commit: 4f5e8935a83b7b615e64287b1ba50633ac6e39b1 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org> AuthorDate: Fri Dec 15 20:22:14 2017 +0000 Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org> CommitDate: Fri Dec 15 20:22:14 2017 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=4f5e8935
linux kernel 4.1.48 0000_README | 4 + 1047_linux-4.1.48.patch | 3434 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 3438 insertions(+) diff --git a/0000_README b/0000_README index b37932b..1b3166c 100644 --- a/0000_README +++ b/0000_README @@ -231,6 +231,10 @@ Patch: 1046_linux-4.1.47.patch From: http://www.kernel.org Desc: Linux 4.1.47 +Patch: 1047_linux-4.1.48.patch +From: http://www.kernel.org +Desc: Linux 4.1.48 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1047_linux-4.1.48.patch b/1047_linux-4.1.48.patch new file mode 100644 index 0000000..bf1334d --- /dev/null +++ b/1047_linux-4.1.48.patch @@ -0,0 +1,3434 @@ +diff --git a/Makefile b/Makefile +index c730c9719f6d..97edf556bfe4 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 47 ++SUBLEVEL = 48 + EXTRAVERSION = + NAME = Series 4800 + +diff --git a/arch/arm/mm/dump.c b/arch/arm/mm/dump.c +index 9fe8e241335c..e1f6f0daa847 100644 +--- a/arch/arm/mm/dump.c ++++ b/arch/arm/mm/dump.c +@@ -126,8 +126,8 @@ static const struct prot_bits section_bits[] = { + .val = PMD_SECT_USER, + .set = "USR", + }, { +- .mask = L_PMD_SECT_RDONLY, +- .val = L_PMD_SECT_RDONLY, ++ .mask = L_PMD_SECT_RDONLY | PMD_SECT_AP2, ++ .val = L_PMD_SECT_RDONLY | PMD_SECT_AP2, + .set = "ro", + .clear = "RW", + #elif __LINUX_ARM_ARCH__ >= 6 +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index be92fa0f2f35..10058c00ddd9 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -609,8 +609,8 @@ static struct section_perm ro_perms[] = { + .start = (unsigned long)_stext, + .end = (unsigned long)__init_begin, + #ifdef CONFIG_ARM_LPAE +- .mask = ~L_PMD_SECT_RDONLY, +- .prot = L_PMD_SECT_RDONLY, ++ .mask = ~(L_PMD_SECT_RDONLY | PMD_SECT_AP2), ++ .prot = L_PMD_SECT_RDONLY | PMD_SECT_AP2, + #else + .mask = ~(PMD_SECT_APX | PMD_SECT_AP_WRITE), + .prot = PMD_SECT_APX | PMD_SECT_AP_WRITE, +diff --git a/arch/mips/bcm47xx/leds.c b/arch/mips/bcm47xx/leds.c +index 0e4ade342333..5c2e12923327 100644 +--- a/arch/mips/bcm47xx/leds.c ++++ b/arch/mips/bcm47xx/leds.c +@@ -330,7 +330,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __initconst = { + /* Verified on: WRT54GS V1.0 */ + static const struct gpio_led + bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = { +- BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF), ++ BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF), + BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON), + BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF), + }; +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 5c3aa41a162f..81a13fd56d13 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -561,6 +561,19 @@ static const struct user_regset_view user_mips64_view = { + .n = ARRAY_SIZE(mips64_regsets), + }; + ++#ifdef CONFIG_MIPS32_N32 ++ ++static const struct user_regset_view user_mipsn32_view = { ++ .name = "mipsn32", ++ .e_flags = EF_MIPS_ABI2, ++ .e_machine = ELF_ARCH, ++ .ei_osabi = ELF_OSABI, ++ .regsets = mips64_regsets, ++ .n = ARRAY_SIZE(mips64_regsets), ++}; ++ ++#endif /* CONFIG_MIPS32_N32 */ ++ + #endif /* CONFIG_64BIT */ + + const struct user_regset_view *task_user_regset_view(struct task_struct *task) +@@ -571,6 +584,10 @@ const struct user_regset_view *task_user_regset_view(struct task_struct *task) + #ifdef CONFIG_MIPS32_O32 + if (test_tsk_thread_flag(task, TIF_32BIT_REGS)) + return &user_mips_view; ++#endif ++#ifdef CONFIG_MIPS32_N32 ++ if (test_tsk_thread_flag(task, TIF_32BIT_ADDR)) ++ return &user_mipsn32_view; + #endif + return &user_mips64_view; + #endif +diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c +index 51e77841f9f6..2734f6a4857d 100644 +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -147,35 +147,6 @@ void __init detect_memory_region(phys_addr_t start, phys_addr_t sz_min, phys_add + add_memory_region(start, size, BOOT_MEM_RAM); + } + +-bool __init memory_region_available(phys_addr_t start, phys_addr_t size) +-{ +- int i; +- bool in_ram = false, free = true; +- +- for (i = 0; i < boot_mem_map.nr_map; i++) { +- phys_addr_t start_, end_; +- +- start_ = boot_mem_map.map[i].addr; +- end_ = boot_mem_map.map[i].addr + boot_mem_map.map[i].size; +- +- switch (boot_mem_map.map[i].type) { +- case BOOT_MEM_RAM: +- if (start >= start_ && start + size <= end_) +- in_ram = true; +- break; +- case BOOT_MEM_RESERVED: +- if ((start >= start_ && start < end_) || +- (start < start_ && start + size >= start_)) +- free = false; +- break; +- default: +- continue; +- } +- } +- +- return in_ram && free; +-} +- + static void __init print_memory_map(void) + { + int i; +@@ -324,19 +295,11 @@ static void __init bootmem_init(void) + + #else /* !CONFIG_SGI_IP27 */ + +-static unsigned long __init bootmap_bytes(unsigned long pages) +-{ +- unsigned long bytes = DIV_ROUND_UP(pages, 8); +- +- return ALIGN(bytes, sizeof(long)); +-} +- + static void __init bootmem_init(void) + { + unsigned long reserved_end; + unsigned long mapstart = ~0UL; + unsigned long bootmap_size; +- bool bootmap_valid = false; + int i; + + /* +@@ -411,43 +374,12 @@ static void __init bootmem_init(void) + mapstart = max(mapstart, (unsigned long)PFN_UP(__pa(initrd_end))); + #endif + +- /* +- * check that mapstart doesn't overlap with any of +- * memory regions that have been reserved through eg. DTB +- */ +- bootmap_size = bootmap_bytes(max_low_pfn - min_low_pfn); +- +- bootmap_valid = memory_region_available(PFN_PHYS(mapstart), +- bootmap_size); +- for (i = 0; i < boot_mem_map.nr_map && !bootmap_valid; i++) { +- unsigned long mapstart_addr; +- +- switch (boot_mem_map.map[i].type) { +- case BOOT_MEM_RESERVED: +- mapstart_addr = PFN_ALIGN(boot_mem_map.map[i].addr + +- boot_mem_map.map[i].size); +- if (PHYS_PFN(mapstart_addr) < mapstart) +- break; +- +- bootmap_valid = memory_region_available(mapstart_addr, +- bootmap_size); +- if (bootmap_valid) +- mapstart = PHYS_PFN(mapstart_addr); +- break; +- default: +- break; +- } +- } +- +- if (!bootmap_valid) +- panic("No memory area to place a bootmap bitmap"); +- + /* + * Initialize the boot-time allocator with low memory only. + */ +- if (bootmap_size != init_bootmem_node(NODE_DATA(0), mapstart, +- min_low_pfn, max_low_pfn)) +- panic("Unexpected memory size required for bootmap"); ++ bootmap_size = init_bootmem_node(NODE_DATA(0), mapstart, ++ min_low_pfn, max_low_pfn); ++ + + for (i = 0; i < boot_mem_map.nr_map; i++) { + unsigned long start, end; +diff --git a/arch/mips/ralink/mt7620.c b/arch/mips/ralink/mt7620.c +index c57215a66181..e916b14234e6 100644 +--- a/arch/mips/ralink/mt7620.c ++++ b/arch/mips/ralink/mt7620.c +@@ -132,8 +132,8 @@ static struct rt2880_pmx_func i2c_grp_mt7628[] = { + FUNC("i2c", 0, 4, 2), + }; + +-static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 36, 1) }; +-static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 37, 1) }; ++static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("refclk", 0, 37, 1) }; ++static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 36, 1) }; + static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) }; + static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) }; + +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S +index 95f090fe385a..196395a0ac91 100644 +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -688,15 +688,15 @@ cas_action: + /* ELF32 Process entry path */ + lws_compare_and_swap_2: + #ifdef CONFIG_64BIT +- /* Clip the input registers */ ++ /* Clip the input registers. We don't need to clip %r23 as we ++ only use it for word operations */ + depdi 0, 31, 32, %r26 + depdi 0, 31, 32, %r25 + depdi 0, 31, 32, %r24 +- depdi 0, 31, 32, %r23 + #endif + + /* Check the validity of the size pointer */ +- subi,>>= 4, %r23, %r0 ++ subi,>>= 3, %r23, %r0 + b,n lws_exit_nosys + + /* Jump to the functions which will load the old and new values into +diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c +index cf8c7e4e0b21..984a54c85952 100644 +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -102,7 +102,7 @@ static void check_syscall_restart(struct pt_regs *regs, struct k_sigaction *ka, + static void do_signal(struct pt_regs *regs) + { + sigset_t *oldset = sigmask_to_save(); +- struct ksignal ksig; ++ struct ksignal ksig = { .sig = 0 }; + int ret; + int is32 = is_32bit_task(); + +diff --git a/arch/s390/include/asm/asm-prototypes.h b/arch/s390/include/asm/asm-prototypes.h +new file mode 100644 +index 000000000000..2c3413b0ca52 +--- /dev/null ++++ b/arch/s390/include/asm/asm-prototypes.h +@@ -0,0 +1,8 @@ ++#ifndef _ASM_S390_PROTOTYPES_H ++ ++#include <linux/kvm_host.h> ++#include <linux/ftrace.h> ++#include <asm/fpu/api.h> ++#include <asm-generic/asm-prototypes.h> ++ ++#endif /* _ASM_S390_PROTOTYPES_H */ +diff --git a/arch/s390/kernel/dis.c b/arch/s390/kernel/dis.c +index 8140d10c6785..d7c277664ec4 100644 +--- a/arch/s390/kernel/dis.c ++++ b/arch/s390/kernel/dis.c +@@ -1549,6 +1549,7 @@ static struct s390_insn opcode_e7[] = { + { "vfsq", 0xce, INSTR_VRR_VV000MM }, + { "vfs", 0xe2, INSTR_VRR_VVV00MM }, + { "vftci", 0x4a, INSTR_VRI_VVIMM }, ++ { "", 0, INSTR_INVALID } + }; + + static struct s390_insn opcode_eb[] = { +@@ -1954,7 +1955,7 @@ void show_code(struct pt_regs *regs) + { + char *mode = user_mode(regs) ? "User" : "Krnl"; + unsigned char code[64]; +- char buffer[64], *ptr; ++ char buffer[128], *ptr; + mm_segment_t old_fs; + unsigned long addr; + int start, end, opsize, hops, i; +@@ -2017,7 +2018,7 @@ void show_code(struct pt_regs *regs) + start += opsize; + printk(buffer); + ptr = buffer; +- ptr += sprintf(ptr, "\n "); ++ ptr += sprintf(ptr, "\n\t "); + hops++; + } + printk("\n"); +diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c +index 26b4ae96fdd7..ddbec1054f75 100644 +--- a/arch/s390/kernel/runtime_instr.c ++++ b/arch/s390/kernel/runtime_instr.c +@@ -53,12 +53,14 @@ void exit_thread_runtime_instr(void) + { + struct task_struct *task = current; + ++ preempt_disable(); + if (!task->thread.ri_cb) + return; + disable_runtime_instr(); + kfree(task->thread.ri_cb); + task->thread.ri_signum = 0; + task->thread.ri_cb = NULL; ++ preempt_enable(); + } + + static void runtime_instr_int_handler(struct ext_code ext_code, +@@ -100,9 +102,7 @@ SYSCALL_DEFINE2(s390_runtime_instr, int, command, int, signum) + return -EOPNOTSUPP; + + if (command == S390_RUNTIME_INSTR_STOP) { +- preempt_disable(); + exit_thread_runtime_instr(); +- preempt_enable(); + return 0; + } + +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index 3738b138b843..b047734842df 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -3,6 +3,7 @@ + + #include <asm/i387.h> + #include <asm/pgtable.h> ++#include <asm/tlb.h> + + /* + * We map the EFI regions needed for runtime services non-contiguously, +@@ -64,6 +65,17 @@ extern u64 asmlinkage efi_call(void *fp, ...); + + #define efi_call_phys(f, args...) efi_call((f), args) + ++/* ++ * Scratch space used for switching the pagetable in the EFI stub ++ */ ++struct efi_scratch { ++ u64 r15; ++ u64 prev_cr3; ++ pgd_t *efi_pgt; ++ bool use_pgd; ++ u64 phys_stack; ++} __packed; ++ + #define efi_call_virt(f, ...) \ + ({ \ + efi_status_t __s; \ +@@ -71,7 +83,20 @@ extern u64 asmlinkage efi_call(void *fp, ...); + efi_sync_low_kernel_mappings(); \ + preempt_disable(); \ + __kernel_fpu_begin(); \ ++ \ ++ if (efi_scratch.use_pgd) { \ ++ efi_scratch.prev_cr3 = read_cr3(); \ ++ write_cr3((unsigned long)efi_scratch.efi_pgt); \ ++ __flush_tlb_all(); \ ++ } \ ++ \ + __s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__); \ ++ \ ++ if (efi_scratch.use_pgd) { \ ++ write_cr3(efi_scratch.prev_cr3); \ ++ __flush_tlb_all(); \ ++ } \ ++ \ + __kernel_fpu_end(); \ + preempt_enable(); \ + __s; \ +@@ -98,6 +123,7 @@ extern void __init efi_memory_uc(u64 addr, unsigned long size); + extern void __init efi_map_region(efi_memory_desc_t *md); + extern void __init efi_map_region_fixed(efi_memory_desc_t *md); + extern void efi_sync_low_kernel_mappings(void); ++extern int __init efi_alloc_page_tables(void); + extern int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages); + extern void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages); + extern void __init old_map_region(efi_memory_desc_t *md); +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 23be7ffebb4b..c5ecf85227e0 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1780,6 +1780,8 @@ static int ud_interception(struct vcpu_svm *svm) + int er; + + er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD); ++ if (er == EMULATE_USER_EXIT) ++ return 0; + if (er != EMULATE_DONE) + kvm_queue_exception(&svm->vcpu, UD_VECTOR); + return 1; +@@ -3196,6 +3198,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) + u32 ecx = msr->index; + u64 data = msr->data; + switch (ecx) { ++ case MSR_IA32_CR_PAT: ++ if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) ++ return 1; ++ vcpu->arch.pat = data; ++ svm->vmcb->save.g_pat = data; ++ mark_dirty(svm->vmcb, VMCB_NPT); ++ break; + case MSR_IA32_TSC: + kvm_write_tsc(vcpu, msr); + break; +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 33c1b5311b98..665b10a55b30 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5096,6 +5096,8 @@ static int handle_exception(struct kvm_vcpu *vcpu) + return 1; + } + er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD); ++ if (er == EMULATE_USER_EXIT) ++ return 0; + if (er != EMULATE_DONE) + kvm_queue_exception(vcpu, UD_VECTOR); + return 1; +@@ -9966,6 +9968,8 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, + vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip); + vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base); + vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base); ++ vmcs_write32(GUEST_IDTR_LIMIT, 0xFFFF); ++ vmcs_write32(GUEST_GDTR_LIMIT, 0xFFFF); + + /* If not VM_EXIT_CLEAR_BNDCFGS, the L2 value propagates to L1. */ + if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 5f9cf11f9446..e4e7d45fd551 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1697,6 +1697,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) + */ + BUILD_BUG_ON(offsetof(struct pvclock_vcpu_time_info, version) != 0); + ++ if (guest_hv_clock.version & 1) ++ ++guest_hv_clock.version; /* first time write, random junk */ ++ + vcpu->hv_clock.version = guest_hv_clock.version + 1; + kvm_write_guest_cached(v->kvm, &vcpu->pv_time, + &vcpu->hv_clock, +@@ -5433,6 +5436,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, + if (reexecute_instruction(vcpu, cr2, write_fault_to_spt, + emulation_type)) + return EMULATE_DONE; ++ if (ctxt->have_exception && inject_emulated_exception(vcpu)) ++ return EMULATE_DONE; + if (emulation_type & EMULTYPE_SKIP) + return EMULATE_FAIL; + return handle_emulation_failure(vcpu); +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index 816488c0b97e..2dc6a7df16cd 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -822,7 +822,7 @@ EndTable + + GrpTable: Grp3_1 + 0: TEST Eb,Ib +-1: ++1: TEST Eb,Ib + 2: NOT Eb + 3: NEG Eb + 4: MUL AL,Eb +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index 2dd9b3ad3bb5..1e5a786e75ce 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -884,15 +884,10 @@ static void populate_pte(struct cpa_data *cpa, + pte = pte_offset_kernel(pmd, start); + + while (num_pages-- && start < end) { +- +- /* deal with the NX bit */ +- if (!(pgprot_val(pgprot) & _PAGE_NX)) +- cpa->pfn &= ~_PAGE_NX; +- +- set_pte(pte, pfn_pte(cpa->pfn >> PAGE_SHIFT, pgprot)); ++ set_pte(pte, pfn_pte(cpa->pfn, pgprot)); + + start += PAGE_SIZE; +- cpa->pfn += PAGE_SIZE; ++ cpa->pfn++; + pte++; + } + } +@@ -948,11 +943,11 @@ static int populate_pmd(struct cpa_data *cpa, + + pmd = pmd_offset(pud, start); + +- set_pmd(pmd, __pmd(cpa->pfn | _PAGE_PSE | ++ set_pmd(pmd, __pmd(cpa->pfn << PAGE_SHIFT | _PAGE_PSE | + massage_pgprot(pmd_pgprot))); + + start += PMD_SIZE; +- cpa->pfn += PMD_SIZE; ++ cpa->pfn += PMD_SIZE >> PAGE_SHIFT; + cur_pages += PMD_SIZE >> PAGE_SHIFT; + } + +@@ -1021,11 +1016,11 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, + * Map everything starting from the Gb boundary, possibly with 1G pages + */ + while (end - start >= PUD_SIZE) { +- set_pud(pud, __pud(cpa->pfn | _PAGE_PSE | ++ set_pud(pud, __pud(cpa->pfn << PAGE_SHIFT | _PAGE_PSE | + massage_pgprot(pud_pgprot))); + + start += PUD_SIZE; +- cpa->pfn += PUD_SIZE; ++ cpa->pfn += PUD_SIZE >> PAGE_SHIFT; + cur_pages += PUD_SIZE >> PAGE_SHIFT; + pud++; + } +diff --git a/arch/x86/platform/efi/efi-bgrt.c b/arch/x86/platform/efi/efi-bgrt.c +index d7f997f7c26d..10380c8749b7 100644 +--- a/arch/x86/platform/efi/efi-bgrt.c ++++ b/arch/x86/platform/efi/efi-bgrt.c +@@ -28,8 +28,7 @@ struct bmp_header { + void __init efi_bgrt_init(void) + { + acpi_status status; +- void __iomem *image; +- bool ioremapped = false; ++ void *image; + struct bmp_header bmp_header; + + if (acpi_disabled) +@@ -65,20 +64,14 @@ void __init efi_bgrt_init(void) + return; + } + +- image = efi_lookup_mapped_addr(bgrt_tab->image_address); ++ image = early_memremap(bgrt_tab->image_address, sizeof(bmp_header)); + if (!image) { +- image = early_ioremap(bgrt_tab->image_address, +- sizeof(bmp_header)); +- ioremapped = true; +- if (!image) { +- pr_err("Ignoring BGRT: failed to map image header memory\n"); +- return; +- } ++ pr_err("Ignoring BGRT: failed to map image header memory\n"); ++ return; + } + +- memcpy_fromio(&bmp_header, image, sizeof(bmp_header)); +- if (ioremapped) +- early_iounmap(image, sizeof(bmp_header)); ++ memcpy(&bmp_header, image, sizeof(bmp_header)); ++ early_memunmap(image, sizeof(bmp_header)); + bgrt_image_size = bmp_header.size; + + bgrt_image = kmalloc(bgrt_image_size, GFP_KERNEL | __GFP_NOWARN); +@@ -88,18 +81,14 @@ void __init efi_bgrt_init(void) + return; + } + +- if (ioremapped) { +- image = early_ioremap(bgrt_tab->image_address, +- bmp_header.size); +- if (!image) { +- pr_err("Ignoring BGRT: failed to map image memory\n"); +- kfree(bgrt_image); +- bgrt_image = NULL; +- return; +- } ++ image = early_memremap(bgrt_tab->image_address, bmp_header.size); ++ if (!image) { ++ pr_err("Ignoring BGRT: failed to map image memory\n"); ++ kfree(bgrt_image); ++ bgrt_image = NULL; ++ return; + } + +- memcpy_fromio(bgrt_image, image, bgrt_image_size); +- if (ioremapped) +- early_iounmap(image, bmp_header.size); ++ memcpy(bgrt_image, image, bgrt_image_size); ++ early_memunmap(image, bmp_header.size); + } +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 477384985ac9..9b2fe733e9f7 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -843,7 +843,7 @@ static void __init kexec_enter_virtual_mode(void) + * This function will switch the EFI runtime services to virtual mode. + * Essentially, we look through the EFI memmap and map every region that + * has the runtime attribute bit set in its memory descriptor into the +- * ->trampoline_pgd page table using a top-down VA allocation scheme. ++ * efi_pgd page table. + * + * The old method which used to update that memory descriptor with the + * virtual address obtained from ioremap() is still supported when the +@@ -853,8 +853,8 @@ static void __init kexec_enter_virtual_mode(void) + * + * The new method does a pagetable switch in a preemption-safe manner + * so that we're in a different address space when calling a runtime +- * function. For function arguments passing we do copy the PGDs of the +- * kernel page table into ->trampoline_pgd prior to each call. ++ * function. For function arguments passing we do copy the PUDs of the ++ * kernel page table into efi_pgd prior to each call. + * + * Specially for kexec boot, efi runtime maps in previous kernel should + * be passed in via setup_data. In that case runtime ranges will be mapped +@@ -869,6 +869,12 @@ static void __init __efi_enter_virtual_mode(void) + + efi.systab = NULL; + ++ if (efi_alloc_page_tables()) { ++ pr_err("Failed to allocate EFI page tables\n"); ++ clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); ++ return; ++ } ++ + efi_merge_regions(); + new_memmap = efi_map_regions(&count, &pg_shift); + if (!new_memmap) { +@@ -928,28 +934,11 @@ static void __init __efi_enter_virtual_mode(void) + efi_runtime_mkexec(); + + /* +- * We mapped the descriptor array into the EFI pagetable above but we're +- * not unmapping it here. Here's why: +- * +- * We're copying select PGDs from the kernel page table to the EFI page +- * table and when we do so and make changes to those PGDs like unmapping +- * stuff from them, those changes appear in the kernel page table and we +- * go boom. +- * +- * From setup_real_mode(): +- * +- * ... +- * trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd; +- * +- * In this particular case, our allocation is in PGD 0 of the EFI page +- * table but we've copied that PGD from PGD[272] of the EFI page table: +- * +- * pgd_index(__PAGE_OFFSET = 0xffff880000000000) = 272 +- * +- * where the direct memory mapping in kernel space is. +- * +- * new_memmap's VA comes from that direct mapping and thus clearing it, +- * it would get cleared in the kernel page table too. ++ * We mapped the descriptor array into the EFI pagetable above ++ * but we're not unmapping it here because if we're running in ++ * EFI mixed mode we need all of memory to be accessible when ++ * we pass parameters to the EFI runtime services in the ++ * thunking code. + * + * efi_cleanup_page_tables(__pa(new_memmap), 1 << pg_shift); + */ +diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c +index ed5b67338294..58d669bc8250 100644 +--- a/arch/x86/platform/efi/efi_32.c ++++ b/arch/x86/platform/efi/efi_32.c +@@ -38,6 +38,11 @@ + * say 0 - 3G. + */ + ++int __init efi_alloc_page_tables(void) ++{ ++ return 0; ++} ++ + void efi_sync_low_kernel_mappings(void) {} + void __init efi_dump_pagetable(void) {} + int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index a0ac0f9c307f..18dfaad71c99 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -40,6 +40,7 @@ + #include <asm/fixmap.h> + #include <asm/realmode.h> + #include <asm/time.h> ++#include <asm/pgalloc.h> + + /* + * We allocate runtime services regions bottom-up, starting from -4G, i.e. +@@ -47,16 +48,7 @@ + */ + static u64 efi_va = EFI_VA_START; + +-/* +- * Scratch space used for switching the pagetable in the EFI stub +- */ +-struct efi_scratch { +- u64 r15; +- u64 prev_cr3; +- pgd_t *efi_pgt; +- bool use_pgd; +- u64 phys_stack; +-} __packed; ++struct efi_scratch efi_scratch; + + static void __init early_code_mapping_set_exec(int executable) + { +@@ -83,8 +75,11 @@ pgd_t * __init efi_call_phys_prolog(void) + int pgd; + int n_pgds; + +- if (!efi_enabled(EFI_OLD_MEMMAP)) +- return NULL; ++ if (!efi_enabled(EFI_OLD_MEMMAP)) { ++ save_pgd = (pgd_t *)read_cr3(); ++ write_cr3((unsigned long)efi_scratch.efi_pgt); ++ goto out; ++ } + + early_code_mapping_set_exec(1); + +@@ -96,6 +91,7 @@ pgd_t * __init efi_call_phys_prolog(void) + vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); + set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); + } ++out: + __flush_tlb_all(); + + return save_pgd; +@@ -109,8 +105,11 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd) + int pgd_idx; + int nr_pgds; + +- if (!save_pgd) ++ if (!efi_enabled(EFI_OLD_MEMMAP)) { ++ write_cr3((unsigned long)save_pgd); ++ __flush_tlb_all(); + return; ++ } + + nr_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE); + +@@ -123,27 +122,97 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd) + early_code_mapping_set_exec(0); + } + ++static pgd_t *efi_pgd; ++ ++/* ++ * We need our own copy of the higher levels of the page tables ++ * because we want to avoid inserting EFI region mappings (EFI_VA_END ++ * to EFI_VA_START) into the standard kernel page tables. Everything ++ * else can be shared, see efi_sync_low_kernel_mappings(). ++ */ ++int __init efi_alloc_page_tables(void) ++{ ++ pgd_t *pgd; ++ pud_t *pud; ++ gfp_t gfp_mask; ++ ++ if (efi_enabled(EFI_OLD_MEMMAP)) ++ return 0; ++ ++ gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO; ++ efi_pgd = (pgd_t *)__get_free_page(gfp_mask); ++ if (!efi_pgd) ++ return -ENOMEM; ++ ++ pgd = efi_pgd + pgd_index(EFI_VA_END); ++ ++ pud = pud_alloc_one(NULL, 0); ++ if (!pud) { ++ free_page((unsigned long)efi_pgd); ++ return -ENOMEM; ++ } ++ ++ pgd_populate(NULL, pgd, pud); ++ ++ return 0; ++} ++ + /* + * Add low kernel mappings for passing arguments to EFI functions. + */ + void efi_sync_low_kernel_mappings(void) + { +- unsigned num_pgds; +- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); ++ unsigned num_entries; ++ pgd_t *pgd_k, *pgd_efi; ++ pud_t *pud_k, *pud_efi; + + if (efi_enabled(EFI_OLD_MEMMAP)) + return; + +- num_pgds = pgd_index(MODULES_END - 1) - pgd_index(PAGE_OFFSET); ++ /* ++ * We can share all PGD entries apart from the one entry that ++ * covers the EFI runtime mapping space. ++ * ++ * Make sure the EFI runtime region mappings are guaranteed to ++ * only span a single PGD entry and that the entry also maps ++ * other important kernel regions. ++ */ ++ BUILD_BUG_ON(pgd_index(EFI_VA_END) != pgd_index(MODULES_END)); ++ BUILD_BUG_ON((EFI_VA_START & PGDIR_MASK) != ++ (EFI_VA_END & PGDIR_MASK)); ++ ++ pgd_efi = efi_pgd + pgd_index(PAGE_OFFSET); ++ pgd_k = pgd_offset_k(PAGE_OFFSET); + +- memcpy(pgd + pgd_index(PAGE_OFFSET), +- init_mm.pgd + pgd_index(PAGE_OFFSET), +- sizeof(pgd_t) * num_pgds); ++ num_entries = pgd_index(EFI_VA_END) - pgd_index(PAGE_OFFSET); ++ memcpy(pgd_efi, pgd_k, sizeof(pgd_t) * num_entries); ++ ++ /* ++ * We share all the PUD entries apart from those that map the ++ * EFI regions. Copy around them. ++ */ ++ BUILD_BUG_ON((EFI_VA_START & ~PUD_MASK) != 0); ++ BUILD_BUG_ON((EFI_VA_END & ~PUD_MASK) != 0); ++ ++ pgd_efi = efi_pgd + pgd_index(EFI_VA_END); ++ pud_efi = pud_offset(pgd_efi, 0); ++ ++ pgd_k = pgd_offset_k(EFI_VA_END); ++ pud_k = pud_offset(pgd_k, 0); ++ ++ num_entries = pud_index(EFI_VA_END); ++ memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries); ++ ++ pud_efi = pud_offset(pgd_efi, EFI_VA_START); ++ pud_k = pud_offset(pgd_k, EFI_VA_START); ++ ++ num_entries = PTRS_PER_PUD - pud_index(EFI_VA_START); ++ memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries); + } + + int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + { +- unsigned long text; ++ unsigned long pfn, text; + struct page *page; + unsigned npages; + pgd_t *pgd; +@@ -151,8 +220,8 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + if (efi_enabled(EFI_OLD_MEMMAP)) + return 0; + +- efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd; +- pgd = __va(efi_scratch.efi_pgt); ++ efi_scratch.efi_pgt = (pgd_t *)__pa(efi_pgd); ++ pgd = efi_pgd; + + /* + * It can happen that the physical address of new_memmap lands in memory +@@ -160,7 +229,8 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + * and ident-map those pages containing the map before calling + * phys_efi_set_virtual_address_map(). + */ +- if (kernel_map_pages_in_pgd(pgd, pa_memmap, pa_memmap, num_pages, _PAGE_NX)) { ++ pfn = pa_memmap >> PAGE_SHIFT; ++ if (kernel_map_pages_in_pgd(pgd, pfn, pa_memmap, num_pages, _PAGE_NX)) { + pr_err("Error ident-mapping new memmap (0x%lx)!