+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) { -+ dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n"); -+ cmd &= ~PCI_COMMAND_IO; -+ cmd &= ~PCI_COMMAND_MEMORY; -+ pci_write_config_word(dev, PCI_COMMAND, cmd); -+ } -+ } -+ - switch (dev->hdr_type) { /* header type */ - case PCI_HEADER_TYPE_NORMAL: /* standard header */ - if (class == PCI_CLASS_BRIDGE_PCI) -diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c -index 769d265b221b..deb7f4bcdb7b 100644 ---- a/drivers/pnp/pnpbios/bioscalls.c -+++ b/drivers/pnp/pnpbios/bioscalls.c -@@ -21,7 +21,7 @@ - - #include "pnpbios.h" - --static struct { -+__visible struct { - u16 offset; - u16 segment; - } pnp_bios_callpoint; -@@ -41,6 +41,7 @@ asmlinkage void pnp_bios_callfunc(void); - - __asm__(".text \n" - __ALIGN_STR "\n" -+ ".globl pnp_bios_callfunc\n" - "pnp_bios_callfunc:\n" - " pushl %edx \n" - " pushl %ecx \n" -@@ -66,9 +67,9 @@ static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092, - * after PnP BIOS oopses. - */ - --u32 pnp_bios_fault_esp; --u32 pnp_bios_fault_eip; --u32 pnp_bios_is_utter_crap = 0; -+__visible u32 pnp_bios_fault_esp; -+__visible u32 pnp_bios_fault_eip; -+__visible u32 pnp_bios_is_utter_crap = 0; - - static spinlock_t pnp_bios_lock; - -diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c -index f91be04b9050..ca0f213c06a5 100644 ---- a/drivers/rtc/rtc-vr41xx.c -+++ b/drivers/rtc/rtc-vr41xx.c -@@ -272,12 +272,13 @@ static irqreturn_t rtclong1_interrupt(int irq, void *dev_id) - } - - static const struct rtc_class_ops vr41xx_rtc_ops = { -- .release = vr41xx_rtc_release, -- .ioctl = vr41xx_rtc_ioctl, -- .read_time = vr41xx_rtc_read_time, -- .set_time = vr41xx_rtc_set_time, -- .read_alarm = vr41xx_rtc_read_alarm, -- .set_alarm = vr41xx_rtc_set_alarm, -+ .release = vr41xx_rtc_release, -+ .ioctl = vr41xx_rtc_ioctl, -+ .read_time = vr41xx_rtc_read_time, -+ .set_time = vr41xx_rtc_set_time, -+ .read_alarm = vr41xx_rtc_read_alarm, -+ .set_alarm = vr41xx_rtc_set_alarm, -+ .alarm_irq_enable = vr41xx_rtc_alarm_irq_enable, - }; - - static int rtc_probe(struct platform_device *pdev) -diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c -index 1be0776a80c4..6a0d362e2596 100644 ---- a/drivers/scsi/aacraid/commsup.c -+++ b/drivers/scsi/aacraid/commsup.c -@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev *dev) - - void aac_fib_map_free(struct aac_dev *dev) - { -- pci_free_consistent(dev->pdev, -- dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB), -- dev->hw_fib_va, dev->hw_fib_pa); -+ if (dev->hw_fib_va && dev->max_fib_size) { -+ pci_free_consistent(dev->pdev, -+ (dev->max_fib_size * -+ (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)), -+ dev->hw_fib_va, dev->hw_fib_pa); -+ } - dev->hw_fib_va = NULL; - dev->hw_fib_pa = 0; - } -diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c -index bfe812fcce34..a683a831527b 100644 ---- a/drivers/scsi/be2iscsi/be_main.c -+++ b/drivers/scsi/be2iscsi/be_main.c -@@ -4040,6 +4040,7 @@ put_shost: - scsi_host_put(phba->shost); - free_kset: - iscsi_boot_destroy_kset(phba->boot_kset); -+ phba->boot_kset = NULL; - return -ENOMEM; - } - -diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c -index 4a79a5f0d95e..25ac2c00f8b3 100644 ---- a/drivers/scsi/ipr.c -+++ b/drivers/scsi/ipr.c -@@ -3908,13 +3908,17 @@ static ssize_t ipr_store_update_fw(struct device *dev, - struct ipr_sglist *sglist; - char fname[100]; - char *src; -- int len, result, dnld_size; -+ char *endline; -+ int result, dnld_size; - - if (!capable(CAP_SYS_ADMIN)) - return -EACCES; - -- len = snprintf(fname, 99, "%s", buf); -- fname[len-1] = '\0'; -+ snprintf(fname, sizeof(fname), "%s", buf); -+ -+ endline = strchr(fname, '\n'); -+ if (endline) -+ *endline = '\0'; - - if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) { - dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname); -diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c -index cb465b253910..e6e0679ec882 100644 ---- a/drivers/scsi/lpfc/lpfc_init.c -+++ b/drivers/scsi/lpfc/lpfc_init.c -@@ -2684,7 +2684,7 @@ lpfc_online(struct lpfc_hba *phba) - } - - vports = lpfc_create_vport_work_array(phba); -- if (vports != NULL) -+ if (vports != NULL) { - for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) { - struct Scsi_Host *shost; - shost = lpfc_shost_from_vport(vports[i]); -@@ -2701,7 +2701,8 @@ lpfc_online(struct lpfc_hba *phba) - } - spin_unlock_irq(shost->host_lock); - } -- lpfc_destroy_vport_work_array(phba, vports); -+ } -+ lpfc_destroy_vport_work_array(phba, vports); - - lpfc_unblock_mgmt_io(phba); - return 0; -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 0be16bf5f0cd..1f65e32db285 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -633,7 +633,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) - else - hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE; - hp->dxfer_len = mxsize; -- if (hp->dxfer_direction == SG_DXFER_TO_DEV) -+ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) || -+ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV)) - hp->dxferp = (char __user *)buf + cmd_size; - else - hp->dxferp = NULL; -diff --git a/drivers/staging/usbip/usbip_common.c b/drivers/staging/usbip/usbip_common.c -index 7b97df6f2a42..b4f237e55931 100644 ---- a/drivers/staging/usbip/usbip_common.c -+++ b/drivers/staging/usbip/usbip_common.c -@@ -784,6 +784,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) - if (!(size > 0)) - return 0; - -+ if (size > urb->transfer_buffer_length) { -+ /* should not happen, probably malicious packet */ -+ if (ud->side == USBIP_STUB) { -+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); -+ return 0; -+ } else { -+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); -+ return -EPIPE; -+ } -+ } -+ - ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); - if (ret != size) { - dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); -diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c -index d8c06a3d391e..1119d533c8e2 100644 ---- a/drivers/tty/serial/8250/8250_core.c -+++ b/drivers/tty/serial/8250/8250_core.c -@@ -686,22 +686,16 @@ static int size_fifo(struct uart_8250_port *up) - */ - static unsigned int autoconfig_read_divisor_id(struct uart_8250_port *p) - { -- unsigned char old_dll, old_dlm, old_lcr; -- unsigned int id; -+ unsigned char old_lcr; -+ unsigned int id, old_dl; - - old_lcr = serial_in(p, UART_LCR); - serial_out(p, UART_LCR, UART_LCR_CONF_MODE_A); -+ old_dl = serial_dl_read(p); -+ serial_dl_write(p, 0); -+ id = serial_dl_read(p); -+ serial_dl_write(p, old_dl); - -- old_dll = serial_in(p, UART_DLL); -- old_dlm = serial_in(p, UART_DLM); -- -- serial_out(p, UART_DLL, 0); -- serial_out(p, UART_DLM, 0); -- -- id = serial_in(p, UART_DLL) | serial_in(p, UART_DLM) << 8; -- -- serial_out(p, UART_DLL, old_dll); -- serial_out(p, UART_DLM, old_dlm); - serial_out(p, UART_LCR, old_lcr); - - return id; -diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c -index b8366b154fb9..921bf90bcc6a 100644 ---- a/drivers/tty/serial/samsung.c -+++ b/drivers/tty/serial/samsung.c -@@ -724,6 +724,8 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, - /* check to see if we need to change clock source */ - - if (ourport->baudclk != clk) { -+ clk_prepare_enable(clk); -+ - s3c24xx_serial_setsource(port, clk_sel); - - if (!IS_ERR(ourport->baudclk)) { -@@ -731,8 +733,6 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, - ourport->baudclk = ERR_PTR(-EINVAL); - } - -- clk_prepare_enable(clk); -- - ourport->baudclk = clk; - ourport->baudclk_rate = clk ? clk_get_rate(clk) : 0; - } -diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c -index db9d69fa1085..6dff194751f1 100644 ---- a/drivers/tty/vt/vt.c -+++ b/drivers/tty/vt/vt.c -@@ -3534,9 +3534,10 @@ static int do_register_con_driver(const struct consw *csw, int first, int last) - goto err; - - desc = csw->con_startup(); -- -- if (!desc) -+ if (!desc) { -+ retval = -ENODEV; - goto err; -+ } - - retval = -EINVAL; - -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index d6dab8adf60e..e7436ebbf04c 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -997,6 +997,9 @@ static int acm_probe(struct usb_interface *intf, - if (quirks == NO_UNION_NORMAL) { - data_interface = usb_ifnum_to_if(usb_dev, 1); - control_interface = usb_ifnum_to_if(usb_dev, 0); -+ /* we would crash */ -+ if (!data_interface || !control_interface) -+ return -ENODEV; - goto skip_normal_probe; - } - -diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c -index 2cdd5079ae78..f7310dd107ca 100644 ---- a/drivers/usb/core/driver.c -+++ b/drivers/usb/core/driver.c -@@ -461,11 +461,15 @@ static int usb_unbind_interface(struct device *dev) - int usb_driver_claim_interface(struct usb_driver *driver, - struct usb_interface *iface, void *priv) - { -- struct device *dev = &iface->dev; -+ struct device *dev; - struct usb_device *udev; - int retval = 0; - int lpm_disable_error; - -+ if (!iface) -+ return -ENODEV; -+ -+ dev = &iface->dev; - if (dev->driver) - return -EBUSY; - -diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c -index 4676917e2b1f..1eac8ddc5556 100644 ---- a/drivers/usb/core/hcd-pci.c -+++ b/drivers/usb/core/hcd-pci.c -@@ -74,6 +74,15 @@ static void for_each_companion(struct pci_dev *pdev, struct usb_hcd *hcd, - if (companion->bus != pdev->bus || - PCI_SLOT(companion->devfn) != slot) - continue; -+ -+ /* -+ * Companion device should be either UHCI,OHCI or EHCI host -+ * controller, otherwise skip. -+ */ -+ if (companion->class != CL_UHCI && companion->class != CL_OHCI && -+ companion->class != CL_EHCI) -+ continue; -+ - companion_hcd = pci_get_drvdata(companion); - if (!companion_hcd || !companion_hcd->self.root_hub) - continue; -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 92873f2773fc..8eb2de6beee4 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -4167,7 +4167,13 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, - r = -EPROTO; - break; - } -- if (r == 0) -+ /* -+ * Some devices time out if they are powered on -+ * when already connected. They need a second -+ * reset. But only on the first attempt, -+ * lest we get into a time out/reset loop -+ */ -+ if (r == 0 || (r == -ETIMEDOUT && j == 0)) - break; - } - udev->descriptor.bMaxPacketSize0 = -diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c -index 87e82e6b0c38..af9e4e8c9064 100644 ---- a/drivers/usb/host/xhci-mem.c -+++ b/drivers/usb/host/xhci-mem.c -@@ -1861,6 +1861,11 @@ no_bw: - kfree(xhci->port_array); - kfree(xhci->rh_bw); - -+ xhci->usb2_ports = NULL; -+ xhci->usb3_ports = NULL; -+ xhci->port_array = NULL; -+ xhci->rh_bw = NULL; -+ - xhci->page_size = 0; - xhci->page_shift = 0; - xhci->bus_state[0].bus_suspended = 0; -diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c -index d36f34e25bed..4c24ba0a6574 100644 ---- a/drivers/usb/misc/iowarrior.c -+++ b/drivers/usb/misc/iowarrior.c -@@ -792,6 +792,12 @@ static int iowarrior_probe(struct usb_interface *interface, - iface_desc = interface->cur_altsetting; - dev->product_id = le16_to_cpu(udev->descriptor.idProduct); - -+ if (iface_desc->desc.bNumEndpoints < 1) { -+ dev_err(&interface->dev, "Invalid number of endpoints\n"); -+ retval = -EINVAL; -+ goto error; -+ } -+ - /* set up the endpoint information */ - for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { - endpoint = &iface_desc->endpoint[i].desc; -diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c -index 45b94019aec8..157a9f9afc2d 100644 ---- a/drivers/usb/renesas_usbhs/fifo.c -+++ b/drivers/usb/renesas_usbhs/fifo.c -@@ -166,7 +166,8 @@ static int usbhsf_pkt_handler(struct usbhs_pipe *pipe, int type) - goto __usbhs_pkt_handler_end; - } - -- ret = func(pkt, &is_done); -+ if (likely(func)) -+ ret = func(pkt, &is_done); - - if (is_done) - __usbhsf_pkt_del(pkt); -@@ -933,6 +934,7 @@ static int usbhsf_dma_try_pop(struct usbhs_pkt *pkt, int *is_done) - - pkt->trans = len; - -+ usbhsf_tx_irq_ctrl(pipe, 0); - INIT_WORK(&pkt->work, xfer_work); - schedule_work(&pkt->work); - -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 84b770461655..0093261ccc57 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -108,6 +108,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */ - { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */ - { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */ -+ { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */ - { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */ - { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ - { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */ -@@ -117,6 +118,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */ - { USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */ - { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ -+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ - { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ - { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ - { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ -@@ -140,6 +142,8 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0xF004) }, /* Elan Digital Systems USBcount50 */ - { USB_DEVICE(0x10C5, 0xEA61) }, /* Silicon Labs MobiData GPRS USB Modem */ - { USB_DEVICE(0x10CE, 0xEA6A) }, /* Silicon Labs MobiData GPRS USB Modem 100EU */ -+ { USB_DEVICE(0x12B8, 0xEC60) }, /* Link G4 ECU */ -+ { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ - { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ - { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ - { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ -@@ -164,6 +168,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ - { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ - { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ -+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ - { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ -diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c -index 082120198f87..09f0f631389e 100644 ---- a/drivers/usb/serial/cypress_m8.c -+++ b/drivers/usb/serial/cypress_m8.c -@@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) - struct usb_serial *serial = port->serial; - struct cypress_private *priv; - -+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { -+ dev_err(&port->dev, "required endpoint is missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); - if (!priv) - return -ENOMEM; -@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) - cypress_set_termios(tty, port, &priv->tmp_termios); - - /* setup the port and start reading from the device */ -- if (!port->interrupt_in_urb) { -- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", -- __func__); -- return -1; -- } -- - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, - usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), - port->interrupt_in_urb->transfer_buffer, -diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c -index 7b807d389527..8c34d9cfb226 100644 ---- a/drivers/usb/serial/digi_acceleport.c -+++ b/drivers/usb/serial/digi_acceleport.c -@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) - - static int digi_startup(struct usb_serial *serial) - { -+ struct device *dev = &serial->interface->dev; - struct digi_serial *serial_priv; - int ret; -+ int i; -+ -+ /* check whether the device has the expected number of endpoints */ -+ if (serial->num_port_pointers < serial->type->num_ports + 1) { -+ dev_err(dev, "OOB endpoints missing\n"); -+ return -ENODEV; -+ } -+ -+ for (i = 0; i < serial->type->num_ports + 1 ; i++) { -+ if (!serial->port[i]->read_urb) { -+ dev_err(dev, "bulk-in endpoint missing\n"); -+ return -ENODEV; -+ } -+ if (!serial->port[i]->write_urb) { -+ dev_err(dev, "bulk-out endpoint missing\n"); -+ return -ENODEV; -+ } -+ } - - serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); - if (!serial_priv) -diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c -index 1477e8593476..c574d312f1f5 100644 ---- a/drivers/usb/serial/io_edgeport.c -+++ b/drivers/usb/serial/io_edgeport.c -@@ -2988,16 +2988,9 @@ static void edge_disconnect(struct usb_serial *serial) - { - struct edgeport_serial *edge_serial = usb_get_serial_data(serial); - -- /* stop reads and writes on all ports */ -- /* free up our endpoint stuff */ - if (edge_serial->is_epic) { - usb_kill_urb(edge_serial->interrupt_read_urb); -- usb_free_urb(edge_serial->interrupt_read_urb); -- kfree(edge_serial->interrupt_in_buffer); -- - usb_kill_urb(edge_serial->read_urb); -- usb_free_urb(edge_serial->read_urb); -- kfree(edge_serial->bulk_in_buffer); - } - } - -@@ -3010,6 +3003,16 @@ static void edge_release(struct usb_serial *serial) - { - struct edgeport_serial *edge_serial = usb_get_serial_data(serial); - -+ if (edge_serial->is_epic) { -+ usb_kill_urb(edge_serial->interrupt_read_urb); -+ usb_free_urb(edge_serial->interrupt_read_urb); -+ kfree(edge_serial->interrupt_in_buffer); -+ -+ usb_kill_urb(edge_serial->read_urb); -+ usb_free_urb(edge_serial->read_urb); -+ kfree(edge_serial->bulk_in_buffer); -+ } -+ - kfree(edge_serial); - } - -diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c -index cec377b8bb8b..32a67c69eec8 100644 ---- a/drivers/usb/serial/keyspan.c -+++ b/drivers/usb/serial/keyspan.c -@@ -2392,6 +2392,10 @@ static void keyspan_release(struct usb_serial *serial) - - s_priv = usb_get_serial_data(serial); - -+ /* Make sure to unlink the URBs submitted in attach. */ -+ usb_kill_urb(s_priv->instat_urb); -+ usb_kill_urb(s_priv->indat_urb); -+ - usb_free_urb(s_priv->instat_urb); - usb_free_urb(s_priv->indat_urb); - usb_free_urb(s_priv->glocont_urb); -diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c -index 6a15adf53360..c14c29ff1151 100644 ---- a/drivers/usb/serial/mct_u232.c -+++ b/drivers/usb/serial/mct_u232.c -@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, - - static int mct_u232_port_probe(struct usb_serial_port *port) - { -+ struct usb_serial *serial = port->serial; - struct mct_u232_private *priv; - -+ /* check first to simplify error handling */ -+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { -+ dev_err(&port->dev, "expected endpoint missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (!priv) - return -ENOMEM; - - /* Use second interrupt-in endpoint for reading. */ -- priv->read_urb = port->serial->port[1]->interrupt_in_urb; -+ priv->read_urb = serial->port[1]->interrupt_in_urb; - priv->read_urb->context = port; - - spin_lock_init(&priv->lock); -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 24366a2afea6..bcb6f5c2bae4 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -375,18 +375,22 @@ static void option_instat_callback(struct urb *urb); - #define HAIER_PRODUCT_CE81B 0x10f8 - #define HAIER_PRODUCT_CE100 0x2009 - --/* Cinterion (formerly Siemens) products */ --#define SIEMENS_VENDOR_ID 0x0681 --#define CINTERION_VENDOR_ID 0x1e2d -+/* Gemalto's Cinterion products (formerly Siemens) */ -+#define SIEMENS_VENDOR_ID 0x0681 -+#define CINTERION_VENDOR_ID 0x1e2d -+#define CINTERION_PRODUCT_HC25_MDMNET 0x0040 - #define CINTERION_PRODUCT_HC25_MDM 0x0047 --#define CINTERION_PRODUCT_HC25_MDMNET 0x0040 -+#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */ - #define CINTERION_PRODUCT_HC28_MDM 0x004C --#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */ - #define CINTERION_PRODUCT_EU3_E 0x0051 - #define CINTERION_PRODUCT_EU3_P 0x0052 - #define CINTERION_PRODUCT_PH8 0x0053 - #define CINTERION_PRODUCT_AHXX 0x0055 - #define CINTERION_PRODUCT_PLXX 0x0060 -+#define CINTERION_PRODUCT_PH8_2RMNET 0x0082 -+#define CINTERION_PRODUCT_PH8_AUDIO 0x0083 -+#define CINTERION_PRODUCT_AHXX_2RMNET 0x0084 -+#define CINTERION_PRODUCT_AHXX_AUDIO 0x0085 - - /* Olivetti products */ - #define OLIVETTI_VENDOR_ID 0x0b3c -@@ -641,6 +645,10 @@ static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { - .reserved = BIT(1) | BIT(2) | BIT(3), - }; - -+static const struct option_blacklist_info cinterion_rmnet2_blacklist = { -+ .reserved = BIT(4) | BIT(5), -+}; -+ - static const struct usb_device_id option_ids[] = { - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, -@@ -1712,7 +1720,13 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff), -+ .driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff), -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) }, -+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) }, - { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) }, - { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) }, -@@ -1818,6 +1832,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) }, -+ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */ -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ - { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ - { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ -diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c -index 02b0803425c5..13824b5ca343 100644 ---- a/drivers/usb/serial/quatech2.c -+++ b/drivers/usb/serial/quatech2.c -@@ -141,6 +141,7 @@ static void qt2_release(struct usb_serial *serial) - - serial_priv = usb_get_serial_data(serial); - -+ usb_kill_urb(serial_priv->read_urb); - usb_free_urb(serial_priv->read_urb); - kfree(serial_priv); - } -diff --git a/drivers/video/da8xx-fb.c b/drivers/video/da8xx-fb.c -index 0810939936f4..b13bfb2e52a2 100644 ---- a/drivers/video/da8xx-fb.c -+++ b/drivers/video/da8xx-fb.c -@@ -226,8 +226,7 @@ static struct fb_videomode known_lcd_panels[] = { - .lower_margin = 2, - .hsync_len = 0, - .vsync_len = 0, -- .sync = FB_SYNC_CLK_INVERT | -- FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, -+ .sync = FB_SYNC_CLK_INVERT, - }, - /* Sharp LK043T1DG01 */ - [1] = { -@@ -241,7 +240,7 @@ static struct fb_videomode known_lcd_panels[] = { - .lower_margin = 2, - .hsync_len = 41, - .vsync_len = 10, -- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, -+ .sync = 0, - .flag = 0, - }, - [2] = { -@@ -256,7 +255,7 @@ static struct fb_videomode known_lcd_panels[] = { - .lower_margin = 10, - .hsync_len = 10, - .vsync_len = 10, -- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, -+ .sync = 0, - .flag = 0, - }, - }; -diff --git a/drivers/watchdog/rc32434_wdt.c b/drivers/watchdog/rc32434_wdt.c -index f78bc008cbb7..ea8f58216d4d 100644 ---- a/drivers/watchdog/rc32434_wdt.c -+++ b/drivers/watchdog/rc32434_wdt.c -@@ -237,7 +237,7 @@ static long rc32434_wdt_ioctl(struct file *file, unsigned int cmd, - return -EINVAL; - /* Fall through */ - case WDIOC_GETTIMEOUT: -- return copy_to_user(argp, &timeout, sizeof(int)); -+ return copy_to_user(argp, &timeout, sizeof(int)) ? -EFAULT : 0; - default: - return -ENOTTY; - } -diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c -index 8edc9eb1ef7b..d65e16e9d1d9 100644 ---- a/fs/cifs/sess.c -+++ b/fs/cifs/sess.c -@@ -487,19 +487,27 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, - sec_blob->LmChallengeResponse.MaximumLength = 0; - - sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer); -- rc = setup_ntlmv2_rsp(ses, nls_cp); -- if (rc) { -- cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); -- goto setup_ntlmv2_ret; -- } -- memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, -- ses->auth_key.len - CIFS_SESS_KEY_SIZE); -- tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; -+ if (ses->user_name != NULL) { -+ rc = setup_ntlmv2_rsp(ses, nls_cp); -+ if (rc) { -+ cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); -+ goto setup_ntlmv2_ret; -+ } -+ memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, -+ ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; - -- sec_blob->NtChallengeResponse.Length = -- cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -- sec_blob->NtChallengeResponse.MaximumLength = -- cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ sec_blob->NtChallengeResponse.Length = -+ cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ sec_blob->NtChallengeResponse.MaximumLength = -+ cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ } else { -+ /* -+ * don't send an NT Response for anonymous access -+ */ -+ sec_blob->NtChallengeResponse.Length = 0; -+ sec_blob->NtChallengeResponse.MaximumLength = 0; -+ } - - if (ses->domainName == NULL) { - sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 6f74b8919237..046e3e93783e 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -851,6 +851,29 @@ do { \ - #include "extents_status.h" - - /* -+ * Lock subclasses for i_data_sem in the ext4_inode_info structure. -+ * -+ * These are needed to avoid lockdep false positives when we need to -+ * allocate blocks to the quota inode during ext4_map_blocks(), while -+ * holding i_data_sem for a normal (non-quota) inode. Since we don't -+ * do quota tracking for the quota inode, this avoids deadlock (as -+ * well as infinite recursion, since it isn't turtles all the way -+ * down...) -+ * -+ * I_DATA_SEM_NORMAL - Used for most inodes -+ * I_DATA_SEM_OTHER - Used by move_inode.c for the second normal inode -+ * where the second inode has larger inode number -+ * than the first -+ * I_DATA_SEM_QUOTA - Used for quota inodes only -+ */ -+enum { -+ I_DATA_SEM_NORMAL = 0, -+ I_DATA_SEM_OTHER, -+ I_DATA_SEM_QUOTA, -+}; -+ -+ -+/* - * fourth extended file system inode data in memory - */ - struct ext4_inode_info { -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index 10b71e4029a0..fb7e576df25c 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -5063,6 +5063,8 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) - might_sleep(); - trace_ext4_mark_inode_dirty(inode, _RET_IP_); - err = ext4_reserve_inode_write(handle, inode, &iloc); -+ if (err) -+ return err; - if (ext4_handle_valid(handle) && - EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize && - !ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) { -@@ -5093,9 +5095,7 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) - } - } - } -- if (!err) -- err = ext4_mark_iloc_dirty(handle, inode, &iloc); -- return err; -+ return ext4_mark_iloc_dirty(handle, inode, &iloc); - } - - /* -diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c -index 3dcbf364022f..ad52ace2b79a 100644 ---- a/fs/ext4/move_extent.c -+++ b/fs/ext4/move_extent.c -@@ -154,10 +154,10 @@ ext4_double_down_write_data_sem(struct inode *first, struct inode *second) - { - if (first < second) { - down_write(&EXT4_I(first)->i_data_sem); -- down_write_nested(&EXT4_I(second)->i_data_sem, SINGLE_DEPTH_NESTING); -+ down_write_nested(&EXT4_I(second)->i_data_sem, I_DATA_SEM_OTHER); - } else { - down_write(&EXT4_I(second)->i_data_sem); -- down_write_nested(&EXT4_I(first)->i_data_sem, SINGLE_DEPTH_NESTING); -+ down_write_nested(&EXT4_I(first)->i_data_sem, I_DATA_SEM_OTHER); - - } - } -@@ -1117,6 +1117,13 @@ mext_check_arguments(struct inode *orig_inode, - return -EINVAL; - } - -+ if (IS_NOQUOTA(orig_inode) || IS_NOQUOTA(donor_inode)) { -+ ext4_debug("ext4 move extent: The argument files should " -+ "not be quota files [ino:orig %lu, donor %lu]\n", -+ orig_inode->i_ino, donor_inode->i_ino); -+ return -EBUSY; -+ } -+ - /* Ext4 move extent supports only extent based file */ - if (!(ext4_test_inode_flag(orig_inode, EXT4_INODE_EXTENTS))) { - ext4_debug("ext4 move extent: orig file is not extents " -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index a7e079749425..063eb5094a63 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -4984,6 +4984,20 @@ static int ext4_quota_on_mount(struct super_block *sb, int type) - EXT4_SB(sb)->s_jquota_fmt, type); - } - -+static void lockdep_set_quota_inode(struct inode *inode, int subclass) -+{ -+ struct ext4_inode_info *ei = EXT4_I(inode); -+ -+ /* The first argument of lockdep_set_subclass has to be -+ * *exactly* the same as the argument to init_rwsem() --- in -+ * this case, in init_once() --- or lockdep gets unhappy -+ * because the name of the lock is set using the -+ * stringification of the argument to init_rwsem(). -+ */ -+ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */ -+ lockdep_set_subclass(&ei->i_data_sem, subclass); -+} -+ - /* - * Standard function to be called on quota_on - */ -@@ -5023,8 +5037,12 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, - if (err) - return err; - } -- -- return dquot_quota_on(sb, type, format_id, path); -+ lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA); -+ err = dquot_quota_on(sb, type, format_id, path); -+ if (err) -+ lockdep_set_quota_inode(path->dentry->d_inode, -+ I_DATA_SEM_NORMAL); -+ return err; - } - - static int ext4_quota_enable(struct super_block *sb, int type, int format_id, -@@ -5050,8 +5068,11 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, - - /* Don't account quota for quota files to avoid recursion */ - qf_inode->i_flags |= S_NOQUOTA; -+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA); - err = dquot_enable(qf_inode, type, format_id, flags); - iput(qf_inode); -+ if (err) -+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL); - - return err; - } -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index 735d7522a3a9..204659a5f6db 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de, - int retnamlen = 0; - int truncate = 0; - int ret = 0; -+ char *p; -+ int len; - - if (!ISOFS_SB(inode->i_sb)->s_rock) - return 0; -@@ -267,12 +269,17 @@ repeat: - rr->u.NM.flags); - break; - } -- if ((strlen(retname) + rr->len - 5) >= 254) { -+ len = rr->len - 5; -+ if (retnamlen + len >= 254) { - truncate = 1; - break; - } -- strncat(retname, rr->u.NM.name, rr->len - 5); -- retnamlen += rr->len - 5; -+ p = memchr(rr->u.NM.name, '\0', len); -+ if (unlikely(p)) -+ len = p - rr->u.NM.name; -+ memcpy(retname + retnamlen, rr->u.NM.name, len); -+ retnamlen += len; -+ retname[retnamlen] = '\0'; - break; - case SIG('R', 'E'): - kfree(rs.buffer); -diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c -index 644f95e7208f..85733dd95e14 100644 ---- a/fs/jbd2/journal.c -+++ b/fs/jbd2/journal.c -@@ -1407,11 +1407,12 @@ out: - /** - * jbd2_mark_journal_empty() - Mark on disk journal as empty. - * @journal: The journal to update. -+ * @write_op: With which operation should we write the journal sb - * - * Update a journal's dynamic superblock fields to show that journal is empty. - * Write updated superblock to disk waiting for IO to complete. - */ --static void jbd2_mark_journal_empty(journal_t *journal) -+static void jbd2_mark_journal_empty(journal_t *journal, int write_op) - { - journal_superblock_t *sb = journal->j_superblock; - -@@ -1429,7 +1430,7 @@ static void jbd2_mark_journal_empty(journal_t *journal) - sb->s_start = cpu_to_be32(0); - read_unlock(&journal->j_state_lock); - -- jbd2_write_superblock(journal, WRITE_FUA); -+ jbd2_write_superblock(journal, write_op); - - /* Log is no longer empty */ - write_lock(&journal->j_state_lock); -@@ -1697,7 +1698,13 @@ int jbd2_journal_destroy(journal_t *journal) - if (journal->j_sb_buffer) { - if (!is_journal_aborted(journal)) { - mutex_lock(&journal->j_checkpoint_mutex); -- jbd2_mark_journal_empty(journal); -+ -+ write_lock(&journal->j_state_lock); -+ journal->j_tail_sequence = -+ ++journal->j_transaction_sequence; -+ write_unlock(&journal->j_state_lock); -+ -+ jbd2_mark_journal_empty(journal, WRITE_FLUSH_FUA); - mutex_unlock(&journal->j_checkpoint_mutex); - } else - err = -EIO; -@@ -1952,7 +1959,7 @@ int jbd2_journal_flush(journal_t *journal) - * the magic code for a fully-recovered superblock. Any future - * commits of data to the journal will restore the current - * s_start value. */ -- jbd2_mark_journal_empty(journal); -+ jbd2_mark_journal_empty(journal, WRITE_FUA); - mutex_unlock(&journal->j_checkpoint_mutex); - write_lock(&journal->j_state_lock); - J_ASSERT(!journal->j_running_transaction); -@@ -1998,7 +2005,7 @@ int jbd2_journal_wipe(journal_t *journal, int write) - if (write) { - /* Lock to make assertions happy... */ - mutex_lock(&journal->j_checkpoint_mutex); -- jbd2_mark_journal_empty(journal); -+ jbd2_mark_journal_empty(journal, WRITE_FUA); - mutex_unlock(&journal->j_checkpoint_mutex); - } - -diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c -index 29a886d1e82c..f65bdcf61526 100644 ---- a/fs/ocfs2/dlm/dlmconvert.c -+++ b/fs/ocfs2/dlm/dlmconvert.c -@@ -265,6 +265,7 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, - struct dlm_lock *lock, int flags, int type) - { - enum dlm_status status; -+ u8 old_owner = res->owner; - - mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type, - lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS); -@@ -290,6 +291,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, - status = DLM_DENIED; - goto bail; - } -+ -+ if (lock->ml.type == type && lock->ml.convert_type == LKM_IVMODE) { -+ mlog(0, "last convert request returned DLM_RECOVERING, but " -+ "owner has already queued and sent ast to me. res %.*s, " -+ "(cookie=%u:%llu, type=%d, conv=%d)\n", -+ res->lockname.len, res->lockname.name, -+ dlm_get_lock_cookie_node(be64_to_cpu(lock->ml.cookie)), -+ dlm_get_lock_cookie_seq(be64_to_cpu(lock->ml.cookie)), -+ lock->ml.type, lock->ml.convert_type); -+ status = DLM_NORMAL; -+ goto bail; -+ } -+ - res->state |= DLM_LOCK_RES_IN_PROGRESS; - /* move lock to local convert queue */ - /* do not alter lock refcount. switching lists. */ -@@ -319,11 +333,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, - spin_lock(&res->spinlock); - res->state &= ~DLM_LOCK_RES_IN_PROGRESS; - lock->convert_pending = 0; -- /* if it failed, move it back to granted queue */ -+ /* if it failed, move it back to granted queue. -+ * if master returns DLM_NORMAL and then down before sending ast, -+ * it may have already been moved to granted queue, reset to -+ * DLM_RECOVERING and retry convert */ - if (status != DLM_NORMAL) { - if (status != DLM_NOTQUEUED) - dlm_error(status); - dlm_revert_pending_convert(res, lock); -+ } else if ((res->state & DLM_LOCK_RES_RECOVERING) || -+ (old_owner != res->owner)) { -+ mlog(0, "res %.*s is in recovering or has been recovered.\n", -+ res->lockname.len, res->lockname.name); -+ status = DLM_RECOVERING; - } - bail: - spin_unlock(&res->spinlock); -diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c -index 01c69f24e416..33e9d705ee8f 100644 ---- a/fs/ocfs2/dlm/dlmrecovery.c -+++ b/fs/ocfs2/dlm/dlmrecovery.c -@@ -2034,7 +2034,6 @@ void dlm_move_lockres_to_recovery_list(struct dlm_ctxt *dlm, - dlm_lock_get(lock); - if (lock->convert_pending) { - /* move converting lock back to granted */ -- BUG_ON(i != DLM_CONVERTING_LIST); - mlog(0, "node died with convert pending " - "on %.*s. move back to granted list.\n", - res->lockname.len, res->lockname.name); -diff --git a/fs/pipe.c b/fs/pipe.c -index 3e7ab278bb0c..50267e6ba688 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - void *addr; - size_t chars = buf->len, remaining; - int error, atomic; -+ int offset; - - if (chars > total_len) - chars = total_len; -@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - - atomic = !iov_fault_in_pages_write(iov, chars); - remaining = chars; -+ offset = buf->offset; - redo: - addr = ops->map(pipe, buf, atomic); -- error = pipe_iov_copy_to_user(iov, addr, &buf->offset, -+ error = pipe_iov_copy_to_user(iov, addr, &offset, - &remaining, atomic); - ops->unmap(pipe, buf, addr); - if (unlikely(error)) { -@@ -432,6 +434,7 @@ redo: - break; - } - ret += chars; -+ buf->offset += chars; - buf->len -= chars; - - /* Was it a packet buffer? Clean up and exit */ -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 7b5d453ebf53..e5160b744d0b 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -844,7 +844,8 @@ static ssize_t environ_read(struct file *file, char __user *buf, - int ret = 0; - struct mm_struct *mm = file->private_data; - -- if (!mm) -+ /* Ensure the process spawned far enough to have an environment. */ -+ if (!mm || !mm->env_end) - return 0; - - page = (char *)__get_free_page(GFP_TEMPORARY); -diff --git a/fs/splice.c b/fs/splice.c -index 3b94a6bba29f..2ffa7b0c62fd 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -189,6 +189,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, - unsigned int spd_pages = spd->nr_pages; - int ret, do_wakeup, page_nr; - -+ if (!spd_pages) -+ return 0; -+ - ret = 0; - do_wakeup = 0; - page_nr = 0; -diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h -index 02ae99e8e6d3..953cd12175c4 100644 ---- a/include/linux/compiler-gcc.h -+++ b/include/linux/compiler-gcc.h -@@ -100,10 +100,116 @@ - #define __maybe_unused __attribute__((unused)) - #define __always_unused __attribute__((unused)) - --#define __gcc_header(x) #x --#define _gcc_header(x) __gcc_header(linux/compiler-gcc##x.h) --#define gcc_header(x) _gcc_header(x) --#include gcc_header(__GNUC__) -+/* gcc version specific checks */ -+ -+#if GCC_VERSION < 30200 -+# error Sorry, your compiler is too old - please upgrade it. -+#endif -+ -+#if GCC_VERSION < 30300 -+# define __used __attribute__((__unused__)) -+#else -+# define __used __attribute__((__used__)) -+#endif -+ -+#ifdef CONFIG_GCOV_KERNEL -+# if GCC_VERSION < 30400 -+# error "GCOV profiling support for gcc versions below 3.4 not included" -+# endif /* __GNUC_MINOR__ */ -+#endif /* CONFIG_GCOV_KERNEL */ -+ -+#if GCC_VERSION >= 30400 -+#define __must_check __attribute__((warn_unused_result)) -+#endif -+ -+#if GCC_VERSION >= 40000 -+ -+/* GCC 4.1.[01] miscompiles __weak */ -+#ifdef __KERNEL__ -+# if GCC_VERSION >= 40100 && GCC_VERSION <= 40101 -+# error Your version of gcc miscompiles the __weak directive -+# endif -+#endif -+ -+#define __used __attribute__((__used__)) -+#define __compiler_offsetof(a, b) \ -+ __builtin_offsetof(a, b) -+ -+#if GCC_VERSION >= 40100 && GCC_VERSION < 40600 -+# define __compiletime_object_size(obj) __builtin_object_size(obj, 0) -+#endif -+ -+#if GCC_VERSION >= 40300 -+/* Mark functions as cold. gcc will assume any path leading to a call -+ * to them will be unlikely. This means a lot of manual unlikely()s -+ * are unnecessary now for any paths leading to the usual suspects -+ * like BUG(), printk(), panic() etc. [but let's keep them for now for -+ * older compilers] -+ * -+ * Early snapshots of gcc 4.3 don't support this and we can't detect this -+ * in the preprocessor, but we can live with this because they're unreleased. -+ * Maketime probing would be overkill here. -+ * -+ * gcc also has a __attribute__((__hot__)) to move hot functions into -+ * a special section, but I don't see any sense in this right now in -+ * the kernel context -+ */ -+#define __cold __attribute__((__cold__)) -+ -+#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -+ -+#ifndef __CHECKER__ -+# define __compiletime_warning(message) __attribute__((warning(message))) -+# define __compiletime_error(message) __attribute__((error(message))) -+#endif /* __CHECKER__ */ -+#endif /* GCC_VERSION >= 40300 */ -+ -+#if GCC_VERSION >= 40500 -+/* -+ * Mark a position in code as unreachable. This can be used to -+ * suppress control flow warnings after asm blocks that transfer -+ * control elsewhere. -+ * -+ * Early snapshots of gcc 4.5 don't support this and we can't detect -+ * this in the preprocessor, but we can live with this because they're -+ * unreleased. Really, we need to have autoconf for the kernel. -+ */ -+#define unreachable() __builtin_unreachable() -+ -+/* Mark a function definition as prohibited from being cloned. */ -+#define __noclone __attribute__((__noclone__, __optimize__("no-tracer"))) -+ -+#endif /* GCC_VERSION >= 40500 */ -+ -+#if GCC_VERSION >= 40600 -+/* -+ * Tell the optimizer that something else uses this function or variable. -+ */ -+#define __visible __attribute__((externally_visible)) -+#endif -+ -+/* -+ * GCC 'asm goto' miscompiles certain code sequences: -+ * -+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -+ * -+ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -+ * -+ * (asm goto is automatically volatile - the naming reflects this.) -+ */ -+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -+ -+#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP -+#if GCC_VERSION >= 40400 -+#define __HAVE_BUILTIN_BSWAP32__ -+#define __HAVE_BUILTIN_BSWAP64__ -+#endif -+#if GCC_VERSION >= 40800 || (defined(__powerpc__) && GCC_VERSION >= 40600) -+#define __HAVE_BUILTIN_BSWAP16__ -+#endif -+#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -+ -+#endif /* gcc version >= 40000 specific checks */ - - #if !defined(__noclone) - #define __noclone /* not needed */ -diff --git a/include/linux/compiler-gcc3.h b/include/linux/compiler-gcc3.h -deleted file mode 100644 -index 7d89febe4d79..000000000000 ---- a/include/linux/compiler-gcc3.h -+++ /dev/null -@@ -1,23 +0,0 @@ --#ifndef __LINUX_COMPILER_H --#error "Please don't include directly, include instead." --#endif -- --#if GCC_VERSION < 30200 --# error Sorry, your compiler is too old - please upgrade it. --#endif -- --#if GCC_VERSION >= 30300 --# define __used __attribute__((__used__)) --#else --# define __used __attribute__((__unused__)) --#endif -- --#if GCC_VERSION >= 30400 --#define __must_check __attribute__((warn_unused_result)) --#endif -- --#ifdef CONFIG_GCOV_KERNEL --# if GCC_VERSION < 30400 --# error "GCOV profiling support for gcc versions below 3.4 not included" --# endif /* __GNUC_MINOR__ */ --#endif /* CONFIG_GCOV_KERNEL */ -diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h -deleted file mode 100644 -index 2507fd2a1eb4..000000000000 ---- a/include/linux/compiler-gcc4.h -+++ /dev/null -@@ -1,88 +0,0 @@ --#ifndef __LINUX_COMPILER_H --#error "Please don't include directly, include instead." --#endif -- --/* GCC 4.1.[01] miscompiles __weak */ --#ifdef __KERNEL__ --# if GCC_VERSION >= 40100 && GCC_VERSION <= 40101 --# error Your version of gcc miscompiles the __weak directive --# endif --#endif -- --#define __used __attribute__((__used__)) --#define __must_check __attribute__((warn_unused_result)) --#define __compiler_offsetof(a,b) __builtin_offsetof(a,b) -- --#if GCC_VERSION >= 40100 && GCC_VERSION < 40600 --# define __compiletime_object_size(obj) __builtin_object_size(obj, 0) --#endif -- --#if GCC_VERSION >= 40300 --/* Mark functions as cold. gcc will assume any path leading to a call -- to them will be unlikely. This means a lot of manual unlikely()s -- are unnecessary now for any paths leading to the usual suspects -- like BUG(), printk(), panic() etc. [but let's keep them for now for -- older compilers] -- -- Early snapshots of gcc 4.3 don't support this and we can't detect this -- in the preprocessor, but we can live with this because they're unreleased. -- Maketime probing would be overkill here. -- -- gcc also has a __attribute__((__hot__)) to move hot functions into -- a special section, but I don't see any sense in this right now in -- the kernel context */ --#define __cold __attribute__((__cold__)) -- --#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -- --#ifndef __CHECKER__ --# define __compiletime_warning(message) __attribute__((warning(message))) --# define __compiletime_error(message) __attribute__((error(message))) --#endif /* __CHECKER__ */ --#endif /* GCC_VERSION >= 40300 */ -- --#if GCC_VERSION >= 40500 --/* -- * Mark a position in code as unreachable. This can be used to -- * suppress control flow warnings after asm blocks that transfer -- * control elsewhere. -- * -- * Early snapshots of gcc 4.5 don't support this and we can't detect -- * this in the preprocessor, but we can live with this because they're -- * unreleased. Really, we need to have autoconf for the kernel. -- */ --#define unreachable() __builtin_unreachable() -- --/* Mark a function definition as prohibited from being cloned. */ --#define __noclone __attribute__((__noclone__)) -- --#endif /* GCC_VERSION >= 40500 */ -- --#if GCC_VERSION >= 40600 --/* -- * Tell the optimizer that something else uses this function or variable. -- */ --#define __visible __attribute__((externally_visible)) --#endif -- --/* -- * GCC 'asm goto' miscompiles certain code sequences: -- * -- * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -- * -- * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -- * Fixed in GCC 4.8.2 and later versions. -- * -- * (asm goto is automatically volatile - the naming reflects this.) -- */ --#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -- --#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP --#if GCC_VERSION >= 40400 --#define __HAVE_BUILTIN_BSWAP32__ --#define __HAVE_BUILTIN_BSWAP64__ --#endif --#if GCC_VERSION >= 40800 || (defined(__powerpc__) && GCC_VERSION >= 40600) --#define __HAVE_BUILTIN_BSWAP16__ --#endif --#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h -deleted file mode 100644 -index cdd1cc202d51..000000000000 ---- a/include/linux/compiler-gcc5.h -+++ /dev/null -@@ -1,66 +0,0 @@ --#ifndef __LINUX_COMPILER_H --#error "Please don't include directly, include instead." --#endif -- --#define __used __attribute__((__used__)) --#define __must_check __attribute__((warn_unused_result)) --#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) -- --/* Mark functions as cold. gcc will assume any path leading to a call -- to them will be unlikely. This means a lot of manual unlikely()s -- are unnecessary now for any paths leading to the usual suspects -- like BUG(), printk(), panic() etc. [but let's keep them for now for -- older compilers] -- -- Early snapshots of gcc 4.3 don't support this and we can't detect this -- in the preprocessor, but we can live with this because they're unreleased. -- Maketime probing would be overkill here. -- -- gcc also has a __attribute__((__hot__)) to move hot functions into -- a special section, but I don't see any sense in this right now in -- the kernel context */ --#define __cold __attribute__((__cold__)) -- --#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -- --#ifndef __CHECKER__ --# define __compiletime_warning(message) __attribute__((warning(message))) --# define __compiletime_error(message) __attribute__((error(message))) --#endif /* __CHECKER__ */ -- --/* -- * Mark a position in code as unreachable. This can be used to -- * suppress control flow warnings after asm blocks that transfer -- * control elsewhere. -- * -- * Early snapshots of gcc 4.5 don't support this and we can't detect -- * this in the preprocessor, but we can live with this because they're -- * unreleased. Really, we need to have autoconf for the kernel. -- */ --#define unreachable() __builtin_unreachable() -- --/* Mark a function definition as prohibited from being cloned. */ --#define __noclone __attribute__((__noclone__)) -- --/* -- * Tell the optimizer that something else uses this function or variable. -- */ --#define __visible __attribute__((externally_visible)) -- --/* -- * GCC 'asm goto' miscompiles certain code sequences: -- * -- * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -- * -- * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -- * Fixed in GCC 4.8.2 and later versions. -- * -- * (asm goto is automatically volatile - the naming reflects this.) -- */ --#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -- --#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP --#define __HAVE_BUILTIN_BSWAP32__ --#define __HAVE_BUILTIN_BSWAP64__ --#define __HAVE_BUILTIN_BSWAP16__ --#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 341551c7b4c8..5f4554b8348a 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -557,7 +557,7 @@ do { \ - - #define do_trace_printk(fmt, args...) \ - do { \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(fmt) ? fmt : NULL; \ - \ -@@ -604,7 +604,7 @@ extern int __trace_puts(unsigned long ip, const char *str, int size); - */ - - #define trace_puts(str) ({ \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(str) ? str : NULL; \ - \ -@@ -624,7 +624,7 @@ extern void trace_dump_stack(int skip); - #define ftrace_vprintk(fmt, vargs) \ - do { \ - if (__builtin_constant_p(fmt)) { \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(fmt) ? fmt : NULL; \ - \ -diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h -index b3bd7e737e8b..d31364857aa8 100644 ---- a/include/linux/mod_devicetable.h -+++ b/include/linux/mod_devicetable.h -@@ -397,6 +397,7 @@ struct virtio_device_id { - /* - * For Hyper-V devices we use the device guid as the id. - */ -+#define vmbus_device_id hv_vmbus_device_id - struct hv_vmbus_device_id { - __u8 guid[16]; - kernel_ulong_t driver_data; /* Data private to the driver */ -@@ -547,6 +548,11 @@ struct amba_id { - * See documentation of "x86_match_cpu" for details. - */ - -+/* -+ * MODULE_DEVICE_TABLE expects this struct to be called x86cpu_device_id. -+ * Although gcc seems to ignore this error, clang fails without this define. -+ */ -+#define x86cpu_device_id x86_cpu_id - struct x86_cpu_id { - __u16 vendor; - __u16 family; -@@ -574,6 +580,7 @@ struct ipack_device_id { - #define MEI_CL_MODULE_PREFIX "mei:" - #define MEI_CL_NAME_SIZE 32 - -+#define mei_device_id mei_cl_device_id - struct mei_cl_device_id { - char name[MEI_CL_NAME_SIZE]; - kernel_ulong_t driver_info; -diff --git a/include/linux/pci.h b/include/linux/pci.h -index 102136ab1a5f..655ef37fd139 100644 ---- a/include/linux/pci.h -+++ b/include/linux/pci.h -@@ -330,6 +330,7 @@ struct pci_dev { - unsigned int __aer_firmware_first:1; - unsigned int broken_intx_masking:1; - unsigned int io_window_1k:1; /* Intel P2P bridge 1K I/O windows */ -+ unsigned int non_compliant_bars:1; /* broken BARs; ignore them */ - pci_dev_flags_t dev_flags; - atomic_t enable_cnt; /* pci_enable_device has been called */ - -diff --git a/include/linux/poison.h b/include/linux/poison.h -index 2110a81c5e2a..253c9b4198ef 100644 ---- a/include/linux/poison.h -+++ b/include/linux/poison.h -@@ -19,8 +19,8 @@ - * under normal circumstances, used to verify that nobody uses - * non-initialized list entries. - */ --#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA) --#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA) -+#define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA) -+#define LIST_POISON2 ((void *) 0x200 + POISON_POINTER_DELTA) - - /********** include/linux/timer.h **********/ - /* -diff --git a/include/uapi/linux/const.h b/include/uapi/linux/const.h -index c22c707c455d..c872bfd25e13 100644 ---- a/include/uapi/linux/const.h -+++ b/include/uapi/linux/const.h -@@ -21,4 +21,7 @@ - #define _AT(T,X) ((T)(X)) - #endif - -+#define _BITUL(x) (_AC(1,UL) << (x)) -+#define _BITULL(x) (_AC(1,ULL) << (x)) -+ - #endif /* !(_LINUX_CONST_H) */ -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index f234c84d36c8..655d6110a6e1 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -5217,6 +5217,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu) - - case CPU_UP_PREPARE: - rq->calc_load_update = calc_load_update; -+ account_reset_rq(rq); - break; - - case CPU_ONLINE: -diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h -index dfa31d533e3f..e7f4d554fa5d 100644 ---- a/kernel/sched/sched.h -+++ b/kernel/sched/sched.h -@@ -1378,3 +1378,16 @@ static inline u64 irq_time_read(int cpu) - } - #endif /* CONFIG_64BIT */ - #endif /* CONFIG_IRQ_TIME_ACCOUNTING */ -+ -+static inline void account_reset_rq(struct rq *rq) -+{ -+#ifdef CONFIG_IRQ_TIME_ACCOUNTING -+ rq->prev_irq_time = 0; -+#endif -+#ifdef CONFIG_PARAVIRT -+ rq->prev_steal_time = 0; -+#endif -+#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING -+ rq->prev_steal_time_rq = 0; -+#endif -+} -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index cb73c4e0741e..c4ce3a951a1c 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -463,7 +463,7 @@ struct ring_buffer_per_cpu { - raw_spinlock_t reader_lock; /* serialize readers */ - arch_spinlock_t lock; - struct lock_class_key lock_key; -- unsigned int nr_pages; -+ unsigned long nr_pages; - struct list_head *pages; - struct buffer_page *head_page; /* read from head */ - struct buffer_page *tail_page; /* write to tail */ -@@ -483,7 +483,7 @@ struct ring_buffer_per_cpu { - u64 write_stamp; - u64 read_stamp; - /* ring buffer pages to update, > 0 to add, < 0 to remove */ -- int nr_pages_to_update; -+ long nr_pages_to_update; - struct list_head new_pages; /* new pages to add */ - struct work_struct update_pages_work; - struct completion update_done; -@@ -1120,10 +1120,10 @@ static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) - return 0; - } - --static int __rb_allocate_pages(int nr_pages, struct list_head *pages, int cpu) -+static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu) - { -- int i; - struct buffer_page *bpage, *tmp; -+ long i; - - for (i = 0; i < nr_pages; i++) { - struct page *page; -@@ -1160,7 +1160,7 @@ free_pages: - } - - static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, -- unsigned nr_pages) -+ unsigned long nr_pages) - { - LIST_HEAD(pages); - -@@ -1185,7 +1185,7 @@ static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, - } - - static struct ring_buffer_per_cpu * --rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu) -+rb_allocate_cpu_buffer(struct ring_buffer *buffer, long nr_pages, int cpu) - { - struct ring_buffer_per_cpu *cpu_buffer; - struct buffer_page *bpage; -@@ -1284,8 +1284,9 @@ struct ring_buffer *__ring_buffer_alloc(unsigned long size, unsigned flags, - struct lock_class_key *key) - { - struct ring_buffer *buffer; -+ long nr_pages; - int bsize; -- int cpu, nr_pages; -+ int cpu; - - /* keep it in its own cache line */ - buffer = kzalloc(ALIGN(sizeof(*buffer), cache_line_size()), -@@ -1408,12 +1409,12 @@ static inline unsigned long rb_page_write(struct buffer_page *bpage) - } - - static int --rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) -+rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) - { - struct list_head *tail_page, *to_remove, *next_page; - struct buffer_page *to_remove_page, *tmp_iter_page; - struct buffer_page *last_page, *first_page; -- unsigned int nr_removed; -+ unsigned long nr_removed; - unsigned long head_bit; - int page_entries; - -@@ -1629,7 +1630,7 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, - int cpu_id) - { - struct ring_buffer_per_cpu *cpu_buffer; -- unsigned nr_pages; -+ unsigned long nr_pages; - int cpu, err = 0; - - /* -@@ -1643,14 +1644,13 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, - !cpumask_test_cpu(cpu_id, buffer->cpumask)) - return size; - -- size = DIV_ROUND_UP(size, BUF_PAGE_SIZE); -- size *= BUF_PAGE_SIZE; -+ nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); - - /* we need a minimum of two pages */ -- if (size < BUF_PAGE_SIZE * 2) -- size = BUF_PAGE_SIZE * 2; -+ if (nr_pages < 2) -+ nr_pages = 2; - -- nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); -+ size = nr_pages * BUF_PAGE_SIZE; - - /* - * Don't succeed if resizing is disabled, as a reader might be -@@ -4607,8 +4607,9 @@ static int rb_cpu_notify(struct notifier_block *self, - struct ring_buffer *buffer = - container_of(self, struct ring_buffer, cpu_notify); - long cpu = (long)hcpu; -- int cpu_i, nr_pages_same; -- unsigned int nr_pages; -+ long nr_pages_same; -+ int cpu_i; -+ unsigned long nr_pages; - - switch (action) { - case CPU_UP_PREPARE: -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 640e4c44b170..eff26a976f02 100644 ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -4351,7 +4351,10 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, - - spd.nr_pages = i; - -- ret = splice_to_pipe(pipe, &spd); -+ if (i) -+ ret = splice_to_pipe(pipe, &spd); -+ else -+ ret = 0; - out: - splice_shrink_spd(&spd); - return ret; -diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c -index 2aefbee93a6d..56e083e26ca9 100644 ---- a/kernel/trace/trace_irqsoff.c -+++ b/kernel/trace/trace_irqsoff.c -@@ -118,8 +118,12 @@ static int func_prolog_dec(struct trace_array *tr, - return 0; - - local_save_flags(*flags); -- /* slight chance to get a false positive on tracing_cpu */ -- if (!irqs_disabled_flags(*flags)) -+ /* -+ * Slight chance to get a false positive on tracing_cpu, -+ * although I'm starting to think there isn't a chance. -+ * Leave this for now just to be paranoid. -+ */ -+ if (!irqs_disabled_flags(*flags) && !preempt_count()) - return 0; - - *data = per_cpu_ptr(tr->trace_buffer.data, cpu); -diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c -index a9077c1b4ad3..fdb23e84b011 100644 ---- a/kernel/trace/trace_printk.c -+++ b/kernel/trace/trace_printk.c -@@ -272,6 +272,9 @@ static int t_show(struct seq_file *m, void *v) - const char *str = *fmt; - int i; - -+ if (!*fmt) -+ return 0; -+ - seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); - - /* -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index fe7c4b91d2e7..66972ac0c6c0 100644 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -606,6 +606,35 @@ static void set_work_pool_and_clear_pending(struct work_struct *work, - */ - smp_wmb(); - set_work_data(work, (unsigned long)pool_id << WORK_OFFQ_POOL_SHIFT, 0); -+ /* -+ * The following mb guarantees that previous clear of a PENDING bit -+ * will not be reordered with any speculative LOADS or STORES from -+ * work->current_func, which is executed afterwards. This possible -+ * reordering can lead to a missed execution on attempt to qeueue -+ * the same @work. E.g. consider this case: -+ * -+ * CPU#0 CPU#1 -+ * ---------------------------- -------------------------------- -+ * -+ * 1 STORE event_indicated -+ * 2 queue_work_on() { -+ * 3 test_and_set_bit(PENDING) -+ * 4 } set_..._and_clear_pending() { -+ * 5 set_work_data() # clear bit -+ * 6 smp_mb() -+ * 7 work->current_func() { -+ * 8 LOAD event_indicated -+ * } -+ * -+ * Without an explicit full barrier speculative LOAD on line 8 can -+ * be executed before CPU#0 does STORE on line 1. If that happens, -+ * CPU#0 observes the PENDING bit is still set and new execution of -+ * a @work is not queued in a hope, that CPU#1 will eventually -+ * finish the queued @work. Meanwhile CPU#1 does not see -+ * event_indicated is set, because speculative LOAD was executed -+ * before actual STORE. -+ */ -+ smp_mb(); - } - - static void clear_work_data(struct work_struct *work) -diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c -index 263cfd1ccee7..cf5b76661252 100644 ---- a/net/batman-adv/send.c -+++ b/net/batman-adv/send.c -@@ -353,6 +353,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, - - if (pending) { - hlist_del(&forw_packet->list); -+ if (!forw_packet->own) -+ atomic_inc(&bat_priv->batman_queue_left); -+ - batadv_forw_packet_free(forw_packet); - } - } -@@ -379,6 +382,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, - - if (pending) { - hlist_del(&forw_packet->list); -+ if (!forw_packet->own) -+ atomic_inc(&bat_priv->bcast_queue_left); -+ - batadv_forw_packet_free(forw_packet); - } - } -diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c -index b73eaba85667..a882db499d33 100644 ---- a/net/bridge/br_ioctl.c -+++ b/net/bridge/br_ioctl.c -@@ -21,18 +21,19 @@ - #include - #include "br_private.h" - --/* called with RTNL */ - static int get_bridge_ifindices(struct net *net, int *indices, int num) - { - struct net_device *dev; - int i = 0; - -- for_each_netdev(net, dev) { -+ rcu_read_lock(); -+ for_each_netdev_rcu(net, dev) { - if (i >= num) - break; - if (dev->priv_flags & IFF_EBRIDGE) - indices[i++] = dev->ifindex; - } -+ rcu_read_unlock(); - - return i; - } -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a67310e00b3f..602c6d0492e2 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -899,14 +899,16 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, - goto nla_put_failure; - - if (1) { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - goto nla_put_failure; - } -diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c -index fe32388ea24f..b9610051f3b2 100644 ---- a/net/decnet/dn_route.c -+++ b/net/decnet/dn_route.c -@@ -1030,10 +1030,13 @@ source_ok: - if (!fld.daddr) { - fld.daddr = fld.saddr; - -- err = -EADDRNOTAVAIL; - if (dev_out) - dev_put(dev_out); -+ err = -EINVAL; - dev_out = init_net.loopback_dev; -+ if (!dev_out->dn_ptr) -+ goto out; -+ err = -EADDRNOTAVAIL; - dev_hold(dev_out); - if (!fld.daddr) { - fld.daddr = -@@ -1106,6 +1109,8 @@ source_ok: - if (dev_out == NULL) - goto out; - dn_db = rcu_dereference_raw(dev_out->dn_ptr); -+ if (!dn_db) -+ goto e_inval; - /* Possible improvement - check all devices for local addr */ - if (dn_dev_islocal(dev_out, fld.daddr)) { - dev_put(dev_out); -@@ -1147,6 +1152,8 @@ select_source: - dev_put(dev_out); - dev_out = init_net.loopback_dev; - dev_hold(dev_out); -+ if (!dev_out->dn_ptr) -+ goto e_inval; - fld.flowidn_oif = dev_out->ifindex; - if (res.fi) - dn_fib_info_put(res.fi); -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 222e1b6141d3..624ca8ed350c 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -1876,6 +1876,18 @@ static struct rtable *__mkroute_output(const struct fib_result *res, - */ - if (fi && res->prefixlen < 4) - fi = NULL; -+ } else if ((type == RTN_LOCAL) && (orig_oif != 0) && -+ (orig_oif != dev_out->ifindex)) { -+ /* For local routes that require a particular output interface -+ * we do not want to cache the result. Caching the result -+ * causes incorrect behaviour when there are multiple source -+ * addresses on the interface, the end result being that if the -+ * intended recipient is waiting on that interface for the -+ * packet he won't receive it because it will be delivered on -+ * the loopback interface and the IP_PKTINFO ipi_ifindex will -+ * be set to the loopback interface as well. -+ */ -+ fi = NULL; - } - - fnhe = NULL; -diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c -index 51af9d0d019a..f66c1b629582 100644 ---- a/net/ipv6/exthdrs_core.c -+++ b/net/ipv6/exthdrs_core.c -@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, - *fragoff = _frag_off; - return hp->nexthdr; - } -- return -ENOENT; -+ if (!found) -+ return -ENOENT; -+ if (fragoff) -+ *fragoff = _frag_off; -+ break; - } - hdrlen = 8; - } else if (nexthdr == NEXTHDR_AUTH) { -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index 14f46af17704..31bab1ab007c 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -266,12 +266,12 @@ static int ip6_tnl_create2(struct net_device *dev) - - t = netdev_priv(dev); - -+ dev->rtnl_link_ops = &ip6_link_ops; - err = register_netdevice(dev); - if (err < 0) - goto out; - - strcpy(t->parms.name, dev->name); -- dev->rtnl_link_ops = &ip6_link_ops; - - dev_hold(dev); - ip6_tnl_link(ip6n, t); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 7e3901893413..3046d0244393 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -839,11 +839,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, - int ret = udpv6_queue_rcv_skb(sk, skb); - sock_put(sk); - -- /* a return value > 0 means to resubmit the input, but -- * it wants the return to be -protocol, or 0 -- */ -+ /* a return value > 0 means to resubmit the input */ - if (ret > 0) -- return -ret; -+ return ret; - - return 0; - } -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index da1a1cee1a08..07f8b97f9ae9 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *skb) - struct l2tp_tunnel *tunnel = NULL; - int length; - -- /* Point to L2TP header */ -- optr = ptr = skb->data; -- - if (!pskb_may_pull(skb, 4)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; - session_id = ntohl(*((__be32 *) ptr)); - ptr += 4; - -@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *skb) - if (!pskb_may_pull(skb, length)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; -+ ptr += 4; - pr_debug("%s: ip recv\n", tunnel->name); - print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); - } -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index e6e8408c9e36..db96af978da5 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff *skb) - struct l2tp_tunnel *tunnel = NULL; - int length; - -- /* Point to L2TP header */ -- optr = ptr = skb->data; -- - if (!pskb_may_pull(skb, 4)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; - session_id = ntohl(*((__be32 *) ptr)); - ptr += 4; - -@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff *skb) - if (!pskb_may_pull(skb, length)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; -+ ptr += 4; - pr_debug("%s: ip recv\n", tunnel->name); - print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); - } -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index c3ee80547066..9d140594082c 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); -diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c -index bed5f7042529..bb318e4623a3 100644 ---- a/net/netfilter/ipvs/ip_vs_pe_sip.c -+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c -@@ -88,7 +88,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) - dptr = skb->data + dataoff; - datalen = skb->len - dataoff; - -- if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen)) -+ if (get_callid(dptr, 0, datalen, &matchoff, &matchlen)) - return -EINVAL; - - /* N.B: pe_data is only set on success, -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 39fa33969b09..2d454a235e84 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -2997,6 +2997,7 @@ static int packet_mc_add(struct sock *sk, struct packet_mreq_max *mreq) - i->ifindex = mreq->mr_ifindex; - i->alen = mreq->mr_alen; - memcpy(i->addr, mreq->mr_address, i->alen); -+ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen); - i->count = 1; - i->next = po->mclist; - po->mclist = i; -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index bee032a7003f..10d3e2874dd1 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -520,6 +520,8 @@ static int sctp_v6_cmp_addr(const union sctp_addr *addr1, - } - return 0; - } -+ if (addr1->v6.sin6_port != addr2->v6.sin6_port) -+ return 0; - if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) - return 0; - /* If this is a linklocal address, compare the scope_id. */ -diff --git a/net/socket.c b/net/socket.c -index 53b6e411f7a4..e91e8ed1b8df 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -2381,31 +2381,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - break; - } - --out_put: -- fput_light(sock->file, fput_needed); -- - if (err == 0) -- return datagrams; -+ goto out_put; - -- if (datagrams != 0) { -+ if (datagrams == 0) { -+ datagrams = err; -+ goto out_put; -+ } -+ -+ /* -+ * We may return less entries than requested (vlen) if the -+ * sock is non block and there aren't enough datagrams... -+ */ -+ if (err != -EAGAIN) { - /* -- * We may return less entries than requested (vlen) if the -- * sock is non block and there aren't enough datagrams... -+ * ... or if recvmsg returns an error after we -+ * received some datagrams, where we record the -+ * error to return on the next call or if the -+ * app asks about it using getsockopt(SO_ERROR). - */ -- if (err != -EAGAIN) { -- /* -- * ... or if recvmsg returns an error after we -- * received some datagrams, where we record the -- * error to return on the next call or if the -- * app asks about it using getsockopt(SO_ERROR). -- */ -- sock->sk->sk_err = -err; -- } -- -- return datagrams; -+ sock->sk->sk_err = -err; - } -+out_put: -+ fput_light(sock->file, fput_needed); - -- return err; -+ return datagrams; - } - - SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 9b88693bcc99..66a9bf52fac6 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -1804,27 +1804,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb, - else if (sk->sk_shutdown & RCV_SHUTDOWN) - err = 0; - -- if (copied > 0) { -- /* We only do these additional bookkeeping/notification steps -- * if we actually copied something out of the queue pair -- * instead of just peeking ahead. -- */ -- -- if (!(flags & MSG_PEEK)) { -- /* If the other side has shutdown for sending and there -- * is nothing more to read, then modify the socket -- * state. -- */ -- if (vsk->peer_shutdown & SEND_SHUTDOWN) { -- if (vsock_stream_has_data(vsk) <= 0) { -- sk->sk_state = SS_UNCONNECTED; -- sock_set_flag(sk, SOCK_DONE); -- sk->sk_state_change(sk); -- } -- } -- } -+ if (copied > 0) - err = copied; -- } - - out_wait: - finish_wait(sk_sleep(sk), &wait); -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 90a0e552cb32..dd3dbed89c8f 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -10685,7 +10685,7 @@ static int nl80211_netlink_notify(struct notifier_block * nb, - struct wireless_dev *wdev; - struct cfg80211_beacon_registration *reg, *tmp; - -- if (state != NETLINK_URELEASE) -+ if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC) - return NOTIFY_DONE; - - rcu_read_lock(); -diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c -index 66c638730c7a..de7552d8ee20 100644 ---- a/net/x25/x25_facilities.c -+++ b/net/x25/x25_facilities.c -@@ -271,6 +271,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, - - memset(&theirs, 0, sizeof(theirs)); - memcpy(new, ours, sizeof(*new)); -+ memset(dte, 0, sizeof(*dte)); - - len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); - if (len < 0) -diff --git a/scripts/coccinelle/iterators/use_after_iter.cocci b/scripts/coccinelle/iterators/use_after_iter.cocci -index 06284c57a951..93e37ff8b0f6 100644 ---- a/scripts/coccinelle/iterators/use_after_iter.cocci -+++ b/scripts/coccinelle/iterators/use_after_iter.cocci -@@ -123,7 +123,7 @@ list_remove_head(x,c,...) - | - sizeof(<+...c...+>) - | --&c->member -+ &c->member - | - c = E - | -diff --git a/sound/core/timer.c b/sound/core/timer.c -index d90d8f4b85fe..38742e826900 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1012,8 +1012,8 @@ static int snd_timer_s_start(struct snd_timer * timer) - njiff += timer->sticks - priv->correction; - priv->correction = 0; - } -- priv->last_expires = priv->tlist.expires = njiff; -- add_timer(&priv->tlist); -+ priv->last_expires = njiff; -+ mod_timer(&priv->tlist, njiff); - return 0; - } - -diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c -index b8fe40531b9c..7022450fb6dd 100644 ---- a/sound/pci/intel8x0.c -+++ b/sound/pci/intel8x0.c -@@ -2885,6 +2885,7 @@ static void intel8x0_measure_ac97_clock(struct intel8x0 *chip) - - static struct snd_pci_quirk intel8x0_clock_list[] = { - SND_PCI_QUIRK(0x0e11, 0x008a, "AD1885", 41000), -+ SND_PCI_QUIRK(0x1014, 0x0581, "AD1981B", 48000), - SND_PCI_QUIRK(0x1028, 0x00be, "AD1885", 44100), - SND_PCI_QUIRK(0x1028, 0x0177, "AD1980", 48000), - SND_PCI_QUIRK(0x1028, 0x01ad, "AD1981B", 48000), -diff --git a/sound/soc/samsung/s3c-i2s-v2.c b/sound/soc/samsung/s3c-i2s-v2.c -index 20e98d1dded2..38c36cdd8c77 100644 ---- a/sound/soc/samsung/s3c-i2s-v2.c -+++ b/sound/soc/samsung/s3c-i2s-v2.c -@@ -732,7 +732,7 @@ static int s3c2412_i2s_resume(struct snd_soc_dai *dai) - #endif - - int s3c_i2sv2_register_component(struct device *dev, int id, -- struct snd_soc_component_driver *cmp_drv, -+ const struct snd_soc_component_driver *cmp_drv, - struct snd_soc_dai_driver *dai_drv) - { - struct snd_soc_dai_ops *ops = drv->ops; -diff --git a/sound/soc/samsung/s3c-i2s-v2.h b/sound/soc/samsung/s3c-i2s-v2.h -index 90abab364b49..d0684145ed1f 100644 ---- a/sound/soc/samsung/s3c-i2s-v2.h -+++ b/sound/soc/samsung/s3c-i2s-v2.h -@@ -101,7 +101,7 @@ extern int s3c_i2sv2_probe(struct snd_soc_dai *dai, - * soc core. - */ - extern int s3c_i2sv2_register_component(struct device *dev, int id, -- struct snd_soc_component_driver *cmp_drv, -+ const struct snd_soc_component_driver *cmp_drv, - struct snd_soc_dai_driver *dai_drv); - - #endif /* __SND_SOC_S3C24XX_S3C_I2SV2_I2S_H */ -diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt -index 2fe87fb558f0..8c9604797e87 100644 ---- a/tools/perf/Documentation/perf-stat.txt -+++ b/tools/perf/Documentation/perf-stat.txt -@@ -50,6 +50,14 @@ OPTIONS - --scale:: - scale/normalize counter values - -+-d:: -+--detailed:: -+ print more detailed statistics, can be specified up to 3 times -+ -+ -d: detailed events, L1 and LLC data cache -+ -d -d: more detailed events, dTLB and iTLB events -+ -d -d -d: very detailed events, adding prefetch events -+ - -r:: - --repeat=:: - repeat command and print average + stddev (max: 100). 0 means forever. -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 1d4b8bed4e48..4f865e122c21 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -468,6 +468,16 @@ static struct kvm *kvm_create_vm(unsigned long type) - if (!kvm) - return ERR_PTR(-ENOMEM); - -+ spin_lock_init(&kvm->mmu_lock); -+ atomic_inc(¤t->mm->mm_count); -+ kvm->mm = current->mm; -+ kvm_eventfd_init(kvm); -+ mutex_init(&kvm->lock); -+ mutex_init(&kvm->irq_lock); -+ mutex_init(&kvm->slots_lock); -+ atomic_set(&kvm->users_count, 1); -+ INIT_LIST_HEAD(&kvm->devices); -+ - r = kvm_arch_init_vm(kvm, type); - if (r) - goto out_err_nodisable; -@@ -497,16 +507,6 @@ static struct kvm *kvm_create_vm(unsigned long type) - goto out_err; - } - -- spin_lock_init(&kvm->mmu_lock); -- kvm->mm = current->mm; -- atomic_inc(&kvm->mm->mm_count); -- kvm_eventfd_init(kvm); -- mutex_init(&kvm->lock); -- mutex_init(&kvm->irq_lock); -- mutex_init(&kvm->slots_lock); -- atomic_set(&kvm->users_count, 1); -- INIT_LIST_HEAD(&kvm->devices); -- - r = kvm_init_mmu_notifier(kvm); - if (r) - goto out_err; -@@ -526,6 +526,7 @@ out_err_nodisable: - kfree(kvm->buses[i]); - kfree(kvm->memslots); - kvm_arch_free_vm(kvm); -+ mmdrop(current->mm); - return ERR_PTR(r); - } - diff --git a/patch/kernel/odroidc1-default/2-patch-3.10.102-103.patch b/patch/kernel/odroidc1-default/2-patch-3.10.102-103.patch deleted file mode 100644 index a1db16bea..000000000 --- a/patch/kernel/odroidc1-default/2-patch-3.10.102-103.patch +++ /dev/null @@ -1,6785 +0,0 @@ -diff --git a/Documentation/scsi/scsi_eh.txt b/Documentation/scsi/scsi_eh.txt -index 6ff16b620d84..c08b62d63afa 100644 ---- a/Documentation/scsi/scsi_eh.txt -+++ b/Documentation/scsi/scsi_eh.txt -@@ -255,19 +255,23 @@ scmd->allowed. - - 3. scmd recovered - ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd -- - shost->host_failed-- - - clear scmd->eh_eflags - - scsi_setup_cmd_retry() - - move from local eh_work_q to local eh_done_q - LOCKING: none -+ CONCURRENCY: at most one thread per separate eh_work_q to -+ keep queue manipulation lockless - - 4. EH completes - ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper -- layer of failure. -+ layer of failure. May be called concurrently but must have -+ a no more than one thread per separate eh_work_q to -+ manipulate the queue locklessly - - scmd is removed from eh_done_q and scmd->eh_entry is cleared - - if retry is necessary, scmd is requeued using - scsi_queue_insert() - - otherwise, scsi_finish_command() is invoked for scmd -+ - zero shost->host_failed - LOCKING: queue or finish function performs appropriate locking - - -diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt -index 88152f214f48..302b5ed616a6 100644 ---- a/Documentation/sysctl/fs.txt -+++ b/Documentation/sysctl/fs.txt -@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: - - nr_open - - overflowuid - - overflowgid -+- pipe-user-pages-hard -+- pipe-user-pages-soft - - protected_hardlinks - - protected_symlinks - - suid_dumpable -@@ -159,6 +161,27 @@ The default is 65534. - - ============================================================== - -+pipe-user-pages-hard: -+ -+Maximum total number of pages a non-privileged user may allocate for pipes. -+Once this limit is reached, no new pipes may be allocated until usage goes -+below the limit again. When set to 0, no limit is applied, which is the default -+setting. -+ -+============================================================== -+ -+pipe-user-pages-soft: -+ -+Maximum total number of pages a non-privileged user may allocate for pipes -+before the pipe size gets limited to a single page. Once this limit is reached, -+new pipes will be limited to a single page in size for this user in order to -+limit total memory usage, and trying to increase them using fcntl() will be -+denied until usage goes below the limit again. The default value allows to -+allocate up to 1024 pipes at their default size. When set to 0, no limit is -+applied. -+ -+============================================================== -+ - protected_hardlinks: - - A long-standing class of security issues is the hardlink-based -diff --git a/Makefile b/Makefile -index 868093c16ae0..d3cb458b295a 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 102 -+SUBLEVEL = 103 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c -index ca0207b9d5b6..06997ad70725 100644 ---- a/arch/arc/kernel/stacktrace.c -+++ b/arch/arc/kernel/stacktrace.c -@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs *regs, - * prelogue is setup (callee regs saved and then fp set and not other - * way around - */ -- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n"); -+ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n"); - return 0; - - #endif -diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S -index 3357d26ffe54..74691e652a3a 100644 ---- a/arch/arc/mm/tlbex.S -+++ b/arch/arc/mm/tlbex.S -@@ -219,7 +219,7 @@ ex_saved_reg1: - #ifdef CONFIG_SMP - sr r0, [ARC_REG_SCRATCH_DATA0] ; freeup r0 to code with - GET_CPU_ID r0 ; get to per cpu scratch mem, -- lsl r0, r0, L1_CACHE_SHIFT ; cache line wide per cpu -+ asl r0, r0, L1_CACHE_SHIFT ; cache line wide per cpu - add r0, @ex_saved_reg1, r0 - #else - st r0, [@ex_saved_reg1] -@@ -239,7 +239,7 @@ ex_saved_reg1: - .macro TLBMISS_RESTORE_REGS - #ifdef CONFIG_SMP - GET_CPU_ID r0 ; get to per cpu scratch mem -- lsl r0, r0, L1_CACHE_SHIFT ; each is cache line wide -+ asl r0, r0, L1_CACHE_SHIFT ; each is cache line wide - add r0, @ex_saved_reg1, r0 - ld_s r3, [r0,12] - ld_s r2, [r0, 8] -diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c -index 03deeffd9f6d..4e2110d48c41 100644 ---- a/arch/arm/kernel/ptrace.c -+++ b/arch/arm/kernel/ptrace.c -@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *target, - if (ret) - return ret; - -- vfp_flush_hwstate(thread); - thread->vfpstate.hard = new_vfp; -+ vfp_flush_hwstate(thread); - - return 0; - } -diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c -index 3e94811690ce..a0aee80b608d 100644 ---- a/arch/arm/kernel/sys_oabi-compat.c -+++ b/arch/arm/kernel/sys_oabi-compat.c -@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd, - mm_segment_t fs; - long ret, err, i; - -- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event))) -+ if (maxevents <= 0 || -+ maxevents > (INT_MAX/sizeof(*kbuf)) || -+ maxevents > (INT_MAX/sizeof(*events))) - return -EINVAL; -+ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)) -+ return -EFAULT; - kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL); - if (!kbuf) - return -ENOMEM; -@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid, - - if (nsops < 1 || nsops > SEMOPM) - return -EINVAL; -+ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)) -+ return -EFAULT; - sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); - if (!sops) - return -ENOMEM; -diff --git a/arch/metag/include/asm/cmpxchg_lnkget.h b/arch/metag/include/asm/cmpxchg_lnkget.h -index 0154e2807ebb..2369ad394876 100644 ---- a/arch/metag/include/asm/cmpxchg_lnkget.h -+++ b/arch/metag/include/asm/cmpxchg_lnkget.h -@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u32(volatile int *m, unsigned long old, - " DCACHE [%2], %0\n" - #endif - "2:\n" -- : "=&d" (temp), "=&da" (retval) -+ : "=&d" (temp), "=&d" (retval) - : "da" (m), "bd" (old), "da" (new) - : "cc" - ); -diff --git a/arch/mips/ath79/early_printk.c b/arch/mips/ath79/early_printk.c -index b955fafc58ba..d1adc59af5bf 100644 ---- a/arch/mips/ath79/early_printk.c -+++ b/arch/mips/ath79/early_printk.c -@@ -31,13 +31,15 @@ static inline void prom_putchar_wait(void __iomem *reg, u32 mask, u32 val) - } while (1); - } - -+#define BOTH_EMPTY (UART_LSR_TEMT | UART_LSR_THRE) -+ - static void prom_putchar_ar71xx(unsigned char ch) - { - void __iomem *base = (void __iomem *)(KSEG1ADDR(AR71XX_UART_BASE)); - -- prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE); -+ prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY); - __raw_writel(ch, base + UART_TX * 4); -- prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE); -+ prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY); - } - - static void prom_putchar_ar933x(unsigned char ch) -diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h -index 4d6fa0bf1305..883a162083af 100644 ---- a/arch/mips/include/asm/kvm_host.h -+++ b/arch/mips/include/asm/kvm_host.h -@@ -349,6 +349,7 @@ struct kvm_mips_tlb { - #define KVM_MIPS_GUEST_TLB_SIZE 64 - struct kvm_vcpu_arch { - void *host_ebase, *guest_ebase; -+ int (*vcpu_run)(struct kvm_run *run, struct kvm_vcpu *vcpu); - unsigned long host_stack; - unsigned long host_gp; - -diff --git a/arch/mips/include/asm/processor.h b/arch/mips/include/asm/processor.h -index 1470b7b68b0e..a7e71744fe89 100644 ---- a/arch/mips/include/asm/processor.h -+++ b/arch/mips/include/asm/processor.h -@@ -51,7 +51,7 @@ extern unsigned int vced_count, vcei_count; - * User space process size: 2GB. This is hardcoded into a few places, - * so don't change it unless you know what you are doing. - */ --#define TASK_SIZE 0x7fff8000UL -+#define TASK_SIZE 0x80000000UL - #endif - - #ifdef __KERNEL__ -diff --git a/arch/mips/include/uapi/asm/siginfo.h b/arch/mips/include/uapi/asm/siginfo.h -index 6a8714193fb9..b5f77f76c899 100644 ---- a/arch/mips/include/uapi/asm/siginfo.h -+++ b/arch/mips/include/uapi/asm/siginfo.h -@@ -45,13 +45,13 @@ typedef struct siginfo { - - /* kill() */ - struct { -- pid_t _pid; /* sender's pid */ -+ __kernel_pid_t _pid; /* sender's pid */ - __ARCH_SI_UID_T _uid; /* sender's uid */ - } _kill; - - /* POSIX.1b timers */ - struct { -- timer_t _tid; /* timer id */ -+ __kernel_timer_t _tid; /* timer id */ - int _overrun; /* overrun count */ - char _pad[sizeof( __ARCH_SI_UID_T) - sizeof(int)]; - sigval_t _sigval; /* same as below */ -@@ -60,26 +60,26 @@ typedef struct siginfo { - - /* POSIX.1b signals */ - struct { -- pid_t _pid; /* sender's pid */ -+ __kernel_pid_t _pid; /* sender's pid */ - __ARCH_SI_UID_T _uid; /* sender's uid */ - sigval_t _sigval; - } _rt; - - /* SIGCHLD */ - struct { -- pid_t _pid; /* which child */ -+ __kernel_pid_t _pid; /* which child */ - __ARCH_SI_UID_T _uid; /* sender's uid */ - int _status; /* exit code */ -- clock_t _utime; -- clock_t _stime; -+ __kernel_clock_t _utime; -+ __kernel_clock_t _stime; - } _sigchld; - - /* IRIX SIGCHLD */ - struct { -- pid_t _pid; /* which child */ -- clock_t _utime; -+ __kernel_pid_t _pid; /* which child */ -+ __kernel_clock_t _utime; - int _status; /* exit code */ -- clock_t _stime; -+ __kernel_clock_t _stime; - } _irix_sigchld; - - /* SIGILL, SIGFPE, SIGSEGV, SIGBUS */ -diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S -index cab150789c8d..b657fbefc466 100644 ---- a/arch/mips/kernel/scall64-n32.S -+++ b/arch/mips/kernel/scall64-n32.S -@@ -349,7 +349,7 @@ EXPORT(sysn32_call_table) - PTR sys_ni_syscall /* available, was setaltroot */ - PTR sys_add_key - PTR sys_request_key -- PTR sys_keyctl /* 6245 */ -+ PTR compat_sys_keyctl /* 6245 */ - PTR sys_set_thread_area - PTR sys_inotify_init - PTR sys_inotify_add_watch -diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S -index 37605dc8eef7..bf56d7e271dd 100644 ---- a/arch/mips/kernel/scall64-o32.S -+++ b/arch/mips/kernel/scall64-o32.S -@@ -474,7 +474,7 @@ sys_call_table: - PTR sys_ni_syscall /* available, was setaltroot */ - PTR sys_add_key /* 4280 */ - PTR sys_request_key -- PTR sys_keyctl -+ PTR compat_sys_keyctl - PTR sys_set_thread_area - PTR sys_inotify_init - PTR sys_inotify_add_watch /* 4285 */ -diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S -index 34c35f0e3290..73553cd98070 100644 ---- a/arch/mips/kvm/kvm_locore.S -+++ b/arch/mips/kvm/kvm_locore.S -@@ -227,6 +227,7 @@ FEXPORT(__kvm_mips_load_k0k1) - /* Jump to guest */ - eret - .set pop -+EXPORT(__kvm_mips_vcpu_run_end) - - VECTOR(MIPSX(exception), unknown) - /* -diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c -index 8aa5f30d8579..97a181a44e53 100644 ---- a/arch/mips/kvm/kvm_mips.c -+++ b/arch/mips/kvm/kvm_mips.c -@@ -343,6 +343,15 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) - memcpy(gebase + offset, mips32_GuestException, - mips32_GuestExceptionEnd - mips32_GuestException); - -+#ifdef MODULE -+ offset += mips32_GuestExceptionEnd - mips32_GuestException; -+ memcpy(gebase + offset, (char *)__kvm_mips_vcpu_run, -+ __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run); -+ vcpu->arch.vcpu_run = gebase + offset; -+#else -+ vcpu->arch.vcpu_run = __kvm_mips_vcpu_run; -+#endif -+ - /* Invalidate the icache for these ranges */ - mips32_SyncICache((unsigned long) gebase, ALIGN(size, PAGE_SIZE)); - -@@ -426,7 +435,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run) - - kvm_guest_enter(); - -- r = __kvm_mips_vcpu_run(run, vcpu); -+ r = vcpu->arch.vcpu_run(run, vcpu); - - kvm_guest_exit(); - local_irq_enable(); -diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c -index 33085819cd89..9f7643874fba 100644 ---- a/arch/mips/kvm/kvm_mips_emul.c -+++ b/arch/mips/kvm/kvm_mips_emul.c -@@ -972,8 +972,13 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, - preempt_disable(); - if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) { - -- if (kvm_mips_host_tlb_lookup(vcpu, va) < 0) { -- kvm_mips_handle_kseg0_tlb_fault(va, vcpu); -+ if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 && -+ kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) { -+ kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n", -+ __func__, va, vcpu, read_c0_entryhi()); -+ er = EMULATE_FAIL; -+ preempt_enable(); -+ goto done; - } - } else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) || - KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) { -@@ -1006,11 +1011,16 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, - run, vcpu); - preempt_enable(); - goto dont_update_pc; -- } else { -- /* We fault an entry from the guest tlb to the shadow host TLB */ -- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, -- NULL, -- NULL); -+ } -+ /* We fault an entry from the guest tlb to the shadow host TLB */ -+ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, -+ NULL, NULL)) { -+ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n", -+ __func__, va, index, vcpu, -+ read_c0_entryhi()); -+ er = EMULATE_FAIL; -+ preempt_enable(); -+ goto done; - } - } - } else { -@@ -1821,8 +1831,13 @@ kvm_mips_handle_tlbmiss(unsigned long cause, uint32_t *opc, - tlb->tlb_hi, tlb->tlb_lo0, tlb->tlb_lo1); - #endif - /* OK we have a Guest TLB entry, now inject it into the shadow host TLB */ -- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL, -- NULL); -+ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, -+ NULL, NULL)) { -+ kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n", -+ __func__, va, index, vcpu, -+ read_c0_entryhi()); -+ er = EMULATE_FAIL; -+ } - } - } - -diff --git a/arch/mips/kvm/kvm_mips_int.h b/arch/mips/kvm/kvm_mips_int.h -index 20da7d29eede..bf41ea36210e 100644 ---- a/arch/mips/kvm/kvm_mips_int.h -+++ b/arch/mips/kvm/kvm_mips_int.h -@@ -27,6 +27,8 @@ - #define MIPS_EXC_MAX 12 - /* XXXSL More to follow */ - -+extern char __kvm_mips_vcpu_run_end[]; -+ - #define C_TI (_ULCAST_(1) << 30) - - #define KVM_MIPS_IRQ_DELIVER_ALL_AT_ONCE (0) -diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c -index c777dd36d4a8..4bee4397dca8 100644 ---- a/arch/mips/kvm/kvm_tlb.c -+++ b/arch/mips/kvm/kvm_tlb.c -@@ -312,7 +312,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsigned long badvaddr, - } - - gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT); -- if (gfn >= kvm->arch.guest_pmap_npages) { -+ if ((gfn | 1) >= kvm->arch.guest_pmap_npages) { - kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__, - gfn, badvaddr); - kvm_mips_dump_host_tlbs(); -@@ -397,21 +397,38 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu, - unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0; - struct kvm *kvm = vcpu->kvm; - pfn_t pfn0, pfn1; -+ gfn_t gfn0, gfn1; -+ long tlb_lo[2]; -+ -+ tlb_lo[0] = tlb->tlb_lo0; -+ tlb_lo[1] = tlb->tlb_lo1; -+ -+ /* -+ * The commpage address must not be mapped to anything else if the guest -+ * TLB contains entries nearby, or commpage accesses will break. -+ */ -+ if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) & -+ VPN2_MASK & (PAGE_MASK << 1))) -+ tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0; -+ -+ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT; -+ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT; -+ if (gfn0 >= kvm->arch.guest_pmap_npages || -+ gfn1 >= kvm->arch.guest_pmap_npages) { -+ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n", -+ __func__, gfn0, gfn1, tlb->tlb_hi); -+ kvm_mips_dump_guest_tlbs(vcpu); -+ return -1; -+ } - -+ if (kvm_mips_map_page(kvm, gfn0) < 0) -+ return -1; - -- if ((tlb->tlb_hi & VPN2_MASK) == 0) { -- pfn0 = 0; -- pfn1 = 0; -- } else { -- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT) < 0) -- return -1; -- -- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT) < 0) -- return -1; -+ if (kvm_mips_map_page(kvm, gfn1) < 0) -+ return -1; - -- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT]; -- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT]; -- } -+ pfn0 = kvm->arch.guest_pmap[gfn0]; -+ pfn1 = kvm->arch.guest_pmap[gfn1]; - - if (hpa0) - *hpa0 = pfn0 << PAGE_SHIFT; -@@ -423,9 +440,9 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu, - entryhi = (tlb->tlb_hi & VPN2_MASK) | (KVM_GUEST_KERNEL_MODE(vcpu) ? - kvm_mips_get_kernel_asid(vcpu) : kvm_mips_get_user_asid(vcpu)); - entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) | -- (tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 & MIPS3_PG_V); -+ (tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V); - entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) | -- (tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 & MIPS3_PG_V); -+ (tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V); - - #ifdef DEBUG - kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc, -@@ -909,10 +926,16 @@ uint32_t kvm_get_inst(uint32_t *opc, struct kvm_vcpu *vcpu) - local_irq_restore(flags); - return KVM_INVALID_INST; - } -- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, -- &vcpu->arch. -- guest_tlb[index], -- NULL, NULL); -+ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, -+ &vcpu->arch.guest_tlb[index], -+ NULL, NULL)) { -+ kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n", -+ __func__, opc, index, vcpu, -+ read_c0_entryhi()); -+ kvm_mips_dump_guest_tlbs(vcpu); -+ local_irq_restore(flags); -+ return KVM_INVALID_INST; -+ } - inst = *(opc); - } - local_irq_restore(flags); -diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c -index f03771900813..3d492a823a55 100644 ---- a/arch/mips/math-emu/cp1emu.c -+++ b/arch/mips/math-emu/cp1emu.c -@@ -684,9 +684,11 @@ static int isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn, - case spec_op: - switch (insn.r_format.func) { - case jalr_op: -- regs->regs[insn.r_format.rd] = -- regs->cp0_epc + dec_insn.pc_inc + -- dec_insn.next_pc_inc; -+ if (insn.r_format.rd != 0) { -+ regs->regs[insn.r_format.rd] = -+ regs->cp0_epc + dec_insn.pc_inc + -+ dec_insn.next_pc_inc; -+ } - /* Fall through */ - case jr_op: - *contpc = regs->regs[insn.r_format.rs]; -diff --git a/arch/parisc/kernel/unaligned.c b/arch/parisc/kernel/unaligned.c -index d7c0acb35ec2..8d49614d600d 100644 ---- a/arch/parisc/kernel/unaligned.c -+++ b/arch/parisc/kernel/unaligned.c -@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *regs) - break; - } - -- if (modify && R1(regs->iir)) -+ if (ret == 0 && modify && R1(regs->iir)) - regs->gr[R1(regs->iir)] = newbase; - - -@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *regs) - - if (ret) - { -+ /* -+ * The unaligned handler failed. -+ * If we were called by __get_user() or __put_user() jump -+ * to it's exception fixup handler instead of crashing. -+ */ -+ if (!user_mode(regs) && fixup_exception(regs)) -+ return; -+ - printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret); - die_if_kernel("Unaligned data reference", regs, 28); - -diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h -index 60c31698f7d5..469d7715d6aa 100644 ---- a/arch/powerpc/include/asm/reg.h -+++ b/arch/powerpc/include/asm/reg.h -@@ -643,7 +643,7 @@ - #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */ - #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */ - #define SPRN_MMCR1 798 --#define SPRN_MMCR2 769 -+#define SPRN_MMCR2 785 - #define SPRN_MMCRA 0x312 - #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */ - #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL -@@ -677,13 +677,13 @@ - #define SPRN_PMC6 792 - #define SPRN_PMC7 793 - #define SPRN_PMC8 794 --#define SPRN_SIAR 780 --#define SPRN_SDAR 781 - #define SPRN_SIER 784 - #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */ - #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */ - #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */ - #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */ -+#define SPRN_SIAR 796 -+#define SPRN_SDAR 797 - - #define SPRN_PA6T_MMCR0 795 - #define PA6T_MMCR0_EN0 0x0000000000000001UL -diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S -index 902ca3c6b4b6..3ac1d3a90551 100644 ---- a/arch/powerpc/kernel/exceptions-64s.S -+++ b/arch/powerpc/kernel/exceptions-64s.S -@@ -857,11 +857,6 @@ hv_facility_unavailable_relon_trampoline: - #endif - STD_RELON_EXCEPTION_PSERIES(0x5700, 0x1700, altivec_assist) - -- /* Other future vectors */ -- .align 7 -- .globl __end_interrupts --__end_interrupts: -- - .align 7 - system_call_entry_direct: - #if defined(CONFIG_RELOCATABLE) -@@ -1191,6 +1186,17 @@ __end_handlers: - STD_RELON_EXCEPTION_PSERIES_OOL(0xf60, facility_unavailable) - STD_RELON_EXCEPTION_HV_OOL(0xf80, hv_facility_unavailable) - -+ /* -+ * The __end_interrupts marker must be past the out-of-line (OOL) -+ * handlers, so that they are copied to real address 0x100 when running -+ * a relocatable kernel. This ensures they can be reached from the short -+ * trampoline handlers (like 0x4f00, 0x4f20, etc.) which branch -+ * directly, without using LOAD_HANDLER(). -+ */ -+ .align 7 -+ .globl __end_interrupts -+__end_interrupts: -+ - #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_PPC_POWERNV) - /* - * Data area reserved for FWNMI option. -diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index d55357ee9028..a5e339806589 100644 ---- a/arch/powerpc/kernel/process.c -+++ b/arch/powerpc/kernel/process.c -@@ -1088,6 +1088,16 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp) - current->thread.regs = regs - 1; - } - -+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM -+ /* -+ * Clear any transactional state, we're exec()ing. The cause is -+ * not important as there will never be a recheckpoint so it's not -+ * user visible. -+ */ -+ if (MSR_TM_SUSPENDED(mfmsr())) -+ tm_reclaim_current(0); -+#endif -+ - memset(regs->gpr, 0, sizeof(regs->gpr)); - regs->ctr = 0; - regs->link = 0; -diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c -index 68f97d5a4679..dc0278e7fd91 100644 ---- a/arch/powerpc/platforms/pseries/eeh_pseries.c -+++ b/arch/powerpc/platforms/pseries/eeh_pseries.c -@@ -551,29 +551,50 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe) - { - int config_addr; - int ret; -+ /* Waiting 0.2s maximum before skipping configuration */ -+ int max_wait = 200; - - /* Figure out the PE address */ - config_addr = pe->config_addr; - if (pe->addr) - config_addr = pe->addr; - -- /* Use new configure-pe function, if supported */ -- if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) { -- ret = rtas_call(ibm_configure_pe, 3, 1, NULL, -- config_addr, BUID_HI(pe->phb->buid), -- BUID_LO(pe->phb->buid)); -- } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) { -- ret = rtas_call(ibm_configure_bridge, 3, 1, NULL, -- config_addr, BUID_HI(pe->phb->buid), -- BUID_LO(pe->phb->buid)); -- } else { -- return -EFAULT; -- } -+ while (max_wait > 0) { -+ /* Use new configure-pe function, if supported */ -+ if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) { -+ ret = rtas_call(ibm_configure_pe, 3, 1, NULL, -+ config_addr, BUID_HI(pe->phb->buid), -+ BUID_LO(pe->phb->buid)); -+ } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) { -+ ret = rtas_call(ibm_configure_bridge, 3, 1, NULL, -+ config_addr, BUID_HI(pe->phb->buid), -+ BUID_LO(pe->phb->buid)); -+ } else { -+ return -EFAULT; -+ } - -- if (ret) -- pr_warning("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n", -- __func__, pe->phb->global_number, pe->addr, ret); -+ if (!ret) -+ return ret; -+ -+ /* -+ * If RTAS returns a delay value that's above 100ms, cut it -+ * down to 100ms in case firmware made a mistake. For more -+ * on how these delay values work see rtas_busy_delay_time -+ */ -+ if (ret > RTAS_EXTENDED_DELAY_MIN+2 && -+ ret <= RTAS_EXTENDED_DELAY_MAX) -+ ret = RTAS_EXTENDED_DELAY_MIN+2; -+ -+ max_wait -= rtas_busy_delay_time(ret); -+ -+ if (max_wait < 0) -+ break; -+ -+ rtas_busy_delay(ret); -+ } - -+ pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n", -+ __func__, pe->phb->global_number, pe->addr, ret); - return ret; - } - -diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c -index 86ae364900d6..401369134ba3 100644 ---- a/arch/powerpc/platforms/pseries/iommu.c -+++ b/arch/powerpc/platforms/pseries/iommu.c -@@ -858,7 +858,8 @@ machine_arch_initcall(pseries, find_existing_ddw_windows); - static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail, - struct ddw_query_response *query) - { -- struct eeh_dev *edev; -+ struct device_node *dn; -+ struct pci_dn *pdn; - u32 cfg_addr; - u64 buid; - int ret; -@@ -869,11 +870,10 @@ static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail, - * Retrieve them from the pci device, not the node with the - * dma-window property - */ -- edev = pci_dev_to_eeh_dev(dev); -- cfg_addr = edev->config_addr; -- if (edev->pe_config_addr) -- cfg_addr = edev->pe_config_addr; -- buid = edev->phb->buid; -+ dn = pci_device_to_OF_node(dev); -+ pdn = PCI_DN(dn); -+ buid = pdn->phb->buid; -+ cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8)); - - ret = rtas_call(ddw_avail[0], 3, 5, (u32 *)query, - cfg_addr, BUID_HI(buid), BUID_LO(buid)); -@@ -887,7 +887,8 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail, - struct ddw_create_response *create, int page_shift, - int window_shift) - { -- struct eeh_dev *edev; -+ struct device_node *dn; -+ struct pci_dn *pdn; - u32 cfg_addr; - u64 buid; - int ret; -@@ -898,11 +899,10 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail, - * Retrieve them from the pci device, not the node with the - * dma-window property - */ -- edev = pci_dev_to_eeh_dev(dev); -- cfg_addr = edev->config_addr; -- if (edev->pe_config_addr) -- cfg_addr = edev->pe_config_addr; -- buid = edev->phb->buid; -+ dn = pci_device_to_OF_node(dev); -+ pdn = PCI_DN(dn); -+ buid = pdn->phb->buid; -+ cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8)); - - do { - /* extra outputs are LIOBN and dma-addr (hi, lo) */ -diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h -index cd29d2f4e4f3..749313b452ae 100644 ---- a/arch/s390/include/asm/syscall.h -+++ b/arch/s390/include/asm/syscall.h -@@ -54,7 +54,7 @@ static inline void syscall_set_return_value(struct task_struct *task, - struct pt_regs *regs, - int error, long val) - { -- regs->gprs[2] = error ? -error : val; -+ regs->gprs[2] = error ? error : val; - } - - static inline void syscall_get_arguments(struct task_struct *task, -diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index 6cf0111783d3..368f3582c93e 100644 ---- a/arch/x86/boot/Makefile -+++ b/arch/x86/boot/Makefile -@@ -168,6 +168,9 @@ isoimage: $(obj)/bzImage - for i in lib lib64 share end ; do \ - if [ -f /usr/$$i/syslinux/isolinux.bin ] ; then \ - cp /usr/$$i/syslinux/isolinux.bin $(obj)/isoimage ; \ -+ if [ -f /usr/$$i/syslinux/ldlinux.c32 ]; then \ -+ cp /usr/$$i/syslinux/ldlinux.c32 $(obj)/isoimage ; \ -+ fi ; \ - break ; \ - fi ; \ - if [ $$i = end ] ; then exit 1 ; fi ; \ -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index be12c534fd59..29a3d1b00ca9 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -42,7 +42,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - #endif - cpumask_set_cpu(cpu, mm_cpumask(next)); - -- /* Re-load page tables */ -+ /* -+ * Re-load page tables. -+ * -+ * This logic has an ordering constraint: -+ * -+ * CPU 0: Write to a PTE for 'next' -+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. -+ * CPU 1: set bit 1 in next's mm_cpumask -+ * CPU 1: load from the PTE that CPU 0 writes (implicit) -+ * -+ * We need to prevent an outcome in which CPU 1 observes -+ * the new PTE value and CPU 0 observes bit 1 clear in -+ * mm_cpumask. (If that occurs, then the IPI will never -+ * be sent, and CPU 0's TLB will contain a stale entry.) -+ * -+ * The bad outcome can occur if either CPU's load is -+ * reordered before that CPU's store, so both CPUs must -+ * execute full barriers to prevent this from happening. -+ * -+ * Thus, switch_mm needs a full barrier between the -+ * store to mm_cpumask and any operation that could load -+ * from next->pgd. TLB fills are special and can happen -+ * due to instruction fetches or for no reason at all, -+ * and neither LOCK nor MFENCE orders them. -+ * Fortunately, load_cr3() is serializing and gives the -+ * ordering guarantee we need. -+ * -+ */ - load_cr3(next->pgd); - - /* Stop flush ipis for the previous mm */ -@@ -65,10 +92,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * schedule, protecting us from simultaneous changes. - */ - cpumask_set_cpu(cpu, mm_cpumask(next)); -+ - /* - * We were in lazy tlb mode and leave_mm disabled - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. -+ * -+ * As above, load_cr3() is serializing and orders TLB -+ * fills with respect to the mm_cpumask write. - */ - load_cr3(next->pgd); - load_LDT_nolock(&next->context); -diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c -index 59554dca96ec..e6a3b1e35fae 100644 ---- a/arch/x86/kernel/amd_nb.c -+++ b/arch/x86/kernel/amd_nb.c -@@ -67,8 +67,8 @@ int amd_cache_northbridges(void) - while ((misc = next_northbridge(misc, amd_nb_misc_ids)) != NULL) - i++; - -- if (i == 0) -- return 0; -+ if (!i) -+ return -ENODEV; - - nb = kzalloc(i * sizeof(struct amd_northbridge), GFP_KERNEL); - if (!nb) -diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c -index 53a4e2744846..3ab03430211d 100644 ---- a/arch/x86/kernel/apm_32.c -+++ b/arch/x86/kernel/apm_32.c -@@ -392,7 +392,7 @@ static struct cpuidle_device apm_cpuidle_device; - /* - * Local variables - */ --static struct { -+__visible struct { - unsigned long offset; - unsigned short segment; - } apm_bios_entry; -diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c -index ac057583282a..a18154454e36 100644 ---- a/arch/x86/kernel/cpu/perf_event_intel.c -+++ b/arch/x86/kernel/cpu/perf_event_intel.c -@@ -2241,13 +2241,16 @@ __init int intel_pmu_init(void) - * counter, so do not extend mask to generic counters - */ - for_each_event_constraint(c, x86_pmu.event_constraints) { -- if (c->cmask != X86_RAW_EVENT_MASK -- || c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) { -+ if (c->cmask == X86_RAW_EVENT_MASK -+ && c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) { -+ c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; - continue; - } - -- c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; -- c->weight += x86_pmu.num_counters; -+ c->idxmsk64 &= -+ ~(~0ULL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed)); -+ c->weight = hweight64(c->idxmsk64); -+ - } - } - -diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c -index 0c6c07cea3f7..766aa3bf1798 100644 ---- a/arch/x86/kernel/kprobes/core.c -+++ b/arch/x86/kernel/kprobes/core.c -@@ -908,7 +908,19 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr) - * normal page fault. - */ - regs->ip = (unsigned long)cur->addr; -+ /* -+ * Trap flag (TF) has been set here because this fault -+ * happened where the single stepping will be done. -+ * So clear it by resetting the current kprobe: -+ */ -+ regs->flags &= ~X86_EFLAGS_TF; -+ -+ /* -+ * If the TF flag was set before the kprobe hit, -+ * don't touch it: -+ */ - regs->flags |= kcb->kprobe_old_flags; -+ - if (kcb->kprobe_status == KPROBE_REENTER) - restore_previous_kprobe(kcb); - else -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 3c0b085b4336..8e57771d4bfd 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -2966,6 +2966,11 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, - if (dbgregs->flags) - return -EINVAL; - -+ if (dbgregs->dr6 & ~0xffffffffull) -+ return -EINVAL; -+ if (dbgregs->dr7 & ~0xffffffffull) -+ return -EINVAL; -+ - memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db)); - vcpu->arch.dr6 = dbgregs->dr6; - vcpu->arch.dr7 = dbgregs->dr7; -diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c -index 282375f13c7e..c26b610a604d 100644 ---- a/arch/x86/mm/tlb.c -+++ b/arch/x86/mm/tlb.c -@@ -149,7 +149,9 @@ void flush_tlb_current_task(void) - - preempt_disable(); - -+ /* This is an implicit full barrier that synchronizes with switch_mm. */ - local_flush_tlb(); -+ - if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) - flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); - preempt_enable(); -@@ -188,11 +190,19 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, - unsigned act_entries, tlb_entries = 0; - - preempt_disable(); -- if (current->active_mm != mm) -+ if (current->active_mm != mm) { -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ - goto flush_all; -+ } - - if (!current->mm) { - leave_mm(smp_processor_id()); -+ -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ - goto flush_all; - } - -@@ -242,10 +252,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start) - preempt_disable(); - - if (current->active_mm == mm) { -- if (current->mm) -+ if (current->mm) { -+ /* -+ * Implicit full barrier (INVLPG) that synchronizes -+ * with switch_mm. -+ */ - __flush_tlb_one(start); -- else -+ } else { - leave_mm(smp_processor_id()); -+ -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ } - } - - if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) -diff --git a/block/genhd.c b/block/genhd.c -index b09f5fc94dee..7af2f6a18d9b 100644 ---- a/block/genhd.c -+++ b/block/genhd.c -@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v) - if (iter) { - class_dev_iter_exit(iter); - kfree(iter); -+ seqf->private = NULL; - } - } - -diff --git a/crypto/gcm.c b/crypto/gcm.c -index cd97cdd8cabe..451e420ce56c 100644 ---- a/crypto/gcm.c -+++ b/crypto/gcm.c -@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb, - - ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type, - CRYPTO_ALG_TYPE_HASH, -- CRYPTO_ALG_TYPE_AHASH_MASK); -+ CRYPTO_ALG_TYPE_AHASH_MASK | -+ crypto_requires_sync(algt->type, -+ algt->mask)); - if (IS_ERR(ghash_alg)) - return ERR_CAST(ghash_alg); - -diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c -index 7281b8a93ad3..79cbbbfffffc 100644 ---- a/crypto/scatterwalk.c -+++ b/crypto/scatterwalk.c -@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk, int out, - - void scatterwalk_done(struct scatter_walk *walk, int out, int more) - { -- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more) -+ if (!more || walk->offset >= walk->sg->offset + walk->sg->length || -+ !(walk->offset & (PAGE_SIZE - 1))) - scatterwalk_pagedone(walk, out, more); - } - EXPORT_SYMBOL_GPL(scatterwalk_done); -diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c -index a02a91cd1de4..c5e3dd93865a 100644 ---- a/drivers/acpi/pci_root.c -+++ b/drivers/acpi/pci_root.c -@@ -385,6 +385,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - int result; - struct acpi_pci_root *root; - u32 flags, base_flags; -+ bool no_aspm = false, clear_aspm = false; - - root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL); - if (!root) -@@ -445,31 +446,10 @@ static int acpi_pci_root_add(struct acpi_device *device, - flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT; - acpi_pci_osc_support(root, flags); - -- /* -- * TBD: Need PCI interface for enumeration/configuration of roots. -- */ -- - mutex_lock(&acpi_pci_root_lock); - list_add_tail(&root->node, &acpi_pci_roots); - mutex_unlock(&acpi_pci_root_lock); - -- /* -- * Scan the Root Bridge -- * -------------------- -- * Must do this prior to any attempt to bind the root device, as the -- * PCI namespace does not get created until this call is made (and -- * thus the root bridge's pci_dev does not exist). -- */ -- root->bus = pci_acpi_scan_root(root); -- if (!root->bus) { -- printk(KERN_ERR PREFIX -- "Bus %04x:%02x not present in PCI namespace\n", -- root->segment, (unsigned int)root->secondary.start); -- result = -ENODEV; -- goto out_del_root; -- } -- -- /* Indicate support for various _OSC capabilities. */ - if (pci_ext_cfg_avail()) - flags |= OSC_EXT_PCI_CONFIG_SUPPORT; - if (pcie_aspm_support_enabled()) { -@@ -483,7 +463,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - if (ACPI_FAILURE(status)) { - dev_info(&device->dev, "ACPI _OSC support " - "notification failed, disabling PCIe ASPM\n"); -- pcie_no_aspm(); -+ no_aspm = true; - flags = base_flags; - } - } -@@ -515,7 +495,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - * We have ASPM control, but the FADT indicates - * that it's unsupported. Clear it. - */ -- pcie_clear_aspm(root->bus); -+ clear_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -524,7 +504,14 @@ static int acpi_pci_root_add(struct acpi_device *device, - acpi_format_exception(status), flags); - pr_info("ACPI _OSC control for PCIe not granted, " - "disabling ASPM\n"); -- pcie_no_aspm(); -+ /* -+ * We want to disable ASPM here, but aspm_disabled -+ * needs to remain in its state from boot so that we -+ * properly handle PCIe 1.1 devices. So we set this -+ * flag here, to defer the action until after the ACPI -+ * root scan. -+ */ -+ no_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -532,6 +519,33 @@ static int acpi_pci_root_add(struct acpi_device *device, - "(_OSC support mask: 0x%02x)\n", flags); - } - -+ /* -+ * TBD: Need PCI interface for enumeration/configuration of roots. -+ */ -+ -+ /* -+ * Scan the Root Bridge -+ * -------------------- -+ * Must do this prior to any attempt to bind the root device, as the -+ * PCI namespace does not get created until this call is made (and -+ * thus the root bridge's pci_dev does not exist). -+ */ -+ root->bus = pci_acpi_scan_root(root); -+ if (!root->bus) { -+ dev_err(&device->dev, -+ "Bus %04x:%02x not present in PCI namespace\n", -+ root->segment, (unsigned int)root->secondary.start); -+ result = -ENODEV; -+ goto end; -+ } -+ -+ if (clear_aspm) { -+ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n"); -+ pcie_clear_aspm(root->bus); -+ } -+ if (no_aspm) -+ pcie_no_aspm(); -+ - pci_acpi_add_bus_pm_notifier(device, root->bus); - if (device->wakeup.flags.run_wake) - device_set_run_wake(root->bus->bridge, true); -@@ -548,11 +562,6 @@ static int acpi_pci_root_add(struct acpi_device *device, - pci_bus_add_devices(root->bus); - return 1; - --out_del_root: -- mutex_lock(&acpi_pci_root_lock); -- list_del(&root->node); -- mutex_unlock(&acpi_pci_root_lock); -- - end: - kfree(root); - return result; -diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c -index 063036d876b0..126eb86f239f 100644 ---- a/drivers/ata/libata-eh.c -+++ b/drivers/ata/libata-eh.c -@@ -604,7 +604,7 @@ void ata_scsi_error(struct Scsi_Host *host) - ata_scsi_port_error_handler(host, ap); - - /* finish or retry handled scmd's and clean up */ -- WARN_ON(host->host_failed || !list_empty(&eh_work_q)); -+ WARN_ON(!list_empty(&eh_work_q)); - - DPRINTK("EXIT\n"); - } -diff --git a/drivers/base/module.c b/drivers/base/module.c -index db930d3ee312..2a215780eda2 100644 ---- a/drivers/base/module.c -+++ b/drivers/base/module.c -@@ -24,10 +24,12 @@ static char *make_driver_name(struct device_driver *drv) - - static void module_create_drivers_dir(struct module_kobject *mk) - { -- if (!mk || mk->drivers_dir) -- return; -+ static DEFINE_MUTEX(drivers_dir_mutex); - -- mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); -+ mutex_lock(&drivers_dir_mutex); -+ if (mk && !mk->drivers_dir) -+ mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); -+ mutex_unlock(&drivers_dir_mutex); - } - - void module_add_driver(struct module *mod, struct device_driver *drv) -diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c -index 6789c1653913..cde4a6e0fab0 100644 ---- a/drivers/crypto/ux500/hash/hash_core.c -+++ b/drivers/crypto/ux500/hash/hash_core.c -@@ -806,7 +806,7 @@ int hash_process_data( - &device_data->state); - memmove(req_ctx->state.buffer, - device_data->state.buffer, -- HASH_BLOCK_SIZE / sizeof(u32)); -+ HASH_BLOCK_SIZE); - if (ret) { - dev_err(device_data->dev, "[%s] " - "hash_resume_state()" -@@ -858,7 +858,7 @@ int hash_process_data( - - memmove(device_data->state.buffer, - req_ctx->state.buffer, -- HASH_BLOCK_SIZE / sizeof(u32)); -+ HASH_BLOCK_SIZE); - if (ret) { - dev_err(device_data->dev, "[%s] " - "hash_save_state()" -diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c -index 426c51dd420c..ac11e455aea5 100644 ---- a/drivers/gpio/gpio-pca953x.c -+++ b/drivers/gpio/gpio-pca953x.c -@@ -75,7 +75,7 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id); - #define MAX_BANK 5 - #define BANK_SZ 8 - --#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ) -+#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ) - - struct pca953x_chip { - unsigned gpio_start; -diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c -index b78cbe74dadf..93b74107d20d 100644 ---- a/drivers/gpu/drm/drm_fb_helper.c -+++ b/drivers/gpu/drm/drm_fb_helper.c -@@ -1313,7 +1313,6 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, - int n, int width, int height) - { - int c, o; -- struct drm_device *dev = fb_helper->dev; - struct drm_connector *connector; - struct drm_connector_helper_funcs *connector_funcs; - struct drm_encoder *encoder; -@@ -1334,7 +1333,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, - if (modes[n] == NULL) - return best_score; - -- crtcs = kzalloc(dev->mode_config.num_connector * -+ crtcs = kzalloc(fb_helper->connector_count * - sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); - if (!crtcs) - return best_score; -@@ -1381,7 +1380,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper, - best_crtc = crtc; - best_score = score; - memcpy(best_crtcs, crtcs, -- dev->mode_config.num_connector * -+ fb_helper->connector_count * - sizeof(struct drm_fb_helper_crtc *)); - } - } -diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c -index 489ffd2c66e5..a3d37e4a84ae 100644 ---- a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c -+++ b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c -@@ -85,7 +85,7 @@ static const char *const dsi_errors[] = { - "RX Prot Violation", - "HS Generic Write FIFO Full", - "LP Generic Write FIFO Full", -- "Generic Read Data Avail" -+ "Generic Read Data Avail", - "Special Packet Sent", - "Tearing Effect", - }; -diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c -index f3cce23f4a62..f4b9b1c0cae8 100644 ---- a/drivers/gpu/drm/radeon/radeon_atombios.c -+++ b/drivers/gpu/drm/radeon/radeon_atombios.c -@@ -1144,7 +1144,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev) - le16_to_cpu(firmware_info->info.usReferenceClock); - p1pll->reference_div = 0; - -- if (crev < 2) -+ if ((frev < 2) && (crev < 2)) - p1pll->pll_out_min = - le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output); - else -@@ -1153,7 +1153,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev) - p1pll->pll_out_max = - le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output); - -- if (crev >= 4) { -+ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) { - p1pll->lcd_pll_out_min = - le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100; - if (p1pll->lcd_pll_out_min == 0) -diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c -index 8c44ef57864b..a7e1893de838 100644 ---- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c -+++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - - #include "radeon_acpi.h" - -@@ -252,6 +253,10 @@ static int radeon_atpx_set_discrete_state(struct radeon_atpx *atpx, u8 state) - if (!info) - return -EIO; - kfree(info); -+ -+ /* 200ms delay is required after off */ -+ if (state == 0) -+ msleep(200); - } - return 0; - } -diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c -index 1fbd38b371d4..ea62810aeda6 100644 ---- a/drivers/gpu/drm/radeon/radeon_connectors.c -+++ b/drivers/gpu/drm/radeon/radeon_connectors.c -@@ -1691,7 +1691,6 @@ radeon_add_atom_connector(struct drm_device *dev, - 1); - /* no HPD on analog connectors */ - radeon_connector->hpd.hpd = RADEON_HPD_NONE; -- connector->polled = DRM_CONNECTOR_POLL_CONNECT; - connector->interlace_allowed = true; - connector->doublescan_allowed = true; - break; -@@ -1889,8 +1888,10 @@ radeon_add_atom_connector(struct drm_device *dev, - } - - if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) { -- if (i2c_bus->valid) -- connector->polled = DRM_CONNECTOR_POLL_CONNECT; -+ if (i2c_bus->valid) { -+ connector->polled = DRM_CONNECTOR_POLL_CONNECT | -+ DRM_CONNECTOR_POLL_DISCONNECT; -+ } - } else - connector->polled = DRM_CONNECTOR_POLL_HPD; - -@@ -1962,7 +1963,6 @@ radeon_add_legacy_connector(struct drm_device *dev, - 1); - /* no HPD on analog connectors */ - radeon_connector->hpd.hpd = RADEON_HPD_NONE; -- connector->polled = DRM_CONNECTOR_POLL_CONNECT; - connector->interlace_allowed = true; - connector->doublescan_allowed = true; - break; -@@ -2047,10 +2047,13 @@ radeon_add_legacy_connector(struct drm_device *dev, - } - - if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) { -- if (i2c_bus->valid) -- connector->polled = DRM_CONNECTOR_POLL_CONNECT; -+ if (i2c_bus->valid) { -+ connector->polled = DRM_CONNECTOR_POLL_CONNECT | -+ DRM_CONNECTOR_POLL_DISCONNECT; -+ } - } else - connector->polled = DRM_CONNECTOR_POLL_HPD; -+ - connector->display_info.subpixel_order = subpixel_order; - drm_sysfs_connector_add(connector); - } -diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 8df1525f71d2..e9db3f8125ed 100644 ---- a/drivers/gpu/drm/radeon/radeon_device.c -+++ b/drivers/gpu/drm/radeon/radeon_device.c -@@ -449,6 +449,23 @@ void radeon_gtt_location(struct radeon_device *rdev, struct radeon_mc *mc) - /* - * GPU helpers function. - */ -+ -+/** -+ * radeon_device_is_virtual - check if we are running is a virtual environment -+ * -+ * Check if the asic has been passed through to a VM (all asics). -+ * Used at driver startup. -+ * Returns true if virtual or false if not. -+ */ -+static bool radeon_device_is_virtual(void) -+{ -+#ifdef CONFIG_X86 -+ return boot_cpu_has(X86_FEATURE_HYPERVISOR); -+#else -+ return false; -+#endif -+} -+ - /** - * radeon_card_posted - check if the hw has already been initialized - * -@@ -462,6 +479,10 @@ bool radeon_card_posted(struct radeon_device *rdev) - { - uint32_t reg; - -+ /* for pass through, always force asic_init */ -+ if (radeon_device_is_virtual()) -+ return false; -+ - /* required for EFI mode on macbook2,1 which uses an r5xx asic */ - if (efi_enabled(EFI_BOOT) && - (rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) && -diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c -index a3915d12e746..eb5700e40e1a 100644 ---- a/drivers/hid/hid-input.c -+++ b/drivers/hid/hid-input.c -@@ -1084,7 +1084,7 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct - return; - - /* report the usage code as scancode if the key status has changed */ -- if (usage->type == EV_KEY && !!test_bit(usage->code, input->key) != value) -+ if (usage->type == EV_KEY && (!!test_bit(usage->code, input->key)) != value) - input_event(input, EV_MSC, MSC_SCAN, usage->hid); - - input_event(input, usage->type, usage->code, value); -diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c -index 2f1ddca6f2e0..700145b15088 100644 ---- a/drivers/hid/usbhid/hiddev.c -+++ b/drivers/hid/usbhid/hiddev.c -@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, - goto inval; - } else if (uref->usage_index >= field->report_count) - goto inval; -- -- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && -- (uref_multi->num_values > HID_MAX_MULTI_USAGES || -- uref->usage_index + uref_multi->num_values > field->report_count)) -- goto inval; - } - -+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && -+ (uref_multi->num_values > HID_MAX_MULTI_USAGES || -+ uref->usage_index + uref_multi->num_values > field->report_count)) -+ goto inval; -+ - switch (cmd) { - case HIDIOCGUSAGE: - uref->value = field->value[uref->usage_index]; -diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c -index 7c9a1d97dc68..a22c427454db 100644 ---- a/drivers/iio/accel/kxsd9.c -+++ b/drivers/iio/accel/kxsd9.c -@@ -81,7 +81,7 @@ static int kxsd9_write_scale(struct iio_dev *indio_dev, int micro) - - mutex_lock(&st->buf_lock); - ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); -- if (ret) -+ if (ret < 0) - goto error_ret; - st->tx[0] = KXSD9_WRITE(KXSD9_REG_CTRL_C); - st->tx[1] = (ret & ~KXSD9_FS_MASK) | i; -@@ -163,7 +163,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev, - break; - case IIO_CHAN_INFO_SCALE: - ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); -- if (ret) -+ if (ret < 0) - goto error_ret; - *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK]; - ret = IIO_VAL_INT_PLUS_MICRO; -diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c -index c2744a75c3b0..6569a4e2a436 100644 ---- a/drivers/iio/adc/ad7266.c -+++ b/drivers/iio/adc/ad7266.c -@@ -406,7 +406,7 @@ static int ad7266_probe(struct spi_device *spi) - st = iio_priv(indio_dev); - - st->reg = regulator_get(&spi->dev, "vref"); -- if (!IS_ERR_OR_NULL(st->reg)) { -+ if (!IS_ERR(st->reg)) { - ret = regulator_enable(st->reg); - if (ret) - goto error_put_reg; -@@ -417,6 +417,10 @@ static int ad7266_probe(struct spi_device *spi) - - st->vref_uv = ret; - } else { -+ /* Any other error indicates that the regulator does exist */ -+ if (PTR_ERR(st->reg) != -ENODEV) -+ return PTR_ERR(st->reg); -+ - /* Use internal reference */ - st->vref_uv = 2500000; - } -diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c -index 4d6c7d84e155..301becccf5ed 100644 ---- a/drivers/iio/industrialio-trigger.c -+++ b/drivers/iio/industrialio-trigger.c -@@ -203,22 +203,35 @@ static int iio_trigger_attach_poll_func(struct iio_trigger *trig, - - /* Prevent the module from being removed whilst attached to a trigger */ - __module_get(pf->indio_dev->info->driver_module); -+ -+ /* Get irq number */ - pf->irq = iio_trigger_get_irq(trig); -+ if (pf->irq < 0) -+ goto out_put_module; -+ -+ /* Request irq */ - ret = request_threaded_irq(pf->irq, pf->h, pf->thread, - pf->type, pf->name, - pf); -- if (ret < 0) { -- module_put(pf->indio_dev->info->driver_module); -- return ret; -- } -+ if (ret < 0) -+ goto out_put_irq; - -+ /* Enable trigger in driver */ - if (trig->ops && trig->ops->set_trigger_state && notinuse) { - ret = trig->ops->set_trigger_state(trig, true); - if (ret < 0) -- module_put(pf->indio_dev->info->driver_module); -+ goto out_free_irq; - } - - return ret; -+ -+out_free_irq: -+ free_irq(pf->irq, pf); -+out_put_irq: -+ iio_trigger_put_irq(trig, pf->irq); -+out_put_module: -+ module_put(pf->indio_dev->info->driver_module); -+ return ret; - } - - static int iio_trigger_detach_poll_func(struct iio_trigger *trig, -diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c -index f2f63933e8a9..5befec118a18 100644 ---- a/drivers/infiniband/core/ucm.c -+++ b/drivers/infiniband/core/ucm.c -@@ -48,6 +48,7 @@ - - #include - -+#include - #include - #include - #include -@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf, - struct ib_ucm_cmd_hdr hdr; - ssize_t result; - -+ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) -+ return -EACCES; -+ - if (len < sizeof(hdr)) - return -EINVAL; - -diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c -index 5ca44cd9b00c..99f1c170770f 100644 ---- a/drivers/infiniband/core/ucma.c -+++ b/drivers/infiniband/core/ucma.c -@@ -43,6 +43,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -1249,6 +1250,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf, - struct rdma_ucm_cmd_hdr hdr; - ssize_t ret; - -+ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) -+ return -EACCES; -+ - if (len < sizeof(hdr)) - return -EINVAL; - -diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c -index b6062b9236a2..f50623d07a75 100644 ---- a/drivers/infiniband/core/uverbs_main.c -+++ b/drivers/infiniband/core/uverbs_main.c -@@ -48,6 +48,8 @@ - - #include - -+#include -+ - #include "uverbs.h" - - MODULE_AUTHOR("Roland Dreier"); -@@ -588,6 +590,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf, - struct ib_uverbs_file *file = filp->private_data; - struct ib_uverbs_cmd_hdr hdr; - -+ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) -+ return -EACCES; -+ - if (count < sizeof hdr) - return -EINVAL; - -diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c -index 890c23b3d714..f55d69500a5f 100644 ---- a/drivers/infiniband/hw/mlx4/ah.c -+++ b/drivers/infiniband/hw/mlx4/ah.c -@@ -65,6 +65,7 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr, - - ah->av.ib.port_pd = cpu_to_be32(to_mpd(pd)->pdn | (ah_attr->port_num << 24)); - ah->av.ib.g_slid = ah_attr->src_path_bits; -+ ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28); - if (ah_attr->ah_flags & IB_AH_GRH) { - ah->av.ib.g_slid |= 0x80; - ah->av.ib.gid_index = ah_attr->grh.sgid_index; -@@ -82,7 +83,6 @@ static struct ib_ah *create_ib_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr, - !(1 << ah->av.ib.stat_rate & dev->caps.stat_rate_support)) - --ah->av.ib.stat_rate; - } -- ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28); - - return &ah->ibah; - } -diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c -index 262a18437ceb..1fe3bdb0da14 100644 ---- a/drivers/infiniband/hw/mlx4/qp.c -+++ b/drivers/infiniband/hw/mlx4/qp.c -@@ -346,7 +346,7 @@ static int send_wqe_overhead(enum mlx4_ib_qp_type type, u32 flags) - sizeof (struct mlx4_wqe_raddr_seg); - case MLX4_IB_QPT_RC: - return sizeof (struct mlx4_wqe_ctrl_seg) + -- sizeof (struct mlx4_wqe_atomic_seg) + -+ sizeof (struct mlx4_wqe_masked_atomic_seg) + - sizeof (struct mlx4_wqe_raddr_seg); - case MLX4_IB_QPT_SMI: - case MLX4_IB_QPT_GSI: -diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c -index b56c9428f3c5..8cb29b36c82a 100644 ---- a/drivers/infiniband/hw/qib/qib_file_ops.c -+++ b/drivers/infiniband/hw/qib/qib_file_ops.c -@@ -45,6 +45,8 @@ - #include - #include - -+#include -+ - #include "qib.h" - #include "qib_common.h" - #include "qib_user_sdma.h" -@@ -1977,6 +1979,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data, - ssize_t ret = 0; - void *dest; - -+ if (WARN_ON_ONCE(!ib_safe_file_access(fp))) -+ return -EACCES; -+ - if (count < sizeof(cmd.type)) { - ret = -EINVAL; - goto bail; -diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c -index b6e049a3c7a8..a481094af85f 100644 ---- a/drivers/infiniband/ulp/ipoib/ipoib_main.c -+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c -@@ -887,7 +887,9 @@ struct ipoib_neigh *ipoib_neigh_get(struct net_device *dev, u8 *daddr) - neigh = NULL; - goto out_unlock; - } -- neigh->alive = jiffies; -+ -+ if (likely(skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE)) -+ neigh->alive = jiffies; - goto out_unlock; - } - } -diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c -index 856c1b03e22d..685e125d6366 100644 ---- a/drivers/input/joystick/xpad.c -+++ b/drivers/input/joystick/xpad.c -@@ -843,6 +843,9 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id - struct usb_endpoint_descriptor *ep_irq_in; - int i, error; - -+ if (intf->cur_altsetting->desc.bNumEndpoints != 2) -+ return -ENODEV; -+ - for (i = 0; xpad_device[i].idVendor; i++) { - if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) && - (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct)) -diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index a0a4bbaef02c..3f2f3ac96a55 100644 ---- a/drivers/input/misc/uinput.c -+++ b/drivers/input/misc/uinput.c -@@ -835,9 +835,15 @@ static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - } - - #ifdef CONFIG_COMPAT -+ -+#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t) -+ - static long uinput_compat_ioctl(struct file *file, - unsigned int cmd, unsigned long arg) - { -+ if (cmd == UI_SET_PHYS_COMPAT) -+ cmd = UI_SET_PHYS; -+ - return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg)); - } - #endif -diff --git a/drivers/input/touchscreen/wacom_w8001.c b/drivers/input/touchscreen/wacom_w8001.c -index 9a83be6b6584..abba11220f29 100644 ---- a/drivers/input/touchscreen/wacom_w8001.c -+++ b/drivers/input/touchscreen/wacom_w8001.c -@@ -28,7 +28,7 @@ MODULE_AUTHOR("Jaya Kumar "); - MODULE_DESCRIPTION(DRIVER_DESC); - MODULE_LICENSE("GPL"); - --#define W8001_MAX_LENGTH 11 -+#define W8001_MAX_LENGTH 13 - #define W8001_LEAD_MASK 0x80 - #define W8001_LEAD_BYTE 0x80 - #define W8001_TAB_MASK 0x40 -diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c -index a7e4939787c9..eab9167937e2 100644 ---- a/drivers/isdn/hardware/mISDN/hfcpci.c -+++ b/drivers/isdn/hardware/mISDN/hfcpci.c -@@ -2295,8 +2295,8 @@ _hfcpci_softirq(struct device *dev, void *arg) - static void - hfcpci_softirq(void *arg) - { -- (void) driver_for_each_device(&hfc_driver.driver, NULL, arg, -- _hfcpci_softirq); -+ WARN_ON_ONCE(driver_for_each_device(&hfc_driver.driver, NULL, arg, -+ _hfcpci_softirq) != 0); - - /* if next event would be in the past ... */ - if ((s32)(hfc_jiffies + tics - jiffies) <= 0) -diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c -index 7fcf21cb4ff8..a9a47cd029d5 100644 ---- a/drivers/md/dm-flakey.c -+++ b/drivers/md/dm-flakey.c -@@ -286,10 +286,16 @@ static int flakey_map(struct dm_target *ti, struct bio *bio) - pb->bio_submitted = true; - - /* -- * Map reads as normal. -+ * Map reads as normal only if corrupt_bio_byte set. - */ -- if (bio_data_dir(bio) == READ) -- goto map_bio; -+ if (bio_data_dir(bio) == READ) { -+ /* If flags were specified, only corrupt those that match. */ -+ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && -+ all_corrupt_bio_flags_match(bio, fc)) -+ goto map_bio; -+ else -+ return -EIO; -+ } - - /* - * Drop writes? -@@ -327,12 +333,13 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error) - - /* - * Corrupt successful READs while in down state. -- * If flags were specified, only corrupt those that match. - */ -- if (fc->corrupt_bio_byte && !error && pb->bio_submitted && -- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) && -- all_corrupt_bio_flags_match(bio, fc)) -- corrupt_bio_data(bio, fc); -+ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { -+ if (fc->corrupt_bio_byte) -+ corrupt_bio_data(bio, fc); -+ else -+ return -EIO; -+ } - - return error; - } -diff --git a/drivers/media/dvb-frontends/stb6100.c b/drivers/media/dvb-frontends/stb6100.c -index cea175d19890..4ef8a5c7003e 100644 ---- a/drivers/media/dvb-frontends/stb6100.c -+++ b/drivers/media/dvb-frontends/stb6100.c -@@ -193,7 +193,7 @@ static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int st - .len = len + 1 - }; - -- if (1 + len > sizeof(buf)) { -+ if (1 + len > sizeof(cmdbuf)) { - printk(KERN_WARNING - "%s: i2c wr: len=%d is too big!\n", - KBUILD_MODNAME, len); -diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c -index 961d7ff75427..eb92027cef92 100644 ---- a/drivers/media/platform/s5p-mfc/s5p_mfc.c -+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c -@@ -1000,6 +1000,11 @@ static int match_child(struct device *dev, void *data) - return !strcmp(dev_name(dev), (char *)data); - } - -+static void s5p_mfc_memdev_release(struct device *dev) -+{ -+ dma_release_declared_memory(dev); -+} -+ - static void *mfc_get_drv_data(struct platform_device *pdev); - - static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev) -@@ -1012,6 +1017,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev) - mfc_err("Not enough memory\n"); - return -ENOMEM; - } -+ -+ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l"); -+ dev->mem_dev_l->release = s5p_mfc_memdev_release; - device_initialize(dev->mem_dev_l); - of_property_read_u32_array(dev->plat_dev->dev.of_node, - "samsung,mfc-l", mem_info, 2); -@@ -1029,6 +1037,9 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev) - mfc_err("Not enough memory\n"); - return -ENOMEM; - } -+ -+ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r"); -+ dev->mem_dev_r->release = s5p_mfc_memdev_release; - device_initialize(dev->mem_dev_r); - of_property_read_u32_array(dev->plat_dev->dev.of_node, - "samsung,mfc-r", mem_info, 2); -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index c6bf23599eb9..a2863b7b9e21 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -1582,8 +1582,8 @@ static void mmc_blk_packed_hdr_wrq_prep(struct mmc_queue_req *mqrq, - - packed_cmd_hdr = packed->cmd_hdr; - memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr)); -- packed_cmd_hdr[0] = (packed->nr_entries << 16) | -- (PACKED_CMD_WR << 8) | PACKED_CMD_VER; -+ packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) | -+ (PACKED_CMD_WR << 8) | PACKED_CMD_VER); - hdr_blocks = mmc_large_sector(card) ? 8 : 1; - - /* -@@ -1597,14 +1597,14 @@ static void mmc_blk_packed_hdr_wrq_prep(struct mmc_queue_req *mqrq, - ((brq->data.blocks * brq->data.blksz) >= - card->ext_csd.data_tag_unit_size); - /* Argument of CMD23 */ -- packed_cmd_hdr[(i * 2)] = -+ packed_cmd_hdr[(i * 2)] = cpu_to_le32( - (do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) | - (do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) | -- blk_rq_sectors(prq); -+ blk_rq_sectors(prq)); - /* Argument of CMD18 or CMD25 */ -- packed_cmd_hdr[((i * 2)) + 1] = -+ packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32( - mmc_card_blockaddr(card) ? -- blk_rq_pos(prq) : blk_rq_pos(prq) << 9; -+ blk_rq_pos(prq) : blk_rq_pos(prq) << 9); - packed->blocks += blk_rq_sectors(prq); - i++; - } -diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c -index a56133585e92..03331c173bd0 100644 ---- a/drivers/mtd/ubi/build.c -+++ b/drivers/mtd/ubi/build.c -@@ -997,6 +997,9 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, - goto out_detach; - } - -+ /* Make device "available" before it becomes accessible via sysfs */ -+ ubi_devices[ubi_num] = ubi; -+ - err = uif_init(ubi, &ref); - if (err) - goto out_detach; -@@ -1041,7 +1044,6 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, - wake_up_process(ubi->bgt_thread); - spin_unlock(&ubi->wl_lock); - -- ubi_devices[ubi_num] = ubi; - ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL); - return ubi_num; - -@@ -1052,6 +1054,7 @@ out_uif: - ubi_assert(ref); - uif_close(ubi); - out_detach: -+ ubi_devices[ubi_num] = NULL; - ubi_wl_close(ubi); - ubi_free_internal_volumes(ubi); - vfree(ubi->vtbl); -diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c -index 8330703c098f..96131eb34c9f 100644 ---- a/drivers/mtd/ubi/vmt.c -+++ b/drivers/mtd/ubi/vmt.c -@@ -534,13 +534,6 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) - spin_unlock(&ubi->volumes_lock); - } - -- /* Change volume table record */ -- vtbl_rec = ubi->vtbl[vol_id]; -- vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs); -- err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); -- if (err) -- goto out_acc; -- - if (pebs < 0) { - for (i = 0; i < -pebs; i++) { - err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i); -@@ -558,6 +551,24 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) - spin_unlock(&ubi->volumes_lock); - } - -+ /* -+ * When we shrink a volume we have to flush all pending (erase) work. -+ * Otherwise it can happen that upon next attach UBI finds a LEB with -+ * lnum > highest_lnum and refuses to attach. -+ */ -+ if (pebs < 0) { -+ err = ubi_wl_flush(ubi, vol_id, UBI_ALL); -+ if (err) -+ goto out_acc; -+ } -+ -+ /* Change volume table record */ -+ vtbl_rec = ubi->vtbl[vol_id]; -+ vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs); -+ err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); -+ if (err) -+ goto out_acc; -+ - vol->reserved_pebs = reserved_pebs; - if (vol->vol_type == UBI_DYNAMIC_VOLUME) { - vol->used_ebs = reserved_pebs; -diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c -index 535d5dd8d816..024078c5fb16 100644 ---- a/drivers/net/can/at91_can.c -+++ b/drivers/net/can/at91_can.c -@@ -731,9 +731,10 @@ static int at91_poll_rx(struct net_device *dev, int quota) - - /* upper group completed, look again in lower */ - if (priv->rx_next > get_mb_rx_low_last(priv) && -- quota > 0 && mb > get_mb_rx_last(priv)) { -+ mb > get_mb_rx_last(priv)) { - priv->rx_next = get_mb_rx_first(priv); -- goto again; -+ if (quota > 0) -+ goto again; - } - - return received; -diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index f66aeb79abdf..464e5f66b66d 100644 ---- a/drivers/net/can/dev.c -+++ b/drivers/net/can/dev.c -@@ -772,6 +772,11 @@ static int can_newlink(struct net *src_net, struct net_device *dev, - return -EOPNOTSUPP; - } - -+static void can_dellink(struct net_device *dev, struct list_head *head) -+{ -+ return; -+} -+ - static struct rtnl_link_ops can_link_ops __read_mostly = { - .kind = "can", - .maxtype = IFLA_CAN_MAX, -@@ -779,6 +784,7 @@ static struct rtnl_link_ops can_link_ops __read_mostly = { - .setup = can_setup, - .newlink = can_newlink, - .changelink = can_changelink, -+ .dellink = can_dellink, - .get_size = can_get_size, - .fill_info = can_fill_info, - .get_xstats_size = can_get_xstats_size, -diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c -index a85a9c2f1385..7357e54f1de9 100644 ---- a/drivers/net/ethernet/atheros/alx/main.c -+++ b/drivers/net/ethernet/atheros/alx/main.c -@@ -86,9 +86,14 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp) - while (!cur_buf->skb && next != rxq->read_idx) { - struct alx_rfd *rfd = &rxq->rfd[cur]; - -- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp); -+ skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size + 64, gfp); - if (!skb) - break; -+ -+ /* Workround for the HW RX DMA overflow issue */ -+ if (((unsigned long)skb->data & 0xfff) == 0xfc0) -+ skb_reserve(skb, 64); -+ - dma = dma_map_single(&alx->hw.pdev->dev, - skb->data, alx->rxbuf_size, - DMA_FROM_DEVICE); -diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c -index d5643c143bb8..df3af299a7d2 100644 ---- a/drivers/net/ethernet/marvell/mvneta.c -+++ b/drivers/net/ethernet/marvell/mvneta.c -@@ -210,7 +210,7 @@ - /* Various constants */ - - /* Coalescing */ --#define MVNETA_TXDONE_COAL_PKTS 1 -+#define MVNETA_TXDONE_COAL_PKTS 0 /* interrupt per packet */ - #define MVNETA_RX_COAL_PKTS 32 - #define MVNETA_RX_COAL_USEC 100 - -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index 74581cbcafa7..a5802419381f 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -477,6 +477,13 @@ advance: - if (cdc_ncm_setup(ctx)) - goto error2; - -+ /* Some firmwares need a pause here or they will silently fail -+ * to set up the interface properly. This value was decided -+ * empirically on a Sierra Wireless MC7455 running 02.08.02.00 -+ * firmware. -+ */ -+ usleep_range(10000, 20000); -+ - /* configure data interface */ - temp = usb_set_interface(dev->udev, iface_no, data_altsetting); - if (temp) -@@ -598,24 +605,13 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting); - - static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf) - { -- int ret; -- - /* MBIM backwards compatible function? */ - cdc_ncm_select_altsetting(dev, intf); - if (cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) - return -ENODEV; - - /* NCM data altsetting is always 1 */ -- ret = cdc_ncm_bind_common(dev, intf, 1); -- -- /* -- * We should get an event when network connection is "connected" or -- * "disconnected". Set network connection in "disconnected" state -- * (carrier is OFF) during attach, so the IP network stack does not -- * start IPv6 negotiation and more. -- */ -- usbnet_link_change(dev, 0, 0); -- return ret; -+ return cdc_ncm_bind_common(dev, intf, 1); - } - - static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max) -@@ -1161,7 +1157,8 @@ static void cdc_ncm_disconnect(struct usb_interface *intf) - - static const struct driver_info cdc_ncm_info = { - .description = "CDC NCM", -- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET, -+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET -+ | FLAG_LINK_INTR, - .bind = cdc_ncm_bind, - .unbind = cdc_ncm_unbind, - .check_connect = cdc_ncm_check_connect, -@@ -1175,7 +1172,7 @@ static const struct driver_info cdc_ncm_info = { - static const struct driver_info wwan_info = { - .description = "Mobile Broadband Network Device", - .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET -- | FLAG_WWAN, -+ | FLAG_LINK_INTR | FLAG_WWAN, - .bind = cdc_ncm_bind, - .unbind = cdc_ncm_unbind, - .check_connect = cdc_ncm_check_connect, -@@ -1189,7 +1186,7 @@ static const struct driver_info wwan_info = { - static const struct driver_info wwan_noarp_info = { - .description = "Mobile Broadband Network Device (NO ARP)", - .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET -- | FLAG_WWAN | FLAG_NOARP, -+ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP, - .bind = cdc_ncm_bind, - .unbind = cdc_ncm_unbind, - .check_connect = cdc_ncm_check_connect, -diff --git a/drivers/net/wireless/ath/ath5k/led.c b/drivers/net/wireless/ath/ath5k/led.c -index f77ef36acf87..61879b1f7083 100644 ---- a/drivers/net/wireless/ath/ath5k/led.c -+++ b/drivers/net/wireless/ath/ath5k/led.c -@@ -77,7 +77,7 @@ static DEFINE_PCI_DEVICE_TABLE(ath5k_led_devices) = { - /* HP Compaq CQ60-206US (ddreggors@jumptv.com) */ - { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137a), ATH_LED(3, 1) }, - /* HP Compaq C700 (nitrousnrg@gmail.com) */ -- { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 1) }, -+ { ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 0) }, - /* LiteOn AR5BXB63 (magooz@salug.it) */ - { ATH_SDEVICE(PCI_VENDOR_ID_ATHEROS, 0x3067), ATH_LED(3, 0) }, - /* IBM-specific AR5212 (all others) */ -diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c -index cb34c7895f2a..735c26620387 100644 ---- a/drivers/net/wireless/mac80211_hwsim.c -+++ b/drivers/net/wireless/mac80211_hwsim.c -@@ -1931,6 +1931,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, - if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] || - !info->attrs[HWSIM_ATTR_FLAGS] || - !info->attrs[HWSIM_ATTR_COOKIE] || -+ !info->attrs[HWSIM_ATTR_SIGNAL] || - !info->attrs[HWSIM_ATTR_TX_INFO]) - goto out; - -diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c -index 6fc0853fd7f9..d066f74f743a 100644 ---- a/drivers/net/wireless/rtlwifi/base.c -+++ b/drivers/net/wireless/rtlwifi/base.c -@@ -1392,9 +1392,9 @@ void rtl_watchdog_wq_callback(void *data) - if (((rtlpriv->link_info.num_rx_inperiod + - rtlpriv->link_info.num_tx_inperiod) > 8) || - (rtlpriv->link_info.num_rx_inperiod > 2)) -- rtlpriv->enter_ps = true; -- else - rtlpriv->enter_ps = false; -+ else -+ rtlpriv->enter_ps = true; - - /* LeisurePS only work in infra mode. */ - schedule_work(&rtlpriv->works.lps_change_work); -diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index d332d55885f8..2d7cd0c080d3 100644 ---- a/drivers/pci/probe.c -+++ b/drivers/pci/probe.c -@@ -173,9 +173,6 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, - struct pci_bus_region region; - bool bar_too_big = false, bar_disabled = false; - -- if (dev->non_compliant_bars) -- return 0; -- - mask = type ? PCI_ROM_ADDRESS_MASK : ~0; - - /* No printks while decoding is disabled! */ -@@ -295,6 +292,9 @@ static void pci_read_bases(struct pci_dev *dev, unsigned int howmany, int rom) - { - unsigned int pos, reg; - -+ if (dev->non_compliant_bars) -+ return; -+ - for (pos = 0; pos < howmany; pos++) { - struct resource *res = &dev->resource[pos]; - reg = PCI_BASE_ADDRESS_0 + (pos << 2); -diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c -index d111c8687f9b..46497c6cbcc1 100644 ---- a/drivers/platform/x86/hp-wmi.c -+++ b/drivers/platform/x86/hp-wmi.c -@@ -640,6 +640,11 @@ static int hp_wmi_rfkill_setup(struct platform_device *device) - if (err) - return err; - -+ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless, -+ sizeof(wireless), 0); -+ if (err) -+ return err; -+ - if (wireless & 0x1) { - wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev, - RFKILL_TYPE_WLAN, -diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c -index ec8ccdae7aba..0090de46aa5e 100644 ---- a/drivers/s390/net/qeth_l2_main.c -+++ b/drivers/s390/net/qeth_l2_main.c -@@ -898,6 +898,7 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev) - qeth_l2_set_offline(cgdev); - - if (card->dev) { -+ netif_napi_del(&card->napi); - unregister_netdev(card->dev); - card->dev = NULL; - } -diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c -index c1b0b2761f8d..7366bef742de 100644 ---- a/drivers/s390/net/qeth_l3_main.c -+++ b/drivers/s390/net/qeth_l3_main.c -@@ -3333,6 +3333,7 @@ static void qeth_l3_remove_device(struct ccwgroup_device *cgdev) - qeth_l3_set_offline(cgdev); - - if (card->dev) { -+ netif_napi_del(&card->napi); - unregister_netdev(card->dev); - card->dev = NULL; - } -diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c -index 6a0d362e2596..284efac5f202 100644 ---- a/drivers/scsi/aacraid/commsup.c -+++ b/drivers/scsi/aacraid/commsup.c -@@ -590,10 +590,10 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size, - } - return -EFAULT; - } -- /* We used to udelay() here but that absorbed -- * a CPU when a timeout occured. Not very -- * useful. */ -- cpu_relax(); -+ /* -+ * Allow other processes / CPUS to use core -+ */ -+ schedule(); - } - } else if (down_interruptible(&fibptr->event_wait)) { - /* Do nothing ... satisfy -@@ -1920,6 +1920,10 @@ int aac_command_thread(void *data) - if (difference <= 0) - difference = 1; - set_current_state(TASK_INTERRUPTIBLE); -+ -+ if (kthread_should_stop()) -+ break; -+ - schedule_timeout(difference); - - if (kthread_should_stop()) -diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c -index a683a831527b..02278130826b 100644 ---- a/drivers/scsi/be2iscsi/be_main.c -+++ b/drivers/scsi/be2iscsi/be_main.c -@@ -2978,7 +2978,7 @@ be_sgl_create_contiguous(void *virtual_address, - { - WARN_ON(!virtual_address); - WARN_ON(!physical_address); -- WARN_ON(!length > 0); -+ WARN_ON(!length); - WARN_ON(!sgl); - - sgl->va = virtual_address; -diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c -index 25ac2c00f8b3..2891faa8e384 100644 ---- a/drivers/scsi/ipr.c -+++ b/drivers/scsi/ipr.c -@@ -9607,6 +9607,7 @@ static int ipr_probe_ioa(struct pci_dev *pdev, - ioa_cfg->intr_flag = IPR_USE_MSI; - else { - ioa_cfg->intr_flag = IPR_USE_LSI; -+ ioa_cfg->clear_isr = 1; - ioa_cfg->nvectors = 1; - dev_info(&pdev->dev, "Cannot enable MSI.\n"); - } -diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c -index 9acbc885239b..5ba69ea8eb92 100644 ---- a/drivers/scsi/scsi_error.c -+++ b/drivers/scsi/scsi_error.c -@@ -898,7 +898,6 @@ static int scsi_request_sense(struct scsi_cmnd *scmd) - */ - void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q) - { -- scmd->device->host->host_failed--; - scmd->eh_eflags = 0; - list_move_tail(&scmd->eh_entry, done_q); - } -@@ -1892,6 +1891,9 @@ int scsi_error_handler(void *data) - else - scsi_unjam_host(shost); - -+ /* All scmds have been handled */ -+ shost->host_failed = 0; -+ - /* - * Note - if the above fails completely, the action is to take - * individual devices offline and flush the queue of any -diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 9f3168e8e5a8..60031e15d562 100644 ---- a/drivers/scsi/scsi_lib.c -+++ b/drivers/scsi/scsi_lib.c -@@ -546,66 +546,6 @@ void scsi_run_host_queues(struct Scsi_Host *shost) - - static void __scsi_release_buffers(struct scsi_cmnd *, int); - --/* -- * Function: scsi_end_request() -- * -- * Purpose: Post-processing of completed commands (usually invoked at end -- * of upper level post-processing and scsi_io_completion). -- * -- * Arguments: cmd - command that is complete. -- * error - 0 if I/O indicates success, < 0 for I/O error. -- * bytes - number of bytes of completed I/O -- * requeue - indicates whether we should requeue leftovers. -- * -- * Lock status: Assumed that lock is not held upon entry. -- * -- * Returns: cmd if requeue required, NULL otherwise. -- * -- * Notes: This is called for block device requests in order to -- * mark some number of sectors as complete. -- * -- * We are guaranteeing that the request queue will be goosed -- * at some point during this call. -- * Notes: If cmd was requeued, upon return it will be a stale pointer. -- */ --static struct scsi_cmnd *scsi_end_request(struct scsi_cmnd *cmd, int error, -- int bytes, int requeue) --{ -- struct request_queue *q = cmd->device->request_queue; -- struct request *req = cmd->request; -- -- /* -- * If there are blocks left over at the end, set up the command -- * to queue the remainder of them. -- */ -- if (blk_end_request(req, error, bytes)) { -- /* kill remainder if no retrys */ -- if (error && scsi_noretry_cmd(cmd)) -- blk_end_request_all(req, error); -- else { -- if (requeue) { -- /* -- * Bleah. Leftovers again. Stick the -- * leftovers in the front of the -- * queue, and goose the queue again. -- */ -- scsi_release_buffers(cmd); -- scsi_requeue_command(q, cmd); -- cmd = NULL; -- } -- return cmd; -- } -- } -- -- /* -- * This will goose the queue request function at the end, so we don't -- * need to worry about launching another command. -- */ -- __scsi_release_buffers(cmd, 0); -- scsi_next_command(cmd); -- return NULL; --} -- - static inline unsigned int scsi_sgtable_index(unsigned short nents) - { - unsigned int index; -@@ -735,16 +675,9 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result) - * - * Returns: Nothing - * -- * Notes: This function is matched in terms of capabilities to -- * the function that created the scatter-gather list. -- * In other words, if there are no bounce buffers -- * (the normal case for most drivers), we don't need -- * the logic to deal with cleaning up afterwards. -- * -- * We must call scsi_end_request(). This will finish off -- * the specified number of sectors. If we are done, the -- * command block will be released and the queue function -- * will be goosed. If we are not done then we have to -+ * Notes: We will finish off the specified number of sectors. If we -+ * are done, the command block will be released and the queue -+ * function will be goosed. If we are not done then we have to - * figure out what to do next: - * - * a) We can call scsi_requeue_command(). The request -@@ -753,7 +686,7 @@ static int __scsi_error_from_host_byte(struct scsi_cmnd *cmd, int result) - * be used if we made forward progress, or if we want - * to switch from READ(10) to READ(6) for example. - * -- * b) We can call scsi_queue_insert(). The request will -+ * b) We can call __scsi_queue_insert(). The request will - * be put back on the queue and retried using the same - * command as before, possibly after a delay. - * -@@ -857,12 +790,28 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) - } - - /* -- * A number of bytes were successfully read. If there -- * are leftovers and there is some kind of error -- * (result != 0), retry the rest. -+ * special case: failed zero length commands always need to -+ * drop down into the retry code. Otherwise, if we finished -+ * all bytes in the request we are done now. - */ -- if (scsi_end_request(cmd, error, good_bytes, result == 0) == NULL) -- return; -+ if (!(blk_rq_bytes(req) == 0 && error) && -+ !blk_end_request(req, error, good_bytes)) -+ goto next_command; -+ -+ /* -+ * Kill remainder if no retrys. -+ */ -+ if (error && scsi_noretry_cmd(cmd)) { -+ blk_end_request_all(req, error); -+ goto next_command; -+ } -+ -+ /* -+ * If there had been no error, but we have leftover bytes in the -+ * requeues just queue the command up again. -+ */ -+ if (result == 0) -+ goto requeue; - - error = __scsi_error_from_host_byte(cmd, result); - -@@ -984,7 +933,6 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) - switch (action) { - case ACTION_FAIL: - /* Give up and fail the remainder of the request */ -- scsi_release_buffers(cmd); - if (!(req->cmd_flags & REQ_QUIET)) { - if (description) - scmd_printk(KERN_INFO, cmd, "%s\n", -@@ -994,12 +942,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) - scsi_print_sense("", cmd); - scsi_print_command(cmd); - } -- if (blk_end_request_err(req, error)) -- scsi_requeue_command(q, cmd); -- else -- scsi_next_command(cmd); -- break; -+ if (!blk_end_request_err(req, error)) -+ goto next_command; -+ /*FALLTHRU*/ - case ACTION_REPREP: -+ requeue: - /* Unprep the request and put it back at the head of the queue. - * A new command will be prepared and issued. - */ -@@ -1015,6 +962,11 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) - __scsi_queue_insert(cmd, SCSI_MLQUEUE_DEVICE_BUSY, 0); - break; - } -+ return; -+ -+next_command: -+ __scsi_release_buffers(cmd, 0); -+ scsi_next_command(cmd); - } - - static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb, -diff --git a/drivers/spi/spi-xilinx.c b/drivers/spi/spi-xilinx.c -index 34d18dcfa0db..109a535b639c 100644 ---- a/drivers/spi/spi-xilinx.c -+++ b/drivers/spi/spi-xilinx.c -@@ -315,7 +315,7 @@ static int xilinx_spi_txrx_bufs(struct spi_device *spi, struct spi_transfer *t) - } - - /* See if there is more data to send */ -- if (!xspi->remaining_bytes > 0) -+ if (xspi->remaining_bytes <= 0) - break; - } - -diff --git a/drivers/staging/iio/accel/sca3000_core.c b/drivers/staging/iio/accel/sca3000_core.c -index 32950ad94857..b30c41b3e0cc 100644 ---- a/drivers/staging/iio/accel/sca3000_core.c -+++ b/drivers/staging/iio/accel/sca3000_core.c -@@ -588,7 +588,7 @@ static ssize_t sca3000_read_frequency(struct device *dev, - goto error_ret_mut; - ret = sca3000_read_ctrl_reg(st, SCA3000_REG_CTRL_SEL_OUT_CTRL); - mutex_unlock(&st->lock); -- if (ret) -+ if (ret < 0) - goto error_ret; - val = ret; - if (base_freq > 0) -diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c -index a9af1b9ae160..1f6e09649e5a 100644 ---- a/drivers/tty/vt/keyboard.c -+++ b/drivers/tty/vt/keyboard.c -@@ -371,34 +371,22 @@ static void to_utf8(struct vc_data *vc, uint c) - - static void do_compute_shiftstate(void) - { -- unsigned int i, j, k, sym, val; -+ unsigned int k, sym, val; - - shift_state = 0; - memset(shift_down, 0, sizeof(shift_down)); - -- for (i = 0; i < ARRAY_SIZE(key_down); i++) { -- -- if (!key_down[i]) -+ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) { -+ sym = U(key_maps[0][k]); -+ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) - continue; - -- k = i * BITS_PER_LONG; -- -- for (j = 0; j < BITS_PER_LONG; j++, k++) { -- -- if (!test_bit(k, key_down)) -- continue; -+ val = KVAL(sym); -+ if (val == KVAL(K_CAPSSHIFT)) -+ val = KVAL(K_SHIFT); - -- sym = U(key_maps[0][k]); -- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) -- continue; -- -- val = KVAL(sym); -- if (val == KVAL(K_CAPSSHIFT)) -- val = KVAL(K_SHIFT); -- -- shift_down[val]++; -- shift_state |= (1 << val); -- } -+ shift_down[val]++; -+ shift_state |= BIT(val); - } - } - -diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c -index 62e532fb82ad..cfce807531f6 100644 ---- a/drivers/usb/core/devio.c -+++ b/drivers/usb/core/devio.c -@@ -1106,10 +1106,11 @@ static int proc_getdriver(struct dev_state *ps, void __user *arg) - - static int proc_connectinfo(struct dev_state *ps, void __user *arg) - { -- struct usbdevfs_connectinfo ci = { -- .devnum = ps->dev->devnum, -- .slow = ps->dev->speed == USB_SPEED_LOW -- }; -+ struct usbdevfs_connectinfo ci; -+ -+ memset(&ci, 0, sizeof(ci)); -+ ci.devnum = ps->dev->devnum; -+ ci.slow = ps->dev->speed == USB_SPEED_LOW; - - if (copy_to_user(arg, &ci, sizeof(ci))) - return -EFAULT; -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 8eb2de6beee4..4e5156d212dd 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -113,6 +113,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem); - #define HUB_DEBOUNCE_STEP 25 - #define HUB_DEBOUNCE_STABLE 100 - -+static void hub_release(struct kref *kref); - static int usb_reset_and_verify_device(struct usb_device *udev); - - static inline char *portspeed(struct usb_hub *hub, int portstatus) -@@ -1024,10 +1025,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) - unsigned delay; - - /* Continue a partial initialization */ -- if (type == HUB_INIT2) -- goto init2; -- if (type == HUB_INIT3) -+ if (type == HUB_INIT2 || type == HUB_INIT3) { -+ device_lock(hub->intfdev); -+ -+ /* Was the hub disconnected while we were waiting? */ -+ if (hub->disconnected) { -+ device_unlock(hub->intfdev); -+ kref_put(&hub->kref, hub_release); -+ return; -+ } -+ if (type == HUB_INIT2) -+ goto init2; - goto init3; -+ } -+ kref_get(&hub->kref); - - /* The superspeed hub except for root hub has to use Hub Depth - * value as an offset into the route string to locate the bits -@@ -1224,6 +1235,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) - PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3); - schedule_delayed_work(&hub->init_work, - msecs_to_jiffies(delay)); -+ device_unlock(hub->intfdev); - return; /* Continues at init3: below */ - } else { - msleep(delay); -@@ -1244,6 +1256,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) - /* Allow autosuspend if it was suppressed */ - if (type <= HUB_INIT3) - usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); -+ -+ if (type == HUB_INIT2 || type == HUB_INIT3) -+ device_unlock(hub->intfdev); -+ -+ kref_put(&hub->kref, hub_release); - } - - /* Implement the continuations for the delays above */ -diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c -index 94e9cddc05c1..aa27ec1f4813 100644 ---- a/drivers/usb/core/quirks.c -+++ b/drivers/usb/core/quirks.c -@@ -170,14 +170,6 @@ static const struct usb_device_id usb_quirk_list[] = { - /* INTEL VALUE SSD */ - { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, - -- { } /* terminating entry must be last */ --}; -- --static const struct usb_device_id usb_interface_quirk_list[] = { -- /* Logitech UVC Cameras */ -- { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0), -- .driver_info = USB_QUIRK_RESET_RESUME }, -- - /* ASUS Base Station(T100) */ - { USB_DEVICE(0x0b05, 0x17e0), .driver_info = - USB_QUIRK_IGNORE_REMOTE_WAKEUP }, -@@ -191,6 +183,14 @@ static const struct usb_device_id usb_interface_quirk_list[] = { - { } /* terminating entry must be last */ - }; - -+static const struct usb_device_id usb_interface_quirk_list[] = { -+ /* Logitech UVC Cameras */ -+ { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0), -+ .driver_info = USB_QUIRK_RESET_RESUME }, -+ -+ { } /* terminating entry must be last */ -+}; -+ - static bool usb_match_any_interface(struct usb_device *udev, - const struct usb_device_id *id) - { -diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c -index 9d3044bdebe5..c6cc5201665a 100644 ---- a/drivers/usb/musb/musb_host.c -+++ b/drivers/usb/musb/musb_host.c -@@ -581,14 +581,13 @@ musb_rx_reinit(struct musb *musb, struct musb_qh *qh, struct musb_hw_ep *ep) - musb_writew(ep->regs, MUSB_TXCSR, 0); - - /* scrub all previous state, clearing toggle */ -- } else { -- csr = musb_readw(ep->regs, MUSB_RXCSR); -- if (csr & MUSB_RXCSR_RXPKTRDY) -- WARNING("rx%d, packet/%d ready?\n", ep->epnum, -- musb_readw(ep->regs, MUSB_RXCOUNT)); -- -- musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); - } -+ csr = musb_readw(ep->regs, MUSB_RXCSR); -+ if (csr & MUSB_RXCSR_RXPKTRDY) -+ WARNING("rx%d, packet/%d ready?\n", ep->epnum, -+ musb_readw(ep->regs, MUSB_RXCOUNT)); -+ -+ musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); - - /* target addr and (for multipoint) hub addr/port */ - if (musb->is_multipoint) { -@@ -948,9 +947,15 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep, - if (is_in) { - dma = is_dma_capable() ? ep->rx_channel : NULL; - -- /* clear nak timeout bit */ -+ /* -+ * Need to stop the transaction by clearing REQPKT first -+ * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED -+ * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2 -+ */ - rx_csr = musb_readw(epio, MUSB_RXCSR); - rx_csr |= MUSB_RXCSR_H_WZC_BITS; -+ rx_csr &= ~MUSB_RXCSR_H_REQPKT; -+ musb_writew(epio, MUSB_RXCSR, rx_csr); - rx_csr &= ~MUSB_RXCSR_DATAERROR; - musb_writew(epio, MUSB_RXCSR, rx_csr); - -diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c -index ed4949faa70d..64223a923932 100644 ---- a/drivers/usb/renesas_usbhs/mod_gadget.c -+++ b/drivers/usb/renesas_usbhs/mod_gadget.c -@@ -558,6 +558,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep, - struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv); - struct usbhs_pipe *pipe; - int ret = -EIO; -+ unsigned long flags; -+ -+ usbhs_lock(priv, flags); - - /* - * if it already have pipe, -@@ -566,7 +569,8 @@ static int usbhsg_ep_enable(struct usb_ep *ep, - if (uep->pipe) { - usbhs_pipe_clear(uep->pipe); - usbhs_pipe_sequence_data0(uep->pipe); -- return 0; -+ ret = 0; -+ goto usbhsg_ep_enable_end; - } - - pipe = usbhs_pipe_malloc(priv, -@@ -594,6 +598,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep, - ret = 0; - } - -+usbhsg_ep_enable_end: -+ usbhs_unlock(priv, flags); -+ - return ret; - } - -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index bcb6f5c2bae4..006a2a721edf 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -274,6 +274,7 @@ static void option_instat_callback(struct urb *urb); - #define TELIT_PRODUCT_LE922_USBCFG5 0x1045 - #define TELIT_PRODUCT_LE920 0x1200 - #define TELIT_PRODUCT_LE910 0x1201 -+#define TELIT_PRODUCT_LE910_USBCFG4 0x1206 - - /* ZTE PRODUCTS */ - #define ZTE_VENDOR_ID 0x19d2 -@@ -1206,6 +1207,8 @@ static const struct usb_device_id option_ids[] = { - .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), - .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, -+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), - .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ -diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c -index 7d7add5ceba4..148e8ea1bc96 100644 ---- a/drivers/virtio/virtio_balloon.c -+++ b/drivers/virtio/virtio_balloon.c -@@ -177,6 +177,8 @@ static void leak_balloon(struct virtio_balloon *vb, size_t num) - num = min(num, ARRAY_SIZE(vb->pfns)); - - mutex_lock(&vb->balloon_lock); -+ /* We can't release more pages than taken */ -+ num = min(num, (size_t)vb->num_pages); - for (vb->num_pfns = 0; vb->num_pfns < num; - vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) { - page = balloon_page_dequeue(vb_dev_info); -diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c -index 8abd7d579037..2e4517277e80 100644 ---- a/drivers/xen/xen-acpi-processor.c -+++ b/drivers/xen/xen-acpi-processor.c -@@ -426,36 +426,7 @@ upload: - - return 0; - } --static int __init check_prereq(void) --{ -- struct cpuinfo_x86 *c = &cpu_data(0); -- -- if (!xen_initial_domain()) -- return -ENODEV; -- -- if (!acpi_gbl_FADT.smi_command) -- return -ENODEV; -- -- if (c->x86_vendor == X86_VENDOR_INTEL) { -- if (!cpu_has(c, X86_FEATURE_EST)) -- return -ENODEV; - -- return 0; -- } -- if (c->x86_vendor == X86_VENDOR_AMD) { -- /* Copied from powernow-k8.h, can't include ../cpufreq/powernow -- * as we get compile warnings for the static functions. -- */ --#define CPUID_FREQ_VOLT_CAPABILITIES 0x80000007 --#define USE_HW_PSTATE 0x00000080 -- u32 eax, ebx, ecx, edx; -- cpuid(CPUID_FREQ_VOLT_CAPABILITIES, &eax, &ebx, &ecx, &edx); -- if ((edx & USE_HW_PSTATE) != USE_HW_PSTATE) -- return -ENODEV; -- return 0; -- } -- return -ENODEV; --} - /* acpi_perf_data is a pointer to percpu data. */ - static struct acpi_processor_performance __percpu *acpi_perf_data; - -@@ -511,10 +482,10 @@ static struct syscore_ops xap_syscore_ops = { - static int __init xen_acpi_processor_init(void) - { - unsigned int i; -- int rc = check_prereq(); -+ int rc; - -- if (rc) -- return rc; -+ if (!xen_initial_domain()) -+ return -ENODEV; - - nr_acpi_bits = get_max_acpi_id() + 1; - acpi_ids_done = kcalloc(BITS_TO_LONGS(nr_acpi_bits), sizeof(unsigned long), GFP_KERNEL); -diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c -index 75fe3d466515..ba3fac8318bb 100644 ---- a/drivers/xen/xen-pciback/conf_space.c -+++ b/drivers/xen/xen-pciback/conf_space.c -@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev *dev, int offset, int size, - field_start = OFFSET(cfg_entry); - field_end = OFFSET(cfg_entry) + field->size; - -- if ((req_start >= field_start && req_start < field_end) -- || (req_end > field_start && req_end <= field_end)) { -+ if (req_end > field_start && field_end > req_start) { - err = conf_space_read(dev, cfg_entry, field_start, - &tmp_val); - if (err) -@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_dev *dev, int offset, int size, u32 value) - field_start = OFFSET(cfg_entry); - field_end = OFFSET(cfg_entry) + field->size; - -- if ((req_start >= field_start && req_start < field_end) -- || (req_end > field_start && req_end <= field_end)) { -+ if (req_end > field_start && field_end > req_start) { - tmp_val = 0; - - err = xen_pcibk_config_read(dev, field_start, -diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c -index d05a30072023..7c33afd7d5d3 100644 ---- a/fs/cifs/connect.c -+++ b/fs/cifs/connect.c -@@ -408,7 +408,9 @@ cifs_echo_request(struct work_struct *work) - * server->ops->need_neg() == true. Also, no need to ping if - * we got a response recently. - */ -- if (!server->ops->need_neg || server->ops->need_neg(server) || -+ -+ if (server->tcpStatus == CifsNeedReconnect || -+ server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew || - (server->ops->can_echo && !server->ops->can_echo(server)) || - time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ)) - goto requeue_echo; -diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c -index 0c2425b21974..a998c929286f 100644 ---- a/fs/cifs/dir.c -+++ b/fs/cifs/dir.c -@@ -227,6 +227,13 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid, - goto cifs_create_get_file_info; - } - -+ if (S_ISDIR(newinode->i_mode)) { -+ CIFSSMBClose(xid, tcon, fid->netfid); -+ iput(newinode); -+ rc = -EISDIR; -+ goto out; -+ } -+ - if (!S_ISREG(newinode->i_mode)) { - /* - * The server may allow us to open things like -@@ -391,10 +398,14 @@ cifs_create_set_dentry: - if (rc != 0) { - cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n", - rc); -- if (server->ops->close) -- server->ops->close(xid, tcon, fid); -- goto out; -+ goto out_err; - } -+ -+ if (S_ISDIR(newinode->i_mode)) { -+ rc = -EISDIR; -+ goto out_err; -+ } -+ - d_drop(direntry); - d_add(direntry, newinode); - -@@ -402,6 +413,13 @@ out: - kfree(buf); - kfree(full_path); - return rc; -+ -+out_err: -+ if (server->ops->close) -+ server->ops->close(xid, tcon, fid); -+ if (newinode) -+ iput(newinode); -+ goto out; - } - - int -diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c -index eb0de4c3ca76..9dd8c968d94e 100644 ---- a/fs/cifs/smb2pdu.c -+++ b/fs/cifs/smb2pdu.c -@@ -1250,6 +1250,33 @@ SMB2_echo(struct TCP_Server_Info *server) - - cifs_dbg(FYI, "In echo request\n"); - -+ if (server->tcpStatus == CifsNeedNegotiate) { -+ struct list_head *tmp, *tmp2; -+ struct cifs_ses *ses; -+ struct cifs_tcon *tcon; -+ -+ cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n"); -+ spin_lock(&cifs_tcp_ses_lock); -+ list_for_each(tmp, &server->smb_ses_list) { -+ ses = list_entry(tmp, struct cifs_ses, smb_ses_list); -+ list_for_each(tmp2, &ses->tcon_list) { -+ tcon = list_entry(tmp2, struct cifs_tcon, -+ tcon_list); -+ /* add check for persistent handle reconnect */ -+ if (tcon && tcon->need_reconnect) { -+ spin_unlock(&cifs_tcp_ses_lock); -+ rc = smb2_reconnect(SMB2_ECHO, tcon); -+ spin_lock(&cifs_tcp_ses_lock); -+ } -+ } -+ } -+ spin_unlock(&cifs_tcp_ses_lock); -+ } -+ -+ /* if no session, renegotiate failed above */ -+ if (server->tcpStatus == CifsNeedNegotiate) -+ return -EIO; -+ - rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req); - if (rc) - return rc; -diff --git a/fs/dcache.c b/fs/dcache.c -index 17222fa5bdc6..2d0b9d2f3c43 100644 ---- a/fs/dcache.c -+++ b/fs/dcache.c -@@ -1311,7 +1311,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name) - struct dentry *dentry = __d_alloc(parent->d_sb, name); - if (!dentry) - return NULL; -- -+ dentry->d_flags |= DCACHE_RCUACCESS; - spin_lock(&parent->d_lock); - /* - * don't need child lock because it is not subject -@@ -2101,7 +2101,6 @@ static void __d_rehash(struct dentry * entry, struct hlist_bl_head *b) - { - BUG_ON(!d_unhashed(entry)); - hlist_bl_lock(b); -- entry->d_flags |= DCACHE_RCUACCESS; - hlist_bl_add_head_rcu(&entry->d_hash, b); - hlist_bl_unlock(b); - } -@@ -2285,6 +2284,7 @@ static void __d_move(struct dentry * dentry, struct dentry * target) - - /* ... and switch the parents */ - if (IS_ROOT(dentry)) { -+ dentry->d_flags |= DCACHE_RCUACCESS; - dentry->d_parent = target->d_parent; - target->d_parent = target; - INIT_LIST_HEAD(&target->d_child); -@@ -2401,6 +2401,7 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon) - switch_names(dentry, anon); - swap(dentry->d_name.hash, anon->d_name.hash); - -+ dentry->d_flags |= DCACHE_RCUACCESS; - dentry->d_parent = dentry; - list_del_init(&dentry->d_child); - anon->d_parent = dparent; -diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c -index 9ff3664bb3ea..d4644cc938ba 100644 ---- a/fs/ecryptfs/file.c -+++ b/fs/ecryptfs/file.c -@@ -183,6 +183,19 @@ out: - return rc; - } - -+static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma) -+{ -+ struct file *lower_file = ecryptfs_file_to_lower(file); -+ /* -+ * Don't allow mmap on top of file systems that don't support it -+ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs -+ * allows recursive mounting, this will need to be extended. -+ */ -+ if (!lower_file->f_op->mmap) -+ return -ENODEV; -+ return generic_file_mmap(file, vma); -+} -+ - /** - * ecryptfs_open - * @inode: inode speciying file to open -@@ -358,7 +371,7 @@ const struct file_operations ecryptfs_main_fops = { - #ifdef CONFIG_COMPAT - .compat_ioctl = ecryptfs_compat_ioctl, - #endif -- .mmap = generic_file_mmap, -+ .mmap = ecryptfs_mmap, - .open = ecryptfs_open, - .flush = ecryptfs_flush, - .release = ecryptfs_release, -diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c -index df633bb25909..7eea76168d33 100644 ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -361,9 +361,13 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext) - ext4_fsblk_t block = ext4_ext_pblock(ext); - int len = ext4_ext_get_actual_len(ext); - ext4_lblk_t lblock = le32_to_cpu(ext->ee_block); -- ext4_lblk_t last = lblock + len - 1; - -- if (len == 0 || lblock > last) -+ /* -+ * We allow neither: -+ * - zero length -+ * - overflow/wrap-around -+ */ -+ if (lblock + len <= lblock) - return 0; - return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len); - } -@@ -454,6 +458,10 @@ static int __ext4_ext_check(const char *function, unsigned int line, - error_msg = "invalid extent entries"; - goto corrupted; - } -+ if (unlikely(depth > 32)) { -+ error_msg = "too large eh_depth"; -+ goto corrupted; -+ } - /* Verify checksum on non-root extent tree nodes */ - if (ext_depth(inode) != depth && - !ext4_extent_block_csum_verify(inode, eh)) { -diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c -index 4d4718cf25ab..00cbc648e1dc 100644 ---- a/fs/ext4/ialloc.c -+++ b/fs/ext4/ialloc.c -@@ -1027,11 +1027,13 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino) - goto iget_failed; - - /* -- * If the orphans has i_nlinks > 0 then it should be able to be -- * truncated, otherwise it won't be removed from the orphan list -- * during processing and an infinite loop will result. -+ * If the orphans has i_nlinks > 0 then it should be able to -+ * be truncated, otherwise it won't be removed from the orphan -+ * list during processing and an infinite loop will result. -+ * Similarly, it must not be a bad inode. - */ -- if (inode->i_nlink && !ext4_can_truncate(inode)) -+ if ((inode->i_nlink && !ext4_can_truncate(inode)) || -+ is_bad_inode(inode)) - goto bad_orphan; - - if (NEXT_ORPHAN(inode) > max_ino) -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index fb7e576df25c..221b58298847 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -206,9 +206,9 @@ void ext4_evict_inode(struct inode *inode) - * Note that directories do not have this problem because they - * don't use page cache. - */ -- if (ext4_should_journal_data(inode) && -- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) && -- inode->i_ino != EXT4_JOURNAL_INO) { -+ if (inode->i_ino != EXT4_JOURNAL_INO && -+ ext4_should_journal_data(inode) && -+ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) { - journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; - tid_t commit_tid = EXT4_I(inode)->i_datasync_tid; - -diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 61ee01603940..08b4495c1b12 100644 ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -1232,6 +1232,7 @@ static void ext4_mb_unload_buddy(struct ext4_buddy *e4b) - static int mb_find_order_for_block(struct ext4_buddy *e4b, int block) - { - int order = 1; -+ int bb_incr = 1 << (e4b->bd_blkbits - 1); - void *bb; - - BUG_ON(e4b->bd_bitmap == e4b->bd_buddy); -@@ -1244,7 +1245,8 @@ static int mb_find_order_for_block(struct ext4_buddy *e4b, int block) - /* this block is part of buddy of order 'order' */ - return order; - } -- bb += 1 << (e4b->bd_blkbits - order); -+ bb += bb_incr; -+ bb_incr >>= 1; - order++; - } - return 0; -@@ -2514,7 +2516,7 @@ int ext4_mb_init(struct super_block *sb) - { - struct ext4_sb_info *sbi = EXT4_SB(sb); - unsigned i, j; -- unsigned offset; -+ unsigned offset, offset_incr; - unsigned max; - int ret; - -@@ -2543,11 +2545,13 @@ int ext4_mb_init(struct super_block *sb) - - i = 1; - offset = 0; -+ offset_incr = 1 << (sb->s_blocksize_bits - 1); - max = sb->s_blocksize << 2; - do { - sbi->s_mb_offsets[i] = offset; - sbi->s_mb_maxs[i] = max; -- offset += 1 << (sb->s_blocksize_bits - i); -+ offset += offset_incr; -+ offset_incr = offset_incr >> 1; - max = max >> 1; - i++; - } while (i <= sb->s_blocksize_bits + 1); -@@ -2872,7 +2876,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, - ext4_error(sb, "Allocating blocks %llu-%llu which overlap " - "fs metadata", block, block+len); - /* File system mounted not to panic on error -- * Fix the bitmap and repeat the block allocation -+ * Fix the bitmap and return EUCLEAN - * We leak some of the blocks here. - */ - ext4_lock_group(sb, ac->ac_b_ex.fe_group); -@@ -2881,7 +2885,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, - ext4_unlock_group(sb, ac->ac_b_ex.fe_group); - err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh); - if (!err) -- err = -EAGAIN; -+ err = -EUCLEAN; - goto out_err; - } - -@@ -4448,18 +4452,7 @@ repeat: - } - if (likely(ac->ac_status == AC_STATUS_FOUND)) { - *errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs); -- if (*errp == -EAGAIN) { -- /* -- * drop the reference that we took -- * in ext4_mb_use_best_found -- */ -- ext4_mb_release_context(ac); -- ac->ac_b_ex.fe_group = 0; -- ac->ac_b_ex.fe_start = 0; -- ac->ac_b_ex.fe_len = 0; -- ac->ac_status = AC_STATUS_CONTINUE; -- goto repeat; -- } else if (*errp) { -+ if (*errp) { - ext4_discard_allocated_blocks(ac); - goto errout; - } else { -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 063eb5094a63..15a81897df4e 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -2153,6 +2153,16 @@ static void ext4_orphan_cleanup(struct super_block *sb, - while (es->s_last_orphan) { - struct inode *inode; - -+ /* -+ * We may have encountered an error during cleanup; if -+ * so, skip the rest. -+ */ -+ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) { -+ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n"); -+ es->s_last_orphan = 0; -+ break; -+ } -+ - inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan)); - if (IS_ERR(inode)) { - es->s_last_orphan = 0; -diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c -index 4d371f3b9a45..efe802e5bb3d 100644 ---- a/fs/fuse/inode.c -+++ b/fs/fuse/inode.c -@@ -913,7 +913,7 @@ static void fuse_send_init(struct fuse_conn *fc, struct fuse_req *req) - arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC | - FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK | - FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ | -- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA | -+ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA | - FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO; - req->in.h.opcode = FUSE_INIT; - req->in.numargs = 1; -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index d8ac734a1e44..c2b89a1a403b 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -2332,12 +2332,11 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data) - call_close |= is_wronly; - else if (is_wronly) - calldata->arg.fmode |= FMODE_WRITE; -+ if (calldata->arg.fmode != (FMODE_READ|FMODE_WRITE)) -+ call_close |= is_rdwr; - } else if (is_rdwr) - calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; - -- if (calldata->arg.fmode == 0) -- call_close |= is_rdwr; -- - if (!nfs4_valid_open_stateid(state)) - call_close = 0; - spin_unlock(&state->owner->so_lock); -diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c -index 41e6a04a561f..0f9a5b4ad53b 100644 ---- a/fs/nilfs2/the_nilfs.c -+++ b/fs/nilfs2/the_nilfs.c -@@ -431,7 +431,7 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp) - if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC) - return 0; - bytes = le16_to_cpu(sbp->s_bytes); -- if (bytes > BLOCK_SIZE) -+ if (bytes < sumoff + 4 || bytes > BLOCK_SIZE) - return 0; - crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp, - sumoff); -diff --git a/fs/pipe.c b/fs/pipe.c -index 50267e6ba688..c281867c453e 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -39,6 +39,12 @@ unsigned int pipe_max_size = 1048576; - */ - unsigned int pipe_min_size = PAGE_SIZE; - -+/* Maximum allocatable pages per user. Hard limit is unset by default, soft -+ * matches default values. -+ */ -+unsigned long pipe_user_pages_hard; -+unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; -+ - /* - * We use a start+len construction, which provides full use of the - * allocated memory. -@@ -794,20 +800,49 @@ pipe_fasync(int fd, struct file *filp, int on) - return retval; - } - -+static void account_pipe_buffers(struct pipe_inode_info *pipe, -+ unsigned long old, unsigned long new) -+{ -+ atomic_long_add(new - old, &pipe->user->pipe_bufs); -+} -+ -+static bool too_many_pipe_buffers_soft(struct user_struct *user) -+{ -+ return pipe_user_pages_soft && -+ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; -+} -+ -+static bool too_many_pipe_buffers_hard(struct user_struct *user) -+{ -+ return pipe_user_pages_hard && -+ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; -+} -+ - struct pipe_inode_info *alloc_pipe_info(void) - { - struct pipe_inode_info *pipe; - - pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); - if (pipe) { -- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); -+ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; -+ struct user_struct *user = get_current_user(); -+ -+ if (!too_many_pipe_buffers_hard(user)) { -+ if (too_many_pipe_buffers_soft(user)) -+ pipe_bufs = 1; -+ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); -+ } -+ - if (pipe->bufs) { - init_waitqueue_head(&pipe->wait); - pipe->r_counter = pipe->w_counter = 1; -- pipe->buffers = PIPE_DEF_BUFFERS; -+ pipe->buffers = pipe_bufs; -+ pipe->user = user; -+ account_pipe_buffers(pipe, 0, pipe_bufs); - mutex_init(&pipe->mutex); - return pipe; - } -+ free_uid(user); - kfree(pipe); - } - -@@ -818,6 +853,8 @@ void free_pipe_info(struct pipe_inode_info *pipe) - { - int i; - -+ account_pipe_buffers(pipe, pipe->buffers, 0); -+ free_uid(pipe->user); - for (i = 0; i < pipe->buffers; i++) { - struct pipe_buffer *buf = pipe->bufs + i; - if (buf->ops) -@@ -1208,6 +1245,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) - memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); - } - -+ account_pipe_buffers(pipe, pipe->buffers, nr_pages); - pipe->curbuf = 0; - kfree(pipe->bufs); - pipe->bufs = bufs; -@@ -1279,6 +1317,11 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) - if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { - ret = -EPERM; - goto out; -+ } else if ((too_many_pipe_buffers_hard(pipe->user) || -+ too_many_pipe_buffers_soft(pipe->user)) && -+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { -+ ret = -EPERM; -+ goto out; - } - ret = pipe_set_size(pipe, nr_pages); - break; -diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c -index 881324c08430..a335e4e6aba1 100644 ---- a/fs/ubifs/file.c -+++ b/fs/ubifs/file.c -@@ -54,6 +54,7 @@ - #include - #include - #include -+#include - - static int read_block(struct inode *inode, void *addr, unsigned int block, - struct ubifs_data_node *dn) -@@ -1422,6 +1423,26 @@ static int ubifs_set_page_dirty(struct page *page) - return ret; - } - -+#ifdef CONFIG_MIGRATION -+static int ubifs_migrate_page(struct address_space *mapping, -+ struct page *newpage, struct page *page, enum migrate_mode mode) -+{ -+ int rc; -+ -+ rc = migrate_page_move_mapping(mapping, newpage, page, NULL, mode); -+ if (rc != MIGRATEPAGE_SUCCESS) -+ return rc; -+ -+ if (PagePrivate(page)) { -+ ClearPagePrivate(page); -+ SetPagePrivate(newpage); -+ } -+ -+ migrate_page_copy(newpage, page); -+ return MIGRATEPAGE_SUCCESS; -+} -+#endif -+ - static int ubifs_releasepage(struct page *page, gfp_t unused_gfp_flags) - { - /* -@@ -1558,6 +1579,9 @@ const struct address_space_operations ubifs_file_address_operations = { - .write_end = ubifs_write_end, - .invalidatepage = ubifs_invalidatepage, - .set_page_dirty = ubifs_set_page_dirty, -+#ifdef CONFIG_MIGRATION -+ .migratepage = ubifs_migrate_page, -+#endif - .releasepage = ubifs_releasepage, - }; - -diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c -index f010ab4594f1..06dec557d247 100644 ---- a/fs/xfs/xfs_inode.c -+++ b/fs/xfs/xfs_inode.c -@@ -2604,13 +2604,14 @@ xfs_iflush_cluster( - * We need to check under the i_flags_lock for a valid inode - * here. Skip it if it is not valid or the wrong inode. - */ -- spin_lock(&ip->i_flags_lock); -- if (!ip->i_ino || -+ spin_lock(&iq->i_flags_lock); -+ if (!iq->i_ino || -+ __xfs_iflags_test(iq, XFS_ISTALE) || - (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) { -- spin_unlock(&ip->i_flags_lock); -+ spin_unlock(&iq->i_flags_lock); - continue; - } -- spin_unlock(&ip->i_flags_lock); -+ spin_unlock(&iq->i_flags_lock); - - /* - * Do an un-protected check to see if the inode is dirty and -@@ -2726,7 +2727,7 @@ xfs_iflush( - struct xfs_buf **bpp) - { - struct xfs_mount *mp = ip->i_mount; -- struct xfs_buf *bp; -+ struct xfs_buf *bp = NULL; - struct xfs_dinode *dip; - int error; - -@@ -2768,14 +2769,22 @@ xfs_iflush( - } - - /* -- * Get the buffer containing the on-disk inode. -+ * Get the buffer containing the on-disk inode. We are doing a try-lock -+ * operation here, so we may get an EAGAIN error. In that case, we -+ * simply want to return with the inode still dirty. -+ * -+ * If we get any other error, we effectively have a corruption situation -+ * and we cannot flush the inode, so we treat it the same as failing -+ * xfs_iflush_int(). - */ - error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK, - 0); -- if (error || !bp) { -+ if (error == EAGAIN) { - xfs_ifunlock(ip); - return error; - } -+ if (error) -+ goto corrupt_out; - - /* - * First flush out the inode that xfs_iflush was called with. -@@ -2803,7 +2812,8 @@ xfs_iflush( - return 0; - - corrupt_out: -- xfs_buf_relse(bp); -+ if (bp) -+ xfs_buf_relse(bp); - xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE); - cluster_corrupt_out: - error = XFS_ERROR(EFSCORRUPTED); -diff --git a/include/linux/console.h b/include/linux/console.h -index 73bab0f58af5..6877ffc97d8c 100644 ---- a/include/linux/console.h -+++ b/include/linux/console.h -@@ -153,6 +153,7 @@ extern int console_trylock(void); - extern void console_unlock(void); - extern void console_conditional_schedule(void); - extern void console_unblank(void); -+extern void console_flush_on_panic(void); - extern struct tty_driver *console_device(int *); - extern void console_stop(struct console *); - extern void console_start(struct console *); -diff --git a/include/linux/migrate.h b/include/linux/migrate.h -index a405d3dc0f61..e98692748066 100644 ---- a/include/linux/migrate.h -+++ b/include/linux/migrate.h -@@ -55,6 +55,9 @@ extern int migrate_vmas(struct mm_struct *mm, - extern void migrate_page_copy(struct page *newpage, struct page *page); - extern int migrate_huge_page_move_mapping(struct address_space *mapping, - struct page *newpage, struct page *page); -+extern int migrate_page_move_mapping(struct address_space *mapping, -+ struct page *newpage, struct page *page, -+ struct buffer_head *head, enum migrate_mode mode); - #else - - static inline void putback_lru_pages(struct list_head *l) {} -diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h -index dd49566315c6..547a5846e6ac 100644 ---- a/include/linux/netfilter/x_tables.h -+++ b/include/linux/netfilter/x_tables.h -@@ -239,11 +239,18 @@ extern void xt_unregister_match(struct xt_match *target); - extern int xt_register_matches(struct xt_match *match, unsigned int n); - extern void xt_unregister_matches(struct xt_match *match, unsigned int n); - -+int xt_check_entry_offsets(const void *base, const char *elems, -+ unsigned int target_offset, -+ unsigned int next_offset); -+ - extern int xt_check_match(struct xt_mtchk_param *, - unsigned int size, u_int8_t proto, bool inv_proto); - extern int xt_check_target(struct xt_tgchk_param *, - unsigned int size, u_int8_t proto, bool inv_proto); - -+void *xt_copy_counters_from_user(const void __user *user, unsigned int len, -+ struct xt_counters_info *info, bool compat); -+ - extern struct xt_table *xt_register_table(struct net *net, - const struct xt_table *table, - struct xt_table_info *bootstrap, -@@ -423,7 +430,7 @@ extern void xt_compat_init_offsets(u_int8_t af, unsigned int number); - extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset); - - extern int xt_compat_match_offset(const struct xt_match *match); --extern int xt_compat_match_from_user(struct xt_entry_match *m, -+extern void xt_compat_match_from_user(struct xt_entry_match *m, - void **dstptr, unsigned int *size); - extern int xt_compat_match_to_user(const struct xt_entry_match *m, - void __user **dstptr, unsigned int *size); -@@ -433,6 +440,9 @@ extern void xt_compat_target_from_user(struct xt_entry_target *t, - void **dstptr, unsigned int *size); - extern int xt_compat_target_to_user(const struct xt_entry_target *t, - void __user **dstptr, unsigned int *size); -+int xt_compat_check_entry_offsets(const void *base, const char *elems, -+ unsigned int target_offset, -+ unsigned int next_offset); - - #endif /* CONFIG_COMPAT */ - #endif /* _X_TABLES_H */ -diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h -index ab5752692113..b3374f63bc36 100644 ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -42,6 +42,7 @@ struct pipe_buffer { - * @fasync_readers: reader side fasync - * @fasync_writers: writer side fasync - * @bufs: the circular array of pipe buffers -+ * @user: the user who created this pipe - **/ - struct pipe_inode_info { - struct mutex mutex; -@@ -57,6 +58,7 @@ struct pipe_inode_info { - struct fasync_struct *fasync_readers; - struct fasync_struct *fasync_writers; - struct pipe_buffer *bufs; -+ struct user_struct *user; - }; - - /* -@@ -140,6 +142,8 @@ void pipe_unlock(struct pipe_inode_info *); - void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); - - extern unsigned int pipe_max_size, pipe_min_size; -+extern unsigned long pipe_user_pages_hard; -+extern unsigned long pipe_user_pages_soft; - int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); - - -diff --git a/include/linux/sched.h b/include/linux/sched.h -index 4781332f2e11..7728941e7ddc 100644 ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -671,6 +671,7 @@ struct user_struct { - #endif - unsigned long locked_shm; /* How many pages of mlocked shm ? */ - unsigned long unix_inflight; /* How many files in flight in unix sockets */ -+ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ - - #ifdef CONFIG_KEYS - struct key *uid_keyring; /* UID specific keyring */ -diff --git a/include/linux/usb/ehci_def.h b/include/linux/usb/ehci_def.h -index daec99af5d54..1c88b177cb9c 100644 ---- a/include/linux/usb/ehci_def.h -+++ b/include/linux/usb/ehci_def.h -@@ -178,11 +178,11 @@ struct ehci_regs { - * PORTSCx - */ - /* HOSTPC: offset 0x84 */ -- u32 hostpc[1]; /* HOSTPC extension */ -+ u32 hostpc[0]; /* HOSTPC extension */ - #define HOSTPC_PHCD (1<<22) /* Phy clock disable */ - #define HOSTPC_PSPD (3<<25) /* Port speed detection */ - -- u32 reserved5[16]; -+ u32 reserved5[17]; - - /* USBMODE_EX: offset 0xc8 */ - u32 usbmode_ex; /* USB Device mode extension */ -diff --git a/include/rdma/ib.h b/include/rdma/ib.h -new file mode 100644 -index 000000000000..f09331ad0aba ---- /dev/null -+++ b/include/rdma/ib.h -@@ -0,0 +1,54 @@ -+/* -+ * Copyright (c) 2010 Intel Corporation. All rights reserved. -+ * -+ * This software is available to you under a choice of one of two -+ * licenses. You may choose to be licensed under the terms of the GNU -+ * General Public License (GPL) Version 2, available from the file -+ * COPYING in the main directory of this source tree, or the -+ * OpenIB.org BSD license below: -+ * -+ * Redistribution and use in source and binary forms, with or -+ * without modification, are permitted provided that the following -+ * conditions are met: -+ * -+ * - Redistributions of source code must retain the above -+ * copyright notice, this list of conditions and the following -+ * disclaimer. -+ * -+ * - Redistributions in binary form must reproduce the above -+ * copyright notice, this list of conditions and the following -+ * disclaimer in the documentation and/or other materials -+ * provided with the distribution. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS -+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN -+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#if !defined(_RDMA_IB_H) -+#define _RDMA_IB_H -+ -+#include -+#include -+ -+/* -+ * The IB interfaces that use write() as bi-directional ioctl() are -+ * fundamentally unsafe, since there are lots of ways to trigger "write()" -+ * calls from various contexts with elevated privileges. That includes the -+ * traditional suid executable error message writes, but also various kernel -+ * interfaces that can write to file descriptors. -+ * -+ * This function provides protection for the legacy API by restricting the -+ * calling context. -+ */ -+static inline bool ib_safe_file_access(struct file *filp) -+{ -+ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS); -+} -+ -+#endif /* _RDMA_IB_H */ -diff --git a/kernel/module.c b/kernel/module.c -index f8a4f48b48a9..2c87e521032b 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -2475,13 +2475,18 @@ static inline void kmemleak_load_module(const struct module *mod, - #endif - - #ifdef CONFIG_MODULE_SIG --static int module_sig_check(struct load_info *info) -+static int module_sig_check(struct load_info *info, int flags) - { - int err = -ENOKEY; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; - const void *mod = info->hdr; - -- if (info->len > markerlen && -+ /* -+ * Require flags == 0, as a module with version information -+ * removed is no longer the module that was signed -+ */ -+ if (flags == 0 && -+ info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { - /* We truncate the module to discard the signature */ - info->len -= markerlen; -@@ -2503,7 +2508,7 @@ static int module_sig_check(struct load_info *info) - return err; - } - #else /* !CONFIG_MODULE_SIG */ --static int module_sig_check(struct load_info *info) -+static int module_sig_check(struct load_info *info, int flags) - { - return 0; - } -@@ -3228,7 +3233,7 @@ static int load_module(struct load_info *info, const char __user *uargs, - struct module *mod; - long err; - -- err = module_sig_check(info); -+ err = module_sig_check(info, flags); - if (err) - goto free_copy; - -diff --git a/kernel/panic.c b/kernel/panic.c -index 167ec097ce8b..d3d74c4e2258 100644 ---- a/kernel/panic.c -+++ b/kernel/panic.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - - #define PANIC_TIMER_STEP 100 - #define PANIC_BLINK_SPD 18 -@@ -128,6 +129,8 @@ void panic(const char *fmt, ...) - - bust_spinlocks(0); - -+ console_flush_on_panic(); -+ - if (!panic_blink) - panic_blink = no_blink; - -diff --git a/kernel/printk.c b/kernel/printk.c -index fd0154a57d6e..ee8f6be7d8a9 100644 ---- a/kernel/printk.c -+++ b/kernel/printk.c -@@ -2033,13 +2033,24 @@ void console_unlock(void) - static u64 seen_seq; - unsigned long flags; - bool wake_klogd = false; -- bool retry; -+ bool do_cond_resched, retry; - - if (console_suspended) { - up(&console_sem); - return; - } - -+ /* -+ * Console drivers are called under logbuf_lock, so -+ * @console_may_schedule should be cleared before; however, we may -+ * end up dumping a lot of lines, for example, if called from -+ * console registration path, and should invoke cond_resched() -+ * between lines if allowable. Not doing so can cause a very long -+ * scheduling stall on a slow console leading to RCU stall and -+ * softlockup warnings which exacerbate the issue with more -+ * messages practically incapacitating the system. -+ */ -+ do_cond_resched = console_may_schedule; - console_may_schedule = 0; - - /* flush buffered message fragment immediately to console */ -@@ -2096,6 +2107,9 @@ skip: - call_console_drivers(level, text, len); - start_critical_timings(); - local_irq_restore(flags); -+ -+ if (do_cond_resched) -+ cond_resched(); - } - console_locked = 0; - mutex_release(&console_lock_dep_map, 1, _RET_IP_); -@@ -2164,6 +2178,25 @@ void console_unblank(void) - console_unlock(); - } - -+/** -+ * console_flush_on_panic - flush console content on panic -+ * -+ * Immediately output all pending messages no matter what. -+ */ -+void console_flush_on_panic(void) -+{ -+ /* -+ * If someone else is holding the console lock, trylock will fail -+ * and may_schedule may be set. Ignore and proceed to unlock so -+ * that messages are flushed out. As this can be called from any -+ * context and we don't want to get preempted while flushing, -+ * ensure may_schedule is cleared. -+ */ -+ console_trylock(); -+ console_may_schedule = 0; -+ console_unlock(); -+} -+ - /* - * Return the console tty driver structure and its associated index - */ -diff --git a/kernel/signal.c b/kernel/signal.c -index 4d1f7fa3138d..7b81c53b0097 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -3004,11 +3004,9 @@ static int do_rt_sigqueueinfo(pid_t pid, int sig, siginfo_t *info) - * Nor can they impersonate a kill()/tgkill(), which adds source info. - */ - if ((info->si_code >= 0 || info->si_code == SI_TKILL) && -- (task_pid_vnr(current) != pid)) { -- /* We used to allow any < 0 si_code */ -- WARN_ON_ONCE(info->si_code < 0); -+ (task_pid_vnr(current) != pid)) - return -EPERM; -- } -+ - info->si_signo = sig; - - /* POSIX.1b doesn't mention process groups. */ -@@ -3053,12 +3051,10 @@ static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info) - /* Not even root can pretend to send signals from the kernel. - * Nor can they impersonate a kill()/tgkill(), which adds source info. - */ -- if (((info->si_code >= 0 || info->si_code == SI_TKILL)) && -- (task_pid_vnr(current) != pid)) { -- /* We used to allow any < 0 si_code */ -- WARN_ON_ONCE(info->si_code < 0); -+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) && -+ (task_pid_vnr(current) != pid)) - return -EPERM; -- } -+ - info->si_signo = sig; - - return do_send_specific(tgid, pid, sig, info); -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 9469f4c61a30..4fd49fe1046d 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -1632,6 +1632,20 @@ static struct ctl_table fs_table[] = { - .proc_handler = &pipe_proc_fn, - .extra1 = &pipe_min_size, - }, -+ { -+ .procname = "pipe-user-pages-hard", -+ .data = &pipe_user_pages_hard, -+ .maxlen = sizeof(pipe_user_pages_hard), -+ .mode = 0644, -+ .proc_handler = proc_doulongvec_minmax, -+ }, -+ { -+ .procname = "pipe-user-pages-soft", -+ .data = &pipe_user_pages_soft, -+ .maxlen = sizeof(pipe_user_pages_soft), -+ .mode = 0644, -+ .proc_handler = proc_doulongvec_minmax, -+ }, - { } - }; - -diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c -index fdb23e84b011..7be4d67cecbd 100644 ---- a/kernel/trace/trace_printk.c -+++ b/kernel/trace/trace_printk.c -@@ -38,6 +38,10 @@ struct trace_bprintk_fmt { - static inline struct trace_bprintk_fmt *lookup_format(const char *fmt) - { - struct trace_bprintk_fmt *pos; -+ -+ if (!fmt) -+ return ERR_PTR(-EINVAL); -+ - list_for_each_entry(pos, &trace_bprintk_fmt_list, list) { - if (!strcmp(pos->fmt, fmt)) - return pos; -@@ -59,7 +63,8 @@ void hold_module_trace_bprintk_format(const char **start, const char **end) - for (iter = start; iter < end; iter++) { - struct trace_bprintk_fmt *tb_fmt = lookup_format(*iter); - if (tb_fmt) { -- *iter = tb_fmt->fmt; -+ if (!IS_ERR(tb_fmt)) -+ *iter = tb_fmt->fmt; - continue; - } - -diff --git a/lib/dma-debug.c b/lib/dma-debug.c -index eb43517bf261..c32437f6be61 100644 ---- a/lib/dma-debug.c -+++ b/lib/dma-debug.c -@@ -445,9 +445,9 @@ static struct dma_debug_entry *dma_entry_alloc(void) - spin_lock_irqsave(&free_entries_lock, flags); - - if (list_empty(&free_entries)) { -- pr_err("DMA-API: debugging out of memory - disabling\n"); - global_disable = true; - spin_unlock_irqrestore(&free_entries_lock, flags); -+ pr_err("DMA-API: debugging out of memory - disabling\n"); - return NULL; - } - -diff --git a/mm/migrate.c b/mm/migrate.c -index a88c12f2235d..808f8abb1b8f 100644 ---- a/mm/migrate.c -+++ b/mm/migrate.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -307,10 +308,12 @@ static inline bool buffer_migrate_lock_buffers(struct buffer_head *head, - * 2 for pages with a mapping - * 3 for pages with a mapping and PagePrivate/PagePrivate2 set. - */ --static int migrate_page_move_mapping(struct address_space *mapping, -+int migrate_page_move_mapping(struct address_space *mapping, - struct page *newpage, struct page *page, - struct buffer_head *head, enum migrate_mode mode) - { -+ struct zone *oldzone, *newzone; -+ int dirty; - int expected_count = 0; - void **pslot; - -@@ -321,6 +324,9 @@ static int migrate_page_move_mapping(struct address_space *mapping, - return MIGRATEPAGE_SUCCESS; - } - -+ oldzone = page_zone(page); -+ newzone = page_zone(newpage); -+ - spin_lock_irq(&mapping->tree_lock); - - pslot = radix_tree_lookup_slot(&mapping->page_tree, -@@ -361,6 +367,13 @@ static int migrate_page_move_mapping(struct address_space *mapping, - set_page_private(newpage, page_private(page)); - } - -+ /* Move dirty while page refs frozen and newpage not yet exposed */ -+ dirty = PageDirty(page); -+ if (dirty) { -+ ClearPageDirty(page); -+ SetPageDirty(newpage); -+ } -+ - radix_tree_replace_slot(pslot, newpage); - - /* -@@ -370,6 +383,9 @@ static int migrate_page_move_mapping(struct address_space *mapping, - */ - page_unfreeze_refs(page, expected_count - 1); - -+ spin_unlock(&mapping->tree_lock); -+ /* Leave irq disabled to prevent preemption while updating stats */ -+ - /* - * If moved to a different zone then also account - * the page for that zone. Other VM counters will be -@@ -380,16 +396,23 @@ static int migrate_page_move_mapping(struct address_space *mapping, - * via NR_FILE_PAGES and NR_ANON_PAGES if they - * are mapped to swap space. - */ -- __dec_zone_page_state(page, NR_FILE_PAGES); -- __inc_zone_page_state(newpage, NR_FILE_PAGES); -- if (!PageSwapCache(page) && PageSwapBacked(page)) { -- __dec_zone_page_state(page, NR_SHMEM); -- __inc_zone_page_state(newpage, NR_SHMEM); -+ if (newzone != oldzone) { -+ __dec_zone_state(oldzone, NR_FILE_PAGES); -+ __inc_zone_state(newzone, NR_FILE_PAGES); -+ if (PageSwapBacked(page) && !PageSwapCache(page)) { -+ __dec_zone_state(oldzone, NR_SHMEM); -+ __inc_zone_state(newzone, NR_SHMEM); -+ } -+ if (dirty && mapping_cap_account_dirty(mapping)) { -+ __dec_zone_state(oldzone, NR_FILE_DIRTY); -+ __inc_zone_state(newzone, NR_FILE_DIRTY); -+ } - } -- spin_unlock_irq(&mapping->tree_lock); -+ local_irq_enable(); - - return MIGRATEPAGE_SUCCESS; - } -+EXPORT_SYMBOL(migrate_page_move_mapping); - - /* - * The expected number of remaining references is the same as that -@@ -460,20 +483,9 @@ void migrate_page_copy(struct page *newpage, struct page *page) - if (PageMappedToDisk(page)) - SetPageMappedToDisk(newpage); - -- if (PageDirty(page)) { -- clear_page_dirty_for_io(page); -- /* -- * Want to mark the page and the radix tree as dirty, and -- * redo the accounting that clear_page_dirty_for_io undid, -- * but we can't use set_page_dirty because that function -- * is actually a signal that all of the page has become dirty. -- * Whereas only part of our page may be dirty. -- */ -- if (PageSwapBacked(page)) -- SetPageDirty(newpage); -- else -- __set_page_dirty_nobuffers(newpage); -- } -+ /* Move dirty on pages not done by migrate_page_move_mapping() */ -+ if (PageDirty(page)) -+ SetPageDirty(newpage); - - mlock_migrate_page(newpage, page); - ksm_migrate_page(newpage, page); -@@ -492,6 +504,7 @@ void migrate_page_copy(struct page *newpage, struct page *page) - if (PageWriteback(newpage)) - end_page_writeback(newpage); - } -+EXPORT_SYMBOL(migrate_page_copy); - - /************************************************************ - * Migration functions -diff --git a/mm/shmem.c b/mm/shmem.c -index 4e4a7349c5cd..cc02b6c6eec4 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -1948,9 +1948,11 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - NULL); - if (error) { - /* Remove the !PageUptodate pages we added */ -- shmem_undo_range(inode, -- (loff_t)start << PAGE_CACHE_SHIFT, -- (loff_t)index << PAGE_CACHE_SHIFT, true); -+ if (index > start) { -+ shmem_undo_range(inode, -+ (loff_t)start << PAGE_CACHE_SHIFT, -+ ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true); -+ } - goto undone; - } - -diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c -index 5f36f70ce44d..4b966c6c0145 100644 ---- a/net/bluetooth/l2cap_sock.c -+++ b/net/bluetooth/l2cap_sock.c -@@ -725,7 +725,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, - break; - } - -- if (get_user(opt, (u32 __user *) optval)) { -+ if (get_user(opt, (u16 __user *) optval)) { - err = -EFAULT; - break; - } -diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c -index 7ec4e0522215..c1de8d404c47 100644 ---- a/net/ceph/osdmap.c -+++ b/net/ceph/osdmap.c -@@ -798,6 +798,110 @@ bad: - } - - /* -+ * Encoding order is (new_up_client, new_state, new_weight). Need to -+ * apply in the (new_weight, new_state, new_up_client) order, because -+ * an incremental map may look like e.g. -+ * -+ * new_up_client: { osd=6, addr=... } # set osd_state and addr -+ * new_state: { osd=6, xorstate=EXISTS } # clear osd_state -+ */ -+static int decode_new_up_state_weight(void **p, void *end, -+ struct ceph_osdmap *map) -+{ -+ void *new_up_client; -+ void *new_state; -+ void *new_weight_end; -+ u32 len; -+ -+ new_up_client = *p; -+ ceph_decode_32_safe(p, end, len, e_inval); -+ len *= sizeof(u32) + sizeof(struct ceph_entity_addr); -+ ceph_decode_need(p, end, len, e_inval); -+ *p += len; -+ -+ new_state = *p; -+ ceph_decode_32_safe(p, end, len, e_inval); -+ len *= sizeof(u32) + sizeof(u8); -+ ceph_decode_need(p, end, len, e_inval); -+ *p += len; -+ -+ /* new_weight */ -+ ceph_decode_32_safe(p, end, len, e_inval); -+ while (len--) { -+ s32 osd; -+ u32 w; -+ -+ ceph_decode_need(p, end, 2*sizeof(u32), e_inval); -+ osd = ceph_decode_32(p); -+ w = ceph_decode_32(p); -+ BUG_ON(osd >= map->max_osd); -+ pr_info("osd%d weight 0x%x %s\n", osd, w, -+ w == CEPH_OSD_IN ? "(in)" : -+ (w == CEPH_OSD_OUT ? "(out)" : "")); -+ map->osd_weight[osd] = w; -+ -+ /* -+ * If we are marking in, set the EXISTS, and clear the -+ * AUTOOUT and NEW bits. -+ */ -+ if (w) { -+ map->osd_state[osd] |= CEPH_OSD_EXISTS; -+ map->osd_state[osd] &= ~(CEPH_OSD_AUTOOUT | -+ CEPH_OSD_NEW); -+ } -+ } -+ new_weight_end = *p; -+ -+ /* new_state (up/down) */ -+ *p = new_state; -+ len = ceph_decode_32(p); -+ while (len--) { -+ s32 osd; -+ u8 xorstate; -+ -+ osd = ceph_decode_32(p); -+ xorstate = ceph_decode_8(p); -+ if (xorstate == 0) -+ xorstate = CEPH_OSD_UP; -+ BUG_ON(osd >= map->max_osd); -+ if ((map->osd_state[osd] & CEPH_OSD_UP) && -+ (xorstate & CEPH_OSD_UP)) -+ pr_info("osd%d down\n", osd); -+ if ((map->osd_state[osd] & CEPH_OSD_EXISTS) && -+ (xorstate & CEPH_OSD_EXISTS)) { -+ pr_info("osd%d does not exist\n", osd); -+ map->osd_weight[osd] = CEPH_OSD_IN; -+ memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr)); -+ map->osd_state[osd] = 0; -+ } else { -+ map->osd_state[osd] ^= xorstate; -+ } -+ } -+ -+ /* new_up_client */ -+ *p = new_up_client; -+ len = ceph_decode_32(p); -+ while (len--) { -+ s32 osd; -+ struct ceph_entity_addr addr; -+ -+ osd = ceph_decode_32(p); -+ ceph_decode_copy(p, &addr, sizeof(addr)); -+ ceph_decode_addr(&addr); -+ BUG_ON(osd >= map->max_osd); -+ pr_info("osd%d up\n", osd); -+ map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP; -+ map->osd_addr[osd] = addr; -+ } -+ -+ *p = new_weight_end; -+ return 0; -+ -+e_inval: -+ return -EINVAL; -+} -+ -+/* - * decode and apply an incremental map update. - */ - struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, -@@ -912,50 +1016,10 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, - __remove_pg_pool(&map->pg_pools, pi); - } - -- /* new_up */ -- err = -EINVAL; -- ceph_decode_32_safe(p, end, len, bad); -- while (len--) { -- u32 osd; -- struct ceph_entity_addr addr; -- ceph_decode_32_safe(p, end, osd, bad); -- ceph_decode_copy_safe(p, end, &addr, sizeof(addr), bad); -- ceph_decode_addr(&addr); -- pr_info("osd%d up\n", osd); -- BUG_ON(osd >= map->max_osd); -- map->osd_state[osd] |= CEPH_OSD_UP; -- map->osd_addr[osd] = addr; -- } -- -- /* new_state */ -- ceph_decode_32_safe(p, end, len, bad); -- while (len--) { -- u32 osd; -- u8 xorstate; -- ceph_decode_32_safe(p, end, osd, bad); -- xorstate = **(u8 **)p; -- (*p)++; /* clean flag */ -- if (xorstate == 0) -- xorstate = CEPH_OSD_UP; -- if (xorstate & CEPH_OSD_UP) -- pr_info("osd%d down\n", osd); -- if (osd < map->max_osd) -- map->osd_state[osd] ^= xorstate; -- } -- -- /* new_weight */ -- ceph_decode_32_safe(p, end, len, bad); -- while (len--) { -- u32 osd, off; -- ceph_decode_need(p, end, sizeof(u32)*2, bad); -- osd = ceph_decode_32(p); -- off = ceph_decode_32(p); -- pr_info("osd%d weight 0x%x %s\n", osd, off, -- off == CEPH_OSD_IN ? "(in)" : -- (off == CEPH_OSD_OUT ? "(out)" : "")); -- if (osd < map->max_osd) -- map->osd_weight[osd] = off; -- } -+ /* new_up_client, new_state, new_weight */ -+ err = decode_new_up_state_weight(p, end, map); -+ if (err) -+ goto bad; - - /* new_pg_temp */ - ceph_decode_32_safe(p, end, len, bad); -diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c -index b31553d385bb..89570f070e0e 100644 ---- a/net/ipv4/ipmr.c -+++ b/net/ipv4/ipmr.c -@@ -881,8 +881,10 @@ static struct mfc_cache *ipmr_cache_alloc(void) - { - struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); - -- if (c) -+ if (c) { -+ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; - c->mfc_un.res.minvif = MAXVIFS; -+ } - return c; - } - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index c8abe31961ed..95a5f261fe8a 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -350,11 +350,12 @@ unsigned int arpt_do_table(struct sk_buff *skb, - } - - /* All zeroes == unconditional rule. */ --static inline bool unconditional(const struct arpt_arp *arp) -+static inline bool unconditional(const struct arpt_entry *e) - { - static const struct arpt_arp uncond; - -- return memcmp(arp, &uncond, sizeof(uncond)) == 0; -+ return e->target_offset == sizeof(struct arpt_entry) && -+ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; - } - - /* Figures out from what hook each rule can be called: returns 0 if -@@ -393,11 +394,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); - - /* Unconditional return/END. */ -- if ((e->target_offset == sizeof(struct arpt_entry) && -+ if ((unconditional(e) && - (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0) && -- t->verdict < 0 && unconditional(&e->arp)) || -- visited) { -+ t->verdict < 0) || visited) { - unsigned int oldpos, size; - - if ((strcmp(t->target.u.user.name, -@@ -430,6 +430,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - size = e->next_offset; - e = (struct arpt_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -452,6 +454,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct arpt_entry *) - (entry0 + newpos); -@@ -465,25 +469,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - return 1; - } - --static inline int check_entry(const struct arpt_entry *e, const char *name) --{ -- const struct xt_entry_target *t; -- -- if (!arp_checkentry(&e->arp)) { -- duprintf("arp_tables: arp check failed %p %s.\n", e, name); -- return -EINVAL; -- } -- -- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset) -- return -EINVAL; -- -- t = arpt_get_target_c(e); -- if (e->target_offset + t->u.target_size > e->next_offset) -- return -EINVAL; -- -- return 0; --} -- - static inline int check_target(struct arpt_entry *e, const char *name) - { - struct xt_entry_target *t = arpt_get_target(e); -@@ -513,10 +498,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) - struct xt_target *target; - int ret; - -- ret = check_entry(e, name); -- if (ret) -- return ret; -- - t = arpt_get_target(e); - target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, - t->u.user.revision); -@@ -542,7 +523,7 @@ static bool check_underflow(const struct arpt_entry *e) - const struct xt_entry_target *t; - unsigned int verdict; - -- if (!unconditional(&e->arp)) -+ if (!unconditional(e)) - return false; - t = arpt_get_target_c(e); - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) -@@ -561,9 +542,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, - unsigned int valid_hooks) - { - unsigned int h; -+ int err; - - if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 || -- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { -+ (unsigned char *)e + sizeof(struct arpt_entry) >= limit || -+ (unsigned char *)e + e->next_offset > limit) { - duprintf("Bad offset %p\n", e); - return -EINVAL; - } -@@ -575,6 +558,14 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, - return -EINVAL; - } - -+ if (!arp_checkentry(&e->arp)) -+ return -EINVAL; -+ -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); -+ if (err) -+ return err; -+ - /* Check hooks & underflows */ - for (h = 0; h < NF_ARP_NUMHOOKS; h++) { - if (!(valid_hooks & (1 << h))) -@@ -583,9 +574,9 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, - newinfo->hook_entry[h] = hook_entries[h]; - if ((unsigned char *)e - base == underflows[h]) { - if (!check_underflow(e)) { -- pr_err("Underflows must be unconditional and " -- "use the STANDARD target with " -- "ACCEPT/DROP\n"); -+ pr_debug("Underflows must be unconditional and " -+ "use the STANDARD target with " -+ "ACCEPT/DROP\n"); - return -EINVAL; - } - newinfo->underflow[h] = underflows[h]; -@@ -675,10 +666,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, - } - } - -- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) { -- duprintf("Looping hook\n"); -+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) - return -ELOOP; -- } - - /* Finally, each sanity check must pass */ - i = 0; -@@ -1071,6 +1060,9 @@ static int do_replace(struct net *net, const void __user *user, - /* overflow check */ - if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) - return -ENOMEM; -+ if (tmp.num_counters == 0) -+ return -EINVAL; -+ - tmp.name[sizeof(tmp.name)-1] = 0; - - newinfo = xt_alloc_table_info(tmp.size); -@@ -1111,56 +1103,18 @@ static int do_add_counters(struct net *net, const void __user *user, - unsigned int i, curcpu; - struct xt_counters_info tmp; - struct xt_counters *paddc; -- unsigned int num_counters; -- const char *name; -- int size; -- void *ptmp; - struct xt_table *t; - const struct xt_table_info *private; - int ret = 0; - void *loc_cpu_entry; - struct arpt_entry *iter; - unsigned int addend; --#ifdef CONFIG_COMPAT -- struct compat_xt_counters_info compat_tmp; -- -- if (compat) { -- ptmp = &compat_tmp; -- size = sizeof(struct compat_xt_counters_info); -- } else --#endif -- { -- ptmp = &tmp; -- size = sizeof(struct xt_counters_info); -- } - -- if (copy_from_user(ptmp, user, size) != 0) -- return -EFAULT; -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); -+ if (IS_ERR(paddc)) -+ return PTR_ERR(paddc); - --#ifdef CONFIG_COMPAT -- if (compat) { -- num_counters = compat_tmp.num_counters; -- name = compat_tmp.name; -- } else --#endif -- { -- num_counters = tmp.num_counters; -- name = tmp.name; -- } -- -- if (len != size + num_counters * sizeof(struct xt_counters)) -- return -EINVAL; -- -- paddc = vmalloc(len - size); -- if (!paddc) -- return -ENOMEM; -- -- if (copy_from_user(paddc, user + size, len - size) != 0) { -- ret = -EFAULT; -- goto free; -- } -- -- t = xt_find_table_lock(net, NFPROTO_ARP, name); -+ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name); - if (IS_ERR_OR_NULL(t)) { - ret = t ? PTR_ERR(t) : -ENOENT; - goto free; -@@ -1168,7 +1122,7 @@ static int do_add_counters(struct net *net, const void __user *user, - - local_bh_disable(); - private = t->private; -- if (private->number != num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } -@@ -1194,6 +1148,18 @@ static int do_add_counters(struct net *net, const void __user *user, - } - - #ifdef CONFIG_COMPAT -+struct compat_arpt_replace { -+ char name[XT_TABLE_MAXNAMELEN]; -+ u32 valid_hooks; -+ u32 num_entries; -+ u32 size; -+ u32 hook_entry[NF_ARP_NUMHOOKS]; -+ u32 underflow[NF_ARP_NUMHOOKS]; -+ u32 num_counters; -+ compat_uptr_t counters; -+ struct compat_arpt_entry entries[0]; -+}; -+ - static inline void compat_release_entry(struct compat_arpt_entry *e) - { - struct xt_entry_target *t; -@@ -1202,24 +1168,22 @@ static inline void compat_release_entry(struct compat_arpt_entry *e) - module_put(t->u.kernel.target->me); - } - --static inline int -+static int - check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, - struct xt_table_info *newinfo, - unsigned int *size, - const unsigned char *base, -- const unsigned char *limit, -- const unsigned int *hook_entries, -- const unsigned int *underflows, -- const char *name) -+ const unsigned char *limit) - { - struct xt_entry_target *t; - struct xt_target *target; - unsigned int entry_offset; -- int ret, off, h; -+ int ret, off; - - duprintf("check_compat_entry_size_and_hooks %p\n", e); - if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || -- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) { -+ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit || -+ (unsigned char *)e + e->next_offset > limit) { - duprintf("Bad offset %p, limit = %p\n", e, limit); - return -EINVAL; - } -@@ -1231,8 +1195,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, - return -EINVAL; - } - -- /* For purposes of check_entry casting the compat entry is fine */ -- ret = check_entry((struct arpt_entry *)e, name); -+ if (!arp_checkentry(&e->arp)) -+ return -EINVAL; -+ -+ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); - if (ret) - return ret; - -@@ -1256,17 +1223,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, - if (ret) - goto release_target; - -- /* Check hooks & underflows */ -- for (h = 0; h < NF_ARP_NUMHOOKS; h++) { -- if ((unsigned char *)e - base == hook_entries[h]) -- newinfo->hook_entry[h] = hook_entries[h]; -- if ((unsigned char *)e - base == underflows[h]) -- newinfo->underflow[h] = underflows[h]; -- } -- -- /* Clear counters and comefrom */ -- memset(&e->counters, 0, sizeof(e->counters)); -- e->comefrom = 0; - return 0; - - release_target: -@@ -1275,18 +1231,17 @@ out: - return ret; - } - --static int -+static void - compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, -- unsigned int *size, const char *name, -+ unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) - { - struct xt_entry_target *t; - struct xt_target *target; - struct arpt_entry *de; - unsigned int origsize; -- int ret, h; -+ int h; - -- ret = 0; - origsize = *size; - de = (struct arpt_entry *)*dstptr; - memcpy(de, e, sizeof(struct arpt_entry)); -@@ -1307,144 +1262,81 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, - if ((unsigned char *)de - base < newinfo->underflow[h]) - newinfo->underflow[h] -= origsize - *size; - } -- return ret; - } - --static int translate_compat_table(const char *name, -- unsigned int valid_hooks, -- struct xt_table_info **pinfo, -+static int translate_compat_table(struct xt_table_info **pinfo, - void **pentry0, -- unsigned int total_size, -- unsigned int number, -- unsigned int *hook_entries, -- unsigned int *underflows) -+ const struct compat_arpt_replace *compatr) - { - unsigned int i, j; - struct xt_table_info *newinfo, *info; - void *pos, *entry0, *entry1; - struct compat_arpt_entry *iter0; -- struct arpt_entry *iter1; -+ struct arpt_replace repl; - unsigned int size; - int ret = 0; - - info = *pinfo; - entry0 = *pentry0; -- size = total_size; -- info->number = number; -- -- /* Init all hooks to impossible value. */ -- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -- info->hook_entry[i] = 0xFFFFFFFF; -- info->underflow[i] = 0xFFFFFFFF; -- } -+ size = compatr->size; -+ info->number = compatr->num_entries; - - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(NFPROTO_ARP); -- xt_compat_init_offsets(NFPROTO_ARP, number); -+ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); - /* Walk through entries, checking offsets. */ -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + total_size, -- hook_entries, -- underflows, -- name); -+ entry0 + compatr->size); - if (ret != 0) - goto out_unlock; - ++j; - } - - ret = -EINVAL; -- if (j != number) { -+ if (j != compatr->num_entries) { - duprintf("translate_compat_table: %u not %u entries\n", -- j, number); -+ j, compatr->num_entries); - goto out_unlock; - } - -- /* Check hooks all assigned */ -- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -- /* Only hooks which are valid */ -- if (!(valid_hooks & (1 << i))) -- continue; -- if (info->hook_entry[i] == 0xFFFFFFFF) { -- duprintf("Invalid hook entry %u %u\n", -- i, hook_entries[i]); -- goto out_unlock; -- } -- if (info->underflow[i] == 0xFFFFFFFF) { -- duprintf("Invalid underflow %u %u\n", -- i, underflows[i]); -- goto out_unlock; -- } -- } -- - ret = -ENOMEM; - newinfo = xt_alloc_table_info(size); - if (!newinfo) - goto out_unlock; - -- newinfo->number = number; -+ newinfo->number = compatr->num_entries; - for (i = 0; i < NF_ARP_NUMHOOKS; i++) { - newinfo->hook_entry[i] = info->hook_entry[i]; - newinfo->underflow[i] = info->underflow[i]; - } - entry1 = newinfo->entries[raw_smp_processor_id()]; - pos = entry1; -- size = total_size; -- xt_entry_foreach(iter0, entry0, total_size) { -- ret = compat_copy_entry_from_user(iter0, &pos, &size, -- name, newinfo, entry1); -- if (ret != 0) -- break; -- } -+ size = compatr->size; -+ xt_entry_foreach(iter0, entry0, compatr->size) -+ compat_copy_entry_from_user(iter0, &pos, &size, -+ newinfo, entry1); -+ -+ /* all module references in entry0 are now gone */ -+ - xt_compat_flush_offsets(NFPROTO_ARP); - xt_compat_unlock(NFPROTO_ARP); -- if (ret) -- goto free_newinfo; - -- ret = -ELOOP; -- if (!mark_source_chains(newinfo, valid_hooks, entry1)) -- goto free_newinfo; -+ memcpy(&repl, compatr, sizeof(*compatr)); - -- i = 0; -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = check_target(iter1, name); -- if (ret != 0) -- break; -- ++i; -- if (strcmp(arpt_get_target(iter1)->u.user.name, -- XT_ERROR_TARGET) == 0) -- ++newinfo->stacksize; -- } -- if (ret) { -- /* -- * The first i matches need cleanup_entry (calls ->destroy) -- * because they had called ->check already. The other j-i -- * entries need only release. -- */ -- int skip = i; -- j -= i; -- xt_entry_foreach(iter0, entry0, newinfo->size) { -- if (skip-- > 0) -- continue; -- if (j-- == 0) -- break; -- compat_release_entry(iter0); -- } -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- if (i-- == 0) -- break; -- cleanup_entry(iter1); -- } -- xt_free_table_info(newinfo); -- return ret; -+ for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -+ repl.hook_entry[i] = newinfo->hook_entry[i]; -+ repl.underflow[i] = newinfo->underflow[i]; - } - -- /* And one copy for every other CPU */ -- for_each_possible_cpu(i) -- if (newinfo->entries[i] && newinfo->entries[i] != entry1) -- memcpy(newinfo->entries[i], entry1, newinfo->size); -+ repl.num_counters = 0; -+ repl.counters = NULL; -+ repl.size = newinfo->size; -+ ret = translate_table(newinfo, entry1, &repl); -+ if (ret) -+ goto free_newinfo; - - *pinfo = newinfo; - *pentry0 = entry1; -@@ -1453,31 +1345,18 @@ static int translate_compat_table(const char *name, - - free_newinfo: - xt_free_table_info(newinfo); --out: -- xt_entry_foreach(iter0, entry0, total_size) { -+ return ret; -+out_unlock: -+ xt_compat_flush_offsets(NFPROTO_ARP); -+ xt_compat_unlock(NFPROTO_ARP); -+ xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); - } - return ret; --out_unlock: -- xt_compat_flush_offsets(NFPROTO_ARP); -- xt_compat_unlock(NFPROTO_ARP); -- goto out; - } - --struct compat_arpt_replace { -- char name[XT_TABLE_MAXNAMELEN]; -- u32 valid_hooks; -- u32 num_entries; -- u32 size; -- u32 hook_entry[NF_ARP_NUMHOOKS]; -- u32 underflow[NF_ARP_NUMHOOKS]; -- u32 num_counters; -- compat_uptr_t counters; -- struct compat_arpt_entry entries[0]; --}; -- - static int compat_do_replace(struct net *net, void __user *user, - unsigned int len) - { -@@ -1495,6 +1374,9 @@ static int compat_do_replace(struct net *net, void __user *user, - return -ENOMEM; - if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) - return -ENOMEM; -+ if (tmp.num_counters == 0) -+ return -EINVAL; -+ - tmp.name[sizeof(tmp.name)-1] = 0; - - newinfo = xt_alloc_table_info(tmp.size); -@@ -1508,10 +1390,7 @@ static int compat_do_replace(struct net *net, void __user *user, - goto free_newinfo; - } - -- ret = translate_compat_table(tmp.name, tmp.valid_hooks, -- &newinfo, &loc_cpu_entry, tmp.size, -- tmp.num_entries, tmp.hook_entry, -- tmp.underflow); -+ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); - if (ret != 0) - goto free_newinfo; - -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index 651c10774d58..92c8f2727ee9 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int offset) - - /* All zeroes == unconditional rule. */ - /* Mildly perf critical (only if packet tracing is on) */ --static inline bool unconditional(const struct ipt_ip *ip) -+static inline bool unconditional(const struct ipt_entry *e) - { - static const struct ipt_ip uncond; - -- return memcmp(ip, &uncond, sizeof(uncond)) == 0; -+ return e->target_offset == sizeof(struct ipt_entry) && -+ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; - #undef FWINV - } - -@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, - } else if (s == e) { - (*rulenum)++; - -- if (s->target_offset == sizeof(struct ipt_entry) && -+ if (unconditional(s) && - strcmp(t->target.u.kernel.target->name, - XT_STANDARD_TARGET) == 0 && -- t->verdict < 0 && -- unconditional(&s->ip)) { -+ t->verdict < 0) { - /* Tail of chains: STANDARD target (return/policy) */ - *comment = *chainname == hookname - ? comments[NF_IP_TRACE_COMMENT_POLICY] -@@ -467,11 +467,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); - - /* Unconditional return/END. */ -- if ((e->target_offset == sizeof(struct ipt_entry) && -+ if ((unconditional(e) && - (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0) && -- t->verdict < 0 && unconditional(&e->ip)) || -- visited) { -+ t->verdict < 0) || visited) { - unsigned int oldpos, size; - - if ((strcmp(t->target.u.user.name, -@@ -512,6 +511,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - size = e->next_offset; - e = (struct ipt_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -533,6 +534,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct ipt_entry *) - (entry0 + newpos); -@@ -560,27 +563,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) - } - - static int --check_entry(const struct ipt_entry *e, const char *name) --{ -- const struct xt_entry_target *t; -- -- if (!ip_checkentry(&e->ip)) { -- duprintf("ip check failed %p %s.\n", e, name); -- return -EINVAL; -- } -- -- if (e->target_offset + sizeof(struct xt_entry_target) > -- e->next_offset) -- return -EINVAL; -- -- t = ipt_get_target_c(e); -- if (e->target_offset + t->u.target_size > e->next_offset) -- return -EINVAL; -- -- return 0; --} -- --static int - check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) - { - const struct ipt_ip *ip = par->entryinfo; -@@ -657,10 +639,6 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, - struct xt_mtchk_param mtpar; - struct xt_entry_match *ematch; - -- ret = check_entry(e, name); -- if (ret) -- return ret; -- - j = 0; - mtpar.net = net; - mtpar.table = name; -@@ -704,7 +682,7 @@ static bool check_underflow(const struct ipt_entry *e) - const struct xt_entry_target *t; - unsigned int verdict; - -- if (!unconditional(&e->ip)) -+ if (!unconditional(e)) - return false; - t = ipt_get_target_c(e); - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) -@@ -724,9 +702,11 @@ check_entry_size_and_hooks(struct ipt_entry *e, - unsigned int valid_hooks) - { - unsigned int h; -+ int err; - - if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 || -- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { -+ (unsigned char *)e + sizeof(struct ipt_entry) >= limit || -+ (unsigned char *)e + e->next_offset > limit) { - duprintf("Bad offset %p\n", e); - return -EINVAL; - } -@@ -738,6 +718,14 @@ check_entry_size_and_hooks(struct ipt_entry *e, - return -EINVAL; - } - -+ if (!ip_checkentry(&e->ip)) -+ return -EINVAL; -+ -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); -+ if (err) -+ return err; -+ - /* Check hooks & underflows */ - for (h = 0; h < NF_INET_NUMHOOKS; h++) { - if (!(valid_hooks & (1 << h))) -@@ -746,9 +734,9 @@ check_entry_size_and_hooks(struct ipt_entry *e, - newinfo->hook_entry[h] = hook_entries[h]; - if ((unsigned char *)e - base == underflows[h]) { - if (!check_underflow(e)) { -- pr_err("Underflows must be unconditional and " -- "use the STANDARD target with " -- "ACCEPT/DROP\n"); -+ pr_debug("Underflows must be unconditional and " -+ "use the STANDARD target with " -+ "ACCEPT/DROP\n"); - return -EINVAL; - } - newinfo->underflow[h] = underflows[h]; -@@ -1258,6 +1246,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) - /* overflow check */ - if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) - return -ENOMEM; -+ if (tmp.num_counters == 0) -+ return -EINVAL; -+ - tmp.name[sizeof(tmp.name)-1] = 0; - - newinfo = xt_alloc_table_info(tmp.size); -@@ -1299,56 +1290,18 @@ do_add_counters(struct net *net, const void __user *user, - unsigned int i, curcpu; - struct xt_counters_info tmp; - struct xt_counters *paddc; -- unsigned int num_counters; -- const char *name; -- int size; -- void *ptmp; - struct xt_table *t; - const struct xt_table_info *private; - int ret = 0; - void *loc_cpu_entry; - struct ipt_entry *iter; - unsigned int addend; --#ifdef CONFIG_COMPAT -- struct compat_xt_counters_info compat_tmp; -- -- if (compat) { -- ptmp = &compat_tmp; -- size = sizeof(struct compat_xt_counters_info); -- } else --#endif -- { -- ptmp = &tmp; -- size = sizeof(struct xt_counters_info); -- } -- -- if (copy_from_user(ptmp, user, size) != 0) -- return -EFAULT; -- --#ifdef CONFIG_COMPAT -- if (compat) { -- num_counters = compat_tmp.num_counters; -- name = compat_tmp.name; -- } else --#endif -- { -- num_counters = tmp.num_counters; -- name = tmp.name; -- } - -- if (len != size + num_counters * sizeof(struct xt_counters)) -- return -EINVAL; -- -- paddc = vmalloc(len - size); -- if (!paddc) -- return -ENOMEM; -- -- if (copy_from_user(paddc, user + size, len - size) != 0) { -- ret = -EFAULT; -- goto free; -- } -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); -+ if (IS_ERR(paddc)) -+ return PTR_ERR(paddc); - -- t = xt_find_table_lock(net, AF_INET, name); -+ t = xt_find_table_lock(net, AF_INET, tmp.name); - if (IS_ERR_OR_NULL(t)) { - ret = t ? PTR_ERR(t) : -ENOENT; - goto free; -@@ -1356,7 +1309,7 @@ do_add_counters(struct net *net, const void __user *user, - - local_bh_disable(); - private = t->private; -- if (private->number != num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } -@@ -1435,7 +1388,6 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr, - - static int - compat_find_calc_match(struct xt_entry_match *m, -- const char *name, - const struct ipt_ip *ip, - unsigned int hookmask, - int *size) -@@ -1471,21 +1423,19 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, - struct xt_table_info *newinfo, - unsigned int *size, - const unsigned char *base, -- const unsigned char *limit, -- const unsigned int *hook_entries, -- const unsigned int *underflows, -- const char *name) -+ const unsigned char *limit) - { - struct xt_entry_match *ematch; - struct xt_entry_target *t; - struct xt_target *target; - unsigned int entry_offset; - unsigned int j; -- int ret, off, h; -+ int ret, off; - - duprintf("check_compat_entry_size_and_hooks %p\n", e); - if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || -- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) { -+ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit || -+ (unsigned char *)e + e->next_offset > limit) { - duprintf("Bad offset %p, limit = %p\n", e, limit); - return -EINVAL; - } -@@ -1497,8 +1447,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, - return -EINVAL; - } - -- /* For purposes of check_entry casting the compat entry is fine */ -- ret = check_entry((struct ipt_entry *)e, name); -+ if (!ip_checkentry(&e->ip)) -+ return -EINVAL; -+ -+ ret = xt_compat_check_entry_offsets(e, e->elems, -+ e->target_offset, e->next_offset); - if (ret) - return ret; - -@@ -1506,8 +1459,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, - entry_offset = (void *)e - (void *)base; - j = 0; - xt_ematch_foreach(ematch, e) { -- ret = compat_find_calc_match(ematch, name, -- &e->ip, e->comefrom, &off); -+ ret = compat_find_calc_match(ematch, &e->ip, e->comefrom, -+ &off); - if (ret != 0) - goto release_matches; - ++j; -@@ -1530,17 +1483,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, - if (ret) - goto out; - -- /* Check hooks & underflows */ -- for (h = 0; h < NF_INET_NUMHOOKS; h++) { -- if ((unsigned char *)e - base == hook_entries[h]) -- newinfo->hook_entry[h] = hook_entries[h]; -- if ((unsigned char *)e - base == underflows[h]) -- newinfo->underflow[h] = underflows[h]; -- } -- -- /* Clear counters and comefrom */ -- memset(&e->counters, 0, sizeof(e->counters)); -- e->comefrom = 0; - return 0; - - out: -@@ -1554,19 +1496,18 @@ release_matches: - return ret; - } - --static int -+static void - compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, -- unsigned int *size, const char *name, -+ unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) - { - struct xt_entry_target *t; - struct xt_target *target; - struct ipt_entry *de; - unsigned int origsize; -- int ret, h; -+ int h; - struct xt_entry_match *ematch; - -- ret = 0; - origsize = *size; - de = (struct ipt_entry *)*dstptr; - memcpy(de, e, sizeof(struct ipt_entry)); -@@ -1575,198 +1516,104 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, - *dstptr += sizeof(struct ipt_entry); - *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); - -- xt_ematch_foreach(ematch, e) { -- ret = xt_compat_match_from_user(ematch, dstptr, size); -- if (ret != 0) -- return ret; -- } -+ xt_ematch_foreach(ematch, e) -+ xt_compat_match_from_user(ematch, dstptr, size); -+ - de->target_offset = e->target_offset - (origsize - *size); - t = compat_ipt_get_target(e); - target = t->u.kernel.target; - xt_compat_target_from_user(t, dstptr, size); - - de->next_offset = e->next_offset - (origsize - *size); -+ - for (h = 0; h < NF_INET_NUMHOOKS; h++) { - if ((unsigned char *)de - base < newinfo->hook_entry[h]) - newinfo->hook_entry[h] -= origsize - *size; - if ((unsigned char *)de - base < newinfo->underflow[h]) - newinfo->underflow[h] -= origsize - *size; - } -- return ret; --} -- --static int --compat_check_entry(struct ipt_entry *e, struct net *net, const char *name) --{ -- struct xt_entry_match *ematch; -- struct xt_mtchk_param mtpar; -- unsigned int j; -- int ret = 0; -- -- j = 0; -- mtpar.net = net; -- mtpar.table = name; -- mtpar.entryinfo = &e->ip; -- mtpar.hook_mask = e->comefrom; -- mtpar.family = NFPROTO_IPV4; -- xt_ematch_foreach(ematch, e) { -- ret = check_match(ematch, &mtpar); -- if (ret != 0) -- goto cleanup_matches; -- ++j; -- } -- -- ret = check_target(e, net, name); -- if (ret) -- goto cleanup_matches; -- return 0; -- -- cleanup_matches: -- xt_ematch_foreach(ematch, e) { -- if (j-- == 0) -- break; -- cleanup_match(ematch, net); -- } -- return ret; - } - - static int - translate_compat_table(struct net *net, -- const char *name, -- unsigned int valid_hooks, - struct xt_table_info **pinfo, - void **pentry0, -- unsigned int total_size, -- unsigned int number, -- unsigned int *hook_entries, -- unsigned int *underflows) -+ const struct compat_ipt_replace *compatr) - { - unsigned int i, j; - struct xt_table_info *newinfo, *info; - void *pos, *entry0, *entry1; - struct compat_ipt_entry *iter0; -- struct ipt_entry *iter1; -+ struct ipt_replace repl; - unsigned int size; - int ret; - - info = *pinfo; - entry0 = *pentry0; -- size = total_size; -- info->number = number; -- -- /* Init all hooks to impossible value. */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- info->hook_entry[i] = 0xFFFFFFFF; -- info->underflow[i] = 0xFFFFFFFF; -- } -+ size = compatr->size; -+ info->number = compatr->num_entries; - - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(AF_INET); -- xt_compat_init_offsets(AF_INET, number); -+ xt_compat_init_offsets(AF_INET, compatr->num_entries); - /* Walk through entries, checking offsets. */ -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + total_size, -- hook_entries, -- underflows, -- name); -+ entry0 + compatr->size); - if (ret != 0) - goto out_unlock; - ++j; - } - - ret = -EINVAL; -- if (j != number) { -+ if (j != compatr->num_entries) { - duprintf("translate_compat_table: %u not %u entries\n", -- j, number); -+ j, compatr->num_entries); - goto out_unlock; - } - -- /* Check hooks all assigned */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- /* Only hooks which are valid */ -- if (!(valid_hooks & (1 << i))) -- continue; -- if (info->hook_entry[i] == 0xFFFFFFFF) { -- duprintf("Invalid hook entry %u %u\n", -- i, hook_entries[i]); -- goto out_unlock; -- } -- if (info->underflow[i] == 0xFFFFFFFF) { -- duprintf("Invalid underflow %u %u\n", -- i, underflows[i]); -- goto out_unlock; -- } -- } -- - ret = -ENOMEM; - newinfo = xt_alloc_table_info(size); - if (!newinfo) - goto out_unlock; - -- newinfo->number = number; -+ newinfo->number = compatr->num_entries; - for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- newinfo->hook_entry[i] = info->hook_entry[i]; -- newinfo->underflow[i] = info->underflow[i]; -+ newinfo->hook_entry[i] = compatr->hook_entry[i]; -+ newinfo->underflow[i] = compatr->underflow[i]; - } - entry1 = newinfo->entries[raw_smp_processor_id()]; - pos = entry1; -- size = total_size; -- xt_entry_foreach(iter0, entry0, total_size) { -- ret = compat_copy_entry_from_user(iter0, &pos, &size, -- name, newinfo, entry1); -- if (ret != 0) -- break; -- } -+ size = compatr->size; -+ xt_entry_foreach(iter0, entry0, compatr->size) -+ compat_copy_entry_from_user(iter0, &pos, &size, -+ newinfo, entry1); -+ -+ /* all module references in entry0 are now gone. -+ * entry1/newinfo contains a 64bit ruleset that looks exactly as -+ * generated by 64bit userspace. -+ * -+ * Call standard translate_table() to validate all hook_entrys, -+ * underflows, check for loops, etc. -+ */ - xt_compat_flush_offsets(AF_INET); - xt_compat_unlock(AF_INET); -- if (ret) -- goto free_newinfo; - -- ret = -ELOOP; -- if (!mark_source_chains(newinfo, valid_hooks, entry1)) -- goto free_newinfo; -+ memcpy(&repl, compatr, sizeof(*compatr)); - -- i = 0; -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = compat_check_entry(iter1, net, name); -- if (ret != 0) -- break; -- ++i; -- if (strcmp(ipt_get_target(iter1)->u.user.name, -- XT_ERROR_TARGET) == 0) -- ++newinfo->stacksize; -- } -- if (ret) { -- /* -- * The first i matches need cleanup_entry (calls ->destroy) -- * because they had called ->check already. The other j-i -- * entries need only release. -- */ -- int skip = i; -- j -= i; -- xt_entry_foreach(iter0, entry0, newinfo->size) { -- if (skip-- > 0) -- continue; -- if (j-- == 0) -- break; -- compat_release_entry(iter0); -- } -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- if (i-- == 0) -- break; -- cleanup_entry(iter1, net); -- } -- xt_free_table_info(newinfo); -- return ret; -+ for (i = 0; i < NF_INET_NUMHOOKS; i++) { -+ repl.hook_entry[i] = newinfo->hook_entry[i]; -+ repl.underflow[i] = newinfo->underflow[i]; - } - -- /* And one copy for every other CPU */ -- for_each_possible_cpu(i) -- if (newinfo->entries[i] && newinfo->entries[i] != entry1) -- memcpy(newinfo->entries[i], entry1, newinfo->size); -+ repl.num_counters = 0; -+ repl.counters = NULL; -+ repl.size = newinfo->size; -+ ret = translate_table(net, newinfo, entry1, &repl); -+ if (ret) -+ goto free_newinfo; - - *pinfo = newinfo; - *pentry0 = entry1; -@@ -1775,17 +1622,16 @@ translate_compat_table(struct net *net, - - free_newinfo: - xt_free_table_info(newinfo); --out: -- xt_entry_foreach(iter0, entry0, total_size) { -+ return ret; -+out_unlock: -+ xt_compat_flush_offsets(AF_INET); -+ xt_compat_unlock(AF_INET); -+ xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); - } - return ret; --out_unlock: -- xt_compat_flush_offsets(AF_INET); -- xt_compat_unlock(AF_INET); -- goto out; - } - - static int -@@ -1805,6 +1651,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) - return -ENOMEM; - if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) - return -ENOMEM; -+ if (tmp.num_counters == 0) -+ return -EINVAL; -+ - tmp.name[sizeof(tmp.name)-1] = 0; - - newinfo = xt_alloc_table_info(tmp.size); -@@ -1819,10 +1668,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) - goto free_newinfo; - } - -- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, -- &newinfo, &loc_cpu_entry, tmp.size, -- tmp.num_entries, tmp.hook_entry, -- tmp.underflow); -+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); - if (ret != 0) - goto free_newinfo; - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index f89087c3cfc8..f3b15bb7fbec 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -68,6 +68,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -87,7 +88,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1; - EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); - - /* rfc5961 challenge ack rate limiting */ --int sysctl_tcp_challenge_ack_limit = 100; -+int sysctl_tcp_challenge_ack_limit = 1000; - - int sysctl_tcp_stdurg __read_mostly; - int sysctl_tcp_rfc1337 __read_mostly; -@@ -3288,12 +3289,19 @@ static void tcp_send_challenge_ack(struct sock *sk) - static u32 challenge_timestamp; - static unsigned int challenge_count; - u32 now = jiffies / HZ; -+ u32 count; - - if (now != challenge_timestamp) { -+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; -+ - challenge_timestamp = now; -- challenge_count = 0; -+ ACCESS_ONCE(challenge_count) = half + -+ reciprocal_divide(prandom_u32(), -+ sysctl_tcp_challenge_ack_limit); - } -- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) { -+ count = ACCESS_ONCE(challenge_count); -+ if (count > 0) { -+ ACCESS_ONCE(challenge_count) = count - 1; - NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); - tcp_send_ack(sk); - } -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 76c80b59e80f..276b28301a6b 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -222,7 +222,8 @@ void tcp_select_initial_window(int __space, __u32 mss, - /* Set window scaling on max possible window - * See RFC1323 for an explanation of the limit to 14 - */ -- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max); -+ space = max_t(u32, space, sysctl_tcp_rmem[2]); -+ space = max_t(u32, space, sysctl_rmem_max); - space = min_t(u32, space, *window_clamp); - while (space > 65535 && (*rcv_wscale) < 14) { - space >>= 1; -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 63b536bbf0b0..68174e4d88c7 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1208,6 +1208,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - bool slow; - - if (flags & MSG_ERRQUEUE) -@@ -1233,11 +1234,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { -diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c -index 8d69df16f6a8..107f75283b1b 100644 ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -1077,6 +1077,7 @@ static struct mfc6_cache *ip6mr_cache_alloc(void) - struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); - if (c == NULL) - return NULL; -+ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; - c->mfc_un.res.minvif = MAXMIFS; - return c; - } -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index 89a4e4ddd8bb..e214222cd06f 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -195,11 +195,12 @@ get_entry(const void *base, unsigned int offset) - - /* All zeroes == unconditional rule. */ - /* Mildly perf critical (only if packet tracing is on) */ --static inline bool unconditional(const struct ip6t_ip6 *ipv6) -+static inline bool unconditional(const struct ip6t_entry *e) - { - static const struct ip6t_ip6 uncond; - -- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; -+ return e->target_offset == sizeof(struct ip6t_entry) && -+ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0; - } - - static inline const struct xt_entry_target * -@@ -255,11 +256,10 @@ get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, - } else if (s == e) { - (*rulenum)++; - -- if (s->target_offset == sizeof(struct ip6t_entry) && -+ if (unconditional(s) && - strcmp(t->target.u.kernel.target->name, - XT_STANDARD_TARGET) == 0 && -- t->verdict < 0 && -- unconditional(&s->ipv6)) { -+ t->verdict < 0) { - /* Tail of chains: STANDARD target (return/policy) */ - *comment = *chainname == hookname - ? comments[NF_IP6_TRACE_COMMENT_POLICY] -@@ -477,11 +477,10 @@ mark_source_chains(const struct xt_table_info *newinfo, - e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); - - /* Unconditional return/END. */ -- if ((e->target_offset == sizeof(struct ip6t_entry) && -+ if ((unconditional(e) && - (strcmp(t->target.u.user.name, - XT_STANDARD_TARGET) == 0) && -- t->verdict < 0 && -- unconditional(&e->ipv6)) || visited) { -+ t->verdict < 0) || visited) { - unsigned int oldpos, size; - - if ((strcmp(t->target.u.user.name, -@@ -522,6 +521,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - size = e->next_offset; - e = (struct ip6t_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -543,6 +544,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct ip6t_entry *) - (entry0 + newpos); -@@ -569,27 +572,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) - module_put(par.match->me); - } - --static int --check_entry(const struct ip6t_entry *e, const char *name) --{ -- const struct xt_entry_target *t; -- -- if (!ip6_checkentry(&e->ipv6)) { -- duprintf("ip_tables: ip check failed %p %s.\n", e, name); -- return -EINVAL; -- } -- -- if (e->target_offset + sizeof(struct xt_entry_target) > -- e->next_offset) -- return -EINVAL; -- -- t = ip6t_get_target_c(e); -- if (e->target_offset + t->u.target_size > e->next_offset) -- return -EINVAL; -- -- return 0; --} -- - static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) - { - const struct ip6t_ip6 *ipv6 = par->entryinfo; -@@ -668,10 +650,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, - struct xt_mtchk_param mtpar; - struct xt_entry_match *ematch; - -- ret = check_entry(e, name); -- if (ret) -- return ret; -- - j = 0; - mtpar.net = net; - mtpar.table = name; -@@ -715,7 +693,7 @@ static bool check_underflow(const struct ip6t_entry *e) - const struct xt_entry_target *t; - unsigned int verdict; - -- if (!unconditional(&e->ipv6)) -+ if (!unconditional(e)) - return false; - t = ip6t_get_target_c(e); - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) -@@ -735,9 +713,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e, - unsigned int valid_hooks) - { - unsigned int h; -+ int err; - - if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 || -- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) { -+ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit || -+ (unsigned char *)e + e->next_offset > limit) { - duprintf("Bad offset %p\n", e); - return -EINVAL; - } -@@ -749,6 +729,14 @@ check_entry_size_and_hooks(struct ip6t_entry *e, - return -EINVAL; - } - -+ if (!ip6_checkentry(&e->ipv6)) -+ return -EINVAL; -+ -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); -+ if (err) -+ return err; -+ - /* Check hooks & underflows */ - for (h = 0; h < NF_INET_NUMHOOKS; h++) { - if (!(valid_hooks & (1 << h))) -@@ -757,9 +745,9 @@ check_entry_size_and_hooks(struct ip6t_entry *e, - newinfo->hook_entry[h] = hook_entries[h]; - if ((unsigned char *)e - base == underflows[h]) { - if (!check_underflow(e)) { -- pr_err("Underflows must be unconditional and " -- "use the STANDARD target with " -- "ACCEPT/DROP\n"); -+ pr_debug("Underflows must be unconditional and " -+ "use the STANDARD target with " -+ "ACCEPT/DROP\n"); - return -EINVAL; - } - newinfo->underflow[h] = underflows[h]; -@@ -1268,6 +1256,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) - /* overflow check */ - if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) - return -ENOMEM; -+ if (tmp.num_counters == 0) -+ return -EINVAL; -+ - tmp.name[sizeof(tmp.name)-1] = 0; - - newinfo = xt_alloc_table_info(tmp.size); -@@ -1309,56 +1300,17 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len, - unsigned int i, curcpu; - struct xt_counters_info tmp; - struct xt_counters *paddc; -- unsigned int num_counters; -- char *name; -- int size; -- void *ptmp; - struct xt_table *t; - const struct xt_table_info *private; - int ret = 0; - const void *loc_cpu_entry; - struct ip6t_entry *iter; - unsigned int addend; --#ifdef CONFIG_COMPAT -- struct compat_xt_counters_info compat_tmp; -- -- if (compat) { -- ptmp = &compat_tmp; -- size = sizeof(struct compat_xt_counters_info); -- } else --#endif -- { -- ptmp = &tmp; -- size = sizeof(struct xt_counters_info); -- } -- -- if (copy_from_user(ptmp, user, size) != 0) -- return -EFAULT; -- --#ifdef CONFIG_COMPAT -- if (compat) { -- num_counters = compat_tmp.num_counters; -- name = compat_tmp.name; -- } else --#endif -- { -- num_counters = tmp.num_counters; -- name = tmp.name; -- } - -- if (len != size + num_counters * sizeof(struct xt_counters)) -- return -EINVAL; -- -- paddc = vmalloc(len - size); -- if (!paddc) -- return -ENOMEM; -- -- if (copy_from_user(paddc, user + size, len - size) != 0) { -- ret = -EFAULT; -- goto free; -- } -- -- t = xt_find_table_lock(net, AF_INET6, name); -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); -+ if (IS_ERR(paddc)) -+ return PTR_ERR(paddc); -+ t = xt_find_table_lock(net, AF_INET6, tmp.name); - if (IS_ERR_OR_NULL(t)) { - ret = t ? PTR_ERR(t) : -ENOENT; - goto free; -@@ -1367,7 +1319,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len, - - local_bh_disable(); - private = t->private; -- if (private->number != num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } -@@ -1447,7 +1399,6 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr, - - static int - compat_find_calc_match(struct xt_entry_match *m, -- const char *name, - const struct ip6t_ip6 *ipv6, - unsigned int hookmask, - int *size) -@@ -1483,21 +1434,19 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, - struct xt_table_info *newinfo, - unsigned int *size, - const unsigned char *base, -- const unsigned char *limit, -- const unsigned int *hook_entries, -- const unsigned int *underflows, -- const char *name) -+ const unsigned char *limit) - { - struct xt_entry_match *ematch; - struct xt_entry_target *t; - struct xt_target *target; - unsigned int entry_offset; - unsigned int j; -- int ret, off, h; -+ int ret, off; - - duprintf("check_compat_entry_size_and_hooks %p\n", e); - if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 || -- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) { -+ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit || -+ (unsigned char *)e + e->next_offset > limit) { - duprintf("Bad offset %p, limit = %p\n", e, limit); - return -EINVAL; - } -@@ -1509,8 +1458,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, - return -EINVAL; - } - -- /* For purposes of check_entry casting the compat entry is fine */ -- ret = check_entry((struct ip6t_entry *)e, name); -+ if (!ip6_checkentry(&e->ipv6)) -+ return -EINVAL; -+ -+ ret = xt_compat_check_entry_offsets(e, e->elems, -+ e->target_offset, e->next_offset); - if (ret) - return ret; - -@@ -1518,8 +1470,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, - entry_offset = (void *)e - (void *)base; - j = 0; - xt_ematch_foreach(ematch, e) { -- ret = compat_find_calc_match(ematch, name, -- &e->ipv6, e->comefrom, &off); -+ ret = compat_find_calc_match(ematch, &e->ipv6, e->comefrom, -+ &off); - if (ret != 0) - goto release_matches; - ++j; -@@ -1542,17 +1494,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, - if (ret) - goto out; - -- /* Check hooks & underflows */ -- for (h = 0; h < NF_INET_NUMHOOKS; h++) { -- if ((unsigned char *)e - base == hook_entries[h]) -- newinfo->hook_entry[h] = hook_entries[h]; -- if ((unsigned char *)e - base == underflows[h]) -- newinfo->underflow[h] = underflows[h]; -- } -- -- /* Clear counters and comefrom */ -- memset(&e->counters, 0, sizeof(e->counters)); -- e->comefrom = 0; - return 0; - - out: -@@ -1566,18 +1507,17 @@ release_matches: - return ret; - } - --static int -+static void - compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, -- unsigned int *size, const char *name, -+ unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) - { - struct xt_entry_target *t; - struct ip6t_entry *de; - unsigned int origsize; -- int ret, h; -+ int h; - struct xt_entry_match *ematch; - -- ret = 0; - origsize = *size; - de = (struct ip6t_entry *)*dstptr; - memcpy(de, e, sizeof(struct ip6t_entry)); -@@ -1586,11 +1526,9 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, - *dstptr += sizeof(struct ip6t_entry); - *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); - -- xt_ematch_foreach(ematch, e) { -- ret = xt_compat_match_from_user(ematch, dstptr, size); -- if (ret != 0) -- return ret; -- } -+ xt_ematch_foreach(ematch, e) -+ xt_compat_match_from_user(ematch, dstptr, size); -+ - de->target_offset = e->target_offset - (origsize - *size); - t = compat_ip6t_get_target(e); - xt_compat_target_from_user(t, dstptr, size); -@@ -1602,181 +1540,82 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, - if ((unsigned char *)de - base < newinfo->underflow[h]) - newinfo->underflow[h] -= origsize - *size; - } -- return ret; --} -- --static int compat_check_entry(struct ip6t_entry *e, struct net *net, -- const char *name) --{ -- unsigned int j; -- int ret = 0; -- struct xt_mtchk_param mtpar; -- struct xt_entry_match *ematch; -- -- j = 0; -- mtpar.net = net; -- mtpar.table = name; -- mtpar.entryinfo = &e->ipv6; -- mtpar.hook_mask = e->comefrom; -- mtpar.family = NFPROTO_IPV6; -- xt_ematch_foreach(ematch, e) { -- ret = check_match(ematch, &mtpar); -- if (ret != 0) -- goto cleanup_matches; -- ++j; -- } -- -- ret = check_target(e, net, name); -- if (ret) -- goto cleanup_matches; -- return 0; -- -- cleanup_matches: -- xt_ematch_foreach(ematch, e) { -- if (j-- == 0) -- break; -- cleanup_match(ematch, net); -- } -- return ret; - } - - static int - translate_compat_table(struct net *net, -- const char *name, -- unsigned int valid_hooks, - struct xt_table_info **pinfo, - void **pentry0, -- unsigned int total_size, -- unsigned int number, -- unsigned int *hook_entries, -- unsigned int *underflows) -+ const struct compat_ip6t_replace *compatr) - { - unsigned int i, j; - struct xt_table_info *newinfo, *info; - void *pos, *entry0, *entry1; - struct compat_ip6t_entry *iter0; -- struct ip6t_entry *iter1; -+ struct ip6t_replace repl; - unsigned int size; - int ret = 0; - - info = *pinfo; - entry0 = *pentry0; -- size = total_size; -- info->number = number; -- -- /* Init all hooks to impossible value. */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- info->hook_entry[i] = 0xFFFFFFFF; -- info->underflow[i] = 0xFFFFFFFF; -- } -+ size = compatr->size; -+ info->number = compatr->num_entries; - - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(AF_INET6); -- xt_compat_init_offsets(AF_INET6, number); -+ xt_compat_init_offsets(AF_INET6, compatr->num_entries); - /* Walk through entries, checking offsets. */ -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + total_size, -- hook_entries, -- underflows, -- name); -+ entry0 + compatr->size); - if (ret != 0) - goto out_unlock; - ++j; - } - - ret = -EINVAL; -- if (j != number) { -+ if (j != compatr->num_entries) { - duprintf("translate_compat_table: %u not %u entries\n", -- j, number); -+ j, compatr->num_entries); - goto out_unlock; - } - -- /* Check hooks all assigned */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- /* Only hooks which are valid */ -- if (!(valid_hooks & (1 << i))) -- continue; -- if (info->hook_entry[i] == 0xFFFFFFFF) { -- duprintf("Invalid hook entry %u %u\n", -- i, hook_entries[i]); -- goto out_unlock; -- } -- if (info->underflow[i] == 0xFFFFFFFF) { -- duprintf("Invalid underflow %u %u\n", -- i, underflows[i]); -- goto out_unlock; -- } -- } -- - ret = -ENOMEM; - newinfo = xt_alloc_table_info(size); - if (!newinfo) - goto out_unlock; - -- newinfo->number = number; -+ newinfo->number = compatr->num_entries; - for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- newinfo->hook_entry[i] = info->hook_entry[i]; -- newinfo->underflow[i] = info->underflow[i]; -+ newinfo->hook_entry[i] = compatr->hook_entry[i]; -+ newinfo->underflow[i] = compatr->underflow[i]; - } - entry1 = newinfo->entries[raw_smp_processor_id()]; - pos = entry1; -- size = total_size; -- xt_entry_foreach(iter0, entry0, total_size) { -- ret = compat_copy_entry_from_user(iter0, &pos, &size, -- name, newinfo, entry1); -- if (ret != 0) -- break; -- } -+ size = compatr->size; -+ xt_entry_foreach(iter0, entry0, compatr->size) -+ compat_copy_entry_from_user(iter0, &pos, &size, -+ newinfo, entry1); -+ -+ /* all module references in entry0 are now gone. */ - xt_compat_flush_offsets(AF_INET6); - xt_compat_unlock(AF_INET6); -- if (ret) -- goto free_newinfo; - -- ret = -ELOOP; -- if (!mark_source_chains(newinfo, valid_hooks, entry1)) -- goto free_newinfo; -+ memcpy(&repl, compatr, sizeof(*compatr)); - -- i = 0; -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = compat_check_entry(iter1, net, name); -- if (ret != 0) -- break; -- ++i; -- if (strcmp(ip6t_get_target(iter1)->u.user.name, -- XT_ERROR_TARGET) == 0) -- ++newinfo->stacksize; -- } -- if (ret) { -- /* -- * The first i matches need cleanup_entry (calls ->destroy) -- * because they had called ->check already. The other j-i -- * entries need only release. -- */ -- int skip = i; -- j -= i; -- xt_entry_foreach(iter0, entry0, newinfo->size) { -- if (skip-- > 0) -- continue; -- if (j-- == 0) -- break; -- compat_release_entry(iter0); -- } -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- if (i-- == 0) -- break; -- cleanup_entry(iter1, net); -- } -- xt_free_table_info(newinfo); -- return ret; -+ for (i = 0; i < NF_INET_NUMHOOKS; i++) { -+ repl.hook_entry[i] = newinfo->hook_entry[i]; -+ repl.underflow[i] = newinfo->underflow[i]; - } - -- /* And one copy for every other CPU */ -- for_each_possible_cpu(i) -- if (newinfo->entries[i] && newinfo->entries[i] != entry1) -- memcpy(newinfo->entries[i], entry1, newinfo->size); -+ repl.num_counters = 0; -+ repl.counters = NULL; -+ repl.size = newinfo->size; -+ ret = translate_table(net, newinfo, entry1, &repl); -+ if (ret) -+ goto free_newinfo; - - *pinfo = newinfo; - *pentry0 = entry1; -@@ -1785,17 +1624,16 @@ translate_compat_table(struct net *net, - - free_newinfo: - xt_free_table_info(newinfo); --out: -- xt_entry_foreach(iter0, entry0, total_size) { -+ return ret; -+out_unlock: -+ xt_compat_flush_offsets(AF_INET6); -+ xt_compat_unlock(AF_INET6); -+ xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); - } - return ret; --out_unlock: -- xt_compat_flush_offsets(AF_INET6); -- xt_compat_unlock(AF_INET6); -- goto out; - } - - static int -@@ -1815,6 +1653,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) - return -ENOMEM; - if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) - return -ENOMEM; -+ if (tmp.num_counters == 0) -+ return -EINVAL; -+ - tmp.name[sizeof(tmp.name)-1] = 0; - - newinfo = xt_alloc_table_info(tmp.size); -@@ -1829,10 +1670,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) - goto free_newinfo; - } - -- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, -- &newinfo, &loc_cpu_entry, tmp.size, -- tmp.num_entries, tmp.hook_entry, -- tmp.underflow); -+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); - if (ret != 0) - goto free_newinfo; - -diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index 4ddf67c6355b..d9535bb8fe2e 100644 ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -530,13 +530,13 @@ static int ipip6_err(struct sk_buff *skb, u32 info) - - if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) { - ipv4_update_pmtu(skb, dev_net(skb->dev), info, -- t->parms.link, 0, IPPROTO_IPV6, 0); -+ t->parms.link, 0, iph->protocol, 0); - err = 0; - goto out; - } - if (type == ICMP_REDIRECT) { - ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0, -- IPPROTO_IPV6, 0); -+ iph->protocol, 0); - err = 0; - goto out; - } -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 4659b8ab55d9..41c026f11edc 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1767,7 +1767,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) - destp = ntohs(inet->inet_dport); - srcp = ntohs(inet->inet_sport); - -- if (icsk->icsk_pending == ICSK_TIME_RETRANS) { -+ if (icsk->icsk_pending == ICSK_TIME_RETRANS || -+ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS || -+ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) { - timer_active = 1; - timer_expires = icsk->icsk_timeout; - } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) { -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 3046d0244393..d234e6f80570 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -370,6 +370,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - int is_udp4; - bool slow; - -@@ -401,11 +402,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index f8133ff5b081..c95bafa65f5b 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1039,8 +1039,11 @@ static int irda_connect(struct socket *sock, struct sockaddr *uaddr, - } - - /* Check if we have opened a local TSAP */ -- if (!self->tsap) -- irda_open_tsap(self, LSAP_ANY, addr->sir_name); -+ if (!self->tsap) { -+ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name); -+ if (err) -+ goto out; -+ } - - /* Move to connecting socket, start sending Connect Requests */ - sock->state = SS_CONNECTING; -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c -index 6952760881c8..f8765cc84e47 100644 ---- a/net/mac80211/mesh.c -+++ b/net/mac80211/mesh.c -@@ -161,6 +161,10 @@ void mesh_sta_cleanup(struct sta_info *sta) - del_timer_sync(&sta->plink_timer); - } - -+ /* make sure no readers can access nexthop sta from here on */ -+ mesh_path_flush_by_nexthop(sta); -+ synchronize_net(); -+ - if (changed) - ieee80211_mbss_info_change_notify(sdata, changed); - } -diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c -index 8b03028cca69..51c141b09dba 100644 ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -435,6 +435,47 @@ int xt_check_match(struct xt_mtchk_param *par, - } - EXPORT_SYMBOL_GPL(xt_check_match); - -+/** xt_check_entry_match - check that matches end before start of target -+ * -+ * @match: beginning of xt_entry_match -+ * @target: beginning of this rules target (alleged end of matches) -+ * @alignment: alignment requirement of match structures -+ * -+ * Validates that all matches add up to the beginning of the target, -+ * and that each match covers at least the base structure size. -+ * -+ * Return: 0 on success, negative errno on failure. -+ */ -+static int xt_check_entry_match(const char *match, const char *target, -+ const size_t alignment) -+{ -+ const struct xt_entry_match *pos; -+ int length = target - match; -+ -+ if (length == 0) /* no matches */ -+ return 0; -+ -+ pos = (struct xt_entry_match *)match; -+ do { -+ if ((unsigned long)pos % alignment) -+ return -EINVAL; -+ -+ if (length < (int)sizeof(struct xt_entry_match)) -+ return -EINVAL; -+ -+ if (pos->u.match_size < sizeof(struct xt_entry_match)) -+ return -EINVAL; -+ -+ if (pos->u.match_size > length) -+ return -EINVAL; -+ -+ length -= pos->u.match_size; -+ pos = ((void *)((char *)(pos) + (pos)->u.match_size)); -+ } while (length > 0); -+ -+ return 0; -+} -+ - #ifdef CONFIG_COMPAT - int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) - { -@@ -504,13 +545,14 @@ int xt_compat_match_offset(const struct xt_match *match) - } - EXPORT_SYMBOL_GPL(xt_compat_match_offset); - --int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, -- unsigned int *size) -+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, -+ unsigned int *size) - { - const struct xt_match *match = m->u.kernel.match; - struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; - int pad, off = xt_compat_match_offset(match); - u_int16_t msize = cm->u.user.match_size; -+ char name[sizeof(m->u.user.name)]; - - m = *dstptr; - memcpy(m, cm, sizeof(*cm)); -@@ -524,10 +566,12 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, - - msize += off; - m->u.user.match_size = msize; -+ strlcpy(name, match->name, sizeof(name)); -+ module_put(match->me); -+ strncpy(m->u.user.name, name, sizeof(m->u.user.name)); - - *size += off; - *dstptr += msize; -- return 0; - } - EXPORT_SYMBOL_GPL(xt_compat_match_from_user); - -@@ -558,8 +602,125 @@ int xt_compat_match_to_user(const struct xt_entry_match *m, - return 0; - } - EXPORT_SYMBOL_GPL(xt_compat_match_to_user); -+ -+/* non-compat version may have padding after verdict */ -+struct compat_xt_standard_target { -+ struct compat_xt_entry_target t; -+ compat_uint_t verdict; -+}; -+ -+int xt_compat_check_entry_offsets(const void *base, const char *elems, -+ unsigned int target_offset, -+ unsigned int next_offset) -+{ -+ long size_of_base_struct = elems - (const char *)base; -+ const struct compat_xt_entry_target *t; -+ const char *e = base; -+ -+ if (target_offset < size_of_base_struct) -+ return -EINVAL; -+ -+ if (target_offset + sizeof(*t) > next_offset) -+ return -EINVAL; -+ -+ t = (void *)(e + target_offset); -+ if (t->u.target_size < sizeof(*t)) -+ return -EINVAL; -+ -+ if (target_offset + t->u.target_size > next_offset) -+ return -EINVAL; -+ -+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && -+ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset) -+ return -EINVAL; -+ -+ /* compat_xt_entry match has less strict aligment requirements, -+ * otherwise they are identical. In case of padding differences -+ * we need to add compat version of xt_check_entry_match. -+ */ -+ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match)); -+ -+ return xt_check_entry_match(elems, base + target_offset, -+ __alignof__(struct compat_xt_entry_match)); -+} -+EXPORT_SYMBOL(xt_compat_check_entry_offsets); - #endif /* CONFIG_COMPAT */ - -+/** -+ * xt_check_entry_offsets - validate arp/ip/ip6t_entry -+ * -+ * @base: pointer to arp/ip/ip6t_entry -+ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems -+ * @target_offset: the arp/ip/ip6_t->target_offset -+ * @next_offset: the arp/ip/ip6_t->next_offset -+ * -+ * validates that target_offset and next_offset are sane and that all -+ * match sizes (if any) align with the target offset. -+ * -+ * This function does not validate the targets or matches themselves, it -+ * only tests that all the offsets and sizes are correct, that all -+ * match structures are aligned, and that the last structure ends where -+ * the target structure begins. -+ * -+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. -+ * -+ * The arp/ip/ip6t_entry structure @base must have passed following tests: -+ * - it must point to a valid memory location -+ * - base to base + next_offset must be accessible, i.e. not exceed allocated -+ * length. -+ * -+ * A well-formed entry looks like this: -+ * -+ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry -+ * e->elems[]-----' | | -+ * matchsize | | -+ * matchsize | | -+ * | | -+ * target_offset---------------------------------' | -+ * next_offset---------------------------------------------------' -+ * -+ * elems[]: flexible array member at end of ip(6)/arpt_entry struct. -+ * This is where matches (if any) and the target reside. -+ * target_offset: beginning of target. -+ * next_offset: start of the next rule; also: size of this rule. -+ * Since targets have a minimum size, target_offset + minlen <= next_offset. -+ * -+ * Every match stores its size, sum of sizes must not exceed target_offset. -+ * -+ * Return: 0 on success, negative errno on failure. -+ */ -+int xt_check_entry_offsets(const void *base, -+ const char *elems, -+ unsigned int target_offset, -+ unsigned int next_offset) -+{ -+ long size_of_base_struct = elems - (const char *)base; -+ const struct xt_entry_target *t; -+ const char *e = base; -+ -+ /* target start is within the ip/ip6/arpt_entry struct */ -+ if (target_offset < size_of_base_struct) -+ return -EINVAL; -+ -+ if (target_offset + sizeof(*t) > next_offset) -+ return -EINVAL; -+ -+ t = (void *)(e + target_offset); -+ if (t->u.target_size < sizeof(*t)) -+ return -EINVAL; -+ -+ if (target_offset + t->u.target_size > next_offset) -+ return -EINVAL; -+ -+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && -+ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset) -+ return -EINVAL; -+ -+ return xt_check_entry_match(elems, base + target_offset, -+ __alignof__(struct xt_entry_match)); -+} -+EXPORT_SYMBOL(xt_check_entry_offsets); -+ - int xt_check_target(struct xt_tgchk_param *par, - unsigned int size, u_int8_t proto, bool inv_proto) - { -@@ -610,6 +771,80 @@ int xt_check_target(struct xt_tgchk_param *par, - } - EXPORT_SYMBOL_GPL(xt_check_target); - -+/** -+ * xt_copy_counters_from_user - copy counters and metadata from userspace -+ * -+ * @user: src pointer to userspace memory -+ * @len: alleged size of userspace memory -+ * @info: where to store the xt_counters_info metadata -+ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel -+ * -+ * Copies counter meta data from @user and stores it in @info. -+ * -+ * vmallocs memory to hold the counters, then copies the counter data -+ * from @user to the new memory and returns a pointer to it. -+ * -+ * If @compat is true, @info gets converted automatically to the 64bit -+ * representation. -+ * -+ * The metadata associated with the counters is stored in @info. -+ * -+ * Return: returns pointer that caller has to test via IS_ERR(). -+ * If IS_ERR is false, caller has to vfree the pointer. -+ */ -+void *xt_copy_counters_from_user(const void __user *user, unsigned int len, -+ struct xt_counters_info *info, bool compat) -+{ -+ void *mem; -+ u64 size; -+ -+#ifdef CONFIG_COMPAT -+ if (compat) { -+ /* structures only differ in size due to alignment */ -+ struct compat_xt_counters_info compat_tmp; -+ -+ if (len <= sizeof(compat_tmp)) -+ return ERR_PTR(-EINVAL); -+ -+ len -= sizeof(compat_tmp); -+ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) -+ return ERR_PTR(-EFAULT); -+ -+ strlcpy(info->name, compat_tmp.name, sizeof(info->name)); -+ info->num_counters = compat_tmp.num_counters; -+ user += sizeof(compat_tmp); -+ } else -+#endif -+ { -+ if (len <= sizeof(*info)) -+ return ERR_PTR(-EINVAL); -+ -+ len -= sizeof(*info); -+ if (copy_from_user(info, user, sizeof(*info)) != 0) -+ return ERR_PTR(-EFAULT); -+ -+ info->name[sizeof(info->name) - 1] = '\0'; -+ user += sizeof(*info); -+ } -+ -+ size = sizeof(struct xt_counters); -+ size *= info->num_counters; -+ -+ if (size != (u64)len) -+ return ERR_PTR(-EINVAL); -+ -+ mem = vmalloc(len); -+ if (!mem) -+ return ERR_PTR(-ENOMEM); -+ -+ if (copy_from_user(mem, user, len) == 0) -+ return mem; -+ -+ vfree(mem); -+ return ERR_PTR(-EFAULT); -+} -+EXPORT_SYMBOL_GPL(xt_copy_counters_from_user); -+ - #ifdef CONFIG_COMPAT - int xt_compat_target_offset(const struct