commit: c13c64f2c17f2f38c7d2c4bf9bdc16390f9b6795 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Fri Aug 11 17:44:50 2017 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Fri Aug 11 17:44:50 2017 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=c13c64f2
Linux patch 4.4.81 0000_README | 4 + 1080_linux-4.4.81.patch | 2112 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2116 insertions(+) diff --git a/0000_README b/0000_README index 82594ae..c396c3a 100644 --- a/0000_README +++ b/0000_README @@ -363,6 +363,10 @@ Patch: 1079_linux-4.4.80.patch From: http://www.kernel.org Desc: Linux 4.4.80 +Patch: 1080_linux-4.4.81.patch +From: http://www.kernel.org +Desc: Linux 4.4.81 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1080_linux-4.4.81.patch b/1080_linux-4.4.81.patch new file mode 100644 index 0000000..952c856 --- /dev/null +++ b/1080_linux-4.4.81.patch @@ -0,0 +1,2112 @@ +diff --git a/Makefile b/Makefile +index dddd55adde24..d049e53a6960 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 80 ++SUBLEVEL = 81 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/boot/dts/armada-388-gp.dts b/arch/arm/boot/dts/armada-388-gp.dts +index cd316021d6ce..6c1b45c1af66 100644 +--- a/arch/arm/boot/dts/armada-388-gp.dts ++++ b/arch/arm/boot/dts/armada-388-gp.dts +@@ -89,7 +89,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pca0_pins>; + interrupt-parent = <&gpio0>; +- interrupts = <18 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <18 IRQ_TYPE_LEVEL_LOW>; + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +@@ -101,7 +101,7 @@ + compatible = "nxp,pca9555"; + pinctrl-names = "default"; + interrupt-parent = <&gpio0>; +- interrupts = <18 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <18 IRQ_TYPE_LEVEL_LOW>; + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +diff --git a/arch/arm/include/asm/ftrace.h b/arch/arm/include/asm/ftrace.h +index bfe2a2f5a644..22b73112b75f 100644 +--- a/arch/arm/include/asm/ftrace.h ++++ b/arch/arm/include/asm/ftrace.h +@@ -54,6 +54,24 @@ static inline void *return_address(unsigned int level) + + #define ftrace_return_address(n) return_address(n) + ++#define ARCH_HAS_SYSCALL_MATCH_SYM_NAME ++ ++static inline bool arch_syscall_match_sym_name(const char *sym, ++ const char *name) ++{ ++ if (!strcmp(sym, "sys_mmap2")) ++ sym = "sys_mmap_pgoff"; ++ else if (!strcmp(sym, "sys_statfs64_wrapper")) ++ sym = "sys_statfs64"; ++ else if (!strcmp(sym, "sys_fstatfs64_wrapper")) ++ sym = "sys_fstatfs64"; ++ else if (!strcmp(sym, "sys_arm_fadvise64_64")) ++ sym = "sys_fadvise64_64"; ++ ++ /* Ignore case since sym may start with "SyS" instead of "sys" */ ++ return !strcasecmp(sym, name); ++} ++ + #endif /* ifndef __ASSEMBLY__ */ + + #endif /* _ASM_ARM_FTRACE */ +diff --git a/arch/sparc/include/asm/trap_block.h b/arch/sparc/include/asm/trap_block.h +index ec9c04de3664..ff05992dae7a 100644 +--- a/arch/sparc/include/asm/trap_block.h ++++ b/arch/sparc/include/asm/trap_block.h +@@ -54,6 +54,7 @@ extern struct trap_per_cpu trap_block[NR_CPUS]; + void init_cur_cpu_trap(struct thread_info *); + void setup_tba(void); + extern int ncpus_probed; ++extern u64 cpu_mondo_counter[NR_CPUS]; + + unsigned long real_hard_smp_processor_id(void); + +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index 95a9fa0d2195..4511caa3b7e9 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -617,22 +617,48 @@ retry: + } + } + +-/* Multi-cpu list version. */ ++#define CPU_MONDO_COUNTER(cpuid) (cpu_mondo_counter[cpuid]) ++#define MONDO_USEC_WAIT_MIN 2 ++#define MONDO_USEC_WAIT_MAX 100 ++#define MONDO_RETRY_LIMIT 500000 ++ ++/* Multi-cpu list version. ++ * ++ * Deliver xcalls to 'cnt' number of cpus in 'cpu_list'. ++ * Sometimes not all cpus receive the mondo, requiring us to re-send ++ * the mondo until all cpus have received, or cpus are truly stuck ++ * unable to receive mondo, and we timeout. ++ * Occasionally a target cpu strand is borrowed briefly by hypervisor to ++ * perform guest service, such as PCIe error handling. Consider the ++ * service time, 1 second overall wait is reasonable for 1 cpu. ++ * Here two in-between mondo check wait time are defined: 2 usec for ++ * single cpu quick turn around and up to 100usec for large cpu count. ++ * Deliver mondo to large number of cpus could take longer, we adjusts ++ * the retry count as long as target cpus are making forward progress. ++ */ + static void hypervisor_xcall_deliver(struct trap_per_cpu *tb, int cnt) + { +- int retries, this_cpu, prev_sent, i, saw_cpu_error; ++ int this_cpu, tot_cpus, prev_sent, i, rem; ++ int usec_wait, retries, tot_retries; ++ u16 first_cpu = 0xffff; ++ unsigned long xc_rcvd = 0; + unsigned long status; ++ int ecpuerror_id = 0; ++ int enocpu_id = 0; + u16 *cpu_list; ++ u16 cpu; + + this_cpu = smp_processor_id(); +- + cpu_list = __va(tb->cpu_list_pa); +- +- saw_cpu_error = 0; +- retries = 0; ++ usec_wait = cnt * MONDO_USEC_WAIT_MIN; ++ if (usec_wait > MONDO_USEC_WAIT_MAX) ++ usec_wait = MONDO_USEC_WAIT_MAX; ++ retries = tot_retries = 0; ++ tot_cpus = cnt; + prev_sent = 0; ++ + do { +- int forward_progress, n_sent; ++ int n_sent, mondo_delivered, target_cpu_busy; + + status = sun4v_cpu_mondo_send(cnt, + tb->cpu_list_pa, +@@ -640,94 +666,113 @@ static void hypervisor_xcall_deliver(struct trap_per_cpu *tb, int cnt) + + /* HV_EOK means all cpus received the xcall, we're done. */ + if (likely(status == HV_EOK)) +- break; ++ goto xcall_done; ++ ++ /* If not these non-fatal errors, panic */ ++ if (unlikely((status != HV_EWOULDBLOCK) && ++ (status != HV_ECPUERROR) && ++ (status != HV_ENOCPU))) ++ goto fatal_errors; + + /* First, see if we made any forward progress. ++ * ++ * Go through the cpu_list, count the target cpus that have ++ * received our mondo (n_sent), and those that did not (rem). ++ * Re-pack cpu_list with the cpus remain to be retried in the ++ * front - this simplifies tracking the truly stalled cpus. + * + * The hypervisor indicates successful sends by setting + * cpu list entries to the value 0xffff. ++ * ++ * EWOULDBLOCK means some target cpus did not receive the ++ * mondo and retry usually helps. ++ * ++ * ECPUERROR means at least one target cpu is in error state, ++ * it's usually safe to skip the faulty cpu and retry. ++ * ++ * ENOCPU means one of the target cpu doesn't belong to the ++ * domain, perhaps offlined which is unexpected, but not ++ * fatal and it's okay to skip the offlined cpu. + */ ++ rem = 0; + n_sent = 0; + for (i = 0; i < cnt; i++) { +- if (likely(cpu_list[i] == 0xffff)) ++ cpu = cpu_list[i]; ++ if (likely(cpu == 0xffff)) { + n_sent++; ++ } else if ((status == HV_ECPUERROR) && ++ (sun4v_cpu_state(cpu) == HV_CPU_STATE_ERROR)) { ++ ecpuerror_id = cpu + 1; ++ } else if (status == HV_ENOCPU && !cpu_online(cpu)) { ++ enocpu_id = cpu + 1; ++ } else { ++ cpu_list[rem++] = cpu; ++ } + } + +- forward_progress = 0; +- if (n_sent > prev_sent) +- forward_progress = 1; ++ /* No cpu remained, we're done. */ ++ if (rem == 0) ++ break; + +- prev_sent = n_sent; ++ /* Otherwise, update the cpu count for retry. */ ++ cnt = rem; + +- /* If we get a HV_ECPUERROR, then one or more of the cpus +- * in the list are in error state. Use the cpu_state() +- * hypervisor call to find out which cpus are in error state. ++ /* Record the overall number of mondos received by the ++ * first of the remaining cpus. + */ +- if (unlikely(status == HV_ECPUERROR)) { +- for (i = 0; i < cnt; i++) { +- long err; +- u16 cpu; ++ if (first_cpu != cpu_list[0]) { ++ first_cpu = cpu_list[0]; ++ xc_rcvd = CPU_MONDO_COUNTER(first_cpu); ++ } + +- cpu = cpu_list[i]; +- if (cpu == 0xffff) +- continue; ++ /* Was any mondo delivered successfully? */ ++ mondo_delivered = (n_sent > prev_sent); ++ prev_sent = n_sent; + +- err = sun4v_cpu_state(cpu); +- if (err == HV_CPU_STATE_ERROR) { +- saw_cpu_error = (cpu + 1); +- cpu_list[i] = 0xffff; +- } +- } +- } else if (unlikely(status != HV_EWOULDBLOCK)) +- goto fatal_mondo_error; ++ /* or, was any target cpu busy processing other mondos? */ ++ target_cpu_busy = (xc_rcvd < CPU_MONDO_COUNTER(first_cpu)); ++ xc_rcvd = CPU_MONDO_COUNTER(first_cpu); + +- /* Don't bother rewriting the CPU list, just leave the +- * 0xffff and non-0xffff entries in there and the +- * hypervisor will do the right thing. +- * +- * Only advance timeout state if we didn't make any +- * forward progress. ++ /* Retry count is for no progress. If we're making progress, ++ * reset the retry count. + */ +- if (unlikely(!forward_progress)) { +- if (unlikely(++retries > 10000)) +- goto fatal_mondo_timeout; +- +- /* Delay a little bit to let other cpus catch up +- * on their cpu mondo queue work. +- */ +- udelay(2 * cnt); ++ if (likely(mondo_delivered || target_cpu_busy)) { ++ tot_retries += retries; ++ retries = 0; ++ } else if (unlikely(retries > MONDO_RETRY_LIMIT)) { ++ goto fatal_mondo_timeout; + } +- } while (1); + +- if (unlikely(saw_cpu_error)) +- goto fatal_mondo_cpu_error; ++ /* Delay a little bit to let other cpus catch up on ++ * their cpu mondo queue work. ++ */ ++ if (!mondo_delivered) ++ udelay(usec_wait); + +- return; ++ retries++; ++ } while (1); + +-fatal_mondo_cpu_error: +- printk(KERN_CRIT "CPU[%d]: SUN4V mondo cpu error, some target cpus " +- "(including %d) were in error state\n", +- this_cpu, saw_cpu_error - 1); ++xcall_done: ++ if (unlikely(ecpuerror_id > 0)) { ++ pr_crit("CPU[%d]: SUN4V mondo cpu error, target cpu(%d) was in error state\n", ++ this_cpu, ecpuerror_id - 1); ++ } else if (unlikely(enocpu_id > 0)) { ++ pr_crit("CPU[%d]: SUN4V mondo cpu error, target cpu(%d) does not belong to the domain\n", ++ this_cpu, enocpu_id - 1); ++ } + return; + ++fatal_errors: ++ /* fatal errors include bad alignment, etc */ ++ pr_crit("CPU[%d]: Args were cnt(%d) cpulist_pa(%lx) mondo_block_pa(%lx)\n", ++ this_cpu, tot_cpus, tb->cpu_list_pa, tb->cpu_mondo_block_pa); ++ panic("Unexpected SUN4V mondo error %lu\n", status); ++ + fatal_mondo_timeout: +- printk(KERN_CRIT "CPU[%d]: SUN4V mondo timeout, no forward " +- " progress after %d retries.