Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/1010_linux-3.14.11.patch
diff options
context:
space:
mode:
Diffstat (limited to '1010_linux-3.14.11.patch')
-rw-r--r--1010_linux-3.14.11.patch1804
1 files changed, 1804 insertions, 0 deletions
diff --git a/1010_linux-3.14.11.patch b/1010_linux-3.14.11.patch
new file mode 100644
index 00000000..2f99b670
--- /dev/null
+++ b/1010_linux-3.14.11.patch
@@ -0,0 +1,1804 @@
+diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches
+index 26b1e31d5a13..1ec219a14904 100644
+--- a/Documentation/SubmittingPatches
++++ b/Documentation/SubmittingPatches
+@@ -119,6 +119,20 @@ Example:
+ platform_set_drvdata(), but left the variable "dev" unused,
+ delete it.
+
++If your patch fixes a bug in a specific commit, e.g. you found an issue using
++git-bisect, please use the 'Fixes:' tag with the first 12 characters of the
++SHA-1 ID, and the one line summary.
++Example:
++
++ Fixes: e21d2170f366 ("video: remove unnecessary platform_set_drvdata()")
++
++The following git-config settings can be used to add a pretty format for
++outputting the above style in the git log or git show commands
++
++ [core]
++ abbrev = 12
++ [pretty]
++ fixes = Fixes: %h (\"%s\")
+
+ 3) Separate your changes.
+
+@@ -430,7 +444,7 @@ person it names. This tag documents that potentially interested parties
+ have been included in the discussion
+
+
+-14) Using Reported-by:, Tested-by:, Reviewed-by: and Suggested-by:
++14) Using Reported-by:, Tested-by:, Reviewed-by:, Suggested-by: and Fixes:
+
+ If this patch fixes a problem reported by somebody else, consider adding a
+ Reported-by: tag to credit the reporter for their contribution. Please
+@@ -485,6 +499,12 @@ idea was not posted in a public forum. That said, if we diligently credit our
+ idea reporters, they will, hopefully, be inspired to help us again in the
+ future.
+
++A Fixes: tag indicates that the patch fixes an issue in a previous commit. It
++is used to make it easy to determine where a bug originated, which can help
++review a bug fix. This tag also assists the stable kernel team in determining
++which stable kernel versions should receive your fix. This is the preferred
++method for indicating a bug fixed by the patch. See #2 above for more details.
++
+
+ 15) The canonical patch format
+
+diff --git a/Makefile b/Makefile
+index bd5d673ab57f..f1bbec5ece95 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 10
++SUBLEVEL = 11
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi
+index 8db792b26f79..15eb8d4e4d3c 100644
+--- a/arch/arm/boot/dts/exynos5420.dtsi
++++ b/arch/arm/boot/dts/exynos5420.dtsi
+@@ -323,6 +323,13 @@
+ #dma-cells = <1>;
+ #dma-channels = <8>;
+ #dma-requests = <1>;
++ /*
++ * MDMA1 can support both secure and non-secure
++ * AXI transactions. When this is enabled in the kernel
++ * for boards that run in secure mode, we are getting
++ * imprecise external aborts causing the kernel to oops.
++ */
++ status = "disabled";
+ };
+ };
+
+diff --git a/arch/mips/kernel/irq-msc01.c b/arch/mips/kernel/irq-msc01.c
+index fab40f7d2e03..ac9facc08694 100644
+--- a/arch/mips/kernel/irq-msc01.c
++++ b/arch/mips/kernel/irq-msc01.c
+@@ -131,7 +131,7 @@ void __init init_msc_irqs(unsigned long icubase, unsigned int irqbase, msc_irqma
+
+ board_bind_eic_interrupt = &msc_bind_eic_interrupt;
+
+- for (; nirq >= 0; nirq--, imp++) {
++ for (; nirq > 0; nirq--, imp++) {
+ int n = imp->im_irq;
+
+ switch (imp->im_type) {
+diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c
+index 5efce56f0df0..3e0ff8d0fbf9 100644
+--- a/arch/mips/kvm/kvm_mips.c
++++ b/arch/mips/kvm/kvm_mips.c
+@@ -149,9 +149,7 @@ void kvm_mips_free_vcpus(struct kvm *kvm)
+ if (kvm->arch.guest_pmap[i] != KVM_INVALID_PAGE)
+ kvm_mips_release_pfn_clean(kvm->arch.guest_pmap[i]);
+ }
+-
+- if (kvm->arch.guest_pmap)
+- kfree(kvm->arch.guest_pmap);
++ kfree(kvm->arch.guest_pmap);
+
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ kvm_arch_vcpu_free(vcpu);
+@@ -389,12 +387,9 @@ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
+
+ kvm_mips_dump_stats(vcpu);
+
+- if (vcpu->arch.guest_ebase)
+- kfree(vcpu->arch.guest_ebase);
+-
+- if (vcpu->arch.kseg0_commpage)
+- kfree(vcpu->arch.kseg0_commpage);
+-
++ kfree(vcpu->arch.guest_ebase);
++ kfree(vcpu->arch.kseg0_commpage);
++ kfree(vcpu);
+ }
+
+ void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
+diff --git a/arch/powerpc/include/asm/switch_to.h b/arch/powerpc/include/asm/switch_to.h
+index 0e83e7d8c73f..b5fad8afe837 100644
+--- a/arch/powerpc/include/asm/switch_to.h
++++ b/arch/powerpc/include/asm/switch_to.h
+@@ -84,6 +84,8 @@ static inline void clear_task_ebb(struct task_struct *t)
+ {
+ #ifdef CONFIG_PPC_BOOK3S_64
+ /* EBB perf events are not inherited, so clear all EBB state. */
++ t->thread.ebbrr = 0;
++ t->thread.ebbhr = 0;
+ t->thread.bescr = 0;
+ t->thread.mmcr2 = 0;
+ t->thread.mmcr0 = 0;
+diff --git a/arch/powerpc/include/asm/systbl.h b/arch/powerpc/include/asm/systbl.h
+index 3ddf70276706..0616916b446a 100644
+--- a/arch/powerpc/include/asm/systbl.h
++++ b/arch/powerpc/include/asm/systbl.h
+@@ -190,7 +190,7 @@ SYSCALL_SPU(getcwd)
+ SYSCALL_SPU(capget)
+ SYSCALL_SPU(capset)
+ COMPAT_SYS(sigaltstack)
+-COMPAT_SYS_SPU(sendfile)
++SYSX_SPU(sys_sendfile64,compat_sys_sendfile,sys_sendfile)
+ SYSCALL(ni_syscall)
+ SYSCALL(ni_syscall)
+ PPC_SYS(vfork)
+diff --git a/arch/powerpc/include/uapi/asm/cputable.h b/arch/powerpc/include/uapi/asm/cputable.h
+index 5b7657959faa..de2c0e4ee1aa 100644
+--- a/arch/powerpc/include/uapi/asm/cputable.h
++++ b/arch/powerpc/include/uapi/asm/cputable.h
+@@ -41,5 +41,6 @@
+ #define PPC_FEATURE2_EBB 0x10000000
+ #define PPC_FEATURE2_ISEL 0x08000000
+ #define PPC_FEATURE2_TAR 0x04000000
++#define PPC_FEATURE2_VEC_CRYPTO 0x02000000
+
+ #endif /* _UAPI__ASM_POWERPC_CPUTABLE_H */
+diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
+index 6c8dd5da4de5..7ac1eab3ff8a 100644
+--- a/arch/powerpc/kernel/cputable.c
++++ b/arch/powerpc/kernel/cputable.c
+@@ -109,7 +109,8 @@ extern void __restore_cpu_e6500(void);
+ PPC_FEATURE_PSERIES_PERFMON_COMPAT)
+ #define COMMON_USER2_POWER8 (PPC_FEATURE2_ARCH_2_07 | \
+ PPC_FEATURE2_HTM_COMP | PPC_FEATURE2_DSCR | \
+- PPC_FEATURE2_ISEL | PPC_FEATURE2_TAR)
++ PPC_FEATURE2_ISEL | PPC_FEATURE2_TAR | \
++ PPC_FEATURE2_VEC_CRYPTO)
+ #define COMMON_USER_PA6T (COMMON_USER_PPC64 | PPC_FEATURE_PA6T |\
+ PPC_FEATURE_TRUE_LE | \
+ PPC_FEATURE_HAS_ALTIVEC_COMP)
+diff --git a/arch/powerpc/kernel/legacy_serial.c b/arch/powerpc/kernel/legacy_serial.c
+index 40bd7bd4e19a..8a8b722870a1 100644
+--- a/arch/powerpc/kernel/legacy_serial.c
++++ b/arch/powerpc/kernel/legacy_serial.c
+@@ -48,6 +48,9 @@ static struct of_device_id legacy_serial_parents[] __initdata = {
+ static unsigned int legacy_serial_count;
+ static int legacy_serial_console = -1;
+
++static const upf_t legacy_port_flags = UPF_BOOT_AUTOCONF | UPF_SKIP_TEST |
++ UPF_SHARE_IRQ | UPF_FIXED_PORT;
++
+ static unsigned int tsi_serial_in(struct uart_port *p, int offset)
+ {
+ unsigned int tmp;