xt_target *target) - { -@@ -625,6 +860,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, - struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; - int pad, off = xt_compat_target_offset(target); - u_int16_t tsize = ct->u.user.target_size; -+ char name[sizeof(t->u.user.name)]; - - t = *dstptr; - memcpy(t, ct, sizeof(*ct)); -@@ -638,6 +874,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, - - tsize += off; - t->u.user.target_size = tsize; -+ strlcpy(name, target->name, sizeof(name)); -+ module_put(target->me); -+ strncpy(t->u.user.name, name, sizeof(t->u.user.name)); - - *size += off; - *dstptr += tsize; -diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c -index 7c94aedd0912..5b1fbe45ff0b 100644 ---- a/net/netlabel/netlabel_kapi.c -+++ b/net/netlabel/netlabel_kapi.c -@@ -700,7 +700,11 @@ socket_setattr_return: - */ - void netlbl_sock_delattr(struct sock *sk) - { -- cipso_v4_sock_delattr(sk); -+ switch (sk->sk_family) { -+ case AF_INET: -+ cipso_v4_sock_delattr(sk); -+ break; -+ } - } - - /** -@@ -879,7 +883,11 @@ req_setattr_return: - */ - void netlbl_req_delattr(struct request_sock *req) - { -- cipso_v4_req_delattr(req); -+ switch (req->rsk_ops->family) { -+ case AF_INET: -+ cipso_v4_req_delattr(req); -+ break; -+ } - } - - /** -diff --git a/net/rfkill/rfkill-regulator.c b/net/rfkill/rfkill-regulator.c -index d11ac79246e4..cf5b145902e5 100644 ---- a/net/rfkill/rfkill-regulator.c -+++ b/net/rfkill/rfkill-regulator.c -@@ -30,6 +30,7 @@ struct rfkill_regulator_data { - static int rfkill_regulator_set_block(void *data, bool blocked) - { - struct rfkill_regulator_data *rfkill_data = data; -+ int ret = 0; - - pr_debug("%s: blocked: %d\n", __func__, blocked); - -@@ -40,15 +41,16 @@ static int rfkill_regulator_set_block(void *data, bool blocked) - } - } else { - if (!rfkill_data->reg_enabled) { -- regulator_enable(rfkill_data->vcc); -- rfkill_data->reg_enabled = true; -+ ret = regulator_enable(rfkill_data->vcc); -+ if (!ret) -+ rfkill_data->reg_enabled = true; - } - } - - pr_debug("%s: regulator_is_enabled after set_block: %d\n", __func__, - regulator_is_enabled(rfkill_data->vcc)); - -- return 0; -+ return ret; - } - - static struct rfkill_ops rfkill_regulator_ops = { -diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c -index 8aab894aeabe..730914cdb7a1 100644 ---- a/net/sctp/sm_sideeffect.c -+++ b/net/sctp/sm_sideeffect.c -@@ -251,12 +251,13 @@ void sctp_generate_t3_rtx_event(unsigned long peer) - int error; - struct sctp_transport *transport = (struct sctp_transport *) peer; - struct sctp_association *asoc = transport->asoc; -- struct net *net = sock_net(asoc->base.sk); -+ struct sock *sk = asoc->base.sk; -+ struct net *net = sock_net(sk); - - /* Check whether a task is in the sock. */ - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__); - - /* Try again later. */ -@@ -279,10 +280,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer) - transport, GFP_ATOMIC); - - if (error) -- asoc->base.sk->sk_err = -error; -+ sk->sk_err = -error; - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_transport_put(transport); - } - -@@ -292,11 +293,12 @@ out_unlock: - static void sctp_generate_timeout_event(struct sctp_association *asoc, - sctp_event_timeout_t timeout_type) - { -- struct net *net = sock_net(asoc->base.sk); -+ struct sock *sk = asoc->base.sk; -+ struct net *net = sock_net(sk); - int error = 0; - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy: timer %d\n", - __func__, - timeout_type); -@@ -320,10 +322,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc, - (void *)timeout_type, GFP_ATOMIC); - - if (error) -- asoc->base.sk->sk_err = -error; -+ sk->sk_err = -error; - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_association_put(asoc); - } - -@@ -373,10 +375,11 @@ void sctp_generate_heartbeat_event(unsigned long data) - int error = 0; - struct sctp_transport *transport = (struct sctp_transport *) data; - struct sctp_association *asoc = transport->asoc; -- struct net *net = sock_net(asoc->base.sk); -+ struct sock *sk = asoc->base.sk; -+ struct net *net = sock_net(sk); - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__); - - /* Try again later. */ -@@ -397,10 +400,10 @@ void sctp_generate_heartbeat_event(unsigned long data) - transport, GFP_ATOMIC); - - if (error) -- asoc->base.sk->sk_err = -error; -+ sk->sk_err = -error; - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_transport_put(transport); - } - -@@ -411,10 +414,11 @@ void sctp_generate_proto_unreach_event(unsigned long data) - { - struct sctp_transport *transport = (struct sctp_transport *) data; - struct sctp_association *asoc = transport->asoc; -- struct net *net = sock_net(asoc->base.sk); -+ struct sock *sk = asoc->base.sk; -+ struct net *net = sock_net(sk); - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__); - - /* Try again later. */ -@@ -435,7 +439,7 @@ void sctp_generate_proto_unreach_event(unsigned long data) - asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC); - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_association_put(asoc); - } - -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 29b4ba93ab3c..62663a08ffbd 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -859,8 +859,8 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct g - goto out; - if (svc_getnl(&buf->head[0]) != seq) - goto out; -- /* trim off the mic at the end before returning */ -- xdr_buf_trim(buf, mic.len + 4); -+ /* trim off the mic and padding at the end before returning */ -+ xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4); - stat = 0; - out: - kfree(mic.data); -diff --git a/scripts/asn1_compiler.c b/scripts/asn1_compiler.c -index db0e5cd34c70..91c4117637ae 100644 ---- a/scripts/asn1_compiler.c -+++ b/scripts/asn1_compiler.c -@@ -1353,6 +1353,8 @@ static void render_out_of_line_list(FILE *out) - render_opcode(out, "ASN1_OP_END_SET_OF%s,\n", act); - render_opcode(out, "_jump_target(%u),\n", entry); - break; -+ default: -+ break; - } - if (e->action) - render_opcode(out, "_action(ACT_%s),\n", -diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c -index ee625e3a56ba..4f7d13da04a5 100644 ---- a/scripts/recordmcount.c -+++ b/scripts/recordmcount.c -@@ -33,10 +33,17 @@ - #include - #include - -+/* -+ * glibc synced up and added the metag number but didn't add the relocations. -+ * Work around this in a crude manner for now. -+ */ - #ifndef EM_METAG --/* Remove this when these make it to the standard system elf.h. */ - #define EM_METAG 174 -+#endif -+#ifndef R_METAG_ADDR32 - #define R_METAG_ADDR32 2 -+#endif -+#ifndef R_METAG_NONE - #define R_METAG_NONE 3 - #endif - -diff --git a/security/keys/key.c b/security/keys/key.c -index 8fb7c7bd4657..6595b2dd89fe 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -580,7 +580,7 @@ int key_reject_and_link(struct key *key, - - mutex_unlock(&key_construction_mutex); - -- if (keyring) -+ if (keyring && link_ret == 0) - __key_link_end(keyring, key->type, prealloc); - - /* wake up anyone waiting for a key to be constructed */ -diff --git a/sound/core/control.c b/sound/core/control.c -index 3fcead61f0ef..251bc575f5c3 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *card, unsigned int mask, - - if (snd_BUG_ON(!card || !id)) - return; -+ if (card->shutdown) -+ return; - read_lock(&card->ctl_files_rwlock); - #if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE) - card->mixer_oss_change_count++; -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 38742e826900..3476895ee1fb 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1208,6 +1208,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, - tu->tstamp = *tstamp; - if ((tu->filter & (1 << event)) == 0 || !tu->tread) - return; -+ memset(&r1, 0, sizeof(r1)); - r1.event = event; - r1.tstamp = *tstamp; - r1.val = resolution; -@@ -1242,6 +1243,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, - } - if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && - tu->last_resolution != resolution) { -+ memset(&r1, 0, sizeof(r1)); - r1.event = SNDRV_TIMER_EVENT_RESOLUTION; - r1.tstamp = tstamp; - r1.val = resolution; -@@ -1707,6 +1709,7 @@ static int snd_timer_user_params(struct file *file, - if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { - if (tu->tread) { - struct snd_timer_tread tread; -+ memset(&tread, 0, sizeof(tread)); - tread.event = SNDRV_TIMER_EVENT_EARLY; - tread.tstamp.tv_sec = 0; - tread.tstamp.tv_nsec = 0; -diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c -index 982a2c2faf24..7f400a1d42e4 100644 ---- a/sound/drivers/dummy.c -+++ b/sound/drivers/dummy.c -@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd_pcm_substream *substream) - - static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) - { -+ hrtimer_cancel(&dpcm->timer); - tasklet_kill(&dpcm->tasklet); - } - -diff --git a/sound/pci/au88x0/au88x0_core.c b/sound/pci/au88x0/au88x0_core.c -index ae59dbaa53d9..42d4b13f1fa7 100644 ---- a/sound/pci/au88x0/au88x0_core.c -+++ b/sound/pci/au88x0/au88x0_core.c -@@ -1442,9 +1442,8 @@ static int vortex_wtdma_bufshift(vortex_t * vortex, int wtdma) - int page, p, pp, delta, i; - - page = -- (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) & -- WT_SUBBUF_MASK) -- >> WT_SUBBUF_SHIFT; -+ (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) -+ >> WT_SUBBUF_SHIFT) & WT_SUBBUF_MASK; - if (dma->nr_periods >= 4) - delta = (page - dma->period_real) & 3; - else { -diff --git a/sound/pci/oxygen/oxygen_mixer.c b/sound/pci/oxygen/oxygen_mixer.c -index c0dbb52d45be..1e4bcb900fc6 100644 ---- a/sound/pci/oxygen/oxygen_mixer.c -+++ b/sound/pci/oxygen/oxygen_mixer.c -@@ -88,7 +88,7 @@ static int dac_mute_put(struct snd_kcontrol *ctl, - int changed; - - mutex_lock(&chip->mutex); -- changed = !value->value.integer.value[0] != chip->dac_mute; -+ changed = (!value->value.integer.value[0]) != chip->dac_mute; - if (changed) { - chip->dac_mute = !value->value.integer.value[0]; - chip->model.update_dac_mute(chip); -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 4f865e122c21..f71c4ad425c6 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -2447,7 +2447,7 @@ static long kvm_vm_ioctl(struct file *filp, - if (copy_from_user(&routing, argp, sizeof(routing))) - goto out; - r = -EINVAL; -- if (routing.nr >= KVM_MAX_IRQ_ROUTES) -+ if (routing.nr > KVM_MAX_IRQ_ROUTES) - goto out; - if (routing.flags) - goto out; diff --git a/patch/kernel/odroidxu4-default/1-patch-3.10.96-97.patch b/patch/kernel/odroidxu4-default/1-patch-3.10.96-97.patch deleted file mode 100644 index 487d76eb1..000000000 --- a/patch/kernel/odroidxu4-default/1-patch-3.10.96-97.patch +++ /dev/null @@ -1,2341 +0,0 @@ -diff --git a/Makefile b/Makefile -index c88ea5d8d19c..f26470169c70 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 96 -+SUBLEVEL = 97 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/parisc/include/uapi/asm/mman.h b/arch/parisc/include/uapi/asm/mman.h -index 294d251ca7b2..2ae13ce592e8 100644 ---- a/arch/parisc/include/uapi/asm/mman.h -+++ b/arch/parisc/include/uapi/asm/mman.h -@@ -46,16 +46,6 @@ - #define MADV_DONTFORK 10 /* don't inherit across fork */ - #define MADV_DOFORK 11 /* do inherit across fork */ - --/* The range 12-64 is reserved for page size specification. */ --#define MADV_4K_PAGES 12 /* Use 4K pages */ --#define MADV_16K_PAGES 14 /* Use 16K pages */ --#define MADV_64K_PAGES 16 /* Use 64K pages */ --#define MADV_256K_PAGES 18 /* Use 256K pages */ --#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */ --#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */ --#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */ --#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */ -- - #define MADV_MERGEABLE 65 /* KSM may merge identical pages */ - #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */ - -diff --git a/arch/parisc/include/uapi/asm/siginfo.h b/arch/parisc/include/uapi/asm/siginfo.h -index d7034728f377..1c75565d984b 100644 ---- a/arch/parisc/include/uapi/asm/siginfo.h -+++ b/arch/parisc/include/uapi/asm/siginfo.h -@@ -1,6 +1,10 @@ - #ifndef _PARISC_SIGINFO_H - #define _PARISC_SIGINFO_H - -+#if defined(__LP64__) -+#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int)) -+#endif -+ - #include - - #undef NSIGTRAP -diff --git a/arch/parisc/kernel/signal.c b/arch/parisc/kernel/signal.c -index 940188d1942c..ae9aa83854c0 100644 ---- a/arch/parisc/kernel/signal.c -+++ b/arch/parisc/kernel/signal.c -@@ -449,6 +449,55 @@ handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka, - regs->gr[28]); - } - -+/* -+ * Check how the syscall number gets loaded into %r20 within -+ * the delay branch in userspace and adjust as needed. -+ */ -+ -+static void check_syscallno_in_delay_branch(struct pt_regs *regs) -+{ -+ u32 opcode, source_reg; -+ u32 __user *uaddr; -+ int err; -+ -+ /* Usually we don't have to restore %r20 (the system call number) -+ * because it gets loaded in the delay slot of the branch external -+ * instruction via the ldi instruction. -+ * In some cases a register-to-register copy instruction might have -+ * been used instead, in which case we need to copy the syscall -+ * number into the source register before returning to userspace. -+ */ -+ -+ /* A syscall is just a branch, so all we have to do is fiddle the -+ * return pointer so that the ble instruction gets executed again. -+ */ -+ regs->gr[31] -= 8; /* delayed branching */ -+ -+ /* Get assembler opcode of code in delay branch */ -+ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4); -+ err = get_user(opcode, uaddr); -+ if (err) -+ return; -+ -+ /* Check if delay branch uses "ldi int,%r20" */ -+ if ((opcode & 0xffff0000) == 0x34140000) -+ return; /* everything ok, just return */ -+ -+ /* Check if delay branch uses "nop" */ -+ if (opcode == INSN_NOP) -+ return; -+ -+ /* Check if delay branch uses "copy %rX,%r20" */ -+ if ((opcode & 0xffe0ffff) == 0x08000254) { -+ source_reg = (opcode >> 16) & 31; -+ regs->gr[source_reg] = regs->gr[20]; -+ return; -+ } -+ -+ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n", -+ current->comm, task_pid_nr(current), opcode); -+} -+ - static inline void - syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) - { -@@ -471,10 +520,7 @@ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) - } - /* fallthrough */ - case -ERESTARTNOINTR: -- /* A syscall is just a branch, so all -- * we have to do is fiddle the return pointer. -- */ -- regs->gr[31] -= 8; /* delayed branching */ -+ check_syscallno_in_delay_branch(regs); - break; - } - } -@@ -523,15 +569,9 @@ insert_restart_trampoline(struct pt_regs *regs) - } - case -ERESTARTNOHAND: - case -ERESTARTSYS: -- case -ERESTARTNOINTR: { -- /* Hooray for delayed branching. We don't -- * have to restore %r20 (the system call -- * number) because it gets loaded in the delay -- * slot of the branch external instruction. -- */ -- regs->gr[31] -= 8; -+ case -ERESTARTNOINTR: -+ check_syscallno_in_delay_branch(regs); - return; -- } - default: - break; - } -diff --git a/arch/sh/include/uapi/asm/unistd_64.h b/arch/sh/include/uapi/asm/unistd_64.h -index e6820c86e8c7..47ebd5b5ed55 100644 ---- a/arch/sh/include/uapi/asm/unistd_64.h -+++ b/arch/sh/include/uapi/asm/unistd_64.h -@@ -278,7 +278,7 @@ - #define __NR_fsetxattr 256 - #define __NR_getxattr 257 - #define __NR_lgetxattr 258 --#define __NR_fgetxattr 269 -+#define __NR_fgetxattr 259 - #define __NR_listxattr 260 - #define __NR_llistxattr 261 - #define __NR_flistxattr 262 -diff --git a/crypto/af_alg.c b/crypto/af_alg.c -index 6ef6e2ad344e..0ca108f3c840 100644 ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -125,6 +125,23 @@ int af_alg_release(struct socket *sock) - } - EXPORT_SYMBOL_GPL(af_alg_release); - -+void af_alg_release_parent(struct sock *sk) -+{ -+ struct alg_sock *ask = alg_sk(sk); -+ bool last; -+ -+ sk = ask->parent; -+ ask = alg_sk(sk); -+ -+ lock_sock(sk); -+ last = !--ask->refcnt; -+ release_sock(sk); -+ -+ if (last) -+ sock_put(sk); -+} -+EXPORT_SYMBOL_GPL(af_alg_release_parent); -+ - static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - { - struct sock *sk = sock->sk; -@@ -132,6 +149,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - struct sockaddr_alg *sa = (void *)uaddr; - const struct af_alg_type *type; - void *private; -+ int err; - - if (sock->state == SS_CONNECTED) - return -EINVAL; -@@ -157,16 +175,22 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - return PTR_ERR(private); - } - -+ err = -EBUSY; - lock_sock(sk); -+ if (ask->refcnt) -+ goto unlock; - - swap(ask->type, type); - swap(ask->private, private); - -+ err = 0; -+ -+unlock: - release_sock(sk); - - alg_do_release(type, private); - -- return 0; -+ return err; - } - - static int alg_setkey(struct sock *sk, char __user *ukey, -@@ -199,11 +223,15 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, - struct sock *sk = sock->sk; - struct alg_sock *ask = alg_sk(sk); - const struct af_alg_type *type; -- int err = -ENOPROTOOPT; -+ int err = -EBUSY; - - lock_sock(sk); -+ if (ask->refcnt) -+ goto unlock; -+ - type = ask->type; - -+ err = -ENOPROTOOPT; - if (level != SOL_ALG || !type) - goto unlock; - -@@ -247,14 +275,13 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) - security_sk_clone(sk, sk2); - - err = type->accept(ask->private, sk2); -- if (err) { -- sk_free(sk2); -+ if (err) - goto unlock; -- } - - sk2->sk_family = PF_ALG; - -- sock_hold(sk); -+ if (!ask->refcnt++) -+ sock_hold(sk); - alg_sk(sk2)->parent = sk; - alg_sk(sk2)->type = type; - -diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c -index 850246206b12..c542c0d88afd 100644 ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -51,7 +51,8 @@ static int hash_sendmsg(struct kiocb *unused, struct socket *sock, - - lock_sock(sk); - if (!ctx->more) { -- err = crypto_ahash_init(&ctx->req); -+ err = af_alg_wait_for_completion(crypto_ahash_init(&ctx->req), -+ &ctx->completion); - if (err) - goto unlock; - } -@@ -131,6 +132,7 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page, - } else { - if (!ctx->more) { - err = crypto_ahash_init(&ctx->req); -+ err = af_alg_wait_for_completion(err, &ctx->completion); - if (err) - goto unlock; - } -@@ -192,9 +194,14 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) - struct sock *sk2; - struct alg_sock *ask2; - struct hash_ctx *ctx2; -+ bool more; - int err; - -- err = crypto_ahash_export(req, state); -+ lock_sock(sk); -+ more = ctx->more; -+ err = more ? crypto_ahash_export(req, state) : 0; -+ release_sock(sk); -+ - if (err) - return err; - -@@ -205,7 +212,10 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) - sk2 = newsock->sk; - ask2 = alg_sk(sk2); - ctx2 = ask2->private; -- ctx2->more = 1; -+ ctx2->more = more; -+ -+ if (!more) -+ return err; - - err = crypto_ahash_import(&ctx2->req, state); - if (err) { -diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c -index c7666f401381..a3dfc0d83107 100644 ---- a/crypto/crypto_user.c -+++ b/crypto/crypto_user.c -@@ -477,6 +477,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - if (link->dump == NULL) - return -EINVAL; - -+ down_read(&crypto_alg_sem); - list_for_each_entry(alg, &crypto_alg_list, cra_list) - dump_alloc += CRYPTO_REPORT_MAXSIZE; - -@@ -486,8 +487,11 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) - .done = link->done, - .min_dump_alloc = dump_alloc, - }; -- return netlink_dump_start(crypto_nlsk, skb, nlh, &c); -+ err = netlink_dump_start(crypto_nlsk, skb, nlh, &c); - } -+ up_read(&crypto_alg_sem); -+ -+ return err; - } - - err = nlmsg_parse(nlh, crypto_msg_min[type], attrs, CRYPTOCFGA_MAX, -diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c -index 9064a2f2760c..cb106934bf1c 100644 ---- a/drivers/ata/ahci.c -+++ b/drivers/ata/ahci.c -@@ -247,6 +247,26 @@ static const struct pci_device_id ahci_pci_tbl[] = { - { PCI_VDEVICE(INTEL, 0x3b2b), board_ahci }, /* PCH RAID */ - { PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH RAID */ - { PCI_VDEVICE(INTEL, 0x3b2f), board_ahci }, /* PCH AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b0), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b1), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b2), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b3), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b4), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b5), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b6), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19b7), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19bE), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19bF), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c0), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c1), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c2), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c3), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c4), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c5), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c6), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19c7), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19cE), board_ahci }, /* DNV AHCI */ -+ { PCI_VDEVICE(INTEL, 0x19cF), board_ahci }, /* DNV AHCI */ - { PCI_VDEVICE(INTEL, 0x1c02), board_ahci }, /* CPT AHCI */ - { PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT AHCI */ - { PCI_VDEVICE(INTEL, 0x1c04), board_ahci }, /* CPT RAID */ -diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index cf5f35877559..d04f5c8dbbdc 100644 ---- a/drivers/ata/libahci.c -+++ b/drivers/ata/libahci.c -@@ -486,8 +486,8 @@ void ahci_save_initial_config(struct device *dev, - } - } - -- /* fabricate port_map from cap.nr_ports */ -- if (!port_map) { -+ /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ -+ if (!port_map && vers < 0x10300) { - port_map = (1 << ahci_nr_ports(cap)) - 1; - dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); - -@@ -1244,6 +1244,15 @@ static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp, - ata_tf_to_fis(tf, pmp, is_cmd, fis); - ahci_fill_cmd_slot(pp, 0, cmd_fis_len | flags | (pmp << 12)); - -+ /* set port value for softreset of Port Multiplier */ -+ if (pp->fbs_enabled && pp->fbs_last_dev != pmp) { -+ tmp = readl(port_mmio + PORT_FBS); -+ tmp &= ~(PORT_FBS_DEV_MASK | PORT_FBS_DEC); -+ tmp |= pmp << PORT_FBS_DEV_OFFSET; -+ writel(tmp, port_mmio + PORT_FBS); -+ pp->fbs_last_dev = pmp; -+ } -+ - /* issue & wait */ - writel(1, port_mmio + PORT_CMD_ISSUE); - -diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c -index a6524c3efdf7..ce854bbd33ef 100644 ---- a/drivers/char/tpm/tpm_ibmvtpm.c -+++ b/drivers/char/tpm/tpm_ibmvtpm.c -@@ -529,7 +529,7 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, - } - ibmvtpm->rtce_size = be16_to_cpu(crq->len); - ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size, -- GFP_KERNEL); -+ GFP_ATOMIC); - if (!ibmvtpm->rtce_buf) { - dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n"); - return; -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index de904e6a4ab7..5da58e3899eb 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -490,8 +490,6 @@ static void hid_ctrl(struct urb *urb) - struct usbhid_device *usbhid = hid->driver_data; - int unplug = 0, status = urb->status; - -- spin_lock(&usbhid->lock); -- - switch (status) { - case 0: /* success */ - if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN) -@@ -511,6 +509,8 @@ static void hid_ctrl(struct urb *urb) - hid_warn(urb->dev, "ctrl urb status %d received\n", status); - } - -+ spin_lock(&usbhid->lock); -+ - if (unplug) { - usbhid->ctrltail = usbhid->ctrlhead; - } else { -diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c -index 0ba21b0f3972..eb7ddb20fd48 100644 ---- a/drivers/md/dm-mpath.c -+++ b/drivers/md/dm-mpath.c -@@ -1608,11 +1608,8 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd, - /* - * Only pass ioctls through if the device sizes match exactly. - */ -- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) { -- int err = scsi_verify_blk_ioctl(NULL, cmd); -- if (err) -- r = err; -- } -+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) -+ r = scsi_verify_blk_ioctl(NULL, cmd); - - if (r == -ENOTCONN && !fatal_signal_pending(current)) - queue_work(kmultipathd, &m->process_queued_ios); -diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c -index b53669404cb5..6d7f4d950b8f 100644 ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -455,8 +455,10 @@ static int btree_split_sibling(struct shadow_spine *s, dm_block_t root, - - r = insert_at(sizeof(__le64), pn, parent_index + 1, - le64_to_cpu(rn->keys[0]), &location); -- if (r) -+ if (r) { -+ unlock_block(s->info, right); - return r; -+ } - - if (key < le64_to_cpu(rn->keys[0])) { - unlock_block(s->info, right); -diff --git a/drivers/media/pci/saa7134/saa7134-alsa.c b/drivers/media/pci/saa7134/saa7134-alsa.c -index dbcdfbf8aed0..11b0ef3a2858 100644 ---- a/drivers/media/pci/saa7134/saa7134-alsa.c -+++ b/drivers/media/pci/saa7134/saa7134-alsa.c -@@ -1145,6 +1145,8 @@ static int alsa_device_init(struct saa7134_dev *dev) - - static int alsa_device_exit(struct saa7134_dev *dev) - { -+ if (!snd_saa7134_cards[dev->nr]) -+ return 1; - - snd_card_free(snd_saa7134_cards[dev->nr]); - snd_saa7134_cards[dev->nr] = NULL; -@@ -1194,7 +1196,8 @@ static void saa7134_alsa_exit(void) - int idx; - - for (idx = 0; idx < SNDRV_CARDS; idx++) { -- snd_card_free(snd_saa7134_cards[idx]); -+ if (snd_saa7134_cards[idx]) -+ snd_card_free(snd_saa7134_cards[idx]); - } - - saa7134_dmasound_init = NULL; -diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index e2b0a0969ebb..35fb8f0cb539 100644 ---- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -@@ -264,7 +264,7 @@ static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_ - - struct v4l2_standard32 { - __u32 index; -- __u32 id[2]; /* __u64 would get the alignment wrong */ -+ compat_u64 id; - __u8 name[24]; - struct v4l2_fract frameperiod; /* Frames, not fields */ - __u32 framelines; -@@ -284,7 +284,7 @@ static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 - { - if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || - put_user(kp->index, &up->index) || -- copy_to_user(up->id, &kp->id, sizeof(__u64)) || -+ put_user(kp->id, &up->id) || - copy_to_user(up->name, kp->name, 24) || - copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) || - put_user(kp->framelines, &up->framelines) || -@@ -576,10 +576,10 @@ struct v4l2_input32 { - __u32 type; /* Type of input */ - __u32 audioset; /* Associated audios (bitfield) */ - __u32 tuner; /* Associated tuner */ -- v4l2_std_id std; -+ compat_u64 std; - __u32 status; - __u32 reserved[4]; --} __attribute__ ((packed)); -+}; - - /* The 64-bit v4l2_input struct has extra padding at the end of the struct. - Otherwise it is identical to the 32-bit version. */ -@@ -719,6 +719,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext - struct v4l2_event32 { - __u32 type; - union { -+ compat_s64 value64; - __u8 data[64]; - } u; - __u32 pending; -diff --git a/drivers/media/v4l2-core/videobuf2-dma-contig.c b/drivers/media/v4l2-core/videobuf2-dma-contig.c -index fd56f2563201..297fbc59a800 100644 ---- a/drivers/media/v4l2-core/videobuf2-dma-contig.c -+++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c -@@ -117,7 +117,8 @@ static void vb2_dc_prepare(void *buf_priv) - if (!sgt || buf->db_attach) - return; - -- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); -+ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents, -+ buf->dma_dir); - } - - static void vb2_dc_finish(void *buf_priv) -@@ -129,7 +130,7 @@ static void vb2_dc_finish(void *buf_priv) - if (!sgt || buf->db_attach) - return; - -- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); -+ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir); - } - - /*********************************************/ -diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c -index 301493382cd0..f8013c1d8cd5 100644 ---- a/drivers/mtd/mtdpart.c -+++ b/drivers/mtd/mtdpart.c -@@ -634,8 +634,10 @@ int add_mtd_partitions(struct mtd_info *master, - - for (i = 0; i < nbparts; i++) { - slave = allocate_partition(master, parts + i, i, cur_offset); -- if (IS_ERR(slave)) -+ if (IS_ERR(slave)) { -+ del_mtd_partitions(master); - return PTR_ERR(slave); -+ } - - mutex_lock(&mtd_partitions_mutex); - list_add(&slave->list, &mtd_partitions); -diff --git a/drivers/net/wireless/ti/wlcore/io.h b/drivers/net/wireless/ti/wlcore/io.h -index af7d9f9b3b4d..beed58b0c795 100644 ---- a/drivers/net/wireless/ti/wlcore/io.h -+++ b/drivers/net/wireless/ti/wlcore/io.h -@@ -203,19 +203,23 @@ static inline int __must_check wlcore_write_reg(struct wl1271 *wl, int reg, - - static inline void wl1271_power_off(struct wl1271 *wl) - { -- int ret; -+ int ret = 0; - - if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags)) - return; - -- ret = wl->if_ops->power(wl->dev, false); -+ if (wl->if_ops->power) -+ ret = wl->if_ops->power(wl->dev, false); - if (!ret) - clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); - } - - static inline int wl1271_power_on(struct wl1271 *wl) - { -- int ret = wl->if_ops->power(wl->dev, true); -+ int ret = 0; -+ -+ if (wl->if_ops->power) -+ ret = wl->if_ops->power(wl->dev, true); - if (ret == 0) - set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); - -diff --git a/drivers/net/wireless/ti/wlcore/spi.c b/drivers/net/wireless/ti/wlcore/spi.c -index e26447832683..bfb57e671034 100644 ---- a/drivers/net/wireless/ti/wlcore/spi.c -+++ b/drivers/net/wireless/ti/wlcore/spi.c -@@ -72,7 +72,10 @@ - */ - #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE) - --#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) -+/* Maximum number of SPI write chunks */ -+#define WSPI_MAX_NUM_OF_CHUNKS \ -+ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1) -+ - - struct wl12xx_spi_glue { - struct device *dev; -@@ -270,9 +273,10 @@ static int __must_check wl12xx_spi_raw_write(struct device *child, int addr, - void *buf, size_t len, bool fixed) - { - struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent); -- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)]; -+ /* SPI write buffers - 2 for each chunk */ -+ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS]; - struct spi_message m; -- u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; -+ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */ - u32 *cmd; - u32 chunk_len; - int i; -diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c -index 157a57309601..4ef0dbdcace1 100644 ---- a/drivers/remoteproc/remoteproc_debugfs.c -+++ b/drivers/remoteproc/remoteproc_debugfs.c -@@ -156,7 +156,7 @@ rproc_recovery_write(struct file *filp, const char __user *user_buf, - char buf[10]; - int ret; - -- if (count > sizeof(buf)) -+ if (count < 1 || count > sizeof(buf)) - return count; - - ret = copy_from_user(buf, user_buf, count); -diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c -index 380387a47b1d..462af46ceee7 100644 ---- a/drivers/spi/spi-atmel.c -+++ b/drivers/spi/spi-atmel.c -@@ -594,7 +594,8 @@ static int atmel_spi_next_xfer_dma_submit(struct spi_master *master, - - *plen = len; - -- if (atmel_spi_dma_slave_config(as, &slave_config, 8)) -+ if (atmel_spi_dma_slave_config(as, &slave_config, -+ xfer->bits_per_word)) - goto err_exit; - - /* Send both scatterlists */ -diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c -index 7c159634aaae..cc80ab14aa32 100644 ---- a/drivers/spi/spi.c -+++ b/drivers/spi/spi.c -@@ -1047,7 +1047,7 @@ struct spi_master *spi_alloc_master(struct device *dev, unsigned size) - master->bus_num = -1; - master->num_chipselect = 1; - master->dev.class = &spi_master_class; -- master->dev.parent = get_device(dev); -+ master->dev.parent = dev; - spi_master_set_devdata(master, &master[1]); - - return master; -diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 2967b6eb4c70..8977eaf24d9f 100644 ---- a/drivers/tty/tty_io.c -+++ b/drivers/tty/tty_io.c -@@ -2576,6 +2576,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p) - } - - /** -+ * tiocgetd - get line discipline -+ * @tty: tty device -+ * @p: pointer to user data -+ * -+ * Retrieves the line discipline id directly from the ldisc. -+ * -+ * Locking: waits for ldisc reference (in case the line discipline -+ * is changing or the tty is being hungup) -+ */ -+ -+static int tiocgetd(struct tty_struct *tty, int __user *p) -+{ -+ struct tty_ldisc *ld; -+ int ret; -+ -+ ld = tty_ldisc_ref_wait(tty); -+ ret = put_user(ld->ops->num, p); -+ tty_ldisc_deref(ld); -+ return ret; -+} -+ -+/** - * send_break - performed time break - * @tty: device to break on - * @duration: timeout in mS -@@ -2789,7 +2811,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - case TIOCGSID: - return tiocgsid(tty, real_tty, p); - case TIOCGETD: -- return put_user(tty->ldisc->ops->num, (int __user *)p); -+ return tiocgetd(tty, p); - case TIOCSETD: - return tiocsetd(tty, p); - case TIOCVHANGUP: -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 4dc18615cd0f..9dd6fa3a1260 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -4788,6 +4788,9 @@ static int __init xhci_hcd_init(void) - { - int retval; - -+ if (usb_disabled()) -+ return -ENODEV; -+ - retval = xhci_register_pci(); - if (retval < 0) { - printk(KERN_DEBUG "Problem registering PCI driver."); -@@ -4816,9 +4819,6 @@ static int __init xhci_hcd_init(void) - /* xhci_run_regs has eight fields and embeds 128 xhci_intr_regs */ - BUILD_BUG_ON(sizeof(struct xhci_run_regs) != (8+8*128)*32/8); - -- if (usb_disabled()) -- return -ENODEV; -- - return 0; - unreg_pci: - xhci_unregister_pci(); -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 72c14d7d604f..89ba7cfba5bc 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -98,6 +98,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x81AC) }, /* MSD Dash Hawk */ - { USB_DEVICE(0x10C4, 0x81AD) }, /* INSYS USB Modem */ - { USB_DEVICE(0x10C4, 0x81C8) }, /* Lipowsky Industrie Elektronik GmbH, Baby-JTAG */ -+ { USB_DEVICE(0x10C4, 0x81D7) }, /* IAI Corp. RCB-CV-USB USB to RS485 Adaptor */ - { USB_DEVICE(0x10C4, 0x81E2) }, /* Lipowsky Industrie Elektronik GmbH, Baby-LIN */ - { USB_DEVICE(0x10C4, 0x81E7) }, /* Aerocomm Radio */ - { USB_DEVICE(0x10C4, 0x81E8) }, /* Zephyr Bioharness */ -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c -index 514f3117ee2b..4e865664699b 100644 ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -840,6 +840,7 @@ static struct usb_device_id id_table_combined [] = { - { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID), - .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, - { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, -+ { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) }, - { USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) }, - - /* Papouch devices based on FTDI chip */ -diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h -index bfb0ecd98808..3eff1d6a2b17 100644 ---- a/drivers/usb/serial/ftdi_sio_ids.h -+++ b/drivers/usb/serial/ftdi_sio_ids.h -@@ -615,6 +615,7 @@ - */ - #define RATOC_VENDOR_ID 0x0584 - #define RATOC_PRODUCT_ID_USB60F 0xb020 -+#define RATOC_PRODUCT_ID_SCU18 0xb03a - - /* - * Infineon Technologies -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index bdbe642e6569..81f6a572f016 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -269,6 +269,8 @@ static void option_instat_callback(struct urb *urb); - #define TELIT_PRODUCT_CC864_SINGLE 0x1006 - #define TELIT_PRODUCT_DE910_DUAL 0x1010 - #define TELIT_PRODUCT_UE910_V2 0x1012 -+#define TELIT_PRODUCT_LE922_USBCFG0 0x1042 -+#define TELIT_PRODUCT_LE922_USBCFG3 0x1043 - #define TELIT_PRODUCT_LE920 0x1200 - #define TELIT_PRODUCT_LE910 0x1201 - -@@ -623,6 +625,16 @@ static const struct option_blacklist_info telit_le920_blacklist = { - .reserved = BIT(1) | BIT(5), - }; - -+static const struct option_blacklist_info telit_le922_blacklist_usbcfg0 = { -+ .sendsetup = BIT(2), -+ .reserved = BIT(0) | BIT(1) | BIT(3), -+}; -+ -+static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { -+ .sendsetup = BIT(0), -+ .reserved = BIT(1) | BIT(2) | BIT(3), -+}; -+ - static const struct usb_device_id option_ids[] = { - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, -@@ -1168,6 +1180,10 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, -+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, -+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), - .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), -@@ -1679,7 +1695,7 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX) }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, -diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c -index 4cc84c0c990d..0a7c68fa5e5e 100644 ---- a/drivers/usb/serial/ti_usb_3410_5052.c -+++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -158,7 +158,7 @@ static unsigned int product_5052_count; - /* the array dimension is the number of default entries plus */ - /* TI_EXTRA_VID_PID_COUNT user defined entries plus 1 terminating */ - /* null entry */ --static struct usb_device_id ti_id_table_3410[15+TI_EXTRA_VID_PID_COUNT+1] = { -+static struct usb_device_id ti_id_table_3410[16+TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) }, - { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) }, - { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) }, -@@ -184,7 +184,7 @@ static struct usb_device_id ti_id_table_5052[5+TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_5052_FIRMWARE_PRODUCT_ID) }, - }; - --static struct usb_device_id ti_id_table_combined[19+2*TI_EXTRA_VID_PID_COUNT+1] = { -+static struct usb_device_id ti_id_table_combined[20+2*TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) }, - { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) }, - { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) }, -diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c -index 727905de0ba4..605068e6acf2 100644 ---- a/drivers/usb/serial/visor.c -+++ b/drivers/usb/serial/visor.c -@@ -551,6 +551,11 @@ static int treo_attach(struct usb_serial *serial) - (serial->num_interrupt_in == 0)) - return 0; - -+ if (serial->num_bulk_in < 2 || serial->num_interrupt_in < 2) { -+ dev_err(&serial->interface->dev, "missing endpoints\n"); -+ return -ENODEV; -+ } -+ - /* - * It appears that Treos and Kyoceras want to use the - * 1st bulk in endpoint to communicate with the 2nd bulk out endpoint, -@@ -604,8 +609,10 @@ static int clie_5_attach(struct usb_serial *serial) - */ - - /* some sanity check */ -- if (serial->num_ports < 2) -- return -1; -+ if (serial->num_bulk_out < 2) { -+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); -+ return -ENODEV; -+ } - - /* port 0 now uses the modified endpoint Address */ - port = serial->port[0]; -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 618bcc84a09e..948e6f21b594 100644 ---- a/fs/binfmt_elf.c -+++ b/fs/binfmt_elf.c -@@ -682,16 +682,16 @@ static int load_elf_binary(struct linux_binprm *bprm) - */ - would_dump(bprm, interpreter); - -- retval = kernel_read(interpreter, 0, bprm->buf, -- BINPRM_BUF_SIZE); -- if (retval != BINPRM_BUF_SIZE) { -+ /* Get the exec headers */ -+ retval = kernel_read(interpreter, 0, -+ (void *)&loc->interp_elf_ex, -+ sizeof(loc->interp_elf_ex)); -+ if (retval != sizeof(loc->interp_elf_ex)) { - if (retval >= 0) - retval = -EIO; - goto out_free_dentry; - } - -- /* Get the exec headers */ -- loc->interp_elf_ex = *((struct elfhdr *)bprm->buf); - break; - } - elf_ppnt++; -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 2a71466b0115..6f74b8919237 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -728,19 +729,55 @@ struct move_extent { - <= (EXT4_GOOD_OLD_INODE_SIZE + \ - (einode)->i_extra_isize)) \ - -+/* -+ * We use an encoding that preserves the times for extra epoch "00": -+ * -+ * extra msb of adjust for signed -+ * epoch 32-bit 32-bit tv_sec to -+ * bits time decoded 64-bit tv_sec 64-bit tv_sec valid time range -+ * 0 0 1 -0x80000000..-0x00000001 0x000000000 1901-12-13..1969-12-31 -+ * 0 0 0 0x000000000..0x07fffffff 0x000000000 1970-01-01..2038-01-19 -+ * 0 1 1 0x080000000..0x0ffffffff 0x100000000 2038-01-19..2106-02-07 -+ * 0 1 0 0x100000000..0x17fffffff 0x100000000 2106-02-07..2174-02-25 -+ * 1 0 1 0x180000000..0x1ffffffff 0x200000000 2174-02-25..2242-03-16 -+ * 1 0 0 0x200000000..0x27fffffff 0x200000000 2242-03-16..2310-04-04 -+ * 1 1 1 0x280000000..0x2ffffffff 0x300000000 2310-04-04..2378-04-22 -+ * 1 1 0 0x300000000..0x37fffffff 0x300000000 2378-04-22..2446-05-10 -+ * -+ * Note that previous versions of the kernel on 64-bit systems would -+ * incorrectly use extra epoch bits 1,1 for dates between 1901 and -+ * 1970. e2fsck will correct this, assuming that it is run on the -+ * affected filesystem before 2242. -+ */ -+ - static inline __le32 ext4_encode_extra_time(struct timespec *time) - { -- return cpu_to_le32((sizeof(time->tv_sec) > 4 ? -- (time->tv_sec >> 32) & EXT4_EPOCH_MASK : 0) | -- ((time->tv_nsec << EXT4_EPOCH_BITS) & EXT4_NSEC_MASK)); -+ u32 extra = sizeof(time->tv_sec) > 4 ? -+ ((time->tv_sec - (s32)time->tv_sec) >> 32) & EXT4_EPOCH_MASK : 0; -+ return cpu_to_le32(extra | (time->tv_nsec << EXT4_EPOCH_BITS)); - } - - static inline void ext4_decode_extra_time(struct timespec *time, __le32 extra) - { -- if (sizeof(time->tv_sec) > 4) -- time->tv_sec |= (__u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) -- << 32; -- time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; -+ if (unlikely(sizeof(time->tv_sec) > 4 && -+ (extra & cpu_to_le32(EXT4_EPOCH_MASK)))) { -+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0) -+ /* Handle legacy encoding of pre-1970 dates with epoch -+ * bits 1,1. We assume that by kernel version 4.20, -+ * everyone will have run fsck over the affected -+ * filesystems to correct the problem. (This -+ * backwards compatibility may be removed before this -+ * time, at the discretion of the ext4 developers.) -+ */ -+ u64 extra_bits = le32_to_cpu(extra) & EXT4_EPOCH_MASK; -+ if (extra_bits == 3 && ((time->tv_sec) & 0x80000000) != 0) -+ extra_bits = 0; -+ time->tv_sec += extra_bits << 32; -+#else -+ time->tv_sec += (u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) << 32; -+#endif -+ } -+ time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; - } - - #define EXT4_INODE_SET_XTIME(xtime, inode, raw_inode) \ -diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c -index a69bd74ed390..fa7d2e668c3a 100644 ---- a/fs/ext4/resize.c -+++ b/fs/ext4/resize.c -@@ -1025,7 +1025,7 @@ exit_free: - * do not copy the full number of backups at this time. The resize - * which changed s_groups_count will backup again. - */ --static void update_backups(struct super_block *sb, int blk_off, char *data, -+static void update_backups(struct super_block *sb, sector_t blk_off, char *data, - int size, int meta_bg) - { - struct ext4_sb_info *sbi = EXT4_SB(sb); -@@ -1050,7 +1050,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data, - group = ext4_list_backups(sb, &three, &five, &seven); - last = sbi->s_groups_count; - } else { -- group = ext4_meta_bg_first_group(sb, group) + 1; -+ group = ext4_get_group_number(sb, blk_off) + 1; - last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2); - } - -diff --git a/fs/fscache/netfs.c b/fs/fscache/netfs.c -index e028b8eb1c40..0912b90e05bc 100644 ---- a/fs/fscache/netfs.c -+++ b/fs/fscache/netfs.c -@@ -45,9 +45,6 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) - netfs->primary_index->parent = &fscache_fsdef_index; - netfs->primary_index->netfs_data = netfs; - -- atomic_inc(&netfs->primary_index->parent->usage); -- atomic_inc(&netfs->primary_index->parent->n_children); -- - spin_lock_init(&netfs->primary_index->lock); - INIT_HLIST_HEAD(&netfs->primary_index->backing_objects); - -@@ -60,6 +57,9 @@ int __fscache_register_netfs(struct fscache_netfs *netfs) - goto already_registered; - } - -+ atomic_inc(&netfs->primary_index->parent->usage); -+ atomic_inc(&netfs->primary_index->parent->n_children); -+ - list_add(&netfs->link, &fscache_netfs_list); - ret = 0; - -@@ -70,8 +70,7 @@ already_registered: - up_write(&fscache_addremove_sem); - - if (ret < 0) { -- netfs->primary_index->parent = NULL; -- __fscache_cookie_put(netfs->primary_index); -+ kmem_cache_free(fscache_cookie_jar, netfs->primary_index); - netfs->primary_index = NULL; - } - -diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c -index ec34e11d6854..21b828c713cc 100644 ---- a/fs/jbd2/transaction.c -+++ b/fs/jbd2/transaction.c -@@ -1936,6 +1936,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, - - if (!buffer_dirty(bh)) { - /* bdflush has written it. We can drop it now */ -+ __jbd2_journal_remove_checkpoint(jh); - goto zap_buffer; - } - -@@ -1965,6 +1966,7 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh, - /* The orphan record's transaction has - * committed. We can cleanse this buffer */ - clear_buffer_jbddirty(bh); -+ __jbd2_journal_remove_checkpoint(jh); - goto zap_buffer; - } - } -diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c -index 2c119d5d04c9..d084200dbc4e 100644 ---- a/fs/ocfs2/dlm/dlmmaster.c -+++ b/fs/ocfs2/dlm/dlmmaster.c -@@ -2456,6 +2456,11 @@ static int dlm_migrate_lockres(struct dlm_ctxt *dlm, - spin_lock(&dlm->master_lock); - ret = dlm_add_migration_mle(dlm, res, mle, &oldmle, name, - namelen, target, dlm->node_num); -+ /* get an extra reference on the mle. -+ * otherwise the assert_master from the new -+ * master will destroy this. -+ */ -+ dlm_get_mle_inuse(mle); - spin_unlock(&dlm->master_lock); - spin_unlock(&dlm->spinlock); - -@@ -2491,6 +2496,7 @@ fail: - if (mle_added) { - dlm_mle_detach_hb_events(dlm, mle); - dlm_put_mle(mle); -+ dlm_put_mle_inuse(mle); - } else if (mle) { - kmem_cache_free(dlm_mle_cache, mle); - mle = NULL; -@@ -2508,17 +2514,6 @@ fail: - * ensure that all assert_master work is flushed. */ - flush_workqueue(dlm->dlm_worker); - -- /* get an extra reference on the mle. -- * otherwise the assert_master from the new -- * master will destroy this. -- * also, make sure that all callers of dlm_get_mle -- * take both dlm->spinlock and dlm->master_lock */ -- spin_lock(&dlm->spinlock); -- spin_lock(&dlm->master_lock); -- dlm_get_mle_inuse(mle); -- spin_unlock(&dlm->master_lock); -- spin_unlock(&dlm->spinlock); -- - /* notify new node and send all lock state */ - /* call send_one_lockres with migration flag. - * this serves as notice to the target node that a -@@ -3246,6 +3241,15 @@ top: - mle->new_master != dead_node) - continue; - -+ if (mle->new_master == dead_node && mle->inuse) { -+ mlog(ML_NOTICE, "%s: target %u died during " -+ "migration from %u, the MLE is " -+ "still keep used, ignore it!\n", -+ dlm->name, dead_node, -+ mle->master); -+ continue; -+ } -+ - /* If we have reached this point, this mle needs to be - * removed from the list and freed. */ - dlm_clean_migration_mle(dlm, mle); -diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c -index 9bd981cd3142..01c69f24e416 100644 ---- a/fs/ocfs2/dlm/dlmrecovery.c -+++ b/fs/ocfs2/dlm/dlmrecovery.c -@@ -2326,6 +2326,8 @@ static void dlm_do_local_recovery_cleanup(struct dlm_ctxt *dlm, u8 dead_node) - break; - } - } -+ dlm_lockres_clear_refmap_bit(dlm, res, -+ dead_node); - spin_unlock(&res->spinlock); - continue; - } -diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c -index c327d4ee1235..7b3792e5844a 100644 ---- a/fs/sysv/inode.c -+++ b/fs/sysv/inode.c -@@ -161,14 +161,8 @@ void sysv_set_inode(struct inode *inode, dev_t rdev) - inode->i_fop = &sysv_dir_operations; - inode->i_mapping->a_ops = &sysv_aops; - } else if (S_ISLNK(inode->i_mode)) { -- if (inode->i_blocks) { -- inode->i_op = &sysv_symlink_inode_operations; -- inode->i_mapping->a_ops = &sysv_aops; -- } else { -- inode->i_op = &sysv_fast_symlink_inode_operations; -- nd_terminate_link(SYSV_I(inode)->i_data, inode->i_size, -- sizeof(SYSV_I(inode)->i_data) - 1); -- } -+ inode->i_op = &sysv_symlink_inode_operations; -+ inode->i_mapping->a_ops = &sysv_aops; - } else - init_special_inode(inode, inode->i_mode, rdev); - } -diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h -index d61c11170213..2f38daaab3d7 100644 ---- a/include/crypto/if_alg.h -+++ b/include/crypto/if_alg.h -@@ -30,6 +30,8 @@ struct alg_sock { - - struct sock *parent; - -+ unsigned int refcnt; -+ - const struct af_alg_type *type; - void *private; - }; -@@ -64,6 +66,7 @@ int af_alg_register_type(const struct af_alg_type *type); - int af_alg_unregister_type(const struct af_alg_type *type); - - int af_alg_release(struct socket *sock); -+void af_alg_release_parent(struct sock *sk); - int af_alg_accept(struct sock *sk, struct socket *newsock); - - int af_alg_make_sg(struct af_alg_sgl *sgl, void __user *addr, int len, -@@ -80,11 +83,6 @@ static inline struct alg_sock *alg_sk(struct sock *sk) - return (struct alg_sock *)sk; - } - --static inline void af_alg_release_parent(struct sock *sk) --{ -- sock_put(alg_sk(sk)->parent); --} -- - static inline void af_alg_init_completion(struct af_alg_completion *completion) - { - init_completion(&completion->completion); -diff --git a/include/linux/signal.h b/include/linux/signal.h -index 2ac423bdb676..53944e50e421 100644 ---- a/include/linux/signal.h -+++ b/include/linux/signal.h -@@ -247,7 +247,6 @@ extern int sigprocmask(int, sigset_t *, sigset_t *); - extern void set_current_blocked(sigset_t *); - extern void __set_current_blocked(const sigset_t *); - extern int show_unhandled_signals; --extern int sigsuspend(sigset_t *); - - struct sigaction { - #ifndef __ARCH_HAS_IRIX_SIGACTION -diff --git a/kernel/signal.c b/kernel/signal.c -index 2e51bcbea1e3..4d1f7fa3138d 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -3551,7 +3551,7 @@ SYSCALL_DEFINE0(pause) - - #endif - --int sigsuspend(sigset_t *set) -+static int sigsuspend(sigset_t *set) - { - current->saved_sigmask = current->blocked; - set_current_blocked(set); -diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h -index 49b582a225b0..b9897e2be404 100644 ---- a/scripts/recordmcount.h -+++ b/scripts/recordmcount.h -@@ -377,7 +377,7 @@ static void nop_mcount(Elf_Shdr const *const relhdr, - - if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { - if (make_nop) -- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset); -+ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset)); - if (warn_on_notrace_sect && !once) { - printf("Section %s has mcount callers being ignored\n", - txtname); -diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c -index 3fdf998ad057..572f95175e97 100644 ---- a/sound/core/compress_offload.c -+++ b/sound/core/compress_offload.c -@@ -44,6 +44,13 @@ - #include - #include - -+/* struct snd_compr_codec_caps overflows the ioctl bit size for some -+ * architectures, so we need to disable the relevant ioctls. -+ */ -+#if _IOC_SIZEBITS < 14 -+#define COMPR_CODEC_CAPS_OVERFLOW -+#endif -+ - /* TODO: - * - add substream support for multiple devices in case of - * SND_DYNAMIC_MINORS is not used -@@ -427,6 +434,7 @@ out: - return retval; - } - -+#ifndef COMPR_CODEC_CAPS_OVERFLOW - static int - snd_compr_get_codec_caps(struct snd_compr_stream *stream, unsigned long arg) - { -@@ -450,6 +458,7 @@ out: - kfree(caps); - return retval; - } -+#endif /* !COMPR_CODEC_CAPS_OVERFLOW */ - - /* revisit this with snd_pcm_preallocate_xxx */ - static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, -@@ -791,9 +800,11 @@ static long snd_compr_ioctl(struct file *f, unsigned int cmd, unsigned long arg) - case _IOC_NR(SNDRV_COMPRESS_GET_CAPS): - retval = snd_compr_get_caps(stream, arg); - break; -+#ifndef COMPR_CODEC_CAPS_OVERFLOW - case _IOC_NR(SNDRV_COMPRESS_GET_CODEC_CAPS): - retval = snd_compr_get_codec_caps(stream, arg); - break; -+#endif - case _IOC_NR(SNDRV_COMPRESS_SET_PARAMS): - retval = snd_compr_set_params(stream, arg); - break; -diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c -index 4c1cc51772e6..7417f96cea6e 100644 ---- a/sound/core/oss/pcm_oss.c -+++ b/sound/core/oss/pcm_oss.c -@@ -834,7 +834,8 @@ static int choose_rate(struct snd_pcm_substream *substream, - return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); - } - --static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream) -+static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, -+ bool trylock) - { - struct snd_pcm_runtime *runtime = substream->runtime; - struct snd_pcm_hw_params *params, *sparams; -@@ -848,7 +849,10 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream) - struct snd_mask sformat_mask; - struct snd_mask mask; - -- if (mutex_lock_interruptible(&runtime->oss.params_lock)) -+ if (trylock) { -+ if (!(mutex_trylock(&runtime->oss.params_lock))) -+ return -EAGAIN; -+ } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -EINTR; - sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); - params = kmalloc(sizeof(*params), GFP_KERNEL); -@@ -1091,7 +1095,7 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil - if (asubstream == NULL) - asubstream = substream; - if (substream->runtime->oss.params) { -- err = snd_pcm_oss_change_params(substream); -+ err = snd_pcm_oss_change_params(substream, false); - if (err < 0) - return err; - } -@@ -1130,7 +1134,7 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream) - return 0; - runtime = substream->runtime; - if (runtime->oss.params) { -- err = snd_pcm_oss_change_params(substream); -+ err = snd_pcm_oss_change_params(substream, false); - if (err < 0) - return err; - } -@@ -2168,7 +2172,7 @@ static int snd_pcm_oss_get_space(struct snd_pcm_oss_file *pcm_oss_file, int stre - runtime = substream->runtime; - - if (runtime->oss.params && -- (err = snd_pcm_oss_change_params(substream)) < 0) -+ (err = snd_pcm_oss_change_params(substream, false)) < 0) - return err; - - info.fragsize = runtime->oss.period_bytes; -@@ -2804,7 +2808,12 @@ static int snd_pcm_oss_mmap(struct file *file, struct vm_area_struct *area) - return -EIO; - - if (runtime->oss.params) { -- if ((err = snd_pcm_oss_change_params(substream)) < 0) -+ /* use mutex_trylock() for params_lock for avoiding a deadlock -+ * between mmap_sem and params_lock taken by -+ * copy_from/to_user() in snd_pcm_oss_write/read() -+ */ -+ err = snd_pcm_oss_change_params(substream, true); -+ if (err < 0) - return err; - } - #ifdef CONFIG_SND_PCM_OSS_PLUGINS -diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c -index 7b596b5751db..500765f20843 100644 ---- a/sound/core/rawmidi.c -+++ b/sound/core/rawmidi.c -@@ -934,31 +934,36 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream, - unsigned long flags; - long result = 0, count1; - struct snd_rawmidi_runtime *runtime = substream->runtime; -+ unsigned long appl_ptr; - -+ spin_lock_irqsave(&runtime->lock, flags); - while (count > 0 && runtime->avail) { - count1 = runtime->buffer_size - runtime->appl_ptr; - if (count1 > count) - count1 = count; -- spin_lock_irqsave(&runtime->lock, flags); - if (count1 > (int)runtime->avail) - count1 = runtime->avail; -+ -+ /* update runtime->appl_ptr before unlocking for userbuf */ -+ appl_ptr = runtime->appl_ptr; -+ runtime->appl_ptr += count1; -+ runtime->appl_ptr %= runtime->buffer_size; -+ runtime->avail -= count1; -+ - if (kernelbuf) -- memcpy(kernelbuf + result, runtime->buffer + runtime->appl_ptr, count1); -+ memcpy(kernelbuf + result, runtime->buffer + appl_ptr, count1); - if (userbuf) { - spin_unlock_irqrestore(&runtime->lock, flags); - if (copy_to_user(userbuf + result, -- runtime->buffer + runtime->appl_ptr, count1)) { -+ runtime->buffer + appl_ptr, count1)) { - return result > 0 ? result : -EFAULT; - } - spin_lock_irqsave(&runtime->lock, flags); - } -- runtime->appl_ptr += count1; -- runtime->appl_ptr %= runtime->buffer_size; -- runtime->avail -= count1; -- spin_unlock_irqrestore(&runtime->lock, flags); - result += count1; - count -= count1; - } -+ spin_unlock_irqrestore(&runtime->lock, flags); - return result; - } - -@@ -1161,8 +1166,9 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, - unsigned long flags; - long count1, result; - struct snd_rawmidi_runtime *runtime = substream->runtime; -+ unsigned long appl_ptr; - -- if (snd_BUG_ON(!kernelbuf && !userbuf)) -+ if (!kernelbuf && !userbuf) - return -EINVAL; - if (snd_BUG_ON(!runtime->buffer)) - return -EINVAL; -@@ -1181,12 +1187,19 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, - count1 = count; - if (count1 > (long)runtime->avail) - count1 = runtime->avail; -+ -+ /* update runtime->appl_ptr before unlocking for userbuf */ -+ appl_ptr = runtime->appl_ptr; -+ runtime->appl_ptr += count1; -+ runtime->appl_ptr %= runtime->buffer_size; -+ runtime->avail -= count1; -+ - if (kernelbuf) -- memcpy(runtime->buffer + runtime->appl_ptr, -+ memcpy(runtime->buffer + appl_ptr, - kernelbuf + result, count1); - else if (userbuf) { - spin_unlock_irqrestore(&runtime->lock, flags); -- if (copy_from_user(runtime->buffer + runtime->appl_ptr, -+ if (copy_from_user(runtime->buffer + appl_ptr, - userbuf + result, count1)) { - spin_lock_irqsave(&runtime->lock, flags); - result = result > 0 ? result : -EFAULT; -@@ -1194,9 +1207,6 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, - } - spin_lock_irqsave(&runtime->lock, flags); - } -- runtime->appl_ptr += count1; -- runtime->appl_ptr %= runtime->buffer_size; -- runtime->avail -= count1; - result += count1; - count -= count1; - } -diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c -index c5b773a1eea9..4a09c3085ca4 100644 ---- a/sound/core/seq/oss/seq_oss_synth.c -+++ b/sound/core/seq/oss/seq_oss_synth.c -@@ -310,7 +310,7 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp) - struct seq_oss_synth *rec; - struct seq_oss_synthinfo *info; - -- if (snd_BUG_ON(dp->max_synthdev >= SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)) -+ if (snd_BUG_ON(dp->max_synthdev > SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)) - return; - for (i = 0; i < dp->max_synthdev; i++) { - info = &dp->synths[i]; -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index ecfbf5f39d38..08865dcbf5f1 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -678,6 +678,9 @@ static int deliver_to_subscribers(struct snd_seq_client *client, - else - down_read(&grp->list_mutex); - list_for_each_entry(subs, &grp->list_head, src_list) { -+ /* both ports ready? */ -+ if (atomic_read(&subs->ref_count) != 2) -+ continue; - event->dest = subs->info.dest; - if (subs->info.flags & SNDRV_SEQ_PORT_SUBS_TIMESTAMP) - /* convert time according to flag with subscription */ -diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c -index 9516e5ce3aad..67c91d226552 100644 ---- a/sound/core/seq/seq_ports.c -+++ b/sound/core/seq/seq_ports.c -@@ -175,10 +175,6 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - } - - /* */ --enum group_type { -- SRC_LIST, DEST_LIST --}; -- - static int subscribe_port(struct snd_seq_client *client, - struct snd_seq_client_port *port, - struct snd_seq_port_subs_info *grp, -@@ -205,6 +201,20 @@ static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr, - return NULL; - } - -+static void delete_and_unsubscribe_port(struct snd_seq_client *client, -+ struct snd_seq_client_port *port, -+ struct snd_seq_subscribers *subs, -+ bool is_src, bool ack); -+ -+static inline struct snd_seq_subscribers * -+get_subscriber(struct list_head *p, bool is_src) -+{ -+ if (is_src) -+ return list_entry(p, struct snd_seq_subscribers, src_list); -+ else -+ return list_entry(p, struct snd_seq_subscribers, dest_list); -+} -+ - /* - * remove all subscribers on the list - * this is called from port_delete, for each src and dest list. -@@ -212,7 +222,7 @@ static struct snd_seq_client_port *get_client_port(struct snd_seq_addr *addr, - static void clear_subscriber_list(struct snd_seq_client *client, - struct snd_seq_client_port *port, - struct snd_seq_port_subs_info *grp, -- int grptype) -+ int is_src) - { - struct list_head *p, *n; - -@@ -221,15 +231,13 @@ static void clear_subscriber_list(struct snd_seq_client *client, - struct snd_seq_client *c; - struct snd_seq_client_port *aport; - -- if (grptype == SRC_LIST) { -- subs = list_entry(p, struct snd_seq_subscribers, src_list); -+ subs = get_subscriber(p, is_src); -+ if (is_src) - aport = get_client_port(&subs->info.dest, &c); -- } else { -- subs = list_entry(p, struct snd_seq_subscribers, dest_list); -+ else - aport = get_client_port(&subs->info.sender, &c); -- } -- list_del(p); -- unsubscribe_port(client, port, grp, &subs->info, 0); -+ delete_and_unsubscribe_port(client, port, subs, is_src, false); -+ - if (!aport) { - /* looks like the connected port is being deleted. - * we decrease the counter, and when both ports are deleted -@@ -237,21 +245,14 @@ static void clear_subscriber_list(struct snd_seq_client *client, - */ - if (atomic_dec_and_test(&subs->ref_count)) - kfree(subs); -- } else { -- /* ok we got the connected port */ -- struct snd_seq_port_subs_info *agrp; -- agrp = (grptype == SRC_LIST) ? &aport->c_dest : &aport->c_src; -- down_write(&agrp->list_mutex); -- if (grptype == SRC_LIST) -- list_del(&subs->dest_list); -- else -- list_del(&subs->src_list); -- up_write(&agrp->list_mutex); -- unsubscribe_port(c, aport, agrp, &subs->info, 1); -- kfree(subs); -- snd_seq_port_unlock(aport); -- snd_seq_client_unlock(c); -+ continue; - } -+ -+ /* ok we got the connected port */ -+ delete_and_unsubscribe_port(c, aport, subs, !is_src, true); -+ kfree(subs); -+ snd_seq_port_unlock(aport); -+ snd_seq_client_unlock(c); - } - } - -@@ -264,8 +265,8 @@ static int port_delete(struct snd_seq_client *client, - snd_use_lock_sync(&port->use_lock); - - /* clear subscribers info */ -- clear_subscriber_list(client, port, &port->c_src, SRC_LIST); -- clear_subscriber_list(client, port, &port->c_dest, DEST_LIST); -+ clear_subscriber_list(client, port, &port->c_src, true); -+ clear_subscriber_list(client, port, &port->c_dest, false); - - if (port->private_free) - port->private_free(port->private_data); -@@ -484,85 +485,120 @@ static int match_subs_info(struct snd_seq_port_subscribe *r, - return 0; - } - -- --/* connect two ports */ --int snd_seq_port_connect(struct snd_seq_client *connector, -- struct snd_seq_client *src_client, -- struct snd_seq_client_port *src_port, -- struct snd_seq_client *dest_client, -- struct snd_seq_client_port *dest_port, -- struct snd_seq_port_subscribe *info) -+static int check_and_subscribe_port(struct snd_seq_client *client, -+ struct snd_seq_client_port *port, -+ struct snd_seq_subscribers *subs, -+ bool is_src, bool exclusive, bool ack) - { -- struct snd_seq_port_subs_info *src = &src_port->c_src; -- struct snd_seq_port_subs_info *dest = &dest_port->c_dest; -- struct snd_seq_subscribers *subs, *s; -- int err, src_called = 0; -- unsigned long flags; -- int exclusive; -+ struct snd_seq_port_subs_info *grp; -+ struct list_head *p; -+ struct snd_seq_subscribers *s; -+ int err; - -- subs = kzalloc(sizeof(*subs), GFP_KERNEL); -- if (! subs) -- return -ENOMEM; -- -- subs->info = *info; -- atomic_set(&subs->ref_count, 2); -- -- down_write(&src->list_mutex); -- down_write_nested(&dest->list_mutex, SINGLE_DEPTH_NESTING); -- -- exclusive = info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE ? 1 : 0; -+ grp = is_src ? &port->c_src : &port->c_dest; - err = -EBUSY; -+ down_write(&grp->list_mutex); - if (exclusive) { -- if (! list_empty(&src->list_head) || ! list_empty(&dest->list_head)) -+ if (!list_empty(&grp->list_head)) - goto __error; - } else { -- if (src->exclusive || dest->exclusive) -+ if (grp->exclusive) - goto __error; - /* check whether already exists */ -- list_for_each_entry(s, &src->list_head, src_list) { -- if (match_subs_info(info, &s->info)) -- goto __error; -- } -- list_for_each_entry(s, &dest->list_head, dest_list) { -- if (match_subs_info(info, &s->info)) -+ list_for_each(p, &grp->list_head) { -+ s = get_subscriber(p, is_src); -+ if (match_subs_info(&subs->info, &s->info)) - goto __error; - } - } - -- if ((err = subscribe_port(src_client, src_port, src, info, -- connector->number != src_client->number)) < 0) -- goto __error; -- src_called = 1; -- -- if ((err = subscribe_port(dest_client, dest_port, dest, info, -- connector->number != dest_client->number)) < 0) -+ err = subscribe_port(client, port, grp, &subs->info, ack); -+ if (err < 0) { -+ grp->exclusive = 0; - goto __error; -+ } - - /* add to list */ -- write_lock_irqsave(&src->list_lock, flags); -- // write_lock(&dest->list_lock); // no other lock yet -- list_add_tail(&subs->src_list, &src->list_head); -- list_add_tail(&subs->dest_list, &dest->list_head); -- // write_unlock(&dest->list_lock); // no other lock yet -- write_unlock_irqrestore(&src->list_lock, flags); -+ write_lock_irq(&grp->list_lock); -+ if (is_src) -+ list_add_tail(&subs->src_list, &grp->list_head); -+ else -+ list_add_tail(&subs->dest_list, &grp->list_head); -+ grp->exclusive = exclusive; -+ atomic_inc(&subs->ref_count); -+ write_unlock_irq(&grp->list_lock); -+ err = 0; -+ -+ __error: -+ up_write(&grp->list_mutex); -+ return err; -+} - -- src->exclusive = dest->exclusive = exclusive; -+static void delete_and_unsubscribe_port(struct snd_seq_client *client, -+ struct snd_seq_client_port *port, -+ struct snd_seq_subscribers *subs, -+ bool is_src, bool ack) -+{ -+ struct snd_seq_port_subs_info *grp; -+ -+ grp = is_src ? &port->c_src : &port->c_dest; -+ down_write(&grp->list_mutex); -+ write_lock_irq(&grp->list_lock); -+ if (is_src) -+ list_del(&subs->src_list); -+ else -+ list_del(&subs->dest_list); -+ grp->exclusive = 0; -+ write_unlock_irq(&grp->list_lock); -+ up_write(&grp->list_mutex); -+ -+ unsubscribe_port(client, port, grp, &subs->info, ack); -+} -+ -+/* connect two ports */ -+int snd_seq_port_connect(struct snd_seq_client *connector, -+ struct snd_seq_client *src_client, -+ struct snd_seq_client_port *src_port, -+ struct snd_seq_client *dest_client, -+ struct snd_seq_client_port *dest_port, -+ struct snd_seq_port_subscribe *info) -+{ -+ struct snd_seq_subscribers *subs; -+ bool exclusive; -+ int err; -+ -+ subs = kzalloc(sizeof(*subs), GFP_KERNEL); -+ if (!subs) -+ return -ENOMEM; -+ -+ subs->info = *info; -+ atomic_set(&subs->ref_count, 0); -+ INIT_LIST_HEAD(&subs->src_list); -+ INIT_LIST_HEAD(&subs->dest_list); -+ -+ exclusive = !!(info->flags & SNDRV_SEQ_PORT_SUBS_EXCLUSIVE); -+ -+ err = check_and_subscribe_port(src_client, src_port, subs, true, -+ exclusive, -+ connector->number != src_client->number); -+ if (err < 0) -+ goto error; -+ err = check_and_subscribe_port(dest_client, dest_port, subs, false, -+ exclusive, -+ connector->number != dest_client->number); -+ if (err < 0) -+ goto error_dest; - -- up_write(&dest->list_mutex); -- up_write(&src->list_mutex); - return 0; - -- __error: -- if (src_called) -- unsubscribe_port(src_client, src_port, src, info, -- connector->number != src_client->number); -+ error_dest: -+ delete_and_unsubscribe_port(src_client, src_port, subs, true, -+ connector->number != src_client->number); -+ error: - kfree(subs); -- up_write(&dest->list_mutex); -- up_write(&src->list_mutex); - return err; - } - -- - /* remove the connection */ - int snd_seq_port_disconnect(struct snd_seq_client *connector, - struct snd_seq_client *src_client, -@@ -572,37 +608,28 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector, - struct snd_seq_port_subscribe *info) - { - struct snd_seq_port_subs_info *src = &src_port->c_src; -- struct snd_seq_port_subs_info *dest = &dest_port->c_dest; - struct snd_seq_subscribers *subs; - int err = -ENOENT; -- unsigned long flags; - - down_write(&src->list_mutex); -- down_write_nested(&dest->list_mutex, SINGLE_DEPTH_NESTING); -- - /* look for the connection */ - list_for_each_entry(subs, &src->list_head, src_list) { - if (match_subs_info(info, &subs->info)) { -- write_lock_irqsave(&src->list_lock, flags); -- // write_lock(&dest->list_lock); // no lock yet -- list_del(&subs->src_list); -- list_del(&subs->dest_list); -- // write_unlock(&dest->list_lock); -- write_unlock_irqrestore(&src->list_lock, flags); -- src->exclusive = dest->exclusive = 0; -- unsubscribe_port(src_client, src_port, src, info, -- connector->number != src_client->number); -- unsubscribe_port(dest_client, dest_port, dest, info, -- connector->number != dest_client->number); -- kfree(subs); -+ atomic_dec(&subs->ref_count); /* mark as not ready */ - err = 0; - break; - } - } -- -- up_write(&dest->list_mutex); - up_write(&src->list_mutex); -- return err; -+ if (err < 0) -+ return err; -+ -+ delete_and_unsubscribe_port(src_client, src_port, subs, true, -+ connector->number != src_client->number); -+ delete_and_unsubscribe_port(dest_client, dest_port, subs, false, -+ connector->number != dest_client->number); -+ kfree(subs); -+ return 0; - } - - -diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c -index 24d44b2f61ac..6ec30a98a92a 100644 ---- a/sound/core/seq/seq_timer.c -+++ b/sound/core/seq/seq_timer.c -@@ -92,6 +92,9 @@ void snd_seq_timer_delete(struct snd_seq_timer **tmr) - - void snd_seq_timer_defaults(struct snd_seq_timer * tmr) - { -+ unsigned long flags; -+ -+ spin_lock_irqsave(&tmr->lock, flags); - /* setup defaults */ - tmr->ppq = 96; /* 96 PPQ */ - tmr->tempo = 500000; /* 120 BPM */ -@@ -107,21 +110,25 @@ void snd_seq_timer_defaults(struct snd_seq_timer * tmr) - tmr->preferred_resolution = seq_default_timer_resolution; - - tmr->skew = tmr->skew_base = SKEW_BASE; -+ spin_unlock_irqrestore(&tmr->lock, flags); - } - --void snd_seq_timer_reset(struct snd_seq_timer * tmr) -+static void seq_timer_reset(struct snd_seq_timer *tmr) - { -- unsigned long flags; -- -- spin_lock_irqsave(&tmr->lock, flags); -- - /* reset time & songposition */ - tmr->cur_time.tv_sec = 0; - tmr->cur_time.tv_nsec = 0; - - tmr->tick.cur_tick = 0; - tmr->tick.fraction = 0; -+} -+ -+void snd_seq_timer_reset(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; - -+ spin_lock_irqsave(&tmr->lock, flags); -+ seq_timer_reset(tmr); - spin_unlock_irqrestore(&tmr->lock, flags); - } - -@@ -140,8 +147,11 @@ static void snd_seq_timer_interrupt(struct snd_timer_instance *timeri, - tmr = q->timer; - if (tmr == NULL) - return; -- if (!tmr->running) -+ spin_lock_irqsave(&tmr->lock, flags); -+ if (!tmr->running) { -+ spin_unlock_irqrestore(&tmr->lock, flags); - return; -+ } - - resolution *= ticks; - if (tmr->skew != tmr->skew_base) { -@@ -150,8 +160,6 @@ static void snd_seq_timer_interrupt(struct snd_timer_instance *timeri, - (((resolution & 0xffff) * tmr->skew) >> 16); - } - -- spin_lock_irqsave(&tmr->lock, flags); -- - /* update timer */ - snd_seq_inc_time_nsec(&tmr->cur_time, resolution); - -@@ -298,26 +306,30 @@ int snd_seq_timer_open(struct snd_seq_queue *q) - t->callback = snd_seq_timer_interrupt; - t->callback_data = q; - t->flags |= SNDRV_TIMER_IFLG_AUTO; -+ spin_lock_irq(&tmr->lock); - tmr->timeri = t; -+ spin_unlock_irq(&tmr->lock); - return 0; - } - - int snd_seq_timer_close(struct snd_seq_queue *q) - { - struct snd_seq_timer *tmr; -+ struct snd_timer_instance *t; - - tmr = q->timer; - if (snd_BUG_ON(!tmr)) - return -EINVAL; -- if (tmr->timeri) { -- snd_timer_stop(tmr->timeri); -- snd_timer_close(tmr->timeri); -- tmr->timeri = NULL; -- } -+ spin_lock_irq(&tmr->lock); -+ t = tmr->timeri; -+ tmr->timeri = NULL; -+ spin_unlock_irq(&tmr->lock); -+ if (t) -+ snd_timer_close(t); - return 0; - } - --int snd_seq_timer_stop(struct snd_seq_timer * tmr) -+static int seq_timer_stop(struct snd_seq_timer *tmr) - { - if (! tmr->timeri) - return -EINVAL; -@@ -328,6 +340,17 @@ int snd_seq_timer_stop(struct snd_seq_timer * tmr) - return 0; - } - -+int snd_seq_timer_stop(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; -+ int err; -+ -+ spin_lock_irqsave(&tmr->lock, flags); -+ err = seq_timer_stop(tmr); -+ spin_unlock_irqrestore(&tmr->lock, flags); -+ return err; -+} -+ - static int initialize_timer(struct snd_seq_timer *tmr) - { - struct snd_timer *t; -@@ -360,13 +383,13 @@ static int initialize_timer(struct snd_seq_timer *tmr) - return 0; - } - --int snd_seq_timer_start(struct snd_seq_timer * tmr) -+static int seq_timer_start(struct snd_seq_timer *tmr) - { - if (! tmr->timeri) - return -EINVAL; - if (tmr->running) -- snd_seq_timer_stop(tmr); -- snd_seq_timer_reset(tmr); -+ seq_timer_stop(tmr); -+ seq_timer_reset(tmr); - if (initialize_timer(tmr) < 0) - return -EINVAL; - snd_timer_start(tmr->timeri, tmr->ticks); -@@ -375,14 +398,25 @@ int snd_seq_timer_start(struct snd_seq_timer * tmr) - return 0; - } - --int snd_seq_timer_continue(struct snd_seq_timer * tmr) -+int snd_seq_timer_start(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; -+ int err; -+ -+ spin_lock_irqsave(&tmr->lock, flags); -+ err = seq_timer_start(tmr); -+ spin_unlock_irqrestore(&tmr->lock, flags); -+ return err; -+} -+ -+static int seq_timer_continue(struct snd_seq_timer *tmr) - { - if (! tmr->timeri) - return -EINVAL; - if (tmr->running) - return -EBUSY; - if (! tmr->initialized) { -- snd_seq_timer_reset(tmr); -+ seq_timer_reset(tmr); - if (initialize_timer(tmr) < 0) - return -EINVAL; - } -@@ -392,11 +426,24 @@ int snd_seq_timer_continue(struct snd_seq_timer * tmr) - return 0; - } - -+int snd_seq_timer_continue(struct snd_seq_timer *tmr) -+{ -+ unsigned long flags; -+ int err; -+ -+ spin_lock_irqsave(&tmr->lock, flags); -+ err = seq_timer_continue(tmr); -+ spin_unlock_irqrestore(&tmr->lock, flags); -+ return err; -+} -+ - /* return current 'real' time. use timeofday() to get better granularity. */ - snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) - { - snd_seq_real_time_t cur_time; -+ unsigned long flags; - -+ spin_lock_irqsave(&tmr->lock, flags); - cur_time = tmr->cur_time; - if (tmr->running) { - struct timeval tm; -@@ -412,7 +459,7 @@ snd_seq_real_time_t snd_seq_timer_get_cur_time(struct snd_seq_timer *tmr) - } - snd_seq_sanity_real_time(&cur_time); - } -- -+ spin_unlock_irqrestore(&tmr->lock, flags); - return cur_time; - } - -diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c -index 4b50e604276d..0fa691e01384 100644 ---- a/sound/core/seq/seq_virmidi.c -+++ b/sound/core/seq/seq_virmidi.c -@@ -254,9 +254,13 @@ static int snd_virmidi_output_open(struct snd_rawmidi_substream *substream) - */ - static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream) - { -+ struct snd_virmidi_dev *rdev = substream->rmidi->private_data; - struct snd_virmidi *vmidi = substream->runtime->private_data; -- snd_midi_event_free(vmidi->parser); -+ -+ write_lock_irq(&rdev->filelist_lock); - list_del(&vmidi->list); -+ write_unlock_irq(&rdev->filelist_lock); -+ snd_midi_event_free(vmidi->parser); - substream->runtime->private_data = NULL; - kfree(vmidi); - return 0; -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 4e436fe53afa..d90d8f4b85fe 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -300,8 +300,7 @@ int snd_timer_open(struct snd_timer_instance **ti, - return 0; - } - --static int _snd_timer_stop(struct snd_timer_instance *timeri, -- int keep_flag, int event); -+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event); - - /* - * close a timer instance -@@ -343,7 +342,7 @@ int snd_timer_close(struct snd_timer_instance *timeri) - spin_unlock_irq(&timer->lock); - mutex_lock(®ister_mutex); - list_del(&timeri->open_list); -- if (timer && list_empty(&timer->open_list_head) && -+ if (list_empty(&timer->open_list_head) && - timer->hw.close) - timer->hw.close(timer); - /* remove slave links */ -@@ -415,7 +414,7 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) - spin_lock_irqsave(&timer->lock, flags); - list_for_each_entry(ts, &ti->slave_active_head, active_list) - if (ts->ccallback) -- ts->ccallback(ti, event + 100, &tstamp, resolution); -+ ts->ccallback(ts, event + 100, &tstamp, resolution); - spin_unlock_irqrestore(&timer->lock, flags); - } - -@@ -444,6 +443,10 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri) - unsigned long flags; - - spin_lock_irqsave(&slave_active_lock, flags); -+ if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) { -+ spin_unlock_irqrestore(&slave_active_lock, flags); -+ return -EBUSY; -+ } - timeri->flags |= SNDRV_TIMER_IFLG_RUNNING; - if (timeri->master && timeri->timer) { - spin_lock(&timeri->timer->lock); -@@ -468,23 +471,30 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks) - return -EINVAL; - if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { - result = snd_timer_start_slave(timeri); -- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); -+ if (result >= 0) -+ snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); - return result; - } - timer = timeri->timer; - if (timer == NULL) - return -EINVAL; - spin_lock_irqsave(&timer->lock, flags); -+ if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | -+ SNDRV_TIMER_IFLG_START)) { -+ result = -EBUSY; -+ goto unlock; -+ } - timeri->ticks = timeri->cticks = ticks; - timeri->pticks = 0; - result = snd_timer_start1(timer, timeri, ticks); -+ unlock: - spin_unlock_irqrestore(&timer->lock, flags); -- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); -+ if (result >= 0) -+ snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START); - return result; - } - --static int _snd_timer_stop(struct snd_timer_instance * timeri, -- int keep_flag, int event) -+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event) - { - struct snd_timer *timer; - unsigned long flags; -@@ -493,19 +503,30 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, - return -ENXIO; - - if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { -- if (!keep_flag) { -- spin_lock_irqsave(&slave_active_lock, flags); -- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -- list_del_init(&timeri->ack_list); -- list_del_init(&timeri->active_list); -+ spin_lock_irqsave(&slave_active_lock, flags); -+ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) { - spin_unlock_irqrestore(&slave_active_lock, flags); -+ return -EBUSY; - } -+ if (timeri->timer) -+ spin_lock(&timeri->timer->lock); -+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -+ list_del_init(&timeri->ack_list); -+ list_del_init(&timeri->active_list); -+ if (timeri->timer) -+ spin_unlock(&timeri->timer->lock); -+ spin_unlock_irqrestore(&slave_active_lock, flags); - goto __end; - } - timer = timeri->timer; - if (!timer) - return -EINVAL; - spin_lock_irqsave(&timer->lock, flags); -+ if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | -+ SNDRV_TIMER_IFLG_START))) { -+ spin_unlock_irqrestore(&timer->lock, flags); -+ return -EBUSY; -+ } - list_del_init(&timeri->ack_list); - list_del_init(&timeri->active_list); - if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) && -@@ -520,9 +541,7 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, - } - } - } -- if (!keep_flag) -- timeri->flags &= -- ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); -+ timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); - spin_unlock_irqrestore(&timer->lock, flags); - __end: - if (event != SNDRV_TIMER_EVENT_RESOLUTION) -@@ -541,7 +560,7 @@ int snd_timer_stop(struct snd_timer_instance *timeri) - unsigned long flags; - int err; - -- err = _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_STOP); -+ err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP); - if (err < 0) - return err; - timer = timeri->timer; -@@ -571,10 +590,15 @@ int snd_timer_continue(struct snd_timer_instance *timeri) - if (! timer) - return -EINVAL; - spin_lock_irqsave(&timer->lock, flags); -+ if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) { -+ result = -EBUSY; -+ goto unlock; -+ } - if (!timeri->cticks) - timeri->cticks = 1; - timeri->pticks = 0; - result = snd_timer_start1(timer, timeri, timer->sticks); -+ unlock: - spin_unlock_irqrestore(&timer->lock, flags); - snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE); - return result; -@@ -585,7 +609,7 @@ int snd_timer_continue(struct snd_timer_instance *timeri) - */ - int snd_timer_pause(struct snd_timer_instance * timeri) - { -- return _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_PAUSE); -+ return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE); - } - - /* -@@ -702,8 +726,8 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) - ti->cticks = ti->ticks; - } else { - ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -- if (--timer->running) -- list_del_init(&ti->active_list); -+ --timer->running; -+ list_del_init(&ti->active_list); - } - if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || - (ti->flags & SNDRV_TIMER_IFLG_FAST)) -diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c -index fd798f753609..982a2c2faf24 100644 ---- a/sound/drivers/dummy.c -+++ b/sound/drivers/dummy.c -@@ -109,6 +109,9 @@ struct dummy_timer_ops { - snd_pcm_uframes_t (*pointer)(struct snd_pcm_substream *); - }; - -+#define get_dummy_ops(substream) \ -+ (*(const struct dummy_timer_ops **)(substream)->runtime->private_data) -+ - struct dummy_model { - const char *name; - int (*playback_constraints)(struct snd_pcm_runtime *runtime); -@@ -137,7 +140,6 @@ struct snd_dummy { - int iobox; - struct snd_kcontrol *cd_volume_ctl; - struct snd_kcontrol *cd_switch_ctl; -- const struct dummy_timer_ops *timer_ops; - }; - - /* -@@ -231,6 +233,8 @@ struct dummy_model *dummy_models[] = { - */ - - struct dummy_systimer_pcm { -+ /* ops must be the first item */ -+ const struct dummy_timer_ops *timer_ops; - spinlock_t lock; - struct timer_list timer; - unsigned long base_time; -@@ -368,6 +372,8 @@ static struct dummy_timer_ops dummy_systimer_ops = { - */ - - struct dummy_hrtimer_pcm { -+ /* ops must be the first item */ -+ const struct dummy_timer_ops *timer_ops; - ktime_t base_time; - ktime_t period_time; - atomic_t running; -@@ -494,31 +500,25 @@ static struct dummy_timer_ops dummy_hrtimer_ops = { - - static int dummy_pcm_trigger(struct snd_pcm_substream *substream, int cmd) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- - switch (cmd) { - case SNDRV_PCM_TRIGGER_START: - case SNDRV_PCM_TRIGGER_RESUME: -- return dummy->timer_ops->start(substream); -+ return get_dummy_ops(substream)->start(substream); - case SNDRV_PCM_TRIGGER_STOP: - case SNDRV_PCM_TRIGGER_SUSPEND: -- return dummy->timer_ops->stop(substream); -+ return get_dummy_ops(substream)->stop(substream); - } - return -EINVAL; - } - - static int dummy_pcm_prepare(struct snd_pcm_substream *substream) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- -- return dummy->timer_ops->prepare(substream); -+ return get_dummy_ops(substream)->prepare(substream); - } - - static snd_pcm_uframes_t dummy_pcm_pointer(struct snd_pcm_substream *substream) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- -- return dummy->timer_ops->pointer(substream); -+ return get_dummy_ops(substream)->pointer(substream); - } - - static struct snd_pcm_hardware dummy_pcm_hardware = { -@@ -564,17 +564,19 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) - struct snd_dummy *dummy = snd_pcm_substream_chip(substream); - struct dummy_model *model = dummy->model; - struct snd_pcm_runtime *runtime = substream->runtime; -+ const struct dummy_timer_ops *ops; - int err; - -- dummy->timer_ops = &dummy_systimer_ops; -+ ops = &dummy_systimer_ops; - #ifdef CONFIG_HIGH_RES_TIMERS - if (hrtimer) -- dummy->timer_ops = &dummy_hrtimer_ops; -+ ops = &dummy_hrtimer_ops; - #endif - -- err = dummy->timer_ops->create(substream); -+ err = ops->create(substream); - if (err < 0) - return err; -+ get_dummy_ops(substream) = ops; - - runtime->hw = dummy->pcm_hw; - if (substream->pcm->device & 1) { -@@ -596,7 +598,7 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) - err = model->capture_constraints(substream->runtime); - } - if (err < 0) { -- dummy->timer_ops->free(substream); -+ get_dummy_ops(substream)->free(substream); - return err; - } - return 0; -@@ -604,8 +606,7 @@ static int dummy_pcm_open(struct snd_pcm_substream *substream) - - static int dummy_pcm_close(struct snd_pcm_substream *substream) - { -- struct snd_dummy *dummy = snd_pcm_substream_chip(substream); -- dummy->timer_ops->free(substream); -+ get_dummy_ops(substream)->free(substream); - return 0; - } - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 69a2aafb0b0f..babbf238a648 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2188,6 +2188,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { - SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT), - SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP), - SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP), -+ SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP), - - /* All Apple entries are in codec SSIDs */ - SND_PCI_QUIRK(0x106b, 0x00a0, "MacBookPro 3,1", ALC889_FIXUP_MBP_VREF), -diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c -index 02d26915b61d..c6d408c819b1 100644 ---- a/sound/soc/soc-pcm.c -+++ b/sound/soc/soc-pcm.c -@@ -1248,7 +1248,8 @@ static int dpcm_be_dai_hw_free(struct snd_soc_pcm_runtime *fe, int stream) - (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PREPARE) && - (be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) && - (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED) && -- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP)) -+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP) && -+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND)) - continue; - - dev_dbg(be->dev, "ASoC: hw_free BE %s\n", -diff --git a/sound/usb/midi.c b/sound/usb/midi.c -index dabbe05d17f5..37ecba340876 100644 ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -2291,7 +2291,6 @@ int snd_usbmidi_create(struct snd_card *card, - else - err = snd_usbmidi_create_endpoints(umidi, endpoints); - if (err < 0) { -- snd_usbmidi_free(umidi); - return err; - } - -diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c -index 94cd28c2bd8d..44550a4cf893 100644 ---- a/sound/usb/quirks.c -+++ b/sound/usb/quirks.c -@@ -900,8 +900,12 @@ void snd_usb_set_interface_quirk(struct usb_device *dev) - * "Playback Design" products need a 50ms delay after setting the - * USB interface. - */ -- if (le16_to_cpu(dev->descriptor.idVendor) == 0x23ba) -+ switch (le16_to_cpu(dev->descriptor.idVendor)) { -+ case 0x23ba: /* Playback Design */ -+ case 0x0644: /* TEAC Corp. */ - mdelay(50); -+ break; -+ } - } - - void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, -@@ -916,6 +920,14 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, - (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) - mdelay(20); - -+ /* -+ * "TEAC Corp." products need a 20ms delay after each -+ * class compliant request -+ */ -+ if ((le16_to_cpu(dev->descriptor.idVendor) == 0x0644) && -+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) -+ mdelay(20); -+ - /* Marantz/Denon devices with USB DAC functionality need a delay - * after each class compliant request - */ diff --git a/patch/kernel/odroidxu4-default/1-patch-3.10.97-98.patch b/patch/kernel/odroidxu4-default/1-patch-3.10.97-98.patch deleted file mode 100644 index 332f8fede..000000000 --- a/patch/kernel/odroidxu4-default/1-patch-3.10.97-98.patch +++ /dev/null @@ -1,1792 +0,0 @@ -diff --git a/Makefile b/Makefile -index f26470169c70..dadd1edc6f84 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 97 -+SUBLEVEL = 98 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arm/common/icst.c b/arch/arm/common/icst.c -index 2dc6da70ae59..d7ed252708c5 100644 ---- a/arch/arm/common/icst.c -+++ b/arch/arm/common/icst.c -@@ -16,7 +16,7 @@ - */ - #include - #include -- -+#include - #include - - /* -@@ -29,7 +29,11 @@ EXPORT_SYMBOL(icst525_s2div); - - unsigned long icst_hz(const struct icst_params *p, struct icst_vco vco) - { -- return p->ref * 2 * (vco.v + 8) / ((vco.r + 2) * p->s2div[vco.s]); -+ u64 dividend = p->ref * 2 * (u64)(vco.v + 8); -+ u32 divisor = (vco.r + 2) * p->s2div[vco.s]; -+ -+ do_div(dividend, divisor); -+ return (unsigned long)dividend; - } - - EXPORT_SYMBOL(icst_hz); -@@ -58,6 +62,7 @@ icst_hz_to_vco(const struct icst_params *p, unsigned long freq) - - if (f > p->vco_min && f <= p->vco_max) - break; -+ i++; - } while (i < 8); - - if (i >= 8) -diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c -index 0392112a5d70..a5ecef7188ba 100644 ---- a/arch/m32r/kernel/setup.c -+++ b/arch/m32r/kernel/setup.c -@@ -81,7 +81,10 @@ static struct resource code_resource = { - }; - - unsigned long memory_start; -+EXPORT_SYMBOL(memory_start); -+ - unsigned long memory_end; -+EXPORT_SYMBOL(memory_end); - - void __init setup_arch(char **); - int get_cpuinfo(char *); -diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h -index c48a95035a77..4dde707a6ff7 100644 ---- a/arch/x86/include/asm/segment.h -+++ b/arch/x86/include/asm/segment.h -@@ -212,8 +212,19 @@ - #define TLS_SIZE (GDT_ENTRY_TLS_ENTRIES * 8) - - #ifdef __KERNEL__ -+ -+/* -+ * early_idt_handler_array is an array of entry points referenced in the -+ * early IDT. For simplicity, it's a real array with one entry point -+ * every nine bytes. That leaves room for an optional 'push $0' if the -+ * vector has no error code (two bytes), a 'push $vector_number' (two -+ * bytes), and a jump to the common entry code (up to five bytes). -+ */ -+#define EARLY_IDT_HANDLER_SIZE 9 -+ - #ifndef __ASSEMBLY__ --extern const char early_idt_handlers[NUM_EXCEPTION_VECTORS][2+2+5]; -+ -+extern const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE]; - - /* - * Load a segment. Fall back on loading the zero -diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c -index 55b67614ed94..3b861b7661ee 100644 ---- a/arch/x86/kernel/head64.c -+++ b/arch/x86/kernel/head64.c -@@ -162,7 +162,7 @@ void __init x86_64_start_kernel(char * real_mode_data) - clear_bss(); - - for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) -- set_intr_gate(i, &early_idt_handlers[i]); -+ set_intr_gate(i, &early_idt_handler_array[i]); - load_idt((const struct desc_ptr *)&idt_descr); - - copy_bootdata(__va(real_mode_data)); -diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S -index df63cae573e0..8060c8b95b3a 100644 ---- a/arch/x86/kernel/head_32.S -+++ b/arch/x86/kernel/head_32.S -@@ -499,21 +499,22 @@ check_x87: - __INIT - setup_once: - /* -- * Set up a idt with 256 entries pointing to ignore_int, -- * interrupt gates. It doesn't actually load idt - that needs -- * to be done on each CPU. Interrupts are enabled elsewhere, -- * when we can be relatively sure everything is ok. -+ * Set up a idt with 256 interrupt gates that push zero if there -+ * is no error code and then jump to early_idt_handler_common. -+ * It doesn't actually load the idt - that needs to be done on -+ * each CPU. Interrupts are enabled elsewhere, when we can be -+ * relatively sure everything is ok. - */ - - movl $idt_table,%edi -- movl $early_idt_handlers,%eax -+ movl $early_idt_handler_array,%eax - movl $NUM_EXCEPTION_VECTORS,%ecx - 1: - movl %eax,(%edi) - movl %eax,4(%edi) - /* interrupt gate, dpl=0, present */ - movl $(0x8E000000 + __KERNEL_CS),2(%edi) -- addl $9,%eax -+ addl $EARLY_IDT_HANDLER_SIZE,%eax - addl $8,%edi - loop 1b - -@@ -545,26 +546,28 @@ setup_once: - andl $0,setup_once_ref /* Once is enough, thanks */ - ret - --ENTRY(early_idt_handlers) -+ENTRY(early_idt_handler_array) - # 36(%esp) %eflags - # 32(%esp) %cs - # 28(%esp) %eip - # 24(%rsp) error code - i = 0 - .rept NUM_EXCEPTION_VECTORS -- .if (EXCEPTION_ERRCODE_MASK >> i) & 1 -- ASM_NOP2 -- .else -+ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1 - pushl $0 # Dummy error code, to make stack frame uniform - .endif - pushl $i # 20(%esp) Vector number -- jmp early_idt_handler -+ jmp early_idt_handler_common - i = i + 1 -+ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc - .endr --ENDPROC(early_idt_handlers) -+ENDPROC(early_idt_handler_array) - -- /* This is global to keep gas from relaxing the jumps */ --ENTRY(early_idt_handler) -+early_idt_handler_common: -+ /* -+ * The stack is the hardware frame, an error code or zero, and the -+ * vector number. -+ */ - cld - - cmpl $2,(%esp) # X86_TRAP_NMI -@@ -624,7 +627,7 @@ ex_entry: - is_nmi: - addl $8,%esp /* drop vector number and error code */ - iret --ENDPROC(early_idt_handler) -+ENDPROC(early_idt_handler_common) - - /* This is the default interrupt "handler" :-) */ - ALIGN -diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 3280489905a8..54bf9c2d0d13 100644 ---- a/arch/x86/kernel/head_64.S -+++ b/arch/x86/kernel/head_64.S -@@ -329,26 +329,28 @@ bad_address: - jmp bad_address - - __INIT -- .globl early_idt_handlers --early_idt_handlers: -+ENTRY(early_idt_handler_array) - # 104(%rsp) %rflags - # 96(%rsp) %cs - # 88(%rsp) %rip - # 80(%rsp) error code - i = 0 - .rept NUM_EXCEPTION_VECTORS -- .if (EXCEPTION_ERRCODE_MASK >> i) & 1 -- ASM_NOP2 -- .else -+ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1 - pushq $0 # Dummy error code, to make stack frame uniform - .endif - pushq $i # 72(%rsp) Vector number -- jmp early_idt_handler -+ jmp early_idt_handler_common - i = i + 1 -+ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc - .endr -+ENDPROC(early_idt_handler_array) - --/* This is global to keep gas from relaxing the jumps */ --ENTRY(early_idt_handler) -+early_idt_handler_common: -+ /* -+ * The stack is the hardware frame, an error code or zero, and the -+ * vector number. -+ */ - cld - - cmpl $2,(%rsp) # X86_TRAP_NMI -@@ -420,7 +422,7 @@ ENTRY(early_idt_handler) - is_nmi: - addq $16,%rsp # drop vector number and error code - INTERRUPT_RETURN --ENDPROC(early_idt_handler) -+ENDPROC(early_idt_handler_common) - - __INITDATA - -diff --git a/block/blk-core.c b/block/blk-core.c -index 5a750b18172e..9ae84ae05e6a 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -3097,6 +3097,9 @@ int blk_pre_runtime_suspend(struct request_queue *q) - { - int ret = 0; - -+ if (!q->dev) -+ return ret; -+ - spin_lock_irq(q->queue_lock); - if (q->nr_pending) { - ret = -EBUSY; -@@ -3124,6 +3127,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend); - */ - void blk_post_runtime_suspend(struct request_queue *q, int err) - { -+ if (!q->dev) -+ return; -+ - spin_lock_irq(q->queue_lock); - if (!err) { - q->rpm_status = RPM_SUSPENDED; -@@ -3148,6 +3154,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend); - */ - void blk_pre_runtime_resume(struct request_queue *q) - { -+ if (!q->dev) -+ return; -+ - spin_lock_irq(q->queue_lock); - q->rpm_status = RPM_RESUMING; - spin_unlock_irq(q->queue_lock); -@@ -3170,6 +3179,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume); - */ - void blk_post_runtime_resume(struct request_queue *q, int err) - { -+ if (!q->dev) -+ return; -+ - spin_lock_irq(q->queue_lock); - if (!err) { - q->rpm_status = RPM_ACTIVE; -diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c -index 334e31ff7a4e..6bd0c1ade9f2 100644 ---- a/drivers/iio/adc/ad7793.c -+++ b/drivers/iio/adc/ad7793.c -@@ -101,7 +101,7 @@ - #define AD7795_CH_AIN1M_AIN1M 8 /* AIN1(-) - AIN1(-) */ - - /* ID Register Bit Designations (AD7793_REG_ID) */ --#define AD7785_ID 0xB -+#define AD7785_ID 0x3 - #define AD7792_ID 0xA - #define AD7793_ID 0xB - #define AD7794_ID 0xF -diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c -index aa26d50ab638..4eda4ea037b7 100644 ---- a/drivers/iio/dac/ad5064.c -+++ b/drivers/iio/dac/ad5064.c -@@ -602,10 +602,16 @@ static int ad5064_i2c_write(struct ad5064_state *st, unsigned int cmd, - unsigned int addr, unsigned int val) - { - struct i2c_client *i2c = to_i2c_client(st->dev); -+ int ret; - - st->data.i2c[0] = (cmd << 4) | addr; - put_unaligned_be16(val, &st->data.i2c[1]); -- return i2c_master_send(i2c, st->data.i2c, 3); -+ -+ ret = i2c_master_send(i2c, st->data.i2c, 3); -+ if (ret < 0) -+ return ret; -+ -+ return 0; - } - - static int ad5064_i2c_probe(struct i2c_client *i2c, -diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c -index a612ec766d96..029207bbf03d 100644 ---- a/drivers/iio/dac/mcp4725.c -+++ b/drivers/iio/dac/mcp4725.c -@@ -166,6 +166,7 @@ static int mcp4725_probe(struct i2c_client *client, - data->client = client; - - indio_dev->dev.parent = &client->dev; -+ indio_dev->name = id->name; - indio_dev->info = &mcp4725_info; - indio_dev->channels = &mcp4725_channel; - indio_dev->num_channels = 1; -diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c -index 99d8e0b0dd34..d0538bcdc1b8 100644 ---- a/drivers/iio/imu/adis_buffer.c -+++ b/drivers/iio/imu/adis_buffer.c -@@ -43,7 +43,7 @@ int adis_update_scan_mode(struct iio_dev *indio_dev, - return -ENOMEM; - - rx = adis->buffer; -- tx = rx + indio_dev->scan_bytes; -+ tx = rx + scan_count; - - spi_message_init(&adis->msg); - -diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c -index 02099afb6c79..77f06d001a66 100644 ---- a/drivers/input/mouse/elantech.c -+++ b/drivers/input/mouse/elantech.c -@@ -1081,7 +1081,7 @@ static int elantech_set_input_params(struct psmouse *psmouse) - input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2, - ETP_WMAX_V2, 0, 0); - } -- input_mt_init_slots(dev, 2, 0); -+ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT); - input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0); - input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0); - break; -@@ -1357,6 +1357,13 @@ static const struct dmi_system_id no_hw_res_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "U2442"), - }, - }, -+ { -+ /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), -+ }, -+ }, - #endif - { } - }; -diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h -index 4de2571938b8..5102b4f68f18 100644 ---- a/drivers/input/serio/i8042-x86ia64io.h -+++ b/drivers/input/serio/i8042-x86ia64io.h -@@ -258,6 +258,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { - }, - }, - { -+ /* Fujitsu Lifebook U745 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"), -+ }, -+ }, -+ { - /* Fujitsu T70H */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), -diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c -index a7967ceb79e6..3d4622cae2cf 100644 ---- a/drivers/iommu/dmar.c -+++ b/drivers/iommu/dmar.c -@@ -968,7 +968,7 @@ void dmar_disable_qi(struct intel_iommu *iommu) - - raw_spin_lock_irqsave(&iommu->register_lock, flags); - -- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); -+ sts = readl(iommu->reg + DMAR_GSTS_REG); - if (!