\n", +- this_cpu, retries); +- goto dump_cpu_list_and_out; +- +-fatal_mondo_error: +- printk(KERN_CRIT "CPU[%d]: Unexpected SUN4V mondo error %lu\n", +- this_cpu, status); +- printk(KERN_CRIT "CPU[%d]: Args were cnt(%d) cpulist_pa(%lx) " +- "mondo_block_pa(%lx)\n", +- this_cpu, cnt, tb->cpu_list_pa, tb->cpu_mondo_block_pa); +- +-dump_cpu_list_and_out: +- printk(KERN_CRIT "CPU[%d]: CPU list [ ", this_cpu); +- for (i = 0; i < cnt; i++) +- printk("%u ", cpu_list[i]); +- printk("]\n"); ++ /* some cpus being non-responsive to the cpu mondo */ ++ pr_crit("CPU[%d]: SUN4V mondo timeout, cpu(%d) made no forward progress after %d retries. Total target cpus(%d).\n", ++ this_cpu, first_cpu, (tot_retries + retries), tot_cpus); ++ panic("SUN4V mondo timeout panic\n"); + } + + static void (*xcall_deliver_impl)(struct trap_per_cpu *, int); +diff --git a/arch/sparc/kernel/sun4v_ivec.S b/arch/sparc/kernel/sun4v_ivec.S +index 559bc5e9c199..34631995859a 100644 +--- a/arch/sparc/kernel/sun4v_ivec.S ++++ b/arch/sparc/kernel/sun4v_ivec.S +@@ -26,6 +26,21 @@ sun4v_cpu_mondo: + ldxa [%g0] ASI_SCRATCHPAD, %g4 + sub %g4, TRAP_PER_CPU_FAULT_INFO, %g4 + ++ /* Get smp_processor_id() into %g3 */ ++ sethi %hi(trap_block), %g5 ++ or %g5, %lo(trap_block), %g5 ++ sub %g4, %g5, %g3 ++ srlx %g3, TRAP_BLOCK_SZ_SHIFT, %g3 ++ ++ /* Increment cpu_mondo_counter[smp_processor_id()] */ ++ sethi %hi(cpu_mondo_counter), %g5 ++ or %g5, %lo(cpu_mondo_counter), %g5 ++ sllx %g3, 3, %g3 ++ add %g5, %g3, %g5 ++ ldx [%g5], %g3 ++ add %g3, 1, %g3 ++ stx %g3, [%g5] ++ + /* Get CPU mondo queue base phys address into %g7. */ + ldx [%g4 + TRAP_PER_CPU_CPU_MONDO_PA], %g7 + +diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c +index cc97a43268ee..d883c5951e8b 100644 +--- a/arch/sparc/kernel/traps_64.c ++++ b/arch/sparc/kernel/traps_64.c +@@ -2659,6 +2659,7 @@ void do_getpsr(struct pt_regs *regs) + } + } + ++u64 cpu_mondo_counter[NR_CPUS] = {0}; + struct trap_per_cpu trap_block[NR_CPUS]; + EXPORT_SYMBOL(trap_block); + +diff --git a/arch/x86/boot/string.c b/arch/x86/boot/string.c +index 318b8465d302..06ceddb3a22e 100644 +--- a/arch/x86/boot/string.c ++++ b/arch/x86/boot/string.c +@@ -14,6 +14,7 @@ + + #include <linux/types.h> + #include "ctype.h" ++#include "string.h" + + int memcmp(const void *s1, const void *s2, size_t len) + { +diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h +index 725e820602b1..113588ddb43f 100644 +--- a/arch/x86/boot/string.h ++++ b/arch/x86/boot/string.h +@@ -18,4 +18,13 @@ int memcmp(const void *s1, const void *s2, size_t len); + #define memset(d,c,l) __builtin_memset(d,c,l) + #define memcmp __builtin_memcmp + ++extern int strcmp(const char *str1, const char *str2); ++extern int strncmp(const char *cs, const char *ct, size_t count); ++extern size_t strlen(const char *s); ++extern char *strstr(const char *s1, const char *s2); ++extern size_t strnlen(const char *s, size_t maxlen); ++extern unsigned int atou(const char *s); ++extern unsigned long long simple_strtoull(const char *cp, char **endp, ++ unsigned int base); ++ + #endif /* BOOT_STRING_H */ +diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c +index cec49ecf5f31..32187f8a49b4 100644 +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -151,6 +151,8 @@ void kvm_async_pf_task_wait(u32 token) + if (hlist_unhashed(&n.link)) + break; + ++ rcu_irq_exit(); ++ + if (!n.halted) { + local_irq_enable(); + schedule(); +@@ -159,11 +161,11 @@ void kvm_async_pf_task_wait(u32 token) + /* + * We cannot reschedule. So halt. + */ +- rcu_irq_exit(); + native_safe_halt(); + local_irq_disable(); +- rcu_irq_enter(); + } ++ ++ rcu_irq_enter(); + } + if (!n.halted) + finish_wait(&n.wq, &wait); +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index e417e1a1d02c..5b2aee83d776 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2832,10 +2832,12 @@ static unsigned int atapi_xlat(struct ata_queued_cmd *qc) + static struct ata_device *ata_find_dev(struct ata_port *ap, int devno) + { + if (!sata_pmp_attached(ap)) { +- if (likely(devno < ata_link_max_devices(&ap->link))) ++ if (likely(devno >= 0 && ++ devno < ata_link_max_devices(&ap->link))) + return &ap->link.device[devno]; + } else { +- if (likely(devno < ap->nr_pmp_links)) ++ if (likely(devno >= 0 && ++ devno < ap->nr_pmp_links)) + return &ap->pmp_link[devno].device[0]; + } + +diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c +index 6ca35495a5be..1e5cd39d0cc2 100644 +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -641,11 +641,12 @@ static int virtblk_probe(struct virtio_device *vdev) + if (err) + goto out_put_disk; + +- q = vblk->disk->queue = blk_mq_init_queue(&vblk->tag_set); ++ q = blk_mq_init_queue(&vblk->tag_set); + if (IS_ERR(q)) { + err = -ENOMEM; + goto out_free_tags; + } ++ vblk->disk->queue = q; + + q->queuedata = vblk; + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_drv.c b/drivers/gpu/drm/rcar-du/rcar_du_drv.c +index bf4674aa6405..bb9cd35d7fdf 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_drv.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_drv.c +@@ -296,7 +296,7 @@ static int rcar_du_probe(struct platform_device *pdev) + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + rcdu->mmio = devm_ioremap_resource(&pdev->dev, mem); + if (IS_ERR(rcdu->mmio)) +- ret = PTR_ERR(rcdu->mmio); ++ return PTR_ERR(rcdu->mmio); + + /* DRM/KMS objects */ + ddev = drm_dev_alloc(&rcar_du_driver, &pdev->dev); +diff --git a/drivers/gpu/drm/virtio/virtgpu_fb.c b/drivers/gpu/drm/virtio/virtgpu_fb.c +index 6a81e084593b..2b59d80a09b8 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_fb.c ++++ b/drivers/gpu/drm/virtio/virtgpu_fb.c +@@ -338,7 +338,7 @@ static int virtio_gpufb_create(struct drm_fb_helper *helper, + info->fbops = &virtio_gpufb_ops; + info->pixmap.flags = FB_PIXMAP_SYSTEM; + +- info->screen_base = obj->vmap; ++ info->screen_buffer = obj->vmap; + info->screen_size = obj->gem_base.size; + drm_fb_helper_fill_fix(info, fb->pitches[0], fb->depth); + drm_fb_helper_fill_var(info, &vfbdev->helper, +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index b0edb66a291b..0b7f5a701c60 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -1581,7 +1581,7 @@ isert_rcv_completion(struct iser_rx_desc *desc, + struct isert_conn *isert_conn, + u32 xfer_len) + { +- struct ib_device *ib_dev = isert_conn->cm_id->device; ++ struct ib_device *ib_dev = isert_conn->device->ib_device; + struct iscsi_hdr *hdr; + u64 rx_dma; + int rx_buflen; +diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c +index a18fe5d47238..b4857cd7069e 100644 +--- a/drivers/media/pci/saa7164/saa7164-bus.c ++++ b/drivers/media/pci/saa7164/saa7164-bus.c +@@ -393,11 +393,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg, + msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size); + msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command); + msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector); ++ memcpy(msg, &msg_tmp, sizeof(*msg)); + + /* No need to update the read positions, because this was a peek */ + /* If the caller specifically want to peek, return */ + if (peekonly) { +- memcpy(msg, &msg_tmp, sizeof(*msg)); + goto peekout; + } + +@@ -442,21 +442,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg, + space_rem = bus->m_dwSizeGetRing - curr_grp; + + if (space_rem < sizeof(*msg)) { +- /* msg wraps around the ring */ +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem); +- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing, +- sizeof(*msg) - space_rem); + if (buf) + memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) - + space_rem, buf_size); + + } else if (space_rem == sizeof(*msg)) { +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg)); + if (buf) + memcpy_fromio(buf, bus->m_pdwGetRing, buf_size); + } else { + /* Additional data wraps around the ring */ +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg)); + if (buf) { + memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + + sizeof(*msg), space_rem - sizeof(*msg)); +@@ -469,15 +463,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg, + + } else { + /* No wrapping */ +- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg)); + if (buf) + memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg), + buf_size); + } +- /* Convert from little endian to CPU */ +- msg->size = le16_to_cpu((__force __le16)msg->size); +- msg->command = le32_to_cpu((__force __le32)msg->command); +- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector); + + /* Update the read positions, adjusting the ring */ + saa7164_writel(bus->m_dwGetReadPos, new_grp); +diff --git a/drivers/media/platform/davinci/vpfe_capture.c b/drivers/media/platform/davinci/vpfe_capture.c +index 7767e072d623..1f656a3a84b9 100644 +--- a/drivers/media/platform/davinci/vpfe_capture.c ++++ b/drivers/media/platform/davinci/vpfe_capture.c +@@ -1709,27 +1709,9 @@ static long vpfe_param_handler(struct file *file, void *priv, + + switch (cmd) { + case VPFE_CMD_S_CCDC_RAW_PARAMS: ++ ret = -EINVAL; + v4l2_warn(&vpfe_dev->v4l2_dev, +- "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); +- if (ccdc_dev->hw_ops.set_params) { +- ret = ccdc_dev->hw_ops.set_params(param); +- if (ret) { +- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, +- "Error setting parameters in CCDC\n"); +- goto unlock_out; +- } +- ret = vpfe_get_ccdc_image_format(vpfe_dev, +- &vpfe_dev->fmt); +- if (ret < 0) { +- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, +- "Invalid image format at CCDC\n"); +- goto unlock_out; +- } +- } else { +- ret = -EINVAL; +- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, +- "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); +- } ++ "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); + break; + default: + ret = -ENOTTY; +diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c +index a32659fcd266..efc21b1da211 100644 +--- a/drivers/media/rc/ir-lirc-codec.c ++++ b/drivers/media/rc/ir-lirc-codec.c +@@ -254,7 +254,7 @@ static long ir_lirc_ioctl(struct file *filep, unsigned int cmd, + return 0; + + case LIRC_GET_REC_RESOLUTION: +- val = dev->rx_resolution; ++ val = dev->rx_resolution / 1000; + break; + + case LIRC_SET_WIDEBAND_RECEIVER: +diff --git a/drivers/net/ethernet/aurora/nb8800.c b/drivers/net/ethernet/aurora/nb8800.c +index ecc4a334c507..0a54e7dac0ab 100644 +--- a/drivers/net/ethernet/aurora/nb8800.c ++++ b/drivers/net/ethernet/aurora/nb8800.c +@@ -608,7 +608,7 @@ static void nb8800_mac_config(struct net_device *dev) + mac_mode |= HALF_DUPLEX; + + if (gigabit) { +- if (priv->phy_mode == PHY_INTERFACE_MODE_RGMII) ++ if (phy_interface_is_rgmii(dev->phydev)) + mac_mode |= RGMII_MODE; + + mac_mode |= GMAC_MODE; +@@ -1295,11 +1295,10 @@ static int nb8800_tangox_init(struct net_device *dev) + break; + + case PHY_INTERFACE_MODE_RGMII: +- pad_mode = PAD_MODE_RGMII; +- break; +- ++ case PHY_INTERFACE_MODE_RGMII_ID: ++ case PHY_INTERFACE_MODE_RGMII_RXID: + case PHY_INTERFACE_MODE_RGMII_TXID: +- pad_mode = PAD_MODE_RGMII | PAD_MODE_GTX_CLK_DELAY; ++ pad_mode = PAD_MODE_RGMII; + break; + + default: +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 21e5b9ed1ead..3613469dc5c6 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -8722,11 +8722,14 @@ static void tg3_free_consistent(struct tg3 *tp) + tg3_mem_rx_release(tp); + tg3_mem_tx_release(tp); + ++ /* Protect tg3_get_stats64() from reading freed tp->hw_stats. */ ++ tg3_full_lock(tp, 0); + if (tp->hw_stats) { + dma_free_coherent(&tp->pdev->dev, sizeof(struct tg3_hw_stats), + tp->hw_stats, tp->stats_mapping); + tp->hw_stats = NULL; + } ++ tg3_full_unlock(tp); + } + + /* +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index cc199063612a..6c66d2979795 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -630,6 +630,10 @@ static void dump_command(struct mlx5_core_dev *dev, + pr_debug("\n"); + } + ++static void free_msg(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *msg); ++static void mlx5_free_cmd_msg(struct mlx5_core_dev *dev, ++ struct mlx5_cmd_msg *msg); ++ + static void cmd_work_handler(struct work_struct *work) + { + struct mlx5_cmd_work_ent *ent = container_of(work, struct mlx5_cmd_work_ent, work); +@@ -638,16 +642,27 @@ static void cmd_work_handler(struct work_struct *work) + struct mlx5_cmd_layout *lay; + struct semaphore *sem; + unsigned long flags; ++ int alloc_ret; + + sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; + down(sem); + if (!ent->page_queue) { +- ent->idx = alloc_ent(cmd); +- if (ent->idx < 0) { ++ alloc_ret = alloc_ent(cmd); ++ if (alloc_ret < 0) { ++ if (ent->callback) { ++ ent->callback(-EAGAIN, ent->context); ++ mlx5_free_cmd_msg(dev, ent->out); ++ free_msg(dev, ent->in); ++ free_cmd(ent); ++ } else { ++ ent->ret = -EAGAIN; ++ complete(&ent->done); ++ } + mlx5_core_err(dev, "failed to allocate command entry\n"); + up(sem); + return; + } ++ ent->idx = alloc_ret; + } else { + ent->idx = cmd->max_reg_cmds; + spin_lock_irqsave(&cmd->alloc_lock, flags); +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 4296066a7ad3..479af106aaeb 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -819,6 +819,7 @@ static struct sh_eth_cpu_data r8a7740_data = { + .rpadir_value = 2 << 16, + .no_trimd = 1, + .no_ade = 1, ++ .hw_crc = 1, + .tsu = 1, + .select_mii = 1, + .shift_rd0 = 1, +diff --git a/drivers/net/irda/mcs7780.c b/drivers/net/irda/mcs7780.c +index bca6a1e72d1d..e1bb802d4a4d 100644 +--- a/drivers/net/irda/mcs7780.c ++++ b/drivers/net/irda/mcs7780.c +@@ -141,9 +141,19 @@ static int mcs_set_reg(struct mcs_cb *mcs, __u16 reg, __u16 val) + static int mcs_get_reg(struct mcs_cb *mcs, __u16 reg, __u16 * val) + { + struct usb_device *dev = mcs->usbdev; +- int ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ, +- MCS_RD_RTYPE, 0, reg, val, 2, +- msecs_to_jiffies(MCS_CTRL_TIMEOUT)); ++ void *dmabuf; ++ int ret; ++ ++ dmabuf = kmalloc(sizeof(__u16), GFP_KERNEL); ++ if (!dmabuf) ++ return -ENOMEM; ++ ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ, ++ MCS_RD_RTYPE, 0, reg, dmabuf, 2, ++ msecs_to_jiffies(MCS_CTRL_TIMEOUT)); ++ ++ memcpy(val, dmabuf, sizeof(__u16)); ++ kfree(dmabuf); + + return ret; + } +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 32f10662f4ac..7242dd4b3238 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -29,6 +29,7 @@ + #define MII_DP83867_MICR 0x12 + #define MII_DP83867_ISR 0x13 + #define DP83867_CTRL 0x1f ++#define DP83867_CFG3 0x1e + + /* Extended Registers */ + #define DP83867_RGMIICTL 0x0032 +@@ -89,6 +90,8 @@ static int dp83867_config_intr(struct phy_device *phydev) + micr_status |= + (MII_DP83867_MICR_AN_ERR_INT_EN | + MII_DP83867_MICR_SPEED_CHNG_INT_EN | ++ MII_DP83867_MICR_AUTONEG_COMP_INT_EN | ++ MII_DP83867_MICR_LINK_STS_CHNG_INT_EN | + MII_DP83867_MICR_DUP_MODE_CHNG_INT_EN | + MII_DP83867_MICR_SLEEP_MODE_CHNG_INT_EN); + +@@ -184,6 +187,13 @@ static int dp83867_config_init(struct phy_device *phydev) + DP83867_DEVADDR, phydev->addr, delay); + } + ++ /* Enable Interrupt output INT_OE in CFG3 register */ ++ if (phy_interrupt_is_valid(phydev)) { ++ val = phy_read(phydev, DP83867_CFG3); ++ val |= BIT(7); ++ phy_write(phydev, DP83867_CFG3, val); ++ } ++ + return 0; + } + +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c +index 851c0e121807..49d9f0a789fe 100644 +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -541,6 +541,9 @@ void phy_stop_machine(struct phy_device *phydev) + if (phydev->state > PHY_UP && phydev->state != PHY_HALTED) + phydev->state = PHY_UP; + mutex_unlock(&phydev->lock); ++ ++ /* Now we can run the state machine synchronously */ ++ phy_state_machine(&phydev->state_queue.work); + } + + /** +@@ -918,6 +921,15 @@ void phy_state_machine(struct work_struct *work) + if (old_link != phydev->link) + phydev->state = PHY_CHANGELINK; + } ++ /* ++ * Failsafe: check that nobody set phydev->link=0 between two ++ * poll cycles, otherwise we won't leave RUNNING state as long ++ * as link remains down. ++ */ ++ if (!phydev->link && phydev->state == PHY_RUNNING) { ++ phydev->state = PHY_CHANGELINK; ++ dev_err(&phydev->dev, "no link in PHY_RUNNING\n"); ++ } + break; + case PHY_CHANGELINK: + err = phy_read_status(phydev); +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 