+@@ -153,8 +156,6 @@ static int __init add_legacy_soc_port(struct device_node *np,
+ {
+ u64 addr;
+ const __be32 *addrp;
+- upf_t flags = UPF_BOOT_AUTOCONF | UPF_SKIP_TEST | UPF_SHARE_IRQ
+- | UPF_FIXED_PORT;
+ struct device_node *tsi = of_get_parent(np);
+
+ /* We only support ports that have a clock frequency properly
+@@ -185,9 +186,11 @@ static int __init add_legacy_soc_port(struct device_node *np,
+ * IO port value. It will be fixed up later along with the irq
+ */
+ if (tsi && !strcmp(tsi->type, "tsi-bridge"))
+- return add_legacy_port(np, -1, UPIO_TSI, addr, addr, NO_IRQ, flags, 0);
++ return add_legacy_port(np, -1, UPIO_TSI, addr, addr,
++ NO_IRQ, legacy_port_flags, 0);
+ else
+- return add_legacy_port(np, -1, UPIO_MEM, addr, addr, NO_IRQ, flags, 0);
++ return add_legacy_port(np, -1, UPIO_MEM, addr, addr,
++ NO_IRQ, legacy_port_flags, 0);
+ }
+
+ static int __init add_legacy_isa_port(struct device_node *np,
+@@ -233,7 +236,7 @@ static int __init add_legacy_isa_port(struct device_node *np,
+
+ /* Add port, irq will be dealt with later */
+ return add_legacy_port(np, index, UPIO_PORT, be32_to_cpu(reg[1]),
+- taddr, NO_IRQ, UPF_BOOT_AUTOCONF, 0);
++ taddr, NO_IRQ, legacy_port_flags, 0);
+
+ }
+
+@@ -306,7 +309,7 @@ static int __init add_legacy_pci_port(struct device_node *np,
+ * IO port value. It will be fixed up later along with the irq
+ */
+ return add_legacy_port(np, index, iotype, base, addr, NO_IRQ,
+- UPF_BOOT_AUTOCONF, np != pci_dev);
++ legacy_port_flags, np != pci_dev);
+ }
+ #endif
+
+diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
+index bc76cc6b419c..04aa4d3c7c05 100644
+--- a/arch/powerpc/kernel/setup-common.c
++++ b/arch/powerpc/kernel/setup-common.c
+@@ -456,9 +456,17 @@ void __init smp_setup_cpu_maps(void)
+ }
+
+ for (j = 0; j < nthreads && cpu < nr_cpu_ids; j++) {
++ bool avail;
++
+ DBG(" thread %d -> cpu %d (hard id %d)\n",
+ j, cpu, be32_to_cpu(intserv[j]));
+- set_cpu_present(cpu, true);
++
++ avail = of_device_is_available(dn);
++ if (!avail)
++ avail = !of_property_match_string(dn,
++ "enable-method", "spin-table");
++
++ set_cpu_present(cpu, avail);
+ set_hard_smp_processor_id(cpu, be32_to_cpu(intserv[j]));
+ set_cpu_possible(cpu, true);
+ cpu++;
+diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
+index 57d4bada19bd..f8b994abb57f 100644
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -511,7 +511,7 @@ void timer_interrupt(struct pt_regs * regs)
+ may_hard_irq_enable();
+
+
+-#if defined(CONFIG_PPC32) && defined(CONFIG_PMAC)
++#if defined(CONFIG_PPC32) && defined(CONFIG_PPC_PMAC)
+ if (atomic_read(&ppc_n_lost_interrupts) != 0)
+ do_IRQ(regs);
+ #endif
+diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
+index c0511c27a733..412dd46dd0b7 100644
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -1470,7 +1470,7 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
+ regs->gpr[rd] = byterev_4(val);
+ goto ldst_done;
+
+-#ifdef CONFIG_PPC_CPU
++#ifdef CONFIG_PPC_FPU
+ case 535: /* lfsx */
+ case 567: /* lfsux */
+ if (!(regs->msr & MSR_FP))
+diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
+index d766d6ee33fe..6650699eb3b6 100644
+--- a/arch/powerpc/mm/hash_utils_64.c
++++ b/arch/powerpc/mm/hash_utils_64.c
+@@ -960,6 +960,22 @@ void hash_failure_debug(unsigned long ea, unsigned long access,
+ trap, vsid, ssize, psize, lpsize, pte);
+ }
+
++static void check_paca_psize(unsigned long ea, struct mm_struct *mm,
++ int psize, bool user_region)
++{
++ if (user_region) {
++ if (psize != get_paca_psize(ea)) {
++ get_paca()->context = mm->context;
++ slb_flush_and_rebolt();
++ }
++ } else if (get_paca()->vmalloc_sllp !=
++ mmu_psize_defs[mmu_vmalloc_psize].sllp) {
++ get_paca()->vmalloc_sllp =
++ mmu_psize_defs[mmu_vmalloc_psize].sllp;
++ slb_vmalloc_update();
++ }
++}
++
+ /* Result code is:
+ * 0 - handled
+ * 1 - normal page fault
+@@ -1081,6 +1097,8 @@ int hash_page(unsigned long ea, unsigned long access, unsigned long trap)
+ WARN_ON(1);
+ }
+ #endif
++ check_paca_psize(ea, mm, psize, user_region);
++
+ goto bail;
+ }
+
+@@ -1121,17 +1139,8 @@ int hash_page(unsigned long ea, unsigned long access, unsigned long trap)
+ #endif
+ }
+ }
+- if (user_region) {
+- if (psize != get_paca_psize(ea)) {
+- get_paca()->context = mm->context;
+- slb_flush_and_rebolt();
+- }
+- } else if (get_paca()->vmalloc_sllp !=
+- mmu_psize_defs[mmu_vmalloc_psize].sllp) {
+- get_paca()->vmalloc_sllp =
+- mmu_psize_defs[mmu_vmalloc_psize].sllp;
+- slb_vmalloc_update();
+- }
++
++ check_paca_psize(ea, mm, psize, user_region);
+ #endif /* CONFIG_PPC_64K_PAGES */
+
+ #ifdef CONFIG_PPC_HAS_HASH_64K
+diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
+index 8a8f0472d98f..83da53fde6b5 100644
+--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
+@@ -464,6 +464,7 @@ static int pseries_eeh_get_state(struct eeh_pe *pe, int *state)
+ } else {
+ result = EEH_STATE_NOT_SUPPORT;
+ }
++ break;
+ default:
+ result = EEH_STATE_NOT_SUPPORT;
+ }
+diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
+index 14fd6fd75a19..6205f0c434db 100644
+--- a/arch/x86/include/asm/ptrace.h
++++ b/arch/x86/include/asm/ptrace.h
+@@ -231,6 +231,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+
+ #define ARCH_HAS_USER_SINGLE_STEP_INFO
+
++/*
++ * When hitting ptrace_stop(), we cannot return using SYSRET because
++ * that does not restore the full CPU state, only a minimal set. The
++ * ptracer can change arbitrary register values, which is usually okay
++ * because the usual ptrace stops run off the signal delivery path which
++ * forces IRET; however, ptrace_event() stops happen in arbitrary places
++ * in the kernel and don't force IRET path.
++ *
++ * So force IRET path after a ptrace stop.
++ */
++#define arch_ptrace_stop_needed(code, info) \
++({ \
++ set_thread_flag(TIF_NOTIFY_RESUME); \
++ false; \
++})
++
+ struct user_desc;
+ extern int do_get_thread_area(struct task_struct *p, int idx,
+ struct user_desc __user *info);
+diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
+index a8939b98f9c3..4e763b0dbbfc 100644
+--- a/drivers/block/mtip32xx/mtip32xx.c
++++ b/drivers/block/mtip32xx/mtip32xx.c
+@@ -1529,6 +1529,37 @@ static inline void ata_swap_string(u16 *buf, unsigned int len)
+ be16_to_cpus(&buf[i]);
+ }
+
++static void mtip_set_timeout(struct driver_data *dd,
++ struct host_to_dev_fis *fis,
++ unsigned int *timeout, u8 erasemode)
++{
++ switch (fis->command) {
++ case ATA_CMD_DOWNLOAD_MICRO:
++ *timeout = 120000; /* 2 minutes */
++ break;
++ case ATA_CMD_SEC_ERASE_UNIT:
++ case 0xFC:
++ if (erasemode)
++ *timeout = ((*(dd->port->identify + 90) * 2) * 60000);
++ else
++ *timeout = ((*(dd->port->identify + 89) * 2) * 60000);
++ break;
++ case ATA_CMD_STANDBYNOW1:
++ *timeout = 120000; /* 2 minutes */
++ break;
++ case 0xF7:
++ case 0xFA:
++ *timeout = 60000; /* 60 seconds */
++ break;
++ case ATA_CMD_SMART:
++ *timeout = 15000; /* 15 seconds */
++ break;
++ default:
++ *timeout = MTIP_IOCTL_COMMAND_TIMEOUT_MS;
++ break;
++ }
++}
++
+ /*
+ * Request the device identity information.
