diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2015-03-21 11:56:03 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2015-03-21 11:56:03 -0400 |
| commit | 11eefb7b86f45b78b1b60c22fcafb340ced8550f (patch) | |
| tree | ea09e6dd8803fd8d447babbd6154ecf9c94e391a | |
| parent | Grsec/PaX: 3.1-{3.2.68,3.14.35,3.19.1}-201503122205 (diff) | |
| download | hardened-patchset-11eefb7b86f45b78b1b60c22fcafb340ced8550f.tar.gz hardened-patchset-11eefb7b86f45b78b1b60c22fcafb340ced8550f.tar.bz2 hardened-patchset-11eefb7b86f45b78b1b60c22fcafb340ced8550f.zip | |
Grsec/PaX: 3.1-{3.2.68,3.14.36,3.19.2}-20150320190320150320
| -rw-r--r-- | 3.14.35/1034_linux-3.14.35.patch | 2036 | ||||
| -rw-r--r-- | 3.14.36/0000_README (renamed from 3.14.35/0000_README) | 6 | ||||
| -rw-r--r-- | 3.14.36/4420_grsecurity-3.1-3.14.36-201503182218.patch (renamed from 3.14.35/4420_grsecurity-3.1-3.14.35-201503092203.patch) | 949 | ||||
| -rw-r--r-- | 3.14.36/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.35/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.35/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.35/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4435_grsec-mute-warnings.patch (renamed from 3.14.35/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4440_grsec-remove-protected-paths.patch (renamed from 3.14.35/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.35/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.35/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4470_disable-compat_vdso.patch (renamed from 3.14.35/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.14.36/4475_emutramp_default_on.patch (renamed from 3.14.35/4475_emutramp_default_on.patch) | 0 | ||||
| -rw-r--r-- | 3.19.1/1000_linux-3.19.1.patch | 7185 | ||||
| -rw-r--r-- | 3.19.2/0000_README (renamed from 3.19.1/0000_README) | 6 | ||||
| -rw-r--r-- | 3.19.2/4420_grsecurity-3.1-3.19.2-201503201903.patch (renamed from 3.19.1/4420_grsecurity-3.1-3.19.1-201503122205.patch) | 1049 | ||||
| -rw-r--r-- | 3.19.2/4425_grsec_remove_EI_PAX.patch (renamed from 3.19.1/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.19.1/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4430_grsec-remove-localversion-grsec.patch (renamed from 3.19.1/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4435_grsec-mute-warnings.patch (renamed from 3.19.1/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4440_grsec-remove-protected-paths.patch (renamed from 3.19.1/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4450_grsec-kconfig-default-gids.patch (renamed from 3.19.1/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.19.1/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4470_disable-compat_vdso.patch (renamed from 3.19.1/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.19.2/4475_emutramp_default_on.patch (renamed from 3.19.1/4475_emutramp_default_on.patch) | 0 | ||||
| -rw-r--r-- | 3.2.68/0000_README | 2 | ||||
| -rw-r--r-- | 3.2.68/4420_grsecurity-3.1-3.2.68-201503182213.patch (renamed from 3.2.68/4420_grsecurity-3.1-3.2.68-201503092202.patch) | 364 |
26 files changed, 1368 insertions, 10229 deletions
diff --git a/3.14.35/1034_linux-3.14.35.patch b/3.14.35/1034_linux-3.14.35.patch deleted file mode 100644 index 668231d..0000000 --- a/3.14.35/1034_linux-3.14.35.patch +++ /dev/null @@ -1,2036 +0,0 @@ -diff --git a/Makefile b/Makefile -index 5443481..9720e86 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 14 --SUBLEVEL = 34 -+SUBLEVEL = 35 - EXTRAVERSION = - NAME = Remembering Coco - -diff --git a/arch/arc/include/asm/pgtable.h b/arch/arc/include/asm/pgtable.h -index 6b0b7f7e..7670f33 100644 ---- a/arch/arc/include/asm/pgtable.h -+++ b/arch/arc/include/asm/pgtable.h -@@ -259,7 +259,8 @@ static inline void pmd_set(pmd_t *pmdp, pte_t *ptep) - #define pmd_clear(xp) do { pmd_val(*(xp)) = 0; } while (0) - - #define pte_page(x) (mem_map + \ -- (unsigned long)(((pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT))) -+ (unsigned long)(((pte_val(x) - CONFIG_LINUX_LINK_BASE) >> \ -+ PAGE_SHIFT))) - - #define mk_pte(page, pgprot) \ - ({ \ -diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi -index 2e7d932..b3eff40 100644 ---- a/arch/arm/boot/dts/am335x-bone-common.dtsi -+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi -@@ -197,6 +197,7 @@ - - usb@47401000 { - status = "okay"; -+ dr_mode = "peripheral"; - }; - - usb@47401800 { -diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi -index 48d2a7f..ce978bc 100644 ---- a/arch/arm/boot/dts/tegra20.dtsi -+++ b/arch/arm/boot/dts/tegra20.dtsi -@@ -76,9 +76,9 @@ - reset-names = "2d"; - }; - -- gr3d@54140000 { -+ gr3d@54180000 { - compatible = "nvidia,tegra20-gr3d"; -- reg = <0x54140000 0x00040000>; -+ reg = <0x54180000 0x00040000>; - clocks = <&tegra_car TEGRA20_CLK_GR3D>; - resets = <&tegra_car 24>; - reset-names = "3d"; -@@ -138,9 +138,9 @@ - status = "disabled"; - }; - -- dsi@542c0000 { -+ dsi@54300000 { - compatible = "nvidia,tegra20-dsi"; -- reg = <0x542c0000 0x00040000>; -+ reg = <0x54300000 0x00040000>; - clocks = <&tegra_car TEGRA20_CLK_DSI>; - resets = <&tegra_car 48>; - reset-names = "dsi"; -diff --git a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c -index 2e35ff9..d3ac4c6 100644 ---- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c -+++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c -@@ -1669,7 +1669,7 @@ static struct omap_hwmod dra7xx_uart3_hwmod = { - .class = &dra7xx_uart_hwmod_class, - .clkdm_name = "l4per_clkdm", - .main_clk = "uart3_gfclk_mux", -- .flags = HWMOD_SWSUP_SIDLE_ACT, -+ .flags = HWMOD_SWSUP_SIDLE_ACT | DEBUG_OMAP4UART3_FLAGS, - .prcm = { - .omap4 = { - .clkctrl_offs = DRA7XX_CM_L4PER_UART3_CLKCTRL_OFFSET, -diff --git a/arch/arm/mach-pxa/corgi.c b/arch/arm/mach-pxa/corgi.c -index f162f1b..82fd9dd 100644 ---- a/arch/arm/mach-pxa/corgi.c -+++ b/arch/arm/mach-pxa/corgi.c -@@ -26,6 +26,7 @@ - #include <linux/i2c.h> - #include <linux/i2c/pxa-i2c.h> - #include <linux/io.h> -+#include <linux/regulator/machine.h> - #include <linux/spi/spi.h> - #include <linux/spi/ads7846.h> - #include <linux/spi/corgi_lcd.h> -@@ -711,6 +712,8 @@ static void __init corgi_init(void) - sharpsl_nand_partitions[1].size = 53 * 1024 * 1024; - - platform_add_devices(devices, ARRAY_SIZE(devices)); -+ -+ regulator_has_full_constraints(); - } - - static void __init fixup_corgi(struct tag *tags, char **cmdline, -diff --git a/arch/arm/mach-pxa/hx4700.c b/arch/arm/mach-pxa/hx4700.c -index a7c30eb..007fd8a 100644 ---- a/arch/arm/mach-pxa/hx4700.c -+++ b/arch/arm/mach-pxa/hx4700.c -@@ -892,6 +892,8 @@ static void __init hx4700_init(void) - mdelay(10); - gpio_set_value(GPIO71_HX4700_ASIC3_nRESET, 1); - mdelay(10); -+ -+ regulator_has_full_constraints(); - } - - MACHINE_START(H4700, "HP iPAQ HX4700") -diff --git a/arch/arm/mach-pxa/poodle.c b/arch/arm/mach-pxa/poodle.c -index aedf053..b4fff29 100644 ---- a/arch/arm/mach-pxa/poodle.c -+++ b/arch/arm/mach-pxa/poodle.c -@@ -25,6 +25,7 @@ - #include <linux/gpio.h> - #include <linux/i2c.h> - #include <linux/i2c/pxa-i2c.h> -+#include <linux/regulator/machine.h> - #include <linux/spi/spi.h> - #include <linux/spi/ads7846.h> - #include <linux/spi/pxa2xx_spi.h> -@@ -454,6 +455,7 @@ static void __init poodle_init(void) - pxa_set_i2c_info(NULL); - i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices)); - poodle_init_spi(); -+ regulator_has_full_constraints(); - } - - static void __init fixup_poodle(struct tag *tags, char **cmdline, -diff --git a/arch/arm/mach-sa1100/pm.c b/arch/arm/mach-sa1100/pm.c -index 6645d1e..34853d5 100644 ---- a/arch/arm/mach-sa1100/pm.c -+++ b/arch/arm/mach-sa1100/pm.c -@@ -81,6 +81,7 @@ static int sa11x0_pm_enter(suspend_state_t state) - /* - * Ensure not to come back here if it wasn't intended - */ -+ RCSR = RCSR_SMR; - PSPR = 0; - - /* -diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c -index b3fc9f5..7ed72dc 100644 ---- a/arch/arm64/kernel/signal32.c -+++ b/arch/arm64/kernel/signal32.c -@@ -151,8 +151,7 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) - case __SI_TIMER: - err |= __put_user(from->si_tid, &to->si_tid); - err |= __put_user(from->si_overrun, &to->si_overrun); -- err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr, -- &to->si_ptr); -+ err |= __put_user(from->si_int, &to->si_int); - break; - case __SI_POLL: - err |= __put_user(from->si_band, &to->si_band); -@@ -181,7 +180,7 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) - case __SI_MESGQ: /* But this is */ - err |= __put_user(from->si_pid, &to->si_pid); - err |= __put_user(from->si_uid, &to->si_uid); -- err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr, &to->si_ptr); -+ err |= __put_user(from->si_int, &to->si_int); - break; - default: /* this is just in case for now ... */ - err |= __put_user(from->si_pid, &to->si_pid); -diff --git a/arch/metag/include/asm/processor.h b/arch/metag/include/asm/processor.h -index a8a3747..eb2005b 100644 ---- a/arch/metag/include/asm/processor.h -+++ b/arch/metag/include/asm/processor.h -@@ -149,8 +149,8 @@ extern void exit_thread(void); - - unsigned long get_wchan(struct task_struct *p); - --#define KSTK_EIP(tsk) ((tsk)->thread.kernel_context->CurrPC) --#define KSTK_ESP(tsk) ((tsk)->thread.kernel_context->AX[0].U0) -+#define KSTK_EIP(tsk) (task_pt_regs(tsk)->ctx.CurrPC) -+#define KSTK_ESP(tsk) (task_pt_regs(tsk)->ctx.AX[0].U0) - - #define user_stack_pointer(regs) ((regs)->ctx.AX[0].U0) - -diff --git a/arch/mips/kernel/mips_ksyms.c b/arch/mips/kernel/mips_ksyms.c -index 6e58e97..cedeb56 100644 ---- a/arch/mips/kernel/mips_ksyms.c -+++ b/arch/mips/kernel/mips_ksyms.c -@@ -14,6 +14,7 @@ - #include <linux/mm.h> - #include <asm/uaccess.h> - #include <asm/ftrace.h> -+#include <asm/fpu.h> - - extern void *__bzero(void *__s, size_t __count); - extern long __strncpy_from_user_nocheck_asm(char *__to, -@@ -26,6 +27,13 @@ extern long __strnlen_user_nocheck_asm(const char *s); - extern long __strnlen_user_asm(const char *s); - - /* -+ * Core architecture code -+ */ -+#ifdef CONFIG_CPU_R4K_FPU -+EXPORT_SYMBOL_GPL(_save_fp); -+#endif -+ -+/* - * String functions - */ - EXPORT_SYMBOL(memset); -diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S -index bbace09..03a2db5 100644 ---- a/arch/mips/kvm/kvm_locore.S -+++ b/arch/mips/kvm/kvm_locore.S -@@ -428,7 +428,7 @@ __kvm_mips_return_to_guest: - /* Setup status register for running guest in UM */ - .set at - or v1, v1, (ST0_EXL | KSU_USER | ST0_IE) -- and v1, v1, ~ST0_CU0 -+ and v1, v1, ~(ST0_CU0 | ST0_MX) - .set noat - mtc0 v1, CP0_STATUS - ehb -diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c -index 3e0ff8d..897c605 100644 ---- a/arch/mips/kvm/kvm_mips.c -+++ b/arch/mips/kvm/kvm_mips.c -@@ -15,6 +15,7 @@ - #include <linux/vmalloc.h> - #include <linux/fs.h> - #include <linux/bootmem.h> -+#include <asm/fpu.h> - #include <asm/page.h> - #include <asm/cacheflush.h> - #include <asm/mmu_context.h> -@@ -418,11 +419,13 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run) - vcpu->mmio_needed = 0; - } - -+ lose_fpu(1); -+ -+ local_irq_disable(); - /* Check if we have any exceptions/interrupts pending */ - kvm_mips_deliver_interrupts(vcpu, - kvm_read_c0_guest_cause(vcpu->arch.cop0)); - -- local_irq_disable(); - kvm_guest_enter(); - - r = __kvm_mips_vcpu_run(run, vcpu); -@@ -1021,9 +1024,6 @@ void kvm_mips_set_c0_status(void) - { - uint32_t status = read_c0_status(); - -- if (cpu_has_fpu) -- status |= (ST0_CU1); -- - if (cpu_has_dsp) - status |= (ST0_MX); - -diff --git a/arch/powerpc/sysdev/axonram.c b/arch/powerpc/sysdev/axonram.c -index 47b6b9f..830edc8 100644 ---- a/arch/powerpc/sysdev/axonram.c -+++ b/arch/powerpc/sysdev/axonram.c -@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_device *device, sector_t sector, - } - - *kaddr = (void *)(bank->ph_addr + offset); -- *pfn = virt_to_phys(kaddr) >> PAGE_SHIFT; -+ *pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT; - - return 0; - } -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index fab97ad..1777f89 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1207,21 +1207,22 @@ void kvm_track_tsc_matching(struct kvm_vcpu *vcpu) - { - #ifdef CONFIG_X86_64 - bool vcpus_matched; -- bool do_request = false; - struct kvm_arch *ka = &vcpu->kvm->arch; - struct pvclock_gtod_data *gtod = &pvclock_gtod_data; - - vcpus_matched = (ka->nr_vcpus_matched_tsc + 1 == - atomic_read(&vcpu->kvm->online_vcpus)); - -- if (vcpus_matched && gtod->clock.vclock_mode == VCLOCK_TSC) -- if (!ka->use_master_clock) -- do_request = 1; -- -- if (!vcpus_matched && ka->use_master_clock) -- do_request = 1; -- -- if (do_request) -+ /* -+ * Once the masterclock is enabled, always perform request in -+ * order to update it. -+ * -+ * In order to enable masterclock, the host clocksource must be TSC -+ * and the vcpus need to have matched TSCs. When that happens, -+ * perform request to enable masterclock. -+ */ -+ if (ka->use_master_clock || -+ (gtod->clock.vclock_mode == VCLOCK_TSC && vcpus_matched)) - kvm_make_request(KVM_REQ_MASTERCLOCK_UPDATE, vcpu); - - trace_kvm_track_tsc(vcpu->vcpu_id, ka->nr_vcpus_matched_tsc, -diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c -index 207d9aef..448ee89 100644 ---- a/arch/x86/mm/gup.c -+++ b/arch/x86/mm/gup.c -@@ -172,7 +172,7 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, - */ - if (pmd_none(pmd) || pmd_trans_splitting(pmd)) - return 0; -- if (unlikely(pmd_large(pmd))) { -+ if (unlikely(pmd_large(pmd) || !pmd_present(pmd))) { - /* - * NUMA hinting faults need to be handled in the GUP - * slowpath for accounting purposes and so that they -diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 8b977eb..006cc91 100644 ---- a/arch/x86/mm/hugetlbpage.c -+++ b/arch/x86/mm/hugetlbpage.c -@@ -66,9 +66,15 @@ follow_huge_addr(struct mm_struct *mm, unsigned long address, int write) - return ERR_PTR(-EINVAL); - } - -+/* -+ * pmd_huge() returns 1 if @pmd is hugetlb related entry, that is normal -+ * hugetlb entry or non-present (migration or hwpoisoned) hugetlb entry. -+ * Otherwise, returns 0. -+ */ - int pmd_huge(pmd_t pmd) - { -- return !!(pmd_val(pmd) & _PAGE_PSE); -+ return !pmd_none(pmd) && -+ (pmd_val(pmd) & (_PAGE_PRESENT|_PAGE_PSE)) != _PAGE_PRESENT; - } - - int pud_huge(pud_t pud) -diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 25e7e13..3601ff2 100644 ---- a/arch/x86/mm/mmap.c -+++ b/arch/x86/mm/mmap.c -@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_align = { - .flags = -1, - }; - --static unsigned int stack_maxrandom_size(void) -+static unsigned long stack_maxrandom_size(void) - { -- unsigned int max = 0; -+ unsigned long max = 0; - if ((current->flags & PF_RANDOMIZE) && - !(current->personality & ADDR_NO_RANDOMIZE)) { -- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; -+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT; - } - - return max; -diff --git a/block/blk-throttle.c b/block/blk-throttle.c -index 1474c3a..1599878 100644 ---- a/block/blk-throttle.c -+++ b/block/blk-throttle.c -@@ -1292,6 +1292,9 @@ static u64 tg_prfill_cpu_rwstat(struct seq_file *sf, - struct blkg_rwstat rwstat = { }, tmp; - int i, cpu; - -+ if (tg->stats_cpu == NULL) -+ return 0; -+ - for_each_possible_cpu(cpu) { - struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu); - -diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c -index 91c25f26..d9bba99 100644 ---- a/block/cfq-iosched.c -+++ b/block/cfq-iosched.c -@@ -3585,6 +3585,11 @@ retry: - - blkcg = bio_blkcg(bio); - cfqg = cfq_lookup_create_cfqg(cfqd, blkcg); -+ if (!cfqg) { -+ cfqq = &cfqd->oom_cfqq; -+ goto out; -+ } -+ - cfqq = cic_to_cfqq(cic, is_sync); - - /* -@@ -3621,7 +3626,7 @@ retry: - } else - cfqq = &cfqd->oom_cfqq; - } -- -+out: - if (new_cfqq) - kmem_cache_free(cfq_pool, new_cfqq); - -@@ -3651,12 +3656,17 @@ static struct cfq_queue * - cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic, - struct bio *bio, gfp_t gfp_mask) - { -- const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio); -- const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio); -+ int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio); -+ int ioprio = IOPRIO_PRIO_DATA(cic->ioprio); - struct cfq_queue **async_cfqq = NULL; - struct cfq_queue *cfqq = NULL; - - if (!is_sync) { -+ if (!ioprio_valid(cic->ioprio)) { -+ struct task_struct *tsk = current; -+ ioprio = task_nice_ioprio(tsk); -+ ioprio_class = task_nice_ioclass(tsk); -+ } - async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio); - cfqq = *async_cfqq; - } -diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c -index b11949c..f667e37 100644 ---- a/drivers/bluetooth/ath3k.c -+++ b/drivers/bluetooth/ath3k.c -@@ -157,6 +157,8 @@ static const struct usb_device_id ath3k_blist_tbl[] = { - #define USB_REQ_DFU_DNLOAD 1 - #define BULK_SIZE 4096 - #define FW_HDR_SIZE 20 -+#define TIMEGAP_USEC_MIN 50 -+#define TIMEGAP_USEC_MAX 100 - - static int ath3k_load_firmware(struct usb_device *udev, - const struct firmware *firmware) -@@ -187,6 +189,9 @@ static int ath3k_load_firmware(struct usb_device *udev, - count -= 20; - - while (count) { -+ /* workaround the compatibility issue with xHCI controller*/ -+ usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX); -+ - size = min_t(uint, count, BULK_SIZE); - pipe = usb_sndbulkpipe(udev, 0x02); - memcpy(send_buf, firmware->data + sent, size); -@@ -283,6 +288,9 @@ static int ath3k_load_fwfile(struct usb_device *udev, - count -= size; - - while (count) { -+ /* workaround the compatibility issue with xHCI controller*/ -+ usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX); -+ - size = min_t(uint, count, BULK_SIZE); - pipe = usb_sndbulkpipe(udev, 0x02); - -diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c -index 6af1700..cfb9089 100644 ---- a/drivers/char/tpm/tpm-interface.c -+++ b/drivers/char/tpm/tpm-interface.c -@@ -1122,7 +1122,7 @@ struct tpm_chip *tpm_register_hardware(struct device *dev, - - /* Make chip available */ - spin_lock(&driver_lock); -- list_add_rcu(&chip->list, &tpm_chip_list); -+ list_add_tail_rcu(&chip->list, &tpm_chip_list); - spin_unlock(&driver_lock); - - return chip; -diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c -index 7727292..503a85a 100644 ---- a/drivers/char/tpm/tpm_i2c_atmel.c -+++ b/drivers/char/tpm/tpm_i2c_atmel.c -@@ -168,6 +168,10 @@ static int i2c_atmel_probe(struct i2c_client *client, - - chip->vendor.priv = devm_kzalloc(dev, sizeof(struct priv_data), - GFP_KERNEL); -+ if (!chip->vendor.priv) { -+ rc = -ENOMEM; -+ goto out_err; -+ } - - /* Default timeouts */ - chip->vendor.timeout_a = msecs_to_jiffies(TPM_I2C_SHORT_TIMEOUT); -diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c -index 7b158ef..23c7b13 100644 ---- a/drivers/char/tpm/tpm_i2c_nuvoton.c -+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c -@@ -538,6 +538,11 @@ static int i2c_nuvoton_probe(struct i2c_client *client, - - chip->vendor.priv = devm_kzalloc(dev, sizeof(struct priv_data), - GFP_KERNEL); -+ if (!chip->vendor.priv) { -+ rc = -ENOMEM; -+ goto out_err; -+ } -+ - init_waitqueue_head(&chip->vendor.read_queue); - init_waitqueue_head(&chip->vendor.int_queue); - -diff --git a/drivers/char/tpm/tpm_i2c_stm_st33.c b/drivers/char/tpm/tpm_i2c_stm_st33.c -index be9af2e..576d111 100644 ---- a/drivers/char/tpm/tpm_i2c_stm_st33.c -+++ b/drivers/char/tpm/tpm_i2c_stm_st33.c -@@ -488,7 +488,7 @@ static int tpm_stm_i2c_send(struct tpm_chip *chip, unsigned char *buf, - if (burstcnt < 0) - return burstcnt; - size = min_t(int, len - i - 1, burstcnt); -- ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf, size); -+ ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf + i, size); - if (ret < 0) - goto out_err; - -diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c -index af74c57..eff9d58 100644 ---- a/drivers/char/tpm/tpm_ibmvtpm.c -+++ b/drivers/char/tpm/tpm_ibmvtpm.c -@@ -148,7 +148,8 @@ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) - crq.len = (u16)count; - crq.data = ibmvtpm->rtce_dma_handle; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, word[0], word[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]), -+ cpu_to_be64(word[1])); - if (rc != H_SUCCESS) { - dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc); - rc = 0; -@@ -186,7 +187,8 @@ static int ibmvtpm_crq_get_rtce_size(struct ibmvtpm_dev *ibmvtpm) - crq.valid = (u8)IBMVTPM_VALID_CMD; - crq.msg = (u8)VTPM_GET_RTCE_BUFFER_SIZE; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]), -+ cpu_to_be64(buf[1])); - if (rc != H_SUCCESS) - dev_err(ibmvtpm->dev, - "ibmvtpm_crq_get_rtce_size failed rc=%d\n", rc); -@@ -212,7 +214,8 @@ static int ibmvtpm_crq_get_version(struct ibmvtpm_dev *ibmvtpm) - crq.valid = (u8)IBMVTPM_VALID_CMD; - crq.msg = (u8)VTPM_GET_VERSION; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]), -+ cpu_to_be64(buf[1])); - if (rc != H_SUCCESS) - dev_err(ibmvtpm->dev, - "ibmvtpm_crq_get_version failed rc=%d\n", rc); -@@ -307,6 +310,14 @@ static int tpm_ibmvtpm_remove(struct vio_dev *vdev) - static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev) - { - struct ibmvtpm_dev *ibmvtpm = ibmvtpm_get_data(&vdev->dev); -+ -+ /* ibmvtpm initializes at probe time, so the data we are -+ * asking for may not be set yet. Estimate that 4K required -+ * for TCE-mapped buffer in addition to CRQ. -+ */ -+ if (!ibmvtpm) -+ return CRQ_RES_BUF_SIZE + PAGE_SIZE; -+ - return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size; - } - -@@ -327,7 +338,8 @@ static int tpm_ibmvtpm_suspend(struct device *dev) - crq.valid = (u8)IBMVTPM_VALID_CMD; - crq.msg = (u8)VTPM_PREPARE_TO_SUSPEND; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]), -+ cpu_to_be64(buf[1])); - if (rc != H_SUCCESS) - dev_err(ibmvtpm->dev, - "tpm_ibmvtpm_suspend failed rc=%d\n", rc); -@@ -472,11 +484,11 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, - case IBMVTPM_VALID_CMD: - switch (crq->msg) { - case VTPM_GET_RTCE_BUFFER_SIZE_RES: -- if (crq->len <= 0) { -+ if (be16_to_cpu(crq->len) <= 0) { - dev_err(ibmvtpm->dev, "Invalid rtce size\n"); - return; - } -- ibmvtpm->rtce_size = crq->len; -+ ibmvtpm->rtce_size = be16_to_cpu(crq->len); - ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size, - GFP_KERNEL); - if (!ibmvtpm->rtce_buf) { -@@ -497,11 +509,11 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, - - return; - case VTPM_GET_VERSION_RES: -- ibmvtpm->vtpm_version = crq->data; -+ ibmvtpm->vtpm_version = be32_to_cpu(crq->data); - return; - case VTPM_TPM_COMMAND_RES: - /* len of the data in rtce buffer */ -- ibmvtpm->res_len = crq->len; -+ ibmvtpm->res_len = be16_to_cpu(crq->len); - wake_up_interruptible(&ibmvtpm->wq); - return; - default: -diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c -index 2c46734..51350cd 100644 ---- a/drivers/char/tpm/tpm_tis.c -+++ b/drivers/char/tpm/tpm_tis.c -@@ -75,6 +75,10 @@ enum tis_defaults { - #define TPM_DID_VID(l) (0x0F00 | ((l) << 12)) - #define TPM_RID(l) (0x0F04 | ((l) << 12)) - -+struct priv_data { -+ bool irq_tested; -+}; -+ - static LIST_HEAD(tis_chips); - static DEFINE_MUTEX(tis_lock); - -@@ -338,12 +342,27 @@ out_err: - return rc; - } - -+static void disable_interrupts(struct tpm_chip *chip) -+{ -+ u32 intmask; -+ -+ intmask = -+ ioread32(chip->vendor.iobase + -+ TPM_INT_ENABLE(chip->vendor.locality)); -+ intmask &= ~TPM_GLOBAL_INT_ENABLE; -+ iowrite32(intmask, -+ chip->vendor.iobase + -+ TPM_INT_ENABLE(chip->vendor.locality)); -+ free_irq(chip->vendor.irq, chip); -+ chip->vendor.irq = 0; -+} -+ - /* - * If interrupts are used (signaled by an irq set in the vendor structure) - * tpm.c can skip polling for the data to be available as the interrupt is - * waited for here - */ --static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len) -+static int tpm_tis_send_main(struct tpm_chip *chip, u8 *buf, size_t len) - { - int rc; - u32 ordinal; -@@ -373,6 +392,30 @@ out_err: - return rc; - } - -+static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len) -+{ -+ int rc, irq; -+ struct priv_data *priv = chip->vendor.priv; -+ -+ if (!chip->vendor.irq || priv->irq_tested) -+ return tpm_tis_send_main(chip, buf, len); -+ -+ /* Verify receipt of the expected IRQ */ -+ irq = chip->vendor.irq; -+ chip->vendor.irq = 0; -+ rc = tpm_tis_send_main(chip, buf, len); -+ chip->vendor.irq = irq; -+ if (!priv->irq_tested) -+ msleep(1); -+ if (!priv->irq_tested) { -+ disable_interrupts(chip); -+ dev_err(chip->dev, -+ FW_BUG "TPM interrupt not working, polling instead\n"); -+ } -+ priv->irq_tested = true; -+ return rc; -+} -+ - struct tis_vendor_timeout_override { - u32 did_vid; - unsigned long timeout_us[4]; -@@ -505,6 +548,7 @@ static irqreturn_t tis_int_handler(int dummy, void *dev_id) - if (interrupt == 0) - return IRQ_NONE; - -+ ((struct priv_data *)chip->vendor.priv)->irq_tested = true; - if (interrupt & TPM_INTF_DATA_AVAIL_INT) - wake_up_interruptible(&chip->vendor.read_queue); - if (interrupt & TPM_INTF_LOCALITY_CHANGE_INT) -@@ -534,9 +578,14 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, - u32 vendor, intfcaps, intmask; - int rc, i, irq_s, irq_e, probe; - struct tpm_chip *chip; -+ struct priv_data *priv; - -+ priv = devm_kzalloc(dev, sizeof(struct priv_data), GFP_KERNEL); -+ if (priv == NULL) -+ return -ENOMEM; - if (!(chip = tpm_register_hardware(dev, &tpm_tis))) - return -ENODEV; -+ chip->vendor.priv = priv; - - chip->vendor.iobase = ioremap(start, len); - if (!chip->vendor.iobase) { -@@ -605,19 +654,6 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, - if (intfcaps & TPM_INTF_DATA_AVAIL_INT) - dev_dbg(dev, "\tData Avail Int Support\n"); - -- /* get the timeouts before testing for irqs */ -- if (tpm_get_timeouts(chip)) { -- dev_err(dev, "Could not get TPM timeouts and durations\n"); -- rc = -ENODEV; -- goto out_err; -- } -- -- if (tpm_do_selftest(chip)) { -- dev_err(dev, "TPM self test failed\n"); -- rc = -ENODEV; -- goto out_err; -- } -- - /* INTERRUPT Setup */ - init_waitqueue_head(&chip->vendor.read_queue); - init_waitqueue_head(&chip->vendor.int_queue); -@@ -719,6 +755,18 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, - } - } - -+ if (tpm_get_timeouts(chip)) { -+ dev_err(dev, "Could not get TPM timeouts and durations\n"); -+ rc = -ENODEV; -+ goto out_err; -+ } -+ -+ if (tpm_do_selftest(chip)) { -+ dev_err(dev, "TPM self test failed\n"); -+ rc = -ENODEV; -+ goto out_err; -+ } -+ - INIT_LIST_HEAD(&chip->vendor.list); - mutex_lock(&tis_lock); - list_add(&chip->vendor.list, &tis_chips); -diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index 4854f81..ef3b8ad 100644 ---- a/drivers/cpufreq/cpufreq.c -+++ b/drivers/cpufreq/cpufreq.c -@@ -1365,9 +1365,10 @@ static int __cpufreq_remove_dev_finish(struct device *dev, - unsigned long flags; - struct cpufreq_policy *policy; - -- read_lock_irqsave(&cpufreq_driver_lock, flags); -+ write_lock_irqsave(&cpufreq_driver_lock, flags); - policy = per_cpu(cpufreq_cpu_data, cpu); -- read_unlock_irqrestore(&cpufreq_driver_lock, flags); -+ per_cpu(cpufreq_cpu_data, cpu) = NULL; -+ write_unlock_irqrestore(&cpufreq_driver_lock, flags); - - if (!policy) { - pr_debug("%s: No cpu_data found\n", __func__); -@@ -1422,7 +1423,6 @@ static int __cpufreq_remove_dev_finish(struct device *dev, - } - } - -- per_cpu(cpufreq_cpu_data, cpu) = NULL; - return 0; - } - -diff --git a/drivers/cpufreq/s3c2416-cpufreq.c b/drivers/cpufreq/s3c2416-cpufreq.c -index 826b8be..82cef00 100644 ---- a/drivers/cpufreq/s3c2416-cpufreq.c -+++ b/drivers/cpufreq/s3c2416-cpufreq.c -@@ -263,7 +263,7 @@ out: - } - - #ifdef CONFIG_ARM_S3C2416_CPUFREQ_VCORESCALE --static void __init s3c2416_cpufreq_cfg_regulator(struct s3c2416_data *s3c_freq) -+static void s3c2416_cpufreq_cfg_regulator(struct s3c2416_data *s3c_freq) - { - int count, v, i, found; - struct cpufreq_frequency_table *freq; -@@ -335,7 +335,7 @@ static struct notifier_block s3c2416_cpufreq_reboot_notifier = { - .notifier_call = s3c2416_cpufreq_reboot_notifier_evt, - }; - --static int __init s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy) -+static int s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy) - { - struct s3c2416_data *s3c_freq = &s3c2416_cpufreq; - struct cpufreq_frequency_table *freq; -diff --git a/drivers/cpufreq/s3c24xx-cpufreq.c b/drivers/cpufreq/s3c24xx-cpufreq.c -index 2506974..0eb5b40 100644 ---- a/drivers/cpufreq/s3c24xx-cpufreq.c -+++ b/drivers/cpufreq/s3c24xx-cpufreq.c -@@ -454,7 +454,7 @@ static struct cpufreq_driver s3c24xx_driver = { - }; - - --int __init s3c_cpufreq_register(struct s3c_cpufreq_info *info) -+int s3c_cpufreq_register(struct s3c_cpufreq_info *info) - { - if (!info || !info->name) { - printk(KERN_ERR "%s: failed to pass valid information\n", -diff --git a/drivers/cpufreq/speedstep-lib.c b/drivers/cpufreq/speedstep-lib.c -index 7047821..4ab7a21 100644 ---- a/drivers/cpufreq/speedstep-lib.c -+++ b/drivers/cpufreq/speedstep-lib.c -@@ -400,6 +400,7 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor, - - pr_debug("previous speed is %u\n", prev_speed); - -+ preempt_disable(); - local_irq_save(flags); - - /* switch to low state */ -@@ -464,6 +465,8 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor, - - out: - local_irq_restore(flags); -+ preempt_enable(); -+ - return ret; - } - EXPORT_SYMBOL_GPL(speedstep_get_freqs); -diff --git a/drivers/cpufreq/speedstep-smi.c b/drivers/cpufreq/speedstep-smi.c -index 998c17b..b52d8af 100644 ---- a/drivers/cpufreq/speedstep-smi.c -+++ b/drivers/cpufreq/speedstep-smi.c -@@ -156,6 +156,7 @@ static void speedstep_set_state(unsigned int state) - return; - - /* Disable IRQs */ -+ preempt_disable(); - local_irq_save(flags); - - command = (smi_sig & 0xffffff00) | (smi_cmd & 0xff); -@@ -166,9 +167,19 @@ static void speedstep_set_state(unsigned int state) - - do { - if (retry) { -+ /* -+ * We need to enable interrupts, otherwise the blockage -+ * won't resolve. -+ * -+ * We disable preemption so that other processes don't -+ * run. If other processes were running, they could -+ * submit more DMA requests, making the blockage worse. -+ */ - pr_debug("retry %u, previous result %u, waiting...\n", - retry, result); -+ local_irq_enable(); - mdelay(retry * 50); -+ local_irq_disable(); - } - retry++; - __asm__ __volatile__( -@@ -185,6 +196,7 @@ static void speedstep_set_state(unsigned int state) - - /* enable IRQs */ - local_irq_restore(flags); -+ preempt_enable(); - - if (new_state == state) - pr_debug("change to %u MHz succeeded after %u tries " -diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c -index 98e14ee..278603c 100644 ---- a/drivers/edac/amd64_edac.c -+++ b/drivers/edac/amd64_edac.c -@@ -2006,14 +2006,20 @@ static void __log_bus_error(struct mem_ctl_info *mci, struct err_info *err, - - static inline void decode_bus_error(int node_id, struct mce *m) - { -- struct mem_ctl_info *mci = mcis[node_id]; -- struct amd64_pvt *pvt = mci->pvt_info; -+ struct mem_ctl_info *mci; -+ struct amd64_pvt *pvt; - u8 ecc_type = (m->status >> 45) & 0x3; - u8 xec = XEC(m->status, 0x1f); - u16 ec = EC(m->status); - u64 sys_addr; - struct err_info err; - -+ mci = edac_mc_find(node_id); -+ if (!mci) -+ return; -+ -+ pvt = mci->pvt_info; -+ - /* Bail out early if this was an 'observed' error */ - if (PP(ec) == NBSL_PP_OBS) - return; -diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c -index 59ee486..6005d26 100644 ---- a/drivers/gpio/gpio-tps65912.c -+++ b/drivers/gpio/gpio-tps65912.c -@@ -26,9 +26,12 @@ struct tps65912_gpio_data { - struct gpio_chip gpio_chip; - }; - -+#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip) -+ - static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - int val; - - val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset); -@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) - static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, - int value) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - - if (value) - tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset, -@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, - static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, - int value) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - - /* Set the initial value */ - tps65912_gpio_set(gc, offset, value); -@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, - - static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - - return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset, - GPIO_CFG_MASK); -diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c -index 74ed17d..d26028c 100644 ---- a/drivers/gpio/gpiolib-of.c -+++ b/drivers/gpio/gpiolib-of.c -@@ -45,12 +45,13 @@ static int of_gpiochip_find_and_xlate(struct gpio_chip *gc, void *data) - - ret = gc->of_xlate(gc, &gg_data->gpiospec, gg_data->flags); - if (ret < 0) { -- /* We've found the gpio chip, but the translation failed. -- * Return true to stop looking and return the translation -- * error via out_gpio -+ /* We've found a gpio chip, but the translation failed. -+ * Store translation error in out_gpio. -+ * Return false to keep looking, as more than one gpio chip -+ * could be registered per of-node. - */ - gg_data->out_gpio = ERR_PTR(ret); -- return true; -+ return false; - } - - gg_data->out_gpio = gpio_to_desc(ret + gc->base); -diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c -index 6e5d8fe..17be889 100644 ---- a/drivers/hid/i2c-hid/i2c-hid.c -+++ b/drivers/hid/i2c-hid/i2c-hid.c -@@ -356,7 +356,10 @@ static int i2c_hid_hwreset(struct i2c_client *client) - static void i2c_hid_get_input(struct i2c_hid *ihid) - { - int ret, ret_size; -- int size = ihid->bufsize; -+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); -+ -+ if (size > ihid->bufsize) -+ size = ihid->bufsize; - - ret = i2c_master_recv(ihid->client, ihid->inbuf, size); - if (ret != size) { -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 55de4f6..b96ee9d 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -561,7 +561,7 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect - if (test_bit(WriteMostly, &rdev->flags)) { - /* Don't balance among write-mostly, just - * use the first as a last resort */ -- if (best_disk < 0) { -+ if (best_dist_disk < 0) { - if (is_badblock(rdev, this_sector, sectors, - &first_bad, &bad_sectors)) { - if (first_bad < this_sector) -@@ -570,7 +570,8 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect - best_good_sectors = first_bad - this_sector; - } else - best_good_sectors = sectors; -- best_disk = disk; -+ best_dist_disk = disk; -+ best_pending_disk = disk; - } - continue; - } -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 175584a..3545faf 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -3071,7 +3071,8 @@ static void handle_stripe_dirtying(struct r5conf *conf, - * generate correct data from the parity. - */ - if (conf->max_degraded == 2 || -- (recovery_cp < MaxSector && sh->sector >= recovery_cp)) { -+ (recovery_cp < MaxSector && sh->sector >= recovery_cp && -+ s->failed == 0)) { - /* Calculate the real rcw later - for now make it - * look like rcw is cheaper - */ -diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c -index f674dc0..d2a4e6d 100644 ---- a/drivers/media/usb/dvb-usb-v2/lmedm04.c -+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c -@@ -350,6 +350,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) - { - struct dvb_usb_device *d = adap_to_d(adap); - struct lme2510_state *lme_int = adap_to_priv(adap); -+ struct usb_host_endpoint *ep; - - lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC); - -@@ -371,6 +372,12 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) - adap, - 8); - -+ /* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */ -+ ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); -+ -+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) -+ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), -+ - lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; - - usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC); -diff --git a/drivers/media/usb/em28xx/em28xx-audio.c b/drivers/media/usb/em28xx/em28xx-audio.c -index dfdfa77..c39f7d3 100644 ---- a/drivers/media/usb/em28xx/em28xx-audio.c -+++ b/drivers/media/usb/em28xx/em28xx-audio.c -@@ -814,7 +814,7 @@ static int em28xx_audio_urb_init(struct em28xx *dev) - if (urb_size > ep_size * npackets) - npackets = DIV_ROUND_UP(urb_size, ep_size); - -- em28xx_info("Number of URBs: %d, with %d packets and %d size", -+ em28xx_info("Number of URBs: %d, with %d packets and %d size\n", - num_urb, npackets, urb_size); - - /* Estimate the bytes per period */ -@@ -974,7 +974,7 @@ static int em28xx_audio_fini(struct em28xx *dev) - return 0; - } - -- em28xx_info("Closing audio extension"); -+ em28xx_info("Closing audio extension\n"); - - if (dev->adev.sndcard) { - snd_card_disconnect(dev->adev.sndcard); -diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c -index 1373cfa..ec2ebe9 100644 ---- a/drivers/media/usb/em28xx/em28xx-dvb.c -+++ b/drivers/media/usb/em28xx/em28xx-dvb.c -@@ -1468,7 +1468,7 @@ static int em28xx_dvb_fini(struct em28xx *dev) - return 0; - } - -- em28xx_info("Closing DVB extension"); -+ em28xx_info("Closing DVB extension\n"); - - if (dev->dvb) { - struct em28xx_dvb *dvb = dev->dvb; -diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c -index 18f65d8..dd59c00 100644 ---- a/drivers/media/usb/em28xx/em28xx-input.c -+++ b/drivers/media/usb/em28xx/em28xx-input.c -@@ -810,7 +810,7 @@ static int em28xx_ir_fini(struct em28xx *dev) - return 0; - } - -- em28xx_info("Closing input extension"); -+ em28xx_info("Closing input extension\n"); - - em28xx_shutdown_buttons(dev); - -diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c -index e24ee08..0e8d085 100644 ---- a/drivers/media/usb/em28xx/em28xx-video.c -+++ b/drivers/media/usb/em28xx/em28xx-video.c -@@ -1900,7 +1900,7 @@ static int em28xx_v4l2_fini(struct em28xx *dev) - return 0; - } - -- em28xx_info("Closing video extension"); -+ em28xx_info("Closing video extension\n"); - - mutex_lock(&dev->lock); - -diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c -index 793dacd..561c6b4 100644 ---- a/drivers/mmc/host/sdhci-pxav3.c -+++ b/drivers/mmc/host/sdhci-pxav3.c -@@ -201,8 +201,8 @@ static struct sdhci_pxa_platdata *pxav3_get_mmc_pdata(struct device *dev) - if (!pdata) - return NULL; - -- of_property_read_u32(np, "mrvl,clk-delay-cycles", &clk_delay_cycles); -- if (clk_delay_cycles > 0) -+ if (!of_property_read_u32(np, "mrvl,clk-delay-cycles", -+ &clk_delay_cycles)) - pdata->clk_delay_cycles = clk_delay_cycles; - - return pdata; -diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -index d06414e..a041746 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c -+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -@@ -410,9 +410,6 @@ static void iwl_mvm_cleanup_iterator(void *data, u8 *mac, - mvmvif->uploaded = false; - mvmvif->ap_sta_id = IWL_MVM_STATION_COUNT; - -- /* does this make sense at all? */ -- mvmvif->color++; -- - spin_lock_bh(&mvm->time_event_lock); - iwl_mvm_te_clear_data(mvm, &mvmvif->time_event_data); - spin_unlock_bh(&mvm->time_event_lock); -@@ -597,7 +594,7 @@ static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, - - ret = iwl_mvm_mac_ctxt_add(mvm, vif); - if (ret) -- goto out_release; -+ goto out_remove_mac; - - iwl_mvm_power_disable(mvm, vif); - -diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c -index 76ee486..4efcb28 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/tx.c -+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c -@@ -835,6 +835,11 @@ int iwl_mvm_rx_ba_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb, - sta_id = ba_notif->sta_id; - tid = ba_notif->tid; - -+ if (WARN_ONCE(sta_id >= IWL_MVM_STATION_COUNT || -+ tid >= IWL_MAX_TID_COUNT, -+ "sta_id %d tid %d", sta_id, tid)) -+ return 0; -+ - rcu_read_lock(); - - sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]); -diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c -index 3d54900..52427fb 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/tx.c -+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c -@@ -729,7 +729,12 @@ void iwl_trans_pcie_tx_reset(struct iwl_trans *trans) - iwl_write_direct32(trans, FH_KW_MEM_ADDR_REG, - trans_pcie->kw.dma >> 4); - -- iwl_pcie_tx_start(trans, trans_pcie->scd_base_addr); -+ /* -+ * Send 0 as the scd_base_addr since the device may have be reset -+ * while we were in WoWLAN in which case SCD_SRAM_BASE_ADDR will -+ * contain garbage. -+ */ -+ iwl_pcie_tx_start(trans, 0); - } - - /* -diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c -index 25f0bc6..7f41551 100644 ---- a/drivers/pci/pci-driver.c -+++ b/drivers/pci/pci-driver.c -@@ -1324,7 +1324,7 @@ static int pci_uevent(struct device *dev, struct kobj_uevent_env *env) - if (add_uevent_var(env, "PCI_SLOT_NAME=%s", pci_name(pdev))) - return -ENOMEM; - -- if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x", -+ if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X", - pdev->vendor, pdev->device, - pdev->subsystem_vendor, pdev->subsystem_device, - (u8)(pdev->class >> 16), (u8)(pdev->class >> 8), -diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c -index 5d59572..5510c88 100644 ---- a/drivers/pci/rom.c -+++ b/drivers/pci/rom.c -@@ -69,6 +69,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) - { - void __iomem *image; - int last_image; -+ unsigned length; - - image = rom; - do { -@@ -91,9 +92,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) - if (readb(pds + 3) != 'R') - break; - last_image = readb(pds + 21) & 0x80; -- /* this length is reliable */ -- image += readw(pds + 16) * 512; -- } while (!last_image); -+ length = readw(pds + 16); -+ image += length * 512; -+ } while (length && !last_image); - - /* never return a size larger than the PCI resource window */ - /* there are known ROMs that get the size wrong */ -diff --git a/drivers/power/88pm860x_charger.c b/drivers/power/88pm860x_charger.c -index de029bb..5ccca87 100644 ---- a/drivers/power/88pm860x_charger.c -+++ b/drivers/power/88pm860x_charger.c -@@ -711,6 +711,7 @@ static int pm860x_charger_probe(struct platform_device *pdev) - return 0; - - out_irq: -+ power_supply_unregister(&info->usb); - while (--i >= 0) - free_irq(info->irq[i], info); - out: -diff --git a/drivers/power/bq24190_charger.c b/drivers/power/bq24190_charger.c -index ad3ff8f..e4c95e1 100644 ---- a/drivers/power/bq24190_charger.c -+++ b/drivers/power/bq24190_charger.c -@@ -929,7 +929,7 @@ static void bq24190_charger_init(struct power_supply *charger) - charger->properties = bq24190_charger_properties; - charger->num_properties = ARRAY_SIZE(bq24190_charger_properties); - charger->supplied_to = bq24190_charger_supplied_to; -- charger->num_supplies = ARRAY_SIZE(bq24190_charger_supplied_to); -+ charger->num_supplicants = ARRAY_SIZE(bq24190_charger_supplied_to); - charger->get_property = bq24190_charger_get_property; - charger->set_property = bq24190_charger_set_property; - charger->property_is_writeable = bq24190_charger_property_is_writeable; -diff --git a/drivers/power/gpio-charger.c b/drivers/power/gpio-charger.c -index a0024b2..86e03c6 100644 ---- a/drivers/power/gpio-charger.c -+++ b/drivers/power/gpio-charger.c -@@ -168,7 +168,7 @@ static int gpio_charger_suspend(struct device *dev) - - if (device_may_wakeup(dev)) - gpio_charger->wakeup_enabled = -- enable_irq_wake(gpio_charger->irq); -+ !enable_irq_wake(gpio_charger->irq); - - return 0; - } -@@ -178,7 +178,7 @@ static int gpio_charger_resume(struct device *dev) - struct platform_device *pdev = to_platform_device(dev); - struct gpio_charger *gpio_charger = platform_get_drvdata(pdev); - -- if (gpio_charger->wakeup_enabled) -+ if (device_may_wakeup(dev) && gpio_charger->wakeup_enabled) - disable_irq_wake(gpio_charger->irq); - power_supply_changed(&gpio_charger->charger); - -diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c -index f655592..a1f04e3 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_fusion.c -+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c -@@ -92,6 +92,8 @@ megasas_enable_intr_fusion(struct megasas_instance *instance) - { - struct megasas_register_set __iomem *regs; - regs = instance->reg_set; -+ -+ instance->mask_interrupts = 0; - /* For Thunderbolt/Invader also clear intr on enable */ - writel(~0, ®s->outbound_intr_status); - readl(®s->outbound_intr_status); -@@ -100,7 +102,6 @@ megasas_enable_intr_fusion(struct megasas_instance *instance) - - /* Dummy readl to force pci flush */ - readl(®s->outbound_intr_mask); -- instance->mask_interrupts = 0; - } - - /** -diff --git a/drivers/target/iscsi/iscsi_target_tq.c b/drivers/target/iscsi/iscsi_target_tq.c -index 601e9cc..bb2890e 100644 ---- a/drivers/target/iscsi/iscsi_target_tq.c -+++ b/drivers/target/iscsi/iscsi_target_tq.c -@@ -24,36 +24,22 @@ - #include "iscsi_target_tq.h" - #include "iscsi_target.h" - --static LIST_HEAD(active_ts_list); - static LIST_HEAD(inactive_ts_list); --static DEFINE_SPINLOCK(active_ts_lock); - static DEFINE_SPINLOCK(inactive_ts_lock); - static DEFINE_SPINLOCK(ts_bitmap_lock); - --static void iscsi_add_ts_to_active_list(struct iscsi_thread_set *ts) --{ -- spin_lock(&active_ts_lock); -- list_add_tail(&ts->ts_list, &active_ts_list); -- iscsit_global->active_ts++; -- spin_unlock(&active_ts_lock); --} -- - static void iscsi_add_ts_to_inactive_list(struct iscsi_thread_set *ts) - { -+ if (!list_empty(&ts->ts_list)) { -+ WARN_ON(1); -+ return; -+ } - spin_lock(&inactive_ts_lock); - list_add_tail(&ts->ts_list, &inactive_ts_list); - iscsit_global->inactive_ts++; - spin_unlock(&inactive_ts_lock); - } - --static void iscsi_del_ts_from_active_list(struct iscsi_thread_set *ts) --{ -- spin_lock(&active_ts_lock); -- list_del(&ts->ts_list); -- iscsit_global->active_ts--; -- spin_unlock(&active_ts_lock); --} -- - static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void) - { - struct iscsi_thread_set *ts; -@@ -66,7 +52,7 @@ static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void) - - ts = list_first_entry(&inactive_ts_list, struct iscsi_thread_set, ts_list); - -- list_del(&ts->ts_list); -+ list_del_init(&ts->ts_list); - iscsit_global->inactive_ts--; - spin_unlock(&inactive_ts_lock); - -@@ -204,8 +190,6 @@ static void iscsi_deallocate_extra_thread_sets(void) - - void iscsi_activate_thread_set(struct iscsi_conn *conn, struct iscsi_thread_set *ts) - { -- iscsi_add_ts_to_active_list(ts); -- - spin_lock_bh(&ts->ts_state_lock); - conn->thread_set = ts; - ts->conn = conn; -@@ -397,7 +381,6 @@ struct iscsi_conn *iscsi_rx_thread_pre_handler(struct iscsi_thread_set *ts) - - if (ts->delay_inactive && (--ts->thread_count == 0)) { - spin_unlock_bh(&ts->ts_state_lock); -- iscsi_del_ts_from_active_list(ts); - - if (!iscsit_global->in_shutdown) - iscsi_deallocate_extra_thread_sets(); -@@ -452,7 +435,6 @@ struct iscsi_conn *iscsi_tx_thread_pre_handler(struct iscsi_thread_set *ts) - - if (ts->delay_inactive && (--ts->thread_count == 0)) { - spin_unlock_bh(&ts->ts_state_lock); -- iscsi_del_ts_from_active_list(ts); - - if (!iscsit_global->in_shutdown) - iscsi_deallocate_extra_thread_sets(); -diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 25c9bc7..e49616e 100644 ---- a/drivers/tty/pty.c -+++ b/drivers/tty/pty.c -@@ -209,6 +209,9 @@ static int pty_signal(struct tty_struct *tty, int sig) - unsigned long flags; - struct pid *pgrp; - -+ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP) -+ return -EINVAL; -+ - if (tty->link) { - spin_lock_irqsave(&tty->link->ctrl_lock, flags); - pgrp = get_pid(tty->link->pgrp); -diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c -index ce352b8..0d3e6cb 100644 ---- a/drivers/tty/serial/atmel_serial.c -+++ b/drivers/tty/serial/atmel_serial.c -@@ -2392,7 +2392,7 @@ static int atmel_serial_probe(struct platform_device *pdev) - - ret = atmel_init_port(port, pdev); - if (ret) -- goto err; -+ goto err_clear_bit; - - if (!atmel_use_pdc_rx(&port->uart)) { - ret = -ENOMEM; -@@ -2441,6 +2441,8 @@ err_alloc_ring: - clk_put(port->clk); - port->clk = NULL; - } -+err_clear_bit: -+ clear_bit(port->uart.line, atmel_ports_in_use); - err: - return ret; - } -diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c -index 23b5d32..693091a 100644 ---- a/drivers/tty/vt/vt.c -+++ b/drivers/tty/vt/vt.c -@@ -498,6 +498,7 @@ void invert_screen(struct vc_data *vc, int offset, int count, int viewed) - #endif - if (DO_UPDATE(vc)) - do_update_region(vc, (unsigned long) p, count); -+ notify_update(vc); - } - - /* used by selection: complement pointer position */ -@@ -514,6 +515,7 @@ void complement_pos(struct vc_data *vc, int offset) - scr_writew(old, screenpos(vc, old_offset, 1)); - if (DO_UPDATE(vc)) - vc->vc_sw->con_putc(vc, old, oldy, oldx); -+ notify_update(vc); - } - - old_offset = offset; -@@ -531,8 +533,8 @@ void complement_pos(struct vc_data *vc, int offset) - oldy = (offset >> 1) / vc->vc_cols; - vc->vc_sw->con_putc(vc, new, oldy, oldx); - } -+ notify_update(vc); - } -- - } - - static void insert_char(struct vc_data *vc, unsigned int nr) -diff --git a/drivers/usb/core/buffer.c b/drivers/usb/core/buffer.c -index 684ef70..506b969 100644 ---- a/drivers/usb/core/buffer.c -+++ b/drivers/usb/core/buffer.c -@@ -22,17 +22,25 @@ - */ - - /* FIXME tune these based on pool statistics ... */ --static const size_t pool_max[HCD_BUFFER_POOLS] = { -- /* platforms without dma-friendly caches might need to -- * prevent cacheline sharing... -- */ -- 32, -- 128, -- 512, -- PAGE_SIZE / 2 -- /* bigger --> allocate pages */ -+static size_t pool_max[HCD_BUFFER_POOLS] = { -+ 32, 128, 512, 2048, - }; - -+void __init usb_init_pool_max(void) -+{ -+ /* -+ * The pool_max values must never be smaller than -+ * ARCH_KMALLOC_MINALIGN. -+ */ -+ if (ARCH_KMALLOC_MINALIGN <= 32) -+ ; /* Original value is okay */ -+ else if (ARCH_KMALLOC_MINALIGN <= 64) -+ pool_max[0] = 64; -+ else if (ARCH_KMALLOC_MINALIGN <= 128) -+ pool_max[0] = 0; /* Don't use this pool */ -+ else -+ BUILD_BUG(); /* We don't allow this */ -+} - - /* SETUP primitives */ - -diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index ef6ec13b..ee6c556 100644 ---- a/drivers/usb/core/hcd.c -+++ b/drivers/usb/core/hcd.c -@@ -1617,6 +1617,7 @@ static int unlink1(struct usb_hcd *hcd, struct urb *urb, int status) - int usb_hcd_unlink_urb (struct urb *urb, int status) - { - struct usb_hcd *hcd; -+ struct usb_device *udev = urb->dev; - int retval = -EIDRM; - unsigned long flags; - -@@ -1628,20 +1629,19 @@ int usb_hcd_unlink_urb (struct urb *urb, int status) - spin_lock_irqsave(&hcd_urb_unlink_lock, flags); - if (atomic_read(&urb->use_count) > 0) { - retval = 0; -- usb_get_dev(urb->dev); -+ usb_get_dev(udev); - } - spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags); - if (retval == 0) { - hcd = bus_to_hcd(urb->dev->bus); - retval = unlink1(hcd, urb, status); -- usb_put_dev(urb->dev); -+ if (retval == 0) -+ retval = -EINPROGRESS; -+ else if (retval != -EIDRM && retval != -EBUSY) -+ dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n", -+ urb, retval); -+ usb_put_dev(udev); - } -- -- if (retval == 0) -- retval = -EINPROGRESS; -- else if (retval != -EIDRM && retval != -EBUSY) -- dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n", -- urb, retval); - return retval; - } - -diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c -index 4d11449..a922730 100644 ---- a/drivers/usb/core/usb.c -+++ b/drivers/usb/core/usb.c -@@ -1050,6 +1050,7 @@ static int __init usb_init(void) - pr_info("%s: USB support disabled\n", usbcore_name); - return 0; - } -+ usb_init_pool_max(); - - retval = usb_debugfs_init(); - if (retval) -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 9e8708c..a2d0409 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -56,6 +56,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */ - { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ - { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ -+ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ - { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ - { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ - { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ -diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c -index 602913d..edfd797 100644 ---- a/drivers/xen/manage.c -+++ b/drivers/xen/manage.c -@@ -113,10 +113,16 @@ static void do_suspend(void) - - err = freeze_processes(); - if (err) { -- pr_err("%s: freeze failed %d\n", __func__, err); -+ pr_err("%s: freeze processes failed %d\n", __func__, err); - goto out; - } - -+ err = freeze_kernel_threads(); -+ if (err) { -+ pr_err("%s: freeze kernel threads failed %d\n", __func__, err); -+ goto out_thaw; -+ } -+ - err = dpm_suspend_start(PMSG_FREEZE); - if (err) { - pr_err("%s: dpm_suspend_start %d\n", __func__, err); -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 67be295..f4d7b2f 100644 ---- a/fs/binfmt_elf.c -+++ b/fs/binfmt_elf.c -@@ -549,11 +549,12 @@ out: - - static unsigned long randomize_stack_top(unsigned long stack_top) - { -- unsigned int random_variable = 0; -+ unsigned long random_variable = 0; - - if ((current->flags & PF_RANDOMIZE) && - !