\n", pa_memmap); + return 1; + } +@@ -185,8 +255,9 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + + npages = (_end - _text) >> PAGE_SHIFT; + text = __pa(_text); ++ pfn = text >> PAGE_SHIFT; + +- if (kernel_map_pages_in_pgd(pgd, text >> PAGE_SHIFT, text, npages, 0)) { ++ if (kernel_map_pages_in_pgd(pgd, pfn, text, npages, 0)) { + pr_err("Failed to map kernel text 1:1\n"); + return 1; + } +@@ -196,20 +267,20 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + + void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages) + { +- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); +- +- kernel_unmap_pages_in_pgd(pgd, pa_memmap, num_pages); ++ kernel_unmap_pages_in_pgd(efi_pgd, pa_memmap, num_pages); + } + + static void __init __map_region(efi_memory_desc_t *md, u64 va) + { +- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); +- unsigned long pf = 0; ++ unsigned long flags = 0; ++ unsigned long pfn; ++ pgd_t *pgd = efi_pgd; + + if (!(md->attribute & EFI_MEMORY_WB)) +- pf |= _PAGE_PCD; ++ flags |= _PAGE_PCD; + +- if (kernel_map_pages_in_pgd(pgd, md->phys_addr, va, md->num_pages, pf)) ++ pfn = md->phys_addr >> PAGE_SHIFT; ++ if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags)) + pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n", + md->phys_addr, va); + } +@@ -312,9 +383,7 @@ void __init efi_runtime_mkexec(void) + void __init efi_dump_pagetable(void) + { + #ifdef CONFIG_EFI_PGT_DUMP +- pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); +- +- ptdump_walk_pgd_level(NULL, pgd); ++ ptdump_walk_pgd_level(NULL, efi_pgd); + #endif + } + +diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S +index 86d0f9e08dd9..32020cb8bb08 100644 +--- a/arch/x86/platform/efi/efi_stub_64.S ++++ b/arch/x86/platform/efi/efi_stub_64.S +@@ -38,41 +38,6 @@ + mov %rsi, %cr0; \ + mov (%rsp), %rsp + +- /* stolen from gcc */ +- .macro FLUSH_TLB_ALL +- movq %r15, efi_scratch(%rip) +- movq %r14, efi_scratch+8(%rip) +- movq %cr4, %r15 +- movq %r15, %r14 +- andb $0x7f, %r14b +- movq %r14, %cr4 +- movq %r15, %cr4 +- movq efi_scratch+8(%rip), %r14 +- movq efi_scratch(%rip), %r15 +- .endm +- +- .macro SWITCH_PGT +- cmpb $0, efi_scratch+24(%rip) +- je 1f +- movq %r15, efi_scratch(%rip) # r15 +- # save previous CR3 +- movq %cr3, %r15 +- movq %r15, efi_scratch+8(%rip) # prev_cr3 +- movq efi_scratch+16(%rip), %r15 # EFI pgt +- movq %r15, %cr3 +- 1: +- .endm +- +- .macro RESTORE_PGT +- cmpb $0, efi_scratch+24(%rip) +- je 2f +- movq efi_scratch+8(%rip), %r15 +- movq %r15, %cr3 +- movq efi_scratch(%rip), %r15 +- FLUSH_TLB_ALL +- 2: +- .endm +- + ENTRY(efi_call) + SAVE_XMM + mov (%rsp), %rax +@@ -83,16 +48,8 @@ ENTRY(efi_call) + mov %r8, %r9 + mov %rcx, %r8 + mov %rsi, %rcx +- SWITCH_PGT + call *%rdi +- RESTORE_PGT + addq $48, %rsp + RESTORE_XMM + ret + ENDPROC(efi_call) +- +- .data +-ENTRY(efi_scratch) +- .fill 3,8,0 +- .byte 0 +- .quad 0 +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 5ab6fa9cfc2f..5e8c07abf2e7 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2237,8 +2237,8 @@ static void ata_eh_link_autopsy(struct ata_link *link) + if (dev->flags & ATA_DFLAG_DUBIOUS_XFER) + eflags |= ATA_EFLAG_DUBIOUS_XFER; + ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask); ++ trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask); + } +- trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask); + DPRINTK("EXIT\n"); + } + +diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c +index 0a1df821860f..6fe6e08479e6 100644 +--- a/drivers/clk/ti/clk-dra7-atl.c ++++ b/drivers/clk/ti/clk-dra7-atl.c +@@ -264,7 +264,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev) + + /* Get configuration for the ATL instances */ + snprintf(prop, sizeof(prop), "atl%u", i); +- cfg_node = of_find_node_by_name(node, prop); ++ cfg_node = of_get_child_by_name(node, prop); + if (cfg_node) { + ret = of_property_read_u32(cfg_node, "bws", + &cdesc->bws); +@@ -277,6 +277,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev) + atl_write(cinfo, DRA7_ATL_AWSMUX_REG(i), + cdesc->aws); + } ++ of_node_put(cfg_node); + } + + cdesc->probed = true; +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index 1f2c86d81176..91231143d991 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -237,38 +237,6 @@ err_put: + subsys_initcall(efisubsys_init); + + +-/* +- * We can't ioremap data in EFI boot services RAM, because we've already mapped +- * it as RAM. So, look it up in the existing EFI memory map instead. Only +- * callable after efi_enter_virtual_mode and before efi_free_boot_services. +- */ +-void __iomem *efi_lookup_mapped_addr(u64 phys_addr) +-{ +- struct efi_memory_map *map; +- void *p; +- map = efi.memmap; +- if (!map) +- return NULL; +- if (WARN_ON(!map->map)) +- return NULL; +- for (p = map->map; p < map->map_end; p += map->desc_size) { +- efi_memory_desc_t *md = p; +- u64 size = md->num_pages << EFI_PAGE_SHIFT; +- u64 end = md->phys_addr + size; +- if (!(md->attribute & EFI_MEMORY_RUNTIME) && +- md->type != EFI_BOOT_SERVICES_CODE && +- md->type != EFI_BOOT_SERVICES_DATA) +- continue; +- if (!md->virt_addr) +- continue; +- if (phys_addr >= md->phys_addr && phys_addr < end) { +- phys_addr += md->virt_addr - md->phys_addr; +- return (__force void __iomem *)(unsigned long)phys_addr; +- } +- } +- return NULL; +-} +- + static __initdata efi_config_table_type_t common_tables[] = { + {ACPI_20_TABLE_GUID, "ACPI 2.0", &efi.acpi20}, + {ACPI_TABLE_GUID, "ACPI", &efi.acpi}, +diff --git a/drivers/gpu/drm/armada/Makefile b/drivers/gpu/drm/armada/Makefile +index d6f43e06150a..c9c619727806 100644 +--- a/drivers/gpu/drm/armada/Makefile ++++ b/drivers/gpu/drm/armada/Makefile +@@ -5,3 +5,5 @@ armada-y += armada_510.o + armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o + + obj-$(CONFIG_DRM_ARMADA) := armada.o ++ ++CFLAGS_armada_trace.o := -I$(src) +diff --git a/drivers/gpu/drm/i915/intel_i2c.c b/drivers/gpu/drm/i915/intel_i2c.c +index ae628001fd97..b4891066a369 100644 +--- a/drivers/gpu/drm/i915/intel_i2c.c ++++ b/drivers/gpu/drm/i915/intel_i2c.c +@@ -394,7 +394,9 @@ static bool + gmbus_is_index_read(struct i2c_msg *msgs, int i, int num) + { + return (i + 1 < num && +- !(msgs[i].flags & I2C_M_RD) && msgs[i].len <= 2 && ++ msgs[i].addr == msgs[i + 1].addr && ++ !(msgs[i].flags & I2C_M_RD) && ++ (msgs[i].len == 1 || msgs[i].len == 2) && + (msgs[i + 1].flags & I2C_M_RD)); + } + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 30904a9b2a4c..91848659b38e 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -352,6 +352,7 @@ static int panel_simple_remove(struct device *dev) + drm_panel_remove(&panel->base); + + panel_simple_disable(&panel->base); ++ panel_simple_unprepare(&panel->base); + + if (panel->ddc) + put_device(&panel->ddc->dev); +@@ -367,6 +368,7 @@ static void panel_simple_shutdown(struct device *dev) + struct panel_simple *panel = dev_get_drvdata(dev); + + panel_simple_disable(&panel->base); ++ panel_simple_unprepare(&panel->base); + } + + static const struct drm_display_mode ampire_am800480r3tmqwa1h_mode = { +diff --git a/drivers/iio/light/cm3232.c b/drivers/iio/light/cm3232.c +index 39c8d99cc48e..02107ccf57a1 100644 +--- a/drivers/iio/light/cm3232.c ++++ b/drivers/iio/light/cm3232.c +@@ -119,7 +119,7 @@ static int cm3232_reg_init(struct cm3232_chip *chip) + if (ret < 0) + dev_err(&chip->client->dev, "Error writing reg_cmd\n"); + +- return 0; ++ return ret; + } + + /** +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index b60fde9d9878..18e688d68e66 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -670,12 +670,19 @@ static void srp_path_rec_completion(int status, + static int srp_lookup_path(struct srp_rdma_ch *ch) + { + struct srp_target_port *target = ch->target; +- int ret; ++ int ret = -ENODEV; + + ch->path.numb_path = 1; + + init_completion(&ch->done); + ++ /* ++ * Avoid that the SCSI host can be removed by srp_remove_target() ++ * before srp_path_rec_completion() is called. ++ */ ++ if (!scsi_host_get(target->scsi_host)) ++ goto out; ++ + ch->path_query_id = ib_sa_path_rec_get(&srp_sa_client, + target->srp_host->srp_dev->dev, + target->srp_host->port, +@@ -689,18 +696,24 @@ static int srp_lookup_path(struct srp_rdma_ch *ch) + GFP_KERNEL, + srp_path_rec_completion, + ch, &ch->path_query); +- if (ch->path_query_id < 0) +- return ch->path_query_id; ++ ret = ch->path_query_id; ++ if (ret < 0) ++ goto put; + + ret = wait_for_completion_interruptible(&ch->done); + if (ret < 0) +- return ret; ++ goto put; + +- if (ch->status < 0) ++ ret = ch->status; ++ if (ret < 0) + shost_printk(KERN_WARNING, target->scsi_host, + PFX "Path record query failed\n"); + +- return ch->status; ++put: ++ scsi_host_put(target->scsi_host); ++ ++out: ++ return ret; + } + + static int srp_send_req(struct srp_rdma_ch *ch, bool multich) +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 27e5b0090e40..416cd07ab87a 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -3516,7 +3516,7 @@ static int srpt_parse_i_port_id(u8 i_port_id[16], const char *name) + { + const char *p; + unsigned len, count, leading_zero_bytes; +- int ret, rc; ++ int ret; + + p = name; + if (strncasecmp(p, "0x", 2) == 0) +@@ -3528,10 +3528,9 @@ static int srpt_parse_i_port_id(u8 i_port_id[16], const char *name) + count = min(len / 2, 16U); + leading_zero_bytes = 16 - count; + memset(i_port_id, 0, leading_zero_bytes); +- rc = hex2bin(i_port_id + leading_zero_bytes, p, count); +- if (rc < 0) +- pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc); +- ret = 0; ++ ret = hex2bin(i_port_id + leading_zero_bytes, p, count); ++ if (ret < 0) ++ pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret); + out: + return ret; + } +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index 8eeab72b93e2..4d46f2ce606f 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca, unsigned reserve, bool wait) + + finish_wait(&ca->set->bucket_wait, &w); + out: +- wake_up_process(ca->alloc_thread); ++ if (ca->alloc_thread) ++ wake_up_process(ca->alloc_thread); + + trace_bcache_alloc(ca, reserve); + +@@ -478,7 +479,7 @@ int __bch_bucket_alloc_set(struct cache_set *c, unsigned reserve, + if (b == -1) + goto err; + +- k->ptr[i] = PTR(ca->buckets[b].gen, ++ k->ptr[i] = MAKE_PTR(ca->buckets[b].gen, + bucket_to_sector(c, b), + ca->sb.nr_this_dev); + +diff --git a/drivers/md/bcache/extents.c b/drivers/md/bcache/extents.c +index 243de0bf15cd..4bf15182c4da 100644 +--- a/drivers/md/bcache/extents.c ++++ b/drivers/md/bcache/extents.c +@@ -584,7 +584,7 @@ static bool bch_extent_merge(struct btree_keys *bk, struct bkey *l, struct bkey + return false; + + for (i = 0; i < KEY_PTRS(l); i++) +- if (l->ptr[i] + PTR(0, KEY_SIZE(l), 0) != r->ptr[i] || ++ if (l->ptr[i] + MAKE_PTR(0, KEY_SIZE(l), 0) != r->ptr[i] || + PTR_BUCKET_NR(b->c, l, i) != PTR_BUCKET_NR(b->c, r, i)) + return false; + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index fe080ad0e558..6fb47a2a3d9d 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -508,7 +508,7 @@ static void journal_reclaim(struct cache_set *c) + continue; + + ja->cur_idx = next; +- k->ptr[n++] = PTR(0, ++ k->ptr[n++] = MAKE_PTR(0, + bucket_to_sector(c, ca->sb.d[ja->cur_idx]), + ca->sb.nr_this_dev); + } +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index 4520bca6dc3f..51dc353f7962 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -922,7 +922,8 @@ static void __get_memory_limit(struct dm_bufio_client *c, + buffers = c->minimum_buffers; + + *limit_buffers = buffers; +- *threshold_buffers = buffers * DM_BUFIO_WRITEBACK_PERCENT / 100; ++ *threshold_buffers = mult_frac(buffers, ++ DM_BUFIO_WRITEBACK_PERCENT, 100); + } + + /* +@@ -1823,19 +1824,15 @@ static