+ *
+@@ -1644,6 +1675,7 @@ static int mtip_standby_immediate(struct mtip_port *port)
+ int rv;
+ struct host_to_dev_fis fis;
+ unsigned long start;
++ unsigned int timeout;
+
+ /* Build the FIS. */
+ memset(&fis, 0, sizeof(struct host_to_dev_fis));
+@@ -1651,6 +1683,8 @@ static int mtip_standby_immediate(struct mtip_port *port)
+ fis.opts = 1 << 7;
+ fis.command = ATA_CMD_STANDBYNOW1;
+
++ mtip_set_timeout(port->dd, &fis, &timeout, 0);
++
+ start = jiffies;
+ rv = mtip_exec_internal_command(port,
+ &fis,
+@@ -1659,7 +1693,7 @@ static int mtip_standby_immediate(struct mtip_port *port)
+ 0,
+ 0,
+ GFP_ATOMIC,
+- 15000);
++ timeout);
+ dbg_printk(MTIP_DRV_NAME "Time taken to complete standby cmd: %d ms\n",
+ jiffies_to_msecs(jiffies - start));
+ if (rv)
+@@ -2202,36 +2236,6 @@ static unsigned int implicit_sector(unsigned char command,
+ }
+ return rv;
+ }
+-static void mtip_set_timeout(struct driver_data *dd,
+- struct host_to_dev_fis *fis,
+- unsigned int *timeout, u8 erasemode)
+-{
+- switch (fis->command) {
+- case ATA_CMD_DOWNLOAD_MICRO:
+- *timeout = 120000; /* 2 minutes */
+- break;
+- case ATA_CMD_SEC_ERASE_UNIT:
+- case 0xFC:
+- if (erasemode)
+- *timeout = ((*(dd->port->identify + 90) * 2) * 60000);
+- else
+- *timeout = ((*(dd->port->identify + 89) * 2) * 60000);
+- break;
+- case ATA_CMD_STANDBYNOW1:
+- *timeout = 120000; /* 2 minutes */
+- break;
+- case 0xF7:
+- case 0xFA:
+- *timeout = 60000; /* 60 seconds */
+- break;
+- case ATA_CMD_SMART:
+- *timeout = 15000; /* 15 seconds */
+- break;
+- default:
+- *timeout = MTIP_IOCTL_COMMAND_TIMEOUT_MS;
+- break;
+- }
+-}
+
+ /*
+ * Executes a taskfile
+@@ -4479,6 +4483,57 @@ static DEFINE_HANDLER(5);
+ static DEFINE_HANDLER(6);
+ static DEFINE_HANDLER(7);
+
++static void mtip_disable_link_opts(struct driver_data *dd, struct pci_dev *pdev)
++{
++ int pos;
++ unsigned short pcie_dev_ctrl;
++
++ pos = pci_find_capability(pdev, PCI_CAP_ID_EXP);
++ if (pos) {
++ pci_read_config_word(pdev,
++ pos + PCI_EXP_DEVCTL,
++ &pcie_dev_ctrl);
++ if (pcie_dev_ctrl & (1 << 11) ||
++ pcie_dev_ctrl & (1 << 4)) {
++ dev_info(&dd->pdev->dev,
++ "Disabling ERO/No-Snoop on bridge device %04x:%04x\n",
++ pdev->vendor, pdev->device);
++ pcie_dev_ctrl &= ~(PCI_EXP_DEVCTL_NOSNOOP_EN |
++ PCI_EXP_DEVCTL_RELAX_EN);
++ pci_write_config_word(pdev,
++ pos + PCI_EXP_DEVCTL,
++ pcie_dev_ctrl);
++ }
++ }
++}
++
++static void mtip_fix_ero_nosnoop(struct driver_data *dd, struct pci_dev *pdev)
++{
++ /*
++ * This workaround is specific to AMD/ATI chipset with a PCI upstream
++ * device with device id 0x5aXX
++ */
++ if (pdev->bus && pdev->bus->self) {
++ if (pdev->bus->self->vendor == PCI_VENDOR_ID_ATI &&
++ ((pdev->bus->self->device & 0xff00) == 0x5a00)) {
++ mtip_disable_link_opts(dd, pdev->bus->self);
++ } else {
++ /* Check further up the topology */
++ struct pci_dev *parent_dev = pdev->bus->self;
++ if (parent_dev->bus &&
++ parent_dev->bus->parent &&
++ parent_dev->bus->parent->self &&
++ parent_dev->bus->parent->self->vendor ==
++ PCI_VENDOR_ID_ATI &&
++ (parent_dev->bus->parent->self->device &
++ 0xff00) == 0x5a00) {
++ mtip_disable_link_opts(dd,
++ parent_dev->bus->parent->self);
++ }
++ }
++ }
++}
++
+ /*
+ * Called for each supported PCI device detected.
+ *
+@@ -4630,6 +4685,8 @@ static int mtip_pci_probe(struct pci_dev *pdev,
+ goto block_initialize_err;
+ }
+
++ mtip_fix_ero_nosnoop(dd, pdev);
++
+ /* Initialize the block layer. */
+ rv = mtip_block_initialize(dd);
+ if (rv < 0) {
+@@ -4933,13 +4990,13 @@ static int __init mtip_init(void)
+ */
+ static void __exit mtip_exit(void)
+ {
+- debugfs_remove_recursive(dfs_parent);
+-
+ /* Release the allocated major block device number. */
+ unregister_blkdev(mtip_major, MTIP_DRV_NAME);
+
+ /* Unregister the PCI driver. */
+ pci_unregister_driver(&mtip_pci_driver);
++
++ debugfs_remove_recursive(dfs_parent);
+ }
+
+ MODULE_AUTHOR("Micron Technology, Inc");
+diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
+index f0d588f8859e..1acb99100556 100644
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -98,7 +98,7 @@ struct ib_umad_port {
+
+ struct ib_umad_device {
+ int start_port, end_port;
+- struct kref ref;
++ struct kobject kobj;
+ struct ib_umad_port port[0];
+ };
+
+@@ -134,14 +134,18 @@ static DECLARE_BITMAP(dev_map, IB_UMAD_MAX_PORTS);
+ static void ib_umad_add_one(struct ib_device *device);
+ static void ib_umad_remove_one(struct ib_device *device);
+
+-static void ib_umad_release_dev(struct kref *ref)
++static void ib_umad_release_dev(struct kobject *kobj)
+ {
+ struct ib_umad_device *dev =
+- container_of(ref, struct ib_umad_device, ref);
++ container_of(kobj, struct ib_umad_device, kobj);
+
+ kfree(dev);
+ }
+
++static struct kobj_type ib_umad_dev_ktype = {
++ .release = ib_umad_release_dev,
++};
++
+ static int hdr_size(struct ib_umad_file *file)
+ {
+ return file->use_pkey_index ? sizeof (struct ib_user_mad_hdr) :
+@@ -780,27 +784,19 @@ static int ib_umad_open(struct inode *inode, struct file *filp)
+ {
+ struct ib_umad_port *port;
+ struct ib_umad_file *file;
+- int ret;
++ int ret = -ENXIO;
+
+ port = container_of(inode->i_cdev, struct ib_umad_port, cdev);
+- if (port)
+- kref_get(&port->umad_dev->ref);
+- else
+- return -ENXIO;
+
+ mutex_lock(&port->file_mutex);
+
+- if (!port->ib_dev) {
+- ret = -ENXIO;
++ if (!port->ib_dev)
+ goto out;
+- }
+
++ ret = -ENOMEM;
+ file = kzalloc(sizeof *file, GFP_KERNEL);
+- if (!file) {
+- kref_put(&port->umad_dev->ref, ib_umad_release_dev);
+- ret = -ENOMEM;
++ if (!file)
+ goto out;
+- }
+
+ mutex_init(&file->mutex);
+ spin_lock_init(&file->send_lock);
+@@ -814,6 +810,13 @@ static int ib_umad_open(struct inode *inode, struct file *filp)
+ list_add_tail(&file->port_list, &port->file_list);
+
+ ret = nonseekable_open(inode, filp);
++ if (ret) {
++ list_del(&file->port_list);
++ kfree(file);
++ goto out;
++ }
++
++ kobject_get(&port->umad_dev->kobj);
+
+ out:
+ mutex_unlock(&port->file_mutex);
+@@ -852,7 +855,7 @@ static int ib_umad_close(struct inode *inode, struct file *filp)
+ mutex_unlock(&file->port->file_mutex);
+
+ kfree(file);
+- kref_put(&dev->ref, ib_umad_release_dev);
++ kobject_put(&dev->kobj);
+
+ return 0;
+ }
+@@ -880,10 +883,6 @@ static int ib_umad_sm_open(struct inode *inode, struct file *filp)
+ int ret;
+
+ port = container_of(inode->i_cdev, struct ib_umad_port, sm_cdev);
+- if (port)
+- kref_get(&port->umad_dev->ref);
+- else
+- return -ENXIO;
+
+ if (filp->f_flags & O_NONBLOCK) {
+ if (down_trylock(&port->sm_sem)) {
+@@ -898,17 +897,27 @@ static int ib_umad_sm_open(struct inode *inode, struct file *filp)
+ }
+
+ ret = ib_modify_port(port->ib_dev, port->port_num, 0, &props);
+- if (ret) {
+- up(&port->sm_sem);
+- goto fail;
+- }
++ if (ret)
++ goto err_up_sem;
+
+ filp->private_data = port;
+
+- return nonseekable_open(inode, filp);