(current->personality & ADDR_NO_RANDOMIZE)) { -- random_variable = get_random_int() & STACK_RND_MASK; -+ random_variable = (unsigned long) get_random_int(); -+ random_variable &= STACK_RND_MASK; - random_variable <<= PAGE_SHIFT; - } - #ifdef CONFIG_STACK_GROWSUP -diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c -index cbd3a7d..93de3ba 100644 ---- a/fs/btrfs/ctree.c -+++ b/fs/btrfs/ctree.c -@@ -2655,32 +2655,23 @@ static int key_search(struct extent_buffer *b, struct btrfs_key *key, - return 0; - } - --int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *found_path, -+int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *path, - u64 iobjectid, u64 ioff, u8 key_type, - struct btrfs_key *found_key) - { - int ret; - struct btrfs_key key; - struct extent_buffer *eb; -- struct btrfs_path *path; -+ -+ ASSERT(path); - - key.type = key_type; - key.objectid = iobjectid; - key.offset = ioff; - -- if (found_path == NULL) { -- path = btrfs_alloc_path(); -- if (!path) -- return -ENOMEM; -- } else -- path = found_path; -- - ret = btrfs_search_slot(NULL, fs_root, &key, path, 0, 0); -- if ((ret < 0) || (found_key == NULL)) { -- if (path != found_path) -- btrfs_free_path(path); -+ if ((ret < 0) || (found_key == NULL)) - return ret; -- } - - eb = path->nodes[0]; - if (ret && path->slots[0] >= btrfs_header_nritems(eb)) { -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 0db8ded..f48d5fc 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -1560,6 +1560,7 @@ struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info, - bool check_ref) - { - struct btrfs_root *root; -+ struct btrfs_path *path; - int ret; - - if (location->objectid == BTRFS_ROOT_TREE_OBJECTID) -@@ -1599,8 +1600,14 @@ again: - if (ret) - goto fail; - -- ret = btrfs_find_item(fs_info->tree_root, NULL, BTRFS_ORPHAN_OBJECTID, -+ path = btrfs_alloc_path(); -+ if (!path) { -+ ret = -ENOMEM; -+ goto fail; -+ } -+ ret = btrfs_find_item(fs_info->tree_root, path, BTRFS_ORPHAN_OBJECTID, - location->objectid, BTRFS_ORPHAN_ITEM_KEY, NULL); -+ btrfs_free_path(path); - if (ret < 0) - goto fail; - if (ret == 0) -@@ -2411,7 +2418,7 @@ int open_ctree(struct super_block *sb, - features |= BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO; - - if (features & BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA) -- printk(KERN_ERR "BTRFS: has skinny extents\n"); -+ printk(KERN_INFO "BTRFS: has skinny extents\n"); - - /* - * flag our filesystem as having big metadata blocks if -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index 39d83da..aeb57b98 100644 ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -1238,10 +1238,19 @@ static int insert_orphan_item(struct btrfs_trans_handle *trans, - struct btrfs_root *root, u64 offset) - { - int ret; -- ret = btrfs_find_item(root, NULL, BTRFS_ORPHAN_OBJECTID, -+ struct btrfs_path *path; -+ -+ path = btrfs_alloc_path(); -+ if (!path) -+ return -ENOMEM; -+ -+ ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID, - offset, BTRFS_ORPHAN_ITEM_KEY, NULL); - if (ret > 0) - ret = btrfs_insert_orphan_item(trans, root, offset); -+ -+ btrfs_free_path(path); -+ - return ret; - } - -diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c -index 7654e87..9ad5ba4 100644 ---- a/fs/jffs2/scan.c -+++ b/fs/jffs2/scan.c -@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo - sumlen = c->sector_size - je32_to_cpu(sm->offset); - sumptr = buf + buf_size - sumlen; - -+ /* sm->offset maybe wrong but MAGIC maybe right */ -+ if (sumlen > c->sector_size) -+ goto full_scan; -+ - /* Now, make sure the summary itself is available */ - if (sumlen > buf_size) { - /* Need to kmalloc for this. */ -@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo - } - } - -+full_scan: - buf_ofs = jeb->offset; - - if (!buf_size) { -diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c -index 073b4cf..0a2016b 100644 ---- a/fs/nfs/callback.c -+++ b/fs/nfs/callback.c -@@ -128,22 +128,24 @@ nfs41_callback_svc(void *vrqstp) - if (try_to_freeze()) - continue; - -- prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE); -+ prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE); - spin_lock_bh(&serv->sv_cb_lock); - if (!list_empty(&serv->sv_cb_list)) { - req = list_first_entry(&serv->sv_cb_list, - struct rpc_rqst, rq_bc_list); - list_del(&req->rq_bc_list); - spin_unlock_bh(&serv->sv_cb_lock); -+ finish_wait(&serv->sv_cb_waitq, &wq); - dprintk("Invoking bc_svc_process()\n"); - error = bc_svc_process(serv, req, rqstp); - dprintk("bc_svc_process() returned w/ error code= %d\n", - error); - } else { - spin_unlock_bh(&serv->sv_cb_lock); -- schedule(); -+ /* schedule_timeout to game the hung task watchdog */ -+ schedule_timeout(60 * HZ); -+ finish_wait(&serv->sv_cb_waitq, &wq); - } -- finish_wait(&serv->sv_cb_waitq, &wq); - } - return 0; - } -diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c -index f4ccfe6..02f8d09 100644 ---- a/fs/nfs/callback_xdr.c -+++ b/fs/nfs/callback_xdr.c -@@ -464,8 +464,10 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp, - - for (i = 0; i < args->csa_nrclists; i++) { - status = decode_rc_list(xdr, &args->csa_rclists[i]); -- if (status) -+ if (status) { -+ args->csa_nrclists = i; - goto out_free; -+ } - } - } - status = 0; -diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c -index 3314911..645f180 100644 ---- a/fs/xfs/xfs_buf_item.c -+++ b/fs/xfs/xfs_buf_item.c -@@ -319,6 +319,10 @@ xfs_buf_item_format( - ASSERT(atomic_read(&bip->bli_refcount) > 0); - ASSERT((bip->bli_flags & XFS_BLI_LOGGED) || - (bip->bli_flags & XFS_BLI_STALE)); -+ ASSERT((bip->bli_flags & XFS_BLI_STALE) || -+ (xfs_blft_from_flags(&bip->__bli_format) > XFS_BLFT_UNKNOWN_BUF -+ && xfs_blft_from_flags(&bip->__bli_format) < XFS_BLFT_MAX_BUF)); -+ - - /* - * If it is an inode buffer, transfer the in-memory state to the -diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c -index 3a137e9..5d90b8d 100644 ---- a/fs/xfs/xfs_inode.c -+++ b/fs/xfs/xfs_inode.c -@@ -1946,6 +1946,7 @@ xfs_iunlink( - agi->agi_unlinked[bucket_index] = cpu_to_be32(agino); - offset = offsetof(xfs_agi_t, agi_unlinked) + - (sizeof(xfs_agino_t) * bucket_index); -+ xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF); - xfs_trans_log_buf(tp, agibp, offset, - (offset + sizeof(xfs_agino_t) - 1)); - return 0; -@@ -2037,6 +2038,7 @@ xfs_iunlink_remove( - agi->agi_unlinked[bucket_index] = cpu_to_be32(next_agino); - offset = offsetof(xfs_agi_t, agi_unlinked) + - (sizeof(xfs_agino_t) * bucket_index); -+ xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF); - xfs_trans_log_buf(tp, agibp, offset, - (offset + sizeof(xfs_agino_t) - 1)); - } else { -diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c -index 6d7d1de..1b271f5 100644 ---- a/fs/xfs/xfs_qm.c -+++ b/fs/xfs/xfs_qm.c -@@ -1108,6 +1108,11 @@ xfs_qm_reset_dqcounts( - */ - xfs_dqcheck(mp, ddq, id+j, type, XFS_QMOPT_DQREPAIR, - "xfs_quotacheck"); -+ /* -+ * Reset type in case we are reusing group quota file for -+ * project quotas or vice versa -+ */ -+ ddq->d_flags = type; - ddq->d_bcount = 0; - ddq->d_icount = 0; - ddq->d_rtbcount = 0; -diff --git a/fs/xfs/xfs_trans.c b/fs/xfs/xfs_trans.c -index c812c5c..b626f3d 100644 ---- a/fs/xfs/xfs_trans.c -+++ b/fs/xfs/xfs_trans.c -@@ -474,6 +474,7 @@ xfs_trans_apply_sb_deltas( - whole = 1; - } - -+ xfs_trans_buf_set_type(tp, bp, XFS_BLFT_SB_BUF); - if (whole) - /* - * Log the whole thing, the fields are noncontiguous. -diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h -index 1c804b0..7ee1774 100644 ---- a/include/linux/fsnotify.h -+++ b/include/linux/fsnotify.h -@@ -101,8 +101,10 @@ static inline void fsnotify_move(struct inode *old_dir, struct inode *new_dir, - new_dir_mask |= FS_ISDIR; - } - -- fsnotify(old_dir, old_dir_mask, old_dir, FSNOTIFY_EVENT_INODE, old_name, fs_cookie); -- fsnotify(new_dir, new_dir_mask, new_dir, FSNOTIFY_EVENT_INODE, new_name, fs_cookie); -+ fsnotify(old_dir, old_dir_mask, source, FSNOTIFY_EVENT_INODE, old_name, -+ fs_cookie); -+ fsnotify(new_dir, new_dir_mask, source, FSNOTIFY_EVENT_INODE, new_name, -+ fs_cookie); - - if (target) - fsnotify_link_count(target); -diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h -index efe8d8a..e34bce3 100644 ---- a/include/linux/usb/hcd.h -+++ b/include/linux/usb/hcd.h -@@ -447,6 +447,7 @@ extern const struct dev_pm_ops usb_hcd_pci_pm_ops; - #endif /* CONFIG_PCI */ - - /* pci-ish (pdev null is ok) buffer alloc/mapping support */ -+void usb_init_pool_max(void); - int hcd_buffer_create(struct usb_hcd *hcd); - void hcd_buffer_destroy(struct usb_hcd *hcd); - -diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 0b097c8..449518e 100644 ---- a/kernel/debug/kdb/kdb_main.c -+++ b/kernel/debug/kdb/kdb_main.c -@@ -2535,7 +2535,7 @@ static int kdb_summary(int argc, const char **argv) - #define K(x) ((x) << (PAGE_SHIFT - 10)) - kdb_printf("\nMemTotal: %8lu kB\nMemFree: %8lu kB\n" - "Buffers: %8lu kB\n", -- val.totalram, val.freeram, val.bufferram); -+ K(val.totalram), K(val.freeram), K(val.bufferram)); - return 0; - } - -diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c -index 28db9be..6211d5d 100644 ---- a/kernel/time/ntp.c -+++ b/kernel/time/ntp.c -@@ -631,10 +631,14 @@ int ntp_validate_timex(struct timex *txc) - if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME))) - return -EPERM; - -- if (txc->modes & ADJ_FREQUENCY) { -- if (LONG_MIN / PPM_SCALE > txc->freq) -+ /* -+ * Check for potential multiplication overflows that can -+ * only happen on 64-bit systems: -+ */ -+ if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) { -+ if (LLONG_MIN / PPM_SCALE > txc->freq) - return -EINVAL; -- if (LONG_MAX / PPM_SCALE < txc->freq) -+ if (LLONG_MAX / PPM_SCALE < txc->freq) - return -EINVAL; - } - -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 7113672..813b021 100644 ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -4694,7 +4694,7 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, - *fpos += written; - - out_unlock: -- for (i = 0; i < nr_pages; i++){ -+ for (i = nr_pages - 1; i >= 0; i--) { - kunmap_atomic(map_page[i]); - put_page(pages[i]); - } -diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 67d0c17..472259b 100644 ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -3456,6 +3456,8 @@ follow_huge_pmd(struct mm_struct *mm, unsigned long address, - { - struct page *page; - -+ if (!pmd_present(*pmd)) -+ return NULL; - page = pte_page(*(pte_t *)pmd); - if (page) - page += ((address & ~PMD_MASK) >> PAGE_SHIFT); -diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c -index 0676f2b..45f077c 100644 ---- a/net/ceph/osd_client.c -+++ b/net/ceph/osd_client.c -@@ -977,12 +977,24 @@ static void put_osd(struct ceph_osd *osd) - */ - static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) - { -- dout("__remove_osd %p\n", osd); -- BUG_ON(!list_empty(&osd->o_requests)); -- rb_erase(&osd->o_node, &osdc->osds); -+ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); -+ WARN_ON(!list_empty(&osd->o_requests)); -+ WARN_ON(!list_empty(&osd->o_linger_requests)); -+ - list_del_init(&osd->o_osd_lru); -- ceph_con_close(&osd->o_con); -- put_osd(osd); -+ rb_erase(&osd->o_node, &osdc->osds); -+ RB_CLEAR_NODE(&osd->o_node); -+} -+ -+static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) -+{ -+ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); -+ -+ if (!RB_EMPTY_NODE(&osd->o_node)) { -+ ceph_con_close(&osd->o_con); -+ __remove_osd(osdc, osd); -+ put_osd(osd); -+ } - } - - static void remove_all_osds(struct ceph_osd_client *osdc) -@@ -992,7 +1004,7 @@ static void remove_all_osds(struct ceph_osd_client *osdc) - while (!RB_EMPTY_ROOT(&osdc->osds)) { - struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds), - struct ceph_osd, o_node); -- __remove_osd(osdc, osd); -+ remove_osd(osdc, osd); - } - mutex_unlock(&osdc->request_mutex); - } -@@ -1022,7 +1034,7 @@ static void remove_old_osds(struct ceph_osd_client *osdc) - list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) { - if (time_before(jiffies, osd->lru_ttl)) - break; -- __remove_osd(osdc, osd); -+ remove_osd(osdc, osd); - } - mutex_unlock(&osdc->request_mutex); - } -@@ -1037,8 +1049,7 @@ static int __reset_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) - dout("__reset_osd %p osd%d\n", osd, osd->o_osd); - if (list_empty(&osd->o_requests) && - list_empty(&osd->o_linger_requests)) { -- __remove_osd(osdc, osd); -- -+ remove_osd(osdc, osd); - return -ENODEV; - } - -@@ -1840,6 +1851,7 @@ static void reset_changed_osds(struct ceph_osd_client *osdc) - { - struct rb_node *p, *n; - -+ dout("%s %p\n", __func__, osdc); - for (p = rb_first(&osdc->osds); p; p = n) { - struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node); - -diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c -index 56cc891..d99c8d3 100644 ---- a/sound/pci/riptide/riptide.c -+++ b/sound/pci/riptide/riptide.c -@@ -2032,32 +2032,43 @@ snd_riptide_joystick_probe(struct pci_dev *pci, const struct pci_device_id *id) - { - static int dev; - struct gameport *gameport; -+ int ret; - - if (dev >= SNDRV_CARDS) - return -ENODEV; -+ - if (!enable[dev]) { -- dev++; -- return -ENOENT; -+ ret = -ENOENT; -+ goto inc_dev; - } - -- if (!joystick_port[dev++]) -- return 0; -+ if (!joystick_port[dev]) { -+ ret = 0; -+ goto inc_dev; -+ } - - gameport = gameport_allocate_port(); -- if (!gameport) -- return -ENOMEM; -+ if (!gameport) { -+ ret = -ENOMEM; -+ goto inc_dev; -+ } - if (!request_region(joystick_port[dev], 8, "Riptide gameport")) { - snd_printk(KERN_WARNING - "Riptide: cannot grab gameport 0x%x\n", - joystick_port[dev]); - gameport_free_port(gameport); -- return -EBUSY; -+ ret = -EBUSY; -+ goto inc_dev; - } - - gameport->io = joystick_port[dev]; - gameport_register_port(gameport); - pci_set_drvdata(pci, gameport); -- return 0; -+ -+ ret = 0; -+inc_dev: -+ dev++; -+ return ret; - } - - static void snd_riptide_joystick_remove(struct pci_dev *pci) -diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c -index e98dc00..2116750 100644 ---- a/sound/pci/rme9652/hdspm.c -+++ b/sound/pci/rme9652/hdspm.c -@@ -6102,6 +6102,9 @@ static int snd_hdspm_playback_open(struct snd_pcm_substream *substream) - snd_pcm_hw_constraint_minmax(runtime, - SNDRV_PCM_HW_PARAM_PERIOD_SIZE, - 64, 8192); -+ snd_pcm_hw_constraint_minmax(runtime, -+ SNDRV_PCM_HW_PARAM_PERIODS, -+ 2, 2); - break; - } - -@@ -6176,6 +6179,9 @@ static int snd_hdspm_capture_open(struct snd_pcm_substream *substream) - snd_pcm_hw_constraint_minmax(runtime, - SNDRV_PCM_HW_PARAM_PERIOD_SIZE, - 64, 8192); -+ snd_pcm_hw_constraint_minmax(runtime, -+ SNDRV_PCM_HW_PARAM_PERIODS, -+ 2, 2); - break; - } - diff --git a/3.14.35/0000_README b/3.14.36/0000_README index f876e1c..ea2152e 100644 --- a/3.14.35/0000_README +++ b/3.14.36/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1034_linux-3.14.35.patch -From: http://www.kernel.org -Desc: Linux 3.14.35 - -Patch: 4420_grsecurity-3.1-3.14.35-201503092203.patch +Patch: 4420_grsecurity-3.1-3.14.36-201503182218.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.35/4420_grsecurity-3.1-3.14.35-201503092203.patch b/3.14.36/4420_grsecurity-3.1-3.14.36-201503182218.patch index 6e35a88..28c0f41 100644 --- a/3.14.35/4420_grsecurity-3.1-3.14.35-201503092203.patch +++ b/3.14.36/4420_grsecurity-3.1-3.14.36-201503182218.patch @@ -292,7 +292,7 @@ index 5d91ba1..935a4e7 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 9720e86..98643f8 100644 +index 4e6537b..ce0ac5f 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -23088,7 +23088,7 @@ index c5a9cb9..b6a5426 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 02553d6..ff1450f4 100644 +index 06469ee..ff1450f4 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -60,6 +60,8 @@ @@ -23758,7 +23758,7 @@ index 02553d6..ff1450f4 100644 .popsection /* -@@ -539,25 +1008,26 @@ ENTRY(ret_from_fork) +@@ -539,7 +1008,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -23766,19 +23766,9 @@ index 02553d6..ff1450f4 100644 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread? jz 1f -- testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -- jnz int_ret_from_sys_call -- -- RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET -- jmp ret_from_sys_call # go to the SYSRET fastpath -+ /* -+ * By the time we get here, we have no idea whether our pt_regs, -+ * ti flags, and ti status came from the 64-bit SYSCALL fast path, -+ * the slow path, or one of the ia32entry paths. -+ * Use int_ret_from_sys_call to return, since it can safely handle -+ * all of the above. -+ */ -+ jmp int_ret_from_sys_call + /* +@@ -552,15 +1021,13 @@ ENTRY(ret_from_fork) + jmp int_ret_from_sys_call 1: - subq $REST_SKIP, %rsp # leave space for volatiles @@ -23794,7 +23784,7 @@ index 02553d6..ff1450f4 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -594,7 +1064,7 @@ END(ret_from_fork) +@@ -597,7 +1064,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -23803,7 +23793,7 @@ index 02553d6..ff1450f4 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -607,16 +1077,23 @@ GLOBAL(system_call_after_swapgs) +@@ -610,16 +1077,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -23829,7 +23819,7 @@ index 02553d6..ff1450f4 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -640,10 +1117,13 @@ sysret_check: +@@ -643,10 +1117,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -23844,7 +23834,7 @@ index 02553d6..ff1450f4 100644 /* * sysretq will re-enable interrupts: */ -@@ -702,6 +1182,9 @@ auditsys: +@@ -705,6 +1182,9 @@ auditsys: movq %rax,%rsi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ call __audit_syscall_entry @@ -23854,7 +23844,7 @@ index 02553d6..ff1450f4 100644 LOAD_ARGS 0 /* reload call-clobbered registers */ jmp system_call_fastpath -@@ -723,7 +1206,7 @@ sysret_audit: +@@ -726,7 +1206,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -23863,7 +23853,7 @@ index 02553d6..ff1450f4 100644 jz auditsys #endif SAVE_REST -@@ -731,12 +1214,15 @@ tracesys: +@@ -734,12 +1214,15 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -23880,7 +23870,7 @@ index 02553d6..ff1450f4 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -766,7 +1252,9 @@ GLOBAL(int_with_check) +@@ -769,7 +1252,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -23891,7 +23881,7 @@ index 02553d6..ff1450f4 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -812,7 +1300,7 @@ int_restore_rest: +@@ -815,7 +1300,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -23900,7 +23890,7 @@ index 02553d6..ff1450f4 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -825,9 +1313,10 @@ ENTRY(stub_\func) +@@ -828,9 +1313,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 @@ -23913,7 +23903,7 @@ index 02553d6..ff1450f4 100644 .endm .macro FIXED_FRAME label,func -@@ -837,9 +1326,10 @@ ENTRY(\label) +@@ -840,9 +1326,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET @@ -23925,7 +23915,7 @@ index 02553d6..ff1450f4 100644 .endm FORK_LIKE clone -@@ -847,19 +1337,6 @@ END(\label) +@@ -850,19 +1337,6 @@ END(\label) FORK_LIKE vfork FIXED_FRAME stub_iopl, sys_iopl @@ -23945,7 +23935,7 @@ index 02553d6..ff1450f4 100644 ENTRY(stub_execve) CFI_STARTPROC addq $8, %rsp -@@ -871,7 +1348,7 @@ ENTRY(stub_execve) +@@ -874,7 +1348,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23954,7 +23944,7 @@ index 02553d6..ff1450f4 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -888,7 +1365,7 @@ ENTRY(stub_rt_sigreturn) +@@ -891,7 +1365,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23963,7 +23953,7 @@ index 02553d6..ff1450f4 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -902,7 +1379,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -905,7 +1379,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23972,7 +23962,7 @@ index 02553d6..ff1450f4 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -916,7 +1393,7 @@ ENTRY(stub_x32_execve) +@@ -919,7 +1393,7 @@ ENTRY(stub_x32_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23981,7 +23971,7 @@ index 02553d6..ff1450f4 100644 #endif -@@ -953,7 +1430,7 @@ vector=vector+1 +@@ -956,7 +1430,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -23990,7 +23980,7 @@ index 02553d6..ff1450f4 100644 .previous END(interrupt) -@@ -970,8 +1447,8 @@ END(interrupt) +@@ -973,8 +1447,8 @@ END(interrupt) /* 0(%rsp): ~(interrupt number) */ .macro interrupt func /* reserve pt_regs for scratch regs and rbp */ @@ -24001,7 +23991,7 @@ index 02553d6..ff1450f4 100644 SAVE_ARGS_IRQ call \func .endm -@@ -998,14 +1475,14 @@ ret_from_intr: +@@ -1001,14 +1475,14 @@ ret_from_intr: /* Restore saved previous stack */ popq %rsi @@ -24020,7 +24010,7 @@ index 02553d6..ff1450f4 100644 je retint_kernel /* Interrupt came from user space */ -@@ -1027,12 +1504,35 @@ retint_swapgs: /* return to user-space */ +@@ -1030,12 +1504,35 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -24056,7 +24046,7 @@ index 02553d6..ff1450f4 100644 /* * The iretq could re-enable interrupts: */ -@@ -1070,15 +1570,15 @@ native_irq_return_ldt: +@@ -1073,15 +1570,15 @@ native_irq_return_ldt: SWAPGS movq PER_CPU_VAR(espfix_waddr),%rdi movq %rax,(0*8)(%rdi) /* RAX */ @@ -24077,7 +24067,7 @@ index 02553d6..ff1450f4 100644 movq %rax,(4*8)(%rdi) andl $0xffff0000,%eax popq_cfi %rdi -@@ -1132,7 +1632,7 @@ ENTRY(retint_kernel) +@@ -1135,7 +1632,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif CFI_ENDPROC @@ -24086,7 +24076,7 @@ index 02553d6..ff1450f4 100644 /* * End of kprobes section -@@ -1151,7 +1651,7 @@ ENTRY(\sym) +@@ -1154,7 +1651,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -24095,7 +24085,7 @@ index 02553d6..ff1450f4 100644 .endm #ifdef CONFIG_TRACING -@@ -1239,7 +1739,7 @@ ENTRY(\sym) +@@ -1242,7 +1739,7 @@ ENTRY(\sym) call \do_sym jmp error_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24104,7 +24094,7 @@ index 02553d6..ff1450f4 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1257,10 +1757,10 @@ ENTRY(\sym) +@@ -1260,10 +1757,10 @@ ENTRY(\sym) call \do_sym jmp paranoid_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24117,7 +24107,7 @@ index 02553d6..ff1450f4 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1273,12 +1773,18 @@ ENTRY(\sym) +@@ -1276,12 +1773,18 @@ ENTRY(\sym) TRACE_IRQS_OFF_DEBUG movq %rsp,%rdi /* pt_regs pointer */ xorl %esi,%esi /* no error code */ @@ -24137,7 +24127,7 @@ index 02553d6..ff1450f4 100644 .endm .macro errorentry sym do_sym -@@ -1296,7 +1802,7 @@ ENTRY(\sym) +@@ -1299,7 +1802,7 @@ ENTRY(\sym) call \do_sym jmp error_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24146,7 +24136,7 @@ index 02553d6..ff1450f4 100644 .endm #ifdef CONFIG_TRACING -@@ -1327,7 +1833,7 @@ ENTRY(\sym) +@@ -1330,7 +1833,7 @@ ENTRY(\sym) call \do_sym jmp paranoid_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24155,7 +24145,7 @@ index 02553d6..ff1450f4 100644 .endm zeroentry divide_error do_divide_error -@@ -1357,9 +1863,10 @@ gs_change: +@@ -1360,9 +1863,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -24167,7 +24157,7 @@ index 02553d6..ff1450f4 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1387,9 +1894,10 @@ ENTRY(do_softirq_own_stack) +@@ -1390,9 +1894,10 @@ ENTRY(do_softirq_own_stack) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -24179,7 +24169,7 @@ index 02553d6..ff1450f4 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1427,7 +1935,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1430,7 +1935,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -24188,7 +24178,7 @@ index 02553d6..ff1450f4 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1486,7 +1994,7 @@ ENTRY(xen_failsafe_callback) +@@ -1489,7 +1994,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -24197,7 +24187,7 @@ index 02553d6..ff1450f4 100644 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1538,18 +2046,33 @@ ENTRY(paranoid_exit) +@@ -1541,18 +2046,33 @@ ENTRY(paranoid_exit) DEFAULT_FRAME DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG @@ -24233,7 +24223,7 @@ index 02553d6..ff1450f4 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1578,7 +2101,7 @@ paranoid_schedule: +@@ -1581,7 +2101,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -24242,7 +24232,7 @@ index 02553d6..ff1450f4 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1605,12 +2128,23 @@ ENTRY(error_entry) +@@ -1608,12 +2128,23 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -24267,7 +24257,7 @@ index 02553d6..ff1450f4 100644 ret /* -@@ -1644,7 +2178,7 @@ error_bad_iret: +@@ -1647,7 +2178,7 @@ error_bad_iret: decl %ebx /* Return to usergs */ jmp error_sti CFI_ENDPROC @@ -24276,7 +24266,7 @@ index 02553d6..ff1450f4 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1655,7 +2189,7 @@ ENTRY(error_exit) +@@ -1658,7 +2189,7 @@ ENTRY(error_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF GET_THREAD_INFO(%rcx) @@ -24285,7 +24275,7 @@ index 02553d6..ff1450f4 100644 jne retint_kernel LOCKDEP_SYS_EXIT_IRQ movl TI_flags(%rcx),%edx -@@ -1664,7 +2198,7 @@ ENTRY(error_exit) +@@ -1667,7 +2198,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -24294,7 +24284,7 @@ index 02553d6..ff1450f4 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1722,9 +2256,11 @@ ENTRY(nmi) +@@ -1725,9 +2256,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -24307,7 +24297,7 @@ index 02553d6..ff1450f4 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1758,8 +2294,7 @@ nested_nmi: +@@ -1761,8 +2294,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -24317,7 +24307,7 @@ index 02553d6..ff1450f4 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1777,6 +2312,7 @@ nested_nmi_out: +@@ -1780,6 +2312,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -24325,7 +24315,7 @@ index 02553d6..ff1450f4 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1873,13 +2409,13 @@ end_repeat_nmi: +@@ -1876,13 +2409,13 @@ end_repeat_nmi: subq $ORIG_RAX-R15, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 /* @@ -24341,7 +24331,7 @@ index 02553d6..ff1450f4 100644 DEFAULT_FRAME 0 /* -@@ -1889,9 +2425,9 @@ end_repeat_nmi: +@@ -1892,9 +2425,9 @@ end_repeat_nmi: * NMI itself takes a page fault, the page fault that was preempted * will read the information from the NMI page fault and not the * origin fault. Save it off and restore it if it changes. @@ -24353,7 +24343,7 @@ index 02553d6..ff1450f4 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi -@@ -1900,31 +2436,36 @@ end_repeat_nmi: +@@ -1903,31 +2436,36 @@ end_repeat_nmi: /* Did the NMI take a page fault? Restore cr2 if it did */ movq %cr2, %rcx @@ -28713,7 +28703,7 @@ index c697625..a032162 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 38d3751..497a96f 100644 +index 09651d4..cdb8f22 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -2258,7 +2258,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) @@ -43382,6 +43372,25 @@ index 9f5ad7c..588cd84 100644 wake_up_process(pool->thread); } } +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index a841123..055ebeb 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + if (dmasync) + dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + ++ /* ++ * If the combination of the addr and size requested for this memory ++ * region causes an integer overflow, return error. ++ */ ++ if ((PAGE_ALIGN(addr + size) <= size) || ++ (PAGE_ALIGN(addr + size) <= addr)) ++ return ERR_PTR(-EINVAL); ++ + if (!can_do_mlock()) + return ERR_PTR(-EPERM); + diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c index 41b1195..27971a0 100644 --- a/drivers/infiniband/hw/cxgb4/mem.c @@ -44069,7 +44078,7 @@ index eb62461..2b7fc71 100644 /* Blow away the connection if it exists. */ diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h -index 1946101..09766d2 100644 +index 675d3c7..65d72bc 100644 --- a/drivers/infiniband/hw/qib/qib.h +++ b/drivers/infiniband/hw/qib/qib.h @@ -52,6 +52,7 @@ @@ -44733,7 +44742,7 @@ index e2d4e58..40cd045 100644 /* error message helper function */ diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c -index 53d487f..cae33fe 100644 +index 53d487f..b4987ea 100644 --- a/drivers/isdn/icn/icn.c +++ b/drivers/isdn/icn/icn.c @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card) @@ -44777,6 +44786,15 @@ index 53d487f..cae33fe 100644 i = icn_writecmd(cbuf, strlen(cbuf), 0, card); } break; +@@ -1610,7 +1609,7 @@ icn_setup(char *line) + if (ints[0] > 1) + membase = (unsigned long)ints[2]; + if (str && *str) { +- strcpy(sid, str); ++ strlcpy(sid, str, sizeof(sid)); + icn_id = sid; + if ((p = strchr(sid, ','))) { + *p++ = 0; diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c index a4f05c5..1433bc5 100644 --- a/drivers/isdn/mISDN/dsp_cmx.c @@ -45007,7 +45025,7 @@ index 5152142..623d141 100644 DMWARN("name not supplied when creating device"); return -EINVAL; diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c -index 7dfdb5c..4caada6 100644 +index 089d627..ef7352e 100644 --- a/drivers/md/dm-raid1.c +++ b/drivers/md/dm-raid1.c @@ -40,7 +40,7 @@ enum dm_raid1_error { @@ -45064,7 +45082,7 @@ index 7dfdb5c..4caada6 100644 m = NULL; if (likely(m)) -@@ -927,7 +927,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, +@@ -936,7 +936,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, } ms->mirror[mirror].ms = ms; @@ -45073,7 +45091,7 @@ index 7dfdb5c..4caada6 100644 ms->mirror[mirror].error_type = 0; ms->mirror[mirror].offset = offset; -@@ -1342,7 +1342,7 @@ static void mirror_resume(struct dm_target *ti) +@@ -1351,7 +1351,7 @@ static void mirror_resume(struct dm_target *ti) */ static char device_status_char(struct mirror *m) { @@ -45193,7 +45211,7 @@ index e9d33ad..dae9880d 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 65ee3a0..1852af9 100644 +index 1582c3da..2a5ea0b 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -187,9 +187,9 @@ struct mapped_device { @@ -45228,7 +45246,7 @@ index 65ee3a0..1852af9 100644 wake_up(&md->eventq); } -@@ -2747,18 +2747,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2740,18 +2740,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -48382,7 +48400,7 @@ index fbf7dcd..ad71499 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 07c942b..747b848 100644 +index e8c21f9..747b848 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -422,7 +422,7 @@ static void macvtap_setup(struct net_device *dev) @@ -48394,33 +48412,7 @@ index 07c942b..747b848 100644 .kind = "macvtap", .setup = macvtap_setup, .newlink = macvtap_newlink, -@@ -637,12 +637,15 @@ static void macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, - } /* else everything is zero */ - } - -+/* Neighbour code has some assumptions on HH_DATA_MOD alignment */ -+#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN) -+ - /* Get packet from user space buffer */ - static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - const struct iovec *iv, unsigned long total_len, - size_t count, int noblock) - { -- int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN); -+ int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE); - struct sk_buff *skb; - struct macvlan_dev *vlan; - unsigned long len = total_len; -@@ -701,7 +704,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - linear = vnet_hdr.hdr_len; - } - -- skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, -+ skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen, - linear, noblock, &err); - if (!skb) - goto err; -@@ -1023,7 +1026,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, +@@ -1026,7 +1026,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, } ret = 0; @@ -48429,7 +48421,7 @@ index 07c942b..747b848 100644 put_user(q->flags, &ifr->ifr_flags)) ret = -EFAULT; macvtap_put_vlan(vlan); -@@ -1193,7 +1196,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -1196,7 +1196,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -48518,10 +48510,10 @@ index 1252d9c..80e660b 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 32efe83..cef96b8 100644 +index c28e2da..f58845e 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c -@@ -2098,7 +2098,7 @@ static unsigned int team_get_num_rx_queues(void) +@@ -2096,7 +2096,7 @@ static unsigned int team_get_num_rx_queues(void) return TEAM_DEFAULT_NUM_RX_QUEUES; } @@ -48530,7 +48522,7 @@ index 32efe83..cef96b8 100644 .kind = DRV_NAME, .priv_size = sizeof(struct team), .setup = team_setup, -@@ -2886,7 +2886,7 @@ static int team_device_event(struct notifier_block *unused, +@@ -2884,7 +2884,7 @@ static int team_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -51960,7 +51952,7 @@ index e8abb73..faa6fbe 100644 if (!sdp->request_queue->rq_timeout) { if (sdp->type != TYPE_MOD) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index df5e961..df6b97f 100644 +index eb81c98..e6716ae 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -52533,6 +52525,122 @@ index dc23395..cf7e9b1 100644 struct io_req { struct list_head list; +diff --git a/drivers/staging/rts5139/rts51x_transport.c b/drivers/staging/rts5139/rts51x_transport.c +index c172f4a..ad5aeb6 100644 +--- a/drivers/staging/rts5139/rts51x_transport.c ++++ b/drivers/staging/rts5139/rts51x_transport.c +@@ -339,11 +339,18 @@ int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe, + void *data, u16 size, int timeout) + { + struct rts51x_usb *rts51x = chip->usb; ++ void *buf = kmalloc(size, GFP_KERNEL); + int result; ++ int ret; ++ ++ if (buf == NULL) ++ TRACE_RET(chip, STATUS_ERROR); + + RTS51X_DEBUGP("%s: rq=%02x rqtype=%02x value=%04x index=%02x len=%u\n", + __func__, request, requesttype, value, index, size); + ++ memcpy(buf, data, size); ++ + /* fill in the devrequest structure */ + rts51x->cr->bRequestType = requesttype; + rts51x->cr->bRequest = request; +@@ -353,12 +360,17 @@ int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe, + + /* fill and submit the URB */ + usb_fill_control_urb(rts51x->current_urb, rts51x->pusb_dev, pipe, +- (unsigned char *)rts51x->cr, data, size, ++ (unsigned char *)rts51x->cr, buf, size, + urb_done_completion, NULL); + result = rts51x_msg_common(chip, rts51x->current_urb, timeout); + +- return interpret_urb_result(chip, pipe, size, result, ++ ret = interpret_urb_result(chip, pipe, size, result, + rts51x->current_urb->actual_length); ++ memcpy(data, buf, size); ++ ++ kfree(buf); ++ ++ return ret; + } + + static int rts51x_clear_halt(struct rts51x_chip *chip, unsigned int pipe) +@@ -535,17 +547,30 @@ static int rts51x_bulk_transfer_buf(struct rts51x_chip *chip, + unsigned int *act_len, int timeout) + { + int result; ++ int ret; ++ void *newbuf = kmalloc(length, GFP_KERNEL); ++ ++ if (newbuf == NULL) ++ TRACE_RET(chip, STATUS_ERROR); ++ ++ memcpy(newbuf, buf, length); + + /* fill and submit the URB */ + usb_fill_bulk_urb(chip->usb->current_urb, chip->usb->pusb_dev, pipe, +- buf, length, urb_done_completion, NULL); ++ newbuf, length, urb_done_completion, NULL); + result = rts51x_msg_common(chip, chip->usb->current_urb, timeout); + + /* store the actual length of the data transferred */ + if (act_len) + *act_len = chip->usb->current_urb->actual_length; +- return interpret_urb_result(chip, pipe, length, result, ++ ret = interpret_urb_result(chip, pipe, length, result, + chip->usb->current_urb->actual_length); ++ ++ memcpy(buf, newbuf, length); ++ ++ kfree(newbuf); ++ ++ return ret; + } + + int rts51x_transfer_data(struct rts51x_chip *chip, unsigned int pipe, +@@ -624,11 +649,19 @@ int rts51x_get_epc_status(struct rts51x_chip *chip, u16 *status) + unsigned int pipe = RCV_INTR_PIPE(chip); + struct usb_host_endpoint *ep; + struct completion urb_done; ++ u16 *buf_status; + int result; ++ int ret; + + if (!status) + TRACE_RET(chip, STATUS_ERROR); + ++ buf_status = kmalloc(sizeof(*status), GFP_KERNEL); ++ if (buf_status == NULL) ++ TRACE_RET(chip, STATUS_ERROR); ++ ++ *buf_status = *status; ++ + /* set up data structures for the wakeup system */ + init_completion(&urb_done); + +@@ -638,12 +671,17 @@ int rts51x_get_epc_status(struct rts51x_chip *chip, u16 *status) + /* Set interval to 10 here to match the endpoint descriptor, + * the polling interval is controlled by the polling thread */ + usb_fill_int_urb(chip->usb->intr_urb, chip->usb->pusb_dev, pipe, +- status, 2, urb_done_completion, &urb_done, 10); ++ buf_status, 2, urb_done_completion, &urb_done, 10); + + result = rts51x_msg_common(chip, chip->usb->intr_urb, 100); + +- return interpret_urb_result(chip, pipe, 2, result, ++ ret = interpret_urb_result(chip, pipe, 2, result, + chip->usb->intr_urb->actual_length); ++ *status = *buf_status; ++ ++ kfree(buf_status); ++ ++ return ret; + } + + u8 media_not_present[] = { diff --git a/drivers/staging/sbe-2t3e3/netdev.c b/drivers/staging/sbe-2t3e3/netdev.c index 1f5088b..0e59820 100644 --- a/drivers/staging/sbe-2t3e3/netdev.c @@ -53914,20 +54022,9 @@ index ce396ec..04a37be 100644 if (get_user(c, buf)) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 25d0741..f36ed8a 100644 +index 39988fa..f36ed8a 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c -@@ -996,8 +996,8 @@ EXPORT_SYMBOL(start_tty); - /* We limit tty time update visibility to every 8 seconds or so. */ - static void tty_update_time(struct timespec *time) - { -- unsigned long sec = get_seconds() & ~7; -- if ((long)(sec - time->tv_sec) > 0) -+ unsigned long sec = get_seconds(); -+ if (abs(sec - time->tv_sec) & ~7) - time->tv_sec = sec; - } - @@ -3480,7 +3480,7 @@ EXPORT_SYMBOL_GPL(get_current_tty); void tty_default_fops(struct file_operations *fops) @@ -53937,31 +54034,6 @@ index 25d0741..f36ed8a 100644 } /* -diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c -index 6fd60fe..22da05d 100644 ---- a/drivers/tty/tty_ioctl.c -+++ b/drivers/tty/tty_ioctl.c -@@ -217,11 +217,17 @@ void tty_wait_until_sent(struct tty_struct *tty, long timeout) - #endif - if (!timeout) - timeout = MAX_SCHEDULE_TIMEOUT; -+ - if (wait_event_interruptible_timeout(tty->write_wait, -- !tty_chars_in_buffer(tty), timeout) >= 0) { -- if (tty->ops->wait_until_sent) -- tty->ops->wait_until_sent(tty, timeout); -+ !tty_chars_in_buffer(tty), timeout) < 0) { -+ return; - } -+ -+ if (timeout == MAX_SCHEDULE_TIMEOUT) -+ timeout = 0; -+ -+ if (tty->ops->wait_until_sent) -+ tty->ops->wait_until_sent(tty, timeout); - } - EXPORT_SYMBOL(tty_wait_until_sent); - diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 2d822aa..a566234 100644 --- a/drivers/tty/tty_ldisc.c @@ -54348,7 +54420,7 @@ index 2a3bbdf..91d72cf 100644 file->f_version = event_count; return POLLIN | POLLRDNORM; diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c -index 9ca7716..a2ccc2e 100644 +index 45b7b96..e016243 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, @@ -54753,29 +54825,6 @@ index 29fa1c3..a57b08e 100644 struct usb_serial_port *port = info->port; struct usb_serial *serial; int retval = -ENODEV; -diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c -index b63ce02..d6a1979 100644 ---- a/drivers/usb/serial/generic.c -+++ b/drivers/usb/serial/generic.c -@@ -258,7 +258,8 @@ void usb_serial_generic_wait_until_sent(struct tty_struct *tty, long timeout) - * character or at least one jiffy. - */ - period = max_t(unsigned long, (10 * HZ / bps), 1); -- period = min_t(unsigned long, period, timeout); -+ if (timeout) -+ period = min_t(unsigned long, period, timeout); - - dev_dbg(&port->dev, "%s - timeout = %u ms, period = %u ms\n", - __func__, jiffies_to_msecs(timeout), -@@ -268,7 +269,7 @@ void usb_serial_generic_wait_until_sent(struct tty_struct *tty, long timeout) - schedule_timeout_interruptible(period); - if (signal_pending(current)) - break; -- if (time_after(jiffies, expire)) -+ if (timeout && time_after(jiffies, expire)) - break; - } - } diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h index 75f70f0..d467e1a 100644 --- a/drivers/usb/storage/usb.h @@ -58459,34 +58508,19 @@ index 6530ced..4a827e2 100644 goto out_sig; if (offset > inode->i_sb->s_maxbytes) diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c -index 3182c0e..23b078e 100644 +index e3399dc..23b078e 100644 --- a/fs/autofs4/dev-ioctl.c +++ b/fs/autofs4/dev-ioctl.c -@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param) - */ - static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in) - { -- struct autofs_dev_ioctl tmp; -+ struct autofs_dev_ioctl tmp, *res; - - if (copy_from_user(&tmp, in, sizeof(tmp))) - return ERR_PTR(-EFAULT); -@@ -103,7 +103,14 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i +@@ -103,6 +103,9 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i if (tmp.size < sizeof(tmp)) return ERR_PTR(-EINVAL); -- return memdup_user(in, tmp.size); + if (tmp.size > (PATH_MAX + sizeof(tmp))) + return ERR_PTR(-ENAMETOOLONG); + -+ res = memdup_user(in, tmp.size); -+ if (!IS_ERR(res)) -+ res->size = tmp.size; -+ -+ return res; - } - - static inline void free_dev_ioctl(struct autofs_dev_ioctl *param) + res = memdup_user(in, tmp.size); + if (!IS_ERR(res)) + res->size = tmp.size; diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c index 116fd38..c04182da 100644 --- a/fs/autofs4/waitq.c @@ -59778,19 +59812,6 @@ index ff286f3..8153a14 100644 .name = "features", .attrs = attrs, }; -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index aeb57b98..a7f32bf 100644 ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -979,7 +979,7 @@ again: - base = btrfs_item_ptr_offset(leaf, path->slots[0]); - - while (cur_offset < item_size) { -- extref = (struct btrfs_inode_extref *)base + cur_offset; -+ extref = (struct btrfs_inode_extref *)(base + cur_offset); - - victim_name_len = btrfs_inode_extref_name_len(leaf, extref); - diff --git a/fs/buffer.c b/fs/buffer.c index eef21c6..10a8304 100644 --- a/fs/buffer.c @@ -61045,30 +61066,10 @@ index 4366127..b8c2cf9 100644 dcache_init(); inode_init(); diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 1576195..5bf8b25 100644 +index 1ff8fe5..5bf8b25 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c -@@ -245,10 +245,19 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root) - return 0; - } - -+static void debugfs_evict_inode(struct inode *inode) -+{ -+ truncate_inode_pages(&inode->i_data, 0); -+ clear_inode(inode); -+ if (S_ISLNK(inode->i_mode)) -+ kfree(inode->i_private); -+} -+ - static const struct super_operations debugfs_super_operations = { - .statfs = simple_statfs, - .remount_fs = debugfs_remount, - .show_options = debugfs_show_options, -+ .evict_inode = debugfs_evict_inode, - }; - - static int debug_fill_super(struct super_block *sb, void *data, int silent) -@@ -415,7 +424,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); +@@ -424,7 +424,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); */ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) { @@ -61080,38 +61081,6 @@ index 1576195..5bf8b25 100644 parent, NULL, NULL); } EXPORT_SYMBOL_GPL(debugfs_create_dir); -@@ -465,23 +478,14 @@ static int __debugfs_remove(struct dentry *dentry, struct dentry *parent) - int ret = 0; - - if (debugfs_positive(dentry)) { -- if (dentry->d_inode) { -- dget(dentry); -- switch (dentry->d_inode->i_mode & S_IFMT) { -- case S_IFDIR: -- ret = simple_rmdir(parent->d_inode, dentry); -- break; -- case S_IFLNK: -- kfree(dentry->d_inode->i_private); -- /* fall through */ -- default: -- simple_unlink(parent->d_inode, dentry); -- break; -- } -- if (!ret) -- d_delete(dentry); -- dput(dentry); -- } -+ dget(dentry); -+ if (S_ISDIR(dentry->d_inode->i_mode)) -+ ret = simple_rmdir(parent->d_inode, dentry); -+ else -+ simple_unlink(parent->d_inode, dentry); -+ if (!ret) -+ d_delete(dentry); -+ dput(dentry); - } - return ret; - } diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c index a85ceb7..5097313b 100644 --- a/fs/ecryptfs/inode.c @@ -62275,6 +62244,48 @@ index 1268a1b..adf949f 100644 __ext4_warning(sb, function, line, "MMP failure info: last update time: %llu, last update " "node: %s, last update device: %s\n", +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 2400ad1..0bc93ab 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -400,7 +400,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle, + + ext4_debug("mark blocks [%llu/%u] used\n", block, count); + for (count2 = count; count > 0; count -= count2, block += count2) { +- ext4_fsblk_t start; ++ ext4_fsblk_t start, diff; + struct buffer_head *bh; + ext4_group_t group; + int err; +@@ -409,10 +409,6 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle, + start = ext4_group_first_block_no(sb, group); + group -= flex_gd->groups[0].group; + +- count2 = EXT4_BLOCKS_PER_GROUP(sb) - (block - start); +- if (count2 > count) +- count2 = count; +- + if (flex_gd->bg_flags[group] & EXT4_BG_BLOCK_UNINIT) { + BUG_ON(flex_gd->count > 1); + continue; +@@ -429,9 +425,15 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle, + err = ext4_journal_get_write_access(handle, bh); + if (err) + return err; ++ ++ diff = block - start; ++ count2 = EXT4_BLOCKS_PER_GROUP(sb) - diff; ++ if (count2 > count) ++ count2 = count; ++ + ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block, +- block - start, count2); +- ext4_set_bits(bh->b_data, block - start, count2); ++ diff, count2); ++ ext4_set_bits(bh->b_data, diff, count2); + + err = ext4_handle_dirty_metadata(handle, NULL, bh); + if (unlikely(err)) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 9fb3e6c..9a82508 100644 --- a/fs/ext4/super.c @@ -66743,10 +66754,10 @@ index 985ea88..d118a0a 100644 } diff --git a/fs/proc/generic.c b/fs/proc/generic.c -index b7f268e..3bea6b7 100644 +index 2e2d9d5..0ac3d4e 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c -@@ -23,6 +23,7 @@ +@@ -22,6 +22,7 @@ #include <linux/bitops.h> #include <linux/spinlock.h> #include <linux/completion.h> @@ -66754,7 +66765,7 @@ index b7f268e..3bea6b7 100644 #include <asm/uaccess.h> #include "internal.h" -@@ -207,6 +208,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry, +@@ -195,6 +196,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry, return proc_lookup_de(PDE(dir), dir, dentry); } @@ -66770,7 +66781,7 @@ index b7f268e..3bea6b7 100644 /* * This returns non-zero if at EOF, so that the /proc * root directory can use this and check if it should -@@ -264,6 +274,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx) +@@ -252,6 +262,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx) return proc_readdir_de(PDE(inode), file, ctx); } @@ -66787,7 +66798,7 @@ index b7f268e..3bea6b7 100644 /* * These are the generic /proc directory operations. They * use the in-memory "struct proc_dir_entry" tree to parse -@@ -275,6 +295,12 @@ static const struct file_operations proc_dir_operations = { +@@ -263,6 +283,12 @@ static const struct file_operations proc_dir_operations = { .iterate = proc_readdir, }; @@ -66800,7 +66811,7 @@ index b7f268e..3bea6b7 100644 /* * proc directories can do almost nothing.. */ -@@ -284,6 +310,12 @@ static const struct inode_operations proc_dir_inode_operations = { +@@ -272,6 +298,12 @@ static const struct inode_operations proc_dir_inode_operations = { .setattr = proc_notify_change, }; @@ -66813,7 +66824,7 @@ index b7f268e..3bea6b7 100644 static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp) { struct proc_dir_entry *tmp; -@@ -294,8 +326,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp +@@ -282,8 +314,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp return ret; if (S_ISDIR(dp->mode)) { @@ -66829,7 +66840,7 @@ index b7f268e..3bea6b7 100644 dir->nlink++; } else if (S_ISLNK(dp->mode)) { dp->proc_iops = &proc_link_inode_operations; -@@ -407,6 +444,27 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode, +@@ -395,6 +432,27 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode, } EXPORT_SYMBOL_GPL(proc_mkdir_data); @@ -66857,7 +66868,7 @@ index b7f268e..3bea6b7 100644 struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode, struct proc_dir_entry *parent) { -@@ -421,6 +479,13 @@ struct proc_dir_entry *proc_mkdir(const char *name, +@@ -409,6 +467,13 @@ struct proc_dir_entry *proc_mkdir(const char *name, } EXPORT_SYMBOL(proc_mkdir); @@ -66872,13 +66883,13 @@ index b7f268e..3bea6b7 100644 struct proc_dir_entry *parent, const struct file_operations *proc_fops, diff --git a/fs/proc/inode.c b/fs/proc/inode.c -index 124fc43..8afbb02 100644 +index 2f2815f..07fa320 100644 --- a/fs/proc/inode.c +++ b/fs/proc/inode.c -@@ -23,11 +23,17 @@ - #include <linux/slab.h> +@@ -24,11 +24,17 @@ #include <linux/mount.h> #include <linux/magic.h> + #include <linux/namei.h> +#include <linux/grsecurity.h> #include <asm/uaccess.h> @@ -66893,7 +66904,7 @@ index 124fc43..8afbb02 100644 static void proc_evict_inode(struct inode *inode) { struct proc_dir_entry *de; -@@ -55,6 +61,13 @@ static void proc_evict_inode(struct inode *inode) +@@ -56,6 +62,13 @@ static void proc_evict_inode(struct inode *inode) ns = PROC_I(inode)->ns.ns; if (ns_ops && ns) ns_ops->put(ns); @@ -66907,7 +66918,7 @@ index 124fc43..8afbb02 100644 } static struct kmem_cache * proc_inode_cachep; -@@ -413,7 +426,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) +@@ -434,7 +447,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; @@ -66920,7 +66931,7 @@ index 124fc43..8afbb02 100644 if (de->size) inode->i_size = de->size; diff --git a/fs/proc/internal.h b/fs/proc/internal.h -index 651d09a..6a4b495 100644 +index 8b8ca1d..d15474f 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -46,9 +46,10 @@ struct proc_dir_entry { @@ -88370,7 +88381,7 @@ index 9a00147..d814573 100644 struct snd_soc_platform { const char *name; diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h -index 1772fad..282e3e2 100644 +index 34932540..8d54ec7 100644 --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h @@ -754,7 +754,7 @@ struct se_device { @@ -88764,7 +88775,7 @@ index 30f5362..8ed8ac9 100644 void *pmi_pal; u8 *vbe_state_orig; /* diff --git a/init/Kconfig b/init/Kconfig -index 8b9521a..8a3cc34 100644 +index 8b9521a..8a3cc34d 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1079,6 +1079,7 @@ endif # CGROUPS @@ -96858,7 +96869,7 @@ index b32b70c..e512eb0 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 472259b..7a58e99 100644 +index c3e8660..3499fac 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2070,6 +2070,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, @@ -96905,7 +96916,7 @@ index 472259b..7a58e99 100644 if (ret) goto out; -@@ -2629,6 +2633,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2630,6 +2634,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } @@ -96933,7 +96944,7 @@ index 472259b..7a58e99 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. * Called with hugetlb_instantiation_mutex held and pte_page locked so we -@@ -2745,6 +2770,11 @@ retry_avoidcopy: +@@ -2746,6 +2771,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -96945,7 +96956,7 @@ index 472259b..7a58e99 100644 /* Make the old page be freed below */ new_page = old_page; } -@@ -2909,6 +2939,10 @@ retry: +@@ -2910,6 +2940,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -96956,7 +96967,7 @@ index 472259b..7a58e99 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl); -@@ -2939,6 +2973,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2940,6 +2974,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, static DEFINE_MUTEX(hugetlb_instantiation_mutex); struct hstate *h = hstate_vma(vma); @@ -96967,7 +96978,7 @@ index 472259b..7a58e99 100644 address &= huge_page_mask(h); ptep = huge_pte_offset(mm, address); -@@ -2952,6 +2990,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2953,6 +2991,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(hstate_index(h)); } @@ -97270,7 +97281,7 @@ index a98c7fc..393f8f1 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index 7f30bea..67cb92b 100644 +index 102af09..4118c57 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -403,6 +403,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -98155,7 +98166,7 @@ index b1eb536..091d154 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 085bcd8..916b1d4 100644 +index d4c97ba..916b1d4 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -37,6 +37,7 @@ @@ -98220,24 +98231,6 @@ index 085bcd8..916b1d4 100644 /* * Make sure vm_committed_as in one cacheline and not cacheline shared with * other variables. It can be updated by several CPUs frequently. -@@ -129,7 +150,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed); - */ - int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - { -- unsigned long free, allowed, reserve; -+ long free, allowed, reserve; - - vm_acct_memory(pages); - -@@ -193,7 +214,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - */ - if (mm) { - reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10); -- allowed -= min(mm->total_vm / 32, reserve); -+ allowed -= min_t(long, mm->total_vm / 32, reserve); - } - - if (percpu_counter_read_positive(&vm_committed_as) < allowed) @@ -247,6 +268,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) struct vm_area_struct *next = vma->vm_next; @@ -99766,7 +99759,7 @@ index 05f1180..c3cde48 100644 out: if (ret & ~PAGE_MASK) diff --git a/mm/nommu.c b/mm/nommu.c -index 3ee4f74..d79b8e2 100644 +index 76b3f90..d79b8e2 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -66,7 +66,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT; @@ -99801,24 +99794,6 @@ index 3ee4f74..d79b8e2 100644 *region = *vma->vm_region; new->vm_region = region; -@@ -1905,7 +1896,7 @@ EXPORT_SYMBOL(unmap_mapping_range); - */ - int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - { -- unsigned long free, allowed, reserve; -+ long free, allowed, reserve; - - vm_acct_memory(pages); - -@@ -1969,7 +1960,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - */ - if (mm) { - reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10); -- allowed -= min(mm->total_vm / 32, reserve); -+ allowed -= min_t(long, mm->total_vm / 32, reserve); - } - - if (percpu_counter_read_positive(&vm_committed_as) < allowed) @@ -2001,8 +1992,8 @@ int generic_file_remap_pages(struct vm_area_struct *vma, unsigned long addr, } EXPORT_SYMBOL(generic_file_remap_pages); @@ -99864,7 +99839,7 @@ index 9f45f87..749bfd8 100644 unsigned long bg_thresh, unsigned long dirty, diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index ea41913..d1a474f 100644 +index 0479732..4c6aee3 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -61,6 +61,7 @@ @@ -99960,7 +99935,7 @@ index ea41913..d1a474f 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); -@@ -1948,7 +1988,7 @@ static void reset_alloc_batches(struct zone *preferred_zone) +@@ -1946,7 +1986,7 @@ static void reset_alloc_batches(struct zone *preferred_zone) do { mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -99969,7 +99944,7 @@ index ea41913..d1a474f 100644 zone_clear_flag(zone, ZONE_FAIR_DEPLETED); } while (zone++ != preferred_zone); } -@@ -5711,7 +5751,7 @@ static void __setup_per_zone_wmarks(void) +@@ -5709,7 +5749,7 @@ static void __setup_per_zone_wmarks(void) __mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -99978,7 +99953,7 @@ index ea41913..d1a474f 100644 setup_zone_migrate_reserve(zone); spin_unlock_irqrestore(&zone->lock, flags); -@@ -6652,4 +6692,4 @@ void dump_page(struct page *page, char *reason) +@@ -6650,4 +6690,4 @@ void dump_page(struct page *page, char *reason) { dump_page_badflags(page, reason, 0); } @@ -102626,7 +102601,7 @@ index 2e87eec..6301eb0 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index cbc1a2a..ab7644e 100644 +index 275af79..859a46f 100644 --- a/net/compat.c +++ b/net/compat.c @@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) @@ -102756,7 +102731,7 @@ index cbc1a2a..ab7644e 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -804,7 +804,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -795,7 +795,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -102779,7 +102754,7 @@ index a16ed7b..eb44d17 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 4ed77d7..e1ef1c9 100644 +index f6d8d7f..846845c 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1695,14 +1695,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -103182,7 +103157,7 @@ index 723fa7d..81bd037 100644 iph->ttl = 64; iph->protocol = IPPROTO_UDP; diff --git a/net/core/pktgen.c b/net/core/pktgen.c -index fdac61c..e5e5b46 100644 +index ca68d32..236499d 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -3719,7 +3719,7 @@ static int __net_init pg_net_init(struct net *net) @@ -103195,7 +103170,7 @@ index fdac61c..e5e5b46 100644 pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR); return -ENODEV; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a6613ff..810aa44 100644 +index 8aadd6a..adf3f59 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -58,7 +58,7 @@ struct rtnl_link { @@ -103233,7 +103208,7 @@ index a6613ff..810aa44 100644 } EXPORT_SYMBOL_GPL(__rtnl_link_unregister); -@@ -2010,6 +2013,10 @@ replay: +@@ -2006,6 +2009,10 @@ replay: if (IS_ERR(dest_net)) return PTR_ERR(dest_net); @@ -103244,7 +103219,7 @@ index a6613ff..810aa44 100644 dev = rtnl_create_link(dest_net, ifname, ops, tb); if (IS_ERR(dev)) { err = PTR_ERR(dev); -@@ -2689,6 +2696,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh) +@@ -2693,6 +2700,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh) if (br_spec) { nla_for_each_nested(attr, br_spec, rem) { if (nla_type(attr) == IFLA_BRIDGE_FLAGS) { @@ -103254,7 +103229,7 @@ index a6613ff..810aa44 100644 have_flags = true; flags = nla_get_u16(attr); break; -@@ -2759,6 +2769,9 @@ static int rtnl_bridge_dellink(struct sk_buff *skb, struct nlmsghdr *nlh) +@@ -2763,6 +2773,9 @@ static int rtnl_bridge_dellink(struct sk_buff *skb, struct nlmsghdr *nlh) if (br_spec) { nla_for_each_nested(attr, br_spec, rem) { if (nla_type(attr) == IFLA_BRIDGE_FLAGS) { @@ -103559,10 +103534,19 @@ index c38e7a2..773e3d7 100644 } EXPORT_SYMBOL_GPL(sock_diag_unregister); diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c -index cf9cd13..8b56af3 100644 +index cf9cd13..26d07e0 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c -@@ -32,7 +32,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, +@@ -25,6 +25,8 @@ + static int zero = 0; + static int one = 1; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + #ifdef CONFIG_RPS + static int rps_sock_flow_sysctl(struct ctl_table *table, int write, +@@ -32,7 +34,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, { unsigned int orig_size, size; int ret, i; @@ -103571,7 +103555,7 @@ index cf9cd13..8b56af3 100644 .data = &size, .maxlen = sizeof(size), .mode = table->mode -@@ -200,7 +200,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, +@@ -200,7 +202,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { char id[IFNAMSIZ]; @@ -103580,7 +103564,43 @@ index cf9cd13..8b56af3 100644 .data = id, .maxlen = IFNAMSIZ, }; -@@ -379,13 +379,12 @@ static struct ctl_table netns_core_table[] = { +@@ -223,7 +225,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", +@@ -231,7 +233,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", +@@ -239,7 +241,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", +@@ -247,7 +249,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", +@@ -379,13 +381,12 @@ static struct ctl_table netns_core_table[] = { static __net_init int sysctl_core_net_init(struct net *net) { @@ -103596,7 +103616,7 @@ index cf9cd13..8b56af3 100644 if (tbl == NULL) goto err_dup; -@@ -395,17 +394,16 @@ static __net_init int sysctl_core_net_init(struct net *net) +@@ -395,17 +396,16 @@ static __net_init int sysctl_core_net_init(struct net *net) if (net->user_ns != &init_user_ns) { tbl[0].procname = NULL; } @@ -103618,7 +103638,7 @@ index cf9cd13..8b56af3 100644 err_dup: return -ENOMEM; } -@@ -420,7 +418,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) +@@ -420,7 +420,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) kfree(tbl); } @@ -103911,6 +103931,42 @@ index 0d1e2cb..4501a2c 100644 EXPORT_SYMBOL(sysctl_local_reserved_ports); void inet_get_local_port_range(struct net *net, int *low, int *high) +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index e34dccb..4eeba4e 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler( + mutex_unlock(&inet_diag_table_mutex); + } + ++static size_t inet_sk_attr_size(void) ++{ ++ return nla_total_size(sizeof(struct tcp_info)) ++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) ++ + nla_total_size(sizeof(struct inet_diag_msg)) ++ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) ++ + nla_total_size(TCP_CA_NAME_MAX) ++ + nla_total_size(sizeof(struct tcpvegas_info)) ++ + 64; ++} ++ + int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, + struct sk_buff *skb, struct inet_diag_req_v2 *req, + struct user_namespace *user_ns, +@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s + if (err) + goto out; + +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + +- sizeof(struct tcp_info) + 64, GFP_KERNEL); ++ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); + if (!rep) { + err = -ENOMEM; + goto out; diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 8b9cf27..9c17cab 100644 --- a/net/ipv4/inet_hashtables.c @@ -103955,7 +104011,7 @@ index bf2cb4a..d83ba8a 100644 p->rate_tokens = 0; /* 60*HZ is arbitrary, but chosen enough high so that the first diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c -index c10a3ce..dd71f84 100644 +index 9ff497d..877a388 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -283,7 +283,7 @@ static inline int ip_frag_too_far(struct ipq *qp) @@ -103967,7 +104023,7 @@ index c10a3ce..dd71f84 100644 qp->rid = end; rc = qp->q.fragments && (end - start) > max; -@@ -760,12 +760,11 @@ static struct ctl_table ip4_frags_ctl_table[] = { +@@ -763,12 +763,11 @@ static struct ctl_table ip4_frags_ctl_table[] = { static int __net_init ip4_frags_ns_ctl_register(struct net *net) { @@ -103982,7 +104038,7 @@ index c10a3ce..dd71f84 100644 if (table == NULL) goto err_alloc; -@@ -776,9 +775,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) +@@ -779,9 +778,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) /* Don't export sysctls to unprivileged users */ if (net->user_ns != &init_user_ns) table[0].procname = NULL; @@ -103995,7 +104051,7 @@ index c10a3ce..dd71f84 100644 if (hdr == NULL) goto err_reg; -@@ -786,8 +786,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) +@@ -789,8 +789,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) return 0; err_reg: @@ -104271,7 +104327,7 @@ index 2510c02..cfb34fa 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 04ce671..f13b8c2 100644 +index b94002a..f13b8c2 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { @@ -104283,38 +104339,20 @@ index 04ce671..f13b8c2 100644 EXPORT_SYMBOL_GPL(pingv6_ops); static u16 ping_port_rover; -@@ -259,6 +259,9 @@ int ping_init_sock(struct sock *sk) +@@ -259,10 +259,9 @@ int ping_init_sock(struct sock *sk) kgid_t low, high; int ret = 0; -+ if (sk->sk_family == AF_INET6) +-#if IS_ENABLED(CONFIG_IPV6) + if (sk->sk_family == AF_INET6) +- inet6_sk(sk)->ipv6only = 1; +-#endif + sk->sk_ipv6only = 1; + inet_get_ping_group_range_net(net, &low, &high); if (gid_lte(low, group) && gid_lte(group, high)) return 0; -@@ -305,6 +308,11 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, - if (addr_len < sizeof(*addr)) - return -EINVAL; - -+ if (addr->sin_family != AF_INET && -+ !