int __init dm_bufio_init(void) + memset(&dm_bufio_caches, 0, sizeof dm_bufio_caches); + memset(&dm_bufio_cache_names, 0, sizeof dm_bufio_cache_names); + +- mem = (__u64)((totalram_pages - totalhigh_pages) * +- DM_BUFIO_MEMORY_PERCENT / 100) << PAGE_SHIFT; ++ mem = (__u64)mult_frac(totalram_pages - totalhigh_pages, ++ DM_BUFIO_MEMORY_PERCENT, 100) << PAGE_SHIFT; + + if (mem > ULONG_MAX) + mem = ULONG_MAX; + + #ifdef CONFIG_MMU +- /* +- * Get the size of vmalloc space the same way as VMALLOC_TOTAL +- * in fs/proc/internal.h +- */ +- if (mem > (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100) +- mem = (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100; ++ if (mem > mult_frac(VMALLOC_TOTAL, DM_BUFIO_VMALLOC_PERCENT, 100)) ++ mem = mult_frac(VMALLOC_TOTAL, DM_BUFIO_VMALLOC_PERCENT, 100); + #endif + + dm_bufio_default_cache_size = mem; +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 87de9a0848b7..d192ab2ed17c 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -3516,11 +3516,15 @@ struct mapped_device *dm_get_from_kobject(struct kobject *kobj) + + md = container_of(kobj, struct mapped_device, kobj_holder.kobj); + +- if (test_bit(DMF_FREEING, &md->flags) || +- dm_deleting_md(md)) +- return NULL; +- ++ spin_lock(&_minor_lock); ++ if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) { ++ md = NULL; ++ goto out; ++ } + dm_get(md); ++out: ++ spin_unlock(&_minor_lock); ++ + return md; + } + +diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c +index 4795c31ceebc..d2c1b340cf67 100644 +--- a/drivers/media/rc/ir-lirc-codec.c ++++ b/drivers/media/rc/ir-lirc-codec.c +@@ -289,11 +289,14 @@ static long ir_lirc_ioctl(struct file *filep, unsigned int cmd, + if (!dev->max_timeout) + return -ENOSYS; + ++ /* Check for multiply overflow */ ++ if (val > U32_MAX / 1000) ++ return -EINVAL; ++ + tmp = val * 1000; + +- if (tmp < dev->min_timeout || +- tmp > dev->max_timeout) +- return -EINVAL; ++ if (tmp < dev->min_timeout || tmp > dev->max_timeout) ++ return -EINVAL; + + dev->timeout = tmp; + break; +diff --git a/drivers/media/usb/as102/as102_fw.c b/drivers/media/usb/as102/as102_fw.c +index 07d08c49f4d4..b2e16bb67572 100644 +--- a/drivers/media/usb/as102/as102_fw.c ++++ b/drivers/media/usb/as102/as102_fw.c +@@ -101,18 +101,23 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap, + unsigned char *cmd, + const struct firmware *firmware) { + +- struct as10x_fw_pkt_t fw_pkt; ++ struct as10x_fw_pkt_t *fw_pkt; + int total_read_bytes = 0, errno = 0; + unsigned char addr_has_changed = 0; + ++ fw_pkt = kmalloc(sizeof(*fw_pkt), GFP_KERNEL); ++ if (!fw_pkt) ++ return -ENOMEM; ++ ++ + for (total_read_bytes = 0; total_read_bytes < firmware->size; ) { + int read_bytes = 0, data_len = 0; + + /* parse intel hex line */ + read_bytes = parse_hex_line( + (u8 *) (firmware->data + total_read_bytes), +- fw_pkt.raw.address, +- fw_pkt.raw.data, ++ fw_pkt->raw.address, ++ fw_pkt->raw.data, + &data_len, + &addr_has_changed); + +@@ -122,28 +127,28 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap, + /* detect the end of file */ + total_read_bytes += read_bytes; + if (total_read_bytes == firmware->size) { +- fw_pkt.u.request[0] = 0x00; +- fw_pkt.u.request[1] = 0x03; ++ fw_pkt->u.request[0] = 0x00; ++ fw_pkt->u.request[1] = 0x03; + + /* send EOF command */ + errno = bus_adap->ops->upload_fw_pkt(bus_adap, + (uint8_t *) +- &fw_pkt, 2, 0); ++ fw_pkt, 2, 0); + if (errno < 0) + goto error; + } else { + if (!addr_has_changed) { + /* prepare command to send */ +- fw_pkt.u.request[0] = 0x00; +- fw_pkt.u.request[1] = 0x01; ++ fw_pkt->u.request[0] = 0x00; ++ fw_pkt->u.request[1] = 0x01; + +- data_len += sizeof(fw_pkt.u.request); +- data_len += sizeof(fw_pkt.raw.address); ++ data_len += sizeof(fw_pkt->u.request); ++ data_len += sizeof(fw_pkt->raw.address); + + /* send cmd to device */ + errno = bus_adap->ops->upload_fw_pkt(bus_adap, + (uint8_t *) +- &fw_pkt, ++ fw_pkt, + data_len, + 0); + if (errno < 0) +@@ -152,6 +157,7 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap, + } + } + error: ++ kfree(fw_pkt); + return (errno == 0) ? total_read_bytes : errno; + } + +diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c +index 3503fcef7b51..2b437d89d32c 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1636,7 +1636,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface, + nr = dev->devno; + + assoc_desc = udev->actconfig->intf_assoc[0]; +- if (assoc_desc->bFirstInterface != ifnum) { ++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) { + dev_err(d, "Not found matching IAD interface\n"); + retval = -ENODEV; + goto err_if; +diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c +index e3a3468002e6..a8423943ffe4 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -1198,6 +1198,16 @@ void v4l2_ctrl_fill(u32 id, const char **name, enum v4l2_ctrl_type *type, + } + EXPORT_SYMBOL(v4l2_ctrl_fill); + ++static u32 user_flags(const struct v4l2_ctrl *ctrl) ++{ ++ u32 flags = ctrl->flags; ++ ++ if (ctrl->is_ptr) ++ flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD; ++ ++ return flags; ++} ++ + static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes) + { + memset(ev->reserved, 0, sizeof(ev->reserved)); +@@ -1205,7 +1215,7 @@ static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 change + ev->id = ctrl->id; + ev->u.ctrl.changes = changes; + ev->u.ctrl.type = ctrl->type; +- ev->u.ctrl.flags = ctrl->flags; ++ ev->u.ctrl.flags = user_flags(ctrl); + if (ctrl->is_ptr) + ev->u.ctrl.value64 = 0; + else +@@ -2549,10 +2559,8 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl_handler *hdl, struct v4l2_query_ext_ctr + else + qc->id = ctrl->id; + strlcpy(qc->name, ctrl->name, sizeof(qc->name)); +- qc->flags = ctrl->flags; ++ qc->flags = user_flags(ctrl); + qc->type = ctrl->type; +- if (ctrl->is_ptr) +- qc->flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD; + qc->elem_size = ctrl->elem_size; + qc->elems = ctrl->elems; + qc->nr_of_dims = ctrl->nr_of_dims; +diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c +index 2d3db81be099..b3b69f0e0dd7 100644 +--- a/drivers/misc/eeprom/at24.c ++++ b/drivers/misc/eeprom/at24.c +@@ -275,6 +275,9 @@ static ssize_t at24_read(struct at24_data *at24, + if (unlikely(!count)) + return count; + ++ if (off + count > at24->chip.byte_len) ++ return -EINVAL; ++ + /* + * Read data from chip, protecting against concurrent updates + * from this host, but not from other I2C masters. +@@ -329,6 +332,9 @@ static ssize_t at24_eeprom_write(struct at24_data *at24, const char *buf, + unsigned long timeout, write_time; + unsigned next_page; + ++ if (offset + count > at24->chip.byte_len) ++ return -EINVAL; ++ + /* Get corresponding I2C address and adjust offset */ + client = at24_translate_offset(at24, &offset); + +diff --git a/drivers/mmc/core/bus.c b/drivers/mmc/core/bus.c +index 972ff844cf5a..cf7c7bc1e940 100644 +--- a/drivers/mmc/core/bus.c ++++ b/drivers/mmc/core/bus.c +@@ -155,6 +155,9 @@ static int mmc_bus_suspend(struct device *dev) + return ret; + + ret = host->bus_ops->suspend(host); ++ if (ret) ++ pm_generic_resume(dev); ++ + return ret; + } + +diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c +index fa5cd51cba38..f84113fc7cb7 100644 +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -2518,15 +2518,18 @@ static int panic_nand_write(struct mtd_info *mtd, loff_t to, size_t len, + size_t *retlen, const uint8_t *buf) + { + struct nand_chip *chip = mtd->priv; ++ int chipnr = (int)(to >> chip->chip_shift); + struct mtd_oob_ops ops; + int ret; + +- /* Wait for the device to get ready */ +- panic_nand_wait(mtd, chip, 400); +- + /* Grab the device */ + panic_nand_get_device(chip, mtd, FL_WRITING); + ++ chip->select_chip(mtd, chipnr); ++ ++ /* Wait for the device to get ready */ ++ panic_nand_wait(mtd, chip, 400); ++ + memset(&ops, 0, sizeof(ops)); + ops.len = len; + ops.datbuf = (uint8_t *)buf; +diff --git a/drivers/net/ethernet/3com/typhoon.c b/drivers/net/ethernet/3com/typhoon.c +index 8f8418d2ac4a..a0012c3cb4f6 100644 +--- a/drivers/net/ethernet/3com/typhoon.c ++++ b/drivers/net/ethernet/3com/typhoon.c +@@ -2366,9 +2366,9 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + * 4) Get the hardware address. + * 5) Put the card to sleep. + */ +- if (typhoon_reset(ioaddr, WaitSleep) < 0) { ++ err = typhoon_reset(ioaddr, WaitSleep); ++ if (err < 0) { + err_msg = "could not reset 3XP"; +- err = -EIO; + goto error_out_dma; + } + +@@ -2382,24 +2382,25 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + typhoon_init_interface(tp); + typhoon_init_rings(tp); + +- if(typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST) < 0) { ++ err = typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST); ++ if (err < 0) { + err_msg = "cannot boot 3XP sleep image"; +- err = -EIO; + goto error_out_reset; + } + + INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_MAC_ADDRESS); +- if(typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp) < 0) { ++ err = typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp); ++ if (err < 0) { + err_msg = "cannot read MAC address"; +- err = -EIO; + goto error_out_reset; + } + + *(__be16 *)&dev->dev_addr[0] = htons(le16_to_cpu(xp_resp[0].parm1)); + *(__be32 *)&dev->dev_addr[2] = htonl(le32_to_cpu(xp_resp[0].parm2)); + +- if(!is_valid_ether_addr(dev->dev_addr)) { ++ if (!is_valid_ether_addr(dev->dev_addr)) { + err_msg = "Could not obtain valid ethernet address, aborting"; ++ err = -EIO; + goto error_out_reset; + } + +@@ -2407,7 +2408,8 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + * later when we print out the version reported. + */ + INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_VERSIONS); +- if(typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp) < 0) { ++ err = typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp); ++ if (err < 0) { + err_msg = "Could not get Sleep Image version"; + goto error_out_reset; + } +@@ -2424,9 +2426,9 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if(xp_resp[0].numDesc != 0) + tp->capabilities |= TYPHOON_WAKEUP_NEEDS_RESET; + +- if(typhoon_sleep(tp, PCI_D3hot, 0) < 0) { ++ err = typhoon_sleep(tp, PCI_D3hot, 0); ++ if (err < 0) { + err_msg = "cannot put adapter to sleep"; +- err = -EIO; + goto error_out_reset; + } + +@@ -2449,7 +2451,8 @@ typhoon_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + dev->features = dev->hw_features | + NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_RXCSUM; + +- if(register_netdev(dev) < 0) { ++ err = register_netdev(dev); ++ if (err < 0) { + err_msg = "unable to register netdev"; + goto error_out_reset; + } +diff --git a/drivers/net/ethernet/intel/e1000e/mac.c b/drivers/net/ethernet/intel/e1000e/mac.c +index 30b74d590bee..1c9cb53c25a3 100644 +--- a/drivers/net/ethernet/intel/e1000e/mac.c ++++ b/drivers/net/ethernet/intel/e1000e/mac.c +@@ -410,6 +410,9 @@ void e1000e_clear_hw_cntrs_base(struct e1000_hw *hw) + * Checks to see of the link status of the hardware has changed. If a + * change in link status has been detected, then we read the PHY registers + * to get the current speed/duplex if link exists. ++ * ++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link ++ * up). + **/ + s32 e1000e_check_for_copper_link(struct e1000_hw *hw) + { +@@ -423,7 +426,7 @@ s32 e1000e_check_for_copper_link(struct e1000_hw *hw) + * Change or Rx Sequence Error interrupt. + */ + if (!mac->get_link_status) +- return 0; ++ return 1; + + /* First we want to see if the MII Status Register reports + * link. If so, then we want to get the current speed/duplex +@@ -461,10 +464,12 @@ s32 e1000e_check_for_copper_link(struct e1000_hw *hw) + * different link partner. + */ + ret_val = e1000e_config_fc_after_link_up(hw); +- if (ret_val) ++ if (ret_val) { + e_dbg("Error configuring flow control\n"); ++ return ret_val; ++ } + +- return ret_val; ++ return 1; + } + + /** +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 68913d103542..39e9d7db23df 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -4866,7 +4866,7 @@ static bool e1000e_has_link(struct e1000_adapter *adapter) + case e1000_media_type_copper: + if (hw->mac.get_link_status) { + ret_val = hw->mac.ops.check_for_link(hw); +- link_active = !hw->mac.get_link_status; ++ link_active = ret_val > 0; + } else { + link_active = true; + } +@@ -4884,7 +4884,7 @@ static bool e1000e_has_link(struct e1000_adapter *adapter) + break; + } + +- if ((ret_val == E1000_ERR_PHY) && (hw->phy.type == e1000_phy_igp_3) && ++ if ((ret_val == -E1000_ERR_PHY) && (hw->phy.type == e1000_phy_igp_3) && + (er32(CTRL) & E1000_PHY_CTRL_GBE_DISABLE)) { + /* See e1000_kmrn_lock_loss_workaround_ich8lan() */ + e_info("Gigabit has been disabled, downgrading speed\n"); +diff --git a/drivers/net/ethernet/intel/e1000e/phy.c b/drivers/net/ethernet/intel/e1000e/phy.c +index b2005e13fb01..0963aa2d5e45 100644 +--- a/drivers/net/ethernet/intel/e1000e/phy.c ++++ b/drivers/net/ethernet/intel/e1000e/phy.c +@@ -1744,6 +1744,7 @@ s32 e1000e_phy_has_link_generic(struct e1000_hw *hw, u32 iterations, + s32 ret_val = 0; + u16 i, phy_status; + ++ *success = false; + for (i = 0; i < iterations; i++) { + /* Some PHYs require the MII_BMSR register to be read + * twice due to the link bit being sticky. No harm doing +@@ -1763,16 +1764,16 @@ s32 e1000e_phy_has_link_generic(struct e1000_hw *hw, u32 iterations, + ret_val = e1e_rphy(hw, MII_BMSR, &phy_status); + if (ret_val) + break; +- if (phy_status & BMSR_LSTATUS) ++ if (phy_status & BMSR_LSTATUS) { ++ *success = true; + break; ++ } + if (usec_interval >= 1000) + msleep(usec_interval / 1000); + else + udelay(usec_interval); + } + +- *success = (i < iterations); +- + return ret_val; + } + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +index c9da1b5d4804..ae0b9300ab08 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +@@ -1239,7 +1239,7 @@ static bool fm10k_clean_tx_irq(struct fm10k_q_vector *q_vector, + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->flags & FM10K_TXD_FLAG_DONE)) +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 5b5bea159bd5..13e0cf90e567 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -3283,7 +3283,7 @@ static bool i40e_clean_fdir_tx_irq(struct i40e_ring *tx_ring, int budget) + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if the descriptor isn't done, no work yet to do */ + if (!