diff options
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1042_linux-4.1.43.patch | 5611 |
2 files changed, 5615 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 85eb55c3..60f0ad1e 100644 --- a/0000_README +++ b/0000_README @@ -211,6 +211,10 @@ Patch: 1041_linux-4.1.42.patch From: http://www.kernel.org Desc: Linux 4.1.42 +Patch: 1042_linux-4.1.43.patch +From: http://www.kernel.org +Desc: Linux 4.1.43 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1042_linux-4.1.43.patch b/1042_linux-4.1.43.patch new file mode 100644 index 00000000..ad0b1119 --- /dev/null +++ b/1042_linux-4.1.43.patch @@ -0,0 +1,5611 @@ +diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt +index c831001c45f1..4c88aa047790 100644 +--- a/Documentation/sysctl/kernel.txt ++++ b/Documentation/sysctl/kernel.txt +@@ -798,14 +798,13 @@ via the /proc/sys interface: + Each write syscall must fully contain the sysctl value to be + written, and multiple writes on the same sysctl file descriptor + will rewrite the sysctl value, regardless of file position. +- 0 - (default) Same behavior as above, but warn about processes that +- perform writes to a sysctl file descriptor when the file position +- is not 0. +- 1 - Respect file position when writing sysctl strings. Multiple writes +- will append to the sysctl value buffer. Anything past the max length +- of the sysctl value buffer will be ignored. Writes to numeric sysctl +- entries must always be at file position 0 and the value must be +- fully contained in the buffer sent in the write syscall. ++ 0 - Same behavior as above, but warn about processes that perform writes ++ to a sysctl file descriptor when the file position is not 0. ++ 1 - (default) Respect file position when writing sysctl strings. Multiple ++ writes will append to the sysctl value buffer. Anything past the max ++ length of the sysctl value buffer will be ignored. Writes to numeric ++ sysctl entries must always be at file position 0 and the value must ++ be fully contained in the buffer sent in the write syscall. + + ============================================================== + +diff --git a/Makefile b/Makefile +index 0c3313f14ff0..50d0a93fa343 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 42 ++SUBLEVEL = 43 + EXTRAVERSION = + NAME = Series 4800 + +@@ -622,6 +622,12 @@ endif + # Tell gcc to never replace conditional load with a non-conditional one + KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) + ++# check for 'asm goto' ++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) ++ KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO ++ KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO ++endif ++ + ifdef CONFIG_READABLE_ASM + # Disable optimizations that make assembler listings hard to read. + # reorder blocks reorders the control in the function +@@ -777,12 +783,6 @@ KBUILD_CFLAGS += $(call cc-option,-Werror=date-time) + # use the deterministic mode of AR if available + KBUILD_ARFLAGS := $(call ar-option,D) + +-# check for 'asm goto' +-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) +- KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO +- KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO +-endif +- + include scripts/Makefile.kasan + include scripts/Makefile.extrawarn + +diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi +index 78aec6270c2f..90fbda066122 100644 +--- a/arch/arm/boot/dts/bcm5301x.dtsi ++++ b/arch/arm/boot/dts/bcm5301x.dtsi +@@ -54,14 +54,14 @@ + timer@0200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0x0200 0x100>; +- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>; + clocks = <&clk_periph>; + }; + + local-timer@0600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0x0600 0x100>; +- interrupts = <GIC_PPI 13 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <GIC_PPI 13 IRQ_TYPE_EDGE_RISING>; + clocks = <&clk_periph>; + }; + +diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi +index f94bf72832af..d6da4cc23920 100644 +--- a/arch/arm/boot/dts/imx6dl.dtsi ++++ b/arch/arm/boot/dts/imx6dl.dtsi +@@ -30,7 +30,7 @@ + /* kHz uV */ + 996000 1250000 + 792000 1175000 +- 396000 1075000 ++ 396000 1150000 + >; + fsl,soc-operating-points = < + /* ARM kHz SOC-PU uV */ +diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h +index d2315ffd8f12..f13ae153fb24 100644 +--- a/arch/arm/include/asm/elf.h ++++ b/arch/arm/include/asm/elf.h +@@ -112,12 +112,8 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE 4096 + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. */ +- +-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) ++/* This is the base location for PIE (ET_DYN with INTERP) loads. */ ++#define ELF_ET_DYN_BASE 0x400000UL + + /* When the program starts, a1 contains a pointer to a function to be + registered with atexit, as per the SVR4 ABI. A value of 0 means we +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index 7186382672b5..d89d35b40e47 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -1136,15 +1136,15 @@ void __init sanity_check_meminfo(void) + + high_memory = __va(arm_lowmem_limit - 1) + 1; + ++ if (!memblock_limit) ++ memblock_limit = arm_lowmem_limit; ++ + /* + * Round the memblock limit down to a pmd size. This + * helps to ensure that we will allocate memory from the + * last full pmd, which should be mapped. + */ +- if (memblock_limit) +- memblock_limit = round_down(memblock_limit, PMD_SIZE); +- if (!memblock_limit) +- memblock_limit = arm_lowmem_limit; ++ memblock_limit = round_down(memblock_limit, PMD_SIZE); + + memblock_set_current_limit(memblock_limit); + } +diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h +index 71f19c4dc0de..ffe7850afdbd 100644 +--- a/arch/arm64/include/asm/barrier.h ++++ b/arch/arm64/include/asm/barrier.h +@@ -63,23 +63,33 @@ do { \ + + #define smp_store_release(p, v) \ + do { \ ++ union { typeof(*p) __val; char __c[1]; } __u = \ ++ { .__val = (__force typeof(*p)) (v) }; \ + compiletime_assert_atomic_type(*p); \ + switch (sizeof(*p)) { \ + case 1: \ + asm volatile ("stlrb %w1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u8 *)__u.__c) \ ++ : "memory"); \ + break; \ + case 2: \ + asm volatile ("stlrh %w1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u16 *)__u.__c) \ ++ : "memory"); \ + break; \ + case 4: \ + asm volatile ("stlr %w1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u32 *)__u.__c) \ ++ : "memory"); \ + break; \ + case 8: \ + asm volatile ("stlr %1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u64 *)__u.__c) \ ++ : "memory"); \ + break; \ + } \ + } while (0) +diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c +index 7ac3920b1356..802dd71ed0b3 100644 +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -298,7 +298,8 @@ static void register_insn_emulation_sysctl(struct ctl_table *table) + " .quad 1b, 4b\n" \ + " .popsection\n" \ + : "=&r" (res), "+r" (data), "=&r" (temp) \ +- : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT) \ ++ : "r" ((unsigned long)addr), "i" (-EAGAIN), \ ++ "i" (-EFAULT) \ + : "memory") + + #define __user_swp_asm(data, addr, res, temp) \ +diff --git a/arch/mips/kernel/entry.S b/arch/mips/kernel/entry.S +index 7791840cf22c..db07793f7b43 100644 +--- a/arch/mips/kernel/entry.S ++++ b/arch/mips/kernel/entry.S +@@ -11,6 +11,7 @@ + #include <asm/asm.h> + #include <asm/asmmacro.h> + #include <asm/compiler.h> ++#include <asm/irqflags.h> + #include <asm/regdef.h> + #include <asm/mipsregs.h> + #include <asm/stackframe.h> +@@ -137,6 +138,7 @@ work_pending: + andi t0, a2, _TIF_NEED_RESCHED # a2 is preloaded with TI_FLAGS + beqz t0, work_notifysig + work_resched: ++ TRACE_IRQS_OFF + jal schedule + + local_irq_disable # make sure need_resched and +@@ -173,6 +175,7 @@ syscall_exit_work: + beqz t0, work_pending # trace bit set? + local_irq_enable # could let syscall_trace_leave() + # call schedule() instead ++ TRACE_IRQS_ON + move a0, sp + jal syscall_trace_leave + b resume_userspace +diff --git a/arch/mips/kernel/pm-cps.c b/arch/mips/kernel/pm-cps.c +index 06147179a175..cd25b616075d 100644 +--- a/arch/mips/kernel/pm-cps.c ++++ b/arch/mips/kernel/pm-cps.c +@@ -55,7 +55,6 @@ DECLARE_BITMAP(state_support, CPS_PM_STATE_COUNT); + * state. Actually per-core rather than per-CPU. + */ + static DEFINE_PER_CPU_ALIGNED(u32*, ready_count); +-static DEFINE_PER_CPU_ALIGNED(void*, ready_count_alloc); + + /* Indicates online CPUs coupled with the current CPU */ + static DEFINE_PER_CPU_ALIGNED(cpumask_t, online_coupled); +@@ -624,7 +623,6 @@ static int __init cps_gen_core_entries(unsigned cpu) + { + enum cps_pm_state state; + unsigned core = cpu_data[cpu].core; +- unsigned dlinesz = cpu_data[cpu].dcache.linesz; + void *entry_fn, *core_rc; + + for (state = CPS_PM_NC_WAIT; state < CPS_PM_STATE_COUNT; state++) { +@@ -644,16 +642,11 @@ static int __init cps_gen_core_entries(unsigned cpu) + } + + if (!per_cpu(ready_count, core)) { +- core_rc = kmalloc(dlinesz * 2, GFP_KERNEL); ++ core_rc = kmalloc(sizeof(u32), GFP_KERNEL); + if (!core_rc) { + pr_err("Failed allocate core %u ready_count\n", core); + return -ENOMEM; + } +- per_cpu(ready_count_alloc, core) = core_rc; +- +- /* Ensure ready_count is aligned to a cacheline boundary */ +- core_rc += dlinesz - 1; +- core_rc = (void *)((unsigned long)core_rc & ~(dlinesz - 1)); + per_cpu(ready_count, core) = core_rc; + } + +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index 74403953e407..2e29b1aed924 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -193,6 +193,8 @@ void show_stack(struct task_struct *task, unsigned long *sp) + { + struct pt_regs regs; + mm_segment_t old_fs = get_fs(); ++ ++ regs.cp0_status = KSU_KERNEL; + if (sp) { + regs.regs[29] = (unsigned long)sp; + regs.regs[31] = 0; +diff --git a/arch/mips/ralink/mt7620.c b/arch/mips/ralink/mt7620.c +index 2ea5ff6dc22e..c57215a66181 100644 +--- a/arch/mips/ralink/mt7620.c ++++ b/arch/mips/ralink/mt7620.c +@@ -98,31 +98,31 @@ static struct rt2880_pmx_group mt7620a_pinmux_data[] = { + }; + + static struct rt2880_pmx_func pwm1_grp_mt7628[] = { +- FUNC("sdcx", 3, 19, 1), ++ FUNC("sdxc d6", 3, 19, 1), + FUNC("utif", 2, 19, 1), + FUNC("gpio", 1, 19, 1), +- FUNC("pwm", 0, 19, 1), ++ FUNC("pwm1", 0, 19, 1), + }; + + static struct rt2880_pmx_func pwm0_grp_mt7628[] = { +- FUNC("sdcx", 3, 18, 1), ++ FUNC("sdxc d7", 3, 18, 1), + FUNC("utif", 2, 18, 1), + FUNC("gpio", 1, 18, 1), +- FUNC("pwm", 0, 18, 1), ++ FUNC("pwm0", 0, 18, 1), + }; + + static struct rt2880_pmx_func uart2_grp_mt7628[] = { +- FUNC("sdcx", 3, 20, 2), ++ FUNC("sdxc d5 d4", 3, 20, 2), + FUNC("pwm", 2, 20, 2), + FUNC("gpio", 1, 20, 2), +- FUNC("uart", 0, 20, 2), ++ FUNC("uart2", 0, 20, 2), + }; + + static struct rt2880_pmx_func uart1_grp_mt7628[] = { +- FUNC("sdcx", 3, 45, 2), ++ FUNC("sw_r", 3, 45, 2), + FUNC("pwm", 2, 45, 2), + FUNC("gpio", 1, 45, 2), +- FUNC("uart", 0, 45, 2), ++ FUNC("uart1", 0, 45, 2), + }; + + static struct rt2880_pmx_func i2c_grp_mt7628[] = { +@@ -134,21 +134,21 @@ static struct rt2880_pmx_func i2c_grp_mt7628[] = { + + static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 36, 1) }; + static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 37, 1) }; +-static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 15, 38) }; ++static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) }; + static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) }; + + static struct rt2880_pmx_func sd_mode_grp_mt7628[] = { + FUNC("jtag", 3, 22, 8), + FUNC("utif", 2, 22, 8), + FUNC("gpio", 1, 22, 8), +- FUNC("sdcx", 0, 22, 8), ++ FUNC("sdxc", 0, 22, 8), + }; + + static struct rt2880_pmx_func uart0_grp_mt7628[] = { + FUNC("-", 3, 12, 2), + FUNC("-", 2, 12, 2), + FUNC("gpio", 1, 12, 2), +- FUNC("uart", 0, 12, 2), ++ FUNC("uart0", 0, 12, 2), + }; + + static struct rt2880_pmx_func i2s_grp_mt7628[] = { +@@ -162,7 +162,7 @@ static struct rt2880_pmx_func spi_cs1_grp_mt7628[] = { + FUNC("-", 3, 6, 1), + FUNC("refclk", 2, 6, 1), + FUNC("gpio", 1, 6, 1), +- FUNC("spi", 0, 6, 1), ++ FUNC("spi cs1", 0, 6, 1), + }; + + static struct rt2880_pmx_func spis_grp_mt7628[] = { +@@ -179,28 +179,44 @@ static struct rt2880_pmx_func gpio_grp_mt7628[] = { + FUNC("gpio", 0, 11, 1), + }; + +-#define MT7628_GPIO_MODE_MASK 0x3 +- +-#define MT7628_GPIO_MODE_PWM1 30 +-#define MT7628_GPIO_MODE_PWM0 28 +-#define MT7628_GPIO_MODE_UART2 26 +-#define MT7628_GPIO_MODE_UART1 24 +-#define MT7628_GPIO_MODE_I2C 20 +-#define MT7628_GPIO_MODE_REFCLK 18 +-#define MT7628_GPIO_MODE_PERST 16 +-#define MT7628_GPIO_MODE_WDT 14 +-#define MT7628_GPIO_MODE_SPI 12 +-#define MT7628_GPIO_MODE_SDMODE 10 +-#define MT7628_GPIO_MODE_UART0 8 +-#define MT7628_GPIO_MODE_I2S 6 +-#define MT7628_GPIO_MODE_CS1 4 +-#define MT7628_GPIO_MODE_SPIS 2 +-#define MT7628_GPIO_MODE_GPIO 0 ++static struct rt2880_pmx_func wled_kn_grp_mt7628[] = { ++ FUNC("rsvd", 3, 35, 1), ++ FUNC("rsvd", 2, 35, 1), ++ FUNC("gpio", 1, 35, 1), ++ FUNC("wled_kn", 0, 35, 1), ++}; ++ ++static struct rt2880_pmx_func wled_an_grp_mt7628[] = { ++ FUNC("rsvd", 3, 44, 1), ++ FUNC("rsvd", 2, 44, 1), ++ FUNC("gpio", 1, 44, 1), ++ FUNC("wled_an", 0, 44, 1), ++}; ++ ++#define MT7628_GPIO_MODE_MASK 0x3 ++ ++#define MT7628_GPIO_MODE_WLED_KN 48 ++#define MT7628_GPIO_MODE_WLED_AN 32 ++#define MT7628_GPIO_MODE_PWM1 30 ++#define MT7628_GPIO_MODE_PWM0 28 ++#define MT7628_GPIO_MODE_UART2 26 ++#define MT7628_GPIO_MODE_UART1 24 ++#define MT7628_GPIO_MODE_I2C 20 ++#define MT7628_GPIO_MODE_REFCLK 18 ++#define MT7628_GPIO_MODE_PERST 16 ++#define MT7628_GPIO_MODE_WDT 14 ++#define MT7628_GPIO_MODE_SPI 12 ++#define MT7628_GPIO_MODE_SDMODE 10 ++#define MT7628_GPIO_MODE_UART0 8 ++#define MT7628_GPIO_MODE_I2S 6 ++#define MT7628_GPIO_MODE_CS1 4 ++#define MT7628_GPIO_MODE_SPIS 2 ++#define MT7628_GPIO_MODE_GPIO 0 + + static struct rt2880_pmx_group mt7628an_pinmux_data[] = { +- GRP_G("pmw1", pwm1_grp_mt7628, MT7628_GPIO_MODE_MASK, ++ GRP_G("pwm1", pwm1_grp_mt7628, MT7628_GPIO_MODE_MASK, + 1, MT7628_GPIO_MODE_PWM1), +- GRP_G("pmw1", pwm0_grp_mt7628, MT7628_GPIO_MODE_MASK, ++ GRP_G("pwm0", pwm0_grp_mt7628, MT7628_GPIO_MODE_MASK, + 1, MT7628_GPIO_MODE_PWM0), + GRP_G("uart2", uart2_grp_mt7628, MT7628_GPIO_MODE_MASK, + 1, MT7628_GPIO_MODE_UART2), +@@ -224,6 +240,10 @@ static struct rt2880_pmx_group mt7628an_pinmux_data[] = { + 1, MT7628_GPIO_MODE_SPIS), + GRP_G("gpio", gpio_grp_mt7628, MT7628_GPIO_MODE_MASK, + 1, MT7628_GPIO_MODE_GPIO), ++ GRP_G("wled_an", wled_an_grp_mt7628, MT7628_GPIO_MODE_MASK, ++ 1, MT7628_GPIO_MODE_WLED_AN), ++ GRP_G("wled_kn", wled_kn_grp_mt7628, MT7628_GPIO_MODE_MASK, ++ 1, MT7628_GPIO_MODE_WLED_KN), + { 0 } + }; + +diff --git a/arch/parisc/include/asm/dma-mapping.h b/arch/parisc/include/asm/dma-mapping.h +index d0eae5f2bd87..4fb62add2636 100644 +--- a/arch/parisc/include/asm/dma-mapping.h ++++ b/arch/parisc/include/asm/dma-mapping.h +@@ -39,6 +39,8 @@ struct hppa_dma_ops { + ** flush/purge and allocate "regular" cacheable pages for everything. + */ + ++#define DMA_ERROR_CODE (~(dma_addr_t)0) ++ + #ifdef CONFIG_PA11 + extern struct hppa_dma_ops pcxl_dma_ops; + extern struct hppa_dma_ops pcx_dma_ops; +@@ -209,12 +211,13 @@ parisc_walk_tree(struct device *dev) + break; + } + } +- BUG_ON(!dev->platform_data); + return dev->platform_data; + } +- +-#define GET_IOC(dev) (HBA_DATA(parisc_walk_tree(dev))->iommu) +- ++ ++#define GET_IOC(dev) ({ \ ++ void *__pdata = parisc_walk_tree(dev); \ ++ __pdata ? HBA_DATA(__pdata)->iommu : NULL; \ ++}) + + #ifdef CONFIG_IOMMU_CCIO + struct parisc_device; +diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S +index 8eefb12d1d33..3781b8c0fad9 100644 +--- a/arch/parisc/kernel/syscall_table.S ++++ b/arch/parisc/kernel/syscall_table.S +@@ -361,7 +361,7 @@ + ENTRY_SAME(ni_syscall) /* 263: reserved for vserver */ + ENTRY_SAME(add_key) + ENTRY_SAME(request_key) /* 265 */ +- ENTRY_SAME(keyctl) ++ ENTRY_COMP(keyctl) + ENTRY_SAME(ioprio_set) + ENTRY_SAME(ioprio_get) + ENTRY_SAME(inotify_init) +diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c +index 50d64a7fc672..3b7c02f9b726 100644 +--- a/arch/parisc/mm/fault.c ++++ b/arch/parisc/mm/fault.c +@@ -303,7 +303,7 @@ bad_area: + case 15: /* Data TLB miss fault/Data page fault */ + /* send SIGSEGV when outside of vma */ + if (!vma || +- address < vma->vm_start || address > vma->vm_end) { ++ address < vma->vm_start || address >= vma->vm_end) { + si.si_signo = SIGSEGV; + si.si_code = SEGV_MAPERR; + break; +diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h +index ee46ffef608e..743ad7a400d6 100644 +--- a/arch/powerpc/include/asm/elf.h ++++ b/arch/powerpc/include/asm/elf.h +@@ -23,12 +23,13 @@ + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE PAGE_SIZE + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. */ +- +-#define ELF_ET_DYN_BASE 0x20000000 ++/* ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. ++ */ ++#define ELF_ET_DYN_BASE (is_32bit_task() ? 0x000400000UL : \ ++ 0x100000000UL) + + #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index b264937bba68..9340d05bcdc9 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -306,9 +306,17 @@ void eeh_slot_error_detail(struct eeh_pe *pe, int severity) + * + * For pHyp, we have to enable IO for log retrieval. Otherwise, + * 0xFF's is always returned from PCI config space. ++ * ++ * When the @severity is EEH_LOG_PERM, the PE is going to be ++ * removed. Prior to that, the drivers for devices included in ++ * the PE will be closed. The drivers rely on working IO path ++ * to bring the devices to quiet state. Otherwise, PCI traffic ++ * from those devices after they are removed is like to cause ++ * another unexpected EEH error. + */ + if (!(pe->type & EEH_PE_PHB)) { +- if (eeh_has_flag(EEH_ENABLE_IO_FOR_LOG)) ++ if (eeh_has_flag(EEH_ENABLE_IO_FOR_LOG) || ++ severity == EEH_LOG_PERM) + eeh_pci_enable(pe, EEH_OPT_THAW_MMIO); + + /* +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 0a4f23a070ab..ffca0bf5b8b4 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -651,7 +651,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus) + */ + #define MAX_WAIT_FOR_RECOVERY 300 + +-static void eeh_handle_normal_event(struct eeh_pe *pe) ++static bool eeh_handle_normal_event(struct eeh_pe *pe) + { + struct pci_bus *frozen_bus; + int rc = 0; +@@ -661,7 +661,7 @@ static void eeh_handle_normal_event(struct eeh_pe *pe) + if (!frozen_bus) { + pr_err("%s: Cannot find PCI bus for PHB#%d-PE#%x\n", + __func__, pe->phb->global_number, pe->addr); +- return; ++ return false; + } + + eeh_pe_update_time_stamp(pe); +@@ -778,7 +778,7 @@ static void eeh_handle_normal_event(struct eeh_pe *pe) + pr_info("EEH: Notify device driver to resume\n"); + eeh_pe_dev_traverse(pe, eeh_report_resume, NULL); + +- return; ++ return false; + + excess_failures: + /* +@@ -819,7 +819,11 @@ perm_error: + pci_lock_rescan_remove(); + pcibios_remove_pci_devices(frozen_bus); + pci_unlock_rescan_remove(); ++ ++ /* The passed PE should no longer be used */ ++ return true; + } ++ return false; + } + + static void eeh_handle_special_event(void) +@@ -885,7 +889,14 @@ static void eeh_handle_special_event(void) + */ + if (rc == EEH_NEXT_ERR_FROZEN_PE || + rc == EEH_NEXT_ERR_FENCED_PHB) { +- eeh_handle_normal_event(pe); ++ /* ++ * eeh_handle_normal_event() can make the PE stale if it ++ * determines that the PE cannot possibly be recovered. ++ * Don't modify the PE state if that's the case. ++ */ ++ if (eeh_handle_normal_event(pe)) ++ continue; ++ + eeh_pe_state_clear(pe, EEH_PE_RECOVERING); + } else { + pci_lock_rescan_remove(); +diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c +index 7c053f281406..1138fec3dd65 100644 +--- a/arch/powerpc/kernel/kprobes.c ++++ b/arch/powerpc/kernel/kprobes.c +@@ -514,6 +514,15 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs) + #endif + #endif + ++ /* ++ * jprobes use jprobe_return() which skips the normal return ++ * path of the function, and this messes up the accounting of the ++ * function graph tracer. ++ * ++ * Pause function graph tracing while performing the jprobe function. ++ */ ++ pause_graph_tracing(); ++ + return 1; + } + +@@ -536,6 +545,8 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs) + * saved regs... + */ + memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs)); ++ /* It's OK to start function graph tracing again */ ++ unpause_graph_tracing(); + preempt_enable_no_resched(); + return 1; + } +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 63c37fd2b7a6..c1e10ffadd17 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2238,6 +2238,27 @@ static int kvmppc_vcpu_run_hv(struct kvm_run *run, struct kvm_vcpu *vcpu) + return -EINVAL; + } + ++ /* ++ * Don't allow entry with a suspended transaction, because ++ * the guest entry/exit code will lose it. ++ * If the guest has TM enabled, save away their TM-related SPRs ++ * (they will get restored by the TM unavailable interrupt). ++ */ ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ if (cpu_has_feature(CPU_FTR_TM) && current->thread.regs && ++ (current->thread.regs->msr & MSR_TM)) { ++ if (MSR_TM_ACTIVE(current->thread.regs->msr)) { ++ run->exit_reason = KVM_EXIT_FAIL_ENTRY; ++ run->fail_entry.hardware_entry_failure_reason = 0; ++ return -EINVAL; ++ } ++ current->thread.tm_tfhar = mfspr(SPRN_TFHAR); ++ current->thread.tm_tfiar = mfspr(SPRN_TFIAR); ++ current->thread.tm_texasr = mfspr(SPRN_TEXASR); ++ current->thread.regs->msr &= ~MSR_TM; ++ } ++#endif ++ + kvmppc_core_prepare_to_enter(vcpu); + + /* No need to go into the guest when all we'll do is come back out */ +diff --git a/arch/s390/include/asm/ctl_reg.h b/arch/s390/include/asm/ctl_reg.h +index d7697ab802f6..8e136b88cdf4 100644 +--- a/arch/s390/include/asm/ctl_reg.h ++++ b/arch/s390/include/asm/ctl_reg.h +@@ -15,7 +15,9 @@ + BUILD_BUG_ON(sizeof(addrtype) != (high - low + 1) * sizeof(long));\ + asm volatile( \ + " lctlg %1,%2,%0\n" \ +- : : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high));\ ++ : \ ++ : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high) \ ++ : "memory"); \ + } + + #define __ctl_store(array, low, high) { \ +diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h +index 3ad48f22de78..f133ce08b270 100644 +--- a/arch/s390/include/asm/elf.h ++++ b/arch/s390/include/asm/elf.h +@@ -154,14 +154,13 @@ extern unsigned int vdso_enabled; + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE 4096 + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. 