(addr->sin_family == AF_UNSPEC && -+ addr->sin_addr.s_addr == htonl(INADDR_ANY))) -+ return -EAFNOSUPPORT; -+ - pr_debug("ping_check_bind_addr(sk=%p,addr=%pI4,port=%d)\n", - sk, &addr->sin_addr.s_addr, ntohs(addr->sin_port)); - -@@ -330,7 +338,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, - return -EINVAL; - - if (addr->sin6_family != AF_INET6) -- return -EINVAL; -+ return -EAFNOSUPPORT; - - pr_debug("ping_check_bind_addr(sk=%p,addr=%pI6c,port=%d)\n", - sk, addr->sin6_addr.s6_addr, ntohs(addr->sin6_port)); -@@ -350,7 +358,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, +@@ -359,7 +358,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, return -ENODEV; } } @@ -104323,7 +104361,7 @@ index 04ce671..f13b8c2 100644 scoped); rcu_read_unlock(); -@@ -558,7 +566,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -567,7 +566,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) } #if IS_ENABLED(CONFIG_IPV6) } else if (skb->protocol == htons(ETH_P_IPV6)) { @@ -104332,7 +104370,7 @@ index 04ce671..f13b8c2 100644 #endif } -@@ -576,7 +584,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -585,7 +584,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) info, (u8 *)icmph); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -104341,16 +104379,7 @@ index 04ce671..f13b8c2 100644 info, (u8 *)icmph); #endif } -@@ -716,7 +724,7 @@ static int ping_v4_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - if (msg->msg_namelen < sizeof(*usin)) - return -EINVAL; - if (usin->sin_family != AF_INET) -- return -EINVAL; -+ return -EAFNOSUPPORT; - daddr = usin->sin_addr.s_addr; - /* no remote port */ - } else { -@@ -860,7 +868,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -869,7 +868,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, return ip_recv_error(sk, msg, len, addr_len); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -104359,7 +104388,7 @@ index 04ce671..f13b8c2 100644 addr_len); #endif } -@@ -918,10 +926,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -927,10 +926,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, } if (inet6_sk(sk)->rxopt.all) @@ -104372,7 +104401,7 @@ index 04ce671..f13b8c2 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1116,7 +1124,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1125,7 +1124,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -105479,23 +105508,10 @@ index 767ab8d..c5ec70a 100644 return -ENOMEM; } diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c -index bda7429..5b5bbe3 100644 +index 4611995..5b5bbe3 100644 --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c -@@ -103,9 +103,10 @@ int ping_v6_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - - if (msg->msg_name) { - DECLARE_SOCKADDR(struct sockaddr_in6 *, u, msg->msg_name); -- if (msg->msg_namelen < sizeof(struct sockaddr_in6) || -- u->sin6_family != AF_INET6) { -+ if (msg->msg_namelen < sizeof(*u)) - return -EINVAL; -+ if (u->sin6_family != AF_INET6) { -+ return -EAFNOSUPPORT; - } - if (sk->sk_bound_dev_if && - sk->sk_bound_dev_if != u->sin6_scope_id) { -@@ -246,6 +247,24 @@ static struct pernet_operations ping_v6_net_ops = { +@@ -247,6 +247,24 @@ static struct pernet_operations ping_v6_net_ops = { }; #endif @@ -105520,7 +105536,7 @@ index bda7429..5b5bbe3 100644 int __init pingv6_init(void) { #ifdef CONFIG_PROC_FS -@@ -253,13 +272,7 @@ int __init pingv6_init(void) +@@ -254,13 +272,7 @@ int __init pingv6_init(void) if (ret) return ret; #endif @@ -105535,7 +105551,7 @@ index bda7429..5b5bbe3 100644 return inet6_register_protosw(&pingv6_protosw); } -@@ -268,14 +281,9 @@ int __init pingv6_init(void) +@@ -269,14 +281,9 @@ int __init pingv6_init(void) */ void pingv6_exit(void) { @@ -105682,7 +105698,7 @@ index cc85a9b..526a133 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 6f1b850..50e95c7 100644 +index 3809ca2..fdda6b4 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2970,7 +2970,7 @@ struct ctl_table ipv6_route_table_template[] = { @@ -105999,7 +106015,7 @@ index e15c16a..7cf07aa 100644 if (!ipx_proc_dir) goto out; diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c -index 2ba8b97..6d33010 100644 +index fdcb968..2b6cc59 100644 --- a/net/irda/ircomm/ircomm_tty.c +++ b/net/irda/ircomm/ircomm_tty.c @@ -317,11 +317,11 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self, @@ -106055,7 +106071,7 @@ index 2ba8b97..6d33010 100644 /* Not really used by us, but lets do it anyway */ self->port.low_latency = (self->port.flags & ASYNC_LOW_LATENCY) ? 1 : 0; -@@ -987,7 +987,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty) +@@ -989,7 +989,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty) tty_kref_put(port->tty); } port->tty = NULL; @@ -106064,7 +106080,7 @@ index 2ba8b97..6d33010 100644 spin_unlock_irqrestore(&port->lock, flags); wake_up_interruptible(&port->open_wait); -@@ -1344,7 +1344,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m) +@@ -1346,7 +1346,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m) seq_putc(m, '\n'); seq_printf(m, "Role: %s\n", self->client ? "client" : "server"); @@ -106383,18 +106399,6 @@ index 6ff1346..936ca9a 100644 return -EFAULT; return p; -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index e5a7ac2..dca076f 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -562,6 +562,7 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx) - if (tx->sdata->control_port_no_encrypt) - info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT; - info->control.flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO; -+ info->flags |= IEEE80211_TX_CTL_USE_MINRATE; - } - - return TX_CONTINUE; diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 6427625..afa5a5a 100644 --- a/net/mac80211/util.c @@ -107260,6 +107264,94 @@ index a91e1db..cf3053f 100644 #else ic->i_ack_next = 0; #endif +diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c +index a817705..dba8d08 100644 +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c index 4503335..db566b4 100644 --- a/net/rds/iw_recv.c @@ -108299,18 +108391,9 @@ index 0f73f45..a96aa52 100644 /* make a copy for the caller */ *handle = ctxh; diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c -index ae333c1..1dca80d 100644 +index 0adc66c..1dca80d 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c -@@ -920,7 +920,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait, - poll_wait(filp, &queue_wait, wait); - - /* alway allow write */ -- mask = POLL_OUT | POLLWRNORM; -+ mask = POLLOUT | POLLWRNORM; - - if (!rp) - return mask; @@ -1609,7 +1609,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net) struct sunrpc_net *sn; @@ -108632,7 +108715,7 @@ index 6424372..afd36e9 100644 sub->evt.event = htohl(event, sub->swap); sub->evt.found_lower = htohl(found_lower, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 94404f1..5782191 100644 +index 94404f1..5c1346e 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -791,6 +791,12 @@ static struct sock *unix_find_other(struct net *net, @@ -108681,7 +108764,24 @@ index 94404f1..5782191 100644 done_path_create(&path, dentry); return err; } -@@ -2344,9 +2363,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2243,11 +2262,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, + writable = unix_writable(sk); + other = unix_peer_get(sk); + if (other) { +- if (unix_peer(other) != sk) { ++ unix_state_lock(other); ++ if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) != sk) { ++ unix_state_unlock(other); + sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); + if (unix_recvq_full(other)) + writable = 0; +- } ++ } else ++ unix_state_unlock(other); + sock_put(other); + } + +@@ -2344,9 +2366,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -108696,7 +108796,7 @@ index 94404f1..5782191 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2373,8 +2396,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2373,8 +2399,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) } for ( ; i < len; i++) seq_putc(seq, u->addr->name->sun_path[i]); @@ -111478,10 +111578,10 @@ index c4ac3c1..5266261 100644 if (err < 0) return err; diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c -index 566b0f6..636730b 100644 +index ee24057..3114985 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c -@@ -2811,11 +2811,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, +@@ -2813,11 +2813,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, switch (substream->stream) { case SNDRV_PCM_STREAM_PLAYBACK: result = snd_pcm_playback_ioctl1(NULL, substream, cmd, @@ -113059,7 +113159,7 @@ index 0000000..3b5af59 +} diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h new file mode 100644 -index 0000000..de1d984 +index 0000000..cd95c07 --- /dev/null +++ b/tools/gcc/gcc-common.h @@ -0,0 +1,375 @@ @@ -113283,7 +113383,7 @@ index 0000000..de1d984 + +#define int_const_binop(code, arg1, arg2) int_const_binop((code), (arg1), (arg2), 0) + -+static inline bool gimple_clobber_p(gimple s) ++static inline bool gimple_clobber_p(gimple s __unused) +{ + return false; +} @@ -119906,10 +120006,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..3d3508d +index 0000000..f084dc7 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,6042 @@ +@@ -0,0 +1,6045 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -124402,6 +124502,7 @@ index 0000000..3d3508d +joydev_handle_JSIOCSAXMAP_48898 joydev_handle_JSIOCSAXMAP 3 48898 NULL +xdi_copy_to_user_48900 xdi_copy_to_user 4 48900 NULL +msg_hdr_sz_48908 msg_hdr_sz 0 48908 NULL ++rts51x_ctrl_transfer_48914 rts51x_ctrl_transfer 8 48914 NULL +sep_crypto_dma_48937 sep_crypto_dma 0 48937 NULL +si5351_write_parameters_48940 si5351_write_parameters 2 48940 NULL +event_heart_beat_read_48961 event_heart_beat_read 3 48961 NULL @@ -124544,6 +124645,7 @@ index 0000000..3d3508d +lpfc_idiag_pcicfg_read_50334 lpfc_idiag_pcicfg_read 3 50334 NULL +snd_pcm_lib_writev_50337 snd_pcm_lib_writev 0-3 50337 NULL +tpm_read_50344 tpm_read 3 50344 NULL ++rts51x_bulk_transfer_buf_50352 rts51x_bulk_transfer_buf 4 50352 NULL +isdn_ppp_read_50356 isdn_ppp_read 4 50356 NULL +iwl_dbgfs_echo_test_write_50362 iwl_dbgfs_echo_test_write 3 50362 NULL +xfrm_send_migrate_50365 xfrm_send_migrate 5 50365 NULL @@ -125412,6 +125514,7 @@ index 0000000..3d3508d +journal_init_dev_59384 journal_init_dev 5 59384 NULL +__net_get_random_once_59389 __net_get_random_once 2 59389 NULL +isku_sysfs_read_keys_function_59412 isku_sysfs_read_keys_function 6 59412 NULL ++rts51x_transfer_data_59416 rts51x_transfer_data 4 59416 NULL +pci_ctrl_read_59424 pci_ctrl_read 0 59424 NULL +vxge_hw_ring_rxds_per_block_get_59425 vxge_hw_ring_rxds_per_block_get 0 59425 NULL +SyS_sched_setaffinity_59442 SyS_sched_setaffinity 2 59442 NULL diff --git a/3.14.35/4425_grsec_remove_EI_PAX.patch b/3.14.36/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.14.35/4425_grsec_remove_EI_PAX.patch +++ b/3.14.36/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.35/4427_force_XATTR_PAX_tmpfs.patch b/3.14.36/4427_force_XATTR_PAX_tmpfs.patch index 4c236cc..4c236cc 100644 --- a/3.14.35/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.36/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.35/4430_grsec-remove-localversion-grsec.patch b/3.14.36/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.35/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.36/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.35/4435_grsec-mute-warnings.patch b/3.14.36/4435_grsec-mute-warnings.patch index 392cefb..392cefb 100644 --- a/3.14.35/4435_grsec-mute-warnings.patch +++ b/3.14.36/4435_grsec-mute-warnings.patch diff --git a/3.14.35/4440_grsec-remove-protected-paths.patch b/3.14.36/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.35/4440_grsec-remove-protected-paths.patch +++ b/3.14.36/4440_grsec-remove-protected-paths.patch diff --git a/3.14.35/4450_grsec-kconfig-default-gids.patch b/3.14.36/4450_grsec-kconfig-default-gids.patch index 8c878fc..8c878fc 100644 --- a/3.14.35/4450_grsec-kconfig-default-gids.patch +++ b/3.14.36/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.35/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.36/4465_selinux-avc_audit-log-curr_ip.patch index bba906e..bba906e 100644 --- a/3.14.35/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.36/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.35/4470_disable-compat_vdso.patch b/3.14.36/4470_disable-compat_vdso.patch index 3b3953b..3b3953b 100644 --- a/3.14.35/4470_disable-compat_vdso.patch +++ b/3.14.36/4470_disable-compat_vdso.patch diff --git a/3.14.35/4475_emutramp_default_on.patch b/3.14.36/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.14.35/4475_emutramp_default_on.patch +++ b/3.14.36/4475_emutramp_default_on.patch diff --git a/3.19.1/1000_linux-3.19.1.patch b/3.19.1/1000_linux-3.19.1.patch deleted file mode 100644 index 0d6158e..0000000 --- a/3.19.1/1000_linux-3.19.1.patch +++ /dev/null @@ -1,7185 +0,0 @@ -diff --git a/Makefile b/Makefile -index b15036b..688777b 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 19 --SUBLEVEL = 0 -+SUBLEVEL = 1 - EXTRAVERSION = - NAME = Diseased Newt - -diff --git a/arch/arc/include/asm/pgtable.h b/arch/arc/include/asm/pgtable.h -index 6b0b7f7e..7670f33 100644 ---- a/arch/arc/include/asm/pgtable.h -+++ b/arch/arc/include/asm/pgtable.h -@@ -259,7 +259,8 @@ static inline void pmd_set(pmd_t *pmdp, pte_t *ptep) - #define pmd_clear(xp) do { pmd_val(*(xp)) = 0; } while (0) - - #define pte_page(x) (mem_map + \ -- (unsigned long)(((pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT))) -+ (unsigned long)(((pte_val(x) - CONFIG_LINUX_LINK_BASE) >> \ -+ PAGE_SHIFT))) - - #define mk_pte(page, pgprot) \ - ({ \ -diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi -index 6cc25ed..2c6248d 100644 ---- a/arch/arm/boot/dts/am335x-bone-common.dtsi -+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi -@@ -195,6 +195,7 @@ - - &usb0 { - status = "okay"; -+ dr_mode = "peripheral"; - }; - - &usb1 { -diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi -index d2d8e94..f46329c 100644 ---- a/arch/arm/boot/dts/bcm63138.dtsi -+++ b/arch/arm/boot/dts/bcm63138.dtsi -@@ -66,8 +66,9 @@ - reg = <0x1d000 0x1000>; - cache-unified; - cache-level = <2>; -- cache-sets = <16>; -- cache-size = <0x80000>; -+ cache-size = <524288>; -+ cache-sets = <1024>; -+ cache-line-size = <32>; - interrupts = <GIC_PPI 0 IRQ_TYPE_LEVEL_HIGH>; - }; - -diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi -index 8acf5d8..f76fe94 100644 ---- a/arch/arm/boot/dts/tegra20.dtsi -+++ b/arch/arm/boot/dts/tegra20.dtsi -@@ -68,9 +68,9 @@ - reset-names = "2d"; - }; - -- gr3d@54140000 { -+ gr3d@54180000 { - compatible = "nvidia,tegra20-gr3d"; -- reg = <0x54140000 0x00040000>; -+ reg = <0x54180000 0x00040000>; - clocks = <&tegra_car TEGRA20_CLK_GR3D>; - resets = <&tegra_car 24>; - reset-names = "3d"; -@@ -130,9 +130,9 @@ - status = "disabled"; - }; - -- dsi@542c0000 { -+ dsi@54300000 { - compatible = "nvidia,tegra20-dsi"; -- reg = <0x542c0000 0x00040000>; -+ reg = <0x54300000 0x00040000>; - clocks = <&tegra_car TEGRA20_CLK_DSI>; - resets = <&tegra_car 48>; - reset-names = "dsi"; -diff --git a/arch/arm/mach-bcm/Kconfig b/arch/arm/mach-bcm/Kconfig -index aaeec78..8b11f44 100644 ---- a/arch/arm/mach-bcm/Kconfig -+++ b/arch/arm/mach-bcm/Kconfig -@@ -68,7 +68,7 @@ config ARCH_BCM_MOBILE - This enables support for systems based on Broadcom mobile SoCs. - - config ARCH_BCM_281XX -- bool "Broadcom BCM281XX SoC family" -+ bool "Broadcom BCM281XX SoC family" if ARCH_MULTI_V7 - select ARCH_BCM_MOBILE - select HAVE_SMP - help -@@ -77,7 +77,7 @@ config ARCH_BCM_281XX - variants. - - config ARCH_BCM_21664 -- bool "Broadcom BCM21664 SoC family" -+ bool "Broadcom BCM21664 SoC family" if ARCH_MULTI_V7 - select ARCH_BCM_MOBILE - select HAVE_SMP - help -diff --git a/arch/arm/mach-bcm/platsmp-brcmstb.c b/arch/arm/mach-bcm/platsmp-brcmstb.c -index 31c87a2..e209e6f 100644 ---- a/arch/arm/mach-bcm/platsmp-brcmstb.c -+++ b/arch/arm/mach-bcm/platsmp-brcmstb.c -@@ -17,6 +17,7 @@ - #include <linux/errno.h> - #include <linux/init.h> - #include <linux/io.h> -+#include <linux/jiffies.h> - #include <linux/of_address.h> - #include <linux/of_platform.h> - #include <linux/printk.h> -@@ -94,10 +95,35 @@ static u32 pwr_ctrl_rd(u32 cpu) - return readl_relaxed(base); - } - --static void pwr_ctrl_wr(u32 cpu, u32 val) -+static void pwr_ctrl_set(unsigned int cpu, u32 val, u32 mask) - { - void __iomem *base = pwr_ctrl_get_base(cpu); -- writel(val, base); -+ writel((readl(base) & mask) | val, base); -+} -+ -+static void pwr_ctrl_clr(unsigned int cpu, u32 val, u32 mask) -+{ -+ void __iomem *base = pwr_ctrl_get_base(cpu); -+ writel((readl(base) & mask) & ~val, base); -+} -+ -+#define POLL_TMOUT_MS 500 -+static int pwr_ctrl_wait_tmout(unsigned int cpu, u32 set, u32 mask) -+{ -+ const unsigned long timeo = jiffies + msecs_to_jiffies(POLL_TMOUT_MS); -+ u32 tmp; -+ -+ do { -+ tmp = pwr_ctrl_rd(cpu) & mask; -+ if (!set == !tmp) -+ return 0; -+ } while (time_before(jiffies, timeo)); -+ -+ tmp = pwr_ctrl_rd(cpu) & mask; -+ if (!set == !tmp) -+ return 0; -+ -+ return -ETIMEDOUT; - } - - static void cpu_rst_cfg_set(u32 cpu, int set) -@@ -139,15 +165,22 @@ static void brcmstb_cpu_power_on(u32 cpu) - * The secondary cores power was cut, so we must go through - * power-on initialization. - */ -- u32 tmp; -+ pwr_ctrl_set(cpu, ZONE_MAN_ISO_CNTL_MASK, 0xffffff00); -+ pwr_ctrl_set(cpu, ZONE_MANUAL_CONTROL_MASK, -1); -+ pwr_ctrl_set(cpu, ZONE_RESERVED_1_MASK, -1); - -- /* Request zone power up */ -- pwr_ctrl_wr(cpu, ZONE_PWR_UP_REQ_MASK); -+ pwr_ctrl_set(cpu, ZONE_MAN_MEM_PWR_MASK, -1); - -- /* Wait for the power up FSM to complete */ -- do { -- tmp = pwr_ctrl_rd(cpu); -- } while (!(tmp & ZONE_PWR_ON_STATE_MASK)); -+ if (pwr_ctrl_wait_tmout(cpu, 1, ZONE_MEM_PWR_STATE_MASK)) -+ panic("ZONE_MEM_PWR_STATE_MASK set timeout"); -+ -+ pwr_ctrl_set(cpu, ZONE_MAN_CLKEN_MASK, -1); -+ -+ if (pwr_ctrl_wait_tmout(cpu, 1, ZONE_DPG_PWR_STATE_MASK)) -+ panic("ZONE_DPG_PWR_STATE_MASK set timeout"); -+ -+ pwr_ctrl_clr(cpu, ZONE_MAN_ISO_CNTL_MASK, -1); -+ pwr_ctrl_set(cpu, ZONE_MAN_RESET_CNTL_MASK, -1); - } - - static int brcmstb_cpu_get_power_state(u32 cpu) -@@ -174,25 +207,33 @@ static void brcmstb_cpu_die(u32 cpu) - - static int brcmstb_cpu_kill(u32 cpu) - { -- u32 tmp; -+ /* -+ * Ordinarily, the hardware forbids power-down of CPU0 (which is good -+ * because it is the boot CPU), but this is not true when using BPCM -+ * manual mode. Consequently, we must avoid turning off CPU0 here to -+ * ensure that TI2C master reset will work. -+ */ -+ if (cpu == 0) { -+ pr_warn("SMP: refusing to power off CPU0\n"); -+ return 1; -+ } - - while (per_cpu_sw_state_rd(cpu)) - ; - -- /* Program zone reset */ -- pwr_ctrl_wr(cpu, ZONE_RESET_STATE_MASK | ZONE_BLK_RST_ASSERT_MASK | -- ZONE_PWR_DN_REQ_MASK); -+ pwr_ctrl_set(cpu, ZONE_MANUAL_CONTROL_MASK, -1); -+ pwr_ctrl_clr(cpu, ZONE_MAN_RESET_CNTL_MASK, -1); -+ pwr_ctrl_clr(cpu, ZONE_MAN_CLKEN_MASK, -1); -+ pwr_ctrl_set(cpu, ZONE_MAN_ISO_CNTL_MASK, -1); -+ pwr_ctrl_clr(cpu, ZONE_MAN_MEM_PWR_MASK, -1); - -- /* Verify zone reset */ -- tmp = pwr_ctrl_rd(cpu); -- if (!(tmp & ZONE_RESET_STATE_MASK)) -- pr_err("%s: Zone reset bit for CPU %d not asserted!\n", -- __func__, cpu); -+ if (pwr_ctrl_wait_tmout(cpu, 0, ZONE_MEM_PWR_STATE_MASK)) -+ panic("ZONE_MEM_PWR_STATE_MASK clear timeout"); - -- /* Wait for power down */ -- do { -- tmp = pwr_ctrl_rd(cpu); -- } while (!(tmp & ZONE_PWR_OFF_STATE_MASK)); -+ pwr_ctrl_clr(cpu, ZONE_RESERVED_1_MASK, -1); -+ -+ if (pwr_ctrl_wait_tmout(cpu, 0, ZONE_DPG_PWR_STATE_MASK)) -+ panic("ZONE_DPG_PWR_STATE_MASK clear timeout"); - - /* Flush pipeline before resetting CPU */ - mb(); -diff --git a/arch/arm/mach-mvebu/system-controller.c b/arch/arm/mach-mvebu/system-controller.c -index a068cb5..c6c132a 100644 ---- a/arch/arm/mach-mvebu/system-controller.c -+++ b/arch/arm/mach-mvebu/system-controller.c -@@ -126,7 +126,7 @@ int mvebu_system_controller_get_soc_id(u32 *dev, u32 *rev) - return -ENODEV; - } - --#ifdef CONFIG_SMP -+#if defined(CONFIG_SMP) && defined(CONFIG_MACH_MVEBU_V7) - void mvebu_armada375_smp_wa_init(void) - { - u32 dev, rev; -diff --git a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c -index ffd6604..b6ea88f 100644 ---- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c -+++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c -@@ -2017,7 +2017,7 @@ static struct omap_hwmod dra7xx_uart3_hwmod = { - .class = &dra7xx_uart_hwmod_class, - .clkdm_name = "l4per_clkdm", - .main_clk = "uart3_gfclk_mux", -- .flags = HWMOD_SWSUP_SIDLE_ACT, -+ .flags = HWMOD_SWSUP_SIDLE_ACT | DEBUG_OMAP4UART3_FLAGS, - .prcm = { - .omap4 = { - .clkctrl_offs = DRA7XX_CM_L4PER_UART3_CLKCTRL_OFFSET, -diff --git a/arch/arm/mach-pxa/corgi.c b/arch/arm/mach-pxa/corgi.c -index 06022b2..89f790d 100644 ---- a/arch/arm/mach-pxa/corgi.c -+++ b/arch/arm/mach-pxa/corgi.c -@@ -26,6 +26,7 @@ - #include <linux/i2c.h> - #include <linux/i2c/pxa-i2c.h> - #include <linux/io.h> -+#include <linux/regulator/machine.h> - #include <linux/spi/spi.h> - #include <linux/spi/ads7846.h> - #include <linux/spi/corgi_lcd.h> -@@ -752,6 +753,8 @@ static void __init corgi_init(void) - sharpsl_nand_partitions[1].size = 53 * 1024 * 1024; - - platform_add_devices(devices, ARRAY_SIZE(devices)); -+ -+ regulator_has_full_constraints(); - } - - static void __init fixup_corgi(struct tag *tags, char **cmdline) -diff --git a/arch/arm/mach-pxa/hx4700.c b/arch/arm/mach-pxa/hx4700.c -index c66ad4e..5fb41ad 100644 ---- a/arch/arm/mach-pxa/hx4700.c -+++ b/arch/arm/mach-pxa/hx4700.c -@@ -893,6 +893,8 @@ static void __init hx4700_init(void) - mdelay(10); - gpio_set_value(GPIO71_HX4700_ASIC3_nRESET, 1); - mdelay(10); -+ -+ regulator_has_full_constraints(); - } - - MACHINE_START(H4700, "HP iPAQ HX4700") -diff --git a/arch/arm/mach-pxa/poodle.c b/arch/arm/mach-pxa/poodle.c -index 29019be..195b112 100644 ---- a/arch/arm/mach-pxa/poodle.c -+++ b/arch/arm/mach-pxa/poodle.c -@@ -25,6 +25,7 @@ - #include <linux/gpio.h> - #include <linux/i2c.h> - #include <linux/i2c/pxa-i2c.h> -+#include <linux/regulator/machine.h> - #include <linux/spi/spi.h> - #include <linux/spi/ads7846.h> - #include <linux/spi/pxa2xx_spi.h> -@@ -455,6 +456,7 @@ static void __init poodle_init(void) - pxa_set_i2c_info(NULL); - i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices)); - poodle_init_spi(); -+ regulator_has_full_constraints(); - } - - static void __init fixup_poodle(struct tag *tags, char **cmdline) -diff --git a/arch/arm/mach-pxa/spitz.c b/arch/arm/mach-pxa/spitz.c -index 962a7f3..f4e2e27 100644 ---- a/arch/arm/mach-pxa/spitz.c -+++ b/arch/arm/mach-pxa/spitz.c -@@ -979,6 +979,8 @@ static void __init spitz_init(void) - spitz_nand_init(); - spitz_i2c_init(); - spitz_audio_init(); -+ -+ regulator_has_full_constraints(); - } - - static void __init spitz_fixup(struct tag *tags, char **cmdline) -diff --git a/arch/arm/mach-sa1100/pm.c b/arch/arm/mach-sa1100/pm.c -index 6645d1e..34853d5 100644 ---- a/arch/arm/mach-sa1100/pm.c -+++ b/arch/arm/mach-sa1100/pm.c -@@ -81,6 +81,7 @@ static int sa11x0_pm_enter(suspend_state_t state) - /* - * Ensure not to come back here if it wasn't intended - */ -+ RCSR = RCSR_SMR; - PSPR = 0; - - /* -diff --git a/arch/arm/mach-vexpress/Kconfig b/arch/arm/mach-vexpress/Kconfig -index d6b16d9..3c2509b 100644 ---- a/arch/arm/mach-vexpress/Kconfig -+++ b/arch/arm/mach-vexpress/Kconfig -@@ -73,6 +73,7 @@ config ARCH_VEXPRESS_TC2_PM - depends on MCPM - select ARM_CCI - select ARCH_VEXPRESS_SPC -+ select ARM_CPU_SUSPEND - help - Support for CPU and cluster power management on Versatile Express - with a TC2 (A15x2 A7x3) big.LITTLE core tile. -diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c -index 5a1ba6e..6ae9340 100644 ---- a/arch/arm64/kernel/signal32.c -+++ b/arch/arm64/kernel/signal32.c -@@ -154,8 +154,7 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) - case __SI_TIMER: - err |= __put_user(from->si_tid, &to->si_tid); - err |= __put_user(from->si_overrun, &to->si_overrun); -- err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr, -- &to->si_ptr); -+ err |= __put_user(from->si_int, &to->si_int); - break; - case __SI_POLL: - err |= __put_user(from->si_band, &to->si_band); -@@ -184,7 +183,7 @@ int copy_siginfo_to_user32(compat_siginfo_t __user *to, const siginfo_t *from) - case __SI_MESGQ: /* But this is */ - err |= __put_user(from->si_pid, &to->si_pid); - err |= __put_user(from->si_uid, &to->si_uid); -- err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr, &to->si_ptr); -+ err |= __put_user(from->si_int, &to->si_int); - break; - case __SI_SYS: - err |= __put_user((compat_uptr_t)(unsigned long) -diff --git a/arch/metag/include/asm/processor.h b/arch/metag/include/asm/processor.h -index 881071c..13272fd 100644 ---- a/arch/metag/include/asm/processor.h -+++ b/arch/metag/include/asm/processor.h -@@ -149,8 +149,8 @@ extern void exit_thread(void); - - unsigned long get_wchan(struct task_struct *p); - --#define KSTK_EIP(tsk) ((tsk)->thread.kernel_context->CurrPC) --#define KSTK_ESP(tsk) ((tsk)->thread.kernel_context->AX[0].U0) -+#define KSTK_EIP(tsk) (task_pt_regs(tsk)->ctx.CurrPC) -+#define KSTK_ESP(tsk) (task_pt_regs(tsk)->ctx.AX[0].U0) - - #define user_stack_pointer(regs) ((regs)->ctx.AX[0].U0) - -diff --git a/arch/mips/alchemy/common/clock.c b/arch/mips/alchemy/common/clock.c -index 48a9dfc..c4d21ce 100644 ---- a/arch/mips/alchemy/common/clock.c -+++ b/arch/mips/alchemy/common/clock.c -@@ -127,6 +127,8 @@ static unsigned long alchemy_clk_cpu_recalc(struct clk_hw *hw, - t = 396000000; - else { - t = alchemy_rdsys(AU1000_SYS_CPUPLL) & 0x7f; -+ if (alchemy_get_cputype() < ALCHEMY_CPU_AU1300) -+ t &= 0x3f; - t *= parent_rate; - } - -diff --git a/arch/mips/include/asm/asmmacro.h b/arch/mips/include/asm/asmmacro.h -index 6caf876..71fef0a 100644 ---- a/arch/mips/include/asm/asmmacro.h -+++ b/arch/mips/include/asm/asmmacro.h -@@ -304,7 +304,7 @@ - .set push - .set noat - SET_HARDFLOAT -- add $1, \base, \off -+ addu $1, \base, \off - .word LDD_MSA_INSN | (\wd << 6) - .set pop - .endm -@@ -313,7 +313,7 @@ - .set push - .set noat - SET_HARDFLOAT -- add $1, \base, \off -+ addu $1, \base, \off - .word STD_MSA_INSN | (\wd << 6) - .set pop - .endm -diff --git a/arch/mips/include/asm/cpu-info.h b/arch/mips/include/asm/cpu-info.h -index a6c9ccb..c3f4f2d 100644 ---- a/arch/mips/include/asm/cpu-info.h -+++ b/arch/mips/include/asm/cpu-info.h -@@ -84,6 +84,11 @@ struct cpuinfo_mips { - * (shifted by _CACHE_SHIFT) - */ - unsigned int writecombine; -+ /* -+ * Simple counter to prevent enabling HTW in nested -+ * htw_start/htw_stop calls -+ */ -+ unsigned int htw_seq; - } __attribute__((aligned(SMP_CACHE_BYTES))); - - extern struct cpuinfo_mips cpu_data[]; -diff --git a/arch/mips/include/asm/mmu_context.h b/arch/mips/include/asm/mmu_context.h -index 2f82568..bc01579 100644 ---- a/arch/mips/include/asm/mmu_context.h -+++ b/arch/mips/include/asm/mmu_context.h -@@ -25,7 +25,6 @@ do { \ - if (cpu_has_htw) { \ - write_c0_pwbase(pgd); \ - back_to_back_c0_hazard(); \ -- htw_reset(); \ - } \ - } while (0) - -@@ -142,6 +141,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - unsigned long flags; - local_irq_save(flags); - -+ htw_stop(); - /* Check if our ASID is of an older version and thus invalid */ - if ((cpu_context(cpu, next) ^ asid_cache(cpu)) & ASID_VERSION_MASK) - get_new_mmu_context(next, cpu); -@@ -154,6 +154,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); - cpumask_set_cpu(cpu, mm_cpumask(next)); -+ htw_start(); - - local_irq_restore(flags); - } -@@ -180,6 +181,7 @@ activate_mm(struct mm_struct *prev, struct mm_struct *next) - - local_irq_save(flags); - -+ htw_stop(); - /* Unconditionally get a new ASID. */ - get_new_mmu_context(next, cpu); - -@@ -189,6 +191,7 @@ activate_mm(struct mm_struct *prev, struct mm_struct *next) - /* mark mmu ownership change */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); - cpumask_set_cpu(cpu, mm_cpumask(next)); -+ htw_start(); - - local_irq_restore(flags); - } -@@ -203,6 +206,7 @@ drop_mmu_context(struct mm_struct *mm, unsigned cpu) - unsigned long flags; - - local_irq_save(flags); -+ htw_stop(); - - if (cpumask_test_cpu(cpu, mm_cpumask(mm))) { - get_new_mmu_context(mm, cpu); -@@ -211,6 +215,7 @@ drop_mmu_context(struct mm_struct *mm, unsigned cpu) - /* will get a new context next time */ - cpu_context(cpu, mm) = 0; - } -+ htw_start(); - local_irq_restore(flags); - } - -diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h -index 62a6ba3..845016d 100644 ---- a/arch/mips/include/asm/pgtable.h -+++ b/arch/mips/include/asm/pgtable.h -@@ -99,29 +99,35 @@ extern void paging_init(void); - - #define htw_stop() \ - do { \ -- if (cpu_has_htw) \ -- write_c0_pwctl(read_c0_pwctl() & \ -- ~(1 << MIPS_PWCTL_PWEN_SHIFT)); \ -+ unsigned long flags; \ -+ \ -+ if (cpu_has_htw) { \ -+ local_irq_save(flags); \ -+ if(!raw_current_cpu_data.htw_seq++) { \ -+ write_c0_pwctl(read_c0_pwctl() & \ -+ ~(1 << MIPS_PWCTL_PWEN_SHIFT)); \ -+ back_to_back_c0_hazard(); \ -+ } \ -+ local_irq_restore(flags); \ -+ } \ - } while(0) - - #define htw_start() \ - do { \ -- if (cpu_has_htw) \ -- write_c0_pwctl(read_c0_pwctl() | \ -- (1 << MIPS_PWCTL_PWEN_SHIFT)); \ --} while(0) -- -- --#define htw_reset() \ --do { \ -+ unsigned long flags; \ -+ \ - if (cpu_has_htw) { \ -- htw_stop(); \ -- back_to_back_c0_hazard(); \ -- htw_start(); \ -- back_to_back_c0_hazard(); \ -+ local_irq_save(flags); \ -+ if (!--raw_current_cpu_data.htw_seq) { \ -+ write_c0_pwctl(read_c0_pwctl() | \ -+ (1 << MIPS_PWCTL_PWEN_SHIFT)); \ -+ back_to_back_c0_hazard(); \ -+ } \ -+ local_irq_restore(flags); \ - } \ - } while(0) - -+ - extern void set_pte_at(struct mm_struct *mm, unsigned long addr, pte_t *ptep, - pte_t pteval); - -@@ -153,12 +159,13 @@ static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *pt - { - pte_t null = __pte(0); - -+ htw_stop(); - /* Preserve global status for the pair */ - if (ptep_buddy(ptep)->pte_low & _PAGE_GLOBAL) - null.pte_low = null.pte_high = _PAGE_GLOBAL; - - set_pte_at(mm, addr, ptep, null); -- htw_reset(); -+ htw_start(); - } - #else - -@@ -188,6 +195,7 @@ static inline void set_pte(pte_t *ptep, pte_t pteval) - - static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep) - { -+ htw_stop(); - #if !defined(CONFIG_CPU_R3000) && !defined(CONFIG_CPU_TX39XX) - /* Preserve global status for the pair */ - if (pte_val(*ptep_buddy(ptep)) & _PAGE_GLOBAL) -@@ -195,7 +203,7 @@ static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *pt - else - #endif - set_pte_at(mm, addr, ptep, __pte(0)); -- htw_reset(); -+ htw_start(); - } - #endif - -diff --git a/arch/mips/kernel/cps-vec.S b/arch/mips/kernel/cps-vec.S -index 0384b05..55b759a 100644 ---- a/arch/mips/kernel/cps-vec.S -+++ b/arch/mips/kernel/cps-vec.S -@@ -99,11 +99,11 @@ not_nmi: - xori t2, t1, 0x7 - beqz t2, 1f - li t3, 32 -- addi t1, t1, 1 -+ addiu t1, t1, 1 - sllv t1, t3, t1 - 1: /* At this point t1 == I-cache sets per way */ - _EXT t2, v0, MIPS_CONF1_IA_SHF, MIPS_CONF1_IA_SZ -- addi t2, t2, 1 -+ addiu t2, t2, 1 - mul t1, t1, t0 - mul t1, t1, t2 - -@@ -126,11 +126,11 @@ icache_done: - xori t2, t1, 0x7 - beqz t2, 1f - li t3, 32 -- addi t1, t1, 1 -+ addiu t1, t1, 1 - sllv t1, t3, t1 - 1: /* At this point t1 == D-cache sets per way */ - _EXT t2, v0, MIPS_CONF1_DA_SHF, MIPS_CONF1_DA_SZ -- addi t2, t2, 1 -+ addiu t2, t2, 1 - mul t1, t1, t0 - mul t1, t1, t2 - -@@ -250,7 +250,7 @@ LEAF(mips_cps_core_init) - mfc0 t0, CP0_MVPCONF0 - srl t0, t0, MVPCONF0_PVPE_SHIFT - andi t0, t0, (MVPCONF0_PVPE >> MVPCONF0_PVPE_SHIFT) -- addi t7, t0, 1 -+ addiu t7, t0, 1 - - /* If there's only 1, we're done */ - beqz t0, 2f -@@ -280,7 +280,7 @@ LEAF(mips_cps_core_init) - mttc0 t0, CP0_TCHALT - - /* Next VPE */ -- addi t5, t5, 1 -+ addiu t5, t5, 1 - slt t0, t5, t7 - bnez t0, 1b - nop -@@ -317,7 +317,7 @@ LEAF(mips_cps_boot_vpes) - mfc0 t1, CP0_MVPCONF0 - srl t1, t1, MVPCONF0_PVPE_SHIFT - andi t1, t1, MVPCONF0_PVPE >> MVPCONF0_PVPE_SHIFT -- addi t1, t1, 1 -+ addiu t1, t1, 1 - - /* Calculate a mask for the VPE ID from EBase.CPUNum */ - clz t1, t1 -@@ -424,7 +424,7 @@ LEAF(mips_cps_boot_vpes) - - /* Next VPE */ - 2: srl t6, t6, 1 -- addi t5, t5, 1 -+ addiu t5, t5, 1 - bnez t6, 1b - nop - -diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c -index 5342674..228ae86 100644 ---- a/arch/mips/kernel/cpu-probe.c -+++ b/arch/mips/kernel/cpu-probe.c -@@ -424,8 +424,10 @@ static inline unsigned int decode_config3(struct cpuinfo_mips *c) - if (config3 & MIPS_CONF3_MSA) - c->ases |= MIPS_ASE_MSA; - /* Only tested on 32-bit cores */ -- if ((config3 & MIPS_CONF3_PW) && config_enabled(CONFIG_32BIT)) -+ if ((config3 & MIPS_CONF3_PW) && config_enabled(CONFIG_32BIT)) { -+ c->htw_seq = 0; - c->options |= MIPS_CPU_HTW; -+ } - - return config3 & MIPS_CONF_M; - } -diff --git a/arch/mips/kernel/mips_ksyms.c b/arch/mips/kernel/mips_ksyms.c -index 17eaf0c..1a73c6c 100644 ---- a/arch/mips/kernel/mips_ksyms.c -+++ b/arch/mips/kernel/mips_ksyms.c -@@ -14,6 +14,8 @@ - #include <linux/mm.h> - #include <asm/uaccess.h> - #include <asm/ftrace.h> -+#include <asm/fpu.h> -+#include <asm/msa.h> - - extern void *__bzero(void *__s, size_t __count); - extern long __strncpy_from_kernel_nocheck_asm(char *__to, -@@ -32,6 +34,14 @@ extern long __strnlen_user_nocheck_asm(const char *s); - extern long __strnlen_user_asm(const char *s); - - /* -+ * Core architecture code -+ */ -+EXPORT_SYMBOL_GPL(_save_fp); -+#ifdef CONFIG_CPU_HAS_MSA -+EXPORT_SYMBOL_GPL(_save_msa); -+#endif -+ -+/* - * String functions - */ - EXPORT_SYMBOL(memset); -diff --git a/arch/mips/kvm/locore.S b/arch/mips/kvm/locore.S -index d7279c0..4a68b17 100644 ---- a/arch/mips/kvm/locore.S -+++ b/arch/mips/kvm/locore.S -@@ -434,7 +434,7 @@ __kvm_mips_return_to_guest: - /* Setup status register for running guest in UM */ - .set at - or v1, v1, (ST0_EXL | KSU_USER | ST0_IE) -- and v1, v1, ~ST0_CU0 -+ and v1, v1, ~(ST0_CU0 | ST0_MX) - .set noat - mtc0 v1, CP0_STATUS - ehb -diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c -index e3b21e5..270bbd4 100644 ---- a/arch/mips/kvm/mips.c -+++ b/arch/mips/kvm/mips.c -@@ -15,9 +15,11 @@ - #include <linux/vmalloc.h> - #include <linux/fs.h> - #include <linux/bootmem.h> -+#include <asm/fpu.h> - #include <asm/page.h> - #include <asm/cacheflush.h> - #include <asm/mmu_context.h> -+#include <asm/pgtable.h> - - #include <linux/kvm_host.h> - -@@ -378,6 +380,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run) - vcpu->mmio_needed = 0; - } - -+ lose_fpu(1); -+ - local_irq_disable(); - /* Check if we have any exceptions/interrupts pending */ - kvm_mips_deliver_interrupts(vcpu, -@@ -385,8 +389,14 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *run) - - kvm_guest_enter(); - -+ /* Disable hardware page table walking while in guest */ -+ htw_stop(); -+ - r = __kvm_mips_vcpu_run(run, vcpu); - -+ /* Re-enable HTW before enabling interrupts */ -+ htw_start(); -+ - kvm_guest_exit(); - local_irq_enable(); - -@@ -980,9 +990,6 @@ static void kvm_mips_set_c0_status(void) - { - uint32_t status = read_c0_status(); - -- if (cpu_has_fpu) -- status |= (ST0_CU1); -- - if (cpu_has_dsp) - status |= (ST0_MX); - -@@ -1002,6 +1009,9 @@ int kvm_mips_handle_exit(struct kvm_run *run, struct kvm_vcpu *vcpu) - enum emulation_result er = EMULATE_DONE; - int ret = RESUME_GUEST; - -+ /* re-enable HTW before enabling interrupts */ -+ htw_start(); -+ - /* Set a default exit reason */ - run->exit_reason = KVM_EXIT_UNKNOWN; - run->ready_for_interrupt_injection = 1; -@@ -1136,6 +1146,9 @@ skip_emul: - } - } - -+ /* Disable HTW before returning to guest or host */ -+ htw_stop(); -+ - return ret; - } - -diff --git a/arch/powerpc/kvm/book3s_hv_rm_xics.c b/arch/powerpc/kvm/book3s_hv_rm_xics.c -index 7b066f6..7c22997 100644 ---- a/arch/powerpc/kvm/book3s_hv_rm_xics.c -+++ b/arch/powerpc/kvm/book3s_hv_rm_xics.c -@@ -152,7 +152,7 @@ static void icp_rm_down_cppr(struct kvmppc_xics *xics, struct kvmppc_icp *icp, - * in virtual mode. - */ - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - /* Down_CPPR */ - new_state.cppr = new_cppr; -@@ -211,7 +211,7 @@ unsigned long kvmppc_rm_h_xirr(struct kvm_vcpu *vcpu) - * pending priority - */ - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - xirr = old_state.xisr | (((u32)old_state.cppr) << 24); - if (!old_state.xisr) -@@ -277,7 +277,7 @@ int kvmppc_rm_h_ipi(struct kvm_vcpu *vcpu, unsigned long server, - * whenever the MFRR is made less favored. - */ - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - /* Set_MFRR */ - new_state.mfrr = mfrr; -@@ -352,7 +352,7 @@ int kvmppc_rm_h_cppr(struct kvm_vcpu *vcpu, unsigned long cppr) - icp_rm_clr_vcpu_irq(icp->vcpu); - - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - reject = 0; - new_state.cppr = cppr; -diff --git a/arch/powerpc/kvm/book3s_xics.c b/arch/powerpc/kvm/book3s_xics.c -index 807351f..a4a8d9f 100644 ---- a/arch/powerpc/kvm/book3s_xics.c -+++ b/arch/powerpc/kvm/book3s_xics.c -@@ -327,7 +327,7 @@ static bool icp_try_to_deliver(struct kvmppc_icp *icp, u32 irq, u8 priority, - icp->server_num); - - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - *reject = 0; - -@@ -512,7 +512,7 @@ static void icp_down_cppr(struct kvmppc_xics *xics, struct kvmppc_icp *icp, - * in virtual mode. - */ - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - /* Down_CPPR */ - new_state.cppr = new_cppr; -@@ -567,7 +567,7 @@ static noinline unsigned long kvmppc_h_xirr(struct kvm_vcpu *vcpu) - * pending priority - */ - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - xirr = old_state.xisr | (((u32)old_state.cppr) << 24); - if (!old_state.xisr) -@@ -634,7 +634,7 @@ static noinline int kvmppc_h_ipi(struct kvm_vcpu *vcpu, unsigned long server, - * whenever the MFRR is made less favored. - */ - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - /* Set_MFRR */ - new_state.mfrr = mfrr; -@@ -679,7 +679,7 @@ static int kvmppc_h_ipoll(struct kvm_vcpu *vcpu, unsigned long server) - if (!icp) - return H_PARAMETER; - } -- state = ACCESS_ONCE(icp->state); -+ state = READ_ONCE(icp->state); - kvmppc_set_gpr(vcpu, 4, ((u32)state.cppr << 24) | state.xisr); - kvmppc_set_gpr(vcpu, 5, state.mfrr); - return H_SUCCESS; -@@ -721,7 +721,7 @@ static noinline void kvmppc_h_cppr(struct kvm_vcpu *vcpu, unsigned long cppr) - BOOK3S_INTERRUPT_EXTERNAL_LEVEL); - - do { -- old_state = new_state = ACCESS_ONCE(icp->state); -+ old_state = new_state = READ_ONCE(icp->state); - - reject = 0; - new_state.cppr = cppr; -@@ -885,7 +885,7 @@ static int xics_debug_show(struct seq_file *m, void *private) - if (!icp) - continue; - -- state.raw = ACCESS_ONCE(icp->state.raw); -+ state.raw = READ_ONCE(icp->state.raw); - seq_printf(m, "cpu server %#lx XIRR:%#x PPRI:%#x CPPR:%#x MFRR:%#x OUT:%d NR:%d\n", - icp->server_num, state.xisr, - state.pending_pri, state.cppr, state.mfrr, -@@ -1082,7 +1082,7 @@ int kvmppc_xics_set_icp(struct kvm_vcpu *vcpu, u64 icpval) - * the ICS states before the ICP states. - */ - do { -- old_state = ACCESS_ONCE(icp->state); -+ old_state = READ_ONCE(icp->state); - - if (new_state.mfrr <= old_state.mfrr) { - resend = false; -diff --git a/arch/powerpc/mm/hugetlbpage.c b/arch/powerpc/mm/hugetlbpage.c -index 5ff4e07..620d0ec 100644 ---- a/arch/powerpc/mm/hugetlbpage.c -+++ b/arch/powerpc/mm/hugetlbpage.c -@@ -978,7 +978,7 @@ pte_t *find_linux_pte_or_hugepte(pgd_t *pgdir, unsigned long ea, unsigned *shift - */ - pdshift = PUD_SHIFT; - pudp = pud_offset(&pgd, ea); -- pud = ACCESS_ONCE(*pudp); -+ pud = READ_ONCE(*pudp); - - if (pud_none(pud)) - return NULL; -@@ -990,7 +990,7 @@ pte_t *find_linux_pte_or_hugepte(pgd_t *pgdir, unsigned long ea, unsigned *shift - else { - pdshift = PMD_SHIFT; - pmdp = pmd_offset(&pud, ea); -- pmd = ACCESS_ONCE(*pmdp); -+ pmd = READ_ONCE(*pmdp); - /* - * A hugepage collapse is captured by pmd_none, because - * it mark the pmd none and do a hpte invalidate. -diff --git a/arch/powerpc/sysdev/axonram.c b/arch/powerpc/sysdev/axonram.c -index f532c92..367533b 100644 ---- a/arch/powerpc/sysdev/axonram.c -+++ b/arch/powerpc/sysdev/axonram.c -@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_device *device, sector_t sector, - } - - *kaddr = (void *)(bank->ph_addr + offset); -- *pfn = virt_to_phys(kaddr) >> PAGE_SHIFT; -+ *pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT; - - return 0; - } -diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c -index f00f31e..f512cff 100644 ---- a/arch/s390/kvm/interrupt.c -+++ b/arch/s390/kvm/interrupt.c -@@ -820,7 +820,7 @@ no_timer: - __unset_cpu_idle(vcpu); - vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); - -- hrtimer_try_to_cancel(&vcpu->arch.ckc_timer); -+ hrtimer_cancel(&vcpu->arch.ckc_timer); - return 0; - } - -@@ -840,10 +840,20 @@ void kvm_s390_vcpu_wakeup(struct kvm_vcpu *vcpu) - enum hrtimer_restart kvm_s390_idle_wakeup(struct hrtimer *timer) - { - struct kvm_vcpu *vcpu; -+ u64 now, sltime; - - vcpu = container_of(timer, struct kvm_vcpu, arch.ckc_timer); -- kvm_s390_vcpu_wakeup(vcpu); -+ now = get_tod_clock_fast() + vcpu->arch.sie_block->epoch; -+ sltime = tod_to_ns(vcpu->arch.sie_block->ckc - now); - -+ /* -+ * If the monotonic clock runs faster than the tod clock we might be -+ * woken up too early and have to go back to sleep to avoid deadlocks. -+ */ -+ if (vcpu->arch.sie_block->ckc > now && -+ hrtimer_forward_now(timer, ns_to_ktime(sltime))) -+ return HRTIMER_RESTART; -+ kvm_s390_vcpu_wakeup(vcpu); - return HRTIMER_NORESTART; - } - -@@ -1187,6 +1197,8 @@ static int __inject_vm(struct kvm *kvm, struct kvm_s390_interrupt_info *inti) - list_add_tail(&inti->list, &iter->list); - } - atomic_set(&fi->active, 1); -+ if (atomic_read(&kvm->online_vcpus) == 0) -+ goto unlock_fi; - sigcpu = find_first_bit(fi->idle_mask, KVM_MAX_VCPUS); - if (sigcpu == KVM_MAX_VCPUS) { - do { -@@ -1221,6 +1233,7 @@ int kvm_s390_inject_vm(struct kvm *kvm, - struct kvm_s390_interrupt *s390int) - { - struct kvm_s390_interrupt_info *inti; -+ int rc; - - inti = kzalloc(sizeof(*inti), GFP_KERNEL); - if (!inti) -@@ -1268,7 +1281,10 @@ int kvm_s390_inject_vm(struct kvm *kvm, - trace_kvm_s390_inject_vm(s390int->type, s390int->parm, s390int->parm64, - 2); - -- return __inject_vm(kvm, inti); -+ rc = __inject_vm(kvm, inti); -+ if (rc) -+ kfree(inti); -+ return rc; - } - - void kvm_s390_reinject_io_int(struct kvm *kvm, -diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c -index 3e09801..9af01dc 100644 ---- a/arch/s390/kvm/kvm-s390.c -+++ b/arch/s390/kvm/kvm-s390.c -@@ -670,7 +670,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu) - if (rc) - return rc; - } -- hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS); -+ hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); - vcpu->arch.ckc_timer.function = kvm_s390_idle_wakeup; - get_cpu_id(&vcpu->arch.cpu_id); - vcpu->arch.cpu_id.version = 0xff; -diff --git a/arch/sh/mm/gup.c b/arch/sh/mm/gup.c -index 37458f3..e113bb4 100644 ---- a/arch/sh/mm/gup.c -+++ b/arch/sh/mm/gup.c -@@ -17,7 +17,7 @@ - static inline pte_t gup_get_pte(pte_t *ptep) - { - #ifndef CONFIG_X2TLB -- return ACCESS_ONCE(*ptep); -+ return READ_ONCE(*ptep); - #else - /* - * With get_user_pages_fast, we walk down the pagetables without -diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile -index ad754b4..8bd44e8 100644 ---- a/arch/x86/boot/compressed/Makefile -+++ b/arch/x86/boot/compressed/Makefile -@@ -49,6 +49,7 @@ $(obj)/eboot.o: KBUILD_CFLAGS += -fshort-wchar -mno-red-zone - - vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \ - $(objtree)/drivers/firmware/efi/libstub/lib.a -+vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o - - $(obj)/vmlinux: $(vmlinux-objs-y) FORCE - $(call if_changed,ld) -diff --git a/arch/x86/boot/compressed/efi_stub_64.S b/arch/x86/boot/compressed/efi_stub_64.S -index 7ff3632..99494df 100644 ---- a/arch/x86/boot/compressed/efi_stub_64.S -+++ b/arch/x86/boot/compressed/efi_stub_64.S -@@ -3,28 +3,3 @@ - #include <asm/processor-flags.h> - - #include "../../platform/efi/efi_stub_64.S" -- --#ifdef CONFIG_EFI_MIXED -- .code64 -- .text --ENTRY(efi64_thunk) -- push %rbp -- push %rbx -- -- subq $16, %rsp -- leaq efi_exit32(%rip), %rax -- movl %eax, 8(%rsp) -- leaq efi_gdt64(%rip), %rax -- movl %eax, 4(%rsp) -- movl %eax, 2(%rax) /* Fixup the gdt base address */ -- leaq efi32_boot_gdt(%rip), %rax -- movl %eax, (%rsp) -- -- call __efi64_thunk -- -- addq $16, %rsp -- pop %rbx -- pop %rbp -- ret --ENDPROC(efi64_thunk) --#endif /* CONFIG_EFI_MIXED */ -diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S -new file mode 100644 -index 0000000..630384a ---- /dev/null -+++ b/arch/x86/boot/compressed/efi_thunk_64.S -@@ -0,0 +1,196 @@ -+/* -+ * Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming -+ * -+ * Early support for invoking 32-bit EFI services from a 64-bit kernel. -+ * -+ * Because this thunking occurs before ExitBootServices() we have to -+ * restore the firmware's 32-bit GDT before we make EFI serivce calls, -+ * since the firmware's 32-bit IDT is still currently installed and it -+ * needs to be able to service interrupts. -+ * -+ * On the plus side, we don't have to worry about mangling 64-bit -+ * addresses into 32-bits because we're executing with an identify -+ * mapped pagetable and haven't transitioned to 64-bit virtual addresses -+ * yet. -+ */ -+ -+#include <linux/linkage.h> -+#include <asm/msr.h> -+#include <asm/page_types.h> -+#include <asm/processor-flags.h> -+#include <asm/segment.h> -+ -+ .code64 -+ .text -+ENTRY(efi64_thunk) -+ push %rbp -+ push %rbx -+ -+ subq $8, %rsp -+ leaq efi_exit32(%rip), %rax -+ movl %eax, 4(%rsp) -+ leaq efi_gdt64(%rip), %rax -+ movl %eax, (%rsp) -+ movl %eax, 2(%rax) /* Fixup the gdt base address */ -+ -+ movl %ds, %eax -+ push %rax -+ movl %es, %eax -+ push %rax -+ movl %ss, %eax -+ push %rax -+ -+ /* -+ * Convert x86-64 ABI params to i386 ABI -+ */ -+ subq $32, %rsp -+ movl %esi, 0x0(%rsp) -+ movl %edx, 0x4(%rsp) -+ movl %ecx, 0x8(%rsp) -+ movq %r8, %rsi -+ movl %esi, 0xc(%rsp) -+ movq %r9, %rsi -+ movl %esi, 0x10(%rsp) -+ -+ sgdt save_gdt(%rip) -+ -+ leaq 1f(%rip), %rbx -+ movq %rbx, func_rt_ptr(%rip) -+ -+ /* -+ * Switch to gdt with 32-bit segments. This is the firmware GDT -+ * that was installed when the kernel started executing. This -+ * pointer was saved at the EFI stub entry point in head_64.S. -+ */ -+ leaq efi32_boot_gdt(%rip), %rax -+ lgdt (%rax) -+ -+ pushq $__KERNEL_CS -+ leaq efi_enter32(%rip), %rax -+ pushq %rax -+ lretq -+ -+1: addq $32, %rsp -+ -+ lgdt save_gdt(%rip) -+ -+ pop %rbx -+ movl %ebx, %ss -+ pop %rbx -+ movl %ebx, %es -+ pop %rbx -+ movl %ebx, %ds -+ -+ /* -+ * Convert 32-bit status code into 64-bit. -+ */ -+ test %rax, %rax -+ jz 1f -+ movl %eax, %ecx -+ andl $0x0fffffff, %ecx -+ andl $0xf0000000, %eax -+ shl $32, %rax -+ or %rcx, %rax -+1: -+ addq $8, %rsp -+ pop %rbx -+ pop %rbp -+ ret -+ENDPROC(efi64_thunk) -+ -+ENTRY(efi_exit32) -+ movq func_rt_ptr(%rip), %rax -+ push %rax -+ mov %rdi, %rax -+ ret -+ENDPROC(efi_exit32) -+ -+ .code32 -+/* -+ * EFI service pointer must be in %edi. -+ * -+ * The stack should represent the 32-bit calling convention. -+ */ -+ENTRY(efi_enter32) -+ movl $__KERNEL_DS, %eax -+ movl %eax, %ds -+ movl %eax, %es -+ movl %eax, %ss -+ -+ /* Reload pgtables */ -+ movl %cr3, %eax -+ movl %eax, %cr3 -+ -+ /* Disable paging */ -+ movl %cr0, %eax -+ btrl $X86_CR0_PG_BIT, %eax -+ movl %eax, %cr0 -+ -+ /* Disable long mode via EFER */ -+ movl $MSR_EFER, %ecx -+ rdmsr -+ btrl $_EFER_LME, %eax -+ wrmsr -+ -+ call *%edi -+ -+ /* We must preserve return value */ -+ movl %eax, %edi -+ -+ /* -+ * Some firmware will return with interrupts enabled. Be sure to -+ * disable them before we switch GDTs. -+ */ -+ cli -+ -+ movl 56(%esp), %eax -+ movl %eax, 2(%eax) -+ lgdtl (%eax) -+ -+ movl %cr4, %eax -+ btsl $(X86_CR4_PAE_BIT), %eax -+ movl %eax, %cr4 -+ -+ movl %cr3, %eax -+ movl %eax, %cr3 -+ -+ movl $MSR_EFER, %ecx -+ rdmsr -+ btsl $_EFER_LME, %eax -+ wrmsr -+ -+ xorl %eax, %eax -+ lldt %ax -+ -+ movl 60(%esp), %eax -+ pushl $__KERNEL_CS -+ pushl %eax -+ -+ /* Enable paging */ -+ movl %cr0, %eax -+ btsl $X86_CR0_PG_BIT, %eax -+ movl %eax, %cr0 -+ lret -+ENDPROC(efi_enter32) -+ -+ .data -+ .balign 8 -+ .global efi32_boot_gdt -+efi32_boot_gdt: .word 0 -+ .quad 0 -+ -+save_gdt: .word 0 -+ .quad 0 -+func_rt_ptr: .quad 0 -+ -+ .global efi_gdt64 -+efi_gdt64: -+ .word efi_gdt64_end - efi_gdt64 -+ .long 0 /* Filled out by user */ -+ .word 0 -+ .quad 0x0000000000000000 /* NULL descriptor */ -+ .quad 0x00af9a000000ffff /* __KERNEL_CS */ -+ .quad 0x00cf92000000ffff /* __KERNEL_DS */ -+ .quad 0x0080890000000000 /* TS descriptor */ -+ .quad 0x0000000000000000 /* TS continued */ -+efi_gdt64_end: -diff --git a/arch/x86/include/asm/spinlock.h b/arch/x86/include/asm/spinlock.h -index 625660f..cf87de3 100644 ---- a/arch/x86/include/asm/spinlock.h -+++ b/arch/x86/include/asm/spinlock.h -@@ -46,7 +46,7 @@ static __always_inline bool static_key_false(struct static_key *key); - - static inline void __ticket_enter_slowpath(arch_spinlock_t *lock) - { -- set_bit(0, (volatile unsigned long *)&lock->tickets.tail); -+ set_bit(0, (volatile unsigned long *)&lock->tickets.head); - } - - #else /* !CONFIG_PARAVIRT_SPINLOCKS */ -@@ -60,10 +60,30 @@ static inline void __ticket_unlock_kick(arch_spinlock_t *lock, - } - - #endif /* CONFIG_PARAVIRT_SPINLOCKS */ -+static inline int __tickets_equal(__ticket_t one, __ticket_t two) -+{ -+ return !((one ^ two) & ~TICKET_SLOWPATH_FLAG); -+} -+ -+static inline void __ticket_check_and_clear_slowpath(arch_spinlock_t *lock, -+ __ticket_t head) -+{ -+ if (head & TICKET_SLOWPATH_FLAG) { -+ arch_spinlock_t old, new; -+ -+ old.tickets.head = head; -+ new.tickets.head = head & ~TICKET_SLOWPATH_FLAG; -+ old.tickets.tail = new.tickets.head + TICKET_LOCK_INC; -+ new.tickets.tail = old.tickets.tail; -+ -+ /* try to clear slowpath flag when there are no contenders */ -+ cmpxchg(&lock->head_tail, old.head_tail, new.head_tail); -+ } -+} - - static __always_inline int arch_spin_value_unlocked(arch_spinlock_t lock) - { -- return lock.tickets.head == lock.tickets.tail; -+ return __tickets_equal(lock.tickets.head, lock.tickets.tail); - } - - /* -@@ -87,18 +107,21 @@ static __always_inline void arch_spin_lock(arch_spinlock_t *lock) - if (likely(inc.head == inc.tail)) - goto out; - -- inc.tail &= ~TICKET_SLOWPATH_FLAG; - for (;;) { - unsigned count = SPIN_THRESHOLD; - - do { -- if (READ_ONCE(lock->tickets.head) == inc.tail) -- goto out; -+ inc.head = READ_ONCE(lock->tickets.head); -+ if (__tickets_equal(inc.head, inc.tail)) -+ goto clear_slowpath; - cpu_relax(); - } while (--count); - __ticket_lock_spinning(lock, inc.tail); - } --out: barrier(); /* make sure nothing creeps before the lock is taken */ -+clear_slowpath: -+ __ticket_check_and_clear_slowpath(lock, inc.head); -+out: -+ barrier(); /* make sure nothing creeps before the lock is taken */ - } - - static __always_inline int arch_spin_trylock(arch_spinlock_t *lock) -@@ -106,56 +129,30 @@ static __always_inline int arch_spin_trylock(arch_spinlock_t *lock) - arch_spinlock_t old, new; - - old.tickets = READ_ONCE(lock->tickets); -- if (old.tickets.head != (old.tickets.tail & ~TICKET_SLOWPATH_FLAG)) -+ if (!