1d1e5f7723ab..8179727d3423 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1368,6 +1368,8 @@ static int phy_remove(struct device *dev) + { + struct phy_device *phydev = to_phy_device(dev); + ++ cancel_delayed_work_sync(&phydev->state_queue); ++ + mutex_lock(&phydev->lock); + phydev->state = PHY_DOWN; + mutex_unlock(&phydev->lock); +diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h +index 0333ab0fd926..34173b5e886f 100644 +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -201,6 +201,7 @@ struct xenvif_queue { /* Per-queue data for xenvif */ + unsigned long remaining_credit; + struct timer_list credit_timeout; + u64 credit_window_start; ++ bool rate_limited; + + /* Statistics */ + struct xenvif_stats stats; +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index e7bd63eb2876..60b26f32d31d 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -105,7 +105,11 @@ static int xenvif_poll(struct napi_struct *napi, int budget) + + if (work_done < budget) { + napi_complete(napi); +- xenvif_napi_schedule_or_enable_events(queue); ++ /* If the queue is rate-limited, it shall be ++ * rescheduled in the timer callback. ++ */ ++ if (likely(!queue->rate_limited)) ++ xenvif_napi_schedule_or_enable_events(queue); + } + + return work_done; +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 1049c34e7d43..72ee1c305cc4 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -687,6 +687,7 @@ static void tx_add_credit(struct xenvif_queue *queue) + max_credit = ULONG_MAX; /* wrapped: clamp to ULONG_MAX */ + + queue->remaining_credit = min(max_credit, max_burst); ++ queue->rate_limited = false; + } + + void xenvif_tx_credit_callback(unsigned long data) +@@ -1184,8 +1185,10 @@ static bool tx_credit_exceeded(struct xenvif_queue *queue, unsigned size) + msecs_to_jiffies(queue->credit_usec / 1000); + + /* Timer could already be pending in rare cases. */ +- if (timer_pending(&queue->credit_timeout)) ++ if (timer_pending(&queue->credit_timeout)) { ++ queue->rate_limited = true; + return true; ++ } + + /* Passed the point where we can replenish credit? */ + if (time_after_eq64(now, next_credit)) { +@@ -1200,6 +1203,7 @@ static bool tx_credit_exceeded(struct xenvif_queue *queue, unsigned size) + mod_timer(&queue->credit_timeout, + next_credit); + queue->credit_window_start = next_credit; ++ queue->rate_limited = true; + + return true; + } +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 6b942d9e5b74..1ed85dfc008d 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -329,12 +329,15 @@ qla2x00_sysfs_read_optrom(struct file *filp, struct kobject *kobj, + struct qla_hw_data *ha = vha->hw; + ssize_t rval = 0; + ++ mutex_lock(&ha->optrom_mutex); ++ + if (ha->optrom_state != QLA_SREADING) +- return 0; ++ goto out; + +- mutex_lock(&ha->optrom_mutex); + rval = memory_read_from_buffer(buf, count, &off, ha->optrom_buffer, + ha->optrom_region_size); ++ ++out: + mutex_unlock(&ha->optrom_mutex); + + return rval; +@@ -349,14 +352,19 @@ qla2x00_sysfs_write_optrom(struct file *filp, struct kobject *kobj, + struct device, kobj))); + struct qla_hw_data *ha = vha->hw; + +- if (ha->optrom_state != QLA_SWRITING) ++ mutex_lock(&ha->optrom_mutex); ++ ++ if (ha->optrom_state != QLA_SWRITING) { ++ mutex_unlock(&ha->optrom_mutex); + return -EINVAL; +- if (off > ha->optrom_region_size) ++ } ++ if (off > ha->optrom_region_size) { ++ mutex_unlock(&ha->optrom_mutex); + return -ERANGE; ++ } + if (off + count > ha->optrom_region_size) + count = ha->optrom_region_size - off; + +- mutex_lock(&ha->optrom_mutex); + memcpy(&ha->optrom_buffer[off], buf, count); + mutex_unlock(&ha->optrom_mutex); + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index a180c000e246..31d5d9c0e10b 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -3965,6 +3965,8 @@ int iscsi_target_tx_thread(void *arg) + { + int ret = 0; + struct iscsi_conn *conn = arg; ++ bool conn_freed = false; ++ + /* + * Allow ourselves to be interrupted by SIGINT so that a + * connection recovery / failure event can be triggered externally. +@@ -3990,12 +3992,14 @@ get_immediate: + goto transport_err; + + ret = iscsit_handle_response_queue(conn); +- if (ret == 1) ++ if (ret == 1) { + goto get_immediate; +- else if (ret == -ECONNRESET) ++ } else if (ret == -ECONNRESET) { ++ conn_freed = true; + goto out; +- else if (ret < 0) ++ } else if (ret < 0) { + goto transport_err; ++ } + } + + transport_err: +@@ -4005,8 +4009,13 @@ transport_err: + * responsible for cleaning up the early connection failure. + */ + if (conn->conn_state != TARG_CONN_STATE_IN_LOGIN) +- iscsit_take_action_for_connection_exit(conn); ++ iscsit_take_action_for_connection_exit(conn, &conn_freed); + out: ++ if (!conn_freed) { ++ while (!kthread_should_stop()) { ++ msleep(100); ++ } ++ } + return 0; + } + +@@ -4105,6 +4114,7 @@ int iscsi_target_rx_thread(void *arg) + u32 checksum = 0, digest = 0; + struct iscsi_conn *conn = arg; + struct kvec iov; ++ bool conn_freed = false; + /* + * Allow ourselves to be interrupted by SIGINT so that a + * connection recovery / failure event can be triggered externally. +@@ -4116,7 +4126,7 @@ int iscsi_target_rx_thread(void *arg) + */ + rc = wait_for_completion_interruptible(&conn->rx_login_comp); + if (rc < 0 || iscsi_target_check_conn_state(conn)) +- return 0; ++ goto out; + + if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { + struct completion comp; +@@ -4201,7 +4211,13 @@ int iscsi_target_rx_thread(void *arg) + transport_err: + if (!signal_pending(current)) + atomic_set(&conn->transport_failed, 1); +- iscsit_take_action_for_connection_exit(conn); ++ iscsit_take_action_for_connection_exit(conn, &conn_freed); ++out: ++ if (!conn_freed) { ++ while (!kthread_should_stop()) { ++ msleep(100); ++ } ++ } + return 0; + } + +@@ -4575,8 +4591,11 @@ static void iscsit_logout_post_handler_closesession( + * always sleep waiting for RX/TX thread shutdown to complete + * within iscsit_close_connection(). + */ +- if (conn->conn_transport->transport_type == ISCSI_TCP) ++ if (conn->conn_transport->transport_type == ISCSI_TCP) { + sleep = cmpxchg(&conn->tx_thread_active, true, false); ++ if (!sleep) ++ return; ++ } + + atomic_set(&conn->conn_logout_remove, 0); + complete(&conn->conn_logout_comp); +@@ -4592,8 +4611,11 @@ static void iscsit_logout_post_handler_samecid( + { + int sleep = 1; + +- if (conn->conn_transport->transport_type == ISCSI_TCP) ++ if (conn->conn_transport->transport_type == ISCSI_TCP) { + sleep = cmpxchg(&conn->tx_thread_active, true, false); ++ if (!sleep) ++ return; ++ } + + atomic_set(&conn->conn_logout_remove, 0); + complete(&conn->conn_logout_comp); +diff --git a/drivers/target/iscsi/iscsi_target_erl0.c b/drivers/target/iscsi/iscsi_target_erl0.c +index 210f6e4830e3..6c88fb021444 100644 +--- a/drivers/target/iscsi/iscsi_target_erl0.c ++++ b/drivers/target/iscsi/iscsi_target_erl0.c +@@ -930,8 +930,10 @@ static void iscsit_handle_connection_cleanup(struct iscsi_conn *conn) + } + } + +-void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) ++void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn, bool *conn_freed) + { ++ *conn_freed = false; ++ + spin_lock_bh(&conn->state_lock); + if (atomic_read(&conn->connection_exit)) { + spin_unlock_bh(&conn->state_lock); +@@ -942,6 +944,7 @@ void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) + if (conn->conn_state == TARG_CONN_STATE_IN_LOGOUT) { + spin_unlock_bh(&conn->state_lock); + iscsit_close_connection(conn); ++ *conn_freed = true; + return; + } + +@@ -955,4 +958,5 @@ void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) + spin_unlock_bh(&conn->state_lock); + + iscsit_handle_connection_cleanup(conn); ++ *conn_freed = true; + } +diff --git a/drivers/target/iscsi/iscsi_target_erl0.h b/drivers/target/iscsi/iscsi_target_erl0.h +index a9e2f9497fb2..fbc1d84a63c3 100644 +--- a/drivers/target/iscsi/iscsi_target_erl0.h ++++ b/drivers/target/iscsi/iscsi_target_erl0.h +@@ -9,6 +9,6 @@ extern int iscsit_stop_time2retain_timer(struct iscsi_session *); + extern void iscsit_connection_reinstatement_rcfr(struct iscsi_conn *); + extern void iscsit_cause_connection_reinstatement(struct iscsi_conn *, int); + extern void iscsit_fall_back_to_erl0(struct iscsi_session *); +-extern void iscsit_take_action_for_connection_exit(struct iscsi_conn *); ++extern void iscsit_take_action_for_connection_exit(struct iscsi_conn *, bool *); + + #endif /*** ISCSI_TARGET_ERL0_H ***/ +diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c +index 4a137b0ae3dc..b19edffa7d98 100644 +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -1436,5 +1436,9 @@ int iscsi_target_login_thread(void *arg) + break; + } + ++ while (!kthread_should_stop()) { ++ msleep(100); ++ } ++ + return 