++ ret = nonseekable_open(inode, filp);
++ if (ret)
++ goto err_clr_sm_cap;
++
++ kobject_get(&port->umad_dev->kobj);
++
++ return 0;
++
++err_clr_sm_cap:
++ swap(props.set_port_cap_mask, props.clr_port_cap_mask);
++ ib_modify_port(port->ib_dev, port->port_num, 0, &props);
++
++err_up_sem:
++ up(&port->sm_sem);
+
+ fail:
+- kref_put(&port->umad_dev->ref, ib_umad_release_dev);
+ return ret;
+ }
+
+@@ -927,7 +936,7 @@ static int ib_umad_sm_close(struct inode *inode, struct file *filp)
+
+ up(&port->sm_sem);
+
+- kref_put(&port->umad_dev->ref, ib_umad_release_dev);
++ kobject_put(&port->umad_dev->kobj);
+
+ return ret;
+ }
+@@ -995,6 +1004,7 @@ static int find_overflow_devnum(void)
+ }
+
+ static int ib_umad_init_port(struct ib_device *device, int port_num,
++ struct ib_umad_device *umad_dev,
+ struct ib_umad_port *port)
+ {
+ int devnum;
+@@ -1027,6 +1037,7 @@ static int ib_umad_init_port(struct ib_device *device, int port_num,
+
+ cdev_init(&port->cdev, &umad_fops);
+ port->cdev.owner = THIS_MODULE;
++ port->cdev.kobj.parent = &umad_dev->kobj;
+ kobject_set_name(&port->cdev.kobj, "umad%d", port->dev_num);
+ if (cdev_add(&port->cdev, base, 1))
+ goto err_cdev;
+@@ -1045,6 +1056,7 @@ static int ib_umad_init_port(struct ib_device *device, int port_num,
+ base += IB_UMAD_MAX_PORTS;
+ cdev_init(&port->sm_cdev, &umad_sm_fops);
+ port->sm_cdev.owner = THIS_MODULE;
++ port->sm_cdev.kobj.parent = &umad_dev->kobj;
+ kobject_set_name(&port->sm_cdev.kobj, "issm%d", port->dev_num);
+ if (cdev_add(&port->sm_cdev, base, 1))
+ goto err_sm_cdev;
+@@ -1138,7 +1150,7 @@ static void ib_umad_add_one(struct ib_device *device)
+ if (!umad_dev)
+ return;
+
+- kref_init(&umad_dev->ref);
++ kobject_init(&umad_dev->kobj, &ib_umad_dev_ktype);
+
+ umad_dev->start_port = s;
+ umad_dev->end_port = e;
+@@ -1146,7 +1158,8 @@ static void ib_umad_add_one(struct ib_device *device)
+ for (i = s; i <= e; ++i) {
+ umad_dev->port[i - s].umad_dev = umad_dev;
+
+- if (ib_umad_init_port(device, i, &umad_dev->port[i - s]))
++ if (ib_umad_init_port(device, i, umad_dev,
++ &umad_dev->port[i - s]))
+ goto err;
+ }
+
+@@ -1158,7 +1171,7 @@ err:
+ while (--i >= s)
+ ib_umad_kill_port(&umad_dev->port[i - s]);
+
+- kref_put(&umad_dev->ref, ib_umad_release_dev);
++ kobject_put(&umad_dev->kobj);
+ }
+
+ static void ib_umad_remove_one(struct ib_device *device)
+@@ -1172,7 +1185,7 @@ static void ib_umad_remove_one(struct ib_device *device)
+ for (i = 0; i <= umad_dev->end_port - umad_dev->start_port; ++i)
+ ib_umad_kill_port(&umad_dev->port[i]);
+
+- kref_put(&umad_dev->ref, ib_umad_release_dev);
++ kobject_put(&umad_dev->kobj);
+ }
+
+ static char *umad_devnode(struct device *dev, umode_t *mode)
+diff --git a/drivers/infiniband/hw/ipath/ipath_diag.c b/drivers/infiniband/hw/ipath/ipath_diag.c
+index e2f9a51f4a38..45802e97332e 100644
+--- a/drivers/infiniband/hw/ipath/ipath_diag.c
++++ b/drivers/infiniband/hw/ipath/ipath_diag.c
+@@ -346,6 +346,10 @@ static ssize_t ipath_diagpkt_write(struct file *fp,
+ ret = -EFAULT;
+ goto bail;
+ }
++ dp.len = odp.len;
++ dp.unit = odp.unit;
++ dp.data = odp.data;
++ dp.pbc_wd = 0;
+ } else {
+ ret = -EINVAL;
+ goto bail;
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index b1705ce6eb88..8c726f183980 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -32,6 +32,7 @@
+
+ #include <linux/kref.h>
+ #include <rdma/ib_umem.h>
++#include <rdma/ib_user_verbs.h>
+ #include "mlx5_ib.h"
+ #include "user.h"
+
+@@ -540,14 +541,24 @@ static int create_cq_user(struct mlx5_ib_dev *dev, struct ib_udata *udata,
+ int *cqe_size, int *index, int *inlen)
+ {
+ struct mlx5_ib_create_cq ucmd;
++ size_t ucmdlen;
+ int page_shift;
+ int npages;
+ int ncont;
+ int err;
+
+- if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd)))
++ ucmdlen =
++ (udata->inlen - sizeof(struct ib_uverbs_cmd_hdr) <
++ sizeof(ucmd)) ? (sizeof(ucmd) -
++ sizeof(ucmd.reserved)) : sizeof(ucmd);
++
++ if (ib_copy_from_udata(&ucmd, udata, ucmdlen))
+ return -EFAULT;
+
++ if (ucmdlen == sizeof(ucmd) &&
++ ucmd.reserved != 0)
++ return -EINVAL;
++
+ if (ucmd.cqe_size != 64 && ucmd.cqe_size != 128)
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/hw/mlx5/srq.c b/drivers/infiniband/hw/mlx5/srq.c
+index 210b3eaf188a..384af6dec5eb 100644
+--- a/drivers/infiniband/hw/mlx5/srq.c
++++ b/drivers/infiniband/hw/mlx5/srq.c
+@@ -35,6 +35,7 @@
+ #include <linux/mlx5/srq.h>
+ #include <linux/slab.h>
+ #include <rdma/ib_umem.h>
++#include <rdma/ib_user_verbs.h>
+
+ #include "mlx5_ib.h"
+ #include "user.h"
+@@ -78,16 +79,27 @@ static int create_srq_user(struct ib_pd *pd, struct mlx5_ib_srq *srq,
+ {
+ struct mlx5_ib_dev *dev = to_mdev(pd->device);
+ struct mlx5_ib_create_srq ucmd;
++ size_t ucmdlen;
+ int err;
+ int npages;
+ int page_shift;
+ int ncont;
+ u32 offset;
+
+- if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd))) {
++ ucmdlen =
++ (udata->inlen - sizeof(struct ib_uverbs_cmd_hdr) <
++ sizeof(ucmd)) ? (sizeof(ucmd) -
++ sizeof(ucmd.reserved)) : sizeof(ucmd);
++
++ if (ib_copy_from_udata(&ucmd, udata, ucmdlen)) {
+ mlx5_ib_dbg(dev, "failed copy udata\n");
+ return -EFAULT;
+ }
++
++ if (ucmdlen == sizeof(ucmd) &&
++ ucmd.reserved != 0)
++ return -EINVAL;
++
+ srq->wq_sig = !!(ucmd.flags & MLX5_SRQ_FLAG_SIGNATURE);
+
+ srq->umem = ib_umem_get(pd->uobject->context, ucmd.buf_addr, buf_size,
+diff --git a/drivers/infiniband/hw/mlx5/user.h b/drivers/infiniband/hw/mlx5/user.h
+index 0f4f8e42a17f..d0ba264ac1ed 100644
+--- a/drivers/infiniband/hw/mlx5/user.h
++++ b/drivers/infiniband/hw/mlx5/user.h
+@@ -91,6 +91,7 @@ struct mlx5_ib_create_cq {
+ __u64 buf_addr;
+ __u64 db_addr;
+ __u32 cqe_size;
++ __u32 reserved; /* explicit padding (optional on i386) */
+ };
+
+ struct mlx5_ib_create_cq_resp {
+@@ -109,6 +110,7 @@ struct mlx5_ib_create_srq {
+ __u64 buf_addr;
+ __u64 db_addr;
+ __u32 flags;
++ __u32 reserved; /* explicit padding (optional on i386) */
+ };
+
+ struct mlx5_ib_create_srq_resp {
+diff --git a/drivers/infiniband/hw/qib/qib_mad.c b/drivers/infiniband/hw/qib/qib_mad.c
+index ccb119143d20..1dd9fcbb7c9a 100644
+--- a/drivers/infiniband/hw/qib/qib_mad.c
++++ b/drivers/infiniband/hw/qib/qib_mad.c
+@@ -1028,7 +1028,7 @@ static int set_pkeys(struct qib_devdata *dd, u8 port, u16 *pkeys)
+
+ event.event = IB_EVENT_PKEY_CHANGE;
+ event.device = &dd->verbs_dev.ibdev;
+- event.element.port_num = 1;
++ event.element.port_num = port;
+ ib_dispatch_event(&event);
+ }
+ return 0;
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index 529b6bcdca7a..e96c07ee6756 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1576,6 +1576,12 @@ err_unmap:
+ err_iu:
+ srp_put_tx_iu(target, iu, SRP_IU_CMD);
+
++ /*
++ * Avoid that the loops that iterate over the request ring can
++ * encounter a dangling SCSI command pointer.