(eop_desc->cmd_type_offset_bsz & +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 9d95042d5a0f..c1e8303062de 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -712,7 +712,7 @@ static bool i40e_clean_tx_irq(struct i40e_ring *tx_ring, int budget) + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +diff --git a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c +index 458fbb421090..1045ba3a554d 100644 +--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c +@@ -231,7 +231,7 @@ static bool i40e_clean_tx_irq(struct i40e_ring *tx_ring, int budget) + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b5a8a5e40870..34f15f56b2a1 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6427,7 +6427,7 @@ static bool igb_clean_tx_irq(struct igb_q_vector *q_vector) + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD))) +diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c +index 95af14e139d7..70f8f743a416 100644 +--- a/drivers/net/ethernet/intel/igbvf/netdev.c ++++ b/drivers/net/ethernet/intel/igbvf/netdev.c +@@ -808,7 +808,7 @@ static bool igbvf_clean_tx_irq(struct igbvf_ring *tx_ring) + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD))) +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 2462b3c5fa40..e9762d0079eb 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -1100,7 +1100,7 @@ static bool ixgbe_clean_tx_irq(struct ixgbe_q_vector *q_vector, + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD))) +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 1d7b00b038a2..80029560dd11 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -312,7 +312,7 @@ static bool ixgbevf_clean_tx_irq(struct ixgbevf_q_vector *q_vector, + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD))) +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 56e0a1de0c37..6757d9c63bf2 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3118,7 +3118,8 @@ static int ath10k_mac_txpower_recalc(struct ath10k *ar) + lockdep_assert_held(&ar->conf_mutex); + + list_for_each_entry(arvif, &ar->arvifs, list) { +- WARN_ON(arvif->txpower < 0); ++ if (arvif->txpower <= 0) ++ continue; + + if (txpower == -1) + txpower = arvif->txpower; +@@ -3126,8 +3127,8 @@ static int ath10k_mac_txpower_recalc(struct ath10k *ar) + txpower = min(txpower, arvif->txpower); + } + +- if (WARN_ON(txpower == -1)) +- return -EINVAL; ++ if (txpower == -1) ++ return 0; + + ret = ath10k_mac_txpower_setup(ar, txpower); + if (ret) { +diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +index ee0c5f602e29..87638a6e7388 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -953,8 +953,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar, + struct ath10k_fw_stats_pdev *dst; + + src = data; +- if (data_len < sizeof(*src)) ++ if (data_len < sizeof(*src)) { ++ kfree(tb); + return -EPROTO; ++ } + + data += sizeof(*src); + data_len -= sizeof(*src); +@@ -974,8 +976,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar, + struct ath10k_fw_stats_vdev *dst; + + src = data; +- if (data_len < sizeof(*src)) ++ if (data_len < sizeof(*src)) { ++ kfree(tb); + return -EPROTO; ++ } + + data += sizeof(*src); + data_len -= sizeof(*src); +@@ -993,8 +997,10 @@ static int ath10k_wmi_tlv_op_pull_fw_stats(struct ath10k *ar, + struct ath10k_fw_stats_peer *dst; + + src = data; +- if (data_len < sizeof(*src)) ++ if (data_len < sizeof(*src)) { ++ kfree(tb); + return -EPROTO; ++ } + + data += sizeof(*src); + data_len -= sizeof(*src); +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 3c4e709cf9a1..5754d7b48c1f 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1319,8 +1319,16 @@ static void program_hpp_type0(struct pci_dev *dev, struct hpp_type0 *hpp) + + static void program_hpp_type1(struct pci_dev *dev, struct hpp_type1 *hpp) + { +- if (hpp) +- dev_warn(&dev->dev, "PCI-X settings not supported\n"); ++ int pos; ++ ++ if (!hpp) ++ return; ++ ++ pos = pci_find_capability(dev, PCI_CAP_ID_PCIX); ++ if (!pos) ++ return; ++ ++ dev_warn(&dev->dev, "PCI-X settings not supported\n"); + } + + static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp) +@@ -1331,6 +1339,9 @@ static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp) + if (!hpp) + return; + ++ if (!pci_is_pcie(dev)) ++ return; ++ + if (hpp->revision > 1) { + dev_warn(&dev->dev, "PCIe settings rev %d not supported\n", + hpp->revision); +diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c +index a2b7ae3329c0..9fe1d5793cee 100644 +--- a/drivers/staging/iio/cdc/ad7150.c ++++ b/drivers/staging/iio/cdc/ad7150.c +@@ -275,7 +275,7 @@ static int ad7150_write_event_config(struct iio_dev *indio_dev, + error_ret: + mutex_unlock(&chip->state_lock); + +- return 0; ++ return ret; + } + + static int ad7150_read_event_value(struct iio_dev *indio_dev, +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 89d01943ca93..8df1ff3766c4 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1919,12 +1919,14 @@ attach: + + if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) { + int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn); +- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) ++ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) { + out_of_order_cmdsn = 1; +- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) ++ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) { ++ target_put_sess_cmd(&cmd->se_cmd); + return 0; +- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) ++ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) { + return -1; ++ } + } + iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn)); + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 2209040bff95..46ae8d258669 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -862,6 +862,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_cmd *cmd, bool write, + struct scatterlist *sg, int sg_count) + { + size_t off = iter->iov_offset; ++ struct scatterlist *p = sg; + int i, ret; + + for (i = 0; i < iter->nr_segs; i++) { +@@ -870,8 +871,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_cmd *cmd, bool write, + + ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write); + if (ret < 0) { +- for (i = 0; i < sg_count; i++) { +- struct page *page = sg_page(&sg[i]); ++ while (p < sg) { ++ struct page *page = sg_page(p++); + if (page) + put_page(page); + } +diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c +index 0e0eb10f82a0..816a0e08ef10 100644 +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsigned msg_type, + rc = -ENOMEM; + goto out; + } +- } else if (msg_type == XS_TRANSACTION_END) { ++ } else if (u->u.msg.tx_id != 0) { + list_for_each_entry(trans, &u->transactions, list) + if (trans->handle.id == u->u.msg.tx_id) + break; +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index 99c3c4ffe1d9..2df79195652b 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode *inode, void *data) + + if (v9inode->qid.type != st->qid.type) + return 0; ++ ++ if (v9inode->qid.path != st->qid.path) ++ return 0; + return 1; + } + +diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c +index ce7ab92f7e84..095424bfab5e 100644 +--- a/fs/9p/vfs_inode_dotl.c ++++ b/fs/9p/vfs_inode_dotl.c +@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct inode *inode, void *data) + + if (v9inode->qid.type != st->qid.type) + return 0; ++ ++ if (v9inode->qid.path != st->qid.path) ++ return 0; + return 1; + } + +diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c +index 35b755e79c2d..fe6e7050fe50 100644 +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -87,7 +87,8 @@ static int autofs4_write(struct autofs_sb_info *sbi, + spin_unlock_irqrestore(¤t->sighand->siglock, flags); + } + +- return (bytes > 0); ++ /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */ ++ return bytes == 0 ? 0 : wr < 0 ? wr : -EIO; + } + + static void autofs4_notify_daemon(struct autofs_sb_info *sbi, +@@ -101,6 +102,7 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, + } pkt; + struct file *pipe = NULL; + size_t pktsz; ++ int ret; + + DPRINTK("wait id = 0x%08lx, name = %.*s, type=%d", + (unsigned long) wq->wait_queue_token, wq->name.len, wq->name.name, type); +@@ -173,7 +175,18 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, + mutex_unlock(&sbi->wq_mutex); + + if (autofs4_write(sbi, pipe, &pkt, pktsz)) ++ switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { ++ case 0: ++ break; ++ case -ENOMEM: ++ case -ERESTARTSYS: ++ /* Just fail this one */ ++ autofs4_wait_release(sbi, wq->wait_queue_token, ret); ++ break; ++ default: + autofs4_catatonic_mode(sbi); ++ break; ++ } + fput(pipe); + } + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 1d8b3f8c3654..0fd2354dfd0a 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3260,13 +3260,6 @@ again: + goto again; + } + +- /* We've already setup this transaction, go ahead and exit */ +- if (block_group->cache_generation == trans->transid && +- i_size_read(inode)) { +- dcs = BTRFS_DC_SETUP; +- goto out_put; +- } +- + /* + * We want to set the generation to 0, that way if anything goes wrong + * from here on out we know not to trust this cache when we load up next +@@ -3290,6 +3283,13 @@ again: + } + WARN_ON(ret); + ++ /* We've already setup this transaction, go ahead and exit */ ++ if (block_group->cache_generation == trans->transid && ++ i_size_read(inode)) { ++ dcs = BTRFS_DC_SETUP; ++ goto out_put; ++ } ++ + if (i_size_read(inode) > 0) { + ret = btrfs_check_trunc_cache_free_space(root, + &root->fs_info->global_block_rsv); +diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c +index 286f10b0363b..4f457d5c4933 100644 +--- a/fs/ecryptfs/messaging.c ++++ b/fs/ecryptfs/messaging.c +@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void) + } + if (ecryptfs_daemon_hash) { + struct ecryptfs_daemon *daemon; ++ struct hlist_node *n; + int i; + + mutex_lock(&ecryptfs_daemon_hash_mux); + for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { + int rc; + +- hlist_for_each_entry(daemon, +- &ecryptfs_daemon_hash[i], +- euid_chain) { ++ hlist_for_each_entry_safe(daemon, n, ++ &ecryptfs_daemon_hash[i], ++ euid_chain) { + rc = ecryptfs_exorcise_daemon(daemon); + if (rc) + printk(KERN_ERR "%s: Error whilst " +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index a3276bf9ac00..447d64e47c4c 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4795,7 +4795,8 @@ static long ext4_zero_range(struct file *file, loff_t offset, + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +- offset + len > i_size_read(inode)) { ++ (offset + len > i_size_read(inode) || ++ offset + len > EXT4_I(inode)->i_disksize)) { + new_size = offset + len; + ret = inode_newsize_ok(inode, new_size); + if (ret) +@@ -4964,7 +4965,8 @@ long ext4_fallocate(struct file *file, int mode, loff_t offset, loff_t len) + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +- offset + len > i_size_read(inode)) { ++ (offset + len > i_size_read(inode) || ++ offset + len > EXT4_I(inode)->i_disksize)) { + new_size = offset + len; + ret = inode_newsize_ok(inode, new_size); + if (ret) +diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h +index 0ac4c1f73fbd..25177e6bd603 100644 +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -103,7 +103,7 @@ static inline unsigned int isonum_733(char *p) + /* Ignore bigendian datum due to broken mastering programs */ + return get_unaligned_le32(p); + } +-extern int iso_date(char *, int); ++extern int iso_date(u8 *, int); + + struct inode; /* To make gcc happy */ + +diff --git a/fs/isofs/rock.h b/fs/isofs/rock.h +index ed09e2b08637..f835976ce033 100644 +--- a/fs/isofs/rock.h ++++ b/fs/isofs/rock.h +@@ -65,7 +65,7 @@ struct RR_PL_s { + }; + + struct stamp { +- char time[7]; ++ __u8 time[7]; /* actually 6 