0; + } +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index 549a2bbbf4df..58c629aec73c 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -489,14 +489,60 @@ static void iscsi_target_restore_sock_callbacks(struct iscsi_conn *conn) + + static int iscsi_target_do_login(struct iscsi_conn *, struct iscsi_login *); + +-static bool iscsi_target_sk_state_check(struct sock *sk) ++static bool __iscsi_target_sk_check_close(struct sock *sk) + { + if (sk->sk_state == TCP_CLOSE_WAIT || sk->sk_state == TCP_CLOSE) { +- pr_debug("iscsi_target_sk_state_check: TCP_CLOSE_WAIT|TCP_CLOSE," ++ pr_debug("__iscsi_target_sk_check_close: TCP_CLOSE_WAIT|TCP_CLOSE," + "returning FALSE\n"); +- return false; ++ return true; + } +- return true; ++ return false; ++} ++ ++static bool iscsi_target_sk_check_close(struct iscsi_conn *conn) ++{ ++ bool state = false; ++ ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ read_lock_bh(&sk->sk_callback_lock); ++ state = (__iscsi_target_sk_check_close(sk) || ++ test_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)); ++ read_unlock_bh(&sk->sk_callback_lock); ++ } ++ return state; ++} ++ ++static bool iscsi_target_sk_check_flag(struct iscsi_conn *conn, unsigned int flag) ++{ ++ bool state = false; ++ ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ read_lock_bh(&sk->sk_callback_lock); ++ state = test_bit(flag, &conn->login_flags); ++ read_unlock_bh(&sk->sk_callback_lock); ++ } ++ return state; ++} ++ ++static bool iscsi_target_sk_check_and_clear(struct iscsi_conn *conn, unsigned int flag) ++{ ++ bool state = false; ++ ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ write_lock_bh(&sk->sk_callback_lock); ++ state = (__iscsi_target_sk_check_close(sk) || ++ test_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)); ++ if (!state) ++ clear_bit(flag, &conn->login_flags); ++ write_unlock_bh(&sk->sk_callback_lock); ++ } ++ return state; + } + + static void iscsi_target_login_drop(struct iscsi_conn *conn, struct iscsi_login *login) +@@ -536,6 +582,20 @@ static void iscsi_target_do_login_rx(struct work_struct *work) + + pr_debug("entering iscsi_target_do_login_rx, conn: %p, %s:%d\n", + conn, current->comm, current->pid); ++ /* ++ * If iscsi_target_do_login_rx() has been invoked by ->sk_data_ready() ++ * before initial PDU processing in iscsi_target_start_negotiation() ++ * has completed, go ahead and retry until it's cleared. ++ * ++ * Otherwise if the TCP connection drops while this is occuring, ++ * iscsi_target_start_negotiation() will detect the failure, call ++ * cancel_delayed_work_sync(&conn->login_work), and cleanup the ++ * remaining iscsi connection resources from iscsi_np process context. ++ */ ++ if (iscsi_target_sk_check_flag(conn, LOGIN_FLAGS_INITIAL_PDU)) { ++ schedule_delayed_work(&conn->login_work, msecs_to_jiffies(10)); ++ return; ++ } + + spin_lock(&tpg->tpg_state_lock); + state = (tpg->tpg_state == TPG_STATE_ACTIVE); +@@ -543,26 +603,12 @@ static void iscsi_target_do_login_rx(struct work_struct *work) + + if (!state) { + pr_debug("iscsi_target_do_login_rx: tpg_state != TPG_STATE_ACTIVE\n"); +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); +- return; ++ goto err; + } + +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; +- +- read_lock_bh(&sk->sk_callback_lock); +- state = iscsi_target_sk_state_check(sk); +- read_unlock_bh(&sk->sk_callback_lock); +- +- if (!state) { +- pr_debug("iscsi_target_do_login_rx, TCP state CLOSE\n"); +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); +- return; +- } ++ if (iscsi_target_sk_check_close(conn)) { ++ pr_debug("iscsi_target_do_login_rx, TCP state CLOSE\n"); ++ goto err; + } + + conn->login_kworker = current; +@@ -580,34 +626,29 @@ static void iscsi_target_do_login_rx(struct work_struct *work) + flush_signals(current); + conn->login_kworker = NULL; + +- if (rc < 0) { +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); +- return; +- } ++ if (rc < 0) ++ goto err; + + pr_debug("iscsi_target_do_login_rx after rx_login_io, %p, %s:%d\n", + conn, current->comm, current->pid); + + rc = iscsi_target_do_login(conn, login); + if (rc < 0) { +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); ++ goto err; + } else if (!rc) { +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; +- +- write_lock_bh(&sk->sk_callback_lock); +- clear_bit(LOGIN_FLAGS_READ_ACTIVE, &conn->login_flags); +- write_unlock_bh(&sk->sk_callback_lock); +- } ++ if (iscsi_target_sk_check_and_clear(conn, LOGIN_FLAGS_READ_ACTIVE)) ++ goto err; + } else if (rc == 1) { + iscsi_target_nego_release(conn); + iscsi_post_login_handler(np, conn, zero_tsih); + iscsit_deaccess_np(np, tpg, tpg_np); + } ++ return; ++ ++err: ++ iscsi_target_restore_sock_callbacks(conn); ++ iscsi_target_login_drop(conn, login); ++ iscsit_deaccess_np(np, tpg, tpg_np); + } + + static void iscsi_target_do_cleanup(struct work_struct *work) +@@ -655,31 +696,54 @@ static void iscsi_target_sk_state_change(struct sock *sk) + orig_state_change(sk); + return; + } ++ state = __iscsi_target_sk_check_close(sk); ++ pr_debug("__iscsi_target_sk_close_change: state: %d\n", state); ++ + if (test_bit(LOGIN_FLAGS_READ_ACTIVE, &conn->login_flags)) { + pr_debug("Got LOGIN_FLAGS_READ_ACTIVE=1 sk_state_change" + " conn: %p\n", conn); ++ if (state) ++ set_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags); + write_unlock_bh(&sk->sk_callback_lock); + orig_state_change(sk); + return; + } +- if (test_and_set_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)) { ++ if (test_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)) { + pr_debug("Got LOGIN_FLAGS_CLOSED=1 sk_state_change conn: %p\n", + conn); + write_unlock_bh(&sk->sk_callback_lock); + orig_state_change(sk); + return; + } ++ /* ++ * If the TCP connection has dropped, go ahead and set LOGIN_FLAGS_CLOSED, ++ * but only queue conn->login_work -> iscsi_target_do_login_rx() ++ * processing if LOGIN_FLAGS_INITIAL_PDU has already been cleared. ++ * ++ * When iscsi_target_do_login_rx() runs, iscsi_target_sk_check_close() ++ * will detect the dropped TCP connection from delayed workqueue context. ++ * ++ * If LOGIN_FLAGS_INITIAL_PDU is still set, which means the initial ++ * iscsi_target_start_negotiation() is running, iscsi_target_do_login() ++ * via iscsi_target_sk_check_close() or iscsi_target_start_negotiation() ++ * via iscsi_target_sk_check_and_clear() is responsible for detecting the ++ * dropped TCP connection in iscsi_np process context, and cleaning up ++ * the remaining iscsi connection resources. ++ */ ++ if (state) { ++ pr_debug("iscsi_target_sk_state_change got failed state\n"); ++ set_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags); ++ state = test_bit(LOGIN_FLAGS_INITIAL_PDU, &conn->login_flags); ++ write_unlock_bh(&sk->sk_callback_lock); + +- state = iscsi_target_sk_state_check(sk); +- write_unlock_bh(&sk->sk_callback_lock); +- +- pr_debug("iscsi_target_sk_state_change: state: %d\n", state); ++ orig_state_change(sk); + +- if (!state) { +- pr_debug("iscsi_target_sk_state_change got failed state\n"); +- schedule_delayed_work(&conn->login_cleanup_work, 0); ++ if (!state) ++ schedule_delayed_work(&conn->login_work, 0); + return; + } ++ write_unlock_bh(&sk->sk_callback_lock); ++ + orig_state_change(sk); + } + +@@ -944,6 +1008,15 @@ static int iscsi_target_do_login(struct iscsi_conn *conn, struct iscsi_login *lo + if (iscsi_target_handle_csg_one(conn, login) < 0) + return -1; + if (login_rsp->flags & ISCSI_FLAG_LOGIN_TRANSIT) { ++ /* ++ * Check to make sure the TCP connection has not ++ * dropped asynchronously while session reinstatement ++ * was occuring in this kthread context, before ++ * transitioning to full feature phase operation. ++ */ ++ if (iscsi_target_sk_check_close(conn)) ++ return -1; ++ + login->tsih = conn->sess->tsih; + login->login_complete = 1; + iscsi_target_restore_sock_callbacks(conn); +@@ -970,21 +1043,6 @@ static int iscsi_target_do_login(struct iscsi_conn *conn, struct iscsi_login *lo + break; + } + +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; +- bool state; +- +- read_lock_bh(&sk->sk_callback_lock); +- state = iscsi_target_sk_state_check(sk); +- read_unlock_bh(&sk->sk_callback_lock); +- +- if (!state) { +- pr_debug("iscsi_target_do_login() failed state for" +- " conn: %p\n", conn); +- return -1; +- } +- } +- + return 0; + } + +@@ -1248,16 +1306,28 @@ int iscsi_target_start_negotiation( + { + int ret; + ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ write_lock_bh(&sk->sk_callback_lock); ++ set_bit(LOGIN_FLAGS_READY, &conn->login_flags); ++ set_bit(LOGIN_FLAGS_INITIAL_PDU, &conn->login_flags); ++ write_unlock_bh(&sk->sk_callback_lock); ++ } ++ /* ++ * If iscsi_target_do_login returns zero to signal more PDU ++ * exchanges are required to complete the