__tickets_equal(old.tickets.head, old.tickets.tail)) - return 0; - - new.head_tail = old.head_tail + (TICKET_LOCK_INC << TICKET_SHIFT); -+ new.head_tail &= ~TICKET_SLOWPATH_FLAG; - - /* cmpxchg is a full barrier, so nothing can move before it */ - return cmpxchg(&lock->head_tail, old.head_tail, new.head_tail) == old.head_tail; - } - --static inline void __ticket_unlock_slowpath(arch_spinlock_t *lock, -- arch_spinlock_t old) --{ -- arch_spinlock_t new; -- -- BUILD_BUG_ON(((__ticket_t)NR_CPUS) != NR_CPUS); -- -- /* Perform the unlock on the "before" copy */ -- old.tickets.head += TICKET_LOCK_INC; -- -- /* Clear the slowpath flag */ -- new.head_tail = old.head_tail & ~(TICKET_SLOWPATH_FLAG << TICKET_SHIFT); -- -- /* -- * If the lock is uncontended, clear the flag - use cmpxchg in -- * case it changes behind our back though. -- */ -- if (new.tickets.head != new.tickets.tail || -- cmpxchg(&lock->head_tail, old.head_tail, -- new.head_tail) != old.head_tail) { -- /* -- * Lock still has someone queued for it, so wake up an -- * appropriate waiter. -- */ -- __ticket_unlock_kick(lock, old.tickets.head); -- } --} -- - static __always_inline void arch_spin_unlock(arch_spinlock_t *lock) - { - if (TICKET_SLOWPATH_FLAG && -- static_key_false(¶virt_ticketlocks_enabled)) { -- arch_spinlock_t prev; -+ static_key_false(¶virt_ticketlocks_enabled)) { -+ __ticket_t head; - -- prev = *lock; -- add_smp(&lock->tickets.head, TICKET_LOCK_INC); -+ BUILD_BUG_ON(((__ticket_t)NR_CPUS) != NR_CPUS); - -- /* add_smp() is a full mb() */ -+ head = xadd(&lock->tickets.head, TICKET_LOCK_INC); - -- if (unlikely(lock->tickets.tail & TICKET_SLOWPATH_FLAG)) -- __ticket_unlock_slowpath(lock, prev); -+ if (unlikely(head & TICKET_SLOWPATH_FLAG)) { -+ head &= ~TICKET_SLOWPATH_FLAG; -+ __ticket_unlock_kick(lock, (head + TICKET_LOCK_INC)); -+ } - } else - __add(&lock->tickets.head, TICKET_LOCK_INC, UNLOCK_LOCK_PREFIX); - } -@@ -164,14 +161,15 @@ static inline int arch_spin_is_locked(arch_spinlock_t *lock) - { - struct __raw_tickets tmp = READ_ONCE(lock->tickets); - -- return tmp.tail != tmp.head; -+ return !__tickets_equal(tmp.tail, tmp.head); - } - - static inline int arch_spin_is_contended(arch_spinlock_t *lock) - { - struct __raw_tickets tmp = READ_ONCE(lock->tickets); - -- return (__ticket_t)(tmp.tail - tmp.head) > TICKET_LOCK_INC; -+ tmp.head &= ~TICKET_SLOWPATH_FLAG; -+ return (tmp.tail - tmp.head) > TICKET_LOCK_INC; - } - #define arch_spin_is_contended arch_spin_is_contended - -@@ -183,16 +181,16 @@ static __always_inline void arch_spin_lock_flags(arch_spinlock_t *lock, - - static inline void arch_spin_unlock_wait(arch_spinlock_t *lock) - { -- __ticket_t head = ACCESS_ONCE(lock->tickets.head); -+ __ticket_t head = READ_ONCE(lock->tickets.head); - - for (;;) { -- struct __raw_tickets tmp = ACCESS_ONCE(lock->tickets); -+ struct __raw_tickets tmp = READ_ONCE(lock->tickets); - /* - * We need to check "unlocked" in a loop, tmp.head == head - * can be false positive because of overflow. - */ -- if (tmp.head == (tmp.tail & ~TICKET_SLOWPATH_FLAG) || -- tmp.head != head) -+ if (__tickets_equal(tmp.head, tmp.tail) || -+ !__tickets_equal(tmp.head, head)) - break; - - cpu_relax(); -diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c -index b9e30da..b5ddc96 100644 ---- a/arch/x86/kernel/acpi/boot.c -+++ b/arch/x86/kernel/acpi/boot.c -@@ -613,6 +613,11 @@ int acpi_gsi_to_irq(u32 gsi, unsigned int *irqp) - { - int rc, irq, trigger, polarity; - -+ if (acpi_irq_model == ACPI_IRQ_MODEL_PIC) { -+ *irqp = gsi; -+ return 0; -+ } -+ - rc = acpi_get_override_irq(gsi, &trigger, &polarity); - if (rc == 0) { - trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE; -diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c -index 94f6434..e354cc6 100644 ---- a/arch/x86/kernel/kvm.c -+++ b/arch/x86/kernel/kvm.c -@@ -609,7 +609,7 @@ static inline void check_zero(void) - u8 ret; - u8 old; - -- old = ACCESS_ONCE(zero_stats); -+ old = READ_ONCE(zero_stats); - if (unlikely(old)) { - ret = cmpxchg(&zero_stats, old, 0); - /* This ensures only one fellow resets the stat */ -@@ -727,6 +727,7 @@ __visible void kvm_lock_spinning(struct arch_spinlock *lock, __ticket_t want) - int cpu; - u64 start; - unsigned long flags; -+ __ticket_t head; - - if (in_nmi()) - return; -@@ -768,11 +769,15 @@ __visible void kvm_lock_spinning(struct arch_spinlock *lock, __ticket_t want) - */ - __ticket_enter_slowpath(lock); - -+ /* make sure enter_slowpath, which is atomic does not cross the read */ -+ smp_mb__after_atomic(); -+ - /* - * check again make sure it didn't become free while - * we weren't looking. - */ -- if (ACCESS_ONCE(lock->tickets.head) == want) { -+ head = READ_ONCE(lock->tickets.head); -+ if (__tickets_equal(head, want)) { - add_stats(TAKEN_SLOW_PICKUP, 1); - goto out; - } -@@ -803,8 +808,8 @@ static void kvm_unlock_kick(struct arch_spinlock *lock, __ticket_t ticket) - add_stats(RELEASED_SLOW, 1); - for_each_cpu(cpu, &waiting_cpus) { - const struct kvm_lock_waiting *w = &per_cpu(klock_waiting, cpu); -- if (ACCESS_ONCE(w->lock) == lock && -- ACCESS_ONCE(w->want) == ticket) { -+ if (READ_ONCE(w->lock) == lock && -+ READ_ONCE(w->want) == ticket) { - add_stats(RELEASED_SLOW_KICKED, 1); - kvm_kick_cpu(cpu); - break; -diff --git a/arch/x86/kernel/pmc_atom.c b/arch/x86/kernel/pmc_atom.c -index 0ee5025e..8bb9a61 100644 ---- a/arch/x86/kernel/pmc_atom.c -+++ b/arch/x86/kernel/pmc_atom.c -@@ -217,6 +217,8 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc, struct pci_dev *pdev) - if (!dir) - return -ENOMEM; - -+ pmc->dbgfs_dir = dir; -+ - f = debugfs_create_file("dev_state", S_IFREG | S_IRUGO, - dir, pmc, &pmc_dev_state_ops); - if (!f) { -@@ -229,7 +231,7 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc, struct pci_dev *pdev) - dev_err(&pdev->dev, "sleep_state register failed\n"); - goto err; - } -- pmc->dbgfs_dir = dir; -+ - return 0; - err: - pmc_dbgfs_unregister(pmc); -diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c -index d754782..224b142 100644 ---- a/arch/x86/mm/gup.c -+++ b/arch/x86/mm/gup.c -@@ -172,7 +172,7 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, - */ - if (pmd_none(pmd) || pmd_trans_splitting(pmd)) - return 0; -- if (unlikely(pmd_large(pmd))) { -+ if (unlikely(pmd_large(pmd) || !pmd_present(pmd))) { - /* - * NUMA hinting faults need to be handled in the GUP - * slowpath for accounting purposes and so that they -diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 8b977eb..006cc91 100644 ---- a/arch/x86/mm/hugetlbpage.c -+++ b/arch/x86/mm/hugetlbpage.c -@@ -66,9 +66,15 @@ follow_huge_addr(struct mm_struct *mm, unsigned long address, int write) - return ERR_PTR(-EINVAL); - } - -+/* -+ * pmd_huge() returns 1 if @pmd is hugetlb related entry, that is normal -+ * hugetlb entry or non-present (migration or hwpoisoned) hugetlb entry. -+ * Otherwise, returns 0. -+ */ - int pmd_huge(pmd_t pmd) - { -- return !!(pmd_val(pmd) & _PAGE_PSE); -+ return !pmd_none(pmd) && -+ (pmd_val(pmd) & (_PAGE_PRESENT|_PAGE_PSE)) != _PAGE_PRESENT; - } - - int pud_huge(pud_t pud) -diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 919b912..df4552b 100644 ---- a/arch/x86/mm/mmap.c -+++ b/arch/x86/mm/mmap.c -@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = { - .flags = -1, - }; - --static unsigned int stack_maxrandom_size(void) -+static unsigned long stack_maxrandom_size(void) - { -- unsigned int max = 0; -+ unsigned long max = 0; - if ((current->flags & PF_RANDOMIZE) && - !(current->personality & ADDR_NO_RANDOMIZE)) { -- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; -+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT; - } - - return max; -diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S -index 5fcda72..86d0f9e 100644 ---- a/arch/x86/platform/efi/efi_stub_64.S -+++ b/arch/x86/platform/efi/efi_stub_64.S -@@ -91,167 +91,6 @@ ENTRY(efi_call) - ret - ENDPROC(efi_call) - --#ifdef CONFIG_EFI_MIXED -- --/* -- * We run this function from the 1:1 mapping. -- * -- * This function must be invoked with a 1:1 mapped stack. -- */ --ENTRY(__efi64_thunk) -- movl %ds, %eax -- push %rax -- movl %es, %eax -- push %rax -- movl %ss, %eax -- push %rax -- -- subq $32, %rsp -- movl %esi, 0x0(%rsp) -- movl %edx, 0x4(%rsp) -- movl %ecx, 0x8(%rsp) -- movq %r8, %rsi -- movl %esi, 0xc(%rsp) -- movq %r9, %rsi -- movl %esi, 0x10(%rsp) -- -- sgdt save_gdt(%rip) -- -- leaq 1f(%rip), %rbx -- movq %rbx, func_rt_ptr(%rip) -- -- /* Switch to gdt with 32-bit segments */ -- movl 64(%rsp), %eax -- lgdt (%rax) -- -- leaq efi_enter32(%rip), %rax -- pushq $__KERNEL_CS -- pushq %rax -- lretq -- --1: addq $32, %rsp -- -- lgdt save_gdt(%rip) -- -- pop %rbx -- movl %ebx, %ss -- pop %rbx -- movl %ebx, %es -- pop %rbx -- movl %ebx, %ds -- -- /* -- * Convert 32-bit status code into 64-bit. -- */ -- test %rax, %rax -- jz 1f -- movl %eax, %ecx -- andl $0x0fffffff, %ecx -- andl $0xf0000000, %eax -- shl $32, %rax -- or %rcx, %rax --1: -- ret --ENDPROC(__efi64_thunk) -- --ENTRY(efi_exit32) -- movq func_rt_ptr(%rip), %rax -- push %rax -- mov %rdi, %rax -- ret --ENDPROC(efi_exit32) -- -- .code32 --/* -- * EFI service pointer must be in %edi. -- * -- * The stack should represent the 32-bit calling convention. -- */ --ENTRY(efi_enter32) -- movl $__KERNEL_DS, %eax -- movl %eax, %ds -- movl %eax, %es -- movl %eax, %ss -- -- /* Reload pgtables */ -- movl %cr3, %eax -- movl %eax, %cr3 -- -- /* Disable paging */ -- movl %cr0, %eax -- btrl $X86_CR0_PG_BIT, %eax -- movl %eax, %cr0 -- -- /* Disable long mode via EFER */ -- movl $MSR_EFER, %ecx -- rdmsr -- btrl $_EFER_LME, %eax -- wrmsr -- -- call *%edi -- -- /* We must preserve return value */ -- movl %eax, %edi -- -- /* -- * Some firmware will return with interrupts enabled. Be sure to -- * disable them before we switch GDTs. -- */ -- cli -- -- movl 68(%esp), %eax -- movl %eax, 2(%eax) -- lgdtl (%eax) -- -- movl %cr4, %eax -- btsl $(X86_CR4_PAE_BIT), %eax -- movl %eax, %cr4 -- -- movl %cr3, %eax -- movl %eax, %cr3 -- -- movl $MSR_EFER, %ecx -- rdmsr -- btsl $_EFER_LME, %eax -- wrmsr -- -- xorl %eax, %eax -- lldt %ax -- -- movl 72(%esp), %eax -- pushl $__KERNEL_CS -- pushl %eax -- -- /* Enable paging */ -- movl %cr0, %eax -- btsl $X86_CR0_PG_BIT, %eax -- movl %eax, %cr0 -- lret --ENDPROC(efi_enter32) -- -- .data -- .balign 8 -- .global efi32_boot_gdt --efi32_boot_gdt: .word 0 -- .quad 0 -- --save_gdt: .word 0 -- .quad 0 --func_rt_ptr: .quad 0 -- -- .global efi_gdt64 --efi_gdt64: -- .word efi_gdt64_end - efi_gdt64 -- .long 0 /* Filled out by user */ -- .word 0 -- .quad 0x0000000000000000 /* NULL descriptor */ -- .quad 0x00af9a000000ffff /* __KERNEL_CS */ -- .quad 0x00cf92000000ffff /* __KERNEL_DS */ -- .quad 0x0080890000000000 /* TS descriptor */ -- .quad 0x0000000000000000 /* TS continued */ --efi_gdt64_end: --#endif /* CONFIG_EFI_MIXED */ -- - .data - ENTRY(efi_scratch) - .fill 3,8,0 -diff --git a/arch/x86/platform/efi/efi_thunk_64.S b/arch/x86/platform/efi/efi_thunk_64.S -index 8806fa7..ff85d28 100644 ---- a/arch/x86/platform/efi/efi_thunk_64.S -+++ b/arch/x86/platform/efi/efi_thunk_64.S -@@ -1,9 +1,26 @@ - /* - * Copyright (C) 2014 Intel Corporation; author Matt Fleming -+ * -+ * Support for invoking 32-bit EFI runtime services from a 64-bit -+ * kernel. -+ * -+ * The below thunking functions are only used after ExitBootServices() -+ * has been called. This simplifies things considerably as compared with -+ * the early EFI thunking because we can leave all the kernel state -+ * intact (GDT, IDT, etc) and simply invoke the the 32-bit EFI runtime -+ * services from __KERNEL32_CS. This means we can continue to service -+ * interrupts across an EFI mixed mode call. -+ * -+ * We do however, need to handle the fact that we're running in a full -+ * 64-bit virtual address space. Things like the stack and instruction -+ * addresses need to be accessible by the 32-bit firmware, so we rely on -+ * using the identity mappings in the EFI page table to access the stack -+ * and kernel text (see efi_setup_page_tables()). - */ - - #include <linux/linkage.h> - #include <asm/page_types.h> -+#include <asm/segment.h> - - .text - .code64 -@@ -33,14 +50,6 @@ ENTRY(efi64_thunk) - leaq efi_exit32(%rip), %rbx - subq %rax, %rbx - movl %ebx, 8(%rsp) -- leaq efi_gdt64(%rip), %rbx -- subq %rax, %rbx -- movl %ebx, 2(%ebx) -- movl %ebx, 4(%rsp) -- leaq efi_gdt32(%rip), %rbx -- subq %rax, %rbx -- movl %ebx, 2(%ebx) -- movl %ebx, (%rsp) - - leaq __efi64_thunk(%rip), %rbx - subq %rax, %rbx -@@ -52,14 +61,92 @@ ENTRY(efi64_thunk) - retq - ENDPROC(efi64_thunk) - -- .data --efi_gdt32: -- .word efi_gdt32_end - efi_gdt32 -- .long 0 /* Filled out above */ -- .word 0 -- .quad 0x0000000000000000 /* NULL descriptor */ -- .quad 0x00cf9a000000ffff /* __KERNEL_CS */ -- .quad 0x00cf93000000ffff /* __KERNEL_DS */ --efi_gdt32_end: -+/* -+ * We run this function from the 1:1 mapping. -+ * -+ * This function must be invoked with a 1:1 mapped stack. -+ */ -+ENTRY(__efi64_thunk) -+ movl %ds, %eax -+ push %rax -+ movl %es, %eax -+ push %rax -+ movl %ss, %eax -+ push %rax -+ -+ subq $32, %rsp -+ movl %esi, 0x0(%rsp) -+ movl %edx, 0x4(%rsp) -+ movl %ecx, 0x8(%rsp) -+ movq %r8, %rsi -+ movl %esi, 0xc(%rsp) -+ movq %r9, %rsi -+ movl %esi, 0x10(%rsp) -+ -+ leaq 1f(%rip), %rbx -+ movq %rbx, func_rt_ptr(%rip) -+ -+ /* Switch to 32-bit descriptor */ -+ pushq $__KERNEL32_CS -+ leaq efi_enter32(%rip), %rax -+ pushq %rax -+ lretq -+ -+1: addq $32, %rsp -+ -+ pop %rbx -+ movl %ebx, %ss -+ pop %rbx -+ movl %ebx, %es -+ pop %rbx -+ movl %ebx, %ds - -+ /* -+ * Convert 32-bit status code into 64-bit. -+ */ -+ test %rax, %rax -+ jz 1f -+ movl %eax, %ecx -+ andl $0x0fffffff, %ecx -+ andl $0xf0000000, %eax -+ shl $32, %rax -+ or %rcx, %rax -+1: -+ ret -+ENDPROC(__efi64_thunk) -+ -+ENTRY(efi_exit32) -+ movq func_rt_ptr(%rip), %rax -+ push %rax -+ mov %rdi, %rax -+ ret -+ENDPROC(efi_exit32) -+ -+ .code32 -+/* -+ * EFI service pointer must be in %edi. -+ * -+ * The stack should represent the 32-bit calling convention. -+ */ -+ENTRY(efi_enter32) -+ movl $__KERNEL_DS, %eax -+ movl %eax, %ds -+ movl %eax, %es -+ movl %eax, %ss -+ -+ call *%edi -+ -+ /* We must preserve return value */ -+ movl %eax, %edi -+ -+ movl 72(%esp), %eax -+ pushl $__KERNEL_CS -+ pushl %eax -+ -+ lret -+ENDPROC(efi_enter32) -+ -+ .data -+ .balign 8 -+func_rt_ptr: .quad 0 - efi_saved_sp: .quad 0 -diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c -index 70fb507..376a0a9 100644 ---- a/arch/x86/xen/p2m.c -+++ b/arch/x86/xen/p2m.c -@@ -554,7 +554,7 @@ static bool alloc_p2m(unsigned long pfn) - mid_mfn = NULL; - } - -- p2m_pfn = pte_pfn(ACCESS_ONCE(*ptep)); -+ p2m_pfn = pte_pfn(READ_ONCE(*ptep)); - if (p2m_pfn == PFN_DOWN(__pa(p2m_identity)) || - p2m_pfn == PFN_DOWN(__pa(p2m_missing))) { - /* p2m leaf page is missing */ -diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c -index 23b45eb..956374c 100644 ---- a/arch/x86/xen/spinlock.c -+++ b/arch/x86/xen/spinlock.c -@@ -41,7 +41,7 @@ static u8 zero_stats; - static inline void check_zero(void) - { - u8 ret; -- u8 old = ACCESS_ONCE(zero_stats); -+ u8 old = READ_ONCE(zero_stats); - if (unlikely(old)) { - ret = cmpxchg(&zero_stats, old, 0); - /* This ensures only one fellow resets the stat */ -@@ -112,6 +112,7 @@ __visible void xen_lock_spinning(struct arch_spinlock *lock, __ticket_t want) - struct xen_lock_waiting *w = this_cpu_ptr(&lock_waiting); - int cpu = smp_processor_id(); - u64 start; -+ __ticket_t head; - unsigned long flags; - - /* If kicker interrupts not initialized yet, just spin */ -@@ -159,11 +160,15 @@ __visible void xen_lock_spinning(struct arch_spinlock *lock, __ticket_t want) - */ - __ticket_enter_slowpath(lock); - -+ /* make sure enter_slowpath, which is atomic does not cross the read */ -+ smp_mb__after_atomic(); -+ - /* - * check again make sure it didn't become free while - * we weren't looking - */ -- if (ACCESS_ONCE(lock->tickets.head) == want) { -+ head = READ_ONCE(lock->tickets.head); -+ if (__tickets_equal(head, want)) { - add_stats(TAKEN_SLOW_PICKUP, 1); - goto out; - } -@@ -204,8 +209,8 @@ static void xen_unlock_kick(struct arch_spinlock *lock, __ticket_t next) - const struct xen_lock_waiting *w = &per_cpu(lock_waiting, cpu); - - /* Make sure we read lock before want */ -- if (ACCESS_ONCE(w->lock) == lock && -- ACCESS_ONCE(w->want) == next) { -+ if (READ_ONCE(w->lock) == lock && -+ READ_ONCE(w->want) == next) { - add_stats(RELEASED_SLOW_KICKED, 1); - xen_send_IPI_one(cpu, XEN_SPIN_UNLOCK_VECTOR); - break; -diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c -index 60c9d4a..3a415ec 100644 ---- a/block/blk-mq-tag.c -+++ b/block/blk-mq-tag.c -@@ -509,6 +509,7 @@ static int bt_alloc(struct blk_mq_bitmap_tags *bt, unsigned int depth, - bt->bs = kzalloc(BT_WAIT_QUEUES * sizeof(*bt->bs), GFP_KERNEL); - if (!bt->bs) { - kfree(bt->map); -+ bt->map = NULL; - return -ENOMEM; - } - -diff --git a/block/blk-throttle.c b/block/blk-throttle.c -index 9273d09..5b9c6d5 100644 ---- a/block/blk-throttle.c -+++ b/block/blk-throttle.c -@@ -1292,6 +1292,9 @@ static u64 tg_prfill_cpu_rwstat(struct seq_file *sf, - struct blkg_rwstat rwstat = { }, tmp; - int i, cpu; - -+ if (tg->stats_cpu == NULL) -+ return 0; -+ - for_each_possible_cpu(cpu) { - struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu); - -diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c -index 6f2751d..5da8e6e 100644 ---- a/block/cfq-iosched.c -+++ b/block/cfq-iosched.c -@@ -3590,6 +3590,11 @@ retry: - - blkcg = bio_blkcg(bio); - cfqg = cfq_lookup_create_cfqg(cfqd, blkcg); -+ if (!cfqg) { -+ cfqq = &cfqd->oom_cfqq; -+ goto out; -+ } -+ - cfqq = cic_to_cfqq(cic, is_sync); - - /* -@@ -3626,7 +3631,7 @@ retry: - } else - cfqq = &cfqd->oom_cfqq; - } -- -+out: - if (new_cfqq) - kmem_cache_free(cfq_pool, new_cfqq); - -@@ -3656,12 +3661,17 @@ static struct cfq_queue * - cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic, - struct bio *bio, gfp_t gfp_mask) - { -- const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio); -- const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio); -+ int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio); -+ int ioprio = IOPRIO_PRIO_DATA(cic->ioprio); - struct cfq_queue **async_cfqq = NULL; - struct cfq_queue *cfqq = NULL; - - if (!is_sync) { -+ if (!ioprio_valid(cic->ioprio)) { -+ struct task_struct *tsk = current; -+ ioprio = task_nice_ioprio(tsk); -+ ioprio_class = task_nice_ioclass(tsk); -+ } - async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio); - cfqq = *async_cfqq; - } -diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c -index e75737f..7d5880d 100644 ---- a/drivers/acpi/acpi_lpss.c -+++ b/drivers/acpi/acpi_lpss.c -@@ -105,7 +105,7 @@ static void lpss_uart_setup(struct lpss_private_data *pdata) - } - } - --static void byt_i2c_setup(struct lpss_private_data *pdata) -+static void lpss_deassert_reset(struct lpss_private_data *pdata) - { - unsigned int offset; - u32 val; -@@ -114,9 +114,18 @@ static void byt_i2c_setup(struct lpss_private_data *pdata) - val = readl(pdata->mmio_base + offset); - val |= LPSS_RESETS_RESET_APB | LPSS_RESETS_RESET_FUNC; - writel(val, pdata->mmio_base + offset); -+} -+ -+#define LPSS_I2C_ENABLE 0x6c -+ -+static void byt_i2c_setup(struct lpss_private_data *pdata) -+{ -+ lpss_deassert_reset(pdata); - - if (readl(pdata->mmio_base + pdata->dev_desc->prv_offset)) - pdata->fixed_clk_rate = 133000000; -+ -+ writel(0, pdata->mmio_base + LPSS_I2C_ENABLE); - } - - static struct lpss_device_desc lpt_dev_desc = { -@@ -166,6 +175,12 @@ static struct lpss_device_desc byt_i2c_dev_desc = { - .setup = byt_i2c_setup, - }; - -+static struct lpss_device_desc bsw_spi_dev_desc = { -+ .flags = LPSS_CLK | LPSS_CLK_GATE | LPSS_CLK_DIVIDER | LPSS_SAVE_CTX, -+ .prv_offset = 0x400, -+ .setup = lpss_deassert_reset, -+}; -+ - #else - - #define LPSS_ADDR(desc) (0UL) -@@ -198,7 +213,7 @@ static const struct acpi_device_id acpi_lpss_device_ids[] = { - /* Braswell LPSS devices */ - { "80862288", LPSS_ADDR(byt_pwm_dev_desc) }, - { "8086228A", LPSS_ADDR(byt_uart_dev_desc) }, -- { "8086228E", LPSS_ADDR(byt_spi_dev_desc) }, -+ { "8086228E", LPSS_ADDR(bsw_spi_dev_desc) }, - { "808622C1", LPSS_ADDR(byt_i2c_dev_desc) }, - - { "INT3430", LPSS_ADDR(lpt_dev_desc) }, -diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c -index 1ee27ac..de4c849 100644 ---- a/drivers/bluetooth/ath3k.c -+++ b/drivers/bluetooth/ath3k.c -@@ -108,6 +108,7 @@ static const struct usb_device_id ath3k_table[] = { - { USB_DEVICE(0x13d3, 0x3393) }, - { USB_DEVICE(0x13d3, 0x3402) }, - { USB_DEVICE(0x13d3, 0x3408) }, -+ { USB_DEVICE(0x13d3, 0x3423) }, - { USB_DEVICE(0x13d3, 0x3432) }, - - /* Atheros AR5BBU12 with sflash firmware */ -@@ -162,6 +163,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { - { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, -+ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, - - /* Atheros AR5BBU22 with sflash firmware */ -@@ -174,6 +176,8 @@ static const struct usb_device_id ath3k_blist_tbl[] = { - #define USB_REQ_DFU_DNLOAD 1 - #define BULK_SIZE 4096 - #define FW_HDR_SIZE 20 -+#define TIMEGAP_USEC_MIN 50 -+#define TIMEGAP_USEC_MAX 100 - - static int ath3k_load_firmware(struct usb_device *udev, - const struct firmware *firmware) -@@ -205,6 +209,9 @@ static int ath3k_load_firmware(struct usb_device *udev, - pipe = usb_sndbulkpipe(udev, 0x02); - - while (count) { -+ /* workaround the compatibility issue with xHCI controller*/ -+ usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX); -+ - size = min_t(uint, count, BULK_SIZE); - memcpy(send_buf, firmware->data + sent, size); - -@@ -302,6 +309,9 @@ static int ath3k_load_fwfile(struct usb_device *udev, - pipe = usb_sndbulkpipe(udev, 0x02); - - while (count) { -+ /* workaround the compatibility issue with xHCI controller*/ -+ usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX); -+ - size = min_t(uint, count, BULK_SIZE); - memcpy(send_buf, firmware->data + sent, size); - -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index 19cf2cf..c91ec52 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -109,16 +109,24 @@ static const struct usb_device_id btusb_table[] = { - { USB_DEVICE(0x13d3, 0x3404), - .driver_info = BTUSB_BCM_PATCHRAM }, - -+ /* Broadcom BCM20702B0 (Dynex/Insignia) */ -+ { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM }, -+ - /* Foxconn - Hon Hai */ - { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01), - .driver_info = BTUSB_BCM_PATCHRAM }, - -+ /* Lite-On Technology - Broadcom based */ -+ { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01), -+ .driver_info = BTUSB_BCM_PATCHRAM }, -+ - /* Broadcom devices with vendor specific id */ - { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01), - .driver_info = BTUSB_BCM_PATCHRAM }, - - /* ASUSTek Computer - Broadcom based */ -- { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) }, -+ { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01), -+ .driver_info = BTUSB_BCM_PATCHRAM }, - - /* Belkin F8065bf - Broadcom based */ - { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) }, -@@ -188,6 +196,7 @@ static const struct usb_device_id blacklist_table[] = { - { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, -+ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, - - /* Atheros AR5BBU12 with sflash firmware */ -diff --git a/drivers/char/random.c b/drivers/char/random.c -index 04645c0..9cd6968 100644 ---- a/drivers/char/random.c -+++ b/drivers/char/random.c -@@ -569,19 +569,19 @@ static void fast_mix(struct fast_pool *f) - __u32 c = f->pool[2], d = f->pool[3]; - - a += b; c += d; -- b = rol32(a, 6); d = rol32(c, 27); -+ b = rol32(b, 6); d = rol32(d, 27); - d ^= a; b ^= c; - - a += b; c += d; -- b = rol32(a, 16); d = rol32(c, 14); -+ b = rol32(b, 16); d = rol32(d, 14); - d ^= a; b ^= c; - - a += b; c += d; -- b = rol32(a, 6); d = rol32(c, 27); -+ b = rol32(b, 6); d = rol32(d, 27); - d ^= a; b ^= c; - - a += b; c += d; -- b = rol32(a, 16); d = rol32(c, 14); -+ b = rol32(b, 16); d = rol32(d, 14); - d ^= a; b ^= c; - - f->pool[0] = a; f->pool[1] = b; -diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c -index 6af1700..cfb9089 100644 ---- a/drivers/char/tpm/tpm-interface.c -+++ b/drivers/char/tpm/tpm-interface.c -@@ -1122,7 +1122,7 @@ struct tpm_chip *tpm_register_hardware(struct device *dev, - - /* Make chip available */ - spin_lock(&driver_lock); -- list_add_rcu(&chip->list, &tpm_chip_list); -+ list_add_tail_rcu(&chip->list, &tpm_chip_list); - spin_unlock(&driver_lock); - - return chip; -diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c -index 7727292..503a85a 100644 ---- a/drivers/char/tpm/tpm_i2c_atmel.c -+++ b/drivers/char/tpm/tpm_i2c_atmel.c -@@ -168,6 +168,10 @@ static int i2c_atmel_probe(struct i2c_client *client, - - chip->vendor.priv = devm_kzalloc(dev, sizeof(struct priv_data), - GFP_KERNEL); -+ if (!chip->vendor.priv) { -+ rc = -ENOMEM; -+ goto out_err; -+ } - - /* Default timeouts */ - chip->vendor.timeout_a = msecs_to_jiffies(TPM_I2C_SHORT_TIMEOUT); -diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c -index 7b158ef..23c7b13 100644 ---- a/drivers/char/tpm/tpm_i2c_nuvoton.c -+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c -@@ -538,6 +538,11 @@ static int i2c_nuvoton_probe(struct i2c_client *client, - - chip->vendor.priv = devm_kzalloc(dev, sizeof(struct priv_data), - GFP_KERNEL); -+ if (!chip->vendor.priv) { -+ rc = -ENOMEM; -+ goto out_err; -+ } -+ - init_waitqueue_head(&chip->vendor.read_queue); - init_waitqueue_head(&chip->vendor.int_queue); - -diff --git a/drivers/char/tpm/tpm_i2c_stm_st33.c b/drivers/char/tpm/tpm_i2c_stm_st33.c -index 4669e37..7d1c540 100644 ---- a/drivers/char/tpm/tpm_i2c_stm_st33.c -+++ b/drivers/char/tpm/tpm_i2c_stm_st33.c -@@ -487,7 +487,7 @@ static int tpm_stm_i2c_send(struct tpm_chip *chip, unsigned char *buf, - if (burstcnt < 0) - return burstcnt; - size = min_t(int, len - i - 1, burstcnt); -- ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf, size); -+ ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf + i, size); - if (ret < 0) - goto out_err; - -diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c -index af74c57..eff9d58 100644 ---- a/drivers/char/tpm/tpm_ibmvtpm.c -+++ b/drivers/char/tpm/tpm_ibmvtpm.c -@@ -148,7 +148,8 @@ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) - crq.len = (u16)count; - crq.data = ibmvtpm->rtce_dma_handle; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, word[0], word[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]), -+ cpu_to_be64(word[1])); - if (rc != H_SUCCESS) { - dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc); - rc = 0; -@@ -186,7 +187,8 @@ static int ibmvtpm_crq_get_rtce_size(struct ibmvtpm_dev *ibmvtpm) - crq.valid = (u8)IBMVTPM_VALID_CMD; - crq.msg = (u8)VTPM_GET_RTCE_BUFFER_SIZE; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]), -+ cpu_to_be64(buf[1])); - if (rc != H_SUCCESS) - dev_err(ibmvtpm->dev, - "ibmvtpm_crq_get_rtce_size failed rc=%d\n", rc); -@@ -212,7 +214,8 @@ static int ibmvtpm_crq_get_version(struct ibmvtpm_dev *ibmvtpm) - crq.valid = (u8)IBMVTPM_VALID_CMD; - crq.msg = (u8)VTPM_GET_VERSION; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]), -+ cpu_to_be64(buf[1])); - if (rc != H_SUCCESS) - dev_err(ibmvtpm->dev, - "ibmvtpm_crq_get_version failed rc=%d\n", rc); -@@ -307,6 +310,14 @@ static int tpm_ibmvtpm_remove(struct vio_dev *vdev) - static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev) - { - struct ibmvtpm_dev *ibmvtpm = ibmvtpm_get_data(&vdev->dev); -+ -+ /* ibmvtpm initializes at probe time, so the data we are -+ * asking for may not be set yet. Estimate that 4K required -+ * for TCE-mapped buffer in addition to CRQ. -+ */ -+ if (!ibmvtpm) -+ return CRQ_RES_BUF_SIZE + PAGE_SIZE; -+ - return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size; - } - -@@ -327,7 +338,8 @@ static int tpm_ibmvtpm_suspend(struct device *dev) - crq.valid = (u8)IBMVTPM_VALID_CMD; - crq.msg = (u8)VTPM_PREPARE_TO_SUSPEND; - -- rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]); -+ rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]), -+ cpu_to_be64(buf[1])); - if (rc != H_SUCCESS) - dev_err(ibmvtpm->dev, - "tpm_ibmvtpm_suspend failed rc=%d\n", rc); -@@ -472,11 +484,11 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, - case IBMVTPM_VALID_CMD: - switch (crq->msg) { - case VTPM_GET_RTCE_BUFFER_SIZE_RES: -- if (crq->len <= 0) { -+ if (be16_to_cpu(crq->len) <= 0) { - dev_err(ibmvtpm->dev, "Invalid rtce size\n"); - return; - } -- ibmvtpm->rtce_size = crq->len; -+ ibmvtpm->rtce_size = be16_to_cpu(crq->len); - ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size, - GFP_KERNEL); - if (!ibmvtpm->rtce_buf) { -@@ -497,11 +509,11 @@ static void ibmvtpm_crq_process(struct ibmvtpm_crq *crq, - - return; - case VTPM_GET_VERSION_RES: -- ibmvtpm->vtpm_version = crq->data; -+ ibmvtpm->vtpm_version = be32_to_cpu(crq->data); - return; - case VTPM_TPM_COMMAND_RES: - /* len of the data in rtce buffer */ -- ibmvtpm->res_len = crq->len; -+ ibmvtpm->res_len = be16_to_cpu(crq->len); - wake_up_interruptible(&ibmvtpm->wq); - return; - default: -diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c -index 6f19854..ccb140d 100644 ---- a/drivers/char/tpm/tpm_tis.c -+++ b/drivers/char/tpm/tpm_tis.c -@@ -75,6 +75,10 @@ enum tis_defaults { - #define TPM_DID_VID(l) (0x0F00 | ((l) << 12)) - #define TPM_RID(l) (0x0F04 | ((l) << 12)) - -+struct priv_data { -+ bool irq_tested; -+}; -+ - static LIST_HEAD(tis_chips); - static DEFINE_MUTEX(tis_lock); - -@@ -338,12 +342,27 @@ out_err: - return rc; - } - -+static void disable_interrupts(struct tpm_chip *chip) -+{ -+ u32 intmask; -+ -+ intmask = -+ ioread32(chip->vendor.iobase + -+ TPM_INT_ENABLE(chip->vendor.locality)); -+ intmask &= ~TPM_GLOBAL_INT_ENABLE; -+ iowrite32(intmask, -+ chip->vendor.iobase + -+ TPM_INT_ENABLE(chip->vendor.locality)); -+ free_irq(chip->vendor.irq, chip); -+ chip->vendor.irq = 0; -+} -+ - /* - * If interrupts are used (signaled by an irq set in the vendor structure) - * tpm.c can skip polling for the data to be available as the interrupt is - * waited for here - */ --static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len) -+static int tpm_tis_send_main(struct tpm_chip *chip, u8 *buf, size_t len) - { - int rc; - u32 ordinal; -@@ -373,6 +392,30 @@ out_err: - return rc; - } - -+static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len) -+{ -+ int rc, irq; -+ struct priv_data *priv = chip->vendor.priv; -+ -+ if (!chip->vendor.irq || priv->irq_tested) -+ return tpm_tis_send_main(chip, buf, len); -+ -+ /* Verify receipt of the expected IRQ */ -+ irq = chip->vendor.irq; -+ chip->vendor.irq = 0; -+ rc = tpm_tis_send_main(chip, buf, len); -+ chip->vendor.irq = irq; -+ if (!priv->irq_tested) -+ msleep(1); -+ if (!priv->irq_tested) { -+ disable_interrupts(chip); -+ dev_err(chip->dev, -+ FW_BUG "TPM interrupt not working, polling instead\n"); -+ } -+ priv->irq_tested = true; -+ return rc; -+} -+ - struct tis_vendor_timeout_override { - u32 did_vid; - unsigned long timeout_us[4]; -@@ -505,6 +548,7 @@ static irqreturn_t tis_int_handler(int dummy, void *dev_id) - if (interrupt == 0) - return IRQ_NONE; - -+ ((struct priv_data *)chip->vendor.priv)->irq_tested = true; - if (interrupt & TPM_INTF_DATA_AVAIL_INT) - wake_up_interruptible(&chip->vendor.read_queue); - if (interrupt & TPM_INTF_LOCALITY_CHANGE_INT) -@@ -534,9 +578,14 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, - u32 vendor, intfcaps, intmask; - int rc, i, irq_s, irq_e, probe; - struct tpm_chip *chip; -+ struct priv_data *priv; - -+ priv = devm_kzalloc(dev, sizeof(struct priv_data), GFP_KERNEL); -+ if (priv == NULL) -+ return -ENOMEM; - if (!(chip = tpm_register_hardware(dev, &tpm_tis))) - return -ENODEV; -+ chip->vendor.priv = priv; - - chip->vendor.iobase = ioremap(start, len); - if (!chip->vendor.iobase) { -@@ -605,19 +654,6 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, - if (intfcaps & TPM_INTF_DATA_AVAIL_INT) - dev_dbg(dev, "\tData Avail Int Support\n"); - -- /* get the timeouts before testing for irqs */ -- if (tpm_get_timeouts(chip)) { -- dev_err(dev, "Could not get TPM timeouts and durations\n"); -- rc = -ENODEV; -- goto out_err; -- } -- -- if (tpm_do_selftest(chip)) { -- dev_err(dev, "TPM self test failed\n"); -- rc = -ENODEV; -- goto out_err; -- } -- - /* INTERRUPT Setup */ - init_waitqueue_head(&chip->vendor.read_queue); - init_waitqueue_head(&chip->vendor.int_queue); -@@ -719,6 +755,18 @@ static int tpm_tis_init(struct device *dev, resource_size_t start, - } - } - -+ if (tpm_get_timeouts(chip)) { -+ dev_err(dev, "Could not get TPM timeouts and durations\n"); -+ rc = -ENODEV; -+ goto out_err; -+ } -+ -+ if (tpm_do_selftest(chip)) { -+ dev_err(dev, "TPM self test failed\n"); -+ rc = -ENODEV; -+ goto out_err; -+ } -+ - INIT_LIST_HEAD(&chip->vendor.list); - mutex_lock(&tis_lock); - list_add(&chip->vendor.list, &tis_chips); -diff --git a/drivers/clocksource/mtk_timer.c b/drivers/clocksource/mtk_timer.c -index 32a3d25..68ab423 100644 ---- a/drivers/clocksource/mtk_timer.c -+++ b/drivers/clocksource/mtk_timer.c -@@ -224,6 +224,8 @@ static void __init mtk_timer_init(struct device_node *node) - } - rate = clk_get_rate(clk); - -+ mtk_timer_global_reset(evt); -+ - if (request_irq(evt->dev.irq, mtk_timer_interrupt, - IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) { - pr_warn("failed to setup irq %d\n", evt->dev.irq); -@@ -232,8 +234,6 @@ static void __init mtk_timer_init(struct device_node *node) - - evt->ticks_per_jiffy = DIV_ROUND_UP(rate, HZ); - -- mtk_timer_global_reset(evt); -- - /* Configure clock source */ - mtk_timer_setup(evt, GPT_CLK_SRC, TIMER_CTRL_OP_FREERUN); - clocksource_mmio_init(evt->gpt_base + TIMER_CNT_REG(GPT_CLK_SRC), -@@ -241,10 +241,11 @@ static void __init mtk_timer_init(struct device_node *node) - - /* Configure clock event */ - mtk_timer_setup(evt, GPT_CLK_EVT, TIMER_CTRL_OP_REPEAT); -- mtk_timer_enable_irq(evt, GPT_CLK_EVT); -- - clockevents_config_and_register(&evt->dev, rate, 0x3, - 0xffffffff); -+ -+ mtk_timer_enable_irq(evt, GPT_CLK_EVT); -+ - return; - - err_clk_disable: -diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index 46bed4f..7030c40 100644 ---- a/drivers/cpufreq/cpufreq.c -+++ b/drivers/cpufreq/cpufreq.c -@@ -1416,9 +1416,10 @@ static int __cpufreq_remove_dev_finish(struct device *dev, - unsigned long flags; - struct cpufreq_policy *policy; - -- read_lock_irqsave(&cpufreq_driver_lock, flags); -+ write_lock_irqsave(&cpufreq_driver_lock, flags); - policy = per_cpu(cpufreq_cpu_data, cpu); -- read_unlock_irqrestore(&cpufreq_driver_lock, flags); -+ per_cpu(cpufreq_cpu_data, cpu) = NULL; -+ write_unlock_irqrestore(&cpufreq_driver_lock, flags); - - if (!policy) { - pr_debug("%s: No cpu_data found\n", __func__); -@@ -1473,7 +1474,6 @@ static int __cpufreq_remove_dev_finish(struct device *dev, - } - } - -- per_cpu(cpufreq_cpu_data, cpu) = NULL; - return 0; - } - -diff --git a/drivers/cpufreq/s3c2416-cpufreq.c b/drivers/cpufreq/s3c2416-cpufreq.c -index 2fd53ea..d6d4257 100644 ---- a/drivers/cpufreq/s3c2416-cpufreq.c -+++ b/drivers/cpufreq/s3c2416-cpufreq.c -@@ -263,7 +263,7 @@ out: - } - - #ifdef CONFIG_ARM_S3C2416_CPUFREQ_VCORESCALE --static void __init s3c2416_cpufreq_cfg_regulator(struct s3c2416_data *s3c_freq) -+static void s3c2416_cpufreq_cfg_regulator(struct s3c2416_data *s3c_freq) - { - int count, v, i, found; - struct cpufreq_frequency_table *pos; -@@ -333,7 +333,7 @@ static struct notifier_block s3c2416_cpufreq_reboot_notifier = { - .notifier_call = s3c2416_cpufreq_reboot_notifier_evt, - }; - --static int __init s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy) -+static int s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy) - { - struct s3c2416_data *s3c_freq = &s3c2416_cpufreq; - struct cpufreq_frequency_table *pos; -diff --git a/drivers/cpufreq/s3c24xx-cpufreq.c b/drivers/cpufreq/s3c24xx-cpufreq.c -index d00f1ce..733aa51 100644 ---- a/drivers/cpufreq/s3c24xx-cpufreq.c -+++ b/drivers/cpufreq/s3c24xx-cpufreq.c -@@ -144,11 +144,6 @@ static void s3c_cpufreq_setfvco(struct s3c_cpufreq_config *cfg) - (cfg->info->set_fvco)(cfg); - } - --static inline void s3c_cpufreq_resume_clocks(void) --{ -- cpu_cur.info->resume_clocks(); --} -- - static inline void s3c_cpufreq_updateclk(struct clk *clk, - unsigned int freq) - { -@@ -417,9 +412,6 @@ static int s3c_cpufreq_resume(struct cpufreq_policy *policy) - - last_target = ~0; /* invalidate last_target setting */ - -- /* first, find out what speed we resumed at. */ -- s3c_cpufreq_resume_clocks(); -- - /* whilst we will be called later on, we try and re-set the - * cpu frequencies as soon as possible so that we do not end - * up resuming devices and then immediately having to re-set -@@ -454,7 +446,7 @@ static struct cpufreq_driver s3c24xx_driver = { - }; - - --int __init s3c_cpufreq_register(struct s3c_cpufreq_info *info) -+int s3c_cpufreq_register(struct s3c_cpufreq_info *info) - { - if (!info || !info->name) { - printk(KERN_ERR "%s: failed to pass valid information\n", -diff --git a/drivers/cpufreq/speedstep-lib.c b/drivers/cpufreq/speedstep-lib.c -index 7047821..4ab7a21 100644 ---- a/drivers/cpufreq/speedstep-lib.c -+++ b/drivers/cpufreq/speedstep-lib.c -@@ -400,6 +400,7 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor, - - pr_debug("previous speed is %u\n", prev_speed); - -+ preempt_disable(); - local_irq_save(flags); - - /* switch to low state */ -@@ -464,6 +465,8 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor, - - out: - local_irq_restore(flags); -+ preempt_enable(); -+ - return ret; - } - EXPORT_SYMBOL_GPL(speedstep_get_freqs); -diff --git a/drivers/cpufreq/speedstep-smi.c b/drivers/cpufreq/speedstep-smi.c -index 5fc96d5..819229e 100644 ---- a/drivers/cpufreq/speedstep-smi.c -+++ b/drivers/cpufreq/speedstep-smi.c -@@ -156,6 +156,7 @@ static void speedstep_set_state(unsigned int state) - return; - - /* Disable IRQs */ -+ preempt_disable(); - local_irq_save(flags); - - command = (smi_sig & 0xffffff00) | (smi_cmd & 0xff); -@@ -166,9 +167,19 @@ static void speedstep_set_state(unsigned int state) - - do { - if (retry) { -+ /* -+ * We need to enable interrupts, otherwise the blockage -+ * won't resolve. -+ * -+ * We disable preemption so that other processes don't -+ * run. If other processes were running, they could -+ * submit more DMA requests, making the blockage worse. -+ */ - pr_debug("retry %u, previous result %u, waiting...\n", - retry, result); -+ local_irq_enable(); - mdelay(retry * 50); -+ local_irq_disable(); - } - retry++; - __asm__ __volatile__( -@@ -185,6 +196,7 @@ static void speedstep_set_state(unsigned int state) - - /* enable IRQs */ - local_irq_restore(flags); -+ preempt_enable(); - - if (new_state == state) - pr_debug("change to %u MHz succeeded after %u tries " -diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c -index 17638d7..5907c17 100644 ---- a/drivers/edac/amd64_edac.c -+++ b/drivers/edac/amd64_edac.c -@@ -2174,14 +2174,20 @@ static void __log_bus_error(struct mem_ctl_info *mci, struct err_info *err, - - static inline void decode_bus_error(int node_id, struct mce *m) - { -- struct mem_ctl_info *mci = mcis[node_id]; -- struct amd64_pvt *pvt = mci->pvt_info; -+ struct mem_ctl_info *mci; -+ struct amd64_pvt *pvt; - u8 ecc_type = (m->status >> 45) & 0x3; - u8 xec = XEC(m->status, 0x1f); - u16 ec = EC(m->status); - u64 sys_addr; - struct err_info err; - -+ mci = edac_mc_find(node_id); -+ if (!mci) -+ return; -+ -+ pvt = mci->pvt_info; -+ - /* Bail out early if this was an 'observed' error */ - if (PP(ec) == NBSL_PP_OBS) - return; -diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c -index 63aa673..1acf57b 100644 ---- a/drivers/edac/sb_edac.c -+++ b/drivers/edac/sb_edac.c -@@ -2447,7 +2447,7 @@ static int sbridge_probe(struct pci_dev *pdev, const struct pci_device_id *id) - rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_ibridge_table); - type = IVY_BRIDGE; - break; -- case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA: -+ case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0: - rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_sbridge_table); - type = SANDY_BRIDGE; - break; -@@ -2460,8 +2460,11 @@ static int sbridge_probe(struct pci_dev *pdev, const struct pci_device_id *id) - type = BROADWELL; - break; - } -- if (unlikely(rc < 0)) -+ if (unlikely(rc < 0)) { -+ edac_dbg(0, "couldn't get all devices for 0x%x\n", pdev->device); - goto fail0; -+ } -+ - mc = 0; - - list_for_each_entry(sbridge_dev, &sbridge_edac_list, list) { -@@ -2474,7 +2477,7 @@ static int sbridge_probe(struct pci_dev *pdev, const struct pci_device_id *id) - goto fail1; - } - -- sbridge_printk(KERN_INFO, "Driver loaded.\n"); -+ sbridge_printk(KERN_INFO, "%s\n", SBRIDGE_REVISION); - - mutex_unlock(&sbridge_edac_lock); - return 0; -diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c -index 472fb5b..9cdbc0c 100644 ---- a/drivers/gpio/gpio-tps65912.c -+++ b/drivers/gpio/gpio-tps65912.c -@@ -26,9 +26,12 @@ struct tps65912_gpio_data { - struct gpio_chip gpio_chip; - }; - -+#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip) -+ - static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - int val; - - val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset); -@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) - static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, - int value) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - - if (value) - tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset, -@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, - static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, - int value) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - - /* Set the initial value */ - tps65912_gpio_set(gc, offset, value); -@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, - - static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset) - { -- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); -+ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); -+ struct tps65912 *tps65912 = tps65912_gpio->tps65912; - - return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset, - GPIO_CFG_MASK); -diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c -index 08261f2..26645a8 100644 ---- a/drivers/gpio/gpiolib-of.c -+++ b/drivers/gpio/gpiolib-of.c -@@ -46,12 +46,13 @@ static int of_gpiochip_find_and_xlate(struct gpio_chip *gc, void *data) - - ret = gc->of_xlate(gc, &gg_data->gpiospec, gg_data->flags); - if (ret < 0) { -- /* We've found the gpio chip, but the translation failed. -- * Return true to stop looking and return the translation -- * error via out_gpio -+ /* We've found a gpio chip, but the translation failed. -+ * Store translation error in out_gpio. -+ * Return false to keep looking, as more than one gpio chip -+ * could be registered per of-node. - */ - gg_data->out_gpio = ERR_PTR(ret); -- return true; -+ return false; - } - - gg_data->out_gpio = gpiochip_get_desc(gc, ret); -diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c -index d43e967..5e72fc2 100644 ---- a/drivers/hid/i2c-hid/i2c-hid.c -+++ b/drivers/hid/i2c-hid/i2c-hid.c -@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client) - static void i2c_hid_get_input(struct i2c_hid *ihid) - { - int ret, ret_size; -- int size = ihid->bufsize; -+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); -+ -+ if (size > ihid->bufsize) -+ size = ihid->bufsize; - - ret = i2c_master_recv(ihid->client, ihid->inbuf, size); - if (ret != size) { -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 40b35be..2f2f38f 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -560,7 +560,7 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect - if (test_bit(WriteMostly, &rdev->flags)) { - /* Don't balance among write-mostly, just - * use the first as a last resort */ -- if (best_disk < 0) { -+ if (best_dist_disk < 0) { - if (is_badblock(rdev, this_sector, sectors, - &first_bad, &bad_sectors)) { - if (first_bad < this_sector) -@@ -569,7 +569,8 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect - best_good_sectors = first_bad - this_sector; - } else - best_good_sectors = sectors; -- best_disk = disk; -+ best_dist_disk = disk; -+ best_pending_disk = disk; - } - continue; - } -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index b98765f..8577cc7 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -3102,7 +3102,8 @@ static void handle_stripe_dirtying(struct r5conf *conf, - * generate correct data from the parity. - */ - if (conf->max_degraded == 2 || -- (recovery_cp < MaxSector && sh->sector >= recovery_cp)) { -+ (recovery_cp < MaxSector && sh->sector >= recovery_cp && -+ s->failed == 0)) { - /* Calculate the real rcw later - for now make it - * look like rcw is cheaper - */ -diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c -index ce9ab44..acf0fc3 100644 ---- a/drivers/media/dvb-frontends/si2168.c -+++ b/drivers/media/dvb-frontends/si2168.c -@@ -635,6 +635,8 @@ static const struct dvb_frontend_ops si2168_ops = { - .delsys = {SYS_DVBT, SYS_DVBT2, SYS_DVBC_ANNEX_A}, - .info = { - .name = "Silicon Labs Si2168", -+ .symbol_rate_min = 1000000, -+ .symbol_rate_max = 7200000, - .caps = FE_CAN_FEC_1_2 | - FE_CAN_FEC_2_3 | - FE_CAN_FEC_3_4 | -diff --git a/drivers/media/platform/Kconfig b/drivers/media/platform/Kconfig -index 765bffb..6a1334b 100644 ---- a/drivers/media/platform/Kconfig -+++ b/drivers/media/platform/Kconfig -@@ -56,10 +56,8 @@ config VIDEO_VIU - - config VIDEO_TIMBERDALE - tristate "Support for timberdale Video In/LogiWIN" -- depends on VIDEO_V4L2 && I2C && DMADEVICES -- depends on MFD_TIMBERDALE || COMPILE_TEST -- select DMA_ENGINE -- select TIMB_DMA -+ depends on VIDEO_V4L2 && I2C -+ depends on (MFD_TIMBERDALE && TIMB_DMA) || COMPILE_TEST - select VIDEO_ADV7180 - select VIDEOBUF_DMA_CONTIG - ---help--- -diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c -index 86ffcd5..f8c5e47 100644 ---- a/drivers/media/rc/rc-main.c -+++ b/drivers/media/rc/rc-main.c -@@ -1021,16 +1021,16 @@ static ssize_t store_protocols(struct device *device, - goto out; - } - -- if (new_protocols == old_protocols) { -- rc = len; -- goto out; -+ if (new_protocols != old_protocols) { -+ *current_protocols = new_protocols; -+ IR_dprintk(1, "Protocols changed to 0x%llx\n", -+ (long long)new_protocols); - } - -- *current_protocols = new_protocols; -- IR_dprintk(1, "Protocols changed to 0x%llx\n", (long long)new_protocols); -- - /* -- * If the protocol is changed the filter needs updating. -+ * If a protocol change was attempted the filter may need updating, even -+ * if the actual protocol mask hasn't changed (since the driver may have -+ * cleared the filter). - * Try setting the same filter with the new protocol (if any). - * Fall back to clearing the filter. - */ -diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c -index 994de53..15db9f6 100644 ---- a/drivers/media/usb/dvb-usb-v2/lmedm04.c -+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c -@@ -344,15 +344,17 @@ static void lme2510_int_response(struct urb *lme_urb) - - usb_submit_urb(lme_urb, GFP_ATOMIC); - -- /* interrupt urb is due every 48 msecs while streaming -- * add 12msecs for system lag */ -- st->int_urb_due = jiffies + msecs_to_jiffies(60); -+ /* Interrupt urb is due every 48 msecs while streaming the buffer -+ * stores up to 4 periods if missed. Allow 200 msec for next interrupt. -+ */ -+ st->int_urb_due = jiffies + msecs_to_jiffies(200); - } - - static int lme2510_int_read(struct dvb_usb_adapter *adap) - { - struct dvb_usb_device *d = adap_to_d(adap); - struct lme2510_state *lme_int = adap_to_priv(adap); -+ struct usb_host_endpoint *ep; - - lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC); - -@@ -374,6 +376,12 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) - adap, - 8); - -+ /* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */ -+ ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); -+ -+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) -+ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), -+ - lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; - - usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC); -diff --git a/drivers/media/usb/em28xx/em28xx-audio.c b/drivers/media/usb/em28xx/em28xx-audio.c -index 44ae1e0..49a5f95 100644 ---- a/drivers/media/usb/em28xx/em28xx-audio.c -+++ b/drivers/media/usb/em28xx/em28xx-audio.c -@@ -820,7 +820,7 @@ static int em28xx_audio_urb_init(struct em28xx *dev) - if (urb_size > ep_size * npackets) - npackets = DIV_ROUND_UP(urb_size, ep_size); - -- em28xx_info("Number of URBs: %d, with %d packets and %d size", -+ em28xx_info("Number of URBs: %d, with %d packets and %d size\n", - num_urb, npackets, urb_size); - - /* Estimate the bytes per period */ -@@ -981,7 +981,7 @@ static int em28xx_audio_fini(struct em28xx *dev) - return 0; - } - -- em28xx_info("Closing audio extension"); -+ em28xx_info("Closing audio extension\n"); - - if (dev->adev.sndcard) { - snd_card_disconnect(dev->adev.sndcard); -@@ -1005,7 +1005,7 @@ static int em28xx_audio_suspend(struct em28xx *dev) - if (dev->usb_audio_type != EM28XX_USB_AUDIO_VENDOR) - return 0; - -- em28xx_info("Suspending audio extension"); -+ em28xx_info("Suspending audio extension\n"); - em28xx_deinit_isoc_audio(dev); - atomic_set(&dev->adev.stream_started, 0); - return 0; -@@ -1019,7 +1019,7 @@ static int em28xx_audio_resume(struct em28xx *dev) - if (dev->usb_audio_type != EM28XX_USB_AUDIO_VENDOR) - return 0; - -- em28xx_info("Resuming audio extension"); -+ em28xx_info("Resuming audio extension\n"); - /* Nothing to do other than schedule_work() ?? */ - schedule_work(&dev->adev.wq_trigger); - return 0; -diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c -index 86461a7..3745607 100644 ---- a/drivers/media/usb/em28xx/em28xx-core.c -+++ b/drivers/media/usb/em28xx/em28xx-core.c -@@ -1125,7 +1125,7 @@ int em28xx_suspend_extension(struct em28xx *dev) - { - const struct em28xx_ops *ops = NULL; - -- em28xx_info("Suspending extensions"); -+ em28xx_info("Suspending extensions\n"); - mutex_lock(&em28xx_devlist_mutex); - list_for_each_entry(ops, &em28xx_extension_devlist, next) { - if (ops->suspend) -@@ -1139,7 +1139,7 @@ int em28xx_resume_extension(struct em28xx *dev) - { - const struct em28xx_ops *ops = NULL; - -- em28xx_info("Resuming extensions"); -+ em28xx_info("Resuming extensions\n"); - mutex_lock(&em28xx_devlist_mutex); - list_for_each_entry(ops, &em28xx_extension_devlist, next) { - if (ops->resume) -diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c -index 9877b69..aee70d4 100644 ---- a/drivers/media/usb/em28xx/em28xx-dvb.c -+++ b/drivers/media/usb/em28xx/em28xx-dvb.c -@@ -1724,7 +1724,7 @@ static int em28xx_dvb_fini(struct em28xx *dev) - if (!dev->dvb) - return 0; - -- em28xx_info("Closing DVB extension"); -+ em28xx_info("Closing DVB extension\n"); - - dvb = dev->dvb; - client = dvb->i2c_client_tuner; -@@ -1775,17 +1775,17 @@ static int em28xx_dvb_suspend(struct em28xx *dev) - if (!dev->board.has_dvb) - return 0; - -- em28xx_info("Suspending DVB extension"); -+ em28xx_info("Suspending DVB extension\n"); - if (dev->dvb) { - struct em28xx_dvb *dvb = dev->dvb; - - if (dvb->fe[0]) { - ret = dvb_frontend_suspend(dvb->fe[0]); -- em28xx_info("fe0 suspend %d", ret); -+ em28xx_info("fe0 suspend %d\n", ret); - } - if (dvb->fe[1]) { - dvb_frontend_suspend(dvb->fe[1]); -- em28xx_info("fe1 suspend %d", ret); -+ em28xx_info("fe1 suspend %d\n", ret); - } - } - -@@ -1802,18 +1802,18 @@ static int em28xx_dvb_resume(struct em28xx *dev) - if (!dev->board.has_dvb) - return 0; - -- em28xx_info("Resuming DVB extension"); -+ em28xx_info("Resuming DVB extension\n"); - if (dev->dvb) { - struct em28xx_dvb *dvb = dev->dvb; - - if (dvb->fe[0]) { - ret = dvb_frontend_resume(dvb->fe[0]); -- em28xx_info("fe0 resume %d", ret); -+ em28xx_info("fe0 resume %d\n", ret); - } - - if (dvb->fe[1]) { - ret = dvb_frontend_resume(dvb->fe[1]); -- em28xx_info("fe1 resume %d", ret); -+ em28xx_info("fe1 resume %d\n", ret); - } - } - -diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c -index d8dc03a..4007356 100644 ---- a/drivers/media/usb/em28xx/em28xx-input.c -+++ b/drivers/media/usb/em28xx/em28xx-input.c -@@ -654,8 +654,6 @@ next_button: - if (dev->num_button_polling_addresses) { - memset(dev->button_polling_last_values, 0, - EM28XX_NUM_BUTTON_ADDRESSES_MAX); -- INIT_DELAYED_WORK(&dev->buttons_query_work, -- em28xx_query_buttons); - schedule_delayed_work(&dev->buttons_query_work, - msecs_to_jiffies(dev->button_polling_interval)); - } -@@ -689,6 +687,7 @@ static int em28xx_ir_init(struct em28xx *dev) - } - - kref_get(&dev->ref); -+ INIT_DELAYED_WORK(&dev->buttons_query_work, em28xx_query_buttons); - - if (dev->board.buttons) - em28xx_init_buttons(dev); -@@ -833,7 +832,7 @@ static int em28xx_ir_fini(struct em28xx *dev) - return 0; - } - -- em28xx_info("Closing input extension"); -+ em28xx_info("Closing input extension\n"); - - em28xx_shutdown_buttons(dev); - -@@ -862,7 +861,7 @@ static int em28xx_ir_suspend(struct em28xx *dev) - if (dev->is_audio_only) - return 0; - -- em28xx_info("Suspending input extension"); -+ em28xx_info("Suspending input extension\n"); - if (ir) - cancel_delayed_work_sync(&ir->work); - cancel_delayed_work_sync(&dev->buttons_query_work); -@@ -879,7 +878,7 @@ static int em28xx_ir_resume(struct em28xx *dev) - if (dev->is_audio_only) - return 0; - -- em28xx_info("Resuming input extension"); -+ em28xx_info("Resuming input extension\n"); - /* if suspend calls ir_raw_event_unregister(), the should call - ir_raw_event_register() */ - if (ir) -diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c -index cf7f58b..f220c1f37 100644 ---- a/drivers/media/usb/em28xx/em28xx-video.c -+++ b/drivers/media/usb/em28xx/em28xx-video.c -@@ -1958,7 +1958,7 @@ static int em28xx_v4l2_fini(struct em28xx *dev) - if (v4l2 == NULL) - return 0; - -- em28xx_info("Closing video extension"); -+ em28xx_info("Closing video extension\n"); - - mutex_lock(&dev->lock); - -@@ -2007,7 +2007,7 @@ static int em28xx_v4l2_suspend(struct em28xx *dev) - if (!dev->has_video) - return 0; - -- em28xx_info("Suspending video extension"); -+ em28xx_info("Suspending video extension\n"); - em28xx_stop_urbs(dev); - return 0; - } -@@ -2020,7 +2020,7 @@ static int em28xx_v4l2_resume(struct em28xx *dev) - if (!dev->has_video) - return 0; - -- em28xx_info("Resuming video extension"); -+ em28xx_info("Resuming video extension\n"); - /* what do we do here */ - return 0; - } -diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c -index 06ff0a2..f8fd503 100644 ---- a/drivers/misc/mei/hw-me.c -+++ b/drivers/misc/mei/hw-me.c -@@ -242,7 +242,7 @@ static int mei_me_hw_reset(struct mei_device *dev, bool intr_enable) - if ((hcsr & H_RST) == H_RST) { - dev_warn(dev->dev, "H_RST is set = 0x%08X", hcsr); - hcsr &= ~H_RST; -- mei_me_reg_write(hw, H_CSR, hcsr); -+ mei_hcsr_set(hw, hcsr); - hcsr = mei_hcsr_read(hw); - } - -@@ -335,6 +335,7 @@ static int mei_me_hw_ready_wait(struct mei_device *dev) - return -ETIME; - } - -+ mei_me_hw_reset_release(dev); - dev->recvd_hw_ready = false; - return 0; - } -@@ -731,9 +732,7 @@ irqreturn_t mei_me_irq_thread_handler(int irq, void *dev_id) - /* check if we need to start the dev */ - if (!mei_host_is_ready(dev)) { - if (mei_hw_is_ready(dev)) { -- mei_me_hw_reset_release(dev); - dev_dbg(dev->dev, "we need to start the dev.\n"); -- - dev->recvd_hw_ready = true; - wake_up(&dev->wait_hw_ready); - } else { -diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c -index ca3424e..e187f70 100644 ---- a/drivers/mmc/host/sdhci-pxav3.c -+++ b/drivers/mmc/host/sdhci-pxav3.c -@@ -118,6 +118,38 @@ static int mv_conf_mbus_windows(struct platform_device *pdev, - return 0; - } - -+static int armada_38x_quirks(struct platform_device *pdev, -+ struct sdhci_host *host) -+{ -+ struct device_node *np = pdev->dev.of_node; -+ -+ host->quirks |= SDHCI_QUIRK_MISSING_CAPS; -+ /* -+ * According to erratum 'FE-2946959' both SDR50 and DDR50 -+ * modes require specific clock adjustments in SDIO3 -+ * Configuration register, if the adjustment is not done, -+ * remove them from the capabilities. -+ */ -+ host->caps1 = sdhci_readl(host, SDHCI_CAPABILITIES_1); -+ host->caps1 &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50); -+ -+ /* -+ * According to erratum 'ERR-7878951' Armada 38x SDHCI -+ * controller has different capabilities than the ones shown -+ * in its registers -+ */ -+ host->caps = sdhci_readl(host, SDHCI_CAPABILITIES); -+ if (of_property_read_bool(np, "no-1-8-v")) { -+ host->caps &= ~SDHCI_CAN_VDD_180; -+ host->mmc->caps &= ~MMC_CAP_1_8V_DDR; -+ } else { -+ host->caps &= ~SDHCI_CAN_VDD_330; -+ } -+ host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_USE_SDR50_TUNING); -+ -+ return 0; -+} -+ - static void pxav3_reset(struct sdhci_host *host, u8 mask) - { - struct platform_device *pdev = to_platform_device(mmc_dev(host->mmc)); -@@ -268,8 +300,8 @@ static struct sdhci_pxa_platdata *pxav3_get_mmc_pdata(struct device *dev) - if (!pdata) - return NULL; - -- of_property_read_u32(np, "mrvl,clk-delay-cycles", &clk_delay_cycles); -- if (clk_delay_cycles > 0) -+ if (!of_property_read_u32(np, "mrvl,clk-delay-cycles", -+ &clk_delay_cycles)) - pdata->clk_delay_cycles = clk_delay_cycles; - - return pdata; -@@ -318,15 +350,18 @@ static int sdhci_pxav3_probe(struct platform_device *pdev) - if (!IS_ERR(pxa->clk_core)) - clk_prepare_enable(pxa->clk_core); - -+ /* enable 1/8V DDR capable */ -+ host->mmc->caps |= MMC_CAP_1_8V_DDR; -+ - if (of_device_is_compatible(np, "marvell,armada-380-sdhci")) { -+ ret = armada_38x_quirks(pdev, host); -+ if (ret < 0) -+ goto err_clk_get; - ret = mv_conf_mbus_windows(pdev, mv_mbus_dram_info()); - if (ret < 0) - goto err_mbus_win; - } - -- /* enable 1/8V DDR capable */ -- host->mmc->caps |= MMC_CAP_1_8V_DDR; -- - match = of_match_device(of_match_ptr(sdhci_pxav3_of_match), &pdev->dev); - if (match) { - ret = mmc_of_parse(host->mmc); -@@ -365,10 +400,11 @@ static int sdhci_pxav3_probe(struct platform_device *pdev) - } - } - -- pm_runtime_enable(&pdev->dev); -- pm_runtime_get_sync(&pdev->dev); -+ pm_runtime_get_noresume(&pdev->dev); -+ pm_runtime_set_active(&pdev->dev); - pm_runtime_set_autosuspend_delay(&pdev->dev, PXAV3_RPM_DELAY_MS); - pm_runtime_use_autosuspend(&pdev->dev); -+ pm_runtime_enable(&pdev->dev); - pm_suspend_ignore_children(&pdev->dev, 1); - - ret = sdhci_add_host(host); -@@ -391,8 +427,8 @@ static int sdhci_pxav3_probe(struct platform_device *pdev) - return 0; - - err_add_host: -- pm_runtime_put_sync(&pdev->dev); - pm_runtime_disable(&pdev->dev); -+ pm_runtime_put_noidle(&pdev->dev); - err_of_parse: - err_cd_req: - err_mbus_win: -@@ -457,11 +493,11 @@ static int sdhci_pxav3_runtime_suspend(struct device *dev) - struct sdhci_host *host = dev_get_drvdata(dev); - struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); - struct sdhci_pxa *pxa = pltfm_host->priv; -- unsigned long flags; -+ int ret; - -- spin_lock_irqsave(&host->lock, flags); -- host->runtime_suspended = true; -- spin_unlock_irqrestore(&host->lock, flags); -+ ret = sdhci_runtime_suspend_host(host); -+ if (ret) -+ return ret; - - clk_disable_unprepare(pxa->clk_io); - if (!IS_ERR(pxa->clk_core)) -@@ -475,17 +511,12 @@ static int sdhci_pxav3_runtime_resume(struct device *dev) - struct sdhci_host *host = dev_get_drvdata(dev); - struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); - struct sdhci_pxa *pxa = pltfm_host->priv; -- unsigned long flags; - - clk_prepare_enable(pxa->clk_io); - if (!IS_ERR(pxa->clk_core)) - clk_prepare_enable(pxa->clk_core); - -- spin_lock_irqsave(&host->lock, flags); -- host->runtime_suspended = false; -- spin_unlock_irqrestore(&host->lock, flags); -- -- return 0; -+ return sdhci_runtime_resume_host(host); - } - #endif - -diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -index 2091558..a704be0 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c -+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -@@ -707,9 +707,6 @@ static void iwl_mvm_cleanup_iterator(void *data, u8 *mac, - mvmvif->uploaded = false; - mvmvif->ap_sta_id = IWL_MVM_STATION_COUNT; - -- /* does this make sense at all? */ -- mvmvif->color++; -- - spin_lock_bh(&mvm->time_event_lock); - iwl_mvm_te_clear_data(mvm, &mvmvif->time_event_data); - spin_unlock_bh(&mvm->time_event_lock); -@@ -1146,7 +1143,7 @@ static int iwl_mvm_mac_add_interface(struct ieee80211_hw *hw, - - ret = iwl_mvm_power_update_mac(mvm); - if (ret) -- goto out_release; -+ goto out_remove_mac; - - /* beacon filtering */ - ret = iwl_mvm_disable_beacon_filter(mvm, vif, 0); -diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c -index c59d075..650a5f0 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/tx.c -+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c -@@ -930,6 +930,11 @@ int iwl_mvm_rx_ba_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb, - sta_id = ba_notif->sta_id; - tid = ba_notif->tid; - -+ if (WARN_ONCE(sta_id >= IWL_MVM_STATION_COUNT || -+ tid >= IWL_MAX_TID_COUNT, -+ "sta_id %d tid %d", sta_id, tid)) -+ return 0; -+ - rcu_read_lock(); - - sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]); -diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c -index 8a6c7a0..76709f9 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/tx.c -+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c -@@ -722,7 +722,12 @@ void iwl_trans_pcie_tx_reset(struct iwl_trans *trans) - iwl_write_direct32(trans, FH_KW_MEM_ADDR_REG, - trans_pcie->kw.dma >> 4); - -- iwl_pcie_tx_start(trans, trans_pcie->scd_base_addr); -+ /* -+ * Send 0 as the scd_base_addr since the device may have be reset -+ * while we were in WoWLAN in which case SCD_SRAM_BASE_ADDR will -+ * contain garbage. -+ */ -+ iwl_pcie_tx_start(trans, 0); - } - - /* -diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c -index c70efb9..e25faac 100644 ---- a/drivers/net/wireless/rtlwifi/pci.c -+++ b/drivers/net/wireless/rtlwifi/pci.c -@@ -816,11 +816,8 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) - - /* get a new skb - if fail, old one will be reused */ - new_skb = dev_alloc_skb(rtlpci->rxbuffersize); -- if (unlikely(!new_skb)) { -- pr_err("Allocation of new skb failed in %s\n", -- __func__); -+ if (unlikely(!new_skb)) - goto no_new; -- } - if (rtlpriv->use_new_trx_flow) { - buffer_desc = - &rtlpci->rx_ring[rxring_idx].buffer_desc -diff --git a/drivers/net/wireless/rtlwifi/pci.h b/drivers/net/wireless/rtlwifi/pci.h -index 5e83230..d4567d1 100644 ---- a/drivers/net/wireless/rtlwifi/pci.h -+++ b/drivers/net/wireless/rtlwifi/pci.h -@@ -325,4 +325,11 @@ static inline void pci_write32_async(struct rtl_priv *rtlpriv, - writel(val, (u8 __iomem *) rtlpriv->io.pci_mem_start + addr); - } - -+static inline u16 calc_fifo_space(u16 rp, u16 wp) -+{ -+ if (rp <= wp) -+ return RTL_PCI_MAX_RX_COUNT - 1 + rp - wp; -+ return rp - wp - 1; -+} -+ - #endif -diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c -index 45c128b..c5d4b80 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c -@@ -666,7 +666,6 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) - struct sk_buff *skb = NULL; - - u32 totalpacketlen; -- bool rtstatus; - u8 u1rsvdpageloc[5] = { 0 }; - bool b_dlok = false; - -@@ -728,10 +727,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) - memcpy((u8 *)skb_put(skb, totalpacketlen), - &reserved_page_packet, totalpacketlen); - -- rtstatus = rtl_cmd_send_packet(hw, skb); -- -- if (rtstatus) -- b_dlok = true; -+ b_dlok = true; - - if (b_dlok) { - RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD , -diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c b/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c -index 1a87edc..b461b31 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c -@@ -85,29 +85,6 @@ static void _rtl92ee_enable_bcn_sub_func(struct ieee80211_hw *hw) - _rtl92ee_set_bcn_ctrl_reg(hw, 0, BIT(1)); - } - --static void _rtl92ee_return_beacon_queue_skb(struct ieee80211_hw *hw) --{ -- struct rtl_priv *rtlpriv = rtl_priv(hw); -- struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); -- struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[BEACON_QUEUE]; -- unsigned long flags; -- -- spin_lock_irqsave(&rtlpriv->locks.irq_th_lock, flags); -- while (skb_queue_len(&ring->queue)) { -- struct rtl_tx_buffer_desc *entry = -- &ring->buffer_desc[ring->idx]; -- struct sk_buff *skb = __skb_dequeue(&ring->queue); -- -- pci_unmap_single(rtlpci->pdev, -- rtlpriv->cfg->ops->get_desc( -- (u8 *)entry, true, HW_DESC_TXBUFF_ADDR), -- skb->len, PCI_DMA_TODEVICE); -- kfree_skb(skb); -- ring->idx = (ring->idx + 1) % ring->entries; -- } -- spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags); --} -- - static void _rtl92ee_disable_bcn_sub_func(struct ieee80211_hw *hw) - { - _rtl92ee_set_bcn_ctrl_reg(hw, BIT(1), 0); -@@ -403,9 +380,6 @@ static void _rtl92ee_download_rsvd_page(struct ieee80211_hw *hw) - rtl_write_byte(rtlpriv, REG_DWBCN0_CTRL + 2, - bcnvalid_reg | BIT(0)); - -- /* Return Beacon TCB */ -- _rtl92ee_return_beacon_queue_skb(hw); -- - /* download rsvd page */ - rtl92ee_set_fw_rsvdpagepkt(hw, false); - -@@ -1163,6 +1137,139 @@ void rtl92ee_enable_hw_security_config(struct ieee80211_hw *hw) - rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_WPA_CONFIG, &sec_reg_value); - } - -+static bool _rtl8192ee_check_pcie_dma_hang(struct rtl_priv *rtlpriv) -+{ -+ u8 tmp; -+ -+ /* write reg 0x350 Bit[26]=1. Enable debug port. */ -+ tmp = rtl_read_byte(rtlpriv, REG_BACKDOOR_DBI_DATA + 3); -+ if (!(tmp & BIT(2))) { -+ rtl_write_byte(rtlpriv, REG_BACKDOOR_DBI_DATA + 3, -+ tmp | BIT(2)); -+ mdelay(100); /* Suggested by DD Justin_tsai. */ -+ } -+ -+ /* read reg 0x350 Bit[25] if 1 : RX hang -+ * read reg 0x350 Bit[24] if 1 : TX hang -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_BACKDOOR_DBI_DATA + 3); -+ if ((tmp & BIT(0)) || (tmp & BIT(1))) { -+ RT_TRACE(rtlpriv, COMP_INIT, DBG_LOUD, -+ "CheckPcieDMAHang8192EE(): true!!\n"); -+ return true; -+ } -+ return false; -+} -+ -+static void _rtl8192ee_reset_pcie_interface_dma(struct rtl_priv *rtlpriv, -+ bool mac_power_on) -+{ -+ u8 tmp; -+ bool release_mac_rx_pause; -+ u8 backup_pcie_dma_pause; -+ -+ RT_TRACE(rtlpriv, COMP_INIT, DBG_LOUD, -+ "ResetPcieInterfaceDMA8192EE()\n"); -+ -+ /* Revise Note: Follow the document "PCIe RX DMA Hang Reset Flow_v03" -+ * released by SD1 Alan. -+ */ -+ -+ /* 1. disable register write lock -+ * write 0x1C bit[1:0] = 2'h0 -+ * write 0xCC bit[2] = 1'b1 -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_RSV_CTRL); -+ tmp &= ~(BIT(1) | BIT(0)); -+ rtl_write_byte(rtlpriv, REG_RSV_CTRL, tmp); -+ tmp = rtl_read_byte(rtlpriv, REG_PMC_DBG_CTRL2); -+ tmp |= BIT(2); -+ rtl_write_byte(rtlpriv, REG_PMC_DBG_CTRL2, tmp); -+ -+ /* 2. Check and pause TRX DMA -+ * write 0x284 bit[18] = 1'b1 -+ * write 0x301 = 0xFF -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_RXDMA_CONTROL); -+ if (tmp & BIT(2)) { -+ /* Already pause before the function for another reason. */ -+ release_mac_rx_pause = false; -+ } else { -+ rtl_write_byte(rtlpriv, REG_RXDMA_CONTROL, (tmp | BIT(2))); -+ release_mac_rx_pause = true; -+ } -+ -+ backup_pcie_dma_pause = rtl_read_byte(rtlpriv, REG_PCIE_CTRL_REG + 1); -+ if (backup_pcie_dma_pause != 0xFF) -+ rtl_write_byte(rtlpriv, REG_PCIE_CTRL_REG + 1, 0xFF); -+ -+ if (mac_power_on) { -+ /* 3. reset TRX function -+ * write 0x100 = 0x00 -+ */ -+ rtl_write_byte(rtlpriv, REG_CR, 0); -+ } -+ -+ /* 4. Reset PCIe DMA -+ * write 0x003 bit[0] = 0 -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_SYS_FUNC_EN + 1); -+ tmp &= ~(BIT(0)); -+ rtl_write_byte(rtlpriv, REG_SYS_FUNC_EN + 1, tmp); -+ -+ /* 5. Enable PCIe DMA -+ * write 0x003 bit[0] = 1 -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_SYS_FUNC_EN + 1); -+ tmp |= BIT(0); -+ rtl_write_byte(rtlpriv, REG_SYS_FUNC_EN + 1, tmp); -+ -+ if (mac_power_on) { -+ /* 6. enable TRX function -+ * write 0x100 = 0xFF -+ */ -+ rtl_write_byte(rtlpriv, REG_CR, 0xFF); -+ -+ /* We should init LLT & RQPN and -+ * prepare Tx/Rx descrptor address later -+ * because MAC function is reset. -+ */ -+ } -+ -+ /* 7. Restore PCIe autoload down bit -+ * write 0xF8 bit[17] = 1'b1 -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_MAC_PHY_CTRL_NORMAL + 2); -+ tmp |= BIT(1); -+ rtl_write_byte(rtlpriv, REG_MAC_PHY_CTRL_NORMAL + 2, tmp); -+ -+ /* In MAC power on state, BB and RF maybe in ON state, -+ * if we release TRx DMA here -+ * it will cause packets to be started to Tx/Rx, -+ * so we release Tx/Rx DMA later. -+ */ -+ if (!mac_power_on) { -+ /* 8. release TRX DMA -+ * write 0x284 bit[18] = 1'b0 -+ * write 0x301 = 0x00 -+ */ -+ if (release_mac_rx_pause) { -+ tmp = rtl_read_byte(rtlpriv, REG_RXDMA_CONTROL); -+ rtl_write_byte(rtlpriv, REG_RXDMA_CONTROL, -+ (tmp & (~BIT(2)))); -+ } -+ rtl_write_byte(rtlpriv, REG_PCIE_CTRL_REG + 1, -+ backup_pcie_dma_pause); -+ } -+ -+ /* 9. lock system register -+ * write 0xCC bit[2] = 1'b0 -+ */ -+ tmp = rtl_read_byte(rtlpriv, REG_PMC_DBG_CTRL2); -+ tmp &= ~(BIT(2)); -+ rtl_write_byte(rtlpriv, REG_PMC_DBG_CTRL2, tmp); -+} -+ - int rtl92ee_hw_init(struct ieee80211_hw *hw) - { - struct rtl_priv *rtlpriv = rtl_priv(hw); -@@ -1188,6 +1295,13 @@ int rtl92ee_hw_init(struct ieee80211_hw *hw) - rtlhal->fw_ps_state = FW_PS_STATE_ALL_ON_92E; - } - -+ if (_rtl8192ee_check_pcie_dma_hang(rtlpriv)) { -+ RT_TRACE(rtlpriv, COMP_INIT, DBG_DMESG, "92ee dma hang!\n"); -+ _rtl8192ee_reset_pcie_interface_dma(rtlpriv, -+ rtlhal->mac_func_enable); -+ rtlhal->mac_func_enable = false; -+ } -+ - rtstatus = _rtl92ee_init_mac(hw); - - rtl_write_byte(rtlpriv, 0x577, 0x03); -diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/reg.h b/drivers/net/wireless/rtlwifi/rtl8192ee/reg.h -index 3f2a959..1eaa1fa 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192ee/reg.h -+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/reg.h -@@ -77,9 +77,11 @@ - #define REG_HIMRE 0x00B8 - #define REG_HISRE 0x00BC - -+#define REG_PMC_DBG_CTRL2 0x00CC - #define REG_EFUSE_ACCESS 0x00CF - #define REG_HPON_FSM 0x00EC - #define REG_SYS_CFG1 0x00F0 -+#define REG_MAC_PHY_CTRL_NORMAL 0x00F8 - #define REG_SYS_CFG2 0x00FC - - #define REG_CR 0x0100 -diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c -index 2fcbef1..0069004 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c -@@ -512,6 +512,10 @@ bool rtl92ee_rx_query_desc(struct ieee80211_hw *hw, - struct ieee80211_hdr *hdr; - u32 phystatus = GET_RX_DESC_PHYST(pdesc); - -+ if (GET_RX_STATUS_DESC_RPT_SEL(pdesc) == 0) -+ status->packet_report_type = NORMAL_RX; -+ else -+ status->packet_report_type = C2H_PACKET; - status->length = (u16)GET_RX_DESC_PKT_LEN(pdesc); - status->rx_drvinfo_size = (u8)GET_RX_DESC_DRV_INFO_SIZE(pdesc) * - RX_DRV_INFO_SIZE_UNIT; -@@ -654,14 +658,7 @@ u16 rtl92ee_rx_desc_buff_remained_cnt(struct ieee80211_hw *hw, u8 queue_index) - if (!start_rx) - return 0; - -- if ((last_read_point > (RX_DESC_NUM_92E / 2)) && -- (read_point <= (RX_DESC_NUM_92E / 2))) { -- remind_cnt = RX_DESC_NUM_92E - write_point; -- } else { -- remind_cnt = (read_point >= write_point) ? -- (read_point - write_point) : -- (RX_DESC_NUM_92E - write_point + read_point); -- } -+ remind_cnt = calc_fifo_space(read_point, write_point); - - if (remind_cnt == 0) - return 0; -@@ -1207,8 +1204,7 @@ bool rtl92ee_is_tx_desc_closed(struct ieee80211_hw *hw, u8 hw_queue, u16 index) - static u8 stop_report_cnt; - struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue]; - -- /*checking Read/Write Point each interrupt wastes CPU */ -- if (stop_report_cnt > 15 || !rtlpriv->link_info.busytraffic) { -+ { - u16 point_diff = 0; - u16 cur_tx_rp, cur_tx_wp; - u32 tmpu32 = 0; -diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.h b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.h -index 6f9be1c..8effef9 100644 ---- a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.h -+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.h -@@ -542,6 +542,8 @@ - LE_BITS_TO_4BYTE(__pdesc+8, 12, 4) - #define GET_RX_DESC_RX_IS_QOS(__pdesc) \ - LE_BITS_TO_4BYTE(__pdesc+8, 16, 1) -+#define GET_RX_STATUS_DESC_RPT_SEL(__pdesc) \ -+ LE_BITS_TO_4BYTE(__pdesc+8, 28, 1) - - #define GET_RX_DESC_RXMCS(__pdesc) \ - LE_BITS_TO_4BYTE(__pdesc+12, 0, 7) -diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c -index 887e6bd..09a66ba 100644 ---- a/drivers/pci/pci-driver.c -+++ b/drivers/pci/pci-driver.c -@@ -1383,7 +1383,7 @@ static int pci_uevent(struct device *dev, struct kobj_uevent_env *env) - if (add_uevent_var(env, "PCI_SLOT_NAME=%s", pci_name(pdev))) - return -ENOMEM; - -- if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x", -+ if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X", - pdev->vendor, pdev->device, - pdev->subsystem_vendor, pdev->subsystem_device, - (u8)(pdev->class >> 16), (u8)(pdev->class >> 8), -diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c -index f955edb..eb0ad53 100644 ---- a/drivers/pci/rom.c -+++ b/drivers/pci/rom.c -@@ -71,6 +71,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) - { - void __iomem *image; - int last_image; -+ unsigned length; - - image = rom; - do { -@@ -93,9 +94,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) - if (readb(pds + 3) != 'R') - break; - last_image = readb(pds + 21) & 0x80; -- /* this length is reliable */ -- image += readw(pds + 16) * 512; -- } while (!last_image); -+ length = readw(pds + 16); -+ image += length * 512; -+ } while (length && !last_image); - - /* never return a size larger than the PCI resource window */ - /* there are known ROMs that get the size wrong */ -diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c -index ff765d8..ce364a4 100644 ---- a/drivers/platform/x86/samsung-laptop.c -+++ b/drivers/platform/x86/samsung-laptop.c -@@ -353,6 +353,7 @@ struct samsung_quirks { - bool broken_acpi_video; - bool four_kbd_backlight_levels; - bool enable_kbd_backlight; -+ bool use_native_backlight; - }; - - static struct samsung_quirks samsung_unknown = {}; -@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_broken_acpi_video = { - .broken_acpi_video = true, - }; - -+static struct samsung_quirks samsung_use_native_backlight = { -+ .use_native_backlight = true, -+}; -+ - static struct samsung_quirks samsung_np740u3e = { - .four_kbd_backlight_levels = true, - .enable_kbd_backlight = true, -@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "N150P"), - DMI_MATCH(DMI_BOARD_NAME, "N150P"), - }, -- .driver_data = &samsung_broken_acpi_video, -+ .driver_data = &samsung_use_native_backlight, - }, - { - .callback = samsung_dmi_matched, -@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"), - DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"), - }, -- .driver_data = &samsung_broken_acpi_video, -+ .driver_data = &samsung_use_native_backlight, - }, - { - .callback = samsung_dmi_matched, -@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "N250P"), - DMI_MATCH(DMI_BOARD_NAME, "N250P"), - }, -- .driver_data = &samsung_broken_acpi_video, -+ .driver_data = &samsung_use_native_backlight, - }, - { - .callback = samsung_dmi_matched, -@@ -1616,6 +1621,15 @@ static int __init samsung_init(void) - pr_info("Disabling ACPI video driver\n"); - acpi_video_unregister(); - } -+ -+ if (samsung->quirks->use_native_backlight) { -+ pr_info("Using native backlight driver\n"); -+ /* Tell acpi-video to not handle the backlight */ -+ acpi_video_dmi_promote_vendor(); -+ acpi_video_unregister(); -+ /* And also do not handle it ourselves */ -+ samsung->handle_backlight = false; -+ } - #endif - - ret = samsung_platform_init(samsung); -diff --git a/drivers/power/88pm860x_charger.c b/drivers/power/88pm860x_charger.c -index 650930e..734ec4a 100644 ---- a/drivers/power/88pm860x_charger.c -+++ b/drivers/power/88pm860x_charger.c -@@ -711,6 +711,7 @@ static int pm860x_charger_probe(struct platform_device *pdev) - return 0; - - out_irq: -+ power_supply_unregister(&info->usb); - while (--i >= 0) - free_irq(info->irq[i], info); - out: -diff --git a/drivers/power/bq24190_charger.c b/drivers/power/bq24190_charger.c -index ad3ff8f..e4c95e1 100644 ---- a/drivers/power/bq24190_charger.c -+++ b/drivers/power/bq24190_charger.c -@@ -929,7 +929,7 @@ static void bq24190_charger_init(struct power_supply *charger) - charger->properties = bq24190_charger_properties; - charger->num_properties = ARRAY_SIZE(bq24190_charger_properties); - charger->supplied_to = bq24190_charger_supplied_to; -- charger->num_supplies = ARRAY_SIZE(bq24190_charger_supplied_to); -+ charger->num_supplicants = ARRAY_SIZE(bq24190_charger_supplied_to); - charger->get_property = bq24190_charger_get_property; - charger->set_property = bq24190_charger_set_property; - charger->property_is_writeable = bq24190_charger_property_is_writeable; -diff --git a/drivers/power/gpio-charger.c b/drivers/power/gpio-charger.c -index aef74bd..b7424c8 100644 ---- a/drivers/power/gpio-charger.c -+++ b/drivers/power/gpio-charger.c -@@ -229,7 +229,7 @@ static int gpio_charger_suspend(struct device *dev) - - if (device_may_wakeup(dev)) - gpio_charger->wakeup_enabled = -- enable_irq_wake(gpio_charger->irq); -+ !enable_irq_wake(gpio_charger->irq); - - return 0; - } -@@ -239,7 +239,7 @@ static int gpio_charger_resume(struct device *dev) - struct platform_device *pdev = to_platform_device(dev); - struct gpio_charger *gpio_charger = platform_get_drvdata(pdev); - -- if (gpio_charger->wakeup_enabled) -+ if (device_may_wakeup(dev) && gpio_charger->wakeup_enabled) - disable_irq_wake(gpio_charger->irq); - power_supply_changed(&gpio_charger->charger); - -diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c -index ff283d2..d63f041 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -1689,22 +1689,66 @@ static int megasas_slave_alloc(struct scsi_device *sdev) - return 0; - } - -+/* -+* megasas_complete_outstanding_ioctls - Complete outstanding ioctls after a -+* kill adapter -+* @instance: Adapter soft state -+* -+*/ -+void megasas_complete_outstanding_ioctls(struct megasas_instance *instance) -+{ -+ int i; -+ struct megasas_cmd *cmd_mfi; -+ struct megasas_cmd_fusion *cmd_fusion; -+ struct fusion_context *fusion = instance->ctrl_context; -+ -+ /* Find all outstanding ioctls */ -+ if (fusion) { -+ for (i = 0; i < instance->max_fw_cmds; i++) { -+ cmd_fusion = fusion->cmd_list[i]; -+ if (cmd_fusion->sync_cmd_idx != (u32)ULONG_MAX) { -+ cmd_mfi = instance->cmd_list[cmd_fusion->sync_cmd_idx]; -+ if (cmd_mfi->sync_cmd && -+ cmd_mfi->frame->hdr.cmd != MFI_CMD_ABORT) -+ megasas_complete_cmd(instance, -+ cmd_mfi, DID_OK); -+ } -+ } -+ } else { -+ for (i = 0; i < instance->max_fw_cmds; i++) { -+ cmd_mfi = instance->cmd_list[i]; -+ if (cmd_mfi->sync_cmd && cmd_mfi->frame->hdr.cmd != -+ MFI_CMD_ABORT) -+ megasas_complete_cmd(instance, cmd_mfi, DID_OK); -+ } -+ } -+} -+ -+ - void megaraid_sas_kill_hba(struct megasas_instance *instance) - { -+ /* Set critical error to block I/O & ioctls in case caller didn't */ -+ instance->adprecovery = MEGASAS_HW_CRITICAL_ERROR; -+ /* Wait 1 second to ensure IO or ioctls in build have posted */ -+ msleep(1000); - if ((instance->pdev->device == PCI_DEVICE_ID_LSI_SAS0073SKINNY) || -- (instance->pdev->device == PCI_DEVICE_ID_LSI_SAS0071SKINNY) || -- (instance->pdev->device == PCI_DEVICE_ID_LSI_FUSION) || -- (instance->pdev->device == PCI_DEVICE_ID_LSI_PLASMA) || -- (instance->pdev->device == PCI_DEVICE_ID_LSI_INVADER) || -- (instance->pdev->device == PCI_DEVICE_ID_LSI_FURY)) { -- writel(MFI_STOP_ADP, &instance->reg_set->doorbell); -+ (instance->pdev->device == PCI_DEVICE_ID_LSI_SAS0071SKINNY) || -+ (instance->pdev->device == PCI_DEVICE_ID_LSI_FUSION) || -+ (instance->pdev->device == PCI_DEVICE_ID_LSI_PLASMA) || -+ (instance->pdev->device == PCI_DEVICE_ID_LSI_INVADER) || -+ (instance->pdev->device == PCI_DEVICE_ID_LSI_FURY)) { -+ writel(MFI_STOP_ADP, -+ &instance->reg_set->doorbell); - /* Flush */ - readl(&instance->reg_set->doorbell); - if (instance->mpio && instance->requestorId) - memset(instance->ld_ids, 0xff, MEGASAS_MAX_LD_IDS); - } else { -- writel(MFI_STOP_ADP, &instance->reg_set->inbound_doorbell); -+ writel(MFI_STOP_ADP, -+ &instance->reg_set->inbound_doorbell); - } -+ /* Complete outstanding ioctls when adapter is killed */ -+ megasas_complete_outstanding_ioctls(instance); - } - - /** -@@ -3028,10 +3072,9 @@ megasas_issue_pending_cmds_again(struct megasas_instance *instance) - "was tried multiple times during reset." - "Shutting down the HBA\n", - cmd, cmd->scmd, cmd->sync_cmd); -+ instance->instancet->disable_intr(instance); -+ atomic_set(&instance->fw_reset_no_pci_access, 1); - megaraid_sas_kill_hba(instance); -- -- instance->adprecovery = -- MEGASAS_HW_CRITICAL_ERROR; - return; - } - } -@@ -3165,8 +3208,8 @@ process_fw_state_change_wq(struct work_struct *work) - if (megasas_transition_to_ready(instance, 1)) { - printk(KERN_NOTICE "megaraid_sas:adapter not ready\n"); - -+ atomic_set(&instance->fw_reset_no_pci_access, 1); - megaraid_sas_kill_hba(instance); -- instance->adprecovery = MEGASAS_HW_CRITICAL_ERROR; - return ; - } - -@@ -3547,7 +3590,6 @@ static int megasas_create_frame_pool(struct megasas_instance *instance) - int i; - u32 max_cmd; - u32 sge_sz; -- u32 sgl_sz; - u32 total_sz; - u32 frame_count; - struct megasas_cmd *cmd; -@@ -3566,24 +3608,23 @@ static int megasas_create_frame_pool(struct megasas_instance *instance) - } - - /* -- * Calculated the number of 64byte frames required for SGL -- */ -- sgl_sz = sge_sz * instance->max_num_sge; -- frame_count = (sgl_sz + MEGAMFI_FRAME_SIZE - 1) / MEGAMFI_FRAME_SIZE; -- frame_count = 15; -- -- /* -- * We need one extra frame for the MFI command -+ * For MFI controllers. -+ * max_num_sge = 60 -+ * max_sge_sz = 16 byte (sizeof megasas_sge_skinny) -+ * Total 960 byte (15 MFI frame of 64 byte) -+ * -+ * Fusion adapter require only 3 extra frame. -+ * max_num_sge = 16 (defined as MAX_IOCTL_SGE) -+ * max_sge_sz = 12 byte (sizeof megasas_sge64) -+ * Total 192 byte (3 MFI frame of 64 byte) - */ -- frame_count++; -- -+ frame_count = instance->ctrl_context ? (3 + 1) : (15 + 1); - total_sz = MEGAMFI_FRAME_SIZE * frame_count; - /* - * Use DMA pool facility provided by PCI layer - */ - instance->frame_dma_pool = pci_pool_create("megasas frame pool", -- instance->pdev, total_sz, 64, -- 0); -+ instance->pdev, total_sz, 256, 0); - - if (!instance->frame_dma_pool) { - printk(KERN_DEBUG "megasas: failed to setup frame pool\n"); -diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c -index 460c6a3..4f72287 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_fp.c -+++ b/drivers/scsi/megaraid/megaraid_sas_fp.c -@@ -172,6 +172,7 @@ void MR_PopulateDrvRaidMap(struct megasas_instance *instance) - struct MR_FW_RAID_MAP_ALL *fw_map_old = NULL; - struct MR_FW_RAID_MAP *pFwRaidMap = NULL; - int i; -+ u16 ld_count; - - - struct MR_DRV_RAID_MAP_ALL *drv_map = -@@ -191,9 +192,10 @@ void MR_PopulateDrvRaidMap(struct megasas_instance *instance) - fw_map_old = (struct MR_FW_RAID_MAP_ALL *) - fusion->ld_map[(instance->map_id & 1)]; - pFwRaidMap = &fw_map_old->raidMap; -+ ld_count = (u16)le32_to_cpu(pFwRaidMap->ldCount); - - #if VD_EXT_DEBUG -- for (i = 0; i < le16_to_cpu(pFwRaidMap->ldCount); i++) { -+ for (i = 0; i < ld_count; i++) { - dev_dbg(&instance->pdev->dev, "(%d) :Index 0x%x " - "Target Id 0x%x Seq Num 0x%x Size 0/%llx\n", - instance->unique_id, i, -@@ -205,12 +207,15 @@ void MR_PopulateDrvRaidMap(struct megasas_instance *instance) - - memset(drv_map, 0, fusion->drv_map_sz); - pDrvRaidMap->totalSize = pFwRaidMap->totalSize; -- pDrvRaidMap->ldCount = (__le16)pFwRaidMap->ldCount; -+ pDrvRaidMap->ldCount = (__le16)cpu_to_le16(ld_count); - pDrvRaidMap->fpPdIoTimeoutSec = pFwRaidMap->fpPdIoTimeoutSec; - for (i = 0; i < MAX_RAIDMAP_LOGICAL_DRIVES + MAX_RAIDMAP_VIEWS; i++) - pDrvRaidMap->ldTgtIdToLd[i] = - (u8)pFwRaidMap->ldTgtIdToLd[i]; -- for (i = 0; i < le16_to_cpu(pDrvRaidMap->ldCount); i++) { -+ for (i = (MAX_RAIDMAP_LOGICAL_DRIVES + MAX_RAIDMAP_VIEWS); -+ i < MAX_LOGICAL_DRIVES_EXT; i++) -+ pDrvRaidMap->ldTgtIdToLd[i] = 0xff; -+ for (i = 0; i < ld_count; i++) { - pDrvRaidMap->ldSpanMap[i] = pFwRaidMap->ldSpanMap[i]; - #if VD_EXT_DEBUG - dev_dbg(&instance->pdev->dev, -@@ -252,7 +257,7 @@ u8 MR_ValidateMapInfo(struct megasas_instance *instance) - struct LD_LOAD_BALANCE_INFO *lbInfo; - PLD_SPAN_INFO ldSpanInfo; - struct MR_LD_RAID *raid; -- int ldCount, num_lds; -+ u16 ldCount, num_lds; - u16 ld; - u32 expected_size; - -@@ -356,7 +361,7 @@ static int getSpanInfo(struct MR_DRV_RAID_MAP_ALL *map, - - for (ldCount = 0; ldCount < MAX_LOGICAL_DRIVES_EXT; ldCount++) { - ld = MR_TargetIdToLdGet(ldCount, map); -- if (ld >= MAX_LOGICAL_DRIVES_EXT) -+ if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1)) - continue; - raid = MR_LdRaidGet(ld, map); - dev_dbg(&instance->pdev->dev, "LD %x: span_depth=%x\n", -@@ -1157,7 +1162,7 @@ void mr_update_span_set(struct MR_DRV_RAID_MAP_ALL *map, - - for (ldCount = 0; ldCount < MAX_LOGICAL_DRIVES_EXT; ldCount++) { - ld = MR_TargetIdToLdGet(ldCount, map); -- if (ld >= MAX_LOGICAL_DRIVES_EXT) -+ if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1)) - continue; - raid = MR_LdRaidGet(ld, map); - for (element = 0; element < MAX_QUAD_DEPTH; element++) { -diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c -index 71557f6..0764d20 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_fusion.c -+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c -@@ -103,6 +103,8 @@ megasas_enable_intr_fusion(struct megasas_instance *instance) - { - struct megasas_register_set __iomem *regs; - regs = instance->reg_set; -+ -+ instance->mask_interrupts = 0; - /* For Thunderbolt/Invader also clear intr on enable */ - writel(~0, ®s->outbound_intr_status); - readl(®s->outbound_intr_status); -@@ -111,7 +113,6 @@ megasas_enable_intr_fusion(struct megasas_instance *instance) - - /* Dummy readl to force pci flush */ - readl(®s->outbound_intr_mask); -- instance->mask_interrupts = 0; - } - - /** -@@ -698,12 +699,11 @@ megasas_ioc_init_fusion(struct megasas_instance *instance) - cpu_to_le32(lower_32_bits(ioc_init_handle)); - init_frame->data_xfer_len = cpu_to_le32(sizeof(struct MPI2_IOC_INIT_REQUEST)); - -- req_desc.Words = 0; -+ req_desc.u.low = cpu_to_le32(lower_32_bits(cmd->frame_phys_addr)); -+ req_desc.u.high = cpu_to_le32(upper_32_bits(cmd->frame_phys_addr)); - req_desc.MFAIo.RequestFlags = - (MEGASAS_REQ_DESCRIPT_FLAGS_MFA << -- MEGASAS_REQ_DESCRIPT_FLAGS_TYPE_SHIFT); -- cpu_to_le32s((u32 *)&req_desc.MFAIo); -- req_desc.Words |= cpu_to_le64(cmd->frame_phys_addr); -+ MEGASAS_REQ_DESCRIPT_FLAGS_TYPE_SHIFT); - - /* - * disable the intr before firing the init frame -@@ -1717,9 +1717,19 @@ megasas_build_dcdb_fusion(struct megasas_instance *instance, - if (scmd->device->channel < MEGASAS_MAX_PD_CHANNELS) - goto NonFastPath; - -+ /* -+ * For older firmware, Driver should not access ldTgtIdToLd -+ * beyond index 127 and for Extended VD firmware, ldTgtIdToLd -+ * should not go beyond 255. -+ */ -+ -+ if ((!fusion->fast_path_io) || -+ (device_id >= instance->fw_supported_vd_count)) -+ goto NonFastPath; -+ - ld = MR_TargetIdToLdGet(device_id, local_map_ptr); -- if ((ld >= instance->fw_supported_vd_count) || -- (!fusion->fast_path_io)) -+ -+ if (ld >= instance->fw_supported_vd_count) - goto NonFastPath; - - raid = MR_LdRaidGet(ld, local_map_ptr); -@@ -2612,7 +2622,6 @@ int megasas_reset_fusion(struct Scsi_Host *shost, int iotimeout) - instance->host->host_no); - megaraid_sas_kill_hba(instance); - instance->skip_heartbeat_timer_del = 1; -- instance->adprecovery = MEGASAS_HW_CRITICAL_ERROR; - retval = FAILED; - goto out; - } -@@ -2808,8 +2817,6 @@ int megasas_reset_fusion(struct Scsi_Host *shost, int iotimeout) - dev_info(&instance->pdev->dev, - "Failed from %s %d\n", - __func__, __LINE__); -- instance->adprecovery = -- MEGASAS_HW_CRITICAL_ERROR; - megaraid_sas_kill_hba(instance); - retval = FAILED; - } -@@ -2858,7 +2865,6 @@ int megasas_reset_fusion(struct Scsi_Host *shost, int iotimeout) - "adapter scsi%d.\n", instance->host->host_no); - megaraid_sas_kill_hba(instance); - instance->skip_heartbeat_timer_del = 1; -- instance->adprecovery = MEGASAS_HW_CRITICAL_ERROR; - retval = FAILED; - } else { - /* For VF: Restart HB timer if we didn't OCR */ -diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.h b/drivers/scsi/megaraid/megaraid_sas_fusion.h -index 5ab7dae..56e6db2 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_fusion.h -+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h -@@ -306,14 +306,9 @@ struct MPI2_RAID_SCSI_IO_REQUEST { - * MPT RAID MFA IO Descriptor. - */ - struct MEGASAS_RAID_MFA_IO_REQUEST_DESCRIPTOR { --#if defined(__BIG_ENDIAN_BITFIELD) -- u32 MessageAddress1:24; /* bits 31:8*/ -- u32 RequestFlags:8; --#else - u32 RequestFlags:8; -- u32 MessageAddress1:24; /* bits 31:8*/ --#endif -- u32 MessageAddress2; /* bits 61:32 */ -+ u32 MessageAddress1:24; -+ u32 MessageAddress2; - }; - - /* Default Request Descriptor */ -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index b14f64c..763bffe 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1350,6 +1350,17 @@ sg_rq_end_io(struct request *rq, int uptodate) - } - /* Rely on write phase to clean out srp status values, so no "else" */ - -+ /* -+ * Free the request as soon as it is complete so that its resources -+ * can be reused without waiting for userspace to read() the -+ * result. But keep the associated bio (if any) around until -+ * blk_rq_unmap_user() can be called from user context. -+ */ -+ srp->rq = NULL; -+ if (rq->cmd != rq->__cmd) -+ kfree(rq->cmd); -+ __blk_put_request(rq->q, rq); -+ - write_lock_irqsave(&sfp->rq_list_lock, iflags); - if (unlikely(srp->orphan)) { - if (sfp->keep_orphan) -@@ -1684,7 +1695,22 @@ sg_start_req(Sg_request *srp, unsigned char *cmd) - return -ENOMEM; - } - -- rq = blk_get_request(q, rw, GFP_ATOMIC); -+ /* -+ * NOTE -+ * -+ * With scsi-mq enabled, there are a fixed number of preallocated -+ * requests equal in number to shost->can_queue. If all of the -+ * preallocated requests are already in use, then using GFP_ATOMIC with -+ * blk_get_request() will return -EWOULDBLOCK, whereas using GFP_KERNEL -+ * will cause blk_get_request() to sleep until an active command -+ * completes, freeing up a request. Neither option is ideal, but -+ * GFP_KERNEL is the better choice to prevent userspace from getting an -+ * unexpected EWOULDBLOCK. -+ * -+ * With scsi-mq disabled, blk_get_request() with GFP_KERNEL usually -+ * does not sleep except under memory pressure. -+ */ -+ rq = blk_get_request(q, rw, GFP_KERNEL); - if (IS_ERR(rq)) { - kfree(long_cmdp); - return PTR_ERR(rq); -@@ -1777,10 +1803,10 @@ sg_finish_rem_req(Sg_request *srp) - SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp, - "sg_finish_rem_req: res_used=%d\n", - (int) srp->res_used)); -- if (srp->rq) { -- if (srp->bio) -- ret = blk_rq_unmap_user(srp->bio); -+ if (srp->bio) -+ ret = blk_rq_unmap_user(srp->bio); - -+ if (srp->rq) { - if (srp->rq->cmd != srp->rq->__cmd) - kfree(srp->rq->cmd); - blk_put_request(srp->rq); -diff --git a/drivers/target/iscsi/iscsi_target_tq.c b/drivers/target/iscsi/iscsi_target_tq.c -index 601e9cc..bb2890e 100644 ---- a/drivers/target/iscsi/iscsi_target_tq.c -+++ b/drivers/target/iscsi/iscsi_target_tq.c -@@ -24,36 +24,22 @@ - #include "iscsi_target_tq.h" - #include "iscsi_target.h" - --static LIST_HEAD(active_ts_list); - static LIST_HEAD(inactive_ts_list); --static DEFINE_SPINLOCK(active_ts_lock); - static DEFINE_SPINLOCK(inactive_ts_lock); - static DEFINE_SPINLOCK(ts_bitmap_lock); - --static void iscsi_add_ts_to_active_list(struct iscsi_thread_set *ts) --{ -- spin_lock(&active_ts_lock); -- list_add_tail(&ts->ts_list, &active_ts_list); -- iscsit_global->active_ts++; -- spin_unlock(&active_ts_lock); --} -- - static void iscsi_add_ts_to_inactive_list(struct iscsi_thread_set *ts) - { -+ if (!list_empty(&ts->ts_list)) { -+ WARN_ON(1); -+ return; -+ } - spin_lock(&inactive_ts_lock); - list_add_tail(&ts->ts_list, &inactive_ts_list); - iscsit_global->inactive_ts++; - spin_unlock(&inactive_ts_lock); - } - --static void iscsi_del_ts_from_active_list(struct iscsi_thread_set *ts) --{ -- spin_lock(&active_ts_lock); -- list_del(&ts->ts_list); -- iscsit_global->active_ts--; -- spin_unlock(&active_ts_lock); --} -- - static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void) - { - struct iscsi_thread_set *ts; -@@ -66,7 +52,7 @@ static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void) - - ts = list_first_entry(&inactive_ts_list, struct iscsi_thread_set, ts_list); - -- list_del(&ts->ts_list); -+ list_del_init(&ts->ts_list); - iscsit_global->inactive_ts--; - spin_unlock(&inactive_ts_lock); - -@@ -204,8 +190,6 @@ static void iscsi_deallocate_extra_thread_sets(void) - - void iscsi_activate_thread_set(struct iscsi_conn *conn, struct iscsi_thread_set *ts) - { -- iscsi_add_ts_to_active_list(ts); -- - spin_lock_bh(&ts->ts_state_lock); - conn->thread_set = ts; - ts->conn = conn; -@@ -397,7 +381,6 @@ struct iscsi_conn *iscsi_rx_thread_pre_handler(struct iscsi_thread_set *ts) - - if (ts->delay_inactive && (--ts->thread_count == 0)) { - spin_unlock_bh(&ts->ts_state_lock); -- iscsi_del_ts_from_active_list(ts); - - if (!iscsit_global->in_shutdown) - iscsi_deallocate_extra_thread_sets(); -@@ -452,7 +435,6 @@ struct iscsi_conn *iscsi_tx_thread_pre_handler(struct iscsi_thread_set *ts) - - if (ts->delay_inactive && (--ts->thread_count == 0)) { - spin_unlock_bh(&ts->ts_state_lock); -- iscsi_del_ts_from_active_list(ts); - - if (!iscsit_global->in_shutdown) - iscsi_deallocate_extra_thread_sets(); -diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index a9d256d..6e1f150 100644 ---- a/drivers/tty/pty.c -+++ b/drivers/tty/pty.c -@@ -210,6 +210,9 @@ static int pty_signal(struct tty_struct *tty, int sig) - { - struct pid *pgrp; - -+ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP) -+ return -EINVAL; -+ - if (tty->link) { - pgrp = tty_get_pgrp(tty->link); - if (pgrp) -diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c -index 4d848a2..92a8b26 100644 ---- a/drivers/tty/serial/atmel_serial.c -+++ b/drivers/tty/serial/atmel_serial.c -@@ -794,7 +794,7 @@ static void atmel_tx_dma(struct uart_port *port) - return; - } - -- dma_sync_sg_for_device(port->dev, sg, 1, DMA_MEM_TO_DEV); -+ dma_sync_sg_for_device(port->dev, sg, 1, DMA_TO_DEVICE); - - atmel_port->desc_tx = desc; - desc->callback = atmel_complete_tx_dma; -@@ -927,7 +927,7 @@ static void atmel_rx_from_dma(struct uart_port *port) - dma_sync_sg_for_cpu(port->dev, - &atmel_port->sg_rx, - 1, -- DMA_DEV_TO_MEM); -+ DMA_FROM_DEVICE); - - /* - * ring->head points to the end of data already written by the DMA. -@@ -974,7 +974,7 @@ static void atmel_rx_from_dma(struct uart_port *port) - dma_sync_sg_for_device(port->dev, - &atmel_port->sg_rx, - 1, -- DMA_DEV_TO_MEM); -+ DMA_FROM_DEVICE); - - /* - * Drop the lock here since it might end up calling -@@ -2565,7 +2565,7 @@ static int atmel_serial_probe(struct platform_device *pdev) - - ret = atmel_init_port(port, pdev); - if (ret) -- goto err; -+ goto err_clear_bit; - - if (!atmel_use_pdc_rx(&port->uart)) { - ret = -ENOMEM; -@@ -2596,6 +2596,12 @@ static int atmel_serial_probe(struct platform_device *pdev) - device_init_wakeup(&pdev->dev, 1); - platform_set_drvdata(pdev, port); - -+ /* -+ * The peripheral clock has been disabled by atmel_init_port(): -+ * enable it before accessing I/O registers -+ */ -+ clk_prepare_enable(port->clk); -+ - if (rs485_enabled) { - UART_PUT_MR(&port->uart, ATMEL_US_USMODE_NORMAL); - UART_PUT_CR(&port->uart, ATMEL_US_RTSEN); -@@ -2606,6 +2612,12 @@ static int atmel_serial_probe(struct platform_device *pdev) - */ - atmel_get_ip_name(&port->uart); - -+ /* -+ * The peripheral clock can now safely be disabled till the port -+ * is used -+ */ -+ clk_disable_unprepare(port->clk); -+ - return 0; - - err_add_port: -@@ -2616,6 +2628,8 @@ err_alloc_ring: - clk_put(port->clk); - port->clk = NULL; - } -+err_clear_bit: -+ clear_bit(port->uart.line, atmel_ports_in_use); - err: - return ret; - } -diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c -index e7cde3a..e95c497 100644 ---- a/drivers/tty/serial/fsl_lpuart.c -+++ b/drivers/tty/serial/fsl_lpuart.c -@@ -506,9 +506,6 @@ static inline void lpuart_prepare_rx(struct lpuart_port *sport) - - spin_lock_irqsave(&sport->port.lock, flags); - -- init_timer(&sport->lpuart_timer); -- sport->lpuart_timer.function = lpuart_timer_func; -- sport->lpuart_timer.data = (unsigned long)sport; - sport->lpuart_timer.expires = jiffies + sport->dma_rx_timeout; - add_timer(&sport->lpuart_timer); - -@@ -758,18 +755,18 @@ out: - static irqreturn_t lpuart_int(int irq, void *dev_id) - { - struct lpuart_port *sport = dev_id; -- unsigned char sts; -+ unsigned char sts, crdma; - - sts = readb(sport->port.membase + UARTSR1); -+ crdma = readb(sport->port.membase + UARTCR5); - -- if (sts & UARTSR1_RDRF) { -+ if (sts & UARTSR1_RDRF && !(crdma & UARTCR5_RDMAS)) { - if (sport->lpuart_dma_use) - lpuart_prepare_rx(sport); - else - lpuart_rxint(irq, dev_id); - } -- if (sts & UARTSR1_TDRE && -- !(readb(sport->port.membase + UARTCR5) & UARTCR5_TDMAS)) { -+ if (sts & UARTSR1_TDRE && !(crdma & UARTCR5_TDMAS)) { - if (sport->lpuart_dma_use) - lpuart_pio_tx(sport); - else -@@ -1106,7 +1103,10 @@ static int lpuart_startup(struct uart_port *port) - sport->lpuart_dma_use = false; - } else { - sport->lpuart_dma_use = true; -+ setup_timer(&sport->lpuart_timer, lpuart_timer_func, -+ (unsigned long)sport); - temp = readb(port->membase + UARTCR5); -+ temp &= ~UARTCR5_RDMAS; - writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5); - } - -@@ -1180,6 +1180,8 @@ static void lpuart_shutdown(struct uart_port *port) - devm_free_irq(port->dev, port->irq, sport); - - if (sport->lpuart_dma_use) { -+ del_timer_sync(&sport->lpuart_timer); -+ - lpuart_dma_tx_free(port); - lpuart_dma_rx_free(port); - } -diff --git a/drivers/tty/tty_mutex.c b/drivers/tty/tty_mutex.c -index 4486741..a872389 100644 ---- a/drivers/tty/tty_mutex.c -+++ b/drivers/tty/tty_mutex.c -@@ -46,12 +46,8 @@ EXPORT_SYMBOL(tty_unlock); - - void __lockfunc tty_lock_slave(struct tty_struct *tty) - { -- if (tty && tty != tty->link) { -- WARN_ON(!mutex_is_locked(&tty->link->legacy_mutex) || -- !tty->driver->type == TTY_DRIVER_TYPE_PTY || -- !tty->driver->type == PTY_TYPE_SLAVE); -+ if (tty && tty != tty->link) - tty_lock(tty); -- } - } - - void __lockfunc tty_unlock_slave(struct tty_struct *tty) -diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c -index f3fbbbc..42d8f17 100644 ---- a/drivers/tty/vt/vt.c -+++ b/drivers/tty/vt/vt.c -@@ -500,6 +500,7 @@ void invert_screen(struct vc_data *vc, int offset, int count, int viewed) - #endif - if (DO_UPDATE(vc)) - do_update_region(vc, (unsigned long) p, count); -+ notify_update(vc); - } - - /* used by selection: complement pointer position */ -@@ -516,6 +517,7 @@ void complement_pos(struct vc_data *vc, int offset) - scr_writew(old, screenpos(vc, old_offset, 1)); - if (DO_UPDATE(vc)) - vc->vc_sw->con_putc(vc, old, oldy, oldx); -+ notify_update(vc); - } - - old_offset = offset; -@@ -533,8 +535,8 @@ void complement_pos(struct vc_data *vc, int offset) - oldy = (offset >> 1) / vc->vc_cols; - vc->vc_sw->con_putc(vc, new, oldy, oldx); - } -+ notify_update(vc); - } -- - } - - static void insert_char(struct vc_data *vc, unsigned int nr) -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index 546a17e8..a417b73 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1091,6 +1091,7 @@ static int acm_probe(struct usb_interface *intf, - unsigned long quirks; - int num_rx_buf; - int i; -+ unsigned int elength = 0; - int combined_interfaces = 0; - struct device *tty_dev; - int rv = -ENOMEM; -@@ -1136,9 +1137,12 @@ static int acm_probe(struct usb_interface *intf, - dev_err(&intf->dev, "skipping garbage\n"); - goto next_desc; - } -+ elength = buffer[0]; - - switch (buffer[2]) { - case USB_CDC_UNION_TYPE: /* we've found it */ -+ if (elength < sizeof(struct usb_cdc_union_desc)) -+ goto next_desc; - if (union_header) { - dev_err(&intf->dev, "More than one " - "union descriptor, skipping ...\n"); -@@ -1147,29 +1151,36 @@ static int acm_probe(struct usb_interface *intf, - union_header = (struct usb_cdc_union_desc *)buffer; - break; - case USB_CDC_COUNTRY_TYPE: /* export through sysfs*/ -+ if (elength < sizeof(struct usb_cdc_country_functional_desc)) -+ goto next_desc; - cfd = (struct usb_cdc_country_functional_desc *)buffer; - break; - case USB_CDC_HEADER_TYPE: /* maybe check version */ - break; /* for now we ignore it */ - case USB_CDC_ACM_TYPE: -+ if (elength < 4) -+ goto next_desc; - ac_management_function = buffer[3]; - break; - case USB_CDC_CALL_MANAGEMENT_TYPE: -+ if (elength < 5) -+ goto next_desc; - call_management_function = buffer[3]; - call_interface_num = buffer[4]; - break; - default: -- /* there are LOTS more CDC descriptors that -+ /* -+ * there are LOTS more CDC descriptors that - * could legitimately be found here. - */ - dev_dbg(&intf->dev, "Ignoring descriptor: " -- "type %02x, length %d\n", -- buffer[2], buffer[0]); -+ "type %02x, length %ud\n", -+ buffer[2], elength); - break; - } - next_desc: -- buflen -= buffer[0]; -- buffer += buffer[0]; -+ buflen -= elength; -+ buffer += elength; - } - - if (!union_header) { -diff --git a/drivers/usb/core/buffer.c b/drivers/usb/core/buffer.c -index 684ef70..506b969 100644 ---- a/drivers/usb/core/buffer.c -+++ b/drivers/usb/core/buffer.c -@@ -22,17 +22,25 @@ - */ - - /* FIXME tune these based on pool statistics ... */ --static const size_t pool_max[HCD_BUFFER_POOLS] = { -- /* platforms without dma-friendly caches might need to -- * prevent cacheline sharing... -- */ -- 32, -- 128, -- 512, -- PAGE_SIZE / 2 -- /* bigger --> allocate pages */ -+static size_t pool_max[HCD_BUFFER_POOLS] = { -+ 32, 128, 512, 2048, - }; - -+void __init usb_init_pool_max(void) -+{ -+ /* -+ * The pool_max values must never be smaller than -+ * ARCH_KMALLOC_MINALIGN. -+ */ -+ if (ARCH_KMALLOC_MINALIGN <= 32) -+ ; /* Original value is okay */ -+ else if (ARCH_KMALLOC_MINALIGN <= 64) -+ pool_max[0] = 64; -+ else if (ARCH_KMALLOC_MINALIGN <= 128) -+ pool_max[0] = 0; /* Don't use this pool */ -+ else -+ BUILD_BUG(); /* We don't allow this */ -+} - - /* SETUP primitives */ - -diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c -index 874dec3..818369a 100644 ---- a/drivers/usb/core/driver.c -+++ b/drivers/usb/core/driver.c -@@ -275,21 +275,6 @@ static int usb_unbind_device(struct device *dev) - return 0; - } - --/* -- * Cancel any pending scheduled resets -- * -- * [see usb_queue_reset_device()] -- * -- * Called after unconfiguring / when releasing interfaces. See -- * comments in __usb_queue_reset_device() regarding -- * udev->reset_running. -- */ --static void usb_cancel_queued_reset(struct usb_interface *iface) --{ -- if (iface->reset_running == 0) -- cancel_work_sync(&iface->reset_ws); --} -- - /* called from driver core with dev locked */ - static int usb_probe_interface(struct device *dev) - { -@@ -380,7 +365,6 @@ static int usb_probe_interface(struct device *dev) - usb_set_intfdata(intf, NULL); - intf->needs_remote_wakeup = 0; - intf->condition = USB_INTERFACE_UNBOUND; -- usb_cancel_queued_reset(intf); - - /* If the LPM disable succeeded, balance the ref counts. */ - if (!lpm_disable_error) -@@ -425,7 +409,6 @@ static int usb_unbind_interface(struct device *dev) - usb_disable_interface(udev, intf, false); - - driver->disconnect(intf); -- usb_cancel_queued_reset(intf); - - /* Free streams */ - for (i = 0, j = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { -@@ -1797,6 +1780,18 @@ static int autosuspend_check(struct usb_device *udev) - dev_dbg(&udev->dev, "remote wakeup needed for autosuspend\n"); - return -EOPNOTSUPP; - } -+ -+ /* -+ * If the device is a direct child of the root hub and the HCD -+ * doesn't handle wakeup requests, don't allow autosuspend when -+ * wakeup is needed. -+ */ -+ if (w && udev->parent == udev->bus->root_hub && -+ bus_to_hcd(udev->bus)->cant_recv_wakeups) { -+ dev_dbg(&udev->dev, "HCD doesn't handle wakeup requests\n"); -+ return -EOPNOTSUPP; -+ } -+ - udev->do_remote_wakeup = w; - return 0; - } -diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index 11cee55..45a915c 100644 ---- a/drivers/usb/core/hcd.c -+++ b/drivers/usb/core/hcd.c -@@ -1618,6 +1618,7 @@ static int unlink1(struct usb_hcd *hcd, struct urb *urb, int status) - int usb_hcd_unlink_urb (struct urb *urb, int status) - { - struct usb_hcd *hcd; -+ struct usb_device *udev = urb->dev; - int retval = -EIDRM; - unsigned long flags; - -@@ -1629,20 +1630,19 @@ int usb_hcd_unlink_urb (struct urb *urb, int status) - spin_lock_irqsave(&hcd_urb_unlink_lock, flags); - if (atomic_read(&urb->use_count) > 0) { - retval = 0; -- usb_get_dev(urb->dev); -+ usb_get_dev(udev); - } - spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags); - if (retval == 0) { - hcd = bus_to_hcd(urb->dev->bus); - retval = unlink1(hcd, urb, status); -- usb_put_dev(urb->dev); -+ if (retval == 0) -+ retval = -EINPROGRESS; -+ else if (retval != -EIDRM && retval != -EBUSY) -+ dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n", -+ urb, retval); -+ usb_put_dev(udev); - } -- -- if (retval == 0) -- retval = -EINPROGRESS; -- else if (retval != -EIDRM && retval != -EBUSY) -- dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n", -- urb, retval); - return retval; - } - -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index aeb50bb..b4bfa3a 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -5589,26 +5589,19 @@ EXPORT_SYMBOL_GPL(usb_reset_device); - * possible; depending on how the driver attached to each interface - * handles ->pre_reset(), the second reset might happen or not. - * -- * - If a driver is unbound and it had a pending reset, the reset will -- * be cancelled. -+ * - If the reset is delayed so long that the interface is unbound from -+ * its driver, the reset will be skipped. - * -- * - This function can be called during .probe() or .disconnect() -- * times. On return from .disconnect(), any pending resets will be -- * cancelled. -- * -- * There is no no need to lock/unlock the @reset_ws as schedule_work() -- * does its own. -- * -- * NOTE: We don't do any reference count tracking because it is not -- * needed. The lifecycle of the work_struct is tied to the -- * usb_interface. Before destroying the interface we cancel the -- * work_struct, so the fact that work_struct is queued and or -- * running means the interface (and thus, the device) exist and -- * are referenced. -+ * - This function can be called during .probe(). It can also be called -+ * during .disconnect(), but doing so is pointless because the reset -+ * will not occur. If you really want to reset the device during -+ * .disconnect(), call usb_reset_device() directly -- but watch out -+ * for nested unbinding issues! - */ - void usb_queue_reset_device(struct usb_interface *iface) - { -- schedule_work(&iface->reset_ws); -+ if (schedule_work(&iface->reset_ws)) -+ usb_get_intf(iface); - } - EXPORT_SYMBOL_GPL(usb_queue_reset_device); - -diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c -index f7b7713..f368d20 100644 ---- a/drivers/usb/core/message.c -+++ b/drivers/usb/core/message.c -@@ -1551,6 +1551,7 @@ static void usb_release_interface(struct device *dev) - altsetting_to_usb_interface_cache(intf->altsetting); - - kref_put(&intfc->ref, usb_release_interface_cache); -+ usb_put_dev(interface_to_usbdev(intf)); - kfree(intf); - } - -@@ -1626,24 +1627,6 @@ static struct usb_interface_assoc_descriptor *find_iad(struct usb_device *dev, - - /* - * Internal function to queue a device reset -- * -- * This is initialized into the workstruct in 'struct -- * usb_device->reset_ws' that is launched by -- * message.c:usb_set_configuration() when initializing each 'struct -- * usb_interface'. -- * -- * It is safe to get the USB device without reference counts because -- * the life cycle of @iface is bound to the life cycle of @udev. Then, -- * this function will be ran only if @iface is alive (and before -- * freeing it any scheduled instances of it will have been cancelled). -- * -- * We need to set a flag (usb_dev->reset_running) because when we call -- * the reset, the interfaces might be unbound. The current interface -- * cannot try to remove the queued work as it would cause a deadlock -- * (you cannot remove your work from within your executing -- * workqueue). This flag lets it know, so that -- * usb_cancel_queued_reset() doesn't try to do it. -- * - * See usb_queue_reset_device() for more details - */ - static void __usb_queue_reset_device(struct work_struct *ws) -@@ -1655,11 +1638,10 @@ static void __usb_queue_reset_device(struct work_struct *ws) - - rc = usb_lock_device_for_reset(udev, iface); - if (rc >= 0) { -- iface->reset_running = 1; - usb_reset_device(udev); -- iface->reset_running = 0; - usb_unlock_device(udev); - } -+ usb_put_intf(iface); /* Undo _get_ in usb_queue_reset_device() */ - } - - -@@ -1854,6 +1836,7 @@ free_interfaces: - dev_set_name(&intf->dev, "%d-%s:%d.