++ */
++ req->scmnd = NULL;
++
+ spin_lock_irqsave(&target->lock, flags);
+ list_add(&req->list, &target->free_reqs);
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 230cdcf8e6fe..233516aff595 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -473,8 +473,15 @@ static void elantech_report_absolute_v3(struct psmouse *psmouse,
+ input_report_key(dev, BTN_TOOL_FINGER, fingers == 1);
+ input_report_key(dev, BTN_TOOL_DOUBLETAP, fingers == 2);
+ input_report_key(dev, BTN_TOOL_TRIPLETAP, fingers == 3);
+- input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
+- input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
++
++ /* For clickpads map both buttons to BTN_LEFT */
++ if (etd->fw_version & 0x001000) {
++ input_report_key(dev, BTN_LEFT, packet[0] & 0x03);
++ } else {
++ input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
++ input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
++ }
++
+ input_report_abs(dev, ABS_PRESSURE, pres);
+ input_report_abs(dev, ABS_TOOL_WIDTH, width);
+
+@@ -484,10 +491,17 @@ static void elantech_report_absolute_v3(struct psmouse *psmouse,
+ static void elantech_input_sync_v4(struct psmouse *psmouse)
+ {
+ struct input_dev *dev = psmouse->dev;
++ struct elantech_data *etd = psmouse->private;
+ unsigned char *packet = psmouse->packet;
+
+- input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
+- input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
++ /* For clickpads map both buttons to BTN_LEFT */
++ if (etd->fw_version & 0x001000) {
++ input_report_key(dev, BTN_LEFT, packet[0] & 0x03);
++ } else {
++ input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
++ input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
++ }
++
+ input_mt_report_pointer_emulation(dev, true);
+ input_sync(dev);
+ }
+@@ -835,7 +849,7 @@ static int elantech_set_absolute_mode(struct psmouse *psmouse)
+ if (etd->set_hw_resolution)
+ etd->reg_10 = 0x0b;
+ else
+- etd->reg_10 = 0x03;
++ etd->reg_10 = 0x01;
+
+ if (elantech_write_reg(psmouse, 0x10, etd->reg_10))
+ rc = -1;
+@@ -1336,7 +1350,8 @@ static int elantech_reconnect(struct psmouse *psmouse)
+ }
+
+ /*
+- * Some hw_version 3 models go into error state when we try to set bit 3 of r10
++ * Some hw_version 3 models go into error state when we try to set
++ * bit 3 and/or bit 1 of r10.
+ */
+ static const struct dmi_system_id no_hw_res_dmi_table[] = {
+ #if defined(CONFIG_DMI) && defined(CONFIG_X86)
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index c5ec703c727e..ec772d962f06 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -347,15 +347,6 @@ static int synaptics_resolution(struct psmouse *psmouse)
+ unsigned char resp[3];
+ int i;
+
+- for (i = 0; min_max_pnpid_table[i].pnp_ids; i++)
+- if (matches_pnp_id(psmouse, min_max_pnpid_table[i].pnp_ids)) {
+- priv->x_min = min_max_pnpid_table[i].x_min;
+- priv->x_max = min_max_pnpid_table[i].x_max;
+- priv->y_min = min_max_pnpid_table[i].y_min;
+- priv->y_max = min_max_pnpid_table[i].y_max;
+- return 0;
+- }
+-
+ if (SYN_ID_MAJOR(priv->identity) < 4)
+ return 0;
+
+@@ -366,6 +357,16 @@ static int synaptics_resolution(struct psmouse *psmouse)
+ }
+ }
+
++ for (i = 0; min_max_pnpid_table[i].pnp_ids; i++) {
++ if (matches_pnp_id(psmouse, min_max_pnpid_table[i].pnp_ids)) {
++ priv->x_min = min_max_pnpid_table[i].x_min;
++ priv->x_max = min_max_pnpid_table[i].x_max;
++ priv->y_min = min_max_pnpid_table[i].y_min;
++ priv->y_max = min_max_pnpid_table[i].y_max;
++ return 0;
++ }
++ }
++
+ if (SYN_EXT_CAP_REQUESTS(priv->capabilities) >= 5 &&
+ SYN_CAP_MAX_DIMENSIONS(priv->ext_cap_0c)) {
+ if (synaptics_send_cmd(psmouse, SYN_QUE_EXT_MAX_COORDS, resp)) {
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 33bb970980d2..ed1b6db25b03 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -4102,7 +4102,7 @@ int pci_set_vga_state(struct pci_dev *dev, bool decode,
+ u16 cmd;
+ int rc;
+
+- WARN_ON((flags & PCI_VGA_STATE_CHANGE_DECODES) & (command_bits & ~(PCI_COMMAND_IO|PCI_COMMAND_MEMORY)));
++ WARN_ON((flags & PCI_VGA_STATE_CHANGE_DECODES) && (command_bits & ~(PCI_COMMAND_IO|PCI_COMMAND_MEMORY)));
+
+ /* ARCH specific VGA enables */
+ rc = pci_set_vga_state_arch(dev, decode, command_bits, flags);
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 5cb726c193de..813f437f3ee8 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2949,6 +2949,7 @@ static void disable_igfx_irq(struct pci_dev *dev)
+ }
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq);
+
+ /*
+ * PCI devices which are on Intel chips can skip the 10ms delay
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 22601c718b07..f329ad294fc0 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1290,7 +1290,7 @@ iscsit_check_dataout_hdr(struct iscsi_conn *conn, unsigned char *buf,
+ if (cmd->data_direction != DMA_TO_DEVICE) {
+ pr_err("Command ITT: 0x%08x received DataOUT for a"
+ " NON-WRITE command.\n", cmd->init_task_tag);
+- return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, buf);
++ return iscsit_dump_data_payload(conn, payload_length, 1);
+ }
+ se_cmd = &cmd->se_cmd;
+ iscsit_mod_dataout_timer(cmd);
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index cad6fdcc64da..d509aa74cfa1 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1196,7 +1196,7 @@ old_sess_out:
+ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ {
+ u8 *buffer, zero_tsih = 0;
+- int ret = 0, rc, stop;
++ int ret = 0, rc;
+ struct iscsi_conn *conn = NULL;
+ struct iscsi_login *login;
+ struct iscsi_portal_group *tpg = NULL;
+@@ -1210,6 +1210,9 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+ np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+ complete(&np->np_restart_comp);
++ } else if (np->np_thread_state == ISCSI_NP_THREAD_SHUTDOWN) {
++ spin_unlock_bh(&np->np_thread_lock);
++ goto exit;
+ } else {
+ np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+ }
+@@ -1402,10 +1405,8 @@ old_sess_out:
+ }
+
+ out:
+- stop = kthread_should_stop();
+- /* Wait for another socket.. */
+- if (!stop)
+- return 1;
++ return 1;
++
+ exit:
+ iscsi_stop_login_thread_timer(np);
+ spin_lock_bh(&np->np_thread_lock);
+@@ -1422,7 +1423,7 @@ int iscsi_target_login_thread(void *arg)
+
+ allow_signal(SIGINT);
+
+- while (!kthread_should_stop()) {
++ while (1) {
+ ret = __iscsi_target_login_thread(np);
+ /*
+ * We break and exit here unless another sock_accept() call
+diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
+index e655b042ed18..ab77f80ead2b 100644
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -1295,6 +1295,8 @@ int iscsit_tx_login_rsp(struct iscsi_conn *conn, u8 status_class, u8 status_deta
+ login->login_failed = 1;
+ iscsit_collect_login_stats(conn, status_class, status_detail);
+
++ memset(&login->rsp[0], 0, ISCSI_HDR_LEN);
++
+ hdr = (struct iscsi_login_rsp *)&login->rsp[0];
+ hdr->opcode = ISCSI_OP_LOGIN_RSP;
+ hdr->status_class = status_class;
+diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
+index 26416c15d65c..6ea95d216eb8 100644
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -616,6 +616,7 @@ void core_dev_unexport(
+ dev->export_count--;
+ spin_unlock(&hba->device_lock);
+
++ lun->lun_sep = NULL;
+ lun->lun_se_dev = NULL;
+ }
+
+diff --git a/drivers/watchdog/ath79_wdt.c b/drivers/watchdog/ath79_wdt.c
+index 9fa1f69dac13..61098cd5439e 100644
+--- a/drivers/watchdog/ath79_wdt.c
++++ b/drivers/watchdog/ath79_wdt.c
+@@ -20,6 +20,7 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+ #include <linux/bitops.h>
++#include <linux/delay.h>
+ #include <linux/errno.h>
+ #include <linux/fs.h>
+ #include <linux/init.h>
+@@ -91,6 +92,15 @@ static inline void ath79_wdt_keepalive(void)
+ static inline void ath79_wdt_enable(void)
+ {
+ ath79_wdt_keepalive();
++
++ /*
++ * Updating the TIMER register requires a few microseconds
++ * on the AR934x SoCs at least. Use a small delay to ensure
++ * that the TIMER register is updated within the hardware
++ * before enabling the watchdog.