login, go ahead and ++ * clear LOGIN_FLAGS_INITIAL_PDU but only if the TCP connection ++ * is still active. ++ * ++ * Otherwise if TCP connection dropped asynchronously, go ahead ++ * and perform connection cleanup now. ++ */ + ret = iscsi_target_do_login(conn, login); +- if (!ret) { +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; ++ if (!ret && iscsi_target_sk_check_and_clear(conn, LOGIN_FLAGS_INITIAL_PDU)) ++ ret = -1; + +- write_lock_bh(&sk->sk_callback_lock); +- set_bit(LOGIN_FLAGS_READY, &conn->login_flags); +- write_unlock_bh(&sk->sk_callback_lock); +- } +- } else if (ret < 0) { ++ if (ret < 0) { + cancel_delayed_work_sync(&conn->login_work); + cancel_delayed_work_sync(&conn->login_cleanup_work); + iscsi_target_restore_sock_callbacks(conn); +diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c +index f916d18ccb48..b070ddf1dc37 100644 +--- a/drivers/target/target_core_fabric_configfs.c ++++ b/drivers/target/target_core_fabric_configfs.c +@@ -92,6 +92,11 @@ static int target_fabric_mappedlun_link( + pr_err("Source se_lun->lun_se_dev does not exist\n"); + return -EINVAL; + } ++ if (lun->lun_shutdown) { ++ pr_err("Unable to create mappedlun symlink because" ++ " lun->lun_shutdown=true\n"); ++ return -EINVAL; ++ } + se_tpg = lun->lun_tpg; + + nacl_ci = &lun_acl_ci->ci_parent->ci_group->cg_item; +diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c +index 899c33b3c734..f69f4902dc07 100644 +--- a/drivers/target/target_core_tpg.c ++++ b/drivers/target/target_core_tpg.c +@@ -673,6 +673,8 @@ void core_tpg_remove_lun( + */ + struct se_device *dev = rcu_dereference_raw(lun->lun_se_dev); + ++ lun->lun_shutdown = true; ++ + core_clear_lun_from_tpg(lun, tpg); + /* + * Wait for any active I/O references to percpu se_lun->lun_ref to +@@ -694,6 +696,8 @@ void core_tpg_remove_lun( + } + if (!(dev->se_hba->hba_flags & HBA_FLAGS_INTERNAL_USE)) + hlist_del_rcu(&lun->link); ++ ++ lun->lun_shutdown = false; + mutex_unlock(&tpg->tpg_lun_mutex); + + percpu_ref_exit(&lun->lun_ref); +diff --git a/fs/ext4/file.c b/fs/ext4/file.c +index 8772bfc3415b..45ef9975caec 100644 +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -500,6 +500,8 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, + lastoff = page_offset(page); + bh = head = page_buffers(page); + do { ++ if (lastoff + bh->b_size <= startoff) ++ goto next; + if (buffer_uptodate(bh) || + buffer_unwritten(bh)) { + if (whence == SEEK_DATA) +@@ -514,6 +516,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, + unlock_page(page); + goto out; + } ++next: + lastoff += bh->b_size; + bh = bh->b_this_page; + } while (bh != head); +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 34038e3598d5..74516efd874c 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1926,7 +1926,8 @@ retry: + n_desc_blocks = o_desc_blocks + + le16_to_cpu(es->s_reserved_gdt_blocks); + n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb); +- n_blocks_count = n_group * EXT4_BLOCKS_PER_GROUP(sb); ++ n_blocks_count = (ext4_fsblk_t)n_group * ++ EXT4_BLOCKS_PER_GROUP(sb); + n_group--; /* set to last group number */ + } + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 86e1cb899957..4f666368aa85 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1078,6 +1078,8 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) + unsigned int total, fsmeta; + struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); ++ unsigned int main_segs, blocks_per_seg; ++ int i; + + total = le32_to_cpu(raw_super->segment_count); + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); +@@ -1089,6 +1091,20 @@ static int sanity_check_ckpt(struct f2fs_sb_info *sbi) + if (unlikely(fsmeta >= total)) + return 1; + ++ main_segs = le32_to_cpu(raw_super->segment_count_main); ++ blocks_per_seg = sbi->blocks_per_seg; ++ ++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || ++ le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) ++ return 1; ++ } ++ for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { ++ if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || ++ le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) ++ return 1; ++ } ++ + if (unlikely(f2fs_cp_error(sbi))) { + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); + return 1; +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index 2ccccbfcd532..36f4695aa604 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -503,6 +503,10 @@ struct mm_struct { + * PROT_NONE or PROT_NUMA mapped page. + */ + bool tlb_flush_pending; ++#endif ++#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH ++ /* See flush_tlb_batched_pending() */ ++ bool tlb_flush_batched; + #endif + struct uprobes_state uprobes_state; + #ifdef CONFIG_X86_INTEL_MPX +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 352213b360d7..eff7c1fad26f 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -801,6 +801,16 @@ struct signal_struct { + + #define SIGNAL_UNKILLABLE 0x00000040 /* for init: ignore fatal signals */ + ++#define SIGNAL_STOP_MASK (SIGNAL_CLD_MASK | SIGNAL_STOP_STOPPED | \ ++ SIGNAL_STOP_CONTINUED) ++ ++static inline void signal_set_stop_flags(struct signal_struct *sig, ++ unsigned int flags) ++{ ++ WARN_ON(sig->flags & (SIGNAL_GROUP_EXIT|SIGNAL_GROUP_COREDUMP)); ++ sig->flags = (sig->flags & ~SIGNAL_STOP_MASK) | flags; ++} ++ + /* If true, all threads except ->group_exit_task have pending SIGKILL */ + static inline int signal_group_exit(const struct signal_struct *sig) + { +diff --git a/include/linux/slab.h b/include/linux/slab.h +index 2037a861e367..8a2a9ffaf5de 100644 +--- a/include/linux/slab.h ++++ b/include/linux/slab.h +@@ -203,7 +203,7 @@ size_t ksize(const void *); + * (PAGE_SIZE*2). Larger requests are passed to the page allocator. + */ + #define KMALLOC_SHIFT_HIGH (PAGE_SHIFT + 1) +-#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT) ++#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT - 1) + #ifndef KMALLOC_SHIFT_LOW + #define KMALLOC_SHIFT_LOW 3 + #endif +@@ -216,7 +216,7 @@ size_t ksize(const void *); + * be allocated from the same page. + */ + #define KMALLOC_SHIFT_HIGH PAGE_SHIFT +-#define KMALLOC_SHIFT_MAX 30 ++#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT - 1) + #ifndef KMALLOC_SHIFT_LOW + #define KMALLOC_SHIFT_LOW 3 + #endif +diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h +index 0197358f1e81..262d5c95dfc8 100644 +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -311,6 +311,7 @@ enum { + + __WQ_DRAINING = 1 << 16, /* internal: workqueue is draining */ + __WQ_ORDERED = 1 << 17, /* internal: workqueue is ordered */ ++ __WQ_ORDERED_EXPLICIT = 1 << 18, /* internal: alloc_ordered_workqueue() */ + + WQ_MAX_ACTIVE = 512, /* I like 512, better ideas? */ + WQ_MAX_UNBOUND_PER_CPU = 4, /* 4 * #cpus for unbound wq */ +@@ -408,7 +409,8 @@ __alloc_workqueue_key(const char *fmt, unsigned int flags, int max_active, + * Pointer to the allocated workqueue on success, %NULL on failure. + */ + #define alloc_ordered_workqueue(fmt, flags, args...) \ +- alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | (flags), 1, ##args) ++ alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | \ ++ __WQ_ORDERED_EXPLICIT | (flags), 1, ##args) + + #define create_workqueue(name) \ + alloc_workqueue("%s", WQ_MEM_RECLAIM, 1, (name)) +diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h +index e0f4109e64c6..c2aa73e5e6bb 100644 +--- a/include/net/iw_handler.h ++++ b/include/net/iw_handler.h +@@ -556,7 +556,8 @@ iwe_stream_add_point(struct iw_request_info *info, char *stream, char *ends, + memcpy(stream + lcp_len, + ((char *) &iwe->u) + IW_EV_POINT_OFF, + IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN); +- memcpy(stream + point_len, extra, iwe->u.data.length); ++ if (iwe->u.data.length && extra) ++ memcpy(stream + point_len, extra, iwe->u.data.length); + stream += event_len; + } + return stream; +diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h +index ce13cf20f625..d33b17ba51d2 100644 +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -444,6 +444,8 @@ _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) + + #define _sctp_walk_params(pos, chunk, end, member)\ + for (pos.v = chunk->member;\ ++ (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <=\ ++ (void *)chunk + end) &&\ + pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ + ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\ + pos.v += WORD_ROUND(ntohs(pos.p->length))) +@@ -454,6 +456,8 @@ _sctp_walk_errors((err), (chunk_hdr), ntohs((chunk_hdr)->length)) + #define _sctp_walk_errors(err, chunk_hdr, end)\ + for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ + sizeof(sctp_chunkhdr_t));\ ++ ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <=\ ++ (void *)chunk_hdr + end) &&\ + (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ + ntohs(err->length) >= sizeof(sctp_errhdr_t); \ + err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length)))) +diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h +index e0efe3fcf739..fdda45f26f75 100644 +--- a/include/target/iscsi/iscsi_target_core.h ++++ b/include/target/iscsi/iscsi_target_core.h +@@ -562,6 +562,7 @@ struct iscsi_conn { + #define LOGIN_FLAGS_READ_ACTIVE 1 + #define LOGIN_FLAGS_CLOSED 2 + #define LOGIN_FLAGS_READY 4 ++#define LOGIN_FLAGS_INITIAL_PDU 8 + unsigned long login_flags; + struct delayed_work login_work; + struct delayed_work login_cleanup_work; +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index ed66414b91f0..1adf8739980c 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -714,6 +714,7 @@ struct se_lun { + #define SE_LUN_LINK_MAGIC 0xffff7771 + u32 lun_link_magic; + u32 lun_access; ++ bool lun_shutdown; + u32 lun_index; + + /* RELATIVE TARGET PORT IDENTIFER */ +diff --git a/kernel/signal.c b/kernel/signal.c +index b92a047ddc82..5d50ea899b6d 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -346,7 +346,7 @@ static bool task_participate_group_stop(struct task_struct *task) + * fresh group stop. Read comment in do_signal_stop() for details. + */ + if (!sig->group_stop_count && !