unsigned, 1 signed */ + } __attribute__ ((packed)); + + struct RR_TF_s { +diff --git a/fs/isofs/util.c b/fs/isofs/util.c +index 005a15cfd30a..37860fea364d 100644 +--- a/fs/isofs/util.c ++++ b/fs/isofs/util.c +@@ -15,7 +15,7 @@ + * to GMT. Thus we should always be correct. + */ + +-int iso_date(char * p, int flag) ++int iso_date(u8 *p, int flag) + { + int year, month, day, hour, minute, second, tz; + int crtime; +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 4227adce3e52..1484ae1907c6 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1279,7 +1279,7 @@ static int nfs_weak_revalidate(struct dentry *dentry, unsigned int flags) + return 0; + } + +- error = nfs_revalidate_inode(NFS_SERVER(inode), inode); ++ error = nfs_lookup_verify_inode(inode, flags); + dfprintk(LOOKUPCACHE, "NFS: %s: inode %lu is %s\n", + __func__, inode->i_ino, error ? "invalid" : "valid"); + return !error; +@@ -1439,6 +1439,7 @@ static int nfs4_lookup_revalidate(struct dentry *, unsigned int); + + const struct dentry_operations nfs4_dentry_operations = { + .d_revalidate = nfs4_lookup_revalidate, ++ .d_weak_revalidate = nfs_weak_revalidate, + .d_delete = nfs_dentry_delete, + .d_iput = nfs_dentry_iput, + .d_automount = nfs_d_automount, +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index f06af7248be7..1ce18913762a 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -242,15 +242,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATTR4_WORD0_MAXFILESIZE + }; + + const u32 nfs4_fs_locations_bitmap[3] = { +- FATTR4_WORD0_TYPE +- | FATTR4_WORD0_CHANGE ++ FATTR4_WORD0_CHANGE + | FATTR4_WORD0_SIZE + | FATTR4_WORD0_FSID + | FATTR4_WORD0_FILEID + | FATTR4_WORD0_FS_LOCATIONS, +- FATTR4_WORD1_MODE +- | FATTR4_WORD1_NUMLINKS +- | FATTR4_WORD1_OWNER ++ FATTR4_WORD1_OWNER + | FATTR4_WORD1_OWNER_GROUP + | FATTR4_WORD1_RAWDEV + | FATTR4_WORD1_SPACE_USED +@@ -6212,9 +6209,7 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, + struct page *page) + { + struct nfs_server *server = NFS_SERVER(dir); +- u32 bitmask[3] = { +- [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS, +- }; ++ u32 bitmask[3]; + struct nfs4_fs_locations_arg args = { + .dir_fh = NFS_FH(dir), + .name = name, +@@ -6233,12 +6228,15 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, + + dprintk("%s: start\n", __func__); + ++ bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS; ++ bitmask[1] = nfs4_fattr_bitmap[1]; ++ + /* Ask for the fileid of the absent filesystem if mounted_on_fileid + * is not supported */ + if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID) +- bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID; ++ bitmask[0] &= ~FATTR4_WORD0_FILEID; + else +- bitmask[0] |= FATTR4_WORD0_FILEID; ++ bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID; + + nfs_fattr_init(&fs_locations->fattr); + fs_locations->server = server; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index f175b833b6ba..0ee31759ddde 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1319,7 +1319,7 @@ static int nfs_parse_mount_options(char *raw, + mnt->options |= NFS_OPTION_MIGRATION; + break; + case Opt_nomigration: +- mnt->options &= NFS_OPTION_MIGRATION; ++ mnt->options &= ~NFS_OPTION_MIGRATION; + break; + + /* +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 22e9799323ad..529434f926f1 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3776,7 +3776,8 @@ static struct nfs4_delegation *find_deleg_stateid(struct nfs4_client *cl, statei + { + struct nfs4_stid *ret; + +- ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID); ++ ret = find_stateid_by_type(cl, s, ++ NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID); + if (!ret) + return NULL; + return delegstateid(ret); +@@ -3799,6 +3800,12 @@ nfs4_check_deleg(struct nfs4_client *cl, struct nfsd4_open *open, + deleg = find_deleg_stateid(cl, &open->op_delegate_stateid); + if (deleg == NULL) + goto out; ++ if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) { ++ nfs4_put_stid(&deleg->dl_stid); ++ if (cl->cl_minorversion) ++ status = nfserr_deleg_revoked; ++ goto out; ++ } + flags = share_access_to_flags(open->op_share_access); + status = nfs4_check_delegmode(deleg, flags); + if (status) { +@@ -4655,6 +4662,16 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate, + struct nfs4_stid **s, struct nfsd_net *nn) + { + __be32 status; ++ bool return_revoked = false; ++ ++ /* ++ * only return revoked delegations if explicitly asked. ++ * otherwise we report revoked or bad_stateid status. ++ */ ++ if (typemask & NFS4_REVOKED_DELEG_STID) ++ return_revoked = true; ++ else if (typemask & NFS4_DELEG_STID) ++ typemask |= NFS4_REVOKED_DELEG_STID; + + if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) + return nfserr_bad_stateid; +@@ -4669,6 +4686,12 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate, + *s = find_stateid_by_type(cstate->clp, stateid, typemask); + if (!*s) + return nfserr_bad_stateid; ++ if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) { ++ nfs4_put_stid(*s); ++ if (cstate->minorversion) ++ return nfserr_deleg_revoked; ++ return nfserr_bad_stateid; ++ } + return nfs_ok; + } + +diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c +index c6abbad9b8e3..3cdd5cc80c11 100644 +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1883,8 +1883,6 @@ static int nilfs_segctor_collect_dirty_files(struct nilfs_sc_info *sci, + "failed to get inode block.\n"); + return err; + } +- mark_buffer_dirty(ibh); +- nilfs_mdt_mark_dirty(ifile); + spin_lock(&nilfs->ns_inode_lock); + if (likely(!ii->i_bh)) + ii->i_bh = ibh; +@@ -1893,6 +1891,10 @@ static int nilfs_segctor_collect_dirty_files(struct nilfs_sc_info *sci, + goto retry; + } + ++ // Always redirty the buffer to avoid race condition ++ mark_buffer_dirty(ii->i_bh); ++ nilfs_mdt_mark_dirty(ifile); ++ + clear_bit(NILFS_I_QUEUED, &ii->i_state); + set_bit(NILFS_I_BUSY, &ii->i_state); + list_move_tail(&ii->i_dirty, &sci->sc_dirty_files); +diff --git a/include/linux/netlink.h b/include/linux/netlink.h +index 6835c1279df7..0a9f48df9c9e 100644 +--- a/include/linux/netlink.h ++++ b/include/linux/netlink.h +@@ -120,6 +120,7 @@ netlink_skb_clone(struct sk_buff *skb, gfp_t gfp_mask) + struct netlink_callback { + struct sk_buff *skb; + const struct nlmsghdr *nlh; ++ int (*start)(struct netlink_callback *); + int (*dump)(struct sk_buff * skb, + struct netlink_callback *cb); + int (*done)(struct netlink_callback *cb); +@@ -142,6 +143,7 @@ struct nlmsghdr * + __nlmsg_put(struct sk_buff *skb, u32 portid, u32 seq, int type, int len, int flags); + + struct netlink_dump_control { ++ int (*start)(struct netlink_callback *); + int (*dump)(struct sk_buff *skb, struct netlink_callback *); + int (*done)(struct netlink_callback *); + void *data; +diff --git a/include/net/genetlink.h b/include/net/genetlink.h +index a9af1cc8c1bc..d76f2da89b5a 100644 +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -114,6 +114,7 @@ static inline void genl_info_net_set(struct genl_info *info, struct net *net) + * @flags: flags + * @policy: attribute validation policy + * @doit: standard command callback ++ * @start: start callback for dumps + * @dumpit: callback for dumpers + * @done: completion callback for dumps + * @ops_list: operations list +@@ -122,6 +123,7 @@ struct genl_ops { + const struct nla_policy *policy; + int (*doit)(struct sk_buff *skb, + struct genl_info *info); ++ int (*start)(struct netlink_callback *cb); + int (*dumpit)(struct sk_buff *skb, + struct netlink_callback *cb); + int (*done)(struct netlink_callback *cb); +diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h +index 5664ca07c9c7..a01a076ea060 100644 +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -455,20 +455,22 @@ TRACE_EVENT(svc_recv, + TP_ARGS(rqst, status), + + TP_STRUCT__entry( +- __field(struct sockaddr *, addr) + __field(__be32, xid) + __field(int, status) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, rqst->rq_addrlen) + ), + + TP_fast_assign( +- __entry->addr = (struct sockaddr *)&rqst->rq_addr; + __entry->xid = status > 0 ? rqst->rq_xid : 0; + __entry->status = status; + __entry->flags = rqst->rq_flags; ++ memcpy(__get_dynamic_array(addr), ++ &rqst->rq_addr, rqst->rq_addrlen); + ), + +- TP_printk("addr=%pIScp xid=0x%x status=%d flags=%s", __entry->addr, ++ TP_printk("addr=%pIScp xid=0x%x status=%d flags=%s", ++ (struct sockaddr *)__get_dynamic_array(addr), + be32_to_cpu(__entry->xid), __entry->status, + show_rqstp_flags(__entry->flags)) + ); +@@ -480,22 +482,23 @@ DECLARE_EVENT_CLASS(svc_rqst_status, + TP_ARGS(rqst, status), + + TP_STRUCT__entry( +- __field(struct sockaddr *, addr) + __field(__be32, xid) +- __field(int, dropme) + __field(int, status) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, rqst->rq_addrlen) + ), + + TP_fast_assign( +- __entry->addr = (struct sockaddr *)&rqst->rq_addr; + __entry->xid = rqst->rq_xid; + __entry->status = status; + __entry->flags = rqst->rq_flags; ++ memcpy(__get_dynamic_array(addr), ++ &rqst->rq_addr, rqst->rq_addrlen); + ), + + TP_printk("addr=%pIScp rq_xid=0x%x status=%d flags=%s", +- __entry->addr, be32_to_cpu(__entry->xid), ++ (struct sockaddr *)__get_dynamic_array(addr), ++ be32_to_cpu(__entry->xid), + __entry->status, show_rqstp_flags(__entry->flags)) + ); + +diff --git a/include/uapi/linux/bcache.h b/include/uapi/linux/bcache.h +index 22b6ad31c706..8562b1cb776b 100644 +--- a/include/uapi/linux/bcache.h ++++ b/include/uapi/linux/bcache.h +@@ -90,7 +90,7 @@ PTR_FIELD(PTR_GEN, 0, 8) + + #define PTR_CHECK_DEV ((1 << PTR_DEV_BITS) - 1) + +-#define PTR(gen, offset, dev) \ ++#define MAKE_PTR(gen, offset, dev) \ + ((((__u64) dev) << 51) | ((__u64) offset) << 8 | gen) + + /* Bkey utility code */ +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index f2f8ff54d2c0..8fbedeb5553f 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -577,8 +577,7 @@ void resched_cpu(int cpu) + struct rq *rq = cpu_rq(cpu); + unsigned long flags; + +- if (!raw_spin_trylock_irqsave(&rq->lock, flags)) +- return; ++ raw_spin_lock_irqsave(&rq->lock, flags); + resched_curr(rq); + raw_spin_unlock_irqrestore(&rq->lock, flags); + } +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index bdd6a8dd5797..4aa31c77cbab 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1235,17 +1235,11 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma, + VM_BUG_ON_PAGE(!PageHead(page), page); + if (flags & FOLL_TOUCH) { + pmd_t _pmd; +- /* +- * We should set the dirty bit only for FOLL_WRITE but +- * for now the dirty bit in the pmd is meaningless. +- * And if the dirty bit will become meaningful and +- * we'll only set it with FOLL_WRITE, an atomic +- * set_bit will be required on the pmd to set the +- * young bit, instead of the current set_pmd_at. +- */ +- _pmd = pmd_mkyoung(pmd_mkdirty(*pmd)); ++ _pmd = pmd_mkyoung(*pmd); ++ if (flags & FOLL_WRITE) ++ _pmd = pmd_mkdirty(_pmd); + if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK, +- pmd, _pmd, 1)) ++ pmd, _pmd, flags & FOLL_WRITE)) + update_mmu_cache_pmd(vma, addr, pmd); + } + if ((flags & FOLL_POPULATE) && (vma->vm_flags & VM_LOCKED)) { +diff --git a/mm/madvise.c b/mm/madvise.c +index d551475517bf..a9c866c9cc0e 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -221,15 +221,14 @@ static long madvise_willneed(struct vm_area_struct *vma, + { + struct file *file = vma->vm_file; + ++ *prev = vma; + #ifdef CONFIG_SWAP + if (!file) { +- *prev = vma; + force_swapin_readahead(vma, start, end); + return 0; + } + + if (shmem_mapping(file->f_mapping)) { +- *prev = vma; + force_shm_swapin_readahead(vma, start, end, + file->f_mapping); + return 0; +@@ -244,7 +243,6 @@ static long madvise_willneed(struct vm_area_struct *vma, + return 0; + } + +- *prev = vma; + start = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; + if (end > vma->vm_end) + end = vma->vm_end; +diff --git a/net/9p/client.c b/net/9p/client.c +index fb4ac475311c..77b608dee691 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -749,8 +749,7 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...) + } + again: + /* Wait for the response */ +- err = wait_event_interruptible(*req->wq, +- req->status >= REQ_STATUS_RCVD); ++ err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); + + /* + * Make sure our req is coherent with regard to updates in other +diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c +index 9dd49ca67dbc..202923a36677 100644 +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -290,8 +290,8 @@ req_retry: + if (err == -ENOSPC) { + chan->ring_bufs_avail = 0; + spin_unlock_irqrestore(&chan->lock, flags); +- err = wait_event_interruptible(*chan->vc_wq, +- chan->ring_bufs_avail); ++ err = wait_event_killable(*chan->vc_wq, ++ chan->ring_bufs_avail); + if (err == -ERESTARTSYS) + return err; + +@@ -331,7 +331,7 @@ static int p9_get_mapped_pages(struct virtio_chan *chan, + * Other zc request to finish here + */ + if (atomic_read(&vp_pinned) >= chan->p9_max_pages) { +- err = wait_event_interruptible(vp_wq, ++ err = wait_event_killable(vp_wq, + (atomic_read(&vp_pinned) < chan->p9_max_pages)); + if (err == -ERESTARTSYS) + return err; +@@ -475,8 +475,8 @@ req_retry_pinned: + if (err == -ENOSPC) { + chan->ring_bufs_avail = 0; + spin_unlock_irqrestore(&chan->lock, flags); +- err = wait_event_interruptible(*chan->vc_wq, +- chan->ring_bufs_avail); ++ err = wait_event_killable(*chan->vc_wq, ++ chan->ring_bufs_avail); + if (err == -ERESTARTSYS) + goto err_out; + +@@ -493,8 +493,7 @@ req_retry_pinned: + virtqueue_kick(chan->vq); + spin_unlock_irqrestore(&chan->lock, flags); + p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n"); +- err = wait_event_interruptible(*req->wq, +- req->status >= REQ_STATUS_RCVD); ++ err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); + /* + * Non kernel buffers are pinned, unpin them + */ +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 897f5941d86b..135fe458bfac 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3056,7 +3056,11 @@ static int ip6_route_dev_notify(struct notifier_block *this, + net->ipv6.ip6_blk_hole_entry->dst.dev = dev; + net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev); + #endif +- } else if (event == NETDEV_UNREGISTER) { ++ } else if (event == NETDEV_UNREGISTER && ++ dev->reg_state != NETREG_UNREGISTERED) { ++ /* NETDEV_UNREGISTER could be fired for multiple times by ++ * netdev_wait_allrefs(). Make sure we only call this once. ++ */ + in6_dev_put(net->ipv6.ip6_null_entry->rt6i_idev); + #ifdef CONFIG_IPV6_MULTIPLE_TABLES + in6_dev_put(net->ipv6.ip6_prohibit_entry->rt6i_idev); +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index cdf8609a6240..d0f2ce65e474 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -690,7 +690,6 @@ struct ieee80211_if_mesh { + const struct ieee80211_mesh_sync_ops *sync_ops; + s64 sync_offset_clockdrift_max; + spinlock_t sync_offset_lock; +- bool adjusting_tbtt; + /* mesh power save */ + enum nl80211_mesh_power_mode nonpeer_pm; + int ps_peers_light_sleep; +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index c5af4e3d4497..48257f17688f 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -289,8 +289,6 @@ int mesh_add_meshconf_ie(struct ieee80211_sub_if_data *sdata, + /* Mesh PS mode. See IEEE802.11-2012 8.4.2.100.8 */ + *pos |= ifmsh->ps_peers_deep_sleep ? + IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL : 0x00; +- *pos++ |= ifmsh->adjusting_tbtt ? +- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING : 0x00; + *pos++ = 0x00; + + return 0; +@@ -792,7 +790,6 @@ int ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata) + ifmsh->mesh_cc_id = 0; /* Disabled */ + /* register sync ops from extensible synchronization framework */ + ifmsh->sync_ops = ieee80211_mesh_sync_ops_get(ifmsh->mesh_sp_id); +- ifmsh->adjusting_tbtt = false; + ifmsh->sync_offset_clockdrift_max = 0; + set_bit(MESH_WORK_HOUSEKEEPING, &ifmsh->wrkq_flags); + ieee80211_mesh_root_setup(ifmsh); +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index 60d737f144e3..7f758c9aa200 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -452,12 +452,14 @@ mesh_sta_info_alloc(struct ieee80211_sub_if_data *sdata, u8 *addr, + + /* Userspace handles station allocation */ + if (sdata->u.mesh.user_mpm || +- sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) +- cfg80211_notify_new_peer_candidate(sdata->dev, addr, +- elems->ie_start, +- elems->total_len, +- GFP_KERNEL); +- else ++ sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) { ++ if (mesh_peer_accepts_plinks(elems) && ++ mesh_plink_availables(sdata)) ++ cfg80211_notify_new_peer_candidate(sdata->dev, addr, ++ elems->ie_start, ++ elems->total_len, ++ GFP_KERNEL); ++ } else + sta = __mesh_sta_info_alloc(sdata, addr); + + return sta; +diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c +index 09625d6205c3..6e8ece73bfa6 100644 +--- a/net/mac80211/mesh_sync.c ++++ b/net/mac80211/mesh_sync.c +@@ -119,7 +119,6 @@ static void mesh_sync_offset_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, + */ + + if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) { +- clear_sta_flag(sta, WLAN_STA_TOFFSET_KNOWN); + msync_dbg(sdata, "STA %pM : is adjusting TBTT\n", + sta->sta.addr); + goto no_sync; +@@ -168,11 +167,9 @@ static void mesh_sync_offset_adjust_tbtt(struct ieee80211_sub_if_data *sdata, + struct beacon_data *beacon) + { + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; +- u8 cap; + + WARN_ON(ifmsh->mesh_sp_id != IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET); + WARN_ON(!rcu_read_lock_held()); +- cap = beacon->meshconf->meshconf_cap; + + spin_lock_bh(&ifmsh->sync_offset_lock); + +@@ -186,21 +183,13 @@ static void mesh_sync_offset_adjust_tbtt(struct ieee80211_sub_if_data *sdata, + "TBTT : kicking off TBTT adjustment with clockdrift_max=%lld\n", + ifmsh->sync_offset_clockdrift_max); + set_bit(MESH_WORK_DRIFT_ADJUST, &ifmsh->wrkq_flags); +- +- ifmsh->adjusting_tbtt = true; + } else { + msync_dbg(sdata, + "TBTT : max clockdrift=%lld; too small to adjust\n", + (long long)ifmsh->sync_offset_clockdrift_max); + ifmsh->sync_offset_clockdrift_max = 0; +- +- ifmsh->adjusting_tbtt = false; + } + spin_unlock_bh(&ifmsh->sync_offset_lock); +- +- beacon->meshconf->meshconf_cap = ifmsh->adjusting_tbtt ? +- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING | cap : +- ~IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING & cap; + } + + static const struct sync_method sync_methods[] = { +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 34ded09317e7..792f6637c83e 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1925,7 +1925,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + * is called on error from nf_tables_newrule(). + */ + expr = nft_expr_first(rule); +- while (expr->ops && expr != nft_expr_last(rule)) { ++ while (expr != nft_expr_last(rule) && expr->ops) { + nf_tables_expr_destroy(ctx, expr); + expr = nft_expr_next(expr); + } +diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c +index 96805d21d618..b204b7db515f 100644 +--- a/net/netfilter/nft_queue.c ++++ b/net/netfilter/nft_queue.c +@@ -37,7 +37,7 @@ static void nft_queue_eval(const struct nft_expr *expr, + + if (priv->queues_total > 1) { + if (priv->flags & NFT_QUEUE_FLAG_CPU_FANOUT) { +- int cpu = smp_processor_id(); ++ int cpu = raw_smp_processor_id(); + + queue = priv->queuenum + cpu % priv->queues_total; + } else { +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 1c0d4aee783d..a5815be7c81c 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2821,6 +2821,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + + cb = &nlk->cb; + memset(cb, 0, sizeof(*cb)); ++ cb->start = control->start; + cb->dump = control->dump; + cb->done = control->done; + cb->nlh = nlh; +@@ -2834,6 +2835,9 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + + mutex_unlock(nlk->cb_mutex); + ++ if (cb->start) ++ cb->start(cb); ++ + ret = netlink_dump(sk); + sock_put(sk); + +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index 2ed5f964772e..3d111b053e3e 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -513,6 +513,20 @@ void *genlmsg_put(struct sk_buff *skb, u32 portid, u32 seq, + } + EXPORT_SYMBOL(genlmsg_put); + ++static int genl_lock_start(struct netlink_callback *cb) ++{ ++ /* our ops are always const - netlink API doesn't propagate that */ ++ const struct genl_ops *ops = cb->data; ++ int rc = 0; ++ ++ if (ops->start) { ++ genl_lock(); ++ rc = ops->start(cb); ++ genl_unlock(); ++ } ++ return rc; ++} ++ + static int genl_lock_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + { + /* our ops are always const - netlink API doesn't propagate that */ +@@ -577,6 +591,7 @@ static int genl_family_rcv_msg(struct genl_family *family, + .module = family->module, + /* we have const, but the netlink API doesn't */ + .data = (void *)ops, ++ .start = genl_lock_start, + .dump = genl_lock_dumpit, + .done = genl_lock_done, + }; +@@ -588,6 +603,7 @@ static int genl_family_rcv_msg(struct genl_family *family, + } else { + struct netlink_dump_control c = { + .module = family->module, ++ .start = ops->start, + .dump = ops->dumpit, + .done = ops->done, + }; +diff --git a/net/nfc/core.c b/net/nfc/core.c +index 54596f609d04..ab4b1e1d186d 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1093,7 +1093,7 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops, + err_free_dev: + kfree(dev); + +- return ERR_PTR(rc); ++ return NULL; + } + EXPORT_SYMBOL(nfc_allocate_device); + +diff --git a/net/rds/send.c b/net/rds/send.c +index eba0eaf4cc38..37730bfa393f 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -932,6 +932,11 @@ static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm, + ret = rds_cmsg_rdma_map(rs, rm, cmsg); + if (!ret) + *allocated_mr = 1; ++ else if (ret == -ENODEV) ++ /* Accommodate the get_mr() case which can fail ++ * if connection isn't established yet. ++ */ ++ ret = -EAGAIN; + break; + case RDS_CMSG_ATOMIC_CSWP: + case RDS_CMSG_ATOMIC_FADD: +@@ -1039,8 +1044,12 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) + + /* Parse any control messages the user may have included. */ + ret = rds_cmsg_send(rs, rm, msg, &allocated_mr); +- if (ret) ++ if (ret) { ++ /* Trigger connection so that its ready for the next retry */ ++ if (ret == -EAGAIN) ++ rds_conn_connect_if_down(conn); + goto out; ++ } + + if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) { + printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n", +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index e1c69b216db3..dfc542ecf9c4 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1209,10 +1209,14 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + + if (signal_pending(current)) { + err = sock_intr_errno(timeout); +- goto out_wait_error; ++ sk->sk_state = SS_UNCONNECTED; ++ sock->state = SS_UNCONNECTED; ++ goto out_wait; + } else if (timeout == 0) { + err = -ETIMEDOUT; +- goto out_wait_error; ++ sk->sk_state = SS_UNCONNECTED; ++ sock->state = SS_UNCONNECTED; ++ goto out_wait; + } + + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); +@@ -1220,20 +1224,17 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + + if (sk->sk_err) { + err = -sk->sk_err; +- goto out_wait_error; +- } else ++ sk->sk_state = SS_UNCONNECTED; ++ sock->state = SS_UNCONNECTED; ++ } else { + err = 0; ++ } + + out_wait: + finish_wait(sk_sleep(sk), &wait); + out: + release_sock(sk); + return err; +- +-out_wait_error: +- sk->sk_state = SS_UNCONNECTED; +- sock->state = SS_UNCONNECTED; +- goto out_wait; + } + + static int vsock_accept(struct socket *sock, struct socket *newsock, int flags) +@@ -1270,18 +1271,20 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags) + listener->sk_err == 0) { + release_sock(listener); + timeout = schedule_timeout(timeout); ++ finish_wait(sk_sleep(listener), &wait); + lock_sock(listener); + + if (signal_pending(current)) { + err = sock_intr_errno(timeout); +- goto out_wait; ++ goto out; + } else if (timeout == 0) { + err = -EAGAIN; +- goto out_wait; ++ goto out; + } + + prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE); + } ++ finish_wait(sk_sleep(listener), &wait); + + if (listener->sk_err) + err = -listener->sk_err; +@@ -1301,19 +1304,15 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags) + */ + if (err) { + vconnected->rejected = true; +- release_sock(connected); +- sock_put(connected); +- goto out_wait; ++ } else { ++ newsock->state = SS_CONNECTED; ++ sock_graft(connected, newsock); + } + +- newsock->state = SS_CONNECTED; +- sock_graft(connected, newsock); + release_sock(connected); + sock_put(connected); + } + +-out_wait: +- finish_wait(sk_sleep(listener), &wait); + out: + release_sock(listener); + return err; +@@ -1513,8 +1512,7 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, + long timeout; + int err; + struct vsock_transport_send_notify_data send_data; +- +- DEFINE_WAIT(wait); ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + + sk = sock->sk; + vsk = vsock_sk(sk); +@@ -1557,11 +1555,10 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, + if (err < 0) + goto out; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); +- + while (total_written < len) { + ssize_t written; + ++ add_wait_queue(sk_sleep(sk), &wait); + while (vsock_stream_has_space(vsk) == 0 && + sk->sk_err == 0 && + !