64-bit +- tasks are aligned to 4GB. */ +-#define ELF_ET_DYN_BASE (is_32bit_task() ? \ +- (STACK_TOP / 3 * 2) : \ +- (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1)) ++/* ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. ++ */ ++#define ELF_ET_DYN_BASE (is_compat_task() ? 0x000400000UL : \ ++ 0x100000000UL) + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. */ +diff --git a/arch/s390/mm/vmem.c b/arch/s390/mm/vmem.c +index ef7d6c8fea66..f354fd84adeb 100644 +--- a/arch/s390/mm/vmem.c ++++ b/arch/s390/mm/vmem.c +@@ -372,7 +372,7 @@ void __init vmem_map_init(void) + ro_end = (unsigned long)&_eshared & PAGE_MASK; + for_each_memblock(memory, reg) { + start = reg->base; +- end = reg->base + reg->size - 1; ++ end = reg->base + reg->size; + if (start >= ro_end || end <= ro_start) + vmem_add_mem(start, end - start, 0); + else if (start >= ro_start && end <= ro_end) +diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h +index 3b5b7a9c866d..2903ff34174c 100644 +--- a/arch/x86/include/asm/elf.h ++++ b/arch/x86/include/asm/elf.h +@@ -245,12 +245,13 @@ extern int force_personality32; + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE 4096 + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. */ +- +-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) ++/* ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. ++ */ ++#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ ++ 0x100000000UL) + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. This could be done in user space, +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 99a15e38fa06..32e29f926e5a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2118,7 +2118,7 @@ static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned nr) + if (!(vmcs12->exception_bitmap & (1u << nr))) + return 0; + +- nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason, ++ nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI, + vmcs_read32(VM_EXIT_INTR_INFO), + vmcs_readl(EXIT_QUALIFICATION)); + return 1; +@@ -6153,7 +6153,6 @@ static __init int hardware_setup(void) + vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_CS, false); + vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false); + vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false); +- vmx_disable_intercept_for_msr(MSR_IA32_BNDCFGS, true); + + memcpy(vmx_msr_bitmap_legacy_x2apic, + vmx_msr_bitmap_legacy, PAGE_SIZE); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index c730e4708c7d..9d7ea42482e3 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4910,6 +4910,8 @@ static bool emulator_get_segment(struct x86_emulate_ctxt *ctxt, u16 *selector, + + if (var.unusable) { + memset(desc, 0, sizeof(*desc)); ++ if (base3) ++ *base3 = 0; + return false; + } + +@@ -6049,7 +6051,8 @@ static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt) + + kvm_x86_ops->patch_hypercall(vcpu, instruction); + +- return emulator_write_emulated(ctxt, rip, instruction, 3, NULL); ++ return emulator_write_emulated(ctxt, rip, instruction, 3, ++ &ctxt->exception); + } + + /* +diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S +index fa997dfaef24..2f1c52e252b0 100644 +--- a/arch/x86/lib/copy_user_64.S ++++ b/arch/x86/lib/copy_user_64.S +@@ -112,7 +112,7 @@ ENTRY(copy_user_generic_unrolled) + movl %edx,%ecx + andl $63,%edx + shrl $6,%ecx +- jz 17f ++ jz .L_copy_short_string + 1: movq (%rsi),%r8 + 2: movq 1*8(%rsi),%r9 + 3: movq 2*8(%rsi),%r10 +@@ -133,7 +133,8 @@ ENTRY(copy_user_generic_unrolled) + leaq 64(%rdi),%rdi + decl %ecx + jnz 1b +-17: movl %edx,%ecx ++.L_copy_short_string: ++ movl %edx,%ecx + andl $7,%edx + shrl $3,%ecx + jz 20f +@@ -251,6 +252,8 @@ ENDPROC(copy_user_generic_string) + ENTRY(copy_user_enhanced_fast_string) + CFI_STARTPROC + ASM_STAC ++ cmpl $64,%edx ++ jb .L_copy_short_string /* less then 64 bytes, avoid the costly 'rep' */ + movl %edx,%ecx + 1: rep + movsb +diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c +index 6a3c774eaff6..c2fea3af515d 100644 +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -312,7 +312,7 @@ siginfo_t *mpx_generate_siginfo(struct pt_regs *regs, + * We were not able to extract an address from the instruction, + * probably because there was something invalid in it. + */ +- if (info->si_addr == (void *)-1) { ++ if (info->si_addr == (void __user *)-1) { + err = -EINVAL; + goto err_out; + } +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index 0c2fae8d929d..73eb7fd4aec4 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -992,11 +992,12 @@ static void emit_relocs(int as_text, int use_real_mode) + die("Segment relocations found but --realmode not specified\n"); + + /* Order the relocations for more efficient processing */ +- sort_relocs(&relocs16); + sort_relocs(&relocs32); + #if ELF_BITS == 64 + sort_relocs(&relocs32neg); + sort_relocs(&relocs64); ++#else ++ sort_relocs(&relocs16); + #endif + + /* Print the relocations */ +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 21d13038534e..ed29f61d1338 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1981,7 +1981,11 @@ void device_shutdown(void) + pm_runtime_get_noresume(dev); + pm_runtime_barrier(dev); + +- if (dev->bus && dev->bus->shutdown) { ++ if (dev->class && dev->class->shutdown) { ++ if (initcall_debug) ++ dev_info(dev, "shutdown\n"); ++ dev->class->shutdown(dev); ++ } else if (dev->bus && dev->bus->shutdown) { + if (initcall_debug) + dev_info(dev, "shutdown\n"); + dev->bus->shutdown(dev); +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 7403de94832c..29a4ef08e051 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -729,7 +729,7 @@ static ssize_t driver_override_store(struct device *dev, + const char *buf, size_t count) + { + struct platform_device *pdev = to_platform_device(dev); +- char *driver_override, *old = pdev->driver_override, *cp; ++ char *driver_override, *old, *cp; + + if (count > PATH_MAX) + return -EINVAL; +@@ -742,12 +742,15 @@ static ssize_t driver_override_store(struct device *dev, + if (cp) + *cp = '\0'; + ++ device_lock(dev); ++ old = pdev->driver_override; + if (strlen(driver_override)) { + pdev->driver_override = driver_override; + } else { + kfree(driver_override); + pdev->driver_override = NULL; + } ++ device_unlock(dev); + + kfree(old); + +@@ -758,8 +761,12 @@ static ssize_t driver_override_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct platform_device *pdev = to_platform_device(dev); ++ ssize_t len; + +- return sprintf(buf, "%s\n", pdev->driver_override); ++ device_lock(dev); ++ len = sprintf(buf, "%s\n", pdev->driver_override); ++ device_unlock(dev); ++ return len; + } + static DEVICE_ATTR_RW(driver_override); + +diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c +index d2be3f9c211c..dcc09e3e5778 100644 +--- a/drivers/base/power/sysfs.c ++++ b/drivers/base/power/sysfs.c +@@ -268,6 +268,8 @@ static ssize_t pm_qos_latency_tolerance_store(struct device *dev, + value = PM_QOS_LATENCY_TOLERANCE_NO_CONSTRAINT; + else if (!strcmp(buf, "any") || !strcmp(buf, "any\n")) + value = PM_QOS_LATENCY_ANY; ++ else ++ return -EINVAL; + } + ret = dev_pm_qos_update_user_latency_tolerance(dev, value); + return ret < 0 ? ret : n; +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 9cd6968e2f92..d55156fc064d 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1714,13 +1714,15 @@ int random_int_secret_init(void) + return 0; + } + ++static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash) ++ __aligned(sizeof(unsigned long)); ++ + /* + * Get a random word for internal kernel use only. Similar to urandom but + * with the goal of minimal entropy pool depletion. As a result, the random + * value is not cryptographically secure but for several uses the cost of + * depleting entropy is too high + */ +-static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash); + unsigned int get_random_int(void) + { + __u32 *hash; +@@ -1741,6 +1743,28 @@ unsigned int get_random_int(void) + EXPORT_SYMBOL(get_random_int); + + /* ++ * Same as get_random_int(), but returns unsigned long. ++ */ ++unsigned long get_random_long(void) ++{ ++ __u32 *hash; ++ unsigned long ret; ++ ++ if (arch_get_random_long(&ret)) ++ return ret; ++ ++ hash = get_cpu_var(get_random_int_hash); ++ ++ hash[0] += current->pid + jiffies + random_get_entropy(); ++ md5_transform(hash, random_int_secret); ++ ret = *(unsigned long *)hash; ++ put_cpu_var(get_random_int_hash); ++ ++ return ret; ++} ++EXPORT_SYMBOL(get_random_long); ++ ++/* + * randomize_range() returns a start address such that + * + * [...... <range> .....] +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 810b171b55b7..374b0006aa7a 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1864,7 +1864,7 @@ static void config_work_handler(struct work_struct *work) + { + struct ports_device *portdev; + +- portdev = container_of(work, struct ports_device, control_work); ++ portdev = container_of(work, struct ports_device, config_work); + if (!use_multiport(portdev)) { + struct virtio_device *vdev; + struct port *port; +diff --git a/drivers/cpufreq/cpufreq_conservative.c b/drivers/cpufreq/cpufreq_conservative.c +index 25a70d06c5bf..55836a538a68 100644 +--- a/drivers/cpufreq/cpufreq_conservative.c ++++ b/drivers/cpufreq/cpufreq_conservative.c +@@ -204,8 +204,8 @@ static ssize_t store_down_threshold(struct dbs_data *dbs_data, const char *buf, + int ret; + ret = sscanf(buf, "%u", &input); + +- /* cannot be lower than 11 otherwise freq will not fall */ +- if (ret != 1 || input < 11 || input > 100 || ++ /* cannot be lower than 1 otherwise freq will not fall */ ++ if (ret != 1 || input < 1 || input > 100 || + input >= cs_tuners->up_threshold) + return -EINVAL; + +diff --git a/drivers/cpufreq/s3c2416-cpufreq.c b/drivers/cpufreq/s3c2416-cpufreq.c +index d6d425773fa4..5b2db3c6568f 100644 +--- a/drivers/cpufreq/s3c2416-cpufreq.c ++++ b/drivers/cpufreq/s3c2416-cpufreq.c +@@ -400,7 +400,6 @@ static int s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy) + rate = clk_get_rate(s3c_freq->hclk); + if (rate < 133 * 1000 * 1000) { + pr_err("cpufreq: HCLK not at 133MHz\n"); +- clk_put(s3c_freq->hclk); + ret = -EINVAL; + goto err_armclk; + } +diff --git a/drivers/crypto/atmel-sha.c b/drivers/crypto/atmel-sha.c +index 3178f84d2757..6bff78c5c032 100644 +--- a/drivers/crypto/atmel-sha.c ++++ b/drivers/crypto/atmel-sha.c +@@ -963,7 +963,9 @@ static int atmel_sha_finup(struct ahash_request *req) + ctx->flags |= SHA_FLAGS_FINUP; + + err1 = atmel_sha_update(req); +- if (err1 == -EINPROGRESS || err1 == -EBUSY) ++ if (err1 == -EINPROGRESS || ++ (err1 == -EBUSY && (ahash_request_flags(req) & ++ CRYPTO_TFM_REQ_MAY_BACKLOG))) + return err1; + + /* +diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c +index 9742b3d66288..fc6d2d568541 100644 +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -490,7 +490,7 @@ static int hash_digest_key(struct caam_hash_ctx *ctx, const u8 *key_in, + ret = caam_jr_enqueue(jrdev, desc, split_key_done, &result); + if (!ret) { + /* in progress */ +- wait_for_completion_interruptible(&result.completion); ++ wait_for_completion(&result.completion); + ret = result.err; + #ifdef DEBUG + print_hex_dump(KERN_ERR, +diff --git a/drivers/crypto/caam/key_gen.c b/drivers/crypto/caam/key_gen.c +index e1eaf4ff9762..3ce1d5cdcbd2 100644 +--- a/drivers/crypto/caam/key_gen.c ++++ b/drivers/crypto/caam/key_gen.c +@@ -103,7 +103,7 @@ int gen_split_key(struct device *jrdev, u8 *key_out, int split_key_len, + ret = caam_jr_enqueue(jrdev, desc, split_key_done, &result); + if (!ret) { + /* in progress */ +- wait_for_completion_interruptible(&result.completion); ++ wait_for_completion(&result.completion); + ret = result.err; + #ifdef DEBUG + print_hex_dump(KERN_ERR, "ctx.key@"__stringify(__LINE__)": ", +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index f062158d4dc9..eb79d49ab88c 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -634,7 +634,7 @@ static void talitos_unregister_rng(struct device *dev) + * crypto alg + */ + #define TALITOS_CRA_PRIORITY 3000 +-#define TALITOS_MAX_KEY_SIZE 96 ++#define TALITOS_MAX_KEY_SIZE (AES_MAX_KEY_SIZE + SHA512_BLOCK_SIZE) + #define TALITOS_MAX_IV_LENGTH 16 /* max of AES_BLOCK_SIZE, DES3_EDE_BLOCK_SIZE */ + + struct talitos_ctx { +@@ -1322,6 +1322,11 @@ static int ablkcipher_setkey(struct crypto_ablkcipher *cipher, + { + struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); + ++ if (keylen > TALITOS_MAX_KEY_SIZE) { ++ crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN); ++ return -EINVAL; ++ } ++ + memcpy(&ctx->key, key, keylen); + ctx->keylen = keylen; + +diff --git a/drivers/dma/ep93xx_dma.c b/drivers/dma/ep93xx_dma.c +index 1638d39af595..023c08708b56 100644 +--- a/drivers/dma/ep93xx_dma.c ++++ b/drivers/dma/ep93xx_dma.c +@@ -201,7 +201,6 @@ struct ep93xx_dma_engine { + struct dma_device dma_dev; + bool m2m; + int (*hw_setup)(struct ep93xx_dma_chan *); +- void (*hw_synchronize)(struct ep93xx_dma_chan *); + void (*hw_shutdown)(struct ep93xx_dma_chan *); + void (*hw_submit)(struct ep93xx_dma_chan *); + int (*hw_interrupt)(struct ep93xx_dma_chan *); +@@ -336,27 +335,21 @@ static inline u32 m2p_channel_state(struct ep93xx_dma_chan *edmac) + return (readl(edmac->regs + M2P_STATUS) >> 4) & 0x3; + } + +-static void m2p_hw_synchronize(struct ep93xx_dma_chan *edmac) ++static void m2p_hw_shutdown(struct ep93xx_dma_chan *edmac) + { +- unsigned long flags; + u32 control; + +- spin_lock_irqsave(&edmac->lock, flags); + control = readl(edmac->regs + M2P_CONTROL); + control &= ~(M2P_CONTROL_STALLINT | M2P_CONTROL_NFBINT); + m2p_set_control(edmac, control); +- spin_unlock_irqrestore(&edmac->lock, flags); + + while (m2p_channel_state(edmac) >= M2P_STATE_ON) +- schedule(); +-} ++ cpu_relax(); + +-static void m2p_hw_shutdown(struct ep93xx_dma_chan *edmac) +-{ + m2p_set_control(edmac, 0); + +- while (m2p_channel_state(edmac) != M2P_STATE_IDLE) +- dev_warn(chan2dev(edmac), "M2P: Not yet IDLE\n"); ++ while (m2p_channel_state(edmac) == M2P_STATE_STALL) ++ cpu_relax(); + } + + static void m2p_fill_desc(struct ep93xx_dma_chan *edmac) +@@ -1172,26 +1165,6 @@ fail: + } + + /** +- * ep93xx_dma_synchronize - Synchronizes the termination of transfers to the +- * current context. +- * @chan: channel +- * +- * Synchronizes the DMA channel termination to the current context. When this +- * function returns it is guaranteed that all transfers for previously issued +- * descriptors have stopped and and it is safe to free the memory associated +- * with them. Furthermore it is guaranteed that all complete callback functions +- * for a previously submitted descriptor have finished running and it is safe to +- * free resources accessed from within the complete callbacks. +- */ +-static void ep93xx_dma_synchronize(struct dma_chan *chan) +-{ +- struct ep93xx_dma_chan *edmac = to_ep93xx_dma_chan(chan); +- +- if (edmac->edma->hw_synchronize) +- edmac->edma->hw_synchronize(edmac); +-} +- +-/** + * ep93xx_dma_terminate_all - terminate all transactions + * @chan: channel + * +@@ -1354,7 +1327,6 @@ static int __init ep93xx_dma_probe(struct platform_device *pdev) + dma_dev->device_prep_slave_sg = ep93xx_dma_prep_slave_sg; + dma_dev->device_prep_dma_cyclic = ep93xx_dma_prep_dma_cyclic; + dma_dev->device_config = ep93xx_dma_slave_config; +- dma_dev->device_synchronize = ep93xx_dma_synchronize; + dma_dev->device_terminate_all = ep93xx_dma_terminate_all; + dma_dev->device_issue_pending = ep93xx_dma_issue_pending; + dma_dev->device_tx_status = ep93xx_dma_tx_status; +@@ -1372,7 +1344,6 @@ static int __init ep93xx_dma_probe(struct platform_device *pdev) + } else { + dma_cap_set(DMA_PRIVATE, dma_dev->cap_mask); + +- edma->hw_synchronize = m2p_hw_synchronize; + edma->hw_setup = m2p_hw_setup; + edma->hw_shutdown = m2p_hw_shutdown; + edma->hw_submit = m2p_hw_submit; +diff --git a/drivers/gpu/drm/ast/ast_drv.h b/drivers/gpu/drm/ast/ast_drv.h +index d33ea7ff8614..20e26b3a5a3d 100644 +--- a/drivers/gpu/drm/ast/ast_drv.h ++++ b/drivers/gpu/drm/ast/ast_drv.h +@@ -113,7 +113,11 @@ struct ast_private { + struct ttm_bo_kmap_obj cache_kmap; + int next_cursor; + bool support_wide_screen; +- bool DisableP2A; ++ enum { ++ ast_use_p2a, ++ ast_use_dt, ++ ast_use_defaults ++ } config_mode; + + enum ast_tx_chip tx_chip_type; + u8 dp501_maxclk; +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index dacfe512a93f..fd9a738ff882 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -62,13 +62,84 @@ uint8_t ast_get_index_reg_mask(struct ast_private *ast, + return ret; + } + ++static void ast_detect_config_mode(struct drm_device *dev, u32 *scu_rev) ++{ ++ struct device_node *np = dev->pdev->dev.of_node; ++ struct ast_private *ast = dev->dev_private; ++ uint32_t data, jregd0, jregd1; ++ ++ /* Defaults */ ++ ast->config_mode = ast_use_defaults; ++ *scu_rev = 0xffffffff; ++ ++ /* Check if we have device-tree properties */ ++ if (np && !of_property_read_u32(np, "aspeed,scu-revision-id", ++ scu_rev)) { ++ /* We do, disable P2A access */ ++ ast->config_mode = ast_use_dt; ++ DRM_INFO("Using device-tree for configuration\n"); ++ return; ++ } ++ ++ /* Not all families have a P2A bridge */ ++ if (dev->pdev->device != PCI_CHIP_AST2000) ++ return; ++ ++ /* ++ * The BMC will set SCU 0x40 D[12] to 1 if the P2 bridge ++ * is disabled. We force using P2A if VGA only mode bit ++ * is set D[7] ++ */ ++ jregd0 = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xd0, 0xff); ++ jregd1 = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xd1, 0xff); ++ if (!(jregd0 & 0x80) || !(jregd1 & 0x10)) { ++ /* Double check it's actually working */ ++ data = ast_read32(ast, 0xf004); ++ if (data != 0xFFFFFFFF) { ++ /* P2A works, grab silicon revision */ ++ ast->config_mode = ast_use_p2a; ++ ++ DRM_INFO("Using P2A bridge for configuration\n"); ++ ++ /* Read SCU7c (silicon revision register) */ ++ ast_write32(ast, 0xf004, 0x1e6e0000); ++ ast_write32(ast, 0xf000, 0x1); ++ *scu_rev = ast_read32(ast, 0x1207c); ++ return; ++ } ++ } ++ ++ /* We have a P2A bridge but it's disabled */ ++ DRM_INFO("P2A bridge disabled, using default configuration\n"); ++} + + static int ast_detect_chip(struct drm_device *dev, bool *need_post) + { + struct ast_private *ast = dev->dev_private; +- uint32_t data, jreg; ++ uint32_t jreg, scu_rev; ++ ++ /* ++ * If VGA isn't enabled, we need to enable now or subsequent ++ * access to the scratch registers will fail. We also inform ++ * our caller that it needs to POST the chip ++ * (Assumption: VGA not enabled -> need to POST) ++ */ ++ if (!ast_is_vga_enabled(dev)) { ++ ast_enable_vga(dev); ++ DRM_INFO("VGA not enabled on entry, requesting chip POST\n"); ++ *need_post = true; ++ } else ++ *need_post = false; ++ ++ ++ /* Enable extended register access */ ++ ast_enable_mmio(dev); + ast_open_key(ast); + ++ /* Find out whether P2A works or whether to use device-tree */ ++ ast_detect_config_mode(dev, &scu_rev); ++ ++ /* Identify chipset */ + if (dev->pdev->device == PCI_CHIP_AST1180) { + ast->chip = AST1100; + DRM_INFO("AST 1180 detected\n"); +@@ -80,12 +151,7 @@ static int ast_detect_chip(struct drm_device *dev, bool *need_post) + ast->chip = AST2300; + DRM_INFO("AST 2300 detected\n"); + } else if (dev->pdev->revision >= 0x10) { +- uint32_t data; +- ast_write32(ast, 0xf004, 0x1e6e0000); +- ast_write32(ast, 0xf000, 0x1); +- +- data = ast_read32(ast, 0x1207c); +- switch (data & 0x0300) { ++ switch (scu_rev & 0x0300) { + case 0x0200: + ast->chip = AST1100; + DRM_INFO("AST 1100 detected\n"); +@@ -110,26 +176,6 @@ static int ast_detect_chip(struct drm_device *dev, bool *need_post) + } + } + +- /* +- * If VGA isn't enabled, we need to enable now or subsequent +- * access to the scratch registers will fail. We also inform +- * our caller that it needs to POST the chip +- * (Assumption: VGA not enabled -> need to POST) +- */ +- if (!ast_is_vga_enabled(dev)) { +- ast_enable_vga(dev); +- ast_enable_mmio(dev); +- DRM_INFO("VGA not enabled on entry, requesting chip POST\n"); +- *need_post = true; +- } else +- *need_post = false; +- +- /* Check P2A Access */ +- ast->DisableP2A = true; +- data = ast_read32(ast, 0xf004); +- if (data != 0xFFFFFFFF) +- ast->DisableP2A = false; +- + /* Check if we support wide screen */ + switch (ast->chip) { + case AST1180: +@@ -146,17 +192,12 @@ static int ast_detect_chip(struct drm_device *dev, bool *need_post) + ast->support_wide_screen = true; + else { + ast->support_wide_screen = false; +- if (ast->DisableP2A == false) { +- /* Read SCU7c (silicon revision register) */ +- ast_write32(ast, 0xf004, 0x1e6e0000); +- ast_write32(ast, 0xf000, 0x1); +- data = ast_read32(ast, 0x1207c); +- data &= 0x300; +- if (ast->chip == AST2300 && data == 0x0) /* ast1300 */ +- ast->support_wide_screen = true; +- if (ast->chip == AST2400 && data == 0x100) /* ast1400 */ +- ast->support_wide_screen = true; +- } ++ if (ast->chip == AST2300 && ++ (scu_rev & 0x300) == 0x0) /* ast1300 */ ++ ast->support_wide_screen = true; ++ if (ast->chip == AST2400 && ++ (scu_rev & 0x300) == 0x100) /* ast1400 */ ++ ast->support_wide_screen = true; + } + break; + } +@@ -220,85 +261,102 @@ static int ast_detect_chip(struct drm_device *dev, bool *need_post) + + static int ast_get_dram_info(struct drm_device *dev) + { ++ struct device_node *np = dev->pdev->dev.of_node; + struct ast_private *ast = dev->dev_private; +- uint32_t data, data2; +- uint32_t denum, num, div, ref_pll; ++ uint32_t mcr_cfg, mcr_scu_mpll, mcr_scu_strap; ++ uint32_t denum, num, div, ref_pll, dsel; + +- if (ast->DisableP2A) +- { ++ switch (ast->config_mode) { ++ case ast_use_dt: ++ /* ++ * If some properties are missing, use reasonable ++ * defaults for AST2400 ++ */ ++ if (of_property_read_u32(np, "aspeed,mcr-configuration", ++ &mcr_cfg)) ++ mcr_cfg = 0x00000577; ++ if (of_property_read_u32(np, "aspeed,mcr-scu-mpll", ++ &mcr_scu_mpll)) ++ mcr_scu_mpll = 0x000050C0; ++ if (of_property_read_u32(np, "aspeed,mcr-scu-strap", ++ &mcr_scu_strap)) ++ mcr_scu_strap = 0; ++ break; ++ case ast_use_p2a: ++ ast_write32(ast, 0xf004, 0x1e6e0000); ++ ast_write32(ast, 0xf000, 0x1); ++ mcr_cfg = ast_read32(ast, 0x10004); ++ mcr_scu_mpll = ast_read32(ast, 0x10120); ++ mcr_scu_strap = ast_read32(ast, 0x10170); ++ break; ++ case ast_use_defaults: ++ default: + ast->dram_bus_width = 16; + ast->dram_type = AST_DRAM_1Gx16; + ast->mclk = 396; ++ return 0; + } +- else +- { +- ast_write32(ast, 0xf004, 0x1e6e0000); +- ast_write32(ast, 0xf000, 0x1); +- data = ast_read32(ast, 0x10004); +- +- if (data & 0x40) +- ast->dram_bus_width = 16; +- else +- ast->dram_bus_width = 32; + +- if (ast->chip == AST2300 || ast->chip == AST2400) { +- switch (data & 0x03) { +- case 0: +- ast->dram_type = AST_DRAM_512Mx16; +- break; +- default: +- case 1: +- ast->dram_type = AST_DRAM_1Gx16; +- break; +- case 2: +- ast->dram_type = AST_DRAM_2Gx16; +- break; +- case 3: +- ast->dram_type = AST_DRAM_4Gx16; +- break; +- } +- } else { +- switch (data & 0x0c) { +- case 0: +- case 4: +- ast->dram_type = AST_DRAM_512Mx16; +- break; +- case 8: +- if (data & 0x40) +- ast->dram_type = AST_DRAM_1Gx16; +- else +- ast->dram_type = AST_DRAM_512Mx32; +- break; +- case 0xc: +- ast->dram_type = AST_DRAM_1Gx32; +- break; +- } +- } ++ if (mcr_cfg & 0x40) ++ ast->dram_bus_width = 16; ++ else ++ ast->dram_bus_width = 32; + +- data = ast_read32(ast, 0x10120); +- data2 = ast_read32(ast, 0x10170); +- if (data2 & 0x2000) +- ref_pll = 14318; +- else +- ref_pll = 12000; +- +- denum = data & 0x1f; +- num = (data & 0x3fe0) >> 5; +- data = (data & 0xc000) >> 14; +- switch (data) { +- case 3: +- div = 0x4; ++ if (ast->chip == AST2300 || ast->chip == AST2400) { ++ switch (mcr_cfg & 0x03) { ++ case 0: ++ ast->dram_type = AST_DRAM_512Mx16; + break; +- case 2: ++ default: + case 1: +- div = 0x2; ++ ast->dram_type = AST_DRAM_1Gx16; + break; +- default: +- div = 0x1; ++ case 2: ++ ast->dram_type = AST_DRAM_2Gx16; ++ break; ++ case 3: ++ ast->dram_type = AST_DRAM_4Gx16; ++ break; ++ } ++ } else { ++ switch (mcr_cfg & 0x0c) { ++ case 0: ++ case 4: ++ ast->dram_type = AST_DRAM_512Mx16; ++ break; ++ case 8: ++ if (mcr_cfg & 0x40) ++ ast->dram_type = AST_DRAM_1Gx16; ++ else ++ ast->dram_type = AST_DRAM_512Mx32; ++ break; ++ case 0xc: ++ ast->dram_type = AST_DRAM_1Gx32; + break; + } +- ast->mclk = ref_pll * (num + 2) / (denum + 2) * (div * 1000); + } ++ ++ if (mcr_scu_strap & 0x2000) ++ ref_pll = 14318; ++ else ++ ref_pll = 12000; ++ ++ denum = mcr_scu_mpll & 0x1f; ++ num = (mcr_scu_mpll & 0x3fe0) >> 5; ++ dsel = (mcr_scu_mpll & 0xc000) >> 14; ++ switch (dsel) { ++ case 3: ++ div = 0x4; ++ break; ++ case 2: ++ case 1: ++ div = 0x2; ++ break; ++ default: ++ div = 0x1; ++ break; ++ } ++ ast->mclk = ref_pll * (num + 2) / (denum + 2) * (div * 1000); + return 0; + } + +diff --git a/drivers/gpu/drm/ast/ast_post.c b/drivers/gpu/drm/ast/ast_post.c +index 270e8fb2803f..c7c58becb25d 100644 +--- a/drivers/gpu/drm/ast/ast_post.c ++++ b/drivers/gpu/drm/ast/ast_post.c +@@ -375,17 +375,14 @@ void ast_post_gpu(struct drm_device *dev) + ast_enable_mmio(dev); + ast_set_def_ext_reg(dev); + +- if (ast->DisableP2A == false) +- { ++ if (ast->config_mode == ast_use_p2a) { + if (ast->chip == AST2300 || ast->chip == AST2400) + ast_init_dram_2300(dev); + else + ast_init_dram_reg(dev); + + ast_init_3rdtx(dev); +- } +- else +- { ++ } else { + if (ast->tx_chip_type != AST_TX_NONE) + ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xa3, 0xcf, 0x80); /* Enable DVO */ + } +diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c +index a9b01bcf7d0a..fcecaf5b5526 100644 +--- a/drivers/gpu/drm/radeon/radeon_combios.c ++++ b/drivers/gpu/drm/radeon/radeon_combios.c +@@ -3394,6 +3394,13 @@ void radeon_combios_asic_init(struct drm_device *dev) + rdev->pdev->subsystem_vendor == 0x103c && + rdev->pdev->subsystem_device == 0x280a) + return; ++ /* quirk for rs4xx Toshiba Sattellite L20-183 latop to make it resume ++ * - it hangs on resume inside the dynclk 1 table. ++ */ ++ if (rdev->family == CHIP_RS400 && ++ rdev->pdev->subsystem_vendor == 0x1179 && ++ rdev->pdev->subsystem_device == 0xff31) ++ return; + + /* DYN CLK 1 */ + table = combios_get_table_offset(dev, COMBIOS_DYN_CLK_1_TABLE); +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 83b3eb2e444a..3c74c60fb8ea 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -127,6 +127,10 @@ static struct radeon_px_quirk radeon_px_quirk_list[] = { + * https://bugzilla.kernel.org/show_bug.cgi?id=51381 + */ + { PCI_VENDOR_ID_ATI, 0x6840, 0x1043, 0x2122, RADEON_PX_QUIRK_DISABLE_PX }, ++ /* Asus K53TK laptop with AMD A6-3420M APU and Radeon 7670m GPU ++ * https://bugs.freedesktop.org/show_bug.cgi?id=101491 ++ */ ++ { PCI_VENDOR_ID_ATI, 0x6741, 0x1043, 0x2122, RADEON_PX_QUIRK_DISABLE_PX }, + /* macbook pro 8.2 */ + { PCI_VENDOR_ID_ATI, 0x6741, PCI_VENDOR_ID_APPLE, 0x00e2, RADEON_PX_QUIRK_LONG_WAKEUP }, + { 0, 0, 0, 0, 0 }, +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +index 21e9b7f8dad0..c3b8ebac18c2 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -317,6 +317,7 @@ void vmw_cmdbuf_res_man_destroy(struct vmw_cmdbuf_res_manager *man) + list_for_each_entry_safe(entry, next, &man->list, head) + vmw_cmdbuf_res_free(man, entry); + ++ drm_ht_remove(&man->resources); + kfree(man); + } + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index bf039dbaa7eb..07a963039b60 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1228,6 +1228,7 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, + /* Ignore report if ErrorRollOver */ + if (!(field->flags & HID_MAIN_ITEM_VARIABLE) && + value[n] >= min && value[n] <= max && ++ value[n] - min < field->maxusage && + field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1) + goto exit; + } +@@ -1240,11 +1241,13 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, + } + + if (field->value[n] >= min && field->value[n] <= max ++ && field->value[n] - min < field->maxusage + && field->usage[field->value[n] - min].hid + && search(value, field->value[n], count)) + hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt); + + if (value[n] >= min && value[n] <= max ++ && value[n] - min < field->maxusage + && field->usage[value[n] - min].hid + && search(field->value, value[n], count)) + hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt); +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index c4c9d9523694..1ec738292a1a 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -362,6 +362,15 @@ static int i2c_hid_hwreset(struct i2c_client *client) + if (ret) + return ret; + ++ /* ++ * The HID over I2C specification states that if a DEVICE needs time ++ * after the PWR_ON request, it should utilise CLOCK stretching. ++ * However, it has been observered that the Windows driver provides a ++ * 1ms sleep between the PWR_ON and RESET requests and that some devices ++ * rely on this. ++ */ ++ usleep_range(1000, 5000); ++ + i2c_hid_dbg(ihid, "resetting...\n"); + + ret = i2c_hid_command(client, &hid_reset_cmd, NULL, 0); +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 785570272505..1f40cdc1b357 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -698,6 +698,13 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"), + }, + }, ++ { ++ /* Fujitsu UH554 laptop */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK UH544"), ++ }, ++ }, + { } + }; + +diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c +index 45087c3e5c57..d29c499375cb 100644 +--- a/drivers/iommu/amd_iommu_v2.c ++++ b/drivers/iommu/amd_iommu_v2.c +@@ -675,9 +675,9 @@ out_clear_state: + + out_unregister: + mmu_notifier_unregister(&pasid_state->mn, mm); ++ mmput(mm); + + out_free: +- mmput(mm); + free_pasid_state(pasid_state); + + out: +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index b85a8614c128..275f59071f56 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -965,7 +965,7 @@ static void dma_pte_free_level(struct dmar_domain *domain, int level, + if (!dma_pte_present(pte) || dma_pte_superpage(pte)) + goto next; + +- level_pfn = pfn & level_mask(level - 1); ++ level_pfn = pfn & level_mask(level); + level_pte = phys_to_virt(dma_pte_addr(pte)); + + if (level > 2) +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index f1b15a0b3774..9976c37b9c64 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -612,6 +612,9 @@ static int gic_set_affinity(struct irq_data *d, const struct cpumask *mask_val, + int enabled; + u64 val; + ++ if (cpu >= nr_cpu_ids) ++ return -EINVAL; ++ + if (gic_irq_in_rdist(d)) + return -EINVAL; + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 7453c3ed4b8f..1fdcd5735418 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -1852,7 +1852,7 @@ super_1_rdev_size_change(struct md_rdev *rdev, sector_t num_sectors) + } + sb = page_address(rdev->sb_page); + sb->data_size = cpu_to_le64(num_sectors); +- sb->super_offset = rdev->sb_start; ++ sb->super_offset = cpu_to_le64(rdev->sb_start); + sb->sb_csum = calc_sb_1_csum(sb); + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, + rdev->sb_page); +diff --git a/drivers/media/pci/saa7134/saa7134-i2c.c b/drivers/media/pci/saa7134/saa7134-i2c.c +index f4da674e7f26..ae651007ee0f 100644 +--- a/drivers/media/pci/saa7134/saa7134-i2c.c ++++ b/drivers/media/pci/saa7134/saa7134-i2c.c +@@ -350,12 +350,43 @@ static struct i2c_client saa7134_client_template = { + + /* ----------------------------------------------------------- */ + ++/* On Medion 7134 reading EEPROM needs DVB-T demod i2c gate open */ ++static void saa7134_i2c_eeprom_md7134_gate(struct saa7134_dev *dev) ++{ ++ u8 subaddr = 0x7, dmdregval; ++ u8 data[2]; ++ int ret; ++ struct i2c_msg i2cgatemsg_r[] = { {.addr = 0x08, .flags = 0, ++ .buf = &subaddr, .len = 1}, ++ {.addr = 0x08, ++ .flags = I2C_M_RD, ++ .buf = &dmdregval, .len = 1} ++ }; ++ struct i2c_msg i2cgatemsg_w[] = { {.addr = 0x08, .flags = 0, ++ .buf = data, .len = 2} }; ++ ++ ret = i2c_transfer(&dev->i2c_adap, i2cgatemsg_r, 2); ++ if ((ret == 2) && (dmdregval & 0x2)) { ++ pr_debug("%s: DVB-T demod i2c gate was left closed\n", ++ dev->name); ++ ++ data[0] = subaddr; ++ data[1] = (dmdregval & ~0x2); ++ if (i2c_transfer(&dev->i2c_adap, i2cgatemsg_w, 1) != 1) ++ pr_err("%s: EEPROM i2c gate open failure\n", ++ dev->name); ++ } ++} ++ + static int + saa7134_i2c_eeprom(struct saa7134_dev *dev, unsigned char *eedata, int len) + { + unsigned char buf; + int i,err; + ++ if (dev->board == SAA7134_BOARD_MD7134) ++ saa7134_i2c_eeprom_md7134_gate(dev); ++ + dev->i2c_client.addr = 0xa0 >> 1; + buf = 0; + if (1 != (err = i2c_master_send(&dev->i2c_client,&buf,1))) { +diff --git a/drivers/mtd/bcm47xxpart.c b/drivers/mtd/bcm47xxpart.c +index 5abab8800891..9190057535e6 100644 +--- a/drivers/mtd/bcm47xxpart.c ++++ b/drivers/mtd/bcm47xxpart.c +@@ -66,11 +66,13 @@ static const char *bcm47xxpart_trx_data_part_name(struct mtd_info *master, + { + uint32_t buf; + size_t bytes_read; ++ int err; + +- if (mtd_read(master, offset, sizeof(buf), &bytes_read, +- (uint8_t *)&buf) < 0) { +- pr_err("mtd_read error while parsing (offset: 0x%X)!\n", +- offset); ++ err = mtd_read(master, offset, sizeof(buf), &bytes_read, ++ (uint8_t *)&buf); ++ if (err && !mtd_is_bitflip(err)) { ++ pr_err("mtd_read error while parsing (offset: 0x%X): %d\n", ++ offset, err); + goto out_default; + } + +@@ -95,6 +97,7 @@ static int bcm47xxpart_parse(struct mtd_info *master, + int trx_part = -1; + int last_trx_part = -1; + int possible_nvram_sizes[] = { 0x8000, 0xF000, 0x10000, }; ++ int err; + + /* + * Some really old flashes (like AT45DB*) had smaller erasesize-s, but +@@ -118,8 +121,8 @@ static int bcm47xxpart_parse(struct mtd_info *master, + /* Parse block by block looking for magics */ + for (offset = 0; offset <= master->size - blocksize; + offset += blocksize) { +- /* Nothing more in higher memory */ +- if (offset >= 0x2000000) ++ /* Nothing more in higher memory on BCM47XX (MIPS) */ ++ if (config_enabled(CONFIG_BCM47XX) && offset >= 0x2000000) + break; + + if (curr_part >= BCM47XXPART_MAX_PARTS) { +@@ -128,10 +131,11 @@ static int bcm47xxpart_parse(struct mtd_info *master, + } + + /* Read beginning of the block */ +- if (mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ, +- &bytes_read, (uint8_t *)buf) < 0) { +- pr_err("mtd_read error while parsing (offset: 0x%X)!\n", +- offset); ++ err = mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ, ++ &bytes_read, (uint8_t *)buf); ++ if (err && !mtd_is_bitflip(err)) { ++ pr_err("mtd_read error while parsing (offset: 0x%X): %d\n", ++ offset, err); + continue; + } + +@@ -252,10 +256,11 @@ static int bcm47xxpart_parse(struct mtd_info *master, + } + + /* Read middle of the block */ +- if (mtd_read(master, offset + 0x8000, 0x4, +- &bytes_read, (uint8_t *)buf) < 0) { +- pr_err("mtd_read error while parsing (offset: 0x%X)!\n", +- offset); ++ err = mtd_read(master, offset + 0x8000, 0x4, &bytes_read, ++ (uint8_t *)buf); ++ if (err && !mtd_is_bitflip(err)) { ++ pr_err("mtd_read error while parsing (offset: 0x%X): %d\n", ++ offset, err); + continue; + } + +@@ -275,10 +280,11 @@ static int bcm47xxpart_parse(struct mtd_info *master, + } + + offset = master->size - possible_nvram_sizes[i]; +- if (mtd_read(master, offset, 0x4, &bytes_read, +- (uint8_t *)buf) < 0) { +- pr_err("mtd_read error while reading at offset 0x%X!\n", +- offset); ++ err = mtd_read(master, offset, 0x4, &bytes_read, ++ (uint8_t *)buf); ++ if (err && !mtd_is_bitflip(err)) { ++ pr_err("mtd_read error while reading (offset 0x%X): %d\n", ++ offset, err); + continue; + } + +diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c +index 14a5d2325dac..ac2d68d6d446 100644 +--- a/drivers/mtd/spi-nor/spi-nor.c ++++ b/drivers/mtd/spi-nor/spi-nor.c +@@ -900,6 +900,13 @@ static int spansion_quad_enable(struct spi_nor *nor) + return -EINVAL; + } + ++ ret = spi_nor_wait_till_ready(nor); ++ if (ret) { ++ dev_err(nor->dev, ++ "timeout while writing configuration register\n"); ++ return ret; ++ } ++ + /* read back and check it */ + ret = read_cr(nor); + if (!(ret > 0 && (ret & CR_QUAD_EN_SPAN))) { +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index 21d9497518fd..8b3c60b1f486 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -2779,8 +2779,10 @@ static int xgbe_init(struct xgbe_prv_data *pdata) + + /* Flush Tx queues */ + ret = xgbe_flush_tx_queues(pdata); +- if (ret) ++ if (ret) { ++ netdev_err(pdata->netdev, "error flushing TX queues\n"); + return ret; ++ } + + /* + * Initialize DMA related features +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 9fd6c69a8bac..eea5b58496a3 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -951,7 +951,9 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + DBGPR("-->xgbe_start\n"); + +- hw_if->init(pdata); ++ ret = hw_if->init(pdata); ++ if (ret) ++ return ret; + + phy_start(pdata->phydev); + +diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c +index 21e3c38c7c75..6f0aad85c524 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -255,15 +255,16 @@ static void bgmac_dma_tx_free(struct bgmac *bgmac, struct bgmac_dma_ring *ring) + while (ring->start != ring->end) { + int slot_idx = ring->start % BGMAC_TX_RING_SLOTS; + struct bgmac_slot_info *slot = &ring->slots[slot_idx]; +- u32 ctl1; ++ u32 ctl0, ctl1; + int len; + + if (slot_idx == empty_slot) + break; + ++ ctl0 = le32_to_cpu(ring->cpu_base[slot_idx].ctl0); + ctl1 = le32_to_cpu(ring->cpu_base[slot_idx].ctl1); + len = ctl1 & BGMAC_DESC_CTL1_LEN; +- if (ctl1 & BGMAC_DESC_CTL0_SOF) ++ if (ctl0 & BGMAC_DESC_CTL0_SOF) + /* Unmap no longer used buffer */ + dma_unmap_single(dma_dev, slot->dma_addr, len, + DMA_TO_DEVICE); +@@ -466,6 +467,11 @@ static int bgmac_dma_rx_read(struct bgmac *bgmac, struct bgmac_dma_ring *ring, + len -= ETH_FCS_LEN; + + skb = build_skb(buf, BGMAC_RX_ALLOC_SIZE); ++ if (unlikely(!skb)) { ++ bgmac_err(bgmac, "build_skb failed\n"); ++ put_page(virt_to_head_page(buf)); ++ break; ++ } + skb_put(skb, BGMAC_RX_FRAME_OFFSET + + BGMAC_RX_BUF_OFFSET + len); + skb_pull(skb, BGMAC_RX_FRAME_OFFSET + +@@ -1299,7 +1305,8 @@ static int bgmac_open(struct net_device *net_dev) + + phy_start(bgmac->phy_dev); + +- netif_carrier_on(net_dev); ++ netif_start_queue(net_dev); ++ + return 0; + } + +@@ -1564,6 +1571,11 @@ static int bgmac_probe(struct bcma_device *core) + dev_warn(&core->dev, "Using random MAC: %pM\n", mac); + } + ++ /* This (reset &) enable is not preset in specs or reference driver but ++ * Broadcom does it in arch PCI code when enabling fake PCI device. ++ */ ++ bcma_core_enable(core, 0); ++ + /* Allocation and references */ + net_dev = alloc_etherdev(sizeof(*bgmac)); + if (!net_dev) +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index c5e1d0ac75f9..8f3ef77902b9 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -1017,7 +1017,7 @@ int be_cmd_pmac_add(struct be_adapter *adapter, u8 *mac_addr, + err: + spin_unlock_bh(&adapter->mcc_lock); + +- if (status == MCC_STATUS_UNAUTHORIZED_REQUEST) ++ if (base_status(status) == MCC_STATUS_UNAUTHORIZED_REQUEST) + status = -EPERM; + + return status; +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index d74f5f4e5782..07eabf72c480 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -900,10 +900,10 @@ static void korina_restart_task(struct work_struct *work) + DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR, + &lp->rx_dma_regs->dmasm); + +- korina_free_ring(dev); +- + napi_disable(&lp->napi); + ++ korina_free_ring(dev); ++ + if (korina_init(dev) < 0) { + printk(KERN_ERR "%s: cannot restart device\n", dev->name); + return; +@@ -1064,12 +1064,12 @@ static int korina_close(struct net_device *dev) + tmp = tmp | DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR; + writel(tmp, &lp->rx_dma_regs->dmasm); + +- korina_free_ring(dev); +- + napi_disable(&lp->napi); + + cancel_work_sync(&lp->restart_task); + ++ korina_free_ring(dev); ++ + free_irq(lp->rx_irq, dev); + free_irq(lp->tx_irq, dev); + free_irq(lp->ovr_irq, dev); +diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c +index 337811d208bd..fdc129151b18 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -514,8 +514,9 @@ static int mlx4_eq_int(struct mlx4_dev *dev, struct mlx4_eq *eq) + break; + + case MLX4_EVENT_TYPE_SRQ_LIMIT: +- mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT\n", +- __func__); ++ mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT. srq_no=0x%x, eq 0x%x\n", ++ __func__, be32_to_cpu(eqe->event.srq.srqn), ++ eq->eqn); + case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR: + if (mlx4_is_master(dev)) { + /* forward only to slave owning the SRQ */ +@@ -530,15 +531,19 @@ static int mlx4_eq_int(struct mlx4_dev *dev, struct mlx4_eq *eq) + eq->eqn, eq->cons_index, ret); + break; + } +- mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n", +- __func__, slave, +- be32_to_cpu(eqe->event.srq.srqn), +- eqe->type, eqe->subtype); ++ if (eqe->type == ++ MLX4_EVENT_TYPE_SRQ_CATAS_ERROR) ++ mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n", ++ __func__, slave, ++ be32_to_cpu(eqe->event.srq.srqn), ++ eqe->type, eqe->subtype); + + if (!ret && slave != dev->caps.function) { +- mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n", +- __func__, eqe->type, +- eqe->subtype, slave); ++ if (eqe->type == ++ MLX4_EVENT_TYPE_SRQ_CATAS_ERROR) ++ mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n", ++ __func__, eqe->type, ++ eqe->subtype, slave); + mlx4_slave_event(dev, slave, eqe); + break; + } +diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c +index c56cf0b86f2c..09e3e0d8412e 100644 +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -895,7 +895,7 @@ static void decode_txts(struct dp83640_private *dp83640, + if (overflow) { + pr_debug("tx timestamp queue overflow, count %d\n", overflow); + while (skb) { +- skb_complete_tx_timestamp(skb, NULL); ++ kfree_skb(skb); + skb = skb_dequeue(&dp83640->tx_queue); + } + return; +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index ef36e8c70b4d..64ca961bca18 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -47,8 +47,16 @@ module_param(gso, bool, 0444); + */ + #define RECEIVE_AVG_WEIGHT 64 + ++/* With mergeable buffers we align buffer address and use the low bits to ++ * encode its true size. Buffer size is up to 1 page so we need to align to ++ * square root of page size to ensure we reserve enough bits to encode the true ++ * size. ++ */ ++#define MERGEABLE_BUFFER_MIN_ALIGN_SHIFT ((PAGE_SHIFT + 1) / 2) ++ + /* Minimum alignment for mergeable packet buffers. */ +-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256) ++#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, \ ++ 1 << MERGEABLE_BUFFER_MIN_ALIGN_SHIFT) + + #define VIRTNET_DRIVER_VERSION "1.0.0" + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index d9e873c3a273..422a9379a644 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2136,7 +2136,7 @@ static void vxlan_cleanup(unsigned long arg) + = container_of(p, struct vxlan_fdb, hlist); + unsigned long timeout; + +- if (f->state & NUD_PERMANENT) ++ if (f->state & (NUD_PERMANENT | NUD_NOARP)) + continue; + + timeout = f->used + vxlan->age_interval * HZ; +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +index 8a15ebbce4a3..c304b66af5c6 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +@@ -4384,6 +4384,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, + cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, + GFP_KERNEL); + } else if (ieee80211_is_action(mgmt->frame_control)) { ++ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) { ++ brcmf_err("invalid action frame length\n"); ++ err = -EINVAL; ++ goto exit; ++ } + af_params = kzalloc(sizeof(*af_params), GFP_KERNEL); + if (af_params == NULL) { + brcmf_err("unable to allocate frame\n"); +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index eafaeb01aa3e..cdbad7d72afa 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2538,7 +2538,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info, + + tasklet_hrtimer_init(&data->beacon_timer, + mac80211_hwsim_beacon, +- CLOCK_MONOTONIC_RAW, HRTIMER_MODE_ABS); ++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS); + + spin_lock_bh(&hwsim_radio_lock); + list_add_tail(&data->list, &hwsim_radios); +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index ea1be52f5515..8a38a5bd34b8 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -305,7 +305,7 @@ static void xennet_alloc_rx_buffers(struct netfront_queue *queue) + queue->rx_skbs[id] = skb; + + ref = gnttab_claim_grant_reference(&queue->gref_rx_head); +- BUG_ON((signed short)ref < 0); ++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)(int)ref)); + queue->grant_rx_ref[id] = ref; + + pfn = page_to_pfn(skb_frag_page(&skb_shinfo(skb)->frags[0])); +@@ -323,7 +323,7 @@ static void xennet_alloc_rx_buffers(struct netfront_queue *queue) + queue->rx.req_prod_pvt = req_prod; + + /* Not enough requests? Try again later. */ +- if (req_prod - queue->rx.rsp_cons < NET_RX_SLOTS_MIN) { ++ if (req_prod - queue->rx.sring->req_prod < NET_RX_SLOTS_MIN) { + mod_timer(&queue->rx_refill_timer, jiffies + (HZ/10)); + return; + } +@@ -429,7 +429,7 @@ static struct xen_netif_tx_request *xennet_make_one_txreq( + id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs); + tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++); + ref = gnttab_claim_grant_reference(&queue->gref_tx_head); +- BUG_ON((signed short)ref < 0); ++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)(int)ref)); + + gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id, + page_to_mfn(page), GNTMAP_readonly); +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 63ea1e5b1c95..bf89754fe973 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -618,9 +618,12 @@ int __init of_scan_flat_dt(int (*it)(unsigned long node, + const char *pathp; + int offset, rc = 0, depth = -1; + +- for (offset = fdt_next_node(blob, -1, &depth); +- offset >= 0 && depth >= 0 && !rc; +- offset = fdt_next_node(blob, offset, &depth)) { ++ if (!blob) ++ return 0; ++ ++ for (offset = fdt_next_node(blob, -1, &depth); ++ offset >= 0 && depth >= 0 && !rc; ++ offset = fdt_next_node(blob, offset, &depth)) { + + pathp = fdt_get_name(blob, offset, NULL); + if (*pathp == '/') +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index 02ff84fcfa61..635e7c3a24ad 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -743,6 +743,8 @@ ccio_map_single(struct device *dev, void *addr, size_t size, + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) ++ return DMA_ERROR_CODE; + + BUG_ON(size <= 0); + +@@ -807,6 +809,10 @@ ccio_unmap_single(struct device *dev, dma_addr_t iova, size_t size, + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + + DBG_RUN("%s() iovp 0x%lx/%x\n", + __func__, (long)iova, size); +@@ -910,6 +916,8 @@ ccio_map_sg(struct device *dev, struct scatterlist *sglist, int nents, + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) ++ return 0; + + DBG_RUN_SG("%s() START %d entries\n", __func__, nents); + +@@ -982,6 +990,10 @@ ccio_unmap_sg(struct device *dev, struct scatterlist *sglist, int nents, + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + + DBG_RUN_SG("%s() START %d entries, %p,%x\n", + __func__, nents, sg_virt(sglist), sglist->length); +diff --git a/drivers/parisc/dino.c b/drivers/parisc/dino.c +index a0580afe1713..7b0ca1551d7b 100644 +--- a/drivers/parisc/dino.c ++++ b/drivers/parisc/dino.c +@@ -154,7 +154,10 @@ struct dino_device + }; + + /* Looks nice and keeps the compiler happy */ +-#define DINO_DEV(d) ((struct dino_device *) d) ++#define DINO_DEV(d) ({ \ ++ void *__pdata = d; \ ++ BUG_ON(!__pdata); \ ++ (struct dino_device *)__pdata; }) + + + /* +diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c +index a32c1f6c252c..3901ff66d0ee 100644 +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -111,8 +111,10 @@ static u32 lba_t32; + + + /* Looks nice and keeps the compiler happy */ +-#define LBA_DEV(d) ((struct lba_device *) (d)) +- ++#define LBA_DEV(d) ({ \ ++ void *__pdata = d; \ ++ BUG_ON(!__pdata); \ ++ (struct lba_device *)__pdata; }) + + /* + ** Only allow 8 subsidiary busses per LBA +diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c +index f1441e466c06..d3243071509a 100644 +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -691,6 +691,8 @@ static int sba_dma_supported( struct device *dev, u64 mask) + return 0; + + ioc = GET_IOC(dev); ++ if (!ioc) ++ return 0; + + /* + * check if mask is >= than the current max IO Virt Address +@@ -722,6 +724,8 @@ sba_map_single(struct device *dev, void *addr, size_t size, + int pide; + + ioc = GET_IOC(dev); ++ if (!ioc) ++ return DMA_ERROR_CODE; + + /* save offset bits */ + offset = ((dma_addr_t) (long) addr) & ~IOVP_MASK; +@@ -803,6 +807,10 @@ sba_unmap_single(struct device *dev, dma_addr_t iova, size_t size, + DBG_RUN("%s() iovp 0x%lx/%x\n", __func__, (long) iova, size); + + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + offset = iova & ~IOVP_MASK; + iova ^= offset; /* clear offset bits */ + size += offset; +@@ -942,6 +950,8 @@ sba_map_sg(struct device *dev, struct scatterlist *sglist, int nents, + DBG_RUN_SG("%s() START %d entries\n", __func__, nents); + + ioc = GET_IOC(dev); ++ if (!ioc) ++ return 0; + + /* Fast path single entry scatterlists. */ + if (nents == 1) { +@@ -1027,6 +1037,10 @@ sba_unmap_sg(struct device *dev, struct scatterlist *sglist, int nents, + __func__, nents, sg_virt(sglist), sglist->length); + + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + + #ifdef SBA_COLLECT_STATS + ioc->usg_calls++; +diff --git a/drivers/pinctrl/freescale/pinctrl-mxs.c b/drivers/pinctrl/freescale/pinctrl-mxs.c +index 646d5c244af1..496075928af9 100644 +--- a/drivers/pinctrl/freescale/pinctrl-mxs.c ++++ b/drivers/pinctrl/freescale/pinctrl-mxs.c +@@ -195,6 +195,16 @@ static int mxs_pinctrl_get_func_groups(struct pinctrl_dev *pctldev, + return 0; + } + ++static void mxs_pinctrl_rmwl(u32 value, u32 mask, u8 shift, void __iomem *reg) ++{ ++ u32 tmp; ++ ++ tmp = readl(reg); ++ tmp &= ~(mask << shift); ++ tmp |= value << shift; ++ writel(tmp, reg); ++} ++ + static int mxs_pinctrl_set_mux(struct pinctrl_dev *pctldev, unsigned selector, + unsigned group) + { +@@ -212,8 +222,7 @@ static int mxs_pinctrl_set_mux(struct pinctrl_dev *pctldev, unsigned selector, + reg += bank * 0x20 + pin / 16 * 0x10; + shift = pin % 16 * 2; + +- writel(0x3 << shift, reg + CLR); +- writel(g->muxsel[i] << shift, reg + SET); ++ mxs_pinctrl_rmwl(g->muxsel[i], 0x3, shift, reg); + } + + return 0; +@@ -280,8 +289,7 @@ static int mxs_pinconf_group_set(struct pinctrl_dev *pctldev, + /* mA */ + if (config & MA_PRESENT) { + shift = pin % 8 * 4; +- writel(0x3 << shift, reg + CLR); +- writel(ma << shift, reg + SET); ++ mxs_pinctrl_rmwl(ma, 0x3, shift, reg); + } + + /* vol */ +diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c +index 9677807db364..b505b87661f8 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson8b.c ++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c +@@ -732,8 +732,8 @@ static const char * const sdxc_c_groups[] = { + static const char * const nand_groups[] = { + "nand_io", "nand_io_ce0", "nand_io_ce1", + "nand_io_rb0", "nand_ale", "nand_cle", +- "nand_wen_clk", "nand_ren_clk", "nand_dqs0", +- "nand_dqs1" ++ "nand_wen_clk", "nand_ren_clk", "nand_dqs_0", ++ "nand_dqs_1" + }; + + static const char * const nor_groups[] = { +diff --git a/drivers/pinctrl/sh-pfc/core.c b/drivers/pinctrl/sh-pfc/core.c +index 7b2c9495c383..a2b021958213 100644 +--- a/drivers/pinctrl/sh-pfc/core.c ++++ b/drivers/pinctrl/sh-pfc/core.c +@@ -529,6 +529,9 @@ static int sh_pfc_probe(struct platform_device *pdev) + ret = info->ops->init(pfc); + if (ret < 0) + return ret; ++ ++ /* .init() may have overridden pfc->info */ ++ info = pfc->info; + } + + pinctrl_provide_dummies(); +diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c +index 8cad6c165680..a100d58dbfd7 100644 +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -800,6 +800,7 @@ static void ideapad_acpi_notify(acpi_handle handle, u32 event, void *data) + case 11: + case 7: + case 6: ++ case 1: + ideapad_input_report(priv, vpc_bit); + break; + case 5: +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 851e8efe364e..0e5b3584e918 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -3600,12 +3600,14 @@ lpfc_els_free_iocb(struct lpfc_hba *phba, struct lpfc_iocbq *elsiocb) + } else { + buf_ptr1 = (struct lpfc_dmabuf *) elsiocb->context2; + lpfc_els_free_data(phba, buf_ptr1); ++ elsiocb->context2 = NULL; + } + } + + if (elsiocb->context3) { + buf_ptr = (struct lpfc_dmabuf *) elsiocb->context3; + lpfc_els_free_bpl(phba, buf_ptr); ++ elsiocb->context3 = NULL; + } + lpfc_sli_release_iocbq(phba, elsiocb); + return 0; +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 56f73682d4bd..edb1a4d648dd 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -5887,18 +5887,25 @@ lpfc_sli4_alloc_resource_identifiers(struct lpfc_hba *phba) + + free_vfi_bmask: + kfree(phba->sli4_hba.vfi_bmask); ++ phba->sli4_hba.vfi_bmask = NULL; + free_xri_ids: + kfree(phba->sli4_hba.xri_ids); ++ phba->sli4_hba.xri_ids = NULL; + free_xri_bmask: + kfree(phba->sli4_hba.xri_bmask); ++ phba->sli4_hba.xri_bmask = NULL; + free_vpi_ids: + kfree(phba->vpi_ids); ++ phba->vpi_ids = NULL; + free_vpi_bmask: + kfree(phba->vpi_bmask); ++ phba->vpi_bmask = NULL; + free_rpi_ids: + kfree(phba->sli4_hba.rpi_ids); ++ phba->sli4_hba.rpi_ids = NULL; + free_rpi_bmask: + kfree(phba->sli4_hba.rpi_bmask); ++ phba->sli4_hba.rpi_bmask = NULL; + err_exit: + return rc; + } +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 1f3991ba7580..b33762f1013f 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2434,6 +2434,10 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt) + if (pkt->entry_status & RF_BUSY) + res = DID_BUS_BUSY << 16; + ++ if (pkt->entry_type == NOTIFY_ACK_TYPE && ++ pkt->handle == QLA_TGT_SKIP_HANDLE) ++ return; ++ + sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + if (sp) { + sp->done(ha, sp, res); +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index df6193b48177..4de1394ebf22 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -2872,7 +2872,7 @@ static int __qlt_send_term_imm_notif(struct scsi_qla_host *vha, + + pkt->entry_type = NOTIFY_ACK_TYPE; + pkt->entry_count = 1; +- pkt->handle = QLA_TGT_SKIP_HANDLE | CTIO_COMPLETION_HANDLE_MARK; ++ pkt->handle = QLA_TGT_SKIP_HANDLE; + + nack = (struct nack_to_isp *)pkt; + nack->ox_id = ntfy->ox_id; +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 8a2cba63b5ff..80cebe691fee 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2454,7 +2454,8 @@ sd_read_cache_type(struct scsi_disk *sdkp, unsigned char *buffer) + if (sdp->broken_fua) { + sd_first_printk(KERN_NOTICE, sdkp, "Disabling FUA\n"); + sdkp->DPOFUA = 0; +- } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw) { ++ } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw && ++ !sdkp->device->use_16_for_rw) { + sd_first_printk(KERN_NOTICE, sdkp, + "Uses READ/WRITE(6), disabling FUA\n"); + sdkp->DPOFUA = 0; +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c +index f164f24a4a55..d836414c920d 100644 +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -531,7 +531,9 @@ static int virtscsi_queuecommand(struct virtio_scsi *vscsi, + { + struct Scsi_Host *shost = virtio_scsi_host(vscsi->vdev); + struct virtio_scsi_cmd *cmd = scsi_cmd_priv(sc); ++ unsigned long flags; + int req_size; ++ int ret; + + BUG_ON(scsi_sg_count(sc) > shost->sg_tablesize); + +@@ -556,8 +558,15 @@ static int virtscsi_queuecommand(struct virtio_scsi *vscsi, + req_size = sizeof(cmd->req.cmd); + } + +- if (virtscsi_kick_cmd(req_vq, cmd, req_size, sizeof(cmd->resp.cmd)) != 0) ++ ret = virtscsi_kick_cmd(req_vq, cmd, req_size, sizeof(cmd->resp.cmd)); ++ if (ret == -EIO) { ++ cmd->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET; ++ spin_lock_irqsave(&req_vq->vq_lock, flags); ++ virtscsi_complete_cmd(vscsi, cmd); ++ spin_unlock_irqrestore(&req_vq->vq_lock, flags); ++ } else if (ret != 0) { + return SCSI_MLQUEUE_HOST_BUSY; ++ } + return 0; + } + +diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c +index 5e991065f5b0..4e7110351e8c 100644 +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -655,7 +655,7 @@ static int davinci_spi_bufs(struct spi_device *spi, struct spi_transfer *t) + buf = t->rx_buf; + t->rx_dma = dma_map_single(&spi->dev, buf, + t->len, DMA_FROM_DEVICE); +- if (!t->rx_dma) { ++ if (dma_mapping_error(&spi->dev, !t->rx_dma)) { + ret = -EFAULT; + goto err_rx_map; + } +@@ -669,7 +669,7 @@ static int davinci_spi_bufs(struct spi_device *spi, struct spi_transfer *t) + buf = (void *)t->tx_buf; + t->tx_dma = dma_map_single(&spi->dev, buf, + t->len, DMA_TO_DEVICE); +- if (!t->tx_dma) { ++ if (dma_mapping_error(&spi->dev, t->tx_dma)) { + ret = -EFAULT; + goto err_tx_map; + } +diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c +index e78ddbe5a954..a503132f91e8 100644 +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2885,6 +2885,7 @@ static int __init comedi_init(void) + dev = comedi_alloc_board_minor(NULL); + if (IS_ERR(dev)) { + comedi_cleanup_board_minors(); ++ class_destroy(comedi_class); + cdev_del(&comedi_cdev); + unregister_chrdev_region(MKDEV(COMEDI_MAJOR, 0), + COMEDI_NUM_MINORS); +diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c +index f7bcefd46b5e..c50b304ce0b4 100644 +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -2120,7 +2120,7 @@ static int ni_ai_insn_read(struct comedi_device *dev, + return -ETIME; + } + d += signbits; +- data[n] = d; ++ data[n] = d & 0xffff; + } + } else if (devpriv->is_6143) { + for (n = 0; n < insn->n; n++) { +@@ -2163,8 +2163,8 @@ static int ni_ai_insn_read(struct comedi_device *dev, + data[n] = dl; + } else { + d = ni_readw(dev, ADC_FIFO_Data_Register); +- d += signbits; /* subtle: needs to be short addition */ +- data[n] = d; ++ d += signbits; ++ data[n] = d & 0xffff; + } + } + } +diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c +index 766fdcece074..4c6b479a34c2 100644 +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -534,6 +534,9 @@ static int vnt_start(struct ieee80211_hw *hw) + goto free_all; + } + ++ if (vnt_key_init_table(priv)) ++ goto free_all; ++ + priv->int_interval = 1; /* bInterval is set to 1 */ + + vnt_int_start_interrupt(priv); +diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h +index 68bd7f5d9f73..6d561e1170f4 100644 +--- a/drivers/target/target_core_internal.h ++++ b/drivers/target/target_core_internal.h +@@ -67,7 +67,7 @@ int init_se_kmem_caches(void); + void release_se_kmem_caches(void); + u32 scsi_get_new_index(scsi_index_t); + void transport_subsystem_check_init(void); +-void transport_cmd_finish_abort(struct se_cmd *, int); ++int transport_cmd_finish_abort(struct se_cmd *, int); + unsigned char *transport_dump_cmd_direction(struct se_cmd *); + void transport_dump_dev_state(struct se_device *, char *, int *); + void transport_dump_dev_info(struct se_device *, struct se_lun *, +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index eed7c5a31b15..44510bd74963 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -78,7 +78,7 @@ void core_tmr_release_req(struct se_tmr_req *tmr) + kfree(tmr); + } + +-static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas) ++static int core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas) + { + unsigned long flags; + bool remove = true, send_tas; +@@ -94,7 +94,7 @@ static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas) + transport_send_task_abort(cmd); + } + +- transport_cmd_finish_abort(cmd, remove); ++ return transport_cmd_finish_abort(cmd, remove); + } + + static int target_check_cdb_and_preempt(struct list_head *list, +@@ -190,8 +190,8 @@ void core_tmr_abort_task( + cancel_work_sync(&se_cmd->work); + transport_wait_for_tasks(se_cmd); + +- transport_cmd_finish_abort(se_cmd, true); +- target_put_sess_cmd(se_cmd); ++ if (!transport_cmd_finish_abort(se_cmd, true)) ++ target_put_sess_cmd(se_cmd); + + printk("ABORT_TASK: Sending TMR_FUNCTION_COMPLETE for" + " ref_tag: %d\n", ref_tag); +@@ -291,8 +291,8 @@ static void core_tmr_drain_tmr_list( + cancel_work_sync(&cmd->work); + transport_wait_for_tasks(cmd); + +- transport_cmd_finish_abort(cmd, 1); +- target_put_sess_cmd(cmd); ++ if (!transport_cmd_finish_abort(cmd, 1)) ++ target_put_sess_cmd(cmd); + } + } + +@@ -390,8 +390,8 @@ static void core_tmr_drain_state_list( + cancel_work_sync(&cmd->work); + transport_wait_for_tasks(cmd); + +- core_tmr_handle_tas_abort(cmd, tas); +- target_put_sess_cmd(cmd); ++ if (!core_tmr_handle_tas_abort(cmd, tas)) ++ target_put_sess_cmd(cmd); + } + } + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 1cf3c0819b81..95c1c4ecf336 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -644,9 +644,10 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd) + percpu_ref_put(&lun->lun_ref); + } + +-void transport_cmd_finish_abort(struct se_cmd *cmd, int remove) ++int transport_cmd_finish_abort(struct se_cmd *cmd, int remove) + { + bool ack_kref = (cmd->se_cmd_flags & SCF_ACK_KREF); ++ int ret = 0; + + if (cmd->se_cmd_flags & SCF_SE_LUN_CMD) + transport_lun_remove_cmd(cmd); +@@ -658,9 +659,11 @@ void transport_cmd_finish_abort(struct se_cmd *cmd, int remove) + cmd->se_tfo->aborted_task(cmd); + + if (transport_cmd_check_stop_to_fabric(cmd)) +- return; ++ return 1; + if (remove && ack_kref) +- transport_put_cmd(cmd); ++ ret = transport_put_cmd(cmd); ++ ++ return ret; + } + + static void target_complete_failure_work(struct work_struct *work) +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 2df90a54509a..50b67ff2b6ea 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -2693,13 +2693,13 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) + * related to the kernel should not use this. + */ + data = vt_get_shift_state(); +- ret = __put_user(data, p); ++ ret = put_user(data, p); + break; + case TIOCL_GETMOUSEREPORTING: + console_lock(); /* May be overkill */ + data = mouse_reporting(); + console_unlock(); +- ret = __put_user(data, p); ++ ret = put_user(data, p); + break; + case TIOCL_SETVESABLANK: + console_lock(); +@@ -2708,7 +2708,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) + break; + case TIOCL_GETKMSGREDIRECT: + data = vt_get_kmsg_redirect(); +- ret = __put_user(data, p); ++ ret = put_user(data, p); + break; + case TIOCL_SETKMSGREDIRECT: + if (!capable(CAP_SYS_ADMIN)) { +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 96b21b0dac1e..3116edfcdc18 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -223,6 +223,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Blackmagic Design UltraStudio SDI */ + { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* Hauppauge HVR-950q */ ++ { USB_DEVICE(0x2040, 0x7200), .driver_info = ++ USB_QUIRK_CONFIG_INTF_STRINGS }, ++ + /* INTEL VALUE SSD */ + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/dwc3/dwc3-st.c b/drivers/usb/dwc3/dwc3-st.c +index 4a1a543deeda..da885c3bc33f 100644 +--- a/drivers/usb/dwc3/dwc3-st.c ++++ b/drivers/usb/dwc3/dwc3-st.c +@@ -227,7 +227,7 @@ static int st_dwc3_probe(struct platform_device *pdev) + + dwc3_data->syscfg_reg_off = res->start; + +- dev_vdbg(&pdev->dev, "glue-logic addr 0x%p, syscfg-reg offset 0x%x\n", ++ dev_vdbg(&pdev->dev, "glue-logic addr 0x%pK, syscfg-reg offset 0x%x\n", + dwc3_data->glue_base, dwc3_data->syscfg_reg_off); + + dwc3_data->rstc_pwrdn = devm_reset_control_get(dev, "powerdown"); +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 48412e4afb1b..ff56aaa00bf7 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1202,7 +1202,7 @@ static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, + goto out; + } + +- if (WARN(req->dep != dep, "request %p belongs to '%s'\n", ++ if (WARN(req->dep != dep, "request %pK belongs to '%s'\n", + request, req->dep->name)) { + ret = -EINVAL; + goto out; +@@ -1249,7 +1249,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep, + dwc3_stop_active_transfer(dwc, dep->number, true); + goto out1; + } +- dev_err(dwc->dev, "request %p was not queued to %s\n", ++ dev_err(dwc->dev, "request %pK was not queued to %s\n", + request, ep->name); + ret = -EINVAL; + goto out0; +@@ -1854,7 +1854,7 @@ static int __dwc3_cleanup_done_trbs(struct dwc3 *dwc, struct dwc3_ep *dep, + * would help. Lets hope that if this occurs, someone + * fixes the root cause instead of looking away :) + */ +- dev_err(dwc->dev, "%s's TRB (%p) still owned by HW\n", ++ dev_err(dwc->dev, "%s's TRB (%pK) still owned by HW\n", + dep->name, trb); + + count = trb->size & DWC3_TRB_SIZE_MASK; +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 921dd8b0733f..804b209f4c08 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1668,12 +1668,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) + ep->ep->driver_data = ep; + ep->ep->desc = ds; + +- comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + +- USB_DT_ENDPOINT_SIZE); +- ep->ep->maxburst = comp_desc->bMaxBurst + 1; +- +- if (needs_comp_desc) ++ if (needs_comp_desc) { ++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + ++ USB_DT_ENDPOINT_SIZE); ++ ep->ep->maxburst = comp_desc->bMaxBurst + 1; + ep->ep->comp_desc = comp_desc; ++ } + + ret = usb_ep_enable(ep->ep); + if (likely(!ret)) { +@@ -3459,6 +3459,7 @@ static void ffs_closed(struct ffs_data *ffs) + { + struct ffs_dev *ffs_obj; + struct f_fs_opts *opts; ++ struct config_item *ci; + + ENTER(); + ffs_dev_lock(); +@@ -3482,8 +3483,11 @@ static void ffs_closed(struct ffs_data *ffs) + || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount)) + goto done; + +- unregister_gadget_item(ffs_obj->opts-> +- func_inst.group.cg_item.ci_parent->ci_parent); ++ ci = opts->func_inst.group.cg_item.ci_parent->ci_parent; ++ ffs_dev_unlock(); ++ ++ unregister_gadget_item(ci); ++ return; + done: + ffs_dev_unlock(); + } +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index f36f964a9a37..69040e9069e0 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -132,6 +132,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */ + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */ ++ { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */ + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 80d93bccc09b..5d841485bbe3 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1874,6 +1874,10 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&four_g_w100_blacklist + }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, ++ { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff), ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9803, 0xff), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, + { USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) }, +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index 4f91868736a5..23c303b2a3a2 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -156,6 +156,7 @@ static const struct usb_device_id id_table[] = { + {DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */ ++ {DEVICE_SWI(0x1199, 0x9063)}, /* Sierra Wireless EM7305 */ + {DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx */ + {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */ + {DEVICE_SWI(0x1199, 0x9078)}, /* Sierra Wireless EM74xx */ +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index 44ab43fc4fcc..af10f7b131a4 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -262,7 +262,11 @@ void stub_device_cleanup_urbs(struct stub_device *sdev) + kmem_cache_free(stub_priv_cache, priv); + + kfree(urb->transfer_buffer); ++ urb->transfer_buffer = NULL; ++ + kfree(urb->setup_packet); ++ urb->setup_packet = NULL; ++ + usb_free_urb(urb); + } + } +diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c +index dbcabc9dbe0d..021003c4de53 100644 +--- a/drivers/usb/usbip/stub_tx.c ++++ b/drivers/usb/usbip/stub_tx.c +@@ -28,7 +28,11 @@ static void stub_free_priv_and_urb(struct stub_priv *priv) + struct urb *urb = priv->urb; + + kfree(urb->setup_packet); ++ urb->setup_packet = NULL; ++ + kfree(urb->transfer_buffer); ++ urb->transfer_buffer = NULL; ++ + list_del(&priv->list); + kmem_cache_free(stub_priv_cache, priv); + usb_free_urb(urb); +diff --git a/drivers/watchdog/bcm_kona_wdt.c b/drivers/watchdog/bcm_kona_wdt.c +index 22d8ae65772a..35af1d15c7ef 100644 +--- a/drivers/watchdog/bcm_kona_wdt.c ++++ b/drivers/watchdog/bcm_kona_wdt.c +@@ -304,6 +304,8 @@ static int bcm_kona_wdt_probe(struct platform_device *pdev) + if (!wdt) + return -ENOMEM; + ++ spin_lock_init(&wdt->lock); ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + wdt->base = devm_ioremap_resource(dev, res); + if (IS_ERR(wdt->base)) +@@ -316,7 +318,6 @@ static int bcm_kona_wdt_probe(struct platform_device *pdev) + return ret; + } + +- spin_lock_init(&wdt->lock); + platform_set_drvdata(pdev, wdt); + watchdog_set_drvdata(&bcm_kona_wdt_wdd, wdt); + +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index 4c549323c605..3a0e6a031174 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -416,9 +416,9 @@ dma_addr_t xen_swiotlb_map_page(struct device *dev, struct page *page, + if (map == SWIOTLB_MAP_ERROR) + return DMA_ERROR_CODE; + ++ dev_addr = xen_phys_to_bus(map); + xen_dma_map_page(dev, pfn_to_page(map >> PAGE_SHIFT), + dev_addr, map & ~PAGE_MASK, size, dir, attrs); +- dev_addr = xen_phys_to_bus(map); + + /* + * Ensure that the address returned is DMA'ble +@@ -574,13 +574,14 @@ xen_swiotlb_map_sg_attrs(struct device *hwdev, struct scatterlist *sgl, + sg_dma_len(sgl) = 0; + return 0; + } ++ dev_addr = xen_phys_to_bus(map); + xen_dma_map_page(hwdev, pfn_to_page(map >> PAGE_SHIFT), + dev_addr, + map & ~PAGE_MASK, + sg->length, + dir, + attrs); +- sg->dma_address = xen_phys_to_bus(map); ++ sg->dma_address = dev_addr; + } else { + /* we are not interested in the dma_addr returned by + * xen_dma_map_page, only in the potential cache flushes executed +diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c +index ac7d921ed984..257425511d10 100644 +--- a/fs/autofs4/dev-ioctl.c ++++ b/fs/autofs4/dev-ioctl.c +@@ -331,7 +331,7 @@ static int autofs_dev_ioctl_fail(struct file *fp, + int status; + + token = (autofs_wqt_t) param->fail.token; +- status = param->fail.status ? param->fail.status : -ENOENT; ++ status = param->fail.status < 0 ? param->fail.status : -ENOENT; + return autofs4_wait_release(sbi, token, status); + } + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index cd46e4158830..90f20f8ce87e 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -904,17 +904,60 @@ static int load_elf_binary(struct linux_binprm *bprm) + elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE; + + vaddr = elf_ppnt->p_vaddr; ++ /* ++ * If we are loading ET_EXEC or we have already performed ++ * the ET_DYN load_addr calculations, proceed normally. ++ */ + if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) { + elf_flags |= MAP_FIXED; + } else if (loc->elf_ex.e_type == ET_DYN) { +- /* Try and get dynamic programs out of the way of the +- * default mmap base, as well as whatever program they +- * might try to exec. This is because the brk will +- * follow the loader, and is not movable. */ +- load_bias = ELF_ET_DYN_BASE - vaddr; +- if (current->flags & PF_RANDOMIZE) +- load_bias += arch_mmap_rnd(); +- load_bias = ELF_PAGESTART(load_bias); ++ /* ++ * This logic is run once for the first LOAD Program ++ * Header for ET_DYN binaries to calculate the ++ * randomization (load_bias) for all the LOAD ++ * Program Headers, and to calculate the entire ++ * size of the ELF mapping (total_size). (Note that ++ * load_addr_set is set to true later once the ++ * initial mapping is performed.) ++ * ++ * There are effectively two types of ET_DYN ++ * binaries: programs (i.e. PIE: ET_DYN with INTERP) ++ * and loaders (ET_DYN without INTERP, since they ++ * _are_ the ELF interpreter). The loaders must ++ * be loaded away from programs since the program ++ * may otherwise collide with the loader (especially ++ * for ET_EXEC which does not have a randomized ++ * position). For example to handle invocations of ++ * "./ld.so someprog" to test out a new version of ++ * the loader, the subsequent program that the ++ * loader loads must avoid the loader itself, so ++ * they cannot share the same load range. Sufficient ++ * room for the brk must be allocated with the ++ * loader as well, since brk must be available with ++ * the loader. ++ * ++ * Therefore, programs are loaded offset from ++ * ELF_ET_DYN_BASE and loaders are loaded into the ++ * independently randomized mmap region (0 load_bias ++ * without MAP_FIXED). ++ */ ++ if (elf_interpreter) { ++ load_bias = ELF_ET_DYN_BASE; ++ if (current->flags & PF_RANDOMIZE) ++ load_bias += arch_mmap_rnd(); ++ elf_flags |= MAP_FIXED; ++ } else ++ load_bias = 0; ++ ++ /* ++ * Since load_bias is used for all subsequent loading ++ * calculations, we must lower it by the first vaddr ++ * so that the remaining calculations based on the ++ * ELF vaddrs will be correctly offset. The result ++ * is then page aligned. ++ */ ++ load_bias = ELF_PAGESTART(load_bias - vaddr); ++ + total_size = total_mapping_size(elf_phdata, + loc->elf_ex.e_phnum); + if (!total_size) { +@@ -2285,6 +2328,7 @@ static int elf_core_dump(struct coredump_params *cprm) + goto end_coredump; + } + } ++ dump_truncate(cprm); + + if (!elf_core_write_extra_data(cprm)) + goto end_coredump; +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 04997ac958c4..db6115486166 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4358,8 +4358,19 @@ search_again: + if (found_type > min_type) { + del_item = 1; + } else { +- if (item_end < new_size) ++ if (item_end < new_size) { ++ /* ++ * With NO_HOLES mode, for the following mapping ++ * ++ * [0-4k][hole][8k-12k] ++ * ++ * if truncating isize down to 6k, it ends up ++ * isize being 8k. ++ */ ++ if (btrfs_fs_incompat(root->fs_info, NO_HOLES)) ++ last_size = new_size; + break; ++ } + if (found_key.offset >= new_size) + del_item = 1; + else +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 7d7bd466520b..cb3406815330 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -401,6 +401,9 @@ cifs_reconnect(struct TCP_Server_Info *server) + } + } while (server->tcpStatus == CifsNeedReconnect); + ++ if (server->tcpStatus == CifsNeedNegotiate) ++ mod_delayed_work(cifsiod_wq, &server->echo, 0); ++ + return rc; + } + +@@ -410,18 +413,27 @@ cifs_echo_request(struct work_struct *work) + int rc; + struct TCP_Server_Info *server = container_of(work, + struct TCP_Server_Info, echo.work); ++ unsigned long echo_interval; ++ ++ /* ++ * If we need to renegotiate, set echo interval to zero to ++ * immediately call echo service where we can renegotiate. ++ */ ++ if (server->tcpStatus == CifsNeedNegotiate) ++ echo_interval = 0; ++ else ++ echo_interval = SMB_ECHO_INTERVAL; + + /* +- * We cannot send an echo if it is disabled or until the +- * NEGOTIATE_PROTOCOL request is done, which is indicated by +- * server->ops->need_neg() == true. Also, no need to ping if +- * we got a response recently. ++ * We cannot send an echo if it is disabled. ++ * Also, no need to ping if we got a response recently. + */ + + if (server->tcpStatus == CifsNeedReconnect || +- server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew || ++ server->tcpStatus == CifsExiting || ++ server->tcpStatus == CifsNew || + (server->ops->can_echo && !server->ops->can_echo(server)) || +- time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ)) ++ time_before(jiffies, server->lstrp + echo_interval - HZ)) + goto requeue_echo; + + rc = server->ops->echo ? server->ops->echo(server) : -ENOSYS; +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index 87b87e091e8e..efd72e1fae74 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -849,8 +849,13 @@ cifs_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon, + struct cifs_fid *fid, __u16 search_flags, + struct cifs_search_info *srch_inf) + { +- return CIFSFindFirst(xid, tcon, path, cifs_sb, +- &fid->netfid, search_flags, srch_inf, true); ++ int rc; ++ ++ rc = CIFSFindFirst(xid, tcon, path, cifs_sb, ++ &fid->netfid, search_flags, srch_inf, true); ++ if (rc) ++ cifs_dbg(FYI, "find first failed=%d\n", rc); ++ return rc; + } + + static int +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 57aeae6116d6..16212dab81d5 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -843,7 +843,7 @@ smb2_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon, + rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL); + kfree(utf16_path); + if (rc) { +- cifs_dbg(VFS, "open dir failed\n"); ++ cifs_dbg(FYI, "open dir failed rc=%d\n", rc); + return rc; + } + +@@ -853,7 +853,7 @@ smb2_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon, + rc = SMB2_query_directory(xid, tcon, fid->persistent_fid, + fid->volatile_fid, 0, srch_inf); + if (rc) { +- cifs_dbg(VFS, "query directory failed\n"); ++ cifs_dbg(FYI, "query directory failed rc=%d\n", rc); + SMB2_close(xid, tcon, fid->persistent_fid, fid->volatile_fid); + } + return rc; +diff --git a/fs/coredump.c b/fs/coredump.c +index 26d05e3bc6db..e07cbb629f1c 100644 +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -803,3 +803,21 @@ int dump_align(struct coredump_params *cprm, int align) + return mod ? dump_skip(cprm, align - mod) : 1; + } + EXPORT_SYMBOL(dump_align); ++ ++/* ++ * Ensures that file size is big enough to contain the current file ++ * postion. This prevents gdb from complaining about a truncated file ++ * if the last "write" to the file was dump_skip. ++ */ ++void dump_truncate(struct coredump_params *cprm) ++{ ++ struct file *file = cprm->file; ++ loff_t offset; ++ ++ if (file->f_op->llseek && file->f_op->llseek != no_llseek) { ++ offset = file->f_op->llseek(file, 0, SEEK_CUR); ++ if (i_size_read(file->f_mapping->host) < offset) ++ do_truncate(file->f_path.dentry, offset, 0, file); ++ } ++} ++EXPORT_SYMBOL(dump_truncate); +diff --git a/fs/dcache.c b/fs/dcache.c +index 11d466bbfb0b..5ca8f0b2b897 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1128,11 +1128,12 @@ void shrink_dcache_sb(struct super_block *sb) + LIST_HEAD(dispose); + + freed = list_lru_walk(&sb->s_dentry_lru, +- dentry_lru_isolate_shrink, &dispose, UINT_MAX); ++ dentry_lru_isolate_shrink, &dispose, 1024); + + this_cpu_sub(nr_dentry_unused, freed); + shrink_dentry_list(&dispose); +- } while (freed > 0); ++ cond_resched(); ++ } while (list_lru_count(&sb->s_dentry_lru) > 0); + } + EXPORT_SYMBOL(shrink_dcache_sb); + +diff --git a/fs/exec.c b/fs/exec.c +index 04c9cab4d4d3..3ba35c21726e 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -199,7 +199,24 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, + + if (write) { + unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; +- struct rlimit *rlim; ++ unsigned long ptr_size, limit; ++ ++ /* ++ * Since the stack will hold pointers to the strings, we ++ * must account for them as well. ++ * ++ * The size calculation is the entire vma while each arg page is ++ * built, so each time we get here it's calculating how far it ++ * is currently (rather than each call being just the newly ++ * added size from the arg page). As a result, we need to ++ * always add the entire size of the pointers, so that on the ++ * last call to get_arg_page() we'll actually have the entire ++ * correct size. ++ */ ++ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); ++ if (ptr_size > ULONG_MAX - size) ++ goto fail; ++ size += ptr_size; + + acct_arg_size(bprm, size / PAGE_SIZE); + +@@ -211,20 +228,24 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, + return page; + + /* +- * Limit to 1/4-th the stack size for the argv+env strings. ++ * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM ++ * (whichever is smaller) for the argv+env strings. + * This ensures that: + * - the remaining binfmt code will not run out of stack space, + * - the program will have a reasonable amount of stack left + * to work from. + */ +- rlim = current->signal->rlim; +- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) { +- put_page(page); +- return NULL; +- } ++ limit = _STK_LIM / 4 * 3; ++ limit = min(limit, rlimit(RLIMIT_STACK) / 4); ++ if (size > limit) ++ goto fail; + } + + return page; ++ ++fail: ++ put_page(page); ++ return NULL; + } + + static void put_arg_page(struct page *page) +diff --git a/fs/fcntl.c b/fs/fcntl.c +index ee85cd4e136a..62376451bbce 100644 +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -740,16 +740,10 @@ static int __init fcntl_init(void) + * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY + * is defined as O_NONBLOCK on some platforms and not on others. + */ +- BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32( +- O_RDONLY | O_WRONLY | O_RDWR | +- O_CREAT | O_EXCL | O_NOCTTY | +- O_TRUNC | O_APPEND | /* O_NONBLOCK | */ +- __O_SYNC | O_DSYNC | FASYNC | +- O_DIRECT | O_LARGEFILE | O_DIRECTORY | +- O_NOFOLLOW | O_NOATIME | O_CLOEXEC | +- __FMODE_EXEC | O_PATH | __O_TMPFILE | +- __FMODE_NONOTIFY +- )); ++ BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ != ++ HWEIGHT32( ++ (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) | ++ __FMODE_EXEC | __FMODE_NONOTIFY)); + + fasync_cache = kmem_cache_create("fasync_cache", + sizeof(struct fasync_struct), 0, SLAB_PANIC, NULL); +diff --git a/fs/mount.h b/fs/mount.h +index 32cabd55a787..bae2b0943019 100644 +--- a/fs/mount.h ++++ b/fs/mount.h +@@ -57,6 +57,7 @@ struct mount { + struct mnt_namespace *mnt_ns; /* containing namespace */ + struct mountpoint *mnt_mp; /* where is it mounted */ + struct hlist_node mnt_mp_list; /* list mounts with the same mountpoint */ ++ struct list_head mnt_umounting; /* list entry for umount propagation */ + #ifdef CONFIG_FSNOTIFY + struct hlist_head mnt_fsnotify_marks; + __u32 mnt_fsnotify_mask; +diff --git a/fs/namespace.c b/fs/namespace.c +index df20ee946f7c..58b281ad30d5 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -237,6 +237,7 @@ static struct mount *alloc_vfsmnt(const char *name) + INIT_LIST_HEAD(&mnt->mnt_slave_list); + INIT_LIST_HEAD(&mnt->mnt_slave); + INIT_HLIST_NODE(&mnt->mnt_mp_list); ++ INIT_LIST_HEAD(&mnt->mnt_umounting); + #ifdef CONFIG_FSNOTIFY + INIT_HLIST_HEAD(&mnt->mnt_fsnotify_marks); + #endif +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index aadb4af4a0fe..b6d97dfa9cb6 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2446,6 +2446,20 @@ int nfs_may_open(struct inode *inode, struct rpc_cred *cred, int openflags) + } + EXPORT_SYMBOL_GPL(nfs_may_open); + ++static int nfs_execute_ok(struct inode *inode, int mask) ++{ ++ struct nfs_server *server = NFS_SERVER(inode); ++ int ret; ++ ++ if (mask & MAY_NOT_BLOCK) ++ ret = nfs_revalidate_inode_rcu(server, inode); ++ else ++ ret = nfs_revalidate_inode(server, inode); ++ if (ret == 0 && !execute_ok(inode)) ++ ret = -EACCES; ++ return ret; ++} ++ + int nfs_permission(struct inode *inode, int mask) + { + struct rpc_cred *cred; +@@ -2463,6 +2477,9 @@ int nfs_permission(struct inode *inode, int mask) + case S_IFLNK: + goto out; + case S_IFREG: ++ if ((mask & MAY_OPEN) && ++ nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)) ++ return 0; + break; + case S_IFDIR: + /* +@@ -2495,8 +2512,8 @@ force_lookup: + res = PTR_ERR(cred); + } + out: +- if (!res && (mask & MAY_EXEC) && !execute_ok(inode)) +- res = -EACCES; ++ if (!res && (mask & MAY_EXEC)) ++ res = nfs_execute_ok(inode, mask); + + dfprintk(VFS, "NFS: permission(%s/%lu), mask=0x%x, res=%d\n", + inode->i_sb->s_id, inode->i_ino, mask, res); +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 5d8c7e978c33..f06af7248be7 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2068,8 +2068,6 @@ static int nfs4_opendata_access(struct rpc_cred *cred, + if ((mask & ~cache.mask & (MAY_READ | MAY_EXEC)) == 0) + return 0; + +- /* even though OPEN succeeded, access is denied. Close the file */ +- nfs4_close_state(state, fmode); + return -EACCES; + } + +diff --git a/fs/open.c b/fs/open.c +index ff80b2542989..d0169e52d7fe 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -881,6 +881,12 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o + int lookup_flags = 0; + int acc_mode; + ++ /* ++ * Clear out all open flags we don't know about so that we don't report ++ * them in fcntl(F_GETFD) or similar interfaces. ++ */ ++ flags &= VALID_OPEN_FLAGS; ++ + if (flags & (O_CREAT | __O_TMPFILE)) + op->mode = (mode & S_IALLUGO) | S_IFREG; + else +diff --git a/fs/pnode.c b/fs/pnode.c +index b394ca5307ec..d15c63e97ef1 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -24,6 +24,11 @@ static inline struct mount *first_slave(struct mount *p) + return list_entry(p->mnt_slave_list.next, struct mount, mnt_slave); + } + ++static inline struct mount *last_slave(struct mount *p) ++{ ++ return list_entry(p->mnt_slave_list.prev, struct mount, mnt_slave); ++} ++ + static inline struct mount *next_slave(struct mount *p) + { + return list_entry(p->mnt_slave.next, struct mount, mnt_slave); +@@ -164,6 +169,19 @@ static struct mount *propagation_next(struct mount *m, + } + } + ++static struct mount *skip_propagation_subtree(struct mount *m, ++ struct mount *origin) ++{ ++ /* ++ * Advance m such that propagation_next will not return ++ * the slaves of m. ++ */ ++ if (!IS_MNT_NEW(m) && !list_empty(&m->mnt_slave_list)) ++ m = last_slave(m); ++ ++ return m; ++} ++ + static struct mount *next_group(struct mount *m, struct mount *origin) + { + while (1) { +@@ -415,65 +433,104 @@ void propagate_mount_unlock(struct mount *mnt) + } + } + +-/* +- * Mark all mounts that the MNT_LOCKED logic will allow to be unmounted. +- */ +-static void mark_umount_candidates(struct mount *mnt) ++static void umount_one(struct mount *mnt, struct list_head *to_umount) + { +- struct mount *parent = mnt->mnt_parent; +- struct mount *m; +- +- BUG_ON(parent == mnt); +- +- for (m = propagation_next(parent, parent); m; +- m = propagation_next(m, parent)) { +- struct mount *child = __lookup_mnt(&m->mnt, +- mnt->mnt_mountpoint); +- if (!child || (child->mnt.mnt_flags & MNT_UMOUNT)) +- continue; +- if (!IS_MNT_LOCKED(child) || IS_MNT_MARKED(m)) { +- SET_MNT_MARK(child); +- } +- } ++ CLEAR_MNT_MARK(mnt); ++ mnt->mnt.mnt_flags |= MNT_UMOUNT; ++ list_del_init(&mnt->mnt_child); ++ list_del_init(&mnt->mnt_umounting); ++ list_move_tail(&mnt->mnt_list, to_umount); + } + + /* + * NOTE: unmounting 'mnt' naturally propagates to all other mounts its + * parent propagates to. + */ +-static void __propagate_umount(struct mount *mnt) ++static bool __propagate_umount(struct mount *mnt, ++ struct list_head *to_umount, ++ struct list_head *to_restore) + { +- struct mount *parent = mnt->mnt_parent; +- struct mount *m; ++ bool progress = false; ++ struct mount *child; + +- BUG_ON(parent == mnt); ++ /* ++ * The state of the parent won't change if this mount is ++ * already unmounted or marked as without children. ++ */ ++ if (mnt->mnt.mnt_flags & (MNT_UMOUNT | MNT_MARKED)) ++ goto out; + +- for (m = propagation_next(parent, parent); m; +- m = propagation_next(m, parent)) { +- struct mount *topper; +- struct mount *child = __lookup_mnt(&m->mnt, +- mnt->mnt_mountpoint); +- /* +- * umount the child only if the child has no children +- * and the child is marked safe to unmount. +- */ +- if (!child || !IS_MNT_MARKED(child)) ++ /* Verify topper is the only grandchild that has not been ++ * speculatively unmounted. ++ */ ++ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { ++ if (child->mnt_mountpoint == mnt->mnt.mnt_root) + continue; +- CLEAR_MNT_MARK(child); ++ if (!list_empty(&child->mnt_umounting) && IS_MNT_MARKED(child)) ++ continue; ++ /* Found a mounted child */ ++ goto children; ++ } + +- /* If there is exactly one mount covering all of child +- * replace child with that mount. +- */ +- topper = find_topper(child); +- if (topper) +- mnt_change_mountpoint(child->mnt_parent, child->mnt_mp, +- topper); ++ /* Mark mounts that can be unmounted if not locked */ ++ SET_MNT_MARK(mnt); ++ progress = true; ++ ++ /* If a mount is without children and not locked umount it. */ ++ if (!IS_MNT_LOCKED(mnt)) { ++ umount_one(mnt, to_umount); ++ } else { ++children: ++ list_move_tail(&mnt->mnt_umounting, to_restore); ++ } ++out: ++ return progress; ++} ++ ++static void umount_list(struct list_head *to_umount, ++ struct list_head *to_restore) ++{ ++ struct mount *mnt, *child, *tmp; ++ list_for_each_entry(mnt, to_umount, mnt_list) { ++ list_for_each_entry_safe(child, tmp, &mnt->mnt_mounts, mnt_child) { ++ /* topper? */ ++ if (child->mnt_mountpoint == mnt->mnt.mnt_root) ++ list_move_tail(&child->mnt_umounting, to_restore); ++ else ++ umount_one(child, to_umount); ++ } ++ } ++} + +- if (list_empty(&child->mnt_mounts)) { +- list_del_init(&child->mnt_child); +- child->mnt.mnt_flags |= MNT_UMOUNT; +- list_move_tail(&child->mnt_list, &mnt->mnt_list); ++static void restore_mounts(struct list_head *to_restore) ++{ ++ /* Restore mounts to a clean working state */ ++ while (!list_empty(to_restore)) { ++ struct mount *mnt, *parent; ++ struct mountpoint *mp; ++ ++ mnt = list_first_entry(to_restore, struct mount, mnt_umounting); ++ CLEAR_MNT_MARK(mnt); ++ list_del_init(&mnt->mnt_umounting); ++ ++ /* Should this mount be reparented? */ ++ mp = mnt->mnt_mp; ++ parent = mnt->mnt_parent; ++ while (parent->mnt.mnt_flags & MNT_UMOUNT) { ++ mp = parent->mnt_mp; ++ parent = parent->mnt_parent; + } ++ if (parent != mnt->mnt_parent) ++ mnt_change_mountpoint(parent, mp, mnt); ++ } ++} ++ ++static void cleanup_umount_visitations(struct list_head *visited) ++{ ++ while (!list_empty(visited)) { ++ struct mount *mnt = ++ list_first_entry(visited, struct mount, mnt_umounting); ++ list_del_init(&mnt->mnt_umounting); + } + } + +@@ -487,11 +544,68 @@ static void __propagate_umount(struct mount *mnt) + int propagate_umount(struct list_head *list) + { + struct mount *mnt; ++ LIST_HEAD(to_restore); ++ LIST_HEAD(to_umount); ++ LIST_HEAD(visited); ++ ++ /* Find candidates for unmounting */ ++ list_for_each_entry_reverse(mnt, list, mnt_list) { ++ struct mount *parent = mnt->mnt_parent; ++ struct mount *m; ++ ++ /* ++ * If this mount has already been visited it is known that it's ++ * entire peer group and all of their slaves in the propagation ++ * tree for the mountpoint has already been visited and there is ++ * no need to visit them again. ++ */ ++ if (!list_empty(&mnt->mnt_umounting)) ++ continue; ++ ++ list_add_tail(&mnt->mnt_umounting, &visited); ++ for (m = propagation_next(parent, parent); m; ++ m = propagation_next(m, parent)) { ++ struct mount *child = __lookup_mnt(&m->mnt, ++ mnt->mnt_mountpoint); ++ if (!child) ++ continue; ++ ++ if (!list_empty(&child->mnt_umounting)) { ++ /* ++ * If the child has already been visited it is ++ * know that it's entire peer group and all of ++ * their slaves in the propgation tree for the ++ * mountpoint has already been visited and there ++ * is no need to visit this subtree again. ++ */ ++ m = skip_propagation_subtree(m, parent); ++ continue; ++ } else if (child->mnt.mnt_flags & MNT_UMOUNT) { ++ /* ++ * We have come accross an partially unmounted ++ * mount in list that has not been visited yet. ++ * Remember it has been visited and continue ++ * about our merry way. ++ */ ++ list_add_tail(&child->mnt_umounting, &visited); ++ continue; ++ } ++ ++ /* Check the child and parents while progress is made */ ++ while (__propagate_umount(child, ++ &to_umount, &to_restore)) { ++ /* Is the parent a umount candidate? */ ++ child = child->mnt_parent; ++ if (list_empty(&child->mnt_umounting)) ++ break; ++ } ++ } ++ } + +- list_for_each_entry_reverse(mnt, list, mnt_list) +- mark_umount_candidates(mnt); ++ umount_list(&to_umount, &to_restore); ++ restore_mounts(&to_restore); ++ cleanup_umount_visitations(&visited); ++ list_splice_tail(&to_umount, list); + +- list_for_each_entry(mnt, list, mnt_list) +- __propagate_umount(mnt); + return 0; + } +diff --git a/fs/xfs/xfs_attr.h b/fs/xfs/xfs_attr.h +index dd4824589470..234331227c0c 100644 +--- a/fs/xfs/xfs_attr.h ++++ b/fs/xfs/xfs_attr.h +@@ -112,6 +112,7 @@ typedef struct attrlist_cursor_kern { + *========================================================================*/ + + ++/* Return 0 on success, or -errno; other state communicated via *context */ + typedef int (*put_listent_func_t)(struct xfs_attr_list_context *, int, + unsigned char *, int, int, unsigned char *); + +diff --git a/fs/xfs/xfs_attr_list.c b/fs/xfs/xfs_attr_list.c +index 8f7e09d0d0f0..36db8b21969f 100644 +--- a/fs/xfs/xfs_attr_list.c ++++ b/fs/xfs/xfs_attr_list.c +@@ -108,16 +108,14 @@ xfs_attr_shortform_list(xfs_attr_list_context_t *context) + (int)sfe->namelen, + (int)sfe->valuelen, + &sfe->nameval[sfe->namelen]); +- ++ if (error) ++ return error; + /* + * Either search callback finished early or + * didn't fit it all in the buffer after all. + */ + if (context->seen_enough) + break; +- +- if (error) +- return error; + sfe = XFS_ATTR_SF_NEXTENTRY(sfe); + } + trace_xfs_attr_list_sf_all(context); +@@ -581,7 +579,7 @@ xfs_attr_put_listent( + trace_xfs_attr_list_full(context); + alist->al_more = 1; + context->seen_enough = 1; +- return 1; ++ return 0; + } + + aep = (attrlist_ent_t *)&context->alist[context->firstu]; +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index e69a0899bc05..3b7985991823 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -402,6 +402,7 @@ xfs_attrlist_by_handle( + { + int error = -ENOMEM; + attrlist_cursor_kern_t *cursor; ++ struct xfs_fsop_attrlist_handlereq __user *p = arg; + xfs_fsop_attrlist_handlereq_t al_hreq; + struct dentry *dentry; + char *kbuf; +@@ -434,6 +435,11 @@ xfs_attrlist_by_handle( + if (error) + goto out_kfree; + ++ if (copy_to_user(&p->pos, cursor, sizeof(attrlist_cursor_kern_t))) { ++ error = -EFAULT; ++ goto out_kfree; ++ } ++ + if (copy_to_user(al_hreq.buffer, kbuf, al_hreq.buflen)) + error = -EFAULT; + +diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c +index c036815183cb..ead53c933de6 100644 +--- a/fs/xfs/xfs_xattr.c ++++ b/fs/xfs/xfs_xattr.c +@@ -151,7 +151,8 @@ xfs_xattr_put_listent( + arraytop = context->count + prefix_len + namelen + 1; + if (arraytop > context->firstu) { + context->count = -1; /* insufficient space */ +- return 1; ++ context->seen_enough = 1; ++ return 0; + } + offset = (char *)context->alist + context->count; + strncpy(offset, xfs_xattr_prefix(flags), prefix_len); +@@ -193,12 +194,15 @@ list_one_attr(const char *name, const size_t len, void *data, + } + + ssize_t +-xfs_vn_listxattr(struct dentry *dentry, char *data, size_t size) ++xfs_vn_listxattr( ++ struct dentry *dentry, ++ char *data, ++ size_t size) + { + struct xfs_attr_list_context context; + struct attrlist_cursor_kern cursor = { 0 }; +- struct inode *inode = d_inode(dentry); +- int error; ++ struct inode *inode = d_inode(dentry); ++ int error; + + /* + * First read the regular on-disk attributes. +@@ -216,7 +220,9 @@ xfs_vn_listxattr(struct dentry *dentry, char *data, size_t size) + else + context.put_listent = xfs_xattr_put_listent_sizes; + +- xfs_attr_list_int(&context); ++ error = xfs_attr_list_int(&context); ++ if (error) ++ return error; + if (context.count < 0) + return -ERANGE; + +diff --git a/include/linux/coredump.h b/include/linux/coredump.h +index d016a121a8c4..28ffa94aed6b 100644 +--- a/include/linux/coredump.h ++++ b/include/linux/coredump.h +@@ -14,6 +14,7 @@ struct coredump_params; + extern int dump_skip(struct coredump_params *cprm, size_t nr); + extern int dump_emit(struct coredump_params *cprm, const void *addr, int nr); + extern int dump_align(struct coredump_params *cprm, int align); ++extern void dump_truncate(struct coredump_params *cprm); + #ifdef CONFIG_COREDUMP + extern void do_coredump(const siginfo_t *siginfo); + #else +diff --git a/include/linux/device.h b/include/linux/device.h +index 6558af90c8fe..98a1d9748eec 100644 +--- a/include/linux/device.h ++++ b/include/linux/device.h +@@ -338,6 +338,7 @@ int subsys_virtual_register(struct bus_type *subsys, + * @suspend: Used to put the device to sleep mode, usually to a low power + * state. + * @resume: Used to bring the device from the sleep mode. ++ * @shutdown: Called at shut-down time to quiesce the device. + * @ns_type: Callbacks so sysfs can detemine namespaces. + * @namespace: Namespace of the device belongs to this class. + * @pm: The default device power management operations of this class. +@@ -366,6 +367,7 @@ struct class { + + int (*suspend)(struct device *dev, pm_message_t state); + int (*resume)(struct device *dev); ++ int (*shutdown)(struct device *dev); + + const struct kobj_ns_type_operations *ns_type; + const void *(*namespace)(struct device *dev); +diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h +index 76ce329e656d..1b48d9c9a561 100644 +--- a/include/linux/fcntl.h ++++ b/include/linux/fcntl.h +@@ -3,6 +3,12 @@ + + #include <uapi/linux/fcntl.h> + ++/* list of all valid flags for the open/openat flags argument: */ ++#define VALID_OPEN_FLAGS \ ++ (O_RDONLY | O_WRONLY | O_RDWR | O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC | \ ++ O_APPEND | O_NDELAY | O_NONBLOCK | O_NDELAY | __O_SYNC | O_DSYNC | \ ++ FASYNC | O_DIRECT | O_LARGEFILE | O_DIRECTORY | O_NOFOLLOW | \ ++ O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE) + + #ifndef force_o_largefile + #define force_o_largefile() (BITS_PER_LONG != 32) +diff --git a/include/linux/list_lru.h b/include/linux/list_lru.h +index 2a6b9947aaa3..743b34f56f2b 100644 +--- a/include/linux/list_lru.h ++++ b/include/linux/list_lru.h +@@ -44,6 +44,7 @@ struct list_lru_node { + /* for cgroup aware lrus points to per cgroup lists, otherwise NULL */ + struct list_lru_memcg *memcg_lrus; + #endif ++ long nr_items; + } ____cacheline_aligned_in_smp; + + struct list_lru { +diff --git a/include/linux/random.h b/include/linux/random.h +index b05856e16b75..0fe49a14daa5 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -23,6 +23,7 @@ extern const struct file_operations random_fops, urandom_fops; + #endif + + unsigned int get_random_int(void); ++unsigned long get_random_long(void); + unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); + + u32 prandom_u32(void); +diff --git a/include/linux/timekeeper_internal.h b/include/linux/timekeeper_internal.h +index fb86963859c7..866cb3c596f9 100644 +--- a/include/linux/timekeeper_internal.h ++++ b/include/linux/timekeeper_internal.h +@@ -29,7 +29,6 @@ + */ + struct tk_read_base { + struct clocksource *clock; +- cycle_t (*read)(struct clocksource *cs); + cycle_t mask; + cycle_t cycle_last; + u32 mult; +diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h +index c00c7393ce8c..e70cea22f093 100644 +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -548,9 +548,9 @@ extern void usb_ep0_reinit(struct usb_device *); + ((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8) + + #define EndpointRequest \ +- ((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8) ++ ((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_ENDPOINT)<<8) + #define EndpointOutRequest \ +- ((USB_DIR_OUT|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8) ++ ((USB_DIR_OUT|USB_TYPE_STANDARD|USB_RECIP_ENDPOINT)<<8) + + /* class requests from the USB 2.0 hub spec, table 11-15 */ + /* GetBusState and SetHubDescriptor are optional, omitted */ +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 36ac102c97c7..3dac7ac61f48 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -945,10 +945,6 @@ struct xfrm_dst { + struct flow_cache_object flo; + struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; + int num_pols, num_xfrms; +-#ifdef CONFIG_XFRM_SUB_POLICY +- struct flowi *origin; +- struct xfrm_selector *partner; +-#endif + u32 xfrm_genid; + u32 policy_genid; + u32 route_mtu_cached; +@@ -964,12 +960,6 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) + dst_release(xdst->route); + if (likely(xdst->u.dst.xfrm)) + xfrm_state_put(xdst->u.dst.xfrm); +-#ifdef CONFIG_XFRM_SUB_POLICY +- kfree(xdst->origin); +- xdst->origin = NULL; +- kfree(xdst->partner); +- xdst->partner = NULL; +-#endif + } + #endif + +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index c3fc5c2b63f3..e4e8b6080b33 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -1239,8 +1239,10 @@ retry: + + timeo = MAX_SCHEDULE_TIMEOUT; + ret = netlink_attachskb(sock, nc, &timeo, NULL); +- if (ret == 1) ++ if (ret == 1) { ++ sock = NULL; + goto retry; ++ } + if (ret) { + sock = NULL; + nc = NULL; +diff --git a/kernel/extable.c b/kernel/extable.c +index c98f926277a8..818019777503 100644 +--- a/kernel/extable.c ++++ b/kernel/extable.c +@@ -67,7 +67,7 @@ static inline int init_kernel_text(unsigned long addr) + return 0; + } + +-int core_kernel_text(unsigned long addr) ++int notrace core_kernel_text(unsigned long addr) + { + if (addr >= (unsigned long)_stext && + addr < (unsigned long)_etext) +diff --git a/kernel/fork.c b/kernel/fork.c +index 8209fa2d36ef..edc1916e89ee 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -361,7 +361,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) + set_task_stack_end_magic(tsk); + + #ifdef CONFIG_CC_STACKPROTECTOR +- tsk->stack_canary = get_random_int(); ++ tsk->stack_canary = get_random_long(); + #endif + + /* +diff --git a/kernel/panic.c b/kernel/panic.c +index a4f7820f5930..10e28b8d1ac9 100644 +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -166,7 +166,7 @@ void panic(const char *fmt, ...) + * Delay timeout seconds before rebooting the machine. + * We can't use the "normal" timers since we just panicked. + */ +- pr_emerg("Rebooting in %d seconds..", panic_timeout); ++ pr_emerg("Rebooting in %d seconds..\n", panic_timeout); + + for (i = 0; i < panic_timeout * 1000; i += PANIC_TIMER_STEP) { + touch_nmi_watchdog(); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 6cb5f00696f5..976d5fbcd60d 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5863,6 +5863,9 @@ enum s_alloc { + * Build an iteration mask that can exclude certain CPUs from the upwards + * domain traversal. + * ++ * Only CPUs that can arrive at this group should be considered to continue ++ * balancing. ++ * + * Asymmetric node setups can result in situations where the domain tree is of + * unequal depth, make sure to skip domains that already cover the entire + * range. +@@ -5874,18 +5877,31 @@ enum s_alloc { + */ + static void build_group_mask(struct sched_domain *sd, struct sched_group *sg) + { +- const struct cpumask *span = sched_domain_span(sd); ++ const struct cpumask *sg_span = sched_group_cpus(sg); + struct sd_data *sdd = sd->private; + struct sched_domain *sibling; + int i; + +- for_each_cpu(i, span) { ++ for_each_cpu(i, sg_span) { + sibling = *per_cpu_ptr(sdd->sd, i); +- if (!cpumask_test_cpu(i, sched_domain_span(sibling))) ++ ++ /* ++ * Can happen in the asymmetric case, where these siblings are ++ * unused. The mask will not be empty because those CPUs that ++ * do have the top domain _should_ span the domain. ++ */ ++ if (!sibling->child) ++ continue; ++ ++ /* If we would not end up here, we can't continue from here */ ++ if (!cpumask_equal(sg_span, sched_domain_span(sibling->child))) + continue; + + cpumask_set_cpu(i, sched_group_mask(sg)); + } ++ ++ /* We must not have empty masks here */ ++ WARN_ON_ONCE(cpumask_empty(sched_group_mask(sg))); + } + + /* +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 1431089b8a67..d59551865035 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -173,7 +173,7 @@ extern int no_unaligned_warning; + #define SYSCTL_WRITES_WARN 0 + #define SYSCTL_WRITES_STRICT 1 + +-static int sysctl_writes_strict = SYSCTL_WRITES_WARN; ++static int sysctl_writes_strict = SYSCTL_WRITES_STRICT; + + static int proc_do_cad_pid(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos); +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index d296b904685b..308f8f019594 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -116,6 +116,26 @@ static inline void tk_update_sleep_time(struct timekeeper *tk, ktime_t delta) + tk->offs_boot = ktime_add(tk->offs_boot, delta); + } + ++/* ++ * tk_clock_read - atomic clocksource read() helper ++ * ++ * This helper is necessary to use in the read paths because, while the ++ * seqlock ensures we don't return a bad value while structures are updated, ++ * it doesn't protect from potential crashes. There is the possibility that ++ * the tkr's clocksource may change between the read reference, and the ++ * clock reference passed to the read function. This can cause crashes if ++ * the wrong clocksource is passed to the wrong read function. ++ * This isn't necessary to use when holding the timekeeper_lock or doing ++ * a read of the fast-timekeeper tkrs (which is protected by its own locking ++ * and update logic). ++ */ ++static inline u64 tk_clock_read(struct tk_read_base *tkr) ++{ ++ struct clocksource *clock = READ_ONCE(tkr->clock); ++ ++ return clock->read(clock); ++} ++ + #ifdef CONFIG_DEBUG_TIMEKEEPING + #define WARNING_FREQ (HZ*300) /* 5 minute rate-limiting */ + /* +@@ -184,7 +204,7 @@ static inline cycle_t timekeeping_get_delta(struct tk_read_base *tkr) + */ + do { + seq = read_seqcount_begin(&tk_core.seq); +- now = tkr->read(tkr->clock); ++ now = tk_clock_read(tkr); + last = tkr->cycle_last; + mask = tkr->mask; + max = tkr->clock->max_cycles; +@@ -218,7 +238,7 @@ static inline cycle_t timekeeping_get_delta(struct tk_read_base *tkr) + cycle_t cycle_now, delta; + + /* read clocksource */ +- cycle_now = tkr->read(tkr->clock); ++ cycle_now = tk_clock_read(tkr); + + /* calculate the delta since the last update_wall_time */ + delta = clocksource_delta(cycle_now, tkr->cycle_last, tkr->mask); +@@ -246,12 +266,10 @@ static void tk_setup_internals(struct timekeeper *tk, struct clocksource *clock) + + old_clock = tk->tkr_mono.clock; + tk->tkr_mono.clock = clock; +- tk->tkr_mono.read = clock->read; + tk->tkr_mono.mask = clock->mask; +- tk->tkr_mono.cycle_last = tk->tkr_mono.read(clock); ++ tk->tkr_mono.cycle_last = tk_clock_read(&tk->tkr_mono); + + tk->tkr_raw.clock = clock; +- tk->tkr_raw.read = clock->read; + tk->tkr_raw.mask = clock->mask; + tk->tkr_raw.cycle_last = tk->tkr_mono.cycle_last; + +@@ -440,7 +458,7 @@ static __always_inline u64 __ktime_get_fast_ns(struct tk_fast *tkf) + + now += timekeeping_delta_to_ns(tkr, + clocksource_delta( +- tkr->read(tkr->clock), ++ tk_clock_read(tkr), + tkr->cycle_last, + tkr->mask)); + } while (read_seqcount_retry(&tkf->seq, seq)); +@@ -468,6 +486,10 @@ static cycle_t dummy_clock_read(struct clocksource *cs) + return cycles_at_suspend; + } + ++static struct clocksource dummy_clock = { ++ .read = dummy_clock_read, ++}; ++ + /** + * halt_fast_timekeeper - Prevent fast timekeeper from accessing clocksource. + * @tk: Timekeeper to snapshot. +@@ -484,13 +506,13 @@ static void halt_fast_timekeeper(struct timekeeper *tk) + struct tk_read_base *tkr = &tk->tkr_mono; + + memcpy(&tkr_dummy, tkr, sizeof(tkr_dummy)); +- cycles_at_suspend = tkr->read(tkr->clock); +- tkr_dummy.read = dummy_clock_read; ++ cycles_at_suspend = tk_clock_read(tkr); ++ tkr_dummy.clock = &dummy_clock; + update_fast_timekeeper(&tkr_dummy, &tk_fast_mono); + + tkr = &tk->tkr_raw; + memcpy(&tkr_dummy, tkr, sizeof(tkr_dummy)); +- tkr_dummy.read = dummy_clock_read; ++ tkr_dummy.clock = &dummy_clock; + update_fast_timekeeper(&tkr_dummy, &tk_fast_raw); + } + +@@ -635,11 +657,10 @@ static void timekeeping_update(struct timekeeper *tk, unsigned int action) + */ + static void timekeeping_forward_now(struct timekeeper *tk) + { +- struct clocksource *clock = tk->tkr_mono.clock; + cycle_t cycle_now, delta; + s64 nsec; + +- cycle_now = tk->tkr_mono.read(clock); ++ cycle_now = tk_clock_read(&tk->tkr_mono); + delta = clocksource_delta(cycle_now, tk->tkr_mono.cycle_last, tk->tkr_mono.mask); + tk->tkr_mono.cycle_last = cycle_now; + tk->tkr_raw.cycle_last = cycle_now; +@@ -1406,7 +1427,7 @@ void timekeeping_resume(void) + * The less preferred source will only be tried if there is no better + * usable source. The rtc part is handled separately in rtc core code. + */ +- cycle_now = tk->tkr_mono.read(clock); ++ cycle_now = tk_clock_read(&tk->tkr_mono); + if ((clock->flags & CLOCK_SOURCE_SUSPEND_NONSTOP) && + cycle_now > tk->tkr_mono.cycle_last) { + u64 num, max = ULLONG_MAX; +@@ -1801,7 +1822,7 @@ void update_wall_time(void) + #ifdef CONFIG_ARCH_USES_GETTIMEOFFSET + offset = real_tk->cycle_interval; + #else +- offset = clocksource_delta(tk->tkr_mono.read(tk->tkr_mono.clock), ++ offset = clocksource_delta(tk_clock_read(&tk->tkr_mono), + tk->tkr_mono.cycle_last, tk->tkr_mono.mask); + #endif + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index a4c0ae70c6dd..591b3b4f5337 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1638,7 +1638,7 @@ tracing_generic_entry_update(struct trace_entry *entry, unsigned long flags, + TRACE_FLAG_IRQS_NOSUPPORT | + #endif + ((pc & HARDIRQ_MASK) ? TRACE_FLAG_HARDIRQ : 0) | +- ((pc & SOFTIRQ_MASK) ? TRACE_FLAG_SOFTIRQ : 0) | ++ ((pc & SOFTIRQ_OFFSET) ? TRACE_FLAG_SOFTIRQ : 0) | + (tif_need_resched() ? TRACE_FLAG_NEED_RESCHED : 0) | + (test_preempt_need_resched() ? TRACE_FLAG_PREEMPT_RESCHED : 0); + } +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 28b291f83a4c..9a4aee1d3345 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -671,30 +671,25 @@ static int create_trace_kprobe(int argc, char **argv) + pr_info("Probe point is not specified.\n"); + return -EINVAL; + } +- if (isdigit(argv[1][0])) { +- if (is_return) { +- pr_info("Return probe point must be a symbol.\n"); +- return -EINVAL; +- } +- /* an address specified */ +- ret = kstrtoul(&argv[1][0], 0, (unsigned long *)&addr); +- if (ret) { +- pr_info("Failed to parse address.\n"); +- return ret; +- } +- } else { ++ ++ /* try to parse an address. if that fails, try to read the ++ * input as a symbol. */ ++ if (kstrtoul(argv[1], 0, (unsigned long *)&addr)) { + /* a symbol specified */ + symbol = argv[1]; + /* TODO: support .init module functions */ + ret = traceprobe_split_symbol_offset(symbol, &offset); + if (ret) { +- pr_info("Failed to parse symbol.\n"); ++ pr_info("Failed to parse either an address or a symbol.\n"); + return ret; + } + if (offset && is_return) { + pr_info("Return probe must be used without offset.\n"); + return -EINVAL; + } ++ } else if (is_return) { ++ pr_info("Return probe point must be a symbol.\n"); ++ return -EINVAL; + } + argc -= 2; argv += 2; + +diff --git a/lib/cmdline.c b/lib/cmdline.c +index 8f13cf73c2ec..79069d7938ea 100644 +--- a/lib/cmdline.c ++++ b/lib/cmdline.c +@@ -22,14 +22,14 @@ + * the values[M, M+1, ..., N] into the ints array in get_options. + */ + +-static int get_range(char **str, int *pint) ++static int get_range(char **str, int *pint, int n) + { + int x, inc_counter, upper_range; + + (*str)++; + upper_range = simple_strtol((*str), NULL, 0); + inc_counter = upper_range - *pint; +- for (x = *pint; x < upper_range; x++) ++ for (x = *pint; n && x < upper_range; x++, n--) + *pint++ = x; + return inc_counter; + } +@@ -96,7 +96,7 @@ char *get_options(const char *str, int nints, int *ints) + break; + if (res == 3) { + int range_nums; +- range_nums = get_range((char **)&str, ints + i); ++ range_nums = get_range((char **)&str, ints + i, nints - i); + if (range_nums < 0) + break; + /* +diff --git a/lib/swiotlb.c b/lib/swiotlb.c +index 3c365ab6cf5f..87a203e439f8 100644 +--- a/lib/swiotlb.c ++++ b/lib/swiotlb.c +@@ -452,11 +452,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device *hwdev, + : 1UL << (BITS_PER_LONG - IO_TLB_SHIFT); + + /* +- * For mappings greater than a page, we limit the stride (and +- * hence alignment) to a page size. ++ * For mappings greater than or equal to a page, we limit the stride ++ * (and hence alignment) to a page size. + */ + nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT; +- if (size > PAGE_SIZE) ++ if (size >= PAGE_SIZE) + stride = (1 << (PAGE_SHIFT - IO_TLB_SHIFT)); + else + stride = 1; +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index a58270f60602..bdd6a8dd5797 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1294,8 +1294,11 @@ int do_huge_pmd_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, + */ + if (unlikely(pmd_trans_migrating(*pmdp))) { + page = pmd_page(*pmdp); ++ if (!get_page_unless_zero(page)) ++ goto out_unlock; + spin_unlock(ptl); + wait_on_page_locked(page); ++ put_page(page); + goto out; + } + +@@ -1327,8 +1330,11 @@ int do_huge_pmd_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, + + /* Migration could have started since the pmd_trans_migrating check */ + if (!page_locked) { ++ if (!get_page_unless_zero(page)) ++ goto out_unlock; + spin_unlock(ptl); + wait_on_page_locked(page); ++ put_page(page); + page_nid = -1; + goto out; + } +diff --git a/mm/list_lru.c b/mm/list_lru.c +index 84b4c21d78d7..2a6a2e4b64ba 100644 +--- a/mm/list_lru.c ++++ b/mm/list_lru.c +@@ -103,6 +103,7 @@ bool list_lru_add(struct list_lru *lru, struct list_head *item) + if (list_empty(item)) { + list_add_tail(item, &l->list); + l->nr_items++; ++ nlru->nr_items++; + spin_unlock(&nlru->lock); + return true; + } +@@ -122,6 +123,7 @@ bool list_lru_del(struct list_lru *lru, struct list_head *item) + if (!list_empty(item)) { + list_del_init(item); + l->nr_items--; ++ nlru->nr_items--; + spin_unlock(&nlru->lock); + return true; + } +@@ -169,15 +171,10 @@ EXPORT_SYMBOL_GPL(list_lru_count_one); + + unsigned long list_lru_count_node(struct list_lru *lru, int nid) + { +- long count = 0; +- int memcg_idx; ++ struct list_lru_node *nlru; + +- count += __list_lru_count_one(lru, nid, -1); +- if (list_lru_memcg_aware(lru)) { +- for_each_memcg_cache_index(memcg_idx) +- count += __list_lru_count_one(lru, nid, memcg_idx); +- } +- return count; ++ nlru = &lru->node[nid]; ++ return nlru->nr_items; + } + EXPORT_SYMBOL_GPL(list_lru_count_node); + +@@ -212,6 +209,7 @@ restart: + assert_spin_locked(&nlru->lock); + case LRU_REMOVED: + isolated++; ++ nlru->nr_items--; + /* + * If the lru lock has been dropped, our list + * traversal is now invalid and so we have to +diff --git a/mm/swap_cgroup.c b/mm/swap_cgroup.c +index 40dd0f9b00d6..09f733b0424a 100644 +--- a/mm/swap_cgroup.c ++++ b/mm/swap_cgroup.c +@@ -205,6 +205,8 @@ void swap_cgroup_swapoff(int type) + struct page *page = map[i]; + if (page) + __free_page(page); ++ if (!(i % SWAP_CLUSTER_MAX)) ++ cond_resched(); + } + vfree(map); + } +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 59555f0f8fc8..d45e590e8f10 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -278,7 +278,8 @@ static int register_vlan_device(struct net_device *real_dev, u16 vlan_id) + return 0; + + out_free_newdev: +- free_netdev(new_dev); ++ if (new_dev->reg_state == NETREG_UNINITIALIZED) ++ free_netdev(new_dev); + return err; + } + +diff --git a/net/caif/cfpkt_skbuff.c b/net/caif/cfpkt_skbuff.c +index f6c3b2137eea..bcb62e10a99c 100644 +--- a/net/caif/cfpkt_skbuff.c ++++ b/net/caif/cfpkt_skbuff.c +@@ -81,11 +81,7 @@ static struct cfpkt *cfpkt_create_pfx(u16 len, u16 pfx) + { + struct sk_buff *skb; + +- if (likely(in_interrupt())) +- skb = alloc_skb(len + pfx, GFP_ATOMIC); +- else +- skb = alloc_skb(len + pfx, GFP_KERNEL); +- ++ skb = alloc_skb(len + pfx, GFP_ATOMIC); + if (unlikely(skb == NULL)) + return NULL; + +diff --git a/net/core/dev.c b/net/core/dev.c +index 0f9289ff0f2a..bd47736b689e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1214,8 +1214,9 @@ int dev_set_alias(struct net_device *dev, const char *alias, size_t len) + if (!new_ifalias) + return -ENOMEM; + dev->ifalias = new_ifalias; ++ memcpy(dev->ifalias, alias, len); ++ dev->ifalias[len] = 0; + +- strlcpy(dev->ifalias, alias, len+1); + return len; + } + +@@ -6726,8 +6727,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, + } else { + netdev_stats_to_stats64(storage, &dev->stats); + } +- storage->rx_dropped += atomic_long_read(&dev->rx_dropped); +- storage->tx_dropped += atomic_long_read(&dev->tx_dropped); ++ storage->rx_dropped += (unsigned long)atomic_long_read(&dev->rx_dropped); ++ storage->tx_dropped += (unsigned long)atomic_long_read(&dev->tx_dropped); + return storage; + } + EXPORT_SYMBOL(dev_get_stats); +diff --git a/net/core/dst.c b/net/core/dst.c +index 540066cb33ef..4d385b292f5d 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -373,6 +373,20 @@ static int dst_dev_event(struct notifier_block *this, unsigned long event, + spin_lock_bh(&dst_garbage.lock); + dst = dst_garbage.list; + dst_garbage.list = NULL; ++ /* The code in dst_ifdown places a hold on the loopback device. ++ * If the gc entry processing is set to expire after a lengthy ++ * interval, this hold can cause netdev_wait_allrefs() to hang ++ * out and wait for a long time -- until the the loopback ++ * interface is released. If we're really unlucky, it'll emit ++ * pr_emerg messages to console too. Reset the interval here, ++ * so dst cleanups occur in a more timely fashion. ++ */ ++ if (dst_garbage.timer_inc > DST_GC_INC) { ++ dst_garbage.timer_inc = DST_GC_INC; ++ dst_garbage.timer_expires = DST_GC_MIN; ++ mod_delayed_work(system_wq, &dst_gc_work, ++ dst_garbage.timer_expires); ++ } + spin_unlock_bh(&dst_garbage.lock); + + if (last) +diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c +index 76d3bf70c31a..53b9099c331f 100644 +--- a/net/decnet/dn_route.c ++++ b/net/decnet/dn_route.c +@@ -188,12 +188,6 @@ static inline void dnrt_free(struct dn_route *rt) + call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); + } + +-static inline void dnrt_drop(struct dn_route *rt) +-{ +- dst_release(&rt->dst); +- call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); +-} +- + static void dn_dst_check_expire(unsigned long dummy) + { + int i; +@@ -248,7 +242,7 @@ static int dn_dst_gc(struct dst_ops *ops) + } + *rtp = rt->dst.dn_next; + rt->dst.dn_next = NULL; +- dnrt_drop(rt); ++ dnrt_free(rt); + break; + } + spin_unlock_bh(&dn_rt_hash_table[i].lock); +@@ -350,7 +344,7 @@ static int dn_insert_route(struct dn_route *rt, unsigned int hash, struct dn_rou + dst_use(&rth->dst, now); + spin_unlock_bh(&dn_rt_hash_table[hash].lock); + +- dnrt_drop(rt); ++ dst_free(&rt->dst); + *rp = rth; + return 0; + } +@@ -380,7 +374,7 @@ static void dn_run_flush(unsigned long dummy) + for(; rt; rt = next) { + next = rcu_dereference_raw(rt->dst.dn_next); + RCU_INIT_POINTER(rt->dst.dn_next, NULL); +- dst_free((struct dst_entry *)rt); ++ dnrt_free(rt); + } + + nothing_to_declare: +@@ -1189,7 +1183,7 @@ make_route: + if (dev_out->flags & IFF_LOOPBACK) + flags |= RTCF_LOCAL; + +- rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST); ++ rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST); + if (rt == NULL) + goto e_nobufs; + +diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c +index af34fc9bdf69..2fe45762ca70 100644 +--- a/net/decnet/netfilter/dn_rtmsg.c ++++ b/net/decnet/netfilter/dn_rtmsg.c +@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb) + { + struct nlmsghdr *nlh = nlmsg_hdr(skb); + +- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) ++ if (skb->len < sizeof(*nlh) || ++ nlh->nlmsg_len < sizeof(*nlh) || ++ skb->len < nlh->nlmsg_len) + return; + + if (!netlink_capable(skb, CAP_NET_ADMIN)) +diff --git a/net/dsa/slave.c b/net/dsa/slave.c +index 57978c5b2c91..fe2758c72dbf 100644 +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -734,10 +734,8 @@ static int dsa_slave_phy_connect(struct dsa_slave_priv *p, + /* Use already configured phy mode */ + if (p->phy_interface == PHY_INTERFACE_MODE_NA) + p->phy_interface = p->phy->interface; +- phy_connect_direct(slave_dev, p->phy, dsa_slave_adjust_link, +- p->phy_interface); +- +- return 0; ++ return phy_connect_direct(slave_dev, p->phy, dsa_slave_adjust_link, ++ p->phy_interface); + } + + static int dsa_slave_phy_setup(struct dsa_slave_priv *p, +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 218abf9fb1ed..e2d3d62297ec 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1080,6 +1080,7 @@ static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im) + pmc = kzalloc(sizeof(*pmc), GFP_KERNEL); + if (!pmc) + return; ++ spin_lock_init(&pmc->lock); + spin_lock_bh(&im->lock); + pmc->interface = im->interface; + in_dev_hold(in_dev); +@@ -1832,21 +1833,26 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode, + + static void ip_mc_clear_src(struct ip_mc_list *pmc) + { +- struct ip_sf_list *psf, *nextpsf; ++ struct ip_sf_list *psf, *nextpsf, *tomb, *sources; + +- for (psf = pmc->tomb; psf; psf = nextpsf) { ++ spin_lock_bh(&pmc->lock); ++ tomb = pmc->tomb; ++ pmc->tomb = NULL; ++ sources = pmc->sources; ++ pmc->sources = NULL; ++ pmc->sfmode = MCAST_EXCLUDE; ++ pmc->sfcount[MCAST_INCLUDE] = 0; ++ pmc->sfcount[MCAST_EXCLUDE] = 1; ++ spin_unlock_bh(&pmc->lock); ++ ++ for (psf = tomb; psf; psf = nextpsf) { + nextpsf = psf->sf_next; + kfree(psf); + } +- pmc->tomb = NULL; +- for (psf = pmc->sources; psf; psf = nextpsf) { ++ for (psf = sources; psf; psf = nextpsf) { + nextpsf = psf->sf_next; + kfree(psf); + } +- pmc->sources = NULL; +- pmc->sfmode = MCAST_EXCLUDE; +- pmc->sfcount[MCAST_INCLUDE] = 0; +- pmc->sfcount[MCAST_EXCLUDE] = 1; + } + + /* Join a multicast group +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index e31af0c23e56..df4edab0ba3a 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -286,9 +286,9 @@ static void addrconf_mod_rs_timer(struct inet6_dev *idev, + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, + unsigned long delay) + { +- if (!delayed_work_pending(&ifp->dad_work)) +- in6_ifa_hold(ifp); +- mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); ++ in6_ifa_hold(ifp); ++ if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay)) ++ in6_ifa_put(ifp); + } + + static int snmp6_alloc_dev(struct inet6_dev *idev) +@@ -1675,17 +1675,7 @@ struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, const struct in6_addr *add + + static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed) + { +- if (ifp->flags&IFA_F_PERMANENT) { +- spin_lock_bh(&ifp->lock); +- addrconf_del_dad_work(ifp); +- ifp->flags |= IFA_F_TENTATIVE; +- if (dad_failed) +- ifp->flags |= IFA_F_DADFAILED; +- spin_unlock_bh(&ifp->lock); +- if (dad_failed) +- ipv6_ifa_notify(0, ifp); +- in6_ifa_put(ifp); +- } else if (ifp->flags&IFA_F_TEMPORARY) { ++ if (ifp->flags&IFA_F_TEMPORARY) { + struct inet6_ifaddr *ifpub; + spin_lock_bh(&ifp->lock); + ifpub = ifp->ifpub; +@@ -1698,6 +1688,16 @@ static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed) + spin_unlock_bh(&ifp->lock); + } + ipv6_del_addr(ifp); ++ } else if (ifp->flags&IFA_F_PERMANENT || !dad_failed) { ++ spin_lock_bh(&ifp->lock); ++ addrconf_del_dad_work(ifp); ++ ifp->flags |= IFA_F_TENTATIVE; ++ if (dad_failed) ++ ifp->flags |= IFA_F_DADFAILED; ++ spin_unlock_bh(&ifp->lock); ++ if (dad_failed) ++ ipv6_ifa_notify(0, ifp); ++ in6_ifa_put(ifp); + } else { + ipv6_del_addr(ifp); + } +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index f91ee783a5fd..eefb8759cfa4 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -978,8 +978,10 @@ static int ip6_dst_lookup_tail(struct sock *sk, + } + #endif + if (ipv6_addr_v4mapped(&fl6->saddr) && +- !(ipv6_addr_v4mapped(&fl6->daddr) || ipv6_addr_any(&fl6->daddr))) +- return -EAFNOSUPPORT; ++ !(ipv6_addr_v4mapped(&fl6->daddr) || ipv6_addr_any(&fl6->daddr))) { ++ err = -EAFNOSUPPORT; ++ goto out_err_release; ++ } + + return 0; + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index f0d52d721b3a..9a556e434f59 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + goto out; + } + ++ err = -ENOBUFS; + key = ext_hdrs[SADB_EXT_KEY_AUTH - 1]; + if (sa->sadb_sa_auth) { + int keysize = 0; +@@ -1146,8 +1147,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + if (key) + keysize = (key->sadb_key_bits + 7) / 8; + x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL); +- if (!x->aalg) ++ if (!x->aalg) { ++ err = -ENOMEM; + goto out; ++ } + strcpy(x->aalg->alg_name, a->name); + x->aalg->alg_key_len = 0; + if (key) { +@@ -1166,8 +1169,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + goto out; + } + x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL); +- if (!x->calg) ++ if (!x->calg) { ++ err = -ENOMEM; + goto out; ++ } + strcpy(x->calg->alg_name, a->name); + x->props.calgo = sa->sadb_sa_encrypt; + } else { +@@ -1181,8 +1186,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + if (key) + keysize = (key->sadb_key_bits + 7) / 8; + x->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL); +- if (!x->ealg) ++ if (!x->ealg) { ++ err = -ENOMEM; + goto out; ++ } + strcpy(x->ealg->alg_name, a->name); + x->ealg->alg_key_len = 0; + if (key) { +@@ -1226,8 +1233,10 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + struct xfrm_encap_tmpl *natt; + + x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL); +- if (!x->encap) ++ if (!x->encap) { ++ err = -ENOMEM; + goto out; ++ } + + natt = x->encap; + n_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]; +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index e86daed83c6f..0ddf23971b50 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -887,12 +887,17 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + supp_ht = supp_ht || sband->ht_cap.ht_supported; + supp_vht = supp_vht || sband->vht_cap.vht_supported; + +- if (sband->ht_cap.ht_supported) +- local->rx_chains = +- max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs), +- local->rx_chains); ++ if (!sband->ht_cap.ht_supported) ++ continue; + + /* TODO: consider VHT for RX chains, hopefully it's the same */ ++ local->rx_chains = ++ max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs), ++ local->rx_chains); ++ ++ /* no need to mask, SM_PS_DISABLED has all bits set */ ++ sband->ht_cap.cap |= WLAN_HT_CAP_SM_PS_DISABLED << ++ IEEE80211_HT_CAP_SM_PS_SHIFT; + } + + /* if low-level driver supports AP, we also support VLAN */ +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index a26bd6532829..a837e405a8ab 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -822,10 +822,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, + { + unsigned int verdict = NF_DROP; + +- if (IP_VS_FWD_METHOD(cp) != 0) { +- pr_err("shouldn't reach here, because the box is on the " +- "half connection in the tun/dr module.\n"); +- } ++ if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) ++ goto ignore_cp; + + /* Ensure the checksum is correct */ + if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) { +@@ -859,6 +857,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, + ip_vs_notrack(skb); + else + ip_vs_update_conntrack(skb, cp, 0); ++ ++ignore_cp: + verdict = NF_ACCEPT; + + out: +@@ -1229,8 +1229,11 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) + */ + cp = pp->conn_out_get(af, skb, &iph, 0); + +- if (likely(cp)) ++ if (likely(cp)) { ++ if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ) ++ goto ignore_cp; + return handle_response(af, skb, pd, cp, &iph, hooknum); ++ } + if (sysctl_nat_icmp_send(net) && + (pp->protocol == IPPROTO_TCP || + pp->protocol == IPPROTO_UDP || +@@ -1272,9 +1275,15 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) + } + } + } ++ ++out: + IP_VS_DBG_PKT(12, af, pp, skb, 0, + "ip_vs_out: packet continues traversal as normal"); + return NF_ACCEPT; ++ ++ignore_cp: ++ __ip_vs_conn_put(cp); ++ goto out; + } + + /* +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 6b8b0abbfab4..b6e939a8b099 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -45,6 +45,8 @@ + #include <net/netfilter/nf_conntrack_zones.h> + #include <net/netfilter/nf_conntrack_timestamp.h> + #include <net/netfilter/nf_conntrack_labels.h> ++#include <net/netfilter/nf_conntrack_seqadj.h> ++#include <net/netfilter/nf_conntrack_synproxy.h> + #ifdef CONFIG_NF_NAT_NEEDED + #include <net/netfilter/nf_nat_core.h> + #include <net/netfilter/nf_nat_l4proto.h> +@@ -1727,6 +1729,8 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, + nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); + nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); + nf_ct_labels_ext_add(ct); ++ nfct_seqadj_ext_add(ct); ++ nfct_synproxy_ext_add(ct); + + /* we must add conntrack extensions before confirmation. */ + ct->status |= IPS_CONFIRMED; +diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c +index e762de5ee89b..6531d7039b11 100644 +--- a/net/netfilter/xt_TCPMSS.c ++++ b/net/netfilter/xt_TCPMSS.c +@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, + tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); + tcp_hdrlen = tcph->doff * 4; + +- if (len < tcp_hdrlen) ++ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) + return -1; + + if (info->mss == XT_TCPMSS_CLAMP_PMTU) { +@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, + if (len > tcp_hdrlen) + return 0; + ++ /* tcph->doff has 4 bits, do not wrap it to 0 */ ++ if (tcp_hdrlen >= 15 * 4) ++ return 0; ++ + /* + * MSS Option not found ?! add it.. + */ +diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c +index db0f39f5ef96..6851a6d98fce 100644 +--- a/net/rxrpc/ar-key.c ++++ b/net/rxrpc/ar-key.c +@@ -215,7 +215,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, + unsigned int *_toklen) + { + const __be32 *xdr = *_xdr; +- unsigned int toklen = *_toklen, n_parts, loop, tmp; ++ unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen; + + /* there must be at least one name, and at least #names+1 length + * words */ +@@ -245,16 +245,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, + toklen -= 4; + if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) + return -EINVAL; +- if (tmp > toklen) ++ paddedlen = (tmp + 3) & ~3; ++ if (paddedlen > toklen) + return -EINVAL; + princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); + if (!princ->name_parts[loop]) + return -ENOMEM; + memcpy(princ->name_parts[loop], xdr, tmp); + princ->name_parts[loop][tmp] = 0; +- tmp = (tmp + 3) & ~3; +- toklen -= tmp; +- xdr += tmp >> 2; ++ toklen -= paddedlen; ++ xdr += paddedlen >> 2; + } + + if (toklen < 4) +@@ -263,16 +263,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, + toklen -= 4; + if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX) + return -EINVAL; +- if (tmp > toklen) ++ paddedlen = (tmp + 3) & ~3; ++ if (paddedlen > toklen) + return -EINVAL; + princ->realm = kmalloc(tmp + 1, GFP_KERNEL); + if (!princ->realm) + return -ENOMEM; + memcpy(princ->realm, xdr, tmp); + princ->realm[tmp] = 0; +- tmp = (tmp + 3) & ~3; +- toklen -= tmp; +- xdr += tmp >> 2; ++ toklen -= paddedlen; ++ xdr += paddedlen >> 2; + + _debug("%s/...@%s", princ->name_parts[0], princ->realm); + +@@ -291,7 +291,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, + unsigned int *_toklen) + { + const __be32 *xdr = *_xdr; +- unsigned int toklen = *_toklen, len; ++ unsigned int toklen = *_toklen, len, paddedlen; + + /* there must be at least one tag and one length word */ + if (toklen <= 8) +@@ -305,15 +305,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, + toklen -= 8; + if (len > max_data_size) + return -EINVAL; ++ paddedlen = (len + 3) & ~3; ++ if (paddedlen > toklen) ++ return -EINVAL; + td->data_len = len; + + if (len > 0) { + td->data = kmemdup(xdr, len, GFP_KERNEL); + if (!td->data) + return -ENOMEM; +- len = (len + 3) & ~3; +- toklen -= len; +- xdr += len >> 2; ++ toklen -= paddedlen; ++ xdr += paddedlen >> 2; + } + + _debug("tag %x len %x", td->tag, td->data_len); +@@ -385,7 +387,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, + const __be32 **_xdr, unsigned int *_toklen) + { + const __be32 *xdr = *_xdr; +- unsigned int toklen = *_toklen, len; ++ unsigned int toklen = *_toklen, len, paddedlen; + + /* there must be at least one length word */ + if (toklen <= 4) +@@ -397,6 +399,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, + toklen -= 4; + if (len > AFSTOKEN_K5_TIX_MAX) + return -EINVAL; ++ paddedlen = (len + 3) & ~3; ++ if (paddedlen > toklen) ++ return -EINVAL; + *_tktlen = len; + + _debug("ticket len %u", len); +@@ -405,9 +410,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, + *_ticket = kmemdup(xdr, len, GFP_KERNEL); + if (!*_ticket) + return -ENOMEM; +- len = (len + 3) & ~3; +- toklen -= len; +- xdr += len >> 2; ++ toklen -= paddedlen; ++ xdr += paddedlen >> 2; + } + + *_xdr = xdr; +@@ -550,7 +554,7 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) + { + const __be32 *xdr = prep->data, *token; + const char *cp; +- unsigned int len, tmp, loop, ntoken, toklen, sec_ix; ++ unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix; + size_t datalen = prep->datalen; + int ret; + +@@ -576,22 +580,21 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) + if (len < 1 || len > AFSTOKEN_CELL_MAX) + goto not_xdr; + datalen -= 4; +- tmp = (len + 3) & ~3; +- if (tmp > datalen) ++ paddedlen = (len + 3) & ~3; ++ if (paddedlen > datalen) + goto not_xdr; + + cp = (const char *) xdr; + for (loop = 0; loop < len; loop++) + if (!isprint(cp[loop])) + goto not_xdr; +- if (len < tmp) +- for (; loop < tmp; loop++) +- if (cp[loop]) +- goto not_xdr; ++ for (; loop < paddedlen; loop++) ++ if (cp[loop]) ++ goto not_xdr; + _debug("cellname: [%u/%u] '%*.*s'", +- len, tmp, len, len, (const char *) xdr); +- datalen -= tmp; +- xdr += tmp >> 2; ++ len, paddedlen, len, len, (const char *) xdr); ++ datalen -= paddedlen; ++ xdr += paddedlen >> 2; + + /* get the token count */ + if (datalen < 12) +@@ -612,10 +615,11 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) + sec_ix = ntohl(*xdr); + datalen -= 4; + _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); +- if (toklen < 20 || toklen > datalen) ++ paddedlen = (toklen + 3) & ~3; ++ if (toklen < 20 || toklen > datalen || paddedlen > datalen) + goto not_xdr; +- datalen -= (toklen + 3) & ~3; +- xdr += (toklen + 3) >> 2; ++ datalen -= paddedlen; ++ xdr += paddedlen >> 2; + + } while (--loop > 0); + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index c244a49ae4ac..25353056439d 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1004,6 +1004,9 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, + + return sch; + } ++ /* ops->init() failed, we call ->destroy() like qdisc_create_dflt() */ ++ if (ops->destroy) ++ ops->destroy(sch); + err_out3: + dev_put(dev); + kfree((char *) sch - sch->padded); +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index 792c6f330f77..c072305068e3 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -644,7 +644,9 @@ static int hhf_init(struct Qdisc *sch, struct nlattr *opt) + q->hhf_arrays[i] = hhf_zalloc(HHF_ARRAYS_LEN * + sizeof(u32)); + if (!q->hhf_arrays[i]) { +- hhf_destroy(sch); ++ /* Note: hhf_destroy() will be called ++ * by our caller. ++ */ + return -ENOMEM; + } + } +@@ -655,7 +657,9 @@ static int hhf_init(struct Qdisc *sch, struct nlattr *opt) + q->hhf_valid_bits[i] = hhf_zalloc(HHF_ARRAYS_LEN / + BITS_PER_BYTE); + if (!q->hhf_valid_bits[i]) { +- hhf_destroy(sch); ++ /* Note: hhf_destroy() will be called ++ * by our caller. ++ */ + return -ENOMEM; + } + } +diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c +index 3e82f047caaf..d9c84328e7eb 100644 +--- a/net/sched/sch_mq.c ++++ b/net/sched/sch_mq.c +@@ -52,7 +52,7 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt) + /* pre-allocate qdiscs, attachment can't fail */ + priv->qdiscs = kcalloc(dev->num_tx_queues, sizeof(priv->qdiscs[0]), + GFP_KERNEL); +- if (priv->qdiscs == NULL) ++ if (!priv->qdiscs) + return -ENOMEM; + + for (ntx = 0; ntx < dev->num_tx_queues; ntx++) { +@@ -60,18 +60,14 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt) + qdisc = qdisc_create_dflt(dev_queue, default_qdisc_ops, + TC_H_MAKE(TC_H_MAJ(sch->handle), + TC_H_MIN(ntx + 1))); +- if (qdisc == NULL) +- goto err; ++ if (!qdisc) ++ return -ENOMEM; + priv->qdiscs[ntx] = qdisc; + qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } + + sch->flags |= TCQ_F_MQROOT; + return 0; +- +-err: +- mq_destroy(sch); +- return -ENOMEM; + } + + static void mq_attach(struct Qdisc *sch) +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index ad70ecf57ce7..66bccc5ff4ea 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -117,20 +117,17 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt) + /* pre-allocate qdisc, attachment can't fail */ + priv->qdiscs = kcalloc(dev->num_tx_queues, sizeof(priv->qdiscs[0]), + GFP_KERNEL); +- if (priv->qdiscs == NULL) { +- err = -ENOMEM; +- goto err; +- } ++ if (!priv->qdiscs) ++ return -ENOMEM; + + for (i = 0; i < dev->num_tx_queues; i++) { + dev_queue = netdev_get_tx_queue(dev, i); + qdisc = qdisc_create_dflt(dev_queue, default_qdisc_ops, + TC_H_MAKE(TC_H_MAJ(sch->handle), + TC_H_MIN(i + 1))); +- if (qdisc == NULL) { +- err = -ENOMEM; +- goto err; +- } ++ if (!qdisc) ++ return -ENOMEM; ++ + priv->qdiscs[i] = qdisc; + qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; + } +@@ -143,7 +140,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt) + priv->hw_owned = 1; + err = dev->netdev_ops->ndo_setup_tc(dev, qopt->num_tc); + if (err) +- goto err; ++ return err; + } else { + netdev_set_num_tc(dev, qopt->num_tc); + for (i = 0; i < qopt->num_tc; i++) +@@ -157,10 +154,6 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt) + + sch->flags |= TCQ_F_MQROOT; + return 0; +- +-err: +- mqprio_destroy(sch); +- return err; + } + + static void mqprio_attach(struct Qdisc *sch) +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c +index 4417fb25166f..fdcced6aa71d 100644 +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -765,9 +765,10 @@ static int sfq_init(struct Qdisc *sch, struct nlattr *opt) + q->ht = sfq_alloc(sizeof(q->ht[0]) * q->divisor); + q->slots = sfq_alloc(sizeof(q->slots[0]) * q->maxflows); + if (!q->ht || !q->slots) { +- sfq_destroy(sch); ++ /* Note: sfq_destroy() will be called by our caller */ + return -ENOMEM; + } ++ + for (i = 0; i < q->divisor; i++) + q->ht[i] = SFQ_EMPTY_SLOT; + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 6c880961554f..34d3d4056a11 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -239,7 +239,7 @@ static struct sctp_transport *sctp_addr_id2transport(struct sock *sk, + union sctp_addr *laddr = (union sctp_addr *)addr; + struct sctp_transport *transport; + +- if (sctp_verify_addr(sk, laddr, af->sockaddr_len)) ++ if (!af || sctp_verify_addr(sk, laddr, af->sockaddr_len)) + return NULL; + + addr_asoc = sctp_endpoint_lookup_assoc(sctp_sk(sk)->ep, +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 03da879008d7..ce6f2bff5208 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -967,7 +967,8 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct dentry *dentry; + + err = -EINVAL; +- if (sunaddr->sun_family != AF_UNIX) ++ if (addr_len < offsetofend(struct sockaddr_un, sun_family) || ++ sunaddr->sun_family != AF_UNIX) + goto out; + + if (addr_len == sizeof(short)) { +@@ -1098,6 +1099,10 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + unsigned int hash; + int err; + ++ err = -EINVAL; ++ if (alen < offsetofend(struct sockaddr, sa_family)) ++ goto out; ++ + if (addr->sa_family != AF_UNSPEC) { + err = unix_mkname(sunaddr, alen, &hash); + if (err < 0) +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 81203bbb2eef..e81e20cbe6dd 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -301,8 +301,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 }, + [NL80211_ATTR_PID] = { .type = NLA_U32 }, + [NL80211_ATTR_4ADDR] = { .type = NLA_U8 }, +- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY, +- .len = WLAN_PMKID_LEN }, ++ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN }, + [NL80211_ATTR_DURATION] = { .type = NLA_U32 }, + [NL80211_ATTR_COOKIE] = { .type = NLA_U64 }, + [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED }, +@@ -358,6 +357,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, + [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, + [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, ++ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, + [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, + [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, + [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 }, +@@ -5678,6 +5678,10 @@ static int validate_scan_freqs(struct nlattr *freqs) + struct nlattr *attr1, *attr2; + int n_channels = 0, tmp1, tmp2; + ++ nla_for_each_nested(attr1, freqs, tmp1) ++ if (nla_len(attr1) != sizeof(u32)) ++ return 0; ++ + nla_for_each_nested(attr1, freqs, tmp1) { + n_channels++; + /* +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 4cd2076ff84b..155070f500aa 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1757,43 +1757,6 @@ free_dst: + goto out; + } + +-#ifdef CONFIG_XFRM_SUB_POLICY +-static int xfrm_dst_alloc_copy(void **target, const void *src, int size) +-{ +- if (!*target) { +- *target = kmalloc(size, GFP_ATOMIC); +- if (!*target) +- return -ENOMEM; +- } +- +- memcpy(*target, src, size); +- return 0; +-} +-#endif +- +-static int xfrm_dst_update_parent(struct dst_entry *dst, +- const struct xfrm_selector *sel) +-{ +-#ifdef CONFIG_XFRM_SUB_POLICY +- struct xfrm_dst *xdst = (struct xfrm_dst *)dst; +- return xfrm_dst_alloc_copy((void **)&(xdst->partner), +- sel, sizeof(*sel)); +-#else +- return 0; +-#endif +-} +- +-static int xfrm_dst_update_origin(struct dst_entry *dst, +- const struct flowi *fl) +-{ +-#ifdef CONFIG_XFRM_SUB_POLICY +- struct xfrm_dst *xdst = (struct xfrm_dst *)dst; +- return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl)); +-#else +- return 0; +-#endif +-} +- + static int xfrm_expand_policies(const struct flowi *fl, u16 family, + struct xfrm_policy **pols, + int *num_pols, int *num_xfrms) +@@ -1865,16 +1828,6 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, + + xdst = (struct xfrm_dst *)dst; + xdst->num_xfrms = err; +- if (num_pols > 1) +- err = xfrm_dst_update_parent(dst, &pols[1]->selector); +- else +- err = xfrm_dst_update_origin(dst, fl); +- if (unlikely(err)) { +- dst_free(dst); +- XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR); +- return ERR_PTR(err); +- } +- + xdst->num_pols = num_pols; + memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols); + xdst->policy_genid = atomic_read(&pols[0]->genid); +diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl +index c5ec977b9c37..928c1cf8606b 100755 +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -3085,7 +3085,7 @@ sub process { + $fixedline =~ s/\s*=\s*$/ = {/; + fix_insert_line($fixlinenr, $fixedline); + $fixedline = $line; +- $fixedline =~ s/^(.\s*){\s*/$1/; ++ $fixedline =~ s/^(.\s*)\{\s*/$1/; + fix_insert_line($fixlinenr, $fixedline); + } + } +@@ -3435,7 +3435,7 @@ sub process { + my $fixedline = rtrim($prevrawline) . " {"; + fix_insert_line($fixlinenr, $fixedline); + $fixedline = $rawline; +- $fixedline =~ s/^(.\s*){\s*/$1\t/; ++ $fixedline =~ s/^(.\s*)\{\s*/$1\t/; + if ($fixedline !~ /^\+\s*$/) { + fix_insert_line($fixlinenr, $fixedline); + } +@@ -3924,7 +3924,7 @@ sub process { + if (ERROR("SPACING", + "space required before the open brace '{'\n" . $herecurr) && + $fix) { +- $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\))){/$1 {/; ++ $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\)))\{/$1 {/; + } + } + +diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c +index 0a374a2ce030..8e1c0099bb66 100644 +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -428,7 +428,7 @@ static int init_blkcipher_desc(struct blkcipher_desc *desc, const u8 *key, + static struct key *request_master_key(struct encrypted_key_payload *epayload, + u8 **master_key, size_t *master_keylen) + { +- struct key *mkey = NULL; ++ struct key *mkey = ERR_PTR(-EINVAL); + + if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX, + KEY_TRUSTED_PREFIX_LEN)) { +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 0fda7b4901dd..e998aaf14338 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -3188,6 +3188,7 @@ static int check_dyn_adc_switch(struct hda_codec *codec) + spec->input_paths[i][nums]); + spec->input_paths[i][nums] = + spec->input_paths[i][n]; ++ spec->input_paths[i][n] = 0; + } + } + nums++; +diff --git a/tools/lib/lockdep/uinclude/linux/lockdep.h b/tools/lib/lockdep/uinclude/linux/lockdep.h +index c1552c28507e..908a9c6fecf0 100644 +--- a/tools/lib/lockdep/uinclude/linux/lockdep.h ++++ b/tools/lib/lockdep/uinclude/linux/lockdep.h +@@ -8,7 +8,7 @@ + #include <linux/utsname.h> + + +-#define MAX_LOCK_DEPTH 2000UL ++#define MAX_LOCK_DEPTH 255UL + + #define asmlinkage + #define __visible +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 58f10b8e6ff2..7ee9c19e8466 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -1061,21 +1061,19 @@ static int is_directory(const char *base_path, const struct dirent *dent) + return S_ISDIR(st.st_mode); + } + +-#define for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next)\ +- while (!readdir_r(scripts_dir, &lang_dirent, &lang_next) && \ +- lang_next) \ +- if ((lang_dirent.d_type == DT_DIR || \ +- (lang_dirent.d_type == DT_UNKNOWN && \ +- is_directory(scripts_path, &lang_dirent))) && \ +- (strcmp(lang_dirent.d_name, ".")) && \ +- (strcmp(lang_dirent.d_name, ".."))) +- +-#define for_each_script(lang_path, lang_dir, script_dirent, script_next)\ +- while (!readdir_r(lang_dir, &script_dirent, &script_next) && \ +- script_next) \ +- if (script_dirent.d_type != DT_DIR && \ +- (script_dirent.d_type != DT_UNKNOWN || \ +- !is_directory(lang_path, &script_dirent))) ++#define for_each_lang(scripts_path, scripts_dir, lang_dirent) \ ++ while ((lang_dirent = readdir(scripts_dir)) != NULL) \ ++ if ((lang_dirent->d_type == DT_DIR || \ ++ (lang_dirent->d_type == DT_UNKNOWN && \ ++ is_directory(scripts_path, lang_dirent))) && \ ++ (strcmp(lang_dirent->d_name, ".")) && \ ++ (strcmp(lang_dirent->d_name, ".."))) ++ ++#define for_each_script(lang_path, lang_dir, script_dirent) \ ++ while ((script_dirent = readdir(lang_dir)) != NULL) \ ++ if (script_dirent->d_type != DT_DIR && \ ++ (script_dirent->d_type != DT_UNKNOWN || \ ++ !is_directory(lang_path, script_dirent))) + + + #define RECORD_SUFFIX "-record" +@@ -1221,7 +1219,7 @@ static int list_available_scripts(const struct option *opt __maybe_unused, + const char *s __maybe_unused, + int unset __maybe_unused) + { +- struct dirent *script_next, *lang_next, script_dirent, lang_dirent; ++ struct dirent *script_dirent, *lang_dirent; + char scripts_path[MAXPATHLEN]; + DIR *scripts_dir, *lang_dir; + char script_path[MAXPATHLEN]; +@@ -1236,19 +1234,19 @@ static int list_available_scripts(const struct option *opt __maybe_unused, + if (!scripts_dir) + return -1; + +- for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next) { ++ for_each_lang(scripts_path, scripts_dir, lang_dirent) { + snprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path, +- lang_dirent.d_name); ++ lang_dirent->d_name); + lang_dir = opendir(lang_path); + if (!lang_dir) + continue; + +- for_each_script(lang_path, lang_dir, script_dirent, script_next) { +- script_root = get_script_root(&script_dirent, REPORT_SUFFIX); ++ for_each_script(lang_path, lang_dir, script_dirent) { ++ script_root = get_script_root(script_dirent, REPORT_SUFFIX); + if (script_root) { + desc = script_desc__findnew(script_root); + snprintf(script_path, MAXPATHLEN, "%s/%s", +- lang_path, script_dirent.d_name); ++ lang_path, script_dirent->d_name); + read_script_info(desc, script_path); + free(script_root); + } +@@ -1336,7 +1334,7 @@ static int check_ev_match(char *dir_name, char *scriptname, + */ + int find_scripts(char **scripts_array, char **scripts_path_array) + { +- struct dirent *script_next, *lang_next, script_dirent, lang_dirent; ++ struct dirent *script_dirent, *lang_dirent; + char scripts_path[MAXPATHLEN], lang_path[MAXPATHLEN]; + DIR *scripts_dir, *lang_dir; + struct perf_session *session; +@@ -1359,9 +1357,9 @@ int find_scripts(char **scripts_array, char **scripts_path_array) + return -1; + } + +- for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next) { ++ for_each_lang(scripts_path, scripts_dir, lang_dirent) { + snprintf(lang_path, MAXPATHLEN, "%s/%s", scripts_path, +- lang_dirent.d_name); ++ lang_dirent->d_name); + #ifdef NO_LIBPERL + if (strstr(lang_path, "perl")) + continue; +@@ -1375,16 +1373,16 @@ int find_scripts(char **scripts_array, char **scripts_path_array) + if (!lang_dir) + continue; + +- for_each_script(lang_path, lang_dir, script_dirent, script_next) { ++ for_each_script(lang_path, lang_dir, script_dirent) { + /* Skip those real time scripts: xxxtop.p[yl] */ +- if (strstr(script_dirent.d_name, "top.")) ++ if (strstr(script_dirent->d_name, "top.")) + continue; + sprintf(scripts_path_array[i], "%s/%s", lang_path, +- script_dirent.d_name); +- temp = strchr(script_dirent.d_name, '.'); ++ script_dirent->d_name); ++ temp = strchr(script_dirent->d_name, '.'); + snprintf(scripts_array[i], +- (temp - script_dirent.d_name) + 1, +- "%s", script_dirent.d_name); ++ (temp - script_dirent->d_name) + 1, ++ "%s", script_dirent->d_name); + + if (check_ev_match(lang_path, + scripts_array[i], session)) +@@ -1402,7 +1400,7 @@ int find_scripts(char **scripts_array, char **scripts_path_array) + + static char *get_script_path(const char *script_root, const char *suffix) + { +- struct dirent *script_next, *lang_next, script_dirent, lang_dirent; ++ struct dirent *script_dirent, *lang_dirent; + char scripts_path[MAXPATHLEN]; + char script_path[MAXPATHLEN]; + DIR *scripts_dir, *lang_dir; +@@ -1415,21 +1413,21 @@ static char *get_script_path(const char *script_root, const char *suffix) + if (!scripts_dir) + return NULL; + +- for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next) { ++ for_each_lang(scripts_path, scripts_dir, lang_dirent) { + snprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path, +- lang_dirent.d_name); ++ lang_dirent->d_name); + lang_dir = opendir(lang_path); + if (!lang_dir) + continue; + +- for_each_script(lang_path, lang_dir, script_dirent, script_next) { +- __script_root = get_script_root(&script_dirent, suffix); ++ for_each_script(lang_path, lang_dir, script_dirent) { ++ __script_root = get_script_root(script_dirent, suffix); + if (__script_root && !strcmp(script_root, __script_root)) { + free(__script_root); + closedir(lang_dir); + closedir(scripts_dir); + snprintf(script_path, MAXPATHLEN, "%s/%s", +- lang_path, script_dirent.d_name); ++ lang_path, script_dirent->d_name); + return strdup(script_path); + } + free(__script_root); +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 6a4d5d41c671..65e138019b99 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -627,7 +627,7 @@ repeat: + case -1: + if (errno == EINTR) + continue; +- /* Fall trhu */ ++ __fallthrough; + default: + c = getc(stdin); + tcsetattr(0, TCSAFLUSH, &save); +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index e122970361f2..09b9b74e4c1b 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1404,6 +1404,7 @@ static int trace__process_event(struct trace *trace, struct machine *machine, + color_fprintf(trace->output, PERF_COLOR_RED, + "LOST %" PRIu64 " events!\n", event->lost.lost); + ret = machine__process_lost_event(machine, event, sample); ++ break; + default: + ret = machine__process_event(machine, event, sample); + break; +diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c +index 3de744961739..024583871237 100644 +--- a/tools/perf/tests/parse-events.c ++++ b/tools/perf/tests/parse-events.c +@@ -1677,15 +1677,14 @@ static int test_pmu_events(void) + } + + while (!ret && (ent = readdir(dir))) { +-#define MAX_NAME 100 + struct evlist_test e; +- char name[MAX_NAME]; ++ char name[2 * NAME_MAX + 1 + 12 + 3]; + + if (!strcmp(ent->d_name, ".") || + !strcmp(ent->d_name, "..")) + continue; + +- snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name); ++ snprintf(name, sizeof(name), "cpu/event=%s/u", ent->d_name); + + e.name = name; + e.check = test__checkevent_pmu_events; +@@ -1693,11 +1692,10 @@ static int test_pmu_events(void) + ret = test_event(&e); + if (ret) + break; +- snprintf(name, MAX_NAME, "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name); ++ snprintf(name, sizeof(name), "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name); + e.name = name; + e.check = test__checkevent_pmu_events_mix; + ret = test_event(&e); +-#undef MAX_NAME + } + + closedir(dir); +diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c +index e5250eb2dd57..96b5638c3342 100644 +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -716,11 +716,11 @@ static int annotate_browser__run(struct annotate_browser *browser, + nd = browser->curr_hot; + break; + case K_UNTAB: +- if (nd != NULL) ++ if (nd != NULL) { + nd = rb_next(nd); + if (nd == NULL) + nd = rb_first(&browser->entries); +- else ++ } else + nd = browser->curr_hot; + break; + case K_F1: +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c +index d18a59ab4ed5..12ad79717d94 100644 +--- a/tools/perf/util/event.c ++++ b/tools/perf/util/event.c +@@ -385,7 +385,7 @@ static int __event__synthesize_thread(union perf_event *comm_event, + { + char filename[PATH_MAX]; + DIR *tasks; +- struct dirent dirent, *next; ++ struct dirent *dirent; + pid_t tgid, ppid; + int rc = 0; + +@@ -413,11 +413,11 @@ static int __event__synthesize_thread(union perf_event *comm_event, + return 0; + } + +- while (!readdir_r(tasks, &dirent, &next) && next) { ++ while ((dirent = readdir(tasks)) != NULL) { + char *end; + pid_t _pid; + +- _pid = strtol(dirent.d_name, &end, 10); ++ _pid = strtol(dirent->d_name, &end, 10); + if (*end) + continue; + +@@ -523,7 +523,7 @@ int perf_event__synthesize_threads(struct perf_tool *tool, + { + DIR *proc; + char proc_path[PATH_MAX]; +- struct dirent dirent, *next; ++ struct dirent *dirent; + union perf_event *comm_event, *mmap_event, *fork_event; + int err = -1; + +@@ -548,9 +548,9 @@ int perf_event__synthesize_threads(struct perf_tool *tool, + if (proc == NULL) + goto out_free_fork; + +- while (!readdir_r(proc, &dirent, &next) && next) { ++ while ((dirent = readdir(proc)) != NULL) { + char *end; +- pid_t pid = strtol(dirent.d_name, &end, 10); ++ pid_t pid = strtol(dirent->d_name, &end, 10); + + if (*end) /* only interested in proper numerical dirents */ + continue; +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c +index 8b02a4355659..3297d7e85dd7 100644 +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -148,7 +148,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n + if (fd == -1) + return -1; + +- sret = read(fd, alias->unit, UNIT_MAX_LEN); ++ sret = read(fd, alias->unit, UNIT_MAX_LEN); + if (sret < 0) + goto error; + +diff --git a/tools/perf/util/scripting-engines/Build b/tools/perf/util/scripting-engines/Build +index 6516e220c247..82d28c67e0f3 100644 +--- a/tools/perf/util/scripting-engines/Build ++++ b/tools/perf/util/scripting-engines/Build +@@ -1,6 +1,6 @@ + libperf-$(CONFIG_LIBPERL) += trace-event-perl.o + libperf-$(CONFIG_LIBPYTHON) += trace-event-python.o + +-CFLAGS_trace-event-perl.o += $(PERL_EMBED_CCOPTS) -Wno-redundant-decls -Wno-strict-prototypes -Wno-unused-parameter -Wno-shadow -Wno-undef -Wno-switch-default ++CFLAGS_trace-event-perl.o += $(PERL_EMBED_CCOPTS) -Wno-redundant-decls -Wno-strict-prototypes -Wno-unused-parameter -Wno-shadow -Wno-nested-externs -Wno-undef -Wno-switch-default + + CFLAGS_trace-event-python.o += $(PYTHON_EMBED_CCOPTS) -Wno-redundant-decls -Wno-strict-prototypes -Wno-unused-parameter -Wno-shadow +diff --git a/tools/perf/util/string.c b/tools/perf/util/string.c +index 6afd6106ceb5..3b2d7fdde6a6 100644 +--- a/tools/perf/util/string.c ++++ b/tools/perf/util/string.c +@@ -21,6 +21,8 @@ s64 perf_atoll(const char *str) + case 'b': case 'B': + if (*p) + goto out_err; ++ ++ __fallthrough; + case '\0': + return length; + default: +diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c +index 1c8fbc9588c5..c0b7e17e3167 100644 +--- a/tools/perf/util/thread.c ++++ b/tools/perf/util/thread.c +@@ -217,7 +217,7 @@ void thread__find_cpumode_addr_location(struct thread *thread, + struct addr_location *al) + { + size_t i; +- const u8 const cpumodes[] = { ++ const u8 cpumodes[] = { + PERF_RECORD_MISC_USER, + PERF_RECORD_MISC_KERNEL, + PERF_RECORD_MISC_GUEST_USER, +diff --git a/tools/perf/util/thread_map.c b/tools/perf/util/thread_map.c +index f93b9734735b..905a55401842 100644 +--- a/tools/perf/util/thread_map.c ++++ b/tools/perf/util/thread_map.c +@@ -63,7 +63,7 @@ struct thread_map *thread_map__new_by_uid(uid_t uid) + { + DIR *proc; + int max_threads = 32, items, i; +- char path[256]; ++ char path[NAME_MAX + 1 + 6]; + struct dirent dirent, *next, **namelist = NULL; + struct thread_map *threads = malloc(sizeof(*threads) + + max_threads * sizeof(pid_t)); |