(sig->flags & SIGNAL_STOP_STOPPED)) { +- sig->flags = SIGNAL_STOP_STOPPED; ++ signal_set_stop_flags(sig, SIGNAL_STOP_STOPPED); + return true; + } + return false; +@@ -845,7 +845,7 @@ static bool prepare_signal(int sig, struct task_struct *p, bool force) + * will take ->siglock, notice SIGNAL_CLD_MASK, and + * notify its parent. See get_signal_to_deliver(). + */ +- signal->flags = why | SIGNAL_STOP_CONTINUED; ++ signal_set_stop_flags(signal, why | SIGNAL_STOP_CONTINUED); + signal->group_stop_count = 0; + signal->group_exit_code = 0; + } +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 2c2f971f3e75..23231237f2e2 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -3647,8 +3647,12 @@ static int apply_workqueue_attrs_locked(struct workqueue_struct *wq, + return -EINVAL; + + /* creating multiple pwqs breaks ordering guarantee */ +- if (WARN_ON((wq->flags & __WQ_ORDERED) && !list_empty(&wq->pwqs))) +- return -EINVAL; ++ if (!list_empty(&wq->pwqs)) { ++ if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT)) ++ return -EINVAL; ++ ++ wq->flags &= ~__WQ_ORDERED; ++ } + + ctx = apply_wqattrs_prepare(wq, attrs); + +@@ -3834,6 +3838,16 @@ struct workqueue_struct *__alloc_workqueue_key(const char *fmt, + struct workqueue_struct *wq; + struct pool_workqueue *pwq; + ++ /* ++ * Unbound && max_active == 1 used to imply ordered, which is no ++ * longer the case on NUMA machines due to per-node pools. While ++ * alloc_ordered_workqueue() is the right way to create an ordered ++ * workqueue, keep the previous behavior to avoid subtle breakages ++ * on NUMA. ++ */ ++ if ((flags & WQ_UNBOUND) && max_active == 1) ++ flags |= __WQ_ORDERED; ++ + /* see the comment above the definition of WQ_POWER_EFFICIENT */ + if ((flags & WQ_POWER_EFFICIENT) && wq_power_efficient) + flags |= WQ_UNBOUND; +@@ -4022,13 +4036,14 @@ void workqueue_set_max_active(struct workqueue_struct *wq, int max_active) + struct pool_workqueue *pwq; + + /* disallow meddling with max_active for ordered workqueues */ +- if (WARN_ON(wq->flags & __WQ_ORDERED)) ++ if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT)) + return; + + max_active = wq_clamp_max_active(max_active, wq->flags, wq->name); + + mutex_lock(&wq->mutex); + ++ wq->flags &= ~__WQ_ORDERED; + wq->saved_max_active = max_active; + + for_each_pwq(pwq, wq) +@@ -5154,7 +5169,7 @@ int workqueue_sysfs_register(struct workqueue_struct *wq) + * attributes breaks ordering guarantee. Disallow exposing ordered + * workqueues. + */ +- if (WARN_ON(wq->flags & __WQ_ORDERED)) ++ if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT)) + return -EINVAL; + + wq->wq_dev = wq_dev = kzalloc(sizeof(*wq_dev), GFP_KERNEL); +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 8c15b29d5adc..b53b375e14bd 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -145,7 +145,7 @@ config DEBUG_INFO_REDUCED + + config DEBUG_INFO_SPLIT + bool "Produce split debuginfo in .dwo files" +- depends on DEBUG_INFO ++ depends on DEBUG_INFO && !FRV + help + Generate debug info into separate .dwo files. This significantly + reduces the build directory size for builds with DEBUG_INFO, +diff --git a/mm/internal.h b/mm/internal.h +index 6979b2bd3227..f63f4393d633 100644 +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -453,6 +453,7 @@ struct tlbflush_unmap_batch; + #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH + void try_to_unmap_flush(void); + void try_to_unmap_flush_dirty(void); ++void flush_tlb_batched_pending(struct mm_struct *mm); + #else + static inline void try_to_unmap_flush(void) + { +@@ -460,6 +461,8 @@ static inline void try_to_unmap_flush(void) + static inline void try_to_unmap_flush_dirty(void) + { + } +- ++static inline void flush_tlb_batched_pending(struct mm_struct *mm) ++{ ++} + #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ + #endif /* __MM_INTERNAL_H */ +diff --git a/mm/memory.c b/mm/memory.c +index e6fa13484447..9ac55172aa7b 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1127,6 +1127,7 @@ again: + init_rss_vec(rss); + start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl); + pte = start_pte; ++ flush_tlb_batched_pending(mm); + arch_enter_lazy_mmu_mode(); + do { + pte_t ptent = *pte; +diff --git a/mm/mprotect.c b/mm/mprotect.c +index ef5be8eaab00..c0b4b2a49462 100644 +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -72,6 +72,7 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, + if (!pte) + return 0; + ++ flush_tlb_batched_pending(vma->vm_mm); + arch_enter_lazy_mmu_mode(); + do { + oldpte = *pte; +diff --git a/mm/mremap.c b/mm/mremap.c +index c25bc6268e46..fe7b7f65f4f4 100644 +--- a/mm/mremap.c ++++ b/mm/mremap.c +@@ -135,6 +135,7 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, + new_ptl = pte_lockptr(mm, new_pmd); + if (new_ptl != old_ptl) + spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); ++ flush_tlb_batched_pending(vma->vm_mm); + arch_enter_lazy_mmu_mode(); + + for (; old_addr < old_end; old_pte++, old_addr += PAGE_SIZE, +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index bd17a6bdf131..f9d648fce8cd 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1527,14 +1527,14 @@ int move_freepages(struct zone *zone, + #endif + + for (page = start_page; page <= end_page;) { +- /* Make sure we are not inadvertently changing nodes */ +- VM_BUG_ON_PAGE(page_to_nid(page) != zone_to_nid(zone), page); +- + if (!pfn_valid_within(page_to_pfn(page))) { + page++; + continue; + } + ++ /* Make sure we are not inadvertently changing nodes */ ++ VM_BUG_ON_PAGE(page_to_nid(page) != zone_to_nid(zone), page); ++ + if (!PageBuddy(page)) { + page++; + continue; +@@ -5847,8 +5847,8 @@ unsigned long free_reserved_area(void *start, void *end, int poison, char *s) + } + + if (pages && s) +- pr_info("Freeing %s memory: %ldK (%p - %p)\n", +- s, pages << (PAGE_SHIFT - 10), start, end); ++ pr_info("Freeing %s memory: %ldK\n", ++ s, pages << (PAGE_SHIFT - 10)); + + return pages; + } +diff --git a/mm/rmap.c b/mm/rmap.c +index b577fbb98d4b..ede183c32f45 100644 +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -648,6 +648,13 @@ static void set_tlb_ubc_flush_pending(struct mm_struct *mm, + cpumask_or(&tlb_ubc->cpumask, &tlb_ubc->cpumask, mm_cpumask(mm)); + tlb_ubc->flush_required = true; + ++ /* ++ * Ensure compiler does not re-order the setting of tlb_flush_batched ++ * before the PTE is cleared. ++ */ ++ barrier(); ++ mm->tlb_flush_batched = true; ++ + /* + * If the PTE was dirty then it's best to assume it's writable. The + * caller must use try_to_unmap_flush_dirty() or try_to_unmap_flush() +@@ -675,6 +682,35 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) + + return should_defer; + } ++ ++/* ++ * Reclaim unmaps pages under the PTL but do not flush the TLB prior to ++ * releasing the PTL if TLB flushes are batched. It's possible for a parallel ++ * operation such as mprotect or munmap to race between reclaim unmapping ++ * the page and flushing the page. If this race occurs, it potentially allows ++ * access to data via a stale TLB entry. Tracking all mm's that have TLB ++ * batching in flight would be expensive during reclaim so instead track ++ * whether TLB batching occurred in the past and if so then do a flush here ++ * if required. This will cost one additional flush per reclaim cycle paid ++ * by the first operation at risk such as mprotect and mumap. ++ * ++ * This must be called under the PTL so that an access to tlb_flush_batched ++ * that is potentially a "reclaim vs mprotect/munmap/etc" race will synchronise ++ * via the PTL. ++ */ ++void flush_tlb_batched_pending(struct mm_struct *mm) ++{ ++ if (mm->tlb_flush_batched) { ++ flush_tlb_mm(mm); ++ ++ /* ++ * Do not allow the compiler to re-order the clearing of ++ * tlb_flush_batched before the tlb is flushed. ++ */ ++ barrier(); ++ mm->tlb_flush_batched = false; ++ } ++} + #else + static void set_tlb_ubc_flush_pending(struct mm_struct *mm, + struct page *page, bool writable) +diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c +index b94b1d293506..151e047ce072 100644 +--- a/net/core/dev_ioctl.c ++++ b/net/core/dev_ioctl.c +@@ -28,6 +28,7 @@ static int dev_ifname(struct net *net, struct ifreq __user *arg) + + if (copy_from_user(&ifr, arg, sizeof(struct ifreq))) + return -EFAULT; ++ ifr.ifr_name[IFNAMSIZ-1] = 0; + + error = netdev_get_name(net, ifr.ifr_name, ifr.ifr_ifindex); + if (error) +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 2ec5324a7ff7..5b3d611d8b5f 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1742,7 +1742,8 @@ static int do_setlink(const struct sk_buff *skb, + struct sockaddr *sa; + int len; + +- len = sizeof(sa_family_t) + dev->addr_len; ++ len = sizeof(sa_family_t) + max_t(size_t, dev->addr_len, ++ sizeof(*sa)); + sa = kmalloc(len, GFP_KERNEL); + if (!sa) { + err = -ENOMEM; +diff --git a/net/dccp/feat.c b/net/dccp/feat.c +index 1704948e6a12..f227f002c73d 100644 +--- a/net/dccp/feat.c ++++ b/net/dccp/feat.c +@@ -1471,9 +1471,12 @@ int dccp_feat_init(struct sock *sk) + * singleton values (which always leads to failure). + * These settings can still (later) be overridden via sockopts. + */ +- if (ccid_get_builtin_ccids(&tx.val, &tx.len) || +- ccid_get_builtin_ccids(&rx.val, &rx.len)) ++ if (ccid_get_builtin_ccids(&tx.val, &tx.len)) + return -ENOBUFS; ++ if (ccid_get_builtin_ccids(&rx.val, &rx.len)) { ++ kfree(tx.val); ++ return -ENOBUFS; ++ } + + if (!dccp_feat_prefer(sysctl_dccp_tx_ccid, tx.val, tx.len) || + !dccp_feat_prefer(sysctl_dccp_rx_ccid, rx.val, rx.len)) +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 6467bf392e1b..e217f17997a4 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -635,6 +635,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + goto drop_and_free; + + inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); ++ reqsk_put(req); + return 0; + + drop_and_free: +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 3470ad1843bb..09a9ab65f4e1 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -376,6 +376,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + goto drop_and_free; + + inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); ++ reqsk_put(req); + return 0; + + drop_and_free: +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 66dcb529fd9c..0cb240c749bf 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1319,13 +1319,14 @@ static struct pernet_operations fib_net_ops = { + + void __init ip_fib_init(void) + { +- rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL); +- rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL); +- rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL); ++ fib_trie_init(); + + register_pernet_subsys(&fib_net_ops); ++ + register_netdevice_notifier(&fib_netdev_notifier); + register_inetaddr_notifier(&fib_inetaddr_notifier); + +- fib_trie_init(); ++ rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL); ++ rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL); ++ rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL); + } +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 2b7283303650..5d58a6703a43 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -922,7 +922,8 @@ static int __ip_append_data(struct sock *sk, + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if (((length > mtu) || (skb && skb_is_gso(skb))) && ++ if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) || ++ (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && + (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { +diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c +index 4cbe9f0a4281..731b91409625 100644 +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -337,6 +337,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) + treq = tcp_rsk(req); + treq->rcv_isn = ntohl(th->seq) - 1; + treq->snt_isn = cookie; ++ treq->txhash = net_tx_rndhash(); + req->mss = mss; + ireq->ir_num = ntohs(th->dest); + ireq->ir_rmt_port = th->source; +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 150b4923fb72..0de3245ea42f 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -647,8 +647,6 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + *prevhdr = NEXTHDR_FRAGMENT; + tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC); + if (!tmp_hdr) { +- IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_FRAGFAILS); + err = -ENOMEM; + goto fail; + } +@@ -767,8 +765,6 @@ slow_path: + frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) + + hroom + troom, GFP_ATOMIC); + if (!frag) { +- IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_FRAGFAILS); + err = -ENOMEM; + goto fail; + } +@@ -1361,7 +1357,7 @@ emsgsize: + */ + + cork->length += length; +- if ((((length + fragheaderlen) > mtu) || ++ if ((((length + (skb ? skb->len : headersize)) > mtu) || + (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index 8b56c5240429..f9f02581c4ca 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident); + + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { +- u16 offset = sizeof(struct ipv6hdr); ++ unsigned int offset = sizeof(struct ipv6hdr); + unsigned int packet_len = skb_tail_pointer(skb) - + skb_network_header(skb); + int found_rhdr = 0; +@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + + while (offset <= packet_len) { + struct ipv6_opt_hdr *exthdr; ++ unsigned int len; + + switch (**nexthdr) { + +@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + + offset); +- offset += ipv6_optlen(exthdr); ++ len = ipv6_optlen(exthdr); ++ if (len + offset >= IPV6_MAXPLEN) ++ return -EINVAL; ++ offset += len; + *nexthdr = &exthdr->nexthdr; + } + +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index eaf7ac496d50..aee87282d352 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -210,6 +210,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + treq->snt_synack.v64 = 0; + treq->rcv_isn = ntohl(th->seq) - 1; + treq->snt_isn = cookie; ++ treq->txhash = net_tx_rndhash(); + + /* + * We need to lookup the dst_entry to get the correct window size. +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index ad58d2a6284e..6a2507f24b0f 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -577,8 +577,8 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, + + nla_for_each_nested(a, attr, rem) { + int type = nla_type(a); +- int maxlen = ovs_ct_attr_lens[type].maxlen; +- int minlen = ovs_ct_attr_lens[type].minlen; ++ int maxlen; ++ int minlen; + + if (type > OVS_CT_ATTR_MAX) { + OVS_NLERR(log, +@@ -586,6 +586,9 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, + type, OVS_CT_ATTR_MAX); + return -EINVAL; + } ++ ++ maxlen = ovs_ct_attr_lens[type].maxlen; ++ minlen = ovs_ct_attr_lens[type].minlen; + if (nla_len(a) < minlen || nla_len(a) > maxlen) { + OVS_NLERR(log, + "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)", +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index f8d6a0ca9c03..061771ca2582 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4225,7 +4225,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + register_prot_hook(sk); + } + spin_unlock(&po->bind_lock); +- if (closing && (po->tp_version > TPACKET_V2)) { ++ if (pg_vec && (po->tp_version > TPACKET_V2)) { + /* Because we don't support block-based V3 on tx-ring */ + if (!tx_ring) + prb_shutdown_retire_blk_timer(po, rb_queue); +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 46a34039ecdc..5cab24f52825 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2233,6 +2233,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3), + SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT), + SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP), ++ SND_PCI_QUIRK(0x104d, 0x9060, "Sony Vaio VPCL14M1R", ALC882_FIXUP_NO_PRIMARY_HP), + SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP), + SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP), + +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index a1e605bbc465..977066ba1769 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -181,6 +181,10 @@ int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir, + dev_dbg(be->dev, "ASoC: BE %s event %d dir %d\n", + be->dai_link->name, event, dir); + ++ if ((event == SND_SOC_DAPM_STREAM_STOP) && ++ (be->dpcm[dir].users >= 1)) ++ continue; ++ + snd_soc_dapm_stream_event(be, dir, event); + } +