(sk->sk_shutdown & SEND_SHUTDOWN) && +@@ -1570,27 +1567,30 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, + /* Don't wait for non-blocking sockets. */ + if (timeout == 0) { + err = -EAGAIN; +- goto out_wait; ++ remove_wait_queue(sk_sleep(sk), &wait); ++ goto out_err; + } + + err = transport->notify_send_pre_block(vsk, &send_data); +- if (err < 0) +- goto out_wait; ++ if (err < 0) { ++ remove_wait_queue(sk_sleep(sk), &wait); ++ goto out_err; ++ } + + release_sock(sk); +- timeout = schedule_timeout(timeout); ++ timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout); + lock_sock(sk); + if (signal_pending(current)) { + err = sock_intr_errno(timeout); +- goto out_wait; ++ remove_wait_queue(sk_sleep(sk), &wait); ++ goto out_err; + } else if (timeout == 0) { + err = -EAGAIN; +- goto out_wait; ++ remove_wait_queue(sk_sleep(sk), &wait); ++ goto out_err; + } +- +- prepare_to_wait(sk_sleep(sk), &wait, +- TASK_INTERRUPTIBLE); + } ++ remove_wait_queue(sk_sleep(sk), &wait); + + /* These checks occur both as part of and after the loop + * conditional since we need to check before and after +@@ -1598,16 +1598,16 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, + */ + if (sk->sk_err) { + err = -sk->sk_err; +- goto out_wait; ++ goto out_err; + } else if ((sk->sk_shutdown & SEND_SHUTDOWN) || + (vsk->peer_shutdown & RCV_SHUTDOWN)) { + err = -EPIPE; +- goto out_wait; ++ goto out_err; + } + + err = transport->notify_send_pre_enqueue(vsk, &send_data); + if (err < 0) +- goto out_wait; ++ goto out_err; + + /* Note that enqueue will only write as many bytes as are free + * in the produce queue, so we don't need to ensure len is +@@ -1620,7 +1620,7 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, + len - total_written); + if (written < 0) { + err = -ENOMEM; +- goto out_wait; ++ goto out_err; + } + + total_written += written; +@@ -1628,14 +1628,13 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, + err = transport->notify_send_post_enqueue( + vsk, written, &send_data); + if (err < 0) +- goto out_wait; ++ goto out_err; + + } + +-out_wait: ++out_err: + if (total_written > 0) + err = total_written; +- finish_wait(sk_sleep(sk), &wait); + out: + release_sock(sk); + return err; +@@ -1716,21 +1715,61 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (err < 0) + goto out; + +- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + + while (1) { +- s64 ready = vsock_stream_has_data(vsk); ++ s64 ready; + +- if (ready < 0) { +- /* Invalid queue pair content. XXX This should be +- * changed to a connection reset in a later change. +- */ ++ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); ++ ready = vsock_stream_has_data(vsk); + +- err = -ENOMEM; +- goto out_wait; +- } else if (ready > 0) { ++ if (ready == 0) { ++ if (sk->sk_err != 0 || ++ (sk->sk_shutdown & RCV_SHUTDOWN) || ++ (vsk->peer_shutdown & SEND_SHUTDOWN)) { ++ finish_wait(sk_sleep(sk), &wait); ++ break; ++ } ++ /* Don't wait for non-blocking sockets. */ ++ if (timeout == 0) { ++ err = -EAGAIN; ++ finish_wait(sk_sleep(sk), &wait); ++ break; ++ } ++ ++ err = transport->notify_recv_pre_block( ++ vsk, target, &recv_data); ++ if (err < 0) { ++ finish_wait(sk_sleep(sk), &wait); ++ break; ++ } ++ release_sock(sk); ++ timeout = schedule_timeout(timeout); ++ lock_sock(sk); ++ ++ if (signal_pending(current)) { ++ err = sock_intr_errno(timeout); ++ finish_wait(sk_sleep(sk), &wait); ++ break; ++ } else if (timeout == 0) { ++ err = -EAGAIN; ++ finish_wait(sk_sleep(sk), &wait); ++ break; ++ } ++ } else { + ssize_t read; + ++ finish_wait(sk_sleep(sk), &wait); ++ ++ if (ready < 0) { ++ /* Invalid queue pair content. XXX This should ++ * be changed to a connection reset in a later ++ * change. ++ */ ++ ++ err = -ENOMEM; ++ goto out; ++ } ++ + err = transport->notify_recv_pre_dequeue( + vsk, target, &recv_data); + if (err < 0) +@@ -1750,42 +1789,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + vsk, target, read, + !(flags & MSG_PEEK), &recv_data); + if (err < 0) +- goto out_wait; ++ goto out; + + if (read >= target || flags & MSG_PEEK) + break; + + target -= read; +- } else { +- if (sk->sk_err != 0 || (sk->sk_shutdown & RCV_SHUTDOWN) +- || (vsk->peer_shutdown & SEND_SHUTDOWN)) { +- break; +- } +- /* Don't wait for non-blocking sockets. */ +- if (timeout == 0) { +- err = -EAGAIN; +- break; +- } +- +- err = transport->notify_recv_pre_block( +- vsk, target, &recv_data); +- if (err < 0) +- break; +- +- release_sock(sk); +- timeout = schedule_timeout(timeout); +- lock_sock(sk); +- +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- break; +- } else if (timeout == 0) { +- err = -EAGAIN; +- break; +- } +- +- prepare_to_wait(sk_sleep(sk), &wait, +- TASK_INTERRUPTIBLE); + } + } + +@@ -1797,8 +1806,6 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (copied > 0) + err = copied; + +-out_wait: +- finish_wait(sk_sleep(sk), &wait); + out: + release_sock(sk); + return err; +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 2091664295ba..18d9cf2eb648 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1622,32 +1622,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr + + static int xfrm_dump_policy_done(struct netlink_callback *cb) + { +- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; ++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; + struct net *net = sock_net(cb->skb->sk); + + xfrm_policy_walk_done(walk, net); + return 0; + } + ++static int xfrm_dump_policy_start(struct netlink_callback *cb) ++{ ++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; ++ ++ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); ++ ++ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); ++ return 0; ++} ++ + static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; ++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; + struct xfrm_dump_info info; + +- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) > +- sizeof(cb->args) - sizeof(cb->args[0])); +- + info.in_skb = cb->skb; + info.out_skb = skb; + info.nlmsg_seq = cb->nlh->nlmsg_seq; + info.nlmsg_flags = NLM_F_MULTI; + +- if (!cb->args[0]) { +- cb->args[0] = 1; +- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); +- } +- + (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); + + return skb->len; +@@ -2383,6 +2385,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { + + static const struct xfrm_link { + int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); ++ int (*start)(struct netlink_callback *); + int (*dump)(struct sk_buff *, struct netlink_callback *); + int (*done)(struct netlink_callback *); + const struct nla_policy *nla_pol; +@@ -2396,6 +2399,7 @@ static const struct xfrm_link { + [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, + [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, + [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, ++ .start = xfrm_dump_policy_start, + .dump = xfrm_dump_policy, + .done = xfrm_dump_policy_done }, + [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, +@@ -2447,6 +2451,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + { + struct netlink_dump_control c = { ++ .start = link->start, + .dump = link->dump, + .done = link->done, + }; +diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c +index 253a2da05cf0..9a7cc9a56a21 100644 +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -264,8 +264,10 @@ static void update_audio_tstamp(struct snd_pcm_substream *substream, + runtime->rate); + *audio_tstamp = ns_to_timespec(audio_nsecs); + } +- runtime->status->audio_tstamp = *audio_tstamp; +- runtime->status->tstamp = *curr_tstamp; ++ if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) { ++ runtime->status->audio_tstamp = *audio_tstamp; ++ runtime->status->tstamp = *curr_tstamp; ++ } + + /* + * re-take a driver timestamp to let apps detect if the reference tstamp +diff --git a/sound/core/timer_compat.c b/sound/core/timer_compat.c +index 0b4b028e8e98..de9155eed727 100644 +--- a/sound/core/timer_compat.c ++++ b/sound/core/timer_compat.c +@@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(struct file *file, + struct snd_timer *t; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + t = tu->timeri->timer; +- if (snd_BUG_ON(!t)) +- return -ENXIO; ++ if (!t) ++ return -EBADFD; + memset(&info, 0, sizeof(info)); + info.card = t->card ? t->card->number : -1; + if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) +@@ -73,8 +73,8 @@ static int snd_timer_user_status_compat(struct file *file, + struct snd_timer_status32 status; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + memset(&status, 0, sizeof(status)); + status.tstamp.tv_sec = tu->tstamp.tv_sec; + status.tstamp.tv_nsec = tu->tstamp.tv_nsec; +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 68bd0ba8bab8..b8886d493083 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2126,6 +2126,9 @@ static const struct pci_device_id azx_ids[] = { + /* AMD Hudson */ + { PCI_DEVICE(0x1022, 0x780d), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ /* AMD Raven */ ++ { PCI_DEVICE(0x1022, 0x15e3), ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, + /* ATI HDMI */ + { PCI_DEVICE(0x1002, 0x0002), + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 55601ce89e0f..75c4e14f4156 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4297,7 +4297,7 @@ static void alc_no_shutup(struct hda_codec *codec) + static void alc_fixup_no_shutup(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +- if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ if (action == HDA_FIXUP_ACT_PROBE) { + struct alc_spec *spec = codec->spec; + spec->shutup = alc_no_shutup; + } +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 431d94397219..21a2f1bd7369 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -533,7 +533,7 @@ static int wm_adsp_load(struct wm_adsp *dsp) + const struct wmfw_region *region; + const struct wm_adsp_region *mem; + const char *region_name; +- char *file, *text; ++ char *file, *text = NULL; + struct wm_adsp_buf *buf; + unsigned int reg; + int regions = 0; +@@ -678,10 +678,21 @@ static int wm_adsp_load(struct wm_adsp *dsp) + regions, le32_to_cpu(region->len), offset, + region_name); + ++ if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > ++ firmware->size) { ++ adsp_err(dsp, ++ "%s.%d: %s region len %d bytes exceeds file length %zu\n", ++ file, regions, region_name, ++ le32_to_cpu(region->len), firmware->size); ++ ret = -EINVAL; ++ goto out_fw; ++ } ++ + if (text) { + memcpy(text, region->data, le32_to_cpu(region->len)); + adsp_info(dsp, "%s: %s\n", file, text); + kfree(text); ++ text = NULL; + } + + if (reg) { +@@ -724,6 +735,7 @@ out_fw: + regmap_async_complete(regmap); + wm_adsp_buf_free(&buf_list); + release_firmware(firmware); ++ kfree(text); + out: + kfree(file); + +@@ -1312,6 +1324,17 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) + } + + if (reg) { ++ if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > ++ firmware->size) { ++ adsp_err(dsp, ++ "%s.%d: %s region len %d bytes exceeds file length %zu\n", ++ file, blocks, region_name, ++ le32_to_cpu(blk->len), ++ firmware->size); ++ ret = -EINVAL; ++ goto out_fw; ++ } ++ + buf = wm_adsp_buf_alloc(blk->data, + le32_to_cpu(blk->len), + &buf_list); +diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c +index 9f48d75fa992..9a198248e6cb 100644 +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -850,10 +850,8 @@ static int __rsnd_kctrl_new(struct rsnd_mod *mod, + return -ENOMEM; + + ret = snd_ctl_add(card, kctrl); +- if (ret < 0) { +- snd_ctl_free_one(kctrl); ++ if (ret < 0) + return ret; +- } + + cfg->update = update; + cfg->card = card; +diff --git a/sound/usb/clock.c b/sound/usb/clock.c +index 7ccbcaf6a147..66294eb64501 100644 +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -43,7 +43,7 @@ static struct uac_clock_source_descriptor * + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_SOURCE))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + return cs; + } + +@@ -59,8 +59,11 @@ static struct uac_clock_selector_descriptor * + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_SELECTOR))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { ++ if (cs->bLength < 5 + cs->bNrInPins) ++ return NULL; + return cs; ++ } + } + + return NULL; +@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descriptor * + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_MULTIPLIER))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + return cs; + } + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index cb0ef39adc36..3ebfaa527825 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1391,6 +1391,12 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid, + __u8 *bmaControls; + + if (state->mixer->protocol == UAC_VERSION_1) { ++ if (hdr->bLength < 7) { ++ usb_audio_err(state->chip, ++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n", ++ unitid); ++ return -EINVAL; ++ } + csize = hdr->bControlSize; + if (!csize) { + usb_audio_dbg(state->chip, +@@ -1408,6 +1414,12 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid, + } + } else { + struct uac2_feature_unit_descriptor *ftr = _ftr; ++ if (hdr->bLength < 6) { ++ usb_audio_err(state->chip, ++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n", ++ unitid); ++ return -EINVAL; ++ } + csize = 4; + channels = (hdr->bLength - 6) / 4 - 1; + bmaControls = ftr->bmaControls; +@@ -2008,7 +2020,8 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid, + const struct usbmix_name_map *map; + char **namelist; + +- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) { ++ if (desc->bLength < 5 || !desc->bNrInPins || ++ desc->bLength < 5 + desc->bNrInPins) { + usb_audio_err(state->chip, + "invalid SELECTOR UNIT descriptor %d\n", unitid); + return -EINVAL;