++ */
++ udelay(2);
++
+ ath79_wdt_wr(WDOG_REG_CTRL, WDOG_CTRL_ACTION_FCR);
+ /* flush write */
+ ath79_wdt_rr(WDOG_REG_CTRL);
+diff --git a/drivers/watchdog/kempld_wdt.c b/drivers/watchdog/kempld_wdt.c
+index 20dc73844737..d9c1a1601926 100644
+--- a/drivers/watchdog/kempld_wdt.c
++++ b/drivers/watchdog/kempld_wdt.c
+@@ -162,7 +162,7 @@ static int kempld_wdt_set_stage_timeout(struct kempld_wdt_data *wdt_data,
+ kempld_get_mutex(pld);
+ stage_cfg = kempld_read8(pld, KEMPLD_WDT_STAGE_CFG(stage->id));
+ stage_cfg &= ~STAGE_CFG_PRESCALER_MASK;
+- stage_cfg |= STAGE_CFG_SET_PRESCALER(prescaler);
++ stage_cfg |= STAGE_CFG_SET_PRESCALER(PRESCALER_21);
+ kempld_write8(pld, KEMPLD_WDT_STAGE_CFG(stage->id), stage_cfg);
+ kempld_write32(pld, KEMPLD_WDT_STAGE_TIMEOUT(stage->id),
+ stage_timeout);
+diff --git a/drivers/watchdog/sp805_wdt.c b/drivers/watchdog/sp805_wdt.c
+index 3f786ce0a6f2..88bcdfb9f68f 100644
+--- a/drivers/watchdog/sp805_wdt.c
++++ b/drivers/watchdog/sp805_wdt.c
+@@ -60,7 +60,6 @@
+ * @adev: amba device structure of wdt
+ * @status: current status of wdt
+ * @load_val: load value to be set for current timeout
+- * @timeout: current programmed timeout
+ */
+ struct sp805_wdt {
+ struct watchdog_device wdd;
+@@ -69,7 +68,6 @@ struct sp805_wdt {
+ struct clk *clk;
+ struct amba_device *adev;
+ unsigned int load_val;
+- unsigned int timeout;
+ };
+
+ static bool nowayout = WATCHDOG_NOWAYOUT;
+@@ -99,7 +97,7 @@ static int wdt_setload(struct watchdog_device *wdd, unsigned int timeout)
+ spin_lock(&wdt->lock);
+ wdt->load_val = load;
+ /* roundup timeout to closest positive integer value */
+- wdt->timeout = div_u64((load + 1) * 2 + (rate / 2), rate);
++ wdd->timeout = div_u64((load + 1) * 2 + (rate / 2), rate);
+ spin_unlock(&wdt->lock);
+
+ return 0;
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 360114ae8b82..15f9d98627a4 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1555,18 +1555,20 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ inode->i_version = fattr->change_attr;
+ }
+ } else if (server->caps & NFS_CAP_CHANGE_ATTR)
+- invalid |= save_cache_validity;
++ nfsi->cache_validity |= save_cache_validity;
+
+ if (fattr->valid & NFS_ATTR_FATTR_MTIME) {
+ memcpy(&inode->i_mtime, &fattr->mtime, sizeof(inode->i_mtime));
+ } else if (server->caps & NFS_CAP_MTIME)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_REVAL_FORCED);
+
+ if (fattr->valid & NFS_ATTR_FATTR_CTIME) {
+ memcpy(&inode->i_ctime, &fattr->ctime, sizeof(inode->i_ctime));
+ } else if (server->caps & NFS_CAP_CTIME)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_REVAL_FORCED);
+
+ /* Check if our cached file size is stale */
+@@ -1588,7 +1590,8 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ (long long)new_isize);
+ }
+ } else
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_REVAL_PAGECACHE
+ | NFS_INO_REVAL_FORCED);
+
+@@ -1596,7 +1599,8 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ if (fattr->valid & NFS_ATTR_FATTR_ATIME)
+ memcpy(&inode->i_atime, &fattr->atime, sizeof(inode->i_atime));
+ else if (server->caps & NFS_CAP_ATIME)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATIME
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATIME
+ | NFS_INO_REVAL_FORCED);
+
+ if (fattr->valid & NFS_ATTR_FATTR_MODE) {
+@@ -1607,7 +1611,8 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ invalid |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL;
+ }
+ } else if (server->caps & NFS_CAP_MODE)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_INVALID_ACCESS
+ | NFS_INO_INVALID_ACL
+ | NFS_INO_REVAL_FORCED);
+@@ -1618,7 +1623,8 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ inode->i_uid = fattr->uid;
+ }
+ } else if (server->caps & NFS_CAP_OWNER)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_INVALID_ACCESS
+ | NFS_INO_INVALID_ACL
+ | NFS_INO_REVAL_FORCED);
+@@ -1629,7 +1635,8 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ inode->i_gid = fattr->gid;
+ }
+ } else if (server->caps & NFS_CAP_OWNER_GROUP)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_INVALID_ACCESS
+ | NFS_INO_INVALID_ACL
+ | NFS_INO_REVAL_FORCED);
+@@ -1642,7 +1649,8 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ set_nlink(inode, fattr->nlink);
+ }
+ } else if (server->caps & NFS_CAP_NLINK)
+- invalid |= save_cache_validity & (NFS_INO_INVALID_ATTR
++ nfsi->cache_validity |= save_cache_validity &
++ (NFS_INO_INVALID_ATTR
+ | NFS_INO_REVAL_FORCED);
+
+ if (fattr->valid & NFS_ATTR_FATTR_SPACE_USED) {
+diff --git a/fs/nfs/nfs4filelayout.c b/fs/nfs/nfs4filelayout.c
+index b9a35c05b60f..5e992fc51e61 100644
+--- a/fs/nfs/nfs4filelayout.c
++++ b/fs/nfs/nfs4filelayout.c
+@@ -1330,7 +1330,7 @@ filelayout_alloc_layout_hdr(struct inode *inode, gfp_t gfp_flags)
+ struct nfs4_filelayout *flo;
+
+ flo = kzalloc(sizeof(*flo), gfp_flags);
+- return &flo->generic_hdr;
++ return flo != NULL ? &flo->generic_hdr : NULL;
+ }
+
+ static void
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 0deb32105ccf..27f5f858502b 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1456,7 +1456,7 @@ static int nfs4_reclaim_open_state(struct nfs4_state_owner *sp, const struct nfs
+ * server that doesn't support a grace period.