(sts & DMA_GSTS_QIES)) - goto end; - -diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c -index 45011f63ad16..990cc298824a 100644 ---- a/drivers/iommu/intel_irq_remapping.c -+++ b/drivers/iommu/intel_irq_remapping.c -@@ -495,7 +495,7 @@ static void iommu_disable_irq_remapping(struct intel_iommu *iommu) - - raw_spin_lock_irqsave(&iommu->register_lock, flags); - -- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG); -+ sts = readl(iommu->reg + DMAR_GSTS_REG); - if (!(sts & DMA_GSTS_IRES)) - goto end; - -diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c -index 5895f1978691..e98de425f8e0 100644 ---- a/drivers/net/wan/x25_asy.c -+++ b/drivers/net/wan/x25_asy.c -@@ -545,16 +545,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty, - - static int x25_asy_open_tty(struct tty_struct *tty) - { -- struct x25_asy *sl = tty->disc_data; -+ struct x25_asy *sl; - int err; - - if (tty->ops->write == NULL) - return -EOPNOTSUPP; - -- /* First make sure we're not already connected. */ -- if (sl && sl->magic == X25_ASY_MAGIC) -- return -EEXIST; -- - /* OK. Find a free X.25 channel to use. */ - sl = x25_asy_alloc(); - if (sl == NULL) -diff --git a/drivers/platform/x86/intel_scu_ipcutil.c b/drivers/platform/x86/intel_scu_ipcutil.c -index 02bc5a6343c3..aa454241489c 100644 ---- a/drivers/platform/x86/intel_scu_ipcutil.c -+++ b/drivers/platform/x86/intel_scu_ipcutil.c -@@ -49,7 +49,7 @@ struct scu_ipc_data { - - static int scu_reg_access(u32 cmd, struct scu_ipc_data *data) - { -- int count = data->count; -+ unsigned int count = data->count; - - if (count == 0 || count == 3 || count > 4) - return -EINVAL; -diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c -index 69c915aa77c2..d661fcda1932 100644 ---- a/drivers/scsi/device_handler/scsi_dh_rdac.c -+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c -@@ -569,7 +569,7 @@ static int mode_select_handle_sense(struct scsi_device *sdev, - /* - * Command Lock contention - */ -- err = SCSI_DH_RETRY; -+ err = SCSI_DH_IMM_RETRY; - break; - default: - break; -@@ -619,6 +619,8 @@ retry: - err = mode_select_handle_sense(sdev, h->sense); - if (err == SCSI_DH_RETRY && retry_cnt--) - goto retry; -+ if (err == SCSI_DH_IMM_RETRY) -+ goto retry; - } - if (err == SCSI_DH_OK) { - h->state = RDAC_STATE_ACTIVE; -diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c -index 3cafe0d784b8..3020f1ff4abb 100644 ---- a/drivers/scsi/hosts.c -+++ b/drivers/scsi/hosts.c -@@ -305,6 +305,17 @@ static void scsi_host_dev_release(struct device *dev) - kfree(queuedata); - } - -+ if (shost->shost_state == SHOST_CREATED) { -+ /* -+ * Free the shost_dev device name here if scsi_host_alloc() -+ * and scsi_host_put() have been called but neither -+ * scsi_host_add() nor scsi_host_remove() has been called. -+ * This avoids that the memory allocated for the shost_dev -+ * name is leaked. -+ */ -+ kfree(dev_name(&shost->shost_dev)); -+ } -+ - scsi_destroy_command_freelist(shost); - if (shost->bqt) - blk_free_tags(shost->bqt); -diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c -index 9e2dd478dd15..135d7b56fbe6 100644 ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -789,7 +789,7 @@ sdev_store_queue_ramp_up_period(struct device *dev, - return -EINVAL; - - sdev->queue_ramp_up_period = msecs_to_jiffies(period); -- return period; -+ return count; - } - - static struct device_attribute sdev_attr_queue_ramp_up_period = -@@ -1030,31 +1030,25 @@ static void __scsi_remove_target(struct scsi_target *starget) - void scsi_remove_target(struct device *dev) - { - struct Scsi_Host *shost = dev_to_shost(dev->parent); -- struct scsi_target *starget, *last = NULL; -+ struct scsi_target *starget, *last_target = NULL; - unsigned long flags; - -- /* remove targets being careful to lookup next entry before -- * deleting the last -- */ -+restart: - spin_lock_irqsave(shost->host_lock, flags); - list_for_each_entry(starget, &shost->__targets, siblings) { -- if (starget->state == STARGET_DEL) -+ if (starget->state == STARGET_DEL || -+ starget == last_target) - continue; - if (starget->dev.parent == dev || &starget->dev == dev) { -- /* assuming new targets arrive at the end */ - kref_get(&starget->reap_ref); -+ last_target = starget; - spin_unlock_irqrestore(shost->host_lock, flags); -- if (last) -- scsi_target_reap(last); -- last = starget; - __scsi_remove_target(starget); -- spin_lock_irqsave(shost->host_lock, flags); -+ scsi_target_reap(starget); -+ goto restart; - } - } - spin_unlock_irqrestore(shost->host_lock, flags); -- -- if (last) -- scsi_target_reap(last); - } - EXPORT_SYMBOL(scsi_remove_target); - -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 26b543bc4f53..4afce0e838a2 100644 ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -3090,8 +3090,8 @@ static int sd_suspend(struct device *dev) - struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); - int ret = 0; - -- if (!sdkp) -- return 0; /* this can happen */ -+ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ -+ return 0; - - if (sdkp->WCE) { - sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); -@@ -3115,6 +3115,9 @@ static int sd_resume(struct device *dev) - struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev); - int ret = 0; - -+ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */ -+ return 0; -+ - if (!sdkp->device->manage_start_stop) - goto done; - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 721d839d6c54..0be16bf5f0cd 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1258,7 +1258,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma) - } - - sfp->mmap_called = 1; -- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; -+ vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP; - vma->vm_private_data = sfp; - vma->vm_ops = &sg_mmap_vm_ops; - return 0; -diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c -index 119d67f9c47e..1ac9943cbb93 100644 ---- a/drivers/scsi/sr.c -+++ b/drivers/scsi/sr.c -@@ -142,6 +142,9 @@ static int sr_runtime_suspend(struct device *dev) - { - struct scsi_cd *cd = dev_get_drvdata(dev); - -+ if (!cd) /* E.g.: runtime suspend following sr_remove() */ -+ return 0; -+ - if (cd->media_present) - return -EBUSY; - else -@@ -1006,6 +1009,7 @@ static int sr_remove(struct device *dev) - - blk_queue_prep_rq(cd->device->request_queue, scsi_prep_fn); - del_gendisk(cd->disk); -+ dev_set_drvdata(dev, NULL); - - mutex_lock(&sr_ref_mutex); - kref_put(&cd->kref, sr_kref_release); -diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c -index 2f2f7fdd0691..9cbe2dd70499 100644 ---- a/drivers/staging/iio/adc/lpc32xx_adc.c -+++ b/drivers/staging/iio/adc/lpc32xx_adc.c -@@ -76,7 +76,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, - - if (mask == IIO_CHAN_INFO_RAW) { - mutex_lock(&indio_dev->mlock); -- clk_enable(info->clk); -+ clk_prepare_enable(info->clk); - /* Measurement setup */ - __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm, - LPC32XX_ADC_SELECT(info->adc_base)); -@@ -84,7 +84,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev, - __raw_writel(AD_PDN_CTRL | AD_STROBE, - LPC32XX_ADC_CTRL(info->adc_base)); - wait_for_completion(&info->completion); /* set by ISR */ -- clk_disable(info->clk); -+ clk_disable_unprepare(info->clk); - *val = info->value; - mutex_unlock(&indio_dev->mlock); - -diff --git a/drivers/staging/speakup/selection.c b/drivers/staging/speakup/selection.c -index b9359753784e..364978e63d8d 100644 ---- a/drivers/staging/speakup/selection.c -+++ b/drivers/staging/speakup/selection.c -@@ -139,7 +139,9 @@ static void __speakup_paste_selection(struct work_struct *work) - struct tty_ldisc *ld; - DECLARE_WAITQUEUE(wait, current); - -- ld = tty_ldisc_ref_wait(tty); -+ ld = tty_ldisc_ref(tty); -+ if (!ld) -+ goto tty_unref; - - /* FIXME: this is completely unsafe */ - add_wait_queue(&vc->paste_wait, &wait); -@@ -158,6 +160,7 @@ static void __speakup_paste_selection(struct work_struct *work) - current->state = TASK_RUNNING; - - tty_ldisc_deref(ld); -+tty_unref: - tty_kref_put(tty); - } - -diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index 06cd916f91fe..d74da9598d58 100644 ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -3960,6 +3960,17 @@ reject: - return iscsit_add_reject(conn, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); - } - -+static bool iscsi_target_check_conn_state(struct iscsi_conn *conn) -+{ -+ bool ret; -+ -+ spin_lock_bh(&conn->state_lock); -+ ret = (conn->conn_state != TARG_CONN_STATE_LOGGED_IN); -+ spin_unlock_bh(&conn->state_lock); -+ -+ return ret; -+} -+ - int iscsi_target_rx_thread(void *arg) - { - int ret, rc; -@@ -3977,7 +3988,7 @@ int iscsi_target_rx_thread(void *arg) - * incoming iscsi/tcp socket I/O, and/or failing the connection. - */ - rc = wait_for_completion_interruptible(&conn->rx_login_comp); -- if (rc < 0) -+ if (rc < 0 || iscsi_target_check_conn_state(conn)) - return 0; - - if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { -diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c -index c45b3365d63d..200d779d0c03 100644 ---- a/drivers/target/iscsi/iscsi_target_configfs.c -+++ b/drivers/target/iscsi/iscsi_target_configfs.c -@@ -1730,7 +1730,8 @@ static void lio_tpg_release_fabric_acl( - } - - /* -- * Called with spin_lock_bh(struct se_portal_group->session_lock) held.. -+ * Called with spin_lock_irq(struct se_portal_group->session_lock) held -+ * or not held. - * - * Also, this function calls iscsit_inc_session_usage_count() on the - * struct iscsi_session in question. -@@ -1738,19 +1739,32 @@ static void lio_tpg_release_fabric_acl( - static int lio_tpg_shutdown_session(struct se_session *se_sess) - { - struct iscsi_session *sess = se_sess->fabric_sess_ptr; -+ struct se_portal_group *se_tpg = se_sess->se_tpg; -+ bool local_lock = false; -+ -+ if (!spin_is_locked(&se_tpg->session_lock)) { -+ spin_lock_irq(&se_tpg->session_lock); -+ local_lock = true; -+ } - - spin_lock(&sess->conn_lock); - if (atomic_read(&sess->session_fall_back_to_erl0) || - atomic_read(&sess->session_logout) || - (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) { - spin_unlock(&sess->conn_lock); -+ if (local_lock) -+ spin_unlock_irq(&sess->conn_lock); - return 0; - } - atomic_set(&sess->session_reinstatement, 1); - spin_unlock(&sess->conn_lock); - - iscsit_stop_time2retain_timer(sess); -+ spin_unlock_irq(&se_tpg->session_lock); -+ - iscsit_stop_session(sess, 1, 1); -+ if (!local_lock) -+ spin_lock_irq(&se_tpg->session_lock); - - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c -index 77c276acccb6..2a61a01142e9 100644 ---- a/drivers/target/iscsi/iscsi_target_nego.c -+++ b/drivers/target/iscsi/iscsi_target_nego.c -@@ -384,6 +384,7 @@ err: - if (login->login_complete) { - if (conn->rx_thread && conn->rx_thread_active) { - send_sig(SIGINT, conn->rx_thread, 1); -+ complete(&conn->rx_login_comp); - kthread_stop(conn->rx_thread); - } - if (conn->tx_thread && conn->tx_thread_active) { -diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 7cb36813aac2..deee2b81afff 100644 ---- a/drivers/tty/pty.c -+++ b/drivers/tty/pty.c -@@ -623,7 +623,14 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty) - /* this is called once with whichever end is closed last */ - static void pty_unix98_shutdown(struct tty_struct *tty) - { -- devpts_kill_index(tty->driver_data, tty->index); -+ struct inode *ptmx_inode; -+ -+ if (tty->driver->subtype == PTY_TYPE_MASTER) -+ ptmx_inode = tty->driver_data; -+ else -+ ptmx_inode = tty->link->driver_data; -+ devpts_kill_index(ptmx_inode, tty->index); -+ devpts_del_ref(ptmx_inode); - } - - static const struct tty_operations ptm_unix98_ops = { -@@ -714,6 +721,18 @@ static int ptmx_open(struct inode *inode, struct file *filp) - set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */ - tty->driver_data = inode; - -+ /* -+ * In the case where all references to ptmx inode are dropped and we -+ * still have /dev/tty opened pointing to the master/slave pair (ptmx -+ * is closed/released before /dev/tty), we must make sure that the inode -+ * is still valid when we call the final pty_unix98_shutdown, thus we -+ * hold an additional reference to the ptmx inode. For the same /dev/tty -+ * last close case, we also need to make sure the super_block isn't -+ * destroyed (devpts instance unmounted), before /dev/tty is closed and -+ * on its release devpts_kill_index is called. -+ */ -+ devpts_add_ref(inode); -+ - tty_add_file(tty, filp); - - slave_inode = devpts_pty_new(inode, -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 9dd6fa3a1260..507677b9bdc7 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1502,7 +1502,9 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) - if (temp == 0xffffffff || (xhci->xhc_state & XHCI_STATE_HALTED)) { - xhci_dbg(xhci, "HW died, freeing TD.\n"); - urb_priv = urb->hcpriv; -- for (i = urb_priv->td_cnt; i < urb_priv->length; i++) { -+ for (i = urb_priv->td_cnt; -+ i < urb_priv->length && xhci->devs[urb->dev->slot_id]; -+ i++) { - td = urb_priv->td[i]; - if (!list_empty(&td->td_list)) - list_del_init(&td->td_list); -diff --git a/fs/aio.c b/fs/aio.c -index ded94c4fa30d..9798d4edfd8f 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat) - - static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb) - { -- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes))) -- return -EFAULT; -+ size_t len = kiocb->ki_nbytes; -+ -+ if (len > MAX_RW_COUNT) -+ len = MAX_RW_COUNT; -+ -+ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len))) -+ return -EFAULT; - - kiocb->ki_iovec = &kiocb->ki_inline_vec; - kiocb->ki_iovec->iov_base = kiocb->ki_buf; -- kiocb->ki_iovec->iov_len = kiocb->ki_nbytes; -+ kiocb->ki_iovec->iov_len = len; - kiocb->ki_nr_segs = 1; - return 0; - } -diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c -index d85f90c92bb4..bca854b44056 100644 ---- a/fs/btrfs/backref.c -+++ b/fs/btrfs/backref.c -@@ -1228,7 +1228,8 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, - read_extent_buffer(eb, dest + bytes_left, - name_off, name_len); - if (eb != eb_in) { -- btrfs_tree_read_unlock_blocking(eb); -+ if (!path->skip_locking) -+ btrfs_tree_read_unlock_blocking(eb); - free_extent_buffer(eb); - } - ret = inode_ref_info(parent, 0, fs_root, path, &found_key); -@@ -1247,9 +1248,10 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path, - eb = path->nodes[0]; - /* make sure we can use eb after releasing the path */ - if (eb != eb_in) { -- atomic_inc(&eb->refs); -- btrfs_tree_read_lock(eb); -- btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); -+ if (!path->skip_locking) -+ btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK); -+ path->nodes[0] = NULL; -+ path->locks[0] = 0; - } - btrfs_release_path(path); - iref = btrfs_item_ptr(eb, slot, struct btrfs_inode_ref); -diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c -index 5c807b23ca67..182e82f22b3a 100644 ---- a/fs/cifs/cifsencrypt.c -+++ b/fs/cifs/cifsencrypt.c -@@ -591,7 +591,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp) - - ses->auth_key.response = kmalloc(baselen + tilen, GFP_KERNEL); - if (!ses->auth_key.response) { -- rc = ENOMEM; -+ rc = -ENOMEM; - ses->auth_key.len = 0; - goto setup_ntlmv2_rsp_ret; - } -diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c -index a726b9f29cb7..61af24e379ad 100644 ---- a/fs/devpts/inode.c -+++ b/fs/devpts/inode.c -@@ -564,6 +564,26 @@ void devpts_kill_index(struct inode *ptmx_inode, int idx) - mutex_unlock(&allocated_ptys_lock); - } - -+/* -+ * pty code needs to hold extra references in case of last /dev/tty close -+ */ -+ -+void devpts_add_ref(struct inode *ptmx_inode) -+{ -+ struct super_block *sb = pts_sb_from_inode(ptmx_inode); -+ -+ atomic_inc(&sb->s_active); -+ ihold(ptmx_inode); -+} -+ -+void devpts_del_ref(struct inode *ptmx_inode) -+{ -+ struct super_block *sb = pts_sb_from_inode(ptmx_inode); -+ -+ iput(ptmx_inode); -+ deactivate_super(sb); -+} -+ - /** - * devpts_pty_new -- create a new inode in /dev/pts/ - * @ptmx_inode: inode of the master -diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c -index fa7d2e668c3a..cf0a70486618 100644 ---- a/fs/ext4/resize.c -+++ b/fs/ext4/resize.c -@@ -181,7 +181,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) - if (flex_gd == NULL) - goto out3; - -- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data)) -+ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data)) - goto out2; - flex_gd->count = flexbg_size; - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 4fafb8484bbc..35f604b5f408 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -993,6 +993,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, - - mark_page_accessed(page); - -+ iov_iter_advance(ii, tmp); - if (!tmp) { - unlock_page(page); - page_cache_release(page); -@@ -1005,7 +1006,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req, - req->page_descs[req->num_pages].length = tmp; - req->num_pages++; - -- iov_iter_advance(ii, tmp); - count += tmp; - pos += tmp; - offset += tmp; -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 78679b489484..d8ac734a1e44 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -1005,6 +1005,7 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s - * Protect the call to nfs4_state_set_mode_locked and - * serialise the stateid update - */ -+ spin_lock(&state->owner->so_lock); - write_seqlock(&state->seqlock); - if (deleg_stateid != NULL) { - nfs4_stateid_copy(&state->stateid, deleg_stateid); -@@ -1013,7 +1014,6 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s - if (open_stateid != NULL) - nfs_set_open_stateid_locked(state, open_stateid, fmode); - write_sequnlock(&state->seqlock); -- spin_lock(&state->owner->so_lock); - update_open_stateflags(state, fmode); - spin_unlock(&state->owner->so_lock); - } -diff --git a/fs/proc/array.c b/fs/proc/array.c -index 09f0d9c374a3..5c45eb5e4e0d 100644 ---- a/fs/proc/array.c -+++ b/fs/proc/array.c -@@ -398,7 +398,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, - - state = *get_task_state(task); - vsize = eip = esp = 0; -- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); -+ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); - mm = get_task_mm(task); - if (mm) { - vsize = task_vsize(mm); -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 8fc784aef0b8..7b5d453ebf53 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -239,7 +239,7 @@ out: - - static int proc_pid_auxv(struct task_struct *task, char *buffer) - { -- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ); -+ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); - int res = PTR_ERR(mm); - if (mm && !IS_ERR(mm)) { - unsigned int nwords = 0; -@@ -269,7 +269,7 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) - wchan = get_wchan(task); - - if (lookup_symbol_name(wchan, symname) < 0) -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - return 0; - else - return sprintf(buffer, "%lu", wchan); -@@ -283,7 +283,7 @@ static int lock_trace(struct task_struct *task) - int err = mutex_lock_killable(&task->signal->cred_guard_mutex); - if (err) - return err; -- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) { -+ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) { - mutex_unlock(&task->signal->cred_guard_mutex); - return -EPERM; - } -@@ -557,7 +557,7 @@ static int proc_fd_access_allowed(struct inode *inode) - */ - task = get_proc_task(inode); - if (task) { -- allowed = ptrace_may_access(task, PTRACE_MODE_READ); -+ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); - put_task_struct(task); - } - return allowed; -@@ -592,7 +592,7 @@ static bool has_pid_permissions(struct pid_namespace *pid, - return true; - if (in_group_p(pid->pid_gid)) - return true; -- return ptrace_may_access(task, PTRACE_MODE_READ); -+ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); - } - - -@@ -707,7 +707,7 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) - if (!task) - return -ESRCH; - -- mm = mm_access(task, mode); -+ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS); - put_task_struct(task); - - if (IS_ERR(mm)) -@@ -1761,7 +1761,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags) - if (!task) - goto out_notask; - -- mm = mm_access(task, PTRACE_MODE_READ); -+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); - if (IS_ERR_OR_NULL(mm)) - goto out; - -@@ -1896,7 +1896,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, - goto out; - - result = ERR_PTR(-EACCES); -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - result = ERR_PTR(-ENOENT); -@@ -1952,7 +1952,7 @@ proc_map_files_readdir(struct file *filp, void *dirent, filldir_t filldir) - goto out; - - ret = -EACCES; -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - ret = 0; -@@ -2488,7 +2488,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) - if (result) - return result; - -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) { -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { - result = -EACCES; - goto out_unlock; - } -diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c -index 54bdc6701e9f..ac49a8d4aaf8 100644 ---- a/fs/proc/namespaces.c -+++ b/fs/proc/namespaces.c -@@ -125,7 +125,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd) - if (!task) - goto out; - -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns.ns_ops); -@@ -158,7 +158,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl - if (!task) - goto out; - -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - - len = -ENOENT; -diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index 789814f27438..5c1120a5fa42 100644 ---- a/fs/udf/inode.c -+++ b/fs/udf/inode.c -@@ -2055,14 +2055,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos, - epos->offset += adsize; - } - -+/* -+ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case -+ * someone does some weird stuff. -+ */ -+#define UDF_MAX_INDIR_EXTS 16 -+ - int8_t udf_next_aext(struct inode *inode, struct extent_position *epos, - struct kernel_lb_addr *eloc, uint32_t *elen, int inc) - { - int8_t etype; -+ unsigned int indirections = 0; - - while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) == - (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) { - int block; -+ -+ if (++indirections > UDF_MAX_INDIR_EXTS) { -+ udf_err(inode->i_sb, -+ "too many indirect extents in inode %lu\n", -+ inode->i_ino); -+ return -1; -+ } -+ - epos->block = *eloc; - epos->offset = sizeof(struct allocExtDesc); - brelse(epos->bh); -diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c -index 44b815e57f94..685fbd8a2937 100644 ---- a/fs/udf/unicode.c -+++ b/fs/udf/unicode.c -@@ -132,11 +132,15 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) - if (c < 0x80U) - utf_o->u_name[utf_o->u_len++] = (uint8_t)c; - else if (c < 0x800U) { -+ if (utf_o->u_len > (UDF_NAME_LEN - 4)) -+ break; - utf_o->u_name[utf_o->u_len++] = - (uint8_t)(0xc0 | (c >> 6)); - utf_o->u_name[utf_o->u_len++] = - (uint8_t)(0x80 | (c & 0x3f)); - } else { -+ if (utf_o->u_len > (UDF_NAME_LEN - 5)) -+ break; - utf_o->u_name[utf_o->u_len++] = - (uint8_t)(0xe0 | (c >> 12)); - utf_o->u_name[utf_o->u_len++] = -@@ -177,17 +181,22 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i) - static int udf_UTF8toCS0(dstring *ocu, struct ustr *utf, int length) - { - unsigned c, i, max_val, utf_char; -- int utf_cnt, u_len; -+ int utf_cnt, u_len, u_ch; - - memset(ocu, 0, sizeof(dstring) * length); - ocu[0] = 8; - max_val = 0xffU; -+ u_ch = 1; - - try_again: - u_len = 0U; - utf_char = 0U; - utf_cnt = 0U; - for (i = 0U; i < utf->u_len; i++) { -+ /* Name didn't fit? */ -+ if (u_len + 1 + u_ch >= length) -+ return 0; -+ - c = (uint8_t)utf->u_name[i]; - - /* Complete a multi-byte UTF-8 character */ -@@ -229,6 +238,7 @@ try_again: - if (max_val == 0xffU) { - max_val = 0xffffU; - ocu[0] = (uint8_t)0x10U; -+ u_ch = 2; - goto try_again; - } - goto error_out; -@@ -281,7 +291,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, - c = (c << 8) | ocu[i++]; - - len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len], -- UDF_NAME_LEN - utf_o->u_len); -+ UDF_NAME_LEN - 2 - utf_o->u_len); - /* Valid character? */ - if (len >= 0) - utf_o->u_len += len; -@@ -299,15 +309,19 @@ static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni, - int len; - unsigned i, max_val; - uint16_t uni_char; -- int u_len; -+ int u_len, u_ch; - - memset(ocu, 0, sizeof(dstring) * length); - ocu[0] = 8; - max_val = 0xffU; -+ u_ch = 1; - - try_again: - u_len = 0U; - for (i = 0U; i < uni->u_len; i++) { -+ /* Name didn't fit? */ -+ if (u_len + 1 + u_ch >= length) -+ return 0; - len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char); - if (!len) - continue; -@@ -320,6 +334,7 @@ try_again: - if (uni_char > max_val) { - max_val = 0xffffU; - ocu[0] = (uint8_t)0x10U; -+ u_ch = 2; - goto try_again; - } - -diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index a2329c5e6206..a2ce6f8871c4 100644 ---- a/include/linux/compiler.h -+++ b/include/linux/compiler.h -@@ -131,7 +131,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); - */ - #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) ) - #define __trace_if(cond) \ -- if (__builtin_constant_p((cond)) ? !!(cond) : \ -+ if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ - ({ \ - int ______r; \ - static struct ftrace_branch_data \ -diff --git a/include/linux/devpts_fs.h b/include/linux/devpts_fs.h -index 251a2090a554..e0ee0b3000b2 100644 ---- a/include/linux/devpts_fs.h -+++ b/include/linux/devpts_fs.h -@@ -19,6 +19,8 @@ - - int devpts_new_index(struct inode *ptmx_inode); - void devpts_kill_index(struct inode *ptmx_inode, int idx); -+void devpts_add_ref(struct inode *ptmx_inode); -+void devpts_del_ref(struct inode *ptmx_inode); - /* mknod in devpts */ - struct inode *devpts_pty_new(struct inode *ptmx_inode, dev_t device, int index, - void *priv); -@@ -32,6 +34,8 @@ void devpts_pty_kill(struct inode *inode); - /* Dummy stubs in the no-pty case */ - static inline int devpts_new_index(struct inode *ptmx_inode) { return -EINVAL; } - static inline void devpts_kill_index(struct inode *ptmx_inode, int idx) { } -+static inline void devpts_add_ref(struct inode *ptmx_inode) { } -+static inline void devpts_del_ref(struct inode *ptmx_inode) { } - static inline struct inode *devpts_pty_new(struct inode *ptmx_inode, - dev_t device, int index, void *priv) - { -diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h -index bb980ae6d9d3..6af8988f5ddd 100644 ---- a/include/linux/ptrace.h -+++ b/include/linux/ptrace.h -@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer); - #define PTRACE_MODE_READ 0x01 - #define PTRACE_MODE_ATTACH 0x02 - #define PTRACE_MODE_NOAUDIT 0x04 --/* Returns true on success, false on denial. */ -+#define PTRACE_MODE_FSCREDS 0x08 -+#define PTRACE_MODE_REALCREDS 0x10 -+ -+/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ -+#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) -+#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) -+#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) -+#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) -+ -+/** -+ * ptrace_may_access - check whether the caller is permitted to access -+ * a target task. -+ * @task: target task -+ * @mode: selects type of access and caller credentials -+ * -+ * Returns true on success, false on denial. -+ * -+ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must -+ * be set in @mode to specify whether the access was requested through -+ * a filesystem syscall (should use effective capabilities and fsuid -+ * of the caller) or through an explicit syscall such as -+ * process_vm_writev or ptrace (and should use the real credentials). -+ */ - extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); - - static inline int ptrace_reparented(struct task_struct *child) -diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h -index ffc444c38b0a..e02e09f85fad 100644 ---- a/include/linux/radix-tree.h -+++ b/include/linux/radix-tree.h -@@ -322,12 +322,28 @@ void **radix_tree_next_chunk(struct radix_tree_root *root, - struct radix_tree_iter *iter, unsigned flags); - - /** -+ * radix_tree_iter_retry - retry this chunk of the iteration -+ * @iter: iterator state -+ * -+ * If we iterate over a tree protected only by the RCU lock, a race -+ * against deletion or creation may result in seeing a slot for which -+ * radix_tree_deref_retry() returns true. If so, call this function -+ * and continue the iteration. -+ */ -+static inline __must_check -+void **radix_tree_iter_retry(struct radix_tree_iter *iter) -+{ -+ iter->next_index = iter->index; -+ return NULL; -+} -+ -+/** - * radix_tree_chunk_size - get current chunk size - * - * @iter: pointer to radix tree iterator - * Returns: current chunk size - */ --static __always_inline unsigned -+static __always_inline long - radix_tree_chunk_size(struct radix_tree_iter *iter) - { - return iter->next_index - iter->index; -@@ -361,9 +377,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags) - return slot + offset + 1; - } - } else { -- unsigned size = radix_tree_chunk_size(iter) - 1; -+ long size = radix_tree_chunk_size(iter); - -- while (size--) { -+ while (--size > 0) { - slot++; - iter->index++; - if (likely(*slot)) -diff --git a/kernel/events/core.c b/kernel/events/core.c -index d9b0aad17dbf..0f5207839673 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -2938,7 +2938,7 @@ find_lively_task_by_vpid(pid_t vpid) - - /* Reuse ptrace permission checks for now. */ - err = -EACCES; -- if (!ptrace_may_access(task, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) - goto errout; - - return task; -@@ -5639,6 +5639,10 @@ static int perf_tp_filter_match(struct perf_event *event, - { - void *record = data->raw->data; - -+ /* only top level events have filters set */ -+ if (event->parent) -+ event = event->parent; -+ - if (likely(!event->filter) || filter_match_preds(event->filter, record)) - return 1; - return 0; -diff --git a/kernel/futex.c b/kernel/futex.c -index 625a4e659e7a..edc4beae4df1 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -2494,6 +2494,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - if (q.pi_state && (q.pi_state->owner != current)) { - spin_lock(q.lock_ptr); - ret = fixup_pi_state_owner(uaddr2, &q, current); -+ /* -+ * Drop the reference to the pi state which -+ * the requeue_pi() code acquired for us. -+ */ -+ free_pi_state(q.pi_state); - spin_unlock(q.lock_ptr); - } - } else { -@@ -2620,7 +2625,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, - } - - ret = -EPERM; -- if (!ptrace_may_access(p, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) - goto err_unlock; - - head = p->robust_list; -diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c -index f9f44fd4d34d..3888617a1f9e 100644 ---- a/kernel/futex_compat.c -+++ b/kernel/futex_compat.c -@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, - } - - ret = -EPERM; -- if (!ptrace_may_access(p, PTRACE_MODE_READ)) -+ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) - goto err_unlock; - - head = p->compat_robust_list; -diff --git a/kernel/kcmp.c b/kernel/kcmp.c -index 0aa69ea1d8fd..3a47fa998fe0 100644 ---- a/kernel/kcmp.c -+++ b/kernel/kcmp.c -@@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, - &task2->signal->cred_guard_mutex); - if (ret) - goto err; -- if (!ptrace_may_access(task1, PTRACE_MODE_READ) || -- !ptrace_may_access(task2, PTRACE_MODE_READ)) { -+ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) || -+ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) { - ret = -EPERM; - goto err_unlock; - } -diff --git a/kernel/module.c b/kernel/module.c -index fd2afdf48a89..70a4754c001f 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3398,6 +3398,11 @@ static inline int is_arm_mapping_symbol(const char *str) - && (str[2] == '\0' || str[2] == '.'); - } - -+static const char *symname(struct module *mod, unsigned int symnum) -+{ -+ return mod->strtab + mod->symtab[symnum].st_name; -+} -+ - static const char *get_ksymbol(struct module *mod, - unsigned long addr, - unsigned long *size, -@@ -3420,15 +3425,15 @@ static const char *get_ksymbol(struct module *mod, - - /* We ignore unnamed symbols: they're uninformative - * and inserted at a whim. */ -+ if (*symname(mod, i) == '\0' -+ || is_arm_mapping_symbol(symname(mod, i))) -+ continue; -+ - if (mod->symtab[i].st_value <= addr -- && mod->symtab[i].st_value > mod->symtab[best].st_value -- && *(mod->strtab + mod->symtab[i].st_name) != '\0' -- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) -+ && mod->symtab[i].st_value > mod->symtab[best].st_value) - best = i; - if (mod->symtab[i].st_value > addr -- && mod->symtab[i].st_value < nextval -- && *(mod->strtab + mod->symtab[i].st_name) != '\0' -- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name)) -+ && mod->symtab[i].st_value < nextval) - nextval = mod->symtab[i].st_value; - } - -@@ -3439,7 +3444,7 @@ static const char *get_ksymbol(struct module *mod, - *size = nextval - mod->symtab[best].st_value; - if (offset) - *offset = addr - mod->symtab[best].st_value; -- return mod->strtab + mod->symtab[best].st_name; -+ return symname(mod, best); - } - - /* For kallsyms to ask for address resolution. NULL means not found. Careful -@@ -3540,8 +3545,7 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, - if (symnum < mod->num_symtab) { - *value = mod->symtab[symnum].st_value; - *type = mod->symtab[symnum].st_info; -- strlcpy(name, mod->strtab + mod->symtab[symnum].st_name, -- KSYM_NAME_LEN); -+ strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); - strlcpy(module_name, mod->name, MODULE_NAME_LEN); - *exported = is_exported(name, *value, mod); - preempt_enable(); -@@ -3558,7 +3562,7 @@ static unsigned long mod_find_symname(struct module *mod, const char *name) - unsigned int i; - - for (i = 0; i < mod->num_symtab; i++) -- if (strcmp(name, mod->strtab+mod->symtab[i].st_name) == 0 && -+ if (strcmp(name, symname(mod, i)) == 0 && - mod->symtab[i].st_info != 'U') - return mod->symtab[i].st_value; - return 0; -@@ -3602,7 +3606,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, - if (mod->state == MODULE_STATE_UNFORMED) - continue; - for (i = 0; i < mod->num_symtab; i++) { -- ret = fn(data, mod->strtab + mod->symtab[i].st_name, -+ ret = fn(data, symname(mod, i), - mod, mod->symtab[i].st_value); - if (ret != 0) - return ret; -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 30ab20623bca..72b0b3e0e065 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -+ int dumpable = 0; -+ kuid_t caller_uid; -+ kgid_t caller_gid; -+ -+ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { -+ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); -+ return -EPERM; -+ } - - /* May we inspect the given task? - * This check is used both for attaching with ptrace -@@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - * because setting up the necessary parent/child relationship - * or halting the specified task is impossible. - */ -- int dumpable = 0; -+ - /* Don't let security modules deny introspection */ - if (same_thread_group(task, current)) - return 0; - rcu_read_lock(); -+ if (mode & PTRACE_MODE_FSCREDS) { -+ caller_uid = cred->fsuid; -+ caller_gid = cred->fsgid; -+ } else { -+ /* -+ * Using the euid would make more sense here, but something -+ * in userland might rely on the old behavior, and this -+ * shouldn't be a security problem since -+ * PTRACE_MODE_REALCREDS implies that the caller explicitly -+ * used a syscall that requests access to another process -+ * (and not a filesystem syscall to procfs). -+ */ -+ caller_uid = cred->uid; -+ caller_gid = cred->gid; -+ } - tcred = __task_cred(task); -- if (uid_eq(cred->uid, tcred->euid) && -- uid_eq(cred->uid, tcred->suid) && -- uid_eq(cred->uid, tcred->uid) && -- gid_eq(cred->gid, tcred->egid) && -- gid_eq(cred->gid, tcred->sgid) && -- gid_eq(cred->gid, tcred->gid)) -+ if (uid_eq(caller_uid, tcred->euid) && -+ uid_eq(caller_uid, tcred->suid) && -+ uid_eq(caller_uid, tcred->uid) && -+ gid_eq(caller_gid, tcred->egid) && -+ gid_eq(caller_gid, tcred->sgid) && -+ gid_eq(caller_gid, tcred->gid)) - goto ok; - if (ptrace_has_cap(tcred->user_ns, mode)) - goto ok; -@@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request, - goto out; - - task_lock(task); -- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH); -+ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); - task_unlock(task); - if (retval) - goto unlock_creds; -diff --git a/lib/dma-debug.c b/lib/dma-debug.c -index d87a17a819d0..eb43517bf261 100644 ---- a/lib/dma-debug.c -+++ b/lib/dma-debug.c -@@ -962,7 +962,7 @@ static inline bool overlap(void *addr, unsigned long len, void *start, void *end - - static void check_for_illegal_area(struct device *dev, void *addr, unsigned long len) - { -- if (overlap(addr, len, _text, _etext) || -+ if (overlap(addr, len, _stext, _etext) || - overlap(addr, len, __start_rodata, __end_rodata)) - err_printk(dev, NULL, "DMA-API: device driver maps memory from kernel text or rodata [addr=%p] [len=%lu]\n", addr, len); - } -diff --git a/lib/klist.c b/lib/klist.c -index 358a368a2947..2e59aecbec0d 100644 ---- a/lib/klist.c -+++ b/lib/klist.c -@@ -282,9 +282,9 @@ void klist_iter_init_node(struct klist *k, struct klist_iter *i, - struct klist_node *n) - { - i->i_klist = k; -- i->i_cur = n; -- if (n) -- kref_get(&n->n_ref); -+ i->i_cur = NULL; -+ if (n && kref_get_unless_zero(&n->n_ref)) -+ i->i_cur = n; - } - EXPORT_SYMBOL_GPL(klist_iter_init_node); - -diff --git a/lib/radix-tree.c b/lib/radix-tree.c -index e7964296fd50..936a02c1c77b 100644 ---- a/lib/radix-tree.c -+++ b/lib/radix-tree.c -@@ -1015,9 +1015,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results, - return 0; - - radix_tree_for_each_slot(slot, root, &iter, first_index) { -- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); -+ results[ret] = rcu_dereference_raw(*slot); - if (!results[ret]) - continue; -+ if (radix_tree_is_indirect_ptr(results[ret])) { -+ slot = radix_tree_iter_retry(&iter); -+ continue; -+ } - if (++ret == max_items) - break; - } -@@ -1094,9 +1098,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results, - return 0; - - radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) { -- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot)); -+ results[ret] = rcu_dereference_raw(*slot); - if (!results[ret]) - continue; -+ if (radix_tree_is_indirect_ptr(results[ret])) { -+ slot = radix_tree_iter_retry(&iter); -+ continue; -+ } - if (++ret == max_items) - break; - } -diff --git a/mm/memcontrol.c b/mm/memcontrol.c -index eaa3accb01e7..437ae2cbe102 100644 ---- a/mm/memcontrol.c -+++ b/mm/memcontrol.c -@@ -5790,16 +5790,17 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp, - swap_buffers: - /* Swap primary and spare array */ - thresholds->spare = thresholds->primary; -- /* If all events are unregistered, free the spare array */ -- if (!new) { -- kfree(thresholds->spare); -- thresholds->spare = NULL; -- } - - rcu_assign_pointer(thresholds->primary, new); - - /* To be sure that nobody uses thresholds */ - synchronize_rcu(); -+ -+ /* If all events are unregistered, free the spare array */ -+ if (!new) { -+ kfree(thresholds->spare); -+ thresholds->spare = NULL; -+ } - unlock: - mutex_unlock(&memcg->thresholds_lock); - } -diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index f97d709594e6..37df20faddd5 100644 ---- a/mm/memory-failure.c -+++ b/mm/memory-failure.c -@@ -1472,7 +1472,7 @@ static int get_any_page(struct page *page, unsigned long pfn, int flags) - * Did it turn free? - */ - ret = __get_any_page(page, pfn, 0); -- if (!PageLRU(page)) { -+ if (ret == 1 && !PageLRU(page)) { - /* Drop page reference which is from __get_any_page() */ - put_page(page); - pr_info("soft_offline: %#lx: unknown non LRU page type %lx\n", -diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c -index d85d3a0e06ce..7f1bf93fa87f 100644 ---- a/mm/memory_hotplug.c -+++ b/mm/memory_hotplug.c -@@ -1209,23 +1209,30 @@ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) - */ - static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn) - { -- unsigned long pfn; -+ unsigned long pfn, sec_end_pfn; - struct zone *zone = NULL; - struct page *page; - int i; -- for (pfn = start_pfn; -+ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn); - pfn < end_pfn; -- pfn += MAX_ORDER_NR_PAGES) { -- i = 0; -- /* This is just a CONFIG_HOLES_IN_ZONE check.*/ -- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i)) -- i++; -- if (i == MAX_ORDER_NR_PAGES) -+ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) { -+ /* Make sure the memory section is present first */ -+ if (!present_section_nr(pfn_to_section_nr(pfn))) - continue; -- page = pfn_to_page(pfn + i); -- if (zone && page_zone(page) != zone) -- return 0; -- zone = page_zone(page); -+ for (; pfn < sec_end_pfn && pfn < end_pfn; -+ pfn += MAX_ORDER_NR_PAGES) { -+ i = 0; -+ /* This is just a CONFIG_HOLES_IN_ZONE check.*/ -+ while ((i < MAX_ORDER_NR_PAGES) && -+ !pfn_valid_within(pfn + i)) -+ i++; -+ if (i == MAX_ORDER_NR_PAGES) -+ continue; -+ page = pfn_to_page(pfn + i); -+ if (zone && page_zone(page) != zone) -+ return 0; -+ zone = page_zone(page); -+ } - } - return 1; - } -diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c -index fd26d0433509..e739825be8b3 100644 ---- a/mm/process_vm_access.c -+++ b/mm/process_vm_access.c -@@ -298,7 +298,7 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec, - goto free_proc_pages; - } - -- mm = mm_access(task, PTRACE_MODE_ATTACH); -+ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS); - if (!mm || IS_ERR(mm)) { - rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; - /* -diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c -index 9ec416552cc5..8d69df16f6a8 100644 ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -336,7 +336,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id) - - static void ip6mr_free_table(struct mr6_table *mrt) - { -- del_timer(&mrt->ipmr_expire_timer); -+ del_timer_sync(&mrt->ipmr_expire_timer); - mroute_clean_tables(mrt, true); - kfree(mrt); - } -diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter -index 6129020c41a9..81228a443122 100755 ---- a/scripts/bloat-o-meter -+++ b/scripts/bloat-o-meter -@@ -55,8 +55,8 @@ for name in common: - delta.sort() - delta.reverse() - --print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ -- (add, remove, grow, shrink, up, -down, up-down) --print "%-40s %7s %7s %+7s" % ("function", "old", "new", "delta") -+print("add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ -+ (add, remove, grow, shrink, up, -down, up-down)) -+print("%-40s %7s %7s %+7s" % ("function", "old", "new", "delta")) - for d, n in delta: -- if d: print "%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d) -+ if d: print("%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d)) -diff --git a/security/commoncap.c b/security/commoncap.c -index c9219a66b7c6..4fd7bf2b19e1 100644 ---- a/security/commoncap.c -+++ b/security/commoncap.c -@@ -142,12 +142,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) - { - int ret = 0; - const struct cred *cred, *child_cred; -+ const kernel_cap_t *caller_caps; - - rcu_read_lock(); - cred = current_cred(); - child_cred = __task_cred(child); -+ if (mode & PTRACE_MODE_FSCREDS) -+ caller_caps = &cred->cap_effective; -+ else -+ caller_caps = &cred->cap_permitted; - if (cred->user_ns == child_cred->user_ns && -- cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) -+ cap_issubset(child_cred->cap_permitted, *caller_caps)) - goto out; - if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) - goto out; -diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c -index 67c91d226552..ee0522a8f730 100644 ---- a/sound/core/seq/seq_ports.c -+++ b/sound/core/seq/seq_ports.c -@@ -540,19 +540,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client, - bool is_src, bool ack) - { - struct snd_seq_port_subs_info *grp; -+ struct list_head *list; -+ bool empty; - - grp = is_src ? &port->c_src : &port->c_dest; -+ list = is_src ? &subs->src_list : &subs->dest_list; - down_write(&grp->list_mutex); - write_lock_irq(&grp->list_lock); -- if (is_src) -- list_del(&subs->src_list); -- else -- list_del(&subs->dest_list); -+ empty = list_empty(list); -+ if (!empty) -+ list_del_init(list); - grp->exclusive = 0; - write_unlock_irq(&grp->list_lock); - up_write(&grp->list_mutex); - -- unsubscribe_port(client, port, grp, &subs->info, ack); -+ if (!empty) -+ unsubscribe_port(client, port, grp, &subs->info, ack); - } - - /* connect two ports */ -diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c -index 82b0606dcb8a..c3efcf2f816b 100644 ---- a/tools/lib/traceevent/event-parse.c -+++ b/tools/lib/traceevent/event-parse.c -@@ -4190,13 +4190,12 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event - sizeof(long) != 8) { - char *p; - -- ls = 2; - /* make %l into %ll */ -- p = strchr(format, 'l'); -- if (p) -+ if (ls == 1 && (p = strchr(format, 'l'))) - memmove(p+1, p, strlen(p)+1); - else if (strcmp(format, "%p") == 0) - strcpy(format, "0x%llx"); -+ ls = 2; - } - switch (ls) { - case -2: diff --git a/patch/kernel/odroidxu4-default/1-patch-3.10.98-99.patch b/patch/kernel/odroidxu4-default/1-patch-3.10.98-99.patch deleted file mode 100644 index e405e5ac5..000000000 --- a/patch/kernel/odroidxu4-default/1-patch-3.10.98-99.patch +++ /dev/null @@ -1,2573 +0,0 @@ -diff --git a/Makefile b/Makefile -index dadd1edc6f84..f1e6491fd7d8 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 98 -+SUBLEVEL = 99 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c -index a8d02223da44..14558a9fa3b3 100644 ---- a/arch/arc/kernel/unwind.c -+++ b/arch/arc/kernel/unwind.c -@@ -984,42 +984,13 @@ int arc_unwind(struct unwind_frame_info *frame) - (const u8 *)(fde + - 1) + - *fde, ptrType); -- if (pc >= endLoc) -+ if (pc >= endLoc) { - fde = NULL; -- } else -- fde = NULL; -- } -- if (fde == NULL) { -- for (fde = table->address, tableSize = table->size; -- cie = NULL, tableSize > sizeof(*fde) -- && tableSize - sizeof(*fde) >= *fde; -- tableSize -= sizeof(*fde) + *fde, -- fde += 1 + *fde / sizeof(*fde)) { -- cie = cie_for_fde(fde, table); -- if (cie == &bad_cie) { - cie = NULL; -- break; - } -- if (cie == NULL -- || cie == ¬_fde -- || (ptrType = fde_pointer_type(cie)) < 0) -- continue; -- ptr = (const u8 *)(fde + 2); -- startLoc = read_pointer(&ptr, -- (const u8 *)(fde + 1) + -- *fde, ptrType); -- if (!startLoc) -- continue; -- if (!(ptrType & DW_EH_PE_indirect)) -- ptrType &= -- DW_EH_PE_FORM | DW_EH_PE_signed; -- endLoc = -- startLoc + read_pointer(&ptr, -- (const u8 *)(fde + -- 1) + -- *fde, ptrType); -- if (pc >= startLoc && pc < endLoc) -- break; -+ } else { -+ fde = NULL; -+ cie = NULL; - } - } - } -diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S -index 920b63210806..34c35f0e3290 100644 ---- a/arch/mips/kvm/kvm_locore.S -+++ b/arch/mips/kvm/kvm_locore.S -@@ -156,9 +156,11 @@ FEXPORT(__kvm_mips_vcpu_run) - - FEXPORT(__kvm_mips_load_asid) - /* Set the ASID for the Guest Kernel */ -- sll t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ -- /* addresses shift to 0x80000000 */ -- bltz t0, 1f /* If kernel */ -+ PTR_L t0, VCPU_COP0(k1) -+ LONG_L t0, COP0_STATUS(t0) -+ andi t0, KSU_USER | ST0_ERL | ST0_EXL -+ xori t0, KSU_USER -+ bnez t0, 1f /* If kernel */ - addiu t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ - addiu t1, k1, VCPU_GUEST_USER_ASID /* else user */ - 1: -@@ -442,9 +444,11 @@ __kvm_mips_return_to_guest: - mtc0 t0, CP0_EPC - - /* Set the ASID for the Guest Kernel */ -- sll t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ -- /* addresses shift to 0x80000000 */ -- bltz t0, 1f /* If kernel */ -+ PTR_L t0, VCPU_COP0(k1) -+ LONG_L t0, COP0_STATUS(t0) -+ andi t0, KSU_USER | ST0_ERL | ST0_EXL -+ xori t0, KSU_USER -+ bnez t0, 1f /* If kernel */ - addiu t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ - addiu t1, k1, VCPU_GUEST_USER_ASID /* else user */ - 1: -diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c -index 843ec38fec7b..8aa5f30d8579 100644 ---- a/arch/mips/kvm/kvm_mips.c -+++ b/arch/mips/kvm/kvm_mips.c -@@ -308,7 +308,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) - - if (!gebase) { - err = -ENOMEM; -- goto out_free_cpu; -+ goto out_uninit_cpu; - } - kvm_info("Allocated %d bytes for KVM Exception Handlers @ %p\n", - ALIGN(size, PAGE_SIZE), gebase); -@@ -368,6 +368,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) - out_free_gebase: - kfree(gebase); - -+out_uninit_cpu: -+ kvm_vcpu_uninit(vcpu); -+ - out_free_cpu: - kfree(vcpu); - -diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c -index c76f297b7149..33085819cd89 100644 ---- a/arch/mips/kvm/kvm_mips_emul.c -+++ b/arch/mips/kvm/kvm_mips_emul.c -@@ -935,7 +935,7 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause, - - base = (inst >> 21) & 0x1f; - op_inst = (inst >> 16) & 0x1f; -- offset = inst & 0xffff; -+ offset = (int16_t)inst; - cache = (inst >> 16) & 0x3; - op = (inst >> 18) & 0x7; - -diff --git a/arch/s390/mm/extable.c b/arch/s390/mm/extable.c -index 4d1ee88864e8..18c8b819b0aa 100644 ---- a/arch/s390/mm/extable.c -+++ b/arch/s390/mm/extable.c -@@ -52,12 +52,16 @@ void sort_extable(struct exception_table_entry *start, - int i; - - /* Normalize entries to being relative to the start of the section */ -- for (p = start, i = 0; p < finish; p++, i += 8) -+ for (p = start, i = 0; p < finish; p++, i += 8) { - p->insn += i; -+ p->fixup += i + 4; -+ } - sort(start, finish - start, sizeof(*start), cmp_ex, NULL); - /* Denormalize all entries */ -- for (p = start, i = 0; p < finish; p++, i += 8) -+ for (p = start, i = 0; p < finish; p++, i += 8) { - p->insn -= i; -+ p->fixup -= i + 4; -+ } - } - - #ifdef CONFIG_MODULES -diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index be8db9bb7878..666510b39870 100644 ---- a/arch/sparc/kernel/sys_sparc_64.c -+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -416,7 +416,7 @@ out: - - SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality) - { -- int ret; -+ long ret; - - if (personality(current->personality) == PER_LINUX32 && - personality(personality) == PER_LINUX) -diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c -index 337518c5042a..b412c62486f0 100644 ---- a/arch/um/os-Linux/start_up.c -+++ b/arch/um/os-Linux/start_up.c -@@ -95,6 +95,8 @@ static int start_ptraced_child(void) - { - int pid, n, status; - -+ fflush(stdout); -+ - pid = fork(); - if (pid == 0) - ptrace_child(); -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 6033be9ff81a..3c8bffdc71c8 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -250,12 +250,19 @@ static efi_status_t __init phys_efi_set_virtual_address_map( - efi_memory_desc_t *virtual_map) - { - efi_status_t status; -+ unsigned long flags; - - efi_call_phys_prelog(); -+ -+ /* Disable interrupts around EFI calls: */ -+ local_irq_save(flags); - status = efi_call_phys4(efi_phys.set_virtual_address_map, - memory_map_size, descriptor_size, - descriptor_version, virtual_map); -+ local_irq_restore(flags); -+ - efi_call_phys_epilog(); -+ - return status; - } - -diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c -index 40e446941dd7..bebbee05e331 100644 ---- a/arch/x86/platform/efi/efi_32.c -+++ b/arch/x86/platform/efi/efi_32.c -@@ -33,19 +33,16 @@ - - /* - * To make EFI call EFI runtime service in physical addressing mode we need -- * prelog/epilog before/after the invocation to disable interrupt, to -- * claim EFI runtime service handler exclusively and to duplicate a memory in -- * low memory space say 0 - 3G. -+ * prolog/epilog before/after the invocation to claim the EFI runtime service -+ * handler exclusively and to duplicate a memory mapping in low memory space, -+ * say 0 - 3G. - */ - --static unsigned long efi_rt_eflags; - - void efi_call_phys_prelog(void) - { - struct desc_ptr gdt_descr; - -- local_irq_save(efi_rt_eflags); -- - load_cr3(initial_page_table); - __flush_tlb_all(); - -@@ -64,6 +61,4 @@ void efi_call_phys_epilog(void) - - load_cr3(swapper_pg_dir); - __flush_tlb_all(); -- -- local_irq_restore(efi_rt_eflags); - } -diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c -index 39a0e7f1f0a3..2f6c1a9734c8 100644 ---- a/arch/x86/platform/efi/efi_64.c -+++ b/arch/x86/platform/efi/efi_64.c -@@ -40,7 +40,6 @@ - #include - - static pgd_t *save_pgd __initdata; --static unsigned long efi_flags __initdata; - - static void __init early_code_mapping_set_exec(int executable) - { -@@ -66,7 +65,6 @@ void __init efi_call_phys_prelog(void) - int n_pgds; - - early_code_mapping_set_exec(1); -- local_irq_save(efi_flags); - - n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE); - save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL); -@@ -90,7 +88,6 @@ void __init efi_call_phys_epilog(void) - set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); - kfree(save_pgd); - __flush_tlb_all(); -- local_irq_restore(efi_flags); - early_code_mapping_set_exec(0); - } - -diff --git a/block/partitions/mac.c b/block/partitions/mac.c -index 76d8ba6379a9..bd5b91465230 100644 ---- a/block/partitions/mac.c -+++ b/block/partitions/mac.c -@@ -32,7 +32,7 @@ int mac_partition(struct parsed_partitions *state) - Sector sect; - unsigned char *data; - int slot, blocks_in_map; -- unsigned secsize; -+ unsigned secsize, datasize, partoffset; - #ifdef CONFIG_PPC_PMAC - int found_root = 0; - int found_root_goodness = 0; -@@ -50,10 +50,14 @@ int mac_partition(struct parsed_partitions *state) - } - secsize = be16_to_cpu(md->block_size); - put_dev_sector(sect); -- data = read_part_sector(state, secsize/512, §); -+ datasize = round_down(secsize, 512); -+ data = read_part_sector(state, datasize / 512, §); - if (!data) - return -1; -- part = (struct mac_partition *) (data + secsize%512); -+ partoffset = secsize % 512; -+ if (partoffset + sizeof(*part) > datasize) -+ return -1; -+ part = (struct mac_partition *) (data + partoffset); - if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { - put_dev_sector(sect); - return 0; /* not a MacOS disk */ -diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c -index 136803c47cdb..96e5ed188636 100644 ---- a/drivers/ata/libata-sff.c -+++ b/drivers/ata/libata-sff.c -@@ -997,12 +997,9 @@ static inline int ata_hsm_ok_in_wq(struct ata_port *ap, - static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) - { - struct ata_port *ap = qc->ap; -- unsigned long flags; - - if (ap->ops->error_handler) { - if (in_wq) { -- spin_lock_irqsave(ap->lock, flags); -- - /* EH might have kicked in while host lock is - * released. - */ -@@ -1014,8 +1011,6 @@ static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) - } else - ata_port_freeze(ap); - } -- -- spin_unlock_irqrestore(ap->lock, flags); - } else { - if (likely(!(qc->err_mask & AC_ERR_HSM))) - ata_qc_complete(qc); -@@ -1024,10 +1019,8 @@ static void ata_hsm_qc_complete(struct ata_queued_cmd *qc, int in_wq) - } - } else { - if (in_wq) { -- spin_lock_irqsave(ap->lock, flags); - ata_sff_irq_on(ap); - ata_qc_complete(qc); -- spin_unlock_irqrestore(ap->lock, flags); - } else - ata_qc_complete(qc); - } -@@ -1048,9 +1041,10 @@ int ata_sff_hsm_move(struct ata_port *ap, struct ata_queued_cmd *qc, - { - struct ata_link *link = qc->dev->link; - struct ata_eh_info *ehi = &link->eh_info; -- unsigned long flags = 0; - int poll_next; - -+ lockdep_assert_held(ap->lock); -+ - WARN_ON_ONCE((qc->flags & ATA_QCFLAG_ACTIVE) == 0); - - /* Make sure ata_sff_qc_issue() does not throw things -@@ -1112,14 +1106,6 @@ fsm_start: - } - } - -- /* Send the CDB (atapi) or the first data block (ata pio out). -- * During the state transition, interrupt handler shouldn't -- * be invoked before the data transfer is complete and -- * hsm_task_state is changed. Hence, the following locking. -- */ -- if (in_wq) -- spin_lock_irqsave(ap->lock, flags); -- - if (qc->tf.protocol == ATA_PROT_PIO) { - /* PIO data out protocol. - * send first data block. -@@ -1135,9 +1121,6 @@ fsm_start: - /* send CDB */ - atapi_send_cdb(ap, qc); - -- if (in_wq) -- spin_unlock_irqrestore(ap->lock, flags); -- - /* if polling, ata_sff_pio_task() handles the rest. - * otherwise, interrupt handler takes over from here. - */ -@@ -1361,12 +1344,14 @@ static void ata_sff_pio_task(struct work_struct *work) - u8 status; - int poll_next; - -+ spin_lock_irq(ap->lock); -+ - BUG_ON(ap->sff_pio_task_link == NULL); - /* qc can be NULL if timeout occurred */ - qc = ata_qc_from_tag(ap, link->active_tag); - if (!qc) { - ap->sff_pio_task_link = NULL; -- return; -+ goto out_unlock; - } - - fsm_start: -@@ -1381,11 +1366,14 @@ fsm_start: - */ - status = ata_sff_busy_wait(ap, ATA_BUSY, 5); - if (status & ATA_BUSY) { -+ spin_unlock_irq(ap->lock); - ata_msleep(ap, 2); -+ spin_lock_irq(ap->lock); -+ - status = ata_sff_busy_wait(ap, ATA_BUSY, 10); - if (status & ATA_BUSY) { - ata_sff_queue_pio_task(link, ATA_SHORT_PAUSE); -- return; -+ goto out_unlock; - } - } - -@@ -1402,6 +1390,8 @@ fsm_start: - */ - if (poll_next) - goto fsm_start; -+out_unlock: -+ spin_unlock_irq(ap->lock); - } - - /** -diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c -index dd1faa564eb2..cdfb98e70cfd 100644 ---- a/drivers/ata/sata_sil.c -+++ b/drivers/ata/sata_sil.c -@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_device *dev) - unsigned int n, quirks = 0; - unsigned char model_num[ATA_ID_PROD_LEN + 1]; - -+ /* This controller doesn't support trim */ -+ dev->horkage |= ATA_HORKAGE_NOTRIM; -+ - ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); - - for (n = 0; sil_blacklist[n].product; n++) -diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/vt8500_timer.c -index 64f553f04fa4..5874ebf9dced 100644 ---- a/drivers/clocksource/vt8500_timer.c -+++ b/drivers/clocksource/vt8500_timer.c -@@ -50,6 +50,8 @@ - - #define msecs_to_loops(t) (loops_per_jiffy / 1000 * HZ * t) - -+#define MIN_OSCR_DELTA 16 -+ - static void __iomem *regbase; - - static cycle_t vt8500_timer_read(struct clocksource *cs) -@@ -80,7 +82,7 @@ static int vt8500_timer_set_next_event(unsigned long cycles, - cpu_relax(); - writel((unsigned long)alarm, regbase + TIMER_MATCH_VAL); - -- if ((signed)(alarm - clocksource.read(&clocksource)) <= 16) -+ if ((signed)(alarm - clocksource.read(&clocksource)) <= MIN_OSCR_DELTA) - return -ETIME; - - writel(1, regbase + TIMER_IER_VAL); -@@ -162,7 +164,7 @@ static void __init vt8500_timer_init(struct device_node *np) - pr_err("%s: setup_irq failed for %s\n", __func__, - clockevent.name); - clockevents_config_and_register(&clockevent, VT8500_TIMER_HZ, -- 4, 0xf0000000); -+ MIN_OSCR_DELTA * 2, 0xf0000000); - } - - CLOCKSOURCE_OF_DECLARE(vt8500, "via,vt8500-timer", vt8500_timer_init); -diff --git a/drivers/gpu/drm/ast/ast_drv.h b/drivers/gpu/drm/ast/ast_drv.h -index b6b7d70f2832..5cfc1765af74 100644 ---- a/drivers/gpu/drm/ast/ast_drv.h -+++ b/drivers/gpu/drm/ast/ast_drv.h -@@ -296,6 +296,7 @@ int ast_framebuffer_init(struct drm_device *dev, - int ast_fbdev_init(struct drm_device *dev); - void ast_fbdev_fini(struct drm_device *dev); - void ast_fbdev_set_suspend(struct drm_device *dev, int state); -+void ast_fbdev_set_base(struct ast_private *ast, unsigned long gpu_addr); - - struct ast_bo { - struct ttm_buffer_object bo; -diff --git a/drivers/gpu/drm/ast/ast_fb.c b/drivers/gpu/drm/ast/ast_fb.c -index fbc0823cfa18..a298d8f72225 100644 ---- a/drivers/gpu/drm/ast/ast_fb.c -+++ b/drivers/gpu/drm/ast/ast_fb.c -@@ -366,3 +366,10 @@ void ast_fbdev_set_suspend(struct drm_device *dev, int state) - - fb_set_suspend(ast->fbdev->helper.fbdev, state); - } -+ -+void ast_fbdev_set_base(struct ast_private *ast, unsigned long gpu_addr) -+{ -+ ast->fbdev->helper.fbdev->fix.smem_start = -+ ast->fbdev->helper.fbdev->apertures->ranges[0].base + gpu_addr; -+ ast->fbdev->helper.fbdev->fix.smem_len = ast->vram_size - gpu_addr; -+} -diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c -index 96f874a508e2..313ccaf25f49 100644 ---- a/drivers/gpu/drm/ast/ast_main.c -+++ b/drivers/gpu/drm/ast/ast_main.c -@@ -359,6 +359,7 @@ int ast_driver_load(struct drm_device *dev, unsigned long flags) - dev->mode_config.min_height = 0; - dev->mode_config.preferred_depth = 24; - dev->mode_config.prefer_shadow = 1; -+ dev->mode_config.fb_base = pci_resource_start(ast->dev->pdev, 0); - - if (ast->chip == AST2100 || - ast->chip == AST2200 || -diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c -index e8f6418b6dec..f3a54ad77e3f 100644 ---- a/drivers/gpu/drm/ast/ast_mode.c -+++ b/drivers/gpu/drm/ast/ast_mode.c -@@ -509,6 +509,8 @@ static int ast_crtc_do_set_base(struct drm_crtc *crtc, - ret = ttm_bo_kmap(&bo->bo, 0, bo->bo.num_pages, &bo->kmap); - if (ret) - DRM_ERROR("failed to kmap fbcon\n"); -+ else -+ ast_fbdev_set_base(ast, gpu_addr); - } - ast_bo_unreserve(bo); - -diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c -index ba2ab9a9b988..f3cce23f4a62 100644 ---- a/drivers/gpu/drm/radeon/radeon_atombios.c -+++ b/drivers/gpu/drm/radeon/radeon_atombios.c -@@ -452,7 +452,9 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, - } - - /* Fujitsu D3003-S2 board lists DVI-I as DVI-D and VGA */ -- if (((dev->pdev->device == 0x9802) || (dev->pdev->device == 0x9806)) && -+ if (((dev->pdev->device == 0x9802) || -+ (dev->pdev->device == 0x9805) || -+ (dev->pdev->device == 0x9806)) && - (dev->pdev->subsystem_vendor == 0x1734) && - (dev->pdev->subsystem_device == 0x11bd)) { - if (*connector_type == DRM_MODE_CONNECTOR_VGA) { -@@ -463,14 +465,6 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, - } - } - -- /* Fujitsu D3003-S2 board lists DVI-I as DVI-I and VGA */ -- if ((dev->pdev->device == 0x9805) && -- (dev->pdev->subsystem_vendor == 0x1734) && -- (dev->pdev->subsystem_device == 0x11bd)) { -- if (*connector_type == DRM_MODE_CONNECTOR_VGA) -- return false; -- } -- - return true; - } - -diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c -index db83d075606e..6acd3646ac08 100644 ---- a/drivers/gpu/drm/radeon/radeon_irq_kms.c -+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c -@@ -73,6 +73,11 @@ static void radeon_hotplug_work_func(struct work_struct *work) - struct drm_mode_config *mode_config = &dev->mode_config; - struct drm_connector *connector; - -+ /* we can race here at startup, some boards seem to trigger -+ * hotplug irqs when they shouldn't. */ -+ if (!rdev->mode_info.mode_config_initialized) -+ return; -+ - mutex_lock(&mode_config->mutex); - if (mode_config->num_connector) { - list_for_each_entry(connector, &mode_config->connector_list, head) -diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c -index f0bac68254b7..bb166849aa6e 100644 ---- a/drivers/gpu/drm/radeon/radeon_sa.c -+++ b/drivers/gpu/drm/radeon/radeon_sa.c -@@ -349,8 +349,13 @@ int radeon_sa_bo_new(struct radeon_device *rdev, - /* see if we can skip over some allocations */ - } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); - -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) -+ radeon_fence_ref(fences[i]); -+ - spin_unlock(&sa_manager->wq.lock); - r = radeon_fence_wait_any(rdev, fences, false); -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) -+ radeon_fence_unref(&fences[i]); - spin_lock(&sa_manager->wq.lock); - /* if we have nothing to wait for block */ - if (r == -ENOENT && block) { -diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c -index 4a14e113369d..f7015592544f 100644 ---- a/drivers/gpu/drm/radeon/radeon_ttm.c -+++ b/drivers/gpu/drm/radeon/radeon_ttm.c -@@ -619,7 +619,7 @@ static int radeon_ttm_tt_populate(struct ttm_tt *ttm) - 0, PAGE_SIZE, - PCI_DMA_BIDIRECTIONAL); - if (pci_dma_mapping_error(rdev->pdev, gtt->ttm.dma_address[i])) { -- while (--i) { -+ while (i--) { - pci_unmap_page(rdev->pdev, gtt->ttm.dma_address[i], - PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); - gtt->ttm.dma_address[i] = 0; -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -index 6c44c69a5ba4..94a0baac93dd 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -@@ -25,6 +25,7 @@ - * - **************************************************************************/ - #include -+#include - - #include - #include "vmwgfx_drv.h" -@@ -1192,6 +1193,12 @@ static int vmw_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - static int __init vmwgfx_init(void) - { - int ret; -+ -+#ifdef CONFIG_VGA_CONSOLE -+ if (vgacon_text_force()) -+ return -EINVAL; -+#endif -+ - ret = drm_pci_init(&driver, &vmw_pci_driver); - if (ret) - DRM_ERROR("Failed initializing DRM.\n"); -diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c -index e893f6e1937d..3c84e96a485a 100644 ---- a/drivers/gpu/vga/vgaarb.c -+++ b/drivers/gpu/vga/vgaarb.c -@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsigned int rsrc, int interruptible) - set_current_state(interruptible ? - TASK_INTERRUPTIBLE : - TASK_UNINTERRUPTIBLE); -- if (signal_pending(current)) { -- rc = -EINTR; -+ if (interruptible && signal_pending(current)) { -+ __set_current_state(TASK_RUNNING); -+ remove_wait_queue(&vga_wait_queue, &wait); -+ rc = -ERESTARTSYS; - break; - } - schedule(); -diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c -index 3e094cd6a0e3..a9194ef626cd 100644 ---- a/drivers/infiniband/hw/cxgb3/iwch_cm.c -+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c -@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en - error = l2t_send(tdev, skb, l2e); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) -@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) - error = cxgb3_ofld_send(tdev, skb); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb) -diff --git a/drivers/infiniband/hw/qib/qib_verbs_mcast.c b/drivers/infiniband/hw/qib/qib_verbs_mcast.c -index dabb697b1c2a..48ba1c3e945a 100644 ---- a/drivers/infiniband/hw/qib/qib_verbs_mcast.c -+++ b/drivers/infiniband/hw/qib/qib_verbs_mcast.c -@@ -286,15 +286,13 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - struct qib_ibdev *dev = to_idev(ibqp->device); - struct qib_ibport *ibp = to_iport(ibqp->device, qp->port_num); - struct qib_mcast *mcast = NULL; -- struct qib_mcast_qp *p, *tmp; -+ struct qib_mcast_qp *p, *tmp, *delp = NULL; - struct rb_node *n; - int last = 0; - int ret; - -- if (ibqp->qp_num <= 1 || qp->state == IB_QPS_RESET) { -- ret = -EINVAL; -- goto bail; -- } -+ if (ibqp->qp_num <= 1 || qp->state == IB_QPS_RESET) -+ return -EINVAL; - - spin_lock_irq(&ibp->lock); - -@@ -303,8 +301,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - while (1) { - if (n == NULL) { - spin_unlock_irq(&ibp->lock); -- ret = -EINVAL; -- goto bail; -+ return -EINVAL; - } - - mcast = rb_entry(n, struct qib_mcast, rb_node); -@@ -328,6 +325,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - */ - list_del_rcu(&p->list); - mcast->n_attached--; -+ delp = p; - - /* If this was the last attached QP, remove the GID too. */ - if (list_empty(&mcast->qp_list)) { -@@ -338,15 +336,16 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - } - - spin_unlock_irq(&ibp->lock); -+ /* QP not attached */ -+ if (!delp) -+ return -EINVAL; -+ /* -+ * Wait for any list walkers to finish before freeing the -+ * list element. -+ */ -+ wait_event(mcast->wait, atomic_read(&mcast->refcount) <= 1); -+ qib_mcast_qp_free(delp); - -- if (p) { -- /* -- * Wait for any list walkers to finish before freeing the -- * list element. -- */ -- wait_event(mcast->wait, atomic_read(&mcast->refcount) <= 1); -- qib_mcast_qp_free(p); -- } - if (last) { - atomic_dec(&mcast->refcount); - wait_event(mcast->wait, !atomic_read(&mcast->refcount)); -@@ -355,11 +354,7 @@ int qib_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) - dev->n_mcast_grps_allocated--; - spin_unlock_irq(&dev->n_mcast_grps_lock); - } -- -- ret = 0; -- --bail: -- return ret; -+ return 0; - } - - int qib_mcast_tree_empty(struct qib_ibport *ibp) -diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c -index b4713cea1913..2d2915fdbf02 100644 ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1959,8 +1959,10 @@ static int __init bcache_init(void) - closure_debug_init(); - - bcache_major = register_blkdev(0, "bcache"); -- if (bcache_major < 0) -+ if (bcache_major < 0) { -+ unregister_reboot_notifier(&reboot); - return bcache_major; -+ } - - if (!(bcache_wq = create_workqueue("bcache")) || - !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) || -diff --git a/drivers/md/dm-exception-store.h b/drivers/md/dm-exception-store.h -index 0b2536247cf5..84e27708ad97 100644 ---- a/drivers/md/dm-exception-store.h -+++ b/drivers/md/dm-exception-store.h -@@ -70,7 +70,7 @@ struct dm_exception_store_type { - * Update the metadata with this exception. - */ - void (*commit_exception) (struct dm_exception_store *store, -- struct dm_exception *e, -+ struct dm_exception *e, int valid, - void (*callback) (void *, int success), - void *callback_context); - -diff --git a/drivers/md/dm-snap-persistent.c b/drivers/md/dm-snap-persistent.c -index 2d2b1b7588d7..8f6d3ea55401 100644 ---- a/drivers/md/dm-snap-persistent.c -+++ b/drivers/md/dm-snap-persistent.c -@@ -646,7 +646,7 @@ static int persistent_prepare_exception(struct dm_exception_store *store, - } - - static void persistent_commit_exception(struct dm_exception_store *store, -- struct dm_exception *e, -+ struct dm_exception *e, int valid, - void (*callback) (void *, int success), - void *callback_context) - { -@@ -655,6 +655,9 @@ static void persistent_commit_exception(struct dm_exception_store *store, - struct core_exception ce; - struct commit_callback *cb; - -+ if (!valid) -+ ps->valid = 0; -+ - ce.old_chunk = e->old_chunk; - ce.new_chunk = e->new_chunk; - write_exception(ps, ps->current_committed++, &ce); -diff --git a/drivers/md/dm-snap-transient.c b/drivers/md/dm-snap-transient.c -index 1ce9a2586e41..31439d53cf7e 100644 ---- a/drivers/md/dm-snap-transient.c -+++ b/drivers/md/dm-snap-transient.c -@@ -52,12 +52,12 @@ static int transient_prepare_exception(struct dm_exception_store *store, - } - - static void transient_commit_exception(struct dm_exception_store *store, -- struct dm_exception *e, -+ struct dm_exception *e, int valid, - void (*callback) (void *, int success), - void *callback_context) - { - /* Just succeed */ -- callback(callback_context, 1); -+ callback(callback_context, valid); - } - - static void transient_usage(struct dm_exception_store *store, -diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c -index d892a05c84f4..dbd0f00f7395 100644 ---- a/drivers/md/dm-snap.c -+++ b/drivers/md/dm-snap.c -@@ -1388,8 +1388,9 @@ static void __invalidate_snapshot(struct dm_snapshot *s, int err) - dm_table_event(s->ti->table); - } - --static void pending_complete(struct dm_snap_pending_exception *pe, int success) -+static void pending_complete(void *context, int success) - { -+ struct dm_snap_pending_exception *pe = context; - struct dm_exception *e; - struct dm_snapshot *s = pe->snap; - struct bio *origin_bios = NULL; -@@ -1459,24 +1460,13 @@ out: - free_pending_exception(pe); - } - --static void commit_callback(void *context, int success) --{ -- struct dm_snap_pending_exception *pe = context; -- -- pending_complete(pe, success); --} -- - static void complete_exception(struct dm_snap_pending_exception *pe) - { - struct dm_snapshot *s = pe->snap; - -- if (unlikely(pe->copy_error)) -- pending_complete(pe, 0); -- -- else -- /* Update the metadata if we are persistent */ -- s->store->type->commit_exception(s->store, &pe->e, -- commit_callback, pe); -+ /* Update the metadata if we are persistent */ -+ s->store->type->commit_exception(s->store, &pe->e, !pe->copy_error, -+ pending_complete, pe); - } - - /* -diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c -index 43f6250baadd..4bf9211b2740 100644 ---- a/drivers/md/dm-thin-metadata.c -+++ b/drivers/md/dm-thin-metadata.c -@@ -1191,6 +1191,12 @@ static int __reserve_metadata_snap(struct dm_pool_metadata *pmd) - dm_block_t held_root; - - /* -+ * We commit to ensure the btree roots which we increment in a -+ * moment are up to date. -+ */ -+ __commit_transaction(pmd); -+ -+ /* - * Copy the superblock. - */ - dm_sm_inc_block(pmd->metadata_sm, THIN_SUPERBLOCK_LOCATION); -diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c -index ec56072c6326..295f74d4f0ab 100644 ---- a/drivers/md/dm-thin.c -+++ b/drivers/md/dm-thin.c -@@ -2281,7 +2281,7 @@ static void pool_postsuspend(struct dm_target *ti) - struct pool_c *pt = ti->private; - struct pool *pool = pt->pool; - -- cancel_delayed_work(&pool->waker); -+ cancel_delayed_work_sync(&pool->waker); - flush_workqueue(pool->wq); - (void) commit_or_fallback(pool); - } -diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c -index 6d7f4d950b8f..b07fcda9ca71 100644 ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -235,6 +235,16 @@ static bool is_internal_level(struct dm_btree_info *info, struct frame *f) - return f->level < (info->levels - 1); - } - -+static void unlock_all_frames(struct del_stack *s) -+{ -+ struct frame *f; -+ -+ while (unprocessed_frames(s)) { -+ f = s->spine + s->top--; -+ dm_tm_unlock(s->tm, f->b); -+ } -+} -+ - int dm_btree_del(struct dm_btree_info *info, dm_block_t root) - { - int r; -@@ -290,9 +300,13 @@ int dm_btree_del(struct dm_btree_info *info, dm_block_t root) - f->current_child = f->nr_children; - } - } -- - out: -+ if (r) { -+ /* cleanup all frames of del_stack */ -+ unlock_all_frames(s); -+ } - kfree(s); -+ - return r; - } - EXPORT_SYMBOL_GPL(dm_btree_del); -diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c -index 1f925e856974..46a984291b7d 100644 ---- a/drivers/media/dvb-core/dvb_frontend.c -+++ b/drivers/media/dvb-core/dvb_frontend.c -@@ -2195,9 +2195,9 @@ static int dvb_frontend_ioctl_legacy(struct file *file, - dev_dbg(fe->dvb->device, "%s: current delivery system on cache: %d, V3 type: %d\n", - __func__, c->delivery_system, fe->ops.info.type); - -- /* Force the CAN_INVERSION_AUTO bit on. If the frontend doesn't -- * do it, it is done for it. */ -- info->caps |= FE_CAN_INVERSION_AUTO; -+ /* Set CAN_INVERSION_AUTO bit on in other than oneshot mode */ -+ if (!(fepriv->tune_mode_flags & FE_TUNE_MODE_ONESHOT)) -+ info->caps |= FE_CAN_INVERSION_AUTO; - err = 0; - break; - } -diff --git a/drivers/media/dvb-frontends/tda1004x.c b/drivers/media/dvb-frontends/tda1004x.c -index a2631be7ffac..08e0f0dd8728 100644 ---- a/drivers/media/dvb-frontends/tda1004x.c -+++ b/drivers/media/dvb-frontends/tda1004x.c -@@ -903,9 +903,18 @@ static int tda1004x_get_fe(struct dvb_frontend *fe) - { - struct dtv_frontend_properties *fe_params = &fe->dtv_property_cache; - struct tda1004x_state* state = fe->demodulator_priv; -+ int status; - - dprintk("%s\n", __func__); - -+ status = tda1004x_read_byte(state, TDA1004X_STATUS_CD); -+ if (status == -1) -+ return -EIO; -+ -+ /* Only update the properties cache if device is locked */ -+ if (!