%d", - dev->bus->busnum, dev->devpath, - configuration, alt->desc.bInterfaceNumber); -+ usb_get_dev(dev); - } - kfree(new_interfaces); - -diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c -index 2a92b97..b1fb9ae 100644 ---- a/drivers/usb/core/usb.c -+++ b/drivers/usb/core/usb.c -@@ -1049,6 +1049,7 @@ static int __init usb_init(void) - pr_info("%s: USB support disabled\n", usbcore_name); - return 0; - } -+ usb_init_pool_max(); - - retval = usb_debugfs_init(); - if (retval) -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index 8f65ab3..4efd3bd 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -2043,6 +2043,7 @@ static void dwc3_resume_gadget(struct dwc3 *dwc) - if (dwc->gadget_driver && dwc->gadget_driver->resume) { - spin_unlock(&dwc->lock); - dwc->gadget_driver->resume(&dwc->gadget); -+ spin_lock(&dwc->lock); - } - } - -diff --git a/drivers/usb/host/isp1760-hcd.c b/drivers/usb/host/isp1760-hcd.c -index 395649f..c83ac89 100644 ---- a/drivers/usb/host/isp1760-hcd.c -+++ b/drivers/usb/host/isp1760-hcd.c -@@ -2247,6 +2247,9 @@ struct usb_hcd *isp1760_register(phys_addr_t res_start, resource_size_t res_len, - hcd->rsrc_start = res_start; - hcd->rsrc_len = res_len; - -+ /* This driver doesn't support wakeup requests */ -+ hcd->cant_recv_wakeups = 1; -+ - ret = usb_add_hcd(hcd, irq, irqflags); - if (ret) - goto err_unmap; -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index f4c56fc..f40c856 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -56,6 +56,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */ - { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ - { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ -+ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ - { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ - { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ - { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ -diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c -index f8bb36f..bf19407 100644 ---- a/drivers/xen/manage.c -+++ b/drivers/xen/manage.c -@@ -105,10 +105,16 @@ static void do_suspend(void) - - err = freeze_processes(); - if (err) { -- pr_err("%s: freeze failed %d\n", __func__, err); -+ pr_err("%s: freeze processes failed %d\n", __func__, err); - goto out; - } - -+ err = freeze_kernel_threads(); -+ if (err) { -+ pr_err("%s: freeze kernel threads failed %d\n", __func__, err); -+ goto out_thaw; -+ } -+ - err = dpm_suspend_start(PMSG_FREEZE); - if (err) { - pr_err("%s: dpm_suspend_start %d\n", __func__, err); -diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c -index e999496e..8e38499 100644 ---- a/drivers/xen/xen-scsiback.c -+++ b/drivers/xen/xen-scsiback.c -@@ -708,12 +708,11 @@ static int prepare_pending_reqs(struct vscsibk_info *info, - static int scsiback_do_cmd_fn(struct vscsibk_info *info) - { - struct vscsiif_back_ring *ring = &info->ring; -- struct vscsiif_request *ring_req; -+ struct vscsiif_request ring_req; - struct vscsibk_pend *pending_req; - RING_IDX rc, rp; - int err, more_to_do; - uint32_t result; -- uint8_t act; - - rc = ring->req_cons; - rp = ring->sring->req_prod; -@@ -734,11 +733,10 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info) - if (!pending_req) - return 1; - -- ring_req = RING_GET_REQUEST(ring, rc); -+ ring_req = *RING_GET_REQUEST(ring, rc); - ring->req_cons = ++rc; - -- act = ring_req->act; -- err = prepare_pending_reqs(info, ring_req, pending_req); -+ err = prepare_pending_reqs(info, &ring_req, pending_req); - if (err) { - switch (err) { - case -ENODEV: -@@ -754,9 +752,9 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info) - return 1; - } - -- switch (act) { -+ switch (ring_req.act) { - case VSCSIIF_ACT_SCSI_CDB: -- if (scsiback_gnttab_data_map(ring_req, pending_req)) { -+ if (scsiback_gnttab_data_map(&ring_req, pending_req)) { - scsiback_fast_flush_area(pending_req); - scsiback_do_resp_with_sense(NULL, - DRIVER_ERROR << 24, 0, pending_req); -@@ -767,7 +765,7 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info) - break; - case VSCSIIF_ACT_SCSI_ABORT: - scsiback_device_action(pending_req, TMR_ABORT_TASK, -- ring_req->ref_rqid); -+ ring_req.ref_rqid); - break; - case VSCSIIF_ACT_SCSI_RESET: - scsiback_device_action(pending_req, TMR_LUN_RESET, 0); -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 02b1691..995986b 100644 ---- a/fs/binfmt_elf.c -+++ b/fs/binfmt_elf.c -@@ -645,11 +645,12 @@ out: - - static unsigned long randomize_stack_top(unsigned long stack_top) - { -- unsigned int random_variable = 0; -+ unsigned long random_variable = 0; - - if ((current->flags & PF_RANDOMIZE) && - !(current->personality & ADDR_NO_RANDOMIZE)) { -- random_variable = get_random_int() & STACK_RND_MASK; -+ random_variable = (unsigned long) get_random_int(); -+ random_variable &= STACK_RND_MASK; - random_variable <<= PAGE_SHIFT; - } - #ifdef CONFIG_STACK_GROWSUP -diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c -index 14a72ed..f54511d 100644 ---- a/fs/btrfs/ctree.c -+++ b/fs/btrfs/ctree.c -@@ -2609,32 +2609,23 @@ static int key_search(struct extent_buffer *b, struct btrfs_key *key, - return 0; - } - --int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *found_path, -+int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *path, - u64 iobjectid, u64 ioff, u8 key_type, - struct btrfs_key *found_key) - { - int ret; - struct btrfs_key key; - struct extent_buffer *eb; -- struct btrfs_path *path; -+ -+ ASSERT(path); - - key.type = key_type; - key.objectid = iobjectid; - key.offset = ioff; - -- if (found_path == NULL) { -- path = btrfs_alloc_path(); -- if (!path) -- return -ENOMEM; -- } else -- path = found_path; -- - ret = btrfs_search_slot(NULL, fs_root, &key, path, 0, 0); -- if ((ret < 0) || (found_key == NULL)) { -- if (path != found_path) -- btrfs_free_path(path); -+ if ((ret < 0) || (found_key == NULL)) - return ret; -- } - - eb = path->nodes[0]; - if (ret && path->slots[0] >= btrfs_header_nritems(eb)) { -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 8c63419..6f46c9b 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -1630,6 +1630,7 @@ struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info, - bool check_ref) - { - struct btrfs_root *root; -+ struct btrfs_path *path; - int ret; - - if (location->objectid == BTRFS_ROOT_TREE_OBJECTID) -@@ -1669,8 +1670,14 @@ again: - if (ret) - goto fail; - -- ret = btrfs_find_item(fs_info->tree_root, NULL, BTRFS_ORPHAN_OBJECTID, -+ path = btrfs_alloc_path(); -+ if (!path) { -+ ret = -ENOMEM; -+ goto fail; -+ } -+ ret = btrfs_find_item(fs_info->tree_root, path, BTRFS_ORPHAN_OBJECTID, - location->objectid, BTRFS_ORPHAN_ITEM_KEY, NULL); -+ btrfs_free_path(path); - if (ret < 0) - goto fail; - if (ret == 0) -@@ -2498,7 +2505,7 @@ int open_ctree(struct super_block *sb, - features |= BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO; - - if (features & BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA) -- printk(KERN_ERR "BTRFS: has skinny extents\n"); -+ printk(KERN_INFO "BTRFS: has skinny extents\n"); - - /* - * flag our filesystem as having big metadata blocks if -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index 1a9585d..f78e9dc 100644 ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -488,8 +488,20 @@ insert: - src_item = (struct btrfs_inode_item *)src_ptr; - dst_item = (struct btrfs_inode_item *)dst_ptr; - -- if (btrfs_inode_generation(eb, src_item) == 0) -+ if (btrfs_inode_generation(eb, src_item) == 0) { -+ struct extent_buffer *dst_eb = path->nodes[0]; -+ -+ if (S_ISREG(btrfs_inode_mode(eb, src_item)) && -+ S_ISREG(btrfs_inode_mode(dst_eb, dst_item))) { -+ struct btrfs_map_token token; -+ u64 ino_size = btrfs_inode_size(eb, src_item); -+ -+ btrfs_init_map_token(&token); -+ btrfs_set_token_inode_size(dst_eb, dst_item, -+ ino_size, &token); -+ } - goto no_copy; -+ } - - if (overwrite_root && - S_ISDIR(btrfs_inode_mode(eb, src_item)) && -@@ -1257,10 +1269,19 @@ static int insert_orphan_item(struct btrfs_trans_handle *trans, - struct btrfs_root *root, u64 offset) - { - int ret; -- ret = btrfs_find_item(root, NULL, BTRFS_ORPHAN_OBJECTID, -+ struct btrfs_path *path; -+ -+ path = btrfs_alloc_path(); -+ if (!path) -+ return -ENOMEM; -+ -+ ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID, - offset, BTRFS_ORPHAN_ITEM_KEY, NULL); - if (ret > 0) - ret = btrfs_insert_orphan_item(trans, root, offset); -+ -+ btrfs_free_path(path); -+ - return ret; - } - -@@ -3219,7 +3240,8 @@ static int drop_objectid_items(struct btrfs_trans_handle *trans, - static void fill_inode_item(struct btrfs_trans_handle *trans, - struct extent_buffer *leaf, - struct btrfs_inode_item *item, -- struct inode *inode, int log_inode_only) -+ struct inode *inode, int log_inode_only, -+ u64 logged_isize) - { - struct btrfs_map_token token; - -@@ -3232,7 +3254,7 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, - * to say 'update this inode with these values' - */ - btrfs_set_token_inode_generation(leaf, item, 0, &token); -- btrfs_set_token_inode_size(leaf, item, 0, &token); -+ btrfs_set_token_inode_size(leaf, item, logged_isize, &token); - } else { - btrfs_set_token_inode_generation(leaf, item, - BTRFS_I(inode)->generation, -@@ -3284,7 +3306,7 @@ static int log_inode_item(struct btrfs_trans_handle *trans, - return ret; - inode_item = btrfs_item_ptr(path->nodes[0], path->slots[0], - struct btrfs_inode_item); -- fill_inode_item(trans, path->nodes[0], inode_item, inode, 0); -+ fill_inode_item(trans, path->nodes[0], inode_item, inode, 0, 0); - btrfs_release_path(path); - return 0; - } -@@ -3293,7 +3315,8 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, - struct inode *inode, - struct btrfs_path *dst_path, - struct btrfs_path *src_path, u64 *last_extent, -- int start_slot, int nr, int inode_only) -+ int start_slot, int nr, int inode_only, -+ u64 logged_isize) - { - unsigned long src_offset; - unsigned long dst_offset; -@@ -3350,7 +3373,8 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, - dst_path->slots[0], - struct btrfs_inode_item); - fill_inode_item(trans, dst_path->nodes[0], inode_item, -- inode, inode_only == LOG_INODE_EXISTS); -+ inode, inode_only == LOG_INODE_EXISTS, -+ logged_isize); - } else { - copy_extent_buffer(dst_path->nodes[0], src, dst_offset, - src_offset, ins_sizes[i]); -@@ -3902,6 +3926,33 @@ process: - return ret; - } - -+static int logged_inode_size(struct btrfs_root *log, struct inode *inode, -+ struct btrfs_path *path, u64 *size_ret) -+{ -+ struct btrfs_key key; -+ int ret; -+ -+ key.objectid = btrfs_ino(inode); -+ key.type = BTRFS_INODE_ITEM_KEY; -+ key.offset = 0; -+ -+ ret = btrfs_search_slot(NULL, log, &key, path, 0, 0); -+ if (ret < 0) { -+ return ret; -+ } else if (ret > 0) { -+ *size_ret = i_size_read(inode); -+ } else { -+ struct btrfs_inode_item *item; -+ -+ item = btrfs_item_ptr(path->nodes[0], path->slots[0], -+ struct btrfs_inode_item); -+ *size_ret = btrfs_inode_size(path->nodes[0], item); -+ } -+ -+ btrfs_release_path(path); -+ return 0; -+} -+ - /* log a single inode in the tree log. - * At least one parent directory for this inode must exist in the tree - * or be logged already. -@@ -3939,6 +3990,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, - bool fast_search = false; - u64 ino = btrfs_ino(inode); - struct extent_map_tree *em_tree = &BTRFS_I(inode)->extent_tree; -+ u64 logged_isize = 0; - - path = btrfs_alloc_path(); - if (!path) -@@ -3992,6 +4044,25 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, - max_key_type = BTRFS_XATTR_ITEM_KEY; - ret = drop_objectid_items(trans, log, path, ino, max_key_type); - } else { -+ if (inode_only == LOG_INODE_EXISTS) { -+ /* -+ * Make sure the new inode item we write to the log has -+ * the same isize as the current one (if it exists). -+ * This is necessary to prevent data loss after log -+ * replay, and also to prevent doing a wrong expanding -+ * truncate - for e.g. create file, write 4K into offset -+ * 0, fsync, write 4K into offset 4096, add hard link, -+ * fsync some other file (to sync log), power fail - if -+ * we use the inode's current i_size, after log replay -+ * we get a 8Kb file, with the last 4Kb extent as a hole -+ * (zeroes), as if an expanding truncate happened, -+ * instead of getting a file of 4Kb only. -+ */ -+ err = logged_inode_size(log, inode, path, -+ &logged_isize); -+ if (err) -+ goto out_unlock; -+ } - if (test_and_clear_bit(BTRFS_INODE_NEEDS_FULL_SYNC, - &BTRFS_I(inode)->runtime_flags)) { - clear_bit(BTRFS_INODE_COPY_EVERYTHING, -@@ -4047,7 +4118,8 @@ again: - } - - ret = copy_items(trans, inode, dst_path, path, &last_extent, -- ins_start_slot, ins_nr, inode_only); -+ ins_start_slot, ins_nr, inode_only, -+ logged_isize); - if (ret < 0) { - err = ret; - goto out_unlock; -@@ -4071,7 +4143,7 @@ next_slot: - if (ins_nr) { - ret = copy_items(trans, inode, dst_path, path, - &last_extent, ins_start_slot, -- ins_nr, inode_only); -+ ins_nr, inode_only, logged_isize); - if (ret < 0) { - err = ret; - goto out_unlock; -@@ -4092,7 +4164,8 @@ next_slot: - } - if (ins_nr) { - ret = copy_items(trans, inode, dst_path, path, &last_extent, -- ins_start_slot, ins_nr, inode_only); -+ ins_start_slot, ins_nr, inode_only, -+ logged_isize); - if (ret < 0) { - err = ret; - goto out_unlock; -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 74c5f53..fc29b2c 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -4864,9 +4864,8 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data) - if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^ - test_opt(sb, JOURNAL_CHECKSUM)) { - ext4_msg(sb, KERN_ERR, "changing journal_checksum " -- "during remount not supported"); -- err = -EINVAL; -- goto restore_opts; -+ "during remount not supported; ignoring"); -+ sbi->s_mount_opt ^= EXT4_MOUNT_JOURNAL_CHECKSUM; - } - - if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) { -diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c -index 7654e87..9ad5ba4 100644 ---- a/fs/jffs2/scan.c -+++ b/fs/jffs2/scan.c -@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo - sumlen = c->sector_size - je32_to_cpu(sm->offset); - sumptr = buf + buf_size - sumlen; - -+ /* sm->offset maybe wrong but MAGIC maybe right */ -+ if (sumlen > c->sector_size) -+ goto full_scan; -+ - /* Now, make sure the summary itself is available */ - if (sumlen > buf_size) { - /* Need to kmalloc for this. */ -@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo - } - } - -+full_scan: - buf_ofs = jeb->offset; - - if (!buf_size) { -diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c -index 1cc6ec5..47a32b6 100644 ---- a/fs/lockd/mon.c -+++ b/fs/lockd/mon.c -@@ -65,7 +65,7 @@ static inline struct sockaddr *nsm_addr(const struct nsm_handle *nsm) - return (struct sockaddr *)&nsm->sm_addr; - } - --static struct rpc_clnt *nsm_create(struct net *net) -+static struct rpc_clnt *nsm_create(struct net *net, const char *nodename) - { - struct sockaddr_in sin = { - .sin_family = AF_INET, -@@ -77,6 +77,7 @@ static struct rpc_clnt *nsm_create(struct net *net) - .address = (struct sockaddr *)&sin, - .addrsize = sizeof(sin), - .servername = "rpc.statd", -+ .nodename = nodename, - .program = &nsm_program, - .version = NSM_VERSION, - .authflavor = RPC_AUTH_NULL, -@@ -102,7 +103,7 @@ out: - return clnt; - } - --static struct rpc_clnt *nsm_client_get(struct net *net) -+static struct rpc_clnt *nsm_client_get(struct net *net, const char *nodename) - { - struct rpc_clnt *clnt, *new; - struct lockd_net *ln = net_generic(net, lockd_net_id); -@@ -111,7 +112,7 @@ static struct rpc_clnt *nsm_client_get(struct net *net) - if (clnt != NULL) - goto out; - -- clnt = new = nsm_create(net); -+ clnt = new = nsm_create(net, nodename); - if (IS_ERR(clnt)) - goto out; - -@@ -190,19 +191,23 @@ int nsm_monitor(const struct nlm_host *host) - struct nsm_res res; - int status; - struct rpc_clnt *clnt; -+ const char *nodename = NULL; - - dprintk("lockd: nsm_monitor(%s)\n", nsm->sm_name); - - if (nsm->sm_monitored) - return 0; - -+ if (host->h_rpcclnt) -+ nodename = host->h_rpcclnt->cl_nodename; -+ - /* - * Choose whether to record the caller_name or IP address of - * this peer in the local rpc.statd's database. - */ - nsm->sm_mon_name = nsm_use_hostnames ? nsm->sm_name : nsm->sm_addrbuf; - -- clnt = nsm_client_get(host->net); -+ clnt = nsm_client_get(host->net, nodename); - if (IS_ERR(clnt)) { - status = PTR_ERR(clnt); - dprintk("lockd: failed to create NSM upcall transport, " -diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c -index b8fb3a4..351be920 100644 ---- a/fs/nfs/callback.c -+++ b/fs/nfs/callback.c -@@ -128,22 +128,24 @@ nfs41_callback_svc(void *vrqstp) - if (try_to_freeze()) - continue; - -- prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE); -+ prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE); - spin_lock_bh(&serv->sv_cb_lock); - if (!list_empty(&serv->sv_cb_list)) { - req = list_first_entry(&serv->sv_cb_list, - struct rpc_rqst, rq_bc_list); - list_del(&req->rq_bc_list); - spin_unlock_bh(&serv->sv_cb_lock); -+ finish_wait(&serv->sv_cb_waitq, &wq); - dprintk("Invoking bc_svc_process()\n"); - error = bc_svc_process(serv, req, rqstp); - dprintk("bc_svc_process() returned w/ error code= %d\n", - error); - } else { - spin_unlock_bh(&serv->sv_cb_lock); -- schedule(); -+ /* schedule_timeout to game the hung task watchdog */ -+ schedule_timeout(60 * HZ); -+ finish_wait(&serv->sv_cb_waitq, &wq); - } -- finish_wait(&serv->sv_cb_waitq, &wq); - } - return 0; - } -diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c -index f4ccfe6..02f8d09 100644 ---- a/fs/nfs/callback_xdr.c -+++ b/fs/nfs/callback_xdr.c -@@ -464,8 +464,10 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp, - - for (i = 0; i < args->csa_nrclists; i++) { - status = decode_rc_list(xdr, &args->csa_rclists[i]); -- if (status) -+ if (status) { -+ args->csa_nrclists = i; - goto out_free; -+ } - } - } - status = 0; -diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c -index 294692f..a094b0c 100644 ---- a/fs/nfs/direct.c -+++ b/fs/nfs/direct.c -@@ -242,7 +242,7 @@ static void nfs_direct_release_pages(struct page **pages, unsigned int npages) - void nfs_init_cinfo_from_dreq(struct nfs_commit_info *cinfo, - struct nfs_direct_req *dreq) - { -- cinfo->lock = &dreq->lock; -+ cinfo->lock = &dreq->inode->i_lock; - cinfo->mds = &dreq->mds_cinfo; - cinfo->ds = &dreq->ds_cinfo; - cinfo->dreq = dreq; -diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h -index b6f34bf..b84efe4 100644 ---- a/fs/nfs/internal.h -+++ b/fs/nfs/internal.h -@@ -375,7 +375,7 @@ extern struct rpc_stat nfs_rpcstat; - - extern int __init register_nfs_fs(void); - extern void __exit unregister_nfs_fs(void); --extern void nfs_sb_active(struct super_block *sb); -+extern bool nfs_sb_active(struct super_block *sb); - extern void nfs_sb_deactive(struct super_block *sb); - - /* namespace.c */ -@@ -493,6 +493,26 @@ extern int nfs41_walk_client_list(struct nfs_client *clp, - struct nfs_client **result, - struct rpc_cred *cred); - -+static inline struct inode *nfs_igrab_and_active(struct inode *inode) -+{ -+ inode = igrab(inode); -+ if (inode != NULL && !nfs_sb_active(inode->i_sb)) { -+ iput(inode); -+ inode = NULL; -+ } -+ return inode; -+} -+ -+static inline void nfs_iput_and_deactive(struct inode *inode) -+{ -+ if (inode != NULL) { -+ struct super_block *sb = inode->i_sb; -+ -+ iput(inode); -+ nfs_sb_deactive(sb); -+ } -+} -+ - /* - * Determine the device name as a string - */ -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index c347705..89f6827 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -5137,9 +5137,13 @@ static void nfs4_delegreturn_done(struct rpc_task *task, void *calldata) - static void nfs4_delegreturn_release(void *calldata) - { - struct nfs4_delegreturndata *data = calldata; -+ struct inode *inode = data->inode; - -- if (data->roc) -- pnfs_roc_release(data->inode); -+ if (inode) { -+ if (data->roc) -+ pnfs_roc_release(inode); -+ nfs_iput_and_deactive(inode); -+ } - kfree(calldata); - } - -@@ -5196,9 +5200,9 @@ static int _nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, co - nfs_fattr_init(data->res.fattr); - data->timestamp = jiffies; - data->rpc_status = 0; -- data->inode = inode; -- data->roc = list_empty(&NFS_I(inode)->open_files) ? -- pnfs_roc(inode) : false; -+ data->inode = nfs_igrab_and_active(inode); -+ if (data->inode) -+ data->roc = nfs4_roc(inode); - - task_setup_data.callback_data = data; - msg.rpc_argp = &data->args; -diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c -index 0a5dda4..883ee88 100644 ---- a/fs/nfs/pnfs.c -+++ b/fs/nfs/pnfs.c -@@ -1445,19 +1445,19 @@ pnfs_generic_pg_init_read(struct nfs_pageio_descriptor *pgio, struct nfs_page *r - { - u64 rd_size = req->wb_bytes; - -- WARN_ON_ONCE(pgio->pg_lseg != NULL); -- -- if (pgio->pg_dreq == NULL) -- rd_size = i_size_read(pgio->pg_inode) - req_offset(req); -- else -- rd_size = nfs_dreq_bytes_left(pgio->pg_dreq); -- -- pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, -- req->wb_context, -- req_offset(req), -- rd_size, -- IOMODE_READ, -- GFP_KERNEL); -+ if (pgio->pg_lseg == NULL) { -+ if (pgio->pg_dreq == NULL) -+ rd_size = i_size_read(pgio->pg_inode) - req_offset(req); -+ else -+ rd_size = nfs_dreq_bytes_left(pgio->pg_dreq); -+ -+ pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, -+ req->wb_context, -+ req_offset(req), -+ rd_size, -+ IOMODE_READ, -+ GFP_KERNEL); -+ } - /* If no lseg, fall back to read through mds */ - if (pgio->pg_lseg == NULL) - nfs_pageio_reset_read_mds(pgio); -@@ -1469,14 +1469,13 @@ void - pnfs_generic_pg_init_write(struct nfs_pageio_descriptor *pgio, - struct nfs_page *req, u64 wb_size) - { -- WARN_ON_ONCE(pgio->pg_lseg != NULL); -- -- pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, -- req->wb_context, -- req_offset(req), -- wb_size, -- IOMODE_RW, -- GFP_NOFS); -+ if (pgio->pg_lseg == NULL) -+ pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, -+ req->wb_context, -+ req_offset(req), -+ wb_size, -+ IOMODE_RW, -+ GFP_NOFS); - /* If no lseg, fall back to write through mds */ - if (pgio->pg_lseg == NULL) - nfs_pageio_reset_write_mds(pgio); -diff --git a/fs/nfs/super.c b/fs/nfs/super.c -index 31a11b0..368d939 100644 ---- a/fs/nfs/super.c -+++ b/fs/nfs/super.c -@@ -405,12 +405,15 @@ void __exit unregister_nfs_fs(void) - unregister_filesystem(&nfs_fs_type); - } - --void nfs_sb_active(struct super_block *sb) -+bool nfs_sb_active(struct super_block *sb) - { - struct nfs_server *server = NFS_SB(sb); - -- if (atomic_inc_return(&server->active) == 1) -- atomic_inc(&sb->s_active); -+ if (!atomic_inc_not_zero(&sb->s_active)) -+ return false; -+ if (atomic_inc_return(&server->active) != 1) -+ atomic_dec(&sb->s_active); -+ return true; - } - EXPORT_SYMBOL_GPL(nfs_sb_active); - -diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c -index 10b6539..465223b 100644 ---- a/fs/ocfs2/quota_local.c -+++ b/fs/ocfs2/quota_local.c -@@ -701,8 +701,8 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) - /* We don't need the lock and we have to acquire quota file locks - * which will later depend on this lock */ - mutex_unlock(&sb_dqopt(sb)->dqio_mutex); -- info->dqi_maxblimit = 0x7fffffffffffffffLL; -- info->dqi_maxilimit = 0x7fffffffffffffffLL; -+ info->dqi_max_spc_limit = 0x7fffffffffffffffLL; -+ info->dqi_max_ino_limit = 0x7fffffffffffffffLL; - oinfo = kmalloc(sizeof(struct ocfs2_mem_dqinfo), GFP_NOFS); - if (!oinfo) { - mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 246eae8..88f9b83 100644 ---- a/fs/proc/task_mmu.c -+++ b/fs/proc/task_mmu.c -@@ -1069,7 +1069,7 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, - struct vm_area_struct *vma; - struct pagemapread *pm = walk->private; - spinlock_t *ptl; -- pte_t *pte; -+ pte_t *pte, *orig_pte; - int err = 0; - - /* find the first VMA at or above 'addr' */ -@@ -1130,15 +1130,19 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, - BUG_ON(is_vm_hugetlb_page(vma)); - - /* Addresses in the VMA. */ -- for (; addr < min(end, vma->vm_end); addr += PAGE_SIZE) { -+ orig_pte = pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); -+ for (; addr < min(end, vma->vm_end); pte++, addr += PAGE_SIZE) { - pagemap_entry_t pme; -- pte = pte_offset_map(pmd, addr); -+ - pte_to_pagemap_entry(&pme, pm, vma, addr, *pte); -- pte_unmap(pte); - err = add_to_pagemap(addr, &pme, pm); - if (err) -- return err; -+ break; - } -+ pte_unmap_unlock(orig_pte, ptl); -+ -+ if (err) -+ return err; - - if (addr == end) - break; -diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c -index 69df5b2..ca035a2 100644 ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -2385,16 +2385,6 @@ out: - } - EXPORT_SYMBOL(dquot_quota_on_mount); - --static inline qsize_t qbtos(qsize_t blocks) --{ -- return blocks << QIF_DQBLKSIZE_BITS; --} -- --static inline qsize_t stoqb(qsize_t space) --{ -- return (space + QIF_DQBLKSIZE - 1) >> QIF_DQBLKSIZE_BITS; --} -- - /* Generic routine for getting common part of quota structure */ - static void do_get_dqblk(struct dquot *dquot, struct qc_dqblk *di) - { -@@ -2444,13 +2434,13 @@ static int do_set_dqblk(struct dquot *dquot, struct qc_dqblk *di) - return -EINVAL; - - if (((di->d_fieldmask & QC_SPC_SOFT) && -- stoqb(di->d_spc_softlimit) > dqi->dqi_maxblimit) || -+ di->d_spc_softlimit > dqi->dqi_max_spc_limit) || - ((di->d_fieldmask & QC_SPC_HARD) && -- stoqb(di->d_spc_hardlimit) > dqi->dqi_maxblimit) || -+ di->d_spc_hardlimit > dqi->dqi_max_spc_limit) || - ((di->d_fieldmask & QC_INO_SOFT) && -- (di->d_ino_softlimit > dqi->dqi_maxilimit)) || -+ (di->d_ino_softlimit > dqi->dqi_max_ino_limit)) || - ((di->d_fieldmask & QC_INO_HARD) && -- (di->d_ino_hardlimit > dqi->dqi_maxilimit))) -+ (di->d_ino_hardlimit > dqi->dqi_max_ino_limit))) - return -ERANGE; - - spin_lock(&dq_data_lock); -diff --git a/fs/quota/quota_v1.c b/fs/quota/quota_v1.c -index 469c684..8fe79be 100644 ---- a/fs/quota/quota_v1.c -+++ b/fs/quota/quota_v1.c -@@ -169,8 +169,8 @@ static int v1_read_file_info(struct super_block *sb, int type) - } - ret = 0; - /* limits are stored as unsigned 32-bit data */ -- dqopt->info[type].dqi_maxblimit = 0xffffffff; -- dqopt->info[type].dqi_maxilimit = 0xffffffff; -+ dqopt->info[type].dqi_max_spc_limit = 0xffffffffULL << QUOTABLOCK_BITS; -+ dqopt->info[type].dqi_max_ino_limit = 0xffffffff; - dqopt->info[type].dqi_igrace = - dqblk.dqb_itime ? dqblk.dqb_itime : MAX_IQ_TIME; - dqopt->info[type].dqi_bgrace = -diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c -index 02751ec..d1a8054 100644 ---- a/fs/quota/quota_v2.c -+++ b/fs/quota/quota_v2.c -@@ -117,12 +117,12 @@ static int v2_read_file_info(struct super_block *sb, int type) - qinfo = info->dqi_priv; - if (version == 0) { - /* limits are stored as unsigned 32-bit data */ -- info->dqi_maxblimit = 0xffffffff; -- info->dqi_maxilimit = 0xffffffff; -+ info->dqi_max_spc_limit = 0xffffffffULL << QUOTABLOCK_BITS; -+ info->dqi_max_ino_limit = 0xffffffff; - } else { -- /* used space is stored as unsigned 64-bit value */ -- info->dqi_maxblimit = 0xffffffffffffffffULL; /* 2^64-1 */ -- info->dqi_maxilimit = 0xffffffffffffffffULL; -+ /* used space is stored as unsigned 64-bit value in bytes */ -+ info->dqi_max_spc_limit = 0xffffffffffffffffULL; /* 2^64-1 */ -+ info->dqi_max_ino_limit = 0xffffffffffffffffULL; - } - info->dqi_bgrace = le32_to_cpu(dinfo.dqi_bgrace); - info->dqi_igrace = le32_to_cpu(dinfo.dqi_igrace); -diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index 5bc71d9..7b72b7d 100644 ---- a/fs/udf/inode.c -+++ b/fs/udf/inode.c -@@ -1288,6 +1288,7 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) - struct kernel_lb_addr *iloc = &iinfo->i_location; - unsigned int link_count; - unsigned int indirections = 0; -+ int bs = inode->i_sb->s_blocksize; - int ret = -EIO; - - reread: -@@ -1374,38 +1375,35 @@ reread: - if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) { - iinfo->i_efe = 1; - iinfo->i_use = 0; -- ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -+ ret = udf_alloc_i_data(inode, bs - - sizeof(struct extendedFileEntry)); - if (ret) - goto out; - memcpy(iinfo->i_ext.i_data, - bh->b_data + sizeof(struct extendedFileEntry), -- inode->i_sb->s_blocksize - -- sizeof(struct extendedFileEntry)); -+ bs - sizeof(struct extendedFileEntry)); - } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) { - iinfo->i_efe = 0; - iinfo->i_use = 0; -- ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -- sizeof(struct fileEntry)); -+ ret = udf_alloc_i_data(inode, bs - sizeof(struct fileEntry)); - if (ret) - goto out; - memcpy(iinfo->i_ext.i_data, - bh->b_data + sizeof(struct fileEntry), -- inode->i_sb->s_blocksize - sizeof(struct fileEntry)); -+ bs - sizeof(struct fileEntry)); - } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) { - iinfo->i_efe = 0; - iinfo->i_use = 1; - iinfo->i_lenAlloc = le32_to_cpu( - ((struct unallocSpaceEntry *)bh->b_data)-> - lengthAllocDescs); -- ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -+ ret = udf_alloc_i_data(inode, bs - - sizeof(struct unallocSpaceEntry)); - if (ret) - goto out; - memcpy(iinfo->i_ext.i_data, - bh->b_data + sizeof(struct unallocSpaceEntry), -- inode->i_sb->s_blocksize - -- sizeof(struct unallocSpaceEntry)); -+ bs - sizeof(struct unallocSpaceEntry)); - return 0; - } - -@@ -1489,6 +1487,15 @@ reread: - } - inode->i_generation = iinfo->i_unique; - -+ /* -+ * Sanity check length of allocation descriptors and extended attrs to -+ * avoid integer overflows -+ */ -+ if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) -+ goto out; -+ /* Now do exact checks */ -+ if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) -+ goto out; - /* Sanity checks for files in ICB so that we don't get confused later */ - if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { - /* -@@ -1498,8 +1505,7 @@ reread: - if (iinfo->i_lenAlloc != inode->i_size) - goto out; - /* File in ICB has to fit in there... */ -- if (inode->i_size > inode->i_sb->s_blocksize - -- udf_file_entry_alloc_offset(inode)) -+ if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) - goto out; - } - -diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c -index b5eb474..4e20fe7 100644 ---- a/fs/xfs/libxfs/xfs_bmap.c -+++ b/fs/xfs/libxfs/xfs_bmap.c -@@ -973,7 +973,11 @@ xfs_bmap_local_to_extents( - *firstblock = args.fsbno; - bp = xfs_btree_get_bufl(args.mp, tp, args.fsbno, 0); - -- /* initialise the block and copy the data */ -+ /* -+ * Initialise the block and copy the data -+ * -+ * Note: init_fn must set the buffer log item type correctly! -+ */ - init_fn(tp, bp, ip, ifp); - - /* account for the change in fork size and log everything */ -diff --git a/fs/xfs/libxfs/xfs_symlink_remote.c b/fs/xfs/libxfs/xfs_symlink_remote.c -index c80c523..e7e26bd 100644 ---- a/fs/xfs/libxfs/xfs_symlink_remote.c -+++ b/fs/xfs/libxfs/xfs_symlink_remote.c -@@ -178,6 +178,8 @@ xfs_symlink_local_to_remote( - struct xfs_mount *mp = ip->i_mount; - char *buf; - -+ xfs_trans_buf_set_type(tp, bp, XFS_BLFT_SYMLINK_BUF); -+ - if (!xfs_sb_version_hascrc(&mp->m_sb)) { - bp->b_ops = NULL; - memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes); -diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c -index 3f9bd58..744352b 100644 ---- a/fs/xfs/xfs_buf_item.c -+++ b/fs/xfs/xfs_buf_item.c -@@ -319,6 +319,10 @@ xfs_buf_item_format( - ASSERT(atomic_read(&bip->bli_refcount) > 0); - ASSERT((bip->bli_flags & XFS_BLI_LOGGED) || - (bip->bli_flags & XFS_BLI_STALE)); -+ ASSERT((bip->bli_flags & XFS_BLI_STALE) || -+ (xfs_blft_from_flags(&bip->__bli_format) > XFS_BLFT_UNKNOWN_BUF -+ && xfs_blft_from_flags(&bip->__bli_format) < XFS_BLFT_MAX_BUF)); -+ - - /* - * If it is an inode buffer, transfer the in-memory state to the -diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c -index 41f804e..d745e1a 100644 ---- a/fs/xfs/xfs_inode.c -+++ b/fs/xfs/xfs_inode.c -@@ -1995,6 +1995,7 @@ xfs_iunlink( - agi->agi_unlinked[bucket_index] = cpu_to_be32(agino); - offset = offsetof(xfs_agi_t, agi_unlinked) + - (sizeof(xfs_agino_t) * bucket_index); -+ xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF); - xfs_trans_log_buf(tp, agibp, offset, - (offset + sizeof(xfs_agino_t) - 1)); - return 0; -@@ -2086,6 +2087,7 @@ xfs_iunlink_remove( - agi->agi_unlinked[bucket_index] = cpu_to_be32(next_agino); - offset = offsetof(xfs_agi_t, agi_unlinked) + - (sizeof(xfs_agino_t) * bucket_index); -+ xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF); - xfs_trans_log_buf(tp, agibp, offset, - (offset + sizeof(xfs_agino_t) - 1)); - } else { -diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c -index 79fb19d..79a62bb 100644 ---- a/fs/xfs/xfs_qm.c -+++ b/fs/xfs/xfs_qm.c -@@ -842,6 +842,11 @@ xfs_qm_reset_dqcounts( - */ - xfs_dqcheck(mp, ddq, id+j, type, XFS_QMOPT_DQREPAIR, - "xfs_quotacheck"); -+ /* -+ * Reset type in case we are reusing group quota file for -+ * project quotas or vice versa -+ */ -+ ddq->d_flags = type; - ddq->d_bcount = 0; - ddq->d_icount = 0; - ddq->d_rtbcount = 0; -diff --git a/fs/xfs/xfs_trans.c b/fs/xfs/xfs_trans.c -index fa3135b..eb90cd5 100644 ---- a/fs/xfs/xfs_trans.c -+++ b/fs/xfs/xfs_trans.c -@@ -472,6 +472,7 @@ xfs_trans_apply_sb_deltas( - whole = 1; - } - -+ xfs_trans_buf_set_type(tp, bp, XFS_BLFT_SB_BUF); - if (whole) - /* - * Log the whole thing, the fields are noncontiguous. -diff --git a/fs/xfs/xfs_trans_buf.c b/fs/xfs/xfs_trans_buf.c -index 0a4d4ab..7579841 100644 ---- a/fs/xfs/xfs_trans_buf.c -+++ b/fs/xfs/xfs_trans_buf.c -@@ -327,9 +327,10 @@ xfs_trans_read_buf_map( - return -EIO; - } - -- if (tp) -+ if (tp) { - _xfs_trans_bjoin(tp, bp, 1); -- trace_xfs_trans_read_buf(bp->b_fspriv); -+ trace_xfs_trans_read_buf(bp->b_fspriv); -+ } - *bpp = bp; - return 0; - -diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index 33063f8..fa6a314 100644 ---- a/include/linux/compiler.h -+++ b/include/linux/compiler.h -@@ -198,7 +198,7 @@ static __always_inline void data_access_exceeds_word_size(void) - { - } - --static __always_inline void __read_once_size(volatile void *p, void *res, int size) -+static __always_inline void __read_once_size(const volatile void *p, void *res, int size) - { - switch (size) { - case 1: *(__u8 *)res = *(volatile __u8 *)p; break; -@@ -255,10 +255,10 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s - */ - - #define READ_ONCE(x) \ -- ({ typeof(x) __val; __read_once_size(&x, &__val, sizeof(__val)); __val; }) -+ ({ union { typeof(x) __val; char __c[1]; } __u; __read_once_size(&(x), __u.__c, sizeof(x)); __u.__val; }) - - #define WRITE_ONCE(x, val) \ -- ({ typeof(x) __val; __val = val; __write_once_size(&x, &__val, sizeof(__val)); __val; }) -+ ({ typeof(x) __val = (val); __write_once_size(&(x), &__val, sizeof(__val)); __val; }) - - #endif /* __KERNEL__ */ - -@@ -447,12 +447,23 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s - * to make the compiler aware of ordering is to put the two invocations of - * ACCESS_ONCE() in different C statements. - * -- * This macro does absolutely -nothing- to prevent the CPU from reordering, -- * merging, or refetching absolutely anything at any time. Its main intended -- * use is to mediate communication between process-level code and irq/NMI -- * handlers, all running on the same CPU. -+ * ACCESS_ONCE will only work on scalar types. For union types, ACCESS_ONCE -+ * on a union member will work as long as the size of the member matches the -+ * size of the union and the size is smaller than word size. -+ * -+ * The major use cases of ACCESS_ONCE used to be (1) Mediating communication -+ * between process-level code and irq/NMI handlers, all running on the same CPU, -+ * and (2) Ensuring that the compiler does not fold, spindle, or otherwise -+ * mutilate accesses that either do not require ordering or that interact -+ * with an explicit memory barrier or atomic instruction that provides the -+ * required ordering. -+ * -+ * If possible use READ_ONCE/ASSIGN_ONCE instead. - */ --#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x)) -+#define __ACCESS_ONCE(x) ({ \ -+ __maybe_unused typeof(x) __var = (__force typeof(x)) 0; \ -+ (volatile typeof(x) *)&(x); }) -+#define ACCESS_ONCE(x) (*__ACCESS_ONCE(x)) - - /* Ignore/forbid kprobes attach on very low level functions marked by this attribute: */ - #ifdef CONFIG_KPROBES -diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h -index 1c804b0..7ee1774 100644 ---- a/include/linux/fsnotify.h -+++ b/include/linux/fsnotify.h -@@ -101,8 +101,10 @@ static inline void fsnotify_move(struct inode *old_dir, struct inode *new_dir, - new_dir_mask |= FS_ISDIR; - } - -- fsnotify(old_dir, old_dir_mask, old_dir, FSNOTIFY_EVENT_INODE, old_name, fs_cookie); -- fsnotify(new_dir, new_dir_mask, new_dir, FSNOTIFY_EVENT_INODE, new_name, fs_cookie); -+ fsnotify(old_dir, old_dir_mask, source, FSNOTIFY_EVENT_INODE, old_name, -+ fs_cookie); -+ fsnotify(new_dir, new_dir_mask, source, FSNOTIFY_EVENT_INODE, new_name, -+ fs_cookie); - - if (target) - fsnotify_link_count(target); -diff --git a/include/linux/kdb.h b/include/linux/kdb.h -index 75ae2e2..a19bcf9 100644 ---- a/include/linux/kdb.h -+++ b/include/linux/kdb.h -@@ -156,8 +156,14 @@ typedef enum { - KDB_REASON_SYSTEM_NMI, /* In NMI due to SYSTEM cmd; regs valid */ - } kdb_reason_t; - -+enum kdb_msgsrc { -+ KDB_MSGSRC_INTERNAL, /* direct call to kdb_printf() */ -+ KDB_MSGSRC_PRINTK, /* trapped from printk() */ -+}; -+ - extern int kdb_trap_printk; --extern __printf(1, 0) int vkdb_printf(const char *fmt, va_list args); -+extern __printf(2, 0) int vkdb_printf(enum kdb_msgsrc src, const char *fmt, -+ va_list args); - extern __printf(1, 2) int kdb_printf(const char *, ...); - typedef __printf(1, 2) int (*kdb_printf_t)(const char *, ...); - -diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h -index 467c84e..06ebfa1 100644 ---- a/include/linux/nfs_xdr.h -+++ b/include/linux/nfs_xdr.h -@@ -1342,7 +1342,7 @@ struct nfs_commit_completion_ops { - }; - - struct nfs_commit_info { -- spinlock_t *lock; -+ spinlock_t *lock; /* inode->i_lock */ - struct nfs_mds_commit_info *mds; - struct pnfs_ds_commit_info *ds; - struct nfs_direct_req *dreq; /* O_DIRECT request */ -diff --git a/include/linux/quota.h b/include/linux/quota.h -index 097d7eb2..b86df49 100644 ---- a/include/linux/quota.h -+++ b/include/linux/quota.h -@@ -216,8 +216,8 @@ struct mem_dqinfo { - unsigned long dqi_flags; - unsigned int dqi_bgrace; - unsigned int dqi_igrace; -- qsize_t dqi_maxblimit; -- qsize_t dqi_maxilimit; -+ qsize_t dqi_max_spc_limit; -+ qsize_t dqi_max_ino_limit; - void *dqi_priv; - }; - -diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h -index d86acc6..598ba80 100644 ---- a/include/linux/sunrpc/clnt.h -+++ b/include/linux/sunrpc/clnt.h -@@ -57,7 +57,7 @@ struct rpc_clnt { - const struct rpc_timeout *cl_timeout; /* Timeout strategy */ - - int cl_nodelen; /* nodename length */ -- char cl_nodename[UNX_MAXNODENAME]; -+ char cl_nodename[UNX_MAXNODENAME+1]; - struct rpc_pipe_dir_head cl_pipedir_objects; - struct rpc_clnt * cl_parent; /* Points to parent of clones */ - struct rpc_rtt cl_rtt_default; -@@ -112,6 +112,7 @@ struct rpc_create_args { - struct sockaddr *saddress; - const struct rpc_timeout *timeout; - const char *servername; -+ const char *nodename; - const struct rpc_program *program; - u32 prognumber; /* overrides program->number */ - u32 version; -diff --git a/include/linux/usb.h b/include/linux/usb.h -index f89c24a..058a769 100644 ---- a/include/linux/usb.h -+++ b/include/linux/usb.h -@@ -127,10 +127,6 @@ enum usb_interface_condition { - * to the sysfs representation for that device. - * @pm_usage_cnt: PM usage counter for this interface - * @reset_ws: Used for scheduling resets from atomic context. -- * @reset_running: set to 1 if the interface is currently running a -- * queued reset so that usb_cancel_queued_reset() doesn't try to -- * remove from the workqueue when running inside the worker -- * thread. See __usb_queue_reset_device(). - * @resetting_device: USB core reset the device, so use alt setting 0 as - * current; needs bandwidth alloc after reset. - * -@@ -181,7 +177,6 @@ struct usb_interface { - unsigned needs_remote_wakeup:1; /* driver requires remote wakeup */ - unsigned needs_altsetting0:1; /* switch to altsetting 0 is pending */ - unsigned needs_binding:1; /* needs delayed unbind/rebind */ -- unsigned reset_running:1; - unsigned resetting_device:1; /* true: bandwidth alloc after reset */ - - struct device dev; /* interface specific device info */ -diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h -index 086bf13..68b1e83 100644 ---- a/include/linux/usb/hcd.h -+++ b/include/linux/usb/hcd.h -@@ -146,6 +146,8 @@ struct usb_hcd { - unsigned amd_resume_bug:1; /* AMD remote wakeup quirk */ - unsigned can_do_streams:1; /* HC supports streams */ - unsigned tpl_support:1; /* OTG & EH TPL support */ -+ unsigned cant_recv_wakeups:1; -+ /* wakeup requests from downstream aren't received */ - - unsigned int irq; /* irq allocated */ - void __iomem *regs; /* device memory/io */ -@@ -453,6 +455,7 @@ extern const struct dev_pm_ops usb_hcd_pci_pm_ops; - #endif /* CONFIG_PCI */ - - /* pci-ish (pdev null is ok) buffer alloc/mapping support */ -+void usb_init_pool_max(void); - int hcd_buffer_create(struct usb_hcd *hcd); - void hcd_buffer_destroy(struct usb_hcd *hcd); - -diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h -index a6fd939..3ebb168 100644 ---- a/include/net/cipso_ipv4.h -+++ b/include/net/cipso_ipv4.h -@@ -121,13 +121,6 @@ extern int cipso_v4_rbm_strictvalid; - #endif - - /* -- * Helper Functions -- */ -- --#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0) --#define CIPSO_V4_OPTPTR(x) (skb_network_header(x) + IPCB(x)->opt.cipso) -- --/* - * DOI List Functions - */ - -@@ -190,7 +183,7 @@ static inline int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def, - - #ifdef CONFIG_NETLABEL - void cipso_v4_cache_invalidate(void); --int cipso_v4_cache_add(const struct sk_buff *skb, -+int cipso_v4_cache_add(const unsigned char *cipso_ptr, - const struct netlbl_lsm_secattr *secattr); - #else - static inline void cipso_v4_cache_invalidate(void) -@@ -198,7 +191,7 @@ static inline void cipso_v4_cache_invalidate(void) - return; - } - --static inline int cipso_v4_cache_add(const struct sk_buff *skb, -+static inline int cipso_v4_cache_add(const unsigned char *cipso_ptr, - const struct netlbl_lsm_secattr *secattr) - { - return 0; -@@ -211,6 +204,8 @@ static inline int cipso_v4_cache_add(const struct sk_buff *skb, - - #ifdef CONFIG_NETLABEL - void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway); -+int cipso_v4_getattr(const unsigned char *cipso, -+ struct netlbl_lsm_secattr *secattr); - int cipso_v4_sock_setattr(struct sock *sk, - const struct cipso_v4_doi *doi_def, - const struct netlbl_lsm_secattr *secattr); -@@ -226,6 +221,7 @@ int cipso_v4_skbuff_setattr(struct sk_buff *skb, - int cipso_v4_skbuff_delattr(struct sk_buff *skb); - int cipso_v4_skbuff_getattr(const struct sk_buff *skb, - struct netlbl_lsm_secattr *secattr); -+unsigned char *cipso_v4_optptr(const struct sk_buff *skb); - int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option); - #else - static inline void cipso_v4_error(struct sk_buff *skb, -@@ -235,6 +231,12 @@ static inline void cipso_v4_error(struct sk_buff *skb, - return; - } - -+static inline int cipso_v4_getattr(const unsigned char *cipso, -+ struct netlbl_lsm_secattr *secattr) -+{ -+ return -ENOSYS; -+} -+ - static inline int cipso_v4_sock_setattr(struct sock *sk, - const struct cipso_v4_doi *doi_def, - const struct netlbl_lsm_secattr *secattr) -@@ -282,6 +284,11 @@ static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, - return -ENOSYS; - } - -+static inline unsigned char *cipso_v4_optptr(const struct sk_buff *skb) -+{ -+ return NULL; -+} -+ - static inline int cipso_v4_validate(const struct sk_buff *skb, - unsigned char **option) - { -diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c -index 07ce18c..ac5c0f9 100644 ---- a/kernel/debug/debug_core.c -+++ b/kernel/debug/debug_core.c -@@ -604,7 +604,7 @@ return_normal: - online_cpus) - cpu_relax(); - if (!time_left) -- pr_crit("KGDB: Timed out waiting for secondary CPUs.\n"); -+ pr_crit("Timed out waiting for secondary CPUs.\n"); - - /* - * At this point the primary processor is completely -diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c -index 7c70812..a550afb 100644 ---- a/kernel/debug/kdb/kdb_io.c -+++ b/kernel/debug/kdb/kdb_io.c -@@ -548,7 +548,7 @@ static int kdb_search_string(char *searched, char *searchfor) - return 0; - } - --int vkdb_printf(const char *fmt, va_list ap) -+int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap) - { - int diag; - int linecount; -@@ -691,19 +691,20 @@ kdb_printit: - * Write to all consoles. - */ - retlen = strlen(kdb_buffer); -+ cp = (char *) printk_skip_level(kdb_buffer); - if (!dbg_kdb_mode && kgdb_connected) { -- gdbstub_msg_write(kdb_buffer, retlen); -+ gdbstub_msg_write(cp, retlen - (cp - kdb_buffer)); - } else { - if (dbg_io_ops && !dbg_io_ops->is_console) { -- len = retlen; -- cp = kdb_buffer; -+ len = retlen - (cp - kdb_buffer); -+ cp2 = cp; - while (len--) { -- dbg_io_ops->write_char(*cp); -- cp++; -+ dbg_io_ops->write_char(*cp2); -+ cp2++; - } - } - while (c) { -- c->write(c, kdb_buffer, retlen); -+ c->write(c, cp, retlen - (cp - kdb_buffer)); - touch_nmi_watchdog(); - c = c->next; - } -@@ -711,7 +712,10 @@ kdb_printit: - if (logging) { - saved_loglevel = console_loglevel; - console_loglevel = CONSOLE_LOGLEVEL_SILENT; -- printk(KERN_INFO "%s", kdb_buffer); -+ if (printk_get_level(kdb_buffer) || src == KDB_MSGSRC_PRINTK) -+ printk("%s", kdb_buffer); -+ else -+ pr_info("%s", kdb_buffer); - } - - if (KDB_STATE(PAGER)) { -@@ -844,7 +848,7 @@ int kdb_printf(const char *fmt, ...) - int r; - - va_start(ap, fmt); -- r = vkdb_printf(fmt, ap); -+ r = vkdb_printf(KDB_MSGSRC_INTERNAL, fmt, ap); - va_end(ap); - - return r; -diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 7b40c5f..60f6bb8 100644 ---- a/kernel/debug/kdb/kdb_main.c -+++ b/kernel/debug/kdb/kdb_main.c -@@ -2256,7 +2256,7 @@ static int kdb_cpu(int argc, const char **argv) - /* - * Validate cpunum - */ -- if ((cpunum > NR_CPUS) || !kgdb_info[cpunum].enter_kgdb) -+ if ((cpunum >= CONFIG_NR_CPUS) || !kgdb_info[cpunum].enter_kgdb) - return KDB_BADCPUNUM; - - dbg_switch_cpu = cpunum; -@@ -2583,7 +2583,7 @@ static int kdb_summary(int argc, const char **argv) - #define K(x) ((x) << (PAGE_SHIFT - 10)) - kdb_printf("\nMemTotal: %8lu kB\nMemFree: %8lu kB\n" - "Buffers: %8lu kB\n", -- val.totalram, val.freeram, val.bufferram); -+ K(val.totalram), K(val.freeram), K(val.bufferram)); - return 0; - } - -diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c -index 02d6b6d..fae29e3 100644 ---- a/kernel/printk/printk.c -+++ b/kernel/printk/printk.c -@@ -1811,7 +1811,7 @@ int vprintk_default(const char *fmt, va_list args) - - #ifdef CONFIG_KGDB_KDB - if (unlikely(kdb_trap_printk)) { -- r = vkdb_printf(fmt, args); -+ r = vkdb_printf(KDB_MSGSRC_PRINTK, fmt, args); - return r; - } - #endif -diff --git a/kernel/softirq.c b/kernel/softirq.c -index 501baa9..c497fcd 100644 ---- a/kernel/softirq.c -+++ b/kernel/softirq.c -@@ -656,9 +656,13 @@ static void run_ksoftirqd(unsigned int cpu) - * in the task stack here. - */ - __do_softirq(); -- rcu_note_context_switch(); - local_irq_enable(); - cond_resched(); -+ -+ preempt_disable(); -+ rcu_note_context_switch(); -+ preempt_enable(); -+ - return; - } - local_irq_enable(); -diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c -index 28bf91c..85fb3d6 100644 ---- a/kernel/time/ntp.c -+++ b/kernel/time/ntp.c -@@ -633,10 +633,14 @@ int ntp_validate_timex(struct timex *txc) - if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME))) - return -EPERM; - -- if (txc->modes & ADJ_FREQUENCY) { -- if (LONG_MIN / PPM_SCALE > txc->freq) -+ /* -+ * Check for potential multiplication overflows that can -+ * only happen on 64-bit systems: -+ */ -+ if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) { -+ if (LLONG_MIN / PPM_SCALE > txc->freq) - return -EINVAL; -- if (LONG_MAX / PPM_SCALE < txc->freq) -+ if (LLONG_MAX / PPM_SCALE < txc->freq) - return -EINVAL; - } - -diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index 7a4104c..d2e151c 100644 ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -447,7 +447,10 @@ int ring_buffer_print_page_header(struct trace_seq *s) - struct rb_irq_work { - struct irq_work work; - wait_queue_head_t waiters; -+ wait_queue_head_t full_waiters; - bool waiters_pending; -+ bool full_waiters_pending; -+ bool wakeup_full; - }; - - /* -@@ -529,6 +532,10 @@ static void rb_wake_up_waiters(struct irq_work *work) - struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work); - - wake_up_all(&rbwork->waiters); -+ if (rbwork->wakeup_full) { -+ rbwork->wakeup_full = false; -+ wake_up_all(&rbwork->full_waiters); -+ } - } - - /** -@@ -553,9 +560,11 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full) - * data in any cpu buffer, or a specific buffer, put the - * caller on the appropriate wait queue. - */ -- if (cpu == RING_BUFFER_ALL_CPUS) -+ if (cpu == RING_BUFFER_ALL_CPUS) { - work = &buffer->irq_work; -- else { -+ /* Full only makes sense on per cpu reads */ -+ full = false; -+ } else { - if (!cpumask_test_cpu(cpu, buffer->cpumask)) - return -ENODEV; - cpu_buffer = buffer->buffers[cpu]; -@@ -564,7 +573,10 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full) - - - while (true) { -- prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE); -+ if (full) -+ prepare_to_wait(&work->full_waiters, &wait, TASK_INTERRUPTIBLE); -+ else -+ prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE); - - /* - * The events can happen in critical sections where -@@ -586,7 +598,10 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full) - * that is necessary is that the wake up happens after - * a task has been queued. It's OK for spurious wake ups. - */ -- work->waiters_pending = true; -+ if (full) -+ work->full_waiters_pending = true; -+ else -+ work->waiters_pending = true; - - if (signal_pending(current)) { - ret = -EINTR; -@@ -615,7 +630,10 @@ int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full) - schedule(); - } - -- finish_wait(&work->waiters, &wait); -+ if (full) -+ finish_wait(&work->full_waiters, &wait); -+ else -+ finish_wait(&work->waiters, &wait); - - return ret; - } -@@ -1230,6 +1248,7 @@ rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu) - init_completion(&cpu_buffer->update_done); - init_irq_work(&cpu_buffer->irq_work.work, rb_wake_up_waiters); - init_waitqueue_head(&cpu_buffer->irq_work.waiters); -+ init_waitqueue_head(&cpu_buffer->irq_work.full_waiters); - - bpage = kzalloc_node(ALIGN(sizeof(*bpage), cache_line_size()), - GFP_KERNEL, cpu_to_node(cpu)); -@@ -2801,6 +2820,8 @@ static void rb_commit(struct ring_buffer_per_cpu *cpu_buffer, - static __always_inline void - rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) - { -+ bool pagebusy; -+ - if (buffer->irq_work.waiters_pending) { - buffer->irq_work.waiters_pending = false; - /* irq_work_queue() supplies it's own memory barriers */ -@@ -2812,6 +2833,15 @@ rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) - /* irq_work_queue() supplies it's own memory barriers */ - irq_work_queue(&cpu_buffer->irq_work.work); - } -+ -+ pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page; -+ -+ if (!pagebusy && cpu_buffer->irq_work.full_waiters_pending) { -+ cpu_buffer->irq_work.wakeup_full = true; -+ cpu_buffer->irq_work.full_waiters_pending = false; -+ /* irq_work_queue() supplies it's own memory barriers */ -+ irq_work_queue(&cpu_buffer->irq_work.work); -+ } - } - - /** -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 4a9079b..361a827 100644 ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -4942,7 +4942,7 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, - *fpos += written; - - out_unlock: -- for (i = 0; i < nr_pages; i++){ -+ for (i = nr_pages - 1; i >= 0; i--) { - kunmap_atomic(map_page[i]); - put_page(pages[i]); - } -diff --git a/mm/gup.c b/mm/gup.c -index 8dd50ce..9b2afbf 100644 ---- a/mm/gup.c -+++ b/mm/gup.c -@@ -926,7 +926,7 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, - - pmdp = pmd_offset(&pud, addr); - do { -- pmd_t pmd = ACCESS_ONCE(*pmdp); -+ pmd_t pmd = READ_ONCE(*pmdp); - - next = pmd_addr_end(addr, end); - if (pmd_none(pmd) || pmd_trans_splitting(pmd)) -diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 85032de..c49586f 100644 ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -3666,6 +3666,8 @@ follow_huge_pmd(struct mm_struct *mm, unsigned long address, - { - struct page *page; - -+ if (!pmd_present(*pmd)) -+ return NULL; - page = pte_page(*(pte_t *)pmd); - if (page) - page += ((address & ~PMD_MASK) >> PAGE_SHIFT); -diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c -index 693ce8b..1775dbf 100644 ---- a/net/bluetooth/mgmt.c -+++ b/net/bluetooth/mgmt.c -@@ -7066,7 +7066,8 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, - * However when using service discovery, the value 127 will be - * returned when the RSSI is not available. - */ -- if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi) -+ if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi && -+ link_type == ACL_LINK) - rssi = 0; - - bacpy(&ev->addr.bdaddr, bdaddr); -diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c -index b67749b..757ae32 100644 ---- a/net/bluetooth/smp.c -+++ b/net/bluetooth/smp.c -@@ -2303,8 +2303,12 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, - * implementations are not known of and in order to not over - * complicate our implementation, simply pretend that we never - * received an IRK for such a device. -+ * -+ * The Identity Address must also be a Static Random or Public -+ * Address, which hci_is_identity_address() checks for. - */ -- if (!bacmp(&info->bdaddr, BDADDR_ANY)) { -+ if (!bacmp(&info->bdaddr, BDADDR_ANY) || -+ !hci_is_identity_address(&info->bdaddr, info->addr_type)) { - BT_ERR("Ignoring IRK with no identity address"); - goto distribute; - } -diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c -index 53299c7..f693a2f 100644 ---- a/net/ceph/osd_client.c -+++ b/net/ceph/osd_client.c -@@ -1048,14 +1048,24 @@ static void put_osd(struct ceph_osd *osd) - */ - static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) - { -- dout("__remove_osd %p\n", osd); -+ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); - WARN_ON(!list_empty(&osd->o_requests)); - WARN_ON(!list_empty(&osd->o_linger_requests)); - -- rb_erase(&osd->o_node, &osdc->osds); - list_del_init(&osd->o_osd_lru); -- ceph_con_close(&osd->o_con); -- put_osd(osd); -+ rb_erase(&osd->o_node, &osdc->osds); -+ RB_CLEAR_NODE(&osd->o_node); -+} -+ -+static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) -+{ -+ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); -+ -+ if (!RB_EMPTY_NODE(&osd->o_node)) { -+ ceph_con_close(&osd->o_con); -+ __remove_osd(osdc, osd); -+ put_osd(osd); -+ } - } - - static void remove_all_osds(struct ceph_osd_client *osdc) -@@ -1065,7 +1075,7 @@ static void remove_all_osds(struct ceph_osd_client *osdc) - while (!RB_EMPTY_ROOT(&osdc->osds)) { - struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds), - struct ceph_osd, o_node); -- __remove_osd(osdc, osd); -+ remove_osd(osdc, osd); - } - mutex_unlock(&osdc->request_mutex); - } -@@ -1106,7 +1116,7 @@ static void remove_old_osds(struct ceph_osd_client *osdc) - list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) { - if (time_before(jiffies, osd->lru_ttl)) - break; -- __remove_osd(osdc, osd); -+ remove_osd(osdc, osd); - } - mutex_unlock(&osdc->request_mutex); - } -@@ -1121,8 +1131,7 @@ static int __reset_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) - dout("__reset_osd %p osd%d\n", osd, osd->o_osd); - if (list_empty(&osd->o_requests) && - list_empty(&osd->o_linger_requests)) { -- __remove_osd(osdc, osd); -- -+ remove_osd(osdc, osd); - return -ENODEV; - } - -@@ -1926,6 +1935,7 @@ static void reset_changed_osds(struct ceph_osd_client *osdc) - { - struct rb_node *p, *n; - -+ dout("%s %p\n", __func__, osdc); - for (p = rb_first(&osdc->osds); p; p = n) { - struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node); - -diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c -index 5160c71..e361ea6 100644 ---- a/net/ipv4/cipso_ipv4.c -+++ b/net/ipv4/cipso_ipv4.c -@@ -378,20 +378,18 @@ static int cipso_v4_cache_check(const unsigned char *key, - * negative values on failure. - * - */ --int cipso_v4_cache_add(const struct sk_buff *skb, -+int cipso_v4_cache_add(const unsigned char *cipso_ptr, - const struct netlbl_lsm_secattr *secattr) - { - int ret_val = -EPERM; - u32 bkt; - struct cipso_v4_map_cache_entry *entry = NULL; - struct cipso_v4_map_cache_entry *old_entry = NULL; -- unsigned char *cipso_ptr; - u32 cipso_ptr_len; - - if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0) - return 0; - -- cipso_ptr = CIPSO_V4_OPTPTR(skb); - cipso_ptr_len = cipso_ptr[1]; - - entry = kzalloc(sizeof(*entry), GFP_ATOMIC); -@@ -1579,6 +1577,33 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, - } - - /** -+ * cipso_v4_optptr - Find the CIPSO option in the packet -+ * @skb: the packet -+ * -+ * Description: -+ * Parse the packet's IP header looking for a CIPSO option. Returns a pointer -+ * to the start of the CIPSO option on success, NULL if one if not found. -+ * -+ */ -+unsigned char *cipso_v4_optptr(const struct sk_buff *skb) -+{ -+ const struct iphdr *iph = ip_hdr(skb); -+ unsigned char *optptr = (unsigned char *)&(ip_hdr(skb)[1]); -+ int optlen; -+ int taglen; -+ -+ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { -+ if (optptr[0] == IPOPT_CIPSO) -+ return optptr; -+ taglen = optptr[1]; -+ optlen -= taglen; -+ optptr += taglen; -+ } -+ -+ return NULL; -+} -+ -+/** - * cipso_v4_validate - Validate a CIPSO option - * @option: the start of the option, on error it is set to point to the error - * -@@ -2119,8 +2144,8 @@ void cipso_v4_req_delattr(struct request_sock *req) - * on success and negative values on failure. - * - */ --static int cipso_v4_getattr(const unsigned char *cipso, -- struct netlbl_lsm_secattr *secattr) -+int cipso_v4_getattr(const unsigned char *cipso, -+ struct netlbl_lsm_secattr *secattr) - { - int ret_val = -ENOMSG; - u32 doi; -@@ -2305,22 +2330,6 @@ int cipso_v4_skbuff_delattr(struct sk_buff *skb) - return 0; - } - --/** -- * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option -- * @skb: the packet -- * @secattr: the security attributes -- * -- * Description: -- * Parse the given packet's CIPSO option and return the security attributes. -- * Returns zero on success and negative values on failure. -- * -- */ --int cipso_v4_skbuff_getattr(const struct sk_buff *skb, -- struct netlbl_lsm_secattr *secattr) --{ -- return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr); --} -- - /* - * Setup Functions - */ -diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c -index a845cd4..28cddc8 100644 ---- a/net/netlabel/netlabel_kapi.c -+++ b/net/netlabel/netlabel_kapi.c -@@ -1065,10 +1065,12 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb, - u16 family, - struct netlbl_lsm_secattr *secattr) - { -+ unsigned char *ptr; -+ - switch (family) { - case AF_INET: -- if (CIPSO_V4_OPTEXIST(skb) && -- cipso_v4_skbuff_getattr(skb, secattr) == 0) -+ ptr = cipso_v4_optptr(skb); -+ if (ptr && cipso_v4_getattr(ptr, secattr) == 0) - return 0; - break; - #if IS_ENABLED(CONFIG_IPV6) -@@ -1094,7 +1096,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb, - */ - void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway) - { -- if (CIPSO_V4_OPTEXIST(skb)) -+ if (cipso_v4_optptr(skb)) - cipso_v4_error(skb, error, gateway); - } - -@@ -1126,11 +1128,14 @@ void netlbl_cache_invalidate(void) - int netlbl_cache_add(const struct sk_buff *skb, - const struct netlbl_lsm_secattr *secattr) - { -+ unsigned char *ptr; -+ - if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0) - return -ENOMSG; - -- if (CIPSO_V4_OPTEXIST(skb)) -- return cipso_v4_cache_add(skb, secattr); -+ ptr = cipso_v4_optptr(skb); -+ if (ptr) -+ return cipso_v4_cache_add(ptr, secattr); - - return -ENOMSG; - } -diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c -index 05da12a..3f5d4d4 100644 ---- a/net/sunrpc/clnt.c -+++ b/net/sunrpc/clnt.c -@@ -286,10 +286,8 @@ static struct rpc_xprt *rpc_clnt_set_transport(struct rpc_clnt *clnt, - - static void rpc_clnt_set_nodename(struct rpc_clnt *clnt, const char *nodename) - { -- clnt->cl_nodelen = strlen(nodename); -- if (clnt->cl_nodelen > UNX_MAXNODENAME) -- clnt->cl_nodelen = UNX_MAXNODENAME; -- memcpy(clnt->cl_nodename, nodename, clnt->cl_nodelen); -+ clnt->cl_nodelen = strlcpy(clnt->cl_nodename, -+ nodename, sizeof(clnt->cl_nodename)); - } - - static int rpc_client_register(struct rpc_clnt *clnt, -@@ -365,6 +363,7 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, - const struct rpc_version *version; - struct rpc_clnt *clnt = NULL; - const struct rpc_timeout *timeout; -+ const char *nodename = args->nodename; - int err; - - /* sanity check the name before trying to print it */ -@@ -420,8 +419,10 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, - - atomic_set(&clnt->cl_count, 1); - -+ if (nodename == NULL) -+ nodename = utsname()->nodename; - /* save the nodename */ -- rpc_clnt_set_nodename(clnt, utsname()->nodename); -+ rpc_clnt_set_nodename(clnt, nodename); - - err = rpc_client_register(clnt, args->authflavor, args->client_name); - if (err) -@@ -576,6 +577,7 @@ static struct rpc_clnt *__rpc_clone_client(struct rpc_create_args *args, - if (xprt == NULL) - goto out_err; - args->servername = xprt->servername; -+ args->nodename = clnt->cl_nodename; - - new = rpc_new_client(args, xprt, clnt); - if (IS_ERR(new)) { -diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c -index 0520201..cf5770d 100644 ---- a/net/sunrpc/rpcb_clnt.c -+++ b/net/sunrpc/rpcb_clnt.c -@@ -355,7 +355,8 @@ out: - return result; - } - --static struct rpc_clnt *rpcb_create(struct net *net, const char *hostname, -+static struct rpc_clnt *rpcb_create(struct net *net, const char *nodename, -+ const char *hostname, - struct sockaddr *srvaddr, size_t salen, - int proto, u32 version) - { -@@ -365,6 +366,7 @@ static struct rpc_clnt *rpcb_create(struct net *net, const char *hostname, - .address = srvaddr, - .addrsize = salen, - .servername = hostname, -+ .nodename = nodename, - .program = &rpcb_program, - .version = version, - .authflavor = RPC_AUTH_UNIX, -@@ -740,7 +742,9 @@ void rpcb_getport_async(struct rpc_task *task) - dprintk("RPC: %5u %s: trying rpcbind version %u\n", - task->tk_pid, __func__, bind_version); - -- rpcb_clnt = rpcb_create(xprt->xprt_net, xprt->servername, sap, salen, -+ rpcb_clnt = rpcb_create(xprt->xprt_net, -+ clnt->cl_nodename, -+ xprt->servername, sap, salen, - xprt->prot, bind_version); - if (IS_ERR(rpcb_clnt)) { - status = PTR_ERR(rpcb_clnt); -diff --git a/security/smack/smack.h b/security/smack/smack.h -index b828a37..b48359c 100644 ---- a/security/smack/smack.h -+++ b/security/smack/smack.h -@@ -298,6 +298,16 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp) - return tsp->smk_task; - } - -+static inline struct smack_known *smk_of_task_struct(const struct task_struct *t) -+{ -+ struct smack_known *skp; -+ -+ rcu_read_lock(); -+ skp = smk_of_task(__task_cred(t)->security); -+ rcu_read_unlock(); -+ return skp; -+} -+ - /* - * Present a pointer to the forked smack label entry in an task blob. - */ -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index f1b17a4..a717877 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -43,8 +43,6 @@ - #include <linux/binfmts.h> - #include "smack.h" - --#define task_security(task) (task_cred_xxx((task), security)) -- - #define TRANS_TRUE "TRUE" - #define TRANS_TRUE_SIZE 4 - -@@ -120,7 +118,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp, - static int smk_bu_task(struct task_struct *otp, int mode, int rc) - { - struct task_smack *tsp = current_security(); -- struct task_smack *otsp = task_security(otp); -+ struct smack_known *smk_task = smk_of_task_struct(otp); - char acc[SMK_NUM_ACCESS_TYPE + 1]; - - if (rc <= 0) -@@ -128,7 +126,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc) - - smk_bu_mode(mode, acc); - pr_info("Smack Bringup: (%s %s %s) %s to %s\n", -- tsp->smk_task->smk_known, otsp->smk_task->smk_known, acc, -+ tsp->smk_task->smk_known, smk_task->smk_known, acc, - current->comm, otp->comm); - return 0; - } -@@ -345,7 +343,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, - saip = &ad; - } - -- tsp = task_security(tracer); -+ rcu_read_lock(); -+ tsp = __task_cred(tracer)->security; - tracer_known = smk_of_task(tsp); - - if ((mode & PTRACE_MODE_ATTACH) && -@@ -365,11 +364,14 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, - tracee_known->smk_known, - 0, rc, saip); - -+ rcu_read_unlock(); - return rc; - } - - /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ - rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); -+ -+ rcu_read_unlock(); - return rc; - } - -@@ -396,7 +398,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) - if (rc != 0) - return rc; - -- skp = smk_of_task(task_security(ctp)); -+ skp = smk_of_task_struct(ctp); - - rc = smk_ptrace_rule_check(current, skp, mode, __func__); - return rc; -@@ -1826,7 +1828,7 @@ static int smk_curacc_on_task(struct task_struct *p, int access, - const char *caller) - { - struct smk_audit_info ad; -- struct smack_known *skp = smk_of_task(task_security(p)); -+ struct smack_known *skp = smk_of_task_struct(p); - int rc; - - smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); -@@ -1879,7 +1881,7 @@ static int smack_task_getsid(struct task_struct *p) - */ - static void smack_task_getsecid(struct task_struct *p, u32 *secid) - { -- struct smack_known *skp = smk_of_task(task_security(p)); -+ struct smack_known *skp = smk_of_task_struct(p); - - *secid = skp->smk_secid; - } -@@ -1986,7 +1988,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, - { - struct smk_audit_info ad; - struct smack_known *skp; -- struct smack_known *tkp = smk_of_task(task_security(p)); -+ struct smack_known *tkp = smk_of_task_struct(p); - int rc; - - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); -@@ -2040,7 +2042,7 @@ static int smack_task_wait(struct task_struct *p) - static void smack_task_to_inode(struct task_struct *p, struct inode *inode) - { - struct inode_smack *isp = inode->i_security; -- struct smack_known *skp = smk_of_task(task_security(p)); -+ struct smack_known *skp = smk_of_task_struct(p); - - isp->smk_inode = skp; - } -@@ -3200,7 +3202,7 @@ unlockandout: - */ - static int smack_getprocattr(struct task_struct *p, char *name, char **value) - { -- struct smack_known *skp = smk_of_task(task_security(p)); -+ struct smack_known *skp = smk_of_task_struct(p); - char *cp; - int slen; - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 65f1f4e..0c993f7 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -4844,6 +4844,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x103c, 0x18e6, "HP", ALC269_FIXUP_HP_GPIO_LED), - SND_PCI_QUIRK(0x103c, 0x218b, "HP", ALC269_FIXUP_LIMIT_INT_MIC_BOOST_MUTE_LED), - /* ALC282 */ -+ SND_PCI_QUIRK(0x103c, 0x21f9, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), - SND_PCI_QUIRK(0x103c, 0x2210, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), - SND_PCI_QUIRK(0x103c, 0x2214, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), - SND_PCI_QUIRK(0x103c, 0x2236, "HP", ALC269_FIXUP_HP_LINE1_MIC1_LED), -diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c -index 605d140..6d36c5b 100644 ---- a/sound/pci/hda/patch_sigmatel.c -+++ b/sound/pci/hda/patch_sigmatel.c -@@ -99,6 +99,7 @@ enum { - STAC_HP_ENVY_BASS, - STAC_HP_BNB13_EQ, - STAC_HP_ENVY_TS_BASS, -+ STAC_92HD83XXX_GPIO10_EAPD, - STAC_92HD83XXX_MODELS - }; - -@@ -2141,6 +2142,19 @@ static void stac92hd83xxx_fixup_headset_jack(struct hda_codec *codec, - spec->headset_jack = 1; - } - -+static void stac92hd83xxx_fixup_gpio10_eapd(struct hda_codec *codec, -+ const struct hda_fixup *fix, -+ int action) -+{ -+ struct sigmatel_spec *spec = codec->spec; -+ -+ if (action != HDA_FIXUP_ACT_PRE_PROBE) -+ return; -+ spec->eapd_mask = spec->gpio_mask = spec->gpio_dir = -+ spec->gpio_data = 0x10; -+ spec->eapd_switch = 0; -+} -+ - static const struct hda_verb hp_bnb13_eq_verbs[] = { - /* 44.1KHz base */ - { 0x22, 0x7A6, 0x3E }, -@@ -2656,6 +2670,10 @@ static const struct hda_fixup stac92hd83xxx_fixups[] = { - {} - }, - }, -+ [STAC_92HD83XXX_GPIO10_EAPD] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = stac92hd83xxx_fixup_gpio10_eapd, -+ }, - }; - - static const struct hda_model_fixup stac92hd83xxx_models[] = { -@@ -2861,6 +2879,8 @@ static const struct snd_pci_quirk stac92hd83xxx_fixup_tbl[] = { - SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x148a, - "HP Mini", STAC_92HD83XXX_HP_LED), - SND_PCI_QUIRK_VENDOR(PCI_VENDOR_ID_HP, "HP", STAC_92HD83XXX_HP), -+ SND_PCI_QUIRK(PCI_VENDOR_ID_TOSHIBA, 0xfa91, -+ "Toshiba Satellite S50D", STAC_92HD83XXX_GPIO10_EAPD), - {} /* terminator */ - }; - -diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c -index 6abc2ac..e768572 100644 ---- a/sound/pci/riptide/riptide.c -+++ b/sound/pci/riptide/riptide.c -@@ -2030,32 +2030,43 @@ snd_riptide_joystick_probe(struct pci_dev *pci, const struct pci_device_id *id) - { - static int dev; - struct gameport *gameport; -+ int ret; - - if (dev >= SNDRV_CARDS) - return -ENODEV; -+ - if (!enable[dev]) { -- dev++; -- return -ENOENT; -+ ret = -ENOENT; -+ goto inc_dev; - } - -- if (!joystick_port[dev++]) -- return 0; -+ if (!joystick_port[dev]) { -+ ret = 0; -+ goto inc_dev; -+ } - - gameport = gameport_allocate_port(); -- if (!gameport) -- return -ENOMEM; -+ if (!gameport) { -+ ret = -ENOMEM; -+ goto inc_dev; -+ } - if (!request_region(joystick_port[dev], 8, "Riptide gameport")) { - snd_printk(KERN_WARNING - "Riptide: cannot grab gameport 0x%x\n", - joystick_port[dev]); - gameport_free_port(gameport); -- return -EBUSY; -+ ret = -EBUSY; -+ goto inc_dev; - } - - gameport->io = joystick_port[dev]; - gameport_register_port(gameport); - pci_set_drvdata(pci, gameport); -- return 0; -+ -+ ret = 0; -+inc_dev: -+ dev++; -+ return ret; - } - - static void snd_riptide_joystick_remove(struct pci_dev *pci) -diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c -index 3342705..13bc201 100644 ---- a/sound/pci/rme9652/hdspm.c -+++ b/sound/pci/rme9652/hdspm.c -@@ -6086,6 +6086,9 @@ static int snd_hdspm_playback_open(struct snd_pcm_substream *substream) - snd_pcm_hw_constraint_minmax(runtime, - SNDRV_PCM_HW_PARAM_PERIOD_SIZE, - 64, 8192); -+ snd_pcm_hw_constraint_minmax(runtime, -+ SNDRV_PCM_HW_PARAM_PERIODS, -+ 2, 2); - break; - } - -@@ -6160,6 +6163,9 @@ static int snd_hdspm_capture_open(struct snd_pcm_substream *substream) - snd_pcm_hw_constraint_minmax(runtime, - SNDRV_PCM_HW_PARAM_PERIOD_SIZE, - 64, 8192); -+ snd_pcm_hw_constraint_minmax(runtime, -+ SNDRV_PCM_HW_PARAM_PERIODS, -+ 2, 2); - break; - } - -diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig -index 8349f98..ef2c70e 100644 ---- a/sound/soc/codecs/Kconfig -+++ b/sound/soc/codecs/Kconfig -@@ -525,7 +525,7 @@ config SND_SOC_RT5677 - - config SND_SOC_RT5677_SPI - tristate -- default SND_SOC_RT5677 -+ default SND_SOC_RT5677 && SPI - - #Freescale sgtl5000 codec - config SND_SOC_SGTL5000 -diff --git a/sound/soc/codecs/rt5670.c b/sound/soc/codecs/rt5670.c -index 8a0833d..1e574c8 100644 ---- a/sound/soc/codecs/rt5670.c -+++ b/sound/soc/codecs/rt5670.c -@@ -2522,6 +2522,7 @@ static struct snd_soc_codec_driver soc_codec_dev_rt5670 = { - static const struct regmap_config rt5670_regmap = { - .reg_bits = 8, - .val_bits = 16, -+ .use_single_rw = true, - .max_register = RT5670_VENDOR_ID2 + 1 + (ARRAY_SIZE(rt5670_ranges) * - RT5670_PR_SPACING), - .volatile_reg = rt5670_volatile_register, -diff --git a/sound/soc/codecs/rt5677.c b/sound/soc/codecs/rt5677.c -index 918ada9..cc90988 100644 ---- a/sound/soc/codecs/rt5677.c -+++ b/sound/soc/codecs/rt5677.c -@@ -702,6 +702,9 @@ static int rt5677_set_dsp_vad(struct snd_soc_codec *codec, bool on) - static bool activity; - int ret; - -+ if (!IS_ENABLED(CONFIG_SND_SOC_RT5677_SPI)) -+ return -ENXIO; -+ - if (on && !activity) { - activity = true; - -diff --git a/sound/soc/davinci/Kconfig b/sound/soc/davinci/Kconfig -index 8e948c6..2b81ca4 100644 ---- a/sound/soc/davinci/Kconfig -+++ b/sound/soc/davinci/Kconfig -@@ -58,13 +58,12 @@ choice - depends on MACH_DAVINCI_DM365_EVM - - config SND_DM365_AIC3X_CODEC -- bool "Audio Codec - AIC3101" -+ tristate "Audio Codec - AIC3101" - help - Say Y if you want to add support for AIC3101 audio codec - - config SND_DM365_VOICE_CODEC - tristate "Voice Codec - CQ93VC" -- depends on SND_DAVINCI_SOC - select MFD_DAVINCI_VOICECODEC - select SND_DAVINCI_SOC_VCIF - select SND_SOC_CQ0093VC -diff --git a/sound/soc/intel/sst/sst.h b/sound/soc/intel/sst/sst.h -index 7f4bbfc..562bc48 100644 ---- a/sound/soc/intel/sst/sst.h -+++ b/sound/soc/intel/sst/sst.h -@@ -58,6 +58,7 @@ enum sst_algo_ops { - #define SST_BLOCK_TIMEOUT 1000 - - #define FW_SIGNATURE_SIZE 4 -+#define FW_NAME_SIZE 32 - - /* stream states */ - enum sst_stream_states { -@@ -426,7 +427,7 @@ struct intel_sst_drv { - * Holder for firmware name. Due to async call it needs to be - * persistent till worker thread gets called - */ -- char firmware_name[20]; -+ char firmware_name[FW_NAME_SIZE]; - }; - - /* misc definitions */ -diff --git a/sound/soc/intel/sst/sst_acpi.c b/sound/soc/intel/sst/sst_acpi.c -index b336013..51f83ba 100644 ---- a/sound/soc/intel/sst/sst_acpi.c -+++ b/sound/soc/intel/sst/sst_acpi.c -@@ -47,7 +47,7 @@ struct sst_machines { - char board[32]; - char machine[32]; - void (*machine_quirk)(void); -- char firmware[32]; -+ char firmware[FW_NAME_SIZE]; - struct sst_platform_info *pdata; - - }; -diff --git a/sound/soc/pxa/mioa701_wm9713.c b/sound/soc/pxa/mioa701_wm9713.c -index 396dbd5..a9615a57 100644 ---- a/sound/soc/pxa/mioa701_wm9713.c -+++ b/sound/soc/pxa/mioa701_wm9713.c -@@ -81,7 +81,7 @@ static int rear_amp_power(struct snd_soc_codec *codec, int power) - static int rear_amp_event(struct snd_soc_dapm_widget *widget, - struct snd_kcontrol *kctl, int event) - { -- struct snd_soc_codec *codec = widget->codec; -+ struct snd_soc_codec *codec = widget->dapm->card->rtd[0].codec; - - return rear_amp_power(codec, SND_SOC_DAPM_EVENT_ON(event)); - } -diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c -index a739841..a0795ba 100644 ---- a/sound/usb/quirks.c -+++ b/sound/usb/quirks.c -@@ -1122,6 +1122,7 @@ int snd_usb_select_mode_quirk(struct snd_usb_substream *subs, - int err; - - switch (subs->stream->chip->usb_id) { -+ case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */ - case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */ - case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */ - -@@ -1201,6 +1202,7 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, - (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) { - - switch (le16_to_cpu(dev->descriptor.idProduct)) { -+ case 0x1003: /* Denon DA300-USB */ - case 0x3005: /* Marantz HD-DAC1 */ - case 0x3006: /* Marantz SA-14S1 */ - mdelay(20); -@@ -1262,6 +1264,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, - - /* Denon/Marantz devices with USB DAC functionality */ - switch (chip->usb_id) { -+ case USB_ID(0x154e, 0x1003): /* Denon DA300-USB */ - case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */ - case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */ - if (fp->altsetting == 2) -diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c -index 47b78b3..6da965b 100644 ---- a/tools/perf/util/cloexec.c -+++ b/tools/perf/util/cloexec.c -@@ -25,6 +25,10 @@ static int perf_flag_probe(void) - if (cpu < 0) - cpu = 0; - -+ /* -+ * Using -1 for the pid is a workaround to avoid gratuitous jump label -+ * changes. -+ */ - while (1) { - /* check cloexec flag */ - fd = sys_perf_event_open(&attr, pid, cpu, -1, -@@ -47,16 +51,24 @@ static int perf_flag_probe(void) - err, strerror_r(err, sbuf, sizeof(sbuf))); - - /* not supported, confirm error related to PERF_FLAG_FD_CLOEXEC */ -- fd = sys_perf_event_open(&attr, pid, cpu, -1, 0); -+ while (1) { -+ fd = sys_perf_event_open(&attr, pid, cpu, -1, 0); -+ if (fd < 0 && pid == -1 && errno == EACCES) { -+ pid = 0; -+ continue; -+ } -+ break; -+ } - err = errno; - -+ if (fd >= 0) -+ close(fd); -+ - if (WARN_ONCE(fd < 0 && err != EBUSY, - "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", - err, strerror_r(err, sbuf, sizeof(sbuf)))) - return -1; - -- close(fd); -- - return 0; - } - diff --git a/3.19.1/0000_README b/3.19.2/0000_README index fa067a7..91abd27 100644 --- a/3.19.1/0000_README +++ b/3.19.2/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1000_linux-3.19.1.patch -From: http://www.kernel.org -Desc: Linux 3.14.35 - -Patch: 4420_grsecurity-3.1-3.19.1-201503122205.patch +Patch: 4420_grsecurity-3.1-3.19.2-201503201903.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.19.1/4420_grsecurity-3.1-3.19.1-201503122205.patch b/3.19.2/4420_grsecurity-3.1-3.19.2-201503201903.patch index fd20fa4..585a368 100644 --- a/3.19.1/4420_grsecurity-3.1-3.19.1-201503122205.patch +++ b/3.19.2/4420_grsecurity-3.1-3.19.2-201503201903.patch @@ -370,7 +370,7 @@ index 176d4fe..17ceefa 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 688777b..2821d8c 100644 +index e49665a..7c65470 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -20493,10 +20493,10 @@ index 5eea099..ff7ef8d 100644 unsigned long mfn; diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h -index 5fa9770..2b49d6c 100644 +index c9a6d68..cb57f42 100644 --- a/arch/x86/include/asm/xsave.h +++ b/arch/x86/include/asm/xsave.h -@@ -229,12 +229,16 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -223,12 +223,16 @@ static inline int xsave_user(struct xsave_struct __user *buf) if (unlikely(err)) return -EFAULT; @@ -20514,7 +20514,7 @@ index 5fa9770..2b49d6c 100644 return err; } -@@ -244,16 +248,20 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -238,16 +242,20 @@ static inline int xsave_user(struct xsave_struct __user *buf) static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) { int err = 0; @@ -23068,7 +23068,7 @@ index 000d419..8f66802 100644 #endif diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 9ebaf63..c786610 100644 +index 4ee9a23..c786610 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -23663,7 +23663,7 @@ index 9ebaf63..c786610 100644 /* * A newly forked process directly context switches into this address. -@@ -331,25 +793,26 @@ ENTRY(ret_from_fork) +@@ -331,7 +793,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -23671,19 +23671,9 @@ index 9ebaf63..c786610 100644 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread? jz 1f -- testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -- jnz int_ret_from_sys_call -- -- RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET -- jmp ret_from_sys_call # go to the SYSRET fastpath -+ /* -+ * By the time we get here, we have no idea whether our pt_regs, -+ * ti flags, and ti status came from the 64-bit SYSCALL fast path, -+ * the slow path, or one of the ia32entry paths. -+ * Use int_ret_from_sys_call to return, since it can safely handle -+ * all of the above. -+ */ -+ jmp int_ret_from_sys_call + /* +@@ -344,15 +806,13 @@ ENTRY(ret_from_fork) + jmp int_ret_from_sys_call 1: - subq $REST_SKIP, %rsp # leave space for volatiles @@ -23699,7 +23689,7 @@ index 9ebaf63..c786610 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -386,7 +849,7 @@ END(ret_from_fork) +@@ -389,7 +849,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -23708,7 +23698,7 @@ index 9ebaf63..c786610 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -399,16 +862,23 @@ GLOBAL(system_call_after_swapgs) +@@ -402,16 +862,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -23734,7 +23724,7 @@ index 9ebaf63..c786610 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -432,10 +902,13 @@ sysret_check: +@@ -435,10 +902,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -23749,7 +23739,7 @@ index 9ebaf63..c786610 100644 /* * sysretq will re-enable interrupts: */ -@@ -494,12 +967,15 @@ sysret_audit: +@@ -497,12 +967,15 @@ sysret_audit: /* Do syscall tracing */ tracesys: @@ -23767,7 +23757,7 @@ index 9ebaf63..c786610 100644 jmp system_call_fastpath /* and return to the fast path */ tracesys_phase2: -@@ -510,12 +986,14 @@ tracesys_phase2: +@@ -513,12 +986,14 @@ tracesys_phase2: movq %rax,%rdx call syscall_trace_enter_phase2 @@ -23783,7 +23773,7 @@ index 9ebaf63..c786610 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -545,7 +1023,9 @@ GLOBAL(int_with_check) +@@ -548,7 +1023,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -23794,7 +23784,7 @@ index 9ebaf63..c786610 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -591,7 +1071,7 @@ int_restore_rest: +@@ -594,7 +1071,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -23803,7 +23793,7 @@ index 9ebaf63..c786610 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -604,9 +1084,10 @@ ENTRY(stub_\func) +@@ -607,9 +1084,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 @@ -23816,7 +23806,7 @@ index 9ebaf63..c786610 100644 .endm .macro FIXED_FRAME label,func -@@ -616,9 +1097,10 @@ ENTRY(\label) +@@ -619,9 +1097,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET @@ -23828,7 +23818,7 @@ index 9ebaf63..c786610 100644 .endm FORK_LIKE clone -@@ -626,19 +1108,6 @@ END(\label) +@@ -629,19 +1108,6 @@ END(\label) FORK_LIKE vfork FIXED_FRAME stub_iopl, sys_iopl @@ -23848,7 +23838,7 @@ index 9ebaf63..c786610 100644 ENTRY(stub_execve) CFI_STARTPROC addq $8, %rsp -@@ -650,7 +1119,7 @@ ENTRY(stub_execve) +@@ -653,7 +1119,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23857,7 +23847,7 @@ index 9ebaf63..c786610 100644 ENTRY(stub_execveat) CFI_STARTPROC -@@ -664,7 +1133,7 @@ ENTRY(stub_execveat) +@@ -667,7 +1133,7 @@ ENTRY(stub_execveat) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23866,7 +23856,7 @@ index 9ebaf63..c786610 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -681,7 +1150,7 @@ ENTRY(stub_rt_sigreturn) +@@ -684,7 +1150,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23875,7 +23865,7 @@ index 9ebaf63..c786610 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -695,7 +1164,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -698,7 +1164,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23884,7 +23874,7 @@ index 9ebaf63..c786610 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -760,7 +1229,7 @@ vector=vector+1 +@@ -763,7 +1229,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -23893,7 +23883,7 @@ index 9ebaf63..c786610 100644 .previous END(interrupt) -@@ -777,8 +1246,8 @@ END(interrupt) +@@ -780,8 +1246,8 @@ END(interrupt) /* 0(%rsp): ~(interrupt number) */ .macro interrupt func /* reserve pt_regs for scratch regs and rbp */ @@ -23904,7 +23894,7 @@ index 9ebaf63..c786610 100644 SAVE_ARGS_IRQ call \func .endm -@@ -801,14 +1270,14 @@ ret_from_intr: +@@ -804,14 +1270,14 @@ ret_from_intr: /* Restore saved previous stack */ popq %rsi @@ -23923,7 +23913,7 @@ index 9ebaf63..c786610 100644 je retint_kernel /* Interrupt came from user space */ -@@ -830,12 +1299,35 @@ retint_swapgs: /* return to user-space */ +@@ -833,12 +1299,35 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -23959,7 +23949,7 @@ index 9ebaf63..c786610 100644 /* * The iretq could re-enable interrupts: */ -@@ -873,15 +1365,15 @@ native_irq_return_ldt: +@@ -876,15 +1365,15 @@ native_irq_return_ldt: SWAPGS movq PER_CPU_VAR(espfix_waddr),%rdi movq %rax,(0*8)(%rdi) /* RAX */ @@ -23980,7 +23970,7 @@ index 9ebaf63..c786610 100644 movq %rax,(4*8)(%rdi) andl $0xffff0000,%eax popq_cfi %rdi -@@ -935,7 +1427,7 @@ ENTRY(retint_kernel) +@@ -938,7 +1427,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif CFI_ENDPROC @@ -23989,7 +23979,7 @@ index 9ebaf63..c786610 100644 /* * APIC interrupts. -@@ -949,7 +1441,7 @@ ENTRY(\sym) +@@ -952,7 +1441,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -23998,7 +23988,7 @@ index 9ebaf63..c786610 100644 .endm #ifdef CONFIG_TRACING -@@ -1022,7 +1514,7 @@ apicinterrupt IRQ_WORK_VECTOR \ +@@ -1025,7 +1514,7 @@ apicinterrupt IRQ_WORK_VECTOR \ /* * Exception entry points. */ @@ -24007,7 +23997,7 @@ index 9ebaf63..c786610 100644 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1 ENTRY(\sym) -@@ -1073,6 +1565,12 @@ ENTRY(\sym) +@@ -1076,6 +1565,12 @@ ENTRY(\sym) .endif .if \shift_ist != -1 @@ -24020,7 +24010,7 @@ index 9ebaf63..c786610 100644 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\shift_ist) .endif -@@ -1089,7 +1587,7 @@ ENTRY(\sym) +@@ -1092,7 +1587,7 @@ ENTRY(\sym) .endif CFI_ENDPROC @@ -24029,7 +24019,7 @@ index 9ebaf63..c786610 100644 .endm #ifdef CONFIG_TRACING -@@ -1130,9 +1628,10 @@ gs_change: +@@ -1133,9 +1628,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -24041,7 +24031,7 @@ index 9ebaf63..c786610 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1160,9 +1659,10 @@ ENTRY(do_softirq_own_stack) +@@ -1163,9 +1659,10 @@ ENTRY(do_softirq_own_stack) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -24053,7 +24043,7 @@ index 9ebaf63..c786610 100644 #ifdef CONFIG_XEN idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0 -@@ -1200,7 +1700,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1203,7 +1700,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -24062,7 +24052,7 @@ index 9ebaf63..c786610 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1259,7 +1759,7 @@ ENTRY(xen_failsafe_callback) +@@ -1262,7 +1759,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -24071,7 +24061,7 @@ index 9ebaf63..c786610 100644 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1306,18 +1806,33 @@ ENTRY(paranoid_exit) +@@ -1309,18 +1806,33 @@ ENTRY(paranoid_exit) DEFAULT_FRAME DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG @@ -24107,7 +24097,7 @@ index 9ebaf63..c786610 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1346,7 +1861,7 @@ paranoid_schedule: +@@ -1349,7 +1861,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -24116,7 +24106,7 @@ index 9ebaf63..c786610 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1373,12 +1888,23 @@ ENTRY(error_entry) +@@ -1376,12 +1888,23 @@ ENTRY(error_entry) movq %r14, R14+8(%rsp) movq %r15, R15+8(%rsp) xorl %ebx,%ebx @@ -24141,7 +24131,7 @@ index 9ebaf63..c786610 100644 ret /* -@@ -1413,7 +1939,7 @@ error_bad_iret: +@@ -1416,7 +1939,7 @@ error_bad_iret: decl %ebx /* Return to usergs */ jmp error_sti CFI_ENDPROC @@ -24150,7 +24140,7 @@ index 9ebaf63..c786610 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1424,7 +1950,7 @@ ENTRY(error_exit) +@@ -1427,7 +1950,7 @@ ENTRY(error_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF GET_THREAD_INFO(%rcx) @@ -24159,7 +24149,7 @@ index 9ebaf63..c786610 100644 jne retint_kernel LOCKDEP_SYS_EXIT_IRQ movl TI_flags(%rcx),%edx -@@ -1433,7 +1959,7 @@ ENTRY(error_exit) +@@ -1436,7 +1959,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -24168,7 +24158,7 @@ index 9ebaf63..c786610 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1491,9 +2017,11 @@ ENTRY(nmi) +@@ -1494,9 +2017,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -24181,7 +24171,7 @@ index 9ebaf63..c786610 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1527,8 +2055,7 @@ nested_nmi: +@@ -1530,8 +2055,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -24191,7 +24181,7 @@ index 9ebaf63..c786610 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1546,6 +2073,7 @@ nested_nmi_out: +@@ -1549,6 +2073,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -24199,7 +24189,7 @@ index 9ebaf63..c786610 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1642,13 +2170,13 @@ end_repeat_nmi: +@@ -1645,13 +2170,13 @@ end_repeat_nmi: subq $ORIG_RAX-R15, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 /* @@ -24215,7 +24205,7 @@ index 9ebaf63..c786610 100644 DEFAULT_FRAME 0 /* -@@ -1658,9 +2186,9 @@ end_repeat_nmi: +@@ -1661,9 +2186,9 @@ end_repeat_nmi: * NMI itself takes a page fault, the page fault that was preempted * will read the information from the NMI page fault and not the * origin fault. Save it off and restore it if it changes. @@ -24227,7 +24217,7 @@ index 9ebaf63..c786610 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi -@@ -1669,29 +2197,34 @@ end_repeat_nmi: +@@ -1672,29 +2197,34 @@ end_repeat_nmi: /* Did the NMI take a page fault? Restore cr2 if it did */ movq %cr2, %rcx @@ -28669,7 +28659,7 @@ index 8a80737..bac4961 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index de12c1d..4031e2a 100644 +index b24c2d8..e1e4e25 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -3503,7 +3503,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) @@ -40029,10 +40019,10 @@ index 94a58a0..f5eba42 100644 container_of(_dev_attr, struct dmi_device_attribute, dev_attr) diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index c5f7b4e..74bc7c9 100644 +index 69fac06..820f0c9a 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c -@@ -900,7 +900,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), +@@ -901,7 +901,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), if (buf == NULL) return -1; @@ -40532,7 +40522,7 @@ index 176de63..1ef9ac7 100644 return ret; diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index e7a16f1..e0d82e8 100644 +index 30d4eb3..92f2dc8 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -12935,13 +12935,13 @@ struct intel_quirk { @@ -42525,6 +42515,25 @@ index 9f5ad7c..588cd84 100644 wake_up_process(pool->thread); } } +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index aec7a6a..8c014b5 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + if (dmasync) + dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + ++ /* ++ * If the combination of the addr and size requested for this memory ++ * region causes an integer overflow, return error. ++ */ ++ if ((PAGE_ALIGN(addr + size) <= size) || ++ (PAGE_ALIGN(addr + size) <= addr)) ++ return ERR_PTR(-EINVAL); ++ + if (!can_do_mlock()) + return ERR_PTR(-EPERM); + diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c index cb43c22..2e12dd7 100644 --- a/drivers/infiniband/hw/cxgb4/mem.c @@ -43177,7 +43186,7 @@ index c0d0296..3185f57 100644 /* Blow away the connection if it exists. */ diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h -index c00ae09..04e91be 100644 +index b218254..1d1aa3c 100644 --- a/drivers/infiniband/hw/qib/qib.h +++ b/drivers/infiniband/hw/qib/qib.h @@ -52,6 +52,7 @@ @@ -43854,7 +43863,7 @@ index e2d4e58..40cd045 100644 /* error message helper function */ diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c -index 6a7447c..cae33fe 100644 +index 6a7447c..b4987ea 100644 --- a/drivers/isdn/icn/icn.c +++ b/drivers/isdn/icn/icn.c @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card) @@ -43866,6 +43875,15 @@ index 6a7447c..cae33fe 100644 return -EFAULT; } else memcpy(msg, buf, count); +@@ -1609,7 +1609,7 @@ icn_setup(char *line) + if (ints[0] > 1) + membase = (unsigned long)ints[2]; + if (str && *str) { +- strcpy(sid, str); ++ strlcpy(sid, str, sizeof(sid)); + icn_id = sid; + if ((p = strchr(sid, ','))) { + *p++ = 0; diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c index 87f7dff..7300125 100644 --- a/drivers/isdn/mISDN/dsp_cmx.c @@ -44096,7 +44114,7 @@ index 73f791b..8c5d3ac 100644 DMWARN("name not supplied when creating device"); return -EINVAL; diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c -index 7dfdb5c..4caada6 100644 +index 089d627..ef7352e 100644 --- a/drivers/md/dm-raid1.c +++ b/drivers/md/dm-raid1.c @@ -40,7 +40,7 @@ enum dm_raid1_error { @@ -44153,7 +44171,7 @@ index 7dfdb5c..4caada6 100644 m = NULL; if (likely(m)) -@@ -927,7 +927,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, +@@ -936,7 +936,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, } ms->mirror[mirror].ms = ms; @@ -44162,7 +44180,7 @@ index 7dfdb5c..4caada6 100644 ms->mirror[mirror].error_type = 0; ms->mirror[mirror].offset = offset; -@@ -1342,7 +1342,7 @@ static void mirror_resume(struct dm_target *ti) +@@ -1351,7 +1351,7 @@ static void mirror_resume(struct dm_target *ti) */ static char device_status_char(struct mirror *m) { @@ -44273,7 +44291,7 @@ index 43adbb8..7b34305 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 2caf5b3..104f98f 100644 +index 64b10e0..07db8f4 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -185,9 +185,9 @@ struct mapped_device { @@ -44308,7 +44326,7 @@ index 2caf5b3..104f98f 100644 wake_up(&md->eventq); } -@@ -3041,18 +3041,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -3034,18 +3034,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -46927,10 +46945,32 @@ index 98d73aa..63ef9da 100644 Say Y here if you want to support for Freescale FlexCAN. diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index 847c1f8..69a0df3 100644 +index 847c1f8..3bed607 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c -@@ -950,7 +950,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, +@@ -578,6 +578,10 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) + skb->pkt_type = PACKET_BROADCAST; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = dev->ifindex; + +@@ -602,6 +606,10 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev, + skb->pkt_type = PACKET_BROADCAST; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = dev->ifindex; + +@@ -950,7 +958,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, return -EOPNOTSUPP; } @@ -47990,7 +48030,7 @@ index c9f57fb..208bdc1 100644 u32 entry_offset, dump, no_entries, buf_offset = 0; int i, k, ops_cnt, ops_index, dump_size = 0; diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index 14a1c5c..38a141d 100644 +index 2e2cf80..ebc796d 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c @@ -788,22 +788,22 @@ struct rtl8169_private { @@ -48142,7 +48182,7 @@ index 612e073..a9f5eda 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 919f4fc..012f6dd 100644 +index 4d050ee..012f6dd 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -436,7 +436,7 @@ static void macvtap_setup(struct net_device *dev) @@ -48154,32 +48194,7 @@ index 919f4fc..012f6dd 100644 .kind = "macvtap", .setup = macvtap_setup, .newlink = macvtap_newlink, -@@ -654,11 +654,14 @@ static void macvtap_skb_to_vnet_hdr(struct macvtap_queue *q, - } /* else everything is zero */ - } - -+/* Neighbour code has some assumptions on HH_DATA_MOD alignment */ -+#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN) -+ - /* Get packet from user space buffer */ - static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - struct iov_iter *from, int noblock) - { -- int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN); -+ int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE); - struct sk_buff *skb; - struct macvlan_dev *vlan; - unsigned long total_len = iov_iter_count(from); -@@ -722,7 +725,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - linear = macvtap16_to_cpu(q, vnet_hdr.hdr_len); - } - -- skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, -+ skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen, - linear, noblock, &err); - if (!skb) - goto err; -@@ -1030,7 +1033,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, +@@ -1033,7 +1033,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, ret = 0; u = q->flags; @@ -48188,7 +48203,7 @@ index 919f4fc..012f6dd 100644 put_user(u, &ifr->ifr_flags)) ret = -EFAULT; macvtap_put_vlan(vlan); -@@ -1214,7 +1217,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -1217,7 +1217,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -48277,10 +48292,10 @@ index 079f7ad..b2a2bfa7 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index f7ff493..153e0198 100644 +index 2c087ef..4859007 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c -@@ -2105,7 +2105,7 @@ static unsigned int team_get_num_rx_queues(void) +@@ -2103,7 +2103,7 @@ static unsigned int team_get_num_rx_queues(void) return TEAM_DEFAULT_NUM_RX_QUEUES; } @@ -48289,7 +48304,7 @@ index f7ff493..153e0198 100644 .kind = DRV_NAME, .priv_size = sizeof(struct team), .setup = team_setup, -@@ -2895,7 +2895,7 @@ static int team_device_event(struct notifier_block *unused, +@@ -2893,7 +2893,7 @@ static int team_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -51710,7 +51725,7 @@ index 05ea0d4..5af8049 100644 if (!sdp->request_queue->rq_timeout) { if (sdp->type != TYPE_MOD) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 763bffe..e0eacf4 100644 +index dbf8e77..0d565c7 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1098,7 +1098,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -53506,20 +53521,9 @@ index 42bad18..447d7a2 100644 if (get_user(c, buf)) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 51f066a..a7f6e86 100644 +index 2bb4dfc..a7f6e86 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c -@@ -1028,8 +1028,8 @@ EXPORT_SYMBOL(start_tty); - /* We limit tty time update visibility to every 8 seconds or so. */ - static void tty_update_time(struct timespec *time) - { -- unsigned long sec = get_seconds() & ~7; -- if ((long)(sec - time->tv_sec) > 0) -+ unsigned long sec = get_seconds(); -+ if (abs(sec - time->tv_sec) & ~7) - time->tv_sec = sec; - } - @@ -3503,7 +3503,7 @@ EXPORT_SYMBOL(tty_devnum); void tty_default_fops(struct file_operations *fops) @@ -53529,31 +53533,6 @@ index 51f066a..a7f6e86 100644 } /* -diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c -index 1787fa4..552076b 100644 ---- a/drivers/tty/tty_ioctl.c -+++ b/drivers/tty/tty_ioctl.c -@@ -217,11 +217,17 @@ void tty_wait_until_sent(struct tty_struct *tty, long timeout) - #endif - if (!timeout) - timeout = MAX_SCHEDULE_TIMEOUT; -+ - if (wait_event_interruptible_timeout(tty->write_wait, -- !tty_chars_in_buffer(tty), timeout) >= 0) { -- if (tty->ops->wait_until_sent) -- tty->ops->wait_until_sent(tty, timeout); -+ !tty_chars_in_buffer(tty), timeout) < 0) { -+ return; - } -+ -+ if (timeout == MAX_SCHEDULE_TIMEOUT) -+ timeout = 0; -+ -+ if (tty->ops->wait_until_sent) -+ tty->ops->wait_until_sent(tty, timeout); - } - EXPORT_SYMBOL(tty_wait_until_sent); - diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 3737f55..7cef448 100644 --- a/drivers/tty/tty_ldisc.c @@ -53931,7 +53910,7 @@ index 2a3bbdf..91d72cf 100644 file->f_version = event_count; return POLLIN | POLLRDNORM; diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c -index 0b59731..46ee7d1 100644 +index e500243..401300f 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, @@ -54336,29 +54315,6 @@ index 29fa1c3..a57b08e 100644 struct usb_serial_port *port = info->port; struct usb_serial *serial; int retval = -ENODEV; -diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c -index ccf1df7..54e170d 100644 ---- a/drivers/usb/serial/generic.c -+++ b/drivers/usb/serial/generic.c -@@ -258,7 +258,8 @@ void usb_serial_generic_wait_until_sent(struct tty_struct *tty, long timeout) - * character or at least one jiffy. - */ - period = max_t(unsigned long, (10 * HZ / bps), 1); -- period = min_t(unsigned long, period, timeout); -+ if (timeout) -+ period = min_t(unsigned long, period, timeout); - - dev_dbg(&port->dev, "%s - timeout = %u ms, period = %u ms\n", - __func__, jiffies_to_msecs(timeout), -@@ -268,7 +269,7 @@ void usb_serial_generic_wait_until_sent(struct tty_struct *tty, long timeout) - schedule_timeout_interruptible(period); - if (signal_pending(current)) - break; -- if (time_after(jiffies, expire)) -+ if (timeout && time_after(jiffies, expire)) - break; - } - } diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h index 307e339..6aa97cb 100644 --- a/drivers/usb/storage/usb.h @@ -58089,32 +58045,6 @@ index 6530ced..4a827e2 100644 if (limit != RLIM_INFINITY && offset > limit) goto out_sig; if (offset > inode->i_sb->s_maxbytes) -diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c -index aaf96cb..ac7d921 100644 ---- a/fs/autofs4/dev-ioctl.c -+++ b/fs/autofs4/dev-ioctl.c -@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param) - */ - static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in) - { -- struct autofs_dev_ioctl tmp; -+ struct autofs_dev_ioctl tmp, *res; - - if (copy_from_user(&tmp, in, sizeof(tmp))) - return ERR_PTR(-EFAULT); -@@ -106,7 +106,11 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i - if (tmp.size > (PATH_MAX + sizeof(tmp))) - return ERR_PTR(-ENAMETOOLONG); - -- return memdup_user(in, tmp.size); -+ res = memdup_user(in, tmp.size); -+ if (!IS_ERR(res)) -+ res->size = tmp.size; -+ -+ return res; - } - - static inline void free_dev_ioctl(struct autofs_dev_ioctl *param) diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c index 116fd38..c04182da 100644 --- a/fs/autofs4/waitq.c @@ -59350,19 +59280,6 @@ index 2299bfd..4098e72 100644 __btrfs_remove_free_space_cache(cache->free_space_ctl); return 0; -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index f78e9dc..069ab24 100644 ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -1010,7 +1010,7 @@ again: - base = btrfs_item_ptr_offset(leaf, path->slots[0]); - - while (cur_offset < item_size) { -- extref = (struct btrfs_inode_extref *)base + cur_offset; -+ extref = (struct btrfs_inode_extref *)(base + cur_offset); - - victim_name_len = btrfs_inode_extref_name_len(leaf, extref); - diff --git a/fs/btrfs/tree-log.h b/fs/btrfs/tree-log.h index 154990c..d0cf699 100644 --- a/fs/btrfs/tree-log.h @@ -60578,30 +60495,10 @@ index e368d4f..b40ba59 100644 dcache_init(); inode_init(); diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 05f2960..780f4f8 100644 +index 6f0ce53..780f4f8 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c -@@ -246,10 +246,19 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root) - return 0; - } - -+static void debugfs_evict_inode(struct inode *inode) -+{ -+ truncate_inode_pages_final(&inode->i_data); -+ clear_inode(inode); -+ if (S_ISLNK(inode->i_mode)) -+ kfree(inode->i_private); -+} -+ - static const struct super_operations debugfs_super_operations = { - .statfs = simple_statfs, - .remount_fs = debugfs_remount, - .show_options = debugfs_show_options, -+ .evict_inode = debugfs_evict_inode, - }; - - static int debug_fill_super(struct super_block *sb, void *data, int silent) -@@ -416,7 +425,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); +@@ -425,7 +425,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); */ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) { @@ -60613,38 +60510,6 @@ index 05f2960..780f4f8 100644 parent, NULL, NULL); } EXPORT_SYMBOL_GPL(debugfs_create_dir); -@@ -466,23 +479,14 @@ static int __debugfs_remove(struct dentry *dentry, struct dentry *parent) - int ret = 0; - - if (debugfs_positive(dentry)) { -- if (dentry->d_inode) { -- dget(dentry); -- switch (dentry->d_inode->i_mode & S_IFMT) { -- case S_IFDIR: -- ret = simple_rmdir(parent->d_inode, dentry); -- break; -- case S_IFLNK: -- kfree(dentry->d_inode->i_private); -- /* fall through */ -- default: -- simple_unlink(parent->d_inode, dentry); -- break; -- } -- if (!ret) -- d_delete(dentry); -- dput(dentry); -- } -+ dget(dentry); -+ if (S_ISDIR(dentry->d_inode->i_mode)) -+ ret = simple_rmdir(parent->d_inode, dentry); -+ else -+ simple_unlink(parent->d_inode, dentry); -+ if (!ret) -+ d_delete(dentry); -+ dput(dentry); - } - return ret; - } diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c index 1686dc2..9611c50 100644 --- a/fs/ecryptfs/inode.c @@ -61798,6 +61663,48 @@ index 8313ca3..8a37d08 100644 __ext4_warning(sb, function, line, "MMP failure info: last update time: %llu, last update " "node: %s, last update device: %s\n", +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 8a8ec62..1b02de5 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -413,7 +413,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle, + + ext4_debug("mark blocks [%llu/%u] used\n", block, count); + for (count2 = count; count > 0; count -= count2, block += count2) { +- ext4_fsblk_t start; ++ ext4_fsblk_t start, diff; + struct buffer_head *bh; + ext4_group_t group; + int err; +@@ -422,10 +422,6 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle, + start = ext4_group_first_block_no(sb, group); + group -= flex_gd->groups[0].group; + +- count2 = EXT4_BLOCKS_PER_GROUP(sb) - (block - start); +- if (count2 > count) +- count2 = count; +- + if (flex_gd->bg_flags[group] & EXT4_BG_BLOCK_UNINIT) { + BUG_ON(flex_gd->count > 1); + continue; +@@ -443,9 +439,15 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle, + err = ext4_journal_get_write_access(handle, bh); + if (err) + return err; ++ ++ diff = block - start; ++ count2 = EXT4_BLOCKS_PER_GROUP(sb) - diff; ++ if (count2 > count) ++ count2 = count; ++ + ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block, +- block - start, count2); +- ext4_set_bits(bh->b_data, block - start, count2); ++ diff, count2); ++ ext4_set_bits(bh->b_data, diff, count2); + + err = ext4_handle_dirty_metadata(handle, NULL, bh); + if (unlikely(err)) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index fc29b2c..6c8b255 100644 --- a/fs/ext4/super.c @@ -66120,10 +66027,10 @@ index 8e5ad83..1f07a8c 100644 } diff --git a/fs/proc/generic.c b/fs/proc/generic.c -index 7fea132..2923577 100644 +index b502bba..849e216 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c -@@ -23,6 +23,7 @@ +@@ -22,6 +22,7 @@ #include <linux/bitops.h> #include <linux/spinlock.h> #include <linux/completion.h> @@ -66131,7 +66038,7 @@ index 7fea132..2923577 100644 #include <asm/uaccess.h> #include "internal.h" -@@ -265,6 +266,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry, +@@ -253,6 +254,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry, return proc_lookup_de(PDE(dir), dir, dentry); } @@ -66147,7 +66054,7 @@ index 7fea132..2923577 100644 /* * This returns non-zero if at EOF, so that the /proc * root directory can use this and check if it should -@@ -322,6 +332,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx) +@@ -310,6 +320,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx) return proc_readdir_de(PDE(inode), file, ctx); } @@ -66164,7 +66071,7 @@ index 7fea132..2923577 100644 /* * These are the generic /proc directory operations. They * use the in-memory "struct proc_dir_entry" tree to parse -@@ -333,6 +353,12 @@ static const struct file_operations proc_dir_operations = { +@@ -321,6 +341,12 @@ static const struct file_operations proc_dir_operations = { .iterate = proc_readdir, }; @@ -66177,7 +66084,7 @@ index 7fea132..2923577 100644 /* * proc directories can do almost nothing.. */ -@@ -342,6 +368,12 @@ static const struct inode_operations proc_dir_inode_operations = { +@@ -330,6 +356,12 @@ static const struct inode_operations proc_dir_inode_operations = { .setattr = proc_notify_change, }; @@ -66190,7 +66097,7 @@ index 7fea132..2923577 100644 static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp) { int ret; -@@ -351,8 +383,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp +@@ -339,8 +371,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp return ret; if (S_ISDIR(dp->mode)) { @@ -66206,7 +66113,7 @@ index 7fea132..2923577 100644 dir->nlink++; } else if (S_ISLNK(dp->mode)) { dp->proc_iops = &proc_link_inode_operations; -@@ -465,6 +502,27 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode, +@@ -453,6 +490,27 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode, } EXPORT_SYMBOL_GPL(proc_mkdir_data); @@ -66234,7 +66141,7 @@ index 7fea132..2923577 100644 struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode, struct proc_dir_entry *parent) { -@@ -479,6 +537,13 @@ struct proc_dir_entry *proc_mkdir(const char *name, +@@ -467,6 +525,13 @@ struct proc_dir_entry *proc_mkdir(const char *name, } EXPORT_SYMBOL(proc_mkdir); @@ -66249,13 +66156,13 @@ index 7fea132..2923577 100644 struct proc_dir_entry *parent, const struct file_operations *proc_fops, diff --git a/fs/proc/inode.c b/fs/proc/inode.c -index 8420a2f..7b98f00 100644 +index 3b0f838..a0e0f63e 100644 --- a/fs/proc/inode.c +++ b/fs/proc/inode.c -@@ -23,11 +23,17 @@ - #include <linux/slab.h> +@@ -24,11 +24,17 @@ #include <linux/mount.h> #include <linux/magic.h> + #include <linux/namei.h> +#include <linux/grsecurity.h> #include <asm/uaccess.h> @@ -66270,7 +66177,7 @@ index 8420a2f..7b98f00 100644 static void proc_evict_inode(struct inode *inode) { struct proc_dir_entry *de; -@@ -48,6 +54,13 @@ static void proc_evict_inode(struct inode *inode) +@@ -49,6 +55,13 @@ static void proc_evict_inode(struct inode *inode) RCU_INIT_POINTER(PROC_I(inode)->sysctl, NULL); sysctl_head_put(head); } @@ -66284,7 +66191,7 @@ index 8420a2f..7b98f00 100644 } static struct kmem_cache * proc_inode_cachep; -@@ -405,7 +418,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) +@@ -426,7 +439,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; @@ -66297,7 +66204,7 @@ index 8420a2f..7b98f00 100644 if (de->size) inode->i_size = de->size; diff --git a/fs/proc/internal.h b/fs/proc/internal.h -index 6fcdba5..d08b8f1 100644 +index c835b94..c9e01a3 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -47,9 +47,10 @@ struct proc_dir_entry { @@ -76782,10 +76689,10 @@ index 0000000..946f750 +#endif diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c new file mode 100644 -index 0000000..14638ff +index 0000000..fb7531e --- /dev/null +++ b/grsecurity/grsec_exec.c -@@ -0,0 +1,188 @@ +@@ -0,0 +1,189 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -76921,7 +76828,8 @@ index 0000000..14638ff + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", -+ "CAP_BLOCK_SUSPEND" ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ" +}; + +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]); @@ -80020,7 +79928,7 @@ index 7adbb65..2a1eb1f 100644 /** * drm_connector_helper_funcs - helper operations for connectors diff --git a/include/drm/i915_pciids.h b/include/drm/i915_pciids.h -index 180ad0e..53cdacf 100644 +index d016dc5..3951fe0 100644 --- a/include/drm/i915_pciids.h +++ b/include/drm/i915_pciids.h @@ -37,7 +37,7 @@ @@ -86982,7 +86890,7 @@ index ac8b333..59c3692 100644 struct snd_soc_dai_link_component { const char *name; diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h -index 4a8795a..53d8119 100644 +index 672150b..9d4bec4 100644 --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h @@ -767,7 +767,7 @@ struct se_device { @@ -92577,7 +92485,7 @@ index 0bcebff..e7cd5b2 100644 } __initcall(ioresources_init); diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c -index 8a2e230..6020954 100644 +index eae160d..c9aa22e 100644 --- a/kernel/sched/auto_group.c +++ b/kernel/sched/auto_group.c @@ -11,7 +11,7 @@ @@ -92630,10 +92538,10 @@ index 607f852..486bc87 100644 unsigned long timeout) { diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index 5eab11d..537f3b6 100644 +index 44dfc8b..56d160d 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c -@@ -1897,7 +1897,7 @@ void set_numabalancing_state(bool enabled) +@@ -1902,7 +1902,7 @@ void set_numabalancing_state(bool enabled) int sysctl_numa_balancing(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -92642,7 +92550,7 @@ index 5eab11d..537f3b6 100644 int err; int state = numabalancing_enabled; -@@ -2347,8 +2347,10 @@ context_switch(struct rq *rq, struct task_struct *prev, +@@ -2352,8 +2352,10 @@ context_switch(struct rq *rq, struct task_struct *prev, next->active_mm = oldmm; atomic_inc(&oldmm->mm_count); enter_lazy_tlb(oldmm, next); @@ -92654,7 +92562,7 @@ index 5eab11d..537f3b6 100644 if (!prev->mm) { prev->active_mm = NULL; -@@ -3147,6 +3149,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -3152,6 +3154,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = nice_to_rlimit(nice); @@ -92663,7 +92571,7 @@ index 5eab11d..537f3b6 100644 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || capable(CAP_SYS_NICE)); } -@@ -3173,7 +3177,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -3178,7 +3182,8 @@ SYSCALL_DEFINE1(nice, int, increment) nice = task_nice(current) + increment; nice = clamp_val(nice, MIN_NICE, MAX_NICE); @@ -92673,7 +92581,7 @@ index 5eab11d..537f3b6 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -3468,6 +3473,7 @@ recheck: +@@ -3473,6 +3478,7 @@ recheck: if (policy != p->policy && !rlim_rtprio) return -EPERM; @@ -92681,7 +92589,7 @@ index 5eab11d..537f3b6 100644 /* can't increase priority */ if (attr->sched_priority > p->rt_priority && attr->sched_priority > rlim_rtprio) -@@ -4968,6 +4974,7 @@ void idle_task_exit(void) +@@ -4973,6 +4979,7 @@ void idle_task_exit(void) if (mm != &init_mm) { switch_mm(mm, &init_mm, current); @@ -92689,7 +92597,7 @@ index 5eab11d..537f3b6 100644 finish_arch_post_lock_switch(); } mmdrop(mm); -@@ -5063,7 +5070,7 @@ static void migrate_tasks(unsigned int dead_cpu) +@@ -5068,7 +5075,7 @@ static void migrate_tasks(unsigned int dead_cpu) #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL) @@ -92698,7 +92606,7 @@ index 5eab11d..537f3b6 100644 { .procname = "sched_domain", .mode = 0555, -@@ -5080,17 +5087,17 @@ static struct ctl_table sd_ctl_root[] = { +@@ -5085,17 +5092,17 @@ static struct ctl_table sd_ctl_root[] = { {} }; @@ -92720,7 +92628,7 @@ index 5eab11d..537f3b6 100644 /* * In the intermediate directories, both the child directory and -@@ -5098,22 +5105,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) +@@ -5103,22 +5110,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) * will always be set. In the lowest directory the names are * static strings and all have proc handlers. */ @@ -92752,7 +92660,7 @@ index 5eab11d..537f3b6 100644 const char *procname, void *data, int maxlen, umode_t mode, proc_handler *proc_handler, bool load_idx) -@@ -5133,7 +5143,7 @@ set_table_entry(struct ctl_table *entry, +@@ -5138,7 +5148,7 @@ set_table_entry(struct ctl_table *entry, static struct ctl_table * sd_alloc_ctl_domain_table(struct sched_domain *sd) { @@ -92761,7 +92669,7 @@ index 5eab11d..537f3b6 100644 if (table == NULL) return NULL; -@@ -5171,9 +5181,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) +@@ -5176,9 +5186,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) return table; } @@ -92773,7 +92681,7 @@ index 5eab11d..537f3b6 100644 struct sched_domain *sd; int domain_num = 0, i; char buf[32]; -@@ -5200,11 +5210,13 @@ static struct ctl_table_header *sd_sysctl_header; +@@ -5205,11 +5215,13 @@ static struct ctl_table_header *sd_sysctl_header; static void register_sched_domain_sysctl(void) { int i, cpu_num = num_possible_cpus(); @@ -92788,7 +92696,7 @@ index 5eab11d..537f3b6 100644 if (entry == NULL) return; -@@ -5227,8 +5239,12 @@ static void unregister_sched_domain_sysctl(void) +@@ -5232,8 +5244,12 @@ static void unregister_sched_domain_sysctl(void) if (sd_sysctl_header) unregister_sysctl_table(sd_sysctl_header); sd_sysctl_header = NULL; @@ -93255,7 +93163,7 @@ index ea9c881..2194af5 100644 if (!retval) { if (old_rlim) diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 137c7f6..eab3b1a 100644 +index 88ea2d6..88acc77 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -94,7 +94,6 @@ @@ -93412,7 +93320,7 @@ index 137c7f6..eab3b1a 100644 }, { .procname = "perf_event_mlock_kb", -@@ -1343,6 +1384,13 @@ static struct ctl_table vm_table[] = { +@@ -1340,6 +1381,13 @@ static struct ctl_table vm_table[] = { .proc_handler = proc_dointvec_minmax, .extra1 = &zero, }, @@ -93426,7 +93334,7 @@ index 137c7f6..eab3b1a 100644 #else { .procname = "nr_trim_pages", -@@ -1825,6 +1873,16 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -1822,6 +1870,16 @@ int proc_dostring(struct ctl_table *table, int write, (char __user *)buffer, lenp, ppos); } @@ -93443,7 +93351,7 @@ index 137c7f6..eab3b1a 100644 static size_t proc_skip_spaces(char **buf) { size_t ret; -@@ -1930,6 +1988,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, +@@ -1927,6 +1985,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, len = strlen(tmp); if (len > *size) len = *size; @@ -93452,7 +93360,7 @@ index 137c7f6..eab3b1a 100644 if (copy_to_user(*buf, tmp, len)) return -EFAULT; *size -= len; -@@ -2107,7 +2167,7 @@ int proc_dointvec(struct ctl_table *table, int write, +@@ -2104,7 +2164,7 @@ int proc_dointvec(struct ctl_table *table, int write, static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -93461,7 +93369,7 @@ index 137c7f6..eab3b1a 100644 unsigned long tmptaint = get_taint(); int err; -@@ -2135,7 +2195,6 @@ static int proc_taint(struct ctl_table *table, int write, +@@ -2132,7 +2192,6 @@ static int proc_taint(struct ctl_table *table, int write, return err; } @@ -93469,7 +93377,7 @@ index 137c7f6..eab3b1a 100644 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2144,7 +2203,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, +@@ -2141,7 +2200,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, return proc_dointvec_minmax(table, write, buffer, lenp, ppos); } @@ -93477,7 +93385,7 @@ index 137c7f6..eab3b1a 100644 struct do_proc_dointvec_minmax_conv_param { int *min; -@@ -2704,6 +2762,12 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -2701,6 +2759,12 @@ int proc_dostring(struct ctl_table *table, int write, return -ENOSYS; } @@ -93490,7 +93398,7 @@ index 137c7f6..eab3b1a 100644 int proc_dointvec(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2760,5 +2824,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); +@@ -2757,5 +2821,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); EXPORT_SYMBOL(proc_dointvec_ms_jiffies); EXPORT_SYMBOL(proc_dostring); @@ -95564,7 +95472,7 @@ index 123bcd3..0de52ba 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index c49586f..41e5fd9 100644 +index 267e419..394bed9 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2258,6 +2258,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, @@ -95611,7 +95519,7 @@ index c49586f..41e5fd9 100644 if (ret) goto out; -@@ -2797,6 +2801,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2798,6 +2802,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, i_mmap_unlock_write(mapping); } @@ -95639,7 +95547,7 @@ index c49586f..41e5fd9 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. * Called with hugetlb_instantiation_mutex held and pte_page locked so we -@@ -2909,6 +2934,11 @@ retry_avoidcopy: +@@ -2910,6 +2935,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -95651,7 +95559,7 @@ index c49586f..41e5fd9 100644 /* Make the old page be freed below */ new_page = old_page; } -@@ -3069,6 +3099,10 @@ retry: +@@ -3070,6 +3100,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -95662,9 +95570,9 @@ index c49586f..41e5fd9 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl); -@@ -3135,6 +3169,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, - struct hstate *h = hstate_vma(vma); +@@ -3137,6 +3171,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, struct address_space *mapping; + int need_wait_lock = 0; +#ifdef CONFIG_PAX_SEGMEXEC + struct vm_area_struct *vma_m; @@ -95673,7 +95581,7 @@ index c49586f..41e5fd9 100644 address &= huge_page_mask(h); ptep = huge_pte_offset(mm, address); -@@ -3148,6 +3186,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3150,6 +3188,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(hstate_index(h)); } @@ -95846,7 +95754,7 @@ index a271adc..831d82f 100644 if (end == start) return error; diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index feb803b..d382029 100644 +index 20c29dd..22bd8e2 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0; @@ -95952,7 +95860,7 @@ index feb803b..d382029 100644 return 0; } -@@ -1661,7 +1661,7 @@ static int __soft_offline_page(struct page *page, int flags) +@@ -1659,7 +1659,7 @@ static int __soft_offline_page(struct page *page, int flags) if (!is_free_buddy_page(page)) pr_info("soft offline: %#lx: page leaked\n", pfn); @@ -95961,7 +95869,7 @@ index feb803b..d382029 100644 } } else { pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n", -@@ -1731,11 +1731,11 @@ int soft_offline_page(struct page *page, int flags) +@@ -1729,11 +1729,11 @@ int soft_offline_page(struct page *page, int flags) if (PageHuge(page)) { set_page_hwpoison_huge_page(hpage); dequeue_hwpoisoned_huge_page(hpage); @@ -95976,7 +95884,7 @@ index feb803b..d382029 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index 2c3536c..e800104 100644 +index 6aa7822..3c76005 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -414,6 +414,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -96799,7 +96707,7 @@ index 73cf098..ab547c7 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 7f684d5..bb9333f 100644 +index e5cc3ca..bb9333f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -41,6 +41,7 @@ @@ -96864,24 +96772,6 @@ index 7f684d5..bb9333f 100644 /* * Make sure vm_committed_as in one cacheline and not cacheline shared with * other variables. It can be updated by several CPUs frequently. -@@ -152,7 +173,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed); - */ - int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - { -- unsigned long free, allowed, reserve; -+ long free, allowed, reserve; - - VM_WARN_ONCE(percpu_counter_read(&vm_committed_as) < - -(s64)vm_committed_as_batch * num_online_cpus(), -@@ -220,7 +241,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - */ - if (mm) { - reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10); -- allowed -= min(mm->total_vm / 32, reserve); -+ allowed -= min_t(long, mm->total_vm / 32, reserve); - } - - if (percpu_counter_read_positive(&vm_committed_as) < allowed) @@ -274,6 +295,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) struct vm_area_struct *next = vma->vm_next; @@ -98409,7 +98299,7 @@ index 17fa018..6f7892b 100644 out: if (ret & ~PAGE_MASK) diff --git a/mm/nommu.c b/mm/nommu.c -index 28bd8c4..98a6fe3 100644 +index ae5baae..cbb2ed5 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -71,7 +71,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT; @@ -98436,7 +98326,7 @@ index 28bd8c4..98a6fe3 100644 * expand a stack to a given address * - not supported under NOMMU conditions */ -@@ -1562,6 +1552,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -1560,6 +1550,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, /* most fields are the same, copy all, and then fixup */ *new = *vma; @@ -98444,25 +98334,7 @@ index 28bd8c4..98a6fe3 100644 *region = *vma->vm_region; new->vm_region = region; -@@ -1895,7 +1886,7 @@ EXPORT_SYMBOL(unmap_mapping_range); - */ - int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - { -- unsigned long free, allowed, reserve; -+ long free, allowed, reserve; - - vm_acct_memory(pages); - -@@ -1959,7 +1950,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) - */ - if (mm) { - reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10); -- allowed -= min(mm->total_vm / 32, reserve); -+ allowed -= min_t(long, mm->total_vm / 32, reserve); - } - - if (percpu_counter_read_positive(&vm_committed_as) < allowed) -@@ -1992,8 +1983,8 @@ int generic_file_remap_pages(struct vm_area_struct *vma, unsigned long addr, +@@ -1990,8 +1981,8 @@ int generic_file_remap_pages(struct vm_area_struct *vma, unsigned long addr, } EXPORT_SYMBOL(generic_file_remap_pages); @@ -98473,7 +98345,7 @@ index 28bd8c4..98a6fe3 100644 { struct vm_area_struct *vma; -@@ -2034,8 +2025,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -2032,8 +2023,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ @@ -98484,7 +98356,7 @@ index 28bd8c4..98a6fe3 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -2044,7 +2035,7 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -2042,7 +2033,7 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Access another process' address space. * - source/target buffer must be kernel space */ @@ -98507,7 +98379,7 @@ index 6f43352..e44bf41 100644 unsigned long bg_thresh, unsigned long dirty, diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 8e20f9c..e235009 100644 +index 8bbef06..a8d1989 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -60,6 +60,7 @@ @@ -98612,7 +98484,7 @@ index 8e20f9c..e235009 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); -@@ -1702,7 +1742,7 @@ again: +@@ -1700,7 +1740,7 @@ again: } __mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order)); @@ -98621,7 +98493,7 @@ index 8e20f9c..e235009 100644 !test_bit(ZONE_FAIR_DEPLETED, &zone->flags)) set_bit(ZONE_FAIR_DEPLETED, &zone->flags); -@@ -2023,7 +2063,7 @@ static void reset_alloc_batches(struct zone *preferred_zone) +@@ -2021,7 +2061,7 @@ static void reset_alloc_batches(struct zone *preferred_zone) do { mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -98630,24 +98502,7 @@ index 8e20f9c..e235009 100644 clear_bit(ZONE_FAIR_DEPLETED, &zone->flags); } while (zone++ != preferred_zone); } -@@ -2382,8 +2422,15 @@ __alloc_pages_may_oom(gfp_t gfp_mask, unsigned int order, - if (high_zoneidx < ZONE_NORMAL) - goto out; - /* The OOM killer does not compensate for light reclaim */ -- if (!(gfp_mask & __GFP_FS)) -+ if (!(gfp_mask & __GFP_FS)) { -+ /* -+ * XXX: Page reclaim didn't yield anything, -+ * and the OOM killer can't be invoked, but -+ * keep looping as per should_alloc_retry(). -+ */ -+ *did_some_progress = 1; - goto out; -+ } - /* - * GFP_THISNODE contains __GFP_NORETRY and we never hit this. - * Sanity check for bare calls of __GFP_THISNODE, not real OOM. -@@ -5776,7 +5823,7 @@ static void __setup_per_zone_wmarks(void) +@@ -5781,7 +5821,7 @@ static void __setup_per_zone_wmarks(void) __mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -100508,7 +100363,7 @@ index 39c3388..7d976d4 100644 if (v->nr_pages) seq_printf(m, " pages=%d", v->nr_pages); diff --git a/mm/vmstat.c b/mm/vmstat.c -index 1284f89..2e895e31 100644 +index cdac773..7dd324e 100644 --- a/mm/vmstat.c +++ b/mm/vmstat.c @@ -24,6 +24,7 @@ @@ -101261,10 +101116,20 @@ index 67a4a36..8d28068 100644 .priv_size = sizeof(struct chnl_net), .setup = ipcaif_net_setup, diff --git a/net/can/af_can.c b/net/can/af_can.c -index 66e0804..da61b8f 100644 +index 66e0804..93bcf05 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c -@@ -881,7 +881,7 @@ static const struct net_proto_family can_family_ops = { +@@ -259,6 +259,9 @@ int can_send(struct sk_buff *skb, int loop) + goto inval_skb; + } + ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_reset_transport_header(skb); + +@@ -881,7 +884,7 @@ static const struct net_proto_family can_family_ops = { }; /* notifier block for netdevice event */ @@ -101353,7 +101218,7 @@ index 33a2f20..371bd09 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index 3236b41..7d8687f 100644 +index 94d3d5e..2bd2649 100644 --- a/net/compat.c +++ b/net/compat.c @@ -93,20 +93,20 @@ ssize_t get_compat_msghdr(struct msghdr *kmsg, @@ -101452,7 +101317,7 @@ index 3236b41..7d8687f 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -777,7 +777,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) +@@ -768,7 +768,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -101475,7 +101340,7 @@ index df493d6..1145766 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 7fe8292..133045e 100644 +index 4ff46f8..e877e78 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1680,14 +1680,14 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -101606,7 +101471,7 @@ index ec9baea..dd6195d 100644 fp->len = fprog->len; /* Since unattached filters are not copied back to user diff --git a/net/core/flow.c b/net/core/flow.c -index a0348fd..340f65d 100644 +index 1033725..340f65d 100644 --- a/net/core/flow.c +++ b/net/core/flow.c @@ -65,7 +65,7 @@ static void flow_cache_new_hashrnd(unsigned long arg) @@ -101636,15 +101501,6 @@ index a0348fd..340f65d 100644 if (!IS_ERR(flo)) fle->object = flo; else -@@ -379,7 +379,7 @@ done: - static void flow_cache_flush_task(struct work_struct *work) - { - struct netns_xfrm *xfrm = container_of(work, struct netns_xfrm, -- flow_cache_gc_work); -+ flow_cache_flush_work); - struct net *net = container_of(xfrm, struct net, xfrm); - - flow_cache_flush(net); diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 8d614c9..55752ea 100644 --- a/net/core/neighbour.c @@ -101794,10 +101650,10 @@ index e0ad5d1..04fa7f7 100644 iph->ttl = 64; iph->protocol = IPPROTO_UDP; diff --git a/net/core/pktgen.c b/net/core/pktgen.c -index da934fc..d82fded 100644 +index 352d183..1bddfaf 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c -@@ -3752,7 +3752,7 @@ static int __net_init pg_net_init(struct net *net) +@@ -3755,7 +3755,7 @@ static int __net_init pg_net_init(struct net *net) pn->net = net; INIT_LIST_HEAD(&pn->pktgen_threads); pn->pktgen_exiting = false; @@ -101807,7 +101663,7 @@ index da934fc..d82fded 100644 pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR); return -ENODEV; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 446cbaf..255153c 100644 +index 76ec6c5..9cfb81c 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -60,7 +60,7 @@ struct rtnl_link { @@ -101854,7 +101710,7 @@ index 446cbaf..255153c 100644 goto nla_put_failure; if (1) { -@@ -2102,6 +2105,10 @@ replay: +@@ -2094,6 +2097,10 @@ replay: if (IS_ERR(dest_net)) return PTR_ERR(dest_net); @@ -101906,7 +101762,7 @@ index 3b6899b..cf36238 100644 { struct socket *sock; diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 395c15b..7f39726 100644 +index 62c67be..01893a0a 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2123,7 +2123,7 @@ EXPORT_SYMBOL(__skb_checksum); @@ -102130,10 +101986,19 @@ index ad704c7..ca48aff 100644 } EXPORT_SYMBOL_GPL(sock_diag_unregister); diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c -index 31baba2..c71485b 100644 +index 31baba2..754e2e5 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c -@@ -34,7 +34,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, +@@ -25,6 +25,8 @@ + static int zero = 0; + static int one = 1; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + static int net_msg_warn; /* Unused, but still a sysctl */ + +@@ -34,7 +36,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, { unsigned int orig_size, size; int ret, i; @@ -102142,7 +102007,7 @@ index 31baba2..c71485b 100644 .data = &size, .maxlen = sizeof(size), .mode = table->mode -@@ -202,7 +202,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, +@@ -202,7 +204,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { char id[IFNAMSIZ]; @@ -102151,7 +102016,7 @@ index 31baba2..c71485b 100644 .data = id, .maxlen = IFNAMSIZ, }; -@@ -220,7 +220,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, +@@ -220,7 +222,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, static int proc_do_rss_key(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -102160,7 +102025,43 @@ index 31baba2..c71485b 100644 char buf[NETDEV_RSS_KEY_LEN * 3]; snprintf(buf, sizeof(buf), "%*phC", NETDEV_RSS_KEY_LEN, netdev_rss_key); -@@ -284,7 +284,7 @@ static struct ctl_table net_core_table[] = { +@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", +@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", +@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", +@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", +@@ -284,7 +286,7 @@ static struct ctl_table net_core_table[] = { .mode = 0444, .proc_handler = proc_do_rss_key, }, @@ -102169,7 +102070,7 @@ index 31baba2..c71485b 100644 { .procname = "bpf_jit_enable", .data = &bpf_jit_enable, -@@ -400,13 +400,12 @@ static struct ctl_table netns_core_table[] = { +@@ -400,13 +402,12 @@ static struct ctl_table netns_core_table[] = { static __net_init int sysctl_core_net_init(struct net *net) { @@ -102185,7 +102086,7 @@ index 31baba2..c71485b 100644 if (tbl == NULL) goto err_dup; -@@ -416,17 +415,16 @@ static __net_init int sysctl_core_net_init(struct net *net) +@@ -416,17 +417,16 @@ static __net_init int sysctl_core_net_init(struct net *net) if (net->user_ns != &init_user_ns) { tbl[0].procname = NULL; } @@ -102207,7 +102108,7 @@ index 31baba2..c71485b 100644 err_dup: return -ENOMEM; } -@@ -441,7 +439,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) +@@ -441,7 +441,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) kfree(tbl); } @@ -102478,6 +102379,42 @@ index f99f41b..1879da9 100644 return nh->nh_saddr; } +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index e34dccb..4eeba4e 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler( + mutex_unlock(&inet_diag_table_mutex); + } + ++static size_t inet_sk_attr_size(void) ++{ ++ return nla_total_size(sizeof(struct tcp_info)) ++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) ++ + nla_total_size(sizeof(struct inet_diag_msg)) ++ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) ++ + nla_total_size(TCP_CA_NAME_MAX) ++ + nla_total_size(sizeof(struct tcpvegas_info)) ++ + 64; ++} ++ + int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, + struct sk_buff *skb, struct inet_diag_req_v2 *req, + struct user_namespace *user_ns, +@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s + if (err) + goto out; + +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + +- sizeof(struct tcp_info) + 64, GFP_KERNEL); ++ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); + if (!rep) { + err = -ENOMEM; + goto out; diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 9111a4e..3576905 100644 --- a/net/ipv4/inet_hashtables.c @@ -102522,7 +102459,7 @@ index 241afd7..31b95d5 100644 p->rate_tokens = 0; /* 60*HZ is arbitrary, but chosen enough high so that the first diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c -index e5b6d0d..187c8b0 100644 +index 145a50c..5dd8cc5 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -268,7 +268,7 @@ static int ip_frag_too_far(struct ipq *qp) @@ -102534,7 +102471,7 @@ index e5b6d0d..187c8b0 100644 qp->rid = end; rc = qp->q.fragments && (end - start) > max; -@@ -745,12 +745,11 @@ static struct ctl_table ip4_frags_ctl_table[] = { +@@ -748,12 +748,11 @@ static struct ctl_table ip4_frags_ctl_table[] = { static int __net_init ip4_frags_ns_ctl_register(struct net *net) { @@ -102549,7 +102486,7 @@ index e5b6d0d..187c8b0 100644 if (table == NULL) goto err_alloc; -@@ -764,9 +763,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) +@@ -767,9 +766,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) /* Don't export sysctls to unprivileged users */ if (net->user_ns != &init_user_ns) table[0].procname = NULL; @@ -102562,7 +102499,7 @@ index e5b6d0d..187c8b0 100644 if (hdr == NULL) goto err_reg; -@@ -774,8 +774,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) +@@ -777,8 +777,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) return 0; err_reg: @@ -102838,7 +102775,7 @@ index e90f83a..3e6acca 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 2a3720f..d32b565 100644 +index 0ae28f5..d32b565 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { @@ -102850,38 +102787,7 @@ index 2a3720f..d32b565 100644 EXPORT_SYMBOL_GPL(pingv6_ops); static u16 ping_port_rover; -@@ -259,6 +259,9 @@ int ping_init_sock(struct sock *sk) - kgid_t low, high; - int ret = 0; - -+ if (sk->sk_family == AF_INET6) -+ sk->sk_ipv6only = 1; -+ - inet_get_ping_group_range_net(net, &low, &high); - if (gid_lte(low, group) && gid_lte(group, high)) - return 0; -@@ -305,6 +308,11 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, - if (addr_len < sizeof(*addr)) - return -EINVAL; - -+ if (addr->sin_family != AF_INET && -+ !(addr->sin_family == AF_UNSPEC && -+ addr->sin_addr.s_addr == htonl(INADDR_ANY))) -+ return -EAFNOSUPPORT; -+ - pr_debug("ping_check_bind_addr(sk=%p,addr=%pI4,port=%d)\n", - sk, &addr->sin_addr.s_addr, ntohs(addr->sin_port)); - -@@ -330,7 +338,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, - return -EINVAL; - - if (addr->sin6_family != AF_INET6) -- return -EINVAL; -+ return -EAFNOSUPPORT; - - pr_debug("ping_check_bind_addr(sk=%p,addr=%pI6c,port=%d)\n", - sk, addr->sin6_addr.s6_addr, ntohs(addr->sin6_port)); -@@ -350,7 +358,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, +@@ -358,7 +358,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, return -ENODEV; } } @@ -102890,7 +102796,7 @@ index 2a3720f..d32b565 100644 scoped); rcu_read_unlock(); -@@ -558,7 +566,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -566,7 +566,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) } #if IS_ENABLED(CONFIG_IPV6) } else if (skb->protocol == htons(ETH_P_IPV6)) { @@ -102899,7 +102805,7 @@ index 2a3720f..d32b565 100644 #endif } -@@ -576,7 +584,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -584,7 +584,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) info, (u8 *)icmph); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -102908,16 +102814,7 @@ index 2a3720f..d32b565 100644 info, (u8 *)icmph); #endif } -@@ -716,7 +724,7 @@ static int ping_v4_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - if (msg->msg_namelen < sizeof(*usin)) - return -EINVAL; - if (usin->sin_family != AF_INET) -- return -EINVAL; -+ return -EAFNOSUPPORT; - daddr = usin->sin_addr.s_addr; - /* no remote port */ - } else { -@@ -911,10 +919,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -919,10 +919,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, } if (inet6_sk(sk)->rxopt.all) @@ -102930,7 +102827,7 @@ index 2a3720f..d32b565 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1109,7 +1117,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1117,7 +1117,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -103548,7 +103445,7 @@ index 6156f68..d6ab46d 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index f7c8bbe..534fa31 100644 +index dac9419..534fa31 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -171,7 +171,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { @@ -103621,30 +103518,7 @@ index f7c8bbe..534fa31 100644 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; head = &net->dev_index_head[h]; -@@ -4572,6 +4579,22 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token) - return 0; - } - -+static const struct nla_policy inet6_af_policy[IFLA_INET6_MAX + 1] = { -+ [IFLA_INET6_ADDR_GEN_MODE] = { .type = NLA_U8 }, -+ [IFLA_INET6_TOKEN] = { .len = sizeof(struct in6_addr) }, -+}; -+ -+static int inet6_validate_link_af(const struct net_device *dev, -+ const struct nlattr *nla) -+{ -+ struct nlattr *tb[IFLA_INET6_MAX + 1]; -+ -+ if (dev && !__in6_dev_get(dev)) -+ return -EAFNOSUPPORT; -+ -+ return nla_parse_nested(tb, IFLA_INET6_MAX, nla, inet6_af_policy); -+} -+ - static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla) - { - int err = -EINVAL; -@@ -4824,7 +4847,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) +@@ -4840,7 +4847,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) rt_genid_bump_ipv6(net); break; } @@ -103653,7 +103527,7 @@ index f7c8bbe..534fa31 100644 } static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) -@@ -4844,7 +4867,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, +@@ -4860,7 +4867,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -103662,7 +103536,7 @@ index f7c8bbe..534fa31 100644 int ret; /* -@@ -4929,7 +4952,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, +@@ -4945,7 +4952,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -103671,14 +103545,6 @@ index f7c8bbe..534fa31 100644 int ret; /* -@@ -5393,6 +5416,7 @@ static struct rtnl_af_ops inet6_ops = { - .family = AF_INET6, - .fill_link_af = inet6_fill_link_af, - .get_link_af_size = inet6_get_link_af_size, -+ .validate_link_af = inet6_validate_link_af, - .set_link_af = inet6_set_link_af, - }; - diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index e8c4400..a4cd5da 100644 --- a/net/ipv6/af_inet6.c @@ -103923,23 +103789,10 @@ index 6f187c8..34b367f 100644 return -ENOMEM; } diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c -index 2d31483..47aba96 100644 +index fe7e3e4..47aba96 100644 --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c -@@ -102,9 +102,10 @@ int ping_v6_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - - if (msg->msg_name) { - DECLARE_SOCKADDR(struct sockaddr_in6 *, u, msg->msg_name); -- if (msg->msg_namelen < sizeof(struct sockaddr_in6) || -- u->sin6_family != AF_INET6) { -+ if (msg->msg_namelen < sizeof(*u)) - return -EINVAL; -+ if (u->sin6_family != AF_INET6) { -+ return -EAFNOSUPPORT; - } - if (sk->sk_bound_dev_if && - sk->sk_bound_dev_if != u->sin6_scope_id) { -@@ -241,6 +242,24 @@ static struct pernet_operations ping_v6_net_ops = { +@@ -242,6 +242,24 @@ static struct pernet_operations ping_v6_net_ops = { }; #endif @@ -103964,7 +103817,7 @@ index 2d31483..47aba96 100644 int __init pingv6_init(void) { #ifdef CONFIG_PROC_FS -@@ -248,13 +267,7 @@ int __init pingv6_init(void) +@@ -249,13 +267,7 @@ int __init pingv6_init(void) if (ret) return ret; #endif @@ -103979,7 +103832,7 @@ index 2d31483..47aba96 100644 return inet6_register_protosw(&pingv6_protosw); } -@@ -263,14 +276,9 @@ int __init pingv6_init(void) +@@ -264,14 +276,9 @@ int __init pingv6_init(void) */ void pingv6_exit(void) { @@ -104126,7 +103979,7 @@ index d7d70e6..bd5e9fc 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 49596535..663a24a 100644 +index 1528d84..f393960 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2978,7 +2978,7 @@ struct ctl_table ipv6_route_table_template[] = { @@ -104351,7 +104204,7 @@ index c1d247e..9e5949d 100644 if (!ipx_proc_dir) goto out; diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c -index 40695b9..c1f2cef 100644 +index 4efe486..dee966e 100644 --- a/net/irda/ircomm/ircomm_tty.c +++ b/net/irda/ircomm/ircomm_tty.c @@ -310,10 +310,10 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self, @@ -104406,7 +104259,7 @@ index 40695b9..c1f2cef 100644 /* Not really used by us, but lets do it anyway */ self->port.low_latency = (self->port.flags & ASYNC_LOW_LATENCY) ? 1 : 0; -@@ -959,7 +959,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty) +@@ -961,7 +961,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty) tty_kref_put(port->tty); } port->tty = NULL; @@ -104415,7 +104268,7 @@ index 40695b9..c1f2cef 100644 spin_unlock_irqrestore(&port->lock, flags); wake_up_interruptible(&port->open_wait); -@@ -1306,7 +1306,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m) +@@ -1308,7 +1308,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m) seq_putc(m, '\n'); seq_printf(m, "Role: %s\n", self->client ? "client" : "server"); @@ -104760,18 +104613,6 @@ index d53355b..21f583a 100644 return -EBUSY; if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) { -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index 058686a..097821b 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -566,6 +566,7 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx) - if (tx->sdata->control_port_no_encrypt) - info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT; - info->control.flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO; -+ info->flags |= IEEE80211_TX_CTL_USE_MINRATE; - } - - return TX_CONTINUE; diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 974ebe7..57bcd3c 100644 --- a/net/mac80211/util.c @@ -105296,10 +105137,10 @@ index 1786968..1ec6dac 100644 remove_proc_entry("ipt_hashlimit", net->proc_net); return -ENOMEM; diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c -index 30dbe34..9d0ad70 100644 +index a9faae8..1ea30e0 100644 --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c -@@ -643,7 +643,7 @@ static int __net_init recent_proc_net_init(struct net *net) +@@ -615,7 +615,7 @@ static int __net_init recent_proc_net_init(struct net *net) { struct recent_net *recent_net = recent_pernet(net); @@ -105421,7 +105262,7 @@ index 2034c6d..1a24f03 100644 } diff --git a/net/openvswitch/vport.h b/net/openvswitch/vport.h -index 99c8e71..0028a24 100644 +index 8a057d7..b5710c8 100644 --- a/net/openvswitch/vport.h +++ b/net/openvswitch/vport.h @@ -71,10 +71,10 @@ int ovs_vport_get_egress_tun_info(struct vport *vport, struct sk_buff *skb, @@ -105650,6 +105491,94 @@ index a91e1db..cf3053f 100644 #else ic->i_ack_next = 0; #endif +diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c +index a817705..dba8d08 100644 +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c index a66d179..cf1e258 100644 --- a/net/rds/iw_recv.c @@ -106217,7 +106146,7 @@ index 2e9ada1..40f425d 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index 418795c..c860724 100644 +index 418795c..c33fa46 100644 --- a/net/socket.c +++ b/net/socket.c @@ -89,6 +89,7 @@ @@ -106391,7 +106320,16 @@ index 418795c..c860724 100644 SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, unsigned int, flags, struct sockaddr __user *, addr, int, addr_len) -@@ -1817,7 +1882,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, +@@ -1765,6 +1830,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, + + if (len > INT_MAX) + len = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_READ, buff, len))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +@@ -1817,12 +1884,14 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, struct socket *sock; struct iovec iov; struct msghdr msg; @@ -106400,7 +106338,14 @@ index 418795c..c860724 100644 int err, err2; int fput_needed; -@@ -2065,7 +2130,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, + if (size > INT_MAX) + size = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +@@ -2065,7 +2134,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -106409,7 +106354,7 @@ index 418795c..c860724 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2216,7 +2281,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, +@@ -2216,7 +2285,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, ssize_t err; /* kernel mode address */ @@ -106418,7 +106363,7 @@ index 418795c..c860724 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2862,7 +2927,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2862,7 +2931,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) ifr = compat_alloc_user_space(buf_size); rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8); @@ -106427,7 +106372,7 @@ index 418795c..c860724 100644 return -EFAULT; if (put_user(convert_in ? rxnfc : compat_ptr(data), -@@ -2973,7 +3038,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2973,7 +3042,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -106436,7 +106381,7 @@ index 418795c..c860724 100644 set_fs(old_fs); return err; -@@ -3066,7 +3131,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3066,7 +3135,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -106445,7 +106390,7 @@ index 418795c..c860724 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3150,7 +3215,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3150,7 +3219,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -106454,7 +106399,7 @@ index 418795c..c860724 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3377,8 +3442,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3377,8 +3446,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -106465,7 +106410,7 @@ index 418795c..c860724 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3398,7 +3463,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3398,7 +3467,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -106497,18 +106442,9 @@ index 224a82f..7a42b51 100644 /* make a copy for the caller */ *handle = ctxh; diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c -index 33fb105..567a54c 100644 +index 5199bb1..567a54c 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c -@@ -921,7 +921,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait, - poll_wait(filp, &queue_wait, wait); - - /* alway allow write */ -- mask = POLL_OUT | POLLWRNORM; -+ mask = POLLOUT | POLLWRNORM; - - if (!rp) - return mask; @@ -1595,7 +1595,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net) struct sunrpc_net *sn; @@ -109688,10 +109624,10 @@ index 2d957ba..fda022c 100644 if (err < 0) return err; diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c -index 095d957..0659fdf 100644 +index 64d9863..969034b 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c -@@ -2954,11 +2954,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, +@@ -2956,11 +2956,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, switch (substream->stream) { case SNDRV_PCM_STREAM_PLAYBACK: result = snd_pcm_playback_ioctl1(NULL, substream, cmd, @@ -109913,10 +109849,10 @@ index 464385a..46ab3f6 100644 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS]; }; diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c -index 0d58018..6acc136 100644 +index 911341b..bd18b63 100644 --- a/sound/firewire/amdtp.c +++ b/sound/firewire/amdtp.c -@@ -574,7 +574,7 @@ static void update_pcm_pointers(struct amdtp_stream *s, +@@ -573,7 +573,7 @@ static void update_pcm_pointers(struct amdtp_stream *s, ptr = s->pcm_buffer_pointer + frames; if (ptr >= pcm->runtime->buffer_size) ptr -= pcm->runtime->buffer_size; @@ -109925,7 +109861,7 @@ index 0d58018..6acc136 100644 s->pcm_period_pointer += frames; if (s->pcm_period_pointer >= pcm->runtime->period_size) { -@@ -1014,7 +1014,7 @@ EXPORT_SYMBOL(amdtp_stream_pcm_pointer); +@@ -1013,7 +1013,7 @@ EXPORT_SYMBOL(amdtp_stream_pcm_pointer); */ void amdtp_stream_update(struct amdtp_stream *s) { @@ -116221,10 +116157,10 @@ index 0000000..b8e7188 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..045070e +index 0000000..d9762e1 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,27707 @@ +@@ -0,0 +1,27710 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL nohasharray +iwl_set_tx_power_1 iwl_set_tx_power 0 1 &intel_fake_agp_alloc_by_type_1 +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL @@ -123734,6 +123670,7 @@ index 0000000..045070e +copy_out_args_17816 copy_out_args 0 17816 NULL +generic_validate_add_page_17818 generic_validate_add_page 0 17818 NULL +_snd_pcm_lib_alloc_vmalloc_buffer_17820 _snd_pcm_lib_alloc_vmalloc_buffer 2 17820 NULL ++gnet_stats_copy_app_17821 gnet_stats_copy_app 3 17821 NULL +regmap_i2c_gather_write_17823 regmap_i2c_gather_write 0 17823 NULL +jme_request_irq_17824 jme_request_irq 0 17824 NULL +velocity_init_td_ring_17825 velocity_init_td_ring 0 17825 NULL @@ -128249,6 +128186,7 @@ index 0000000..045070e +adp5520_bl_office_max_store_28316 adp5520_bl_office_max_store 4-0 28316 NULL +snd_pcm_oss_read_28317 snd_pcm_oss_read 3-0 28317 NULL nohasharray +il4965_show_temperature_28317 il4965_show_temperature 0 28317 &snd_pcm_oss_read_28317 ++generic_access_phys_28318 generic_access_phys 4-2 28318 NULL +fc2580_set_params_28319 fc2580_set_params 0 28319 NULL +filldir64_28323 filldir64 3 28323 NULL +card_send_command_28325 card_send_command 0 28325 NULL nohasharray @@ -131630,7 +131568,8 @@ index 0000000..045070e +v9fs_xattr_set_36173 v9fs_xattr_set 0 36173 &snd_rme96_playback_trigger_36173 +xilly_get_dma_buffers_36174 xilly_get_dma_buffers 4 36174 NULL +try_or_set_cluster_36176 try_or_set_cluster 0 36176 NULL nohasharray -+__sync_dirty_buffer_36176 __sync_dirty_buffer 0 36176 &try_or_set_cluster_36176 ++__sync_dirty_buffer_36176 __sync_dirty_buffer 0 36176 &try_or_set_cluster_36176 nohasharray ++SyS_kexec_load_36176 SyS_kexec_load 2 36176 &__sync_dirty_buffer_36176 +mcp251x_hw_reset_36177 mcp251x_hw_reset 0 36177 NULL +modify_device_36179 modify_device 0 36179 NULL +dummy_validate_stream_36185 dummy_validate_stream 0 36185 NULL diff --git a/3.19.1/4425_grsec_remove_EI_PAX.patch b/3.19.2/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.19.1/4425_grsec_remove_EI_PAX.patch +++ b/3.19.2/4425_grsec_remove_EI_PAX.patch diff --git a/3.19.1/4427_force_XATTR_PAX_tmpfs.patch b/3.19.2/4427_force_XATTR_PAX_tmpfs.patch index 22c9273..22c9273 100644 --- a/3.19.1/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.19.2/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.19.1/4430_grsec-remove-localversion-grsec.patch b/3.19.2/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.19.1/4430_grsec-remove-localversion-grsec.patch +++ b/3.19.2/4430_grsec-remove-localversion-grsec.patch diff --git a/3.19.1/4435_grsec-mute-warnings.patch b/3.19.2/4435_grsec-mute-warnings.patch index 0585e08..0585e08 100644 --- a/3.19.1/4435_grsec-mute-warnings.patch +++ b/3.19.2/4435_grsec-mute-warnings.patch diff --git a/3.19.1/4440_grsec-remove-protected-paths.patch b/3.19.2/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.19.1/4440_grsec-remove-protected-paths.patch +++ b/3.19.2/4440_grsec-remove-protected-paths.patch diff --git a/3.19.1/4450_grsec-kconfig-default-gids.patch b/3.19.2/4450_grsec-kconfig-default-gids.patch index 5c025da..5c025da 100644 --- a/3.19.1/4450_grsec-kconfig-default-gids.patch +++ b/3.19.2/4450_grsec-kconfig-default-gids.patch diff --git a/3.19.1/4465_selinux-avc_audit-log-curr_ip.patch b/3.19.2/4465_selinux-avc_audit-log-curr_ip.patch index ba89596..ba89596 100644 --- a/3.19.1/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.19.2/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.19.1/4470_disable-compat_vdso.patch b/3.19.2/4470_disable-compat_vdso.patch index 2192180..2192180 100644 --- a/3.19.1/4470_disable-compat_vdso.patch +++ b/3.19.2/4470_disable-compat_vdso.patch diff --git a/3.19.1/4475_emutramp_default_on.patch b/3.19.2/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.19.1/4475_emutramp_default_on.patch +++ b/3.19.2/4475_emutramp_default_on.patch diff --git a/3.2.68/0000_README b/3.2.68/0000_README index 43d09c0..78cb951 100644 --- a/3.2.68/0000_README +++ b/3.2.68/0000_README @@ -190,7 +190,7 @@ Patch: 1067_linux-3.2.68.patch From: http://www.kernel.org Desc: Linux 3.2.68 -Patch: 4420_grsecurity-3.1-3.2.68-201503092202.patch +Patch: 4420_grsecurity-3.1-3.2.68-201503182213.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.68/4420_grsecurity-3.1-3.2.68-201503092202.patch b/3.2.68/4420_grsecurity-3.1-3.2.68-201503182213.patch index 0f1e8f1..ae778bb 100644 --- a/3.2.68/4420_grsecurity-3.1-3.2.68-201503092202.patch +++ b/3.2.68/4420_grsecurity-3.1-3.2.68-201503182213.patch @@ -38666,7 +38666,7 @@ index 61274bf..72cb4a2 100644 return container_of(adapter, struct intel_gmbus, adapter)->force_bit; } diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index a0b69ae..98ea0f3 100644 +index a0b69ae0..98ea0f3 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -189,7 +189,7 @@ i915_gem_object_set_to_gpu_domain(struct drm_i915_gem_object *obj, @@ -41170,6 +41170,25 @@ index 176c8f9..2627b62 100644 wake_up_process(pool->thread); } } +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index a841123..055ebeb 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + if (dmasync) + dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + ++ /* ++ * If the combination of the addr and size requested for this memory ++ * region causes an integer overflow, return error. ++ */ ++ if ((PAGE_ALIGN(addr + size) <= size) || ++ (PAGE_ALIGN(addr + size) <= addr)) ++ return ERR_PTR(-EINVAL); ++ + if (!can_do_mlock()) + return ERR_PTR(-EPERM); + diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c index 40c8353..946b0e4 100644 --- a/drivers/infiniband/hw/cxgb4/mem.c @@ -42469,7 +42488,7 @@ index fd10d7c..1eaf1f4 100644 /* error message helper function */ diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c -index 1f355bb..43f1fea 100644 +index 1f355bb..3efedbb 100644 --- a/drivers/isdn/icn/icn.c +++ b/drivers/isdn/icn/icn.c @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len, int user, icn_card * card) @@ -42481,6 +42500,15 @@ index 1f355bb..43f1fea 100644 return -EFAULT; } else memcpy(msg, buf, count); +@@ -1611,7 +1611,7 @@ icn_setup(char *line) + if (ints[0] > 1) + membase = (unsigned long)ints[2]; + if (str && *str) { +- strcpy(sid, str); ++ strlcpy(sid, str, sizeof(sid)); + icn_id = sid; + if ((p = strchr(sid, ','))) { + *p++ = 0; diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c index 4d395de..c504763 100644 --- a/drivers/isdn/mISDN/dsp_cmx.c @@ -50652,6 +50680,122 @@ index 86308a0..feaa925 100644 struct io_req { struct list_head list; +diff --git a/drivers/staging/rts5139/rts51x_transport.c b/drivers/staging/rts5139/rts51x_transport.c +index e11467a..c9dac26 100644 +--- a/drivers/staging/rts5139/rts51x_transport.c ++++ b/drivers/staging/rts5139/rts51x_transport.c +@@ -337,11 +337,18 @@ int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe, + void *data, u16 size, int timeout) + { + struct rts51x_usb *rts51x = chip->usb; ++ void *buf = kmalloc(size, GFP_KERNEL); + int result; ++ int ret; ++ ++ if (buf == NULL) ++ TRACE_RET(chip, STATUS_ERROR); + + RTS51X_DEBUGP("%s: rq=%02x rqtype=%02x value=%04x index=%02x len=%u\n", + __func__, request, requesttype, value, index, size); + ++ memcpy(buf, data, size); ++ + /* fill in the devrequest structure */ + rts51x->cr->bRequestType = requesttype; + rts51x->cr->bRequest = request; +@@ -351,12 +358,17 @@ int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe, + + /* fill and submit the URB */ + usb_fill_control_urb(rts51x->current_urb, rts51x->pusb_dev, pipe, +- (unsigned char *)rts51x->cr, data, size, ++ (unsigned char *)rts51x->cr, buf, size, + urb_done_completion, NULL); + result = rts51x_msg_common(chip, rts51x->current_urb, timeout); + +- return interpret_urb_result(chip, pipe, size, result, ++ ret = interpret_urb_result(chip, pipe, size, result, + rts51x->current_urb->actual_length); ++ memcpy(data, buf, size); ++ ++ kfree(buf); ++ ++ return ret; + } + + int rts51x_clear_halt(struct rts51x_chip *chip, unsigned int pipe) +@@ -794,17 +806,30 @@ int rts51x_bulk_transfer_buf(struct rts51x_chip *chip, unsigned int pipe, + unsigned int *act_len, int timeout) + { + int result; ++ int ret; ++ void *newbuf = kmalloc(length, GFP_KERNEL); ++ ++ if (newbuf == NULL) ++ TRACE_RET(chip, STATUS_ERROR); ++ ++ memcpy(newbuf, buf, length); + + /* fill and submit the URB */ + usb_fill_bulk_urb(chip->usb->current_urb, chip->usb->pusb_dev, pipe, +- buf, length, urb_done_completion, NULL); ++ newbuf, length, urb_done_completion, NULL); + result = rts51x_msg_common(chip, chip->usb->current_urb, timeout); + + /* store the actual length of the data transferred */ + if (act_len) + *act_len = chip->usb->current_urb->actual_length; +- return interpret_urb_result(chip, pipe, length, result, ++ ret = interpret_urb_result(chip, pipe, length, result, + chip->usb->current_urb->actual_length); ++ ++ memcpy(buf, newbuf, length); ++ ++ kfree(newbuf); ++ ++ return ret; + } + + int rts51x_transfer_data(struct rts51x_chip *chip, unsigned int pipe, +@@ -888,11 +913,19 @@ int rts51x_get_epc_status(struct rts51x_chip *chip, u16 * status) + unsigned int pipe = RCV_INTR_PIPE(chip); + struct usb_host_endpoint *ep; + struct completion urb_done; ++ u16 *buf_status; + int result; ++ int ret; + + if (!status) + TRACE_RET(chip, STATUS_ERROR); + ++ buf_status = kmalloc(sizeof(*status), GFP_KERNEL); ++ if (buf_status == NULL) ++ TRACE_RET(chip, STATUS_ERROR); ++ ++ *buf_status = *status; ++ + /* set up data structures for the wakeup system */ + init_completion(&urb_done); + +@@ -902,12 +935,17 @@ int rts51x_get_epc_status(struct rts51x_chip *chip, u16 * status) + /* We set interval to 1 here, so the polling interval is controlled + * by our polling thread */ + usb_fill_int_urb(chip->usb->intr_urb, chip->usb->pusb_dev, pipe, +- status, 2, urb_done_completion, &urb_done, 1); ++ buf_status, 2, urb_done_completion, &urb_done, 1); + + result = rts51x_msg_common(chip, chip->usb->intr_urb, 50); + +- return interpret_urb_result(chip, pipe, 2, result, ++ ret = interpret_urb_result(chip, pipe, 2, result, + chip->usb->intr_urb->actual_length); ++ *status = *buf_status; ++ ++ kfree(buf_status); ++ ++ return ret; + } + + u8 media_not_present[] = { diff --git a/drivers/staging/sbe-2t3e3/netdev.c b/drivers/staging/sbe-2t3e3/netdev.c index c7b5e8b..783d6cbe 100644 --- a/drivers/staging/sbe-2t3e3/netdev.c @@ -104056,10 +104200,19 @@ index e093528..3966d08 100644 .exit = proto_exit_net, }; diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c -index f0bdd36..957fc06 100644 +index f0bdd36..5345e58 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c -@@ -28,7 +28,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write, +@@ -21,6 +21,8 @@ + + static int zero = 0; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + #ifdef CONFIG_RPS + static int rps_sock_flow_sysctl(ctl_table *table, int write, +@@ -28,7 +30,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write, { unsigned int orig_size, size; int ret, i; @@ -104068,7 +104221,44 @@ index f0bdd36..957fc06 100644 .data = &size, .maxlen = sizeof(size), .mode = table->mode -@@ -210,29 +210,27 @@ __net_initdata struct ctl_path net_core_path[] = { +@@ -89,28 +91,32 @@ static struct ctl_table net_core_table[] = { + .data = &sysctl_wmem_max, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", + .data = &sysctl_rmem_max, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", + .data = &sysctl_wmem_default, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", + .data = &sysctl_rmem_default, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", +@@ -210,29 +216,27 @@ __net_initdata struct ctl_path net_core_path[] = { static __net_init int sysctl_core_net_init(struct net *net) { @@ -104104,7 +104294,7 @@ index f0bdd36..957fc06 100644 err_dup: return -ENOMEM; } -@@ -247,7 +245,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) +@@ -247,7 +251,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) kfree(tbl); } @@ -104468,10 +104658,30 @@ index 907ef2c..eba7111 100644 void inet_get_local_port_range(int *low, int *high) diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c -index 6be5e8e..22df23e 100644 +index 6be5e8e..daa1ffb 100644 --- a/net/ipv4/inet_diag.c +++ b/net/ipv4/inet_diag.c -@@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct sock *sk, +@@ -71,6 +71,19 @@ static inline void inet_diag_unlock_handler( + mutex_unlock(&inet_diag_table_mutex); + } + ++static size_t inet_sk_attr_size(void) ++{ ++ return nla_total_size(sizeof(struct tcp_info)) ++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) ++ + nla_total_size(sizeof(struct inet_diag_msg)) ++ + nla_total_size(TCP_CA_NAME_MAX) ++ + nla_total_size(sizeof(struct tcpvegas_info)) ++ + 64; ++} ++ + static int inet_csk_diag_fill(struct sock *sk, + struct sk_buff *skb, + int ext, u32 pid, u32 seq, u16 nlmsg_flags, +@@ -114,8 +127,14 @@ static int inet_csk_diag_fill(struct sock *sk, r->idiag_retrans = 0; r->id.idiag_if = sk->sk_bound_dev_if; @@ -104486,7 +104696,7 @@ index 6be5e8e..22df23e 100644 r->id.idiag_sport = inet->inet_sport; r->id.idiag_dport = inet->inet_dport; -@@ -215,8 +221,14 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw, +@@ -215,8 +234,14 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw, r->idiag_retrans = 0; r->id.idiag_if = tw->tw_bound_dev_if; @@ -104501,7 +104711,7 @@ index 6be5e8e..22df23e 100644 r->id.idiag_sport = tw->tw_sport; r->id.idiag_dport = tw->tw_dport; -@@ -305,12 +317,14 @@ static int inet_diag_get_exact(struct sk_buff *in_skb, +@@ -305,18 +330,17 @@ static int inet_diag_get_exact(struct sk_buff *in_skb, if (sk == NULL) goto unlock; @@ -104515,8 +104725,15 @@ index 6be5e8e..22df23e 100644 +#endif err = -ENOMEM; - rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) + -@@ -600,8 +614,14 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk, +- rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + +- handler->idiag_info_size + 64)), +- GFP_KERNEL); ++ rep = alloc_skb(inet_sk_attr_size(), GFP_KERNEL); + if (!rep) + goto out; + +@@ -600,8 +624,14 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk, r->idiag_retrans = req->retrans; r->id.idiag_if = sk->sk_bound_dev_if; @@ -108192,6 +108409,94 @@ index 9556d28..f046d0e 100644 #else ic->i_ack_next = 0; #endif +diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c +index 4e1de17..83725f3 100644 +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -611,9 +607,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c index 5e57347..3916042 100644 --- a/net/rds/iw_recv.c @@ -110052,7 +110357,7 @@ index 1983717..4d6102c 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 8705ee3..fb87ef6 100644 +index 8705ee3..c66fcaa 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -768,6 +768,12 @@ static struct sock *unix_find_other(struct net *net, @@ -110101,7 +110406,24 @@ index 8705ee3..fb87ef6 100644 mutex_unlock(&path.dentry->d_inode->i_mutex); dput(path.dentry); path.dentry = dentry; -@@ -2276,9 +2296,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2180,11 +2200,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, + writable = unix_writable(sk); + other = unix_peer_get(sk); + if (other) { +- if (unix_peer(other) != sk) { ++ unix_state_lock(other); ++ if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) != sk) { ++ unix_state_unlock(other); + sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); + if (unix_recvq_full(other)) + writable = 0; +- } ++ } else ++ unix_state_unlock(other); + sock_put(other); + } + +@@ -2276,9 +2299,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -110116,7 +110438,7 @@ index 8705ee3..fb87ef6 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2305,8 +2329,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2305,8 +2332,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) } for ( ; i < len; i++) seq_putc(seq, u->addr->name->sun_path[i]); @@ -115555,7 +115877,7 @@ index 0000000..3b5af59 +} diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h new file mode 100644 -index 0000000..de1d984 +index 0000000..cd95c07 --- /dev/null +++ b/tools/gcc/gcc-common.h @@ -0,0 +1,375 @@ @@ -115779,7 +116101,7 @@ index 0000000..de1d984 + +#define int_const_binop(code, arg1, arg2) int_const_binop((code), (arg1), (arg2), 0) + -+static inline bool gimple_clobber_p(gimple s) ++static inline bool gimple_clobber_p(gimple s __unused) +{ + return false; +} @@ -122402,10 +122724,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..b45b095 +index 0000000..0d53d19 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,5117 @@ +@@ -0,0 +1,5121 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL @@ -122822,6 +123144,7 @@ index 0000000..b45b095 +inw_5558 inw 0 5558 NULL +fir16_create_5574 fir16_create 3 5574 NULL +bioset_create_5580 bioset_create 1 5580 NULL ++inet_sk_attr_size_5584 inet_sk_attr_size 0 5584 NULL +do_msgrcv_5590 do_msgrcv 4 5590 NULL +hidp_output_raw_report_5629 hidp_output_raw_report 3 5629 NULL +parse_arg_5657 parse_arg 2 5657 NULL @@ -126221,6 +126544,7 @@ index 0000000..b45b095 +mac_drv_rx_init_48898 mac_drv_rx_init 2 48898 &joydev_handle_JSIOCSAXMAP_48898 +xdi_copy_to_user_48900 xdi_copy_to_user 4 48900 NULL +msg_hdr_sz_48908 msg_hdr_sz 0 48908 NULL ++rts51x_ctrl_transfer_48914 rts51x_ctrl_transfer 8 48914 NULL +lpfc_sli4_get_els_iocb_cnt_48926 lpfc_sli4_get_els_iocb_cnt 0 48926 NULL +event_heart_beat_read_48961 event_heart_beat_read 3 48961 NULL +_alloc_set_attr_list_48991 _alloc_set_attr_list 4 48991 NULL @@ -126339,6 +126663,7 @@ index 0000000..b45b095 +ocfs2_block_to_cluster_group_50337 ocfs2_block_to_cluster_group 2 50337 NULL nohasharray +snd_pcm_lib_writev_50337 snd_pcm_lib_writev 3-0 50337 &ocfs2_block_to_cluster_group_50337 +tpm_read_50344 tpm_read 3 50344 NULL ++rts51x_bulk_transfer_buf_50352 rts51x_bulk_transfer_buf 4 50352 NULL +isdn_ppp_read_50356 isdn_ppp_read 4 50356 NULL +unpack_u16_chunk_50357 unpack_u16_chunk 0 50357 NULL +iwl_dbgfs_echo_test_write_50362 iwl_dbgfs_echo_test_write 3 50362 NULL @@ -127058,6 +127383,7 @@ index 0000000..b45b095 +pvr2_debugifc_print_info_59380 pvr2_debugifc_print_info 3 59380 NULL +journal_init_dev_59384 journal_init_dev 5 59384 NULL +fc_frame_alloc_fill_59394 fc_frame_alloc_fill 2 59394 NULL ++rts51x_transfer_data_59416 rts51x_transfer_data 4 59416 NULL +pci_ctrl_read_59424 pci_ctrl_read 0 59424 NULL +vxge_hw_ring_rxds_per_block_get_59425 vxge_hw_ring_rxds_per_block_get 0 59425 NULL +squashfs_read_data_59440 squashfs_read_data 6 59440 NULL |