+ */
+ spin_lock(&sp->so_lock);
+- write_seqcount_begin(&sp->so_reclaim_seqcount);
++ raw_write_seqcount_begin(&sp->so_reclaim_seqcount);
+ restart:
+ list_for_each_entry(state, &sp->so_states, open_states) {
+ if (!test_and_clear_bit(ops->state_flag_bit, &state->flags))
+@@ -1519,13 +1519,13 @@ restart:
+ spin_lock(&sp->so_lock);
+ goto restart;
+ }
+- write_seqcount_end(&sp->so_reclaim_seqcount);
++ raw_write_seqcount_end(&sp->so_reclaim_seqcount);
+ spin_unlock(&sp->so_lock);
+ return 0;
+ out_err:
+ nfs4_put_open_state(state);
+ spin_lock(&sp->so_lock);
+- write_seqcount_end(&sp->so_reclaim_seqcount);
++ raw_write_seqcount_end(&sp->so_reclaim_seqcount);
+ spin_unlock(&sp->so_lock);
+ return status;
+ }
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 910ed906eb82..05c3a6e6518d 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2246,6 +2246,7 @@ nfs_remount(struct super_block *sb, int *flags, char *raw_data)
+ data->nfs_server.addrlen = nfss->nfs_client->cl_addrlen;
+ data->version = nfsvers;
+ data->minorversion = nfss->nfs_client->cl_minorversion;
++ data->net = current->nsproxy->net_ns;
+ memcpy(&data->nfs_server.address, &nfss->nfs_client->cl_addr,
+ data->nfs_server.addrlen);
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 9a3b6a4cd6b9..aaa16b31e21e 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -913,12 +913,14 @@ static bool nfs_write_pageuptodate(struct page *page, struct inode *inode)
+
+ if (nfs_have_delegated_attributes(inode))
+ goto out;
+- if (nfsi->cache_validity & (NFS_INO_INVALID_DATA|NFS_INO_REVAL_PAGECACHE))
++ if (nfsi->cache_validity & NFS_INO_REVAL_PAGECACHE)
+ return false;
+ smp_rmb();
+ if (test_bit(NFS_INO_INVALIDATING, &nfsi->flags))
+ return false;
+ out:
++ if (nfsi->cache_validity & NFS_INO_INVALID_DATA)
++ return false;
+ return PageUptodate(page) != 0;
+ }
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 1693fd93fa58..34d2a1f2f400 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3723,7 +3723,7 @@ nfsd4_free_lock_stateid(struct nfs4_ol_stateid *stp)
+ * correspondance, and we have to delete the lockowner when we
+ * delete the lock stateid:
+ */
+- unhash_lockowner(lo);
++ release_lockowner(lo);
+ return nfs_ok;
+ }
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 16e8fa71eb84..bc11bf68ec7f 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2096,8 +2096,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
+ err = vfs_getattr(&path, &stat);
+ if (err)
+ goto out_nfserr;
+- if ((bmval0 & (FATTR4_WORD0_FILES_FREE | FATTR4_WORD0_FILES_TOTAL |
+- FATTR4_WORD0_MAXNAME)) ||
++ if ((bmval0 & (FATTR4_WORD0_FILES_AVAIL | FATTR4_WORD0_FILES_FREE |
++ FATTR4_WORD0_FILES_TOTAL | FATTR4_WORD0_MAXNAME)) ||
+ (bmval1 & (FATTR4_WORD1_SPACE_AVAIL | FATTR4_WORD1_SPACE_FREE |
+ FATTR4_WORD1_SPACE_TOTAL))) {
+ err = vfs_statfs(&path, &statfs);
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
+index ad62bdbb451e..1e4cf9d73130 100644
+--- a/fs/reiserfs/inode.c
++++ b/fs/reiserfs/inode.c
+@@ -3220,8 +3220,14 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
+ attr->ia_size != i_size_read(inode)) {
+ error = inode_newsize_ok(inode, attr->ia_size);
+ if (!error) {
++ /*
++ * Could race against reiserfs_file_release
++ * if called from NFS, so take tailpack mutex.
++ */
++ mutex_lock(&REISERFS_I(inode)->tailpack);
+ truncate_setsize(inode, attr->ia_size);
+- reiserfs_vfs_truncate_file(inode);
++ reiserfs_truncate_file(inode, 1);
++ mutex_unlock(&REISERFS_I(inode)->tailpack);
+ }
+ }
+
+diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
+index 123c79b7261e..b56eb6275744 100644
+--- a/fs/ubifs/file.c
++++ b/fs/ubifs/file.c
+@@ -1525,8 +1525,7 @@ static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma,
+ }
+
+ wait_for_stable_page(page);
+- unlock_page(page);
+- return 0;
++ return VM_FAULT_LOCKED;
+
+ out_unlock:
+ unlock_page(page);
+diff --git a/fs/ubifs/shrinker.c b/fs/ubifs/shrinker.c
+index f35135e28e96..9a9fb94a41c6 100644
+--- a/fs/ubifs/shrinker.c
++++ b/fs/ubifs/shrinker.c
+@@ -128,7 +128,6 @@ static int shrink_tnc(struct ubifs_info *c, int nr, int age, int *contention)
+ freed = ubifs_destroy_tnc_subtree(znode);
+ atomic_long_sub(freed, &ubifs_clean_zn_cnt);
+ atomic_long_sub(freed, &c->clean_zn_cnt);
+- ubifs_assert(atomic_long_read(&c->clean_zn_cnt) >= 0);
+ total_freed += freed;
+ znode = zprev;
+ }
+diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
+index f96c05669a9e..c6ff3cf5a5bb 100644
+--- a/fs/xfs/xfs_mount.c
++++ b/fs/xfs/xfs_mount.c
+@@ -320,8 +320,19 @@ reread:
+ /*
+ * Initialize the mount structure from the superblock.
+ */
+- xfs_sb_from_disk(&mp->m_sb, XFS_BUF_TO_SBP(bp));
+- xfs_sb_quota_from_disk(&mp->m_sb);
++ xfs_sb_from_disk(sbp, XFS_BUF_TO_SBP(bp));
++ xfs_sb_quota_from_disk(sbp);
++
++ /*
++ * If we haven't validated the superblock, do so now before we try
++ * to check the sector size and reread the superblock appropriately.
++ */
++ if (sbp->sb_magicnum != XFS_SB_MAGIC) {
++ if (loud)
++ xfs_warn(mp, "Invalid superblock magic number");
++ error = EINVAL;
++ goto release_buf;
++ }
+
+ /*
+ * We must be able to do sector-sized and sector-aligned IO.
+@@ -334,11 +345,11 @@ reread:
+ goto release_buf;
+ }
+
+- /*
+- * Re-read the superblock so the buffer is correctly sized,
+- * and properly verified.
+- */
+ if (buf_ops == NULL) {
++ /*
++ * Re-read the superblock so the buffer is correctly sized,
++ * and properly verified.
++ */
+ xfs_buf_relse(bp);
+ sector_size = sbp->sb_sectsize;
+ buf_ops = loud ? &xfs_sb_buf_ops : &xfs_sb_quiet_buf_ops;
+diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
+index 077904c8b70d..cc79eff4a1ad 100644
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -334,6 +334,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk,
+ * calling arch_ptrace_stop() when it would be superfluous. For example,
+ * if the thread has not been back to user mode since the last stop, the
+ * thread state might indicate that nothing needs to be done.
++ *
++ * This is guaranteed to be invoked once before a task stops for ptrace and
++ * may include arch-specific operations necessary prior to a ptrace stop.
+ */
+ #define arch_ptrace_stop_needed(code, info) (0)
+ #endif
+diff --git a/include/trace/syscall.h b/include/trace/syscall.h
+index fed853f3d7aa..9674145e2f6a 100644
+--- a/include/trace/syscall.h
++++ b/include/trace/syscall.h
+@@ -4,6 +4,7 @@
+ #include <linux/tracepoint.h>
+ #include <linux/unistd.h>
+ #include <linux/ftrace_event.h>
++#include <linux/thread_info.h>
+
+ #include <asm/ptrace.h>
+
+@@ -32,4 +33,18 @@ struct syscall_metadata {
+ struct ftrace_event_call *exit_event;
+ };
+
++#if defined(CONFIG_TRACEPOINTS) && defined(CONFIG_HAVE_SYSCALL_TRACEPOINTS)
++static inline void syscall_tracepoint_update(struct task_struct *p)
++{
++ if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
++ set_tsk_thread_flag(p, TIF_SYSCALL_TRACEPOINT);
++ else
++ clear_tsk_thread_flag(p, TIF_SYSCALL_TRACEPOINT);
++}
++#else
++static inline void syscall_tracepoint_update(struct task_struct *p)
++{
++}
++#endif
++
+ #endif /* _TRACE_SYSCALL_H */
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 45da005c9961..c44bff8097f5 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1484,7 +1484,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+
+ total_forks++;
+ spin_unlock(&current->sighand->siglock);
++ syscall_tracepoint_update(p);
+ write_unlock_irq(&tasklist_lock);
++
+ proc_fork_connector(p);
+ cgroup_post_fork(p);
+ if (clone_flags & CLONE_THREAD)
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 24c1f2382557..f0831c22760c 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1449,12 +1449,12 @@ static void tracing_stop_tr(struct trace_array *tr)
+
+ void trace_stop_cmdline_recording(void);
+
+-static void trace_save_cmdline(struct task_struct *tsk)
++static int trace_save_cmdline(struct task_struct *tsk)
+ {
+ unsigned pid, idx;
+
+ if (!tsk->pid || unlikely(tsk->pid > PID_MAX_DEFAULT))
+- return;
++ return 0;
+
+ /*
+ * It's not the end of the world if we don't get
+@@ -1463,7 +1463,7 @@ static void trace_save_cmdline(struct task_struct *tsk)
+ * so if we miss here, then better luck next time.