(status & 8)) -+ return 0; -+ - // inversion status - fe_params->inversion = INVERSION_OFF; - if (tda1004x_read_byte(state, TDA1004X_CONFC1) & 0x20) -diff --git a/drivers/media/usb/gspca/ov534.c b/drivers/media/usb/gspca/ov534.c -index 2e28c81a03ab..a5bee0d0d686 100644 ---- a/drivers/media/usb/gspca/ov534.c -+++ b/drivers/media/usb/gspca/ov534.c -@@ -1490,8 +1490,13 @@ static void sd_set_streamparm(struct gspca_dev *gspca_dev, - struct v4l2_fract *tpf = &cp->timeperframe; - struct sd *sd = (struct sd *) gspca_dev; - -- /* Set requested framerate */ -- sd->frame_rate = tpf->denominator / tpf->numerator; -+ if (tpf->numerator == 0 || tpf->denominator == 0) -+ /* Set default framerate */ -+ sd->frame_rate = 30; -+ else -+ /* Set requested framerate */ -+ sd->frame_rate = tpf->denominator / tpf->numerator; -+ - if (gspca_dev->streaming) - set_frame_rate(gspca_dev); - -diff --git a/drivers/media/usb/gspca/topro.c b/drivers/media/usb/gspca/topro.c -index 4cb511ccc5f6..22ea6aefd22f 100644 ---- a/drivers/media/usb/gspca/topro.c -+++ b/drivers/media/usb/gspca/topro.c -@@ -4791,7 +4791,11 @@ static void sd_set_streamparm(struct gspca_dev *gspca_dev, - struct v4l2_fract *tpf = &cp->timeperframe; - int fr, i; - -- sd->framerate = tpf->denominator / tpf->numerator; -+ if (tpf->numerator == 0 || tpf->denominator == 0) -+ sd->framerate = 30; -+ else -+ sd->framerate = tpf->denominator / tpf->numerator; -+ - if (gspca_dev->streaming) - setframerate(gspca_dev, v4l2_ctrl_g_ctrl(gspca_dev->exposure)); - -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index 885ba4a19a6c..ebb40a292d67 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -59,8 +59,7 @@ MODULE_ALIAS("mmc:block"); - #define INAND_CMD38_ARG_SECTRIM2 0x88 - #define MMC_BLK_TIMEOUT_MS (10 * 60 * 1000) /* 10 minute timeout */ - --#define mmc_req_rel_wr(req) (((req->cmd_flags & REQ_FUA) || \ -- (req->cmd_flags & REQ_META)) && \ -+#define mmc_req_rel_wr(req) ((req->cmd_flags & REQ_FUA) && \ - (rq_data_dir(req) == WRITE)) - #define PACKED_CMD_VER 0x01 - #define PACKED_CMD_WR 0x02 -@@ -1300,13 +1299,9 @@ static void mmc_blk_rw_rq_prep(struct mmc_queue_req *mqrq, - - /* - * Reliable writes are used to implement Forced Unit Access and -- * REQ_META accesses, and are supported only on MMCs. -- * -- * XXX: this really needs a good explanation of why REQ_META -- * is treated special. -+ * are supported only on MMCs. - */ -- bool do_rel_wr = ((req->cmd_flags & REQ_FUA) || -- (req->cmd_flags & REQ_META)) && -+ bool do_rel_wr = (req->cmd_flags & REQ_FUA) && - (rq_data_dir(req) == WRITE) && - (md->flags & MMC_BLK_REL_WR); - -diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c -index f4f3038c1df0..faeda85e78fa 100644 ---- a/drivers/mmc/host/mmci.c -+++ b/drivers/mmc/host/mmci.c -@@ -1740,7 +1740,7 @@ static struct amba_id mmci_ids[] = { - { - .id = 0x00280180, - .mask = 0x00ffffff, -- .data = &variant_u300, -+ .data = &variant_nomadik, - }, - { - .id = 0x00480180, -diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c -index c2d0559115d3..732a8ed571c2 100644 ---- a/drivers/net/can/sja1000/sja1000.c -+++ b/drivers/net/can/sja1000/sja1000.c -@@ -187,6 +187,9 @@ static void sja1000_start(struct net_device *dev) - /* clear interrupt flags */ - priv->read_reg(priv, SJA1000_IR); - -+ /* clear interrupt flags */ -+ priv->read_reg(priv, SJA1000_IR); -+ - /* leave reset mode */ - set_normal_mode(dev); - } -diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c -index 5f9a7ad9b964..d921416295ce 100644 ---- a/drivers/net/can/usb/ems_usb.c -+++ b/drivers/net/can/usb/ems_usb.c -@@ -118,6 +118,9 @@ MODULE_LICENSE("GPL v2"); - */ - #define EMS_USB_ARM7_CLOCK 8000000 - -+#define CPC_TX_QUEUE_TRIGGER_LOW 25 -+#define CPC_TX_QUEUE_TRIGGER_HIGH 35 -+ - /* - * CAN-Message representation in a CPC_MSG. Message object type is - * CPC_MSG_TYPE_CAN_FRAME or CPC_MSG_TYPE_RTR_FRAME or -@@ -279,6 +282,11 @@ static void ems_usb_read_interrupt_callback(struct urb *urb) - switch (urb->status) { - case 0: - dev->free_slots = dev->intr_in_buffer[1]; -+ if(dev->free_slots > CPC_TX_QUEUE_TRIGGER_HIGH){ -+ if (netif_queue_stopped(netdev)){ -+ netif_wake_queue(netdev); -+ } -+ } - break; - - case -ECONNRESET: /* unlink */ -@@ -530,8 +538,6 @@ static void ems_usb_write_bulk_callback(struct urb *urb) - /* Release context */ - context->echo_index = MAX_TX_URBS; - -- if (netif_queue_stopped(netdev)) -- netif_wake_queue(netdev); - } - - /* -@@ -591,7 +597,7 @@ static int ems_usb_start(struct ems_usb *dev) - int err, i; - - dev->intr_in_buffer[0] = 0; -- dev->free_slots = 15; /* initial size */ -+ dev->free_slots = 50; /* initial size */ - - for (i = 0; i < MAX_RX_URBS; i++) { - struct urb *urb = NULL; -@@ -841,7 +847,7 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne - - /* Slow down tx path */ - if (atomic_read(&dev->active_tx_urbs) >= MAX_TX_URBS || -- dev->free_slots < 5) { -+ dev->free_slots < CPC_TX_QUEUE_TRIGGER_LOW) { - netif_stop_queue(netdev); - } - } -diff --git a/drivers/pci/pcie/aer/aerdrv.c b/drivers/pci/pcie/aer/aerdrv.c -index 76ef634caf6f..b84e713445d0 100644 ---- a/drivers/pci/pcie/aer/aerdrv.c -+++ b/drivers/pci/pcie/aer/aerdrv.c -@@ -262,7 +262,6 @@ static struct aer_rpc *aer_alloc_rpc(struct pcie_device *dev) - rpc->rpd = dev; - INIT_WORK(&rpc->dpc_handler, aer_isr); - mutex_init(&rpc->rpc_mutex); -- init_waitqueue_head(&rpc->wait_release); - - /* Use PCIe bus function to store rpc into PCIe device */ - set_service_data(dev, rpc); -@@ -285,8 +284,7 @@ static void aer_remove(struct pcie_device *dev) - if (rpc->isr) - free_irq(dev->irq, dev); - -- wait_event(rpc->wait_release, rpc->prod_idx == rpc->cons_idx); -- -+ flush_work(&rpc->dpc_handler); - aer_disable_rootport(rpc); - kfree(rpc); - set_service_data(dev, NULL); -diff --git a/drivers/pci/pcie/aer/aerdrv.h b/drivers/pci/pcie/aer/aerdrv.h -index d12c77cd6991..3b8766e1e51b 100644 ---- a/drivers/pci/pcie/aer/aerdrv.h -+++ b/drivers/pci/pcie/aer/aerdrv.h -@@ -76,7 +76,6 @@ struct aer_rpc { - * recovery on the same - * root port hierarchy - */ -- wait_queue_head_t wait_release; - }; - - struct aer_broadcast_data { -diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c -index 0f4554e48cc5..a017aac0d7ed 100644 ---- a/drivers/pci/pcie/aer/aerdrv_core.c -+++ b/drivers/pci/pcie/aer/aerdrv_core.c -@@ -817,8 +817,6 @@ void aer_isr(struct work_struct *work) - while (get_e_source(rpc, &e_src)) - aer_isr_one_error(p_device, &e_src); - mutex_unlock(&rpc->rpc_mutex); -- -- wake_up(&rpc->wait_release); - } - - /** -diff --git a/drivers/pci/xen-pcifront.c b/drivers/pci/xen-pcifront.c -index f7197a790341..eb402f4f0e2f 100644 ---- a/drivers/pci/xen-pcifront.c -+++ b/drivers/pci/xen-pcifront.c -@@ -51,7 +51,7 @@ struct pcifront_device { - }; - - struct pcifront_sd { -- int domain; -+ struct pci_sysdata sd; - struct pcifront_device *pdev; - }; - -@@ -65,7 +65,9 @@ static inline void pcifront_init_sd(struct pcifront_sd *sd, - unsigned int domain, unsigned int bus, - struct pcifront_device *pdev) - { -- sd->domain = domain; -+ /* Because we do not expose that information via XenBus. */ -+ sd->sd.node = first_online_node; -+ sd->sd.domain = domain; - sd->pdev = pdev; - } - -@@ -463,8 +465,8 @@ static int pcifront_scan_root(struct pcifront_device *pdev, - dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n", - domain, bus); - -- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL); -- sd = kmalloc(sizeof(*sd), GFP_KERNEL); -+ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL); -+ sd = kzalloc(sizeof(*sd), GFP_KERNEL); - if (!bus_entry || !sd) { - err = -ENOMEM; - goto err_out; -diff --git a/drivers/power/wm831x_power.c b/drivers/power/wm831x_power.c -index 3bed2f55cf7d..3ccadf631d45 100644 ---- a/drivers/power/wm831x_power.c -+++ b/drivers/power/wm831x_power.c -@@ -567,7 +567,7 @@ static int wm831x_power_probe(struct platform_device *pdev) - - irq = wm831x_irq(wm831x, platform_get_irq_byname(pdev, "SYSLO")); - ret = request_threaded_irq(irq, NULL, wm831x_syslo_irq, -- IRQF_TRIGGER_RISING, "System power low", -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "System power low", - power); - if (ret != 0) { - dev_err(&pdev->dev, "Failed to request SYSLO IRQ %d: %d\n", -@@ -577,7 +577,7 @@ static int wm831x_power_probe(struct platform_device *pdev) - - irq = wm831x_irq(wm831x, platform_get_irq_byname(pdev, "PWR SRC")); - ret = request_threaded_irq(irq, NULL, wm831x_pwr_src_irq, -- IRQF_TRIGGER_RISING, "Power source", -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "Power source", - power); - if (ret != 0) { - dev_err(&pdev->dev, "Failed to request PWR SRC IRQ %d: %d\n", -@@ -590,7 +590,7 @@ static int wm831x_power_probe(struct platform_device *pdev) - platform_get_irq_byname(pdev, - wm831x_bat_irqs[i])); - ret = request_threaded_irq(irq, NULL, wm831x_bat_irq, -- IRQF_TRIGGER_RISING, -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, - wm831x_bat_irqs[i], - power); - if (ret != 0) { -diff --git a/drivers/s390/block/dasd_alias.c b/drivers/s390/block/dasd_alias.c -index a2597e683e79..6a64e86e8ccd 100644 ---- a/drivers/s390/block/dasd_alias.c -+++ b/drivers/s390/block/dasd_alias.c -@@ -264,8 +264,10 @@ void dasd_alias_disconnect_device_from_lcu(struct dasd_device *device) - spin_unlock_irqrestore(&lcu->lock, flags); - cancel_work_sync(&lcu->suc_data.worker); - spin_lock_irqsave(&lcu->lock, flags); -- if (device == lcu->suc_data.device) -+ if (device == lcu->suc_data.device) { -+ dasd_put_device(device); - lcu->suc_data.device = NULL; -+ } - } - was_pending = 0; - if (device == lcu->ruac_data.device) { -@@ -273,8 +275,10 @@ void dasd_alias_disconnect_device_from_lcu(struct dasd_device *device) - was_pending = 1; - cancel_delayed_work_sync(&lcu->ruac_data.dwork); - spin_lock_irqsave(&lcu->lock, flags); -- if (device == lcu->ruac_data.device) -+ if (device == lcu->ruac_data.device) { -+ dasd_put_device(device); - lcu->ruac_data.device = NULL; -+ } - } - private->lcu = NULL; - spin_unlock_irqrestore(&lcu->lock, flags); -@@ -549,8 +553,10 @@ static void lcu_update_work(struct work_struct *work) - if ((rc && (rc != -EOPNOTSUPP)) || (lcu->flags & NEED_UAC_UPDATE)) { - DBF_DEV_EVENT(DBF_WARNING, device, "could not update" - " alias data in lcu (rc = %d), retry later", rc); -- schedule_delayed_work(&lcu->ruac_data.dwork, 30*HZ); -+ if (!schedule_delayed_work(&lcu->ruac_data.dwork, 30*HZ)) -+ dasd_put_device(device); - } else { -+ dasd_put_device(device); - lcu->ruac_data.device = NULL; - lcu->flags &= ~UPDATE_PENDING; - } -@@ -593,8 +599,10 @@ static int _schedule_lcu_update(struct alias_lcu *lcu, - */ - if (!usedev) - return -EINVAL; -+ dasd_get_device(usedev); - lcu->ruac_data.device = usedev; -- schedule_delayed_work(&lcu->ruac_data.dwork, 0); -+ if (!schedule_delayed_work(&lcu->ruac_data.dwork, 0)) -+ dasd_put_device(usedev); - return 0; - } - -@@ -722,7 +730,7 @@ static int reset_summary_unit_check(struct alias_lcu *lcu, - ASCEBC((char *) &cqr->magic, 4); - ccw = cqr->cpaddr; - ccw->cmd_code = DASD_ECKD_CCW_RSCK; -- ccw->flags = 0 ; -+ ccw->flags = CCW_FLAG_SLI; - ccw->count = 16; - ccw->cda = (__u32)(addr_t) cqr->data; - ((char *)cqr->data)[0] = reason; -@@ -926,6 +934,7 @@ static void summary_unit_check_handling_work(struct work_struct *work) - /* 3. read new alias configuration */ - _schedule_lcu_update(lcu, device); - lcu->suc_data.device = NULL; -+ dasd_put_device(device); - spin_unlock_irqrestore(&lcu->lock, flags); - } - -@@ -985,6 +994,8 @@ void dasd_alias_handle_summary_unit_check(struct dasd_device *device, - } - lcu->suc_data.reason = reason; - lcu->suc_data.device = device; -+ dasd_get_device(device); - spin_unlock(&lcu->lock); -- schedule_work(&lcu->suc_data.worker); -+ if (!schedule_work(&lcu->suc_data.worker)) -+ dasd_put_device(device); - }; -diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h -index b52121358385..280e769a1686 100644 ---- a/drivers/scsi/megaraid/megaraid_sas.h -+++ b/drivers/scsi/megaraid/megaraid_sas.h -@@ -300,6 +300,8 @@ enum MR_EVT_ARGS { - MR_EVT_ARGS_GENERIC, - }; - -+ -+#define SGE_BUFFER_SIZE 4096 - /* - * define constants for device list query options - */ -diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c -index 78b4fe845245..e6dfa8108301 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -3602,7 +3602,7 @@ static int megasas_init_fw(struct megasas_instance *instance) - } - - instance->max_sectors_per_req = instance->max_num_sge * -- PAGE_SIZE / 512; -+ SGE_BUFFER_SIZE / 512; - if (tmp_sectors && (instance->max_sectors_per_req > tmp_sectors)) - instance->max_sectors_per_req = tmp_sectors; - -@@ -5051,6 +5051,9 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) - int i; - int error = 0; - compat_uptr_t ptr; -+ unsigned long local_raw_ptr; -+ u32 local_sense_off; -+ u32 local_sense_len; - - if (clear_user(ioc, sizeof(*ioc))) - return -EFAULT; -@@ -5068,9 +5071,15 @@ static int megasas_mgmt_compat_ioctl_fw(struct file *file, unsigned long arg) - * sense_len is not null, so prepare the 64bit value under - * the same condition. - */ -- if (ioc->sense_len) { -+ if (get_user(local_raw_ptr, ioc->frame.raw) || -+ get_user(local_sense_off, &ioc->sense_off) || -+ get_user(local_sense_len, &ioc->sense_len)) -+ return -EFAULT; -+ -+ -+ if (local_sense_len) { - void __user **sense_ioc_ptr = -- (void __user **)(ioc->frame.raw + ioc->sense_off); -+ (void __user **)((u8*)local_raw_ptr + local_sense_off); - compat_uptr_t *sense_cioc_ptr = - (compat_uptr_t *)(cioc->frame.raw + cioc->sense_off); - if (get_user(ptr, sense_cioc_ptr) || -diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c -index eba183c428cf..3643bbf5456d 100644 ---- a/drivers/scsi/ses.c -+++ b/drivers/scsi/ses.c -@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev) - static int ses_recv_diag(struct scsi_device *sdev, int page_code, - void *buf, int bufflen) - { -+ int ret; - unsigned char cmd[] = { - RECEIVE_DIAGNOSTIC, - 1, /* Set PCV bit */ -@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code, - bufflen & 0xff, - 0 - }; -+ unsigned char recv_page_code; - -- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, -+ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, - NULL, SES_TIMEOUT, SES_RETRIES, NULL); -+ if (unlikely(!ret)) -+ return ret; -+ -+ recv_page_code = ((unsigned char *)buf)[0]; -+ -+ if (likely(recv_page_code == page_code)) -+ return ret; -+ -+ /* successful diagnostic but wrong page code. This happens to some -+ * USB devices, just print a message and pretend there was an error */ -+ -+ sdev_printk(KERN_ERR, sdev, -+ "Wrong diagnostic page; asked for %d got %u\n", -+ page_code, recv_page_code); -+ -+ return -EINVAL; - } - - static int ses_send_diag(struct scsi_device *sdev, int page_code, -@@ -436,7 +454,15 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, - if (desc_ptr) - desc_ptr += len; - -- if (addl_desc_ptr) -+ if (addl_desc_ptr && -+ /* only find additional descriptions for specific devices */ -+ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || -+ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE || -+ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER || -+ /* these elements are optional */ -+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || -+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || -+ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) - addl_desc_ptr += addl_desc_ptr[1] + 2; - - } -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index d2ea64de92df..d6dab8adf60e 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1726,6 +1726,11 @@ static const struct usb_device_id acm_ids[] = { - }, - #endif - -+ /*Samsung phone in firmware update mode */ -+ { USB_DEVICE(0x04e8, 0x685d), -+ .driver_info = IGNORE_DEVICE, -+ }, -+ - /* Exclude Infineon Flash Loader utility */ - { USB_DEVICE(0x058b, 0x0041), - .driver_info = IGNORE_DEVICE, -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 89ba7cfba5bc..303f3b3fb65f 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -162,6 +162,8 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ - { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ - { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ -+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ -+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ - { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 81f6a572f016..9bab34cf01d4 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -315,6 +315,7 @@ static void option_instat_callback(struct urb *urb); - #define TOSHIBA_PRODUCT_G450 0x0d45 - - #define ALINK_VENDOR_ID 0x1e0e -+#define SIMCOM_PRODUCT_SIM7100E 0x9001 /* Yes, ALINK_VENDOR_ID */ - #define ALINK_PRODUCT_PH300 0x9100 - #define ALINK_PRODUCT_3GU 0x9200 - -@@ -615,6 +616,10 @@ static const struct option_blacklist_info zte_1255_blacklist = { - .reserved = BIT(3) | BIT(4), - }; - -+static const struct option_blacklist_info simcom_sim7100e_blacklist = { -+ .reserved = BIT(5) | BIT(6), -+}; -+ - static const struct option_blacklist_info telit_le910_blacklist = { - .sendsetup = BIT(0), - .reserved = BIT(1) | BIT(2), -@@ -1130,6 +1135,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC650) }, - { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) }, - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6000)}, /* ZTE AC8700 */ -+ { USB_DEVICE_AND_INTERFACE_INFO(QUALCOMM_VENDOR_ID, 0x6001, 0xff, 0xff, 0xff), /* 4G LTE usb-modem U901 */ -+ .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ -@@ -1645,6 +1652,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) }, - { USB_DEVICE(ALINK_VENDOR_ID, ALINK_PRODUCT_PH300) }, - { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E), -+ .driver_info = (kernel_ulong_t)&simcom_sim7100e_blacklist }, - { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), - .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist - }, -diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c -index ee59b74768d9..beaa7cc4e857 100644 ---- a/drivers/virtio/virtio.c -+++ b/drivers/virtio/virtio.c -@@ -238,6 +238,7 @@ static int virtio_init(void) - static void __exit virtio_exit(void) - { - bus_unregister(&virtio_bus); -+ ida_destroy(&virtio_index_ida); - } - core_initcall(virtio_init); - module_exit(virtio_exit); -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 7360f03ddbe1..9612a01198df 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -2437,6 +2437,7 @@ int open_ctree(struct super_block *sb, - "unsupported option features (%Lx).\n", - (unsigned long long)features); - err = -EINVAL; -+ brelse(bh); - goto fail_alloc; - } - -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c -index ae29b403a7e2..b5d13c4eea00 100644 ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -7477,15 +7477,28 @@ int btrfs_readpage(struct file *file, struct page *page) - static int btrfs_writepage(struct page *page, struct writeback_control *wbc) - { - struct extent_io_tree *tree; -- -+ struct inode *inode = page->mapping->host; -+ int ret; - - if (current->flags & PF_MEMALLOC) { - redirty_page_for_writepage(wbc, page); - unlock_page(page); - return 0; - } -+ -+ /* -+ * If we are under memory pressure we will call this directly from the -+ * VM, we need to make sure we have the inode referenced for the ordered -+ * extent. If not just return like we didn't do anything. -+ */ -+ if (!igrab(inode)) { -+ redirty_page_for_writepage(wbc, page); -+ return AOP_WRITEPAGE_ACTIVATE; -+ } - tree = &BTRFS_I(page->mapping->host)->io_tree; -- return extent_write_full_page(tree, page, btrfs_get_extent, wbc); -+ ret = extent_write_full_page(tree, page, btrfs_get_extent, wbc); -+ btrfs_add_delayed_iput(inode); -+ return ret; - } - - static int btrfs_writepages(struct address_space *mapping, -@@ -8474,9 +8487,11 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry, - /* - * 2 items for inode item and ref - * 2 items for dir items -+ * 1 item for updating parent inode item -+ * 1 item for the inline extent item - * 1 item for xattr if selinux is on - */ -- trans = btrfs_start_transaction(root, 5); -+ trans = btrfs_start_transaction(root, 7); - if (IS_ERR(trans)) - return PTR_ERR(trans); - -diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c -index 414c1b9eb896..3104e0eec816 100644 ---- a/fs/btrfs/send.c -+++ b/fs/btrfs/send.c -@@ -1338,7 +1338,21 @@ static int read_symlink(struct send_ctx *sctx, - ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); - if (ret < 0) - goto out; -- BUG_ON(ret); -+ if (ret) { -+ /* -+ * An empty symlink inode. Can happen in rare error paths when -+ * creating a symlink (transaction committed before the inode -+ * eviction handler removed the symlink inode items and a crash -+ * happened in between or the subvol was snapshoted in between). -+ * Print an informative message to dmesg/syslog so that the user -+ * can delete the symlink. -+ */ -+ btrfs_err(root->fs_info, -+ "Found empty symlink inode %llu at root %llu", -+ ino, root->root_key.objectid); -+ ret = -EIO; -+ goto out; -+ } - - ei = btrfs_item_ptr(path->nodes[0], path->slots[0], - struct btrfs_file_extent_item); -diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c -index 32f35f187989..b58a9cbb9695 100644 ---- a/fs/hostfs/hostfs_kern.c -+++ b/fs/hostfs/hostfs_kern.c -@@ -720,15 +720,13 @@ static int hostfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, - - init_special_inode(inode, mode, dev); - err = do_mknod(name, mode, MAJOR(dev), MINOR(dev)); -- if (!err) -+ if (err) - goto out_free; - - err = read_name(inode, name); - __putname(name); - if (err) - goto out_put; -- if (err) -- goto out_put; - - d_instantiate(dentry, inode); - return 0; -diff --git a/fs/lockd/host.c b/fs/lockd/host.c -index 969d589c848d..b5f3c3ab0d5f 100644 ---- a/fs/lockd/host.c -+++ b/fs/lockd/host.c -@@ -116,7 +116,7 @@ static struct nlm_host *nlm_alloc_host(struct nlm_lookup_host_info *ni, - atomic_inc(&nsm->sm_count); - else { - host = NULL; -- nsm = nsm_get_handle(ni->sap, ni->salen, -+ nsm = nsm_get_handle(ni->net, ni->sap, ni->salen, - ni->hostname, ni->hostname_len); - if (unlikely(nsm == NULL)) { - dprintk("lockd: %s failed; no nsm handle\n", -@@ -534,17 +534,18 @@ static struct nlm_host *next_host_state(struct hlist_head *cache, - - /** - * nlm_host_rebooted - Release all resources held by rebooted host -+ * @net: network namespace - * @info: pointer to decoded results of NLM_SM_NOTIFY call - * - * We were notified that the specified host has rebooted. Release - * all resources held by that peer. - */ --void nlm_host_rebooted(const struct nlm_reboot *info) -+void nlm_host_rebooted(const struct net *net, const struct nlm_reboot *info) - { - struct nsm_handle *nsm; - struct nlm_host *host; - -- nsm = nsm_reboot_lookup(info); -+ nsm = nsm_reboot_lookup(net, info); - if (unlikely(nsm == NULL)) - return; - -diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c -index 6ae664b489af..13fac49aff7f 100644 ---- a/fs/lockd/mon.c -+++ b/fs/lockd/mon.c -@@ -51,7 +51,6 @@ struct nsm_res { - }; - - static const struct rpc_program nsm_program; --static LIST_HEAD(nsm_handles); - static DEFINE_SPINLOCK(nsm_lock); - - /* -@@ -259,33 +258,35 @@ void nsm_unmonitor(const struct nlm_host *host) - } - } - --static struct nsm_handle *nsm_lookup_hostname(const char *hostname, -- const size_t len) -+static struct nsm_handle *nsm_lookup_hostname(const struct list_head *nsm_handles, -+ const char *hostname, const size_t len) - { - struct nsm_handle *nsm; - -- list_for_each_entry(nsm, &nsm_handles, sm_link) -+ list_for_each_entry(nsm, nsm_handles, sm_link) - if (strlen(nsm->sm_name) == len && - memcmp(nsm->sm_name, hostname, len) == 0) - return nsm; - return NULL; - } - --static struct nsm_handle *nsm_lookup_addr(const struct sockaddr *sap) -+static struct nsm_handle *nsm_lookup_addr(const struct list_head *nsm_handles, -+ const struct sockaddr *sap) - { - struct nsm_handle *nsm; - -- list_for_each_entry(nsm, &nsm_handles, sm_link) -+ list_for_each_entry(nsm, nsm_handles, sm_link) - if (rpc_cmp_addr(nsm_addr(nsm), sap)) - return nsm; - return NULL; - } - --static struct nsm_handle *nsm_lookup_priv(const struct nsm_private *priv) -+static struct nsm_handle *nsm_lookup_priv(const struct list_head *nsm_handles, -+ const struct nsm_private *priv) - { - struct nsm_handle *nsm; - -- list_for_each_entry(nsm, &nsm_handles, sm_link) -+ list_for_each_entry(nsm, nsm_handles, sm_link) - if (memcmp(nsm->sm_priv.data, priv->data, - sizeof(priv->data)) == 0) - return nsm; -@@ -350,6 +351,7 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, - - /** - * nsm_get_handle - Find or create a cached nsm_handle -+ * @net: network namespace - * @sap: pointer to socket address of handle to find - * @salen: length of socket address - * @hostname: pointer to C string containing hostname to find -@@ -362,11 +364,13 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, - * @hostname cannot be found in the handle cache. Returns NULL if - * an error occurs. - */ --struct nsm_handle *nsm_get_handle(const struct sockaddr *sap, -+struct nsm_handle *nsm_get_handle(const struct net *net, -+ const struct sockaddr *sap, - const size_t salen, const char *hostname, - const size_t hostname_len) - { - struct nsm_handle *cached, *new = NULL; -+ struct lockd_net *ln = net_generic(net, lockd_net_id); - - if (hostname && memchr(hostname, '/', hostname_len) != NULL) { - if (printk_ratelimit()) { -@@ -381,9 +385,10 @@ retry: - spin_lock(&nsm_lock); - - if (nsm_use_hostnames && hostname != NULL) -- cached = nsm_lookup_hostname(hostname, hostname_len); -+ cached = nsm_lookup_hostname(&ln->nsm_handles, -+ hostname, hostname_len); - else -- cached = nsm_lookup_addr(sap); -+ cached = nsm_lookup_addr(&ln->nsm_handles, sap); - - if (cached != NULL) { - atomic_inc(&cached->sm_count); -@@ -397,7 +402,7 @@ retry: - } - - if (new != NULL) { -- list_add(&new->sm_link, &nsm_handles); -+ list_add(&new->sm_link, &ln->nsm_handles); - spin_unlock(&nsm_lock); - dprintk("lockd: created nsm_handle for %s (%s)\n", - new->sm_name, new->sm_addrbuf); -@@ -414,19 +419,22 @@ retry: - - /** - * nsm_reboot_lookup - match NLMPROC_SM_NOTIFY arguments to an nsm_handle -+ * @net: network namespace - * @info: pointer to NLMPROC_SM_NOTIFY arguments - * - * Returns a matching nsm_handle if found in the nsm cache. The returned - * nsm_handle's reference count is bumped. Otherwise returns NULL if some - * error occurred. - */ --struct nsm_handle *nsm_reboot_lookup(const struct nlm_reboot *info) -+struct nsm_handle *nsm_reboot_lookup(const struct net *net, -+ const struct nlm_reboot *info) - { - struct nsm_handle *cached; -+ struct lockd_net *ln = net_generic(net, lockd_net_id); - - spin_lock(&nsm_lock); - -- cached = nsm_lookup_priv(&info->priv); -+ cached = nsm_lookup_priv(&ln->nsm_handles, &info->priv); - if (unlikely(cached == NULL)) { - spin_unlock(&nsm_lock); - dprintk("lockd: never saw rebooted peer '%.*s' before\n", -diff --git a/fs/lockd/netns.h b/fs/lockd/netns.h -index 5010b55628b4..414da99744e9 100644 ---- a/fs/lockd/netns.h -+++ b/fs/lockd/netns.h -@@ -16,6 +16,7 @@ struct lockd_net { - spinlock_t nsm_clnt_lock; - unsigned int nsm_users; - struct rpc_clnt *nsm_clnt; -+ struct list_head nsm_handles; - }; - - extern int lockd_net_id; -diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c -index 7a318480ab7a..ce05c60ff06d 100644 ---- a/fs/lockd/svc.c -+++ b/fs/lockd/svc.c -@@ -583,6 +583,7 @@ static int lockd_init_net(struct net *net) - INIT_DELAYED_WORK(&ln->grace_period_end, grace_ender); - INIT_LIST_HEAD(&ln->grace_list); - spin_lock_init(&ln->nsm_clnt_lock); -+ INIT_LIST_HEAD(&ln->nsm_handles); - return 0; - } - -diff --git a/fs/lockd/svc4proc.c b/fs/lockd/svc4proc.c -index b147d1ae71fd..09c576f26c7b 100644 ---- a/fs/lockd/svc4proc.c -+++ b/fs/lockd/svc4proc.c -@@ -421,7 +421,7 @@ nlm4svc_proc_sm_notify(struct svc_rqst *rqstp, struct nlm_reboot *argp, - return rpc_system_err; - } - -- nlm_host_rebooted(argp); -+ nlm_host_rebooted(SVC_NET(rqstp), argp); - return rpc_success; - } - -diff --git a/fs/lockd/svcproc.c b/fs/lockd/svcproc.c -index 21171f0c6477..fb26b9f522e7 100644 ---- a/fs/lockd/svcproc.c -+++ b/fs/lockd/svcproc.c -@@ -464,7 +464,7 @@ nlmsvc_proc_sm_notify(struct svc_rqst *rqstp, struct nlm_reboot *argp, - return rpc_system_err; - } - -- nlm_host_rebooted(argp); -+ nlm_host_rebooted(SVC_NET(rqstp), argp); - return rpc_success; - } - -diff --git a/fs/namei.c b/fs/namei.c -index 157c3dbacf6c..c87e15ee9255 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -2917,6 +2917,10 @@ opened: - goto exit_fput; - } - out: -+ if (unlikely(error > 0)) { -+ WARN_ON(1); -+ error = -EINVAL; -+ } - if (got_write) - mnt_drop_write(nd->path.mnt); - path_put(&save_parent); -diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c -index cfa9163b3bb7..2bdaf57c82d0 100644 ---- a/fs/nfs/nfs4state.c -+++ b/fs/nfs/nfs4state.c -@@ -1452,7 +1452,7 @@ restart: - } - spin_unlock(&state->state_lock); - nfs4_put_open_state(state); -- clear_bit(NFS4CLNT_RECLAIM_NOGRACE, -+ clear_bit(NFS_STATE_RECLAIM_NOGRACE, - &state->flags); - spin_lock(&sp->so_lock); - goto restart; -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 9f285fb9bab3..b86db1236c7c 100644 ---- a/fs/proc/task_mmu.c -+++ b/fs/proc/task_mmu.c -@@ -170,7 +170,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) - if (!priv->task) - return ERR_PTR(-ESRCH); - -- mm = mm_access(priv->task, PTRACE_MODE_READ); -+ mm = mm_access(priv->task, PTRACE_MODE_READ_FSCREDS); - if (!mm || IS_ERR(mm)) - return mm; - down_read(&mm->mmap_sem); -@@ -1044,7 +1044,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, - if (!pm.buffer) - goto out_task; - -- mm = mm_access(task, PTRACE_MODE_READ); -+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); - ret = PTR_ERR(mm); - if (!mm || IS_ERR(mm)) - goto out_free; -diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c -index 56123a6f462e..123c19890b14 100644 ---- a/fs/proc/task_nommu.c -+++ b/fs/proc/task_nommu.c -@@ -223,7 +223,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) - if (!priv->task) - return ERR_PTR(-ESRCH); - -- mm = mm_access(priv->task, PTRACE_MODE_READ); -+ mm = mm_access(priv->task, PTRACE_MODE_READ_FSCREDS); - if (!mm || IS_ERR(mm)) { - put_task_struct(priv->task); - priv->task = NULL; -diff --git a/fs/splice.c b/fs/splice.c -index f183f1342c01..3b94a6bba29f 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -949,6 +949,7 @@ ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd, - - splice_from_pipe_begin(sd); - do { -+ cond_resched(); - ret = splice_from_pipe_next(pipe, sd); - if (ret > 0) - ret = splice_from_pipe_feed(pipe, sd, actor); -@@ -1189,7 +1190,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - long ret, bytes; - umode_t i_mode; - size_t len; -- int i, flags; -+ int i, flags, more; - - /* - * We require the input being a regular file, as we don't want to -@@ -1232,6 +1233,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - * Don't block on output, we have to drain the direct pipe. - */ - sd->flags &= ~SPLICE_F_NONBLOCK; -+ more = sd->flags & SPLICE_F_MORE; - - while (len) { - size_t read_len; -@@ -1245,6 +1247,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - sd->total_len = read_len; - - /* -+ * If more data is pending, set SPLICE_F_MORE -+ * If this is the last data and SPLICE_F_MORE was not set -+ * initially, clears it. -+ */ -+ if (read_len < len) -+ sd->flags |= SPLICE_F_MORE; -+ else if (!more) -+ sd->flags &= ~SPLICE_F_MORE; -+ /* - * NOTE: nonblocking mode only applies to the input. We - * must not do the output in nonblocking mode as then we - * could get stuck data in the internal pipe: -diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h -index 9a33c5f7e126..f6c229e2bffa 100644 ---- a/include/linux/enclosure.h -+++ b/include/linux/enclosure.h -@@ -29,7 +29,11 @@ - /* A few generic types ... taken from ses-2 */ - enum enclosure_component_type { - ENCLOSURE_COMPONENT_DEVICE = 0x01, -+ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07, -+ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14, -+ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15, - ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17, -+ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18, - }; - - /* ses-2 common element status */ -diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/lockd.h -index dcaad79f54ed..0adf073f13b3 100644 ---- a/include/linux/lockd/lockd.h -+++ b/include/linux/lockd/lockd.h -@@ -236,7 +236,8 @@ void nlm_rebind_host(struct nlm_host *); - struct nlm_host * nlm_get_host(struct nlm_host *); - void nlm_shutdown_hosts(void); - void nlm_shutdown_hosts_net(struct net *net); --void nlm_host_rebooted(const struct nlm_reboot *); -+void nlm_host_rebooted(const struct net *net, -+ const struct nlm_reboot *); - - /* - * Host monitoring -@@ -244,11 +245,13 @@ void nlm_host_rebooted(const struct nlm_reboot *); - int nsm_monitor(const struct nlm_host *host); - void nsm_unmonitor(const struct nlm_host *host); - --struct nsm_handle *nsm_get_handle(const struct sockaddr *sap, -+struct nsm_handle *nsm_get_handle(const struct net *net, -+ const struct sockaddr *sap, - const size_t salen, - const char *hostname, - const size_t hostname_len); --struct nsm_handle *nsm_reboot_lookup(const struct nlm_reboot *info); -+struct nsm_handle *nsm_reboot_lookup(const struct net *net, -+ const struct nlm_reboot *info); - void nsm_release(struct nsm_handle *nsm); - - /* -diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h -index fc01d5cb4cf1..7d2021d3ee08 100644 ---- a/include/linux/nfs_fs.h -+++ b/include/linux/nfs_fs.h -@@ -578,9 +578,7 @@ static inline void nfs3_forget_cached_acls(struct inode *inode) - - static inline loff_t nfs_size_to_loff_t(__u64 size) - { -- if (size > (__u64) OFFSET_MAX - 1) -- return OFFSET_MAX - 1; -- return (loff_t) size; -+ return min_t(u64, size, OFFSET_MAX); - } - - static inline ino_t -diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h -index ba605015c4d8..0b2d0cbe0bab 100644 ---- a/include/linux/tracepoint.h -+++ b/include/linux/tracepoint.h -@@ -14,8 +14,11 @@ - * See the file COPYING for more details. - */ - -+#include - #include - #include -+#include -+#include - #include - #include - -@@ -126,6 +129,9 @@ static inline void tracepoint_synchronize_unregister(void) - void *it_func; \ - void *__data; \ - \ -+ if (!cpu_online(raw_smp_processor_id())) \ -+ return; \ -+ \ - if (!(cond)) \ - return; \ - prercu; \ -diff --git a/include/net/af_unix.h b/include/net/af_unix.h -index 686760024572..6278e4d32612 100644 ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -6,8 +6,8 @@ - #include - #include - --extern void unix_inflight(struct file *fp); --extern void unix_notinflight(struct file *fp); -+extern void unix_inflight(struct user_struct *user, struct file *fp); -+extern void unix_notinflight(struct user_struct *user, struct file *fp); - extern void unix_gc(void); - extern void wait_for_unix_gc(void); - extern struct sock *unix_get_socket(struct file *filp); -diff --git a/include/net/scm.h b/include/net/scm.h -index 8de2d37d2077..d00cd43a990c 100644 ---- a/include/net/scm.h -+++ b/include/net/scm.h -@@ -21,6 +21,7 @@ struct scm_creds { - struct scm_fp_list { - short count; - short max; -+ struct user_struct *user; - struct file *fp[SCM_MAX_FD]; - }; - -diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c -index a79d267b64ec..7b0d31b67f6a 100644 ---- a/kernel/irq/manage.c -+++ b/kernel/irq/manage.c -@@ -1229,6 +1229,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) - if (!desc) - return NULL; - -+ chip_bus_lock(desc); - raw_spin_lock_irqsave(&desc->lock, flags); - - /* -@@ -1242,7 +1243,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) - if (!action) { - WARN(1, "Trying to free already-free IRQ %d\n", irq); - raw_spin_unlock_irqrestore(&desc->lock, flags); -- -+ chip_bus_sync_unlock(desc); - return NULL; - } - -@@ -1265,6 +1266,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id) - #endif - - raw_spin_unlock_irqrestore(&desc->lock, flags); -+ chip_bus_sync_unlock(desc); - - unregister_handler_proc(irq, action); - -@@ -1338,9 +1340,7 @@ void free_irq(unsigned int irq, void *dev_id) - desc->affinity_notify = NULL; - #endif - -- chip_bus_lock(desc); - kfree(__free_irq(irq, dev_id)); -- chip_bus_sync_unlock(desc); - } - EXPORT_SYMBOL(free_irq); - -diff --git a/kernel/resource.c b/kernel/resource.c -index d7386986e10e..b8422b135b68 100644 ---- a/kernel/resource.c -+++ b/kernel/resource.c -@@ -961,9 +961,10 @@ struct resource * __request_region(struct resource *parent, - if (!conflict) - break; - if (conflict != parent) { -- parent = conflict; -- if (!(conflict->flags & IORESOURCE_BUSY)) -+ if (!(conflict->flags & IORESOURCE_BUSY)) { -+ parent = conflict; - continue; -+ } - } - if (conflict->flags & flags & IORESOURCE_MUXED) { - add_wait_queue(&muxed_resource_wait, &wait); -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index c771f2547bef..f234c84d36c8 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -1587,7 +1587,6 @@ out: - */ - int wake_up_process(struct task_struct *p) - { -- WARN_ON(task_is_stopped_or_traced(p)); - return try_to_wake_up(p, TASK_NORMAL, 0); - } - EXPORT_SYMBOL(wake_up_process); -diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c -index ce033c7aa2e8..9cff0ab82b63 100644 ---- a/kernel/time/posix-clock.c -+++ b/kernel/time/posix-clock.c -@@ -69,10 +69,10 @@ static ssize_t posix_clock_read(struct file *fp, char __user *buf, - static unsigned int posix_clock_poll(struct file *fp, poll_table *wait) - { - struct posix_clock *clk = get_posix_clock(fp); -- int result = 0; -+ unsigned int result = 0; - - if (!clk) -- return -ENODEV; -+ return POLLERR; - - if (clk->ops.poll) - result = clk->ops.poll(clk, fp, wait); -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index ab21b8c66535..cb73c4e0741e 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -1948,12 +1948,6 @@ rb_set_commit_to_write(struct ring_buffer_per_cpu *cpu_buffer) - goto again; - } - --static void rb_reset_reader_page(struct ring_buffer_per_cpu *cpu_buffer) --{ -- cpu_buffer->read_stamp = cpu_buffer->reader_page->page->time_stamp; -- cpu_buffer->reader_page->read = 0; --} -- - static void rb_inc_iter(struct ring_buffer_iter *iter) - { - struct ring_buffer_per_cpu *cpu_buffer = iter->cpu_buffer; -@@ -3591,7 +3585,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) - - /* Finally update the reader page to the new head */ - cpu_buffer->reader_page = reader; -- rb_reset_reader_page(cpu_buffer); -+ cpu_buffer->reader_page->read = 0; - - if (overwrite != cpu_buffer->last_overrun) { - cpu_buffer->lost_events = overwrite - cpu_buffer->last_overrun; -@@ -3601,6 +3595,10 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) - goto again; - - out: -+ /* Update the read_stamp on the first event */ -+ if (reader && reader->read == 0) -+ cpu_buffer->read_stamp = reader->page->time_stamp; -+ - arch_spin_unlock(&cpu_buffer->lock); - local_irq_restore(flags); - -diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c -index 5a898f15bfc6..7d054b7671ec 100644 ---- a/kernel/trace/trace_events.c -+++ b/kernel/trace/trace_events.c -@@ -602,7 +602,8 @@ t_next(struct seq_file *m, void *v, loff_t *pos) - * The ftrace subsystem is for showing formats only. - * They can not be enabled or disabled via the event files. - */ -- if (call->class && call->class->reg) -+ if (call->class && call->class->reg && -+ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) - return file; - } - -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index fa927fd5778d..fe7c4b91d2e7 100644 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -1450,13 +1450,13 @@ static void __queue_delayed_work(int cpu, struct workqueue_struct *wq, - timer_stats_timer_set_start_info(&dwork->timer); - - dwork->wq = wq; -- /* timer isn't guaranteed to run in this cpu, record earlier */ -- if (cpu == WORK_CPU_UNBOUND) -- cpu = raw_smp_processor_id(); - dwork->cpu = cpu; - timer->expires = jiffies + delay; - -- add_timer_on(timer, cpu); -+ if (unlikely(cpu != WORK_CPU_UNBOUND)) -+ add_timer_on(timer, cpu); -+ else -+ add_timer(timer); - } - - /** -diff --git a/lib/devres.c b/lib/devres.c -index 823533138fa0..20afaf181b27 100644 ---- a/lib/devres.c -+++ b/lib/devres.c -@@ -423,7 +423,7 @@ void pcim_iounmap_regions(struct pci_dev *pdev, int mask) - if (!iomap) - return; - -- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) { -+ for (i = 0; i < PCIM_IOMAP_MAX; i++) { - if (!(mask & (1 << i))) - continue; - -diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index e3bea2e0821a..025ced8fbb57 100644 ---- a/net/ceph/messenger.c -+++ b/net/ceph/messenger.c -@@ -2277,7 +2277,7 @@ static int read_partial_message(struct ceph_connection *con) - con->in_base_pos = -front_len - middle_len - data_len - - sizeof(m->footer); - con->in_tag = CEPH_MSGR_TAG_READY; -- return 0; -+ return 1; - } else if ((s64)seq - (s64)con->in_seq > 1) { - pr_err("read_partial_message bad seq %lld expected %lld\n", - seq, con->in_seq + 1); -@@ -2310,7 +2310,7 @@ static int read_partial_message(struct ceph_connection *con) - sizeof(m->footer); - con->in_tag = CEPH_MSGR_TAG_READY; - con->in_seq++; -- return 0; -+ return 1; - } - - BUG_ON(!con->in_msg); -diff --git a/net/core/scm.c b/net/core/scm.c -index dbc6bfcdf446..7a6cf8351cde 100644 ---- a/net/core/scm.c -+++ b/net/core/scm.c -@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fplp = fpl; - fpl->count = 0; - fpl->max = SCM_MAX_FD; -+ fpl->user = NULL; - } - fpp = &fpl->fp[fpl->count]; - -@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fpp++ = file; - fpl->count++; - } -+ -+ if (!fpl->user) -+ fpl->user = get_uid(current_user()); -+ - return num; - } - -@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm) - scm->fp = NULL; - for (i=fpl->count-1; i>=0; i--) - fput(fpl->fp[i]); -+ free_uid(fpl->user); - kfree(fpl); - } - } -@@ -337,6 +343,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) - for (i = 0; i < fpl->count; i++) - get_file(fpl->fp[i]); - new_fpl->max = new_fpl->count; -+ new_fpl->user = get_uid(fpl->user); - } - return new_fpl; - } -diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c -index 89aacfd2756d..9ba6d8c7c793 100644 ---- a/net/mac80211/mesh_pathtbl.c -+++ b/net/mac80211/mesh_pathtbl.c -@@ -747,10 +747,8 @@ void mesh_plink_broken(struct sta_info *sta) - static void mesh_path_node_reclaim(struct rcu_head *rp) - { - struct mpath_node *node = container_of(rp, struct mpath_node, rcu); -- struct ieee80211_sub_if_data *sdata = node->mpath->sdata; - - del_timer_sync(&node->mpath->timer); -- atomic_dec(&sdata->u.mesh.mpaths); - kfree(node->mpath); - kfree(node); - } -@@ -758,8 +756,9 @@ static void mesh_path_node_reclaim(struct rcu_head *rp) - /* needs to be called with the corresponding hashwlock taken */ - static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) - { -- struct mesh_path *mpath; -- mpath = node->mpath; -+ struct mesh_path *mpath = node->mpath; -+ struct ieee80211_sub_if_data *sdata = node->mpath->sdata; -+ - spin_lock(&mpath->state_lock); - mpath->flags |= MESH_PATH_RESOLVING; - if (mpath->is_gate) -@@ -767,6 +766,7 @@ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) - hlist_del_rcu(&node->list); - call_rcu(&node->rcu, mesh_path_node_reclaim); - spin_unlock(&mpath->state_lock); -+ atomic_dec(&sdata->u.mesh.mpaths); - atomic_dec(&tbl->entries); - } - -diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 0283baedcdfb..9dc979abb461 100644 ---- a/net/netfilter/nf_conntrack_core.c -+++ b/net/netfilter/nf_conntrack_core.c -@@ -311,6 +311,21 @@ static void death_by_timeout(unsigned long ul_conntrack) - nf_ct_put(ct); - } - -+static inline bool -+nf_ct_key_equal(struct nf_conntrack_tuple_hash *h, -+ const struct nf_conntrack_tuple *tuple, -+ u16 zone) -+{ -+ struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); -+ -+ /* A conntrack can be recreated with the equal tuple, -+ * so we need to check that the conntrack is confirmed -+ */ -+ return nf_ct_tuple_equal(tuple, &h->tuple) && -+ nf_ct_zone(ct) == zone && -+ nf_ct_is_confirmed(ct); -+} -+ - /* - * Warning : - * - Caller must take a reference on returned object -@@ -332,8 +347,7 @@ ____nf_conntrack_find(struct net *net, u16 zone, - local_bh_disable(); - begin: - hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[bucket], hnnode) { -- if (nf_ct_tuple_equal(tuple, &h->tuple) && -- nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) { -+ if (nf_ct_key_equal(h, tuple, zone)) { - NF_CT_STAT_INC(net, found); - local_bh_enable(); - return h; -@@ -380,8 +394,7 @@ begin: - !atomic_inc_not_zero(&ct->ct_general.use))) - h = NULL; - else { -- if (unlikely(!nf_ct_tuple_equal(tuple, &h->tuple) || -- nf_ct_zone(ct) != zone)) { -+ if (unlikely(!nf_ct_key_equal(h, tuple, zone))) { - nf_ct_put(ct); - goto begin; - } -diff --git a/net/rds/connection.c b/net/rds/connection.c -index e88bf3976e54..642ad42c416b 100644 ---- a/net/rds/connection.c -+++ b/net/rds/connection.c -@@ -177,12 +177,6 @@ static struct rds_connection *__rds_conn_create(__be32 laddr, __be32 faddr, - } - } - -- if (trans == NULL) { -- kmem_cache_free(rds_conn_slab, conn); -- conn = ERR_PTR(-ENODEV); -- goto out; -- } -- - conn->c_trans = trans; - - ret = trans->conn_alloc(conn, gfp); -diff --git a/net/rds/send.c b/net/rds/send.c -index 88eace57dd6b..31c9fa464b11 100644 ---- a/net/rds/send.c -+++ b/net/rds/send.c -@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - release_sock(sk); - } - -- /* racing with another thread binding seems ok here */ -+ lock_sock(sk); - if (daddr == 0 || rs->rs_bound_addr == 0) { -+ release_sock(sk); - ret = -ENOTCONN; /* XXX not a great errno */ - goto out; - } -+ release_sock(sk); - - /* size of rm including all sgs */ - ret = rds_rm_size(msg, payload_len); -diff --git a/net/rfkill/core.c b/net/rfkill/core.c -index 1cec5e4f3a5e..6563cc04c578 100644 ---- a/net/rfkill/core.c -+++ b/net/rfkill/core.c -@@ -51,7 +51,6 @@ - struct rfkill { - spinlock_t lock; - -- const char *name; - enum rfkill_type type; - - unsigned long state; -@@ -75,6 +74,7 @@ struct rfkill { - struct delayed_work poll_work; - struct work_struct uevent_work; - struct work_struct sync_work; -+ char name[]; - }; - #define to_rfkill(d) container_of(d, struct rfkill, dev) - -@@ -871,14 +871,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name, - if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES)) - return NULL; - -- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL); -+ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL); - if (!rfkill) - return NULL; - - spin_lock_init(&rfkill->lock); - INIT_LIST_HEAD(&rfkill->node); - rfkill->type = type; -- rfkill->name = name; -+ strcpy(rfkill->name, name); - rfkill->ops = ops; - rfkill->data = ops_data; - -@@ -1088,17 +1088,6 @@ static unsigned int rfkill_fop_poll(struct file *file, poll_table *wait) - return res; - } - --static bool rfkill_readable(struct rfkill_data *data) --{ -- bool r; -- -- mutex_lock(&data->mtx); -- r = !list_empty(&data->events); -- mutex_unlock(&data->mtx); -- -- return r; --} -- - static ssize_t rfkill_fop_read(struct file *file, char __user *buf, - size_t count, loff_t *pos) - { -@@ -1115,8 +1104,11 @@ static ssize_t rfkill_fop_read(struct file *file, char __user *buf, - goto out; - } - mutex_unlock(&data->mtx); -+ /* since we re-check and it just compares pointers, -+ * using !list_empty() without locking isn't a problem -+ */ - ret = wait_event_interruptible(data->read_wait, -- rfkill_readable(data)); -+ !list_empty(&data->events)); - mutex_lock(&data->mtx); - - if (ret) -diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c -index 231b71944c52..a4266b9b2429 100644 ---- a/net/sunrpc/cache.c -+++ b/net/sunrpc/cache.c -@@ -1221,7 +1221,7 @@ int qword_get(char **bpp, char *dest, int bufsize) - if (bp[0] == '\\' && bp[1] == 'x') { - /* HEX STRING */ - bp += 2; -- while (len < bufsize) { -+ while (len < bufsize - 1) { - int h, l; - - h = hex_to_bin(bp[0]); -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index a673c1f4f638..8f118c7c19e1 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1466,7 +1466,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) - UNIXCB(skb).fp = NULL; - - for (i = scm->fp->count-1; i >= 0; i--) -- unix_notinflight(scm->fp->fp[i]); -+ unix_notinflight(scm->fp->user, scm->fp->fp[i]); - } - - static void unix_destruct_scm(struct sk_buff *skb) -@@ -1531,7 +1531,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - return -ENOMEM; - - for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -+ unix_inflight(scm->fp->user, scm->fp->fp[i]); - return max_level; - } - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index 06730fe6ad9d..a72182d6750f 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -122,7 +122,7 @@ struct sock *unix_get_socket(struct file *filp) - * descriptor if it is for an AF_UNIX socket. - */ - --void unix_inflight(struct file *fp) -+void unix_inflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -139,11 +139,11 @@ void unix_inflight(struct file *fp) - } - unix_tot_inflight++; - } -- fp->f_cred->user->unix_inflight++; -+ user->unix_inflight++; - spin_unlock(&unix_gc_lock); - } - --void unix_notinflight(struct file *fp) -+void unix_notinflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -157,7 +157,7 @@ void unix_notinflight(struct file *fp) - list_del_init(&u->link); - unix_tot_inflight--; - } -- fp->f_cred->user->unix_inflight--; -+ user->unix_inflight--; - spin_unlock(&unix_gc_lock); - } - -diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c -index 9c22317778eb..ee625e3a56ba 100644 ---- a/scripts/recordmcount.c -+++ b/scripts/recordmcount.c -@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname) - addr = umalloc(sb.st_size); - uread(fd_map, addr, sb.st_size); - } -+ if (sb.st_nlink != 1) { -+ /* file is hard-linked, break the hard link */ -+ close(fd_map); -+ if (unlink(fname) < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode); -+ if (fd_map < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ uwrite(fd_map, addr, sb.st_size); -+ } - return addr; - } - -diff --git a/tools/Makefile b/tools/Makefile -index 41067f304215..b82a15b92b1c 100644 ---- a/tools/Makefile -+++ b/tools/Makefile -@@ -22,6 +22,10 @@ help: - @echo ' from the kernel command line to build and install one of' - @echo ' the tools above' - @echo '' -+ @echo ' $$ make tools/all' -+ @echo '' -+ @echo ' builds all tools.' -+ @echo '' - @echo ' $$ make tools/install' - @echo '' - @echo ' installs all tools.' -@@ -50,6 +54,10 @@ selftests: FORCE - turbostat x86_energy_perf_policy: FORCE - $(call descend,power/x86/$@) - -+all: cgroup cpupower firewire lguest \ -+ perf selftests turbostat usb \ -+ virtio vm net x86_energy_perf_policy -+ - cpupower_install: - $(call descend,power/$(@:_install=),install) - -diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c -index ea475cd03511..ca2d05a07b57 100644 ---- a/virt/kvm/async_pf.c -+++ b/virt/kvm/async_pf.c -@@ -158,7 +158,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn, - * do alloc nowait since if we are going to sleep anyway we - * may as well sleep faulting in page - */ -- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT); -+ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN); - if (!work) - return 0; - diff --git a/patch/kernel/odroidxu4-default/1-patch-3.10.99-100.patch b/patch/kernel/odroidxu4-default/1-patch-3.10.99-100.patch deleted file mode 100644 index da39546c5..000000000 --- a/patch/kernel/odroidxu4-default/1-patch-3.10.99-100.patch +++ /dev/null @@ -1,1156 +0,0 @@ -diff --git a/Makefile b/Makefile -index f1e6491fd7d8..40d4d3bf52c3 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 99 -+SUBLEVEL = 100 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index c9305ef1d411..e73982b93537 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -422,6 +422,7 @@ ENTRY(ia32_syscall) - /*CFI_REL_OFFSET cs,CS-RIP*/ - CFI_REL_OFFSET rip,RIP-RIP - PARAVIRT_ADJUST_EXCEPTION_FRAME -+ ASM_CLAC /* Do this early to minimize exposure */ - SWAPGS - /* - * No need to follow this irqs on/off section: the syscall -diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c -index ec94e11807dc..ca0805633f26 100644 ---- a/arch/x86/kernel/acpi/sleep.c -+++ b/arch/x86/kernel/acpi/sleep.c -@@ -16,6 +16,7 @@ - #include - #include - -+#include - #include "../../realmode/rm/wakeup.h" - #include "sleep.h" - -@@ -96,7 +97,13 @@ int acpi_suspend_lowlevel(void) - saved_magic = 0x123456789abcdef0L; - #endif /* CONFIG_64BIT */ - -+ /* -+ * Pause/unpause graph tracing around do_suspend_lowlevel as it has -+ * inconsistent call/return info after it jumps to the wakeup vector. -+ */ -+ pause_graph_tracing(); - do_suspend_lowlevel(); -+ unpause_graph_tracing(); - return 0; - } - -diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c -index 04e7db668362..f3f0801a0e81 100644 ---- a/drivers/ata/libata-scsi.c -+++ b/drivers/ata/libata-scsi.c -@@ -673,19 +673,18 @@ static int ata_ioc32(struct ata_port *ap) - int ata_sas_scsi_ioctl(struct ata_port *ap, struct scsi_device *scsidev, - int cmd, void __user *arg) - { -- int val = -EINVAL, rc = -EINVAL; -+ unsigned long val; -+ int rc = -EINVAL; - unsigned long flags; - - switch (cmd) { -- case ATA_IOC_GET_IO32: -+ case HDIO_GET_32BIT: - spin_lock_irqsave(ap->lock, flags); - val = ata_ioc32(ap); - spin_unlock_irqrestore(ap->lock, flags); -- if (copy_to_user(arg, &val, 1)) -- return -EFAULT; -- return 0; -+ return put_user(val, (unsigned long __user *)arg); - -- case ATA_IOC_SET_IO32: -+ case HDIO_SET_32BIT: - val = (unsigned long) arg; - rc = 0; - spin_lock_irqsave(ap->lock, flags); -diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c -index 88cd940ece63..453c816b4537 100644 ---- a/drivers/edac/edac_mc_sysfs.c -+++ b/drivers/edac/edac_mc_sysfs.c -@@ -973,21 +973,26 @@ nomem: - */ - int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) - { -+ char *name; - int i, err; - - /* - * The memory controller needs its own bus, in order to avoid - * namespace conflicts at /sys/bus/edac. - */ -- mci->bus->name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); -- if (!mci->bus->name) -+ name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); -+ if (!name) - return -ENOMEM; - -+ mci->bus->name = name; -+ - edac_dbg(0, "creating bus %s\n", mci->bus->name); - - err = bus_register(mci->bus); -- if (err < 0) -+ if (err < 0) { -+ kfree(name); - return err; -+ } - - /* get the /sys/devices/system/edac subsys reference */ - mci->dev.type = &mci_attr_type; -@@ -1071,7 +1076,8 @@ fail: - fail2: - device_unregister(&mci->dev); - bus_unregister(mci->bus); -- kfree(mci->bus->name); -+ kfree(name); -+ - return err; - } - -@@ -1102,10 +1108,12 @@ void edac_remove_sysfs_mci_device(struct mem_ctl_info *mci) - - void edac_unregister_sysfs(struct mem_ctl_info *mci) - { -+ const char *name = mci->bus->name; -+ - edac_dbg(1, "Unregistering device %s\n", dev_name(&mci->dev)); - device_unregister(&mci->dev); - bus_unregister(mci->bus); -- kfree(mci->bus->name); -+ kfree(name); - } - - static void mc_attr_release(struct device *dev) -diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c -index 313ccaf25f49..62834322b337 100644 ---- a/drivers/gpu/drm/ast/ast_main.c -+++ b/drivers/gpu/drm/ast/ast_main.c -@@ -124,7 +124,7 @@ static int ast_get_dram_info(struct drm_device *dev) - } while (ast_read32(ast, 0x10000) != 0x01); - data = ast_read32(ast, 0x10004); - -- if (data & 0x400) -+ if (data & 0x40) - ast->dram_bus_width = 16; - else - ast->dram_bus_width = 32; -diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c -index bb166849aa6e..f0bac68254b7 100644 ---- a/drivers/gpu/drm/radeon/radeon_sa.c -+++ b/drivers/gpu/drm/radeon/radeon_sa.c -@@ -349,13 +349,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev, - /* see if we can skip over some allocations */ - } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); - -- for (i = 0; i < RADEON_NUM_RINGS; ++i) -- radeon_fence_ref(fences[i]); -- - spin_unlock(&sa_manager->wq.lock); - r = radeon_fence_wait_any(rdev, fences, false); -- for (i = 0; i < RADEON_NUM_RINGS; ++i) -- radeon_fence_unref(&fences[i]); - spin_lock(&sa_manager->wq.lock); - /* if we have nothing to wait for block */ - if (r == -ENOENT && block) { -diff --git a/drivers/mtd/ubi/upd.c b/drivers/mtd/ubi/upd.c -index 2a1b6e037e1a..0134ba32a057 100644 ---- a/drivers/mtd/ubi/upd.c -+++ b/drivers/mtd/ubi/upd.c -@@ -193,7 +193,7 @@ int ubi_start_leb_change(struct ubi_device *ubi, struct ubi_volume *vol, - vol->changing_leb = 1; - vol->ch_lnum = req->lnum; - -- vol->upd_buf = vmalloc(req->bytes); -+ vol->upd_buf = vmalloc(ALIGN((int)req->bytes, ubi->min_io_size)); - if (!vol->upd_buf) - return -ENOMEM; - -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 303f3b3fb65f..84b770461655 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -164,6 +164,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ - { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ - { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ -+ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ - { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 9bab34cf01d4..24366a2afea6 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -271,6 +271,7 @@ static void option_instat_callback(struct urb *urb); - #define TELIT_PRODUCT_UE910_V2 0x1012 - #define TELIT_PRODUCT_LE922_USBCFG0 0x1042 - #define TELIT_PRODUCT_LE922_USBCFG3 0x1043 -+#define TELIT_PRODUCT_LE922_USBCFG5 0x1045 - #define TELIT_PRODUCT_LE920 0x1200 - #define TELIT_PRODUCT_LE910 0x1201 - -@@ -1140,6 +1141,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ -+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */ -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), -@@ -1191,6 +1194,8 @@ static const struct usb_device_id option_ids[] = { - .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), - .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, -+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff), -+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), - .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, - { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), -diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c -index d17c5d72cd29..4c86850bd627 100644 ---- a/fs/cifs/cifssmb.c -+++ b/fs/cifs/cifssmb.c -@@ -1389,11 +1389,10 @@ openRetry: - * current bigbuf. - */ - static int --cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) -+discard_remaining_data(struct TCP_Server_Info *server) - { - unsigned int rfclen = get_rfc1002_length(server->smallbuf); - int remaining = rfclen + 4 - server->total_read; -- struct cifs_readdata *rdata = mid->callback_data; - - while (remaining > 0) { - int length; -@@ -1407,10 +1406,20 @@ cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) - remaining -= length; - } - -- dequeue_mid(mid, rdata->result); - return 0; - } - -+static int -+cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) -+{ -+ int length; -+ struct cifs_readdata *rdata = mid->callback_data; -+ -+ length = discard_remaining_data(server); -+ dequeue_mid(mid, rdata->result); -+ return length; -+} -+ - int - cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) - { -@@ -1439,6 +1448,12 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) - return length; - server->total_read += length; - -+ if (server->ops->is_status_pending && -+ server->ops->is_status_pending(buf, server, 0)) { -+ discard_remaining_data(server); -+ return -1; -+ } -+ - /* Was the SMB read successful? */ - rdata->result = server->ops->map_error(buf, false); - if (rdata->result != 0) { -diff --git a/fs/jffs2/README.Locking b/fs/jffs2/README.Locking -index 3ea36554107f..8918ac905a3b 100644 ---- a/fs/jffs2/README.Locking -+++ b/fs/jffs2/README.Locking -@@ -2,10 +2,6 @@ - JFFS2 LOCKING DOCUMENTATION - --------------------------- - --At least theoretically, JFFS2 does not require the Big Kernel Lock --(BKL), which was always helpfully obtained for it by Linux 2.4 VFS --code. It has its own locking, as described below. -- - This document attempts to describe the existing locking rules for - JFFS2. It is not expected to remain perfectly up to date, but ought to - be fairly close. -@@ -69,6 +65,7 @@ Ordering constraints: - any f->sem held. - 2. Never attempt to lock two file mutexes in one thread. - No ordering rules have been made for doing so. -+ 3. Never lock a page cache page with f->sem held. - - - erase_completion_lock spinlock -diff --git a/fs/jffs2/build.c b/fs/jffs2/build.c -index a3750f902adc..c1f04947d7dc 100644 ---- a/fs/jffs2/build.c -+++ b/fs/jffs2/build.c -@@ -49,7 +49,8 @@ next_inode(int *i, struct jffs2_inode_cache *ic, struct jffs2_sb_info *c) - - - static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, -- struct jffs2_inode_cache *ic) -+ struct jffs2_inode_cache *ic, -+ int *dir_hardlinks) - { - struct jffs2_full_dirent *fd; - -@@ -68,19 +69,21 @@ static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, - dbg_fsbuild("child \"%s\" (ino #%u) of dir ino #%u doesn't exist!\n", - fd->name, fd->ino, ic->ino); - jffs2_mark_node_obsolete(c, fd->raw); -+ /* Clear the ic/raw union so it doesn't cause problems later. */ -+ fd->ic = NULL; - continue; - } - -+ /* From this point, fd->raw is no longer used so we can set fd->ic */ -+ fd->ic = child_ic; -+ child_ic->pino_nlink++; -+ /* If we appear (at this stage) to have hard-linked directories, -+ * set a flag to trigger a scan later */ - if (fd->type == DT_DIR) { -- if (child_ic->pino_nlink) { -- JFFS2_ERROR("child dir \"%s\" (ino #%u) of dir ino #%u appears to be a hard link\n", -- fd->name, fd->ino, ic->ino); -- /* TODO: What do we do about it? */ -- } else { -- child_ic->pino_nlink = ic->ino; -- } -- } else -- child_ic->pino_nlink++; -+ child_ic->flags |= INO_FLAGS_IS_DIR; -+ if (child_ic->pino_nlink > 1) -+ *dir_hardlinks = 1; -+ } - - dbg_fsbuild("increased nlink for child \"%s\" (ino #%u)\n", fd->name, fd->ino); - /* Can't free scan_dents so far. We might need them in pass 2 */ -@@ -94,8 +97,7 @@ static void jffs2_build_inode_pass1(struct jffs2_sb_info *c, - */ - static int jffs2_build_filesystem(struct jffs2_sb_info *c) - { -- int ret; -- int i; -+ int ret, i, dir_hardlinks = 0; - struct jffs2_inode_cache *ic; - struct jffs2_full_dirent *fd; - struct jffs2_full_dirent *dead_fds = NULL; -@@ -119,7 +121,7 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) - /* Now scan the directory tree, increasing nlink according to every dirent found. */ - for_each_inode(i, c, ic) { - if (ic->scan_dents) { -- jffs2_build_inode_pass1(c, ic); -+ jffs2_build_inode_pass1(c, ic, &dir_hardlinks); - cond_resched(); - } - } -@@ -155,6 +157,20 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) - } - - dbg_fsbuild("pass 2a complete\n"); -+ -+ if (dir_hardlinks) { -+ /* If we detected directory hardlinks earlier, *hopefully* -+ * they are gone now because some of the links were from -+ * dead directories which still had some old dirents lying -+ * around and not yet garbage-collected, but which have -+ * been discarded above. So clear the pino_nlink field -+ * in each directory, so that the final scan below can -+ * print appropriate warnings. */ -+ for_each_inode(i, c, ic) { -+ if (ic->flags & INO_FLAGS_IS_DIR) -+ ic->pino_nlink = 0; -+ } -+ } - dbg_fsbuild("freeing temporary data structures\n"); - - /* Finally, we can scan again and free the dirent structs */ -@@ -162,6 +178,33 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c) - while(ic->scan_dents) { - fd = ic->scan_dents; - ic->scan_dents = fd->next; -+ /* We do use the pino_nlink field to count nlink of -+ * directories during fs build, so set it to the -+ * parent ino# now. Now that there's hopefully only -+ * one. */ -+ if (fd->type == DT_DIR) { -+ if (!fd->ic) { -+ /* We'll have complained about it and marked the coresponding -+ raw node obsolete already. Just skip it. */ -+ continue; -+ } -+ -+ /* We *have* to have set this in jffs2_build_inode_pass1() */ -+ BUG_ON(!(fd->ic->flags & INO_FLAGS_IS_DIR)); -+ -+ /* We clear ic->pino_nlink ∀ directories' ic *only* if dir_hardlinks -+ * is set. Otherwise, we know this should never trigger anyway, so -+ * we don't do the check. And ic->pino_nlink still contains the nlink -+ * value (which is 1). */ -+ if (dir_hardlinks && fd->ic->pino_nlink) { -+ JFFS2_ERROR("child dir \"%s\" (ino #%u) of dir ino #%u is also hard linked from dir ino #%u\n", -+ fd->name, fd->ino, ic->ino, fd->ic->pino_nlink); -+ /* Should we unlink it from its previous parent? */ -+ } -+ -+ /* For directories, ic->pino_nlink holds that parent inode # */ -+ fd->ic->pino_nlink = ic->ino; -+ } - jffs2_free_full_dirent(fd); - } - ic->scan_dents = NULL; -@@ -240,11 +283,7 @@ static void jffs2_build_remove_unlinked_inode(struct jffs2_sb_info *c, - - /* Reduce nlink of the child. If it's now zero, stick it on the - dead_fds list to be cleaned up later. Else just free the fd */ -- -- if (fd->type == DT_DIR) -- child_ic->pino_nlink = 0; -- else -- child_ic->pino_nlink--; -+ child_ic->pino_nlink--; - - if (!child_ic->pino_nlink) { - dbg_fsbuild("inode #%u (\"%s\") now has no links; adding to dead_fds list.\n", -diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c -index 1506673c087e..60ef3fb707ff 100644 ---- a/fs/jffs2/file.c -+++ b/fs/jffs2/file.c -@@ -138,39 +138,33 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - struct page *pg; - struct inode *inode = mapping->host; - struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); -- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); -- struct jffs2_raw_inode ri; -- uint32_t alloc_len = 0; - pgoff_t index = pos >> PAGE_CACHE_SHIFT; - uint32_t pageofs = index << PAGE_CACHE_SHIFT; - int ret = 0; - -- jffs2_dbg(1, "%s()\n", __func__); -- -- if (pageofs > inode->i_size) { -- ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, -- ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); -- if (ret) -- return ret; -- } -- -- mutex_lock(&f->sem); - pg = grab_cache_page_write_begin(mapping, index, flags); -- if (!pg) { -- if (alloc_len) -- jffs2_complete_reservation(c); -- mutex_unlock(&f->sem); -+ if (!pg) - return -ENOMEM; -- } - *pagep = pg; - -- if (alloc_len) { -+ jffs2_dbg(1, "%s()\n", __func__); -+ -+ if (pageofs > inode->i_size) { - /* Make new hole frag from old EOF to new page */ -+ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); -+ struct jffs2_raw_inode ri; - struct jffs2_full_dnode *fn; -+ uint32_t alloc_len; - - jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n", - (unsigned int)inode->i_size, pageofs); - -+ ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, -+ ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); -+ if (ret) -+ goto out_page; -+ -+ mutex_lock(&f->sem); - memset(&ri, 0, sizeof(ri)); - - ri.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK); -@@ -197,6 +191,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - if (IS_ERR(fn)) { - ret = PTR_ERR(fn); - jffs2_complete_reservation(c); -+ mutex_unlock(&f->sem); - goto out_page; - } - ret = jffs2_add_full_dnode_to_inode(c, f, fn); -@@ -211,10 +206,12 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - jffs2_mark_node_obsolete(c, fn->raw); - jffs2_free_full_dnode(fn); - jffs2_complete_reservation(c); -+ mutex_unlock(&f->sem); - goto out_page; - } - jffs2_complete_reservation(c); - inode->i_size = pageofs; -+ mutex_unlock(&f->sem); - } - - /* -@@ -223,18 +220,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, - * case of a short-copy. - */ - if (!PageUptodate(pg)) { -+ mutex_lock(&f->sem); - ret = jffs2_do_readpage_nolock(inode, pg); -+ mutex_unlock(&f->sem); - if (ret) - goto out_page; - } -- mutex_unlock(&f->sem); - jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags); - return ret; - - out_page: - unlock_page(pg); - page_cache_release(pg); -- mutex_unlock(&f->sem); - return ret; - } - -diff --git a/fs/jffs2/gc.c b/fs/jffs2/gc.c -index 5a2dec2b064c..95d5880a63ee 100644 ---- a/fs/jffs2/gc.c -+++ b/fs/jffs2/gc.c -@@ -1296,14 +1296,17 @@ static int jffs2_garbage_collect_dnode(struct jffs2_sb_info *c, struct jffs2_era - BUG_ON(start > orig_start); - } - -- /* First, use readpage() to read the appropriate page into the page cache */ -- /* Q: What happens if we actually try to GC the _same_ page for which commit_write() -- * triggered garbage collection in the first place? -- * A: I _think_ it's OK. read_cache_page shouldn't deadlock, we'll write out the -- * page OK. We'll actually write it out again in commit_write, which is a little -- * suboptimal, but at least we're correct. -- */ -+ /* The rules state that we must obtain the page lock *before* f->sem, so -+ * drop f->sem temporarily. Since we also hold c->alloc_sem, nothing's -+ * actually going to *change* so we're safe; we only allow reading. -+ * -+ * It is important to note that jffs2_write_begin() will ensure that its -+ * page is marked Uptodate before allocating space. That means that if we -+ * end up here trying to GC the *same* page that jffs2_write_begin() is -+ * trying to write out, read_cache_page() will not deadlock. */ -+ mutex_unlock(&f->sem); - pg_ptr = jffs2_gc_fetch_page(c, f, start, &pg); -+ mutex_lock(&f->sem); - - if (IS_ERR(pg_ptr)) { - pr_warn("read_cache_page() returned error: %ld\n", -diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h -index fa35ff79ab35..0637271f3770 100644 ---- a/fs/jffs2/nodelist.h -+++ b/fs/jffs2/nodelist.h -@@ -194,6 +194,7 @@ struct jffs2_inode_cache { - #define INO_STATE_CLEARING 6 /* In clear_inode() */ - - #define INO_FLAGS_XATTR_CHECKED 0x01 /* has no duplicate xattr_ref */ -+#define INO_FLAGS_IS_DIR 0x02 /* is a directory */ - - #define RAWNODE_CLASS_INODE_CACHE 0 - #define RAWNODE_CLASS_XATTR_DATUM 1 -@@ -249,7 +250,10 @@ struct jffs2_readinode_info - - struct jffs2_full_dirent - { -- struct jffs2_raw_node_ref *raw; -+ union { -+ struct jffs2_raw_node_ref *raw; -+ struct jffs2_inode_cache *ic; /* Just during part of build */ -+ }; - struct jffs2_full_dirent *next; - uint32_t version; - uint32_t ino; /* == zero for unlink */ -diff --git a/fs/locks.c b/fs/locks.c -index 0274c953b07d..f7b1de7e6735 100644 ---- a/fs/locks.c -+++ b/fs/locks.c -@@ -1852,7 +1852,6 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, - goto out; - } - --again: - error = flock_to_posix_lock(filp, file_lock, &flock); - if (error) - goto out; -@@ -1883,19 +1882,22 @@ again: - * Attempt to detect a close/fcntl race and recover by - * releasing the lock that was just acquired. - */ -- /* -- * we need that spin_lock here - it prevents reordering between -- * update of inode->i_flock and check for it done in close(). -- * rcu_read_lock() wouldn't do. -- */ -- spin_lock(¤t->files->file_lock); -- f = fcheck(fd); -- spin_unlock(¤t->files->file_lock); -- if (!error && f != filp && flock.l_type != F_UNLCK) { -- flock.l_type = F_UNLCK; -- goto again; -+ if (!error && file_lock->fl_type != F_UNLCK) { -+ /* -+ * We need that spin_lock here - it prevents reordering between -+ * update of inode->i_flock and check for it done in -+ * close(). rcu_read_lock() wouldn't do. -+ */ -+ spin_lock(¤t->files->file_lock); -+ f = fcheck(fd); -+ spin_unlock(¤t->files->file_lock); -+ if (f != filp) { -+ file_lock->fl_type = F_UNLCK; -+ error = do_lock_file_wait(filp, cmd, file_lock); -+ WARN_ON_ONCE(error); -+ error = -EBADF; -+ } - } -- - out: - locks_free_lock(file_lock); - return error; -@@ -1970,7 +1972,6 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, - goto out; - } - --again: - error = flock64_to_posix_lock(filp, file_lock, &flock); - if (error) - goto out; -@@ -2001,14 +2002,22 @@ again: - * Attempt to detect a close/fcntl race and recover by - * releasing the lock that was just acquired. - */ -- spin_lock(¤t->files->file_lock); -- f = fcheck(fd); -- spin_unlock(¤t->files->file_lock); -- if (!error && f != filp && flock.l_type != F_UNLCK) { -- flock.l_type = F_UNLCK; -- goto again; -+ if (!error && file_lock->fl_type != F_UNLCK) { -+ /* -+ * We need that spin_lock here - it prevents reordering between -+ * update of inode->i_flock and check for it done in -+ * close(). rcu_read_lock() wouldn't do. -+ */ -+ spin_lock(¤t->files->file_lock); -+ f = fcheck(fd); -+ spin_unlock(¤t->files->file_lock); -+ if (f != filp) { -+ file_lock->fl_type = F_UNLCK; -+ error = do_lock_file_wait(filp, cmd, file_lock); -+ WARN_ON_ONCE(error); -+ error = -EBADF; -+ } - } -- - out: - locks_free_lock(file_lock); - return error; -diff --git a/include/linux/ata.h b/include/linux/ata.h -index ee0bd9524055..f60ffe29b3a1 100644 ---- a/include/linux/ata.h -+++ b/include/linux/ata.h -@@ -477,8 +477,8 @@ enum ata_tf_protocols { - }; - - enum ata_ioctls { -- ATA_IOC_GET_IO32 = 0x309, -- ATA_IOC_SET_IO32 = 0x324, -+ ATA_IOC_GET_IO32 = 0x309, /* HDIO_GET_32BIT */ -+ ATA_IOC_SET_IO32 = 0x324, /* HDIO_SET_32BIT */ - }; - - /* core structures */ -diff --git a/include/linux/libata.h b/include/linux/libata.h -index 8ad0771b88ab..8017e5c459cf 100644 ---- a/include/linux/libata.h -+++ b/include/linux/libata.h -@@ -666,7 +666,7 @@ struct ata_device { - union { - u16 id[ATA_ID_WORDS]; /* IDENTIFY xxx DEVICE data */ - u32 gscr[SATA_PMP_GSCR_DWORDS]; /* PMP GSCR block */ -- }; -+ } ____cacheline_aligned; - - /* DEVSLP Timing Variables from Identify Device Data Log */ - u8 devslp_timing[ATA_LOG_DEVSLP_SIZE]; -diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c -index 2bb95a7a8809..c14565bde887 100644 ---- a/sound/core/control_compat.c -+++ b/sound/core/control_compat.c -@@ -170,6 +170,19 @@ struct snd_ctl_elem_value32 { - unsigned char reserved[128]; - }; - -+#ifdef CONFIG_X86_X32 -+/* x32 has a different alignment for 64bit values from ia32 */ -+struct snd_ctl_elem_value_x32 { -+ struct snd_ctl_elem_id id; -+ unsigned int indirect; /* bit-field causes misalignment */ -+ union { -+ s32 integer[128]; -+ unsigned char data[512]; -+ s64 integer64[64]; -+ } value; -+ unsigned char reserved[128]; -+}; -+#endif /* CONFIG_X86_X32 */ - - /* get the value type and count of the control */ - static int get_ctl_type(struct snd_card *card, struct snd_ctl_elem_id *id, -@@ -219,9 +232,11 @@ static int get_elem_size(int type, int count) - - static int copy_ctl_value_from_user(struct snd_card *card, - struct snd_ctl_elem_value *data, -- struct snd_ctl_elem_value32 __user *data32, -+ void __user *userdata, -+ void __user *valuep, - int *typep, int *countp) - { -+ struct snd_ctl_elem_value32 __user *data32 = userdata; - int i, type, size; - int uninitialized_var(count); - unsigned int indirect; -@@ -239,8 +254,9 @@ static int copy_ctl_value_from_user(struct snd_card *card, - if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || - type == SNDRV_CTL_ELEM_TYPE_INTEGER) { - for (i = 0; i < count; i++) { -+ s32 __user *intp = valuep; - int val; -- if (get_user(val, &data32->value.integer[i])) -+ if (get_user(val, &intp[i])) - return -EFAULT; - data->value.integer.value[i] = val; - } -@@ -250,8 +266,7 @@ static int copy_ctl_value_from_user(struct snd_card *card, - printk(KERN_ERR "snd_ioctl32_ctl_elem_value: unknown type %d\n", type); - return -EINVAL; - } -- if (copy_from_user(data->value.bytes.data, -- data32->value.data, size)) -+ if (copy_from_user(data->value.bytes.data, valuep, size)) - return -EFAULT; - } - -@@ -261,7 +276,8 @@ static int copy_ctl_value_from_user(struct snd_card *card, - } - - /* restore the value to 32bit */ --static int copy_ctl_value_to_user(struct snd_ctl_elem_value32 __user *data32, -+static int copy_ctl_value_to_user(void __user *userdata, -+ void __user *valuep, - struct snd_ctl_elem_value *data, - int type, int count) - { -@@ -270,22 +286,22 @@ static int copy_ctl_value_to_user(struct snd_ctl_elem_value32 __user *data32, - if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || - type == SNDRV_CTL_ELEM_TYPE_INTEGER) { - for (i = 0; i < count; i++) { -+ s32 __user *intp = valuep; - int val; - val = data->value.integer.value[i]; -- if (put_user(val, &data32->value.integer[i])) -+ if (put_user(val, &intp[i])) - return -EFAULT; - } - } else { - size = get_elem_size(type, count); -- if (copy_to_user(data32->value.data, -- data->value.bytes.data, size)) -+ if (copy_to_user(valuep, data->value.bytes.data, size)) - return -EFAULT; - } - return 0; - } - --static int snd_ctl_elem_read_user_compat(struct snd_card *card, -- struct snd_ctl_elem_value32 __user *data32) -+static int ctl_elem_read_user(struct snd_card *card, -+ void __user *userdata, void __user *valuep) - { - struct snd_ctl_elem_value *data; - int err, type, count; -@@ -294,7 +310,9 @@ static int snd_ctl_elem_read_user_compat(struct snd_card *card, - if (data == NULL) - return -ENOMEM; - -- if ((err = copy_ctl_value_from_user(card, data, data32, &type, &count)) < 0) -+ err = copy_ctl_value_from_user(card, data, userdata, valuep, -+ &type, &count); -+ if (err < 0) - goto error; - - snd_power_lock(card); -@@ -303,14 +321,15 @@ static int snd_ctl_elem_read_user_compat(struct snd_card *card, - err = snd_ctl_elem_read(card, data); - snd_power_unlock(card); - if (err >= 0) -- err = copy_ctl_value_to_user(data32, data, type, count); -+ err = copy_ctl_value_to_user(userdata, valuep, data, -+ type, count); - error: - kfree(data); - return err; - } - --static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, -- struct snd_ctl_elem_value32 __user *data32) -+static int ctl_elem_write_user(struct snd_ctl_file *file, -+ void __user *userdata, void __user *valuep) - { - struct snd_ctl_elem_value *data; - struct snd_card *card = file->card; -@@ -320,7 +339,9 @@ static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, - if (data == NULL) - return -ENOMEM; - -- if ((err = copy_ctl_value_from_user(card, data, data32, &type, &count)) < 0) -+ err = copy_ctl_value_from_user(card, data, userdata, valuep, -+ &type, &count); -+ if (err < 0) - goto error; - - snd_power_lock(card); -@@ -329,12 +350,39 @@ static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, - err = snd_ctl_elem_write(card, file, data); - snd_power_unlock(card); - if (err >= 0) -- err = copy_ctl_value_to_user(data32, data, type, count); -+ err = copy_ctl_value_to_user(userdata, valuep, data, -+ type, count); - error: - kfree(data); - return err; - } - -+static int snd_ctl_elem_read_user_compat(struct snd_card *card, -+ struct snd_ctl_elem_value32 __user *data32) -+{ -+ return ctl_elem_read_user(card, data32, &data32->value); -+} -+ -+static int snd_ctl_elem_write_user_compat(struct snd_ctl_file *file, -+ struct snd_ctl_elem_value32 __user *data32) -+{ -+ return ctl_elem_write_user(file, data32, &data32->value); -+} -+ -+#ifdef CONFIG_X86_X32 -+static int snd_ctl_elem_read_user_x32(struct snd_card *card, -+ struct snd_ctl_elem_value_x32 __user *data32) -+{ -+ return ctl_elem_read_user(card, data32, &data32->value); -+} -+ -+static int snd_ctl_elem_write_user_x32(struct snd_ctl_file *file, -+ struct snd_ctl_elem_value_x32 __user *data32) -+{ -+ return ctl_elem_write_user(file, data32, &data32->value); -+} -+#endif /* CONFIG_X86_X32 */ -+ - /* add or replace a user control */ - static int snd_ctl_elem_add_compat(struct snd_ctl_file *file, - struct snd_ctl_elem_info32 __user *data32, -@@ -393,6 +441,10 @@ enum { - SNDRV_CTL_IOCTL_ELEM_WRITE32 = _IOWR('U', 0x13, struct snd_ctl_elem_value32), - SNDRV_CTL_IOCTL_ELEM_ADD32 = _IOWR('U', 0x17, struct snd_ctl_elem_info32), - SNDRV_CTL_IOCTL_ELEM_REPLACE32 = _IOWR('U', 0x18, struct snd_ctl_elem_info32), -+#ifdef CONFIG_X86_X32 -+ SNDRV_CTL_IOCTL_ELEM_READ_X32 = _IOWR('U', 0x12, struct snd_ctl_elem_value_x32), -+ SNDRV_CTL_IOCTL_ELEM_WRITE_X32 = _IOWR('U', 0x13, struct snd_ctl_elem_value_x32), -+#endif /* CONFIG_X86_X32 */ - }; - - static inline long snd_ctl_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) -@@ -431,6 +483,12 @@ static inline long snd_ctl_ioctl_compat(struct file *file, unsigned int cmd, uns - return snd_ctl_elem_add_compat(ctl, argp, 0); - case SNDRV_CTL_IOCTL_ELEM_REPLACE32: - return snd_ctl_elem_add_compat(ctl, argp, 1); -+#ifdef CONFIG_X86_X32 -+ case SNDRV_CTL_IOCTL_ELEM_READ_X32: -+ return snd_ctl_elem_read_user_x32(ctl->card, argp); -+ case SNDRV_CTL_IOCTL_ELEM_WRITE_X32: -+ return snd_ctl_elem_write_user_x32(ctl, argp); -+#endif /* CONFIG_X86_X32 */ - } - - down_read(&snd_ioctl_rwsem); -diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c -index 5268c1f58c25..09a89094dcf7 100644 ---- a/sound/core/rawmidi_compat.c -+++ b/sound/core/rawmidi_compat.c -@@ -94,9 +94,58 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile, - return 0; - } - -+#ifdef CONFIG_X86_X32 -+/* X32 ABI has 64bit timespec and 64bit alignment */ -+struct snd_rawmidi_status_x32 { -+ s32 stream; -+ u32 rsvd; /* alignment */ -+ struct timespec tstamp; -+ u32 avail; -+ u32 xruns; -+ unsigned char reserved[16]; -+} __attribute__((packed)); -+ -+#define put_timespec(src, dst) copy_to_user(dst, src, sizeof(*dst)) -+ -+static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile, -+ struct snd_rawmidi_status_x32 __user *src) -+{ -+ int err; -+ struct snd_rawmidi_status status; -+ -+ if (rfile->output == NULL) -+ return -EINVAL; -+ if (get_user(status.stream, &src->stream)) -+ return -EFAULT; -+ -+ switch (status.stream) { -+ case SNDRV_RAWMIDI_STREAM_OUTPUT: -+ err = snd_rawmidi_output_status(rfile->output, &status); -+ break; -+ case SNDRV_RAWMIDI_STREAM_INPUT: -+ err = snd_rawmidi_input_status(rfile->input, &status); -+ break; -+ default: -+ return -EINVAL; -+ } -+ if (err < 0) -+ return err; -+ -+ if (put_timespec(&status.tstamp, &src->tstamp) || -+ put_user(status.avail, &src->avail) || -+ put_user(status.xruns, &src->xruns)) -+ return -EFAULT; -+ -+ return 0; -+} -+#endif /* CONFIG_X86_X32 */ -+ - enum { - SNDRV_RAWMIDI_IOCTL_PARAMS32 = _IOWR('W', 0x10, struct snd_rawmidi_params32), - SNDRV_RAWMIDI_IOCTL_STATUS32 = _IOWR('W', 0x20, struct snd_rawmidi_status32), -+#ifdef CONFIG_X86_X32 -+ SNDRV_RAWMIDI_IOCTL_STATUS_X32 = _IOWR('W', 0x20, struct snd_rawmidi_status_x32), -+#endif /* CONFIG_X86_X32 */ - }; - - static long snd_rawmidi_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) -@@ -115,6 +164,10 @@ static long snd_rawmidi_ioctl_compat(struct file *file, unsigned int cmd, unsign - return snd_rawmidi_ioctl_params_compat(rfile, argp); - case SNDRV_RAWMIDI_IOCTL_STATUS32: - return snd_rawmidi_ioctl_status_compat(rfile, argp); -+#ifdef CONFIG_X86_X32 -+ case SNDRV_RAWMIDI_IOCTL_STATUS_X32: -+ return snd_rawmidi_ioctl_status_x32(rfile, argp); -+#endif /* CONFIG_X86_X32 */ - } - return -ENOIOCTLCMD; - } -diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c -index 8d4d5e853efe..ab774954c985 100644 ---- a/sound/core/seq/oss/seq_oss.c -+++ b/sound/core/seq/oss/seq_oss.c -@@ -150,8 +150,6 @@ odev_release(struct inode *inode, struct file *file) - if ((dp = file->private_data) == NULL) - return 0; - -- snd_seq_oss_drain_write(dp); -- - mutex_lock(®ister_mutex); - snd_seq_oss_release(dp); - mutex_unlock(®ister_mutex); -diff --git a/sound/core/seq/oss/seq_oss_device.h b/sound/core/seq/oss/seq_oss_device.h -index c0154a959d55..2464112b08ad 100644 ---- a/sound/core/seq/oss/seq_oss_device.h -+++ b/sound/core/seq/oss/seq_oss_device.h -@@ -131,7 +131,6 @@ int snd_seq_oss_write(struct seq_oss_devinfo *dp, const char __user *buf, int co - unsigned int snd_seq_oss_poll(struct seq_oss_devinfo *dp, struct file *file, poll_table * wait); - - void snd_seq_oss_reset(struct seq_oss_devinfo *dp); --void snd_seq_oss_drain_write(struct seq_oss_devinfo *dp); - - /* */ - void snd_seq_oss_process_queue(struct seq_oss_devinfo *dp, abstime_t time); -diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c -index b3f39b5ed742..f9e09e458227 100644 ---- a/sound/core/seq/oss/seq_oss_init.c -+++ b/sound/core/seq/oss/seq_oss_init.c -@@ -457,23 +457,6 @@ snd_seq_oss_release(struct seq_oss_devinfo *dp) - - - /* -- * Wait until the queue is empty (if we don't have nonblock) -- */ --void --snd_seq_oss_drain_write(struct seq_oss_devinfo *dp) --{ -- if (! dp->timer->running) -- return; -- if (is_write_mode(dp->file_mode) && !is_nonblock_mode(dp->file_mode) && -- dp->writeq) { -- debug_printk(("syncing..\n")); -- while (snd_seq_oss_writeq_sync(dp->writeq)) -- ; -- } --} -- -- --/* - * reset sequencer devices - */ - void -diff --git a/sound/core/timer_compat.c b/sound/core/timer_compat.c -index e05802ae6e1b..2e908225d754 100644 ---- a/sound/core/timer_compat.c -+++ b/sound/core/timer_compat.c -@@ -70,13 +70,14 @@ static int snd_timer_user_status_compat(struct file *file, - struct snd_timer_status32 __user *_status) - { - struct snd_timer_user *tu; -- struct snd_timer_status status; -+ struct snd_timer_status32 status; - - tu = file->private_data; - if (snd_BUG_ON(!tu->timeri)) - return -ENXIO; - memset(&status, 0, sizeof(status)); -- status.tstamp = tu->tstamp; -+ status.tstamp.tv_sec = tu->tstamp.tv_sec; -+ status.tstamp.tv_nsec = tu->tstamp.tv_nsec; - status.resolution = snd_timer_resolution(tu->timeri); - status.lost = tu->timeri->lost; - status.overrun = tu->overrun; -@@ -88,12 +89,21 @@ static int snd_timer_user_status_compat(struct file *file, - return 0; - } - -+#ifdef CONFIG_X86_X32 -+/* X32 ABI has the same struct as x86-64 */ -+#define snd_timer_user_status_x32(file, s) \ -+ snd_timer_user_status(file, s) -+#endif /* CONFIG_X86_X32 */ -+ - /* - */ - - enum { - SNDRV_TIMER_IOCTL_INFO32 = _IOR('T', 0x11, struct snd_timer_info32), - SNDRV_TIMER_IOCTL_STATUS32 = _IOW('T', 0x14, struct snd_timer_status32), -+#ifdef CONFIG_X86_X32 -+ SNDRV_TIMER_IOCTL_STATUS_X32 = _IOW('T', 0x14, struct snd_timer_status), -+#endif /* CONFIG_X86_X32 */ - }; - - static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) -@@ -122,6 +132,10 @@ static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, uns - return snd_timer_user_info_compat(file, argp); - case SNDRV_TIMER_IOCTL_STATUS32: - return snd_timer_user_status_compat(file, argp); -+#ifdef CONFIG_X86_X32 -+ case SNDRV_TIMER_IOCTL_STATUS_X32: -+ return snd_timer_user_status_x32(file, argp); -+#endif /* CONFIG_X86_X32 */ - } - return -ENOIOCTLCMD; - } -diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c -index 94084cdb130c..9a281f45eb9c 100644 ---- a/sound/pci/rme9652/hdsp.c -+++ b/sound/pci/rme9652/hdsp.c -@@ -2923,7 +2923,7 @@ static int snd_hdsp_get_dds_offset(struct snd_kcontrol *kcontrol, struct snd_ctl - { - struct hdsp *hdsp = snd_kcontrol_chip(kcontrol); - -- ucontrol->value.enumerated.item[0] = hdsp_dds_offset(hdsp); -+ ucontrol->value.integer.value[0] = hdsp_dds_offset(hdsp); - return 0; - } - -@@ -2935,7 +2935,7 @@ static int snd_hdsp_put_dds_offset(struct snd_kcontrol *kcontrol, struct snd_ctl - - if (!snd_hdsp_use_is_exclusive(hdsp)) - return -EBUSY; -- val = ucontrol->value.enumerated.item[0]; -+ val = ucontrol->value.integer.value[0]; - spin_lock_irq(&hdsp->lock); - if (val != hdsp_dds_offset(hdsp)) - change = (hdsp_set_dds_offset(hdsp, val) == 0) ? 1 : 0; -diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c -index dd910d249987..8444098d2a8e 100644 ---- a/sound/pci/rme9652/hdspm.c -+++ b/sound/pci/rme9652/hdspm.c -@@ -1423,6 +1423,9 @@ static void hdspm_set_dds_value(struct hdspm *hdspm, int rate) - { - u64 n; - -+ if (snd_BUG_ON(rate <= 0)) -+ return; -+ - if (rate >= 112000) - rate /= 4; - else if (rate >= 56000) -@@ -2045,6 +2048,8 @@ static int hdspm_get_system_sample_rate(struct hdspm *hdspm) - } else { - /* slave mode, return external sample rate */ - rate = hdspm_external_sample_rate(hdspm); -+ if (!rate) -+ rate = hdspm->system_sample_rate; - } - } - -@@ -2090,8 +2095,11 @@ static int snd_hdspm_put_system_sample_rate(struct snd_kcontrol *kcontrol, - ucontrol) - { - struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); -+ int rate = ucontrol->value.integer.value[0]; - -- hdspm_set_dds_value(hdspm, ucontrol->value.enumerated.item[0]); -+ if (rate < 27000 || rate > 207000) -+ return -EINVAL; -+ hdspm_set_dds_value(hdspm, ucontrol->value.integer.value[0]); - return 0; - } - -@@ -4199,7 +4207,7 @@ static int snd_hdspm_get_tco_word_term(struct snd_kcontrol *kcontrol, - { - struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); - -- ucontrol->value.enumerated.item[0] = hdspm->tco->term; -+ ucontrol->value.integer.value[0] = hdspm->tco->term; - - return 0; - } -@@ -4210,8 +4218,8 @@ static int snd_hdspm_put_tco_word_term(struct snd_kcontrol *kcontrol, - { - struct hdspm *hdspm = snd_kcontrol_chip(kcontrol); - -- if (hdspm->tco->term != ucontrol->value.enumerated.item[0]) { -- hdspm->tco->term = ucontrol->value.enumerated.item[0]; -+ if (hdspm->tco->term != ucontrol->value.integer.value[0]) { -+ hdspm->tco->term = ucontrol->value.integer.value[0]; - - hdspm_tco_write(hdspm); - diff --git a/patch/kernel/odroidxu4-default/2-patch-3.10.100-101.patch b/patch/kernel/odroidxu4-default/2-patch-3.10.100-101.patch deleted file mode 100644 index d9647df43..000000000 --- a/patch/kernel/odroidxu4-default/2-patch-3.10.100-101.patch +++ /dev/null @@ -1,1493 +0,0 @@ -diff --git a/Documentation/filesystems/efivarfs.txt b/Documentation/filesystems/efivarfs.txt -index c477af086e65..686a64bba775 100644 ---- a/Documentation/filesystems/efivarfs.txt -+++ b/Documentation/filesystems/efivarfs.txt -@@ -14,3 +14,10 @@ filesystem. - efivarfs is typically mounted like this, - - mount -t efivarfs none /sys/firmware/efi/efivars -+ -+Due to the presence of numerous firmware bugs where removing non-standard -+UEFI variables causes the system firmware to fail to POST, efivarfs -+files that are not well-known standardized variables are created -+as immutable files. This doesn't prevent removal - "chattr -i" will work - -+but it does prevent this kind of failure from being accomplished -+accidentally. -diff --git a/Makefile b/Makefile -index 40d4d3bf52c3..4be9e643cef0 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 100 -+SUBLEVEL = 101 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c -index 6ee59a0eb268..48b4cf6b2a24 100644 ---- a/arch/powerpc/kernel/module_64.c -+++ b/arch/powerpc/kernel/module_64.c -@@ -192,7 +192,7 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab) - if (syms[i].st_shndx == SHN_UNDEF) { - char *name = strtab + syms[i].st_name; - if (name[0] == '.') -- memmove(name, name+1, strlen(name)); -+ syms[i].st_name++; - } - } - } -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 04cc2fa7744f..335fe70967a8 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -1487,6 +1487,13 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr, - return; - } - break; -+ case MSR_IA32_PEBS_ENABLE: -+ /* PEBS needs a quiescent period after being disabled (to write -+ * a record). Disabling PEBS through VMX MSR swapping doesn't -+ * provide that period, so a CPU could write host's record into -+ * guest's memory. -+ */ -+ wrmsrl(MSR_IA32_PEBS_ENABLE, 0); - } - - for (i = 0; i < m->nr; ++i) -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 41ba726c1ce2..7f2b6dec4b2b 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1941,6 +1941,8 @@ static void accumulate_steal_time(struct kvm_vcpu *vcpu) - - static void record_steal_time(struct kvm_vcpu *vcpu) - { -+ accumulate_steal_time(vcpu); -+ - if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) - return; - -@@ -2074,12 +2076,6 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - if (!(data & KVM_MSR_ENABLED)) - break; - -- vcpu->arch.st.last_steal = current->sched_info.run_delay; -- -- preempt_disable(); -- accumulate_steal_time(vcpu); -- preempt_enable(); -- - kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); - - break; -@@ -2758,7 +2754,6 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu) - vcpu->cpu = cpu; - } - -- accumulate_steal_time(vcpu); - kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); - } - -diff --git a/crypto/af_alg.c b/crypto/af_alg.c -index 0ca108f3c840..1aaa555fab56 100644 ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -125,23 +125,6 @@ int af_alg_release(struct socket *sock) - } - EXPORT_SYMBOL_GPL(af_alg_release); - --void af_alg_release_parent(struct sock *sk) --{ -- struct alg_sock *ask = alg_sk(sk); -- bool last; -- -- sk = ask->parent; -- ask = alg_sk(sk); -- -- lock_sock(sk); -- last = !--ask->refcnt; -- release_sock(sk); -- -- if (last) -- sock_put(sk); --} --EXPORT_SYMBOL_GPL(af_alg_release_parent); -- - static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - { - struct sock *sk = sock->sk; -@@ -149,7 +132,6 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - struct sockaddr_alg *sa = (void *)uaddr; - const struct af_alg_type *type; - void *private; -- int err; - - if (sock->state == SS_CONNECTED) - return -EINVAL; -@@ -175,22 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - return PTR_ERR(private); - } - -- err = -EBUSY; - lock_sock(sk); -- if (ask->refcnt) -- goto unlock; - - swap(ask->type, type); - swap(ask->private, private); - -- err = 0; -- --unlock: - release_sock(sk); - - alg_do_release(type, private); - -- return err; -+ return 0; - } - - static int alg_setkey(struct sock *sk, char __user *ukey, -@@ -223,15 +199,11 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, - struct sock *sk = sock->sk; - struct alg_sock *ask = alg_sk(sk); - const struct af_alg_type *type; -- int err = -EBUSY; -+ int err = -ENOPROTOOPT; - - lock_sock(sk); -- if (ask->refcnt) -- goto unlock; -- - type = ask->type; - -- err = -ENOPROTOOPT; - if (level != SOL_ALG || !type) - goto unlock; - -@@ -280,8 +252,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) - - sk2->sk_family = PF_ALG; - -- if (!ask->refcnt++) -- sock_hold(sk); -+ sock_hold(sk); - alg_sk(sk2)->parent = sk; - alg_sk(sk2)->type = type; - -diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c -index 8bd1bb6dbe47..24ae2a694e9b 100644 ---- a/drivers/firmware/efi/efivars.c -+++ b/drivers/firmware/efi/efivars.c -@@ -219,7 +219,8 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) - } - - if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || -- efivar_validate(new_var, new_var->Data, new_var->DataSize) == false) { -+ efivar_validate(new_var->VendorGuid, new_var->VariableName, -+ new_var->Data, new_var->DataSize) == false) { - printk(KERN_ERR "efivars: Malformed variable content\n"); - return -EINVAL; - } -@@ -334,7 +335,8 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - return -EACCES; - - if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || -- efivar_validate(new_var, new_var->Data, new_var->DataSize) == false) { -+ efivar_validate(new_var->VendorGuid, new_var->VariableName, -+ new_var->Data, new_var->DataSize) == false) { - printk(KERN_ERR "efivars: Malformed variable content\n"); - return -EINVAL; - } -@@ -405,35 +407,27 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) - { - int i, short_name_size; - char *short_name; -- unsigned long variable_name_size; -- efi_char16_t *variable_name; -- -- variable_name = new_var->var.VariableName; -- variable_name_size = ucs2_strlen(variable_name) * sizeof(efi_char16_t); -+ unsigned long utf8_name_size; -+ efi_char16_t *variable_name = new_var->var.VariableName; - - /* -- * Length of the variable bytes in ASCII, plus the '-' separator, -+ * Length of the variable bytes in UTF8, plus the '-' separator, - * plus the GUID, plus trailing NUL - */ -- short_name_size = variable_name_size / sizeof(efi_char16_t) -- + 1 + EFI_VARIABLE_GUID_LEN + 1; -- -- short_name = kzalloc(short_name_size, GFP_KERNEL); -+ utf8_name_size = ucs2_utf8size(variable_name); -+ short_name_size = utf8_name_size + 1 + EFI_VARIABLE_GUID_LEN + 1; - -+ short_name = kmalloc(short_name_size, GFP_KERNEL); - if (!short_name) - return 1; - -- /* Convert Unicode to normal chars (assume top bits are 0), -- ala UTF-8 */ -- for (i=0; i < (int)(variable_name_size / sizeof(efi_char16_t)); i++) { -- short_name[i] = variable_name[i] & 0xFF; -- } -+ ucs2_as_utf8(short_name, variable_name, short_name_size); -+ - /* This is ugly, but necessary to separate one vendor's - private variables from another's. */ -- -- *(short_name + strlen(short_name)) = '-'; -+ short_name[utf8_name_size] = '-'; - efi_guid_unparse(&new_var->var.VendorGuid, -- short_name + strlen(short_name)); -+ short_name + utf8_name_size + 1); - - new_var->kobj.kset = efivars_kset; - -diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c -index 7dbc319e1cf5..9f82b5545edd 100644 ---- a/drivers/firmware/efi/vars.c -+++ b/drivers/firmware/efi/vars.c -@@ -42,7 +42,7 @@ DECLARE_WORK(efivar_work, NULL); - EXPORT_SYMBOL_GPL(efivar_work); - - static bool --validate_device_path(struct efi_variable *var, int match, u8 *buffer, -+validate_device_path(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - struct efi_generic_dev_path *node; -@@ -75,7 +75,7 @@ validate_device_path(struct efi_variable *var, int match, u8 *buffer, - } - - static bool --validate_boot_order(struct efi_variable *var, int match, u8 *buffer, -+validate_boot_order(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - /* An array of 16-bit integers */ -@@ -86,18 +86,18 @@ validate_boot_order(struct efi_variable *var, int match, u8 *buffer, - } - - static bool --validate_load_option(struct efi_variable *var, int match, u8 *buffer, -+validate_load_option(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - u16 filepathlength; - int i, desclength = 0, namelen; - -- namelen = ucs2_strnlen(var->VariableName, sizeof(var->VariableName)); -+ namelen = ucs2_strnlen(var_name, EFI_VAR_NAME_LEN); - - /* Either "Boot" or "Driver" followed by four digits of hex */ - for (i = match; i < match+4; i++) { -- if (var->VariableName[i] > 127 || -- hex_to_bin(var->VariableName[i] & 0xff) < 0) -+ if (var_name[i] > 127 || -+ hex_to_bin(var_name[i] & 0xff) < 0) - return true; - } - -@@ -132,12 +132,12 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, - /* - * And, finally, check the filepath - */ -- return validate_device_path(var, match, buffer + desclength + 6, -+ return validate_device_path(var_name, match, buffer + desclength + 6, - filepathlength); - } - - static bool --validate_uint16(struct efi_variable *var, int match, u8 *buffer, -+validate_uint16(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - /* A single 16-bit integer */ -@@ -148,7 +148,7 @@ validate_uint16(struct efi_variable *var, int match, u8 *buffer, - } - - static bool --validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, -+validate_ascii_string(efi_char16_t *var_name, int match, u8 *buffer, - unsigned long len) - { - int i; -@@ -165,67 +165,133 @@ validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, - } - - struct variable_validate { -+ efi_guid_t vendor; - char *name; -- bool (*validate)(struct efi_variable *var, int match, u8 *data, -+ bool (*validate)(efi_char16_t *var_name, int match, u8 *data, - unsigned long len); - }; - -+/* -+ * This is the list of variables we need to validate, as well as the -+ * whitelist for what we think is safe not to default to immutable. -+ * -+ * If it has a validate() method that's not NULL, it'll go into the -+ * validation routine. If not, it is assumed valid, but still used for -+ * whitelisting. -+ * -+ * Note that it's sorted by {vendor,name}, but globbed names must come after -+ * any other name with the same prefix. -+ */ - static const struct variable_validate variable_validate[] = { -- { "BootNext", validate_uint16 }, -- { "BootOrder", validate_boot_order }, -- { "DriverOrder", validate_boot_order }, -- { "Boot*", validate_load_option }, -- { "Driver*", validate_load_option }, -- { "ConIn", validate_device_path }, -- { "ConInDev", validate_device_path }, -- { "ConOut", validate_device_path }, -- { "ConOutDev", validate_device_path }, -- { "ErrOut", validate_device_path }, -- { "ErrOutDev", validate_device_path }, -- { "Timeout", validate_uint16 }, -- { "Lang", validate_ascii_string }, -- { "PlatformLang", validate_ascii_string }, -- { "", NULL }, -+ { EFI_GLOBAL_VARIABLE_GUID, "BootNext", validate_uint16 }, -+ { EFI_GLOBAL_VARIABLE_GUID, "BootOrder", validate_boot_order }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Boot*", validate_load_option }, -+ { EFI_GLOBAL_VARIABLE_GUID, "DriverOrder", validate_boot_order }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Driver*", validate_load_option }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConIn", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConInDev", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConOut", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ConOutDev", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ErrOut", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "ErrOutDev", validate_device_path }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Lang", validate_ascii_string }, -+ { EFI_GLOBAL_VARIABLE_GUID, "OsIndications", NULL }, -+ { EFI_GLOBAL_VARIABLE_GUID, "PlatformLang", validate_ascii_string }, -+ { EFI_GLOBAL_VARIABLE_GUID, "Timeout", validate_uint16 }, -+ { LINUX_EFI_CRASH_GUID, "*", NULL }, -+ { NULL_GUID, "", NULL }, - }; - -+static bool -+variable_matches(const char *var_name, size_t len, const char *match_name, -+ int *match) -+{ -+ for (*match = 0; ; (*match)++) { -+ char c = match_name[*match]; -+ char u = var_name[*match]; -+ -+ /* Wildcard in the matching name means we've matched */ -+ if (c == '*') -+ return true; -+ -+ /* Case sensitive match */ -+ if (!c && *match == len) -+ return true; -+ -+ if (c != u) -+ return false; -+ -+ if (!c) -+ return true; -+ } -+ return true; -+} -+ - bool --efivar_validate(struct efi_variable *var, u8 *data, unsigned long len) -+efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data, -+ unsigned long data_size) - { - int i; -- u16 *unicode_name = var->VariableName; -+ unsigned long utf8_size; -+ u8 *utf8_name; - -- for (i = 0; variable_validate[i].validate != NULL; i++) { -- const char *name = variable_validate[i].name; -- int match; -+ utf8_size = ucs2_utf8size(var_name); -+ utf8_name = kmalloc(utf8_size + 1, GFP_KERNEL); -+ if (!utf8_name) -+ return false; - -- for (match = 0; ; match++) { -- char c = name[match]; -- u16 u = unicode_name[match]; -+ ucs2_as_utf8(utf8_name, var_name, utf8_size); -+ utf8_name[utf8_size] = '\0'; - -- /* All special variables are plain ascii */ -- if (u > 127) -- return true; -+ for (i = 0; variable_validate[i].name[0] != '\0'; i++) { -+ const char *name = variable_validate[i].name; -+ int match = 0; - -- /* Wildcard in the matching name means we've matched */ -- if (c == '*') -- return variable_validate[i].validate(var, -- match, data, len); -+ if (efi_guidcmp(vendor, variable_validate[i].vendor)) -+ continue; - -- /* Case sensitive match */ -- if (c != u) -+ if (variable_matches(utf8_name, utf8_size+1, name, &match)) { -+ if (variable_validate[i].validate == NULL) - break; -- -- /* Reached the end of the string while matching */ -- if (!c) -- return variable_validate[i].validate(var, -- match, data, len); -+ kfree(utf8_name); -+ return variable_validate[i].validate(var_name, match, -+ data, data_size); - } - } -- -+ kfree(utf8_name); - return true; - } - EXPORT_SYMBOL_GPL(efivar_validate); - -+bool -+efivar_variable_is_removable(efi_guid_t vendor, const char *var_name, -+ size_t len) -+{ -+ int i; -+ bool found = false; -+ int match = 0; -+ -+ /* -+ * Check if our variable is in the validated variables list -+ */ -+ for (i = 0; variable_validate[i].name[0] != '\0'; i++) { -+ if (efi_guidcmp(variable_validate[i].vendor, vendor)) -+ continue; -+ -+ if (variable_matches(var_name, len, -+ variable_validate[i].name, &match)) { -+ found = true; -+ break; -+ } -+ } -+ -+ /* -+ * If it's in our list, it is removable. -+ */ -+ return found; -+} -+EXPORT_SYMBOL_GPL(efivar_variable_is_removable); -+ - static efi_status_t - check_var_size(u32 attributes, unsigned long size) - { -@@ -797,7 +863,7 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes, - - *set = false; - -- if (efivar_validate(&entry->var, data, *size) == false) -+ if (efivar_validate(*vendor, name, data, *size) == false) - return -EINVAL; - - /* -diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c -index 8dd524f32284..08f105a06fbf 100644 ---- a/fs/efivarfs/file.c -+++ b/fs/efivarfs/file.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - - #include "internal.h" - -@@ -108,9 +109,79 @@ out_free: - return size; - } - -+static int -+efivarfs_ioc_getxflags(struct file *file, void __user *arg) -+{ -+ struct inode *inode = file->f_mapping->host; -+ unsigned int i_flags; -+ unsigned int flags = 0; -+ -+ i_flags = inode->i_flags; -+ if (i_flags & S_IMMUTABLE) -+ flags |= FS_IMMUTABLE_FL; -+ -+ if (copy_to_user(arg, &flags, sizeof(flags))) -+ return -EFAULT; -+ return 0; -+} -+ -+static int -+efivarfs_ioc_setxflags(struct file *file, void __user *arg) -+{ -+ struct inode *inode = file->f_mapping->host; -+ unsigned int flags; -+ unsigned int i_flags = 0; -+ int error; -+ -+ if (!inode_owner_or_capable(inode)) -+ return -EACCES; -+ -+ if (copy_from_user(&flags, arg, sizeof(flags))) -+ return -EFAULT; -+ -+ if (flags & ~FS_IMMUTABLE_FL) -+ return -EOPNOTSUPP; -+ -+ if (!capable(CAP_LINUX_IMMUTABLE)) -+ return -EPERM; -+ -+ if (flags & FS_IMMUTABLE_FL) -+ i_flags |= S_IMMUTABLE; -+ -+ -+ error = mnt_want_write_file(file); -+ if (error) -+ return error; -+ -+ mutex_lock(&inode->i_mutex); -+ inode->i_flags &= ~S_IMMUTABLE; -+ inode->i_flags |= i_flags; -+ mutex_unlock(&inode->i_mutex); -+ -+ mnt_drop_write_file(file); -+ -+ return 0; -+} -+ -+long -+efivarfs_file_ioctl(struct file *file, unsigned int cmd, unsigned long p) -+{ -+ void __user *arg = (void __user *)p; -+ -+ switch (cmd) { -+ case FS_IOC_GETFLAGS: -+ return efivarfs_ioc_getxflags(file, arg); -+ case FS_IOC_SETFLAGS: -+ return efivarfs_ioc_setxflags(file, arg); -+ } -+ -+ return -ENOTTY; -+} -+ - const struct file_operations efivarfs_file_operations = { - .open = simple_open, - .read = efivarfs_file_read, - .write = efivarfs_file_write, - .llseek = no_llseek, -+ .unlocked_ioctl = efivarfs_file_ioctl, - }; -diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c -index 7e787fb90293..d0351bc7b533 100644 ---- a/fs/efivarfs/inode.c -+++ b/fs/efivarfs/inode.c -@@ -15,7 +15,8 @@ - #include "internal.h" - - struct inode *efivarfs_get_inode(struct super_block *sb, -- const struct inode *dir, int mode, dev_t dev) -+ const struct inode *dir, int mode, -+ dev_t dev, bool is_removable) - { - struct inode *inode = new_inode(sb); - -@@ -23,6 +24,7 @@ struct inode *efivarfs_get_inode(struct super_block *sb, - inode->i_ino = get_next_ino(); - inode->i_mode = mode; - inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; -+ inode->i_flags = is_removable ? 0 : S_IMMUTABLE; - switch (mode & S_IFMT) { - case S_IFREG: - inode->i_fop = &efivarfs_file_operations; -@@ -102,22 +104,17 @@ static void efivarfs_hex_to_guid(const char *str, efi_guid_t *guid) - static int efivarfs_create(struct inode *dir, struct dentry *dentry, - umode_t mode, bool excl) - { -- struct inode *inode; -+ struct inode *inode = NULL; - struct efivar_entry *var; - int namelen, i = 0, err = 0; -+ bool is_removable = false; - - if (!efivarfs_valid_name(dentry->d_name.name, dentry->d_name.len)) - return -EINVAL; - -- inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0); -- if (!inode) -- return -ENOMEM; -- - var = kzalloc(sizeof(struct efivar_entry), GFP_KERNEL); -- if (!var) { -- err = -ENOMEM; -- goto out; -- } -+ if (!var) -+ return -ENOMEM; - - /* length of the variable name itself: remove GUID and separator */ - namelen = dentry->d_name.len - EFI_VARIABLE_GUID_LEN - 1; -@@ -125,6 +122,16 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, - efivarfs_hex_to_guid(dentry->d_name.name + namelen + 1, - &var->var.VendorGuid); - -+ if (efivar_variable_is_removable(var->var.VendorGuid, -+ dentry->d_name.name, namelen)) -+ is_removable = true; -+ -+ inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0, is_removable); -+ if (!inode) { -+ err = -ENOMEM; -+ goto out; -+ } -+ - for (i = 0; i < namelen; i++) - var->var.VariableName[i] = dentry->d_name.name[i]; - -@@ -138,7 +145,8 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry, - out: - if (err) { - kfree(var); -- iput(inode); -+ if (inode) -+ iput(inode); - } - return err; - } -diff --git a/fs/efivarfs/internal.h b/fs/efivarfs/internal.h -index b5ff16addb7c..b4505188e799 100644 ---- a/fs/efivarfs/internal.h -+++ b/fs/efivarfs/internal.h -@@ -15,7 +15,8 @@ extern const struct file_operations efivarfs_file_operations; - extern const struct inode_operations efivarfs_dir_inode_operations; - extern bool efivarfs_valid_name(const char *str, int len); - extern struct inode *efivarfs_get_inode(struct super_block *sb, -- const struct inode *dir, int mode, dev_t dev); -+ const struct inode *dir, int mode, dev_t dev, -+ bool is_removable); - - extern struct list_head efivarfs_list; - -diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c -index 141aee31884f..5a3655f690d9 100644 ---- a/fs/efivarfs/super.c -+++ b/fs/efivarfs/super.c -@@ -128,8 +128,9 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - struct dentry *dentry, *root = sb->s_root; - unsigned long size = 0; - char *name; -- int len, i; -+ int len; - int err = -ENOMEM; -+ bool is_removable = false; - - entry = kmalloc(sizeof(*entry), GFP_KERNEL); - if (!entry) -@@ -138,15 +139,17 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - memcpy(entry->var.VariableName, name16, name_size); - memcpy(&(entry->var.VendorGuid), &vendor, sizeof(efi_guid_t)); - -- len = ucs2_strlen(entry->var.VariableName); -+ len = ucs2_utf8size(entry->var.VariableName); - - /* name, plus '-', plus GUID, plus NUL*/ - name = kmalloc(len + 1 + EFI_VARIABLE_GUID_LEN + 1, GFP_KERNEL); - if (!name) - goto fail; - -- for (i = 0; i < len; i++) -- name[i] = entry->var.VariableName[i] & 0xFF; -+ ucs2_as_utf8(name, entry->var.VariableName, len); -+ -+ if (efivar_variable_is_removable(entry->var.VendorGuid, name, len)) -+ is_removable = true; - - name[len] = '-'; - -@@ -154,7 +157,8 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - - name[len + EFI_VARIABLE_GUID_LEN+1] = '\0'; - -- inode = efivarfs_get_inode(sb, root->d_inode, S_IFREG | 0644, 0); -+ inode = efivarfs_get_inode(sb, root->d_inode, S_IFREG | 0644, 0, -+ is_removable); - if (!inode) - goto fail_name; - -@@ -210,7 +214,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) - sb->s_d_op = &efivarfs_d_ops; - sb->s_time_gran = 1; - -- inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0); -+ inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0, true); - if (!inode) - return -ENOMEM; - inode->i_op = &efivarfs_dir_inode_operations; -diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h -index 2f38daaab3d7..d61c11170213 100644 ---- a/include/crypto/if_alg.h -+++ b/include/crypto/if_alg.h -@@ -30,8 +30,6 @@ struct alg_sock { - - struct sock *parent; - -- unsigned int refcnt; -- - const struct af_alg_type *type; - void *private; - }; -@@ -66,7 +64,6 @@ int af_alg_register_type(const struct af_alg_type *type); - int af_alg_unregister_type(const struct af_alg_type *type); - - int af_alg_release(struct socket *sock); --void af_alg_release_parent(struct sock *sk); - int af_alg_accept(struct sock *sk, struct socket *newsock); - - int af_alg_make_sg(struct af_alg_sgl *sgl, void __user *addr, int len, -@@ -83,6 +80,11 @@ static inline struct alg_sock *alg_sk(struct sock *sk) - return (struct alg_sock *)sk; - } - -+static inline void af_alg_release_parent(struct sock *sk) -+{ -+ sock_put(alg_sk(sk)->parent); -+} -+ - static inline void af_alg_init_completion(struct af_alg_completion *completion) - { - init_completion(&completion->completion); -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 2bc0ad78d058..63fa51c864ec 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -769,8 +769,10 @@ struct efivars { - * and we use a page for reading/writing. - */ - -+#define EFI_VAR_NAME_LEN 1024 -+ - struct efi_variable { -- efi_char16_t VariableName[1024/sizeof(efi_char16_t)]; -+ efi_char16_t VariableName[EFI_VAR_NAME_LEN/sizeof(efi_char16_t)]; - efi_guid_t VendorGuid; - unsigned long DataSize; - __u8 Data[1024]; -@@ -832,7 +834,10 @@ int efivar_entry_iter(int (*func)(struct efivar_entry *, void *), - struct efivar_entry *efivar_entry_find(efi_char16_t *name, efi_guid_t guid, - struct list_head *head, bool remove); - --bool efivar_validate(struct efi_variable *var, u8 *data, unsigned long len); -+bool efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data, -+ unsigned long data_size); -+bool efivar_variable_is_removable(efi_guid_t vendor, const char *name, -+ size_t len); - - extern struct work_struct efivar_work; - void efivar_run_worker(void); -diff --git a/include/linux/module.h b/include/linux/module.h -index 46f1ea01e6f6..761dc2848ffa 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -220,6 +220,12 @@ struct module_ref { - unsigned long decs; - } __attribute((aligned(2 * sizeof(unsigned long)))); - -+struct mod_kallsyms { -+ Elf_Sym *symtab; -+ unsigned int num_symtab; -+ char *strtab; -+}; -+ - struct module - { - enum module_state state; -@@ -308,14 +314,9 @@ struct module - #endif - - #ifdef CONFIG_KALLSYMS -- /* -- * We keep the symbol and string tables for kallsyms. -- * The core_* fields below are temporary, loader-only (they -- * could really be discarded after module init). -- */ -- Elf_Sym *symtab, *core_symtab; -- unsigned int num_symtab, core_num_syms; -- char *strtab, *core_strtab; -+ /* Protected by RCU and/or module_mutex: use rcu_dereference() */ -+ struct mod_kallsyms *kallsyms; -+ struct mod_kallsyms core_kallsyms; - - /* Section attributes */ - struct module_sect_attrs *sect_attrs; -diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h -index 0b2d0cbe0bab..36e5e9998865 100644 ---- a/include/linux/tracepoint.h -+++ b/include/linux/tracepoint.h -@@ -129,9 +129,6 @@ static inline void tracepoint_synchronize_unregister(void) - void *it_func; \ - void *__data; \ - \ -- if (!cpu_online(raw_smp_processor_id())) \ -- return; \ -- \ - if (!(cond)) \ - return; \ - prercu; \ -@@ -265,15 +262,19 @@ static inline void tracepoint_synchronize_unregister(void) - * "void *__data, proto" as the callback prototype. - */ - #define DECLARE_TRACE_NOARGS(name) \ -- __DECLARE_TRACE(name, void, , 1, void *__data, __data) -+ __DECLARE_TRACE(name, void, , \ -+ cpu_online(raw_smp_processor_id()), \ -+ void *__data, __data) - - #define DECLARE_TRACE(name, proto, args) \ -- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), 1, \ -- PARAMS(void *__data, proto), \ -- PARAMS(__data, args)) -+ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \ -+ cpu_online(raw_smp_processor_id()), \ -+ PARAMS(void *__data, proto), \ -+ PARAMS(__data, args)) - - #define DECLARE_TRACE_CONDITION(name, proto, args, cond) \ -- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), PARAMS(cond), \ -+ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \ -+ cpu_online(raw_smp_processor_id()) && (PARAMS(cond)), \ - PARAMS(void *__data, proto), \ - PARAMS(__data, args)) - -diff --git a/include/linux/ucs2_string.h b/include/linux/ucs2_string.h -index cbb20afdbc01..bb679b48f408 100644 ---- a/include/linux/ucs2_string.h -+++ b/include/linux/ucs2_string.h -@@ -11,4 +11,8 @@ unsigned long ucs2_strlen(const ucs2_char_t *s); - unsigned long ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength); - int ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len); - -+unsigned long ucs2_utf8size(const ucs2_char_t *src); -+unsigned long ucs2_as_utf8(u8 *dest, const ucs2_char_t *src, -+ unsigned long maxlength); -+ - #endif /* _LINUX_UCS2_STRING_H_ */ -diff --git a/kernel/module.c b/kernel/module.c -index 70a4754c001f..f8a4f48b48a9 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -179,6 +179,9 @@ struct load_info { - struct _ddebug *debug; - unsigned int num_debug; - bool sig_ok; -+#ifdef CONFIG_KALLSYMS -+ unsigned long mod_kallsyms_init_off; -+#endif - struct { - unsigned int sym, str, mod, vers, info, pcpu; - } index; -@@ -2346,8 +2349,20 @@ static void layout_symtab(struct module *mod, struct load_info *info) - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect, - info->index.str) | INIT_OFFSET_MASK; - pr_debug("\t%s\n", info->secstrings + strsect->sh_name); -+ -+ /* We'll tack temporary mod_kallsyms on the end. */ -+ mod->init_size = ALIGN(mod->init_size, -+ __alignof__(struct mod_kallsyms)); -+ info->mod_kallsyms_init_off = mod->init_size; -+ mod->init_size += sizeof(struct mod_kallsyms); -+ mod->init_size = debug_align(mod->init_size); - } - -+/* -+ * We use the full symtab and strtab which layout_symtab arranged to -+ * be appended to the init section. Later we switch to the cut-down -+ * core-only ones. -+ */ - static void add_kallsyms(struct module *mod, const struct load_info *info) - { - unsigned int i, ndst; -@@ -2356,28 +2371,33 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) - char *s; - Elf_Shdr *symsec = &info->sechdrs[info->index.sym]; - -- mod->symtab = (void *)symsec->sh_addr; -- mod->num_symtab = symsec->sh_size / sizeof(Elf_Sym); -+ /* Set up to point into init section. */ -+ mod->kallsyms = mod->module_init + info->mod_kallsyms_init_off; -+ -+ mod->kallsyms->symtab = (void *)symsec->sh_addr; -+ mod->kallsyms->num_symtab = symsec->sh_size / sizeof(Elf_Sym); - /* Make sure we get permanent strtab: don't use info->strtab. */ -- mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr; -+ mod->kallsyms->strtab = (void *)info->sechdrs[info->index.str].sh_addr; - - /* Set types up while we still have access to sections. */ -- for (i = 0; i < mod->num_symtab; i++) -- mod->symtab[i].st_info = elf_type(&mod->symtab[i], info); -- -- mod->core_symtab = dst = mod->module_core + info->symoffs; -- mod->core_strtab = s = mod->module_core + info->stroffs; -- src = mod->symtab; -- for (ndst = i = 0; i < mod->num_symtab; i++) { -+ for (i = 0; i < mod->kallsyms->num_symtab; i++) -+ mod->kallsyms->symtab[i].st_info -+ = elf_type(&mod->kallsyms->symtab[i], info); -+ -+ /* Now populate the cut down core kallsyms for after init. */ -+ mod->core_kallsyms.symtab = dst = mod->module_core + info->symoffs; -+ mod->core_kallsyms.strtab = s = mod->module_core + info->stroffs; -+ src = mod->kallsyms->symtab; -+ for (ndst = i = 0; i < mod->kallsyms->num_symtab; i++) { - if (i == 0 || - is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { - dst[ndst] = src[i]; -- dst[ndst++].st_name = s - mod->core_strtab; -- s += strlcpy(s, &mod->strtab[src[i].st_name], -+ dst[ndst++].st_name = s - mod->core_kallsyms.strtab; -+ s += strlcpy(s, &mod->kallsyms->strtab[src[i].st_name], - KSYM_NAME_LEN) + 1; - } - } -- mod->core_num_syms = ndst; -+ mod->core_kallsyms.num_symtab = ndst; - } - #else - static inline void layout_symtab(struct module *mod, struct load_info *info) -@@ -3117,9 +3137,8 @@ static int do_init_module(struct module *mod) - module_put(mod); - trim_init_extable(mod); - #ifdef CONFIG_KALLSYMS -- mod->num_symtab = mod->core_num_syms; -- mod->symtab = mod->core_symtab; -- mod->strtab = mod->core_strtab; -+ /* Switch to core kallsyms now init is done: kallsyms may be walking! */ -+ rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); - #endif - unset_module_init_ro_nx(mod); - module_free(mod, mod->module_init); -@@ -3398,9 +3417,9 @@ static inline int is_arm_mapping_symbol(const char *str) - && (str[2] == '\0' || str[2] == '.'); - } - --static const char *symname(struct module *mod, unsigned int symnum) -+static const char *symname(struct mod_kallsyms *kallsyms, unsigned int symnum) - { -- return mod->strtab + mod->symtab[symnum].st_name; -+ return kallsyms->strtab + kallsyms->symtab[symnum].st_name; - } - - static const char *get_ksymbol(struct module *mod, -@@ -3410,6 +3429,7 @@ static const char *get_ksymbol(struct module *mod, - { - unsigned int i, best = 0; - unsigned long nextval; -+ struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms); - - /* At worse, next value is at end of module */ - if (within_module_init(addr, mod)) -@@ -3419,32 +3439,32 @@ static const char *get_ksymbol(struct module *mod, - - /* Scan for closest preceding symbol, and next symbol. (ELF - starts real symbols at 1). */ -- for (i = 1; i < mod->num_symtab; i++) { -- if (mod->symtab[i].st_shndx == SHN_UNDEF) -+ for (i = 1; i < kallsyms->num_symtab; i++) { -+ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF) - continue; - - /* We ignore unnamed symbols: they're uninformative - * and inserted at a whim. */ -- if (*symname(mod, i) == '\0' -- || is_arm_mapping_symbol(symname(mod, i))) -+ if (*symname(kallsyms, i) == '\0' -+ || is_arm_mapping_symbol(symname(kallsyms, i))) - continue; - -- if (mod->symtab[i].st_value <= addr -- && mod->symtab[i].st_value > mod->symtab[best].st_value) -+ if (kallsyms->symtab[i].st_value <= addr -+ && kallsyms->symtab[i].st_value > kallsyms->symtab[best].st_value) - best = i; -- if (mod->symtab[i].st_value > addr -- && mod->symtab[i].st_value < nextval) -- nextval = mod->symtab[i].st_value; -+ if (kallsyms->symtab[i].st_value > addr -+ && kallsyms->symtab[i].st_value < nextval) -+ nextval = kallsyms->symtab[i].st_value; - } - - if (!best) - return NULL; - - if (size) -- *size = nextval - mod->symtab[best].st_value; -+ *size = nextval - kallsyms->symtab[best].st_value; - if (offset) -- *offset = addr - mod->symtab[best].st_value; -- return symname(mod, best); -+ *offset = addr - kallsyms->symtab[best].st_value; -+ return symname(kallsyms, best); - } - - /* For kallsyms to ask for address resolution. NULL means not found. Careful -@@ -3540,18 +3560,21 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, - - preempt_disable(); - list_for_each_entry_rcu(mod, &modules, list) { -+ struct mod_kallsyms *kallsyms; -+ - if (mod->state == MODULE_STATE_UNFORMED) - continue; -- if (symnum < mod->num_symtab) { -- *value = mod->symtab[symnum].st_value; -- *type = mod->symtab[symnum].st_info; -- strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN); -+ kallsyms = rcu_dereference_sched(mod->kallsyms); -+ if (symnum < kallsyms->num_symtab) { -+ *value = kallsyms->symtab[symnum].st_value; -+ *type = kallsyms->symtab[symnum].st_info; -+ strlcpy(name, symname(kallsyms, symnum), KSYM_NAME_LEN); - strlcpy(module_name, mod->name, MODULE_NAME_LEN); - *exported = is_exported(name, *value, mod); - preempt_enable(); - return 0; - } -- symnum -= mod->num_symtab; -+ symnum -= kallsyms->num_symtab; - } - preempt_enable(); - return -ERANGE; -@@ -3560,11 +3583,12 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type, - static unsigned long mod_find_symname(struct module *mod, const char *name) - { - unsigned int i; -+ struct mod_kallsyms *kallsyms = rcu_dereference_sched(mod->kallsyms); - -- for (i = 0; i < mod->num_symtab; i++) -- if (strcmp(name, symname(mod, i)) == 0 && -- mod->symtab[i].st_info != 'U') -- return mod->symtab[i].st_value; -+ for (i = 0; i < kallsyms->num_symtab; i++) -+ if (strcmp(name, symname(kallsyms, i)) == 0 && -+ kallsyms->symtab[i].st_info != 'U') -+ return kallsyms->symtab[i].st_value; - return 0; - } - -@@ -3603,11 +3627,14 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, - int ret; - - list_for_each_entry(mod, &modules, list) { -+ /* We hold module_mutex: no need for rcu_dereference_sched */ -+ struct mod_kallsyms *kallsyms = mod->kallsyms; -+ - if (mod->state == MODULE_STATE_UNFORMED) - continue; -- for (i = 0; i < mod->num_symtab; i++) { -- ret = fn(data, symname(mod, i), -- mod, mod->symtab[i].st_value); -+ for (i = 0; i < kallsyms->num_symtab; i++) { -+ ret = fn(data, symname(kallsyms, i), -+ mod, kallsyms->symtab[i].st_value); - if (ret != 0) - return ret; - } -diff --git a/lib/ucs2_string.c b/lib/ucs2_string.c -index 6f500ef2301d..f0b323abb4c6 100644 ---- a/lib/ucs2_string.c -+++ b/lib/ucs2_string.c -@@ -49,3 +49,65 @@ ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len) - } - } - EXPORT_SYMBOL(ucs2_strncmp); -+ -+unsigned long -+ucs2_utf8size(const ucs2_char_t *src) -+{ -+ unsigned long i; -+ unsigned long j = 0; -+ -+ for (i = 0; i < ucs2_strlen(src); i++) { -+ u16 c = src[i]; -+ -+ if (c >= 0x800) -+ j += 3; -+ else if (c >= 0x80) -+ j += 2; -+ else -+ j += 1; -+ } -+ -+ return j; -+} -+EXPORT_SYMBOL(ucs2_utf8size); -+ -+/* -+ * copy at most maxlength bytes of whole utf8 characters to dest from the -+ * ucs2 string src. -+ * -+ * The return value is the number of characters copied, not including the -+ * final NUL character. -+ */ -+unsigned long -+ucs2_as_utf8(u8 *dest, const ucs2_char_t *src, unsigned long maxlength) -+{ -+ unsigned int i; -+ unsigned long j = 0; -+ unsigned long limit = ucs2_strnlen(src, maxlength); -+ -+ for (i = 0; maxlength && i < limit; i++) { -+ u16 c = src[i]; -+ -+ if (c >= 0x800) { -+ if (maxlength < 3) -+ break; -+ maxlength -= 3; -+ dest[j++] = 0xe0 | (c & 0xf000) >> 12; -+ dest[j++] = 0x80 | (c & 0x0fc0) >> 6; -+ dest[j++] = 0x80 | (c & 0x003f); -+ } else if (c >= 0x80) { -+ if (maxlength < 2) -+ break; -+ maxlength -= 2; -+ dest[j++] = 0xc0 | (c & 0x7c0) >> 6; -+ dest[j++] = 0x80 | (c & 0x03f); -+ } else { -+ maxlength -= 1; -+ dest[j++] = c & 0x7f; -+ } -+ } -+ if (maxlength) -+ dest[j] = '\0'; -+ return j; -+} -+EXPORT_SYMBOL(ucs2_as_utf8); -diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c -index 31bf2586fb84..864408026202 100644 ---- a/net/mac80211/agg-rx.c -+++ b/net/mac80211/agg-rx.c -@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local, - } - - /* prepare A-MPDU MLME for Rx aggregation */ -- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL); -+ tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL); - if (!tid_agg_rx) - goto end; - -diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c -index f3bbea1eb9e7..13f10aab9213 100644 ---- a/net/mac80211/rc80211_minstrel_ht.c -+++ b/net/mac80211/rc80211_minstrel_ht.c -@@ -454,7 +454,7 @@ minstrel_aggr_check(struct ieee80211_sta *pubsta, struct sk_buff *skb) - if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO) - return; - -- ieee80211_start_tx_ba_session(pubsta, tid, 5000); -+ ieee80211_start_tx_ba_session(pubsta, tid, 0); - } - - static void -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index c8717c1d082e..87dd619fb2e9 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = { - - /* IW event code */ - -+static void wireless_nlevent_flush(void) -+{ -+ struct sk_buff *skb; -+ struct net *net; -+ -+ ASSERT_RTNL(); -+ -+ for_each_net(net) { -+ while ((skb = skb_dequeue(&net->wext_nlevents))) -+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -+ GFP_KERNEL); -+ } -+} -+ -+static int wext_netdev_notifier_call(struct notifier_block *nb, -+ unsigned long state, void *ptr) -+{ -+ /* -+ * When a netdev changes state in any way, flush all pending messages -+ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after -+ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() -+ * or similar - all of which could otherwise happen due to delays from -+ * schedule_work(). -+ */ -+ wireless_nlevent_flush(); -+ -+ return NOTIFY_OK; -+} -+ -+static struct notifier_block wext_netdev_notifier = { -+ .notifier_call = wext_netdev_notifier_call, -+}; -+ - static int __net_init wext_pernet_init(struct net *net) - { - skb_queue_head_init(&net->wext_nlevents); -@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = { - - static int __init wireless_nlevent_init(void) - { -- return register_pernet_subsys(&wext_pernet_ops); -+ int err = register_pernet_subsys(&wext_pernet_ops); -+ -+ if (err) -+ return err; -+ -+ return register_netdevice_notifier(&wext_netdev_notifier); - } - - subsys_initcall(wireless_nlevent_init); -@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init); - /* Process events generated by the wireless layer or the driver. */ - static void wireless_nlevent_process(struct work_struct *work) - { -- struct sk_buff *skb; -- struct net *net; -- - rtnl_lock(); -- -- for_each_net(net) { -- while ((skb = skb_dequeue(&net->wext_nlevents))) -- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -- GFP_KERNEL); -- } -- -+ wireless_nlevent_flush(); - rtnl_unlock(); - } - -diff --git a/sound/soc/codecs/wm8958-dsp2.c b/sound/soc/codecs/wm8958-dsp2.c -index 754f88e1fdab..4892966fc1b8 100644 ---- a/sound/soc/codecs/wm8958-dsp2.c -+++ b/sound/soc/codecs/wm8958-dsp2.c -@@ -459,7 +459,7 @@ static int wm8958_put_mbc_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -@@ -549,7 +549,7 @@ static int wm8958_put_vss_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -@@ -582,7 +582,7 @@ static int wm8958_put_vss_hpf_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -@@ -749,7 +749,7 @@ static int wm8958_put_enh_eq_enum(struct snd_kcontrol *kcontrol, - struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); - struct wm8994 *control = wm8994->wm8994; -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - int reg; - - /* Don't allow on the fly reconfiguration */ -diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c -index 6e746c7474bf..cda3cf23474b 100644 ---- a/sound/soc/codecs/wm8994.c -+++ b/sound/soc/codecs/wm8994.c -@@ -361,7 +361,7 @@ static int wm8994_put_drc_enum(struct snd_kcontrol *kcontrol, - struct wm8994 *control = wm8994->wm8994; - struct wm8994_pdata *pdata = &control->pdata; - int drc = wm8994_get_drc(kcontrol->id.name); -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - - if (drc < 0) - return drc; -@@ -468,7 +468,7 @@ static int wm8994_put_retune_mobile_enum(struct snd_kcontrol *kcontrol, - struct wm8994 *control = wm8994->wm8994; - struct wm8994_pdata *pdata = &control->pdata; - int block = wm8994_get_retune_mobile_block(kcontrol->id.name); -- int value = ucontrol->value.integer.value[0]; -+ int value = ucontrol->value.enumerated.item[0]; - - if (block < 0) - return block; -diff --git a/tools/testing/selftests/efivarfs/efivarfs.sh b/tools/testing/selftests/efivarfs/efivarfs.sh -index 77edcdcc016b..057278448515 100644 ---- a/tools/testing/selftests/efivarfs/efivarfs.sh -+++ b/tools/testing/selftests/efivarfs/efivarfs.sh -@@ -88,7 +88,11 @@ test_delete() - exit 1 - fi - -- rm $file -+ rm $file 2>/dev/null -+ if [ $? -ne 0 ]; then -+ chattr -i $file -+ rm $file -+ fi - - if [ -e $file ]; then - echo "$file couldn't be deleted" >&2 -@@ -111,6 +115,7 @@ test_zero_size_delete() - exit 1 - fi - -+ chattr -i $file - printf "$attrs" > $file - - if [ -e $file ]; then -@@ -141,7 +146,11 @@ test_valid_filenames() - echo "$file could not be created" >&2 - ret=1 - else -- rm $file -+ rm $file 2>/dev/null -+ if [ $? -ne 0 ]; then -+ chattr -i $file -+ rm $file -+ fi - fi - done - -@@ -174,7 +183,11 @@ test_invalid_filenames() - - if [ -e $file ]; then - echo "Creating $file should have failed" >&2 -- rm $file -+ rm $file 2>/dev/null -+ if [ $? -ne 0 ]; then -+ chattr -i $file -+ rm $file -+ fi - ret=1 - fi - done -diff --git a/tools/testing/selftests/efivarfs/open-unlink.c b/tools/testing/selftests/efivarfs/open-unlink.c -index 8c0764407b3c..4af74f733036 100644 ---- a/tools/testing/selftests/efivarfs/open-unlink.c -+++ b/tools/testing/selftests/efivarfs/open-unlink.c -@@ -1,10 +1,68 @@ -+#include - #include - #include - #include - #include -+#include - #include - #include - #include -+#include -+ -+static int set_immutable(const char *path, int immutable) -+{ -+ unsigned int flags; -+ int fd; -+ int rc; -+ int error; -+ -+ fd = open(path, O_RDONLY); -+ if (fd < 0) -+ return fd; -+ -+ rc = ioctl(fd, FS_IOC_GETFLAGS, &flags); -+ if (rc < 0) { -+ error = errno; -+ close(fd); -+ errno = error; -+ return rc; -+ } -+ -+ if (immutable) -+ flags |= FS_IMMUTABLE_FL; -+ else -+ flags &= ~FS_IMMUTABLE_FL; -+ -+ rc = ioctl(fd, FS_IOC_SETFLAGS, &flags); -+ error = errno; -+ close(fd); -+ errno = error; -+ return rc; -+} -+ -+static int get_immutable(const char *path) -+{ -+ unsigned int flags; -+ int fd; -+ int rc; -+ int error; -+ -+ fd = open(path, O_RDONLY); -+ if (fd < 0) -+ return fd; -+ -+ rc = ioctl(fd, FS_IOC_GETFLAGS, &flags); -+ if (rc < 0) { -+ error = errno; -+ close(fd); -+ errno = error; -+ return rc; -+ } -+ close(fd); -+ if (flags & FS_IMMUTABLE_FL) -+ return 1; -+ return 0; -+} - - int main(int argc, char **argv) - { -@@ -27,7 +85,7 @@ int main(int argc, char **argv) - buf[4] = 0; - - /* create a test variable */ -- fd = open(path, O_WRONLY | O_CREAT); -+ fd = open(path, O_WRONLY | O_CREAT, 0600); - if (fd < 0) { - perror("open(O_WRONLY)"); - return EXIT_FAILURE; -@@ -41,6 +99,18 @@ int main(int argc, char **argv) - - close(fd); - -+ rc = get_immutable(path); -+ if (rc < 0) { -+ perror("ioctl(FS_IOC_GETFLAGS)"); -+ return EXIT_FAILURE; -+ } else if (rc) { -+ rc = set_immutable(path, 0); -+ if (rc < 0) { -+ perror("ioctl(FS_IOC_SETFLAGS)"); -+ return EXIT_FAILURE; -+ } -+ } -+ - fd = open(path, O_RDONLY); - if (fd < 0) { - perror("open"); diff --git a/patch/kernel/odroidxu4-default/2-patch-3.10.101-102.patch b/patch/kernel/odroidxu4-default/2-patch-3.10.101-102.patch deleted file mode 100644 index af1472cd2..000000000 --- a/patch/kernel/odroidxu4-default/2-patch-3.10.101-102.patch +++ /dev/null @@ -1,4381 +0,0 @@ -diff --git a/MAINTAINERS b/MAINTAINERS -index 48c748080c96..29d7d74a8d04 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -3032,8 +3032,8 @@ F: Documentation/x86/efi-stub.txt - F: arch/ia64/kernel/efi.c - F: arch/x86/boot/compressed/eboot.[ch] - F: arch/x86/include/asm/efi.h --F: arch/x86/platform/efi/* --F: drivers/firmware/efi/* -+F: arch/x86/platform/efi/ -+F: drivers/firmware/efi/ - F: include/linux/efi*.h - - EFI VARIABLE FILESYSTEM -diff --git a/Makefile b/Makefile -index 4be9e643cef0..868093c16ae0 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 10 --SUBLEVEL = 101 -+SUBLEVEL = 102 - EXTRAVERSION = - NAME = TOSSUG Baby Fish - -diff --git a/arch/arm/mach-omap2/cpuidle34xx.c b/arch/arm/mach-omap2/cpuidle34xx.c -index e18709d3b95d..38e1bdcaf015 100644 ---- a/arch/arm/mach-omap2/cpuidle34xx.c -+++ b/arch/arm/mach-omap2/cpuidle34xx.c -@@ -34,6 +34,7 @@ - #include "pm.h" - #include "control.h" - #include "common.h" -+#include "soc.h" - - /* Mach specific information to be recorded in the C-state driver_data */ - struct omap3_idle_statedata { -@@ -322,6 +323,69 @@ static struct cpuidle_driver omap3_idle_driver = { - .safe_state_index = 0, - }; - -+/* -+ * Numbers based on measurements made in October 2009 for PM optimized kernel -+ * with CPU freq enabled on device Nokia N900. Assumes OPP2 (main idle OPP, -+ * and worst case latencies). -+ */ -+static struct cpuidle_driver omap3430_idle_driver = { -+ .name = "omap3430_idle", -+ .owner = THIS_MODULE, -+ .states = { -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 110 + 162, -+ .target_residency = 5, -+ .name = "C1", -+ .desc = "MPU ON + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 106 + 180, -+ .target_residency = 309, -+ .name = "C2", -+ .desc = "MPU ON + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 107 + 410, -+ .target_residency = 46057, -+ .name = "C3", -+ .desc = "MPU RET + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 121 + 3374, -+ .target_residency = 46057, -+ .name = "C4", -+ .desc = "MPU OFF + CORE ON", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 855 + 1146, -+ .target_residency = 46057, -+ .name = "C5", -+ .desc = "MPU RET + CORE RET", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 7580 + 4134, -+ .target_residency = 484329, -+ .name = "C6", -+ .desc = "MPU OFF + CORE RET", -+ }, -+ { -+ .enter = omap3_enter_idle_bm, -+ .exit_latency = 7505 + 15274, -+ .target_residency = 484329, -+ .name = "C7", -+ .desc = "MPU OFF + CORE OFF", -+ }, -+ }, -+ .state_count = ARRAY_SIZE(omap3_idle_data), -+ .safe_state_index = 0, -+}; -+ - /* Public functions */ - - /** -@@ -340,5 +404,8 @@ int __init omap3_idle_init(void) - if (!mpu_pd || !core_pd || !per_pd || !cam_pd) - return -ENODEV; - -- return cpuidle_register(&omap3_idle_driver, NULL); -+ if (cpu_is_omap3430()) -+ return cpuidle_register(&omap3430_idle_driver, NULL); -+ else -+ return cpuidle_register(&omap3_idle_driver, NULL); - } -diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S -index d1dedc8195ed..eafd120b53f1 100644 ---- a/arch/arm/mach-omap2/sleep34xx.S -+++ b/arch/arm/mach-omap2/sleep34xx.S -@@ -203,23 +203,8 @@ save_context_wfi: - */ - ldr r1, kernel_flush - blx r1 -- /* -- * The kernel doesn't interwork: v7_flush_dcache_all in particluar will -- * always return in Thumb state when CONFIG_THUMB2_KERNEL is enabled. -- * This sequence switches back to ARM. Note that .align may insert a -- * nop: bx pc needs to be word-aligned in order to work. -- */ -- THUMB( .thumb ) -- THUMB( .align ) -- THUMB( bx pc ) -- THUMB( nop ) -- .arm -- - b omap3_do_wfi -- --/* -- * Local variables -- */ -+ENDPROC(omap34xx_cpu_suspend) - omap3_do_wfi_sram_addr: - .word omap3_do_wfi_sram - kernel_flush: -@@ -364,10 +349,7 @@ exit_nonoff_modes: - * =================================== - */ - ldmfd sp!, {r4 - r11, pc} @ restore regs and return -- --/* -- * Local variables -- */ -+ENDPROC(omap3_do_wfi) - sdrc_power: - .word SDRC_POWER_V - cm_idlest1_core: -diff --git a/arch/arm/mach-socfpga/headsmp.S b/arch/arm/mach-socfpga/headsmp.S -index 9004bfb1756e..a6f5519072cc 100644 ---- a/arch/arm/mach-socfpga/headsmp.S -+++ b/arch/arm/mach-socfpga/headsmp.S -@@ -12,6 +12,7 @@ - - __CPUINIT - .arch armv7-a -+ .arm - - ENTRY(secondary_trampoline) - movw r2, #:lower16:cpu1start_addr -diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c -index 568b2c61ea02..3cad8aadc69e 100644 ---- a/arch/parisc/kernel/parisc_ksyms.c -+++ b/arch/parisc/kernel/parisc_ksyms.c -@@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64); - EXPORT_SYMBOL(lclear_user); - EXPORT_SYMBOL(lstrnlen_user); - --/* Global fixups */ --extern void fixup_get_user_skip_1(void); --extern void fixup_get_user_skip_2(void); --extern void fixup_put_user_skip_1(void); --extern void fixup_put_user_skip_2(void); -+/* Global fixups - defined as int to avoid creation of function pointers */ -+extern int fixup_get_user_skip_1; -+extern int fixup_get_user_skip_2; -+extern int fixup_put_user_skip_1; -+extern int fixup_put_user_skip_2; - EXPORT_SYMBOL(fixup_get_user_skip_1); - EXPORT_SYMBOL(fixup_get_user_skip_2); - EXPORT_SYMBOL(fixup_put_user_skip_1); -diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index b3f87a3b4bce..0c329b2c5df4 100644 ---- a/arch/parisc/kernel/traps.c -+++ b/arch/parisc/kernel/traps.c -@@ -811,6 +811,9 @@ void notrace handle_interruption(int code, struct pt_regs *regs) - - if (fault_space == 0 && !in_atomic()) - { -+ /* Clean up and return if in exception table. */ -+ if (fixup_exception(regs)) -+ return; - pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC); - parisc_terminate("Kernel Fault", regs, code, fault_address); - } -diff --git a/arch/powerpc/include/uapi/asm/cputable.h b/arch/powerpc/include/uapi/asm/cputable.h -index de2c0e4ee1aa..67de80a8e178 100644 ---- a/arch/powerpc/include/uapi/asm/cputable.h -+++ b/arch/powerpc/include/uapi/asm/cputable.h -@@ -31,6 +31,7 @@ - #define PPC_FEATURE_PSERIES_PERFMON_COMPAT \ - 0x00000040 - -+/* Reserved - do not use 0x00000004 */ - #define PPC_FEATURE_TRUE_LE 0x00000002 - #define PPC_FEATURE_PPC_LE 0x00000001 - -diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c -index 8b6f7a99cce2..e8c45b7438e7 100644 ---- a/arch/powerpc/kernel/prom.c -+++ b/arch/powerpc/kernel/prom.c -@@ -159,7 +159,7 @@ static struct ibm_pa_feature { - {CPU_FTR_NOEXECUTE, 0, 0, 0, 6, 0}, - {CPU_FTR_NODSISRALIGN, 0, 0, 1, 1, 1}, - {0, MMU_FTR_CI_LARGE_PAGE, 0, 1, 2, 0}, -- {CPU_FTR_REAL_LE, PPC_FEATURE_TRUE_LE, 5, 0, 0}, -+ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 5, 0, 0}, - }; - - static void __init scan_features(unsigned long node, unsigned char *ftrs, -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 98b68c2f1a1c..b76c1bf6125d 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -59,7 +59,7 @@ - (~(unsigned long)(X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE\ - | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE \ - | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_PCIDE \ -- | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_RDWRGSFS \ -+ | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \ - | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE)) - - #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR) -diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h -index 125f344f06a9..8ac93f05a8ea 100644 ---- a/arch/x86/include/asm/xen/hypervisor.h -+++ b/arch/x86/include/asm/xen/hypervisor.h -@@ -71,4 +71,6 @@ static inline bool xen_x2apic_para_available(void) - } - #endif - -+extern void xen_set_iopl_mask(unsigned mask); -+ - #endif /* _ASM_X86_XEN_HYPERVISOR_H */ -diff --git a/arch/x86/include/uapi/asm/processor-flags.h b/arch/x86/include/uapi/asm/processor-flags.h -index b16e6d28f149..180a0c3c224d 100644 ---- a/arch/x86/include/uapi/asm/processor-flags.h -+++ b/arch/x86/include/uapi/asm/processor-flags.h -@@ -2,75 +2,129 @@ - #define _UAPI_ASM_X86_PROCESSOR_FLAGS_H - /* Various flags defined: can be included from assembler. */ - -+#include -+ - /* - * EFLAGS bits - */ --#define X86_EFLAGS_CF 0x00000001 /* Carry Flag */ --#define X86_EFLAGS_FIXED 0x00000002 /* Bit 1 - always on */ --#define X86_EFLAGS_PF 0x00000004 /* Parity Flag */ --#define X86_EFLAGS_AF 0x00000010 /* Auxiliary carry Flag */ --#define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */ --#define X86_EFLAGS_SF 0x00000080 /* Sign Flag */ --#define X86_EFLAGS_TF 0x00000100 /* Trap Flag */ --#define X86_EFLAGS_IF 0x00000200 /* Interrupt Flag */ --#define X86_EFLAGS_DF 0x00000400 /* Direction Flag */ --#define X86_EFLAGS_OF 0x00000800 /* Overflow Flag */ --#define X86_EFLAGS_IOPL 0x00003000 /* IOPL mask */ --#define X86_EFLAGS_NT 0x00004000 /* Nested Task */ --#define X86_EFLAGS_RF 0x00010000 /* Resume Flag */ --#define X86_EFLAGS_VM 0x00020000 /* Virtual Mode */ --#define X86_EFLAGS_AC 0x00040000 /* Alignment Check */ --#define X86_EFLAGS_VIF 0x00080000 /* Virtual Interrupt Flag */ --#define X86_EFLAGS_VIP 0x00100000 /* Virtual Interrupt Pending */ --#define X86_EFLAGS_ID 0x00200000 /* CPUID detection flag */ -+#define X86_EFLAGS_CF_BIT 0 /* Carry Flag */ -+#define X86_EFLAGS_CF _BITUL(X86_EFLAGS_CF_BIT) -+#define X86_EFLAGS_FIXED_BIT 1 /* Bit 1 - always on */ -+#define X86_EFLAGS_FIXED _BITUL(X86_EFLAGS_FIXED_BIT) -+#define X86_EFLAGS_PF_BIT 2 /* Parity Flag */ -+#define X86_EFLAGS_PF _BITUL(X86_EFLAGS_PF_BIT) -+#define X86_EFLAGS_AF_BIT 4 /* Auxiliary carry Flag */ -+#define X86_EFLAGS_AF _BITUL(X86_EFLAGS_AF_BIT) -+#define X86_EFLAGS_ZF_BIT 6 /* Zero Flag */ -+#define X86_EFLAGS_ZF _BITUL(X86_EFLAGS_ZF_BIT) -+#define X86_EFLAGS_SF_BIT 7 /* Sign Flag */ -+#define X86_EFLAGS_SF _BITUL(X86_EFLAGS_SF_BIT) -+#define X86_EFLAGS_TF_BIT 8 /* Trap Flag */ -+#define X86_EFLAGS_TF _BITUL(X86_EFLAGS_TF_BIT) -+#define X86_EFLAGS_IF_BIT 9 /* Interrupt Flag */ -+#define X86_EFLAGS_IF _BITUL(X86_EFLAGS_IF_BIT) -+#define X86_EFLAGS_DF_BIT 10 /* Direction Flag */ -+#define X86_EFLAGS_DF _BITUL(X86_EFLAGS_DF_BIT) -+#define X86_EFLAGS_OF_BIT 11 /* Overflow Flag */ -+#define X86_EFLAGS_OF _BITUL(X86_EFLAGS_OF_BIT) -+#define X86_EFLAGS_IOPL_BIT 12 /* I/O Privilege Level (2 bits) */ -+#define X86_EFLAGS_IOPL (_AC(3,UL) << X86_EFLAGS_IOPL_BIT) -+#define X86_EFLAGS_NT_BIT 14 /* Nested Task */ -+#define X86_EFLAGS_NT _BITUL(X86_EFLAGS_NT_BIT) -+#define X86_EFLAGS_RF_BIT 16 /* Resume Flag */ -+#define X86_EFLAGS_RF _BITUL(X86_EFLAGS_RF_BIT) -+#define X86_EFLAGS_VM_BIT 17 /* Virtual Mode */ -+#define X86_EFLAGS_VM _BITUL(X86_EFLAGS_VM_BIT) -+#define X86_EFLAGS_AC_BIT 18 /* Alignment Check/Access Control */ -+#define X86_EFLAGS_AC _BITUL(X86_EFLAGS_AC_BIT) -+#define X86_EFLAGS_AC_BIT 18 /* Alignment Check/Access Control */ -+#define X86_EFLAGS_AC _BITUL(X86_EFLAGS_AC_BIT) -+#define X86_EFLAGS_VIF_BIT 19 /* Virtual Interrupt Flag */ -+#define X86_EFLAGS_VIF _BITUL(X86_EFLAGS_VIF_BIT) -+#define X86_EFLAGS_VIP_BIT 20 /* Virtual Interrupt Pending */ -+#define X86_EFLAGS_VIP _BITUL(X86_EFLAGS_VIP_BIT) -+#define X86_EFLAGS_ID_BIT 21 /* CPUID detection */ -+#define X86_EFLAGS_ID _BITUL(X86_EFLAGS_ID_BIT) - - /* - * Basic CPU control in CR0 - */ --#define X86_CR0_PE 0x00000001 /* Protection Enable */ --#define X86_CR0_MP 0x00000002 /* Monitor Coprocessor */ --#define X86_CR0_EM 0x00000004 /* Emulation */ --#define X86_CR0_TS 0x00000008 /* Task Switched */ --#define X86_CR0_ET 0x00000010 /* Extension Type */ --#define X86_CR0_NE 0x00000020 /* Numeric Error */ --#define X86_CR0_WP 0x00010000 /* Write Protect */ --#define X86_CR0_AM 0x00040000 /* Alignment Mask */ --#define X86_CR0_NW 0x20000000 /* Not Write-through */ --#define X86_CR0_CD 0x40000000 /* Cache Disable */ --#define X86_CR0_PG 0x80000000 /* Paging */ -+#define X86_CR0_PE_BIT 0 /* Protection Enable */ -+#define X86_CR0_PE _BITUL(X86_CR0_PE_BIT) -+#define X86_CR0_MP_BIT 1 /* Monitor Coprocessor */ -+#define X86_CR0_MP _BITUL(X86_CR0_MP_BIT) -+#define X86_CR0_EM_BIT 2 /* Emulation */ -+#define X86_CR0_EM _BITUL(X86_CR0_EM_BIT) -+#define X86_CR0_TS_BIT 3 /* Task Switched */ -+#define X86_CR0_TS _BITUL(X86_CR0_TS_BIT) -+#define X86_CR0_ET_BIT 4 /* Extension Type */ -+#define X86_CR0_ET _BITUL(X86_CR0_ET_BIT) -+#define X86_CR0_NE_BIT 5 /* Numeric Error */ -+#define X86_CR0_NE _BITUL(X86_CR0_NE_BIT) -+#define X86_CR0_WP_BIT 16 /* Write Protect */ -+#define X86_CR0_WP _BITUL(X86_CR0_WP_BIT) -+#define X86_CR0_AM_BIT 18 /* Alignment Mask */ -+#define X86_CR0_AM _BITUL(X86_CR0_AM_BIT) -+#define X86_CR0_NW_BIT 29 /* Not Write-through */ -+#define X86_CR0_NW _BITUL(X86_CR0_NW_BIT) -+#define X86_CR0_CD_BIT 30 /* Cache Disable */ -+#define X86_CR0_CD _BITUL(X86_CR0_CD_BIT) -+#define X86_CR0_PG_BIT 31 /* Paging */ -+#define X86_CR0_PG _BITUL(X86_CR0_PG_BIT) - - /* - * Paging options in CR3 - */ --#define X86_CR3_PWT 0x00000008 /* Page Write Through */ --#define X86_CR3_PCD 0x00000010 /* Page Cache Disable */ --#define X86_CR3_PCID_MASK 0x00000fff /* PCID Mask */ -+#define X86_CR3_PWT_BIT 3 /* Page Write Through */ -+#define X86_CR3_PWT _BITUL(X86_CR3_PWT_BIT) -+#define X86_CR3_PCD_BIT 4 /* Page Cache Disable */ -+#define X86_CR3_PCD _BITUL(X86_CR3_PCD_BIT) -+#define X86_CR3_PCID_MASK _AC(0x00000fff,UL) /* PCID Mask */ - - /* - * Intel CPU features in CR4 - */ --#define X86_CR4_VME 0x00000001 /* enable vm86 extensions */ --#define X86_CR4_PVI 0x00000002 /* virtual interrupts flag enable */ --#define X86_CR4_TSD 0x00000004 /* disable time stamp at ipl 3 */ --#define X86_CR4_DE 0x00000008 /* enable debugging extensions */ --#define X86_CR4_PSE 0x00000010 /* enable page size extensions */ --#define X86_CR4_PAE 0x00000020 /* enable physical address extensions */ --#define X86_CR4_MCE 0x00000040 /* Machine check enable */ --#define X86_CR4_PGE 0x00000080 /* enable global pages */ --#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */ --#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */ --#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */ --#define X86_CR4_VMXE 0x00002000 /* enable VMX virtualization */ --#define X86_CR4_RDWRGSFS 0x00010000 /* enable RDWRGSFS support */ --#define X86_CR4_PCIDE 0x00020000 /* enable PCID support */ --#define X86_CR4_OSXSAVE 0x00040000 /* enable xsave and xrestore */ --#define X86_CR4_SMEP 0x00100000 /* enable SMEP support */ --#define X86_CR4_SMAP 0x00200000 /* enable SMAP support */ -+#define X86_CR4_VME_BIT 0 /* enable vm86 extensions */ -+#define X86_CR4_VME _BITUL(X86_CR4_VME_BIT) -+#define X86_CR4_PVI_BIT 1 /* virtual interrupts flag enable */ -+#define X86_CR4_PVI _BITUL(X86_CR4_PVI_BIT) -+#define X86_CR4_TSD_BIT 2 /* disable time stamp at ipl 3 */ -+#define X86_CR4_TSD _BITUL(X86_CR4_TSD_BIT) -+#define X86_CR4_DE_BIT 3 /* enable debugging extensions */ -+#define X86_CR4_DE _BITUL(X86_CR4_DE_BIT) -+#define X86_CR4_PSE_BIT 4 /* enable page size extensions */ -+#define X86_CR4_PSE _BITUL(X86_CR4_PSE_BIT) -+#define X86_CR4_PAE_BIT 5 /* enable physical address extensions */ -+#define X86_CR4_PAE _BITUL(X86_CR4_PAE_BIT) -+#define X86_CR4_MCE_BIT 6 /* Machine check enable */ -+#define X86_CR4_MCE _BITUL(X86_CR4_MCE_BIT) -+#define X86_CR4_PGE_BIT 7 /* enable global pages */ -+#define X86_CR4_PGE _BITUL(X86_CR4_PGE_BIT) -+#define X86_CR4_PCE_BIT 8 /* enable performance counters at ipl 3 */ -+#define X86_CR4_PCE _BITUL(X86_CR4_PCE_BIT) -+#define X86_CR4_OSFXSR_BIT 9 /* enable fast FPU save and restore */ -+#define X86_CR4_OSFXSR _BITUL(X86_CR4_OSFXSR_BIT) -+#define X86_CR4_OSXMMEXCPT_BIT 10 /* enable unmasked SSE exceptions */ -+#define X86_CR4_OSXMMEXCPT _BITUL(X86_CR4_OSXMMEXCPT_BIT) -+#define X86_CR4_VMXE_BIT 13 /* enable VMX virtualization */ -+#define X86_CR4_VMXE _BITUL(X86_CR4_VMXE_BIT) -+#define X86_CR4_SMXE_BIT 14 /* enable safer mode (TXT) */ -+#define X86_CR4_SMXE _BITUL(X86_CR4_SMXE_BIT) -+#define X86_CR4_FSGSBASE_BIT 16 /* enable RDWRFSGS support */ -+#define X86_CR4_FSGSBASE _BITUL(X86_CR4_FSGSBASE_BIT) -+#define X86_CR4_PCIDE_BIT 17 /* enable PCID support */ -+#define X86_CR4_PCIDE _BITUL(X86_CR4_PCIDE_BIT) -+#define X86_CR4_OSXSAVE_BIT 18 /* enable xsave and xrestore */ -+#define X86_CR4_OSXSAVE _BITUL(X86_CR4_OSXSAVE_BIT) -+#define X86_CR4_SMEP_BIT 20 /* enable SMEP support */ -+#define X86_CR4_SMEP _BITUL(X86_CR4_SMEP_BIT) -+#define X86_CR4_SMAP_BIT 21 /* enable SMAP support */ -+#define X86_CR4_SMAP _BITUL(X86_CR4_SMAP_BIT) - - /* - * x86-64 Task Priority Register, CR8 - */ --#define X86_CR8_TPR 0x0000000F /* task priority register */ -+#define X86_CR8_TPR _AC(0x0000000f,UL) /* task priority register */ - - /* - * AMD and Transmeta use MSRs for configuration; see -diff --git a/arch/x86/kernel/cpu/perf_event.h b/arch/x86/kernel/cpu/perf_event.h -index ba9aadfa683b..5fd0bbe1aeb0 100644 ---- a/arch/x86/kernel/cpu/perf_event.h -+++ b/arch/x86/kernel/cpu/perf_event.h -@@ -665,6 +665,8 @@ void intel_pmu_lbr_init_atom(void); - - void intel_pmu_lbr_init_snb(void); - -+void intel_pmu_pebs_data_source_nhm(void); -+ - int intel_pmu_setup_lbr_filter(struct perf_event *event); - - int p4_pmu_init(void); -diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c -index 6d6bb6f4fd43..ac057583282a 100644 ---- a/arch/x86/kernel/cpu/perf_event_intel.c -+++ b/arch/x86/kernel/cpu/perf_event_intel.c -@@ -2088,6 +2088,7 @@ __init int intel_pmu_init(void) - intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = - X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1); - -+ intel_pmu_pebs_data_source_nhm(); - x86_add_quirk(intel_nehalem_quirk); - - pr_cont("Nehalem events, "); -@@ -2133,6 +2134,7 @@ __init int intel_pmu_init(void) - intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = - X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1); - -+ intel_pmu_pebs_data_source_nhm(); - pr_cont("Westmere events, "); - break; - -diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c -index 60250f687052..17b090a298b4 100644 ---- a/arch/x86/kernel/cpu/perf_event_intel_ds.c -+++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c -@@ -50,7 +50,8 @@ union intel_x86_pebs_dse { - #define OP_LH (P(OP, LOAD) | P(LVL, HIT)) - #define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS)) - --static const u64 pebs_data_source[] = { -+/* Version for Sandy Bridge and later */ -+static u64 pebs_data_source[] = { - P(OP, LOAD) | P(LVL, MISS) | P(LVL, L3) | P(SNOOP, NA),/* 0x00:ukn L3 */ - OP_LH | P(LVL, L1) | P(SNOOP, NONE), /* 0x01: L1 local */ - OP_LH | P(LVL, LFB) | P(SNOOP, NONE), /* 0x02: LFB hit */ -@@ -69,6 +70,14 @@ static const u64 pebs_data_source[] = { - OP_LH | P(LVL, UNC) | P(SNOOP, NONE), /* 0x0f: uncached */ - }; - -+/* Patch up minor differences in the bits */ -+void __init intel_pmu_pebs_data_source_nhm(void) -+{ -+ pebs_data_source[0x05] = OP_LH | P(LVL, L3) | P(SNOOP, HIT); -+ pebs_data_source[0x06] = OP_LH | P(LVL, L3) | P(SNOOP, HITM); -+ pebs_data_source[0x07] = OP_LH | P(LVL, L3) | P(SNOOP, HITM); -+} -+ - static u64 precise_store_data(u64 status) - { - union intel_x86_pebs_dse dse; -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 4ddaf66ea35f..792621a32457 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -96,9 +96,14 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - SYSCALL_DEFINE1(iopl, unsigned int, level) - { - struct pt_regs *regs = current_pt_regs(); -- unsigned int old = (regs->flags >> 12) & 3; - struct thread_struct *t = ¤t->thread; - -+ /* -+ * Careful: the IOPL bits in regs->flags are undefined under Xen PV -+ * and changing them has no effect. -+ */ -+ unsigned int old = t->iopl >> X86_EFLAGS_IOPL_BIT; -+ - if (level > 3) - return -EINVAL; - /* Trying to gain more privileges? */ -@@ -106,8 +111,9 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - } -- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); -- t->iopl = level << 12; -+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | -+ (level << X86_EFLAGS_IOPL_BIT); -+ t->iopl = level << X86_EFLAGS_IOPL_BIT; - set_iopl_mask(t->iopl); - - return 0; -diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c -index 7099ab1e075b..580001c2b69a 100644 ---- a/arch/x86/kernel/process_64.c -+++ b/arch/x86/kernel/process_64.c -@@ -49,6 +49,7 @@ - #include - #include - #include -+#include - - asmlinkage extern void ret_from_fork(void); - -@@ -412,6 +413,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) - task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV)) - __switch_to_xtra(prev_p, next_p, tss); - -+#ifdef CONFIG_XEN -+ /* -+ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and -+ * current_pt_regs()->flags may not match the current task's -+ * intended IOPL. We need to switch it manually. -+ */ -+ if (unlikely(xen_pv_domain() && -+ prev->iopl != next->iopl)) -+ xen_set_iopl_mask(next->iopl); -+#endif -+ - return prev_p; - } - -diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c -index 1406ffde3e35..b0a706d063cb 100644 ---- a/arch/x86/kvm/i8254.c -+++ b/arch/x86/kvm/i8254.c -@@ -244,7 +244,7 @@ static void kvm_pit_ack_irq(struct kvm_irq_ack_notifier *kian) - * PIC is being reset. Handle it gracefully here - */ - atomic_inc(&ps->pending); -- else if (value > 0) -+ else if (value > 0 && ps->reinject) - /* in this case, we had multiple outstanding pit interrupts - * that we needed to inject. Reinject - */ -@@ -287,7 +287,9 @@ static void pit_do_work(struct kthread_work *work) - * last one has been acked. - */ - spin_lock(&ps->inject_lock); -- if (ps->irq_ack) { -+ if (!ps->reinject) -+ inject = 1; -+ else if (ps->irq_ack) { - ps->irq_ack = 0; - inject = 1; - } -@@ -316,10 +318,10 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer *data) - struct kvm_kpit_state *ps = container_of(data, struct kvm_kpit_state, timer); - struct kvm_pit *pt = ps->kvm->arch.vpit; - -- if (ps->reinject || !atomic_read(&ps->pending)) { -+ if (ps->reinject) - atomic_inc(&ps->pending); -- queue_kthread_work(&pt->worker, &pt->expired); -- } -+ -+ queue_kthread_work(&pt->worker, &pt->expired); - - if (ps->is_periodic) { - hrtimer_add_expires_ns(&ps->timer, ps->period); -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 7f2b6dec4b2b..3c0b085b4336 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -626,7 +626,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) - if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP)) - return 1; - -- if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_RDWRGSFS)) -+ if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE)) - return 1; - - if (is_long_mode(vcpu)) { -diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 91cbe75a91d5..34511cf6baad 100644 ---- a/arch/x86/xen/enlighten.c -+++ b/arch/x86/xen/enlighten.c -@@ -952,7 +952,7 @@ static void xen_load_sp0(struct tss_struct *tss, - xen_mc_issue(PARAVIRT_LAZY_CPU); - } - --static void xen_set_iopl_mask(unsigned mask) -+void xen_set_iopl_mask(unsigned mask) - { - struct physdev_set_iopl set_iopl; - -diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S -index 7d740ebbe198..bb12d778f64f 100644 ---- a/arch/xtensa/kernel/head.S -+++ b/arch/xtensa/kernel/head.S -@@ -118,7 +118,7 @@ ENTRY(_startup) - wsr a0, icountlevel - - .set _index, 0 -- .rept XCHAL_NUM_DBREAK - 1 -+ .rept XCHAL_NUM_DBREAK - wsr a0, SREG_DBREAKC + _index - .set _index, _index + 1 - .endr -diff --git a/arch/xtensa/platforms/iss/console.c b/arch/xtensa/platforms/iss/console.c -index 70cb408bc20d..92d785fefb6d 100644 ---- a/arch/xtensa/platforms/iss/console.c -+++ b/arch/xtensa/platforms/iss/console.c -@@ -100,21 +100,23 @@ static void rs_poll(unsigned long priv) - { - struct tty_port *port = (struct tty_port *)priv; - int i = 0; -+ int rd = 1; - unsigned char c; - - spin_lock(&timer_lock); - - while (simc_poll(0)) { -- simc_read(0, &c, 1); -+ rd = simc_read(0, &c, 1); -+ if (rd <= 0) -+ break; - tty_insert_flip_char(port, c, TTY_NORMAL); - i++; - } - - if (i) - tty_flip_buffer_push(port); -- -- -- mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); -+ if (rd) -+ mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); - spin_unlock(&timer_lock); - } - -diff --git a/crypto/ahash.c b/crypto/ahash.c -index 857ae2b2a2a2..bcd5efc7eb4c 100644 ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -64,8 +64,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk) - struct scatterlist *sg; - - sg = walk->sg; -- walk->pg = sg_page(sg); - walk->offset = sg->offset; -+ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT); -+ walk->offset = offset_in_page(walk->offset); - walk->entrylen = sg->length; - - if (walk->entrylen > walk->total) -diff --git a/crypto/gcm.c b/crypto/gcm.c -index b4c252066f7b..cd97cdd8cabe 100644 ---- a/crypto/gcm.c -+++ b/crypto/gcm.c -@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req, - aead_request_set_tfm(subreq, ctx->child); - aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done, - req); -+ if (!enc) -+ aead_request_set_callback(subreq, req->base.flags, -+ req->base.complete, req->base.data); - aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv); - aead_request_set_assoc(subreq, assoc, assoclen); - -diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c -index a9ffd44c18fe..2184259c386b 100644 ---- a/drivers/acpi/acpica/dsmethod.c -+++ b/drivers/acpi/acpica/dsmethod.c -@@ -267,6 +267,9 @@ acpi_ds_begin_method_execution(struct acpi_namespace_node *method_node, - obj_desc->method.mutex->mutex. - original_sync_level = - obj_desc->method.mutex->mutex.sync_level; -+ -+ obj_desc->method.mutex->mutex.thread_id = -+ acpi_os_get_thread_id(); - } - } - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index a5c987ae665d..d593fa5247f5 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -581,8 +581,8 @@ static void do_nbd_request(struct request_queue *q) - BUG_ON(nbd->magic != NBD_MAGIC); - - if (unlikely(!nbd->sock)) { -- dev_err(disk_to_dev(nbd->disk), -- "Attempted send on closed socket\n"); -+ dev_err_ratelimited(disk_to_dev(nbd->disk), -+ "Attempted send on closed socket\n"); - req->errors++; - nbd_end_request(req); - spin_lock_irq(q->queue_lock); -diff --git a/drivers/block/paride/pd.c b/drivers/block/paride/pd.c -index 19ad8f0c83ef..897b6b9e53b1 100644 ---- a/drivers/block/paride/pd.c -+++ b/drivers/block/paride/pd.c -@@ -126,7 +126,7 @@ - */ - #include - --static bool verbose = 0; -+static int verbose = 0; - static int major = PD_MAJOR; - static char *name = PD_NAME; - static int cluster = 64; -@@ -161,7 +161,7 @@ enum {D_PRT, D_PRO, D_UNI, D_MOD, D_GEO, D_SBY, D_DLY, D_SLV}; - static DEFINE_MUTEX(pd_mutex); - static DEFINE_SPINLOCK(pd_lock); - --module_param(verbose, bool, 0); -+module_param(verbose, int, 0); - module_param(major, int, 0); - module_param(name, charp, 0); - module_param(cluster, int, 0); -diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c -index 2596042eb987..ada45058e04d 100644 ---- a/drivers/block/paride/pt.c -+++ b/drivers/block/paride/pt.c -@@ -117,7 +117,7 @@ - - */ - --static bool verbose = 0; -+static int verbose = 0; - static int major = PT_MAJOR; - static char *name = PT_NAME; - static int disable = 0; -@@ -152,7 +152,7 @@ static int (*drives[4])[6] = {&drive0, &drive1, &drive2, &drive3}; - - #include - --module_param(verbose, bool, 0); -+module_param(verbose, int, 0); - module_param(major, int, 0); - module_param(name, charp, 0); - module_param_array(drive0, int, NULL, 0); -diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c -index d8b7aed6e4a9..f3ce1c4f83e0 100644 ---- a/drivers/bluetooth/hci_vhci.c -+++ b/drivers/bluetooth/hci_vhci.c -@@ -265,6 +265,7 @@ static int vhci_release(struct inode *inode, struct file *file) - hci_unregister_dev(hdev); - hci_free_dev(hdev); - -+ skb_queue_purge(&data->readq); - file->private_data = NULL; - kfree(data); - -diff --git a/drivers/clk/versatile/clk-sp810.c b/drivers/clk/versatile/clk-sp810.c -index b9e05bde0c06..a21e2fa66a2a 100644 ---- a/drivers/clk/versatile/clk-sp810.c -+++ b/drivers/clk/versatile/clk-sp810.c -@@ -141,6 +141,7 @@ void __init clk_sp810_of_setup(struct device_node *node) - const char *parent_names[2]; - char name[12]; - struct clk_init_data init; -+ static int instance; - int i; - - if (!sp810) { -@@ -172,7 +173,7 @@ void __init clk_sp810_of_setup(struct device_node *node) - init.num_parents = ARRAY_SIZE(parent_names); - - for (i = 0; i < ARRAY_SIZE(sp810->timerclken); i++) { -- snprintf(name, ARRAY_SIZE(name), "timerclken%d", i); -+ snprintf(name, sizeof(name), "sp810_%d_%d", instance, i); - - sp810->timerclken[i].sp810 = sp810; - sp810->timerclken[i].channel = i; -@@ -184,5 +185,6 @@ void __init clk_sp810_of_setup(struct device_node *node) - } - - of_clk_add_provider(node, clk_sp810_timerclken_of_get, sp810); -+ instance++; - } - CLK_OF_DECLARE(sp810, "arm,sp810", clk_sp810_of_setup); -diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c -index 8b3d90143514..19353112cf10 100644 ---- a/drivers/edac/amd64_edac.c -+++ b/drivers/edac/amd64_edac.c -@@ -1266,7 +1266,7 @@ static u64 f1x_get_norm_dct_addr(struct amd64_pvt *pvt, u8 range, - u64 chan_off; - u64 dram_base = get_dram_base(pvt, range); - u64 hole_off = f10_dhar_offset(pvt); -- u64 dct_sel_base_off = (pvt->dct_sel_hi & 0xFFFFFC00) << 16; -+ u64 dct_sel_base_off = (u64)(pvt->dct_sel_hi & 0xFFFFFC00) << 16; - - if (hi_rng) { - /* -diff --git a/drivers/edac/i7core_edac.c b/drivers/edac/i7core_edac.c -index 271818a5a33a..c4131a7a2b46 100644 ---- a/drivers/edac/i7core_edac.c -+++ b/drivers/edac/i7core_edac.c -@@ -1878,7 +1878,7 @@ static int i7core_mce_check_error(struct notifier_block *nb, unsigned long val, - - i7_dev = get_i7core_dev(mce->socketid); - if (!i7_dev) -- return NOTIFY_BAD; -+ return NOTIFY_DONE; - - mci = i7_dev->mci; - pvt = mci->pvt_info; -diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c -index 3bdefbfb4377..0d40f7f0c379 100644 ---- a/drivers/edac/sb_edac.c -+++ b/drivers/edac/sb_edac.c -@@ -1538,7 +1538,7 @@ static int sbridge_mce_check_error(struct notifier_block *nb, unsigned long val, - - mci = get_mci_for_node_id(mce->socketid); - if (!mci) -- return NOTIFY_BAD; -+ return NOTIFY_DONE; - pvt = mci->pvt_info; - - /* -diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c -index 9f82b5545edd..61e7ec5a742c 100644 ---- a/drivers/firmware/efi/vars.c -+++ b/drivers/firmware/efi/vars.c -@@ -202,29 +202,44 @@ static const struct variable_validate variable_validate[] = { - { NULL_GUID, "", NULL }, - }; - -+/* -+ * Check if @var_name matches the pattern given in @match_name. -+ * -+ * @var_name: an array of @len non-NUL characters. -+ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A -+ * final "*" character matches any trailing characters @var_name, -+ * including the case when there are none left in @var_name. -+ * @match: on output, the number of non-wildcard characters in @match_name -+ * that @var_name matches, regardless of the return value. -+ * @return: whether @var_name fully matches @match_name. -+ */ - static bool - variable_matches(const char *var_name, size_t len, const char *match_name, - int *match) - { - for (*match = 0; ; (*match)++) { - char c = match_name[*match]; -- char u = var_name[*match]; - -- /* Wildcard in the matching name means we've matched */ -- if (c == '*') -+ switch (c) { -+ case '*': -+ /* Wildcard in @match_name means we've matched. */ - return true; - -- /* Case sensitive match */ -- if (!c && *match == len) -- return true; -+ case '\0': -+ /* @match_name has ended. Has @var_name too? */ -+ return (*match == len); - -- if (c != u) -+ default: -+ /* -+ * We've reached a non-wildcard char in @match_name. -+ * Continue only if there's an identical character in -+ * @var_name. -+ */ -+ if (*match < len && c == var_name[*match]) -+ continue; - return false; -- -- if (!c) -- return true; -+ } - } -- return true; - } - - bool -diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c -index 1b564d7e4191..5b8d868d8691 100644 ---- a/drivers/gpu/drm/radeon/atombios_encoders.c -+++ b/drivers/gpu/drm/radeon/atombios_encoders.c -@@ -870,8 +870,6 @@ atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mo - else - args.v1.ucLaneNum = 4; - -- if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) -- args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; - switch (radeon_encoder->encoder_id) { - case ENCODER_OBJECT_ID_INTERNAL_UNIPHY: - args.v1.ucConfig = ATOM_ENCODER_CONFIG_V2_TRANSMITTER1; -@@ -888,6 +886,10 @@ atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mo - args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKB; - else - args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKA; -+ -+ if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) -+ args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; -+ - break; - case 2: - case 3: -diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c -index f0bac68254b7..8962411b5f2b 100644 ---- a/drivers/gpu/drm/radeon/radeon_sa.c -+++ b/drivers/gpu/drm/radeon/radeon_sa.c -@@ -349,8 +349,15 @@ int radeon_sa_bo_new(struct radeon_device *rdev, - /* see if we can skip over some allocations */ - } while (radeon_sa_bo_next_hole(sa_manager, fences, tries)); - -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) { -+ if (fences[i]) -+ radeon_fence_ref(fences[i]); -+ } -+ - spin_unlock(&sa_manager->wq.lock); - r = radeon_fence_wait_any(rdev, fences, false); -+ for (i = 0; i < RADEON_NUM_RINGS; ++i) -+ radeon_fence_unref(&fences[i]); - spin_lock(&sa_manager->wq.lock); - /* if we have nothing to wait for block */ - if (r == -ENOENT && block) { -diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c -index 5da58e3899eb..92aef9824d6f 100644 ---- a/drivers/hid/usbhid/hid-core.c -+++ b/drivers/hid/usbhid/hid-core.c -@@ -988,14 +988,6 @@ static int usbhid_output_raw_report(struct hid_device *hid, __u8 *buf, size_t co - return ret; - } - --static void usbhid_restart_queues(struct usbhid_device *usbhid) --{ -- if (usbhid->urbout && !test_bit(HID_OUT_RUNNING, &usbhid->iofl)) -- usbhid_restart_out_queue(usbhid); -- if (!test_bit(HID_CTRL_RUNNING, &usbhid->iofl)) -- usbhid_restart_ctrl_queue(usbhid); --} -- - static void hid_free_buffers(struct usb_device *dev, struct hid_device *hid) - { - struct usbhid_device *usbhid = hid->driver_data; -@@ -1412,6 +1404,37 @@ static void hid_cease_io(struct usbhid_device *usbhid) - usb_kill_urb(usbhid->urbout); - } - -+static void hid_restart_io(struct hid_device *hid) -+{ -+ struct usbhid_device *usbhid = hid->driver_data; -+ int clear_halt = test_bit(HID_CLEAR_HALT, &usbhid->iofl); -+ int reset_pending = test_bit(HID_RESET_PENDING, &usbhid->iofl); -+ -+ spin_lock_irq(&usbhid->lock); -+ clear_bit(HID_SUSPENDED, &usbhid->iofl); -+ usbhid_mark_busy(usbhid); -+ -+ if (clear_halt || reset_pending) -+ schedule_work(&usbhid->reset_work); -+ usbhid->retry_delay = 0; -+ spin_unlock_irq(&usbhid->lock); -+ -+ if (reset_pending || !test_bit(HID_STARTED, &usbhid->iofl)) -+ return; -+ -+ if (!clear_halt) { -+ if (hid_start_in(hid) < 0) -+ hid_io_error(hid); -+ } -+ -+ spin_lock_irq(&usbhid->lock); -+ if (usbhid->urbout && !test_bit(HID_OUT_RUNNING, &usbhid->iofl)) -+ usbhid_restart_out_queue(usbhid); -+ if (!test_bit(HID_CTRL_RUNNING, &usbhid->iofl)) -+ usbhid_restart_ctrl_queue(usbhid); -+ spin_unlock_irq(&usbhid->lock); -+} -+ - /* Treat USB reset pretty much the same as suspend/resume */ - static int hid_pre_reset(struct usb_interface *intf) - { -@@ -1461,14 +1484,14 @@ static int hid_post_reset(struct usb_interface *intf) - return 1; - } - -+ /* No need to do another reset or clear a halted endpoint */ - spin_lock_irq(&usbhid->lock); - clear_bit(HID_RESET_PENDING, &usbhid->iofl); -+ clear_bit(HID_CLEAR_HALT, &usbhid->iofl); - spin_unlock_irq(&usbhid->lock); - hid_set_idle(dev, intf->cur_altsetting->desc.bInterfaceNumber, 0, 0); -- status = hid_start_in(hid); -- if (status < 0) -- hid_io_error(hid); -- usbhid_restart_queues(usbhid); -+ -+ hid_restart_io(hid); - - return 0; - } -@@ -1491,25 +1514,9 @@ void usbhid_put_power(struct hid_device *hid) - #ifdef CONFIG_PM - static int hid_resume_common(struct hid_device *hid, bool driver_suspended) - { -- struct usbhid_device *usbhid = hid->driver_data; -- int status; -- -- spin_lock_irq(&usbhid->lock); -- clear_bit(HID_SUSPENDED, &usbhid->iofl); -- usbhid_mark_busy(usbhid); -- -- if (test_bit(HID_CLEAR_HALT, &usbhid->iofl) || -- test_bit(HID_RESET_PENDING, &usbhid->iofl)) -- schedule_work(&usbhid->reset_work); -- usbhid->retry_delay = 0; -- -- usbhid_restart_queues(usbhid); -- spin_unlock_irq(&usbhid->lock); -- -- status = hid_start_in(hid); -- if (status < 0) -- hid_io_error(hid); -+ int status = 0; - -+ hid_restart_io(hid); - if (driver_suspended && hid->driver && hid->driver->resume) - status = hid->driver->resume(hid); - return status; -@@ -1576,12 +1583,8 @@ static int hid_suspend(struct usb_interface *intf, pm_message_t message) - static int hid_resume(struct usb_interface *intf) - { - struct hid_device *hid = usb_get_intfdata (intf); -- struct usbhid_device *usbhid = hid->driver_data; - int status; - -- if (!test_bit(HID_STARTED, &usbhid->iofl)) -- return 0; -- - status = hid_resume_common(hid, true); - dev_dbg(&intf->dev, "resume status %d\n", status); - return 0; -@@ -1590,10 +1593,8 @@ static int hid_resume(struct usb_interface *intf) - static int hid_reset_resume(struct usb_interface *intf) - { - struct hid_device *hid = usb_get_intfdata(intf); -- struct usbhid_device *usbhid = hid->driver_data; - int status; - -- clear_bit(HID_SUSPENDED, &usbhid->iofl); - status = hid_post_reset(intf); - if (status >= 0 && hid->driver && hid->driver->reset_resume) { - int ret = hid->driver->reset_resume(hid); -diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c -index f445b0840d33..80754e2d8086 100644 ---- a/drivers/hv/vmbus_drv.c -+++ b/drivers/hv/vmbus_drv.c -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -517,6 +518,39 @@ static void vmbus_flow_handler(unsigned int irq, struct irq_desc *desc) - desc->action->handler(irq, desc->action->dev_id); - } - -+#ifdef CONFIG_HOTPLUG_CPU -+static int hyperv_cpu_disable(void) -+{ -+ return -ENOSYS; -+} -+ -+static void hv_cpu_hotplug_quirk(bool vmbus_loaded) -+{ -+ static void *previous_cpu_disable; -+ -+ /* -+ * Offlining a CPU when running on newer hypervisors (WS2012R2, Win8, -+ * ...) is not supported at this moment as channel interrupts are -+ * distributed across all of them. -+ */ -+ -+ if ((vmbus_proto_version == VERSION_WS2008) || -+ (vmbus_proto_version == VERSION_WIN7)) -+ return; -+ -+ if (vmbus_loaded) { -+ previous_cpu_disable = smp_ops.cpu_disable; -+ smp_ops.cpu_disable = hyperv_cpu_disable; -+ pr_notice("CPU offlining is not supported by hypervisor\n"); -+ } else if (previous_cpu_disable) -+ smp_ops.cpu_disable = previous_cpu_disable; -+} -+#else -+static void hv_cpu_hotplug_quirk(bool vmbus_loaded) -+{ -+} -+#endif -+ - /* - * vmbus_bus_init -Main vmbus driver initialization routine. - * -@@ -572,6 +606,7 @@ static int vmbus_bus_init(int irq) - if (ret) - goto err_irq; - -+ hv_cpu_hotplug_quirk(true); - vmbus_request_offers(); - - return 0; -@@ -808,6 +843,7 @@ static void __exit vmbus_exit(void) - bus_unregister(&hv_bus); - hv_cleanup(); - acpi_bus_unregister_driver(&vmbus_acpi_driver); -+ hv_cpu_hotplug_quirk(false); - } - - -diff --git a/drivers/hwmon/max1111.c b/drivers/hwmon/max1111.c -index eda077de8a9f..f787f04a0d1a 100644 ---- a/drivers/hwmon/max1111.c -+++ b/drivers/hwmon/max1111.c -@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111; - - int max1111_read_channel(int channel) - { -+ if (!the_max1111 || !the_max1111->spi) -+ return -ENODEV; -+ - return max1111_read(&the_max1111->spi->dev, channel); - } - EXPORT_SYMBOL(max1111_read_channel); -@@ -260,6 +263,9 @@ static int max1111_remove(struct spi_device *spi) - { - struct max1111_data *data = spi_get_drvdata(spi); - -+#ifdef CONFIG_SHARPSL_PM -+ the_max1111 = NULL; -+#endif - hwmon_device_unregister(data->hwmon_dev); - sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group); - sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); -diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c -index 3823623baa48..693e4ceb85ce 100644 ---- a/drivers/i2c/busses/i2c-cpm.c -+++ b/drivers/i2c/busses/i2c-cpm.c -@@ -120,8 +120,8 @@ struct cpm_i2c { - cbd_t __iomem *rbase; - u_char *txbuf[CPM_MAXBD]; - u_char *rxbuf[CPM_MAXBD]; -- u32 txdma[CPM_MAXBD]; -- u32 rxdma[CPM_MAXBD]; -+ dma_addr_t txdma[CPM_MAXBD]; -+ dma_addr_t rxdma[CPM_MAXBD]; - }; - - static irqreturn_t cpm_i2c_interrupt(int irq, void *dev_id) -diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c -index f63341f20b91..e8c6a4842e91 100644 ---- a/drivers/input/misc/ati_remote2.c -+++ b/drivers/input/misc/ati_remote2.c -@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - ar2->udev = udev; - -+ /* Sanity check, first interface must have an endpoint */ -+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { -+ dev_err(&interface->dev, -+ "%s(): interface 0 must have an endpoint\n", __func__); -+ r = -ENODEV; -+ goto fail1; -+ } - ar2->intf[0] = interface; - ar2->ep[0] = &alt->endpoint[0].desc; - -+ /* Sanity check, the device must have two interfaces */ - ar2->intf[1] = usb_ifnum_to_if(udev, 1); -+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { -+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", -+ __func__, udev->actconfig->desc.bNumInterfaces); -+ r = -ENODEV; -+ goto fail1; -+ } -+ - r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); - if (r) - goto fail1; -+ -+ /* Sanity check, second interface must have an endpoint */ - alt = ar2->intf[1]->cur_altsetting; -+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { -+ dev_err(&interface->dev, -+ "%s(): interface 1 must have an endpoint\n", __func__); -+ r = -ENODEV; -+ goto fail2; -+ } - ar2->ep[1] = &alt->endpoint[0].desc; - - r = ati_remote2_urb_init(ar2); - if (r) -- goto fail2; -+ goto fail3; - - ar2->channel_mask = channel_mask; - ar2->mode_mask = mode_mask; - - r = ati_remote2_setup(ar2, ar2->channel_mask); - if (r) -- goto fail2; -+ goto fail3; - - usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); - strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); -@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); - if (r) -- goto fail2; -+ goto fail3; - - r = ati_remote2_input_init(ar2); - if (r) -- goto fail3; -+ goto fail4; - - usb_set_intfdata(interface, ar2); - -@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - return 0; - -- fail3: -+ fail4: - sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); -- fail2: -+ fail3: - ati_remote2_urb_cleanup(ar2); -+ fail2: - usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); - fail1: - kfree(ar2); -diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c -index e204f26b0011..77164dc1bedd 100644 ---- a/drivers/input/misc/ims-pcu.c -+++ b/drivers/input/misc/ims-pcu.c -@@ -1433,6 +1433,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bMasterInterface0); -+ if (!pcu->ctrl_intf) -+ return -EINVAL; - - alt = pcu->ctrl_intf->cur_altsetting; - pcu->ep_ctrl = &alt->endpoint[0].desc; -@@ -1440,6 +1442,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->data_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bSlaveInterface0); -+ if (!pcu->data_intf) -+ return -EINVAL; - - alt = pcu->data_intf->cur_altsetting; - if (alt->desc.bNumEndpoints != 2) { -diff --git a/drivers/input/misc/max8997_haptic.c b/drivers/input/misc/max8997_haptic.c -index e973133212a5..a8c91226cd22 100644 ---- a/drivers/input/misc/max8997_haptic.c -+++ b/drivers/input/misc/max8997_haptic.c -@@ -246,12 +246,14 @@ static int max8997_haptic_probe(struct platform_device *pdev) - struct max8997_dev *iodev = dev_get_drvdata(pdev->dev.parent); - const struct max8997_platform_data *pdata = - dev_get_platdata(iodev->dev); -- const struct max8997_haptic_platform_data *haptic_pdata = -- pdata->haptic_pdata; -+ const struct max8997_haptic_platform_data *haptic_pdata = NULL; - struct max8997_haptic *chip; - struct input_dev *input_dev; - int error; - -+ if (pdata) -+ haptic_pdata = pdata->haptic_pdata; -+ - if (!haptic_pdata) { - dev_err(&pdev->dev, "no haptic platform data\n"); - return -EINVAL; -diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c -index 49c0c3ebd321..21ce1cf757bb 100644 ---- a/drivers/input/misc/powermate.c -+++ b/drivers/input/misc/powermate.c -@@ -308,6 +308,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i - int error = -ENOMEM; - - interface = intf->cur_altsetting; -+ if (interface->desc.bNumEndpoints < 1) -+ return -EINVAL; -+ - endpoint = &interface->endpoint[0].desc; - if (!usb_endpoint_is_int_in(endpoint)) - return -EIO; -diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c -index 29e01ab6859f..a9f8f925ba2b 100644 ---- a/drivers/input/tablet/gtco.c -+++ b/drivers/input/tablet/gtco.c -@@ -869,6 +869,14 @@ static int gtco_probe(struct usb_interface *usbinterface, - goto err_free_buf; - } - -+ /* Sanity check that a device has an endpoint */ -+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { -+ dev_err(&usbinterface->dev, -+ "Invalid number of endpoints\n"); -+ error = -EINVAL; -+ goto err_free_urb; -+ } -+ - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint -@@ -890,7 +898,7 @@ static int gtco_probe(struct usb_interface *usbinterface, - * HID report descriptor - */ - if (usb_get_extra_descriptor(usbinterface->cur_altsetting, -- HID_DEVICE_TYPE, &hid_desc) != 0){ -+ HID_DEVICE_TYPE, &hid_desc) != 0) { - dev_err(&usbinterface->dev, - "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); - error = -EIO; -diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c -index 84ccf140c1bb..9332e46b53ed 100644 ---- a/drivers/input/touchscreen/ads7846.c -+++ b/drivers/input/touchscreen/ads7846.c -@@ -697,18 +697,22 @@ static int ads7846_no_filter(void *ads, int data_idx, int *val) - - static int ads7846_get_value(struct ads7846 *ts, struct spi_message *m) - { -+ int value; - struct spi_transfer *t = - list_entry(m->transfers.prev, struct spi_transfer, transfer_list); - - if (ts->model == 7845) { -- return be16_to_cpup((__be16 *)&(((char*)t->rx_buf)[1])) >> 3; -+ value = be16_to_cpup((__be16 *)&(((char *)t->rx_buf)[1])); - } else { - /* - * adjust: on-wire is a must-ignore bit, a BE12 value, then - * padding; built from two 8 bit values written msb-first. - */ -- return be16_to_cpup((__be16 *)t->rx_buf) >> 3; -+ value = be16_to_cpup((__be16 *)t->rx_buf); - } -+ -+ /* enforce ADC output is 12 bits width */ -+ return (value >> 3) & 0xfff; - } - - static void ads7846_update_value(struct spi_message *m, int val) -diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c -index 2d2915fdbf02..2a4c13af482a 100644 ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1295,6 +1295,9 @@ static void cache_set_flush(struct closure *cl) - set_bit(CACHE_SET_STOPPING_2, &c->flags); - wake_up(&c->alloc_wait); - -+ if (!c) -+ closure_return(cl); -+ - bch_cache_accounting_destroy(&c->accounting); - - kobject_put(&c->internal); -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index ef18ca745b1e..9ee3c460fa37 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -5658,8 +5658,8 @@ static int run(struct mddev *mddev) - } - - if (discard_supported && -- mddev->queue->limits.max_discard_sectors >= stripe && -- mddev->queue->limits.discard_granularity >= stripe) -+ mddev->queue->limits.max_discard_sectors >= (stripe >> 9) && -+ mddev->queue->limits.discard_granularity >= stripe) - queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, - mddev->queue); - else -diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c -index e2633d9270b7..aa4519e5cafa 100644 ---- a/drivers/media/pci/bt8xx/bttv-driver.c -+++ b/drivers/media/pci/bt8xx/bttv-driver.c -@@ -2376,6 +2376,19 @@ static int bttv_g_fmt_vid_overlay(struct file *file, void *priv, - return 0; - } - -+static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt, -+ unsigned int *width_mask, -+ unsigned int *width_bias) -+{ -+ if (fmt->flags & FORMAT_FLAGS_PLANAR) { -+ *width_mask = ~15; /* width must be a multiple of 16 pixels */ -+ *width_bias = 8; /* nearest */ -+ } else { -+ *width_mask = ~3; /* width must be a multiple of 4 pixels */ -+ *width_bias = 2; /* nearest */ -+ } -+} -+ - static int bttv_try_fmt_vid_cap(struct file *file, void *priv, - struct v4l2_format *f) - { -@@ -2385,6 +2398,7 @@ static int bttv_try_fmt_vid_cap(struct file *file, void *priv, - enum v4l2_field field; - __s32 width, height; - __s32 height2; -+ unsigned int width_mask, width_bias; - int rc; - - fmt = format_by_fourcc(f->fmt.pix.pixelformat); -@@ -2417,9 +2431,9 @@ static int bttv_try_fmt_vid_cap(struct file *file, void *priv, - width = f->fmt.pix.width; - height = f->fmt.pix.height; - -+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias); - rc = limit_scaled_size_lock(fh, &width, &height, field, -- /* width_mask: 4 pixels */ ~3, -- /* width_bias: nearest */ 2, -+ width_mask, width_bias, - /* adjust_size */ 1, - /* adjust_crop */ 0); - if (0 != rc) -@@ -2452,6 +2466,7 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, - struct bttv_fh *fh = priv; - struct bttv *btv = fh->btv; - __s32 width, height; -+ unsigned int width_mask, width_bias; - enum v4l2_field field; - - retval = bttv_switch_type(fh, f->type); -@@ -2466,9 +2481,10 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, - height = f->fmt.pix.height; - field = f->fmt.pix.field; - -+ fmt = format_by_fourcc(f->fmt.pix.pixelformat); -+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias); - retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field, -- /* width_mask: 4 pixels */ ~3, -- /* width_bias: nearest */ 2, -+ width_mask, width_bias, - /* adjust_size */ 1, - /* adjust_crop */ 1); - if (0 != retval) -@@ -2476,8 +2492,6 @@ static int bttv_s_fmt_vid_cap(struct file *file, void *priv, - - f->fmt.pix.field = field; - -- fmt = format_by_fourcc(f->fmt.pix.pixelformat); -- - /* update our state informations */ - fh->fmt = fmt; - fh->cap.field = f->fmt.pix.field; -diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c -index 77bbf7889659..db1e8ee13ded 100644 ---- a/drivers/media/usb/pwc/pwc-if.c -+++ b/drivers/media/usb/pwc/pwc-if.c -@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_device_table [] = { - { USB_DEVICE(0x0471, 0x0312) }, - { USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */ - { USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */ -+ { USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */ - { USB_DEVICE(0x069A, 0x0001) }, /* Askey */ - { USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */ - { USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */ -@@ -799,6 +800,11 @@ static int usb_pwc_probe(struct usb_interface *intf, const struct usb_device_id - name = "Philips SPC 900NC webcam"; - type_id = 740; - break; -+ case 0x032C: -+ PWC_INFO("Philips SPC 880NC USB webcam detected.\n"); -+ name = "Philips SPC 880NC webcam"; -+ type_id = 740; -+ break; - default: - return -ENODEV; - break; -diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c -index d34c2afe2c24..bcfefe61a592 100644 ---- a/drivers/media/usb/usbvision/usbvision-video.c -+++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1459,6 +1459,7 @@ static void usbvision_release(struct usb_usbvision *usbvision) - - usbvision_remove_sysfs(usbvision->vdev); - usbvision_unregister_video(usbvision); -+ kfree(usbvision->alt_max_pkt_size); - - usb_free_urb(usbvision->ctrl_urb); - -@@ -1520,7 +1521,7 @@ static int usbvision_probe(struct usb_interface *intf, - const struct usb_host_interface *interface; - struct usb_usbvision *usbvision = NULL; - const struct usb_endpoint_descriptor *endpoint; -- int model, i; -+ int model, i, ret; - - PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u", - dev->descriptor.idVendor, -@@ -1529,33 +1530,51 @@ static int usbvision_probe(struct usb_interface *intf, - model = devid->driver_info; - if (model < 0 || model >= usbvision_device_data_size) { - PDEBUG(DBG_PROBE, "model out of bounds %d", model); -- return -ENODEV; -+ ret = -ENODEV; -+ goto err_usb; - } - printk(KERN_INFO "%s: %s found\n", __func__, - usbvision_device_data[model].model_string); - - if (usbvision_device_data[model].interface >= 0) - interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; -- else -+ else if (ifnum < dev->actconfig->desc.bNumInterfaces) - interface = &dev->actconfig->interface[ifnum]->altsetting[0]; -+ else { -+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n", -+ ifnum, dev->actconfig->desc.bNumInterfaces - 1); -+ ret = -ENODEV; -+ goto err_usb; -+ } -+ -+ if (interface->desc.bNumEndpoints < 2) { -+ dev_err(&intf->dev, "interface %d has %d endpoints, but must" -+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints); -+ ret = -ENODEV; -+ goto err_usb; -+ } - endpoint = &interface->endpoint[1].desc; -+ - if (!usb_endpoint_xfer_isoc(endpoint)) { - dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n", - __func__, ifnum); - dev_err(&intf->dev, "%s: Endpoint attributes %d", - __func__, endpoint->bmAttributes); -- return -ENODEV; -+ ret = -ENODEV; -+ goto err_usb; - } - if (usb_endpoint_dir_out(endpoint)) { - dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n", - __func__, ifnum); -- return -ENODEV; -+ ret = -ENODEV; -+ goto err_usb; - } - - usbvision = usbvision_alloc(dev, intf); - if (usbvision == NULL) { - dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto err_usb; - } - - if (dev->descriptor.bNumConfigurations > 1) -@@ -1574,7 +1593,8 @@ static int usbvision_probe(struct usb_interface *intf, - usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL); - if (usbvision->alt_max_pkt_size == NULL) { - dev_err(&intf->dev, "usbvision: out of memory!\n"); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto err_pkt; - } - - for (i = 0; i < usbvision->num_alt; i++) { -@@ -1609,6 +1629,12 @@ static int usbvision_probe(struct usb_interface *intf, - - PDEBUG(DBG_PROBE, "success"); - return 0; -+ -+err_pkt: -+ usbvision_release(usbvision); -+err_usb: -+ usb_put_dev(dev); -+ return ret; - } - - -diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index 35fb8f0cb539..07d6ce4c9c6f 100644 ---- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -@@ -392,7 +392,8 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - get_user(kp->index, &up->index) || - get_user(kp->type, &up->type) || - get_user(kp->flags, &up->flags) || -- get_user(kp->memory, &up->memory)) -+ get_user(kp->memory, &up->memory) || -+ get_user(kp->length, &up->length)) - return -EFAULT; - - if (V4L2_TYPE_IS_OUTPUT(kp->type)) -@@ -404,9 +405,6 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - return -EFAULT; - - if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { -- if (get_user(kp->length, &up->length)) -- return -EFAULT; -- - num_planes = kp->length; - if (num_planes == 0) { - kp->m.planes = NULL; -@@ -439,16 +437,14 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - } else { - switch (kp->memory) { - case V4L2_MEMORY_MMAP: -- if (get_user(kp->length, &up->length) || -- get_user(kp->m.offset, &up->m.offset)) -+ if (get_user(kp->m.offset, &up->m.offset)) - return -EFAULT; - break; - case V4L2_MEMORY_USERPTR: - { - compat_long_t tmp; - -- if (get_user(kp->length, &up->length) || -- get_user(tmp, &up->m.userptr)) -+ if (get_user(tmp, &up->m.userptr)) - return -EFAULT; - - kp->m.userptr = (unsigned long)compat_ptr(tmp); -@@ -490,7 +486,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || - put_user(kp->sequence, &up->sequence) || - put_user(kp->reserved2, &up->reserved2) || -- put_user(kp->reserved, &up->reserved)) -+ put_user(kp->reserved, &up->reserved) || -+ put_user(kp->length, &up->length)) - return -EFAULT; - - if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { -@@ -513,13 +510,11 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user - } else { - switch (kp->memory) { - case V4L2_MEMORY_MMAP: -- if (put_user(kp->length, &up->length) || -- put_user(kp->m.offset, &up->m.offset)) -+ if (put_user(kp->m.offset, &up->m.offset)) - return -EFAULT; - break; - case V4L2_MEMORY_USERPTR: -- if (put_user(kp->length, &up->length) || -- put_user(kp->m.userptr, &up->m.userptr)) -+ if (put_user(kp->m.userptr, &up->m.userptr)) - return -EFAULT; - break; - case V4L2_MEMORY_OVERLAY: -diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c -index e59ac4cbac96..c7576a503e5b 100644 ---- a/drivers/mfd/omap-usb-tll.c -+++ b/drivers/mfd/omap-usb-tll.c -@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct platform_device *pdev) - - if (IS_ERR(tll->ch_clk[i])) - dev_dbg(dev, "can't get clock : %s\n", clkname); -+ else -+ clk_prepare(tll->ch_clk[i]); - } - - pm_runtime_put_sync(dev); -@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct platform_device *pdev) - tll_dev = NULL; - spin_unlock(&tll_lock); - -- for (i = 0; i < tll->nch; i++) -- if (!IS_ERR(tll->ch_clk[i])) -+ for (i = 0; i < tll->nch; i++) { -+ if (!IS_ERR(tll->ch_clk[i])) { -+ clk_unprepare(tll->ch_clk[i]); - clk_put(tll->ch_clk[i]); -+ } -+ } - - pm_runtime_disable(&pdev->dev); - return 0; -diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig -index c002d8660e30..7a6818407836 100644 ---- a/drivers/misc/Kconfig -+++ b/drivers/misc/Kconfig -@@ -451,7 +451,7 @@ config ARM_CHARLCD - still useful. - - config BMP085 -- bool -+ tristate - depends on SYSFS - - config BMP085_I2C -diff --git a/drivers/misc/ad525x_dpot.c b/drivers/misc/ad525x_dpot.c -index 8f99e8e3f0ac..beb7422c3cc7 100644 ---- a/drivers/misc/ad525x_dpot.c -+++ b/drivers/misc/ad525x_dpot.c -@@ -216,7 +216,7 @@ static s32 dpot_read_i2c(struct dpot_data *dpot, u8 reg) - */ - value = swab16(value); - -- if (dpot->uid == DPOT_UID(AD5271_ID)) -+ if (dpot->uid == DPOT_UID(AD5274_ID)) - value = value >> 2; - return value; - default: -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index ebb40a292d67..c6bf23599eb9 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -2322,11 +2322,12 @@ static const struct mmc_fixup blk_fixups[] = - MMC_QUIRK_BLK_NO_CMD23), - - /* -- * Some Micron MMC cards needs longer data read timeout than -- * indicated in CSD. -+ * Some MMC cards need longer data read timeout than indicated in CSD. - */ - MMC_FIXUP(CID_NAME_ANY, CID_MANFID_MICRON, 0x200, add_quirk_mmc, - MMC_QUIRK_LONG_READ_TIME), -+ MMC_FIXUP("008GE0", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc, -+ MMC_QUIRK_LONG_READ_TIME), - - /* - * On these Samsung MoviNAND parts, performing secure erase or -diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c -index 68ab26385d06..3ae6f1325773 100644 ---- a/drivers/mmc/core/core.c -+++ b/drivers/mmc/core/core.c -@@ -801,11 +801,11 @@ void mmc_set_data_timeout(struct mmc_data *data, const struct mmc_card *card) - /* - * Some cards require longer data read timeout than indicated in CSD. - * Address this by setting the read timeout to a "reasonably high" -- * value. For the cards tested, 300ms has proven enough. If necessary, -+ * value. For the cards tested, 600ms has proven enough. If necessary, - * this value can be increased if other problematic cards require this. - */ - if (mmc_card_long_read_time(card) && data->flags & MMC_DATA_READ) { -- data->timeout_ns = 300000000; -+ data->timeout_ns = 600000000; - data->timeout_clks = 0; - } - -diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c -index 0cbd1effe960..dda1a42ae822 100644 ---- a/drivers/mmc/core/mmc.c -+++ b/drivers/mmc/core/mmc.c -@@ -266,6 +266,9 @@ static void mmc_select_card_type(struct mmc_card *card) - card->ext_csd.card_type = card_type; - } - -+/* Minimum partition switch timeout in milliseconds */ -+#define MMC_MIN_PART_SWITCH_TIME 300 -+ - /* - * Decode extended CSD. - */ -@@ -330,6 +333,10 @@ static int mmc_read_ext_csd(struct mmc_card *card, u8 *ext_csd) - - /* EXT_CSD value is in units of 10ms, but we store in ms */ - card->ext_csd.part_time = 10 * ext_csd[EXT_CSD_PART_SWITCH_TIME]; -+ /* Some eMMC set the value too low so set a minimum */ -+ if (card->ext_csd.part_time && -+ card->ext_csd.part_time < MMC_MIN_PART_SWITCH_TIME) -+ card->ext_csd.part_time = MMC_MIN_PART_SWITCH_TIME; - - /* Sleep / awake timeout in 100ns units */ - if (sa_shift > 0 && sa_shift <= 0x17) -diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c -index b3f41f200622..0f13fd4748ec 100644 ---- a/drivers/mtd/onenand/onenand_base.c -+++ b/drivers/mtd/onenand/onenand_base.c -@@ -2610,6 +2610,7 @@ static int onenand_default_block_markbad(struct mtd_info *mtd, loff_t ofs) - */ - static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs) - { -+ struct onenand_chip *this = mtd->priv; - int ret; - - ret = onenand_block_isbad(mtd, ofs); -@@ -2621,7 +2622,7 @@ static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs) - } - - onenand_get_device(mtd, FL_WRITING); -- ret = mtd_block_markbad(mtd, ofs); -+ ret = this->block_markbad(mtd, ofs); - onenand_release_device(mtd); - return ret; - } -diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c -index 265ce1b752ed..96fe542b4acb 100644 ---- a/drivers/net/ethernet/atheros/atlx/atl2.c -+++ b/drivers/net/ethernet/atheros/atlx/atl2.c -@@ -1413,7 +1413,7 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - err = -EIO; - -- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; -+ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX; - netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); - - /* Init PHY as early as possible due to power saving issue */ -diff --git a/drivers/net/ethernet/jme.c b/drivers/net/ethernet/jme.c -index 070a6f1a0577..2f4cbcae9c7c 100644 ---- a/drivers/net/ethernet/jme.c -+++ b/drivers/net/ethernet/jme.c -@@ -3290,13 +3290,14 @@ jme_resume(struct device *dev) - jme_reset_phy_processor(jme); - jme_phy_calibration(jme); - jme_phy_setEA(jme); -- jme_start_irq(jme); - netif_device_attach(netdev); - - atomic_inc(&jme->link_changing); - - jme_reset_link(jme); - -+ jme_start_irq(jme); -+ - return 0; - } - -diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_main.c b/drivers/net/ethernet/qlogic/qlge/qlge_main.c -index f87cc216045b..a978cc2eafe0 100644 ---- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c -+++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c -@@ -1620,7 +1620,18 @@ static void ql_process_mac_rx_skb(struct ql_adapter *qdev, - return; - } - skb_reserve(new_skb, NET_IP_ALIGN); -+ -+ pci_dma_sync_single_for_cpu(qdev->pdev, -+ dma_unmap_addr(sbq_desc, mapaddr), -+ dma_unmap_len(sbq_desc, maplen), -+ PCI_DMA_FROMDEVICE); -+ - memcpy(skb_put(new_skb, length), skb->data, length); -+ -+ pci_dma_sync_single_for_device(qdev->pdev, -+ dma_unmap_addr(sbq_desc, mapaddr), -+ dma_unmap_len(sbq_desc, maplen), -+ PCI_DMA_FROMDEVICE); - skb = new_skb; - - /* Frame error, so drop the packet. */ -diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c -index b93a0fb17236..93b652516a94 100644 ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -1161,7 +1161,8 @@ static void sh_eth_ring_format(struct net_device *ndev) - mdp->dirty_rx = (u32) (i - mdp->num_rx_ring); - - /* Mark the last entry as wrapping the ring. */ -- rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); -+ if (rxdesc) -+ rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL); - - memset(mdp->tx_ring, 0, tx_ringsize); - -diff --git a/drivers/net/irda/irtty-sir.c b/drivers/net/irda/irtty-sir.c -index a41267197839..0d71fa9f0c68 100644 ---- a/drivers/net/irda/irtty-sir.c -+++ b/drivers/net/irda/irtty-sir.c -@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct *tty) - - /* Module stuff handled via irda_ldisc.owner - Jean II */ - -- /* First make sure we're not already connected. */ -- if (tty->disc_data != NULL) { -- priv = tty->disc_data; -- if (priv && priv->magic == IRTTY_MAGIC) { -- ret = -EEXIST; -- goto out; -- } -- tty->disc_data = NULL; /* ### */ -- } -- - /* stop the underlying driver */ - irtty_stop_receiver(tty, TRUE); - if (tty->ops->stop) -diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c -index a2d7d5f066f1..14a8d2958698 100644 ---- a/drivers/net/ppp/ppp_generic.c -+++ b/drivers/net/ppp/ppp_generic.c -@@ -2220,7 +2220,7 @@ int ppp_register_net_channel(struct net *net, struct ppp_channel *chan) - - pch->ppp = NULL; - pch->chan = chan; -- pch->chan_net = net; -+ pch->chan_net = get_net(net); - chan->ppp = pch; - init_ppp_file(&pch->file, CHANNEL); - pch->file.hdrlen = chan->hdrlen; -@@ -2317,6 +2317,8 @@ ppp_unregister_channel(struct ppp_channel *chan) - spin_lock_bh(&pn->all_channels_lock); - list_del(&pch->list); - spin_unlock_bh(&pn->all_channels_lock); -+ put_net(pch->chan_net); -+ pch->chan_net = NULL; - - pch->file.dead = 1; - wake_up_interruptible(&pch->file.rwait); -diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c -index f433b594388e..00a8128cf927 100644 ---- a/drivers/net/rionet.c -+++ b/drivers/net/rionet.c -@@ -269,7 +269,7 @@ static void rionet_outb_msg_event(struct rio_mport *mport, void *dev_id, int mbo - struct net_device *ndev = dev_id; - struct rionet_private *rnet = netdev_priv(ndev); - -- spin_lock(&rnet->lock); -+ spin_lock(&rnet->tx_lock); - - if (netif_msg_intr(rnet)) - printk(KERN_INFO -@@ -288,7 +288,7 @@ static void rionet_outb_msg_event(struct rio_mport *mport, void *dev_id, int mbo - if (rnet->tx_cnt < RIONET_TX_RING_SIZE) - netif_wake_queue(ndev); - -- spin_unlock(&rnet->lock); -+ spin_unlock(&rnet->tx_lock); - } - - static int rionet_open(struct net_device *ndev) -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index 43afde8f48d2..74581cbcafa7 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -464,7 +464,11 @@ advance: - - iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber; - -- /* reset data interface */ -+ /* Reset data interface. Some devices will not reset properly -+ * unless they are configured first. Toggle the altsetting to -+ * force a reset -+ */ -+ usb_set_interface(dev->udev, iface_no, data_altsetting); - temp = usb_set_interface(dev->udev, iface_no, 0); - if (temp) - goto error2; -diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c -index 0244a1fb38f9..12aaf1f4f890 100644 ---- a/drivers/net/usb/qmi_wwan.c -+++ b/drivers/net/usb/qmi_wwan.c -@@ -724,6 +724,7 @@ static const struct usb_device_id products[] = { - {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */ - {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */ - {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ -+ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ - {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ - {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ - {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ -diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c -index fb068ada0c5a..2255d8965037 100644 ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -1622,6 +1622,13 @@ out3: - if (info->unbind) - info->unbind (dev, udev); - out1: -+ /* subdrivers must undo all they did in bind() if they -+ * fail it, but we may fail later and a deferred kevent -+ * may trigger an error resubmitting itself and, worse, -+ * schedule a timer. So we kill it all just in case. -+ */ -+ cancel_work_sync(&dev->kevent); -+ del_timer_sync(&dev->delay); - free_netdev(net); - out: - return status; -diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c -index bcfff0d62de4..2dfa1478d7d1 100644 ---- a/drivers/net/wan/farsync.c -+++ b/drivers/net/wan/farsync.c -@@ -2545,7 +2545,7 @@ fst_add_one(struct pci_dev *pdev, const struct pci_device_id *ent) - dev->mem_start = card->phys_mem - + BUF_OFFSET ( txBuffer[i][0][0]); - dev->mem_end = card->phys_mem -- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]); -+ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]); - dev->base_addr = card->pci_conf; - dev->irq = card->irq; - -diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c -index 971d770722cf..2ac05486424b 100644 ---- a/drivers/net/wireless/ath/ath9k/eeprom.c -+++ b/drivers/net/wireless/ath/ath9k/eeprom.c -@@ -408,10 +408,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, - - if (match) { - if (AR_SREV_9287(ah)) { -- /* FIXME: array overrun? */ - for (i = 0; i < numXpdGains; i++) { - minPwrT4[i] = data_9287[idxL].pwrPdg[i][0]; -- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; -+ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1]; - ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], - data_9287[idxL].pwrPdg[i], - data_9287[idxL].vpdPdg[i], -@@ -421,7 +420,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, - } else if (eeprom_4k) { - for (i = 0; i < numXpdGains; i++) { - minPwrT4[i] = data_4k[idxL].pwrPdg[i][0]; -- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4]; -+ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1]; - ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], - data_4k[idxL].pwrPdg[i], - data_4k[idxL].vpdPdg[i], -@@ -431,7 +430,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, - } else { - for (i = 0; i < numXpdGains; i++) { - minPwrT4[i] = data_def[idxL].pwrPdg[i][0]; -- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4]; -+ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1]; - ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], - data_def[idxL].pwrPdg[i], - data_def[idxL].vpdPdg[i], -diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index 034a4d2964d6..d332d55885f8 100644 ---- a/drivers/pci/probe.c -+++ b/drivers/pci/probe.c -@@ -173,6 +173,9 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, - struct pci_bus_region region; - bool bar_too_big = false, bar_disabled = false; - -+ if (dev->non_compliant_bars) -+ return 0; -+ - mask = type ? PCI_ROM_ADDRESS_MASK : ~0; - - /* No printks while decoding is disabled! */ -@@ -981,6 +984,7 @@ void set_pcie_hotplug_bridge(struct pci_dev *pdev) - int pci_setup_device(struct pci_dev *dev) - { - u32 class; -+ u16 cmd; - u8 hdr_type; - struct pci_slot *slot; - int pos = 0; -@@ -1028,6 +1032,16 @@ int pci_setup_device(struct pci_dev *dev) - /* device class may be changed after fixup */ - class = dev->class >> 8; - -+ if (dev->non_compliant_bars) { -+ pci_read_config_word(dev, PCI_COMMAND, &cmd); -+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) { -+ dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n"); -+ cmd &= ~PCI_COMMAND_IO; -+ cmd &= ~PCI_COMMAND_MEMORY; -+ pci_write_config_word(dev, PCI_COMMAND, cmd); -+ } -+ } -+ - switch (dev->hdr_type) { /* header type */ - case PCI_HEADER_TYPE_NORMAL: /* standard header */ - if (class == PCI_CLASS_BRIDGE_PCI) -diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c -index 769d265b221b..deb7f4bcdb7b 100644 ---- a/drivers/pnp/pnpbios/bioscalls.c -+++ b/drivers/pnp/pnpbios/bioscalls.c -@@ -21,7 +21,7 @@ - - #include "pnpbios.h" - --static struct { -+__visible struct { - u16 offset; - u16 segment; - } pnp_bios_callpoint; -@@ -41,6 +41,7 @@ asmlinkage void pnp_bios_callfunc(void); - - __asm__(".text \n" - __ALIGN_STR "\n" -+ ".globl pnp_bios_callfunc\n" - "pnp_bios_callfunc:\n" - " pushl %edx \n" - " pushl %ecx \n" -@@ -66,9 +67,9 @@ static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092, - * after PnP BIOS oopses. - */ - --u32 pnp_bios_fault_esp; --u32 pnp_bios_fault_eip; --u32 pnp_bios_is_utter_crap = 0; -+__visible u32 pnp_bios_fault_esp; -+__visible u32 pnp_bios_fault_eip; -+__visible u32 pnp_bios_is_utter_crap = 0; - - static spinlock_t pnp_bios_lock; - -diff --git a/drivers/rtc/rtc-vr41xx.c b/drivers/rtc/rtc-vr41xx.c -index f91be04b9050..ca0f213c06a5 100644 ---- a/drivers/rtc/rtc-vr41xx.c -+++ b/drivers/rtc/rtc-vr41xx.c -@@ -272,12 +272,13 @@ static irqreturn_t rtclong1_interrupt(int irq, void *dev_id) - } - - static const struct rtc_class_ops vr41xx_rtc_ops = { -- .release = vr41xx_rtc_release, -- .ioctl = vr41xx_rtc_ioctl, -- .read_time = vr41xx_rtc_read_time, -- .set_time = vr41xx_rtc_set_time, -- .read_alarm = vr41xx_rtc_read_alarm, -- .set_alarm = vr41xx_rtc_set_alarm, -+ .release = vr41xx_rtc_release, -+ .ioctl = vr41xx_rtc_ioctl, -+ .read_time = vr41xx_rtc_read_time, -+ .set_time = vr41xx_rtc_set_time, -+ .read_alarm = vr41xx_rtc_read_alarm, -+ .set_alarm = vr41xx_rtc_set_alarm, -+ .alarm_irq_enable = vr41xx_rtc_alarm_irq_enable, - }; - - static int rtc_probe(struct platform_device *pdev) -diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c -index 1be0776a80c4..6a0d362e2596 100644 ---- a/drivers/scsi/aacraid/commsup.c -+++ b/drivers/scsi/aacraid/commsup.c -@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev *dev) - - void aac_fib_map_free(struct aac_dev *dev) - { -- pci_free_consistent(dev->pdev, -- dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB), -- dev->hw_fib_va, dev->hw_fib_pa); -+ if (dev->hw_fib_va && dev->max_fib_size) { -+ pci_free_consistent(dev->pdev, -+ (dev->max_fib_size * -+ (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)), -+ dev->hw_fib_va, dev->hw_fib_pa); -+ } - dev->hw_fib_va = NULL; - dev->hw_fib_pa = 0; - } -diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c -index bfe812fcce34..a683a831527b 100644 ---- a/drivers/scsi/be2iscsi/be_main.c -+++ b/drivers/scsi/be2iscsi/be_main.c -@@ -4040,6 +4040,7 @@ put_shost: - scsi_host_put(phba->shost); - free_kset: - iscsi_boot_destroy_kset(phba->boot_kset); -+ phba->boot_kset = NULL; - return -ENOMEM; - } - -diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c -index 4a79a5f0d95e..25ac2c00f8b3 100644 ---- a/drivers/scsi/ipr.c -+++ b/drivers/scsi/ipr.c -@@ -3908,13 +3908,17 @@ static ssize_t ipr_store_update_fw(struct device *dev, - struct ipr_sglist *sglist; - char fname[100]; - char *src; -- int len, result, dnld_size; -+ char *endline; -+ int result, dnld_size; - - if (!capable(CAP_SYS_ADMIN)) - return -EACCES; - -- len = snprintf(fname, 99, "%s", buf); -- fname[len-1] = '\0'; -+ snprintf(fname, sizeof(fname), "%s", buf); -+ -+ endline = strchr(fname, '\n'); -+ if (endline) -+ *endline = '\0'; - - if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) { - dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname); -diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c -index cb465b253910..e6e0679ec882 100644 ---- a/drivers/scsi/lpfc/lpfc_init.c -+++ b/drivers/scsi/lpfc/lpfc_init.c -@@ -2684,7 +2684,7 @@ lpfc_online(struct lpfc_hba *phba) - } - - vports = lpfc_create_vport_work_array(phba); -- if (vports != NULL) -+ if (vports != NULL) { - for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) { - struct Scsi_Host *shost; - shost = lpfc_shost_from_vport(vports[i]); -@@ -2701,7 +2701,8 @@ lpfc_online(struct lpfc_hba *phba) - } - spin_unlock_irq(shost->host_lock); - } -- lpfc_destroy_vport_work_array(phba, vports); -+ } -+ lpfc_destroy_vport_work_array(phba, vports); - - lpfc_unblock_mgmt_io(phba); - return 0; -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 0be16bf5f0cd..1f65e32db285 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -633,7 +633,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) - else - hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE; - hp->dxfer_len = mxsize; -- if (hp->dxfer_direction == SG_DXFER_TO_DEV) -+ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) || -+ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV)) - hp->dxferp = (char __user *)buf + cmd_size; - else - hp->dxferp = NULL; -diff --git a/drivers/staging/usbip/usbip_common.c b/drivers/staging/usbip/usbip_common.c -index 7b97df6f2a42..b4f237e55931 100644 ---- a/drivers/staging/usbip/usbip_common.c -+++ b/drivers/staging/usbip/usbip_common.c -@@ -784,6 +784,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) - if (!(size > 0)) - return 0; - -+ if (size > urb->transfer_buffer_length) { -+ /* should not happen, probably malicious packet */ -+ if (ud->side == USBIP_STUB) { -+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); -+ return 0; -+ } else { -+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); -+ return -EPIPE; -+ } -+ } -+ - ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); - if (ret != size) { - dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); -diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c -index d8c06a3d391e..1119d533c8e2 100644 ---- a/drivers/tty/serial/8250/8250_core.c -+++ b/drivers/tty/serial/8250/8250_core.c -@@ -686,22 +686,16 @@ static int size_fifo(struct uart_8250_port *up) - */ - static unsigned int autoconfig_read_divisor_id(struct uart_8250_port *p) - { -- unsigned char old_dll, old_dlm, old_lcr; -- unsigned int id; -+ unsigned char old_lcr; -+ unsigned int id, old_dl; - - old_lcr = serial_in(p, UART_LCR); - serial_out(p, UART_LCR, UART_LCR_CONF_MODE_A); -+ old_dl = serial_dl_read(p); -+ serial_dl_write(p, 0); -+ id = serial_dl_read(p); -+ serial_dl_write(p, old_dl); - -- old_dll = serial_in(p, UART_DLL); -- old_dlm = serial_in(p, UART_DLM); -- -- serial_out(p, UART_DLL, 0); -- serial_out(p, UART_DLM, 0); -- -- id = serial_in(p, UART_DLL) | serial_in(p, UART_DLM) << 8; -- -- serial_out(p, UART_DLL, old_dll); -- serial_out(p, UART_DLM, old_dlm); - serial_out(p, UART_LCR, old_lcr); - - return id; -diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c -index b8366b154fb9..921bf90bcc6a 100644 ---- a/drivers/tty/serial/samsung.c -+++ b/drivers/tty/serial/samsung.c -@@ -724,6 +724,8 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, - /* check to see if we need to change clock source */ - - if (ourport->baudclk != clk) { -+ clk_prepare_enable(clk); -+ - s3c24xx_serial_setsource(port, clk_sel); - - if (!IS_ERR(ourport->baudclk)) { -@@ -731,8 +733,6 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, - ourport->baudclk = ERR_PTR(-EINVAL); - } - -- clk_prepare_enable(clk); -- - ourport->baudclk = clk; - ourport->baudclk_rate = clk ? clk_get_rate(clk) : 0; - } -diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c -index db9d69fa1085..6dff194751f1 100644 ---- a/drivers/tty/vt/vt.c -+++ b/drivers/tty/vt/vt.c -@@ -3534,9 +3534,10 @@ static int do_register_con_driver(const struct consw *csw, int first, int last) - goto err; - - desc = csw->con_startup(); -- -- if (!desc) -+ if (!desc) { -+ retval = -ENODEV; - goto err; -+ } - - retval = -EINVAL; - -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index d6dab8adf60e..e7436ebbf04c 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -997,6 +997,9 @@ static int acm_probe(struct usb_interface *intf, - if (quirks == NO_UNION_NORMAL) { - data_interface = usb_ifnum_to_if(usb_dev, 1); - control_interface = usb_ifnum_to_if(usb_dev, 0); -+ /* we would crash */ -+ if (!data_interface || !control_interface) -+ return -ENODEV; - goto skip_normal_probe; - } - -diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c -index 2cdd5079ae78..f7310dd107ca 100644 ---- a/drivers/usb/core/driver.c -+++ b/drivers/usb/core/driver.c -@@ -461,11 +461,15 @@ static int usb_unbind_interface(struct device *dev) - int usb_driver_claim_interface(struct usb_driver *driver, - struct usb_interface *iface, void *priv) - { -- struct device *dev = &iface->dev; -+ struct device *dev; - struct usb_device *udev; - int retval = 0; - int lpm_disable_error; - -+ if (!iface) -+ return -ENODEV; -+ -+ dev = &iface->dev; - if (dev->driver) - return -EBUSY; - -diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c -index 4676917e2b1f..1eac8ddc5556 100644 ---- a/drivers/usb/core/hcd-pci.c -+++ b/drivers/usb/core/hcd-pci.c -@@ -74,6 +74,15 @@ static void for_each_companion(struct pci_dev *pdev, struct usb_hcd *hcd, - if (companion->bus != pdev->bus || - PCI_SLOT(companion->devfn) != slot) - continue; -+ -+ /* -+ * Companion device should be either UHCI,OHCI or EHCI host -+ * controller, otherwise skip. -+ */ -+ if (companion->class != CL_UHCI && companion->class != CL_OHCI && -+ companion->class != CL_EHCI) -+ continue; -+ - companion_hcd = pci_get_drvdata(companion); - if (!companion_hcd || !companion_hcd->self.root_hub) - continue; -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 92873f2773fc..8eb2de6beee4 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -4167,7 +4167,13 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, - r = -EPROTO; - break; - } -- if (r == 0) -+ /* -+ * Some devices time out if they are powered on -+ * when already connected. They need a second -+ * reset. But only on the first attempt, -+ * lest we get into a time out/reset loop -+ */ -+ if (r == 0 || (r == -ETIMEDOUT && j == 0)) - break; - } - udev->descriptor.bMaxPacketSize0 = -diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c -index 87e82e6b0c38..af9e4e8c9064 100644 ---- a/drivers/usb/host/xhci-mem.c -+++ b/drivers/usb/host/xhci-mem.c -@@ -1861,6 +1861,11 @@ no_bw: - kfree(xhci->port_array); - kfree(xhci->rh_bw); - -+ xhci->usb2_ports = NULL; -+ xhci->usb3_ports = NULL; -+ xhci->port_array = NULL; -+ xhci->rh_bw = NULL; -+ - xhci->page_size = 0; - xhci->page_shift = 0; - xhci->bus_state[0].bus_suspended = 0; -diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c -index d36f34e25bed..4c24ba0a6574 100644 ---- a/drivers/usb/misc/iowarrior.c -+++ b/drivers/usb/misc/iowarrior.c -@@ -792,6 +792,12 @@ static int iowarrior_probe(struct usb_interface *interface, - iface_desc = interface->cur_altsetting; - dev->product_id = le16_to_cpu(udev->descriptor.idProduct); - -+ if (iface_desc->desc.bNumEndpoints < 1) { -+ dev_err(&interface->dev, "Invalid number of endpoints\n"); -+ retval = -EINVAL; -+ goto error; -+ } -+ - /* set up the endpoint information */ - for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { - endpoint = &iface_desc->endpoint[i].desc; -diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c -index 45b94019aec8..157a9f9afc2d 100644 ---- a/drivers/usb/renesas_usbhs/fifo.c -+++ b/drivers/usb/renesas_usbhs/fifo.c -@@ -166,7 +166,8 @@ static int usbhsf_pkt_handler(struct usbhs_pipe *pipe, int type) - goto __usbhs_pkt_handler_end; - } - -- ret = func(pkt, &is_done); -+ if (likely(func)) -+ ret = func(pkt, &is_done); - - if (is_done) - __usbhsf_pkt_del(pkt); -@@ -933,6 +934,7 @@ static int usbhsf_dma_try_pop(struct usbhs_pkt *pkt, int *is_done) - - pkt->trans = len; - -+ usbhsf_tx_irq_ctrl(pipe, 0); - INIT_WORK(&pkt->work, xfer_work); - schedule_work(&pkt->work); - -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 84b770461655..0093261ccc57 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -108,6 +108,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */ - { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */ - { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */ -+ { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */ - { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */ - { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ - { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */ -@@ -117,6 +118,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */ - { USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */ - { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ -+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ - { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ - { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ - { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ -@@ -140,6 +142,8 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0xF004) }, /* Elan Digital Systems USBcount50 */ - { USB_DEVICE(0x10C5, 0xEA61) }, /* Silicon Labs MobiData GPRS USB Modem */ - { USB_DEVICE(0x10CE, 0xEA6A) }, /* Silicon Labs MobiData GPRS USB Modem 100EU */ -+ { USB_DEVICE(0x12B8, 0xEC60) }, /* Link G4 ECU */ -+ { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ - { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ - { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ - { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ -@@ -164,6 +168,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ - { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ - { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ -+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ - { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ -diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c -index 082120198f87..09f0f631389e 100644 ---- a/drivers/usb/serial/cypress_m8.c -+++ b/drivers/usb/serial/cypress_m8.c -@@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) - struct usb_serial *serial = port->serial; - struct cypress_private *priv; - -+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { -+ dev_err(&port->dev, "required endpoint is missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); - if (!priv) - return -ENOMEM; -@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) - cypress_set_termios(tty, port, &priv->tmp_termios); - - /* setup the port and start reading from the device */ -- if (!port->interrupt_in_urb) { -- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", -- __func__); -- return -1; -- } -- - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, - usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), - port->interrupt_in_urb->transfer_buffer, -diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c -index 7b807d389527..8c34d9cfb226 100644 ---- a/drivers/usb/serial/digi_acceleport.c -+++ b/drivers/usb/serial/digi_acceleport.c -@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) - - static int digi_startup(struct usb_serial *serial) - { -+ struct device *dev = &serial->interface->dev; - struct digi_serial *serial_priv; - int ret; -+ int i; -+ -+ /* check whether the device has the expected number of endpoints */ -+ if (serial->num_port_pointers < serial->type->num_ports + 1) { -+ dev_err(dev, "OOB endpoints missing\n"); -+ return -ENODEV; -+ } -+ -+ for (i = 0; i < serial->type->num_ports + 1 ; i++) { -+ if (!serial->port[i]->read_urb) { -+ dev_err(dev, "bulk-in endpoint missing\n"); -+ return -ENODEV; -+ } -+ if (!serial->port[i]->write_urb) { -+ dev_err(dev, "bulk-out endpoint missing\n"); -+ return -ENODEV; -+ } -+ } - - serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); - if (!serial_priv) -diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c -index 1477e8593476..c574d312f1f5 100644 ---- a/drivers/usb/serial/io_edgeport.c -+++ b/drivers/usb/serial/io_edgeport.c -@@ -2988,16 +2988,9 @@ static void edge_disconnect(struct usb_serial *serial) - { - struct edgeport_serial *edge_serial = usb_get_serial_data(serial); - -- /* stop reads and writes on all ports */ -- /* free up our endpoint stuff */ - if (edge_serial->is_epic) { - usb_kill_urb(edge_serial->interrupt_read_urb); -- usb_free_urb(edge_serial->interrupt_read_urb); -- kfree(edge_serial->interrupt_in_buffer); -- - usb_kill_urb(edge_serial->read_urb); -- usb_free_urb(edge_serial->read_urb); -- kfree(edge_serial->bulk_in_buffer); - } - } - -@@ -3010,6 +3003,16 @@ static void edge_release(struct usb_serial *serial) - { - struct edgeport_serial *edge_serial = usb_get_serial_data(serial); - -+ if (edge_serial->is_epic) { -+ usb_kill_urb(edge_serial->interrupt_read_urb); -+ usb_free_urb(edge_serial->interrupt_read_urb); -+ kfree(edge_serial->interrupt_in_buffer); -+ -+ usb_kill_urb(edge_serial->read_urb); -+ usb_free_urb(edge_serial->read_urb); -+ kfree(edge_serial->bulk_in_buffer); -+ } -+ - kfree(edge_serial); - } - -diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c -index cec377b8bb8b..32a67c69eec8 100644 ---- a/drivers/usb/serial/keyspan.c -+++ b/drivers/usb/serial/keyspan.c -@@ -2392,6 +2392,10 @@ static void keyspan_release(struct usb_serial *serial) - - s_priv = usb_get_serial_data(serial); - -+ /* Make sure to unlink the URBs submitted in attach. */ -+ usb_kill_urb(s_priv->instat_urb); -+ usb_kill_urb(s_priv->indat_urb); -+ - usb_free_urb(s_priv->instat_urb); - usb_free_urb(s_priv->indat_urb); - usb_free_urb(s_priv->glocont_urb); -diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c -index 6a15adf53360..c14c29ff1151 100644 ---- a/drivers/usb/serial/mct_u232.c -+++ b/drivers/usb/serial/mct_u232.c -@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, - - static int mct_u232_port_probe(struct usb_serial_port *port) - { -+ struct usb_serial *serial = port->serial; - struct mct_u232_private *priv; - -+ /* check first to simplify error handling */ -+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { -+ dev_err(&port->dev, "expected endpoint missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (!priv) - return -ENOMEM; - - /* Use second interrupt-in endpoint for reading. */ -- priv->read_urb = port->serial->port[1]->interrupt_in_urb; -+ priv->read_urb = serial->port[1]->interrupt_in_urb; - priv->read_urb->context = port; - - spin_lock_init(&priv->lock); -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 24366a2afea6..bcb6f5c2bae4 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -375,18 +375,22 @@ static void option_instat_callback(struct urb *urb); - #define HAIER_PRODUCT_CE81B 0x10f8 - #define HAIER_PRODUCT_CE100 0x2009 - --/* Cinterion (formerly Siemens) products */ --#define SIEMENS_VENDOR_ID 0x0681 --#define CINTERION_VENDOR_ID 0x1e2d -+/* Gemalto's Cinterion products (formerly Siemens) */ -+#define SIEMENS_VENDOR_ID 0x0681 -+#define CINTERION_VENDOR_ID 0x1e2d -+#define CINTERION_PRODUCT_HC25_MDMNET 0x0040 - #define CINTERION_PRODUCT_HC25_MDM 0x0047 --#define CINTERION_PRODUCT_HC25_MDMNET 0x0040 -+#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */ - #define CINTERION_PRODUCT_HC28_MDM 0x004C --#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */ - #define CINTERION_PRODUCT_EU3_E 0x0051 - #define CINTERION_PRODUCT_EU3_P 0x0052 - #define CINTERION_PRODUCT_PH8 0x0053 - #define CINTERION_PRODUCT_AHXX 0x0055 - #define CINTERION_PRODUCT_PLXX 0x0060 -+#define CINTERION_PRODUCT_PH8_2RMNET 0x0082 -+#define CINTERION_PRODUCT_PH8_AUDIO 0x0083 -+#define CINTERION_PRODUCT_AHXX_2RMNET 0x0084 -+#define CINTERION_PRODUCT_AHXX_AUDIO 0x0085 - - /* Olivetti products */ - #define OLIVETTI_VENDOR_ID 0x0b3c -@@ -641,6 +645,10 @@ static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { - .reserved = BIT(1) | BIT(2) | BIT(3), - }; - -+static const struct option_blacklist_info cinterion_rmnet2_blacklist = { -+ .reserved = BIT(4) | BIT(5), -+}; -+ - static const struct usb_device_id option_ids[] = { - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, -@@ -1712,7 +1720,13 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff), -+ .driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff), -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) }, -+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) }, -+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, - { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) }, - { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) }, - { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) }, -@@ -1818,6 +1832,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) }, -+ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */ -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ - { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ - { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ -diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c -index 02b0803425c5..13824b5ca343 100644 ---- a/drivers/usb/serial/quatech2.c -+++ b/drivers/usb/serial/quatech2.c -@@ -141,6 +141,7 @@ static void qt2_release(struct usb_serial *serial) - - serial_priv = usb_get_serial_data(serial); - -+ usb_kill_urb(serial_priv->read_urb); - usb_free_urb(serial_priv->read_urb); - kfree(serial_priv); - } -diff --git a/drivers/video/da8xx-fb.c b/drivers/video/da8xx-fb.c -index 0810939936f4..b13bfb2e52a2 100644 ---- a/drivers/video/da8xx-fb.c -+++ b/drivers/video/da8xx-fb.c -@@ -226,8 +226,7 @@ static struct fb_videomode known_lcd_panels[] = { - .lower_margin = 2, - .hsync_len = 0, - .vsync_len = 0, -- .sync = FB_SYNC_CLK_INVERT | -- FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, -+ .sync = FB_SYNC_CLK_INVERT, - }, - /* Sharp LK043T1DG01 */ - [1] = { -@@ -241,7 +240,7 @@ static struct fb_videomode known_lcd_panels[] = { - .lower_margin = 2, - .hsync_len = 41, - .vsync_len = 10, -- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, -+ .sync = 0, - .flag = 0, - }, - [2] = { -@@ -256,7 +255,7 @@ static struct fb_videomode known_lcd_panels[] = { - .lower_margin = 10, - .hsync_len = 10, - .vsync_len = 10, -- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, -+ .sync = 0, - .flag = 0, - }, - }; -diff --git a/drivers/watchdog/rc32434_wdt.c b/drivers/watchdog/rc32434_wdt.c -index f78bc008cbb7..ea8f58216d4d 100644 ---- a/drivers/watchdog/rc32434_wdt.c -+++ b/drivers/watchdog/rc32434_wdt.c -@@ -237,7 +237,7 @@ static long rc32434_wdt_ioctl(struct file *file, unsigned int cmd, - return -EINVAL; - /* Fall through */ - case WDIOC_GETTIMEOUT: -- return copy_to_user(argp, &timeout, sizeof(int)); -+ return copy_to_user(argp, &timeout, sizeof(int)) ? -EFAULT : 0; - default: - return -ENOTTY; - } -diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c -index 8edc9eb1ef7b..d65e16e9d1d9 100644 ---- a/fs/cifs/sess.c -+++ b/fs/cifs/sess.c -@@ -487,19 +487,27 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer, - sec_blob->LmChallengeResponse.MaximumLength = 0; - - sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer); -- rc = setup_ntlmv2_rsp(ses, nls_cp); -- if (rc) { -- cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); -- goto setup_ntlmv2_ret; -- } -- memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, -- ses->auth_key.len - CIFS_SESS_KEY_SIZE); -- tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; -+ if (ses->user_name != NULL) { -+ rc = setup_ntlmv2_rsp(ses, nls_cp); -+ if (rc) { -+ cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); -+ goto setup_ntlmv2_ret; -+ } -+ memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, -+ ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; - -- sec_blob->NtChallengeResponse.Length = -- cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -- sec_blob->NtChallengeResponse.MaximumLength = -- cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ sec_blob->NtChallengeResponse.Length = -+ cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ sec_blob->NtChallengeResponse.MaximumLength = -+ cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); -+ } else { -+ /* -+ * don't send an NT Response for anonymous access -+ */ -+ sec_blob->NtChallengeResponse.Length = 0; -+ sec_blob->NtChallengeResponse.MaximumLength = 0; -+ } - - if (ses->domainName == NULL) { - sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 6f74b8919237..046e3e93783e 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -851,6 +851,29 @@ do { \ - #include "extents_status.h" - - /* -+ * Lock subclasses for i_data_sem in the ext4_inode_info structure. -+ * -+ * These are needed to avoid lockdep false positives when we need to -+ * allocate blocks to the quota inode during ext4_map_blocks(), while -+ * holding i_data_sem for a normal (non-quota) inode. Since we don't -+ * do quota tracking for the quota inode, this avoids deadlock (as -+ * well as infinite recursion, since it isn't turtles all the way -+ * down...) -+ * -+ * I_DATA_SEM_NORMAL - Used for most inodes -+ * I_DATA_SEM_OTHER - Used by move_inode.c for the second normal inode -+ * where the second inode has larger inode number -+ * than the first -+ * I_DATA_SEM_QUOTA - Used for quota inodes only -+ */ -+enum { -+ I_DATA_SEM_NORMAL = 0, -+ I_DATA_SEM_OTHER, -+ I_DATA_SEM_QUOTA, -+}; -+ -+ -+/* - * fourth extended file system inode data in memory - */ - struct ext4_inode_info { -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index 10b71e4029a0..fb7e576df25c 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -5063,6 +5063,8 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) - might_sleep(); - trace_ext4_mark_inode_dirty(inode, _RET_IP_); - err = ext4_reserve_inode_write(handle, inode, &iloc); -+ if (err) -+ return err; - if (ext4_handle_valid(handle) && - EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize && - !ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) { -@@ -5093,9 +5095,7 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) - } - } - } -- if (!err) -- err = ext4_mark_iloc_dirty(handle, inode, &iloc); -- return err; -+ return ext4_mark_iloc_dirty(handle, inode, &iloc); - } - - /* -diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c -index 3dcbf364022f..ad52ace2b79a 100644 ---- a/fs/ext4/move_extent.c -+++ b/fs/ext4/move_extent.c -@@ -154,10 +154,10 @@ ext4_double_down_write_data_sem(struct inode *first, struct inode *second) - { - if (first < second) { - down_write(&EXT4_I(first)->i_data_sem); -- down_write_nested(&EXT4_I(second)->i_data_sem, SINGLE_DEPTH_NESTING); -+ down_write_nested(&EXT4_I(second)->i_data_sem, I_DATA_SEM_OTHER); - } else { - down_write(&EXT4_I(second)->i_data_sem); -- down_write_nested(&EXT4_I(first)->i_data_sem, SINGLE_DEPTH_NESTING); -+ down_write_nested(&EXT4_I(first)->i_data_sem, I_DATA_SEM_OTHER); - - } - } -@@ -1117,6 +1117,13 @@ mext_check_arguments(struct inode *orig_inode, - return -EINVAL; - } - -+ if (IS_NOQUOTA(orig_inode) || IS_NOQUOTA(donor_inode)) { -+ ext4_debug("ext4 move extent: The argument files should " -+ "not be quota files [ino:orig %lu, donor %lu]\n", -+ orig_inode->i_ino, donor_inode->i_ino); -+ return -EBUSY; -+ } -+ - /* Ext4 move extent supports only extent based file */ - if (!(ext4_test_inode_flag(orig_inode, EXT4_INODE_EXTENTS))) { - ext4_debug("ext4 move extent: orig file is not extents " -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index a7e079749425..063eb5094a63 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -4984,6 +4984,20 @@ static int ext4_quota_on_mount(struct super_block *sb, int type) - EXT4_SB(sb)->s_jquota_fmt, type); - } - -+static void lockdep_set_quota_inode(struct inode *inode, int subclass) -+{ -+ struct ext4_inode_info *ei = EXT4_I(inode); -+ -+ /* The first argument of lockdep_set_subclass has to be -+ * *exactly* the same as the argument to init_rwsem() --- in -+ * this case, in init_once() --- or lockdep gets unhappy -+ * because the name of the lock is set using the -+ * stringification of the argument to init_rwsem(). -+ */ -+ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */ -+ lockdep_set_subclass(&ei->i_data_sem, subclass); -+} -+ - /* - * Standard function to be called on quota_on - */ -@@ -5023,8 +5037,12 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, - if (err) - return err; - } -- -- return dquot_quota_on(sb, type, format_id, path); -+ lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA); -+ err = dquot_quota_on(sb, type, format_id, path); -+ if (err) -+ lockdep_set_quota_inode(path->dentry->d_inode, -+ I_DATA_SEM_NORMAL); -+ return err; - } - - static int ext4_quota_enable(struct super_block *sb, int type, int format_id, -@@ -5050,8 +5068,11 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, - - /* Don't account quota for quota files to avoid recursion */ - qf_inode->i_flags |= S_NOQUOTA; -+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA); - err = dquot_enable(qf_inode, type, format_id, flags); - iput(qf_inode); -+ if (err) -+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL); - - return err; - } -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index 735d7522a3a9..204659a5f6db 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de, - int retnamlen = 0; - int truncate = 0; - int ret = 0; -+ char *p; -+ int len; - - if (!ISOFS_SB(inode->i_sb)->s_rock) - return 0; -@@ -267,12 +269,17 @@ repeat: - rr->u.NM.flags); - break; - } -- if ((strlen(retname) + rr->len - 5) >= 254) { -+ len = rr->len - 5; -+ if (retnamlen + len >= 254) { - truncate = 1; - break; - } -- strncat(retname, rr->u.NM.name, rr->len - 5); -- retnamlen += rr->len - 5; -+ p = memchr(rr->u.NM.name, '\0', len); -+ if (unlikely(p)) -+ len = p - rr->u.NM.name; -+ memcpy(retname + retnamlen, rr->u.NM.name, len); -+ retnamlen += len; -+ retname[retnamlen] = '\0'; - break; - case SIG('R', 'E'): - kfree(rs.buffer); -diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c -index 644f95e7208f..85733dd95e14 100644 ---- a/fs/jbd2/journal.c -+++ b/fs/jbd2/journal.c -@@ -1407,11 +1407,12 @@ out: - /** - * jbd2_mark_journal_empty() - Mark on disk journal as empty. - * @journal: The journal to update. -+ * @write_op: With which operation should we write the journal sb - * - * Update a journal's dynamic superblock fields to show that journal is empty. - * Write updated superblock to disk waiting for IO to complete. - */ --static void jbd2_mark_journal_empty(journal_t *journal) -+static void jbd2_mark_journal_empty(journal_t *journal, int write_op) - { - journal_superblock_t *sb = journal->j_superblock; - -@@ -1429,7 +1430,7 @@ static void jbd2_mark_journal_empty(journal_t *journal) - sb->s_start = cpu_to_be32(0); - read_unlock(&journal->j_state_lock); - -- jbd2_write_superblock(journal, WRITE_FUA); -+ jbd2_write_superblock(journal, write_op); - - /* Log is no longer empty */ - write_lock(&journal->j_state_lock); -@@ -1697,7 +1698,13 @@ int jbd2_journal_destroy(journal_t *journal) - if (journal->j_sb_buffer) { - if (!is_journal_aborted(journal)) { - mutex_lock(&journal->j_checkpoint_mutex); -- jbd2_mark_journal_empty(journal); -+ -+ write_lock(&journal->j_state_lock); -+ journal->j_tail_sequence = -+ ++journal->j_transaction_sequence; -+ write_unlock(&journal->j_state_lock); -+ -+ jbd2_mark_journal_empty(journal, WRITE_FLUSH_FUA); - mutex_unlock(&journal->j_checkpoint_mutex); - } else - err = -EIO; -@@ -1952,7 +1959,7 @@ int jbd2_journal_flush(journal_t *journal) - * the magic code for a fully-recovered superblock. Any future - * commits of data to the journal will restore the current - * s_start value. */ -- jbd2_mark_journal_empty(journal); -+ jbd2_mark_journal_empty(journal, WRITE_FUA); - mutex_unlock(&journal->j_checkpoint_mutex); - write_lock(&journal->j_state_lock); - J_ASSERT(!journal->j_running_transaction); -@@ -1998,7 +2005,7 @@ int jbd2_journal_wipe(journal_t *journal, int write) - if (write) { - /* Lock to make assertions happy... */ - mutex_lock(&journal->j_checkpoint_mutex); -- jbd2_mark_journal_empty(journal); -+ jbd2_mark_journal_empty(journal, WRITE_FUA); - mutex_unlock(&journal->j_checkpoint_mutex); - } - -diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c -index 29a886d1e82c..f65bdcf61526 100644 ---- a/fs/ocfs2/dlm/dlmconvert.c -+++ b/fs/ocfs2/dlm/dlmconvert.c -@@ -265,6 +265,7 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, - struct dlm_lock *lock, int flags, int type) - { - enum dlm_status status; -+ u8 old_owner = res->owner; - - mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type, - lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS); -@@ -290,6 +291,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, - status = DLM_DENIED; - goto bail; - } -+ -+ if (lock->ml.type == type && lock->ml.convert_type == LKM_IVMODE) { -+ mlog(0, "last convert request returned DLM_RECOVERING, but " -+ "owner has already queued and sent ast to me. res %.*s, " -+ "(cookie=%u:%llu, type=%d, conv=%d)\n", -+ res->lockname.len, res->lockname.name, -+ dlm_get_lock_cookie_node(be64_to_cpu(lock->ml.cookie)), -+ dlm_get_lock_cookie_seq(be64_to_cpu(lock->ml.cookie)), -+ lock->ml.type, lock->ml.convert_type); -+ status = DLM_NORMAL; -+ goto bail; -+ } -+ - res->state |= DLM_LOCK_RES_IN_PROGRESS; - /* move lock to local convert queue */ - /* do not alter lock refcount. switching lists. */ -@@ -319,11 +333,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, - spin_lock(&res->spinlock); - res->state &= ~DLM_LOCK_RES_IN_PROGRESS; - lock->convert_pending = 0; -- /* if it failed, move it back to granted queue */ -+ /* if it failed, move it back to granted queue. -+ * if master returns DLM_NORMAL and then down before sending ast, -+ * it may have already been moved to granted queue, reset to -+ * DLM_RECOVERING and retry convert */ - if (status != DLM_NORMAL) { - if (status != DLM_NOTQUEUED) - dlm_error(status); - dlm_revert_pending_convert(res, lock); -+ } else if ((res->state & DLM_LOCK_RES_RECOVERING) || -+ (old_owner != res->owner)) { -+ mlog(0, "res %.*s is in recovering or has been recovered.\n", -+ res->lockname.len, res->lockname.name); -+ status = DLM_RECOVERING; - } - bail: - spin_unlock(&res->spinlock); -diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c -index 01c69f24e416..33e9d705ee8f 100644 ---- a/fs/ocfs2/dlm/dlmrecovery.c -+++ b/fs/ocfs2/dlm/dlmrecovery.c -@@ -2034,7 +2034,6 @@ void dlm_move_lockres_to_recovery_list(struct dlm_ctxt *dlm, - dlm_lock_get(lock); - if (lock->convert_pending) { - /* move converting lock back to granted */ -- BUG_ON(i != DLM_CONVERTING_LIST); - mlog(0, "node died with convert pending " - "on %.*s. move back to granted list.\n", - res->lockname.len, res->lockname.name); -diff --git a/fs/pipe.c b/fs/pipe.c -index 3e7ab278bb0c..50267e6ba688 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - void *addr; - size_t chars = buf->len, remaining; - int error, atomic; -+ int offset; - - if (chars > total_len) - chars = total_len; -@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - - atomic = !iov_fault_in_pages_write(iov, chars); - remaining = chars; -+ offset = buf->offset; - redo: - addr = ops->map(pipe, buf, atomic); -- error = pipe_iov_copy_to_user(iov, addr, &buf->offset, -+ error = pipe_iov_copy_to_user(iov, addr, &offset, - &remaining, atomic); - ops->unmap(pipe, buf, addr); - if (unlikely(error)) { -@@ -432,6 +434,7 @@ redo: - break; - } - ret += chars; -+ buf->offset += chars; - buf->len -= chars; - - /* Was it a packet buffer? Clean up and exit */ -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 7b5d453ebf53..e5160b744d0b 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -844,7 +844,8 @@ static ssize_t environ_read(struct file *file, char __user *buf, - int ret = 0; - struct mm_struct *mm = file->private_data; - -- if (!mm) -+ /* Ensure the process spawned far enough to have an environment. */ -+ if (!mm || !mm->env_end) - return 0; - - page = (char *)__get_free_page(GFP_TEMPORARY); -diff --git a/fs/splice.c b/fs/splice.c -index 3b94a6bba29f..2ffa7b0c62fd 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -189,6 +189,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, - unsigned int spd_pages = spd->nr_pages; - int ret, do_wakeup, page_nr; - -+ if (!spd_pages) -+ return 0; -+ - ret = 0; - do_wakeup = 0; - page_nr = 0; -diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h -index 02ae99e8e6d3..953cd12175c4 100644 ---- a/include/linux/compiler-gcc.h -+++ b/include/linux/compiler-gcc.h -@@ -100,10 +100,116 @@ - #define __maybe_unused __attribute__((unused)) - #define __always_unused __attribute__((unused)) - --#define __gcc_header(x) #x --#define _gcc_header(x) __gcc_header(linux/compiler-gcc##x.h) --#define gcc_header(x) _gcc_header(x) --#include gcc_header(__GNUC__) -+/* gcc version specific checks */ -+ -+#if GCC_VERSION < 30200 -+# error Sorry, your compiler is too old - please upgrade it. -+#endif -+ -+#if GCC_VERSION < 30300 -+# define __used __attribute__((__unused__)) -+#else -+# define __used __attribute__((__used__)) -+#endif -+ -+#ifdef CONFIG_GCOV_KERNEL -+# if GCC_VERSION < 30400 -+# error "GCOV profiling support for gcc versions below 3.4 not included" -+# endif /* __GNUC_MINOR__ */ -+#endif /* CONFIG_GCOV_KERNEL */ -+ -+#if GCC_VERSION >= 30400 -+#define __must_check __attribute__((warn_unused_result)) -+#endif -+ -+#if GCC_VERSION >= 40000 -+ -+/* GCC 4.1.[01] miscompiles __weak */ -+#ifdef __KERNEL__ -+# if GCC_VERSION >= 40100 && GCC_VERSION <= 40101 -+# error Your version of gcc miscompiles the __weak directive -+# endif -+#endif -+ -+#define __used __attribute__((__used__)) -+#define __compiler_offsetof(a, b) \ -+ __builtin_offsetof(a, b) -+ -+#if GCC_VERSION >= 40100 && GCC_VERSION < 40600 -+# define __compiletime_object_size(obj) __builtin_object_size(obj, 0) -+#endif -+ -+#if GCC_VERSION >= 40300 -+/* Mark functions as cold. gcc will assume any path leading to a call -+ * to them will be unlikely. This means a lot of manual unlikely()s -+ * are unnecessary now for any paths leading to the usual suspects -+ * like BUG(), printk(), panic() etc. [but let's keep them for now for -+ * older compilers] -+ * -+ * Early snapshots of gcc 4.3 don't support this and we can't detect this -+ * in the preprocessor, but we can live with this because they're unreleased. -+ * Maketime probing would be overkill here. -+ * -+ * gcc also has a __attribute__((__hot__)) to move hot functions into -+ * a special section, but I don't see any sense in this right now in -+ * the kernel context -+ */ -+#define __cold __attribute__((__cold__)) -+ -+#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -+ -+#ifndef __CHECKER__ -+# define __compiletime_warning(message) __attribute__((warning(message))) -+# define __compiletime_error(message) __attribute__((error(message))) -+#endif /* __CHECKER__ */ -+#endif /* GCC_VERSION >= 40300 */ -+ -+#if GCC_VERSION >= 40500 -+/* -+ * Mark a position in code as unreachable. This can be used to -+ * suppress control flow warnings after asm blocks that transfer -+ * control elsewhere. -+ * -+ * Early snapshots of gcc 4.5 don't support this and we can't detect -+ * this in the preprocessor, but we can live with this because they're -+ * unreleased. Really, we need to have autoconf for the kernel. -+ */ -+#define unreachable() __builtin_unreachable() -+ -+/* Mark a function definition as prohibited from being cloned. */ -+#define __noclone __attribute__((__noclone__, __optimize__("no-tracer"))) -+ -+#endif /* GCC_VERSION >= 40500 */ -+ -+#if GCC_VERSION >= 40600 -+/* -+ * Tell the optimizer that something else uses this function or variable. -+ */ -+#define __visible __attribute__((externally_visible)) -+#endif -+ -+/* -+ * GCC 'asm goto' miscompiles certain code sequences: -+ * -+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -+ * -+ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -+ * -+ * (asm goto is automatically volatile - the naming reflects this.) -+ */ -+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -+ -+#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP -+#if GCC_VERSION >= 40400 -+#define __HAVE_BUILTIN_BSWAP32__ -+#define __HAVE_BUILTIN_BSWAP64__ -+#endif -+#if GCC_VERSION >= 40800 || (defined(__powerpc__) && GCC_VERSION >= 40600) -+#define __HAVE_BUILTIN_BSWAP16__ -+#endif -+#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -+ -+#endif /* gcc version >= 40000 specific checks */ - - #if !defined(__noclone) - #define __noclone /* not needed */ -diff --git a/include/linux/compiler-gcc3.h b/include/linux/compiler-gcc3.h -deleted file mode 100644 -index 7d89febe4d79..000000000000 ---- a/include/linux/compiler-gcc3.h -+++ /dev/null -@@ -1,23 +0,0 @@ --#ifndef __LINUX_COMPILER_H --#error "Please don't include directly, include instead." --#endif -- --#if GCC_VERSION < 30200 --# error Sorry, your compiler is too old - please upgrade it. --#endif -- --#if GCC_VERSION >= 30300 --# define __used __attribute__((__used__)) --#else --# define __used __attribute__((__unused__)) --#endif -- --#if GCC_VERSION >= 30400 --#define __must_check __attribute__((warn_unused_result)) --#endif -- --#ifdef CONFIG_GCOV_KERNEL --# if GCC_VERSION < 30400 --# error "GCOV profiling support for gcc versions below 3.4 not included" --# endif /* __GNUC_MINOR__ */ --#endif /* CONFIG_GCOV_KERNEL */ -diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h -deleted file mode 100644 -index 2507fd2a1eb4..000000000000 ---- a/include/linux/compiler-gcc4.h -+++ /dev/null -@@ -1,88 +0,0 @@ --#ifndef __LINUX_COMPILER_H --#error "Please don't include directly, include instead." --#endif -- --/* GCC 4.1.[01] miscompiles __weak */ --#ifdef __KERNEL__ --# if GCC_VERSION >= 40100 && GCC_VERSION <= 40101 --# error Your version of gcc miscompiles the __weak directive --# endif --#endif -- --#define __used __attribute__((__used__)) --#define __must_check __attribute__((warn_unused_result)) --#define __compiler_offsetof(a,b) __builtin_offsetof(a,b) -- --#if GCC_VERSION >= 40100 && GCC_VERSION < 40600 --# define __compiletime_object_size(obj) __builtin_object_size(obj, 0) --#endif -- --#if GCC_VERSION >= 40300 --/* Mark functions as cold. gcc will assume any path leading to a call -- to them will be unlikely. This means a lot of manual unlikely()s -- are unnecessary now for any paths leading to the usual suspects -- like BUG(), printk(), panic() etc. [but let's keep them for now for -- older compilers] -- -- Early snapshots of gcc 4.3 don't support this and we can't detect this -- in the preprocessor, but we can live with this because they're unreleased. -- Maketime probing would be overkill here. -- -- gcc also has a __attribute__((__hot__)) to move hot functions into -- a special section, but I don't see any sense in this right now in -- the kernel context */ --#define __cold __attribute__((__cold__)) -- --#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -- --#ifndef __CHECKER__ --# define __compiletime_warning(message) __attribute__((warning(message))) --# define __compiletime_error(message) __attribute__((error(message))) --#endif /* __CHECKER__ */ --#endif /* GCC_VERSION >= 40300 */ -- --#if GCC_VERSION >= 40500 --/* -- * Mark a position in code as unreachable. This can be used to -- * suppress control flow warnings after asm blocks that transfer -- * control elsewhere. -- * -- * Early snapshots of gcc 4.5 don't support this and we can't detect -- * this in the preprocessor, but we can live with this because they're -- * unreleased. Really, we need to have autoconf for the kernel. -- */ --#define unreachable() __builtin_unreachable() -- --/* Mark a function definition as prohibited from being cloned. */ --#define __noclone __attribute__((__noclone__)) -- --#endif /* GCC_VERSION >= 40500 */ -- --#if GCC_VERSION >= 40600 --/* -- * Tell the optimizer that something else uses this function or variable. -- */ --#define __visible __attribute__((externally_visible)) --#endif -- --/* -- * GCC 'asm goto' miscompiles certain code sequences: -- * -- * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -- * -- * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -- * Fixed in GCC 4.8.2 and later versions. -- * -- * (asm goto is automatically volatile - the naming reflects this.) -- */ --#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -- --#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP --#if GCC_VERSION >= 40400 --#define __HAVE_BUILTIN_BSWAP32__ --#define __HAVE_BUILTIN_BSWAP64__ --#endif --#if GCC_VERSION >= 40800 || (defined(__powerpc__) && GCC_VERSION >= 40600) --#define __HAVE_BUILTIN_BSWAP16__ --#endif --#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h -deleted file mode 100644 -index cdd1cc202d51..000000000000 ---- a/include/linux/compiler-gcc5.h -+++ /dev/null -@@ -1,66 +0,0 @@ --#ifndef __LINUX_COMPILER_H --#error "Please don't include directly, include instead." --#endif -- --#define __used __attribute__((__used__)) --#define __must_check __attribute__((warn_unused_result)) --#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) -- --/* Mark functions as cold. gcc will assume any path leading to a call -- to them will be unlikely. This means a lot of manual unlikely()s -- are unnecessary now for any paths leading to the usual suspects -- like BUG(), printk(), panic() etc. [but let's keep them for now for -- older compilers] -- -- Early snapshots of gcc 4.3 don't support this and we can't detect this -- in the preprocessor, but we can live with this because they're unreleased. -- Maketime probing would be overkill here. -- -- gcc also has a __attribute__((__hot__)) to move hot functions into -- a special section, but I don't see any sense in this right now in -- the kernel context */ --#define __cold __attribute__((__cold__)) -- --#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -- --#ifndef __CHECKER__ --# define __compiletime_warning(message) __attribute__((warning(message))) --# define __compiletime_error(message) __attribute__((error(message))) --#endif /* __CHECKER__ */ -- --/* -- * Mark a position in code as unreachable. This can be used to -- * suppress control flow warnings after asm blocks that transfer -- * control elsewhere. -- * -- * Early snapshots of gcc 4.5 don't support this and we can't detect -- * this in the preprocessor, but we can live with this because they're -- * unreleased. Really, we need to have autoconf for the kernel. -- */ --#define unreachable() __builtin_unreachable() -- --/* Mark a function definition as prohibited from being cloned. */ --#define __noclone __attribute__((__noclone__)) -- --/* -- * Tell the optimizer that something else uses this function or variable. -- */ --#define __visible __attribute__((externally_visible)) -- --/* -- * GCC 'asm goto' miscompiles certain code sequences: -- * -- * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -- * -- * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -- * Fixed in GCC 4.8.2 and later versions. -- * -- * (asm goto is automatically volatile - the naming reflects this.) -- */ --#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -- --#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP --#define __HAVE_BUILTIN_BSWAP32__ --#define __HAVE_BUILTIN_BSWAP64__ --#define __HAVE_BUILTIN_BSWAP16__ --#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 341551c7b4c8..5f4554b8348a 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -557,7 +557,7 @@ do { \ - - #define do_trace_printk(fmt, args...) \ - do { \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(fmt) ? fmt : NULL; \ - \ -@@ -604,7 +604,7 @@ extern int __trace_puts(unsigned long ip, const char *str, int size); - */ - - #define trace_puts(str) ({ \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(str) ? str : NULL; \ - \ -@@ -624,7 +624,7 @@ extern void trace_dump_stack(int skip); - #define ftrace_vprintk(fmt, vargs) \ - do { \ - if (__builtin_constant_p(fmt)) { \ -- static const char *trace_printk_fmt \ -+ static const char *trace_printk_fmt __used \ - __attribute__((section("__trace_printk_fmt"))) = \ - __builtin_constant_p(fmt) ? fmt : NULL; \ - \ -diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h -index b3bd7e737e8b..d31364857aa8 100644 ---- a/include/linux/mod_devicetable.h -+++ b/include/linux/mod_devicetable.h -@@ -397,6 +397,7 @@ struct virtio_device_id { - /* - * For Hyper-V devices we use the device guid as the id. - */ -+#define vmbus_device_id hv_vmbus_device_id - struct hv_vmbus_device_id { - __u8 guid[16]; - kernel_ulong_t driver_data; /* Data private to the driver */ -@@ -547,6 +548,11 @@ struct amba_id { - * See documentation of "x86_match_cpu" for details. - */ - -+/* -+ * MODULE_DEVICE_TABLE expects this struct to be called x86cpu_device_id. -+ * Although gcc seems to ignore this error, clang fails without this define. -+ */ -+#define x86cpu_device_id x86_cpu_id - struct x86_cpu_id { - __u16 vendor; - __u16 family; -@@ -574,6 +580,7 @@ struct ipack_device_id { - #define MEI_CL_MODULE_PREFIX "mei:" - #define MEI_CL_NAME_SIZE 32 - -+#define mei_device_id mei_cl_device_id - struct mei_cl_device_id { - char name[MEI_CL_NAME_SIZE]; - kernel_ulong_t driver_info; -diff --git a/include/linux/pci.h b/include/linux/pci.h -index 102136ab1a5f..655ef37fd139 100644 ---- a/include/linux/pci.h -+++ b/include/linux/pci.h -@@ -330,6 +330,7 @@ struct pci_dev { - unsigned int __aer_firmware_first:1; - unsigned int broken_intx_masking:1; - unsigned int io_window_1k:1; /* Intel P2P bridge 1K I/O windows */ -+ unsigned int non_compliant_bars:1; /* broken BARs; ignore them */ - pci_dev_flags_t dev_flags; - atomic_t enable_cnt; /* pci_enable_device has been called */ - -diff --git a/include/linux/poison.h b/include/linux/poison.h -index 2110a81c5e2a..253c9b4198ef 100644 ---- a/include/linux/poison.h -+++ b/include/linux/poison.h -@@ -19,8 +19,8 @@ - * under normal circumstances, used to verify that nobody uses - * non-initialized list entries. - */ --#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA) --#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA) -+#define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA) -+#define LIST_POISON2 ((void *) 0x200 + POISON_POINTER_DELTA) - - /********** include/linux/timer.h **********/ - /* -diff --git a/include/uapi/linux/const.h b/include/uapi/linux/const.h -index c22c707c455d..c872bfd25e13 100644 ---- a/include/uapi/linux/const.h -+++ b/include/uapi/linux/const.h -@@ -21,4 +21,7 @@ - #define _AT(T,X) ((T)(X)) - #endif - -+#define _BITUL(x) (_AC(1,UL) << (x)) -+#define _BITULL(x) (_AC(1,ULL) << (x)) -+ - #endif /* !(_LINUX_CONST_H) */ -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index f234c84d36c8..655d6110a6e1 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -5217,6 +5217,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu) - - case CPU_UP_PREPARE: - rq->calc_load_update = calc_load_update; -+ account_reset_rq(rq); - break; - - case CPU_ONLINE: -diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h -index dfa31d533e3f..e7f4d554fa5d 100644 ---- a/kernel/sched/sched.h -+++ b/kernel/sched/sched.h -@@ -1378,3 +1378,16 @@ static inline u64 irq_time_read(int cpu) - } - #endif /* CONFIG_64BIT */ - #endif /* CONFIG_IRQ_TIME_ACCOUNTING */ -+ -+static inline void account_reset_rq(struct rq *rq) -+{ -+#ifdef CONFIG_IRQ_TIME_ACCOUNTING -+ rq->prev_irq_time = 0; -+#endif -+#ifdef CONFIG_PARAVIRT -+ rq->prev_steal_time = 0; -+#endif -+#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING -+ rq->prev_steal_time_rq = 0; -+#endif -+} -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index cb73c4e0741e..c4ce3a951a1c 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -463,7 +463,7 @@ struct ring_buffer_per_cpu { - raw_spinlock_t reader_lock; /* serialize readers */ - arch_spinlock_t lock; - struct lock_class_key lock_key; -- unsigned int nr_pages; -+ unsigned long nr_pages; - struct list_head *pages; - struct buffer_page *head_page; /* read from head */ - struct buffer_page *tail_page; /* write to tail */ -@@ -483,7 +483,7 @@ struct ring_buffer_per_cpu { - u64 write_stamp; - u64 read_stamp; - /* ring buffer pages to update, > 0 to add, < 0 to remove */ -- int nr_pages_to_update; -+ long nr_pages_to_update; - struct list_head new_pages; /* new pages to add */ - struct work_struct update_pages_work; - struct completion update_done; -@@ -1120,10 +1120,10 @@ static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) - return 0; - } - --static int __rb_allocate_pages(int nr_pages, struct list_head *pages, int cpu) -+static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu) - { -- int i; - struct buffer_page *bpage, *tmp; -+ long i; - - for (i = 0; i < nr_pages; i++) { - struct page *page; -@@ -1160,7 +1160,7 @@ free_pages: - } - - static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, -- unsigned nr_pages) -+ unsigned long nr_pages) - { - LIST_HEAD(pages); - -@@ -1185,7 +1185,7 @@ static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, - } - - static struct ring_buffer_per_cpu * --rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu) -+rb_allocate_cpu_buffer(struct ring_buffer *buffer, long nr_pages, int cpu) - { - struct ring_buffer_per_cpu *cpu_buffer; - struct buffer_page *bpage; -@@ -1284,8 +1284,9 @@ struct ring_buffer *__ring_buffer_alloc(unsigned long size, unsigned flags, - struct lock_class_key *key) - { - struct ring_buffer *buffer; -+ long nr_pages; - int bsize; -- int cpu, nr_pages; -+ int cpu; - - /* keep it in its own cache line */ - buffer = kzalloc(ALIGN(sizeof(*buffer), cache_line_size()), -@@ -1408,12 +1409,12 @@ static inline unsigned long rb_page_write(struct buffer_page *bpage) - } - - static int --rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) -+rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) - { - struct list_head *tail_page, *to_remove, *next_page; - struct buffer_page *to_remove_page, *tmp_iter_page; - struct buffer_page *last_page, *first_page; -- unsigned int nr_removed; -+ unsigned long nr_removed; - unsigned long head_bit; - int page_entries; - -@@ -1629,7 +1630,7 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, - int cpu_id) - { - struct ring_buffer_per_cpu *cpu_buffer; -- unsigned nr_pages; -+ unsigned long nr_pages; - int cpu, err = 0; - - /* -@@ -1643,14 +1644,13 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, - !cpumask_test_cpu(cpu_id, buffer->cpumask)) - return size; - -- size = DIV_ROUND_UP(size, BUF_PAGE_SIZE); -- size *= BUF_PAGE_SIZE; -+ nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); - - /* we need a minimum of two pages */ -- if (size < BUF_PAGE_SIZE * 2) -- size = BUF_PAGE_SIZE * 2; -+ if (nr_pages < 2) -+ nr_pages = 2; - -- nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); -+ size = nr_pages * BUF_PAGE_SIZE; - - /* - * Don't succeed if resizing is disabled, as a reader might be -@@ -4607,8 +4607,9 @@ static int rb_cpu_notify(struct notifier_block *self, - struct ring_buffer *buffer = - container_of(self, struct ring_buffer, cpu_notify); - long cpu = (long)hcpu; -- int cpu_i, nr_pages_same; -- unsigned int nr_pages; -+ long nr_pages_same; -+ int cpu_i; -+ unsigned long nr_pages; - - switch (action) { - case CPU_UP_PREPARE: -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 640e4c44b170..eff26a976f02 100644 ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -4351,7 +4351,10 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, - - spd.nr_pages = i; - -- ret = splice_to_pipe(pipe, &spd); -+ if (i) -+ ret = splice_to_pipe(pipe, &spd); -+ else -+ ret = 0; - out: - splice_shrink_spd(&spd); - return ret; -diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c -index 2aefbee93a6d..56e083e26ca9 100644 ---- a/kernel/trace/trace_irqsoff.c -+++ b/kernel/trace/trace_irqsoff.c -@@ -118,8 +118,12 @@ static int func_prolog_dec(struct trace_array *tr, - return 0; - - local_save_flags(*flags); -- /* slight chance to get a false positive on tracing_cpu */ -- if (!irqs_disabled_flags(*flags)) -+ /* -+ * Slight chance to get a false positive on tracing_cpu, -+ * although I'm starting to think there isn't a chance. -+ * Leave this for now just to be paranoid. -+ */ -+ if (!irqs_disabled_flags(*flags) && !preempt_count()) - return 0; - - *data = per_cpu_ptr(tr->trace_buffer.data, cpu); -diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c -index a9077c1b4ad3..fdb23e84b011 100644 ---- a/kernel/trace/trace_printk.c -+++ b/kernel/trace/trace_printk.c -@@ -272,6 +272,9 @@ static int t_show(struct seq_file *m, void *v) - const char *str = *fmt; - int i; - -+ if (!*fmt) -+ return 0; -+ - seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); - - /* -diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index fe7c4b91d2e7..66972ac0c6c0 100644 ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -606,6 +606,35 @@ static void set_work_pool_and_clear_pending(struct work_struct *work, - */ - smp_wmb(); - set_work_data(work, (unsigned long)pool_id << WORK_OFFQ_POOL_SHIFT, 0); -+ /* -+ * The following mb guarantees that previous clear of a PENDING bit -+ * will not be reordered with any speculative LOADS or STORES from -+ * work->current_func, which is executed afterwards. This possible -+ * reordering can lead to a missed execution on attempt to qeueue -+ * the same @work. E.g. consider this case: -+ * -+ * CPU#0 CPU#1 -+ * ---------------------------- -------------------------------- -+ * -+ * 1 STORE event_indicated -+ * 2 queue_work_on() { -+ * 3 test_and_set_bit(PENDING) -+ * 4 } set_..._and_clear_pending() { -+ * 5 set_work_data() # clear bit -+ * 6 smp_mb() -+ * 7 work->current_func() { -+ * 8 LOAD event_indicated -+ * } -+ * -+ * Without an explicit full barrier speculative LOAD on line 8 can -+ * be executed before CPU#0 does STORE on line 1. If that happens, -+ * CPU#0 observes the PENDING bit is still set and new execution of -+ * a @work is not queued in a hope, that CPU#1 will eventually -+ * finish the queued @work. Meanwhile CPU#1 does not see -+ * event_indicated is set, because speculative LOAD was executed -+ * before actual STORE. -+ */ -+ smp_mb(); - } - - static void clear_work_data(struct work_struct *work) -diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c -index 263cfd1ccee7..cf5b76661252 100644 ---- a/net/batman-adv/send.c -+++ b/net/batman-adv/send.c -@@ -353,6 +353,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, - - if (pending) { - hlist_del(&forw_packet->list); -+ if (!forw_packet->own) -+ atomic_inc(&bat_priv->batman_queue_left); -+ - batadv_forw_packet_free(forw_packet); - } - } -@@ -379,6 +382,9 @@ batadv_purge_outstanding_packets(struct batadv_priv *bat_priv, - - if (pending) { - hlist_del(&forw_packet->list); -+ if (!forw_packet->own) -+ atomic_inc(&bat_priv->bcast_queue_left); -+ - batadv_forw_packet_free(forw_packet); - } - } -diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c -index b73eaba85667..a882db499d33 100644 ---- a/net/bridge/br_ioctl.c -+++ b/net/bridge/br_ioctl.c -@@ -21,18 +21,19 @@ - #include - #include "br_private.h" - --/* called with RTNL */ - static int get_bridge_ifindices(struct net *net, int *indices, int num) - { - struct net_device *dev; - int i = 0; - -- for_each_netdev(net, dev) { -+ rcu_read_lock(); -+ for_each_netdev_rcu(net, dev) { - if (i >= num) - break; - if (dev->priv_flags & IFF_EBRIDGE) - indices[i++] = dev->ifindex; - } -+ rcu_read_unlock(); - - return i; - } -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a67310e00b3f..602c6d0492e2 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -899,14 +899,16 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, - goto nla_put_failure; - - if (1) { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - goto nla_put_failure; - } -diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c -index fe32388ea24f..b9610051f3b2 100644 ---- a/net/decnet/dn_route.c -+++ b/net/decnet/dn_route.c -@@ -1030,10 +1030,13 @@ source_ok: - if (!fld.daddr) { - fld.daddr = fld.saddr; - -- err = -EADDRNOTAVAIL; - if (dev_out) - dev_put(dev_out); -+ err = -EINVAL; - dev_out = init_net.loopback_dev; -+ if (!dev_out->dn_ptr) -+ goto out; -+ err = -EADDRNOTAVAIL; - dev_hold(dev_out); - if (!fld.daddr) { - fld.daddr = -@@ -1106,6 +1109,8 @@ source_ok: - if (dev_out == NULL) - goto out; - dn_db = rcu_dereference_raw(dev_out->dn_ptr); -+ if (!dn_db) -+ goto e_inval; - /* Possible improvement - check all devices for local addr */ - if (dn_dev_islocal(dev_out, fld.daddr)) { - dev_put(dev_out); -@@ -1147,6 +1152,8 @@ select_source: - dev_put(dev_out); - dev_out = init_net.loopback_dev; - dev_hold(dev_out); -+ if (!dev_out->dn_ptr) -+ goto e_inval; - fld.flowidn_oif = dev_out->ifindex; - if (res.fi) - dn_fib_info_put(res.fi); -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 222e1b6141d3..624ca8ed350c 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -1876,6 +1876,18 @@ static struct rtable *__mkroute_output(const struct fib_result *res, - */ - if (fi && res->prefixlen < 4) - fi = NULL; -+ } else if ((type == RTN_LOCAL) && (orig_oif != 0) && -+ (orig_oif != dev_out->ifindex)) { -+ /* For local routes that require a particular output interface -+ * we do not want to cache the result. Caching the result -+ * causes incorrect behaviour when there are multiple source -+ * addresses on the interface, the end result being that if the -+ * intended recipient is waiting on that interface for the -+ * packet he won't receive it because it will be delivered on -+ * the loopback interface and the IP_PKTINFO ipi_ifindex will -+ * be set to the loopback interface as well. -+ */ -+ fi = NULL; - } - - fnhe = NULL; -diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c -index 51af9d0d019a..f66c1b629582 100644 ---- a/net/ipv6/exthdrs_core.c -+++ b/net/ipv6/exthdrs_core.c -@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, - *fragoff = _frag_off; - return hp->nexthdr; - } -- return -ENOENT; -+ if (!found) -+ return -ENOENT; -+ if (fragoff) -+ *fragoff = _frag_off; -+ break; - } - hdrlen = 8; - } else if (nexthdr == NEXTHDR_AUTH) { -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index 14f46af17704..31bab1ab007c 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -266,12 +266,12 @@ static int ip6_tnl_create2(struct net_device *dev) - - t = netdev_priv(dev); - -+ dev->rtnl_link_ops = &ip6_link_ops; - err = register_netdevice(dev); - if (err < 0) - goto out; - - strcpy(t->parms.name, dev->name); -- dev->rtnl_link_ops = &ip6_link_ops; - - dev_hold(dev); - ip6_tnl_link(ip6n, t); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 7e3901893413..3046d0244393 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -839,11 +839,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, - int ret = udpv6_queue_rcv_skb(sk, skb); - sock_put(sk); - -- /* a return value > 0 means to resubmit the input, but -- * it wants the return to be -protocol, or 0 -- */ -+ /* a return value > 0 means to resubmit the input */ - if (ret > 0) -- return -ret; -+ return ret; - - return 0; - } -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index da1a1cee1a08..07f8b97f9ae9 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *skb) - struct l2tp_tunnel *tunnel = NULL; - int length; - -- /* Point to L2TP header */ -- optr = ptr = skb->data; -- - if (!pskb_may_pull(skb, 4)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; - session_id = ntohl(*((__be32 *) ptr)); - ptr += 4; - -@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *skb) - if (!pskb_may_pull(skb, length)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; -+ ptr += 4; - pr_debug("%s: ip recv\n", tunnel->name); - print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); - } -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index e6e8408c9e36..db96af978da5 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff *skb) - struct l2tp_tunnel *tunnel = NULL; - int length; - -- /* Point to L2TP header */ -- optr = ptr = skb->data; -- - if (!pskb_may_pull(skb, 4)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; - session_id = ntohl(*((__be32 *) ptr)); - ptr += 4; - -@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff *skb) - if (!pskb_may_pull(skb, length)) - goto discard; - -+ /* Point to L2TP header */ -+ optr = ptr = skb->data; -+ ptr += 4; - pr_debug("%s: ip recv\n", tunnel->name); - print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length); - } -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index c3ee80547066..9d140594082c 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); -diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c -index bed5f7042529..bb318e4623a3 100644 ---- a/net/netfilter/ipvs/ip_vs_pe_sip.c -+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c -@@ -88,7 +88,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) - dptr = skb->data + dataoff; - datalen = skb->len - dataoff; - -- if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen)) -+ if (get_callid(dptr, 0, datalen, &matchoff, &matchlen)) - return -EINVAL; - - /* N.B: pe_data is only set on success, -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 39fa33969b09..2d454a235e84 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -2997,6 +2997,7 @@ static int packet_mc_add(struct sock *sk, struct packet_mreq_max *mreq) - i->ifindex = mreq->mr_ifindex; - i->alen = mreq->mr_alen; - memcpy(i->addr, mreq->mr_address, i->alen); -+ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen); - i->count = 1; - i->next = po->mclist; - po->mclist = i; -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index bee032a7003f..10d3e2874dd1 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -520,6 +520,8 @@ static int sctp_v6_cmp_addr(const union sctp_addr *addr1, - } - return 0; - } -+ if (addr1->v6.sin6_port != addr2->v6.sin6_port) -+ return 0; - if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) - return 0; - /* If this is a linklocal address, compare the scope_id. */ -diff --git a/net/socket.c b/net/socket.c -index 53b6e411f7a4..e91e8ed1b8df 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -2381,31 +2381,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - break; - } - --out_put: -- fput_light(sock->file, fput_needed); -- - if (err == 0) -- return datagrams; -+ goto out_put; - -- if (datagrams != 0) { -+ if (datagrams == 0) { -+ datagrams = err; -+ goto out_put; -+ } -+ -+ /* -+ * We may return less entries than requested (vlen) if the -+ * sock is non block and there aren't enough datagrams... -+ */ -+ if (err != -EAGAIN) { - /* -- * We may return less entries than requested (vlen) if the -- * sock is non block and there aren't enough datagrams... -+ * ... or if recvmsg returns an error after we -+ * received some datagrams, where we record the -+ * error to return on the next call or if the -+ * app asks about it using getsockopt(SO_ERROR). - */ -- if (err != -EAGAIN) { -- /* -- * ... or if recvmsg returns an error after we -- * received some datagrams, where we record the -- * error to return on the next call or if the -- * app asks about it using getsockopt(SO_ERROR). -- */ -- sock->sk->sk_err = -err; -- } -- -- return datagrams; -+ sock->sk->sk_err = -err; - } -+out_put: -+ fput_light(sock->file, fput_needed); - -- return err; -+ return datagrams; - } - - SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 9b88693bcc99..66a9bf52fac6 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -1804,27 +1804,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb, - else if (sk->sk_shutdown & RCV_SHUTDOWN) - err = 0; - -- if (copied > 0) { -- /* We only do these additional bookkeeping/notification steps -- * if we actually copied something out of the queue pair -- * instead of just peeking ahead. -- */ -- -- if (!(flags & MSG_PEEK)) { -- /* If the other side has shutdown for sending and there -- * is nothing more to read, then modify the socket -- * state. -- */ -- if (vsk->peer_shutdown & SEND_SHUTDOWN) { -- if (vsock_stream_has_data(vsk) <= 0) { -- sk->sk_state = SS_UNCONNECTED; -- sock_set_flag(sk, SOCK_DONE); -- sk->sk_state_change(sk); -- } -- } -- } -+ if (copied > 0) - err = copied; -- } - - out_wait: - finish_wait(sk_sleep(sk), &wait); -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 90a0e552cb32..dd3dbed89c8f 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -10685,7 +10685,7 @@ static int nl80211_netlink_notify(struct notifier_block * nb, - struct wireless_dev *wdev; - struct cfg80211_beacon_registration *reg, *tmp; - -- if (state != NETLINK_URELEASE) -+ if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC) - return NOTIFY_DONE; - - rcu_read_lock(); -diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c -index 66c638730c7a..de7552d8ee20 100644 ---- a/net/x25/x25_facilities.c -+++ b/net/x25/x25_facilities.c -@@ -271,6 +271,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, - - memset(&theirs, 0, sizeof(theirs)); - memcpy(new, ours, sizeof(*new)); -+ memset(dte, 0, sizeof(*dte)); - - len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); - if (len < 0) -diff --git a/scripts/coccinelle/iterators/use_after_iter.cocci b/scripts/coccinelle/iterators/use_after_iter.cocci -index 06284c57a951..93e37ff8b0f6 100644 ---- a/scripts/coccinelle/iterators/use_after_iter.cocci -+++ b/scripts/coccinelle/iterators/use_after_iter.cocci -@@ -123,7 +123,7 @@ list_remove_head(x,c,...) - | - sizeof(<+...c...+>) - | --&c->member -+ &c->member - | - c = E - | -diff --git a/sound/core/timer.c b/sound/core/timer.c -index d90d8f4b85fe..38742e826900 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1012,8 +1012,8 @@ static int snd_timer_s_start(struct snd_timer * timer) - njiff += timer->sticks - priv->correction; - priv->correction = 0; - } -- priv->last_expires = priv->tlist.expires = njiff; -- add_timer(&priv->tlist); -+ priv->last_expires = njiff; -+ mod_timer(&priv->tlist, njiff); - return 0; - } - -diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c -index b8fe40531b9c..7022450fb6dd 100644 ---- a/sound/pci/intel8x0.c -+++ b/sound/pci/intel8x0.c -@@ -2885,6 +2885,7 @@ static void intel8x0_measure_ac97_clock(struct intel8x0 *chip) - - static struct snd_pci_quirk intel8x0_clock_list[] = { - SND_PCI_QUIRK(0x0e11, 0x008a, "AD1885", 41000), -+ SND_PCI_QUIRK(0x1014, 0x0581, "AD1981B", 48000), - SND_PCI_QUIRK(0x1028, 0x00be, "AD1885", 44100), - SND_PCI_QUIRK(0x1028, 0x0177, "AD1980", 48000), - SND_PCI_QUIRK(0x1028, 0x01ad, "AD1981B", 48000), -diff --git a/sound/soc/samsung/s3c-i2s-v2.c b/sound/soc/samsung/s3c-i2s-v2.c -index 20e98d1dded2..38c36cdd8c77 100644 ---- a/sound/soc/samsung/s3c-i2s-v2.c -+++ b/sound/soc/samsung/s3c-i2s-v2.c -@@ -732,7 +732,7 @@ static int s3c2412_i2s_resume(struct snd_soc_dai *dai) - #endif - - int s3c_i2sv2_register_component(struct device *dev, int id, -- struct snd_soc_component_driver *cmp_drv, -+ const struct snd_soc_component_driver *cmp_drv, - struct snd_soc_dai_driver *dai_drv) - { - struct snd_soc_dai_ops *ops = drv->ops; -diff --git a/sound/soc/samsung/s3c-i2s-v2.h b/sound/soc/samsung/s3c-i2s-v2.h -index 90abab364b49..d0684145ed1f 100644 ---- a/sound/soc/samsung/s3c-i2s-v2.h -+++ b/sound/soc/samsung/s3c-i2s-v2.h -@@ -101,7 +101,7 @@ extern int s3c_i2sv2_probe(struct snd_soc_dai *dai, - * soc core. - */ - extern int s3c_i2sv2_register_component(struct device *dev, int id, -- struct snd_soc_component_driver *cmp_drv, -+ const struct snd_soc_component_driver *cmp_drv, - struct snd_soc_dai_driver *dai_drv); - - #endif /* __SND_SOC_S3C24XX_S3C_I2SV2_I2S_H */ -diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt -index 2fe87fb558f0..8c9604797e87 100644 ---- a/tools/perf/Documentation/perf-stat.txt -+++ b/tools/perf/Documentation/perf-stat.txt -@@ -50,6 +50,14 @@ OPTIONS - --scale:: - scale/normalize counter values - -+-d:: -+--detailed:: -+ print more detailed statistics, can be specified up to 3 times -+ -+ -d: detailed events, L1 and LLC data cache -+ -d -d: more detailed events, dTLB and iTLB events -+ -d -d -d: very detailed events, adding prefetch events -+ - -r:: - --repeat=:: - repeat command and print average + stddev (max: 100). 0 means forever. -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 1d4b8bed4e48..4f865e122c21 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -468,6 +468,16 @@ static struct kvm *kvm_create_vm(unsigned long type) - if (!kvm) - return ERR_PTR(-ENOMEM); - -+ spin_lock_init(&kvm->mmu_lock); -+ atomic_inc(¤t->mm->mm_count); -+ kvm->mm = current->mm; -+ kvm_eventfd_init(kvm); -+ mutex_init(&kvm->lock); -+ mutex_init(&kvm->irq_lock); -+ mutex_init(&kvm->slots_lock); -+ atomic_set(&kvm->users_count, 1); -+ INIT_LIST_HEAD(&kvm->devices); -+ - r = kvm_arch_init_vm(kvm, type); - if (r) - goto out_err_nodisable; -@@ -497,16 +507,6 @@ static struct kvm *kvm_create_vm(unsigned long type) - goto out_err; - } - -- spin_lock_init(&kvm->mmu_lock); -- kvm->mm = current->mm; -- atomic_inc(&kvm->mm->mm_count); -- kvm_eventfd_init(kvm); -- mutex_init(&kvm->lock); -- mutex_init(&kvm->irq_lock); -- mutex_init(&kvm->slots_lock); -- atomic_set(&kvm->users_count, 1); -- INIT_LIST_HEAD(&kvm->devices); -- - r = kvm_init_mmu_notifier(kvm); - if (r) - goto out_err; -@@ -526,6 +526,7 @@ out_err_nodisable: - kfree(kvm->buses[i]); - kfree(kvm->memslots); - kvm_arch_free_vm(kvm); -+ mmdrop(current->mm); - return ERR_PTR(r); - } -