+ */
+ if (!arch_spin_trylock(&trace_cmdline_lock))
+- return;
++ return 0;
+
+ idx = map_pid_to_cmdline[tsk->pid];
+ if (idx == NO_CMDLINE_MAP) {
+@@ -1488,6 +1488,8 @@ static void trace_save_cmdline(struct task_struct *tsk)
+ memcpy(&saved_cmdlines[idx], tsk->comm, TASK_COMM_LEN);
+
+ arch_spin_unlock(&trace_cmdline_lock);
++
++ return 1;
+ }
+
+ void trace_find_cmdline(int pid, char comm[])
+@@ -1529,9 +1531,8 @@ void tracing_record_cmdline(struct task_struct *tsk)
+ if (!__this_cpu_read(trace_cmdline_save))
+ return;
+
+- __this_cpu_write(trace_cmdline_save, false);
+-
+- trace_save_cmdline(tsk);
++ if (trace_save_cmdline(tsk))
++ __this_cpu_write(trace_cmdline_save, false);
+ }
+
+ void
+diff --git a/kernel/watchdog.c b/kernel/watchdog.c
+index 4431610f049a..c9b6f01bf853 100644
+--- a/kernel/watchdog.c
++++ b/kernel/watchdog.c
+@@ -524,10 +524,8 @@ static void update_timers_all_cpus(void)
+ int cpu;
+
+ get_online_cpus();
+- preempt_disable();
+ for_each_online_cpu(cpu)
+ update_timers(cpu);
+- preempt_enable();
+ put_online_cpus();
+ }
+
+diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
+index b74da447e81e..7a85967060a5 100644
+--- a/lib/lz4/lz4_decompress.c
++++ b/lib/lz4/lz4_decompress.c
+@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ int s = 255;
+ while ((ip < iend) && (s == 255)) {
+ s = *ip++;
++ if (unlikely(length > (size_t)(length + s)))
++ goto _output_error;
+ length += s;
+ }
+ }
+@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ if (length == ML_MASK) {
+ while (ip < iend) {
+ int s = *ip++;
++ if (unlikely(length > (size_t)(length + s)))
++ goto _output_error;
+ length += s;
+ if (s == 255)
+ continue;
+@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+
+ /* write overflow error detected */
+ _output_error:
+- return (int) (-(((char *) ip) - source));
++ return -1;
+ }
+
+ int lz4_decompress(const unsigned char *src, size_t *src_len,
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 4f26ee46b51f..3d2d2c8108ca 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1392,15 +1392,19 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
+
+ if (ipip) {
+ __be32 info = ic->un.gateway;
++ __u8 type = ic->type;
++ __u8 code = ic->code;
+
+ /* Update the MTU */
+ if (ic->type == ICMP_DEST_UNREACH &&
+ ic->code == ICMP_FRAG_NEEDED) {
+ struct ip_vs_dest *dest = cp->dest;
+ u32 mtu = ntohs(ic->un.frag.mtu);
++ __be16 frag_off = cih->frag_off;
+
+ /* Strip outer IP and ICMP, go to IPIP header */
+- __skb_pull(skb, ihl + sizeof(_icmph));
++ if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
++ goto ignore_ipip;
+ offset2 -= ihl + sizeof(_icmph);
+ skb_reset_network_header(skb);
+ IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
+@@ -1408,7 +1412,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
+ ipv4_update_pmtu(skb, dev_net(skb->dev),
+ mtu, 0, 0, 0, 0);
+ /* Client uses PMTUD? */
+- if (!(cih->frag_off & htons(IP_DF)))
++ if (!(frag_off & htons(IP_DF)))
+ goto ignore_ipip;
+ /* Prefer the resulting PMTU */
+ if (dest) {
+@@ -1427,12 +1431,13 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
+ /* Strip outer IP, ICMP and IPIP, go to IP header of
+ * original request.
+ */
+- __skb_pull(skb, offset2);
++ if (pskb_pull(skb, offset2) == NULL)
++ goto ignore_ipip;
+ skb_reset_network_header(skb);
+ IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
+ &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
+- ic->type, ic->code, ntohl(info));
+- icmp_send(skb, ic->type, ic->code, info);
++ type, code, ntohl(info));
++ icmp_send(skb, type, code, info);
+ /* ICMP can be shorter but anyways, account it */
+ ip_vs_out_stats(cp, skb);
+
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 06c6ff0cb911..a4acaf2bcf18 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -730,6 +730,8 @@ static int svc_handle_xprt(struct svc_rqst *rqstp, struct svc_xprt *xprt)
+ newxpt = xprt->xpt_ops->xpo_accept(xprt);
+ if (newxpt)
+ svc_add_new_temp_xprt(serv, newxpt);
++ else
++ module_put(xprt->xpt_class->xcl_owner);
+ } else if (xprt->xpt_ops->xpo_has_wspace(xprt)) {
+ /* XPT_DATA|XPT_DEFERRED case: */
+ dprintk("svc: server %p, pool %u, transport %p, inuse=%d\n",
+diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
+index 9d1421e63ff8..49b582a225b0 100644
+--- a/scripts/recordmcount.h
++++ b/scripts/recordmcount.h
+@@ -163,11 +163,11 @@ static int mcount_adjust = 0;
+
+ static int MIPS_is_fake_mcount(Elf_Rel const *rp)
+ {
+- static Elf_Addr old_r_offset;
++ static Elf_Addr old_r_offset = ~(Elf_Addr)0;
+ Elf_Addr current_r_offset = _w(rp->r_offset);
+ int is_fake;
+
+- is_fake = old_r_offset &&
++ is_fake = (old_r_offset != ~(Elf_Addr)0) &&
+ (current_r_offset - old_r_offset == MIPS_FAKEMCOUNT_OFFSET);
+ old_r_offset = current_r_offset;
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index ce5b339d9333..3abfe2a642ec 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2165,7 +2165,7 @@ static int generic_hdmi_resume(struct hda_codec *codec)
+ struct hdmi_spec *spec = codec->spec;
+ int pin_idx;
+
+- generic_hdmi_init(codec);
++ codec->patch_ops.init(codec);
+ snd_hda_codec_resume_amp(codec);
+ snd_hda_codec_resume_cache(codec);
+
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index d979050e6a6a..af1956042c9e 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -304,6 +304,11 @@ static int snd_usb_create_streams(struct snd_usb_audio *chip, int ctrlif)
+
+ static int snd_usb_audio_free(struct snd_usb_audio *chip)
+ {
++ struct list_head *p, *n;
++
++ list_for_each_safe(p, n, &chip->ep_list)
++ snd_usb_endpoint_free(p);
++
+ mutex_destroy(&chip->mutex);
+ kfree(chip);
+ return 0;
+@@ -580,7 +585,7 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
+ struct snd_usb_audio *chip)
+ {
+ struct snd_card *card;
+- struct list_head *p, *n;
++ struct list_head *p;
+
+ if (chip == (void *)-1L)
+ return;
+@@ -593,14 +598,16 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
+ mutex_lock(&register_mutex);
+ chip->num_interfaces--;
+ if (chip->num_interfaces <= 0) {
++ struct snd_usb_endpoint *ep;
++
+ snd_card_disconnect(card);
+ /* release the pcm resources */
+ list_for_each(p, &chip->pcm_list) {
+ snd_usb_stream_disconnect(p);
+ }
+ /* release the endpoint resources */
+- list_for_each_safe(p, n, &chip->ep_list) {
+- snd_usb_endpoint_free(p);
++ list_for_each_entry(ep, &chip->ep_list, list) {
++ snd_usb_endpoint_release(ep);
+ }
+ /* release the midi resources */
+ list_for_each(p, &chip->midi_list) {
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index 814430fec6a2..105ece3c14e3 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -981,19 +981,30 @@ void snd_usb_endpoint_deactivate(struct snd_usb_endpoint *ep)
+ }
+
+ /**
++ * snd_usb_endpoint_release: Tear down an snd_usb_endpoint
++ *
++ * @ep: the endpoint to release
++ *
++ * This function does not care for the endpoint's use count but will tear
++ * down all the streaming URBs immediately.
++ */
++void snd_usb_endpoint_release(struct snd_usb_endpoint *ep)
++{
++ release_urbs(ep, 1);
++}
++
++/**
+ * snd_usb_endpoint_free: Free the resources of an snd_usb_endpoint
+ *
+ * @ep: the list header of the endpoint to free
+ *
+- * This function does not care for the endpoint's use count but will tear
+- * down all the streaming URBs immediately and free all resources.
++ * This free all resources of the given ep.
+ */
+ void snd_usb_endpoint_free(struct list_head *head)
+ {
+ struct snd_usb_endpoint *ep;
+
+ ep = list_entry(head, struct snd_usb_endpoint, list);
+- release_urbs(ep, 1);
+ kfree(ep);
+ }
+
+diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h
+index 1c7e8ee48abc..e61ee5c356a3 100644
+--- a/sound/usb/endpoint.h
++++ b/sound/usb/endpoint.h
+@@ -23,6 +23,7 @@ void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep);
+ void snd_usb_endpoint_sync_pending_stop(struct snd_usb_endpoint *ep);
+ int snd_usb_endpoint_activate(struct snd_usb_endpoint *ep);
+ void snd_usb_endpoint_deactivate(struct snd_usb_endpoint *ep);
++void snd_usb_endpoint_release(struct snd_usb_endpoint *ep);
+ void snd_usb_endpoint_free(struct list_head *head);
+
+ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep);